El Pollo Loco

Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process for which purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

Effective: April 16, 2025

Table of Contents

• Preamble
• Controller
• Overview of Processing
• Relevant Legal Bases
• General Information on Storage and Deletion
• Rights of Data Subjects
• Provision of the Online Offering and Web Hosting
• Plugins and Embedded Functions and Content

Controller

Joshua Brunke
Über der Kieckwiese 3
38729 Langelsheim
Germany

Email address: joshuabrunke1@gmail.com

Phone: +49(5383)9079151

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Processed Data

• Usage data.
• Meta, communication, and procedural data.
• Log data.

Categories of Data Subjects

• Users.

Purposes of Processing

• Provision of our online offering and user-friendliness.
• Information technology infrastructure.

Relevant Legal Bases

Relevant legal bases under the GDPR: The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence. If more specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – The data subject has given their consent to the processing of personal data concerning them for a specific purpose or purposes.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) – The processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. These include, in particular, the Federal Data Protection Act (BDSG). The BDSG contains specific provisions on the right to access, the right to erasure, the right to object, processing of special categories of personal data, processing for other purposes, and transmission and automated decision-making in individual cases including profiling. In addition, data protection laws of the individual federal states may apply.

Reference to the applicability of the GDPR and the Swiss DSG: These privacy notices are intended to inform under both the Swiss DSG and the GDPR. Therefore, please note that for broader spatial applicability and comprehensibility, the terms of the GDPR are used. However, the legal meaning of the terms remains as defined by the Swiss DSG where applicable.

General Information on Storage and Deletion

We delete personal data we process in accordance with legal requirements as soon as the consents upon which processing is based are revoked or no further legal bases for processing exist. This applies when the purpose of processing no longer applies or the data is no longer needed. Exceptions apply if legal obligations or special interests require longer storage or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons or that is necessary for legal prosecution or to protect the rights of others must be archived accordingly.

Our privacy notices include additional information on the retention and deletion of data specific to certain processing procedures.

If multiple retention or deletion deadlines are specified, the longest period always applies.

If a deadline does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the deadline occurs. In the case of ongoing contractual relationships in which data is stored, the triggering event is the termination or other end of the legal relationship.

Data that is no longer stored for its originally intended purpose but retained due to legal requirements or other reasons will only be processed for the purposes that justify their retention.

Additional Notes on Processing, Procedures and Services:

• Retention and Deletion of Data: The following general deadlines apply to retention and archiving under German law:
  • 10 years – for books and records, annual financial statements, inventories, management reports, opening balances, and documentation necessary for understanding these (§ 147 para. 1 no. 1 in conjunction with para. 3 AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 in conjunction with para. 4 HGB).
  • 8 years – booking receipts such as invoices and cost receipts (§ 147 para. 1 nos. 4 and 4a in conjunction with para. 3 sentence 1 AO, and § 257 para. 1 no. 4 in conjunction with para. 4 HGB).
  • 6 years – other business documents: received business letters, copies of sent business letters, other documents relevant to taxation such as time sheets, cost sheets, calculation documents, price tags, and payroll documents not already considered booking receipts (§ 147 para. 1 nos. 2, 3, 5 in conjunction with para. 3 AO, § 257 para. 1 nos. 2 and 3 in conjunction with para. 4 HGB).
  • 3 years – data necessary for considering potential warranty and damage claims or similar contractual rights and processing related inquiries, stored for the duration of the standard statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects

As a data subject, you have various rights under the GDPR, particularly Articles 15 to 21 GDPR:

• Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. If your personal data is processed for direct marketing, you have the right to object at any time to such processing for marketing purposes, including profiling related to direct marketing.
• Right to withdraw consent: You have the right to withdraw consent at any time.
• Right of access: You have the right to obtain confirmation whether data concerning you is being processed, and to access such data and further information in accordance with the law.
• Right to rectification: You have the right to request the completion or correction of your data in accordance with the law.
• Right to erasure and restriction: You have the right to request immediate deletion of your data or to restrict its processing, in accordance with legal requirements.
• Right to data portability: You have the right to receive the data concerning you, which you provided, in a structured, commonly used, machine-readable format, or to request transfer to another controller.
• Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority, in particular in your habitual residence, place of work, or place of the alleged infringement, if you believe the processing of your data violates the GDPR.

Provision of the Online Offering and Web Hosting

We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to deliver content and functions of our online services to the user's browser or device.

• Types of data processed: Usage data (e.g. page views, dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication and procedural data (e.g. IP addresses, timestamps, IDs, involved persons); log data (e.g. logins, access times).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness; IT infrastructure.
• Retention and deletion: According to section "General Information on Storage and Deletion".
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Additional notes on processing, procedures and services:

• Online offering provided on rented storage space: We use hosting providers to provide our online offering using storage space, computing power, and software; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can include, for example, graphics, videos, or city maps (collectively referred to as "content").

The integration always requires that these third-party providers process the IP address of users, as they cannot send the content to their browser without it. The IP address is therefore required for the display of these contents or functions. We aim to only use content whose providers use the IP address solely to deliver content. Third-party providers may also use so-called pixel tags (invisible graphics also called "web beacons") for statistical or marketing purposes. The pixel tags can evaluate information such as visitor traffic on pages of this website. Pseudonymous information can also be stored in cookies on users' devices and may include technical information about browsers and operating systems, referring websites, visit times, and other details about the use of our online offering. This data may also be combined with such information from other sources.

Notes on legal basis: If we ask users for their consent to use third-party providers, the legal basis for processing data is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). Please also refer to this privacy policy’s section on the use of cookies.

• Types of data processed: Usage data (e.g. page views, dwell time, click paths, device types and operating systems used, interactions); meta, communication and procedural data (e.g. IP addresses, timestamps, IDs, involved persons).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness.
• Retention and deletion: As described in "General Information on Storage and Deletion". Cookies may be stored for up to 2 years.
• Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Additional notes on processing, procedures and services:

• Integration of third-party software, scripts or frameworks (e.g. jQuery): We use software obtained from other providers’ servers to present and improve the usability of our online offering. These providers process users’ IP addresses to deliver the software to their browsers and may process it for security, analytics, or service optimization purposes; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
• Google Fonts (self-hosted): Fonts are provided via our own server for a user-friendly display of our online offering; Service provider: Fonts are hosted locally; no data is sent to Google; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Note on the use of cookies: Cookies are small text files that are stored on your device when you visit our website. They help us to improve your experience on our site and to provide you with relevant content. You can manage your cookie preferences in your browser settings.

Created with the free privacy policy generator by Dr. Thomas Schwenke (opens in a new tab)