Privacy Policy
This Privacy Policy describes how Guzman y Gomez ("we", "us", "our", or "the Company") collects, uses, discloses, stores, and protects your personal information when you visit our website at gyg-au.com, use our mobile applications, place orders, participate in loyalty programs, or otherwise interact with our food services and digital platforms. We are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act, as well as all other applicable Australian privacy and consumer protection laws.
By accessing our website, using our app, placing an order, or otherwise providing us with your personal information, you acknowledge that you have read, understood, and agree to the terms set out in this Privacy Policy. If you do not agree with this policy, please discontinue use of our services immediately.
We encourage you to read this document carefully and contact us if you have any questions or concerns about how we handle your personal information.
1. About Us and Our Commitment to Privacy
Guzman y Gomez is an Australian food and restaurant business operating through its website at gyg-au.com and associated digital platforms. We operate restaurants and food service outlets across Australia and provide online ordering, delivery services, loyalty programs, and other food-related services to our customers.
We recognise that privacy is a fundamental right. Our approach to collecting and handling personal information is guided by the following principles:
- We only collect personal information that is necessary for the purposes outlined in this policy.
- We collect personal information by fair and lawful means.
- We take reasonable steps to ensure that the personal information we hold is accurate, up to date, and complete.
- We protect personal information from misuse, interference, loss, and unauthorised access or disclosure.
- We respect your rights to access and correct your personal information.
Our contact details for privacy-related matters are as follows:
| Company Name | Guzman y Gomez |
|---|---|
| Website | gyg-au.com |
| Email Address | [email protected] |
2. What Personal Information We Collect
We collect various types of personal information depending on how you interact with us. "Personal information" has the meaning given to it under the Privacy Act 1988 (Cth), which is information or an opinion about an identified individual or an individual who is reasonably identifiable.
2.1 Information You Provide Directly
When you create an account, place an order, contact our customer service team, participate in promotions, or otherwise engage with our services, you may provide us with personal information including:
- Identity Information: Your full name, date of birth, and gender (where provided).
- Contact Information: Email address, phone number, and physical address (including delivery addresses).
- Account Credentials: Username, password, and security questions and answers.
- Payment Information: Credit or debit card details, billing address, and payment method preferences. Note that full card details are processed securely by our third-party payment providers and are not stored on our own servers.
- Order Information: Details of the food and beverages you order, your order history, customisation preferences, dietary requirements, and any special instructions you provide.
- Loyalty Program Information: Points balances, rewards history, preferences, and participation records in our loyalty or promotional programs.
- Communications: Any information you submit when you contact our customer service team, provide feedback, complete surveys, or write reviews, including the content of your messages.
- User-Generated Content: Photos, comments, or other content you submit via our platform or in connection with our promotions.
2.2 Information Collected Automatically
When you visit our website or use our mobile applications, we automatically collect certain technical and usage information, including:
- Device Information: Device type, operating system, browser type and version, device identifiers (such as IP address and mobile device ID), screen resolution, and language settings.
- Usage Data: Pages viewed, links clicked, time and date of access, session duration, referring and exit URLs, search queries entered on our platform, and navigation paths through our website or app.
- Location Data: Approximate or precise geolocation data where you permit location access on your device. This helps us identify nearby restaurant locations and provide relevant delivery options.
- Log Data: Server logs, error reports, and performance data generated during your interactions with our digital services.
- Cookie and Tracking Data: Information collected through cookies, web beacons, pixels, and similar tracking technologies as described further in Section 8 of this policy.
2.3 Information From Third Parties
We may also receive personal information about you from third parties, including:
- Social Media Platforms: If you choose to log in or connect your account with a social media service (such as Facebook or Google), we may receive information from that platform, such as your name, email address, and profile picture, subject to your privacy settings on that platform.
- Delivery Partners: Third-party delivery platforms such as Uber Eats, DoorDash, or Menulog may share your order and contact information with us in connection with orders placed through those platforms.
- Payment Processors: Our payment service providers may share transaction confirmation and fraud prevention information with us.
- Analytics Providers: We may receive aggregated or de-identified usage and marketing analytics from our analytics service providers.
- Marketing Partners: We may receive information from our marketing partners in connection with joint promotions or advertising campaigns, subject to your consent where required.
3. How We Use Your Personal Information
We use the personal information we collect for the following purposes, all of which are consistent with our obligations under the Australian Privacy Principles:
3.1 Providing and Managing Our Services
- Processing and fulfilling your food orders, including online orders and delivery arrangements.
- Creating and managing your customer account.
- Processing payments and managing billing-related matters.
- Facilitating and administering our loyalty and rewards programs.
- Responding to your enquiries, complaints, and customer service requests.
- Sending you order confirmations, receipts, and updates regarding your transactions.
- Enabling you to save favourite orders, customise your preferences, and access your order history.
3.2 Improving Our Products and Services
- Conducting research, analysis, and testing to improve the quality of our food, service, and customer experience.
- Analysing usage patterns and trends to optimise our website, app, and restaurant operations.
- Developing new menu items, products, and services based on customer preferences and feedback.
- Monitoring and improving the performance and security of our digital platforms.
3.3 Marketing and Communications
- Sending you promotional offers, special deals, and marketing communications about Guzman y Gomez products and services, where you have consented to receive such communications or where we are otherwise permitted to do so under applicable law.
- Personalising the content, recommendations, and offers you see on our website, app, and in our communications based on your order history, preferences, and behaviour.
- Conducting customer satisfaction surveys and market research.
- Managing competitions, promotions, and giveaways in which you choose to participate.
You can opt out of receiving marketing communications at any time by clicking the "unsubscribe" link in any email we send, adjusting your notification preferences in your account settings, or contacting us at [email protected].
3.4 Legal and Compliance Purposes
- Complying with applicable laws, regulations, and legal obligations, including those under the Privacy Act 1988 (Cth), the Competition and Consumer Act 2010 (Cth), and relevant state and territory food safety and consumer protection legislation.
- Enforcing our Terms of Service and other agreements with you.
- Detecting, investigating, and preventing fraudulent transactions, security incidents, and other potentially illegal or prohibited activities.
- Protecting the rights, property, and safety of Guzman y Gomez, our customers, and the public.
- Responding to lawful requests from government authorities, regulators, law enforcement agencies, and courts.
4. Sharing Your Personal Information With Third Parties
We do not sell your personal information to third parties. We may disclose your personal information to the following categories of recipients for the purposes described in this policy:
4.1 Service Providers
We engage trusted third-party service providers who perform services on our behalf and who are contractually required to protect your personal information. These include:
- IT and Cloud Service Providers: Hosting, data storage, software infrastructure, and cybersecurity services.
- Payment Processors: Secure processing of payment card transactions. We use PCI-DSS compliant payment processors to handle all financial transactions.
- Delivery Partners: Third-party food delivery platforms and courier services engaged to fulfil your delivery orders.
- Marketing and Advertising Platforms: Email marketing providers, social media advertising platforms, and digital marketing analytics tools.
- Customer Service Platforms: Helpdesk and customer relationship management (CRM) systems that assist our customer service operations.
- Analytics Providers: Website and mobile app analytics platforms such as Google Analytics and similar services.
- Loyalty Program Administrators: Technology providers who assist in administering our rewards and loyalty programs.
4.2 Business Partners
We may share your information with carefully selected business partners where you have chosen to participate in a joint promotion, collaborative offering, or co-branded service. We will always seek your consent before sharing your information for such purposes where required.
4.3 Legal Requirements and Law Enforcement
We may disclose your personal information to government agencies, regulators, law enforcement authorities, or courts when:
- We are required to do so by law, regulation, or court order.
- We reasonably believe disclosure is necessary to prevent or investigate fraud, criminal activity, or a threat to the safety of any person.
- Disclosure is authorised or required under the Privacy Act 1988 (Cth) or another applicable law.
4.4 Business Transfers
In the event that Guzman y Gomez undergoes a merger, acquisition, sale of assets, restructuring, or other corporate transaction, your personal information may be transferred to the successor entity as part of that transaction. We will notify you of any such change and ensure that your personal information continues to be protected in accordance with this policy.
4.5 With Your Consent
We may share your personal information with other third parties where you have provided your express consent for us to do so.
5. Data Security
We take the security of your personal information seriously and implement a range of technical, administrative, and physical safeguards to protect it from misuse, interference, loss, unauthorised access, modification, or disclosure. Our security measures include:
- Encryption: We use industry-standard SSL/TLS encryption to protect data transmitted between your device and our servers. Sensitive data, including payment information, is encrypted at rest and in transit.
- Access Controls: We restrict access to personal information to authorised personnel only, on a need-to-know basis. All staff with access to personal data are subject to confidentiality obligations.
- Secure Payment Processing: All payment card transactions are processed by PCI-DSS compliant payment processors. We do not store full credit or debit card numbers on our systems.
- Regular Security Assessments: We conduct regular security audits, vulnerability assessments, and penetration testing to identify and address potential security risks in our systems and processes.
- Incident Response: We maintain documented procedures for detecting, reporting, and responding to personal data breaches, including notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) where required under the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
- Staff Training: Our staff receive regular training on privacy obligations and secure data handling practices.
- Third-Party Security: We require our service providers and partners to implement appropriate security measures to protect any personal information they handle on our behalf.
While we take every reasonable precaution to protect your personal information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and we encourage you to take steps to protect your own information, such as keeping your account password confidential and logging out of your account after each session.
6. Your Privacy Rights
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the following rights with respect to your personal information:
6.1 Right to Access
You have the right to request access to the personal information we hold about you. We will provide you with access to this information within a reasonable timeframe, subject to certain exceptions permitted by law (for example, where providing access would adversely affect the privacy of another individual, or where the information is subject to legal professional privilege).
6.2 Right to Correction
If you believe that any personal information we hold about you is inaccurate, incomplete, out of date, irrelevant, or misleading, you have the right to request that we correct it. We will take reasonable steps to correct the information within a reasonable timeframe. You may also correct much of your information directly through your account settings on our website or app.
6.3 Right to Deletion
In certain circumstances, you may request that we delete or de-identify your personal information. We will comply with such requests where we are not legally required or otherwise entitled to retain the information. Please note that we may need to retain certain information for legal, tax, accounting, or other legitimate business purposes.
6.4 Right to Withdraw Consent
Where we rely on your consent to process your personal information (such as for marketing communications), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of any processing carried out before the withdrawal.
6.5 Right to Make a Complaint
You have the right to make a complaint if you believe we have breached the Australian Privacy Principles or the Privacy Act 1988 (Cth). Please see Section 11 of this policy for information on how to make a complaint.
6.6 How to Exercise Your Rights
To exercise any of the rights described above, please contact us using the following details:
- Email: [email protected]
- Website: gyg-au.com
We will respond to your request within a reasonable period, generally within 30 days. We may need to verify your identity before processing your request. In some cases, we may charge a reasonable fee for providing access to your information, but we will notify you of any applicable fee before proceeding.
7. Data Retention
We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, including to satisfy our legal, regulatory, accounting, and reporting obligations. The specific retention period depends on the type of information and the purpose for which it was collected.
Our general data retention practices are as follows:
| Type of Information | Retention Period |
|---|---|
| Customer account information | For the duration of your account, plus up to 7 years after account closure |
| Order history and transaction records | Up to 7 years from the date of the transaction (for tax and accounting purposes) |
| Payment records | Up to 7 years, as required by Australian taxation law |
| Customer service and complaint records | Up to 3 years from the date of resolution |
| Marketing preferences and consent records | Until you withdraw consent, plus up to 3 years thereafter |
| Website and app usage data (analytics) | Up to 26 months (in line with standard analytics retention settings) |
| Cookie and tracking data | As specified in our Cookie Policy (see Section 8) |
| Security and fraud prevention records | Up to 7 years from the date of the relevant incident or suspected incident |
When personal information is no longer required, we take reasonable steps to destroy it or permanently de-identify it in a secure manner.
8. Cookies and Tracking Technologies
Our website and mobile applications use cookies and similar tracking technologies (such as web beacons, pixels, and local storage) to enhance your browsing experience, analyse usage, and deliver personalised content and advertising.
8.1 Types of Cookies We Use
- Strictly Necessary Cookies: Essential for the operation of our website and app, enabling core functions such as login, shopping cart, and order processing.
- Performance and Analytics Cookies: Used to collect information about how visitors use our website, which pages are visited most often, and whether error messages are received. This data helps us improve the performance of our platform.
- Functionality Cookies: Allow our website to remember your preferences (such as your preferred restaurant location or dietary settings) to provide a more personalised experience.
- Targeting and Advertising Cookies: Used to deliver advertisements that are relevant to your interests, and to measure the effectiveness of our advertising campaigns. These cookies may be set by our advertising partners.
8.2 Managing Your Cookie Preferences
You can manage your cookie preferences through your browser settings, which allow you to accept, reject, or delete cookies. Please note that if you disable certain cookies, some features of our website or app may not function correctly.
For detailed information about the specific cookies we use, how long they persist, and how to manage your preferences, please refer to our full Cookie Policy available at gyg-au.com.
9. International Data Transfers
Guzman y Gomez is an Australian business and primarily stores and processes your personal information within Australia. However, some of our third-party service providers and technology platforms may be located outside of Australia, meaning that your personal information may be transferred to, stored in, or processed in countries other than Australia, including but not limited to the United States, the European Union, Singapore, or the United Kingdom.
Where we transfer personal information overseas, we take reasonable steps to ensure that the recipient handles your information in a manner consistent with the Australian Privacy Principles, including by:
- Entering into data processing agreements with overseas service providers that require them to protect your personal information to a standard at least equivalent to that required under Australian law.
- Only transferring data to countries or organisations that have been assessed as providing adequate levels of data protection.
- Implementing appropriate contractual and technical safeguards to protect international data transfers.
By using our services, you acknowledge and consent to your personal information being transferred to overseas recipients as described in this policy. Please be aware that if you do not consent to such transfers, we may not be able to provide you with all of our services.
In accordance with Australian Privacy Principle 8, before transferring personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information.
10. Children's Privacy
Our services are intended for use by individuals who are 18 years of age or older. We do not knowingly collect, use, or disclose personal information from children under the age of 18 without the consent of a parent or legal guardian.
If you are a parent or guardian and you believe that your child under the age of 18 has provided us with personal information without your consent, please contact us immediately at [email protected]. Upon confirmation, we will take prompt steps to delete that information from our records.
We do not direct our online ordering, loyalty programs, or marketing communications specifically at children. If you are under 18, please do not submit personal information through our website or app without the involvement and consent of your parent or legal guardian.
11. How to Make a Privacy Complaint
We take privacy complaints seriously and are committed to resolving any concerns promptly and fairly. If you believe we have not complied with the Privacy Act 1988 (Cth), the Australian Privacy Principles, or this Privacy Policy, please follow the steps below:
11.1 Step 1: Contact Us Directly
In the first instance, please contact our Privacy Team with details of your concern. We ask that you provide as much information as possible so that we can investigate the matter thoroughly. You can contact us by:
- Email: [email protected]
- Website: gyg-au.com
We will acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days. Where a complaint is complex, we may require additional time to investigate, and we will keep you informed of our progress.
11.2 Step 2: Escalate to the OAIC
If you are not satisfied with our response, or if we have failed to respond within a reasonable timeframe, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC), which is the independent national regulator for privacy and freedom of information in Australia.
Website: www.oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218, Sydney NSW 2001
Email: [email protected]
The OAIC has the power to investigate privacy complaints, make determinations, and seek enforceable undertakings or civil penalty orders in serious cases. There is generally no charge for lodging a complaint with the OAIC.
12. Direct Marketing and Your Choices
We may use your personal information to send you direct marketing communications, including promotional emails, push notifications, SMS messages, and in-app communications about our food, menu items, special offers, loyalty program updates, events, and promotions. We will only send you direct marketing communications where we have your consent to do so, or where we are otherwise permitted under applicable law (such as the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth)).
You may opt out of receiving direct marketing communications from us at any time by:
- Clicking the "unsubscribe" link in any marketing email we send you.
- Replying "STOP" to any marketing SMS we send you.
- Adjusting your notification preferences in your account settings on our website or app.
- Contacting us directly at [email protected].
Please allow up to 10 business days for your opt-out request to take effect. Please note that even if you opt out of direct marketing, we will continue to send you transactional and service-related communications (such as order confirmations and account notifications) as these are necessary to provide our services to you.
13. Third-Party Websites and Links
Our website and app may contain links to third-party websites, social media platforms, and services that are not operated by us. We are not responsible for the privacy practices or content of those third-party websites. We encourage you to review the privacy policies of any third-party sites you visit before providing your personal information.
Our website may also include social media features (such as "Like" or "Share" buttons) and widgets. These features may collect your IP address, the page you are visiting, and set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our website. Your interactions with these features are governed by the privacy policy of the company providing them.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:
- Posting the updated Privacy Policy on our website at gyg-au.com with a new "Last Updated" date.
- Sending you an email notification to your registered email address (for material changes).
- Displaying a prominent notice on our website or app.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal information. Your continued use of our services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please do not hesitate to contact our Privacy Team:
| Company | Guzman y Gomez |
|---|---|
| Email Address | [email protected] |
| Website | gyg-au.com |
We are committed to working with you to resolve any privacy concerns and to ensuring that your personal information is handled with the care and respect it deserves. We will respond to all privacy enquiries within a reasonable timeframe.
This Privacy Policy was last reviewed and updated on June 7, 2026. The previous version of this policy is available upon request by contacting us at [email protected].