Aztec Tacos

Privacy Policy

Last updated: May 24, 2026

1. Introduction

This Privacy Policy explains how Aztec Tacos Inc. (“Aztec Tacos,” “we,” “us,” or “our”), operating at 77 Montréal Road, Vanier, Ottawa, Ontario K1L 6E8, Canada, collects, uses, discloses, and protects personal information through our website aztectacos.ca (the “Website”) and related services.

We are committed to protecting your privacy in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy legislation. By using our Website, you consent to the practices described in this policy.

2. Personal Information We Collect

We collect personal information that you voluntarily provide when you use our Website. The type of information depends on the service you use:

Online Pickup Orders

Name, phone number, email address (optional), order details and item selections, modifier notes, special dietary notes, pickup time preference, and payment information processed through Stripe.

Reservation Requests

Name, phone number, email address (optional), party size, preferred date and time, meal period, and any special requests or notes you provide.

Contact Form

Name, email address, phone number (optional), subject, and the content of your message.

Newsletter

Email address only.

Automatically Collected Information

When you visit our Website, certain technical information may be collected automatically, including:

  • IP address (used for security, rate limiting, and fraud prevention).
  • Browser type, operating system, and device information (collected by security services).
  • Pages visited and referring URL (aggregate, anonymous analytics data collected by Plausible Analytics — no personal data, no cookies).

3. How We Use Your Information

  • Order fulfilment: To confirm, prepare, and manage your pickup orders, calculate pricing and applicable taxes (Ontario HST 13%), and coordinate pickup timing.
  • Reservation management: To receive, review, confirm, or decline reservation requests and communicate seating details.
  • Customer communication: To respond to your contact form messages, answer questions, and provide customer support.
  • Newsletter: To send periodic promotional emails, special offers, and restaurant news if you have opted in. You may unsubscribe at any time.
  • Payment processing: To process online payments securely through Stripe, verify transactions, and handle refund requests.
  • Operational notifications: To send order confirmations, reservation status updates, and pickup readiness alerts via email.
  • Security and fraud prevention: To protect the Website from abuse, detect fraud, prevent unauthorized access, enforce rate limits, and verify visitors using Cloudflare Turnstile.
  • Website improvement: To analyze aggregate usage patterns and improve design, functionality, and performance.
  • Legal obligations: To comply with applicable laws, regulations, tax requirements, and accounting standards.
  • Dispute resolution: To investigate and resolve complaints, chargebacks, or disputes related to orders or payments.

4. Legal Basis for Processing

Under PIPEDA, we process your personal information on the following lawful grounds:

  • Consent: You provide consent when you submit information through our forms (orders, reservations, contact, newsletter).
  • Contractual necessity: Processing is necessary to fulfil your order or reservation request.
  • Legitimate interests: We process certain information for security, fraud prevention, and service improvement, where those interests are not overridden by your privacy rights.
  • Legal compliance: We process information as required for tax, accounting, and other legal obligations.

5. Payment Information

All online card payments are processed securely by Stripe, Inc. Your card details are transmitted directly to Stripe through their PCI-DSS compliant payment infrastructure. Aztec Tacos does not receive, process, store, or have access to your full card number, CVV code, or payment credentials at any time.

We receive from Stripe only: a transaction reference ID, transaction amount, payment status, and timestamp. This information is used solely for order management, accounting, tax records, and dispute resolution.

Stripe’s handling of your payment information is governed by Stripe’s Privacy Policy.

Important: Do not include payment credentials, card numbers, CVV codes, government identification, health information, passwords, or other sensitive data in order notes, reservation requests, contact forms, or emails.

6. Disclosure of Information

We do not sell, rent, trade, or disclose your personal information to third parties for their own marketing purposes. We may share information only as follows:

Service Providers

We share information with trusted third-party service providers who process data only on our behalf:

  • Stripe — Payment processing and fraud prevention.
  • Render — Website and application hosting.
  • Neon (PostgreSQL) — Database hosting and storage.
  • Resend — Transactional and newsletter email delivery.
  • Cloudflare — Website security (Turnstile bot protection).
  • Plausible Analytics — Privacy-focused, cookie-free website analytics (no personal data shared).

Legal Requirements

We may disclose personal information if required by law, court order, subpoena, or government request, or to protect the rights, property, or safety of Aztec Tacos, our customers, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the successor entity. You will be notified of any such change.

7. Cross-Border Data Transfers

Some of our service providers operate in or maintain servers in the United States and other countries outside Canada. Your personal information may be processed and stored in jurisdictions where privacy laws differ from those in your province. By using our Website, you consent to the transfer of your information to jurisdictions outside Canada. We take reasonable steps to ensure our service providers maintain a comparable level of protection.

8. Data Retention

We retain personal information only as long as reasonably necessary for the purposes collected, or as required by law:

  • Order records: Retained for accounting and tax purposes as required by the Canada Revenue Agency (CRA) — a minimum of six (6) years. After the retention period, personal details (name, phone, email, notes) are automatically anonymized while financial records are preserved.
  • Reservation records: Retained for up to one (1) year for operational purposes, then anonymized or deleted.
  • Contact form submissions: Retained for up to one (1) year, then deleted.
  • Newsletter subscriptions: Retained until you unsubscribe or request deletion.
  • Security logs: IP addresses, failed login attempts, and related security records are retained for up to ninety (90) days.
  • Stripe webhook records: Retained for the same period as order records for reconciliation and dispute resolution.

When personal information is no longer needed, it is securely deleted or anonymized.

9. Data Security

We implement reasonable administrative, technical, and organizational measures to protect your personal information, including:

  • Encrypted data transmission using TLS/SSL (HTTPS) for all communications.
  • Secure, hashed and salted credential storage (bcrypt).
  • Two-factor authentication (TOTP) for all administrative accounts.
  • CSRF protection on all form submissions.
  • Content Security Policy (CSP) headers with nonce-based script execution.
  • Rate limiting against brute-force attacks and automated abuse.
  • Bot protection via Cloudflare Turnstile on all public forms.
  • Account lockout policies after repeated failed authentication attempts.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

10. Data Breach Notification

In accordance with PIPEDA’s mandatory breach notification requirements (in effect since November 1, 2018), if we experience a breach of security safeguards involving your personal information that creates a real risk of significant harm to you, we will:

  • Notify you as soon as feasible after the breach is discovered, describing the nature of the breach, the personal information involved, and the steps we are taking to reduce the risk of harm.
  • Report the breach to the Office of the Privacy Commissioner of Canada (OPC).
  • Notify any other organization or government institution that may be able to reduce the risk of harm.
  • Maintain records of all breaches of security safeguards for a minimum of twenty-four (24) months, whether or not they meet the threshold for notification.

Notification will be provided directly to you by email (if available) or by other means appropriate in the circumstances, and will include information about what you can do to protect yourself.

11. Consent

Under PIPEDA, we obtain your consent in the following ways:

Express Consent

We obtain your express, affirmative consent when you:

  • Submit an online order with your name, phone number, and payment details.
  • Submit a reservation request with your contact information.
  • Submit a message through our contact form.
  • Subscribe to our newsletter by entering your email address and clicking “Join.”

Implied Consent

Consent may be implied in limited circumstances where personal information is required to complete a transaction you have initiated (for example, providing your phone number so we can contact you about an order issue, or processing payment information through Stripe to complete a purchase you have requested).

Withdrawing Consent

You may withdraw your consent to the collection, use, or disclosure of your personal information at any time by contacting us. Please note:

  • Withdrawal of newsletter consent can be done immediately via the unsubscribe link or by emailing us.
  • Withdrawal of consent for order or reservation data may not apply retroactively to records we are legally required to retain (e.g., tax records under CRA requirements).
  • Withdrawal of consent may affect our ability to provide services to you (e.g., we cannot process an order without a name and phone number).

We will inform you of the consequences of withdrawing consent before processing your request.

12. Automated Decision-Making

Our Website uses limited automated processes in the following areas:

  • Rate limiting: Automated systems track IP addresses to prevent abuse, excessive form submissions, and brute-force attacks. Exceeding rate limits may temporarily block access.
  • Bot detection: Cloudflare Turnstile automatically assesses form submissions to determine whether they originate from a real person or an automated bot.
  • Payment fraud detection: Stripe uses automated systems to assess transaction risk and detect potentially fraudulent payments.
  • Account security: Our system automatically locks administrative accounts after repeated failed login attempts.

No automated decisions are made that produce significant legal effects or similarly significant consequences for guests based on profiling. If you believe an automated system has incorrectly affected your ability to use our services, please contact us and a human will review the situation.

13. Your Rights Under PIPEDA

Under PIPEDA, you have the following rights:

  • Right of access: Request a copy of the personal information we hold about you.
  • Right of correction: Request correction of inaccurate or incomplete personal information.
  • Right to withdraw consent: Withdraw consent to collection, use, or disclosure at any time, subject to legal or contractual restrictions. Withdrawal may affect our ability to provide certain services.
  • Right to challenge compliance: Challenge our compliance with PIPEDA by contacting our Privacy Officer. If your concern is not resolved, you may file a complaint with the OPC.
  • Right to unsubscribe: Unsubscribe from our newsletter at any time via the unsubscribe link or by contacting us.
  • Right to complain: File a complaint with the Office of the Privacy Commissioner of Canada at 30 Victoria Street, Gatineau, QC K1A 1H3, or by calling 1-800-282-1376.

To exercise any right, contact us below. We will respond within thirty (30) days as required by PIPEDA. Identity verification may be required. There is no fee for making a request, except in limited cases where PIPEDA permits a minimal charge for reproduction costs.

14. Cookies and Tracking

Our Website uses a limited number of essential cookies and browser storage technologies. We do not use advertising cookies or third-party tracking pixels. For full details, see our Cookie Policy.

15. Children’s Privacy

Our Website and online ordering services are not directed at children under thirteen (13). We do not knowingly collect personal information from children under 13. If we become aware of such collection, we will promptly delete that information. If you believe a child has provided us personal information, please contact us immediately.

16. Third-Party Links

Our Website may contain links to third-party websites (Google Maps, social media, Stripe). We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies.

17. Canada’s Anti-Spam Legislation (CASL)

We comply with Canada’s Anti-Spam Legislation (CASL). We send commercial electronic messages only with your express consent via our newsletter form. Each message includes our business name, contact information, and a clear unsubscribe mechanism. Unsubscribe requests are processed within ten (10) business days.

Transactional messages (order confirmations, reservation updates, contact replies) are exempt from CASL consent requirements as they relate to services you have requested.

18. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. Material changes will be reflected by an updated “Last updated” date. Continued use of the Website after changes constitutes acceptance of the updated policy.

19. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal information:

Aztec Tacos Inc.

Attn: Privacy Officer

77 Montréal Road, Vanier, Ottawa, ON K1L 6E8, Canada

Email: contact@aztectacos.ca

Phone: (613) 741-9998

We will acknowledge receipt and respond within thirty (30) days.