Privacy Policy

Effective Date: July 1, 2026 | Last Updated: July 1, 2026

1. Introduction and Scope

Costa Vida is committed to protecting the privacy and security of your personal information. This Privacy Policy applies to all individuals who interact with our website, mobile applications, in-store services, catering requests, loyalty programs, and any other services we provide (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein. If you do not agree with the terms of this Privacy Policy, please do not use our Services.

This Privacy Policy is governed by applicable United States federal and state privacy laws, including but not limited to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Federal Trade Commission Act (FTC Act), and other applicable consumer protection regulations. Depending on your state of residence, additional rights and protections may apply to you.

2. Information We Collect

We collect various types of information in connection with the Services we provide. The categories of personal information we collect are described below.

2.1 Personal Information You Provide Directly

When you interact with Costa Vida through our website, mobile app, in-store services, or other channels, you may voluntarily provide us with personal information, including:

  • Contact Information: Full name, email address, phone number, mailing address, and billing address.
  • Account Information: Username, password, profile picture, and account preferences when you create an account with us.
  • Order Information: Food preferences, dietary restrictions, order history, special instructions, and payment details (processed securely through third-party payment processors).
  • Loyalty Program Information: Participation records, points balance, rewards redemption history, and preferences.
  • Catering and Event Information: Event details, guest count estimates, special dietary requirements, and delivery or pickup preferences.
  • Communications: Messages, inquiries, complaints, or feedback you submit to us via email, contact forms, social media, or other communication channels.
  • Survey and Contest Data: Responses to surveys, sweepstakes entries, or contest participation information.
  • Employment Applications: If you apply for a job with Costa Vida, we may collect your resume, work history, references, and other relevant employment information.

2.2 Information Collected Automatically

When you visit our website or use our digital services, we automatically collect certain technical information about your device and browsing activities, including:

  • Device Information: Device type, operating system, browser type and version, device identifiers, mobile network information, and hardware model.
  • Usage Data: Pages visited, time and date of visits, time spent on pages, links clicked, referring URLs, exit pages, and navigation paths through our website.
  • Location Data: General geographic location based on IP address, and precise geolocation data if you grant permission on a mobile device (used to locate nearby Costa Vida restaurants).
  • Log Data: Server logs including IP address, browser type, internet service provider, referring and exit pages, operating system, date and time stamps, and clickstream data.
  • Cookie and Tracking Data: Information collected through cookies, web beacons, pixel tags, and similar tracking technologies (see Section 7 for more details).
  • Transaction Data: Records of your purchases, order frequency, average order value, and other transactional behaviors on our digital platforms.

2.3 Information from Third-Party Sources

We may receive information about you from third-party sources, including:

  • Social Media Platforms: If you connect your social media account (e.g., Facebook, Google, Instagram) to our Services or interact with our social media pages, we may receive information such as your public profile, email address, and social connections, subject to your privacy settings on those platforms.
  • Payment Processors: Transaction confirmation and fraud prevention data from our payment processing partners.
  • Marketing Partners: Information from advertising networks, data analytics providers, and marketing partners to help us better understand our customers and improve our marketing efforts.
  • Public Sources: Publicly available information such as public records or information available on the internet.
  • Business Partners: Information shared by delivery platform partners (such as third-party food delivery apps) when you order Costa Vida products through those platforms.

3. How We Use Your Information

We use the personal information we collect for a variety of legitimate business purposes. The specific purposes include:

3.1 Providing and Improving Our Services

  • Processing and fulfilling your food orders, including in-store, online, and catering orders.
  • Creating and managing your account and loyalty program membership.
  • Processing payments and preventing fraudulent transactions.
  • Sending order confirmations, receipts, and status updates.
  • Responding to your customer service inquiries, complaints, and feedback.
  • Personalizing your experience by saving your preferences and order history.
  • Improving the quality, functionality, and features of our Services based on usage patterns and feedback.
  • Developing new menu items, promotions, and service offerings.

3.2 Analytics and Business Intelligence

  • Analyzing website and app usage patterns to understand customer behavior and preferences.
  • Conducting market research and analyzing trends in the food service industry.
  • Measuring the effectiveness of our marketing campaigns and promotional activities.
  • Generating aggregated, anonymized statistical reports for internal business analysis.
  • Optimizing restaurant operations, staffing, and inventory management based on order data.

3.3 Marketing and Communications

  • Sending you promotional emails, newsletters, special offers, and updates about Costa Vida (where you have consented or where permitted by law).
  • Delivering targeted advertisements on our website, third-party websites, and social media platforms.
  • Notifying you of new menu items, seasonal promotions, loyalty rewards, and exclusive member benefits.
  • Conducting sweepstakes, contests, surveys, and other promotional activities.
  • Sending SMS or push notifications about your orders and promotional offers (where you have opted in).

3.4 Legal and Compliance Purposes

  • Complying with applicable federal and state laws, regulations, and legal obligations.
  • Responding to lawful requests from government authorities, courts, and law enforcement agencies.
  • Enforcing our Terms of Service and other applicable agreements.
  • Protecting the rights, safety, and property of Costa Vida, our customers, employees, and the public.
  • Investigating and preventing fraud, security breaches, and other potentially illegal activities.
  • Maintaining records for tax, accounting, and audit purposes.

4. Legal Bases for Processing Personal Information

Under applicable United States privacy law and the FTC Act, we process your personal information based on the following legal foundations:

  • Contract Performance: Processing necessary to fulfill orders and provide the Services you have requested.
  • Consent: Where you have given explicit consent for marketing communications, cookie placement, or other specific processing activities.
  • Legitimate Business Interests: Processing that serves our legitimate interests, such as fraud prevention, improving our Services, and conducting business analytics, provided these interests do not override your privacy rights.
  • Legal Obligation: Processing required to comply with applicable laws and regulations, including tax reporting, food safety regulations, and responses to lawful government requests.

5. Sharing and Disclosure of Personal Information

We do not sell, rent, or trade your personal information to third parties for their own independent marketing purposes. However, we may share your information in the following circumstances:

5.1 Service Providers and Business Partners

We share personal information with trusted third-party service providers who assist us in operating our business and delivering our Services. These service providers are contractually obligated to protect your information and may only use it for the specific purposes we have authorized. Our service providers include:

  • Payment Processors: Companies that securely process credit card, debit card, and digital wallet payments on our behalf.
  • IT and Cloud Services: Providers of hosting, data storage, content delivery, and technology infrastructure services.
  • Analytics Providers: Companies such as Google Analytics that help us analyze website traffic and user behavior.
  • Email and Marketing Platforms: Services that manage our email marketing campaigns, newsletter distribution, and promotional communications.
  • Customer Support Tools: Platforms that support our customer service operations and ticketing systems.
  • Delivery Partners: Third-party food delivery platforms and logistics companies that fulfill delivery orders.
  • Loyalty Program Administrators: Companies that manage the technology and operations of our customer loyalty program.
  • Advertising Networks: Digital advertising partners that help us display targeted advertisements online.

5.2 Legal Requirements and Law Enforcement

We may disclose your personal information when we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, legal process, or enforceable governmental request.
  • Respond to subpoenas, court orders, or legal proceedings.
  • Enforce our Terms of Service or investigate potential violations thereof.
  • Detect, prevent, or address fraud, security issues, or technical problems.
  • Protect the rights, property, and safety of Costa Vida, our users, employees, or the public as required or permitted by law.

5.3 Business Transfers

In the event that Costa Vida undergoes a merger, acquisition, restructuring, sale of assets, or other business transaction, your personal information may be transferred to the acquiring entity as part of that transaction. We will notify you via email and/or a prominent notice on our website of any such change in ownership or use of your personal information, and will provide you with choices about your information in accordance with applicable law.

5.4 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you with third parties for research, marketing, analytics, and other business purposes. This type of sharing does not constitute a disclosure of personal information.

6. Your Privacy Rights

Depending on your state of residence within the United States, you may have the following rights with respect to your personal information. We are committed to honoring these rights in accordance with applicable law.

6.1 Rights Under the California Consumer Privacy Act (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:

Right | Description
Right to Know | You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you, including the categories and specific pieces of personal information.
Right to Delete | You have the right to request that we delete personal information we have collected from you, subject to certain exceptions provided by law.
Right to Correct | You have the right to request correction of inaccurate personal information that we maintain about you.
Right to Opt-Out | You have the right to opt out of the sale or sharing of your personal information to third parties. Note: Costa Vida does not sell personal information in the traditional sense, but may share data with advertising partners.
Right to Limit Use of Sensitive Information | You have the right to limit the use and disclosure of your sensitive personal information to only what is necessary to provide the requested services.
Right to Non-Discrimination | We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny services, charge different prices, or provide a different quality of service based on your exercise of these rights.

6.2 General Privacy Rights for All U.S. Residents

Regardless of your state of residence, Costa Vida provides all users with the following privacy-related choices:

  • Access and Review: You may log into your account to access and review the personal information associated with your profile.
  • Correction and Update: You may update or correct your personal information through your account settings or by contacting us directly.
  • Deletion: You may request the deletion of your account and associated personal information, subject to legal retention requirements.
  • Marketing Opt-Out: You may opt out of receiving promotional emails by clicking the "unsubscribe" link in any marketing email we send, or by contacting us directly. Note that opting out of marketing communications does not affect transactional communications related to your orders.
  • SMS Opt-Out: You may opt out of SMS communications by replying "STOP" to any text message we send or by contacting us directly.
  • Data Portability: Upon request, we will provide you with a copy of your personal information in a structured, commonly used, and machine-readable format where technically feasible.

6.3 How to Exercise Your Privacy Rights

To exercise any of the rights described above, please contact us using one of the following methods:

When submitting a request, please provide sufficient information to allow us to reasonably verify your identity and understand the nature of your request. We will respond to verified consumer requests within 45 days, as required by California law. If we require additional time, we will inform you of the reason and extension period in writing.

You may designate an authorized agent to submit a request on your behalf. If you use an authorized agent, we may require written permission from you authorizing the agent to act on your behalf, and we may require you to verify your identity directly with us.

7. Cookie Policy and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyze website traffic, and deliver personalized content and advertising. This section provides a summary of our cookie practices.

7.1 Types of Cookies We Use

  • Essential Cookies: Strictly necessary for the operation of our website, including session management, shopping cart functionality, and security features. These cookies cannot be disabled without affecting website functionality.
  • Performance and Analytics Cookies: Used to collect information about how visitors use our website, such as which pages are visited most frequently and whether users encounter error messages. We use tools like Google Analytics for this purpose.
  • Functionality Cookies: Allow our website to remember choices you make (such as your preferred language, location, or saved favorites) to provide enhanced, personalized features.
  • Targeting and Advertising Cookies: Used to deliver advertisements relevant to your interests on our website and across other websites. These cookies track your browsing habits and may be set by third-party advertising networks.

7.2 Managing Your Cookie Preferences

You can control and manage cookies through your browser settings. Most web browsers allow you to refuse or delete cookies. Please note that disabling certain cookies may affect the functionality and performance of our website. For more detailed information about cookies and how to manage them, please refer to our full Cookie Policy available on our website.

You may also opt out of interest-based advertising by visiting:

8. Data Security

Costa Vida takes the security of your personal information seriously and implements a comprehensive set of technical, administrative, and physical safeguards designed to protect your information from unauthorized access, use, disclosure, alteration, and destruction.

8.1 Security Measures

  • Encryption: We use industry-standard Secure Sockets Layer (SSL) / Transport Layer Security (TLS) encryption to protect data transmitted between your browser and our servers. Sensitive payment information is encrypted using PCI-DSS compliant methods.
  • Access Controls: We restrict access to personal information to authorized employees, contractors, and service providers who have a legitimate need to access such information to perform their duties.
  • Secure Storage: Personal information is stored on secure servers with access controls, firewalls, and intrusion detection systems.
  • Regular Security Audits: We conduct regular security assessments and vulnerability testing of our systems and networks.
  • Employee Training: Our employees receive regular training on data privacy and security best practices.
  • Incident Response: We maintain a documented data breach response plan to quickly identify, contain, and remediate security incidents, and to notify affected individuals and authorities as required by law.

8.2 Limitations of Security

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your personal information. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at [email protected].

9. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The specific retention periods we apply are as follows:

Category of Data | Retention Period
Account and Profile Information | Duration of active account plus 3 years after account closure or last interaction
Order and Transaction History | 7 years (for tax and accounting compliance)
Loyalty Program Records | Duration of program participation plus 2 years after last activity
Marketing and Communication Preferences | Until you opt out, plus 1 year for record-keeping
Customer Service Communications | 3 years from the date of the last interaction
Website Usage and Analytics Data | 26 months (standard Google Analytics retention period)
Cookie and Tracking Data | Varies by cookie type (session to 24 months)
Legal and Compliance Records | As required by applicable law, typically 5-7 years

After the applicable retention period expires, we will securely delete or anonymize your personal information. In some cases, we may retain information longer if required by law or if necessary to resolve disputes, enforce agreements, or protect our legal rights.

10. Children's Privacy

Costa Vida does not knowingly collect personal information from children under the age of 13 as defined by the Children's Online Privacy Protection Act (COPPA), or from individuals under the age of 18 as a matter of our general policy. Our website and digital services are not directed toward children or minors.

If we become aware that we have inadvertently collected personal information from a child under the age of 13 without verified parental consent, or from any individual under the age of 18 in violation of this policy, we will take immediate steps to delete such information from our records. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at [email protected] so that we can take appropriate action.

11. International Data Transfers

Costa Vida is a United States-based food service company, and our primary operations are conducted within the United States. Your personal information is collected, stored, and processed on servers located within the United States.

If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored in, and processed in the United States. Privacy laws in the United States may differ from those in your country of residence and may not provide the same level of protection. By using our Services from outside the United States, you acknowledge and consent to the transfer, storage, and processing of your personal information in the United States in accordance with this Privacy Policy.

For any transfers involving personal information of individuals in jurisdictions with applicable international data transfer requirements, we will implement appropriate safeguards to ensure that your personal information receives an adequate level of protection.

12. Third-Party Links and Services

Our website may contain links to third-party websites, mobile applications, social media platforms, and other online services that are not operated or controlled by Costa Vida. This Privacy Policy does not apply to such third-party services. When you click on a link to a third-party website or service, you will be leaving our website and the third party's own privacy policy will govern the collection and use of your information.

We encourage you to review the privacy policies of any third-party websites or services you visit. We are not responsible for the privacy practices, content, or data security measures of third-party websites or services, and we make no representations or warranties about the privacy or security of such third-party services.

13. Do Not Track Signals

Some web browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. Currently, there is no universally accepted standard for how websites should respond to DNT signals. At this time, our website does not respond to or alter its data collection practices based on DNT signals from your browser. We will continue to monitor developments in this area and update our practices as industry standards evolve.

14. California-Specific Disclosures

In accordance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), we provide the following additional disclosures for California residents.

14.1 Categories of Personal Information Collected in the Past 12 Months

  • Identifiers (name, email address, phone number, IP address, account username)
  • Commercial information (purchase records, order history, loyalty program data)
  • Internet or other electronic network activity (browsing history, interaction data)
  • Geolocation data (general location derived from IP address)
  • Inferences drawn from other categories to create a profile about consumer preferences
  • Professional or employment-related information (for job applicants)

14.2 Business Purposes for Collecting Personal Information

We collect the above categories of personal information for the business purposes described in Section 3 of this Privacy Policy, including service provision, analytics, marketing, and legal compliance.

14.3 California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please contact us at [email protected].

15. Filing a Privacy Complaint

If you believe that Costa Vida has violated your privacy rights or has not handled your personal information in accordance with this Privacy Policy or applicable law, we encourage you to first contact us directly so that we may attempt to resolve your concern.

15.1 Contact Costa Vida

Please reach out to our privacy team using the contact information provided in Section 16 below. We will investigate your complaint and respond within a reasonable timeframe.

15.2 California Residents — Contact the California Privacy Protection Agency

California residents who wish to file a formal privacy complaint may contact the California Privacy Protection Agency (CPPA):

  • Website: cppa.ca.gov
  • Address: California Privacy Protection Agency, 2101 Arena Blvd, Sacramento, CA 95834

15.3 Federal Trade Commission (FTC)

All U.S. consumers may file complaints about unfair or deceptive privacy practices with the Federal Trade Commission:

15.4 State Attorney General Offices

Residents of other U.S. states may contact their respective State Attorney General's office to file complaints about privacy violations or unfair business practices. Contact information for your state's Attorney General can typically be found on your state government's official website.

16. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us using the following information:

Costa Vida — Privacy Inquiries

When contacting us about a privacy matter, please include your full name, email address, and a description of your inquiry or request so that we can respond promptly and effectively. For requests to exercise your rights under the CCPA/CPRA or other applicable privacy laws, please specify the nature of your request and provide sufficient identifying information to allow us to verify your identity.

17. Changes to This Privacy Policy

We reserve the right to update, modify, or revise this Privacy Policy at any time to reflect changes in our business practices, the Services we offer, applicable laws, or industry standards. When we make changes to this Privacy Policy, we will update the "Last Updated" date at the top of this page.

For material changes that significantly affect how we collect, use, or share your personal information, we will provide you with more prominent notice, such as by sending you an email notification or posting a prominent announcement on our website before the changes take effect. We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices.

Your continued use of our Services after the effective date of any revised Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the revised Privacy Policy, you must stop using our Services and may request deletion of your personal information as described in Section 6 of this policy.