Effective Date: January 1, 2020
Last Updated: December 24, 2019
In this Policy, the terms “Shake Shack,” “we,” and “us” refer to Shake Shack Enterprises, LLC and its wholly owned and operated locations. This Policy does not apply to information collected by Shake Shack licensees, which maintain their own privacy policies and procedures.
By using any of the Services, you consent to the terms of this Policy.
The Personal Information Shake Shack Collects and How We Use It
In connection with your interactions with us through the Services, we may collect personal information from you or from other sources. This information may be information that you directly provide to us, such as information that you provide when you visit the Services, or information that is passively or automatically collected from you, such as information collected from your browser or device. The personal information may identify you directly (e.g., your name). We also collect certain information that does not identify you directly, but in certain circumstances could allow you to be identified indirectly (e.g. certain technical data associated with devices that you use to interact with the Services).
In some instances Shake Shack may also collect information from third party sources, upon whom we rely to provide the Services. We use both business partners and service providers, such as payment processors and analytics providers, to perform services on our behalf. Some of these partners may have access to information about you that we may or may not otherwise have (for example, where you sign up directly with that provider) and may share some or all of this information with us. We may use this information to administer and improve the Services and to conduct marketing and advertising campaigns.
In addition to the categories of information referenced above, Shake Shack may also collect aggregated data or anonymized data that does not directly identify you.
How We Share and Disclose Information
Shake Shack only shares information, including Personal Information (as defined in the section entitled “California Residents” below), with affiliated companies, as well as carefully selected business partners and service providers to provide better service to you. These companies need information about you to perform their service function (such as to process and fulfill your order, verify your credit card information, and to protect you from fraud). We also share information, including Personal Information, with specially chosen companies that help us with marketing functions (such as manage our Internet business, maintain and manage our customer information, as well as market our products and services). We may engage vendors to serve advertisements on our behalf across the Internet and to provide analytics services. These entities may collect certain information from you (e.g. click stream information, browser type, time and date, hardware/software information, cookie ID, IP address, etc.) when you visit our Website or Mobile App and use that information to provide advertisements about goods and services that are deemed to be of greater interest to you.
We may also share your information for any other purpose as disclosed at the time of collection, or when we have otherwise obtained consent. Please note that this Policy is not intended to limit our ability to share or disclose aggregated, pseudonymized, or anonymized data. Shake Shack also reserves the right to use or disclose information as needed to satisfy any law, regulation or legal request, to fulfill your requests, or to cooperate in any law enforcement or similar investigation.
How We Protect Your Information
Shake Shack takes a number of steps to protect your information from unauthorized access, use, or disclosure. Shake Shack protects your information using technical, physical, and administrative security measures to reduce the risk of loss, misuse, unauthorized access, disclosure, or modification of your information. Examples of our safeguards include firewalls, data encryption, physical access controls, and administrative informational controls. When you transmit sensitive information (such as a credit card number) through the Website or in the Mobile App, we encrypt the transmission of that information using the Secure Sockets Layer (SSL) protocol. No system or network can be guaranteed to be 100% secure. As a result, we recommend that you help us keep your information safe by taking reasonable steps such as keeping your passwords private, changing them from time to time, and not disclosing personal data in places that can be accessed publicly.
We retain your information only for as long as is necessary to provide the Services and to fulfill the transactions you have requested, or for other necessary purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements.
“Cookies” and Advertisers
The Website and the Mobile App server, or the servers of companies that are used to operate the Website and the Mobile App, may place a “cookie” on your computer, store data in your computer browser or access pre-existing removable tracking features on your mobile device in order to allow you to use the Website and the Mobile App and to personalize your experience. A “cookie” is a small piece of data that can be sent by a web server to your computer, which then may be stored by your browser on your computer’s hard drive. Cookies and browser storage allow us to recognize your computer while you are on our Website and the Mobile App and help customize your online experience and make it more convenient for you. Cookies and browser storage are also useful in allowing more efficient log-in for users, tracking transaction histories, and preserving information between sessions. The information collected from cookies and browser storage may also be used to improve the functionality of the websites and applications.
Most web browser applications (such as Microsoft Internet Explorer, Google Chrome, Firefox and Apple Safari) have features that can notify you when you receive a cookie or prevent cookies from being sent. If you disable cookies or other device tracking features, however, you may not be able to use certain personalized functions of the Website or the Mobile App.
Links to Other Sites
In some areas of the Website or the Mobile App, we may provide a link to another website. Other websites, including social media sites, have their own policies regarding privacy and security, and these may vary from ours.
The Services are directed toward and designed for use by persons aged 13 or older. Shake Shack will not approve applications of, or establish or maintain registrations for any child whom Shake Shack knows to be under the age of 13. Shake Shack does not solicit or knowingly collect personally identifiable information from children under the age of 13. If Shake Shack nevertheless discovers that it has received personally identifiable information from an individual who indicates that he or she is, or whom Shake Shack otherwise has reason to believe is, under the age of 13, Shake Shack will delete such information from its systems. Additionally, a child’s parent or legal guardian may request that the child’s information be corrected or deleted from our files by requesting this via our Contact Us page.
If you have reason to believe that child under the age of 13 has provided personal data to us without parental consent, please contact us using any of the methods described in the “Contact Us” section of this Policy, and we will endeavor to delete that data from our systems.
|Categories of Personal Information Collected||Business Purposes for Collection|
|Personal Identifiers (e.g., name, email address, and date of birth)||
|Other personal information (e.g., drivers license, credit card number, health insurance information)||
|Demographic information (e.g., gender, familial status, and citizenship status)||
|Commercial information (e.g., purchasing activity)||
|Biometric information (e.g., eye color)||
|Internet or other electronic activity information (e.g., clickstream data and information regarding interaction with a web site)||
|Geolocation data (e.g., mobile device location)||
|Audio, electronic, or visual information (e.g., photographs)||
|Professional or employment-related information (e.g., employment history, educational information)||
|Customer order information (e.g., order number)||
|Inferences drawn from personal information (e.g., preferences)||
|Employee tax-related information (e.g., garnishments and tax remittance)||
|Other shareholder information (e.g., voting records)||
|Miscellaneous categories of consumer information (e.g., household income, dietary habits, allergies)||
In accordance with the CCPA, California residents have the right to request that we disclose the following information about our collection and use of “Personal Information,” over the twelve months prior to your requests:
- The categories of Personal Information we collect about you.
- The categories of sources for the Personal Information we collect about you.
- Our business or commercial purpose for collecting or selling that Personal Information.
- The specific pieces of Personal Information collected about you.
- If we disclosed your Personal Information for a business purpose, a list of the categories of Personal Information we have disclosed in the prior twelve months.
- If we sold your Personal Information for a business purpose, a list of the categories of Personal Information we have sold in the prior twelve months.
You also have the right to request that we delete any of your Personal Information. In some circumstances we may not be able to honor your request for deletion – for example, if we need to hold on to your information to protect the security or functionality of our operations, to service your account, or to comply with legal obligations.
To ask for a record of the information we hold about you, or to ask us to delete your information, please visit https://www.shakeshack.com/privacy-request/ or call us at (844) 766 – 8973. You must provide enough information that we can verify who you are and that you are a California resident. We will only use personal information provided in a request to verify the requester’s identity and authority to make the request.
You also have the right to direct us not to sell your personal information at any time. To opt out of the sale of your personal information, you may submit a request to us by visiting https://www.shakeshack.com/privacy-request/. Alternatively, you can click here:
We will not deny services, charge different prices, offer a different quality of service or otherwise discriminate against your for exercising your rights under the CCPA.
European Privacy Rights
Where applicable, we will adhere to data protection laws in the European Union (“EU”) and the United Kingdom (“UK”). Where the laws of your country allow, you understand that we will transfer, store, and use your data in the United States and any other country where we operate. In some of the countries to which we transfer personal data, the privacy and data protection laws and rules regarding when government authorities may access data may vary from those of your country.
Shake Shack’s processing of personal data is (i) necessary for the performance of a contract with the individual providing information; (ii) necessary for compliance with a legal obligation; (iii) based on consent (where applicable); and/or (iv) within the legitimate interests of Shake Shack. When we transfer personal data outside of the EU or the UK, we ensure an adequate level of protection for the rights of data subjects based on the adequacy of the receiving country’s data protection laws, contractual obligations placed on the recipient of the data (model clauses may be requested by inquiry as described below), or EU-US Privacy Shield principles.
Shake Shack complies with the EU-US Privacy Shield principles (the “Principles”) regarding the collection, use, sharing, and retention of personal data from the European Union, as described in our EU-US Privacy Shield certification.
If you have a Privacy Shield-related complaint, please contact our Data Protection Officer below. As part of our participation in Privacy Shield, if you have a dispute with us about our adherence to the Principles, we will seek to resolve it through our internal complaint resolution process, alternatively through the independent dispute resolution body JAMS, and under certain conditions, through the potentially binding Privacy Shield arbitration process.
Privacy Shield participants are subject to the investigatory and enforcement powers of the US Federal Trade Commission and other authorized statutory bodies. Under certain circumstances, participants may be liable for the transfer of personal data from the EU to third parties outside the EU. Learn more about the EU-US Privacy Shield.
In accordance with the General Data Protection Regulation (“GDPR”) and the UK’s Data Protection Act 2018 (“DPA”), users who are located in the EU or the UK have the following rights:
- If the processing of personal data is based on your consent, the right to withdraw consent for future processing of that data.
- The right to request from Shake Shack, a “data controller” as defined under the GDPR, access to and rectification of your personal data.
- Subject to limitations as provided for in the GDPR and the DPA, the right to request restriction of the processing of your personal data or to object to the processing of your personal data.
- Subject to limitations as provided for in the GDPR and the DPA, the right to request erasure of your personal data.
To exercise the above mentioned rights to revocation, information correction, blocking or deletion, please contact our data protection officer via the contact details provided below. The exercising of your rights is free of charge.
We hope to be able to resolve all questions or complaints with you directly, although you have the right to contact the data protection supervisory authority if you wish to do so.
Data Protection Officer
If you have any questions regarding the processing of your personal data, please do not hesitate to contact our data protection officer directly. He will also assist you in case you have information requests or other requests or complaints:
Senior Vice President and General Counsel
225 Varick Street, New York, NY 10014
This Policy went into effect on the date noted at the top of this webpage. We may update this Policy from time to time. If we make material changes, we will post the updated Policy on this page and change the date at the top of this webpage. We encourage you to look for updates and changes to this Policy periodically, especially before you provide information, and particularly personally identifiable information, directly to us through the Services. Your continued use of the Services after any changes to this Policy are in effect constitutes your acceptance of the revised Policy.
We welcome your questions, comments, and concerns about privacy. You can contact Shake Shack Customer Service online at https://www.shakeshack.com/contact/ or by phone at 646.747.7200, or by postal mail at:
Shake Shack Enterprises, LLC,
225 Varick Street, New York, NY 10014