Privacy Policy

Welcome to Costa Vida. This Privacy Policy explains how Costa Vida ("we," "us," "our," or "the Company") collects, uses, discloses, and safeguards your personal information when you visit our website at food-costavida.click, place orders through our online platform, participate in our loyalty programs, or interact with us in any other capacity. Please read this policy carefully. By accessing or using our website and services, you acknowledge that you have read, understood, and agree to the practices described herein.

We are committed to protecting your privacy and handling your personal data in a transparent, lawful, and responsible manner. This policy applies to all users located in the United States and is designed to comply with applicable federal and state privacy laws, including the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and the Federal Trade Commission Act (FTC Act), which governs unfair or deceptive trade practices involving consumer data.

If you do not agree with the terms set forth in this Privacy Policy, please refrain from using our website or services. If you have questions or concerns, please contact us at the information provided at the end of this document.

1. Who We Are

Costa Vida is a food service business operating in the United States. Our online platform located at food-costavida.click provides customers with information about our menu offerings, online ordering capabilities, promotional information, and other food-related services. We are committed to delivering an exceptional dining experience while respecting and protecting the privacy of every individual who interacts with our business.

2. Information We Collect

We collect various types of information in connection with your use of our website, mobile services, and food ordering platforms. The categories below describe the personal information we may collect.

2.1 Personal Identification Information

When you create an account, place an order, sign up for our loyalty program, or contact us, we may collect the following personal identifiers:

• Full name
• Email address
• Phone number
• Billing and delivery address
• Date of birth (for age verification and promotional purposes)
• Username and password for your online account
• Profile preferences and dietary restrictions you choose to share with us

2.2 Payment and Financial Information

When you place an order or make a purchase through our website, we collect payment-related information. Please note that full payment card numbers are processed directly by our authorized third-party payment processors and are not stored on our servers. We may retain limited transaction data such as:

• Last four digits of your credit or debit card number
• Billing address associated with your payment method
• Transaction history, including order amounts and dates
• Gift card or coupon codes redeemed

2.3 Order and Transaction Data

To fulfill your food orders and improve our services, we collect:

• Items ordered and customizations requested
• Order frequency and purchasing history
• Special instructions submitted with orders
• Loyalty points earned and redeemed
• Preferred restaurant location or delivery zone

2.4 Device and Technical Information

When you visit our website or use our digital platforms, we automatically collect certain technical information, including:

• IP address
• Browser type and version
• Operating system and device type
• Screen resolution
• Time zone and language settings
• Referring URLs and exit pages
• Pages visited and time spent on each page
• Clickstream data and navigation paths through our website

2.5 Location Information

With your permission, or as part of our delivery and location-based services, we may collect:

• General geographic location based on your IP address
• Precise GPS location data if you grant permission via your mobile device
• Delivery address you provide when placing an order
• Nearest restaurant location preferences

2.6 Communications Data

If you contact us by email, phone, or through contact forms on our website, we may collect and retain:

• The content of your messages and inquiries
• Customer support tickets and responses
• Survey responses and feedback submissions
• Reviews or comments you submit

2.7 Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, and similar tracking technologies to collect information about your browsing behavior on our website. These technologies help us recognize returning visitors, remember your preferences, and analyze site traffic. For a detailed explanation of the cookies we use, please refer to our Cookie Policy available on our website. You may control cookie settings through your browser. Please note that disabling certain cookies may affect the functionality of our website.

2.8 Information Collected from Third Parties

We may receive information about you from third-party sources, including:

• Social media platforms when you connect your account or interact with our social media pages
• Third-party food delivery platforms that facilitate orders on our behalf
• Analytics providers such as Google Analytics
• Advertising partners and marketing networks
• Publicly available sources

3. How We Use Your Information

We use the personal information we collect for the following purposes, each of which is supported by a legitimate interest, legal obligation, or your consent:

3.1 Service Provision and Order Fulfillment

• Processing and fulfilling your food orders, whether for pickup or delivery
• Managing your account and loyalty program membership
• Communicating with you about the status of your orders
• Providing customer support and resolving disputes
• Processing payments and refunds
• Sending order confirmations and receipts via email or SMS

3.2 Analytics and Service Improvement

• Analyzing how users interact with our website and identifying areas for improvement
• Conducting research to understand customer preferences and behaviors
• Monitoring and improving the performance and security of our platform
• Developing new menu items, features, and services based on user feedback
• Generating internal reports and business analytics

3.3 Marketing and Promotional Communications

• Sending you promotional emails, newsletters, and special offers if you have opted in
• Personalizing content and recommendations on our website based on your preferences and order history
• Delivering targeted advertisements on third-party platforms such as social media and search engines
• Administering contests, promotions, sweepstakes, and loyalty rewards programs
• Notifying you about changes to our menu, locations, or services

You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any promotional email or by contacting us at [email protected]. Opting out of marketing communications will not affect our ability to send you transactional messages related to your orders.

3.4 Legal and Compliance Purposes

• Complying with applicable federal, state, and local laws and regulations
• Responding to lawful requests from government authorities and law enforcement
• Enforcing our Terms of Service and other applicable agreements
• Detecting, preventing, and addressing fraud, security breaches, and other prohibited activities
• Exercising or defending legal claims

4. Legal Bases for Processing Personal Information

While the CCPA/CPRA does not require us to identify a specific legal basis for processing in the same manner as the GDPR, we process your personal information in accordance with the FTC Act and applicable state consumer protection laws. Our processing activities are based on the following grounds:

• Contractual necessity: Processing required to fulfill your orders and deliver services you have requested.
• Legitimate interests: Processing necessary for our business interests, such as fraud prevention, security, and service improvement, where these interests are not overridden by your rights.
• Legal obligation: Processing required to comply with applicable laws and regulations.
• Consent: Processing based on your affirmative consent, such as subscribing to marketing communications. You may withdraw consent at any time.

5. Sharing Your Information with Third Parties

We do not sell, rent, or lease your personal information to third parties for monetary compensation. However, we may share your information with trusted partners and service providers under specific circumstances as described below.

5.1 Service Providers and Business Partners

We engage third-party companies and individuals to assist us in operating our business, providing services on our behalf, and improving our offerings. These service providers are authorized to use your personal information only as necessary to perform services for us and are contractually obligated to protect your data. Categories of service providers include:

• Payment processors and financial institutions (e.g., credit card processors)
• Food delivery platform partners (e.g., DoorDash, Uber Eats, Grubhub, or similar services)
• Cloud hosting and data storage providers
• Email and SMS marketing platforms
• Customer relationship management (CRM) software providers
• Analytics and performance monitoring services (e.g., Google Analytics)
• Advertising and retargeting partners
• IT security and fraud prevention services

5.2 Legal Requirements and Law Enforcement

We may disclose your personal information if required to do so by law, or in response to valid legal process, including:

• Court orders, subpoenas, or other judicial or administrative proceedings
• Requests from federal, state, or local law enforcement authorities
• Regulatory or governmental agency investigations
• Situations where we believe disclosure is necessary to protect the rights, property, or safety of Costa Vida, our customers, or the public

5.3 Business Transfers

In the event of a merger, acquisition, corporate reorganization, sale of business assets, or other similar transaction, your personal information may be transferred as part of the business assets. We will provide notice via a prominent posting on our website and, where required by law, obtain your consent before your personal information is transferred and becomes subject to a different privacy policy.

5.4 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you with third parties for purposes including research, marketing, analytics, and service improvement. This data is no longer considered personal information and is not subject to the restrictions in this Privacy Policy.

6. Data Security

We take the security of your personal information seriously and implement a variety of technical, administrative, and physical safeguards to protect your data against unauthorized access, disclosure, alteration, or destruction. Our security measures include, but are not limited to:

• Encryption: We use SSL/TLS encryption to protect data transmitted between your browser and our servers. Sensitive data, including payment information, is encrypted both in transit and at rest.
• Access controls: Access to personal information is restricted to authorized employees and service providers who need the information to perform their job functions. We use role-based access controls and multi-factor authentication for system access.
• Secure payment processing: We partner with PCI DSS-compliant payment processors to handle payment card information securely. Full card numbers are never stored on our systems.
• Regular security assessments: We conduct periodic security audits, vulnerability assessments, and penetration testing to identify and address potential weaknesses in our systems.
• Incident response: We maintain an incident response plan to address potential data breaches promptly. In the event of a data breach, we will notify affected individuals and regulatory authorities as required by applicable law.
• Employee training: Our employees receive regular training on data protection best practices and security protocols.

7. Your Privacy Rights

Depending on your state of residence, you may have certain rights regarding your personal information. We are committed to honoring these rights in accordance with applicable law.

7.1 California Residents — CCPA/CPRA Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (such as when retention is necessary to fulfill a transaction, comply with a legal obligation, or detect security incidents).
• Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
• Right to Opt Out of Sale or Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising purposes. We do not sell personal information for monetary compensation, but we may share it with advertising partners as described in this policy. To opt out, please contact us at [email protected].
• Right to Limit Use of Sensitive Personal Information: You have the right to request that we limit our use of sensitive personal information to purposes strictly necessary for providing our services.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. This means we will not deny you services, charge you different prices, or provide you with a lower quality of service because you exercised your privacy rights.

7.2 Rights Available to All US Users

Regardless of your state of residence, we extend the following privacy rights to all users of our platform:

• Right to Access: You may request a copy of the personal information we hold about you by logging into your account or submitting a request to [email protected].
• Right to Correction: If you believe any personal information we hold about you is inaccurate or incomplete, you may request a correction by contacting us directly.
• Right to Deletion: You may request deletion of your personal data, subject to our legal obligations and legitimate business needs.
• Right to Opt Out of Marketing: You may opt out of promotional communications at any time by following unsubscribe instructions or contacting us.
• Right to Data Portability: Where technically feasible, you may request a copy of your personal data in a structured, commonly used, and machine-readable format.

7.3 How to Submit a Privacy Rights Request

To exercise any of the rights described above, you may:

• Email us at: [email protected] with the subject line "Privacy Rights Request"
• Visit our website at food-costavida.click and use the contact form provided

We will respond to verifiable consumer requests within 45 days of receipt. We may extend this period by an additional 45 days when reasonably necessary, and we will notify you of any such extension within the initial 45-day period. We may need to verify your identity before processing your request by asking you to confirm information associated with your account. We will not charge a fee for processing your request unless it is excessive, repetitive, or manifestly unfounded.

7.4 Authorized Agents

California residents may designate an authorized agent to submit requests on their behalf. To authorize an agent, you must provide written permission to the agent to act on your behalf and verify your identity directly with us. We reserve the right to deny requests from agents who do not submit proof of authorization.

8. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your experience, analyze website traffic, and deliver personalized content and advertising. Cookies are small text files placed on your device when you visit our website. We use the following types of cookies:

• Essential Cookies: Necessary for the operation of our website, such as enabling you to log in, maintain your shopping cart, and process orders.
• Performance and Analytics Cookies: Used to collect information about how visitors use our website, such as which pages are visited most frequently. This information is aggregated and anonymous.
• Functionality Cookies: Allow us to remember your preferences, such as your preferred restaurant location, language settings, and saved menu customizations.
• Targeting and Advertising Cookies: Used to deliver advertisements relevant to your interests on our website and third-party platforms. These cookies may track your browsing habits across different websites.

You may control cookie preferences through your browser settings or through cookie consent tools available on our website. Please note that disabling essential cookies may impair your ability to use our services effectively. For more detailed information about our use of cookies, please see our full Cookie Policy available on food-costavida.click.

9. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. The following retention periods apply:

After the applicable retention period expires, personal information will be securely deleted or anonymized in accordance with our data disposal procedures.

10. Children's Privacy

Our website and services are not directed at children under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA). If you are under 18 years of age, please do not use our website or submit any personal information without the supervision and consent of a parent or legal guardian.

If we become aware that we have inadvertently collected personal information from a child under the age of 13 without verifiable parental consent, we will take immediate steps to delete such information from our records. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at [email protected] so that we can take appropriate action.

11. International Data Transfers

Costa Vida operates within the United States, and the primary processing of your personal data occurs within the United States. However, some of our third-party service providers, including cloud hosting companies, analytics platforms, and marketing tools, may be based in or process data in countries outside of the United States.

When we transfer personal data internationally, we take steps to ensure that adequate protections are in place to safeguard your information in accordance with applicable US law. These protections may include:

• Executing data processing agreements with service providers that include standard data protection provisions
• Verifying that service providers adhere to recognized security frameworks and privacy standards
• Limiting the data transferred to only what is necessary for the specific service being provided

If you are accessing our website from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where privacy laws may differ from those in your jurisdiction. By using our website and services from outside the United States, you consent to the transfer of your information to the United States in accordance with this Privacy Policy.

12. Third-Party Websites and Links

Our website may contain links to third-party websites, platforms, or applications, including social media pages, delivery partner platforms, and promotional partners. This Privacy Policy applies only to information collected through our website at food-costavida.click and our directly operated services. We are not responsible for the privacy practices or content of any third-party websites. We encourage you to review the privacy policies of any third-party sites you visit through links on our website before providing them with any personal information.

13. Social Media and Third-Party Login Features

Our website may offer features that allow you to connect your social media accounts or use third-party login credentials (such as "Sign in with Google" or "Sign in with Facebook") to access our services. When you use these features, the third-party platform may share certain profile information with us, such as your name, email address, and profile photo, in accordance with their own privacy policies and your account settings.

We may also use social media plugins, share buttons, and embedded content that allow social media platforms to collect information about your interaction with our website, even if you do not click on the plugin or button. The collection and use of information by these social media platforms is governed by their respective privacy policies, which we encourage you to review.

14. Do Not Track Signals

Some web browsers include a "Do Not Track" (DNT) feature that transmits a signal to websites indicating that the user does not wish to be tracked. Currently, our website does not respond to DNT signals because there is no universally accepted standard for interpreting such signals. We will continue to monitor developments in this area and update our practices as industry standards evolve. California residents may exercise their opt-out rights under the CCPA/CPRA as described in Section 7 of this Privacy Policy.

15. Filing Complaints with Data Protection Authorities

If you believe that we have not handled your personal information in accordance with applicable law or this Privacy Policy, we encourage you to contact us first at [email protected] so that we can investigate your concern and work toward a resolution.

If you are not satisfied with our response, you may have the right to file a complaint with the appropriate regulatory authority. In the United States, relevant authorities include:

• Federal Trade Commission (FTC): The FTC enforces federal consumer protection laws, including protections relating to privacy and data security. You may file a complaint at reportfraud.ftc.gov or call 1-877-FTC-HELP (1-877-382-4357).
• California Privacy Protection Agency (CPPA) — for California residents: The CPPA enforces the CCPA/CPRA. You may file a complaint at cppa.ca.gov.
• State Attorney General's Office: Residents of other states may contact their state's Attorney General office for consumer protection inquiries related to data privacy.

16. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our business practices, legal requirements, or service offerings. When we make material changes to this policy, we will:

• Post the revised policy on this page with an updated "Last Updated" date
• Send an email notification to registered account holders at the email address we have on file
• Display a prominent notice on our website homepage for a reasonable period following the change

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our website and services after any modifications to this Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the updated policy, please discontinue use of our services and contact us to request deletion of your personal information.

17. Contact Us

If you have any questions, concerns, comments, or requests related to this Privacy Policy or our data practices, please do not hesitate to contact our privacy team using the information below:

We will make every effort to respond to your inquiry within 30 business days. For requests involving your rights under the CCPA/CPRA, we will respond within the timeframes required by applicable law as described in Section 7 of this Privacy Policy.