Privacy Policy

Effective Date: May 20, 2026 | Last Updated: May 20, 2026

This Privacy Policy describes how Firehouse Subs ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you visit our website at flrehousesups.com, use our online ordering services, participate in our loyalty programs, or otherwise interact with us. We are committed to protecting your privacy and handling your personal information in a transparent, lawful, and responsible manner.

By accessing or using our website, placing an order, signing up for our newsletter, or engaging with our digital platforms, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any part of this Policy, please discontinue use of our services immediately.

As a business operating in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial privacy legislation including Alberta's Personal Information Protection Act (PIPA) and British Columbia's Personal Information Protection Act (PIPA BC), and the Canada Anti-Spam Legislation (CASL). We also follow the principles of the General Data Protection Regulation (GDPR) as an internationally recognized standard for best practices in privacy and data protection.

1. Who We Are

Firehouse Subs is a food service business operating in Canada. We provide restaurant dining services, online food ordering, catering arrangements, and loyalty reward programs to our customers. Our digital presence is managed through our official website, flrehousesups.com.

For all privacy-related inquiries, please contact us at:

Business Name: Firehouse Subs
Email: [email protected]
Website: flrehousesups.com

2. Information We Collect

We collect various types of personal information depending on how you interact with our services. Personal information is defined under PIPEDA as any information about an identifiable individual. Below is a detailed breakdown of the categories of data we collect.

2.1 Personal Identification Information

When you create an account, place an order, sign up for our loyalty program, or contact us directly, we may collect:

Full name
Email address
Phone number
Mailing or delivery address
Date of birth (where applicable, for age verification or promotional purposes)
Username and password (encrypted) for account access

2.2 Transaction and Order Information

When you place an order or make a purchase through our platform, we collect:

Order history and details (items ordered, quantity, special instructions)
Payment method type (e.g., credit card, debit card — note: full card numbers are not stored by us)
Billing information
Delivery address and preferences
Loyalty points earned and redeemed

2.3 Usage and Behavioral Data

When you browse our website or use our digital services, we automatically collect:

Pages visited and time spent on each page
Links clicked and navigation patterns
Search queries made on our website
Referring URLs and exit pages
Frequency and timing of visits
Cart abandonment data

2.4 Device and Technical Information

We collect technical information about the device and connection used to access our services, including:

IP address
Browser type and version
Operating system and platform
Device identifiers (mobile device ID, etc.)
Screen resolution and language settings
Time zone settings

2.5 Location Data

With your consent, we may collect approximate or precise location data to help you find the nearest Firehouse Subs location, provide accurate delivery estimates, and offer location-based promotions. You may disable location sharing through your device settings at any time.

2.6 Communications and Feedback

When you contact us via email, contact forms, or customer service channels, we may collect:

The content of your messages
Survey responses and feedback
Reviews and ratings you submit
Records of your customer service interactions

2.7 Cookie and Tracking Data

We use cookies and similar tracking technologies on our website. Please refer to Section 8 of this Policy and our separate Cookie Policy available on our website for detailed information about how we use cookies.

2.8 Information from Third Parties

We may also receive information about you from third parties, including:

Third-party delivery platforms and food ordering aggregators
Social media platforms if you choose to connect your account or interact with our social pages
Analytics providers
Payment processors

3. How We Use Your Information

Under PIPEDA, we are required to collect, use, and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. We use the information we collect for the following purposes:

3.1 Service Provision and Order Fulfillment

Processing and fulfilling your food orders, including delivery and pickup
Managing your account and loyalty program membership
Processing payments and issuing receipts and invoices
Communicating with you about your orders, reservations, or catering requests
Providing customer support and resolving complaints or disputes

3.2 Marketing and Promotional Communications

Sending you promotional emails, newsletters, and special offers (with your consent as required under CASL)
Personalizing your experience by showing relevant menu items, promotions, and content
Administering contests, sweepstakes, and loyalty reward programs
Notifying you of new menu items, seasonal offerings, and restaurant news

You may withdraw your consent to receive marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at [email protected]. Opting out of marketing does not affect our ability to send you transactional communications (e.g., order confirmations, receipts).

3.3 Analytics and Service Improvement

Analyzing usage patterns to improve website functionality and user experience
Conducting market research and customer satisfaction surveys
Developing new products, services, and features based on customer preferences
Monitoring and improving the performance of our website and digital platforms
Testing and debugging technical issues

3.4 Legal and Regulatory Compliance

Complying with applicable Canadian federal and provincial laws and regulations
Responding to lawful requests from government authorities or law enforcement
Enforcing our Terms and Conditions and other legal agreements
Detecting, preventing, and investigating fraud, security breaches, or other illegal activities
Protecting the rights, property, and safety of our business, employees, and customers

3.5 Operational and Business Purposes

Managing business operations, including staffing, inventory, and logistics
Conducting internal audits and financial reporting
Facilitating business transactions such as mergers, acquisitions, or asset sales

4. Legal Basis for Processing

Under PIPEDA, the lawful basis for processing personal information is meaningful consent, either express or implied, depending on the sensitivity of the information and the circumstances of collection. Specifically:

Express Consent: Required for sensitive personal information, marketing communications, and certain uses of your data beyond the original purpose of collection.
Implied Consent: Applies when you voluntarily provide personal information for an obvious purpose, such as providing your delivery address when placing a food order.
Legitimate Business Purposes: Certain uses of data, such as fraud prevention, security, and legal compliance, may be conducted without explicit consent where a reasonable person would expect such use.

Where we rely on GDPR principles as a best practice benchmark, we also recognize the following legal bases: performance of a contract, compliance with a legal obligation, protection of vital interests, and legitimate interests, provided they do not override your fundamental rights and freedoms.

5. Sharing Your Information with Third Parties

We do not sell, rent, or trade your personal information to third parties for their independent marketing purposes. We may share your information in the following circumstances:

5.1 Service Providers and Business Partners

We engage trusted third-party service providers who assist us in operating our business and providing services to you. These providers are contractually bound to use your information only for the purposes we specify and to maintain appropriate security standards. Service providers may include:

Payment processing companies (e.g., credit card processors)
Food delivery and logistics partners
Email marketing platforms and communication services
Website hosting and cloud infrastructure providers
Customer relationship management (CRM) software providers
Analytics and data analysis service providers
Loyalty program management platforms
IT support and cybersecurity service providers

5.2 Legal Requirements and Law Enforcement

We may disclose your personal information if required to do so by law or in response to valid legal processes, including:

Court orders, subpoenas, or other legal obligations
Requests from law enforcement or government agencies under applicable Canadian law
To prevent fraud, protect national security, or respond to emergency situations involving risk to life

5.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or part of our business assets, your personal information may be transferred to the acquiring entity. We will notify you of any such transfer and the resulting changes to this Privacy Policy.

5.4 With Your Consent

We may share your information with other third parties when you have provided explicit consent for us to do so, such as when you choose to participate in a co-branded promotion or partner loyalty program.

6. Data Security

We take the security of your personal information seriously and have implemented a range of technical, administrative, and physical safeguards to protect your data from unauthorized access, disclosure, alteration, or destruction. These measures include:

6.1 Technical Safeguards

Secure Sockets Layer (SSL) / Transport Layer Security (TLS) encryption for data transmitted between your browser and our website
Encryption of sensitive stored data, including passwords (hashed and salted)
Firewalls, intrusion detection systems, and regular security patching
Tokenization of payment card information through PCI DSS-compliant payment processors
Regular vulnerability assessments and penetration testing

6.2 Administrative Safeguards

Access controls limiting personal data to authorized personnel on a need-to-know basis
Employee training on privacy and data security best practices
Privacy impact assessments for new projects involving personal data
Contractual data protection obligations with all third-party service providers

6.3 Physical Safeguards

Secured physical access to data processing facilities
Locked storage for any physical records containing personal information
Secure disposal of physical and electronic records at end-of-life

Despite our best efforts, no security system is entirely impenetrable. In the event of a data breach that poses a real risk of significant harm to you, we will notify you and the Office of the Privacy Commissioner of Canada (OPC) as required under PIPEDA's mandatory breach reporting requirements (in force since November 1, 2018).

7. Your Privacy Rights

Under PIPEDA and applicable provincial privacy laws, you have the following rights regarding your personal information:

7.1 Right of Access

You have the right to request access to the personal information we hold about you, including information about how it has been used and to whom it has been disclosed. We will provide this information within 30 days of receiving a valid request, or notify you of an extension if more time is needed.

7.2 Right to Correction

If you believe that the personal information we hold about you is inaccurate, incomplete, or outdated, you have the right to request that we correct or update it. We will make reasonable efforts to correct the information promptly.

7.3 Right to Withdraw Consent

You may withdraw your consent for our use of your personal information at any time, subject to legal and contractual restrictions. Withdrawing consent may affect our ability to provide certain services to you, and we will inform you of the consequences before your consent is withdrawn.

7.4 Right to Deletion

In certain circumstances, you may request the deletion of your personal information. We will honor such requests where we are not legally obligated to retain the data and where retaining it is no longer necessary for the purposes for which it was collected.

7.5 Right to Data Portability

While not explicitly codified under PIPEDA at all levels, we adopt the GDPR-aligned best practice of allowing you to request a copy of your personal data in a structured, commonly used, machine-readable format so that it can be transferred to another service provider where technically feasible.

7.6 Right to Object to Automated Decision-Making

If we use automated processes to make decisions about you that significantly affect your interests (such as automated credit assessments or profiling for marketing), you have the right to request human review of such decisions.

How to Exercise Your Rights

To exercise any of the rights described above, please submit a written request to us at:

Email: [email protected]

Subject Line: Privacy Rights Request

We may need to verify your identity before processing your request. We will respond within the timeframes required by applicable law.

8. Cookies and Tracking Technologies

Our website uses cookies, web beacons, pixel tags, and similar tracking technologies to enhance your browsing experience, analyze website traffic, and support our marketing efforts. Below is a brief overview of our cookie practices.

8.1 Types of Cookies We Use

Category	Purpose	Examples
Essential Cookies	Necessary for the website to function properly (e.g., maintaining your session, keeping items in your cart)	Session cookies, login tokens
Performance Cookies	Collect anonymous usage data to help us understand how visitors use our website	Google Analytics, Hotjar
Functional Cookies	Remember your preferences and personalize your experience	Language settings, saved addresses
Marketing Cookies	Track your browsing activity to deliver targeted advertising and measure campaign effectiveness	Facebook Pixel, Google Ads

8.2 Managing Your Cookie Preferences

When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies. You can also manage your cookie preferences at any time through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

For full details about the specific cookies we use, their duration, and how to opt out, please review our dedicated Cookie Policy, available on our website at flrehousesups.com.

9. Data Retention

We retain your personal information only for as long as is necessary to fulfill the purposes for which it was collected, to comply with legal obligations, resolve disputes, and enforce our agreements. The following general retention periods apply:

Data Category	Retention Period
Account and registration data	Duration of account plus 2 years after deletion request
Order and transaction records	7 years (required for tax and financial compliance under Canadian law)
Marketing preferences and consent records	3 years after last interaction or until consent is withdrawn
Customer service communications	3 years from date of last communication
Website usage and analytics data	26 months (anonymized after initial processing period)
Cookie and tracking data	As specified in our Cookie Policy (typically 1-2 years)
Security logs and fraud prevention records	Up to 5 years

Upon the expiry of the applicable retention period, we will securely delete or anonymize your personal information in accordance with our data disposal procedures.

10. Children's Privacy

Important: Our services are intended for individuals who are 18 years of age or older. We do not knowingly collect personal information from individuals under the age of 18.

Firehouse Subs does not direct its website or online ordering services to minors under the age of 18. We do not knowingly solicit or collect personal information from children under 18 years of age. If you are under 18, please do not provide any personal information through our website or services.

If we discover that we have inadvertently collected personal information from a child under 18 without verifiable parental consent, we will take immediate steps to delete such information from our records. If you are a parent or guardian and believe that your child under 18 has provided us with personal information, please contact us immediately at [email protected].

This practice is consistent with the protections afforded to minors under PIPEDA and Canada's evolving digital privacy framework, as well as internationally recognized best practices established under GDPR and the Children's Online Privacy Protection Act (COPPA) principles.

11. International Data Transfers

Firehouse Subs operates primarily within Canada; however, some of our third-party service providers may be located in other countries, including the United States and other jurisdictions. As a result, your personal information may be transferred to, stored in, and processed in countries outside of Canada.

When transferring personal information outside of Canada, we take steps to ensure that your data receives an adequate level of protection consistent with the requirements of PIPEDA. These steps may include:

Entering into data processing agreements with international service providers that include contractual data protection clauses
Ensuring that receiving countries have been assessed for adequate data protection standards
Implementing Standard Contractual Clauses (SCCs) aligned with GDPR principles where applicable
Conducting due diligence on the privacy and security practices of international vendors

Please note that when personal information is transferred to another jurisdiction, it may become subject to the laws of that jurisdiction. Foreign governments, courts, law enforcement, or regulatory agencies may be able to obtain access to your information in accordance with the laws of the foreign jurisdiction. We will use contractual means to require foreign recipients to provide privacy protection comparable to what exists in Canada.

By using our services and providing us with your personal information, you acknowledge and consent to the potential transfer of your information to jurisdictions outside of Canada as described in this section.

12. Third-Party Links and Platforms

Our website may contain links to third-party websites, social media platforms, delivery applications, or partner services. These third-party sites have their own privacy policies, and we do not accept responsibility or liability for their privacy practices or content. We encourage you to review the privacy policies of any third-party sites you visit.

Our website may include social media features such as the Facebook "Like" button, Instagram share tools, or embedded content from platforms such as YouTube. These features may collect your IP address and the page you are visiting, and may set cookies to enable the feature to function properly. Your interactions with these features are governed by the privacy policy of the respective third-party social media company.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our business practices, applicable laws, or privacy standards. When we make material changes to this Policy, we will:

Update the "Last Updated" date at the top of this page
Post a prominent notice on our website
Send an email notification to registered account holders (where required by law or where changes significantly affect your rights)

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our website or services after the posting of changes constitutes your acceptance of the updated Privacy Policy.

14. How to File a Privacy Complaint

If you have concerns about how we handle your personal information, we encourage you to contact us first so that we have an opportunity to address your concerns directly.

14.1 Internal Complaint Process

Submit your complaint in writing to [email protected] with the subject line "Privacy Complaint."
Include your name, contact information, and a detailed description of your concern.
We will acknowledge receipt of your complaint within 5 business days.
We will investigate the matter and provide you with a written response within 30 days of receipt, unless an extension is necessary and communicated to you.

14.2 Escalating Your Complaint to the Privacy Commissioner

If you are not satisfied with our response or believe that we have violated your privacy rights under PIPEDA, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC):

Office of the Privacy Commissioner of Canada

30 Victoria Street

Gatineau, Quebec K1A 1H3

Toll-free: 1-800-282-1376

Website: www.priv.gc.ca

Online Complaint Form: Available at https://www.priv.gc.ca/en/report-a-concern/

Residents of Alberta and British Columbia may also file complaints with the respective provincial privacy commissioners:

Office of the Information and Privacy Commissioner of Alberta: www.oipc.ab.ca

Office of the Information and Privacy Commissioner for British Columbia: www.oipc.bc.ca

15. Contact Us

If you have any questions, requests, or concerns regarding this Privacy Policy or our privacy practices, please do not hesitate to contact our Privacy Officer:

Firehouse Subs — Privacy Inquiries

Email: [email protected]

Website: flrehousesups.com

We are committed to working with you to resolve any privacy concerns in a fair, timely, and transparent manner. Our Privacy Officer is responsible for overseeing compliance with this Privacy Policy and applicable privacy laws.

Summary of Key Rights Under PIPEDA: You have the right to know what personal information we collect, why we collect it, and how it is used. You may access your personal information held by us, request corrections, withdraw consent, and file complaints with the Office of the Privacy Commissioner of Canada. These rights are fundamental to our commitment to treating your personal data with respect and care.

This Privacy Policy was last reviewed and updated on May 20, 2026. It applies to all personal information collected by Firehouse Subs through the website flrehousesups.com and related services as of this date.