1. Who We Are

Kuvi Hospitality Taco Ltd (trading as Coyo Taco in the UK, and referred to in this policy as 'Coyo Taco') is the data controller responsible for the personal information we collect and process. In this policy, references to "we", "us", or "our" mean Coyo Taco.

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Data Controller: Kuvi Hospitality Taco Ltd (trading as Coyo Taco)

Email: privacy@coyotaco.co.uk

Registered in: England and Wales

2. What Personal Data We Collect

We collect personal data from you in the following categories:

2.1 Name and Contact Information

When you make a reservation, sign up to our mailing list, or contact us, we may collect:

•       Full name

•       Email address

•       Phone number

•       Any other details you provide voluntarily when contacting us

2.2 Marketing Preferences

With your consent, we collect information about your communication preferences, including whether you would like to receive news, offers, and updates from us by email or SMS.

2.3 Loyalty Programme Data

If you join our loyalty programme, we collect and process additional information in order to operate your account and deliver rewards, including:

•       Your name and contact details (as above)

•       Purchase history: items ordered, spend amounts, dates and locations of visits

•       Points balance and transaction history, including points earned and redeemed

•       Redemption history and reward activity

•       Programme preferences and communication choices

This data is used solely to operate your loyalty account and, where you have consented, to send you relevant offers and updates. You can close your loyalty account at any time by contacting us at privacy@coyotaco.co.uk.

2.4 Website Analytics Data

When you visit our website, we automatically collect certain technical information, including:

•       IP address (anonymised where possible)

•       Browser type and version

•       Pages visited and time spent on the site

•       Referring website or source

•       Device type and operating system

This information is collected using cookies and similar technologies. Please see Section 8 (Cookies) for more detail.

3. How We Use Your Data

We use your personal data only for the purposes set out below, and only where we have a lawful basis to do so under the UK GDPR:

•       Managing reservations and bookings (contract performance)

•       Responding to your enquiries (legitimate interests)

•       Operating your loyalty programme account, including tracking points and processing rewards (contract performance)

•       Sending marketing emails or SMS where you have opted in, including loyalty-related offers (consent)

•       Improving our website and customer experience (legitimate interests)

•       Complying with legal obligations (legal obligation)

4. Who We Share Your Data With

We do not sell your personal data. We may share it with the following trusted third-party service providers who act as data processors on our behalf:

4.1 Booking Platforms

If you make a reservation through an online booking system (such as OpenTable), your booking details will be processed by that third-party provider. Please refer to their privacy policy for details on how they handle your data.

4.2 Email and SMS Marketing Providers

We use third-party providers (such as Klaviyo) to manage and send our marketing communications. These providers process your contact details and preferences solely to deliver our messages on our behalf.

4.3 Payment Processors

Payments made in our restaurants or online are processed by third-party payment processors (such as Stripe or Square). We do not store your full card details. Payment processors are required to handle your financial data securely and in compliance with applicable standards.

All third parties are contractually required to keep your personal data secure, use it only for the specified purpose, and comply with applicable data protection law.

5. International Data Transfers

Some of our third-party service providers may be based outside the UK. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the UK Information Commissioner's Office (ICO), or transfers to countries with an adequacy decision.

6. How Long We Keep Your Data

We keep your personal data only for as long as necessary for the purposes it was collected, or as required by law:

•       Booking and contact records: 3 years from last interaction

•       Loyalty programme account data: for the duration of your membership, plus 2 years after account closure or last activity

•       Loyalty transaction and points history: 3 years from the date of each transaction

•       Marketing preferences and opt-in records: until you withdraw consent, plus 1 year

•       Website analytics data: up to 26 months (anonymised after 14 months)

•       Financial transaction records: 7 years (legal requirement) 

7. Cookies

Our website uses cookies and similar tracking technologies to improve your experience and help us understand how visitors use the site. We use the following types:

•       Essential cookies: needed for the website to function correctly

•       Analytics cookies: help us understand how visitors use the site (e.g. Google Analytics)

•       Marketing cookies: used to track visits and show relevant promotions

You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

•       Right of access: you can request a copy of the personal data we hold about you.

•       Right to rectification: you can ask us to correct inaccurate or incomplete data.

•       Right to erasure: you can ask us to delete your data in certain circumstances.

•       Right to restrict processing: you can ask us to limit how we use your data.

•       Right to data portability: you can request your data in a structured, machine-readable format.

•       Right to object: you can object to processing based on legitimate interests or for direct marketing purposes.

•       Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@coyotaco.co.uk. We will respond within one calendar month. 

9. Opting Out of Marketing

You can unsubscribe from our marketing emails or SMS messages at any time by:

•       Clicking the unsubscribe link in any marketing email we send you

•       Replying STOP to any marketing SMS

•       Emailing us at privacy@coyotaco.co.uk

Withdrawing your marketing consent will not affect any other processing we carry out on a different lawful basis.

10. Data Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. These include secure server infrastructure, encrypted data transfers, and restricted access controls. Where we share data with third parties, we require them to apply equivalent standards of security.

11. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

ICO Website: ico.org.uk

ICO Helpline: 0303 123 1113

We would, however, appreciate the chance to address your concerns before you contact the ICO, so please reach out to us first at privacy@coyotaco.co.uk. 

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The most current version will always be available on our website, along with the date it was last updated. We encourage you to review this policy periodically.