Privacy Policy

Effective Date: April 22, 2026  |  Last Updated: April 22, 2026

This Privacy Policy describes how Costa Vida ("we," "us," "our," or the "Company") collects, uses, discloses, retains, and protects information about you when you visit our website at costvida.rest, use our online ordering platform, sign up for our loyalty or rewards program, interact with us on social media, or otherwise engage with our services (collectively, the "Services"). We are committed to protecting your privacy and handling your personal information in a transparent and responsible manner consistent with applicable United States federal and state laws, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA), the Federal Trade Commission Act (FTC Act), and other applicable state privacy statutes.

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by the practices described herein. If you do not agree with this policy, please discontinue use of our Services immediately.

For privacy-related inquiries, you may contact us at any time using the information provided in the Contact Us section below.


1. Who We Are

Costa Vida is a food service business operating through its website at costvida.rest. We provide fresh, made-to-order food items and related services to our customers across the United States. Our contact details for privacy matters are as follows:

Company Name: Costa Vida
Website: costvida.rest
Email Address: [email protected]

2. Information We Collect

We collect various types of information in connection with the operation of our Services. The categories of information we collect include:

2.1 Personal Information You Provide Directly

When you interact with our website or Services, you may voluntarily provide us with personal information, including but not limited to:

  • Identity Information: Your full name, username, or similar identifiers used to create an account or place an order.
  • Contact Information: Email address, mailing address, billing address, delivery address, and telephone number.
  • Account Credentials: Passwords, security questions, and other authentication details when you register for an account or loyalty program.
  • Payment Information: Credit or debit card numbers, expiration dates, billing addresses, and other financial information necessary to process your transactions. Payment card data is processed by our PCI-DSS compliant third-party payment processors; we do not store full card numbers on our servers.
  • Order Details: Information about the food items you order, dietary preferences, customizations, special instructions, and order history.
  • Loyalty and Rewards Data: Membership information, points balances, redemption history, and promotional preferences associated with any loyalty or rewards program you join.
  • Communications: Any messages, feedback, reviews, survey responses, or correspondence you send us through contact forms, email, or customer support channels.
  • Marketing Preferences: Your preferences regarding receiving marketing and promotional communications from us, including newsletter subscriptions and SMS opt-in status.

2.2 Information Collected Automatically

When you visit our website or use our digital Services, certain information is collected automatically through cookies, web beacons, pixel tags, and similar tracking technologies:

  • Device Information: IP address, device type, operating system and version, browser type and version, screen resolution, device identifiers, and mobile network information.
  • Usage Data: Pages viewed, hyperlinks clicked, time spent on pages, referring URLs, search queries entered on our website, features used, and other interactions with our Services.
  • Log Data: Server log files that record requests made to our servers, including date and time of access, the pages requested, and any errors encountered.
  • Location Data: General geographic location inferred from your IP address, or more precise location information (such as GPS-based location) if you grant our website or app permission to access your device's location services. We use location data to help you find nearby Costa Vida locations and to provide relevant localized content.
  • Cookie and Tracking Data: Information gathered through cookies, web beacons, local storage, and similar technologies as described in Section 8 of this Privacy Policy.

2.3 Information Received from Third Parties

We may receive information about you from third-party sources, which we may combine with the information we collect directly:

  • Social Media Platforms: If you connect your social media account (e.g., Facebook, Google, Apple) to our Services or interact with our social media pages, we may receive profile information such as your name, email address, profile picture, and friend lists in accordance with that platform's privacy settings.
  • Analytics Providers: Third-party analytics services that provide us with aggregated and segmented data about how users interact with our website.
  • Advertising Partners: Information about your interests and online activities from advertising networks and data brokers used to serve relevant advertisements.
  • Delivery and Fulfillment Partners: If you order food delivery through a third-party delivery platform that has a data-sharing arrangement with us, we may receive order confirmation and contact details necessary to fulfill your order.
  • Payment Processors: Transaction confirmation and fraud screening results from payment service providers.

2.4 Sensitive Personal Information

We do not intentionally collect sensitive categories of personal information such as racial or ethnic origin, political opinions, religious beliefs, health data, genetic or biometric data, or precise real-time geolocation beyond what is necessary for the delivery service functionality described above. If any such data is inadvertently shared with us, it will be deleted as soon as reasonably practicable.


3. How We Use Your Information

We use the information we collect for the following purposes, relying on lawful bases including contract performance, legitimate business interests, your consent, and compliance with legal obligations:

3.1 Service Provision and Order Fulfillment

  • Processing and fulfilling your food orders, including coordinating with kitchen staff and delivery partners.
  • Managing your account, including registration, authentication, and password recovery.
  • Processing payments and providing receipts and order confirmations.
  • Administering loyalty and rewards programs and tracking your participation.
  • Providing customer support and responding to your inquiries, complaints, or requests.
  • Sending transactional communications such as order confirmations, delivery status updates, and account notifications.

3.2 Service Improvement and Analytics

  • Analyzing website traffic, user behavior, and engagement patterns to improve the design, functionality, and content of our Services.
  • Conducting internal research and business analysis to understand customer preferences and optimize our menu offerings.
  • Troubleshooting technical issues and ensuring the security and performance of our website and ordering platforms.
  • Developing new features, products, and services based on user feedback and usage data.

3.3 Marketing and Promotional Communications

  • Sending you promotional emails, SMS messages, push notifications, or direct mail about new menu items, special offers, events, and seasonal promotions, where you have opted in or where permitted by applicable law.
  • Personalizing the content and advertisements you see on our website and on third-party platforms based on your preferences and browsing history.
  • Running sweepstakes, contests, and other promotional campaigns.
  • Measuring the effectiveness of our marketing campaigns and adjusting our strategies accordingly.

Your Choice: You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any email, replying "STOP" to any SMS, or contacting us at [email protected]. Opting out of marketing will not affect transactional communications related to your orders or account.

3.4 Legal and Compliance Purposes

  • Complying with applicable federal, state, and local laws and regulations.
  • Responding to legal process, court orders, subpoenas, or lawful requests from governmental authorities.
  • Enforcing our Terms of Service and other agreements.
  • Protecting the rights, property, safety, and security of Costa Vida, our customers, employees, and the public.
  • Detecting, investigating, and preventing fraudulent transactions, unauthorized access, and other illegal activities.

4. Sharing Your Information with Third Parties

We do not sell your personal information for monetary consideration. However, we may share your information with third parties in the following circumstances:

4.1 Service Providers and Business Partners

We engage trusted third-party companies and individuals to perform services on our behalf. These service providers are given access to your personal information only to the extent necessary to perform their functions and are contractually obligated to maintain the confidentiality and security of your data. Categories of service providers include:

  • Payment processors and financial institutions for transaction processing and fraud prevention.
  • Food delivery and logistics partners who facilitate delivery of your orders.
  • Cloud computing and data hosting providers who store our data on secure servers.
  • Email service providers and SMS marketing platforms for sending communications.
  • Website analytics providers such as Google Analytics.
  • Customer relationship management (CRM) software providers.
  • Advertising networks and retargeting platforms.
  • Loyalty program technology providers.
  • Cybersecurity and fraud detection firms.

4.2 Legal Requirements and Protection of Rights

We may disclose your personal information to law enforcement agencies, regulatory bodies, courts, or other governmental authorities if we believe in good faith that such disclosure is required or permitted by applicable law, including the FTC Act, or is necessary to:

  • Comply with a legal obligation, court order, or regulatory requirement.
  • Protect and defend the legal rights or property of Costa Vida.
  • Prevent or investigate possible wrongdoing in connection with our Services.
  • Protect the personal safety of users of our Services or the public.

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred to the acquiring entity or successor as part of the transaction. We will notify you via email and/or a prominent notice on our website prior to your personal information becoming subject to a different privacy policy.

4.4 With Your Consent

We may share your information with additional third parties in circumstances not described above when we have obtained your explicit consent to do so.

4.5 Aggregated or De-Identified Data

We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you with third parties for research, marketing, analytics, and other business purposes.


5. Data Security

We implement a comprehensive range of technical, administrative, and physical security measures designed to protect your personal information against unauthorized access, disclosure, alteration, loss, or destruction. Our security practices include:

  • Encryption: We use Secure Sockets Layer (SSL) / Transport Layer Security (TLS) encryption to protect data transmitted between your browser and our servers. Stored sensitive data is encrypted at rest using industry-standard encryption algorithms.
  • Access Controls: Access to personal information is restricted to authorized personnel who need it to perform their job functions. We enforce role-based access controls, multi-factor authentication for administrative access, and regular access reviews.
  • PCI-DSS Compliance: Our payment processing systems and practices adhere to Payment Card Industry Data Security Standards (PCI-DSS) to protect your financial information.
  • Network Security: We employ firewalls, intrusion detection systems, and regular vulnerability scanning and penetration testing to identify and address security threats.
  • Data Minimization: We collect only the minimum personal information necessary to fulfill the purposes described in this Privacy Policy.
  • Employee Training: All employees who handle personal information receive regular privacy and security training.
  • Incident Response: We maintain a documented data breach response plan and will notify affected individuals and relevant authorities as required by applicable law, including applicable state breach notification laws, in the event of a data security incident.

Please Note: While we take every reasonable precaution to protect your information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data. You are also responsible for maintaining the confidentiality of your account credentials and for any activities that occur under your account.

6. Your Privacy Rights

Depending on your state of residence within the United States, you may have certain rights regarding your personal information. We are committed to honoring these rights where applicable:

6.1 Rights Under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA/CPRA:

  • Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell or share about you, including the categories, sources, business purposes, and third parties involved.
  • Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions permitted by law.
  • Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising purposes. While we do not sell personal information for money, certain sharing with advertising partners may constitute "sharing" under the CPRA. You may exercise this right by clicking the "Do Not Sell or Share My Personal Information" link on our website footer.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit our use or disclosure of sensitive personal information to uses necessary to provide the requested services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights. We will not deny you goods or services, charge you different prices, or provide you a different level of quality based solely on your exercise of these rights.

To exercise your California privacy rights, please submit a verifiable consumer request by emailing us at [email protected] with the subject line "California Privacy Request" or by visiting our website at costvida.rest. We will respond to verifiable requests within 45 days as required by law, with a possible extension of an additional 45 days where necessary.

6.2 Rights Available to All U.S. Residents

Regardless of your state of residence, we offer the following rights to all users:

  • Access and Review: You may log in to your account at any time to access and review the personal information associated with your profile.
  • Correction: You may update or correct inaccurate personal information through your account settings or by contacting us directly.
  • Deletion: You may request deletion of your account and associated personal information by contacting us at [email protected]. Please note that we may retain certain information as required by law or for legitimate business purposes such as fraud prevention.
  • Portability: You may request a copy of your personal information in a structured, commonly used, and machine-readable format where technically feasible.
  • Opt-Out of Marketing: You may opt out of receiving marketing communications as described in Section 3.3.

6.3 How to Submit a Privacy Request

To exercise any of your privacy rights, please contact us using the following methods:

We will need to verify your identity before processing certain requests to ensure that we do not disclose or delete information belonging to another individual. Verification may require you to provide information that matches what we have on file for your account. You may also designate an authorized agent to submit requests on your behalf, in which case we may require written proof of authorization.


7. Cookies and Tracking Technologies

Our website uses cookies, web beacons, pixel tags, local storage, and similar tracking technologies to enhance your browsing experience, analyze site traffic, and deliver relevant advertising.

7.1 Types of Cookies We Use

  • Strictly Necessary Cookies: Essential for the basic functionality of our website, such as maintaining your shopping cart, enabling you to log in to your account, and ensuring secure transactions. These cookies cannot be disabled.
  • Performance and Analytics Cookies: Used to collect information about how visitors use our website, including which pages are most visited and whether users encounter error messages. We use tools such as Google Analytics for this purpose.
  • Functional Cookies: Allow our website to remember your preferences and choices (such as your preferred location or language) to provide a more personalized experience.
  • Targeting and Advertising Cookies: Placed by our advertising partners to build a profile of your interests and serve you relevant advertisements on our website and on third-party sites.

7.2 Managing Cookie Preferences

You can control and manage cookie settings through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, and set preferences for different types of websites. Please note that disabling certain cookies may impact the functionality of our Services.

For more detailed information about the cookies we use, their purposes, and how to manage them, please refer to our Cookie Policy available on our website at costvida.rest.

We also honor browser-based "Do Not Track" (DNT) signals and Global Privacy Control (GPC) signals to the extent required by applicable law, particularly under the CCPA/CPRA for California residents.


8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, resolve disputes, enforce our agreements, and support legitimate business operations. Our general retention guidelines are as follows:

Category of Data | Retention Period
Account and profile information | Duration of account plus 3 years after account closure
Order history and transaction records | 7 years (for tax and accounting compliance)
Payment information (tokenized) | Duration of account or until payment method is removed
Marketing preferences and communications history | 3 years from last interaction or opt-out date
Customer support interactions | 3 years from date of interaction
Website usage and analytics data | 26 months from date of collection
Cookie data (non-essential) | Up to 13 months or as specified in cookie settings
Legal compliance records | As required by applicable law, typically 5–7 years

When personal information is no longer required, we securely delete or anonymize it in accordance with our data destruction procedures. Anonymized data that cannot be used to identify an individual may be retained indefinitely for analytical purposes.


9. Children's Privacy

Our Services are intended for use by individuals who are 18 years of age or older. We do not knowingly collect, use, or disclose personal information from children under the age of 13 in violation of the Children's Online Privacy Protection Act (COPPA), or from minors under the age of 18 without verifiable parental consent where required by law.

If you are under 18 years of age, please do not use our Services or provide any personal information to us. If we discover that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take immediate steps to delete that information from our systems.

If you are a parent or guardian and believe that your child under 13 years of age has provided personal information to us without your consent, please contact us immediately at [email protected] and we will take prompt action to investigate and remove such information.


10. International Data Transfers

Costa Vida is a United States-based business and our primary data processing activities occur within the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

By using our Services, you acknowledge and consent to the transfer of your information to the United States and its processing in accordance with this Privacy Policy. We take appropriate safeguards to ensure that any international transfers of personal information comply with applicable legal requirements and that your information remains protected to a standard at least as protective as that described in this Privacy Policy.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland and believe that our data processing activities are subject to the General Data Protection Regulation (GDPR) or equivalent laws, please contact us at [email protected] to discuss the specific legal basis and safeguards applicable to your data.


Our website may contain links to third-party websites, applications, social media platforms, and services that are not operated by Costa Vida. This Privacy Policy does not apply to those third-party services. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

We encourage you to review the privacy policy of every website or service you visit before providing any personal information. The inclusion of a link to a third-party website on our site does not imply our endorsement of that website or its privacy practices.

Examples of third-party services you may encounter through our Services include:

  • Google Analytics (analytics and performance measurement)
  • Social media sharing buttons (Facebook, Instagram, X/Twitter)
  • Third-party payment gateways
  • Food delivery platforms (e.g., DoorDash, Uber Eats, Grubhub)
  • Mapping and location services (e.g., Google Maps)

12. Additional U.S. State Privacy Rights

In addition to the California rights described in Section 6, residents of certain other states may have specific privacy rights under their respective state laws. We are committed to complying with applicable state privacy legislation, including but not limited to:

  • Virginia: Consumer Data Protection Act (CDPA)
  • Colorado: Colorado Privacy Act (CPA)
  • Connecticut: Connecticut Data Privacy Act (CTDPA)
  • Utah: Utah Consumer Privacy Act (UCPA)
  • Texas: Texas Data Privacy and Security Act (TDPSA)
  • Oregon: Oregon Consumer Privacy Act (OCPA)

Residents of these states may have rights similar to those described in Section 6, including the rights to access, correct, delete, and obtain a copy of their personal data, as well as the right to opt out of the sale of personal data and targeted advertising. To exercise these rights, please contact us at [email protected].

We will respond to verifiable requests within the timeframes required by the applicable state law, typically within 45 days with a possible extension where permitted.


13. Do Not Sell or Share My Personal Information

Under the CCPA/CPRA and similar state laws, you may have the right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. While Costa Vida does not sell personal information in the traditional sense of a monetary transaction, we may share certain information (such as cookie identifiers and browsing activity) with advertising partners for targeted advertising purposes, which may qualify as "sharing" under applicable state law.

To opt out of this sharing for advertising purposes, you may:

  • Enable the Global Privacy Control (GPC) signal in your browser, which we will honor as a valid opt-out request.
  • Adjust your cookie preferences through our cookie management tool on our website.
  • Submit an opt-out request by emailing us at [email protected] with the subject line "Do Not Sell or Share My Information."

We do not sell or share the personal information of individuals we know to be under 16 years of age without affirmative authorization as required by the CCPA/CPRA.


14. How to File a Privacy Complaint

If you have concerns about how we handle your personal information or believe that we have not complied with this Privacy Policy or applicable privacy laws, we encourage you to contact us first so that we can attempt to resolve your concern:

Primary Contact for Privacy Complaints:
Email: [email protected]
Website: costvida.rest
Subject Line: "Privacy Complaint"

We will acknowledge receipt of your complaint within 10 business days and aim to provide a substantive response within 30 days. If you are not satisfied with our response, you have the right to escalate your complaint to the appropriate regulatory authority:

14.1 Federal Trade Commission (FTC)

The Federal Trade Commission (FTC) is the primary federal consumer protection agency in the United States and enforces federal privacy and data security laws under the FTC Act. If you believe a company is engaging in unfair or deceptive practices regarding your personal information, you can file a complaint with the FTC:

  • Online: ftc.gov/complaint
  • Phone: 1-877-FTC-HELP (1-877-382-4357)
  • Mailing Address: Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580

14.2 California Residents — California Privacy Protection Agency (CPPA)

If you are a California resident and believe your CCPA/CPRA rights have been violated, you may file a complaint with the California Privacy Protection Agency (CPPA):

You also have the right to bring a private cause of action under California Civil Code Section 1798.150 in the event of certain data breaches involving your non-encrypted or non-redacted personal information.

14.3 Other State Attorneys General

Residents of other states with applicable privacy laws may file complaints with their respective state Attorney General's office. Most state attorneys general have consumer protection divisions that handle privacy-related complaints.


15. Changes to This Privacy Policy

We reserve the right to update, modify, or revise this Privacy Policy at any time to reflect changes in our business practices, applicable laws, or technological developments. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Privacy Policy.
  • Post a prominent notice on our website homepage or within the Services alerting you to the changes.
  • Send an email notification to the email address associated with your account for significant changes that materially affect your privacy rights.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our Services after any modifications to this Privacy Policy constitutes your acknowledgment of the updated terms and your agreement to be bound by them.


16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us through any of the following channels:

Company: Costa Vida
Email: [email protected]
Website: costvida.rest

We are committed to resolving your privacy concerns promptly and transparently. Our team will acknowledge your inquiry within 5 business days and provide a substantive response as quickly as possible, and in any event within the timeframes required by applicable law.

Thank you for trusting Costa Vida with your personal information. We are dedicated to protecting your privacy and providing you with a safe, enjoyable, and personalized dining experience. Your trust is important to us, and we continuously strive to uphold the highest standards of data privacy and security.

This Privacy Policy was last updated on April 22, 2026, and is effective as of that date.