Privacy Policy
This Privacy Policy explains how Guzman y Gomez ("we", "us", "our", or "the Company") collects, uses, discloses, stores, and protects your personal information when you visit our website at gozmangomez.com, use our mobile applications, place orders, or otherwise interact with our services. We are committed to protecting your privacy and handling your personal information in a transparent, responsible, and lawful manner.
By accessing our website, using our services, or providing us with your personal information, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please discontinue use of our website and services.
This Privacy Policy is governed by the Privacy Act 1988 (Cth) of Australia and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act. Where applicable, we also comply with the Spam Act 2003 (Cth), the Do Not Call Register Act 2006 (Cth), and relevant state-based privacy legislation.
1. About Us
Guzman y Gomez is a food and restaurant business operating in Australia. We offer fresh, high-quality Mexican-inspired food through our physical restaurant locations, online ordering platform, mobile applications, and delivery services.
| Detail | Information |
|---|---|
| Company Name | Guzman y Gomez |
| Website | gozmangomez.com |
| Email Address | [email protected] |
| Country of Operation | Australia |
| Applicable Law | Privacy Act 1988 (Cth), Australian Privacy Principles (APPs) |
For all privacy-related inquiries, please contact our Privacy Officer at [email protected].
2. Information We Collect
We collect various types of personal information from and about you in connection with your use of our website, services, and interactions with us. "Personal information" has the meaning given to it under the Privacy Act 1988 (Cth), being information or an opinion about an identified individual, or an individual who is reasonably identifiable.
2.1 Personal Information You Provide Directly
When you create an account, place an order, sign up for our loyalty programme, contact us, or otherwise engage with our services, you may provide us with:
- Identity Information: Full name, date of birth, and gender.
- Contact Information: Email address, telephone number, and residential or delivery address.
- Account Credentials: Username and password (stored in encrypted form).
- Payment Information: Credit card or debit card details, billing address, and transaction history. Note that full payment card details are processed by our secure payment processors and are not stored directly by us.
- Order Information: Your food preferences, order history, dietary requirements, and special instructions.
- Loyalty Programme Data: Points balances, rewards history, and redemption records.
- Communications: Records of your communications with us, including customer service enquiries, complaints, feedback, and survey responses.
- Marketing Preferences: Your opt-in or opt-out status for marketing communications and the communication channels you prefer.
- Employment Information: If you apply for a job with us, we may collect your resume, employment history, qualifications, and references.
2.2 Information We Collect Automatically
When you use our website or mobile application, we automatically collect certain technical and usage data, including:
- Device Information: Device type, operating system, browser type and version, screen resolution, and unique device identifiers.
- Usage Data: Pages visited, time spent on each page, links clicked, search queries made on our platform, and the referring URL.
- IP Address: Your Internet Protocol (IP) address, which may be used to determine your approximate geographic location.
- Log Data: Server log files containing information such as access times, error logs, and request details.
- Location Data: If you grant permission, we may collect your precise geographic location to help you find nearby restaurants or estimate delivery times.
- Cookie and Tracking Data: Data collected through cookies, pixel tags, web beacons, and similar technologies. Please refer to Section 8 of this Policy for more information about our use of cookies.
2.3 Information We Collect From Third Parties
We may also receive personal information about you from third parties, including:
- Delivery Partners: Information shared by third-party food delivery platforms (such as Uber Eats, DoorDash, or Menulog) when you place an order through those services.
- Social Media Platforms: If you choose to log in or register via a social media account (e.g., Google or Facebook), we may receive basic profile information such as your name and email address, subject to the privacy settings of that platform.
- Analytics Providers: Aggregated or de-identified data from analytics and advertising services that help us understand how our website is used.
- Payment Processors: Confirmation of payment and transaction reference numbers from our authorised payment processing partners.
- Publicly Available Sources: We may supplement information we hold about you with information obtained from publicly accessible sources, in accordance with the APPs.
3. How We Use Your Personal Information
We only use your personal information for purposes that are disclosed to you, that you have consented to, or that are otherwise permitted under the Privacy Act 1988 (Cth). The primary purposes for which we collect and use your personal information include:
3.1 Provision of Services
- Processing and fulfilling your food orders, whether placed online, via our app, or in-store.
- Managing your customer account, including your loyalty programme membership.
- Arranging delivery or facilitating in-store or drive-through pick-up.
- Processing payments and issuing receipts or tax invoices.
- Responding to your enquiries, requests, and complaints.
- Providing technical support for our digital platforms.
3.2 Business Operations and Improvement
- Analysing usage patterns to improve the functionality, content, and user experience of our website and mobile application.
- Conducting internal research, data analytics, and reporting to understand customer preferences and behaviour.
- Developing new menu items, services, and features based on customer feedback and trends.
- Managing our restaurant operations, staffing, and supply chain.
- Training and quality assurance for our customer service teams.
3.3 Marketing and Promotions
- Sending you promotional emails, special offers, discount codes, and news about Guzman y Gomez, where you have opted in to receive such communications.
- Notifying you of loyalty programme rewards, points updates, and exclusive member benefits.
- Running competitions, giveaways, and promotional campaigns.
- Displaying personalised advertisements on our platforms or on third-party websites and social media platforms, based on your browsing history and purchase behaviour.
- Measuring the effectiveness of our marketing campaigns and communications.
You have the right to opt out of receiving direct marketing communications from us at any time. See Section 7 for details on how to exercise your rights.
3.4 Legal and Compliance Purposes
- Complying with our obligations under applicable Australian laws and regulations, including the Privacy Act 1988 (Cth), the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)), and food safety laws.
- Detecting, investigating, and preventing fraud, security incidents, and other unlawful activity.
- Responding to lawful requests from government authorities, law enforcement agencies, or courts.
- Enforcing our Terms of Service and other agreements.
- Protecting the rights, property, and safety of Guzman y Gomez, our customers, staff, and the public.
4. Disclosure of Your Personal Information to Third Parties
We do not sell your personal information to third parties. However, we may disclose your personal information to the following categories of recipients in connection with the purposes described above:
4.1 Service Providers and Business Partners
We engage trusted third-party service providers to assist us in operating our business and delivering our services. These providers are only permitted to use your personal information to perform services on our behalf and are contractually required to maintain appropriate privacy and security standards. They include:
- IT and Cloud Services: Hosting providers, database managers, and software-as-a-service (SaaS) vendors.
- Payment Processors: Authorised payment gateways and financial institutions that process your card transactions securely.
- Delivery Partners: Third-party delivery platforms and logistics providers who facilitate delivery of your food orders.
- Marketing and Advertising Agencies: Companies that help us manage our digital advertising, email campaigns, and loyalty communications.
- Analytics Providers: Services such as Google Analytics that help us understand website traffic and user behaviour.
- Customer Support Platforms: Tools used to manage customer service enquiries and communications.
- Franchisees: Where you visit or interact with a Guzman y Gomez franchised restaurant location, relevant operational information may be shared with that franchisee.
4.2 Legal and Regulatory Disclosures
We may disclose your personal information to government bodies, law enforcement agencies, regulatory authorities, or courts where we are required to do so by law, or where we reasonably believe that disclosure is necessary to:
- Comply with a legal obligation or judicial order.
- Protect and defend our legal rights or property.
- Prevent or investigate suspected wrongdoing, fraud, or threats to public safety.
4.3 Business Transfers
In the event of a merger, acquisition, corporate restructure, sale of business assets, or similar transaction, your personal information may be transferred to the relevant successor entity as part of that transaction. We will notify you of any such transfer and any consequential changes to this Privacy Policy.
4.4 With Your Consent
We may disclose your personal information to other third parties with your explicit consent, such as when you choose to participate in partner promotions or link your account with a third-party service.
5. International Transfers of Personal Information
Guzman y Gomez operates primarily in Australia; however, some of our third-party service providers may be located overseas, including in the United States, the United Kingdom, Singapore, and other countries. As a result, your personal information may be transferred to, stored in, or processed in countries outside of Australia.
Where we transfer personal information overseas, we do so in accordance with Australian Privacy Principle 8 (APP 8). We take reasonable steps to ensure that overseas recipients handle your personal information in a manner that is consistent with the APPs. This may include:
- Entering into data transfer agreements or contractual clauses with overseas recipients that impose privacy obligations consistent with the APPs.
- Ensuring that the overseas country has privacy laws that are substantially similar to the APPs.
- Obtaining your consent to the overseas transfer where required.
Please note that if you consent to an overseas transfer, or where APP 8.1 cannot reasonably be complied with, we may not be accountable under the Privacy Act 1988 (Cth) for any subsequent handling of your personal information by the overseas recipient. We will always endeavour to work with reputable international partners who uphold high privacy standards.
6. Data Security
We take the security of your personal information seriously and implement a range of technical, administrative, and organisational measures designed to protect your personal information from unauthorised access, use, alteration, disclosure, loss, or destruction. Our security measures include, but are not limited to:
- Encryption: Sensitive data, including payment information and passwords, is encrypted using industry-standard Transport Layer Security (TLS) protocols and secure hashing algorithms.
- Access Controls: Access to personal information is restricted to authorised employees and service providers who have a legitimate business need to access it. All staff with access to personal data are subject to confidentiality obligations.
- Secure Payment Processing: We use Payment Card Industry Data Security Standard (PCI DSS) compliant payment processors to handle financial transactions.
- Regular Security Assessments: We conduct periodic reviews and audits of our security practices, systems, and infrastructure to identify and address potential vulnerabilities.
- Incident Response: We maintain a data breach response plan in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.
- Staff Training: All employees who handle personal information receive regular training on privacy obligations, data handling best practices, and security awareness.
While we employ robust security measures, no system is entirely impenetrable. We cannot guarantee the absolute security of information transmitted over the internet. You are responsible for keeping your account credentials confidential and for notifying us immediately if you suspect any unauthorised use of your account.
7. Your Rights Under the Australian Privacy Principles
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have a number of important rights in relation to the personal information we hold about you. We are committed to respecting and facilitating the exercise of these rights.
7.1 Right to Access
You have the right to request access to the personal information we hold about you. This includes the right to know what categories of personal information we hold, the purposes for which it is used, and who it has been disclosed to. To make an access request, please contact us at [email protected]. We will respond to your request within 30 days. We may need to verify your identity before processing your request.
7.2 Right to Correction
If you believe that personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you have the right to request that we correct it. You can update certain account information directly through your online account settings, or by contacting us at [email protected]. We will take reasonable steps to correct the information within 30 days of your request.
7.3 Right to Erasure (Deletion)
In certain circumstances, you may request that we delete the personal information we hold about you. We will consider your request in light of our legal obligations, contractual requirements, and legitimate business interests. Please note that some personal information may need to be retained for compliance with legal obligations (e.g., financial record-keeping requirements under the Corporations Act 2001 (Cth) and the Income Tax Assessment Act 1997 (Cth)).
7.4 Right to Opt Out of Direct Marketing
You have the right to opt out of receiving direct marketing communications from us at any time. You can exercise this right by:
- Clicking the "unsubscribe" link in any marketing email we send you.
- Updating your communication preferences in your account settings on our website or app.
- Contacting us directly at [email protected].
Please allow up to 5 business days for your opt-out request to take effect. Please note that even if you opt out of marketing communications, we may still send you transactional or service-related communications (e.g., order confirmations, receipts, and account notifications).
7.5 Right to Complain
If you believe that we have breached the Australian Privacy Principles or otherwise failed to handle your personal information in accordance with the Privacy Act 1988 (Cth), you have the right to make a complaint. Please see Section 11 of this Policy for details on how to lodge a complaint.
7.6 How to Exercise Your Rights
To exercise any of the rights described above, please contact our Privacy Officer by email at [email protected]. We may need to verify your identity to process your request. We will not charge a fee for making an access or correction request, although in some circumstances (e.g., very complex or extensive requests), we may charge a reasonable fee to cover our costs of compliance, in accordance with APP 12.3.
8. Cookies and Tracking Technologies
Our website and mobile application use cookies and similar tracking technologies to enhance your browsing experience, analyse website traffic, and deliver personalised content and advertisements.
8.1 What Are Cookies?
Cookies are small text files that are placed on your device (computer, smartphone, or tablet) when you visit a website. They allow the website to recognise your device and remember certain information about your preferences and activity.
8.2 Types of Cookies We Use
| Cookie Type | Purpose |
|---|---|
| Strictly Necessary Cookies | Essential for the operation of our website, including enabling you to log in, place orders, and use the shopping cart. |
| Performance/Analytics Cookies | Help us understand how visitors interact with our website by collecting anonymous statistical data (e.g., Google Analytics). |
| Functionality Cookies | Remember your preferences such as language settings, location, and saved menu items to provide a personalised experience. |
| Marketing/Advertising Cookies | Used to deliver relevant advertisements to you on our website and across the internet, based on your browsing behaviour. |
8.3 Managing Cookies
You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. However, disabling certain cookies may affect the functionality of our website. For detailed information about managing cookies, please refer to your browser's help documentation.
For more information about how we use cookies and your choices, please read our Cookie Policy, which is available on our website at gozmangomez.com.
9. Data Retention
We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. The retention periods we apply depend on the type of information and the purpose for which it is used:
| Data Type | Retention Period |
|---|---|
| Account and profile information | For the duration of your account, plus 7 years after account closure |
| Order history and transaction records | 7 years from the date of transaction (for tax and accounting purposes) |
| Loyalty programme data | For the duration of your membership, plus 2 years after membership ends |
| Customer service communications | 3 years from the date of the communication |
| Marketing preference records | Until you withdraw consent or close your account, plus 2 years |
| Website usage and analytics data | Up to 26 months (in line with standard analytics retention settings) |
| Cookie data | Varies by cookie type (session cookies expire when browser is closed; persistent cookies expire as per individual cookie settings) |
| Job application records (unsuccessful applicants) | 12 months from the date of application, unless otherwise required |
After the applicable retention period, personal information is securely deleted or de-identified. We may retain de-identified or aggregated data indefinitely for statistical and research purposes, as such data cannot be used to identify you.
10. Children's Privacy
Our services are intended for individuals who are 18 years of age or older. We do not knowingly collect, use, or disclose personal information from children under the age of 18 without the consent of a parent or legal guardian.
If you are under 18 years of age, please do not provide us with your personal information or use our online services without the supervision and consent of a parent or legal guardian. If you are a parent or guardian and believe that your child under the age of 18 has provided us with personal information without your consent, please contact us immediately at [email protected] so that we can take appropriate steps to delete that information.
We are committed to protecting the privacy and safety of children online and encourage parents and guardians to actively supervise their children's online activities.
11. How to Make a Privacy Complaint
If you have any concerns or complaints about the way we have collected, used, or disclosed your personal information, or if you believe we have failed to comply with the Australian Privacy Principles or the Privacy Act 1988 (Cth), we encourage you to contact us in the first instance.
11.1 Internal Complaints Process
To lodge a complaint with us, please contact our Privacy Officer using the following details:
Please provide the following information in your complaint:
- Your full name and contact details.
- A description of the privacy concern or complaint.
- Details of the personal information involved.
- The outcome you are seeking.
We will acknowledge receipt of your complaint within 5 business days and aim to provide a substantive response within 30 days. If your complaint is complex, we will notify you if we require additional time to investigate.
11.2 External Complaints — Office of the Australian Information Commissioner (OAIC)
If you are not satisfied with our response to your complaint, or if you prefer to lodge your complaint directly with the national privacy regulator, you may contact the Office of the Australian Information Commissioner (OAIC):
Website: www.oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218, Sydney NSW 2001
Online Complaint Form: Available at www.oaic.gov.au/privacy/privacy-complaints
The OAIC is an independent statutory authority that handles privacy complaints and enquiries under the Privacy Act 1988 (Cth). The OAIC may investigate your complaint, attempt conciliation between the parties, or take other actions in accordance with its powers under the Act.
You may also seek advice or assistance from a legal practitioner if you have concerns about how your personal information has been handled.
12. Links to Third-Party Websites
Our website and app may contain links to third-party websites, social media platforms, delivery service providers, and other external services. This Privacy Policy applies only to our own website and services. We are not responsible for the privacy practices of third-party websites, and we encourage you to read the privacy policies of any third-party sites you visit. The inclusion of a link to a third-party website does not constitute an endorsement of that site or its privacy practices.
13. Social Media and User-Generated Content
If you interact with our brand on social media platforms (such as Instagram, Facebook, X/Twitter, or TikTok), please note that those interactions are subject to the privacy policies of the respective platforms. We may collect information about you from social media interactions, such as tags, mentions, reviews, or direct messages, in accordance with the platform's terms of service.
If you submit reviews, photos, or other user-generated content via our website, app, or social media channels, you acknowledge that such content may be publicly visible and may be used by us for marketing and promotional purposes (subject to any separate terms you agree to at the time of submission).
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our business practices, legal obligations, or the services we offer. When we make material changes to this Policy, we will notify you by:
- Posting the updated Privacy Policy on our website at gozmangomez.com with a revised effective date.
- Sending an email notification to registered account holders where the changes are significant.
- Displaying a notice on our app or website prompting you to review the updated Policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our website or services after any changes have been published will constitute your acceptance of the updated Privacy Policy.
15. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal information, please do not hesitate to contact our Privacy Officer:
Email: [email protected]
Website: gozmangomez.com
Country: Australia
We are committed to resolving your privacy concerns promptly and transparently, and to ensuring that your personal information is handled with the care and respect it deserves.