Privacy policy



This is the privacy policy for the customers of Tortilla. The purpose of this policy is to inform you on how we collect and use your data when you visit our Tortilla restaurants, access our website or use our online services, including loyalty, feedback and click & collect.

At Tortilla, we are strongly committed to protecting your personal information. As such, this policy also aims to inform you on what your rights are in relation to your data and how you can exercise these rights.
We are Tortilla Mexican Grill plc, and are the data controller for the personal data which we collect from you at Tortilla restaurants, and when you use the Tortilla website and associated apps.
Tortilla Mexican Grill plc is a limited company registered in England and Wales with registered number 13511888 and VAT registered number 310 0475 61.
Our registered office is 142-144 New Cavendish Street, London, W1W 6YF.




Information on how we use your personal data, along with the types of data we use and why we need to use this data have been listed below:

How We Use Personal Data Types of Personal Data Why We Need This Data Why It Is Important



Financial information: transaction amount, date, branch name & the last 4 digits of your card.


We need this information to process your order


We need to process this data to enter into and perform contracts with you


Find Food Service


Your GPS location and how
far away you are from our restaurants


To help you find our nearest restaurant


It is in our interests to help you find us easily




Your browsing details, including time of visit, how long you stay at each page and your interaction with
our website and app


To ensure both our website and app are working as intended, and to continually improve these platforms


Where you have consented to analytics, it is in our interests to maintain and improve accessibility and functionality of our website and app




Your browsing details including other websites visited, browser and device details, IP address, other cookies stored on your device and your public social media information


To carry out marketing campaigns and send you communications


Where you have consented to marketing, it is in our interest to send you marketing communications




Your static or moving imagery via CCTV surveillance in our restaurants


To ensure your safety and security when you visit our restaurants, assist in the detection and prevention of crime and to abide by health and safety standards


It is in our interests to protect our customers and staff, and maintain health and safety standards in our restaurants


Customer Notices


Your contact details


To notify you of any important changes to our products, services and our organization


It is in our interests to provide you with notice of any changes to our products, services and our organization



In addition to the Personal Data that we collect directly from you (as described in the section immediately above this one), we also collect certain of your Personal Data from third party sources. These sources are broken down in the table below, together with a description of whether they are publicly available or not.

Third party data source Publicly available? Category(ies) or other types of personal data received.

Social Media sites




Identity Data

Contact Data


Recruiters, CV search companies, background check providers and referees, including ATS




Identity Data
Contact Data

Job Application Data


Analytics Providers




Behavioural Data

Technical Data


Collectors of feedback – and any online surveys




Feedback Data
Contact Data


Free Wifi login – Wireless Social




Identity Data

Contact Data

Technical Data


Click & Collect system – Ritual




Identity Data
Contact Data


Loyalty system – MCR




Identity Data
Contact Data
Behavioural Data



We share your personal data amongst entities within the Tortilla family, and with third party companies providing services to us. Your personal data may be:

  • Transferred to third party organisations that provide services to us
  • We use third party information technology companies to support us in providing our services to you, and to help provide, run and manage our internal administrative systems. For example, we use service providers for payment systems, identity management, website hosting and management, data analysis, data back-up, security and storage services.
  • Transferred to government agencies and/or regulators
  • We may also transfer your data to government agencies or regulators to adhere to any legal requirements.


You have a number of rights with regards to your personal data. A list of these rights and how you may exercise them has been included below:

  • Rights to Access Personal Data and Right to Data Portability: You have the right to access your personal data at any point, and may make a request to do so either verbally or in writing. You also have the right to data portability, meaning you may request to receive your personal data in a standard use, machine readable format.
  • Right to Rectification of Personal Data: You have the right to request us to rectify any inaccurate or incomplete personal data we may have on you. If you make this request, we will update your personal data with the correct information provided.
  • Rights to Objection, Restriction and Erasure of Personal Data: You have the right to restrict how your data is being used, and the right to request us to delete your personal data.
  • Right to Withdraw Consent: In any circumstances in which we process data based on consent, you may withdraw your consent at any time.
  • Right to be Informed: You have the right to be informed about how we collect, use and retain your data, which is why we have set out this information within this policy. If you would like further information regarding your data, you may contact us at any time.

To exercise any of these rights, please send an email using the feedback form on this site: and selecting ‘Data Request’ in the enquiry form. Depending on your request, we may ask for further confirmation of your identity or additional information to fulfil your request.

  • The Right to Complain to the ICO: If you wish to make a complaint to us about how we use or retain your personal data, please send an email using the feedback form on this site: and selecting ‘Data Request’ in the enquiry form. You also have the right to lodge a complaint with the data protection authority. The relevant authority for the UK is the Information Commissioner’s Office (ICO). If you wish to file a complaint with the ICO, you may find the following information helpful:



You can read our full cookie policy here.




If you have any questions about this privacy statement or have a question, comment or complaint about our use or retain your personal data, please send an email to our Data Protection Officer using the feedback form on this site: and selecting ‘Data Request’ in the enquiry form.




This is the latest version of our privacy policy, and is in effect as of the “Last Update” date which may be found at the top of the statement. As we may change this policy from time to time, you should check here regularly for the most up-to-date version. The privacy policy can be found on our company website.




For privacy policy regarding our click & collect system, please visit our system provider Ritual.


For privacy policy regarding our feedback system, please visit our system provider


For privacy policy regarding our public wifi system, please visit our system provider Wireless Social.


What is this Privacy Policy for?

This privacy policy is for the loyalty and cashless website and mobile application (On Android, iPhone and Windows Phone) maintained and served by MCR Systems and governs the privacy of its users who choose to use it.

The policy sets out the different areas where user privacy is concerned and outlines the obligations & requirements of the users, the mobile app, the website and website owners. Furthermore the way the website and mobile app processes, stores and protects user data and information will also be detailed within this policy.

The Website and App

The website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of its users throughout their visiting experience. The website complies to all UK national laws and requirements for user privacy.

Use of Cookies

This website uses and requires cookies to better the users experience while visiting the website. A notice of cookie use is displayed on the users first visit to the website to comply with recent legislation requirements.

Cookies are small files saved to the user’s computers hard drive that track, save and store information about the user’s interactions and usage of the website. This allows the website, through its server to provide the users with a tailored experience within this website. Users are advised that if they wish to deny the use and saving of cookies from this website on to their computers hard drive they should take necessary steps within their web browsers security settings to block all cookies from this website and its external serving vendors.

This website uses tracking software to monitor its visitors to better understand how they use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computers hard drive in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information. You can read Google’s privacy policy here for further information.

Information Collected

On some parts of the website and app, you may be required or asked to provide some limited personal information in order to enable the provision of certain servers (e.g sales enquiry, gain access to our solutions). MCR may store this information manually or electronically. By supplying this information you are consenting to MCR holding and using it for the purposes for which it was provided. Information provided will be kept for as long as is necessary to fulfil that purpose.

We may also collect information about your computer, including where available; your IP address, operating system and browser type, for system administration and to report aggregate information to our webmasters. This is statistical data about our users’ browsing actions and patterns which does not identify any individual and allows us to ensure that content from our site is presented in the most effective manner for you and for your computer.

How Collected Information Is Used

Personal information provided to MCR Systems by you will only be used for the purpose stated when the information is requested. Personal information will not be sold to third parties, or provided to direct marketing companies or other such organisations without your permission. Personal information collected and/or processed by MCR Systems is held in accordance with the provisions of the Data Protection Act 1998.

Demographical and statistical information about user behavious may be collected and used to analyse the popularity and effectiveness of MCR Systems website and solutions. Any disclosure of this information will be in aggregate form and will not identify individual users.

How Collected Information Is Stored

Information which you provide to us will ordinarily be stored on our secure servers. Which are hosted by third party contractors. No information is transferred to a destination outside the European Economic Area (“EEA”). By submitting personal information, you agree to allow us to store and process the data. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

We may disclose your personal information to third parties if we are under a duty to disclose or share such information in order to comply with any legal obligation or to protect the rights, property or safety of MCR systems, its customers or others.

Contact & Communication

Users contacting this website and/or its owners do so at their own discretion and provide any such personal details requested at their own risk. Your personal information is kept private and stored securely until a time it is no longer required or has no use, as detailed in the Data Protection Act 1998. Every effort has been made to ensure a safe and secure form to email submission process but advise users using such form to email processes that they do so at their own risk.

This website and its owners use any information submitted to provide you with further information about the products / services they offer or to assist you in answering any questions or queries you may have submitted. This includes using your details to view any purchase or sale information made by you. These details are not passed on to any third parties.

External Links

Although this website only looks to include quality, safe and relevant external links, users are advised to adopt a policy of caution before clicking any external web links mentioned throughout this website. (External links are clickable text / banner / image links to other websites, similar to; Google or MCR Systems)

The owners of this website cannot guarantee or verify the contents of any externally linked website despite their best efforts. Users should therefore note they click on external links at their own risk and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.


Data Protection Act 1998

Privacy and Electronic Communications Regulations 2003

Privacy and Electronic Communications Regulations – The Guide

Google Privacy Policy

Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email.

Any queries or concerns about privacy on MCR websites or applications should be sent by email to or addressed to the Data Protection Officer, MCR Systems, Vantage House, Vantage Park, Leicester, LE4 9LJ.

This policy was last updated 18.03.2021