Privacy Policy

This Privacy Policy describes how Costa Vida ("we," "us," "our," or the "Company") collects, uses, discloses, and safeguards your personal information when you visit our website at vidacosta.digital, place orders online, use our mobile applications, visit our restaurant locations, or otherwise interact with our services (collectively, the "Services"). Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described herein.

We are committed to protecting your privacy and handling your personal information with transparency, integrity, and in compliance with applicable United States federal and state privacy laws, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA), the Federal Trade Commission Act (FTC Act), and other applicable regulations.

1. About Us

Costa Vida is a food service business operating in the United States. We provide fresh, made-from-scratch Mexican-inspired food through our restaurant locations and digital ordering channels.

For any privacy-related questions, concerns, or requests, you may contact us directly at the email address listed above. We will make every effort to respond to your inquiry within a reasonable timeframe, and no later than 45 days as required under applicable law.

2. Information We Collect

We collect various categories of personal information depending on how you interact with us. Below is a comprehensive breakdown of the types of data we may collect:

2.1 Personal Identification Information

When you create an account, place an order, join our loyalty or rewards program, participate in a promotion, or otherwise engage with our Services, we may collect:

• Full name
• Email address
• Phone number
• Mailing or delivery address (including street address, city, state, and ZIP code)
• Date of birth (for loyalty rewards and age verification purposes)
• Username and password (for account holders)
• Profile photo (if voluntarily uploaded)

2.2 Payment and Transaction Information

When you make a purchase through our website, app, or in-store kiosks, we or our authorized payment processors may collect:

• Credit or debit card details (processed securely — we do not store full card numbers)
• Billing address
• Transaction history, including order details, amounts, dates, and locations
• Gift card or promotional code usage

2.3 Usage and Behavioral Data

When you visit our website or use our mobile application, we automatically collect certain information about your device and behavior, including:

• IP address
• Browser type and version
• Operating system and device type
• Pages viewed and features used
• Date and time of access
• Referring URLs (the website that directed you to ours)
• Click-stream data and navigation paths
• Time spent on individual pages
• Search queries made within our platform

2.4 Location Information

With your permission or based on your IP address, we may collect:

• Precise geolocation data (if you enable location services on your device)
• Approximate location based on your IP address
• Location of the restaurant you visit or select for ordering purposes

2.5 Communications and Feedback

If you contact us directly, submit feedback, complete a survey, or engage with our customer service team, we may collect:

• Content of your messages, emails, or live chat transcripts
• Customer support tickets and correspondence history
• Survey responses and ratings
• Social media interactions (comments, messages, tags)

2.6 Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, and similar tracking technologies to collect information about your browsing activities. Please refer to Section 8 of this Privacy Policy for detailed information about our use of cookies and your options for managing them.

2.7 Information from Third Parties

We may receive information about you from third-party sources, such as:

• Social media platforms (if you connect your social account or engage with our social pages)
• Online ordering and delivery platforms (e.g., third-party delivery services)
• Marketing and analytics partners
• Loyalty program integrations
• Publicly available sources

3. How We Use Your Information

We use the personal information we collect for the following purposes:

3.1 Providing and Managing Our Services

• Processing and fulfilling your food orders (online, in-app, or in-store)
• Creating and managing your account
• Facilitating payment processing and issuing receipts
• Operating and maintaining our loyalty and rewards program
• Sending order confirmations, updates, and delivery notifications
• Responding to customer service requests and resolving disputes

3.2 Personalization and User Experience

• Personalizing your experience by remembering preferences and past orders
• Suggesting menu items based on your order history
• Displaying location-relevant information such as nearby restaurant hours and menus

3.3 Marketing and Communications

• Sending promotional emails, newsletters, and offers (only where you have provided consent or as otherwise permitted by law)
• Notifying you about new menu items, limited-time offers, and special events
• Conducting targeted advertising on third-party platforms based on your interests and behaviors
• Sending SMS or push notifications where you have opted in

You may opt out of marketing communications at any time by clicking "unsubscribe" in any marketing email, replying "STOP" to any SMS message, or contacting us at [email protected].

3.4 Analytics and Performance Improvement

• Analyzing website and app usage to improve our digital platforms
• Monitoring service performance and diagnosing technical problems
• Conducting internal research and business analysis to better understand customer needs
• Developing new products, features, and menu offerings

3.5 Legal Compliance and Safety

• Complying with applicable federal, state, and local laws and regulations
• Responding to legal process, court orders, or government requests
• Preventing fraud, unauthorized transactions, and other illegal activities
• Enforcing our Terms of Service and other policies
• Protecting the rights, property, or safety of Costa Vida, our customers, and the public

4. How We Share Your Information

We do not sell your personal information to third parties for their own independent use. However, we may share your information in the following circumstances:

4.1 Service Providers and Business Partners

We work with trusted third-party vendors and service providers who assist us in operating our business. These parties are contractually obligated to protect your information and may only use it for the purposes we specify. Categories of service providers include:

• Payment processors: To securely handle credit card and payment transactions
• Cloud hosting and IT providers: For data storage, security, and website infrastructure
• Analytics providers: Such as Google Analytics, to help us understand usage patterns
• Email and SMS marketing platforms: To send communications on our behalf
• Delivery and logistics partners: When you place a delivery order
• Customer service platforms: To manage support tickets and communications
• Loyalty and rewards program administrators

4.2 Franchise Operators

Costa Vida operates through a franchise model. Information related to transactions at specific franchise locations may be shared with the franchise operator of that location solely for purposes of fulfilling your order and providing customer service.

4.3 Legal and Regulatory Disclosures

We may disclose your personal information when required by law or in response to valid legal process, including:

• Subpoenas, court orders, or government investigations
• Requests from law enforcement agencies
• Compliance with applicable federal or state regulations
• Protection of the rights and safety of our employees, customers, or the public

4.4 Business Transfers

In the event of a merger, acquisition, sale of assets, reorganization, or similar corporate transaction, your personal information may be transferred to the acquiring party. We will notify you via email and/or a prominent notice on our website prior to your information being transferred and becoming subject to a different privacy policy.

4.5 With Your Consent

We may share your information with third parties when you have expressly consented to such sharing, including when you choose to participate in co-branded promotions or third-party integrations.

5. Data Security

Costa Vida takes the security of your personal information seriously. We implement a variety of technical, administrative, and physical safeguards designed to protect your data against unauthorized access, disclosure, alteration, and destruction. Our security measures include:

• Encryption: We use Secure Socket Layer (SSL) / Transport Layer Security (TLS) encryption to protect data transmitted between your browser and our servers.
• Access controls: Access to personal information is restricted to authorized personnel who need it to perform their job functions.
• Secure payment processing: Payment card data is processed by PCI-DSS compliant payment processors. We do not store full payment card numbers on our systems.
• Regular security assessments: We conduct periodic security audits and vulnerability assessments of our systems and infrastructure.
• Employee training: Our team members receive regular training on privacy and data security best practices.
• Incident response plan: We maintain a data breach response plan to ensure prompt action in the event of a security incident.

Despite our best efforts, no method of data transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data. If you believe your account has been compromised, please contact us immediately at [email protected].

6. Your Privacy Rights

Depending on your state of residence, you may have certain rights with respect to your personal information. We honor all legally granted rights under applicable U.S. law, including rights available under the CCPA/CPRA for California residents.

6.1 Right to Know and Access

You have the right to request information about the categories and specific pieces of personal information we have collected about you, the purposes for which we use it, and the categories of third parties with whom we share it.

6.2 Right to Correct

You have the right to request that we correct inaccurate personal information that we hold about you.

6.3 Right to Delete

You have the right to request that we delete personal information we have collected about you, subject to certain exceptions (e.g., where retention is required by law or necessary to complete a transaction).

6.4 Right to Data Portability

Where technically feasible, you may request a copy of your personal information in a structured, commonly used, and machine-readable format.

6.5 Right to Opt Out of Sale or Sharing

Under the CCPA/CPRA, California residents have the right to opt out of the "sale" or "sharing" of their personal information for cross-context behavioral advertising purposes. While we do not sell personal information for monetary consideration, some of our data-sharing activities with advertising partners may qualify as "sharing" under California law. You may exercise this right by contacting us at [email protected].

6.6 Right to Limit Use of Sensitive Personal Information

California residents have the right to limit our use of sensitive personal information (such as precise geolocation, account credentials, and health data) to purposes reasonably necessary to provide our Services.

6.7 Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. This means we will not deny you goods or services, charge different prices, or provide a different level of service because you exercised your rights under applicable privacy law.

6.8 How to Submit a Privacy Request

To exercise any of the rights described above, please contact us using one of the following methods:

• Email: [email protected]
• Website: vidacosta.digital

We will verify your identity before processing your request to protect the security of your information. We aim to respond to all verified requests within 45 days. If we require additional time (up to 90 days total), we will notify you of the extension and the reason for the delay. We may need to verify your identity before fulfilling your request by asking you to confirm information associated with your account.

6.9 Authorized Agents

California residents may designate an authorized agent to submit privacy requests on their behalf. The authorized agent must provide written authorization signed by you, and we may still require you to verify your identity directly with us.

7. Cookie Policy Summary

We use cookies and similar tracking technologies on our website and digital platforms. Cookies are small text files stored on your device that help us recognize you, remember your preferences, and improve your experience.

7.1 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for the operation of our website, including logging in, shopping cart functionality, and order processing. These cannot be disabled.
• Performance and Analytics Cookies: Help us understand how visitors interact with our website by collecting anonymous usage statistics (e.g., Google Analytics).
• Functional Cookies: Allow us to remember your preferences and settings, such as your preferred restaurant location or language.
• Marketing and Advertising Cookies: Used to deliver relevant advertisements to you on our website and third-party platforms based on your interests and browsing behavior.

7.2 Managing Your Cookie Preferences

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling certain cookies may affect the functionality of our website. You may also opt out of certain third-party advertising cookies by visiting the Network Advertising Initiative Opt-Out Tool or the Digital Advertising Alliance Opt-Out Page.

For a more comprehensive explanation of our cookie practices, please review our full Cookie Policy, available on our website at vidacosta.digital.

8. Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. The specific retention period for different categories of data is as follows:

When personal information is no longer needed, we will securely delete, destroy, or anonymize it in accordance with our internal data retention procedures.

9. Children's Privacy

Our Services are intended for use by individuals who are 18 years of age or older. We do not knowingly collect, use, or disclose personal information from children under the age of 13. If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take immediate steps to delete such information from our records.

We do not direct our digital marketing activities toward minors. Our website, mobile application, and online ordering systems are designed for adult consumers. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us at [email protected] and we will promptly address the matter.

For users between the ages of 13 and 17, we strongly encourage parental or guardian supervision when interacting with our digital Services. Under the CCPA/CPRA, we do not sell or share the personal information of consumers we know to be under the age of 16 without affirmative opt-in consent.

10. International Data Transfers

Costa Vida is headquartered and operates primarily within the United States. All personal information we collect is processed and stored on servers located within the United States. If you are accessing our Services from outside the United States, please be aware that your information will be transferred to, processed, and stored in the United States, where data protection laws may differ from those in your country of residence.

By using our Services from outside the United States, you consent to the transfer of your personal information to the United States for processing in accordance with this Privacy Policy. We take reasonable steps to ensure that any international transfer of data is conducted with appropriate safeguards to protect your privacy rights.

11. Third-Party Links and Services

Our website and application may contain links to third-party websites, social media platforms, or embedded content from other providers (such as third-party delivery services or review platforms). We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access through our platform. This Privacy Policy applies only to information collected directly by Costa Vida through our own Services.

12. California-Specific Privacy Disclosures

In addition to the rights described in Section 6, California residents have the following rights and disclosures under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

12.1 Categories of Personal Information Collected in the Past 12 Months

• Identifiers (name, email address, phone number, IP address)
• Commercial information (purchase history, preferences)
• Internet or electronic network activity information (browsing behavior, interactions with our website)
• Geolocation data (approximate or precise, depending on device settings)
• Sensory information (photos submitted voluntarily)
• Inferences drawn from collected data to create a customer profile

12.2 Shine the Light Law

Under California Civil Code Section 1798.83 (the "Shine the Light" law), California residents who have an established business relationship with us may request information about the categories of personal information we have shared with third parties for their direct marketing purposes during the preceding calendar year. To make such a request, please contact us at [email protected].

12.3 Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals to websites. We currently do not modify our data collection practices in response to DNT signals, as there is no universal standard for their implementation. However, you may opt out of certain tracking activities as described in Section 7 (Cookie Policy Summary).

13. Your Choices and Opt-Out Options

We want to ensure you have control over your personal information. Here is a summary of your choices:

• Account Information: You may update or correct your account information at any time by logging into your account on our website or app.
• Marketing Emails: Click "unsubscribe" at the bottom of any marketing email we send, or contact us at [email protected].
• SMS Messages: Reply "STOP" to any promotional text message to opt out of future SMS communications.
• Push Notifications: Disable push notifications through your device's notification settings.
• Cookies: Manage your cookie preferences through your browser settings or our cookie preference tool (where available).
• Location Services: Disable location access through your device settings at any time.

14. Filing a Complaint

If you believe your privacy rights have been violated, or if you are dissatisfied with how we have handled your personal information or privacy request, we encourage you to contact us first so we can attempt to resolve the matter directly:

• Email: [email protected]
• Website: vidacosta.digital

If you are a California resident and are not satisfied with our response, you may file a complaint with the California Privacy Protection Agency (CPPA):

For concerns related to deceptive or unfair business practices under federal law, you may also contact the Federal Trade Commission (FTC):

Residents of other states may also have rights under their respective state privacy laws. We are committed to honoring all legally granted privacy rights regardless of your state of residence.

15. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our business practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:

• Posting the updated Privacy Policy on our website at vidacosta.digital with a new "Last Updated" date
• Sending an email notification to registered account holders
• Displaying a prominent notice on our website or mobile application

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically to stay informed about how we are protecting your information.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to reach out to us:

We are dedicated to addressing your privacy concerns promptly and transparently. Our team will make every effort to respond to your inquiry within 45 days of receipt, or sooner where legally required or operationally feasible.