Privacy Policy

EFFECTIVE DATE: SEPTEMBER 9, 2024

LAST REVIEWED ON: SEPTEMBER 9, 2024

THE QDOBA WEBSITE AND MOBILE APPLICATIONS ARE ONLY INTENDED FOR USERS IN THE UNITED STATES OR CANADA. IF YOU RESIDE OUTSIDE OF THE UNITED STATES OR CANADA, PLEASE DO NOT USE ANY QDOBA WEBSITE OR ANY MOBILE APPLICATION.

INTRODUCTION

QDOBA Restaurant Corporation (“QDOBA” or “we” or “us” or “our”) respects your privacy and is committed to protecting it through our compliance with this Privacy Policy (this “policy”).

This policy describes the information we collect about you or that you may provide to us, including, but not limited to, when you visit our website, www.QDOBA.com (the “Website”), use the QDOBA Rewards mobile application (the “App,” and together with the Website, our “Services”), or interact with us, whether online, in person, or otherwise, and our practices for collecting, using, maintaining, protecting, and disclosing that information. Your participation in any of our Services is voluntary.

This policy applies to information we collect throughout our business, including:

- On this Website, including when making online or catering orders through our Services.

- Within the QDOBA Rewards Mobile App, including when making online orders through our Services.

- In email, text, and other electronic messages using our Services.

- Through your participation in the QDOBA Rewards program or when you interact with other of our advertising applications on third-party websites, mobile applications, and/or services.

- When you respond to a survey that we, or our third-party service providers, perform.

- When you participate in a promotional sweepstakes or other contest that we, or our third party service providers, conduct.

- From our affiliates and subsidiaries.

- Offline or through any other means of communication or methods of interaction.

However, this policy does not apply to information collected by any third party (including our franchisees (but not our affiliates and subsidiaries)), including through any application or content (including advertising) that may link to or be accessible from our Services unless such third party collecting the information on our behalf as described above (e.g., when conduct a survey on our behalf). In addition, this policy does not apply to information collected from or about our employees, contractors, or applicants or our affiliates’ or subsidiaries’ employees, contractors, or applicants (when acting as employees or contractors). Information collected from or about such employees or contractors will be used and protected pursuant to our employee policies. If you are an employee or contractor of QDOBA or one of its affiliates or subsidiaries, please contact human resources for more information about our employee policies.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to provide us information or to use our Services, purchase from us, or otherwise interact with QDOBA or any of its affiliates or subsidiaries. This policy may change from time to time (see CHANGES TO OUR PRIVACY POLICY). Except as otherwise required under applicable law, your continued use of our Services, purchase of our products, provision of personal information, or other communications or interactions with QDOBA or any of its affiliates or subsidiaries after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.

CHILDREN UNDER THE AGE OF 18

Our Services are not intended for children under 18 years of age. No one under age 18 may provide any personal information to or on our Services, and we do not knowingly collect personal information from children under 18. If you are under 18, do not use or provide any information on our Services or on or through any of its features, make any purchases through our Services, use any of interactive or public comment features of our Services, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or username you may use. If we learn we have collected or received personal information from a child under 18 without verification of parental consent, we will delete that information.

If you believe we might have any information from or about a child under 18, please contact us at:

- www.qdoba.com/talk-to-us, or

- QDOBA RESTAURANT CORPORATION, 350 Camino de La Reina, Suite 400, San Diego, California, 92108.

INFORMATION WE COLLECT ABOUT YOU AND HOW WE COLLECT IT

We collect several types of information from and about users of our Services, and products and services and those individuals that interact with us. We collect information: (i) by which you may be personally identified, such as name, birthdate, age, postal address, e-mail address, telephone number, veteran status, personal preferences, credit card information, including billing address, or any other identifiers by which you may be contacted online or offline; (ii) that is about you but individually does not identify you, such as IP address or other online identifiers; and/or (iii) about your internet connection, the equipment you use to access our Website, and usage details (collectively, “Personal Data”).

We collect this information:

- Directly from you when you provide it to us or a third party acting on our behalf.

- Automatically as you navigate through our Website.

- From our subsidiaries and affiliates.

- Information collected automatically may include usage details, IP addresses, and information collected through cookies, web beacons, pixels, and other tracking technologies.

Information You Provide to Us

The information we collect or receive from you may include:

- Information that you provide by filling in forms supplied on our Services. This includes information provided on or through our Services at the time of registering to use QDOBA Rewards, making online orders, posting material, making an inquiry concerning operating a QDOBA franchise, purchasing a physical or digital Q-Cash card or checking your balance on a Q-Cash card with our third-party partner, submitting feedback and inquiries via QDOBA.com/talk-to-us, using our location finder feature, or requesting any other information or services. We may also ask you for information when you enter a contest or promotion sponsored by us or when you report a problem with our Services.

- Your social media identification if you use social media single sign-on.

- Records and copies of your correspondence (including email addresses) if you contact us.

- Your responses to surveys that we or our service providers might ask you to complete.

- Details of transactions you carry out through our Services (including online orders and catering orders made through our Website) and of the fulfillment of your orders. You may be required to provide a credit card or other financial information before placing an order through our Services.

- Browsing history, search queries, search history, and other information on your interaction with our Services.

- Information that is about you but individually does not identify you, such as:

- Location information, including: QDOBA locations you may have visited, latitude and longitude (when location-based services are enabled) to provide targeted messaging and information on the nearest QDOBA locations, and delivery information provided during ordering.

- Your personal preferences including: dietary preferences, email and communication preferences, and other optional questions about your purchase behavior and menu preferences.

Information We Collect through Automatic Data Collection Technologies

As you navigate through and interact on our Services, we use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

- Details of your visits to our Services, including traffic data, location data, activity logs and other communication data, and the resources that you access and use on our Services.

- Information about your device and internet connection, including your IP address, operating system, and browser type.

We also use these technologies to collect information about your online activities over time and across third-party websites or apps or other online services (behavioral tracking).

Do Not Track (“DNT”) and Global Privacy Control (“GPC”) are privacy preferences that users can set in their web browsers. When our Websites receive a DNT/GPC code, except in the case of certain scenarios where a user actively and knowingly provides Personal Data (e.g. contact forms), our Websites do not track your use across multiple websites other than the Company’s brand Websites included within this notice, but other websites (including, without limitation, certain of our subsidiaries’, affiliates’, and third party providers’ websites) to which we link may continue to track you. When we receive web requests from a user who enables DNT/GPC by actively choosing an opt-out setting in the user’s browser, we will take reasonable efforts to disable tracking cookies/scripts (e.g. Google Analytics, Google Ads, Facebook, X (f/k/a Twitter), Run, and/or other third party scripts).

For more information, see CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION.

The information we collect automatically is generally statistical data and does not include Personal Data, but we may maintain it or associate it with Personal Data we collect in other ways or receive from third parties. It helps us to improve our Services and to deliver a better and more personalized service, including by enabling us to:

- Estimate our audience size and usage patterns.

- Store information about your preferences, allowing us to customize our Services according to your individual interests.

- Speed up your searches.

- Monitor, assess, manage, diagnose problems with, improve, and otherwise administer our Services.

- Recognize you when you return to our Services.

Automatic and Third-Party Information Collection, Analysis, and Tracking

When you use our Services (or their content), we or certain third parties use automatic information collection technologies to collect information about you or your device. These third parties may include:

- Advertisers, ad networks, and ad servers.

- Analytics companies.

- Your mobile device manufacturer.

- Your mobile service provider.

On the Website, the technologies we use for this automatic data collection include:

- Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Services. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Services.

- Locally Stored Cookies. Certain features of our Services may use locally stored objects (or cookies) to collect and store information about your preferences and navigation to, from, and on our Services. These objects cookies are not managed by the same browser or device settings as are used for browser cookies. For information about managing your privacy and security settings for these objects and cookies, see CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION.

- Web Beacons or Tracking Pixels. Pages of our Services or our e-mails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us to track certain activities, for example, to count users who have visited those pages or opened an email and for other related Services statistics (for example, recording the popularity of certain content and verifying system and server integrity).

For more information on our use of cookies, please see our Cookie Policy.

The information automatically collected and analyzed include:

- Usage Details. Certain details of your access to and use of the Services, including traffic data, location data, activity logs and other communication data, and the resources that you access and use on or through the Services.

- Device Information. Information about your mobile device, computer, and internet connection, including the device’s unique device identifier, IP address, operating system, browser type, mobile network information, and the device’s telephone number.

- Stored Information and Files. Metadata and other information associated with other files stored on your device. This may include, for example, photographs, audio and video clips, personal contacts, and address book information.

- Location Information. Real-time information about the location of your device. Location information is analyzed and used to provide you with local restaurant menus and locations, to send targeted promotional offers, and for research purposes as described more below.

We may tie this information to Personal Data about you that we collect from other sources or that you provide to us.

There are additional disclosures in the SPECIAL U.S. PRIVACY INFORMATION SECTION below.

Third-Party Use of Cookies and Other Tracking Technologies

Certain third parties may use cookies, alone or in conjunction with web beacons, pixels, or other tracking technologies, to collect information about you when you use our Services. The information they collect may be associated with your Personal Data or they may collect information, including Personal Data, about your online activities over time and across different websites, apps, and other online services websites. They may use this information to provide you with interest-based (behavioral) advertising or other targeted advertising or content.

We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. For information about how you can opt out of receiving targeted advertising from many providers, see CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION.

There are additional disclosures in the SPECIAL U.S. PRIVACY INFORMATION SECTION below.

HOW WE USE AND DISCLOSE YOUR INFORMATION

We use information that we collect about you or that you provide to us, including any Personal Data:

- To present our Services and their contents to you.

- To provide you with information, products, or services that you request from us.

- To market or advertise our products, services, promotions, contests, and other activities;

- To provide you with notices about your QDOBA Rewards and/or Catering accounts, including expiration notices.

- To carry out our obligations and enforce our rights arising from any contracts entered between you and us, including for billing and collection.

- To extent required under law, to notify you about changes to our Services or any products or services we offer or provide though it.

- To allow you to participate in interactive features on our Services such as checking Q-Cash card balance, managing QDOBA Rewards program, and submitting online orders.

- To estimate our audience size and usage patterns.

- To store information about your preferences, allowing us to customize our Services according to your individual interests.

- To speed up your searches.

- To monitor, assess, manage, diagnose problems with, improve, and otherwise administer our Services.

- To recognize you when you return to our Services.

- To provide, support, personalize, and develop our Website, App, products, and services.

- To create, maintain, customize, and secure your account with us.

- To process your requests, purchases, transactions, and payments and prevent transactional fraud.

- To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.

- To personalize your App and Website experiences and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our App, Website, third-party sites, and via email or text message (with your consent, where required by law).

- To help maintain the safety, security, and integrity of our App, Website, products and services, databases and other technology assets, and business.

- For testing, research, analysis, and product development, including developing and improving our App, Website, products, and services.

- To notify you about changes to our Services or any products or services we offer or provide though it.

- To respond to law enforcement requests and/or as required by applicable law, court or governmental order, or other governmental regulation.

- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all QDOBA’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by QDOBA about our users is among the assets transferred.

- To fulfill any other purpose for which you provide it.

- For any other purpose with your consent.

-In any other way we may describe when you provide the information.

We also use your information to contact you about our own and third-party goods and services that may be of interest to you. If you do not want us to use your information in this way, please check the relevant box located on the form on which we collect your data or adjust your user preferences in your account profile. For more information, see CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION.

We use the Personal Data we have collected from you to enable us to display advertisements to our advertisers’ target audiences. Even though we do not disclose your Personal Data for these purposes without your notice, if you click on or otherwise interact with an advertisement, the advertiser may assume that you meet its target criteria.

There are additional disclosures in the SPECIAL U.S. PRIVACY INFORMATION SECTION below.

You should carefully review the rules of each sweepstakes, contest, raffle, and promotion in which you participate through our Websites, including pages on social-networking services/applications, as they may contain additional important information about the collection, use, and disclosure of your information. To the extent the terms and conditions of the sweepstakes, contest, raffle, or other promotion rules conflict with this privacy policy, the terms and conditions of those rules shall control.

DISCLOSURE OF YOUR INFORMATION

We may disclose aggregated information about our users and information that does not identify any individual without restriction.

WE DO NOT SELL THE PERSONAL DATA WE COLLECT OR USE.

We may disclose Personal Data that we collect, or you provide as described in this policy:

- To our subsidiaries and affiliates.

- To contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep Personal Data confidential and use it only for the purposes for which we disclose it to them (all of which are described herein).

- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all QDOBA’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by QDOBA about our Services’ users is among the assets transferred.

- To governmental entities or other authorities as necessary to respond to law enforcement requests and/or as required by applicable law, court or governmental order, or other governmental regulation.

- To third parties to provide you with customized content, targeted offers, and advertising via email or push notification, or across our website, other websites, mobile applications, social media, or online services. We contractually require these third parties to keep Personal Data confidential and use it only for the purposes for which we disclose it to them.

- To third parties to market their products or services to you if you have not opted out of these disclosures. We contractually require these third parties to keep Personal Data confidential and use it only for the purposes for which we disclose it to them. For more information, see CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION.

- To fulfill the purpose for which you provide it. For example, if you give us an email address to send an e-gift card to a friend, we will transmit the contents of that email and your email address to the recipient.

- With your consent.

- For any other purpose disclosed by us when you provide the information.

We may also disclose your Personal Data:

- To comply with any court order, law, or legal process, including to respond to any government or regulatory request.

- To enforce or apply our Terms of Use and other agreements, including for billing and collection purposes.

- If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of QDOBA, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

There are additional disclosures in the SPECIAL U.S. PRIVACY INFORMATION SECTION below.

CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION

We strive to provide you with choices regarding the Personal Data you provide us with. We have created mechanisms to provide you with the following control over your information:

- Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe’s website. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.

- Promotional Offers from Us. If you do not wish to have your email address or contact information used by us to promote our products or services, you can opt-out of receiving promotional emails at the time of providing data or at any other time by logging into the Services and adjusting your user email preferences in your Account Profile. Please note that this opt-out does not apply to emails sent by us as a result of a product purchase, QDOBA Rewards account-related information, or other similar transactions. If we have sent you a promotional email, you may click on the “unsubscribe” link in the email footer to be omitted from all future email distributions. When you use the App, you may receive push notifications. If you prefer not to receive push notifications, you may adjust your settings on your mobile device to control whether you want to receive these alerts.

We do not control third parties’ collection or use of your information to serve interest-based advertising or other targeted advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. For example, to opt out of ads you see through Meta/Facebook products, you can visit Facebook’s “Activity information from ad partners” section in the Ad Choices webpage through this link. If you wish to opt out of interest-based advertising more generally, please visit http://preferences-mgr.truste.com/ or http://optout.aboutads.info to manage your preferences. You may also delete your history, clear your cache, and delete or manage cookies through your browser and device settings. Please note that you may continue to receive generic ads.

There are additional disclosures in the SPECIAL U.S. PRIVACY INFORMATION SECTION below.

ACCESSING AND CORRECTING YOUR INFORMATION

You can review and change your Personal Data by logging into your QDOBA Rewards account on the Services and visiting your Account Profile, or by logging into the App and adjusting your preferences on the Settings Screen. You may also send us a request via [email protected] to request access to, correct, or delete any Personal Data that you have provided to us. We can only delete credit card information in accordance with our standard retention policy. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

There are additional disclosures in the SPECIAL U.S. PRIVACY INFORMATION SECTION below.

SPECIAL U.S. PRIVACY INFORMATION

Certain U.S. state laws may provide you with additional rights regarding our use of your personal information.

As described more in this policy, some of the personal information we collect information meets the definitions of “personal information,” “personal data,” “sensitive data,” or “sensitive personal information” under these state laws. Any such “sensitive data” or “sensitive personal information” is referred to as “Sensitive Data” in this policy.

In particular, within the last twelve (12) months, we collected (whether directly, indirectly (e.g., by observing your actions on the Website), or from third parties) the categories of Personal Data and Sensitive Data listed below, which constitute “sensitive personal information” subject to these state laws, listed in the tables below. Any such collection has been for the purposes included in the appropriate section of the HOW WE USE YOUR INFORMATION section above.

For the purposes of this Section, “Personal Data” does not include information specifically excluded from the scope of applicable data protection laws, such as certain publicly available information, deidentified or aggregated consumer information, or health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

We have not sold any Personal Data or Sensitive Data of consumers in the last twelve (12) months. As used herein, “sell” or “sold” is defined in state privacy laws.

QDOBA obtains the categories of Personal Data and Sensitive Data listed above from the following categories of sources:

Directly from you when you provide it to us or a third party acting on our behalf.

Automatically as you navigate through our Website.

Information collected automatically may include usage details, IP addresses, and information collected through cookies, web beacons, pixels, and other tracking technologies.

We disclose your Personal Data or Sensitive Data to a third party for business purposes. When we disclose Personal Data or Sensitive Data for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that Personal Data and Sensitive Data confidential and not use it for any purpose except performing the contract. We disclosed Personal Data or Sensitive Data, as applicable, for a business purpose to the following categories of third parties:

Subsidiaries and affiliates;

email and other information technology service providers,

consumer relations, including consumer complaint response services,

legal representation, including with regard to preventing harm to our company, its subsidiaries, our products or services, or a person or property (e.g., fraud prevention) or the prosecution, processing, defense, or disposition of any claims of potential claims; and

shareholder record-keeping, notice, transfer agent, and other investor relation services.

We share your Personal Data with third parties, but we will not share your Sensitive Data with third parties. As used in this policy, “share” refers to sharing for purposes of cross-context behavioral advertising or targeted advertising, as contemplated under state privacy laws. Applicable law prohibits third parties who receive the Personal Data from selling or resharing it unless you have received explicit notice and an opportunity to opt-out of further sales or sharing.

We share your Personal Data with the following categories of third parties for cross-context behavioral advertising/targeted advertising:

Advertisers.

Social media companies.

Internet cookie information recipients, like Google.

As applicable, certain state privacy laws provide their residents, respectively, with specific rights regarding their Personal Data, including the following:

1. Access to Specific Information and Data Portability Rights. You may have the right to request that we disclose certain information to you about our collection and use of your Personal Data and Sensitive Data.

Once we receive and verify your request (please see Subsection Exercising Access, Data Portability, Correction, and Deletion Rights below for more information), we will disclose to you, as applicable:

The categories of Personal Data and Sensitive Data we collected about you.

The categories of sources for Personal Data and Sensitive Data we collected about you.

Our business or commercial purpose for collecting or sharing that Personal Data or Sensitive Data, as applicable.

The categories of third parties with whom we disclose Personal Data and Sensitive Data.

The specific pieces of Personal Data and Sensitive Data we collected about you (also called a data portability request).

If we sold, shared, or disclosed your Personal Data or Sensitive Data for a business purpose, a list disclosing the Personal Data or Sensitive Data categories that we disclosed for a business purpose and for each category identified, the categories of third parties to whom we disclosed that particular category of Personal Data or Sensitive Data, as applicable.

2. Correct Specific Information. You may have the right to request that we correct inaccurate Personal Data about you. Once we receive and verify your request (please see Subsection Exercising Access, Data Portability, Correction, and Deletion Rights below for more information), we will use commercially reasonable efforts to correct the information to comply with your request. Not all state privacy laws may afford this right to their residents.

3. Deletion Request Rights. You may have the right to request that we delete any of your Personal Data or Sensitive Data that we collected from you and retained, subject to certain exceptions. Once we receive and verify your request (please see Subsection Exercising Access, Data Portability, Correction, and Deletion Rights below for more information), we will delete (and direct our service providers to delete) your Personal Data or Sensitive Data, as applicable, unless an exception applies. In responding to your request, we will inform you whether or not we have complied with the request, and, if we have not complied, provide you with an explanation as to why.

We may deny your deletion request as permitted by applicable law. For example, we may deny your deletion request if retaining the information is necessary for us, or our service provider(s), to:

Complete the transaction for which we collected the Personal Data or Sensitive Data, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.

Help to safeguard the security and integrity of your Personal Data and Sensitive Data to the extent the use of your Personal Data or Sensitive Data is reasonably necessary and proportionate for those purposes.

Debug products to identify and repair errors that impair existing intended functionality.

Exercise free speech, ensure the right of another consumer to exercise his/her free speech rights, or exercise another right provided for by law.

Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).

Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.

Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.

Comply with a legal obligation.

4. Right to Limit Use and Disclosure of Sensitive Data. You may have the right, at any time, to direct us to limit our use and disclosure of your Sensitive Data to use which is necessary for certain purposes enumerated in applicable law (“Enumerated Purposes”). To the extent we use or disclose your Sensitive Data for purposes other than the Enumerated Purposes, you may have the right to limit such use or disclosure. However, if our use and disclosure of your Sensitive Data is limited to the Enumerated Purposes, you do not have such right. To the extent applicable, you may also have the right to withdraw the consent you provided for our use and disclosure of your Sensitive Data.

The Enumerated Purposes include the following:

To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.

To detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted Personal Data, including Sensitive Data.

To resist malicious, deceptive, fraudulent, or illegal actions directed at us and to prosecute those responsible for those actions.

To ensure the physical safety of natural persons.

For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with us, provided that we will not disclose the Sensitive Personal Data, to another third party and will not use it to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with us.

To perform services on behalf of us, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of our business.

To verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.

For purposes that do not infer characteristics about you.

Currently, we do not use Sensitive Data for purposes other than the Enumerated Purposes above, and we do not sell or share any Sensitive Data.

5. Personal Data Sharing Opt-Out and Opt-In Rights.

Pursuant to applicable law, you may have the right to direct us to not share your Personal Data at any time (the “right to opt-out”). As used herein, “share” refers to sharing for purposes of cross-context behavioral advertising or targeted advertising, as contemplated under state privacy law.

Pursuant to California law, we hereby disclose that we do not have actual knowledge that we sell or share the Personal Data of consumers under 18 years of age, and we do and will not sell or share the Personal Data of consumers we actually know are less than 18 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is between 13 and 18 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to Personal Data sharing may opt-out of future sharing at any time.

To exercise the right to opt-out, you (or your authorized agent) may submit a request to us by visiting the following Internet Web page link: Do Not Share My Personal Data

You may also exercise the right to opt-out using an opt-out preference signal in a format commonly used and recognized by businesses, such as through an HTTP header field. When we receive an opt-out preference signal, we will treat it as a valid request to opt-out of the sale or sharing for that browser or device sending the signal, and, if known, for the consumer.

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize Personal Data sharing. However, you may change your mind and opt back into Personal Data sharing at any time by logging into your account or visiting the following Internet Web link: QDOBAConsumer Requests

You do not need to create an account with us to exercise your opt-out rights. We will only use Personal Data provided in an opt-out request to review and comply with the request.

If you wish to opt out of interest-based advertising not provided by us, please visit http://preferences-mgr.truste.com/ or http://optout.aboutads.info to manage your preferences. You may also delete your delete your history, clear your cache, and delete or manage cookies through the browser and device settings. Finally, you may opt out of advertising directly through the third party provider itself. For example, to opt out of ads you see through Meta/Facebook products, you can visit Facebook’s “Activity information from ad partners” section in the Ad Choices webpage through this link. Please note that you may continue to receive generic ads.

Exercising Access, Data Portability, Correction and Deletion Rights.

To exercise the access, data portability, correction, and deletion rights described above, please submit a consumer request to us through one of the following:

Toll-Free Phone: 866-500-0094

Email: [email protected]

Postal Address:

QDOBA RESTAURANT CORPORATION

Attention: Privacy Request

350 Camino de La Reina, Suite 400

San Diego, California 92108

Your Account: Click “Profile”, then click “Permanently Delete My Account”.

Online: QDOBA Consumer Requests

If you use one of the request methods above, we will request certain information for verification purposes, such as your name, address, and e-mail address. We will use this information to verify this is a permitted request, such as by matching your name and address with information in our records. Depending on the type of request, we may require a certain number of data points to allow for verification.

Only you, or a person properly authorized to act on your behalf, may make a verifiable consumer request related to your Personal Data. You may also make a verifiable consumer request on behalf of your minor child.

An authorized agent may make a request on your behalf using the request methods designated above. Additionally, if you use an authorized agent to submit a consumer request, we may require the authorized agent to provide proof that you gave the agent signed permission to submit the request. We may also require you to verify your own identity directly with us or directly confirm with us that you provided the authorized agent permission to submit the request.

The verifiable consumer request must:

Provide sufficient information that allows us to reasonably verify whether you are the person about whom we collected Personal Data or an authorized agent of such person.

Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you.

Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Data associated with that specific account.

We will only use Personal Data provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

If we deny your request, you may have the right to appeal against our decision. Further, if you appeal and your appeal is denied, you may have the right to complain to your state’s attorney general. You may appeal your decision by contacting us at [email protected].

For instructions on exercising sale or sharing opt-out rights, see Personal Data Sharing Opt-Out and Opt-In Rights.

7. Response Timing and Format. In accordance with applicable law, we endeavor to respond to a consumer request within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. If you have an account with us, we may deliver our written response to that account. If you do not have an account with us, we may deliver our written response by mail or electronically, at your option.

The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

You may make a consumer request for access or data portability free of charge twice within a 12-month period. Additional access or data portability requests may be subject to a fee. We may charge a fee to process or respond to your consumer request if it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

8. Non-Discrimination. We will not discriminate against you for exercising any of your rights. Unless permitted by applicable laws, in connection with you exercising your rights, we will not:

Deny you goods or services.

Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.

Provide you a different level or quality of goods or services.

Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by applicable laws that can result in different prices, rates, or quality levels. Any legally permitted financial incentive we offer will reasonably relate to your Personal Data’s value to us and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time.

9. Other California Privacy Rights. California Civil Code Section § 1798.83 permits California residents to request certain information regarding our disclosure of personal data to third parties for their direct marketing purposes. To make these requests, please send an email to [email protected] or by mail to Privacy Request, 350 Camino de La Reina San Diego, California, 92108.

CANADIAN RESIDENTS

Notwithstanding anything herein to the contrary, if you are a resident of Canada, the following provisions shall apply (and trump all conflicting provisions in this policy):

We will not send you any online newsletter or email marketing communication unless you express consent to receive such newsletters or communications from us.

Prior to receiving any such newsletter or email marketing communications, you will be given the opportunity to consent to receive such communications from us. If you opt-in to receive such communications, we may use the information to communicate with you regarding our products, services, and promotions, to provide you with other information that you request, and/or to improve our product and service offerings.

You will always have the opportunity to “unsubscribe” from receiving the e-mail or other communication at any time. You can unsubscribe by clicking on the “unsubscribe” link found at the bottom of any of our emails, or by contacting us at:

QDOBA RESTAURANT CORPORATION

Attention: Guest Relations

350 Camino de La Reina, Suite 400

San Diego, California 92108

You can also “unsubscribe” from promotional emails through changing your personal preferences by logging into your QDOBA Rewards account on the Website or QDOBA mobile application and visiting your Profile.

Please be aware that we are headquartered in, and many of our third-party service providers are be located within, the United States, and as a result your information will be transferred to the United States.

We do not directly advertise to any children under the age of 18, including, without limitation, any children under the age of 18 living in Quebec.

DATA SECURITY

We have implemented measures designed to secure your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. Any payment transactions will be encrypted.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted via our Services. Any transmission of Personal Data is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained in the Services.

INFORMATION RECEIVED FROM THIRD PARTIES

If you choose to connect your account on our Services to your account on another Service, we may receive information from the other service, such as a third-party delivery platform. You may also choose to grant us access to your data from another service. You can stop sharing the information from the other service with us by removing our access to that other service.

We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about any third party’s policies or procedures, you should contact the responsible provider directly.

OTHER SITES

Our Services may contain links to other sites, including those of our business partners. While we seek to link only to sites that share our high standards and respect for privacy, we are not responsible for the content or privacy and security practices and policies of these websites or any other sites that are linked to from our Services, or any damage to, or viruses that may infect your computer equipment or other property, or for any loss or corruption of data resulting from any third party website navigated to or accessed from links hosted on or contained in our Services. If you decide to access any website linked to our Services, you do so entirely at your own risk. We do not guarantee that you will receive an alert when you leave our Services, and it is your responsibility to determine when you have left the Services. Any Personal Data you provide on linked pages or applications is provided directly to that third party and is subject to that third party’s privacy notice or policy. We encourage you to learn about their privacy and security practices and policies before providing them with Personal Data.

CHANGES TO OUR PRIVACY POLICY

We may amend this policy at any time. If we make any material changes in the way we collect, use, and/or share your personal data or to this policy, we will notify you by prominently posting notice of the changes on the websites and apps covered by this policy and as otherwise required by law (if any). The date this policy was last revised is identified at the top of the page. We encourage you to review this page periodically for the latest information on our policy.

CONTACT INFORMATION

To ask questions or comment about this privacy policy and our privacy practices, contact us via QDOBA.com/talk-to-us, or write us at: QDOBA RESTAURANT CORPORATION, Attention: Privacy Request, 350 Camino de La Reina, Suite 400 San Diego, California, 92108.