Privacy Policy

This Privacy Policy explains how Guzman y Gomez ("we", "us", "our", or "the Company") collects, uses, discloses, stores, and protects your personal information when you visit our website at guzmanygomiz.com, use our mobile application, place orders through our digital platforms, visit our restaurant locations, or otherwise interact with our services. We are committed to handling your personal information responsibly and in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act, as well as any applicable state and territory privacy legislation.

By accessing our website, placing an order, creating an account, signing up to our loyalty program, or otherwise engaging with our services, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with this Policy, please do not use our services or provide us with your personal information.

We encourage you to read this Privacy Policy carefully and in full. If you have any questions, you can contact our Privacy Officer at any time using the details provided in the Contact Us section at the end of this document.


1. About Us

Guzman y Gomez is a food and beverage company operating quick-service Mexican-inspired restaurants across Australia and internationally. Our registered business operations are conducted in Australia, and we are subject to Australian federal and applicable state/territory privacy laws.

Company Name: Guzman y Gomez
Website: guzmanygomiz.com
Email Address: [email protected]

2. Scope of This Privacy Policy

This Privacy Policy applies to all personal information we collect through the following channels:

  • Our website at guzmanygomiz.com and any associated subdomains
  • Our mobile applications available on iOS and Android platforms
  • Our online ordering and delivery platforms
  • In-store interactions, including at our restaurant locations across Australia
  • Our loyalty rewards program and promotional campaigns
  • Customer support communications via email, phone, or live chat
  • Social media platforms and third-party advertising networks where we operate
  • Competitions, surveys, and feedback forms

This Policy applies to customers, website visitors, prospective employees, loyalty program members, and any other individuals whose personal information we handle in the course of our business operations.


3. What Personal Information We Collect

We collect different types of personal information depending on how you interact with us. "Personal information" has the meaning given to it under the Privacy Act 1988 (Cth) and refers to information or an opinion about an identified individual, or an individual who is reasonably identifiable.

3.1 Identity and Contact Information

When you create an account, place an order, or register for our loyalty program, we may collect:

  • Full name
  • Email address
  • Phone number (mobile or landline)
  • Date of birth (for age verification and birthday rewards)
  • Home or delivery address
  • Gender (if you choose to provide it)
  • Profile photo or avatar (if uploaded)

3.2 Transaction and Order Information

When you place an order through our digital platforms or in-store, we may collect:

  • Order history and itemised purchase records
  • Payment method type (e.g., credit card, debit card, digital wallet — note: we do not store full card numbers)
  • Billing address
  • Delivery address and delivery instructions
  • Special dietary requirements or preferences disclosed during ordering
  • Timestamps and location of orders

3.3 Usage and Technical Data

When you access our website or mobile application, we automatically collect certain technical information, including:

  • IP address
  • Browser type and version
  • Operating system and device type
  • Referring URL and exit pages
  • Pages visited and time spent on each page
  • Clickstream data and navigation paths
  • Search terms entered on our website or app
  • App version and crash reports
  • Device identifiers (such as advertising IDs)

3.4 Location Data

With your consent, we may collect precise geolocation data through our mobile application to help you find the nearest Guzman y Gomez restaurant, facilitate delivery services, and provide location-relevant content. You can withdraw consent for location tracking at any time through your device settings. We may also collect approximate location data based on your IP address.

3.5 Loyalty Program and Marketing Data

When you participate in our loyalty rewards program or marketing campaigns, we may collect:

  • Loyalty points balance and transaction history
  • Reward redemptions and offer uptake
  • Marketing preferences and communication opt-in/opt-out status
  • Survey responses and feedback submissions
  • Competition entries and associated responses

3.6 Sensitive Information

We generally do not seek to collect sensitive information (as defined under the Privacy Act 1988), such as health information, racial or ethnic origin, religious beliefs, or biometric data. However, if you voluntarily disclose dietary or allergen requirements (for example, a food allergy or intolerance), this may constitute health information. We will only use such information for the purpose for which it was provided — namely, to accommodate your dietary needs. We will handle any sensitive information you provide with the additional care required under the Australian Privacy Principles.

3.7 Communications and Customer Support Data

When you contact us, we may collect:

  • The content of your communications (emails, chat logs, phone call records)
  • Your stated complaint or enquiry details
  • Records of resolutions provided

4. How We Collect Personal Information

We collect personal information through the following means:

  • Directly from you — when you create an account, place an order, contact us, complete a form, enter a competition, or otherwise interact with us
  • Automatically — through cookies, web beacons, pixels, server logs, and similar tracking technologies when you visit our website or use our app
  • From third parties — such as third-party delivery platforms (e.g., Uber Eats, DoorDash), payment processors, social media platforms (if you log in via a social account), analytics providers, and advertising partners
  • In-store — through loyalty program card scanning, feedback kiosks, or CCTV systems at our restaurant premises

Where practicable, we will collect personal information directly from you. If we collect information about you from a third party, we will take reasonable steps to notify you of this collection, unless doing so would be unreasonable or impracticable in the circumstances.


5. How We Use Your Personal Information

We use your personal information for the following purposes. All uses are consistent with the Australian Privacy Principles and are either necessary for the performance of our services or based on your consent.

5.1 Service Provision and Order Fulfilment

  • Processing and completing your food orders (online and in-store)
  • Arranging delivery of orders to your specified address
  • Managing your account and loyalty program membership
  • Processing payments and issuing receipts
  • Responding to your enquiries and customer support requests
  • Sending transactional communications (e.g., order confirmations, delivery updates)

5.2 Marketing and Promotions

  • Sending you promotional materials, special offers, and newsletters (where you have consented)
  • Personalising marketing content based on your order history and preferences
  • Conducting competitions, prize draws, and promotional campaigns
  • Retargeting advertising on third-party platforms such as Meta (Facebook/Instagram) and Google
  • Informing you about new menu items, restaurant openings, and company news

We will only send you direct marketing communications where you have provided consent or where we are permitted to do so under the Spam Act 2003 (Cth). You may opt out of marketing communications at any time by clicking the "unsubscribe" link in our emails, adjusting your preferences in your account settings, or contacting us directly.

5.3 Analytics and Business Improvement

  • Analysing usage patterns, customer behaviour, and preferences to improve our products and services
  • Conducting market research and customer satisfaction surveys
  • Monitoring website and app performance, identifying bugs and errors
  • Developing new menu items, features, and service offerings
  • Generating aggregated, de-identified statistical reports for internal business planning

5.4 Legal and Compliance Purposes

  • Complying with our legal obligations under applicable Australian legislation
  • Preventing fraud, unauthorised access, and other unlawful activities
  • Responding to lawful requests from government authorities or courts
  • Enforcing our Terms of Service and other agreements
  • Protecting the rights, property, and safety of Guzman y Gomez, our staff, customers, and the public

5.5 Safety and Security

  • Operating CCTV systems in and around our restaurant locations for safety and crime prevention purposes, in accordance with applicable state surveillance and workplace laws
  • Monitoring our digital systems for security threats and unauthorised access

6. Disclosure of Personal Information to Third Parties

We do not sell your personal information to third parties. We may, however, share your personal information with third parties in the following circumstances:

6.1 Service Providers and Business Partners

We engage third-party service providers who assist us in operating our business. These parties are only given access to the personal information they need to perform their specific services and are contractually required to protect your information in accordance with Australian privacy laws. These service providers include:

  • Payment processors and financial institutions
  • Third-party delivery platforms (e.g., Uber Eats, DoorDash, Menulog)
  • IT infrastructure, hosting, and cloud storage providers
  • Email marketing and customer communication platforms
  • Analytics and data intelligence providers (e.g., Google Analytics)
  • Loyalty program technology providers
  • Social media platforms for advertising and remarketing
  • Customer relationship management (CRM) software providers
  • Legal, accounting, and professional advisory firms

6.2 Franchisees

Guzman y Gomez operates through a franchise model. Individual restaurant locations may be operated by franchisees. Where necessary to facilitate your orders or resolve complaints related to a specific franchise location, we may share relevant information with the applicable franchisee. Franchisees are required to handle personal information in accordance with our privacy standards and applicable law.

6.3 Legal and Regulatory Disclosures

We may disclose your personal information to government agencies, law enforcement bodies, regulators, or courts where required or authorised by law, including under the Privacy Act 1988, the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010), or any other applicable legislation.

6.4 Business Transactions

In the event of a merger, acquisition, restructure, asset sale, or similar corporate transaction, your personal information may be transferred to the acquiring or successor entity. We will notify you of any such change in accordance with our obligations under the Privacy Act 1988.

6.5 With Your Consent

We may share your personal information with other parties where you have given us your explicit consent to do so.


7. International Transfers of Personal Information

Guzman y Gomez operates primarily in Australia but may use cloud computing services, software platforms, and service providers whose servers are located outside of Australia — including in the United States, the United Kingdom, the European Union, Singapore, and other countries.

Under Australian Privacy Principle 8, before we disclose your personal information to an overseas recipient, we must take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to your information. We do this by:

  • Entering into data processing agreements with overseas service providers that include privacy and security obligations equivalent to those required under Australian law
  • Selecting vendors that maintain internationally recognised security certifications (e.g., ISO 27001, SOC 2)
  • Conducting due diligence on the privacy practices of overseas recipients

By using our services, you acknowledge that your personal information may be transferred to and processed in countries outside Australia. We take all reasonable steps to ensure your information is protected during such transfers.


8. Cookies and Tracking Technologies

Our website and mobile application use cookies, web beacons, pixels, and similar tracking technologies to improve your experience and gather usage data. Cookies are small text files placed on your device when you visit our website.

8.1 Types of Cookies We Use

Cookie Type | Purpose
Strictly Necessary | Required for the website to function properly (e.g., login sessions, shopping cart)
Performance / Analytics | Collect information about how visitors use our website (e.g., Google Analytics)
Functional | Remember your preferences such as language, location, and order history
Targeting / Advertising | Deliver relevant advertisements and track the effectiveness of our marketing campaigns

You can control cookie settings through your web browser. Most browsers allow you to refuse or delete cookies. However, disabling certain cookies may affect the functionality of our website. For more detailed information about the specific cookies we use, their duration, and how to manage your preferences, please refer to our Cookie Policy.


9. Data Security

We take the security of your personal information seriously and implement a range of technical, administrative, and physical safeguards to protect it from unauthorised access, disclosure, alteration, loss, or destruction. Our security measures include:

9.1 Technical Measures

  • Encryption of data in transit using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protocols
  • Encryption of sensitive data at rest using industry-standard encryption algorithms
  • Secure firewalls and intrusion detection systems
  • Payment Card Industry Data Security Standard (PCI-DSS) compliant payment processing
  • Regular vulnerability assessments and penetration testing
  • Multi-factor authentication for administrative access to systems containing personal information

9.2 Organisational Measures

  • Strict access controls based on the principle of least privilege
  • Regular privacy and security training for all staff who handle personal information
  • Internal privacy policies and data handling procedures
  • Non-disclosure agreements with employees and contractors
  • Regular audits and reviews of data handling practices

9.3 Data Breach Response

Despite our best efforts, no data transmission or storage system is completely secure. In the event of an eligible data breach (as defined under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988), we will:

  • Conduct a prompt assessment of the breach
  • Notify the Office of the Australian Information Commissioner (OAIC) where required
  • Notify affected individuals where the breach is likely to result in serious harm, as required by law
  • Take immediate steps to contain and remediate the breach

10. Data Retention

We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our general retention periods are as follows:

Category of Data | Retention Period
Account and profile information | For the duration of your account, plus 3 years after account closure
Order and transaction records | 7 years (as required for tax and financial record-keeping under the Income Tax Assessment Act 1997)
Marketing preferences and opt-in records | Until you opt out, plus 3 years thereafter
Customer support communications | 3 years from the date of the last interaction
Usage and analytics data | Up to 26 months (varies by analytics tool)
CCTV footage from restaurant premises | Typically 30 days, unless required for an investigation or legal matter
Cookie and tracking data | As specified in our Cookie Policy (typically session to 24 months)

Once data is no longer required, we will securely delete, destroy, or de-identify it in accordance with our data disposal procedures.


11. Your Privacy Rights

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have a number of rights in relation to your personal information. We are committed to facilitating the exercise of these rights in a timely and transparent manner.

11.1 Right of Access

You have the right to request access to the personal information we hold about you. Upon receiving a valid request, we will provide you with a copy of your information within a reasonable timeframe (generally within 30 days). We may charge a reasonable fee for access requests that are complex or require significant resources, and we will notify you of any such fee in advance.

11.2 Right to Correction

If you believe that personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you have the right to request that we correct it. We will take reasonable steps to correct the information within 30 days of receiving your request.

11.3 Right to Deletion (De-identification)

In certain circumstances, you may request that we delete or de-identify your personal information — for example, if you close your account and there is no legal requirement for us to retain the data. We will assess your request and respond accordingly. Note that we may need to retain certain information for legal, regulatory, or legitimate business purposes even after you request deletion.

11.4 Right to Withdraw Consent

Where we process your personal information based on your consent (for example, for direct marketing), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of any processing carried out before you withdrew your consent.

11.5 Right to Opt Out of Direct Marketing

You may opt out of receiving direct marketing communications from us at any time by:

  • Clicking the "unsubscribe" link in any marketing email we send you
  • Logging into your account and updating your communication preferences
  • Contacting us directly at [email protected]

11.6 Right to Make a Complaint

If you believe we have breached your privacy rights or failed to comply with the Australian Privacy Principles, you have the right to make a complaint. Please refer to Section 14 (Complaints) of this Policy for further information.

11.7 How to Exercise Your Rights

To exercise any of the above rights, please submit a written request to our Privacy Officer using the contact details provided in Section 13. We may need to verify your identity before processing your request to ensure we are dealing with the correct individual.


12. Children's Privacy

Guzman y Gomez does not knowingly collect personal information from children under the age of 18. If you are under 18, please do not create an account or submit any personal information to us through our digital platforms.

If we become aware that we have inadvertently collected personal information from a child under the age of 18 without appropriate parental or guardian consent, we will take immediate steps to delete that information from our records. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at [email protected].

Nothing in this section prevents minors from visiting our restaurant locations in person or purchasing food products with the supervision or assistance of a parent or guardian. This restriction applies specifically to the creation of digital accounts and participation in online loyalty programs.


13. Contact Us — Privacy Enquiries

If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal information, please contact our Privacy Officer using the details below:

We aim to acknowledge all privacy enquiries within 5 business days and resolve them within 30 days. If your matter is complex, we may require additional time and will notify you accordingly.


14. How to File a Complaint

14.1 Internal Complaints Process

If you believe that we have mishandled your personal information or breached the Australian Privacy Principles, we encourage you to first raise the matter directly with us by contacting our Privacy Officer at [email protected]. Please provide as much detail as possible about your concern so that we can investigate and respond effectively.

We will acknowledge your complaint within 5 business days and endeavour to resolve it within 30 days. If we require additional time, we will inform you of the expected timeframe and the reasons for the delay.

14.2 External Complaints — Office of the Australian Information Commissioner (OAIC)

If you are not satisfied with our response to your complaint, or if you wish to lodge a complaint directly with the relevant authority, you may contact the Office of the Australian Information Commissioner (OAIC), which is the independent federal body responsible for privacy regulation in Australia:

The OAIC has the power to investigate privacy complaints and, where appropriate, make determinations that may include orders for us to change our practices or to provide remedies to affected individuals. There is no cost to you for lodging a complaint with the OAIC.

14.3 State and Territory Regulators

Depending on the nature of your complaint and the state or territory in which it arose, you may also be entitled to lodge a complaint with the relevant state or territory privacy regulator. For example:

Please note that these state/territory regulators primarily deal with complaints about public sector agencies. For complaints about private sector companies such as Guzman y Gomez, the OAIC is the primary regulatory body.


15. Third-Party Websites and Links

Our website and app may contain links to third-party websites, applications, or services that are operated independently of Guzman y Gomez. This includes delivery platforms, social media platforms, and payment gateways. When you click on such links, you will leave our digital environment and be subject to the privacy policies and terms of those third parties.

We are not responsible for the privacy practices of third-party websites and encourage you to review their privacy policies before providing any personal information. The inclusion of a link on our website does not constitute our endorsement of that third party or its privacy practices.


16. Social Media and User-Generated Content

If you interact with us on social media platforms such as Instagram, Facebook, TikTok, or X (formerly Twitter), or if you tag us in posts or submit user-generated content (e.g., photos, reviews, or comments) through our campaigns, please be aware that:

  • Information you share publicly on social media is visible to other users of those platforms and is subject to the privacy settings you have configured on those platforms
  • We may republish, share, or feature user-generated content in our marketing materials with your consent
  • We do not control and are not responsible for the privacy practices of social media platforms
  • Our social media interactions may be monitored for customer service and compliance purposes

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our business practices, legal obligations, or the regulatory environment. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Policy
  • Post a prominent notice on our website or within our app
  • Where appropriate, notify registered users via email

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our services after the posting of any changes constitutes your acceptance of the updated Policy.

If we make changes that require your consent under the Privacy Act 1988, we will seek that consent before processing your personal information in a new way.


18. Applicable Law and Governing Legislation

This Privacy Policy is governed by and construed in accordance with the following key Australian privacy legislation and related instruments:

  • Privacy Act 1988 (Cth) — the primary federal privacy legislation governing the collection, use, and disclosure of personal information by Australian organisations
  • Australian Privacy Principles (APPs) — Schedule 1 of the Privacy Act 1988, outlining the obligations of APP entities
  • Notifiable Data Breaches (NDB) scheme — Part IIIC of the Privacy Act 1988, governing notification obligations in the event of an eligible data breach
  • Spam Act 2003 (Cth) — governing the sending of commercial electronic messages and providing rights to opt out of marketing communications
  • Competition and Consumer Act 2010 (Cth) — including the Australian Consumer Law, relevant to fair dealing and consumer rights
  • Surveillance Devices Acts — relevant state and territory legislation governing the use of CCTV and other surveillance technologies at our premises

This Privacy Policy was last reviewed and updated on July 1, 2026. If you have any questions about this Policy or our privacy practices, please contact us at [email protected].