Skip to content

CAVA Privacy Policy

Cava Group, Inc. and its direct or indirect subsidiaries (collectively, “CAVA,” “we,” “us” or “Company”) respect your privacy, and we are committed to protecting it through our compliance with this privacy policy (“Policy”). We adopted this policy to describe our policies and practices regarding the personal information we collect about consumers and options consumers may have concerning their information.

This Policy, more specifically, is intended to provide consumers with information about how we collect, use, disclose, retain, and safeguard certain of the personal information we gather about them through online and offline channels such as when you access or use our website or mobile applications (collectively, “Site”) or through other channels including but not limited to when you visit one of our locations, in-store kiosks or portals, or in-store internet access that we own or operate, phone, e-mail or text interactions, in-person events, viewing or interacting with our online advertisements, applications or e-mails, social media interactions on our websites and other third party websites such as social media sites, viewing our e-mails, or through our authorized services providers.

Please read this Policy carefully before using the Site or otherwise submitting personal information to us. By accessing or visiting the Site or providing your personal information, you indicate your understanding that the collection, use, disclosure, and retention of your personal information is subject to the terms of this Policy and our Terms of Use found at www.cava.com/terms. Except as otherwise noted, any capitalized terms not defined in the Policy have the meaning set forth in the Terms of Use.

If you do not consent to the collection, use, disclosure, and retention of your personal information as described in this Policy, please do not provide us with such information.

This Policy does not apply to third-party websites accessible through our Site.

1. Personal Information We Collect

As described below, we may collect or may have collected in the preceding 12 months the following categories of personal information (“PI” or “personal information”). We may add to the categories of PI we collect and the purpose(s) we collect and use it. In those cases, we will inform and update this section of the Policy.

Identifiers – such as name, postal address, e-mail address, phone number, account name, date of birth, Social Security number, driver’s license number, photograph, passport number, unique personal identifier, online identifier, Internet Protocol address, e-mail address, account name, or other similar identifiers.

Personal information under California Civil Code Section 1798.80(e) such asname, signature, physical characteristics or description, address, telephone number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Protected status – such as citizenship, ethnic background, gender, or other similar identifiers.

Commercial informationsuch asproducts and services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Internet or other electronic network activitysuch asbrowsing history, search history, a consumer’s interaction with an internet website, application, or advertisement.

Biometric informationsuch as an individual’s physiological, biological, or behavioral characteristics used or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity.

Geolocation data such aslocation information while using one of our apps.

Audio, electronic, visual, thermal, or similar informationsuch asidentifiable information obtained about you from voice-mail messages, while speaking with our service representatives, including on the telephone, and captured by video cameras.

Professional or employment-related information – such as information on job applications, information needed during onboarding for payroll and benefits, and information needed for evaluating performance.

Consumer profilesuch asinferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, and behaviors.

Sensitive personal information – particularly as applicable for employees and job applicants, this information may include a Social Security, driver’s license, state identification card, or passport number;account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; contents of mail, e-mail, and text messages unless we are the intended recipient of the communication; genetic data; biometric information; health information; and information regarding sex life or sexual orientation.

Personal information does not include publicly available information from government records and deidentified or aggregated consumer information. You acknowledge and understand that any biometric data collected in connection with your use of Apple, Inc. or Google, Inc. technology is not shared with CAVA and CAVA does not have access to any of your biometric data, which will be stored on your own device.

2. How Long We Retain Your Information

We retain your personal information for as long as necessary to provide you products and services, while you have an open account with us, and to fulfill the purposes outlined in this Privacy Policy, unless we have or deidentified or deleted your personal information in response to a request to delete. We may retain your personal information for longer if it is necessary to comply with our legal obligations or reporting obligations, resolve disputes, collect fees, etc. or as permitted or required by applicable law. We may also retain your personal information in a deidentified or aggregated form so that it can no longer be associated with you. To determine the appropriate retention period for your personal information, we consider various factors such as the amount, nature, and sensitivity of your information; the potential risk of unauthorized access, use or disclosure; the purposes for which we process your personal information; applicable legal requirements.

3. Business or Commercial Purposes for Which We Collect or Disclose Your Information

In general, we will use the personal information we collect only for the purpose it was collected, for compatible purposes, as permitted or required by law, as necessary to carry out our contractual duties and obligations, and as otherwise provided in this Policy. For example, we may use your personal information in the following ways:

To Operate Our Site, Facilities or Services. We may use your personal information to: administer and enable use, review, improve, and monitor our website, applications, online services, physical locations, and in-store kiosks or portals.

For Internal Use. We may use your personal information to operate our business, such as in the following examples:

  • If you create a CAVA account or enroll in the Rewards Program, we may collect your name, address, phone number, e-mail address, date of birth, password, preferences and any additional information you choose to submit such as a credit card. We use this information to provide the services you request, process payments, contact you via e-mail or regular mail about new products, services, content, or information that we think may be of interest to you.

  • If you shop with us or place an order, we may collect your name, address, phone number(s), e-mail address, billing information (including credit/debit card number and expiration date), and, if applicable, the names, addresses, and phone numbers of gift recipients. We use this information to process and fulfill your order and as otherwise described in this Policy.

  • We may contact your gift recipients regarding new products and services that we think may be of interest to them.

  • When you interact with any of our social media accounts or pages, we may collect personal information you provide or make available through that page or site. If you choose to link or login to your CAVA account with or through a social networking service, CAVA and that service may share certain information about you and your activities with each other.

  • When you use our Site or applications, we may collect your IP address or device identifier automatically. We may be able to determine your location based on the IP address. When you use our app, we may collect your precise location (e.g., your GPS coordinates). If you allow your device to provide us with this information, we use it to make improvements to our products and services, and to provide recommendations and deliver relevant targeted advertising.

  • When you download or access certain features of the Site, such as our mobile application, we may collect information about your location to provide you with information on products and services that you request, process orders, personalize content and experiences on the Site.

  • We may automatically collect a unique numerical identifier assigned to you by a first-party cookie when you use our services. We use this information to identify you, provide the services, keep you logged in, prevent fraud, and provide you with targeted information and offers.

  • We may collect your device identification information automatically when you use our services to monitor your use and the effectiveness of our services, to identify you, and to provide you with targeted information and offers.

  • We may create records of goods or services purchased or considered, as well as purchasing or consuming histories or tendencies to measure the effectiveness of our services and to provide you with targeted information, advertisements and offers.

  • If you contact us via phone, we may record the call and when you visit one of our locations, we may collect your photographic or video image. We use this information to monitor our customer service, maintain the security of our systems and physical locations, and train employees.

  • We may collect your date of birth and other information about your preferences when you provide it to us, such as your favorite store, ordering preferences or favorites, allergen or other dietary information, or other information that you may choose to provide. We use this information to respond to your requests, improve the services, and send information and advertisements to you. We may analyze your actual or likely preferences through a series of computer processes. On some occasions, we may add our observations to your internal profile. We use this information to gauge and develop our marketing activities, measure the appeal and effectiveness of our services, applications, and tools, and to provide you with targeted information, advertisements, and offers. We may use any of the categories of information listed above for other business or operational purposes compatible with the context in which the personal information was collected.

To Communicate with You. We may use your personal information to communicate with you, including sending messages about the availability of our Site, security, or other product or service-related issues. (You may change your communication preferences at any time. Please be aware that you may not be able to opt-out of receiving service messages from us, including security and legal notices, except as otherwise provided under law.) We may also send you administrative or account-related information to keep you updated about your account and the Site. Such communications may include information about Policy updates, confirmations of your account actions or transactions, security updates or tips, or other relevant transaction-related information. Site-related communications are not promotional in nature.

To Provide Support Services. We may use your personal information to provide support services and engage in quality control activities concerning our products and services.

To Enforce Compliance with Our Terms and Agreements or Policies. When you access or use our Site, you are bound to our Terms of Use and this Policy (which is incorporated into our Terms of Use and made a part thereof). To ensure compliance, we may process your personal information in connection with monitoring, investigating, preventing, and mitigating prohibited, illicit or illegal activities on our Site. We may also process your personal information to investigate, prevent or mitigate violations of our internal terms, agreements or policies; enforce our agreements with third parties and business partners; and for other purposes related to the services we provide to you, operation of our business, or your application for or employment with us.

To Ensure the Security of the Services. We may process your personal information as necessary or appropriate to protect the rights, property, security, and safety of our employees, applicants, and customers, our information systems, and the public. Keeping you safe may require us to process your personal information, such as your device information, activity information, and other relevant information. We use such information to combat spam, malware, malicious activities or security risks; improve and enforce our security measures; and to monitor and verify your identity so that unauthorized users do not gain access to your information.

To Maintain Legal and Regulatory Compliance. Our business is subject to certain laws and regulations which may require us to process your personal information. For example, we may collect your age to comply with laws that restrict collection and disclosure of personal information belonging to minors. We may also use your personal information to respond to law enforcement requests, as required by applicable law, court order, or governmental regulations, and for other lawful processes or public safety purposes.

To Engage in Marketing Activities. We may process your contact information or information about your interactions with us to send you marketing communications and keep you updated about the Site and our business; provide you with information about events or other materials; and deliver targeted marketing to you.

Other Purposes. We may use your personal information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.

4. Sources of Information

We may collect your personal information from the following sources:

You. We may collect information that you provide during your interactions with us such as through our Site, by e-mail, or when you communicate with us online, by phone, or at one of our locations. We may also collect information when you attend an event, or participate in a sweepstakes, contest, promotion, or program we sponsor. We may collect information when you are an applicant for employment with us and employed by us. We may also collect information through certain online tracking tools, such as browser cookies, flash cookies, and web beacons.

Related entities and affiliates. We may collect information about you from our affiliates and other related parties including joint ventures.

Service providers and contractors. We may collect your personal information from service providers or contractors who collected information about you that is needed to provide you products or services or in connection with your application for or employment with us.

News outlets, social media, surveys, and certain third parties. In the course of performing our services or marketing activities, or in connection with your application for or employment with us, we or third parties on our behalf may conduct research and other activities resulting in the collection of PI about you.

Information collected automatically (subject to opt-out). As you navigate through and interact with our Site, we may compile statistical information concerning your usage of the Site through analytics services, such as those provided by Google Analytics. To do so, we may collect certain information about your equipment, browsing actions and patterns, including:

  • Details of your visits to our Site, such as traffic data, location data, logs and other communication data and the resources that you access and use on the Site.

  • Information about your computer and internet connection, including your IP address, operating system, and browser type.

  • Information about the type of device you are using, mobile ad identifiers, the time and length of your visit, and the website that referred you to our Site.

  • Information about your preferences to make your use of the Site more productive, via the use of cookies. For more information on cookies, please see the Cookies, Tracking, and Certain Communications section below. We may use this information to generate aggregate statistics about visitors to our Site. Please check your web browser if you want to learn what information your browser sends or how to change your settings.

Your Choices.You have the right to limit the information you provide us. If you choose not to provide us certain information we request, however, we may be unable to provide you access to certain of our services and/or content.

We may sometimes send you e-mail communications about our products and services. To opt-out of receiving these communications, please click the “unsubscribe” link in the applicable communications or take other similar action to opt-out, as available (e.g., by using a designated webform that we may make available for such purpose).

5. CAVA Loyalty Rewards Program

CAVA provides its customers with an opportunity to participate in our CAVA Rewards Program (“Program”). To enroll, we may collect your name, e-mail address, phone number, and date of birth. We also collect and retain your purchase history. How we use and disclose the personal information we collect from you is described in our Privacy Policy. Members of the CAVA Loyalty Rewards Program (as may be named otherwise from time to time) can earn program credit on eligible purchases that can be redeemed for CAVA food and beverage items at participating CAVA locations. By participating, members may also be rewarded with exclusive offers, discounts, invites to events, sneak peeks on new menu items, special birthday gifts, and other surprise rewards.

To become a member or enroll in the Program, you must affirmatively opt in, which you may do by visiting https://cava.com/rewards or by clicking “Sign In” and then “Sign Up” or “Create an Account” on the home page or app and completing all required fields, or in such other manner that we may provide from time to time.” You can freely withdraw your consent at any time by submitting an instruction to do so on https://support.cava.com.

By enrolling in CAVA Rewards, you authorize CAVA, its affiliates, and partners to communicate marketing and company information to you. Communications may include marketing e-mails, direct mail, and other communications about offers and promotions. By enrolling, you agree to all terms listed in our Privacy Policy and Terms and Conditions.

Additional information for California residents is provided in Section 17(g) and for Colorado residents, in Section 18(a) of this Policy.

6. Cookies, Tracking, and Certain Communications

We use cookies and other web technologies to collect and store certain types of information when you visit the Site. A cookie is a small file consisting of letters and numbers that automatically collect certain information from you. This file uniquely identifies and recognizes your browser or device and transmits information back to the server. Depending on the cookie type, it may perform functions such as remembering your user preferences, improving the quality of your visit, recording the website pages you view, remembering the name or address you entered during a visit, or delivering ads that are targeted to your interests and browsing activity.

Types of Cookies.

First and Third Party Cookies: First party cookies are generally placed on your computer or device by the website you are visiting. For example, we may use a first party cookie to improve website security. Third party cookies are placed on your computer or device by a source other than the website you are visiting in order to enable third-party features such as advertising, analytics, videos, or interactive content.

Essential or Strictly Necessary Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually set in response to actions taken by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. These cookies do not store any personally identifiable information.

Performance and Functionality Cookies: Although these are non-essential cookies, they help the website perform and function as designed. For example, performance and functionality cookies may help the website display videos, enable chat sessions, or recognize whether you visited the website before.

Analytics Cookies: These cookies track your usage of the website. The information these cookies collect can be used for various purposes such as understanding how visitors use the website, site and content customization, or advertising and marketing.

Advertising Cookies: Advertising and marketing cookies perform functions such as helping customize your website experience, personalizing ads based on your online activities and interests, measuring the effectiveness of ads, preventing an ad from reappearing, and serving you targeted advertisements. Information from these cookies may be disclosed to third parties or third parties may place these cookies on your computer or device. Advertising and marketing cookies may track your online activities.

Generally, the Site uses essential, functional, and performance cookies to function and perform as designed; analytics cookies to understand how you use the Site, improve its functionality, and other related purposes; and advertising cookies to help us with our advertising and marketing activities. We and our third-party partners and service providers may collect and track information about your online activities over time and across different websites, applications, and devices.

Web beacons. Pages of our Site and our e-mails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us to perform functions such as count users who have visited those pages or opened an e-mail and for other related Site statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

Analytics. We may use third-party analytical tools, including Google Analytics, a web analytics service provided by Google, Inc. (“Google”), to help us better understand how you use our Site. These analytical tools will place cookies or other tracking technology on your computer or device to collect information about your activity related to, and usage of, the Site. The information collected by these analytical tools will tell us things such as which search engine referred you to our Site, how you navigated around our Site, what you purchased, and other information to help us to better serve you with more personalized information and product offerings. The technologies used by Google may collect information such as your IP address, time of visit, whether you are a returning visitor, and any referring website. The information generated by Google Analytics will be transmitted to and stored by Google and will be subject to Google’s privacy policies.

In the event a third-party provider of analytical tools will have access to personal information, such as your name, address, phone number or precise location, we contractually require such third-party provider to limit its use of information to perform services for us and to maintain all information it collects and analyzes for us securely and in confidence. Such third parties may not share your information with anyone else, or use it for any other purpose, except on an aggregated, basis.

Targeted Marketing. We may partner with third-party advertising companies who utilize cookies or other tracking technologies to collect information about you when you use the Site. These cookies and other technologies are used to provide advertisements about goods and services that may be of interest to you. These third parties may collect information about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based advertising or other targeted content. They may use persistent identifiers to anonymously track your Internet usage across other websites in their networks beyond our Services. Such third parties may, with sufficient data from various sources, be able to personally identify you.

Cross-Device Technologies. We and our service providers may use collected information to establish connections among related web browsers and devices (such as smartphones, tablets, computers, and TVs) for targeted advertising, analytics, attribution, and reporting purposes. We and/or our service providers may match your browsers or devices if you log into the same online service on multiple devices or if your devices share similar attributes that support an inference that they are used by the same person or household. This means that your online behavior (information about your activity on websites or apps on your current browser or device and your device’s geolocation (which may include specific longitude and latitude)) may be combined with information collected from your other browsers or devices. For example, our service providers may use this information to deliver an ad on your tablet or smartphone, to limit the number of times you see an ad across your devices, and to help measure the effectiveness of advertising campaigns across devices.

Embedded Content. The Site contains embedded content (e.g., videos) which may place third party cookies on your device that track your online activity to enhance your experience or assess the success of their application. We have no direct control over the information these third party cookies collect, and you should refer to their website privacy policy for additional information.

Social Media Sharing. This Site may offer social media sharing features or other integrated tools, which let you share actions you take on this website with other media, and vice versa. These features may collect information about your IP address and which page you are visiting on our Site, and they may set a cookie or employ other tracking technologies. The use of such features enables the sharing of information with your friends or the public, depending on the settings you establish with the third party that provides the social sharing feature. Social media sharing features and widgets are either hosted by a third party or hosted directly on our Site. Your interactions with those features are governed by the privacy policies of the companies that provide them. For more information about the purpose and scope of data collection and processing in connection with social media sharing features, please visit the privacy policies of the third parties that provide these features.

7. Controlling Cookies, Your Choices, and Opting Out of Targeted Advertising

Cookies. You may control cookies, including preventing or stopping the installation and storage of cookies, through your browser settings and other tools. Most browsers will allow you to block or refuse cookies. However, you may need to manually adjust your preferences each time you visit a site. For more information, see the Help section of your browser. Please note that if you block certain cookies, some of the services and functionalities of our Site may not work.

IMPORTANT: BY USING THE SITE, YOU CONSENT TO THE PROCESSING OF ANY PERSONAL INFORMATION FOR THE PURPOSES AND FUNCTIONS DESCRIBED ABOVE.

Communications and Advertising Preferences. You may update or change certain communication and advertising preferences by (1) logging into your registered account and updating the relevant account setting, or (2) changing your device’s relevant settings for our mobile apps. If you no longer want us to collect information through our mobile apps, please uninstall them.

You may also attempt to opt out of certain targeted marketing practices in web browsers and mobile applications by following the instructions below. For all the below third-party options, CAVA cannot verify these processes and disclaims any responsibility. Please note that you will need to opt out separately on all of your browsers and devices, as each opt-out will apply only to the specific browser or device from which you opt out. If you delete or reset your cookies or mobile identifiers, change browsers, or use a different device, any opt-out cookie or tool may no longer function, and you will have to opt out again. Note that some service providers may also make their own opt-out process available. Please note that even if you choose to opt-out of receiving targeted advertising, you may still receive advertising about CAVA.

  • Web Browser Opt-Out: To opt out in web browsers, please visit the Network Advertising Initiative Consumer Opt-Out Page at www.networkadvertising.org/choices and the Digital Advertising Alliance Consumer Choice page at www.aboutads.info/consumers.

  • Mobile Application Opt-Out: To opt out in mobile apps, please visit the Network Advertising Initiative Mobile Device Opt Outs page at https://thenai.org/opt-out/mobile-opt-out/, and learn about the Digital Advertising Alliance's AppChoices tool at www.aboutads.info/appchoices to adjust the advertising preferences on your mobile device.

  • Location Opt-Out: If you do not want to use your location for targeted marketing purposes, you may adjust your location preferences on your computer, browser, or mobile device. You can also stop the collection of location information by uninstalling our app from your device.

  • Google Analytics Opt-Out. To limit our collection of data via Google Analytics on our websites, visit the sites only from browsers on which you have installed Google Analytics’ opt-out browser add-on.

Do Not Track. “Do Not Track” is a privacy preference that you can set in your Internet search browser that sends a signal to a website that you do not want the website operator to track certain browsing information about you. However, because our Site is not configured to detect Do Not Track signals from a user’s computer, we are unable to respond to Do Not Track requests.

8. Disclosures of Personal Information

In general, we will not disclose your personal information except with your consent and as described in this Policy. We may disclose your personal information for the same reasons that we may use it, as described in this Policy, which includes disclosing it to our affiliates and non-affiliates, as we deem necessary to carry out those purposes. We endeavor to choose affiliates and non-affiliates whose standards for the protection of data match ours.

The following identify the categories of third parties to whom we may disclose personal information we may collect about you, as described above.

Third parties as directed by you. We may disclose your personal information to the third parties to whom you direct.

Services providers. We may disclose your personal information to certain service providers such as those who provide catering and food delivery services, administer consumer promotions, analyze data, process and fulfill orders you place, provide directions or maps, customer service, payment processing, marketing and advertising services, professional services, debt collection services, information technology services, payroll, benefits, and other employment-related services, and data storage services. We might also authorize our service providers to collect personal information on our behalf.

Business partners. We may disclose your personal information to our business partners for purposes of collaborating on providing services to you. These business partners should also have their own privacy statements that set forth the manner in which they will collect, use, and disclose personal information. Where applicable, we encourage you to review each such business partner’s privacy statement.

Advertising or social media partners. We may disclose your personal information to advertising or social media partners or allow them to collect personal information about you. One such purpose may be for cross-contextual advertising.

Governmental authorities and other third parties. We may disclose your personal information as necessary to comply with federal, state, or local laws, civil, criminal, or regulatory inquiry, investigation, subpoena, or summons, cooperate with law enforcement agencies concerning conduct or activity that we reasonably and in good faith believe may violate federal, state, or local laws, detect, investigate and prevent fraud or other unlawful activities, protect and defend ourselves, our property, our employees, our customers, and our users, and exercise or defend legal claims.

Affiliates and successors to all or portions of our business. We may disclose your personal information with certain direct or indirect affiliates or subsidiaries of our parent company. If all or part of our business is sold, we may disclose personal information in preparation for or as part of that transaction.

9. Third Party Website Links and Third-Party Integrations

Some portions of our Site may contain links to other websites on the Internet that are neither under our control nor maintained by us. Such links do not constitute an endorsement by us of those other websites, the content displayed therein, or the persons or entities associated therewith. You acknowledge that we are providing these links to you only as a convenience, and you agree that we are not responsible for the content of such websites. Your use of these other linked websites is subject to the respective terms of use and privacy policies located on the linked websites.

If you place an order on a delivery website, your use of that website is subject to its terms of use and privacy policy.

We may also provide links to third party integrations. Third party integrations are websites or platforms that synchronize with our Site to provide you additional functionality, tools, or services such as maps, sending requested information, etc. You acknowledge and agree we are not responsible for the availability of third party integrations and do not endorse and are not responsible or liable for any content, advertising, goods, services or other materials on, available through, or provided by such integrations. We are not responsible for the privacy or other practices of such sites and cannot guarantee the security of personal information that you provide, or is collected by, such sites. We encourage you to review the privacy policies and terms and conditions on those integrations.

10. E-mail and SMS Communications

We may collect your e-mail address via cookies and pixels on the Site through the use of trusted third-party partners. These partners may combine your e-mail information with other information they have access to such as mailing address so that we may send relevant marketing offers to you via direct mail.

You may elect to receive text messages from us. When you sign up to receive text messages, we will send you information about promotional offers and more. These messages may use information automatically collected based on your actions while on our Site and may prompt messaging such as cart abandon messages. To the extent you voluntarily opt to have SMS notifications sent directly to your mobile phone, we receive and store the information you provide, including your telephone number or when you read a text message. You may opt out of receiving text messages at any time by texting “STOP” to our text messages. Data obtained through the short code program will not be shared with any third parties for their marketing reasons or purposes. For more information about text messages, see our Text Messaging Terms.

11. Our Site and Children

Our Site is not intended for children under the age of 18. We do not knowingly collect personal information on individuals under the age of 18. IF YOU ARE UNDER 18, DO NOT USE OR PROVIDE ANY INFORMATION ON THIS SITE OR THROUGH ANY OF ITS FEATURES, REGISTER WITH THE SITE, MAKE ANY PURCHASES THROUGH THE SITE, OR PROVIDE ANY INFORMATION ABOUT YOURSELF TO US, INCLUDING YOUR NAME, ADDRESS, TELEPHONE NUMBER, EMAIL ADDRESS, OR ANY SCREEN NAME OR USERNAME YOU MAY USE. If you believe personal information was provided to us by someone under 18, please contact us immediately at [email protected] or 1-844-707-6841. Notwithstanding the foregoing, we may permit job applicants or employees that are 16 or 17 years old whose personal information we may collect, use, and share for purposes consistent with such roles.

You must be 18 years old to register or create an account with us without parental consent. By personally creating an account with us, you represent you are at least 18 years old.

12. Security

We take precautions to protect data and information under our control from misuse, loss or alteration. Our security measures include industry-standard physical, technical, and administrative measures to prevent unauthorized access to or disclosure of your information, to maintain data accuracy, to ensure the appropriate use of information, and otherwise safeguard your personal information. However, no system for safeguarding personal or other information is 100% secure and, although we have taken steps to protect your personal information from being intercepted, accessed, used or disclosed by unauthorized persons, we cannot fully eliminate security risks associated with personal information.

Please recognize that protecting your personal information is also your responsibility. We ask you to be responsible for safeguarding the password, security questions and answers, and other authentication information you use to access our Site.

13. Applicable Law

This Policy is governed by the laws of the State of Delaware, without regard to its conflict of laws principles. Jurisdiction for any claims arising under or out of this Policy shall lie exclusively with the state and federal courts within the State of Delaware. If any provision of this Policy is held by a court or other tribunal of competent jurisdiction to be invalid, illegal or unenforceable for any reason, such provision will be eliminated or limited to the minimum extent such that the remaining provisions of these terms will continue in full force and effect and in the manner most favorable to CAVA.

14. Notice to Site Users Located Outside the U.S.

The Company operates in accordance with the laws of the U.S. When you access our Site from outside the U.S., we may transfer the PI that we collect from you to a location outside of your jurisdiction, including the U.S. The data protection laws in these jurisdictions may not provide you with the same protections as those of your jurisdiction. By using this Site, you acknowledge that these laws may provide a different standard of protection and you consent to the transfer of your personal data to other jurisdictions, including the U.S.

15. Changes to this Policy

We reserve the right, at our sole discretion, to change, modify, add, or remove portions of this Policy at any time. If this Policy changes in the future, we will let you know by posting the updated policy in our Site with the most recent modification date. Please check the Site periodically for changes. Your continued use of our Site, any rewards programs, or contacting our guest services center, means you acknowledge and understand our current and updated Policy.

16. Contact Us

If you have questions, you can contact us by

  • Calling 1-844-707-6841 on Monday-Friday from 6am – 5pm ET or

  • E-mailing us at [email protected].

17. Accessibility

Persons with disabilities may obtain this notice in alternative format upon request by contacting us at [email protected] or calling 1-844-707-6841.

STATE SPECIFIC NOTICES

CALIFORNIA RESIDENTS

This section supplements and amends the information contained in the Policy with respect to California residents. The other provisions of the Policy continue to apply, except as modified in this California section.

Shine the Light

If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information by certain members of the Company to third parties for the third parties’ direct marketing purposes. Requests may be made one time per calendar year. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which we disclosed customer information for the immediately prior calendar year (e.g., requests made in 2022 will receive information regarding 2021 sharing activities). You may submit your request using the contact information in this Policy.

California Consumer Privacy Act

The following provisions describe our policies and practices regarding the collection, use, and disclosure of personal information, including information we obtain when you access or use the Site, or through other channels (e.g., phone and e-mail conversations, when you visit our locations or attend our events, or through our authorized services providers), in accordance with the California Consumer Privacy Act, as amended (“CCPA”).

Any terms defined in the CCPA have the same meaning when utilized in this section. The other provisions of the Policy continue to apply except as modified herein.

Please read this section carefully before using the Site or submitting information to us. By accessing or visiting the Site, or submitting personal information to us, you indicate your understanding that the collection, use, and sharing of your information is subject to the terms of this section and our Terms of Use. Except as otherwise noted, any capitalized terms not defined in this section have the meaning set forth in the Policy and Terms of Use.

Sources of Information

We may collect your personal information from the following sources:

You. We may collect information that you provide during your interactions with us such as through our Site, by e-mail, or when you communicate with us online, by phone, or at one of our locations. We may also collect information when you attend an event, or participate in a sweepstakes, contest, promotion, or program we sponsor. We may collect information when you are an applicant for employment with us and employed by us. We may also collect information through certain online tracking tools, such as browser cookies, flash cookies, and web beacons.

Related entities and affiliates. We may collect information about you from our affiliates and other related parties including joint ventures.

Service providers and contractors. We may collect your personal information from service providers or contractors who collected information about you that is needed to provide you products or services or in connection with your application for or employment with us.

News outlets, social media, surveys, and certain third parties. In the course of performing our services or marketing activities, or in connection with your application for or employment with us, we or third parties on our behalf may conduct research and other activities resulting in the collection of PI about you.

Information collected automatically (subject to opt-out). As you navigate through and interact with our Site, we may compile statistical information concerning your usage of the Site through analytics services, such as those provided by Google Analytics. To do so, we may collect certain information about your equipment, browsing actions and patterns, including:

  • Details of your visits to our Site, such as traffic data, location data, logs and other communication data and the resources that you access and use on the Site.

  • Information about your computer and internet connection, including your IP address, operating system, and browser type.

  • Information about the type of device you are using, mobile ad identifiers, the time and length of your visit, and the website that referred you to our Site.

  • Information about your preferences to make your use of the Site more productive, via the use of cookies. For more information on cookies, please see the Cookies, Tracking, and Certain Communications section below. We may use this information to generate aggregate statistics about visitors to our Site. Please check your web browser if you want to learn what information your browser sends or how to change your settings.

How Long We Retain Your Information

We retain your personal information for as long as necessary to provide you products and services, while you have an open account with us, and to fulfill the purposes outlined in this Privacy Policy, unless we have or deidentified or deleted your personal information in response to a request to delete. We may retain your personal information for longer if it is necessary to comply with our legal obligations or reporting obligations, resolve disputes, collect fees, etc. or as permitted or required by applicable law. We may also retain your personal information in a deidentified or aggregated form so that it can no longer be associated with you. To determine the appropriate retention period for your personal information, we consider various factors such as the amount, nature, and sensitivity of your information; the potential risk of unauthorized access, use or disclosure; the purposes for which we process your personal information; applicable legal requirements.

Disclosures of Personal Information

In general, we will not disclose your personal information except with your consent and as described in this Policy. We may disclose your personal information for the same reasons that we may use it, as described in this Policy, which includes disclosing it to our affiliates and non-affiliates, as we deem necessary to carry out those purposes. We endeavor to choose affiliates and non-affiliates whose standards for the protection of data match ours.

The following chart describes the categories of personal information we may collect or may have collected about you in the preceding 12 months and, for each category, identifies the categories of third parties to whom we may disclose that information and the purposes of collection and use.

You acknowledge and understand that any biometric data collected in connection with your use of Apple, Inc. or Google, Inc. technology is not shared with CAVA and CAVA does not have access to any of your biometric data.

Categories of Personal Information

Categories of Third Parties to Whom Disclosed & Purposes for Collection and Disclosure

Identifiers – such as name, postal address, e-mail address, phone number, account name, date of birth, Social Security number, driver’s license number, photograph, passport number, unique personal identifier, online identifier, Internet Protocol address, e-mail address, account name, or other similar identifiers.

Third parties as directed by you. We may disclose your personal information to the third parties to whom you direct. (Purposes repeated for each row below.)

Services providers. We may disclose your personal information to certain service providers such as those who provide catering and food delivery services, administer consumer promotions, analyze data, process and fulfill orders you place, provide customer service, payment processing, marketing and advertising services, professional services, debt collection services, information technology services, payroll, benefits, and other employment-related services, and data storage services. We might also authorize our service providers to collect personal information on our behalf. (Purposes repeated for each row below.)

Business partners and affiliates. We may disclose your personal information to our business partners for purposes of collaborating on providing services to you. These business partners should also have their own privacy statements that set forth the manner in which they will collect, use, and disclose personal information. Where applicable, we encourage you to review each such business partner’s privacy statement. (Purposes repeated for each row below.)

Governmental authorities and other third parties. We may disclose your personal information as necessary to comply with federal, state, or local laws, civil, criminal, or regulatory inquiry, investigation, subpoena, or summons, cooperate with law enforcement agencies concerning conduct or activity that we reasonably and in good faith believe may violate federal, state, or local laws, detect, investigate and prevent fraud or other unlawful activities, protect and defend ourselves, our property, our employees, our customers, and our users, and exercise or defend legal claims. (Purposes repeated for each row below.)

Advertising, analytics, and/or social media vendors. We may disclose your personal information to advertising or social media partners or allow them to collect personal information about you. (Purposes repeated for each row below.)

Affiliates and successors to all or portions of our business. We may disclose your personal information with certain direct or indirect affiliates or subsidiaries of our parent company. If all or part of our business is sold, we may disclose personal information in preparation for or as part of that transaction. (Purposes repeated for each row below.)

Personal information under California Civil Code Section 1798.80(e) such as name, signature, physical characteristics or description, address, telephone number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Third parties as directed by you; services providers; business partners and affiliates; governmental authorities and other third parties; advertising, analytics, and/or social media vendors; affiliates and successors to all or portions of our business.

Protected status – such as citizenship, ethnic background, gender, or other similar identifiers.

Third parties as directed by you; services providers; business partners and affiliates; governmental authorities and other third parties; advertising, analytics, and/or social media vendors; affiliates and successors to all or portions of our business.

Commercial information such as products and services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Third parties as directed by you; services providers; business partners and affiliates; governmental authorities and other third parties; advertising, analytics, and/or social media vendors; affiliates and successors to all or portions of our business.

Internet or other electronic network activity such as browsing history, search history, a consumer’s interaction with an internet website, application, or advertisement.

Third parties as directed by you; services providers; business partners and affiliates; governmental authorities and other third parties; advertising, analytics, and/or social media vendors; affiliates and successors to all or portions of our business.

Geolocation data – such as location information while using one of our apps.

Third parties as directed by you; services providers; business partners and affiliates; governmental authorities and other third parties; advertising, analytics, and/or social media vendors; affiliates and successors to all or portions of our business.

Audio, electronic, visual, thermal, or similar information such as identifiable information obtained about you from voice-mail messages, while speaking with our service representatives, including on the telephone, and captured by video cameras.

Third parties as directed by you; services providers; business partners and affiliates; governmental authorities and other third parties; advertising, analytics, and/or social media vendors; affiliates and successors to all or portions of our business.

Professional or employment-related information – such as information on job applications, information needed during onboarding for payroll and benefits, and information needed for evaluating performance.

Third parties as directed by you; services providers; business partners and affiliates; governmental authorities and other third parties; advertising, analytics, and/or social media vendors; affiliates and successors to all or portions of our business.

Consumer profile such as inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, and behaviors.

Third parties as directed by you; services providers; business partners and affiliates; governmental authorities and other third parties; advertising, analytics, and/or social media vendors; affiliates and successors to all or portions of our business.

Sensitive personal information – particularly as applicable for employees and job applicants, this information may include a Social Security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; contents of mail, e-mail, and text messages unless we are the intended recipient of the communication; genetic data; biometric information; health information; and information regarding sex life or sexual orientation.

Third parties as directed by you; services providers; business partners and affiliates; governmental authorities and other third parties; advertising, analytics, and/or social media vendors; affiliates and successors to all or portions of our business.

"Selling" or "Sharing" of Personal Information

We may sell or share your personal information, and/or have sold or shared your personal information in the preceding 12 months, to the following categories of third parties for the purposes listed below. Under the CCPA, “selling” means an exchange of personal information for monetary or other valuable consideration. “Sharing” means making available a consumer’s personal information to a third party for cross-context behavior advertising, whether or not for monetary or other valuable consideration.

We do not have actual knowledge that we have sold or shared the personal information of minors under the age of 16.

Categories of Personal Information Sold or Shared

Categories of Third Parties to Whom Sold or Shared

Identifiers

Business partners and affiliates; advertising, analytics, and/or social media vendors; and affiliates and successors to all or portions of our business.

Personal information under California Civil Code Section 1798.80(e)

Business partners and affiliates; advertising, analytics, remarketing, and/or social media vendors; and affiliates and successors to all or portions of our business.

Protected status

Business partners and affiliates; advertising, analytics, remarketing, and/or social media vendors; and affiliates and successors to all or portions of our business.

Commercial information

Business partners and affiliates; advertising, analytics, remarketing, and/or social media vendors; and affiliates and successors to all or portions of our business.

Internet or other electronic network activity

Business partners and affiliates; advertising, analytics, remarketing, and/or social media vendors; and affiliates and successors to all or portions of our business.

Geolocation data

Business partners and affiliates; advertising, analytics, remarketing, and/or social media vendors; and affiliates and successors to all or portions of our business.

Audio, electronic, visual, thermal, or similar information

Business partners and affiliates; advertising, analytics, remarketing, and/or social media vendors; and affiliates and successors to all or portions of our business.

Professional or employment-related information

Business partners and affiliates; advertising, analytics, remarketing, and/or social media vendors; and affiliates and successors to all or portions of our business.

Consumer profile

Business partners and affiliates; advertising, analytics, remarketing, and/or social media vendors; and affiliates and successors to all or portions of our business.

Sensitive personal information

Business partners and affiliates; advertising, analytics, remarketing, and/or social media vendors; and affiliates and successors to all or portions of our business.

Financial Incentives

CAVA provides its customers with an opportunity to participate in our CAVA Rewards Program (“Program”). For more information, please see Section 5 above. By participating in the Program, members may also be rewarded with exclusive offers, discounts, invites to events, sneak peeks on new menu items, special birthday gifts, and other surprise rewards. These benefits, rewards, and offers may be deemed “financial incentives” provided in exchange for your personal information under applicable laws, including the California Consumer Privacy Act (“CCPA”). For additional information, see our CAVA Rewards Terms and Conditions at https://cava.com/rewards-terms.

We may also offer our customers opportunities to participate in surveys, e-mail opt-ins, or other opportunities. In exchange for such participation, you may be offered a financial incentive, such as discount or coupon. As part of these opportunities, we may collect personal information, such as your name, preferences, opinions, and other responses. Participating in our financial incentive programs is completely voluntary.  If you do not wish to receive the financial incentive, then do not submit your personal information, complete the form, or pursue the opportunity. If you subsequently wish to withdraw your personal information and or withdraw the financial incentive related to the opportunity, then please contact us at [email protected].

The CCPA requires that we calculate the value to us of the personal information we collect, use, and retain under the Program or any of the above opportunities. We have made a reasonable and good faith calculation that the value of the information, taking into consideration revenue generated by participation in the same, is equivalent to the costs and expenses we incur to provide you with exclusive offers, discounts, invites to events, sneak peeks on new menu items, special birthday gifts, and other surprise rewards. These costs and expenses include collection and retention of the information, administration of the Program or opportunity, marketing costs, record keeping, analytics and research, technical services, fraud prevention, event planning and hosting, and employee training.

Consumer Rights

California residents have the following rights with respect to the personal information we collect about them. Exceptions may apply.

Right to Know About Personal Information Collected or Disclosed.We describe in this Policy our current practices as they relate to how we collect, use and disclose personal information. As a California resident, you have the right to request that we disclose additional information as it relates to our data collection activities during the preceding 12 months. To the extent applicable, you have the right to know:

  • the categories of personal information we have collected about you

  • the categories of sources from which we collected the personal information

  • the business or commercial purpose for collecting, selling, or sharing personal information, if applicable

  • the categories of personal information we sold or disclosed for a business purpose

  • the categories of third parties to whom we sold or disclosed personal information

  • the specific pieces of personal information we have collected about you

Upon receipt of a verifiable consumer request and as required by the CCPA, we will provide a response to your requests. Any disclosures we provide will only cover the 12-month period preceding the receipt of your verifiable consumer request. With respect to personal information collected on and after January 1, 2022, and to the extent expressly required by applicable regulation, you may request that such disclosures cover a period beyond the 12 months referenced above, provided doing so would not require a disproportionate effort by us.

Right to Delete. You have the right to request that we delete personal information we collected or maintain about you, subject to certain exceptions. Upon receipt of a verifiable request, we will delete and direct any service providers, contractors and third parties to whom we disclosed your personal information, to delete your personal information.

We are not required to comply with deletion requests if we, or our service providers, contractors, or third parties need the subject information in order to:

  • Complete the transaction for which the PI was collected, provide a good or service requested by you, or reasonably anticipated by you within the context of our ongoing business relationship with you, or otherwise perform a contract between the Company and you.

  • Help to ensure security and integrity to the extent the use of the consumer's PI is reasonably necessary and proportionate for those purposes.

  • Debug to identify and repair errors that impair existing intended functionality.

  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.

  • Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.

  • Engage in public or peer-reviewed scientific, historical, or statistical research that confirms or adheres to all other applicable ethics and privacy laws, when the Company's deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if you have provided informed consent.

  • Comply with a legal obligation.

  • Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.

Right to Request Correction. You have the right, subject to certain limitations, to request that we correct any inaccurate personal information we maintain about you. Upon receipt of a verifiable consumer request, and as required by the CCPA, we will take appropriate steps to respond to your request.

Right to Opt Out of Having Your Information Sold or Shared. You have the right, subject to certain limitations, to opt-out of having your personal information sold or shared. This Site recognizes and processes opt-out preference signals the following ways:

  • Modifying Your Cookie Preferences. When you visit one of our websites that collects personal information through cookies, pixel tags, or similar tracking technologies, you will be presented with a banner that offers you a choice about whether to accept or reject our use of cookies and similar tracking technologies, the use of which may constitute a “sale” or “share” of personal information under applicable law. By clicking “Decline All/Do Not Sell or Share,” you will opt out the selling or share of your personal information. If you wish to amend your choices, you can do so by clicking “Revoke Consent” at https://cava.com/ca-opt-out after making your initial selections through the cookie banner. Please note that your request to opt-out of sale/sharing will be linked to your browser identifier only. If you use a different computer or Internet browser to access our sites, you will need to renew your cookie management choices.

  • Global Privacy Control. You may exercise your opt-out right by broadcasting an opt-out preference signal, such as the Global Privacy Control (GPC) (on the browsers and/or browser extensions that support such a signal). To download and use a browser supporting the GPC browser signal, click here: https://globalprivacycontrol.org/orgs. If you choose to use the GPC signal, you will need to turn it on for each supported browser or browser extension you use.

  • Contact CAVA. Please call 1-844-707-6841 on Monday-Friday from 6am – 5pm EST or email [email protected] to ask that you be opted out.

To exercise this opt-out right, please visit https://cava.com/ca-opt-out.

Right to Limit the Use of Sensitive Personal Information. California law allows California residents the right to limit our use of the sensitive personal information we collect about you. However, we only use your sensitive personal information for permitted purposes and do not use this information to infer characteristics about you. Because our use and disclosure of your sensitive personal information is already limited in accordance with applicable law, you do not need to take any further action to limit the disclosure or use of your sensitive personal information.

Right to Non-Discrimination for the Exercise of Privacy Rights. We will not discriminate against you for exercising any of your rights under the CCPA. This includes but is not limited to: (A) denying you goods or services; (B) charging you different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (C) providing you with a different level or quality of goods or services; or (D) suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services. Employees, applicants, and independent contractors have the right not to be retaliated against for exercising any of their rights under the CCPA.

Submitting Consumer Rights Requests

How to submit. To submit a California consumer rights request, please contact us by

  • Calling 1-844-707-6841 on Monday-Friday from 6am – 5pm ET or

  • E-mailing [email protected].

Verifiable Requests. We reserve the right to only respond to verifiable consumer requests to Know, Delete, or Correct. A verifiable consumer request is one made by any individual who is:

  • the consumer who is the subject of the request,

  • a consumer on behalf of the consumer’s minor child, or

  • the authorized agent of the consumer.

To verify your identity, we may ask you to verify personal information we already have on file for you. If we cannot verify your identity from the information we have on file, we may request additional information which we will only use to verify your identity, and for security or fraud-prevention purposes. Making a verifiable consumer request does not require you to create an account with us. Additionally, you will need to describe your request with sufficient detail to allow us to review, understand, assess, and respond.

Authorized Agents. You may authorize a natural person or a business (the Agent) to submit a Request to Know, Correct, Delete, Opt Out of the Sale/Sharing of Personal Information, or Limit Use of Sensitive Personal Information on your behalf. The Agent must provide signed permission to submit the request, and you must either (i) verify your own identity with the business or (ii) directly confirm with us that you provide permission to the Agent. These steps are not required when you have provided the authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465. We reserve the right to deny requests from persons or businesses claiming to be authorized agents that do not submit sufficient proof of their authorization.

Our response. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

We reserve the right to charge a fee to process or respond to your request if it is excessive, repetitive, or manifestly unfounded. If we determine that a request warrants a fee, we will attempt to notify you as to why we made that decision and provide a cost estimate before completing your request. We will endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of receipt, but we may require an extension of up to forty-five (45) additional calendar days to respond and we will notify you of the need for the extension.

A link to CAVA’s privacy policy can be found here: www.cava.com/privacy.

COLORADO RESIDENTS

The following provisions describe our policies and practices regarding the collection, use, and disclosure of personal data we collect from Colorado residents including information we obtain when you access or use the Site, or through other channels (e.g., phone and e-mail conversations, when you visit our locations or attend our events, or through our authorized services providers), in accordance with the Colorado Privacy Act (“CPA”).

Any terms defined in the CPA have the same meaning when utilized in this section. The other provisions of the Policy continue to apply except as modified herein.

Please read this section carefully before using the Site or submitting information to us. By accessing or visiting the Site, or submitting personal information to us, you indicate your understanding that the collection, use, and sharing of your information is subject to the terms of this section and our Terms of Use. Except as otherwise noted, any capitalized terms not defined in this section have the meaning set forth in the Policy and Terms of Use.

This CPA Section does not apply to personal data we collect about you in a commercial or employment context.

Bona Fide Loyalty Program

CAVA provides its customers with an opportunity to participate in our CAVA Loyalty Rewards Program (“Program”). For more information, see section 5, above.

As part of our Program

  • We collect and sell or process for targeted advertising the categories of personal or sensitive data through the Loyalty Program as set forth in section 17.f, above.

  • We share your personal or sensitive data with the following categories of third partiesas set forth in section 17.e, above.

If you request that we delete your personal data, we will be unable to provide a Loyalty Program benefit because we will be unable to identify you, track your activity, and otherwise administer the Loyalty Program.

Disclosing and Selling Personal Data

CAVA discloses and or sells, as that term is defined by the CPA, personal data to the categories of third parties set forth in section 17.e and f, above.

Targeted Advertising

Cava processes your personal data for targeted advertising. To Opt Out of the processing of your personal data for targeted advertising, see the section below on Consumer Rights.

Consumer Rights

Colorado residents have specific rights with respect to personal data we collect about them. Subject to verification and certain limitations, these rights include the following:

Right to Confirmation and Access. You have the right to request that we confirm whether we are processing your personal data and to access such personal data.

Right to Request Correction of Your Personal Data. You have the right to request that we correct any inaccurate personal data we maintain about you.

Right To Request Deletion of Your Personal Data. You have the right to request that we delete personal data we collected or maintain about you.

Right to Obtain a Copy. You have the right to obtain a copy of your personal data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format where the processing is carried out by automated means up to two times in per calendar year.

Right to Opt Out of the Processing of Personal Data. You have the right to opt out of processing personal data for purposes of (i) targeted advertising, (ii) the sale of personal data.

We do not process personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

Submitting Consumer Rights Requests

How to submit. To submit a Colorado consumer rights request to Access, Correct, Delete or Port, please contact the Company by

  • Calling 1-844-707-6841 on Monday-Friday from 6am – 5pm ET or

  • E-mailing [email protected].

Opt Out. To Opt Out of the Sale of your personal data or the Processing of your Personal Data for Targeted Advertising, click visit https://cava.com/ca-opt-out.

Verifiable Requests. We reserve the right to only respond to verifiable consumer requests to confirm and access, correct, delete, obtain a copy, opt out of selling or processing personal data for targeted advertising.

What to submit. If we request, you must provide sufficient information to help us verify your identity and/or authority to act on behalf of a consumer. In general, we may ask you to provide identifying information that we already maintain about you or we may use a third-party verification service. In either event, we will try to avoid asking you for sensitive personal data to verify your identity. We may not be able to respond to your request or provide you with personal data if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. However, making a verifiable consumer request does not require you to create an account with us.

You will also need to describe your request with sufficient detail to allow us to review, understand, assess, and respond. We will not use the personal data we collect from an individual to verify a request for any other purpose, except as required or permitted by law.

Our response. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

We reserve the right to charge a fee to process or respond to your request if it is excessive, repetitive, or manifestly unfounded. If we determine that a request warrants a fee, we will attempt to notify you as to why we made that decision and provide a cost estimate before completing your request. We will endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of receipt, but we may require an extension of up to forty-five (45) additional calendar days to respond and we will notify you of the need for the extension.

Authorized Agent. You may authorize a natural person or a business (the Agent) to act on your behalf with respect to rights to Opt Out of the Sale of Personal Data or Processing of Personal Data for Targeted Advertising. The Agent must provide proof of signed permission to submit the request, and you must either (i) verify your own identity with the business or (ii) directly confirm with us that you provide permission to the Agent. We reserve the right to deny requests from persons or businesses claiming to be authorized agents that do not submit sufficient proof of their authorization.

Appeals. You have the right to appeal our denial of a request by following the instructions in our message communicating such denial or contacting us at https://support.cava.com/.

NEVADA RESIDENTS

This section supplements and amends the information contained in the Policy with respect to Nevada residents. The other provisions of the Policy continue to apply, except as modified in this Nevada section.

If you are a Nevada resident, you have the right to submit a verified request instructing us not to sell “covered information” we have collected about you or will collect about you online through our Site. A “sale” means the exchange of covered information for monetary consideration. “Covered information” means one or more of the following: a first and last name; home or other physical address which includes the name of a street and the name of a city or town; e-mail address; telephone number; Social Security number; identifier that allows a specific person to be contacted either physically or online; any other information concerning a person collected from the person through the Site and maintained by us in combination with an identifier in a form that makes the information personally identifiable. To submit your request, you may contact us by

  • Calling 1-844-707-6841 on Monday-Friday from 6am – 5pm ET

  • E-mailing [email protected].

VIRGINIA RESIDENTS

The following provisions describe our policies and practices regarding the collection, use, and disclosure of personal information we collect from Virginia residents including information we obtain when you access or use the Site, or through other channels (e.g., phone and e-mail conversations, when you visit our locations or attend our events, or through our authorized services providers), in accordance with the Virginia Consumer Privacy Act (“VCDPA”).

Any terms defined in the VCDPA have the same meaning when utilized in this section. The other provisions of the Policy continue to apply except as modified herein.

Please read this section carefully before using the Site or submitting information to us. By accessing or visiting the Site, or submitting personal information to us, you indicate your understanding that the collection, use, and sharing of your information is subject to the terms of this section and our Terms of Use. Except as otherwise noted, any capitalized terms not defined in this section have the meaning set forth in the Policy and Terms of Use.

This VCDPA Section does not apply to personal data we collect about you in a commercial or employment context.

Consumer Rights

Virginia residents have specific rights with respect to personal data we collect about them. Subject to verification and certain limitations, these rights include the following:

Right to Confirmation and Access. You have the right to request that we confirm whether we are processing your personal data and to access such personal data.

Right to Request Correction of Your Personal Data. You have the right to request that we correct any inaccurate personal data we maintain about you.

Right To Request Deletion of Your Personal Data. You have the right to request that we delete personal data we collected or maintain about you.

Right to Obtain a Copy. You have the right to obtain a copy of your personal data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format where the processing is carried out by automated means.

Right to Opt Out of the Processing of Personal Data. You have the right to opt out of processing personal data for purposes of (i) targeted advertising or (ii) the sale of personal data.

We do not process personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

Submitting Consumer Rights Requests

How to submit. To submit a Virginia consumer rights request, please contact the Company by

  • Calling 1-844-707-6841 on Monday-Friday from 6am – 5pm ET or

  • E-mailing [email protected].

Verifiable Requests. We reserve the right to only respond to verifiable consumer requests to confirm and access, correct, delete, obtain a copy or to opt out of processing.

What to submit. If we request, you must provide sufficient information to help us verify your identity and/or authority to act on behalf of a consumer. In general, we may ask you to provide identifying information that we already maintain about you or we may use a third-party verification service. In either event, we will try to avoid asking you for sensitive personal data to verify your identity. We may not be able to respond to your request or provide you with personal data if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. However, making a verifiable consumer request does not require you to create an account with us.

You will also need to describe your request with sufficient detail to allow us to review, understand, assess, and respond. We will not use the personal data we collect from an individual to verify a request for any other purpose, except as required or permitted by law.

Our response. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

We reserve the right to charge a fee to process or respond to your request if it is excessive, repetitive, or manifestly unfounded. If we determine that a request warrants a fee, we will attempt to notify you as to why we made that decision and provide a cost estimate before completing your request. We will endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of receipt, but we may require an extension of up to forty-five (45) additional calendar days to respond and we will notify you of the need for the extension.

Authorized Agent. You may authorize a natural person or a business (the Agent) to act on your behalf with respect to rights Opt Out of the Sale of Personal Data or Processing of Personal Data for Targeted Advertising. The Agent must provide proof of signed permission to submit the request, and you must either (i) verify your own identity with the business or (ii) directly confirm with us that you provide permission to the Agent. We reserve the right to deny requests from persons or businesses claiming to be authorized agents that do not submit sufficient proof of their authorization.

Appeals. You have the right to appeal our denial of a request by following the instructions in our message communicating such denial or contacting us at https://support.cava.com/.

CONNECTICUT RESIDENTS

The following provisions describe our policies and practices regarding the collection, use, and disclosure of personal data we collect from Connecticut residents including information we obtain when you access or use the Site, or through other channels (e.g., phone and e-mail conversations, when you visit our locations or attend our events, or through our authorized services providers), in accordance with the Connecticut Data Privacy Act (“CTDPA”).

Any terms defined in the CTDPA have the same meaning when utilized in this section. The other provisions of the Policy continue to apply except as modified herein.

Please read this section carefully before using the Site or submitting information to us. By accessing or visiting the Site, or submitting personal information to us, you indicate your understanding that the collection, use, and sharing of your information is subject to the terms of this section and our Terms of Use. Except as otherwise noted, any capitalized terms not defined in this section have the meaning set forth in the Policy and Terms of Use.

This CTDPA Section does not apply to personal data we collect about you in a commercial or employment context.

Disclosing and Selling Personal Data

CAVA discloses and or sells, as that term is defined by the CTDPA personal data to the categories of third parties listed in Section 17(e)-(f) above.

To Opt Out of the sale of your personal data, see the section below on Consumer Rights.

Targeted Advertising

Cava processes your personal data for targeted advertising. To Opt Out of the processing of your personal data for targeted advertising, see the section below on Consumer Rights.

Consumer Rights

Connecticut residents have specific rights with respect to personal data we collect about them. Subject to verification and certain limitations, these rights include the following:

Right to Confirmation and Access. You have the right to request that we confirm whether we are processing your personal data and to access such personal data.

Right to Request Correction of Your Personal Data. You have the right to request that we correct any inaccurate personal data we maintain about you.

Right To Request Deletion of Your Personal Data. You have the right to request that we delete personal data we collected or maintain about you.

Right to Obtain a Copy. You have the right to obtain a copy of your personal data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format where the processing is carried out by automated means up to two times in per calendar year.

Right to Opt Out of the Processing of Personal Data. You have the right to opt out of processing personal data for purposes of (i) targeted advertising or (ii) the sale of personal data.

We do not process personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

Submitting Consumer Rights Requests

How to submit. To submit a Connecticut consumer rights request to Access, Correct, Delete or Port, please contact the Company by

  • Calling 1-844-707-6841 on Monday-Friday from 6am – 5pm ET or

  • E-mailing [email protected].

Opt Out. To Opt Out of the Sale of your personal data or the Processing of your Personal Data for Targeted Advertising, click visit https://cava.com/opt-out.

Verifiable Requests. We reserve the right to only respond to verifiable consumer requests to confirm and access, correct, delete, obtain a copy.

What to submit. If we request, you must provide sufficient information to help us verify your identity and/or authority to act on behalf of a consumer. In general, we may ask you to provide identifying information that we already maintain about you or we may use a third-party verification service. In either event, we will try to avoid asking you for sensitive personal data to verify your identity. We may not be able to respond to your request or provide you with personal data if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. However, making a verifiable consumer request does not require you to create an account with us.

You will also need to describe your request with sufficient detail to allow us to review, understand, assess, and respond. We will not use the personal data we collect from an individual to verify a request for any other purpose, except as required or permitted by law.

Our response. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

We reserve the right to charge a fee to process or respond to your request if it is excessive, repetitive, or manifestly unfounded. If we determine that a request warrants a fee, we will attempt to notify you as to why we made that decision and provide a cost estimate before completing your request. We will endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of receipt, but we may require an extension of up to forty-five (45) additional calendar days to respond and we will notify you of the need for the extension.

Authorized Agent. You may authorize a natural person or a business (the Agent) to act on your behalf with respect to rights under this Connecticut Section. When you submit a Request to Opt Out of the Sale of Personal Data or Processing of Personal Data for Targeted Advertising the Agent must provide proof of signed permission to submit the request, and you must either (i) verify your own identity with the business or (ii) directly confirm with us that you provide permission to the Agent. We reserve the right to deny requests from persons or businesses claiming to be authorized agents that do not submit sufficient proof of their authorization.

Appeals. You have the right to appeal our denial of a request by following the instructions in our message communicating such denial or contacting us at https://support.cava.com/.

Last Modified June 28, 2023