Privacy Policy

This Privacy Policy explains how Guzman y Gomez ("we," "us," "our," or "the Company") collects, uses, discloses, stores, and protects your personal information when you visit our website at guzman-y-gomez.com, use our mobile applications, place orders, participate in our loyalty programs, or otherwise interact with our services. We are committed to protecting your privacy and handling your personal information in an open and transparent manner in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act.

Please read this Privacy Policy carefully. By accessing or using our website, placing an order, or engaging with our services in any way, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal information as described in this Policy. If you do not agree with the terms of this Privacy Policy, please do not use our services.


1. About Us

Guzman y Gomez is an Australian food and restaurant business operating across Australia and internationally. We serve fresh Mexican-inspired food through our restaurant locations, online ordering platform, and mobile application.

Company Name: Guzman y Gomez
Website: guzman-y-gomez.com
Email Address: [email protected]
Country of Operation: Australia
Applicable Law: Privacy Act 1988 (Cth), Australian Privacy Principles (APPs)

For all privacy-related inquiries, please use the contact details provided in Section 14 of this Policy.


2. What Personal Information We Collect

We collect personal information that is reasonably necessary for us to provide our food services, manage customer relationships, and improve our business operations. "Personal information" has the meaning given to it under the Privacy Act 1988 (Cth) — that is, information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true, and whether or not it is recorded in a material form.

2.1 Information You Provide Directly

When you interact with us, you may provide the following categories of personal information:

  • Identity Information: Your full name, username, or display name associated with your account.
  • Contact Information: Your email address, mailing address, and phone number.
  • Account Credentials: Password or authentication information used to access your account on our website or mobile app.
  • Order Information: Details of food items ordered, special dietary preferences or requests, delivery address, and order history.
  • Payment Information: Credit card or debit card details, billing address, and transaction history. Note that full payment card details are processed by our PCI-DSS compliant third-party payment processors and are not stored on our servers.
  • Loyalty Program Information: Points balances, redemption history, and preferences associated with your GYG loyalty or rewards account.
  • Communications: Messages, feedback, complaints, or inquiries you send us through contact forms, email, or social media platforms.
  • Survey Responses: Information you provide when participating in competitions, promotions, surveys, or feedback requests.
  • Dietary and Allergen Information: Information about food allergies or dietary requirements that you voluntarily share with us to facilitate safe food preparation.

2.2 Information We Collect Automatically

When you visit our website or use our mobile application, we automatically collect certain technical and usage data, including:

  • Device Information: Device type, operating system, browser type and version, screen resolution, and unique device identifiers.
  • Log Data: IP address, date and time of access, pages viewed, links clicked, referring URLs, and the duration of your visit.
  • Location Data: Approximate location derived from your IP address; precise geolocation data (with your consent) to help you find nearby Guzman y Gomez restaurant locations.
  • Usage Data: How you interact with our website, app features you use, search queries entered, items added to your cart, and navigation patterns.
  • Cookie and Tracking Data: Information collected through cookies, web beacons, pixel tags, and similar tracking technologies. Please see Section 9 for more details.

2.3 Information Collected From Third Parties

We may receive personal information about you from third parties in the following circumstances:

  • Social Media Platforms: If you choose to log in via a social media account (such as Facebook, Google, or Apple), we may receive your name, email address, profile picture, and other information you have made available through that platform.
  • Delivery Partners: Third-party delivery platforms (such as DoorDash, Uber Eats, or Menulog) may share limited order and contact information with us to fulfil your delivery.
  • Analytics Providers: Aggregated or pseudonymous data from analytics service providers that help us understand website traffic and user behaviour.
  • Marketing Partners: Contact details or advertising identifiers from our trusted marketing partners, where you have provided consent to those third parties to share your information with businesses like ours.

3. How We Use Your Personal Information

We use personal information only for the purposes for which it was collected, or for directly related purposes that you would reasonably expect, or for purposes to which you have consented. Our primary purposes include:

3.1 Service Provision and Order Fulfilment

  • Processing and fulfilling your food orders, whether placed in-store, online, or via our mobile application.
  • Managing your account and providing access to account features, order history, and loyalty rewards.
  • Facilitating payment processing and issuing receipts or invoices.
  • Coordinating delivery or click-and-collect services.
  • Responding to your customer service inquiries, complaints, or feedback.
  • Accommodating dietary requirements or allergen requests to ensure food safety.

3.2 Business Operations and Improvement

  • Analysing ordering trends, website usage, and customer preferences to improve our menu, service offerings, and user experience.
  • Conducting internal research and analytics to understand how our customers engage with our brand.
  • Developing new products, services, and features.
  • Training staff and improving service delivery standards.
  • Monitoring and maintaining the security and integrity of our systems and platforms.

3.3 Marketing and Communications

  • Sending you promotional emails, special offers, new product announcements, and marketing communications where you have opted in to receive such communications or where we are otherwise permitted to do so under the Spam Act 2003 (Cth).
  • Personalising marketing content based on your ordering history and preferences.
  • Administering competitions, promotions, surveys, and loyalty programs.
  • Delivering targeted advertising through third-party platforms such as Meta (Facebook/Instagram) and Google Ads, using hashed identifiers or advertising audiences.

3.4 Legal and Compliance Purposes

  • Complying with our legal obligations under Australian law, including food safety regulations, taxation law, and consumer protection legislation.
  • Responding to lawful requests from government authorities, regulators, or law enforcement agencies.
  • Establishing, exercising, or defending legal claims.
  • Preventing fraud, money laundering, and other unlawful activity.

4. Legal Basis for Processing

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, we are permitted to collect and use personal information where:

  • It is reasonably necessary for one or more of our functions or activities as a food business;
  • You have consented to the collection and use for a specified purpose;
  • It is required or authorised by or under an Australian law or a court/tribunal order;
  • It is necessary for us to fulfil our contractual obligations to you (for example, processing your food order); or
  • It is necessary for our legitimate business interests, provided those interests are not outweighed by your privacy interests.

5. Disclosure of Personal Information to Third Parties

We do not sell your personal information to third parties. However, we may disclose your personal information to trusted third parties in the following circumstances:

5.1 Service Providers

We engage third-party service providers who assist us in operating our business. These providers may access your personal information only to the extent necessary to perform their services and are contractually required to handle your data in accordance with applicable Australian privacy laws. Our service providers include:

  • Payment Processors: To securely process credit card and debit card transactions.
  • Delivery Partners: Third-party platforms and couriers who assist in delivering your orders.
  • Cloud and IT Service Providers: Companies that host our website, databases, and mobile application infrastructure.
  • Customer Support Platforms: Tools and software we use to manage customer inquiries and service tickets.
  • Marketing and Advertising Platforms: Email marketing providers, social media advertising networks, and analytics tools.
  • Loyalty Program Operators: Third parties who assist in managing our rewards and loyalty programs.
  • Legal and Professional Advisors: Lawyers, accountants, and auditors who provide professional advice to the Company.

5.2 Business Transfers

If Guzman y Gomez undergoes a merger, acquisition, sale of assets, restructuring, or similar business transaction, your personal information may be transferred as part of that transaction. We will take reasonable steps to ensure that the acquiring entity commits to protecting your personal information in a manner consistent with this Privacy Policy.

5.3 Legal Requirements

We may disclose your personal information where we are required to do so by law, court order, or at the request of a government authority, law enforcement agency, or regulatory body. We may also disclose information where we believe disclosure is necessary to protect the safety of any individual, prevent fraud or criminal activity, or enforce our legal rights.

5.4 With Your Consent

We may share your personal information with third parties where you have given us your express consent to do so.


6. International Transfers of Personal Information

Guzman y Gomez is an Australian business; however, some of the third-party service providers we use may store or process your personal information outside of Australia. This may include countries such as the United States, the United Kingdom, Singapore, or other jurisdictions where our technology partners maintain data centres.

Before disclosing your personal information to an overseas recipient, we take reasonable steps to ensure that the recipient is subject to a law, binding scheme, or contract that provides substantially similar protections to the Australian Privacy Principles, in accordance with Australian Privacy Principle 8.1. By using our services, you acknowledge and consent to the potential transfer of your personal information to overseas recipients as described in this section.

If we are unable to ensure adequate protections for an overseas transfer, we will take all reasonable steps to inform you before making any such disclosure.


7. Data Security

We take the security of your personal information seriously and implement a range of administrative, technical, and physical security measures to protect your data against unauthorised access, disclosure, alteration, loss, or destruction. Our security measures include:

  • Encryption: Transmission of data between your browser or device and our servers is protected using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) encryption.
  • Access Controls: Personal information is accessible only to authorised personnel who require access in the course of their duties. Access is governed by role-based permissions and strong authentication requirements.
  • Payment Security: We do not store full credit card numbers on our servers. Payment processing is handled by PCI-DSS compliant third-party processors.
  • System Monitoring: We regularly monitor our systems for security vulnerabilities, suspicious activity, and potential data breaches.
  • Staff Training: Our staff receive training on privacy obligations and data handling best practices.
  • Incident Response: We maintain an incident response plan to manage and respond to data breaches in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

Despite these measures, no method of data transmission or storage is completely secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with our legal obligations under the NDB scheme.


8. Data Retention

We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Our general retention approach is as follows:

Type of Information: Retention Period

  • Account and registration data: For the duration of your account plus 7 years after account closure
  • Order and transaction history: 7 years from the date of the transaction (for taxation and legal compliance)
  • Payment records: 7 years (as required by the Income Tax Assessment Act 1997)
  • Marketing preferences and consent records: Until you withdraw consent, plus 5 years thereafter
  • Customer service communications: 3 years from the date of the communication
  • Website usage and analytics data: Up to 26 months (or as specified by individual analytics tools)
  • Competition and promotion entries: 12 months after the competition closes
  • Complaint or legal dispute records: 7 years from resolution of the matter

When personal information is no longer required, we will take reasonable steps to destroy or permanently de-identify it in a secure manner.


9. Cookies and Tracking Technologies

Our website and mobile application use cookies and similar tracking technologies (such as web beacons, pixel tags, and local storage) to enhance your experience, analyse website traffic, and deliver targeted advertising.

9.1 Types of Cookies We Use

  • Essential Cookies: Necessary for the website to function correctly, including session management, shopping cart functionality, and security features. These cannot be disabled.
  • Performance and Analytics Cookies: Help us understand how visitors interact with our website by collecting aggregated, anonymised data about page views, navigation paths, and error messages.
  • Functional Cookies: Remember your preferences, such as your location, language settings, and saved order preferences.
  • Marketing and Advertising Cookies: Used to track your browsing activity across websites to deliver personalised advertising relevant to your interests. These are typically set by third-party advertising networks with our permission.

9.2 Managing Your Cookie Preferences

You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or alert you when a cookie is being set. Please note that disabling certain cookies may affect the functionality of our website and your user experience.

For detailed information about the cookies we use, the purposes for which we use them, and how to manage your preferences, please refer to our Cookie Policy.


10. Your Privacy Rights

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have a number of rights in relation to your personal information. We are committed to honouring these rights in a timely and transparent manner.

10.1 Right of Access

You have the right to request access to the personal information we hold about you. We will provide you with a copy of your personal information, subject to certain exceptions permitted by law (for example, where providing access would unreasonably affect the privacy of another individual, or where we are required by law to withhold the information).

10.2 Right to Correction

If you believe that the personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you have the right to request that we correct it. We will take reasonable steps to correct the information within 30 days of receiving your request, or notify you if we disagree with the requested correction.

10.3 Right to Deletion

In certain circumstances, you may request that we delete your personal information. We will comply with such requests unless we are required by law to retain the information, or we need it to fulfil our contractual obligations or to establish, exercise, or defend legal claims.

10.4 Right to Opt Out of Direct Marketing

You have the right to opt out of receiving direct marketing communications from us at any time. You can do this by:

  • Clicking the "unsubscribe" link in any marketing email we send you;
  • Updating your communication preferences in your account settings; or
  • Contacting us directly using the contact details in Section 14 of this Policy.

We will process your opt-out request as soon as practicable and within the timeframes required by the Spam Act 2003 (Cth). Note that even after opting out of marketing communications, you may still receive transactional or service-related messages (such as order confirmations or account notifications).

10.5 Right to Data Portability

While the Australian Privacy Principles do not currently mandate a formal right to data portability equivalent to those found in European law, we endeavour to provide you with a copy of your personal information in a structured, commonly used format upon request where technically feasible.

10.6 Right to Withdraw Consent

Where we rely on your consent as the basis for processing your personal information, you may withdraw that consent at any time by contacting us. Withdrawal of consent will not affect the lawfulness of any processing carried out before the withdrawal.

10.7 How to Exercise Your Rights

To exercise any of your privacy rights, please submit a written request to us using the contact details in Section 14. We may need to verify your identity before processing your request to ensure that personal information is not disclosed to an unauthorised person. We will respond to your request within 30 days. If we are unable to meet this timeframe, we will notify you of the expected response time.


11. Children's Privacy

Our online services, including our website and mobile application, are not directed at children under the age of 18 years. We do not knowingly collect personal information from individuals under the age of 18 without verifiable parental or guardian consent.

If you are under 18 years of age, please do not provide us with any personal information without the express consent of a parent or legal guardian. If you are a parent or guardian and you believe your child has provided us with personal information without your consent, please contact us immediately using the details in Section 14 of this Policy. We will take prompt steps to delete any such information from our records.

Individuals aged 18 and over may create an account, place orders, and participate in our loyalty programs and promotions in accordance with our Terms of Service.


12. Third-Party Links and Services

Our website and mobile application may contain links to third-party websites, platforms, and services that are not operated or controlled by Guzman y Gomez. These may include social media platforms, delivery partner websites, review platforms, and payment gateway providers. This Privacy Policy does not apply to third-party websites or services, and we are not responsible for the privacy practices of those third parties.

We encourage you to review the privacy policies of any third-party websites you visit before providing them with your personal information. The inclusion of a link to a third-party website on our platform does not constitute an endorsement of that website or its privacy practices.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our business practices, technology, legal requirements, or regulatory developments. When we make material changes to this Policy, we will:

  • Update the "Last Updated" date at the top of this page;
  • Post the revised Privacy Policy on our website at guzman-y-gomez.com; and
  • Where required by law or where the changes are significant, notify you by email or through a prominent notice on our website or mobile application.

Your continued use of our website or services after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. We encourage you to review this Policy periodically to stay informed about how we are protecting your personal information.


14. Contact Us — Privacy Inquiries

If you have any questions, concerns, or complaints about this Privacy Policy, our privacy practices, or how we handle your personal information, please contact our Privacy Officer using the following details:

When contacting us about a privacy matter, please include your full name, contact details, and a description of your concern or request so that we can respond effectively. We will acknowledge receipt of your inquiry within 5 business days and endeavour to provide a substantive response within 30 days.


15. How to Lodge a Complaint With the Regulator

If you are not satisfied with our response to your privacy concern or complaint, or if you believe that we have handled your personal information in a manner that contravenes the Privacy Act 1988 (Cth) or the Australian Privacy Principles, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

Before lodging a complaint with the OAIC, we encourage you to contact us first so that we have the opportunity to resolve your concern directly. However, you are entitled to contact the OAIC at any time.

The OAIC has the power to investigate complaints, make determinations, and in certain circumstances, award compensation or require organisations to change their privacy practices. For more information about the OAIC's complaint handling process, please visit their website at www.oaic.gov.au.


16. Applicable Law and Regulatory Framework

This Privacy Policy is governed by and construed in accordance with the laws of Australia. The following key legislative instruments and regulations apply to our collection, use, and handling of personal information:

  • Privacy Act 1988 (Cth) — The primary federal privacy legislation governing the handling of personal information by Australian organisations.
  • Australian Privacy Principles (APPs) — Thirteen principles set out in Schedule 1 of the Privacy Act 1988 (Cth) that govern the collection, storage, use, disclosure, quality, and security of personal information.
  • Notifiable Data Breaches (NDB) Scheme — Part IIIC of the Privacy Act 1988 (Cth), which requires organisations to notify individuals and the OAIC of eligible data breaches.
  • Spam Act 2003 (Cth) — Governs the sending of commercial electronic messages, including marketing emails and SMS messages.
  • Do Not Call Register Act 2006 (Cth) — Governs unsolicited telemarketing calls to individuals who have registered their numbers on the Do Not Call Register.
  • Competition and Consumer Act 2010 (Cth) — Including the Australian Consumer Law (ACL), which governs consumer protection in Australia.
  • Food Standards Australia New Zealand Act 1991 (Cth) — Relevant to food safety obligations that may intersect with the handling of health and dietary information.

Any dispute arising in connection with this Privacy Policy will be subject to the jurisdiction of the courts of Australia.