Privacy Policy

Effective Date: May 8, 2026 | Last Updated: May 8, 2026

Welcome to Costa Vida. We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how Costa Vida ("we," "us," or "our") collects, uses, discloses, and safeguards your information when you visit our website costavida-meal.rest, place orders, or otherwise interact with our services. Please read this policy carefully. If you disagree with its terms, please discontinue use of our site and services.

This Privacy Policy applies to all information collected through our website, mobile features, online ordering platforms, loyalty programs, email communications, and any other services we offer (collectively, the "Services"). By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy.

1. Who We Are

Costa Vida is a food service business operating in the United States. We provide fresh, high-quality meals and dining experiences to our valued customers. For the purposes of this Privacy Policy, Costa Vida acts as the data controller of your personal information.

Company Name	Costa Vida
Website	costavida-meal.rest
Email Address	[email protected]
Country of Operation	United States

2. Information We Collect

We collect various types of information in connection with your use of our Services. The categories of information we collect include the following:

2.1 Personal Information You Provide Directly

When you interact with us voluntarily — such as creating an account, placing a food order, signing up for our newsletter, or contacting customer support — we may collect the following personal information:

Name: First and last name for account registration, order fulfillment, and personalization.
Email Address: Used for order confirmations, account communications, and marketing (where consented).
Phone Number: For order updates, delivery coordination, and customer service purposes.
Mailing and Delivery Address: Required for delivery orders and billing purposes.
Payment Information: We collect credit/debit card details, billing address, and transaction data through our secure, PCI-DSS-compliant payment processors. We do not store full card numbers on our own servers.
Account Credentials: Username and encrypted password for account access.
Dietary Preferences and Order History: Information about your food preferences and past orders to improve our recommendations and services.
Feedback and Communications: Any messages, reviews, surveys, or other communications you send to us.
Loyalty Program Information: If you participate in any rewards or loyalty program, we collect points balances, redemption history, and associated account information.

2.2 Information Collected Automatically

When you visit our website or use our Services, certain information is automatically collected by our systems and third-party tools. This includes:

Device Information: Device type, operating system, browser type and version, screen resolution, and unique device identifiers.
Usage Data: Pages visited, time spent on pages, links clicked, search queries entered on our site, referring URLs, and navigation paths.
IP Address: Your internet protocol (IP) address, which may be used to approximate your geographic location at the city or regional level.
Log Files: Server log files that record your interactions with our website, including timestamps, errors encountered, and other diagnostic data.
Cookie and Tracking Data: Information collected through cookies, web beacons, pixel tags, and similar technologies. Please see Section 7 (Cookies and Tracking Technologies) for more details.
Location Data: Approximate location derived from your IP address, or precise location if you grant permission through your device settings for delivery purposes.

2.3 Information From Third Parties

We may receive information about you from third-party sources, including:

Third-Party Ordering Platforms: If you place an order through a third-party delivery or ordering app that integrates with our services, we may receive your name, order details, and delivery address.
Social Media Platforms: If you connect your social media account to our Services or interact with us through platforms such as Facebook, Instagram, or Google, we may receive profile information as permitted by your privacy settings on those platforms.
Marketing Partners: We may receive data from our advertising and analytics partners to help us understand audience demographics and improve our marketing campaigns.
Analytics Providers: Companies such as Google Analytics that provide aggregated data about how users interact with our website.

3. How We Use Your Information

We use the information we collect for a variety of business and operational purposes, all consistent with the legitimate conduct of our food service business. These purposes include:

3.1 Providing and Managing Our Services

Processing and fulfilling your food orders, including delivery and pickup coordination.
Managing your account, including creating and updating your profile and preferences.
Processing payments and sending transaction receipts and confirmations.
Responding to your customer service inquiries, complaints, and requests.
Administering loyalty programs, promotions, and contests you participate in.
Verifying your identity and preventing unauthorized account access or fraudulent transactions.

3.2 Improving Our Products and Services

Analyzing usage patterns and user behavior to improve website functionality and user experience.
Conducting internal research and development to enhance our menu offerings and service quality.
Monitoring and analyzing the performance of our website, apps, and ordering systems.
Performing data analytics to identify trends and better understand customer preferences.

3.3 Marketing and Communications

Sending you promotional emails, newsletters, and special offers for our food and services, where you have consented or where permitted by applicable law.
Personalizing marketing content based on your order history, preferences, and browsing behavior.
Displaying targeted advertisements on our website, social media platforms, and partner sites using interest-based advertising technologies.
Conducting surveys and soliciting feedback to improve our customer experience.
Notifying you about new menu items, seasonal promotions, and events relevant to your interests.

3.4 Legal and Compliance Purposes

Complying with applicable federal, state, and local laws and regulations.
Responding to lawful requests from government authorities or law enforcement agencies.
Enforcing our Terms of Service and other policies.
Protecting the rights, property, and safety of Costa Vida, our customers, and the public.
Preventing and detecting fraud, abuse, or other illegal activity on our platform.

4. Legal Bases for Processing (United States)

Costa Vida operates in the United States and complies with applicable U.S. privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Federal Trade Commission Act (FTC Act), and other applicable state and federal privacy regulations.

Under these frameworks, our lawful bases for processing your personal information include:

Contract Performance: Processing necessary to fulfill your orders and manage your account.
Legitimate Business Interests: Processing for fraud prevention, security, improving our services, and internal analytics.
Legal Obligation: Processing required to comply with applicable laws and respond to governmental or legal requests.
Consent: Marketing communications and certain cookie uses where your express consent has been obtained.

5. Sharing Your Information With Third Parties

We do not sell, rent, or trade your personal information to third parties for their own independent marketing purposes without your consent. However, we may share your information with certain categories of trusted third parties as described below:

5.1 Service Providers and Business Partners

We engage reputable third-party companies and individuals to perform services on our behalf. These service providers have access to your personal information only to the extent necessary to perform their functions and are contractually obligated to protect your information. Categories of service providers include:

Payment Processors: To securely process credit card and other payment transactions.
Delivery and Logistics Partners: To coordinate and fulfill delivery orders.
Cloud Hosting and IT Infrastructure Providers: To store and manage our website and systems securely.
Email and SMS Marketing Platforms: To deliver promotional communications on our behalf.
Analytics and Advertising Platforms: Such as Google Analytics, Meta Pixel, and similar tools that help us understand website traffic and ad performance.
Customer Relationship Management (CRM) Software Providers: To manage customer communications and support tickets.
Fraud Detection and Security Services: To identify and prevent fraudulent transactions and unauthorized access.

5.2 Legal Requirements and Protection of Rights

We may disclose your personal information if we believe in good faith that such disclosure is necessary to:

Comply with a legal obligation, subpoena, court order, or other governmental request.
Enforce our Terms of Service or protect our legal rights.
Protect the safety and security of our users, employees, or the public.
Investigate, prevent, or take action regarding suspected fraud, illegal activity, or violations of our policies.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred to the acquiring entity as part of the transaction. We will notify you through a prominent notice on our website or via email before your information becomes subject to a materially different privacy policy.

5.4 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified information — which cannot reasonably be used to identify you — with third parties for research, marketing, analytics, and other business purposes without restriction.

6. Data Security Measures

The security of your personal information is important to us. We implement a comprehensive set of technical, administrative, and physical safeguards designed to protect your data from unauthorized access, disclosure, alteration, or destruction. These measures include:

Encryption: All data transmitted between your browser and our website is encrypted using Secure Socket Layer (SSL) / Transport Layer Security (TLS) technology. Sensitive payment data is encrypted at rest and in transit.
Access Controls: Access to personal information is strictly limited to authorized personnel who have a legitimate business need to access it. Role-based access control (RBAC) policies are enforced.
PCI-DSS Compliance: Our payment processing systems comply with Payment Card Industry Data Security Standards (PCI-DSS) to protect cardholder data.
Secure Data Storage: Personal information is stored on secure servers hosted in facilities with physical and environmental safeguards.
Regular Security Audits: We conduct periodic security assessments and vulnerability testing to identify and address potential weaknesses in our systems.
Incident Response Plan: We maintain a data breach response plan to promptly address security incidents and notify affected individuals as required by law.
Employee Training: Our staff receive regular training on data privacy and security best practices.

Please Note: While we take all reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee the absolute security of your personal information. You are encouraged to use strong passwords and protect your account credentials.

7. Cookies and Tracking Technologies

Our website uses cookies, web beacons, pixel tags, and similar tracking technologies to enhance your user experience, analyze website traffic, and support our marketing activities. Below is a summary of how we use these technologies:

7.1 Types of Cookies We Use

Cookie Type	Purpose
Strictly Necessary Cookies	Essential for the website to function properly. These enable core features such as shopping cart functionality, secure login, and order processing. Cannot be disabled.
Performance and Analytics Cookies	Collect anonymous data about how visitors use our website (e.g., pages visited, time spent). Used to improve site performance and user experience (e.g., Google Analytics).
Functional Cookies	Remember your preferences such as language settings, saved addresses, and personalization choices to enhance your experience.
Marketing and Advertising Cookies	Track your browsing activity to deliver relevant advertisements and measure the effectiveness of our marketing campaigns on third-party platforms.

7.2 Managing Your Cookie Preferences

You have the right to control the use of non-essential cookies. You may manage your preferences through:

Our cookie consent banner, which appears on your first visit to our website.
Your browser settings, where you can block or delete cookies at any time. Please note that disabling certain cookies may affect the functionality of our website.
Opting out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
Visiting the Digital Advertising Alliance's opt-out page at www.aboutads.info/choices to manage interest-based advertising preferences.

For detailed information about the specific cookies we use, their duration, and how to manage them, please refer to our Cookie Policy.

8. Your Privacy Rights

Depending on your state of residence and applicable law, you may have the following rights with respect to your personal information:

8.1 Rights Under the California Consumer Privacy Act (CCPA/CPRA)

If you are a resident of California, you have the following specific rights under the CCPA as amended by the CPRA:

Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information we hold about you.
Right to Opt-Out of Sale or Sharing: You have the right to direct us not to sell or share your personal information with third parties for cross-context behavioral advertising. To exercise this right, please click "Do Not Sell or Share My Personal Information" on our website or contact us directly.
Right to Limit Use of Sensitive Personal Information: You have the right to limit our use and disclosure of sensitive personal information to purposes specifically authorized by the CPRA.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny services, charge different prices, or provide a different level of service because you exercised your privacy rights.
Right to Data Portability: You may request a copy of your personal information in a portable, readily usable format.

8.2 General Privacy Rights (All U.S. Residents)

Regardless of your state of residence, we honor the following general privacy rights for all our customers:

Access: You may request a copy of the personal information we hold about you.
Correction: You may request that we update or correct inaccurate or incomplete personal information.
Deletion: You may request that we delete your personal information, subject to legal retention obligations.
Withdrawal of Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
Opt-Out of Marketing: You may opt out of receiving promotional emails at any time by clicking the "Unsubscribe" link in any email we send, or by contacting us directly.

8.3 How to Exercise Your Rights

To exercise any of the above rights, please submit a verifiable request to us by:

Email: [email protected] (with the subject line: "Privacy Rights Request")
Website: costavida-meal.rest

We will verify your identity before processing your request. You may be required to provide information sufficient to confirm your identity (e.g., name and email address associated with your account). We will respond to verified requests within 45 days as required under applicable law. If additional time is needed, we will notify you of the extension and the reason for it.

You may designate an authorized agent to make requests on your behalf. Authorized agents must provide written authorization signed by you or a valid power of attorney.

9. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including satisfying legal, accounting, or reporting requirements. Our general data retention guidelines are as follows:

Data Category	Retention Period
Account Information	Duration of account + 3 years after account deletion (or as required by law)
Order and Transaction Records	7 years (for financial and tax compliance purposes)
Payment Information	Retained only for the transaction period; full card data not stored
Marketing Preferences and Consent Records	Until consent is withdrawn, plus 3 years for compliance records
Customer Service Communications	3 years from the date of last interaction
Website Usage and Analytics Data	Up to 26 months (as configured in analytics platforms)
Cookie Data	Varies by cookie type; session cookies expire at end of browser session; persistent cookies as specified in our Cookie Policy
Legal Compliance Records	As required by applicable federal and state law

When personal information is no longer required for the purposes for which it was collected, we will securely delete or anonymize it in accordance with our data retention and disposal policies.

10. Children's Privacy

Important: Our Services are intended for individuals who are 18 years of age or older. We do not knowingly collect personal information from children under the age of 18.

Costa Vida does not direct its website, app, or services to minors under the age of 18. We do not knowingly solicit or collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 18 without appropriate parental consent, we will take immediate steps to delete that information from our records.

Our practices are consistent with the Children's Online Privacy Protection Act (COPPA), which prohibits the collection of personal information from children under 13 without verifiable parental consent. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected] and we will take prompt action to remove the information.

By using our Services, you represent and warrant that you are at least 18 years of age. If you are between 13 and 17 years old, you may only use our Services with the verifiable consent and supervision of a parent or legal guardian.

11. International Data Transfers

Costa Vida is based in the United States. Our website, servers, and systems are primarily located in the United States. If you are accessing our Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.

The data protection laws of the United States may differ from those in your country of residence. By using our Services, you consent to the transfer of your information to the United States and acknowledge that your information will be processed in accordance with this Privacy Policy and applicable U.S. law, including the FTC Act and relevant state privacy laws.

When we transfer data internationally or work with service providers located in other countries, we implement appropriate safeguards — such as standard contractual clauses, data processing agreements, and other contractual protections — to ensure that your information receives an adequate level of protection consistent with applicable privacy regulations.

12. Third-Party Links and Services

Our website may contain links to third-party websites, social media platforms, or integrated services (such as third-party delivery apps or payment gateways) that are not operated by Costa Vida. When you click on a third-party link, you will be directed to that third party's website. We strongly advise you to review the privacy policy of every website you visit.

We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services. The inclusion of any link on our website does not imply our endorsement of the linked website or any association with its operators.

13. Do Not Track Signals

Some web browsers offer a "Do Not Track" (DNT) feature that sends a signal to websites requesting that your browsing activity not be tracked. At this time, there is no universally accepted standard for interpreting DNT signals, and our website does not currently alter its data collection and use practices in response to DNT browser signals. We will continue to monitor developments in this area and update our practices accordingly.

However, California residents have the right to opt out of the sale or sharing of their personal information under the CCPA/CPRA, which goes beyond DNT signals. Please see Section 8 for instructions on how to exercise this right.

14. Marketing Communications and Opt-Out

From time to time, we may send you promotional emails, SMS messages, push notifications, or other communications about our menu, special offers, events, and other news related to Costa Vida. We will only send you marketing communications where we have your consent or a lawful basis to do so.

You may opt out of receiving marketing communications at any time by:

Clicking the "Unsubscribe" or "Opt-Out" link included in any marketing email we send.
Replying "STOP" to any marketing SMS messages.
Updating your communication preferences in your account settings on our website.
Contacting us directly at [email protected] with your opt-out request.

Please note that even if you opt out of marketing communications, we may still send you transactional or administrative messages necessary for the performance of our Services, such as order confirmations, payment receipts, and important account notifications.

15. Filing a Complaint With a Data Protection Authority

If you believe that your privacy rights have been violated and are not satisfied with our response to your complaint, you have the right to lodge a complaint with the appropriate regulatory authority.

15.1 California Residents

California residents may file a complaint with the California Privacy Protection Agency (CPPA), the state authority responsible for enforcing the CCPA/CPRA:

Website: cppa.ca.gov
Address: 2101 Arena Blvd, Sacramento, CA 95834, United States

15.2 All U.S. Consumers

Consumers in the United States may also file a complaint with the Federal Trade Commission (FTC), which enforces federal consumer protection and privacy laws including the FTC Act:

Website: www.ftc.gov/complaint
Phone: 1-877-FTC-HELP (1-877-382-4357)

We encourage you to contact us first at [email protected] so that we have the opportunity to resolve your concern directly before you escalate the matter to a regulatory authority.

16. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or other business factors. When we make material changes, we will:

Post the revised Privacy Policy on this page with an updated "Last Updated" date.
Send an email notification to registered users where the changes are significant.
Display a prominent notice on our website for a reasonable period following the change.

Your continued use of our Services after the effective date of the revised Privacy Policy constitutes your acceptance of the updated terms. We encourage you to review this page periodically to stay informed about how we protect your information.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact our privacy team using the following details:

Costa Vida — Privacy Inquiries

Company	Costa Vida
Email	[email protected]
Website	costavida-meal.rest
Country	United States

We aim to respond to all privacy-related inquiries within 10 business days. For verifiable consumer requests under the CCPA/CPRA, we will respond within the timeframes required by applicable law (generally within 45 days, with a possible extension of an additional 45 days where reasonably necessary).

Effective Date: This Privacy Policy is effective as of May 8, 2026. All previous versions of this policy are superseded by this document.