
Privacy

Privacy Settings

Shake Shack takes your privacy very seriously and only provides personal information as required for the products and services you request. We have provided the following controls to Approve and Withdraw consent to process future requests. You can update these settings and view our Privacy Policy at any time from the Shake Shack Privacy page.

  • Cookies: Shake Shack uses cookies in order to manage your privacy controls. Our 3rd Party Services use cookies in order to deliver their services to provide the best user experience including the following types of cookies and browser-based data:
  • Marketing: Shake Shack sends your browser-based data and other personal information provided by you on our website to Mailchimp in order to personalize the marketing communications and promotions we send you. Additionally, we send anonymized data to Google and Facebook in order to help us fix technical issues, errors and highlight areas such as navigation where we can improve our Website and other digital properties.
  • Guest Support: Shake Shack sends your browser-based data and other personal information provided by you on our website to Salesforce to aid our Guest Services team in responding to guest inquiries and requests.
  • Social Media: Shake Shack embeds social media widgets, videos, and playlists into our website to allow guests to interact with our brand through 3rd party services.

Privacy Policy

Effective Date:  January 1, 2020

Last Updated:  December 24, 2019

Shake Shack has adopted this privacy policy (this “Policy”) in order to inform you of its policies with respect to the personal information Shake Shack collects about you through our interactions with you and through our products, services, events, and programs – including our website located at www.shakeshack.com (the “Website”), the Shake Shack mobile application (the “Mobile App”), and transactions completed at Shake Shack physical locations (each a “Service,” and collectively, the “Services”).

In this Policy, the terms “Shake Shack,” “we,” and “us” refer to Shake Shack Enterprises, LLC and its wholly owned and operated locations.  This Policy does not apply to information collected by Shake Shack licensees, which maintain their own privacy policies and procedures.

By using any of the Services, you consent to the terms of this Policy.

 

The Personal Information Shake Shack Collects and How We Use It

In connection with your interactions with us through the Services, we may collect personal information from you or from other sources. This information may be information that you directly provide to us, such as information that you provide when you visit the Services, or information that is passively or automatically collected from you, such as information collected from your browser or device. The personal information may identify you directly (e.g., your name). We also collect certain information that does not identify you directly, but in certain circumstances could allow you to be identified indirectly (e.g. certain technical data associated with devices that you use to interact with the Services).

In some instances Shake Shack may also collect information from third party sources, upon whom we rely to provide the Services. We use both business partners and service providers, such as payment processors and analytics providers, to perform services on our behalf. Some of these partners may have access to information about you that we may or may not otherwise have (for example, where you sign up directly with that provider) and may share some or all of this information with us. We may use this information to administer and improve the Services and to conduct marketing and advertising campaigns.

In addition to the categories of information referenced above, Shake Shack may also collect aggregated data or anonymized data that does not directly identify you.

 

How We Share and Disclose Information

Shake Shack only shares information, including Personal Information (as defined in the section entitled “California Residents” below), with affiliated companies, as well as carefully selected business partners and service providers to provide better service to you. These companies need information about you to perform their service function (such as to process and fulfill your order, verify your credit card information, and to protect you from fraud). We also share information, including Personal Information, with specially chosen companies that help us with marketing functions (such as manage our Internet business, maintain and manage our customer information, as well as market our products and services). We may engage vendors to serve advertisements on our behalf across the Internet and to provide analytics services. These entities may collect certain information from you (e.g. click stream information, browser type, time and date, hardware/software information, cookie ID, IP address, etc.) when you visit our Website or Mobile App and use that information to provide advertisements about goods and services that are deemed to be of greater interest to you.

We may also share your information for any other purpose as disclosed at the time of collection, or when we have otherwise obtained consent. Please note that this Policy is not intended to limit our ability to share or disclose aggregated, pseudonymized, or anonymized data. Shake Shack also reserves the right to use or disclose information as needed to satisfy any law, regulation or legal request, to fulfill your requests, or to cooperate in any law enforcement or similar investigation.

 

How We Protect Your Information

Shake Shack takes a number of steps to protect your information from unauthorized access, use, or disclosure. Shake Shack protects your information using technical, physical, and administrative security measures to reduce the risk of loss, misuse, unauthorized access, disclosure, or modification of your information. Examples of our safeguards include firewalls, data encryption, physical access controls, and administrative informational controls. When you transmit sensitive information (such as a credit card number) through the Website or in the Mobile App, we encrypt the transmission of that information using the Secure Sockets Layer (SSL) protocol. No system or network can be guaranteed to be 100% secure. As a result, we recommend that you help us keep your information safe by taking reasonable steps such as keeping your passwords private, changing them from time to time, and not disclosing personal data in places that can be accessed publicly.

 

Data Retention

We retain your information only for as long as is necessary to provide the Services and to fulfill the transactions you have requested, or for other necessary purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements.

 

“Cookies” and Advertisers

The Website and the Mobile App server, or the servers of companies that are used to operate the Website and the Mobile App, may place a “cookie” on your computer, store data in your computer browser or access pre-existing removable tracking features on your mobile device in order to allow you to use the Website and the Mobile App and to personalize your experience. A “cookie” is a small piece of data that can be sent by a web server to your computer, which then may be stored by your browser on your computer’s hard drive. Cookies and browser storage allow us to recognize your computer while you are on our Website and the Mobile App and help customize your online experience and make it more convenient for you. Cookies and browser storage are also useful in allowing more efficient log-in for users, tracking transaction histories, and preserving information between sessions. The information collected from cookies and browser storage may also be used to improve the functionality of the websites and applications.

Most web browser applications (such as Microsoft Internet Explorer, Google Chrome, Firefox and Apple Safari) have features that can notify you when you receive a cookie or prevent cookies from being sent. If you disable cookies or other device tracking features, however, you may not be able to use certain personalized functions of the Website or the Mobile App.

 

Links to Other Sites

In some areas of the Website or the Mobile App, we may provide a link to another website. Other websites, including social media sites, have their own policies regarding privacy and security, and these may vary from ours.

 

Children’s Privacy

The Services are directed toward and designed for use by persons aged 13 or older. Shake Shack will not approve applications of, or establish or maintain registrations for any child whom Shake Shack knows to be under the age of 13. Shake Shack does not solicit or knowingly collect personally identifiable information from children under the age of 13. If Shake Shack nevertheless discovers that it has received personally identifiable information from an individual who indicates that he or she is, or whom Shake Shack otherwise has reason to believe is, under the age of 13, Shake Shack will delete such information from its systems. Additionally, a child’s parent or legal guardian may request that the child’s information be corrected or deleted from our files by requesting this via our Contact Us page.

If you have reason to believe that a child under the age of 13 has provided personal data to us without parental consent, please contact us using any of the methods described in the “Contact Us” section of this Policy, and we will endeavor to delete that data from our systems.

 

California Residents

This section supplements our privacy policy with additional information for California residents only. The California Consumer Privacy Act (“CCPA”) provides specific protections and rules with respect to California’s own definition of “Personal Information,” which includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. As noted above, we collect information that you provide directly when you register for or use the Services, user credentials that you supply directly when you register for or update your login information to use the Services, demographic data, payment data, device data, usage data, location data, information about your interests and preferences, third party integrations, and other third party data. The below chart provides additional detail on the categories of Personal Information we collect and the purposes for which we use Personal Information.

Categories of Personal Information Collected (each followed by its Business Purposes for Collection)
Personal Identifiers (e.g., name, email address, and date of birth)
  • Marketing (including advertising, customer acquisition and lead generation, performance media, audience segmentation, event organization, web traffic analytics, brand promotion and analytics, surveys and consumer research, campaigns, management of influencer and other partner relationships, social media content distribution and analytics, mobile application communications, contest administration, and customer engagement and analytics)
  • Operational purposes (including order processing, payment, gift card, voucher and coupon processing, receipt processing, anti-fraud, sales data reporting, provision of food truck services, third-party delivery coordination, and mobile application and kiosk services and analytics)
  • Employment and recruiting (including conducting background checks and employment eligibility verification, for interview purposes, payroll administration and employee timekeeping, benefit administration, creation of tax forms, office administration, business expense processing, industry benchmarking, and internal communications)
  • Investor relations (including communicating with potential investors, processing stock purchases and transfers, distributing proxy statements and collecting shareholder votes, giving investor presentations, and contacting shareholders)
  • Development and real estate for the purpose of expanding the Services
  • Business relationship management
  • Customer service
  • Charitable giving
  • Legal compliance
Other personal information (e.g., driver’s license, credit card number, health insurance information)
  • Marketing (including surveys and consumer research, and management of influencer and other partner relationships)
  • Operational purposes (including order processing, payment, gift card, voucher and coupon processing, receipt processing, anti-fraud, sales data reporting, and mobile application and kiosk services and analytics)
  • Employment and recruiting (including payroll administration and benefit administration)
  • Development and real estate investment for the purpose of expanding the Services
  • Legal compliance
Demographic information (e.g., gender, familial status, and citizenship status)
  • Marketing (including surveys and consumer research, and social media content distribution and analytics)
  • Operational purposes (including mobile application services)
  • Employment and recruiting (including conducting background checks and employment eligibility verification, payroll administration, and benefit administration)
  • Investor relations (including giving investor presentations)
  • Charitable giving
  • Legal compliance
Commercial information (e.g., purchasing activity)
  • Marketing (including surveys and consumer research, and mobile application management and communications)
  • Operational purposes (including order processing and oversight, payment, gift card, voucher and coupon processing, receipt processing, anti-fraud, sales data reporting and analysis, third-party delivery coordination, mobile application and kiosk services and analytics, inventory management, and financial auditing)
  • Investor relations (including processing stock purchases and transfers)
  • Development and real estate purposes
  • Customer service
Biometric information (e.g., eye color)
  • Employment and recruiting
  • Legal compliance
Internet or other electronic activity information (e.g., clickstream data and information regarding interaction with a web site)
  • Marketing (including customer acquisition and lead generation, audience segmentation, web traffic and search engine analytics, brand promotion and analytics, surveys and consumer research, campaigns, management of influencer relationships, social media content analytics, mobile application management and communications, contest administration, providing mobile store locator services, and customer engagement and analytics)
  • Operational purposes (including anti-fraud, and mobile application and kiosk services and analytics)
  • Employment and recruiting
  • Investor relations (including communicating with potential investors)
  • Customer service
  • Charitable giving
Geolocation data (e.g., mobile device location)
  • Marketing (including social media content distribution and providing mobile store locator services)
  • Operational purposes (including anti-fraud)
Audio, electronic, or visual information (e.g., photographs)
  • Marketing (including advertising)
  • Customer and employee safety
  • Legal compliance
  • Customer service and quality assurance
  • Detecting security incidents
Professional or employment-related information (e.g., employment history, educational information)
  • Marketing (including lead generation and management of influencer and other partner relationships)
  • Operational purposes (including third-party delivery coordination, order processing and oversight)
  • Employment and recruiting (including for interview purposes, selecting candidates, payroll administration and employee timekeeping, benefit administration, creation of tax forms, office administration, business expense processing, industry benchmarking, and internal communications)
  • Investor relations (including giving investor presentations)
  • Business relationship management
  • Legal compliance
Customer order information (e.g., order number)
  • Operational purposes (including order processing, inventory management, and menu management)
  • Customer service
Inferences drawn from personal information (e.g., preferences)
  • Marketing (including audience segmentation, campaigns, management of influencer and other partner relationships, social media content distribution and analytics, and customer engagement and analytics)
  • Employment and recruiting
Employee tax-related information (e.g., garnishments and tax remittance)
  • Employment and recruiting (including payroll administration)
  • Legal compliance
Other shareholder information (e.g., voting records)
  • Investor relations (including contacting shareholders)
Miscellaneous categories of consumer information (e.g., household income, dietary habits, allergies)
  • Marketing (including surveys and consumer research and mobile application communications)
  • Operational purposes (including order processing and mobile application and kiosk services and analytics)

 

In accordance with the CCPA, California residents have the right to request that we disclose the following information about our collection and use of “Personal Information,” over the twelve months prior to your request:

  • The categories of Personal Information we collect about you.
  • The categories of sources for the Personal Information we collect about you.
  • Our business or commercial purpose for collecting or selling that Personal Information.
  • The specific pieces of Personal Information collected about you.
  • If we disclosed your Personal Information for a business purpose, a list of the categories of Personal Information we have disclosed in the prior twelve months.
  • If we sold your Personal Information for a business purpose, a list of the categories of Personal Information we have sold in the prior twelve months.

You also have the right to request that we delete any of your Personal Information.  In some circumstances we may not be able to honor your request for deletion – for example, if we need to hold on to your information to protect the security or functionality of our operations, to service your account, or to comply with legal obligations.

To ask for a record of the information we hold about you, or to ask us to delete your information, please visit https://www.shakeshack.com/privacy-request/ or call us at (844) 766 – 8973.  You must provide enough information that we can verify who you are and that you are a California resident.  We will only use personal information provided in a request to verify the requester’s identity and authority to make the request.

You also have the right to direct us not to sell your personal information at any time.  To opt out of the sale of your personal information, you may submit a request to us by visiting https://www.shakeshack.com/privacy-request/.  Alternatively, you can click here:

 

We will not deny services, charge different prices, offer a different quality of service or otherwise discriminate against you for exercising your rights under the CCPA.

 

European Privacy Rights

Where applicable, we will adhere to data protection laws in the European Union (“EU”) and the United Kingdom (“UK”). Where the laws of your country allow, you understand that we will transfer, store, and use your data in the United States and any other country where we operate. In some of the countries to which we transfer personal data, the privacy and data protection laws and rules regarding when government authorities may access data may vary from those of your country.

Shake Shack’s processing of personal data is (i) necessary for the performance of a contract with the individual providing information; (ii) necessary for compliance with a legal obligation; (iii) based on consent (where applicable); and/or (iv) within the legitimate interests of Shake Shack. When we transfer personal data outside of the EU or the UK, we ensure an adequate level of protection for the rights of data subjects based on the adequacy of the receiving country’s data protection laws, contractual obligations placed on the recipient of the data (model clauses may be requested by inquiry as described below), or EU-US Privacy Shield principles.

Shake Shack complies with the EU-US Privacy Shield principles (the “Principles”) regarding the collection, use, sharing, and retention of personal data from the European Union, as described in our EU-US Privacy Shield certification.

If you have a Privacy Shield-related complaint, please contact our Data Protection Officer below. As part of our participation in Privacy Shield, if you have a dispute with us about our adherence to the Principles, we will seek to resolve it through our internal complaint resolution process, alternatively through the independent dispute resolution body JAMS, and under certain conditions, through the potentially binding Privacy Shield arbitration process.

Privacy Shield participants are subject to the investigatory and enforcement powers of the US Federal Trade Commission and other authorized statutory bodies. Under certain circumstances, participants may be liable for the transfer of personal data from the EU to third parties outside the EU. Learn more about the EU-US Privacy Shield.

In accordance with the General Data Protection Regulation (“GDPR”) and the UK’s Data Protection Act 2018 (“DPA”), users who are located in the EU or the UK have the following rights:

  • If the processing of personal data is based on your consent, the right to withdraw consent for future processing of that data.
  • The right to request from Shake Shack, a “data controller” as defined under the GDPR, access to and rectification of your personal data.
  • Subject to limitations as provided for in the GDPR and the DPA, the right to request restriction of the processing of your personal data or to object to the processing of your personal data.
  • Subject to limitations as provided for in the GDPR and the DPA, the right to request erasure of your personal data.

To exercise the above-mentioned rights to revocation, information correction, blocking or deletion, please contact our data protection officer via the contact details provided below. The exercising of your rights is free of charge.

We hope to be able to resolve all questions or complaints with you directly, although you have the right to contact the data protection supervisory authority if you wish to do so.

 

Data Protection Officer

If you have any questions regarding the processing of your personal data, please do not hesitate to contact our data protection officer directly. He will also assist you in case you have information requests or other requests or complaints:

Ron Palmese

Senior Vice President and General Counsel

225 Varick Street, New York, NY 10014

Phone: 646.727.7200

Email: privacy@shakeshack.com

 

Changes to This Privacy Policy

This Policy went into effect on the date noted at the top of this webpage. We may update this Policy from time to time. If we make material changes, we will post the updated Policy on this page and change the date at the top of this webpage. We encourage you to look for updates and changes to this Policy periodically, especially before you provide information, and particularly personally identifiable information, directly to us through the Services. Your continued use of the Services after any changes to this Policy are in effect constitutes your acceptance of the revised Policy.

 

Contact Us

We welcome your questions, comments, and concerns about privacy. You can contact Shake Shack Customer Service online at https://www.shakeshack.com/contact/ or by phone at 646.747.7200, or by postal mail at:

Shake Shack Enterprises, LLC,

225 Varick Street, New York, NY 10014