Privacy Policy
EXTERNAL PRIVACY POLICY
ISSP-PP-001
This policy was last updated on September 20, 2023.
INTRODUCTION
At El Pollo Loco, Inc. (“EPL”), our Mission is to Feed the Love that Makes us All Feel Like Family. Treating our valued customers like family means we respect, value, and safeguard the personal information you provide to us. At EPL, your Privacy is a high priority. This Privacy Policy describes how EPL, and its subsidiary and affiliated entities, collect, use, and disclose personal information of visitors to our restaurants and websites, and users of our mobile application, loyalty programs, and other online services. This policy applies to all personal information we may collect about you, via each of the means referenced below. EPL’s Privacy Policy does not apply to our franchisees. Please see our franchisees’ privacy policies for information on how they use customer information that they separately collect in their restaurants.
POLICY SUMMARY
The following summary provides highlights of our policy, but please read further below to review our full policy.
INFORMATION WE COLLECT
We collect various types of information about you, including:
- Information you provide to us;
- Information we collect about your use of our websites, mobile application, and other online services; and
- Information we obtain from third parties, such as those providing services to us to improve your customer experience.
We also may collect information in ways that we describe to you at the time we collect it or via other means, with your consent.
USE OF INFORMATION
We use the information we collect about our customers for the following business purposes:
- To communicate with you regarding our products, offers, promotions;
- To facilitate business transactions such as the purchase of food from our restaurants;
- To deliver targeted advertising, including offers and promotions;
- To learn more about our customers in order to improve our customers’ experience with EPL; and
- To manage online and other services your request from EPL
We may also use information we collect about you for other business purposes when you consent or otherwise request that we do so.
COOKIES AND ONLINE ADVERTISING
As with most companies, when you use EPL’s websites and online services, we may use cookies, web beacons, do-not-track signals, and other related technologies to improve and customize the advertisements you see and your overall experience with our services. See below for additional information about our collection of information using these technologies.
DISCLOSURE OF INFORMATION
We may disclose to or share the personal information we collect about you to the following parties:
- Business partners and service providers, including those that provides advertising or social media services;
- Companies and entities affiliated with EPL;
- Franchisees of EPL; and
- Other parties when required or permitted by applicable law, such as to protect our consumers and their data, or to facilitate a transaction such as the purchase of food
DATA SECURITY
Although EPL cannot guarantee security of our online services or information transmitted over the Internet, we have put in place certain procedures to safeguard your personal information when it is in our control. Please see the full policy below for more information regarding data security.
YOUR DATA PRIVACY RIGHTS
Your personal information is important. Please see below for information regarding EPL’s websites and online services, links to third-party sites, your privacy rights under California law, and children’s privacy.
PRIVACY POLICY
This Privacy Policy describes how El Pollo Loco, Inc. (“EPL”) and its subsidiaries and affiliated companies (collectively, “EPL”, “we”, or “our”) collect, use and disclose personal information of customers and others who visit our restaurants or our websites, as well as users of our online services and others to whom we expressly provide that this Privacy Policy will apply. This policy applies to data collected when you visit and use EPL’s website, mobile or tablet applications, or loyalty programs, and to data collected in restaurants, and other on-line services or platforms (collectively, the “Services”). With respect to personal information collected via the Internet, this Privacy Policy outlines the types of personal information that you may provide to us on any Services controlled by EPL which link to this Privacy Policy, and it explains how EPL handles such personal information. This Privacy Policy does not apply to websites or applications that do not link to this Privacy Policy or to third-party websites to which the Services may link. Your use of the Services is subject to this Privacy Policy and any additional terms and conditions that may be applicable to such Services, including EPL’s Terms of Use.
Please note that if you are a California resident you may have additional rights as set forth in the California Privacy Notice below.
COLLECTON OF PERSONAL INFORMATION
We collect personal information about customers and users of our Services in a variety of ways. We may collect information you provide to us, information we collect through your use of the Services, and information we collect from our third-party business partners and from publicly available sources.
Information You Provide to Us
We collect personal information from you when you voluntarily use or engage with the Services, such as providing general comments, making purchases of food or gift cards in one of our restaurants, online, or through our mobile application, registering for sweepstakes or contests, participating in our loyalty programs, and content submissions. For example, you may submit your name, postal address, e-mail address, IP address, phone number, gender, and/or birthdate in order to receive information about various subjects, register for or participate in programs, contact customer service, make purchases, or respond to surveys.
In order to process a financial transaction you request, such as the purchase of food or gift cards in a restaurant, through our mobile app, or online, we [Our Third-Party processor] may collect credit card information such as your credit card number, security code, the card’s expiration date, and a signature. When you enter one of our restaurants, we may collect information through our security cameras.
It is always your option to provide your personal information, but you may not be able to participate in some or all of the Services if you choose not to provide your personal information. By providing personal information through the Services, you explicitly consent to our collection and use of all such personal information as described in this Privacy Policy. If you submit someone else’s personal information to us (e.g., someone else’s contact information), you represent that you are authorized to provide this information to us.
INFORMATION COLLECTED AUTOMATICALLY
When you visit or use our Services, EPL may collect certain personal information by automated means. We may use “cookies” to store certain personal information on your computer that allows us to customize your use of EPL’s Services or to simply facilitate signing into the Services. A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Services. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Services. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe’s website. If you disable or refuse cookies, please note that some parts of our websites may then be inaccessible or not function properly.
The personal information we collect through cookies and tracking technologies may include your Internet Protocol (IP) address, computer/mobile device operating system and browser type, type of mobile device, the unique device identifier (UDID) or mobile equipment identifier (MEID) for your mobile device, the address of a referring web site (if any), and the pages you visit on our Services. We may use this personal information to operate, maintain, and manage our Services and to provide services such as technical support. In addition, we may collect certain personal information using various tracking technologies, Internet tags, and web beacons such as number of visitors/users of the Online Services, but only in an aggregate and non-personally identifiable form.
For each user of EPL’s Services, EPL’s Web server automatically recognizes and stores computer-readable personal information such as the visitor’s IP address and domain name combination. This is typically anonymous information automatically provided by your computer. We use this personal information to follow visitor traffic patterns through the Services to improve user experience.
INFORMATION COLLECTED THROUGH YOUR USE OF THE SERVICES
When you use the Services, such as EPL’s website or mobile application (the “App”) and related content, we may collect information about your use of these Services. The information automatically collected may include:
Usage Details. Certain details of your access to and use of the App, including traffic data, location data, logs and other communication data and the resources that you access and use on or through the App.
Device Information. Information about your mobile device and internet connection, including the device’s unique device identifier, IP address, operating system, browser type, mobile network information and the device’s telephone number.
Stored Information and Files. Metadata and other information associated with other files stored on your device. This may include, for example, photographs, audio and video clips, personal contacts and address book information.
Geolocation: Our App and mobile versions of our website may collect precise personal information about the location of your mobile device using location awareness technologies such as GPS, Wi-Fi, Bluetooth or cell tower proximity if you have consented to such tracking.
Depending on the permission settings of your personal mobile device(s) and the permission settings you choose for EPL’s mobile application, when using the App we may also collect or have access to your:
- Camera. If you enable this functionality, the App may access the camera to scan and input payment method details.
- Wi-Fi connection information. If you enable this functionality, this may allow the App to view Wi-Fi connections.
- Other. Depending on the transactions or services you choose, the App will send and receive data to and from the Internet, enable network access, control vibration of your device, or prevent your device from sleeping.
By adjusting the permissions either in your mobile device settings or your settings for the App, you may enable or disable location tracking. Please note, however, that even if you disable location services, other means of establishing or estimating location may exist and be used (such as connecting to WiFI, your device’s proximity to a WiFi network, Bluetooth technology, beacons, or our networks). Note also that if you enable location tracking, you may allow the App to track your location in the background, which can decrease battery life.
EPL may combine the personal information you provide through the Services with personal information we may collect off-line from you or from third parties.
INFORMATION COLLECTED BY OR THROUGH THIRD PARTIES
We may work with certain third parties who use one or more automated information collection technologies to collect information about you or your mobile or computing device. These third parties may include:
- Advertisers, ad networks and ad servers.
- Analytics companies.
- Your mobile device manufacturer.
- Your mobile service provider.
We or these third parties may use tracking technologies to collect information about you when you use the App. The information collected may be associated with your personal information or may include information, including personal information, about your online activities over time and across different websites, apps, and other online services websites.
Some functionality provided by the Services may allow you to log in via one or more of your third-party social media accounts or share information or content from the Services in or through your social media platforms. We may combine information we collect about you with information we obtain from these or other publicly or commercially available third party sources, as permitted by law. When you submit information to a third party, you are subject to that third party’s terms of use and privacy policies, for which we are not responsible.
DO-NOT-TRACK AND OTHER CHOICES WITH RESPECT TO ONLINE ADVERTISING
If your Internet browser employs blocking or “Do Not Track” technology that limits recognition or the collection of such computer-readable personal information, EPL will not alter or bypass such technology. EPL does not provide access to third parties to track your personal information through your use of the Services, but EPL may allow third parties to access certain personal information you provide as described in the Use and Disclosure of Your Personal Information Section below. For websites, you may opt-out of certain tracking, however, by disabling cookies through your browser or by visiting the opt-outs provided by the Network Advertising Initiative, Digital Advertising Alliance, and Google.
For more information regarding managing the privacy of your information with respect to online advertising, and to learn how to opt-out of having your information collected by these networks, please visit: http://www.youradchoices.com, http://www.aboutads.info/appchoices, http://www.networkadvertising.org, or https://www.networkadvertising.org/mobile-choice. To opt out in mobile apps, please download the Digital Advertising Alliance’s AppChoices tool at http://www.aboutads.info/appchoices and adjust the advertising preferences on your mobile device. Please note that we are not responsible for the opt out process of third parties.
USE OF YOUR PERSONAL INFORMATION
The privacy of your personal data is important. EPL will only use the personal information we collect about you for the purposes described in this Privacy Policy. Generally, EPL may use the personal information you provide, or that we collect from other sources, for our general business purposes, such as responding to your requests or questions, processing transactions such as food or gift card orders, to fulfill the purpose for which you provided it, communicating about customer service, informing you about others’ products or services you might find interesting, or personalizing our Services to meet your needs or preferences, or for marketing our products and services to you.
More specifically, EPL may use the personal information we collect about you for the following purposes:
- To facilitate your use of the Services;
- To improve your user experience with the Services;
- To conduct or facilitate business transactions, such as processing payment information for food or gift card purchases;
- To enable and facilitate participation in our gift card, mobile app, loyalty and other program;
- To communicate with you about our restaurants and the Services, including through interest-based (behavioral) and other targeted advertising and content;
- To respond to your requests, comments, questions, or feedback;
- To register you for accounts on the Services, such as EPL’s loyalty program;
- To provide you with marketing communications, such as promotions or offers, new product information, and information about our restaurants
- To register you for SMS, email and/or mailing lists for marketing communications;
- To provide location-based services;
- To perform analyses of the various features and functionality of the Services for our marketing purposes;
- To analyze and understand your and other consumers’ interaction with EPL and the Services, including your demographic information, EPL-related behavior and your preferences and interests, so that we may improve our products and the Services to delight our customers;
- To enable “Share With a Friend” or related services. (Note that unless and only where it is permitted by law, we do not use the contact information you provide for “Share With a Friend” functionality for other unrelated purposes without your consent or that of the recipient, if and as applicable.);
- To prevent, identify, investigate, or take action concerning suspected or actual illegal activity, or any activity that violates our policies, either in restaurant or online; or
- For any other purpose, with your consent where appropriate.
With respect to location information in particular, EPL uses this personal information for location-based services that you request, such as locating nearby EPL restaurants, identifying special offers that may be of interest to you, or personalizing your interactions with EPL. For most mobile devices, you can withdraw your permission for EPL to acquire location information through the device settings. If you have questions about how to disable your mobile device’s location services, we recommend you contact your mobile device service provider or the device manufacturer. If you would like us to delete location personal information we have collected, please contact us at the email or postal address listed below. Please note that the applications may not function properly following deletion, and that we may be required by law to retain certain personal information.
See the chart below for more information about how we use personal information we collect about you.
DISCLOSURE OF YOUR PERSONAL INFORMATION
In order to fulfill the purposes described above, we may disclose your personal information to third parties as set forth below:
- To our subsidiaries, affiliates and franchisees who are restricted to using such information in accordance with this Privacy Policy.
- To our vendors and service providers who provide services or perform functions on our behalf, (including but not limited to, Punchh Loyalty, Heartland Payment Systems, IBM Marketing Cloud, Google Analytics, Facebook, Oracle Data Cloud, Place IQ, BlueLithium, Quantcast, Rocket Fuel, and Envysion) who are bound by obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them. This includes providing personal information to social media companies which you connect with the Services and other third parties who provide content, advertising, or other functionality related to the Services.
- To third parties with your consent.
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of EPL’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by EPL’s services’ users is among the assets transferred.
- To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
- To enforce or apply our EPL Website terms of use, Online Ordering Terms of Sale and other agreements, including for billing and collection purposes.
- If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of EPL, our customers, or others. This includes exchanging personal information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
- We may also publicly post on our Services certain user-generated content you submit to us.
We may also disclose aggregated personal information about our users, and personal information that does not identify any individual.
In all instances the personal information will be used only for the purposes enunciated in this Privacy Policy.
EPL fully encourages all parents to supervise their children’s on-line activities and regularly monitor their children’s use of the Internet, including use of EPL’s Services. Parents should consider using parental control tools and other services to assist them in supervising their children’s on-line use or on-line disclosure of their name, address or other personal information without parental consent.
THIRD-PARTY INFORMATION & MOBILE APPLICATION COLLECTION, ANALYSIS AND TRACKING
EPL’s Services and communications through the Services may contain links and pointers to other third party websites, including, without limitation, websites for employment applications, advertising, and social media platforms. This Privacy Policy does not apply to these third party websites, and we are not responsible for the privacy practices, policies, or content of any such third party websites, even if you link to them through the Services or communications related to the Services. We have no control over how such third party websites collect or use personal information, and we have no responsibility for any personal information you provide or content you post on such third party websites. We encourage you to read and understand the privacy policies of any third party websites that you visit.
CORRECTING, ACCESSNG, & DELETING YOUR INFORMATION
You can change or review your personal information by logging into your account on the applications provided through the Services and visiting your account profile page. We cannot delete your personal information except by also deleting your user account. We provide you with the ability to access, rectify, port and erase your data. We store data until such data is no longer necessary to provide our Services or until your account is deleted, whichever comes first. We may not accommodate a request to change information if we believe the change would violate any or legal requirement or cause the information to be incorrect. Regarding information about children, see above re Children Under the Age of 13.
NOTICE TO CALIFORNIA CONSUMERS
This Notice to California Consumers contains the disclosures required under the California Consumer Privacy Act (“CCPA”). For individuals who are California residents, the CCPA requires certain disclosures about the categories of personal information we collect and how we use it, the categories of sources from whom we collect personal information, and the third parties with whom we share it.
California residents may request a list of certain third parties to which we have disclosed personally identifiable information about you for their own direct marketing purposes. You may make a personal information request twice in a 12-month period, so that EPL can collect information from the requesting party so that it can verify your identity, and that EPL will respond within 45 days of receiving a personal information request.
You have the following rights under the CCPA:
- Right to know about personal information collected, disclosed or sold
California residents have the right to request that we disclose what categories of personal information that we collect, use, disclose or sell about you. You may also request the specific pieces of personal information that we have collected about you. You may only make two such requests in a 12-month period, and the information provided need only cover the 12-month period prior to your request.
- Right to request deletion of your personal information
You may also request that we delete any personal information that we have collected from you, provided that we may retain personal information as authorized under the CCPA, including, but not limited to, retaining personal information necessary to provide our Services, detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, debug to identify and repair errors that impair our Site and Services, to enable solely internal uses that are reasonably aligned with your expectations based on the your relationship with us, comply with a legal obligation, or otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which your provided it. If you are a California resident, you may exercise your rights under the CCPA and submit your requests in one of the following methods: (a) by submitting this online form; (b) by calling the following toll free number 877-EPL-4YOU (877-375-4968). You may also receive information about how to submit a request by visiting one of our restaurants.
NOTE: we do not sell your personal information as that term is defined in the CCPA or under Nevada Law (Section Chapter 603A of the Nevada Revised Statutes). We may provide your personal information to service providers that perform services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of EPL. Such service providers are prohibited retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services for us.
In order to submit a request, we will need to verify your identity. If you have an account with us that is password-protected, we may verify your identity through our existing authentication practices for your account. We may request two or more data points of personal information and other proof of identification depending on the nature of the request and the personal information requested to verify your identity.
Please note that following your verified request, we will send you your personal information from the following email address: IRM Notification <no-reply@trustarc.com>. (Any response to your request, including any personal information may be sent as an encrypted file).
We will process and respond to your request within 45 days (in some cases, as is allowed under the CCPA, this process may be extended by an additional 45-90 days).
Please note that once you have submitted a request, we will send you a receipt, acknowledging your request, within 10 days. If, for some reason, you do not receive such a receipt within 10 days of your submitted request, please send us an email to privacy@elpolloloco.com as an error may have occurred.
As a California resident, you also have the right to designate an agent to exercise these rights on your behalf. We may require proof that you have designated the authorized agent to act on your behalf and to verify your identity directly with us. Please contact us at privacy@elpolloloco.com for more information if you wish to submit a request through an authorized agent.
We hereby inform you that if you exercise any of your rights under the CCPA, we may not deny you goods or services for that reason, or subject you to different prices than those paid by other consumers, unless provided otherwise under the CCPA, Federal, or State law.
Notice of Information We Collect
Pursuant to California Civil Section 1798.100(b), this serves as notice of the categories of personal information that we collect through the Site and at our locations and the commercial purposes for which we collected that information. All of the categories of personal information we collect about you (as detailed below) come from the following categories of sources:
- You, including through your use of our Site and Services and on behalf of any students that you enroll for our Services
- Automatically collected from you
- Our affiliate companies and franchisees
- Third parties
In particular, we have collected the following categories of personal information from California consumers within the last twelve (12) months for the following purposes:
Category
Collected
Purpose
A. Identifiers.
YES
Limited to name, email, and ip address, for loyalty, email campaigns, and online ordering systems
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
YES
Limited to name, phone number, address, credit card number, and signature, which may be used for online order processing purposes
C. Protected classification characteristics under California or federal law.
YES
Limited to age and gender which may be used by our loyalty and offers platform
D. Commercial information.
YES
Limited to your El Pollo Loco purchase history
E. Biometric information.
NO
N/A
F. Internet or other similar network activity.
YES
Limited to interactions with the El Pollo Loco website or iOS/Android APPS
G. Geolocation data.
YES
Our App and mobile versions of our website and some 3rd parties such as Facebook may use Geolocation data for advertising and curbside pickup order fulfillment purposes. For any data collected by third party sites, related PII and geolocation history is not stored or shared with El Pollo Loco. With respect to El Pollo Loco’s app and website, any geolocation data used for order fulfillment is not stored or retained by El Pollo Loco.
H. Sensory data.
YES
Limited to video and audio in restaurant through our security camera systems. Used to assure physical safety and security in our restaurants. Not used for identification or linking to consumer activity.
I. Professional or employment-related information.
NO
N/A
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
NO
N/A
K. Inferences drawn from other Personal Information.
YES
Limited to ordering preferences for marketing purposes. Some 3rd parties such as Facebook may be evaluating other preferences or characteristics.
NOTICE OF DISCLOSURES OF PERSONAL INFORMATION FOR A BUSINESS PURPOSE
In the past 12 months we have disclosed the following categories of personal information listed in Section A through K above for one or more business purposes. Such disclosures have been made to service providers and other recipients as listed in the Section entitled “DISCLOSURE OF YOUR PERSONAL INFORMATION.” In addition, please note that user generated content may be disclosed to other users of our website and Services.
The definition of “business purpose” is as follows:
- Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with laws and other standards;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business;
- Debugging to identify and repair errors that impair existing intended functionality;
- Short-term, transient use, provided the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction;
- Undertaking internal research for technological development and demonstration; and
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the company, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
INFORMATION SECURITY
EPL takes great pride and care in maintaining the safety and security of your personal information and in preventing its unauthorized access by employing appropriate technology and internal procedures. When we transmit sensitive personal information through our Services, we protect it by encryption, such as Secure Socket Layer (SSL) protocol. However, EPL does not guarantee that unauthorized access is completely preventable in every circumstance, as no method of electronically storing or transmitting data is completely secure. It is highly recommended that you monitor your credit card activity and use of your personal information on a regular basis.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we strive to protect your personal information, we cannot guarantee the security of your personal information transmitted via our Services. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained in the Services.
CONSENT
Your continued use of the Services constitutes your agreement to this Privacy Policy and any updates. By accepting the terms of this Privacy Policy, you are consenting to the collection and processing of all personal information provided by you through your use of the Services and sharing of such personal information in accordance with the terms of this Privacy Policy.
UPDATES TO OUR PRIVACY POLICY
EPL will update this Privacy Policy annually or if a change in business is impactful to assure that we are open and transparent about the categories and elements of personal information that we collect directly from you. For any material change to this Privacy Policy, particularly any change relating to the collection and use of your personal information, we will notify you (for example, by posting a notice with the Services or sending an e-mail to an e-mail address that you had agreed to provide). You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for visiting our Services and this privacy policy to check for any revisions to stay informed about our use and protection of your personal information.
REVOCATIONS OF POLICY AND QUESTIONS
Please feel free to contact us to discuss concerns or expectations or to raise your concerns and contact authorities if you feel we have not adequately fulfilled our obligations or respected your rights under the law. You may revoke acceptance of the terms of this Privacy Policy, request that your e-mail address or other personal information is not shared, or send any other inquiries about our practices relating to personal information and Privacy Policy by clicking the “PRIVACY REQUEST” button on this policy page.