Privacy Policy

Effective Date: June 25, 2026  |  Last Updated: June 25, 2026

At Zupas, we are deeply committed to protecting your privacy and handling your personal data with transparency, integrity, and care. We operate in the United States and comply with applicable federal and state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Federal Trade Commission Act (FTC Act), and other relevant regulations. This Privacy Policy applies to all users of our website, mobile platforms, in-store digital services, and any other services we offer.

By accessing or using our website at zupasrestaurant.rest or any of our related services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with the terms of this policy, please discontinue use of our services immediately.

1. About Us

Zupas is a food service company operating in the United States, dedicated to providing fresh, high-quality meals and an exceptional dining experience to our customers. We operate physical restaurant locations as well as a digital presence through our website and online ordering systems.

For all privacy-related inquiries, you may contact us using the following information:

2. Information We Collect

We collect various categories of personal information depending on how you interact with our services. Below, we describe each category of data we collect and the circumstances under which we collect it.

2.1 Personal Identification Information

When you create an account, place an order, sign up for our loyalty program, or contact us directly, we may collect the following personal identification information:

• Full name — to identify you as a customer and personalize your experience
• Email address — to send order confirmations, receipts, promotional offers, and service communications
• Phone number — to contact you regarding your order status or customer service matters
• Mailing address and delivery address — to fulfill delivery orders and process any mail-based promotions
• Date of birth — to verify age eligibility for certain promotions and loyalty rewards
• Username and password — to manage your account securely on our website

2.2 Payment and Financial Information

When you make a purchase through our website or in-store digital kiosks, we collect payment information necessary to process your transaction. This may include:

• Credit or debit card details (processed through secure third-party payment processors)
• Billing address associated with your payment method
• Gift card numbers and loyalty point balances
• Transaction history and purchase records

2.3 Usage and Behavioral Data

When you visit our website at zupasrestaurant.rest, we automatically collect certain technical and behavioral information about your interactions, including:

• Pages viewed, time spent on each page, and navigation paths through our website
• Search queries entered on our website
• Menu items viewed, added to cart, or purchased
• Referring URLs (the website that directed you to ours)
• Clickstream data and interaction logs
• Frequency and duration of visits to our website
• Features and services accessed or used

2.4 Device and Technical Information

We collect technical information about the device and browser you use to access our website, including:

• IP address and approximate geographic location derived from your IP address
• Device type (desktop, mobile, tablet)
• Operating system and version
• Browser type and version
• Screen resolution and display settings
• Device identifiers and mobile advertising IDs
• Network carrier information (for mobile users)
• Time zone settings

2.5 Location Data

With your permission, we may collect precise geolocation data to help you find the nearest Zupas restaurant location, enable location-based promotions, or facilitate delivery services. You may disable location tracking at any time through your device settings. We may also collect approximate location information based on your IP address.

2.6 Communications and Feedback

When you contact us via email, phone, our website contact form, social media, or other channels, we collect the content of your communications, your contact details, and any other information you voluntarily provide. This includes customer service inquiries, complaints, feedback, survey responses, and reviews.

2.7 Loyalty Program Data

If you enroll in our loyalty or rewards program, we collect data related to your participation, including points earned and redeemed, rewards claimed, program tier status, participation history, and preferences you set within the program.

2.8 Information from Third Parties

We may receive information about you from third parties, including:

• Social media platforms if you connect your account or log in using social authentication
• Third-party food delivery platforms (such as DoorDash, Uber Eats, or Grubhub) that facilitate your orders
• Marketing partners and advertising networks
• Analytics providers
• Review platforms and feedback aggregators

3. How We Use Your Information

We use the personal information we collect for specific, legitimate purposes related to the operation of our food service business. Below is a comprehensive description of how we use your data:

3.1 Service Provision and Order Fulfillment

• Processing and fulfilling your food orders, whether placed online, through the app, or in-store
• Managing your customer account and loyalty program membership
• Sending order confirmations, status updates, and delivery notifications
• Processing payments and managing billing
• Handling returns, refunds, and customer service requests
• Verifying your identity when necessary for account security

3.2 Personalization and Customer Experience

• Personalizing the content, menu recommendations, and promotions displayed to you
• Remembering your preferences, favorite menu items, and past orders to make reordering easier
• Tailoring our communications to match your dietary preferences and interests
• Providing customized loyalty rewards and offers based on your purchase history

3.3 Marketing and Promotional Communications

With your consent or where permitted by applicable law, we use your information to:

• Send you promotional emails, newsletters, and special offers about our food and services
• Notify you about new menu items, seasonal specials, and restaurant openings
• Conduct targeted advertising campaigns through third-party advertising platforms
• Invite you to participate in surveys, contests, and promotional events

You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any promotional email or by contacting us at [email protected].

3.4 Analytics and Business Intelligence

• Analyzing website traffic, user behavior, and engagement patterns to improve our digital platforms
• Understanding which menu items, promotions, and features are most popular
• Monitoring and improving the performance of our website and ordering systems
• Conducting internal research to support business decision-making
• Generating aggregate, anonymized statistical reports

3.5 Legal Compliance and Safety

• Complying with applicable federal, state, and local laws and regulations
• Responding to lawful requests from government authorities, courts, or law enforcement agencies
• Detecting, preventing, and investigating fraud, unauthorized access, or other illegal activities
• Enforcing our Terms of Service and other applicable policies
• Protecting the rights, property, and safety of Zupas, our customers, and the public

3.6 Operational and Administrative Purposes

• Maintaining and improving our food products, services, and restaurant operations
• Training staff and developing operational procedures
• Managing supplier and partner relationships
• Conducting audits and quality assurance activities

4. Cookies and Tracking Technologies

Our website at zupasrestaurant.rest uses cookies, web beacons, pixel tags, and similar tracking technologies to enhance your browsing experience, analyze website performance, and deliver relevant advertising.

4.1 Types of Cookies We Use

• Essential Cookies: These are necessary for the website to function properly and cannot be disabled. They enable core features such as shopping cart functionality, user authentication, and secure checkout.
• Analytical/Performance Cookies: These cookies help us understand how visitors interact with our website by collecting and reporting usage statistics anonymously. We use services such as Google Analytics for this purpose.
• Functional Cookies: These cookies remember your preferences and settings (such as language preferences or saved addresses) to provide a more personalized experience.
• Advertising/Targeting Cookies: These cookies are used to deliver advertisements relevant to your interests and to measure the effectiveness of our advertising campaigns.

4.2 Managing Your Cookie Preferences

You can manage your cookie preferences through your browser settings or through our cookie consent tool available on our website. Please be aware that disabling certain cookies may affect the functionality of our website and your ability to place orders. For more detailed information about our use of cookies, please refer to our Cookie Policy.

5. Sharing Your Information with Third Parties

We do not sell your personal information to third parties for monetary compensation. However, we may share your information with trusted third parties in the following circumstances:

5.1 Service Providers and Business Partners

We share personal information with third-party service providers who assist us in operating our business. These providers are contractually obligated to protect your information and use it only for the specific services they provide to us. Such providers include:

• Payment processors — to securely process your financial transactions
• Delivery and logistics partners — to fulfill food delivery orders
• Cloud hosting and IT infrastructure providers — to host our website and store data securely
• Email and SMS marketing platforms — to send communications on our behalf
• Analytics providers — to help us understand website performance and user behavior
• Customer relationship management (CRM) platforms — to manage customer interactions
• Fraud prevention services — to protect against unauthorized transactions

5.2 Third-Party Food Delivery Platforms

If you place an order through a third-party delivery platform such as DoorDash, Uber Eats, or Grubhub, your information will be shared with that platform as necessary to fulfill your order. The use of your information by these third-party platforms is governed by their own privacy policies, which we encourage you to review.

5.3 Legal Requirements and Law Enforcement

We may disclose your personal information when required to do so by law or in response to valid legal process, including:

• Court orders, subpoenas, or other judicial proceedings
• Requests from law enforcement agencies or government authorities
• Situations where disclosure is necessary to protect national security or public safety
• Situations where we believe disclosure is necessary to comply with applicable law or regulation

5.4 Business Transfers

In the event of a merger, acquisition, sale of assets, reorganization, or other business transfer involving Zupas, your personal information may be transferred to the acquiring entity or successor organization. We will notify you of any such transfer that materially affects how your information is used and provide you with an opportunity to opt out where required by law.

5.5 Advertising Partners

We may share aggregated, anonymized, or pseudonymized data with advertising partners to deliver targeted advertisements on third-party platforms. We do not share personally identifiable information with advertising partners without your consent, except as described in this policy.

5.6 Protection of Rights

We may share your information when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Zupas, our customers, employees, or the public, including exchanging information with other organizations for fraud prevention and cybersecurity purposes.

6. Your Privacy Rights

Depending on your location within the United States, you may have certain rights with respect to your personal information. We are committed to honoring these rights in accordance with applicable law.

6.1 Rights for California Residents (CCPA/CPRA)

If you are a resident of California, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:

6.2 Rights for All Users

Regardless of your location, we extend the following privacy rights to all users of our services:

• Access: You may request access to the personal information we hold about you.
• Correction: You may request that we correct any inaccurate or incomplete personal information.
• Deletion: You may request deletion of your personal information where we have no legitimate reason to continue processing it.
• Opt-Out of Marketing: You may opt out of receiving marketing communications from us at any time.
• Account Closure: You may request the closure of your account and the deletion of your account information.

6.3 How to Exercise Your Rights

To exercise any of the rights described above, please submit your request through one of the following channels:

• Email: [email protected]
• Website: Submit a request through our privacy request form at zupasrestaurant.rest

We will verify your identity before processing your request to protect your privacy and security. We will respond to your request within 45 days as required by the CCPA/CPRA. If we need additional time, we will notify you of the extension and the reason for it. There is no fee for submitting a privacy rights request, though we may charge a reasonable fee for excessive or repetitive requests.

7. Data Security

We take the security of your personal information seriously and implement a range of technical, administrative, and physical safeguards designed to protect your data from unauthorized access, disclosure, alteration, or destruction.

7.1 Security Measures We Implement

• Encryption: All data transmitted between your browser and our website is encrypted using industry-standard SSL/TLS technology. Sensitive data stored in our systems is also encrypted at rest.
• Access Controls: We restrict access to personal information to authorized employees, contractors, and service providers who have a legitimate need to access it in connection with their job responsibilities. All personnel with access to personal data are subject to confidentiality obligations.
• Firewalls and Intrusion Detection: We deploy firewalls, intrusion detection systems, and other network security technologies to protect our infrastructure from unauthorized access.
• Payment Security: Our payment processing systems are PCI-DSS compliant, ensuring that your financial data is handled according to the highest industry standards for payment security.
• Regular Security Audits: We conduct regular security assessments, vulnerability scans, and penetration tests to identify and address potential security weaknesses.
• Employee Training: All employees who handle personal data receive regular training on data protection best practices and our privacy policies.
• Incident Response: We maintain a data breach response plan to ensure that any security incidents are identified, contained, and addressed promptly, and that affected individuals are notified as required by law.

7.2 Limitations of Security

Despite our best efforts, no security system is completely impenetrable, and no method of data transmission over the internet is 100% secure. While we strive to protect your personal information using commercially reasonable measures, we cannot guarantee absolute security. You also play an important role in protecting your information — please use a strong password for your account, do not share your login credentials with others, and notify us immediately if you suspect unauthorized access to your account.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by applicable law. The following guidelines govern our data retention practices:

When personal information is no longer needed for the purpose for which it was collected and no legal retention obligation applies, we securely delete or anonymize it. Anonymized data may be retained indefinitely for analytical purposes.

9. Children's Privacy

We are committed to protecting the privacy of children and complying with the Children's Online Privacy Protection Act (COPPA) and other applicable laws protecting minors. Our website, online ordering platform, and loyalty programs are not directed at children under 18, and we do not knowingly solicit or collect personal information from minors.

If we become aware that we have inadvertently collected personal information from a child under the age of 18 without verifiable parental consent, we will take immediate steps to delete that information from our records. If you are a parent or guardian and believe that your child has provided personal information to us, please contact us immediately at [email protected] so that we can investigate and take appropriate action.

We encourage parents and guardians to supervise their children's online activities and to use parental control tools to help maintain a safe online environment for minors.

10. International Data Transfers

Zupas is a United States-based company, and your personal information is primarily collected, stored, and processed within the United States. However, some of our third-party service providers may operate in or have servers located in other countries.

If your personal information is transferred internationally, we ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable US laws. These safeguards may include contractual data protection provisions with our service providers, or other legally recognized mechanisms for international data transfer.

If you are accessing our website from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence. By using our services, you consent to this transfer and processing of your data in the United States.

11. Third-Party Links and Services

Our website may contain links to third-party websites, applications, or services, including social media platforms, delivery partner platforms, and payment processors. Please be aware that we are not responsible for the privacy practices of these third parties. This Privacy Policy applies only to our website and services. We encourage you to read the privacy policies of any third-party services you access through links on our website before providing any personal information to them.

12. How to File a Privacy Complaint

If you have concerns about how we handle your personal information or believe that we have violated your privacy rights, we encourage you to contact us first so that we can address your concerns directly.

12.1 Internal Complaint Process

To file a privacy complaint with Zupas, please follow these steps:

1. Submit your complaint in writing to [email protected] with the subject line "Privacy Complaint."
2. Include your full name, contact information, a description of your complaint, and any relevant details or documentation.
3. We will acknowledge receipt of your complaint within 5 business days and provide a substantive response within 30 days.
4. If we require additional time to investigate, we will notify you of the extension and the expected timeline for resolution.

12.2 External Regulatory Complaints

If you are not satisfied with our response to your privacy complaint, you have the right to file a complaint with the relevant regulatory authority. In the United States, the following options are available:

• Federal Trade Commission (FTC): The FTC enforces consumer protection and privacy laws at the federal level. You may file a complaint at www.ftc.gov or by calling 1-877-FTC-HELP (1-877-382-4357).
• California Privacy Protection Agency (CPPA): If you are a California resident and believe your rights under the CCPA/CPRA have been violated, you may file a complaint with the California Privacy Protection Agency at www.cppa.ca.gov.
• State Attorney General: Residents of most states may also file privacy complaints with their state's Attorney General's office.

13. Do Not Track Signals

Some web browsers may transmit "Do Not Track" (DNT) signals to websites. Currently, there is no universally accepted standard for how websites should respond to DNT signals. At present, our website does not respond to DNT signals from browsers. We will continue to monitor developments in this area and update our practices if industry standards emerge.

California residents who wish to exercise their right to opt out of the sale or sharing of their personal information may do so by contacting us as described in Section 6 of this policy.

14. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our business practices, legal obligations, or the services we offer. When we make material changes to this policy, we will:

• Post the updated Privacy Policy on our website at zupasrestaurant.rest with a revised "Last Updated" date at the top of the page
• Send an email notification to registered account holders when changes are significant
• Display a prominent notice on our website for a reasonable period following the update

Your continued use of our website or services after the effective date of the revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the revised policy, you should discontinue using our services and may request deletion of your account by contacting us at [email protected].

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

15. Legal Basis for Processing (Federal and State Law References)

We process your personal information in compliance with applicable United States federal and state privacy laws, including but not limited to:

• Federal Trade Commission Act (15 U.S.C. § 45) — which prohibits unfair or deceptive practices in commerce, including privacy-related practices
• California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act (Proposition 24) — for the collection, use, and sharing of personal information of California residents
• Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) — governing the online collection of personal information from children under 13
• CAN-SPAM Act (15 U.S.C. § 7701 et seq.) — governing commercial email communications
• Telephone Consumer Protection Act (47 U.S.C. § 227) — governing automated telephone and SMS communications
• Payment Card Industry Data Security Standard (PCI-DSS) — governing the security of payment card data

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact our privacy team. We are committed to addressing your inquiries promptly and transparently.

This Privacy Policy was last updated on June 25, 2026, and is effective as of that date. All previous versions of this Privacy Policy are superseded by this document.