Main content starts here, tab to start navigating

Privacy Notice

Last updated: 22 May 2024

1. Introduction

This Privacy Notice provides details about our processing of your personal data, including how and why we use your personal data and how we keep it safe. It also explains the rights you have over your personal data. 

The controller responsible for processing your personal data is the Mandolin company or affiliated company ('we', 'us' and 'our') with which you have dealings as a website visitor, customer or prospective customer, a subscriber to our publications or newsletters or with which you otherwise engage or communicate. Specific information relating to the types of personal data processed and our purposes of processing that data is set out below. 

This Privacy Notice covers all jurisdictions in which we operate and/or in which, or to which, we offer our goods or services. We set out specific data protection information in relation to some of these jurisdictions in the Appendices to this Privacy Notice. 

You should read this Privacy Notice so that you know what we do with your personal data. Please also read any other privacy notice that we may provide to you from time to time that may apply to our use of your personal data in specific circumstances. 

Please see the 'How to contact us' section at 16 below for details about how to contact us.  

2. Explanation of terms

In this Privacy Notice:

'personal data' (also referred to in this Privacy Notice as 'personal information') means any information that relates to you from which you can be directly or indirectly identified;

'process' means any activity relating to personal data, including collection, use, sharing, storage and transmission; and

'controller' is a legal term and refers to the company that makes decisions about how and why your personal data is processed and is therefore responsible for ensuring that the processing is done in accordance with relevant data protection laws.

3. How do we obtain your information?

Most of the personal information we process is provided to us directly by you when you engage with us, such as when you complete our web forms in order to make an information request, make an enquiry, attend an event, purchase our goods or services or when you subscribe to our newsletter.

We process personal information about you when you use or interact with our website or apps (as applicable) ("Sites"), create an account, generate or make any content on, or upload to, a Site, including preferences you set (such as choice of language), photographs and videos you upload, conversations and connections you have with other users and comments you make via our messaging services.

When you visit, use or navigate our Sites, we may process certain information about you automatically. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our services, and other technical information which may identify you. This information is primarily needed to maintain the security and operation of our Sites, and for our internal analytics and reporting purposes. Like many businesses, we also collect information through cookies and similar technologies, which you can read more about in our Cookie Policy [(see here)]. 

We may also collect personal information from available sources in the public domain and from other third parties,

In certain circumstances, we will also require certain personal data in order to manage our relationship with you/provide you with our services (e.g., your payment card details to take payment or certain information to enable you to create an account with us). 

Please note that we may combine the personal data that you provide to us with other information we collect about you when you make a reservation through third-party services, such as online restaurant/hotel reservation websites, so that we may process your requests. 

Where we don't need your personal data, we will make this clear, for instance we will explain if any data fields in our forms are optional and can be left blank.

If you submit any personal information relating to another person, you represent that you are authorised by that person to do so and to permit us to use the information in accordance with this Privacy Notice. 

4. What information do we collect?

We collect personal data about you, which may include the following:

Identity and Contact Information: first name, last name, title, postal address, email address and telephone numbers, driving licence, passport, CCTV and photographs.

Personal Details: age, gender and date of birth.

Information collected when you contact us: includes information in emails and other communications with us such as feedback and surveys.

Employment Data: employment details, including employment status, job title, employment address, telephone number and previous employment details.

Diversity, Equality and Inclusion Data: sexual orientation, religion, gender identity and ethnicity and race. 

Preferences: Preferred language, direct marketing and cookie preferences.

Nationality: nationality and citizenship. 

Financial Data: bank account details, tokenised payment card data and billing information.

Technical Data: device identifiers such as internet protocol (IP) address, usernames or similar identifiers, geolocation data, usage and login data.

Health and Medical Information: Health and disability information and dietary requirements.

Payment Information

Any credit/debit card payments and other payments you make through our Sites will be processed by our third-party payment providers. The payment data you submit will be securely stored and encrypted by our payment service providers using up to date industry standards. Please note that aside from card information tokenisation, we do not directly process or store the debit/credit card data that you submit; this is handled by our third-party payment provider.

You may choose to opt out of us holding your card or payment data, although this means that you will need to re-supply us with card/payment details for the purpose of making any future purchases.

5. What are our lawful bases for processing your personal data?

We ensure that we have a lawful basis or bases for processing your personal data. Our lawful bases for processing your personal data (which are based on data protection law requirements in the United Kingdom (UK) and European Economic Area (EEA)) are as follows:

It is necessary in our legitimate interests. We have a legitimate business interest in processing your personal data. Our legitimate interests are in:

  • Providing our products and services.
  • Analyzing, managing, evaluating, and improving our business.
  • Dealing with your queries and feedback.
  • Improving our guests’ experiences
  • Managing reservations
  • Operating our facilities and events.
  • Ensuring the security of our premises, facilities, and property.
  • Detection and prevention of crime.
  • Maintaining the security of our websites.  
  • Communicating with you regarding your reservation.

Where we rely on legitimate interests, we have balanced our rights against your interests, fundamental rights and freedoms and determined that our legitimate interests are not overridden in those circumstances.

  • It is necessary to comply with a legal obligation. We collect and process some information about you to comply with our legal obligations (e.g., in relation to accounting and tax requirements) and keep records as required by law.
  • It is necessary for the performance of a contract between you and us or to take steps at your request prior to entering into the contract, for example, we will need to process your personal data to fulfil a transaction with you to provide our goods or services.
  •  In rare cases, it may be necessary to process your personal data to protect your or another person's vital interests (i.e. your life) – e.g. in emergency circumstances when communicating with first responders or medical professionals – or because it is necessary for the performance of a task in the public interest.
  • In limited circumstances, we may request your consent to process your personal data.

When we process particularly sensitive personal data (also known as special categories of personal data) – e.g., health/disability data, sexual orientation, ethnicity/race or religious beliefs – we have an additional lawful basis for the processing of such personal data based on data protection law requirements in the UK and EEA. In the limited circumstances where we process such personal data:

  • We will request your explicit consent to do so.
  • It is necessary for the establishment, exercise or defence of legal claims.
  • It is necessary for reasons of substantial public interest.
  • The personal data is manifestly made public by you.
  • There may also be very rare occasions where we need to process this information to protect your or another person's vital interests (i.e., your or the other person's life) where you are physically or legally incapable of giving consent.

6. How and why do we use your information?

Please see the table below for details of the different purposes for which we use your personal data, as well as the lawful basis or bases relied upon for each purpose of use:

Purpose

Fulfillment of reservation: We may process information relating to your bookings. This includes bookings in our restaurants. The data may be processed for the purpose of completing your restaurant reservation.

Lawful Basis or Bases

Fulfilment of reservation: We may process information relating to your bookings. This includes bookings in our restaurants. The data may be processed for the purpose of completing your restaurant reservation.    This processing is necessary for the performance of a contract and is necessary for the purposes of our legitimate interests.

For special categories of data this processing is conducted with your explicit consent.


Purpose

Reservation communications: To communicate with you about your visit to our restaurants.

Lawful Basis or Bases

This processing is necessary for the purposes of our legitimate interests.

For special categories of data this processing is conducted with your explicit consent.


Purpose

Purchases: To process transactions, Mandolin may collect data such as your name, purchase, and payment information.

Lawful Basis or Bases

This processing may be necessary for the performance of a contract and Mandolin’s Legitimate Interests.


Purpose

Events: We also may collect information regarding Mandolin events, attendance and ticketing which we require for the purposes of completing your ticket purchase and attendance at the event. Mandolin also uses personal information about attendees to plan and host corporate events, host online forums and social networks in which event attendees may participate.

Lawful Basis or Bases

This processing may be necessary for the performance of a contract and is necessary for the purposes of our legitimate interests.

For special categories of data this processing is conducted with your explicit consent.


Purpose

Response to enquiries: We may process information contained in or relating to any communication that you send to Mandolin. This data may include the communication content and metadata associated with the communication.   

Lawful Basis or Bases

This processing is necessary for the purposes of our legitimate interests to respond to your queries.

For special categories of data this processing is conducted with your explicit consent.


Purpose

Marketing and promotions: To communicate news and promotions to you relating to Mandolin’s products and services, or other marketing or promotional activities. 

Lawful Basis or Bases

This processing is carried out with your consent.


Purpose

To understand your preferences and interests: To be able to improve the customer’s experience.

Lawful Basis or Bases

This processing is necessary for the purposes of our legitimate interests in improving our services.

For special categories of data this processing is conducted with your explicit consent.


Purpose

Detection and prevention of unlawful activity: To obtain legal advice and/or to protect us, our staff and customers and the public against injury, theft, legal liability, fraud, abuse and other misconduct. This includes maintaining the security of our Houses through the use of CCTV. Please note that footage is retained for one calendar month from the date of collection.

Lawful Basis or Bases

This processing is necessary for the purposes of our legitimate interests.


Purpose

To identify usage trends and understand our customer journeys: We will process information about how you use our websites.

Lawful Basis or Bases

This processing is carried out where you consent to non-essential cookies via our website.


Purpose

Website security monitoring: We utilize various tools in order to ensure the security of our website.

Lawful Basis or Bases

This processing is necessary for the purposes of our legitimate interests.


Purpose

Internal business purposes: For our internal business purposes, such as data analysis, audits, market research, developing new products, improving our services, obtaining statistical information, identifying usage trends and visiting patterns, determining the effectiveness of our promotions and meeting contractual obligations.

Lawful Basis or Bases

This processing is necessary for the purposes of our legitimate interests in improving our products and services and for performing a contract.


Purpose

Your Preferences: To understand your preferences and interests and be able to improve your experience of our goods and services.

Lawful Basis or Bases

This processing is necessary for the purposes of our legitimate interests.

For any special categories of personal data processed: explicit consent.


Purpose

Our Sites: To improve, promote and develop our Sites and promote popular conversations, programs and campaigns on the Sites.

Lawful Basis or Bases

This processing is necessary for the purposes of our legitimate interests.


Purpose

Administrative and other communications: To send you important information regarding our Sites, changes to our terms, conditions, and policies, or other administrative information (e.g., information about your reservations, such as reservation confirmations), to enforce our terms and conditions and policies, to provide you with customer/user support and to contact you for public health reasons and to comply with government guidelines, regulations and mandates. 

Lawful Basis or Bases

This processing is necessary for the purposes of our legitimate interests, and it is necessary to comply with a legal obligation.

For any special categories of personal data processed: explicit consent, legal claims, public information, vital interests and substantial public interest. 


Purpose

Our legal duties: To comply with legal and regulatory requirements or demands in accordance with applicable law, a court order, subpoena, or other legal process. 

Lawful Basis or Bases

This processing is necessary to comply with a legal obligation.


Purpose

Corporate Arrangements: To facilitate the sale or potential sale of our business or part of our business. 

Lawful Basis or Bases

This processing is necessary for the purposes of our legitimate interests.


7. Do we share the information we receive?

Sharing within our group

As a global organization, we may share your personal data with our group and affiliated companies in order to provide our services and benefits to you, such as for our general business management and corporate reporting purposes. With your consent, other group or affiliated companies may send information about their products or services to you. We also share personal data where support or functions are provided by other group and affiliated companies, such as in relation to customer services, website hosting and IT support and maintenance.

Sharing outside our group

We may also share your personal data with third party service providers outside our group to provide us with services, such as:

  • card processing or payment service providers; 
  • credit reference agencies; 
  • IT suppliers and contractors (e.g. data hosting providers)
  • analytics providers/ web analytics providers;
  • providers of digital advertising services; 
  • event organizers and
  • providers of CRM, marketing, and sales software solutions.  

We carry out due diligence to check that these service providers have appropriate security in place to protect your personal data and we enter into written contracts with them to impose appropriate security obligations on them.

We may also share your personal data with third parties who act as controllers of that data. We may share your personal data with:

  • consultants and professional advisors, including our lawyers and accountants;
  • prospective sellers, buyers, or other third parties if we transfer, purchase, reorganize, merge, or sell any part of our business;
  • business partners;
  • courts and court-appointed persons/entities;
  • trade associations;
  • our insurers; and
  • government departments and statutory and regulatory bodies, including data protection regulators, law enforcement, and tax/revenue offices


8. Is your personal data sent outside your home country?

Mandolin is a global organisation that operates in many countries. We may share your personal information with other group or affiliated companies, our service providers, and other third parties that may be located in other countries. Although the data protection laws of these various countries may differ from those in your own country, we will take appropriate measures to ensure that your personal information is handled as described in this Privacy Notice and in accordance with the applicable law.

If we transfer your personal data outside the UK or EEA (including to our group or affiliated companies), we will implement appropriate safeguards for that transfer in accordance with the applicable law, such as implementing standard contractual clauses for data transfers approved by the relevant data protection authorities or by transferring your data to countries which have been deemed by the relevant data authorities to provide adequate levels of data protection. If you would like to receive more information on the safeguards that we implement, including copies of relevant clauses of data transfer contracts, please contact us as indicated below.

9. How do we protect your personal data?

We take the security of the personal information we collect seriously. We have implemented and maintain technical and organisational security measures (as required by applicable data protection laws) to protect your personal information from accidental or unlawful destruction, damage, loss, alteration or unauthorised disclosure or access.  

Unfortunately, the transmission of information over the internet or public communications networks can never be completely secure and we therefore cannot 100 per cent guarantee the security of personal data that you provide to us online.


10. For how long will we keep your information?

We will keep your personal data only for as long as is necessary for the purposes outlined in this Privacy Notice, or for the duration required by any legal, regulatory, accounting or reporting requirements, whichever is longer. We will only ever retain your personal data for a limited period of time.

To determine the appropriate retention period for your personal data, we consider the amount, nature and sensitivity of the personal data, the purposes for which we process it, applicable legal requirements or operational retention needs and whether we can achieve those purposes through other means.

Upon expiry of the applicable retention period, we will securely destroy your personal data in accordance with applicable laws and regulations. In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case it is no longer personal data. 


11. Automated decision making

Automated decisions are where a computer makes decisions about you without a person being involved. Profiling is the recording and analysis of a person's psychological and behavioural characteristics, to assess or predict their capabilities or to assist in identifying or classifying categories of people.

Mandolin does not make automated decisions about, or profile, its clients or customers.


12. What are your personal data protection rights?

Certain applicable data protection laws give you specific rights in relation to your personal data. In particular, if the processing of your personal data is subject to data protection law in the UK and EEA, you have the following rights in relation to your personal data:

Right of access: If you ask us, we will confirm whether we are processing your personal data and, subject to certain conditions, we will provide you with a copy of that personal data along with certain other details such as the purpose(s) of the data processing. 

Right to rectification: If your personal data is inaccurate or incomplete, you are entitled to ask that we correct or complete it.   Please help us to keep your personal data up to date by letting us know of any changes to your personal data (including changes to your contact details) as soon as possible.

Right to erasure: Subject to certain conditions, you may ask us to delete or remove your personal data, such as where we no longer need the personal data for the purposes for which it was collected or our legal basis for the processing is your consent and you withdraw consent.  

Right to restrict processing: You may ask us to restrict or 'block' the processing of your personal data in certain circumstances, such as where you contest the accuracy of the personal data or object to us processing it. We will tell you before we lift any restriction on processing. 

Right to data portability: You have the right to obtain from us (or to have transferred to another controller) your personal data that we process by automated means on the basis of your consent or necessity for a contract with you. We will provide the personal data in a structured, commonly used and machine-readable format. 

Right to object: You may object to our processing your personal data, and we will stop processing your personal data if (i) we are relying on a legitimate interest to process your personal data, unless we demonstrate compelling legitimate grounds for the processing or (ii) we are processing your personal data for direct marketing purposes.

Right to withdraw consent: If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing of your personal data carried out before we received notice that you wished to withdraw your consent.


13. Right of complaint to your data protection authority

If you have a concern about our privacy practices, including the way we handled your personal data, we would appreciate the opportunity to put it right. However, you may be able to make a complaint to your data protection regulator. 

If you are located in the UK, you have the right to complain to the Information Commissioner's Office (ICO) (https://ico.org.uk/).

If you are located in the EEA, you have the right to complain to the competent data protection authority for your jurisdiction, a list of which can be found at https://edpb.europa.eu/about-edpb/board/members_en.


14. Third party notices

This Privacy Notice may contain links to other third party websites. We are not responsible for the content of these other sites and you should read the privacy notices provided by such websites.


15. Changes to this privacy notice

We keep our Privacy Notice under regular review. Any changes we may make to our Privacy Notice in the future will be posted to this Site. Please check back frequently to see any updates or changes to this Privacy Notice.


16. How to contact us

If you have any questions about this notice or how we handle your personal data, please contact our Data Protection Officer at dpo@mandolinrestaurant.com.

Appendix 1

Privacy Notice (United States)

If you have any questions about this notice or how we handle your personal data, please contact our Data Protection Officer at dpo@mandolinrestaurant.com.

The following information is added to the Privacy Notice:

“Do Not Track” requests

Our Sites currently do not respond to “do not track” or similar signals.

Third-Party websites and social media

Our Sites may contain links to other websites, including those of third parties or partners. While we seek to link only to sites that share our high standards and respect for privacy, we cannot be responsible for the privacy practices other websites use. By accessing other third party websites or applications through our Sites, you are consenting to the terms and privacy policies of those websites. It is possible that other parties may collect personally identifiable information about your online activities over time and across different websites when you use our Sites. 

Our Sites may include social media features, such as Facebook “Likes” or “Recommend” buttons, Pinterest, Twitter, Tumblr, and YouTube. These social media features may require cookies to be set to function properly. These features may also collect personal information such as your IP address. These features are governed by the privacy notice/policy of the social media platform. Please review the privacy notice/policy of the social media platforms to learn how they protect your information. 


Users only of legal age of majority

Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are under 13, do not use or provide any information on this service or on or through any of its features/register on the services or provide any information about yourself to us, including your name, address, telephone number, e-mail address or any screen name or user name you may use. If we learn we have collected or received personal data from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13 without verifiable parental consent, please contact us at dpo@mandolinrestaurant.com.

Appendix 2

Privacy Notice (California)

We adopt this supplemental privacy notice to comply with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the 'CCPA').  This notice applies solely to website visitors and customers who reside in the State of California. Any terms defined in the CCPA have the same meaning when used in this notice. 

What information do we collect? 

We may collect the personal information categories listed in below:

Personal information category: Identifiers, such as real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, or other similar identifiers.
Source: Directly from you. For example, from forms you complete.
Sold or shared: We do not sell or share this information.

Personal information category: Categories of personal information described in Cal. Civ. Code § 1798.80(e), such as name, signature, physical characteristics or description, address, telephone number, bank account number, credit card number, debit card number, or any other financial information.
Source: Directly from you. For example, from forms you complete.
Sold or shared: We do not sell or share this information.

Personal information category: Characteristics of protected classifications under state or federal law, such as age, citizenship, and sex (including gender, gender identity, gender expression, pregnancy or childbirth, and related medical conditions).
Source: Directly from you. For example, from forms you complete.
Sold or shared: We do not sell or share this information.

Personal information category: Commercial information, such as records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Source: Directly from you.  For example, from forms you complete. Indirectly from you. For example, from observing your actions on our Site.
Sold or shared: We do not sell or share this information.

Personal information category: Biometric information
Source: No
Sold or shared: We do not sell or share this information.

Personal information category: Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
Source: Indirectly from you.  For example, from observing your actions on our Site.
Sold or shared: We do not sell or share this information.

Personal information category: Geolocation data
Source: Directly from you.  For example, from forms you complete.
Indirectly from you. For example, from observing your actions on our Site.     Sold or shared: We do not sell or share this information.

Personal information category: Audio, electronic, visual, thermal, olfactory, or similar information.
Source: Directly from you. For example, from video you upload to our Sites. Indirectly from you. For example, from observing your actions on our Sites (from CCTV footage).
Sold or shared: We do not sell or share this information.

Personal information category: Inferences drawn from other personal information to create a profile about a consumer reflecting a consumer’s preferences, characteristics, and trends.
Source: Indirectly from you. For example, we may combine various piece of personal information to develop inferences.
Sold or shared: We do not sell or share this information.

Personal information category: Sensitive Personal Information (sexual orientation data, data related to race and ethnic origin, disability data, account login information, financial account information, debit and credit card numbers with any required security code, password, or credentials allowing access to an account, and geolocation data).
Source: Directly from you. For example, from forms you complete.
Sold or shared: We do not sell or share this information.

Personal information does not include: publicly available information lawfully made available from government records, deidentified or aggregated consumer information, or information excluded from the CCPA.

How do we use your personal information?

We may use or disclose the personal information as discussed in this Privacy Notice. 

We will not collect additional categories of personal information or use the personal information we collect for material different, unrelated, or incompatible purposes without providing you with notice. 

What are your personal data protection rights?

Residents of the California have certain rights. Please note that the below rights are not absolute, and we may be entitled to refuse requests, wholly or in part, where exceptions under applicable law apply. 

Right to Access

You have the right to access personal information that we may collect or retain about you. If requested, we shall provide you with a copy of your personal information which we collected as permitted by the CCPA.

You also have the right to receive your personal information in a structured and commonly used format so that it can be transferred to another entity ('data portability'). 

Right to Know

You have the right to request that we disclose the following about your personal information, as defined by the CCPA:

  • The specific personal information we may collect;
  • The categories of personal information we may collect;
  • The categories of sources from which we may collect your personal information;
  • The business purpose(s) for collecting or sharing your personal information;
  • The categories of personal information we may disclose for business purposes; and
  • The categories of third parties to whom we may share your personal information.

Right to Opt-Out / Do not sell my personal information

You have the right to opt-out of sharing your personal information with third parties for some purposes, including sharing that may be defined as a sale under applicable laws. You can opt-out of this sharing by clicking on the “Do Not Sell or Share My Information” link at the bottom of our homepage and submitting a request via the authorized methods. 

You also may have a right to opt-out of the use of curtained automated decision-making technology.

Do not share or disclose my sensitive personal information

We collect sexual orientation data, data related to race and ethnic origin, disability data, account login information, financial account information, debit and credit card numbers with any required security code, password, or credentials allowing access to an account, and geolocation data.

Right to deletion

In certain circumstances, you have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (instructions and description below), we will delete, and, as applicable, direct our service providers to delete, your personal information from our records, unless an exception applies.

We may deny your request to delete your personal information if retaining the information is necessary for us or our service providers, subject to certain exemptions in the CCPA.

Right to correct / right to rectification

In certain circumstances, you have the right to request correction of any inaccurate personal information. Upon verifying the validity of a valid consumer correction request, we will use commercially reasonable efforts to correct your personal information as directed, taking into account the nature of the personal information and the purposes of maintaining your personal information.

Right to non/discrimination

We will not discriminate against you for exercising any of your rights under the CCPA. Unless permitted by the CCPA, we will not:

  • Deny you goods or services;
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide you with a different level or quality of goods or services; or
  • Suggest that you receive a different price or rate for goods or services or a different level or quality of goods or services. 

California shine the light law

California Civil Code Section 1798.83 permits our visitors who are California residents to request certain information regarding our disclosure of personal data to third parties for their direct marketing purposes. To make such a request, please contact dpo@mandolinrestaurant.com.

Exercising your rights

If you are a resident of California, you can exercise any of your rights as described in this Notice and under the CCPA by emailing us at dpo@mandolinrestaurant.com. Except as provided for under applicable privacy laws, there is no charge to exercise any of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may (as permitted under the CCPA):

  • Charge a reasonable fee taking in account the administrative costs of providing the information or taking the action requested; or 
  • Refuse to act on the request and notify you of the reason for refusing the request.

What personal information do i provide to verify my identity?

We take the privacy of your personal information seriously and want to ensure that we provide only you or your authorized agent with your personal information. Applicable law also requires that we verify the identity of each person who makes a request to know what personal information we have about you or to delete the personal information we have about you. To verify your identity, we may ask you to provide your:

  • First name
  • Last name*
  • Middle initial
  • Email address
  • Phone number
  • Order number
  • *required field

How do you verify my identity?

We may verify your identity in a few different ways in order to balance the requirements of the CCPA and our obligation to keep your information private.  When you make your request, you may be asked to answer a few questions about yourself to help us validate your identity. This is a two-step process using information unique to you, such as an order number, a product in an order, an address or email address, etc.

In some instances, we may ask you to provide other documentation to verify your identity. If this happens, we will reach out to you directly with this request.

What if you can’t verify my identity?

If we can’t verify your identity, we will not be able to process your request to know what personal information we have about you or to delete the personal information we have about you. If we are unable to verify your identity with a high degree of certainty, we will only be able to provide a report with category-level information and we may not be able to delete some of your information.

How to submit a request using an authorized agent

An authorized agent is a person or business who has authorization to request to know what personal information we have about you, to delete the personal information we have about you, or to opt out of the sale of personal information on behalf of a California resident. Authorized agents use the same links described above to submit requests.

If you are submitting a request on behalf of another person, we require a valid power of attorney or other documentation demonstrating your authority to submit this request. This can be a letter or other documentation signed by the California resident authorizing you to submit this request. You can download a sample letter from the request form.

How do I send you my documentation?

If you submit a request via email at dpo@mandolinrestaurant.com, you must include the appropriate above listed documentation in order for us to act on your request.

Response timing and format

We will confirm receipt of a request within 10 days and provide information about how we will process the request. We endeavor to substantively respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.  If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosure we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

If you wish to appeal our decision, please submit your appeal to the above contact information.  Please clearly denote that it is an appeal.