We at Chiquito respect your right to privacy. This Privacy Notice describes the types of personal information that you may provide to us or which we may otherwise collect when you communicate with us, and how we may use your information, who we may share it with and how we protect it. We also tell you how you can update your information, unsubscribe from receiving marketing communications from us or change your preferences.
Chiquito is a brand of The Restaurant Group (UK) Limited, a company registered in England under company number 894426, with its registered office at 5-7 Marshalsea Road, London SE1 1EP. VAT number 340 3778 62 (“Chiquito”, “we” or “us”), which is the data controller of your personal information.
What this Privacy Notice covers
Whenever you communicate with us, including when you:
• visit our website located at http://www.chiquito.co.uk
• make a booking
• use one of our apps
• use the Free Wi-Fi service in one of our restaurants or
• provide your details to show that you qualify for certain discounts
(whether you do this directly or through one of our partners or sub-contractors), we collect, store and use your personal data in various ways. Because at Chiquito, we know that your personal data is important to you, we want to be completely transparent with you, so you know exactly what we are doing with it. This Privacy Notice explains:
• what information we collect and how we obtain it
• how we collect and use Test and Trace information
• how we protect your information
• purpose and legal basis for the information we collect and use
• special offers and promotions
• sharing and disclosure of Personal Information
• collection of information by third party sites
• your rights regarding your Personal Information
• retention of Personal Information
• disabling / Enabling Cookies
• revisions to this Privacy Notice
• how to contact us
What information is collected and how do we obtain it?
In the normal course of our business, we will collect personal information relating to you, such as your name, address, phone number, e-mail address and date of birth (“Personal Information”) whenever you communicate with us or one of our partners or sub-contractors, (including by email, phone, SMS, via the website, our apps or otherwise), for example, in the following situations:
• when you book a table, order online or by telephone, dine in, pay a deposit, pay your bill or purchase a voucher for use in one of our restaurants. When you book or order through one of our partners (including LiveRes, Sevenrooms or our delivery partners), they may pass your Personal Information (including your name, email address, telephone number and details of your booking) onto us;
• when you register for Chiquito rewards, vouchers or other offers, subscribe for e-mail newsletters and update services (we may also ask you your age, whether you have children (but not their names), your postcode, your marketing preferences and other relevant information and may use this to tailor offers appropriate to you);
• when you want to show that you qualify for certain discount offers (e.g. our NHS or student discounts or promotions), we will ask for your first name, surname, date of birth, email address, college or university (for students) or medical institution and position held (for NHS staff) to verify that you qualify;
• when you use our free Wi-Fi service (we may also ask you your age so we can ensure we meet any minimum legal age limits);
• the Chiquito App provides services based on your location; if you wish to switch off location services, you will need to change the settings on your device;
• if you choose to participate in market research initiatives or promotional events, complete a questionnaire or competition entry form;
• we operate CCTV in all our restaurants - please consult the signage in the restaurant for more details;
• if you submit a job application form and/or CV, or otherwise seek employment with us, we will collect your Personal Information (including employment history and qualifications, photo id, and reference contact details and, where required, criminal records checks). You may also choose to give us certain details about a medical condition or disability, religious belief or other sensitive data relevant to your application for employment. We also collect ethnicity data (on a voluntary basis) in order to monitor our adherence to equal opportunities and anti-discrimination laws.
Some of the personal information that you provide may include sensitive personal information, such as health-related information when you make a complaint or suffer an incident in one of our restaurants (see above). We need this information to investigate the complaint or incident and (if necessary) report it to health or other authorities, law enforcement agencies, our insurers and any suppliers who may be involved. We may also collect information about the names of others in your party, and any other information needed for the purposes of the investigation.
Information may be collected automatically when you use the Free Wi-Fi service in one of our restaurants in order to produce aggregated and anonymous reports concerning the use of the Free Wi-Fi service. These reports will not personally identify you. Specifically, the information we collect automatically may include information like your IP address, device type, unique device identification numbers, browser-type, broad geographic location (e.g. country or city-level location) and other technical information.
Please note that Free Wi-Fi is not available for persons under 18 years old. If you are under 18 years old, you will need to ask a parent or other responsible adult to sign in for you.
Payment and card details and paying via the app or website
In order to pay your Chiquito bill using Pay My Bill or another app or website feature, where this service is available, you will need to input a valid email address and your credit or debit card details. Payment processing services are provided by Braintree, a division of PayPal (Europe) S.a.r.l. et Cie, SCA (“Braintree”), which will involve transferring your data to Braintree’s servers located within the United States. Braintree is self-certified to the US Department of Commerce under the EU-US Privacy Shield. The application will transfer payment details directly from Braintree to the operator’s point of sale system.
We will not store your card details on our system. Your personal and card details will be securely stored by Braintree and used only for the purpose of administering payment, verification of transactions, refunds and ease of use in future transactions using the service. However, your CSC/CVV number will not be stored and must be entered each time you use a card for authentication. We will also share your email address with Omnifi Limited who will generate and send you an electronic receipt on our behalf, following bill payment.
Test and Trace information
To support NHS Test and Trace, we are required by law to collect and keep a record of staff and guests and visitors who come onto our premises for the purpose of contact tracing.
By maintaining records of staff and guests, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.
As a guest of Chiquito, you will be asked to provide some basic information and contact details as part of your booking (either when you pre-book or, if you don’t already have a booking, when you walk in and ask for a table). If a booking cannot be made on our system, we may ask you to complete a paper Test and Trace form. The following information will be collected:
• the names of all guests, or if it is a group of people, the name of the lead member of the group
• a contact phone number for each guest, or for the lead member of a group of people
• date of visit and arrival time and departure time.
We will also use this information to support NHS Test and Trace. Chiquito will be responsible for compliance with data protection legislation for the period of time it holds the information. When that information is requested by the NHS Test and Trace service, the NHS would at this point be responsible for compliance with data protection legislation.
We will only share information with NHS Test and Trace if it is specifically requested by them. For example, if another guest at the venue reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of guest details for a particular time period (for example, this may be all guests who visited on a particular day or time period or guests who dined in the vicinity of the guest who tested positive). NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order).
If the information is collected only for the purpose of contact tracing (for example, if you are asked to complete a paper Test and Trace form) it will not be used for other purposes, and in addition, where the information is only collected for the purpose of contact tracing, it will be destroyed 21 days after the date of your visit.
However, if the information is part of, or collected at the same time as, information that we would usually collect, store and use in our ordinary dealings with you (such as the information we collect for bookings or when you use our WiFi or the Pay by Phone facility), this information will continue to be held after 21 days and we will use it as we usually would, unless and until you tell us not to.
Your information will always be stored and used in compliance with the relevant data protection legislation.
How do we protect your information?
We apply appropriate technical and organisational security measures to prevent unauthorized access to Personal Information we hold about you. All Personal Information about our guests is stored within a robust secure environment. We never sell your data to a third party. Our practice is that no data is ever provided to third parties except in the circumstances described below under Sharing and Disclosure of Personal Information.
Please note that email correspondence with us is in free format text and cannot be encrypted. Accordingly please do not send any sensitive information such as credit card details or passwords via email. Please also note that perfect security does not exist on the Internet. You’ll know that you’re in a secure area of our website when a “padlock” icon appears on your screen and the “http” portion of our URL address changes to “https.” The “s” stands for “secure.”
Purpose and legal basis for the information we collect and use
We know how important your Personal Information is so we will only ever collect and use your Personal Information for a lawful reason relating to our business. Generally this means that we will use your Personal Information:
• to carry out a contract with you or because you have asked us to take specific steps, for example booking a table, ordering food, arranging delivery or collection, applying a discount, processing payment of your bill, allowing you to connect to free WiFi at our restaurants, investigating and handling complaints or considering your CV or employment application;
• because we have to comply with the law and applicable regulations, for example NHS Test and Trace or reporting any health, safety or security incidents to the relevant authorities,
• for legitimate legal purposes such as providing you with special offers, discounts, news and information about us which may be of interest to you (we think you’ll love receiving these but, if not, you can opt out at any time); updating and maintaining our records, retaining your details so you can log in quicker in the future, preventing or detecting fraud or abuses of our website or our Free Wi-Fi service, issuing vouchers for use in our restaurants, enabling third parties to carry out technical, logistical or other functions on our behalf to make our apps, website more useful to you; for personalised service and communications , targeted and online behavioural advertising: analytics and profiling of guests; monitoring website usage and offer performance / conversion; guest surveys and data analytics to understand how we are doing, whether we are meeting our guests’ needs and seeking ways we can improve our products, services, communications and offers;
• where required by external parties we deal with such as our insurers (e.g. where there has been an accident or incident in one of our restaurants), suppliers (if there has been a food-related incident) or where necessary for the establishment, exercise or defence of any legal claims.
Special offers and promotions
We think you will love hearing about our special offers, discounts, news and information and don’t want you to miss out on our special deals, so unless you have told us that you do not wish to be contacted for this purpose, we will send these to you by email or text. These may include joint promotions with our business partners.
If you no longer want to receive such special offers, discounts, news and information, you can either:
• simply click on “unsubscribe” at the foot of the email or text and we will take you off our marketing and promotions list or
• if you have registered for Chiquito offers, rewards or vouchers, log into your account on our website at www.chiquito.co.uk and change your preferences at any time.
Sharing and disclosure of Personal Information
We want you to be clear on what we do with your Personal Information. We will keep your Personal Information secure and never sell your Personal Information to anyone. We do use sub-contractors to carry out certain functions on our behalf and, occasionally, have to disclose your Personal Information (for example, to provide specific services to you or dealing with insurers or public authorities like the police). This is described more fully below:
Sub-contractors, suppliers and agents: from time to time we employ other companies to perform functions on our behalf including taking orders and fulfilling order deliveries, designing and sending guest communications, providing guest vouchers, analysing data, providing elements of our IT or back-up systems, providing marketing assistance, processing payments, improving our services and providing customer service. They may have access to Personal Information needed to perform their functions, but are not permitted to use it for other purposes and cannot modify, disclose or erase your data without our instructions.
Payment processing: Payment processing services are provided by Braintree, a division of PayPal (Europe) S.a.r.l. et Cie, SCA. We will also share your email address with Omnifi Limited who will generate and send you electronic receipts and other payment confirmations on our behalf.
Checking you qualify for certain discount offers: In order to check that you qualify for certain offers (e.g. our NHS or student discounts and promotions) we will share your details with a third-party ID verification service provider, SheerID, Inc., based in the US, and their relevant sub-processors, also based in the US. However, we will always ask for your consent before we share your details.
Legal reasons: we may disclose information about you (i) if we are required to do so by law or regulation (e.g. food safety), (ii) in response to a request from law enforcement authorities or other government officials, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity.
Fraud / Credit Risk: where necessary to prevent fraud or reduce credit risk, we may exchange your Personal Information with other companies and organisations.
Business transfers: in any corporate transactions (e.g. buying or selling of businesses, stores or business units) Personal Information is generally one of the transferred assets. We reserve the right to transfer any information we have about you in the event we sell or transfer all or a portion of our business or assets, however that would always be under conditions of strict confidentiality and limited to the specific purpose.
Sending data outside of the UK or Europe: We generally do not transfer your Personal Information to countries outside the UK and the European Union. However, some of our appointed carriers, sub-contractors, suppliers and agents may transfer, use or store data in other countries. Where this is the case, they are obliged to ensure that there is equivalent protection for your Personal Information as would be the case within the UK and the European Union.
If you want to make use of our student or NHS discounts, we will ask for your consent before we transfer your Personal Information to our third-party ID verification service provider based in the US.
We have taken appropriate safeguards to require that your Personal Information will remain protected in accordance with this Privacy Notice. In absence of an adequacy decision, these safeguards may include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information by a data controller established in the European Union to a processor established in a third country which does not offer adequate level of protection.
Collection of information by third party sites
Our website may contain links to other websites whose privacy practices may be different to ours. You should check the privacy notices of those third party sites as we have no control over information that is submitted to or collected by those third party sites. We are not responsible for the content of these sites, any products or services that may be offered through these sites, or any other use of these sites.
Your rights regarding your Personal Information
You have certain rights regarding your Personal Information. We summarise these below:
Right to access: You have the right to access data about you that we use. If you have registered for Chiquito offers, rewards or vouchers, you can see and update your Personal Information by logging into your account on our website at www.chiquito.co.uk. If you want to access all your Personal Information or specific Personal Information not available on your Chiquito Rewards account, then you can make an access request by writing to us (see below). We will process your request without undue delay and, at the latest, within 1 month, unless your request is complex or numerous in which case we may take up to 3 months, but we will inform you within 1 month if this is the case.
Please note that there are certain limited exceptions to your right to access personal data such as if it would involve disclosing the personal information of another person who has not consent to such disclosure, if disclosing Personal Information would prejudice on-going negotiations with you, information relating to the prevention or detection of crime or apprehension or prosecution of offenders, management information and information covered by legal privilege.
Right to rectification: when you log in to your account, you can also rectify or update any information on your account. If you are not able to do so, then you can make a rectification request by writing to us (see below).
Right to erasure: When you log on to your account, you may also erase any data on your account with the exception of data that is required for you to keep your account open (such as your email address, name etc.). You also have the right request us to erase Personal Information which Chiquito hold about you by writing to us (see below).
Please note that there are exceptions such as where we need to retain Personal Information for legal reasons (e.g. where necessary for the establishment, exercise or defence of any legal claims) or where we have another legitimate business reason for retaining Personal Information.
Right to restrict or object to processing: if you want to stop receiving special offers, discounts, news and information from us, either:
• simply click on “unsubscribe” at the foot of the email or text and we will take you off our marketing and promotions list,or
• if you have registered for Chiquito offers, just log into your account on our website at www.chiquito.co.uk and change your preferences on your profile tab at any time,or
• in case you do not have an account on our website, you can simply write to: Guest Services, Chiquito, 5-7 Marshalsea Road, London SE1 1EP.
You also have the right to request portability of your Personal Information which you have given us.
Right to complain to a data protection authority: You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.
To make a request concerning your Personal Information, as described above, please use the contact form on the website or write to: Guest Services, Chiquito, 5-7 Marshalsea Road, London SE1 1E.
Retention of Personal Information
We will keep your data for as long as necessary to carry out the purpose for which we collected it. If we have had no online contact from you (e.g. logging onto free Wi-Fi, using your Chiquito rewards, ordering vouchers or taking up special offers and promotions) for 3 years, we may delete your Personal Information.
If at any time you wish to opt-out of receiving special offers and promotions, restrict our processing of your Personal Information, or ask us to erase your Personal Information, please see Your rights regarding your Personal Information above.
We, our service providers, and/or non-affiliated third parties, may use “cookies” or similar technologies on the Site. When you visit our website we serve cookies to your computer. Cookies may be used in the following ways:
• to enable the personalisation features on our website (which give you the ability to recall recently viewed pages and see information which you have input online);
• to compile anonymous, aggregated statistics that allow us to understand how users use our website and to help us improve the structure of our website. We cannot identify you personally in this way
• for advertising and marketing purposes and
• for security, site and product integrity.
A cookie is a text-only string of information that a website transfers to the cookie file of the browser on your computer’s hard disk so that the website can recognise your computer when a user of your computer returns to a website previously visited by someone using your computer. A cookie will typically contain the name of the domain from which the cookie has come, the “lifetime” of the cookie, and a value, usually a randomly generated unique number that identifies your computer. Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the website.
There are two broad categories of cookies “first party cookies” and “third party cookies”. First party cookies are cookies that are served directly by the website operator to your computer, and are used only by the website operator to recognise your computer when it revisits that site. Third party cookies are served by a service provider on behalf of the website operator, and can be used by the service provider to recognise your computer when it visits other websites. Third party cookies are most commonly used for website analytics or advertising purposes.
The sorts of cookies we use may include:
Anonymous site usage statistics
We use Google Analytics cookies to record anonymous usage of the site and produce statistics such as the number of visitors to a page. These cookies include _ga, _gat, _gid.
We also use Hotjar web analytics to keep track of how people use our web site. It has no personal information stored and certainly cannot be used to contact you.
Some parts of our website are supplied by third parties and embedded within this site. When you use third party services they may also place cookies on end user browsers. An example of this is our table reservation system. These third parties may use additional cookies for service, performance, tracking and analytics purposes and the information practices of those third-parties are not covered by this Privacy Notice. We suggest you check these third party websites for more information about the cookies they use.
Gift vouchers/shopping cart
Disabling / Enabling Cookies
You can accept or decline cookies by modifying the setting in your browser. The “help” portion of the toolbar on most Internet browsers will tell you how to change your browser cookie settings, including how to have the browser notify you when you receive a new cookie, and how to disable cookies altogether. For further details on how to do this please visit the educational sources http://www.allaboutcookies.org and http://www.youronlinechoices.eu.
Please note that if you disable cookies you may not be able to use all the features of our website.
Revisions to this Privacy Notice
We may update or revise all or any part of this Privacy Notice from time to time. A copy of the current Privacy Notice will be posted on our website and we encourage you to check it from time to time so you are aware of any changes or updates to the notice. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the bottom of this Privacy Notice.
How to contact us
Should you have any questions about this Privacy Notice or how we use your Personal Information, please write to us at:
5 – 7 Marshalsea Road
London SE1 1EP
5th November 2021