Supplemental Privacy Policy California, Virginia, Colorado, Connecticut, Utah

Last Revised: January 5, 2023

This Supplemental Privacy Policy and Notice (“Supplemental Policy”) applies only to information collected about individuals residing in California, Colorado, Virginia, Utah, or Connecticut (“Consumer(s),” “you,” “your”) and supplements the information contained in the Website and Mobile App Privacy Policy. It provides information required under the California Consumer Privacy Act of 2018 and as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”), the Colorado Privacy Act of 2021 (the “CPA”), the Virginia Consumer Data Protection Act of 2021 (the “VCDPA”), the Utah Consumer Privacy Act of 2022 (the “UCPA”), and the Connecticut Data Privacy Act of 2022 (“CDPA”) and any and all regulations arising therefrom.

This Supplemental Policy describes Einstein Noah Restaurant Group, Inc., Bruegger’s Enterprises, Inc., Noah’s New York Bagels Company, Inc., and Manhattan Bagel Company, Inc. (together “Bagel Brands” “We,” “Us,” and “Our”) practices regarding the collection, use, and disclosure of Personal Information and provides instructions for submitting data subject requests. Some portions of this Supplemental Policy apply only to consumers of particular states, and we have indicated where those portions are state-specific.

If you are unable to review or access this Supplemental Policy due to a disability, you may contact us at data_privacy@bagelbrands.com or einsteinbros.com/contact/, to access this Supplemental Policy in an alternative format.

Definitions Specific to this Policy

  • Consumer” means a natural person who resides in California, Colorado, Virginia, Utah and Connecticut and to whom we offer information, goods, or services. For purposes of this Supplemental Policy, this term includes natural persons who reside in California and engage with us as part of business-to-business transactions.
  • Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household. Personal Information includes “personal data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA. Personal Information also includes “Sensitive Personal Information,” as defined below.
  • Sensitive Personal Information” means Personal Information that reveals a Consumer’s: 1) Social security, driver’s license, state identification card, or passport number; 2) Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to the individual’s account; 3) Precise geolocation; 4) Racial or ethnic origin; 5) Religious beliefs; 5) Union membership; 6) Contents of email or text messages, unless we are the intended recipient; 7) Genetic data; 8) Biometric information used to uniquely identify the Consumer, and 9) Health, sex life, or sexual orientation. Sensitive Personal Information also includes “sensitive data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA.
  • Third Party” means a person or organization which is not a Consumer, Vendor, or an entity owned or controlled by us and as defined by the CCPA, CPA, VCDPA, UCPA, and CDPA.
  • Vendor” means a “service provider,” “contractor,” or “processor” which collects, stores, or otherwise handles data for us, as those terms are defined in the CCPA, CPA, VCDPA, UCPA, and CDPA.

Other terms used in this Supplemental Policy may be defined under the CCPA, CPA, VCDPA, UCPA, or CDPA, and they shall have the meanings described in those statutes. If there are variations between such definitions in different laws, you will be covered by the definition that applies in your state. For example, if you are a Virginia consumer, terms defined in the VCDPA shall apply to you if they are used in this Supplemental Policy.

The Personal Information We Collect and Disclose

The chart below shows the categories of Personal Information we may collect; examples of Personal Information in each category; types of sources from which each category of Personal Information is collected; the business purposes for which each category of Personal Information is collected; and the types of Vendors or Third parties with whom that category of Personal Information is shared. As this chart shows, we may share or sell Personal Information to Third Parties or disclose certain Personal Information to Vendors for business purposes.

Category of Personal Information Examples Sources from Which This Personal Information is Collected Business Purposes for Collection Types of Vendors or Third Parties with Whom This Personal Information is Shared, Sold or Disclosed
Unique Identifiers Real name, signature, alias, address, unique personal identifier, online identifier, IP address, email address, account name, advertising ID, loyalty or gift card ID -Directly from you by telephone, our websites, our mobile apps
-Social media
-Other individuals
-Rewards programs
-Analytics providers
-Vendors
-Franchisees
-Business partners
-Provide information, products and services
-Security, credit or fraud prevention
-Provide customer service and assess satisfaction
-Personalize customer experience
-Improve products and services
-Improve marketing and customer communications
-Comply with legal requirements
Disclosed:
-Service providers
-Contractors
-Stored value account administrator
-Franchisees
-Affiliates
Shared or Sold:
-Online advertising partners
-Analytics providers
-Vendors
-Business partners
Contact and Financial Information Name, address, telephone, email, credit card number, debit card number, or any other financial information -Directly from you by telephone, our websites, our mobile apps
-Claims management
Providers
-Franchisees
-Gift card provider
-Complete transactions
-Other services and discounts
-Process claims
-Prevent fraud
-Track purchase history
Disclosed:
-Card processor and service providers
-Contractors
-Vendors
-Franchisees
-Gift card provider
Shared or Sold:
-None
Characteristics of Protected Classifications Name, address, telephone, email, credit card number, debit card number, or any other financial information -Directly from you by telephone, our websites, our mobile apps
-Claims management
Providers
-Franchisees
-Gift card provider
-Complete transactions
-Other services and discounts
-Process claims
-Prevent fraud
-Track purchase history
Disclosed:
-Card processor and service providers
-Contractors
-Vendors
-Franchisees
-Gift card provider
Shared or Sold:
-None
Characteristics of Protected Classifications Age, gender, race, marital status -Survey data from analytics provider -Consumer classifications for marketing and analytics Disclosed:
-Service providers
-Contractors
Shared or Sold:
-None
Commercial Information Records of products or services purchased, or considered, or other purchasing or consuming histories or tendencies -Directly from you via our website, telephone, mobile app, in-person
-Direct communication
with you
-Other individuals
-Rewards programs
-Social media interaction with you
-Marketing agencies
-Franchisees
-Business partners
-Provide you with goods and services
-Invite participation in
surveys and feedback
-Customer service communications
-Improve promotions
-To provide rewards to loyalty club members
Disclosed:
-Service providers
-Rewards administrator
-Franchisees
-Contractors
-Stored value account administrator
Shared or Sold:
-Business partners
-Marketing providers
-Analytics providers
-Social media
-Affiliates
-Vendors
Internet or Other Electronic Activity Browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement -Directly from you via our website
-Direct communication
with you
-Social media interaction with you
-Marketing agencies
-Provide you with information, goods and services
-To provide rewards to loyalty club members
-Invite participation in
surveys and feedback
-Customer service communications
-Improve promotions
-To monitor click through rate
Disclosed:
-Service providers
-Contractors
Shared or Sold:
-Business partners
-Marketing providers
-Analytics providers
-Social media
Geolocation Data Device location -From your digital device
-Direct communication
with you
-Provide you with goods and services
-Customer service communications
-Improve promotions
Disclosed:
-Service providers
Shared or Sold:
-Business partners
-Marketing providers
-Analytics providers
-Social media
Professional or Employment-Related Information Work history, Industry -Survey data from analytics provider -Customer service communications
-Improve promotions
Disclosed:
-Service providers
-Contractors
Shared or Sold:
-None
Education Information Education level -Survey data from analytics provider -Customer service communications
-Improve promotions
Disclosed:
-Service providers
-Contractors
Shared or Sold:
-None
Inferences Drawn from Other Categories to Create a Profile Profile reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes, knowledge of food preferences -Directly from you via our website
-Direct communication with you
-Social media interaction with you
-Survey data from analytics provider
-Marketing
agencies
-Provide you with goods and services
-Customer service communications
-Improve promotions
-To understand other data points on people
Disclosed:
-Service providers
Shared or Sold:
-Business partners
-Marketing providers
-Analytics providers
-Social media
-Affiliates
-Online advertising partner

Sensitive Personal Information We Collect and Disclose

Category of Sensitive Personal
Information
Sources
From Which This
Sensitive Personal
Information is Collected
Business
Purposes for Collection
Types of Vendors or Third Parties with Whom This Sensitive Personal Information is Shared, Sold or Disclosed
Account log-in, financial account, debit card number, plus an access code -Directly from you
you via our website
-Complete transactions
-Offer services and discounts
-Prevent fraud
Disclosed:
-Service Providers
-Contractors
Shared or Sold:
-None
Racial or Ethnic Origin -Survey data from analytics provider -Customer service communications
-Improve promotions (e.g. before specific religious holidays)
Disclosed:
-Service Providers
-Contractors
Shared or Sold:
-None

We will not collect a category of Personal Information not listed above or use that Personal Information for a business purpose not listed above, without first providing you with notice.

Retention of Data

We intend to retain each category of Personal Information described above only for as long as necessary to fulfill the purpose for which it was collected, or a related and compatible purpose consistent with the average Consumer’s expectation, and to comply with applicable laws and regulations. We consider the following criteria when determining how long to retain Personal Information: why we collected the Personal Information; the nature of the Personal Information; the sensitivity of the Personal Information; our legal obligations related to the Personal Information, and risks associated with retaining the Personal Information.

Your Rights to Your Personal Information

California, Colorado, Virginia, Utah, and Connecticut consumers have certain rights with respect to the collection and use of their Personal Information. Those rights vary by state. As required by the CCPA, we provide detailed information below regarding the data subject rights available to California consumers. Colorado, Virginia, Utah, and Connecticut consumers have similar rights and can find more detail by referencing the CPA, VCDPA, UCPA, or CDPA, as applicable.

You have the right to request certain information regarding the Personal Information we have collected about you. You may make such a request up to twice in a 12- month span. Please note that there are circumstances in which we may not be able to comply with your request, including when we cannot verify your request or when there is a conflict with our own obligations to comply with other legal or regulatory requirements. We will notify you following submission of your request, if this is the case.

Right to Receive Information on Privacy Practices.

You have the right to receive the following information at or before the point of collection:

  • The categories of Personal Information to be collected;
  • The purposes for which the categories of Personal Information are collected or used;
  • Whether or not that Personal Information is sold or shared with Third Parties or disclosed to Vendors;
  • If the business Collects Sensitive Personal Information, the categories of Sensitive Personal Information to be Collected, the purposes for which it is Collected or used, and whether that information is Sold or Shared; and
  • The length of time the business intends to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.

We have provided such information in this Supplemental Policy, and you may request further information about our privacy practices by contacting us as at the contact information provided below.

Right to Know and Right to Access.

You have the right to request certain information we have collected about you. You have the right to request:

  • Specific pieces and categories of Personal Information we collected about you;
  • The categories of sources from which Personal Information was collected;
  • The purposes for which Personal Information was collected, shared, sold, or processed;
  • The categories of Personal Information we shared, sold or disclosed; and
  • The categories of Vendors or Third Parties with whom we shared, sold or disclosed Personal Information.

Right to Delete.

You have the right to request that we delete certain Personal Information that we have collected.

Right to Correct.

You have a right to request that we correct any inaccurate Personal Information we may retain about you.

Right to Opt-Out of the Sale and Sharing of Your Personal Information.

You have the right to opt-out of the Sale and Sharing of your Personal Information with Third Parties, and the right to opt out of the processing of Personal Information for targeted advertising purposes, as defined in the CCPA, CPA, VCDPA, UCPA, and CDPA.

We Sell and Share Personal Information, or process Personal Information for targeted advertising purposes. In the past twelve months, we have Sold or Shared the categories of Consumer Personal Information as listed in this Supplemental Policy. As a Consumer, you have the right to opt-out of the Sale and/or Sharing of your Personal Information and of the processing of Personal Information for the purpose of targeted advertising. We do not knowingly Sell or Share Personal Information of Consumers under 16 years of age.

If you would like to request that We do not sell your Personal Information pursuant to the requirements of the CCPA, click here, email help@bagelbrands.com, or call us at einsteinbros.com/contact/. The link will take you to an interactive webform that you can complete and submit to make a request to opt out; if you use the telephone number, you will be guided through a process that will allow you to submit a request.

If you use an authorized agent to submit your request to opt-out, We will request that the agent provide Us with proof that he, she, or they has been authorized by you to act on your behalf. The CCPA requires you to provide the authorized agent written permission to exercise your rights under the CCPA.

If you opt-out of the sale of your Personal Information, we will wait at least 12 months before asking you if we may sell or share your Personal Information. You have the right to opt-in to the sale of your Personal Information after you have opted out. If you would like to opt-in to the sale or sharing of your Personal Information, please email us at data_privacy@bagelbrands.com, or call us at einsteinbros.com/contact/. Opting-in is a two-step process in which you will first clearly request to opt-in, and then separately confirm that choice.

Right to Limit the Use of Your Sensitive Personal Information. You have the right to instruct us to limit the use and disclosure of your Sensitive Personal Information to only that which is necessary to perform the services or provide the goods reasonably expected by an average Consumer or for specific business purposes defined by applicable law. However, we do not use Sensitive Personal Information for purposes beyond those authorized by the CCPA.

Right to Non-discrimination. You have a right to exercise the above rights and we will not discriminate against you for exercising these rights. Please note that a legitimate denial of a request to access, delete, or opt-out is not discriminatory, nor is charging a fee for excessive or repetitive requests, as permitted by the CCPA.

Instructions to Exercise your Rights. If you would like to make any of the data requests listed above, please click here, email us at data_privacy@bagelbrands.com, or call us at einsteinbros.com/contact/. The link will take you to an interactive webform that you can complete and submit to make a request for information that we will then verify. If you use the telephone number, you will be guided through a process that will allow you to submit a verifiable request, and the level of verification will depend on the request being submitted.

You may designate an authorized agent to exercise your rights under the CCPA on your behalf. Such individual must have power of attorney, or be an authorized agent registered with the relevant Secretary of State.

Right to Appeal. You have the right to appeal our decisions about your data subject requests. If you choose to appeal a decision, your request will move from IT Dept to our Legal Department for review.  If you would like to appeal a decision regarding your data request, please click here, email us at data_privacy@bagelbrands.com or call us einsteinbros.com/contact/.  Please state that your request is an “Appeal,” and describe the date and nature of your original request.

Verification Process

When you submit a request to exercise your Data Subject Rights, we may ask you to provide information that will enable us to verify your identity.

If you designate an authorized agent to exercise your rights on your behalf, we may require that you or the authorized agent do the following:

  • Verify your identity with us directly.
  • Provide proof of your signed written permission for the authorized agent to submit a request on your behalf.

We may deny a request from an authorized agent on your behalf if the authorized agent does not submit proof that he, she, or it has been authorized by you to act on your behalf if we request such proof.

Personal Information of Minors

Our online content is not intended for children or minors under the age of sixteen years. Accordingly, we do not knowingly store information from minors under the age of sixteen years except as required pursuant to applicable law. If you believe that a child has submitted personal information to us, please contact us at data_privacy@bagelbrands.com or 1-800-962-6786, option 3, and we will delete the information.

Financial Incentives For Consumers

Certain of Our companies (but not all) offer a loyalty/rewards program (each, a “Rewards Program”) as a financial incentive to consumers who allow Us to retain and share their Personal Information.  These incentives generally include complimentary or discounted products, and other special offers.  For more information on Our Rewards Programs, visit https://bagelbrands.com/loyalty-program-terms-and-conditions/.  When exercising your rights under this Supplemental Policy, if you request that we delete all personal information that we have about you, this will effectively prevent access to your Rewards Program account and/or your participation in our Rewards Programs and, correspondingly, must treat such an election as a withdrawal from all of Our companies’ Rewards Programs, and your account for the Rewards Programs will be terminated. Upon termination of your Rewards Program account, (1) all points, rewards and other offers associated with your account will be deemed forfeited, for which no consideration will be given, and (2) if your account has a U.S. dollar funds balance loaded on the account, your funds balance will be transferred by us from your account to a substitute funds access code which will be sent separately by us to you by email.

We estimate the average value of a Rewards Program is $10 per year (which may be higher or lower as to a specific Rewards Program).  We arrived at such value by estimating the approximate retail value of complimentary or discounted products provided through a Rewards Program.

Additional California Privacy Rights

Shine the Light Request. California Civil Code Section § 1798.83 permits users of our website who are California residents to request certain information regarding our disclosure of personal information to other parties for their direct marketing purposes. To make such a request, please send an email to us at data_privacy@bagelbrands.com with the subject “Shine the Light Request.”

Changes to Our Supplemental Policy

Bagel Brand reserves the right to amend this Supplemental Policy at our discretion and at any time. When we make changes to this Supplemental Policy, we will post an updated policy on our website with the revised date.

Additional Information

If you would like additional information regarding our Supplemental Policy, please contact us at data_privacy@bagelbrands.com or einsteinbros.com/contact/, or at

Einstein Noah Restaurant Group, Inc.
1720 S. Bellaire St.
Attn: Skybox
Denver 80222

Return to the start of our Supplemental Policy