FIVE GUYS

PRIVACY POLICY

Effective Date: December 31, 2019

Download PDF

Five Guys Enterprises, LLC and its parent and affiliated entities (“Five Guys,” "us," or "we") adopted this Privacy Policy to reflect our commitment to protecting your privacy. We take the collection of Personal Information from our consumers seriously and are committed to protecting your Personal Information in accordance with this Privacy Policy. Please read below to learn how we collect, use, and disclose Personal Information.

We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and other applicable privacy laws, including the EU’s General Data Protection Regulation (GDPR). Any terms defined in the CCPA have the same meaning when used in this Notice. We have also included specific information for other applicable privacy laws so that our consumers who may be subject to those laws can be informed of their rights and the options Five Guys provides to enable the exercise of those rights.

For information about specific rights under applicable privacy laws that may be different from the general information applicable to all Five Guys consumers, please see the sections labelled “Rights and Choices For California Consumers,” “Rights and Choices for Nevada Consumers,” and/or “Rights and Choices for EU/EEA (and UK) Consumers” at the end of this Privacy Policy.

WHERE THIS PRIVACY POLICY APPLIES

This Privacy Policy applies to (a) our websites, including the websites available at https://www.fiveguys.com/ and https://five-guys-gear.myshopify.com/ (each, a “Site” and collectively the “Sites”); (b) our interactions with our consumers in our corporate-owned stores in California; and, (c) sweepstakes, contents, promotions, and, consumer satisfaction surveys (subsections (b) and (c) are each a “Service” and collectively the “Services”). Please note that the franchisee-owned Five Guys stores are outside the control of Five Guys and, as such, this Privacy Policy does not apply to your in-store interactions in those stores. We encourage you to contact those franchisee-owned Five Guys stores directly to learn more about their privacy practices.

If a particular service provided by or on behalf of Five Guys refers or links to a different privacy policy, then that privacy policy – not this Privacy Policy – applies.

By submitting any information through a Site, you acknowledge and agree that Five Guys may process (i.e., collect, use, etc.) your Personal Information as described in this Privacy Policy.

THE TYPES OF INFORMATION WE COLLECT

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“Personal Information”). Personal Information does not include:

  • Publicly available information from government records;
  • Deidentified or aggregated consumer information; or,
  • Information excluded from the scope of applicable privacy laws (including the CCPA and GDPR), like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

For the purposes of consumers subject to the GDPR, Personal Information has the same meaning as “Personal Data” under that Regulation.

In particular, we have collected the following categories of Personal Information from our consumers:

Category

Examples

Collected

A. Identifiers

A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.

YES

B. Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).

A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Some Personal Information included in this category may overlap with other categories.

YES

C. Protected classification characteristics under California or federal law.

Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).

YES

D. Commercial information.

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

YES

E. Biometric information.

Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.

YES

F. Internet or other similar network activity.

Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.

YES

G. Geolocation data.

Physical location or movements.

YES

H. Sensory data.

Audio, electronic, visual, thermal, olfactory, or similar information.

YES

I. Professional or employment-related information.

Current or past job history or performance evaluations.

YES

J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

NO

K. Inferences drawn from other Personal Information.

Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

NO

We obtain the categories of Personal Information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or products and services you purchase.
  • Indirectly from you. For example, from observing your actions on our Website including by technological means. For more information about how we may collect your Personal Information by technological means, please see the section labelled “Personal Information Collected Via Technology.”
  • From Service Providers. For example, from vendors that provide services to us, which enable you to purchase products, so we can fulfill your purchases.
  • From publicly available sources, such as social media sites, when permitted by the terms of service for those sources. For example, if you communicate with us over Twitter or Instagram, we may receive additional information about you from your profile.

PERSONAL INFORMATION COLLECTED VIA TECHNOLOGY

As you access or use a Site, we use technological means to collect information from you (including some Personal Information) to make the Sites more useful to you, including the Uniform Resource Locator (URL) you just came from, the URL you go to next, your browser type, your Internet Service Provider (ISP), and your Internet Protocol (IP) address. We may also use cookies and pixels to collect Personal Information from you about your use of our Sites.

An "IP Address" is a number that is automatically assigned to your computer when you use the Internet. In some cases your IP address stays the same from browser session to browser session. However, if you use a consumer internet service provider, your IP address may vary from session to session. We track IP addresses solely in conjunction with session cookies to analyze our web page flow.

"Cookies" are small pieces of information that a website sends to your computer's hard drive while you are viewing a website. Five Guys uses both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer until they expire or until you delete them) to provide you with a more personal and interactive experience on the Sites. Persistent cookies can be removed by following the help directions for your internet browser. If you choose to disable all or most cookies, some areas of the Site may not work properly.

In addition to cookies, Five Guys uses "pixels" to enable certain cookies or advertisements on the Sites and to track the number of times a link or advertisement is served on a webpage. A pixel is a tiny, 1x1 image that is loaded when you visit our Sites, but instead of calling up an image, it causes a cookie or application to be downloaded. Pixels can be used to track user activities, track the number of times a user has viewed a particular link or advertisement, track and optimize website traffic, display advertisements, keep track of advertising commissions, and otherwise collect data for online marketing and website analysis. As with cookies, our Sites utilize both session pixels and persistent pixels.

We also use cookies and tracking/marketing pixels for four general purposes: (1) to ensure the functionality, optimization, and ease of use of our Sites; (2) to ensure and maintain the security of our Sites; (3) to collect anonymous, statistical data regarding how visitors interact with the Sites; and, (4) for marketing purposes. We also utilize the tools available through Google Analytics in order to monitor site flow and statistical data regarding our Site users.

The cookies that we use for functionality and security purposes are considered necessary cookies, without which the Site would not function properly. These cookies allow some of the basic functions of our Sites to work properly, such as remembering your preferences as you navigate the Sites. In addition, these cookies help us secure the Sites by preventing cross-site request forgery attacks and by throttling excessive request rates.

We also use cookies to collect statistical information regarding how visitors interact with our Sites and to track repeat visits to our Sites. While these cookies collect information regarding how you use our Sites in order to help us understand site flow and improve our website, all such statistical data is anonymous and does not personally identify you.

Finally, we use both cookies and pixels on our Sites for marketing purposes, including: to check whether your browser supports the use of cookies, to deliver general advertisements from third party advertisers, to present targeted advertisements to particular Site visitors, to track the particular advertisements that have been displayed to you, to collect data regarding how you interact with YouTube videos across different websites, to estimate your bandwidth on pages with integrated YouTube videos, to track your browser activity across devices and marketing channels, to track the actions you take after viewing an advertisement in order to measure the efficacy of the advertisement, and to display particular advertisements in order to re-engage visitors that are likely to convert to customers based on those visitors’ online behavior across websites.

You have the option to manage the cookies we use in connection with the Sites through the cookie consent settings and preferences centers made available to you on the Sites.

HOW WE USE YOUR PERSONAL INFORMATION

We may use or disclose the Personal Information we collect for one or more of the following purposes:

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to ask a question about our products or services, we will use that Personal Information to respond to your inquiry. If you provide your Personal Information to purchase a product or service, we will use that information to process your payment and facilitate delivery. If you provide Personal Information to enter a contest or sweepstake, we will use that information to process your entry and to contact you to fulfill the terms of that contest or sweepstake if you win. We may also save your information to facilitate new product orders or process returns.
  • To provide, support, personalize, and develop our Website, products, and services.
  • To process your requests, purchases, transactions, and payments and prevent transactional fraud.
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  • To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with your consent, where required by law).
  • To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
  • For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your Personal Information or as otherwise set forth in applicable privacy laws, including the GDPR and the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us about our consumers is among the assets transferred.

We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Except as described in the section labelled “Personal Information Collected Via Technology,” Five Guys does not engage in direct marketing. If that changes in the future, we will update this Privacy Policy and provide you with more information at that time. In the event the Privacy Policy has been updated and we begin a direct marketing program, you will be able to opt out at any time by following the instructions included in every e-mail sent to you via the “Unsubscribe” link.

You may not opt out of non-promotional communications from Five Guys, including confirmation messages regarding successful order requests. Please note, regardless of your communication settings, we may continue to communicate with you regarding changes to terms and conditions, Privacy Policy updates, data breaches, or other significant information related to your Personal Information for as long as it is retained by Five Guys.

If you provide feedback on any of our products or services to us, we may use such feedback for any purpose, provided we will not associate such feedback with your Personal Information. We will collect any information contained in your feedback and will treat the Personal Information in such communication in accordance with this Privacy Policy.

We will not perform any automated decision-making processes involving the information that we collect.

We may create Deidentified Information records from Personal Information by excluding information (such as your name and/or IP address) that would allow someone to identify a specific individual. "Deidentified Information" means information that is not associated with or linked to your Personal Information, including any feedback you may provide, which cannot be reidentified with your Personal Information. Deidentified Information does not permit the identification of individual persons. We may use this Deidentified Information to analyze request patterns and usage patterns so that we may enhance our products and services. Five Guys reserves the right to use and disclose Deidentified Information to third parties in its discretion.

In addition to the above, various privacy laws specify numerous legitimate and lawful ways that we may use the Personal Information we collect without your consent. For more information, please see the section labelled “Notice Regarding Required Consents.”

‌HOW WE SHARE YOUR PERSONAL INFORMATION

We may disclose your Personal Information to a third party for a business purpose. When we disclose Personal Information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract.

We share your Personal Information with the following categories of third parties:

  • Service providers;
  • Affiliates of Five Guys;
  • Franchisees of Five Guys;
  • Social media websites; and,
  • Government entities, including judicial and law enforcement authorities pursuant to lawful requests.

While we may request your consent to use or share your Personal Information to fulfill or perform services regarding your orders and requests, we may also use or share your Personal Information without your consent for any legitimate purpose as allowed under the applicable laws and regulations (see the section labelled “Notice Regarding Requested Consents,” below), including fulfilling our contractual obligations to you. Five Guys has taken certain organizational and technological security measures to protect your Personal Information, described in the “How We Protect Your Information” section, and requires at least the same degree of organizational and technological security measures to be used by all third parties with whom we may share your Personal Information.

Additionally, we may share some or all of your Personal Information with "Affiliates" (parent company, subsidiaries, joint ventures, or other companies under common ownership and/or control), in which case we will require our Affiliates to provide at least the same degree of protection for your Personal Information as we do under this Privacy Policy. If our company or our assets are acquired by another company, that company will possess the Personal Information collected by us and it will assume the rights and obligations regarding your Personal Information as described in this Privacy Policy.

If we disclose your Personal Information to Affiliates or third parties as identified in this section, we agree to be liable for violations of your privacy rights by the Affiliates and third parties to which we have disclosed your Personal Information.

Some of our Affiliates may be international organizations or organizations that were formed in the United States. If we share your Personal Information with such Affiliates, we will use appropriate methods to transmit your information in accordance with all applicable laws and regulations. Such methods may include the Privacy Shield framework, model contract clauses, or binding corporate bylaws.

In certain circumstances, we may be required to disclose your Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

DISCLOSURES OF YOUR PERSONAL INFORMATION FOR A BUSINESS PURPOSE

In the preceding twelve (12) months, Company has disclosed the following categories of Personal Information for a business purpose:

Category A: Identifiers.

Category B: California Customer Records Personal Information categories.

Category C: Protected classification characteristics under California or federal law.

Category D: Commercial information.

Category E: Biometric information.

Category F: Internet or other similar network activity.

Category G: Geolocation data.

Category H: Sensory data.

Category I: Professional or employment-related information.

We may disclose your Personal Information for a business purpose to the following categories of third parties:

  • Service providers;
  • Affiliates of Five Guys;
  • Franchisees of Five Guys; and,
  • Social media websites.

SALES OF YOUR PERSONAL INFORMATION

It is Five Guys’ policy not to sell the Personal Information of our consumers. As such, in the preceding twelve (12) months, we have not sold Personal Information.

‌HOW WE PROTECT YOUR INFORMATION

To protect your Personal Information, we agree to take reasonable technical and organizational precautions in addition to following industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered, or destroyed.

Five Guys has implemented industry-standard organizational and electronic means of protecting your Personal Information. Our Sites make use of back-end technology that has been CSA STAR Certified and covered by a range of ISO certifications, including ISO 27001:2013, ISO 27017:2015, ISO 27018:2014, ISO 20000-1:2011, ISO 22301:2012, and ISO 9001:2015, and which is designed protect your Personal Information. We store Personal Information behind a computer firewall, which is a barrier designed to prevent outsiders from accessing our servers. In addition, Five Guys protects your Personal Information from unauthorized physical access by storing your Personal Information in a controlled facility. Except as provided elsewhere in this Privacy Policy, Five Guys limits access to Personal Information, regardless of if it is stored electronically or in physical form, to those persons (including employees and contractors) in Five Guys' organization who have a business need for such access.

Even though we have taken significant steps to ensure that your Personal Information is not intercepted, accessed, used, or disclosed to or by unauthorized persons, you should know that Five Guys cannot completely eliminate security risks associated with Personal Information.

NOTICE REGARDING REQUESTED CONSENTS

If you use the Sites, you may be asked to consent to the collection and use of your Personal Information for particular purposes. While you will not be penalized or prejudiced for refusing to consent to the collection, retention, and use of your information as described in this Privacy Policy, failure to provide consent may interfere with or disrupt certain features of the Sites or prevent us from fulfilling orders or purchase requests you make.

When we are using your Personal Information on the basis of your consent, you are entitled to withdraw that consent at any time. If you revoke your consent, you will not be penalized or prejudiced for revoking your consent.

Even if you refuse or revoke your consent, Five Guys may continue to collect, retain, and use your Personal Information or sensitive Personal Information so long as such retention and use is consistent with the purposes described in this Privacy Policy and that collection, retention, and use is lawful and allowed without obtaining your consent under the applicable laws and regulations.

These uses, among others, may include:

  • Complying with legal obligations, for example, tax, employment, and other laws or regulations;
  • Fulfilling our contractual obligations to you;
  • Fulfilling our legitimate business interests and purposes, whether performed by ourselves or a third party, so long as that purpose does not override your fundamental rights and freedoms;
  • Preventing fraud;
  • For internal administrative purposes, whether your information is maintained internally or shared with our subsidiaries and affiliates, franchisees, or third party contractors for this purpose;
  • Ensuring network and information security;
  • Establishing, exercising, or defending against any legal claims; or,
  • Using your Personal Information in accordance with any valid consents you have given.

When we collect, retain, or use your Personal Information based on a legitimate interest or the public interest, as described above, you may have the right to object at any time to that use of your Personal Information if your local law gives you that right.

NOTICE REGARDING CHILDREN

We do not target our Sites or Services toward or intentionally gather Personal Information about visitors who are under the age of 13. Furthermore, we do not intentionally allow visitors under the age of 18 to place orders via our Sites. If a child under 13 submits Personal Information to us and we learn that the Personal Information is the information of a child under 13, we will attempt to delete that Personal Information as soon as possible. If you believe that we might have any Personal Information from a child under 13, please contact us using the information in the below “Contact Us” section.

By using this Site, you represent that you are at least the age of majority in your state, province, or country of residence, or that you are the age of majority in your state, province, or country of residence and you have given us your consent to allow any of your minor dependents to use this Site.

LINKS TO OTHER SITES

If we have provided a link to any other website or location, it is for your convenience and does not signify our endorsement of such other website or location or its contents. We have no control over, do not review, and cannot be responsible for these outside websites or their content. Please be aware that the terms of our Privacy Policy do not apply to these outside websites.

Of particular note, please be aware that the Five Guys “Order” website and application, and the Five Guys “Career” website, are operated by our trusted partners and are not controlled or operated by Five Guys. The terms of our Privacy Policy do not apply to these outside websites and applications, and these websites and applications have their own Terms of Service and Privacy Policy. We are not responsible for the privacy practices of these websites and applications, except as otherwise required under the relevant laws and regulations. We encourage you to read their terms and privacy statements if you wish to utilize these websites and applications.

Once you leave our store’s website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our website’s Terms of Service. For your convenience, we may provide pop-up banners or notices in some instances when you leave our store’s website or are directed to a third-party website or application, but we make no representations that we will provide such notice for all third party links on our Site.

When you click on links on our store, they may direct you away from our Site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.

NOTICE REGARDING OUR SHOPIFY STORE

Our “Five Guys Gear” store is hosted by Shopify Inc. They provide the online e-commerce platform that allows us to sell our products and services to you.

Any Personal Information you provide through the Shopify platform, or that is otherwise collected by Shopify, is stored in Shopify’s data storage facilities, databases, and the general Shopify application on a secure server behind a firewall.

If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that transaction is complete, your purchase transaction information is deleted or rendered unreadable (masked).

All direct payment gateways on Shopify adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express, and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.

For more information about Shopify’s privacy practices and use of information, please see Shopify’s Terms of Service (https://www.shopify.com/legal/terms) and Privacy Statement (https://www.shopify.com/legal/privacy).

PRIVACY POLICY UPDATES

We reserve the right to amend this Privacy Policy at our discretion and at any time. If we change the way we collect, use, or disclosure your Personal Information that require us to make changes to this Privacy Policy, we will post a notice on this page and update the Privacy Policy’s effective date. Your continued use of our Sites following any posted updates to the Privacy Policy constitutes your acceptance of such changes. If you object to any of the changes to our Privacy Policy, you must stop using the Sites.

CONTACT US

If you have any general questions about our Privacy Policy or questions about how we collect, use, or share your Personal Information, or would like to exercise your rights with respect to your Personal Information as permitted by certain laws applicable to consumers as described above, please do not hesitate to contact our Privacy Officer at:

Phone: (877) 258-2136

Website: https://www.fiveguys.com/Privacy-Policy

Email: privacy@fiveguys.com

Mailing Address:

Five Guys Enterprises, LLC

ATTN: Privacy Officer

10718 Richmond Highway

Lorton, VA 22079 USA

RIGHTS AND CHOICES FOR CALIFORNIA CONSUMERS

The CCPA provides consumers (California residents) with specific rights regarding their Personal Information. This section describes your CCPA rights and explains how to exercise those rights.

‌ACCESS TO YOUR PERSONAL INFORMATION AND DATA PORTABILITY RIGHTS

You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request (see the section labelled “Exercising Your Access, Data Portability, and Deletion Rights”), we will disclose to you:

  • The categories of Personal Information we collected about you.
  • The categories of sources for the Personal Information we collected about you.
  • Our business or commercial purpose for collecting or selling that Personal Information.
  • The categories of third parties with whom we share that Personal Information.
  • The specific pieces of Personal Information we collected about you (also called a data portability request).
  • If we sold or disclosed your Personal Information for a business purpose, two separate lists disclosing:
  • sales, identifying the Personal Information categories that each category of recipient purchased; and
  • disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.

‌DELETION REQUEST RIGHTS

You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see the section labelled “Exercising Your Access, Data Portability, and Deletion Rights”), we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

EXERCISING YOUR ACCESS, DATA PORTABILITY, AND DELETION RIGHTS

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

  • Calling us at (877) 258-2136;
  • Submitting your request using the below webform;

    EXERCISE YOUR CCPA RIGHTS

    OR,

  • Visiting one of our California corporate-owned Five Guys stores and submitting your rights request on the physical forms available in store, which must be returned to Five Guys by mail in an envelope affixed with the appropriate postage to the address listed on that form.

Please note that our Sites are not configured to accept and respond to web browser Do Not Track (DNT) signals. As such, if you would like to exercise your privacy rights, we encourage you to do so by submitting a request using one of the methods described above.

Please also note that you are currently only permitted to submit one type of request at a time on the above webform. If you would like to submit multiple request types, please submit a separate form for each and we will work with you to process the requests in an appropriate order.

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, you must authorize that agent to act on your behalf and the agent must have registered with the California Secretary of State. Before processing any request received from an authorized agent, we will take reasonable efforts to confirm their identity and their authority to act on your behalf.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative, which may include:
  • Your first and last name;
  • Email address(es);
  • Phone number(s);
  • Street address;
  • Social media username and platform; and,
  • Any other information you think may be helpful to allow us to identify you and process your request such as merchandise order information or device identifiers including device type and IMEI or MAC address.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.

You do not need to create an account with us to exercise the rights made available to you under the CCPA. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

For instructions on exercising sale opt-out rights, see the section labeled “Personal Information Sales Opt-Out and Opt-In Rights.”

‌RESPONSE TIMING AND FORMAT

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to an additional forty-five (45) days for a total period of time not to exceed ninety (90) days from when your request was submitted), we will inform you of the reason and necessary extension period in writing.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance, specifically a comma separated value (.csv) file.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

‌PERSONAL INFORMATION SALES OPT-OUT AND OPT-IN RIGHTS

If you are 16 years of age or older, you have the right to direct us to not sell your Personal Information at any time (the “right to opt-out”). It is Five Guys’ policy not to sell the Personal Information of our consumers and we do not sell the Personal Information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is at least 13 but not yet 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to Personal Information sales may opt-out of future sales at any time.

To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by visiting the following Internet Web page link:

DO NOT SELL MY PERSONAL INFORMATION (CA)

You may also choose to submit a request to opt-out by using the general CCPA Rights Request process as described in the section labelled “Exercising Your Access, Data Portability, and Deletion Rights.”

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize Personal Information sales. However, you may change your mind and opt back into Personal Information sales at any time by using the general CCPA Rights Request process as described in the section labelled “Exercising Your Access, Data Portability, and Deletion Rights.”

You do not need to create an account with us to exercise your opt-out rights or any other right made available to you under the CCPA. We will only use Personal Information provided in an opt-out request to review and comply with the request.

‌NON-DISCRIMINATION

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

OTHER CALIFORNIA PRIVACY RIGHTS

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@fiveguys.com or contact us using the information provided in the “Contact Us” section.

RIGHTS AND CHOICES FOR NEVADA CONSUMERS

If you are a resident of the State of Nevada, you have the right to request that Five Guys not sell the Personal Information we currently have about you or that we might collect about you in the future. Although it is currently Five Guys’ policy not to sell our consumers’ Personal Information, if you would like to register an email address with Five Guys to request that we not sell your Personal Information now or in the future, please follow the below link and provide the requested information.

DO NOT SELL MY PERSONAL INFORMATION (NV)

Following our receipt of your request, we will make reasonable efforts to verify your identity and that the request is authentic. When we have verified your request, we will confirm that your Personal Information will not be sold by Five Guys. If you change your email address in the future, please note that you will need to re-register the new email address with us so we can continue to ensure that we do not sell your Personal Information.

Five Guys will only use the information you provide in connection with your request to process that request. Because of the on-going nature of your right not to have your Personal Information sold under Nevada law, we will retain the information provided in this request until you withdraw the request.

RIGHTS AND CHOICES FOR EU/EEA (AND UK) CONSUMERS

The GDPR provides individuals (residents of the European Union (EU) and European Economic Area (EEA)) with specific rights regarding their Personal Information. As of the effective date of this Privacy Policy, the UK is covered by the GDPR but has taken steps to adopt laws that mirror the GDPR that are intended to go into effect following the UK’s departure from the EU. References to the GDPR in this Privacy Policy are intended to cover the UK’s replacement laws.

This section describes your GDPR rights and explains how to exercise those rights.

The GDPR extends a number of rights to residents of the EU, EEA, and, through mirrored laws adopted by the UK intended to go into effect following the UK’s departure from the EU, the UK. These rights include the rights of/to: access, rectification, erasure (“the right to be forgotten”), restrict processing, data portability, and objection to profiling and automated decision-making. Individuals subject to the GDPR also have the right not to be discriminated against for exercising these rights.

EXERCISING YOUR GDPR RIGHTS

You have the right to control your Personal Information as described below. In order to request access to, correct, object to our use and retention of your Personal Information, or to exercise any of your rights related to your Personal Information as described in your local law, please send a request by e-mail to privacy@fiveguys.com or by mail using the contact information listed in the “Contact Us” section above. Please include “Personal Information Request” in the subject line of your e-mail.

You can control your Personal Information in the following ways:

  • You can ask us to see and/or obtain a copy of the Personal Information we hold about you;
  • You can inform us of any changes to your Personal Information, or if you want us to correct any of the Personal Information we hold about you;
  • In certain situations, you can ask us to erase, block, or restrict the Personal Information we hold about you, or object to the particular ways in which we are using your Personal Information; and,
  • In certain situations, you can also ask us to send the Personal Information you have given us to a third party.

When you contact us to exercise any of the privacy rights described above, please provide the following:

  • Your first and last name;
  • Your e-mail address;
  • Your phone number;
  • If you were an employee of Five Guys in the past, your employee ID number;
  • Your country or countries of citizenship; and,
  • A brief description of your request, which can be based on the above list.

Because we do not want your Personal Information to be exposed to someone else, we will make a reasonable effort to confirm your identity before processing your request. This identity confirmation effort may come directly from us or from a trusted vendor.

Five Guys will only use the Personal Information you provide in connection with your request to check our systems and confirm whether we possess any of your Personal Information and to process any Personal Information access or management requests we receive from you. After we have completed reviewing your request, we may store the information we provide to you for a reasonable amount of time after fulfilling your request in case you have additional inquiries. After the information is no longer necessary, we will automatically delete this information from our records or make it permanently unreadable (masked data).

Any contact information provided in connection with a request to exercise your rights related to your Personal Information will not be used for direct marketing purposes and will not be shared with others unless necessary to verify your identity and/or complete your request.

RESPONSE TIMING AND FORMAT

We will do our best to respond to your request as soon as possible, and, in any event, no later than 30 days after receiving your request. Please note that making multiple requests at one time may slow down our processing of your request. If additional time is required to complete your request, we will notify you of that fact and the reasons why we require additional time to fully respond to your particular request.

In certain circumstances, where we are able to do so, some requests may need to be fulfilled in a logical order. For example, if you request to see what information Five Guys has about you and at the same time request that Five Guys erase your Personal Information, we will first provide you with access to your Personal Information, then we may ask you to confirm again that you would like us to delete that information.

In some circumstances, we may not be able to comply with your requests related to your Personal Information. In those cases, we will respond as soon as possible, and, in any event, no later than 30 days after receiving your request. Our response will let you know if and why we are not able to comply and will share information with you about how you can object to the relevant Supervisory Authorities if you think our continued use or maintenance of that information is improper.

If you have a concern about our handling of your Personal Information or your request, please contact us first using the information in the “Contact Us” section below so we can try to resolve your concerns. We are committed to working with you to obtain a fair resolution to any complaint or concern you may have about our use of your Personal Information. If, however, you believe that we have not been able to assist with your request, complaint, or concern, you may have the right to lodge a complaint with the data protection authority in your country (if one exists in your country) or supervisory authority. You may also have a right to a judicial remedy if it is determined your Personal Information is being used illegally.