Privacy Policy

This Privacy Policy describes how Cafe Rio ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you visit our website at caferiomexican.digital, use our online ordering services, interact with our mobile applications, or otherwise engage with our business. We are committed to protecting your privacy and handling your personal data in a transparent, lawful, and responsible manner.

Please read this Privacy Policy carefully before using our website or services. By accessing or using our services, you acknowledge that you have read, understood, and agree to the practices described in this policy. If you do not agree with this policy, please discontinue use of our services immediately.

We reserve the right to update or modify this Privacy Policy at any time. We will notify you of material changes by posting the updated policy on our website with a revised effective date. Your continued use of our services following any changes constitutes your acceptance of the updated policy.

1. About Us and How to Contact Us

Cafe Rio is a food service business operating in the United States. We are dedicated to providing our customers with high-quality Mexican-inspired food and a memorable dining experience. For any questions, concerns, or requests related to this Privacy Policy or your personal data, you may contact us using the following information:

Our privacy team is available to respond to all inquiries regarding personal data within a reasonable timeframe, and in any case, no later than forty-five (45) days from the date of your request, as required under applicable United States privacy laws.

2. Scope of This Privacy Policy

This Privacy Policy applies to all individuals who interact with Cafe Rio through any of the following channels:

• Visiting or browsing our website at caferiomexican.digital
• Placing online orders through our website or third-party delivery platforms
• Subscribing to our email newsletters, promotions, or loyalty programs
• Contacting us via email, phone, or online contact forms
• Participating in surveys, contests, or promotional activities organized by us
• Interacting with us on social media platforms
• Visiting any of our physical restaurant locations

This policy does not apply to third-party websites, services, or applications that may be linked from our website. We encourage you to review the privacy policies of any third-party services you access through links on our website.

3. Information We Collect

We collect various types of information in connection with your use of our services. The categories of personal information we collect are described in detail below.

3.1 Personal Identification Information

When you create an account, place an order, sign up for our loyalty program, or contact us, we may collect the following personal identification information:

• Full name — to identify you and personalize your experience
• Email address — to communicate with you regarding orders, promotions, and account activity
• Phone number — for order confirmations, delivery coordination, and customer support
• Mailing and delivery addresses — to process and fulfill food orders and deliveries
• Date of birth — to verify age eligibility for certain promotions and to personalize your birthday offers
• Username and password — to secure your online account
• Profile photo — if voluntarily provided during account registration

3.2 Financial and Payment Information

When you make a purchase through our website or mobile app, we collect payment-related information necessary to process your transaction. This may include:

• Credit or debit card details (card number, expiration date, CVV)
• Billing address associated with your payment method
• Digital wallet identifiers (e.g., Apple Pay, Google Pay)
• Transaction history and purchase records

Please note that we do not store full payment card numbers on our servers. All payment transactions are processed through PCI DSS-compliant third-party payment processors who adhere to strict industry security standards.

3.3 Order and Transaction Data

We collect information related to the food orders and transactions you place with us, including:

• Menu items selected and order history
• Order preferences, customizations, and special instructions
• Frequency and timing of orders
• Pickup or delivery preferences
• Loyalty points earned and redeemed
• Promotional codes or discounts applied

3.4 Usage Data and Online Activity

When you visit our website or use our digital services, we automatically collect certain technical and usage information, including:

• IP address — to determine your approximate geographic location and detect security threats
• Browser type and version — to optimize the display of our website for your device
• Operating system — to ensure compatibility with our digital services
• Pages visited and time spent on each page — to understand how users navigate our website
• Referring URLs — to understand how you arrived at our website
• Links clicked — to analyze engagement with our website content
• Search terms used on our website — to improve our search functionality and content offerings
• Date and time of visits — to monitor traffic patterns and optimize performance

3.5 Device Information

We may collect information about the devices you use to access our services, including:

• Device type (desktop, mobile, tablet)
• Device identifiers (unique device ID, advertising ID)
• Mobile network information
• Screen resolution and display settings
• App version (if applicable)
• Push notification tokens (if you opt in to notifications)

3.6 Location Data

With your consent, we may collect precise or approximate geolocation data from your device to help you find the nearest Cafe Rio location, provide accurate delivery estimates, and customize your experience based on your region. You may disable location services at any time through your device settings.

3.7 Communications and Customer Support Data

When you contact us for customer support, submit feedback, or participate in surveys, we collect:

• Content of your messages, emails, or online chat conversations
• Records of your communications with our support team
• Survey responses and feedback you provide
• Social media messages or mentions directed at us

3.8 Information from Third Parties

We may also receive information about you from third-party sources, including:

• Social media platforms (if you log in using a social account or interact with our social media presence)
• Third-party food delivery platforms (e.g., DoorDash, Uber Eats, Grubhub)
• Analytics providers and data enrichment services
• Marketing partners and advertising networks
• Publicly available databases and directories

4. How We Use Your Information

We use the personal information we collect for the following purposes:

4.1 Service Provision and Order Fulfillment

• Processing and fulfilling your food orders, both online and in-person
• Coordinating pickup and delivery logistics
• Managing your customer account and loyalty program membership
• Sending order confirmations, receipts, and status updates
• Processing payments and managing billing inquiries
• Responding to your questions, complaints, and customer support requests

4.2 Personalization and User Experience

• Personalizing your browsing experience based on your preferences and order history
• Recommending menu items and promotions tailored to your tastes
• Saving your favorite orders and delivery addresses for future use
• Providing location-based content, such as nearby restaurant locations and local promotions

4.3 Marketing and Communications

• Sending you promotional emails, newsletters, and special offers (with your consent where required)
• Notifying you of new menu items, seasonal specials, and limited-time promotions
• Conducting loyalty program communications and reward notifications
• Delivering targeted advertising through our website and third-party platforms based on your interests
• Inviting you to participate in surveys, contests, or feedback programs

You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email, adjusting your account notification settings, or contacting us directly at [email protected].

4.4 Analytics and Business Intelligence

• Analyzing website traffic, user behavior, and engagement metrics
• Evaluating the performance of our marketing campaigns
• Understanding customer preferences to improve our menu and services
• Generating internal reports and business intelligence insights
• Conducting market research and customer satisfaction analysis

4.5 Legal Compliance and Safety

• Complying with applicable federal and state laws and regulations
• Responding to lawful requests from government authorities, courts, and law enforcement
• Detecting, investigating, and preventing fraudulent transactions and unauthorized access
• Enforcing our Terms of Service and other applicable policies
• Protecting the rights, property, and safety of our company, customers, and the public

5. Legal Basis for Processing

We process your personal information based on one or more of the following legal grounds:

• Contractual necessity: Processing is necessary to fulfill our contractual obligations to you, such as processing your food orders and managing your account.
• Legitimate interests: We process certain data to pursue our legitimate business interests, such as improving our services, detecting fraud, and conducting analytics, provided these interests are not overridden by your rights and interests.
• Consent: Where required by law, we obtain your express consent before processing your data for marketing purposes or other discretionary uses.
• Legal obligation: We process data as required to comply with applicable laws, regulations, and legal processes.

6. Sharing Your Information with Third Parties

We do not sell your personal information to third parties. However, we may share your information with trusted third parties in the following circumstances:

6.1 Service Providers and Business Partners

We engage third-party service providers who perform services on our behalf and who have access to your personal information only to the extent necessary to perform those services. These include:

• Payment processors — to handle credit card and digital payment transactions securely
• Delivery and logistics partners — to coordinate and fulfill food delivery orders
• Cloud hosting providers — to store and manage our website data and infrastructure
• Email service providers — to send transactional and marketing emails
• Analytics providers — such as Google Analytics, to analyze website traffic and user behavior
• Customer relationship management (CRM) platforms — to manage customer interactions and loyalty programs
• Advertising networks — to deliver targeted advertisements on our behalf
• Fraud detection services — to identify and prevent fraudulent transactions

All third-party service providers are contractually obligated to use your information only for the purposes for which it was shared, and to maintain appropriate security standards.

6.2 Legal Requirements and Law Enforcement

We may disclose your personal information when we believe in good faith that such disclosure is necessary to:

• Comply with applicable law, regulation, or legal process, including subpoenas, court orders, or government requests
• Enforce our Terms of Service or other applicable agreements
• Protect the rights, property, or safety of Cafe Rio, our customers, employees, or the public
• Detect, prevent, or address fraud, security, or technical issues

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred to the acquiring entity as part of the transaction. We will notify you via email or a prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.

6.4 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you with third parties for research, marketing, analytics, and other purposes.

7. Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, and similar tracking technologies to enhance your experience on our website, analyze usage patterns, and deliver relevant advertising. Cookies are small text files stored on your device when you visit our website.

7.1 Types of Cookies We Use

You can control cookie preferences through your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being sent. However, disabling certain cookies may affect the functionality of our website. For more detailed information about the cookies we use and how to manage them, please refer to our Cookie Policy available on our website.

8. Data Security

We take the security of your personal information seriously and implement a variety of administrative, technical, and physical safeguards to protect your data from unauthorized access, disclosure, alteration, or destruction. Our security measures include:

• Encryption: We use industry-standard SSL/TLS encryption to protect data transmitted between your browser and our servers.
• Access controls: We restrict access to personal information to authorized employees and contractors who need it to perform their job functions.
• Secure payment processing: All payment transactions are processed through PCI DSS-compliant third-party processors.
• Regular security assessments: We conduct periodic security audits and vulnerability assessments to identify and remediate potential risks.
• Data minimization: We collect only the personal information necessary for the purposes described in this policy.
• Employee training: Our staff receives regular training on data privacy and security best practices.
• Incident response plan: We maintain a documented data breach response plan to detect, contain, and respond to security incidents in a timely manner.

While we make every effort to protect your personal information, no security system is completely impenetrable. We cannot guarantee the absolute security of your data. In the event of a data breach that affects your rights and freedoms, we will notify you and applicable regulatory authorities as required by law.

9. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. The following general retention periods apply:

When personal information is no longer needed for any of our lawful purposes, we securely delete, destroy, or anonymize it in accordance with our data retention procedures.

10. Your Privacy Rights

Depending on your state of residence within the United States, you may have the following rights with respect to your personal information:

10.1 Rights Under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

If you are a resident of California, you have the following rights under the CCPA and CPRA:

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the purposes for which it is used, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale or sharing of your personal information with third parties for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: You may have the right to limit our use of certain sensitive personal information to specific purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge you different prices, or provide a different level of service because you exercised your privacy rights.

To submit a CCPA/CPRA request, please contact us at [email protected] or use the contact form on our website. We will verify your identity before processing your request and respond within forty-five (45) days, which may be extended by an additional forty-five (45) days where reasonably necessary.

10.2 General U.S. Consumer Privacy Rights

Regardless of your state of residence, we strive to honor the following consumer privacy rights in compliance with applicable federal and state laws, including the FTC Act:

• Right to Access: You may request a copy of the personal information we hold about you.
• Right to Correction: You may request that we correct or update inaccurate or incomplete personal information.
• Right to Deletion: You may request that we delete your personal information, subject to legal retention requirements.
• Right to Data Portability: You may request a copy of your personal information in a structured, commonly used, machine-readable format.
• Right to Opt-Out of Marketing: You may opt out of receiving marketing communications from us at any time.
• Right to Withdraw Consent: Where we process your data based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

10.3 How to Exercise Your Rights

To exercise any of the rights described above, please contact us using any of the following methods:

• Email: [email protected] (with the subject line "Privacy Rights Request")
• Website: caferiomexican.digital

We may need to verify your identity before processing your request. Verification may involve confirming your email address, account details, or other identifying information. We will not discriminate against you for exercising your privacy rights.

You may also designate an authorized agent to submit a privacy request on your behalf, provided that the agent provides written proof of their authorization and you verify your identity directly with us.

11. Children's Privacy

Our website and services are not directed to children under the age of 13, and we do not knowingly collect personal information from children. We comply fully with the Children's Online Privacy Protection Act (COPPA), which prohibits the collection of personal information from children under 13 without verifiable parental consent.

If you are between the ages of 13 and 17, you should only use our services with the involvement and consent of a parent or legal guardian. We encourage parents and guardians to monitor their children's online activities and to contact us if they believe their child has provided us with personal information without their consent.

If we discover that we have inadvertently collected personal information from a child under the age of 13, we will promptly delete such information from our systems. If you believe that a child has provided us with personal information, please contact us immediately at [email protected].

12. International Data Transfers

Cafe Rio is based in the United States, and the personal information we collect is primarily stored and processed in the United States. If you access our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

When we transfer personal information internationally, we take appropriate measures to ensure that such transfers comply with applicable privacy laws and that your data is adequately protected. These measures may include:

• Transferring data to countries that have been recognized as providing an adequate level of data protection
• Using standard contractual clauses or other legally approved data transfer mechanisms
• Ensuring that third-party service providers who receive transferred data maintain appropriate safeguards

By using our services and providing us with your personal information, you consent to the transfer and processing of your information in the United States and any other countries where we or our service providers operate.

13. Third-Party Links and Integrations

Our website may contain links to third-party websites, services, and applications, including social media platforms, food delivery apps, and partner websites. These third-party services operate independently and have their own privacy policies, which govern the collection and use of your personal information on their platforms.

We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to review the privacy policies of any third-party services you visit or use. The inclusion of a link on our website does not imply our endorsement of the linked site or service.

Our website may also include social media features, such as "Like" or "Share" buttons, which are hosted by their respective social media platforms. These features may collect your IP address, the pages you visit on our site, and may set cookies to enable the feature to function properly. Your interaction with these features is governed by the privacy policy of the company providing the feature.

14. Do Not Track Signals

Some web browsers include a "Do Not Track" (DNT) feature that sends a signal to websites requesting that your browsing activity not be tracked. Currently, our website does not respond to DNT signals because there is no universally accepted standard for how DNT signals should be interpreted and implemented.

However, we do provide you with meaningful choices regarding the collection and use of your personal information through our cookie management tools, opt-out mechanisms, and privacy rights request process described in this policy.

15. California Shine the Light Law

California Civil Code Section 1798.83 (the "Shine the Light" law) permits California residents to request and receive information once per year, free of charge, about the categories of personal information we disclosed to third parties for direct marketing purposes and the names and addresses of those third parties during the preceding calendar year.

If you are a California resident and wish to make such a request, please contact us at [email protected] with the subject line "California Shine the Light Request." We will respond to your request within thirty (30) days.

16. Nevada Privacy Rights

Nevada residents have the right to opt out of the sale of certain covered information to third parties. If you are a Nevada resident and wish to exercise this right, please contact us at [email protected]. We will respond to your request within sixty (60) days and will not sell your covered information if you opt out.

17. Filing a Complaint

If you believe that we have violated your privacy rights or handled your personal information in a manner inconsistent with this Privacy Policy or applicable law, we encourage you to contact us first so that we can attempt to resolve your concern:

• Email: [email protected]
• Subject line: "Privacy Complaint"

We take all privacy complaints seriously and will investigate your concern promptly. We will respond to your complaint within thirty (30) days of receipt.

If you are not satisfied with our response or believe that we are not processing your personal information in accordance with applicable law, you also have the right to file a complaint with the relevant regulatory authority:

17.1 Federal Trade Commission (FTC)

The FTC enforces federal consumer protection laws, including privacy-related regulations, under the FTC Act. You may file a complaint with the FTC at:

17.2 California Attorney General (for California Residents)

California residents may file complaints with the California Attorney General's Office regarding violations of the CCPA/CPRA:

17.3 California Privacy Protection Agency (CPPA)

The California Privacy Protection Agency (CPPA) is the primary regulatory authority responsible for enforcing California's privacy laws, including the CPRA. California residents may contact the CPPA at:

Residents of other states may contact their respective state attorney general's office or consumer protection agency for guidance on filing a privacy-related complaint.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable laws, or business operations. When we make material changes to this policy, we will:

• Post the updated policy on our website at caferiomexican.digital with a revised "Last Updated" date
• Send an email notification to registered account holders when changes are significant
• Display a prominent notice on our website for a reasonable period following the update

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please do not hesitate to contact our privacy team. We are committed to addressing your inquiries promptly and transparently.

When contacting us with a privacy inquiry or rights request, please include your full name, email address, and a description of your request or concern to help us process your inquiry efficiently. All requests will be handled in strict confidence and in accordance with applicable privacy laws.