Privacy Policy

This Privacy Policy explains how Firehouse Subs ("we," "us," "our," or the "Company") collects, uses, discloses, retains, and protects your personal information when you visit our website at fire-housesub.com, use our digital services, place orders online, participate in our loyalty programs, or otherwise interact with us. We are committed to protecting your privacy and handling your personal information in an open and transparent manner.

This Privacy Policy applies to all personal information collected by Firehouse Subs in connection with our food services, website, mobile applications, and any other digital touchpoints we operate or maintain. Please read this policy carefully before using our website or providing us with your personal information.

By accessing or using our website and services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not use our website or services.

1. Who We Are and How to Contact Us

Firehouse Subs is a food service company operating in Canada, dedicated to providing high-quality submarine sandwiches, meals, and related food and beverage products. We take our responsibilities under Canadian privacy law seriously and are committed to maintaining the trust and confidence of our customers.

For all privacy-related inquiries, requests, or complaints, you may contact us using the following details:

We have designated a Privacy Officer who is responsible for overseeing our compliance with applicable privacy legislation. You may direct all privacy-related inquiries to the email address listed above and mark your correspondence to the attention of our Privacy Officer.

2. Applicable Laws and Legal Framework

As a company operating in Canada, Firehouse Subs complies with the following applicable privacy and data protection legislation:

• The Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada's federal private sector privacy law, which governs the collection, use, and disclosure of personal information in the course of commercial activities.
• Canada's Anti-Spam Legislation (CASL) — which governs electronic commercial messages, including email marketing and promotional communications.
• Provincial Privacy Laws — including applicable provincial legislation such as the Personal Information Protection Act (PIPA) of Alberta and British Columbia, and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / Bill 64), as may be applicable based on where you are located in Canada.

We also acknowledge and align our practices with international standards, including the principles established under the General Data Protection Regulation (GDPR) of the European Union, which serves as a global benchmark for privacy and data protection best practices. While GDPR may not directly apply to all our users, we strive to meet its high standards as part of our commitment to privacy excellence.

3. Personal Information We Collect

We collect various categories of personal information depending on how you interact with us. "Personal information" means any information about an identifiable individual, as defined under PIPEDA and applicable Canadian privacy law.

3.1 Information You Provide Directly

When you interact with us — by creating an account, placing an order, signing up for our loyalty program, making a reservation, or contacting our customer service — you may provide us with:

• Identity Information: First name, last name, username or display name.
• Contact Information: Email address, telephone number, postal address, and province or territory of residence.
• Account Credentials: Username and password used to access your account.
• Order and Transaction Information: Details about food and beverage items you order, order history, payment method type (we do not store full payment card details), billing address, and transaction amounts.
• Dietary Preferences and Allergy Information: If you voluntarily provide information about food preferences, dietary restrictions, or allergies, we may collect and process this data to customize your experience and ensure your safety.
• Loyalty Program Information: Points accumulated, rewards redeemed, and participation history in any promotional programs.
• Communications Content: Messages, feedback, reviews, complaints, or inquiries you send to us via email, contact forms, or social media channels.
• Survey and Feedback Data: Responses you provide when you participate in surveys, competitions, or promotional activities we conduct.

3.2 Information Collected Automatically

When you visit our website or use our digital services, we automatically collect certain technical and usage data, including:

• Device Information: Type of device, operating system, browser type and version, screen resolution, and unique device identifiers.
• Log and Usage Data: IP address, date and time of your visit, pages you viewed, links you clicked, time spent on each page, referring URL, and other browsing behavior on our website.
• Location Data: General geographic location inferred from your IP address. If you grant permission via your browser or mobile device settings, we may collect more precise location data to assist you in finding the nearest Firehouse Subs location.
• Cookie and Tracking Data: Information collected through cookies, web beacons, pixel tags, and similar tracking technologies. Please refer to Section 9 of this Privacy Policy for more details on our use of cookies.
• Session Data: Information about your browsing session including items added to your cart, pages visited, and navigation patterns.

3.3 Information from Third Parties

We may also receive personal information about you from third-party sources, including:

• Social Media Platforms: If you log in to our website or services using a social media account (such as Facebook or Google), we may receive information from that platform as permitted by your privacy settings on that platform, including your name, email address, and profile picture.
• Payment Processors: Our payment processing partners may share transaction confirmation and fraud prevention data with us.
• Marketing and Analytics Partners: We may receive aggregated or anonymized demographic and interest data from third-party analytics and advertising partners.
• Publicly Available Sources: Information that is publicly available, such as information you post on social media relating to our brand or products.

4. How We Use Your Personal Information

We process your personal information only for legitimate and specified purposes, and only when we have an appropriate legal basis to do so. Under PIPEDA, we rely on your knowledge and consent, except where the law authorizes us to collect, use, or disclose information without consent.

4.1 Service Provision and Order Fulfillment

• To process and fulfill your food orders, including delivery or pick-up arrangements.
• To create, manage, and maintain your account with us.
• To manage your loyalty program membership, track points, and process reward redemptions.
• To respond to your inquiries, provide customer support, and resolve complaints or disputes.
• To process payments and manage billing information.
• To notify you about the status of your orders and any changes to your account.
• To provide you with menu information, nutritional content, and allergen details.

4.2 Analytics and Service Improvement

• To analyze how users interact with our website and digital services in order to improve their functionality, performance, and user experience.
• To monitor and analyze trends, usage patterns, and preferences to develop new products, menu items, and services.
• To conduct internal research, business analysis, and reporting.
• To test, maintain, and improve the security and stability of our website and systems.
• To conduct surveys and gather feedback about our products and services.

4.3 Marketing and Communications

• To send you promotional offers, special deals, newsletters, and marketing communications, where you have provided your consent in accordance with CASL requirements.
• To personalize our marketing and advertising content based on your preferences, order history, and browsing behavior.
• To display targeted advertisements on our website and on third-party platforms where you have consented to such targeting.
• To administer contests, sweepstakes, promotions, and other events in which you choose to participate.

You may withdraw your consent to receive marketing communications at any time by clicking the "Unsubscribe" link in any of our emails or by contacting us at [email protected]. Please note that withdrawing consent for marketing communications will not affect our ability to send you transactional or service-related communications.

4.4 Legal and Compliance Purposes

• To comply with applicable laws, regulations, legal processes, and governmental requests.
• To enforce our Terms and Conditions, contracts, and other agreements.
• To detect, prevent, and investigate fraud, security breaches, and other potentially prohibited or illegal activities.
• To protect the rights, property, and safety of Firehouse Subs, our customers, and the public.

5. Disclosure and Sharing of Personal Information

We do not sell your personal information to third parties. We may, however, share your personal information with the following categories of recipients for the purposes described in this Privacy Policy:

5.1 Service Providers and Business Partners

We engage trusted third-party service providers who perform functions on our behalf, including:

• Payment processing and fraud prevention companies
• Food delivery and logistics partners
• Cloud hosting, data storage, and IT infrastructure providers
• Email and marketing automation platforms
• Website analytics providers (such as Google Analytics)
• Customer relationship management (CRM) software providers
• Customer support and help desk service providers

These service providers are contractually required to use your personal information only for the purposes for which it was shared, to maintain appropriate security measures, and to comply with applicable Canadian privacy legislation.

5.2 Legal Requirements and Law Enforcement

We may disclose your personal information when required to do so by law, or when we reasonably believe that disclosure is necessary to:

• Comply with a legal obligation, court order, or government request under Canadian law
• Protect and defend our legal rights or property
• Prevent or investigate possible wrongdoing in connection with our services
• Protect the personal safety of users of our services or the public
• Protect against legal liability

5.3 Business Transfers

In the event of a merger, acquisition, sale of assets, financing, or reorganization of our business, your personal information may be transferred to the acquiring or successor entity. We will notify you via a prominent notice on our website or by email if your personal information becomes subject to a different privacy policy as a result of such a transaction.

5.4 Franchise Partners

As a franchise food operation, we may share certain operational and customer data with franchisee partners operating Firehouse Subs locations in Canada. Such sharing is done only to the extent necessary to fulfill your orders, manage your loyalty account, or provide customer service at a specific franchise location. All franchise partners are required to comply with applicable Canadian privacy law.

5.5 Aggregated or De-Identified Data

We may share aggregated, anonymized, or de-identified data that does not directly identify you with third parties for research, marketing, analytics, and business development purposes.

6. International Data Transfers

Firehouse Subs operates within Canada; however, some of our third-party service providers and partners may be located in other countries, including the United States or other jurisdictions outside Canada. As a result, your personal information may be transferred to, stored, and processed in countries other than Canada, where privacy laws may differ from those in your province or territory.

When we transfer your personal information internationally, we take steps to ensure that adequate protections are in place to safeguard your information in accordance with PIPEDA and applicable provincial privacy legislation, including:

• Entering into data processing agreements that include appropriate contractual clauses requiring recipients to protect personal information to a standard comparable to Canadian requirements
• Verifying that recipient countries have been deemed to provide adequate levels of data protection
• Implementing additional technical and organizational security measures

You acknowledge that by using our services, your personal information may be transferred outside of Canada. You may contact us at [email protected] for more information about our international data transfer practices and the safeguards we have in place.

7. Data Security

We take the security of your personal information seriously and implement a variety of technical, administrative, and physical safeguards designed to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction.

7.1 Security Measures We Implement

• Encryption: We use Secure Sockets Layer (SSL) / Transport Layer Security (TLS) encryption to protect data transmitted between your browser and our website. Sensitive data stored in our systems is encrypted at rest using industry-standard encryption protocols.
• Access Controls: We restrict access to personal information to authorized employees, contractors, and service providers who need it to perform their job functions. Access is governed by role-based permissions and multi-factor authentication where appropriate.
• Firewalls and Intrusion Detection: Our systems are protected by firewalls, intrusion detection systems, and other network security technologies.
• Regular Security Assessments: We conduct periodic security audits, vulnerability assessments, and penetration testing to identify and remediate potential security risks.
• Employee Training: Our staff receive regular training on privacy and security best practices, and we maintain internal policies governing the handling of personal information.
• Incident Response: We have procedures in place to identify, respond to, and notify affected individuals and regulatory authorities in the event of a data breach, as required under PIPEDA's breach of security safeguards reporting requirements.

Despite our best efforts, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security. If you believe your personal information has been compromised, please contact us immediately at [email protected].

8. Your Privacy Rights

Under PIPEDA and applicable provincial privacy legislation in Canada, you have the following rights with respect to your personal information. We are committed to honoring these rights and responding to your requests in a timely manner.

8.1 Right of Access

You have the right to request access to the personal information we hold about you. Upon a verifiable request, we will provide you with a copy of your personal information in our possession, along with information about how it has been used and disclosed.

8.2 Right to Correction

You have the right to request the correction of any inaccurate, incomplete, or out-of-date personal information we hold about you. We will take reasonable steps to correct your information and, where appropriate, notify third parties to whom the information has been disclosed.

8.3 Right to Withdrawal of Consent

Where we process your personal information based on your consent, you have the right to withdraw that consent at any time. Please note that withdrawal of consent may affect our ability to provide you with certain services or features. Withdrawal of consent does not affect the lawfulness of any processing conducted prior to its withdrawal.

8.4 Right to Erasure (Deletion)

In certain circumstances, you may have the right to request that we delete your personal information. We will honor such requests where we are not legally required or otherwise legitimately permitted to retain your information.

8.5 Right to Data Portability

You may have the right to request a copy of your personal information in a structured, commonly used, and machine-readable format, and to have that information transferred to another organization where technically feasible.

8.6 Right to Object to Marketing

You have the right to opt out of receiving marketing and promotional communications from us at any time, without providing any reason. You can do so by clicking the "Unsubscribe" link in any marketing email we send, or by contacting us directly.

8.7 How to Exercise Your Rights

To exercise any of the above rights, please submit a written request to us at:

Email: [email protected]
Subject Line: Privacy Rights Request

We may need to verify your identity before processing your request to ensure we do not disclose your information to unauthorized parties. We will respond to your request within 30 days of receipt, as required under PIPEDA. In complex cases, we may extend this period by an additional 30 days with notice to you.

9. Cookies and Tracking Technologies

Our website uses cookies, web beacons, pixel tags, and similar tracking technologies to enhance your browsing experience, analyze website traffic, and personalize content and advertisements.

9.1 What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They allow websites to recognize your device, remember your preferences, and collect information about your interactions with the website.

9.2 Types of Cookies We Use

• Essential Cookies: These cookies are strictly necessary for the operation of our website. They enable core functions such as security, account login, and online ordering. These cookies cannot be disabled without affecting the functionality of the website.
• Performance and Analytics Cookies: These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. We use tools such as Google Analytics for this purpose.
• Functionality Cookies: These cookies allow our website to remember choices you make (such as your preferred language, location, or saved items in your cart) and provide enhanced, personalized features.
• Marketing and Advertising Cookies: These cookies track your browsing habits to deliver advertising that is more relevant to you and your interests. They may also limit the number of times you see an advertisement and help measure the effectiveness of our advertising campaigns.

9.3 Managing Your Cookie Preferences

You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. However, please note that disabling certain cookies may affect the functionality of our website and your ability to use some of our services.

For more detailed information about how we use cookies, the specific cookies we deploy, and how to manage your cookie preferences, please refer to our Cookie Policy, which is available on our website at fire-housesub.com.

10. Data Retention

We retain your personal information only for as long as is necessary to fulfill the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce our agreements. Our retention periods are determined based on the type of information and the purpose for which it was collected.

Once the applicable retention period has expired, we will securely delete or anonymize your personal information in accordance with our data disposal procedures. In some cases, we may be required to retain certain information for longer periods to comply with legal or regulatory obligations.

11. Children's Privacy

If you are under 18 years of age, please do not use our website or provide us with any personal information. If we become aware that we have inadvertently collected personal information from a child under the age of 18 without appropriate consent, we will take immediate steps to delete such information from our records.

If you are a parent or guardian and you believe that your child has provided us with personal information without your consent, please contact us at [email protected] so that we can promptly address the situation.

12. Links to Third-Party Websites

Our website may contain links to third-party websites, applications, or services that are not operated or controlled by Firehouse Subs. These include, but are not limited to, social media platforms, delivery partner websites, and payment processing pages.

This Privacy Policy applies solely to our website and services. We are not responsible for the privacy practices or content of any third-party websites. We encourage you to review the privacy policies of any third-party websites you visit before providing them with your personal information. Firehouse Subs does not endorse or make any representations about third-party websites, and we disclaim all liability in connection with your use of such websites.

13. Social Media and User-Generated Content

Our website and services may include social media features, such as "Like" buttons, "Share" buttons, and social media login options. These features may collect your IP address, track which pages you visit on our website, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our website. Your interactions with these features are governed by the privacy policy of the applicable social media company.

If you submit reviews, comments, or other content through our website or social media channels, please be aware that such content may be visible to other users and to the public. We encourage you not to include sensitive personal information in public posts or reviews.

14. Automated Decision-Making and Profiling

We may use automated decision-making processes, including profiling, to personalize your experience, recommend menu items, deliver targeted marketing, and analyze customer trends. These processes involve analyzing information such as your order history, browsing behavior, location, and stated preferences.

No automated decision-making process we employ produces decisions that have significant legal effects or otherwise significantly affect you in a way that requires human review. If you have concerns about any automated decision made in relation to your account or services, please contact us at [email protected].

15. How to File a Privacy Complaint

If you have concerns about our privacy practices or believe that we have not handled your personal information in accordance with applicable Canadian privacy law, we encourage you to contact us first so that we have the opportunity to address your concerns directly.

15.1 Internal Complaint Process

1. Submit your complaint in writing to [email protected], clearly describing the nature of your concern.
2. We will acknowledge receipt of your complaint within 5 business days.
3. We will investigate your complaint and provide you with a written response within 30 days of receiving it.
4. If we require additional time to investigate, we will notify you and provide a revised timeline.

15.2 Complaint to the Office of the Privacy Commissioner of Canada (OPC)

If you are not satisfied with our response, or if you wish to escalate your complaint, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC), the federal authority responsible for overseeing compliance with PIPEDA:

15.3 Provincial Privacy Commissioners

Depending on your province of residence, you may also have the right to file a complaint with your provincial privacy commissioner:

• Alberta: Office of the Information and Privacy Commissioner of Alberta — www.oipc.ab.ca
• British Columbia: Office of the Information and Privacy Commissioner for BC — www.oipc.bc.ca
• Quebec: Commission d'accès à l'information du Québec (CAI) — www.cai.gouv.qc.ca

16. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our business practices, legal requirements, or other operational needs. We will post the revised Privacy Policy on our website at fire-housesub.com and update the "Last Updated" date at the top of this page.

For material changes to this Privacy Policy that affect how we collect or use your personal information, we will make reasonable efforts to notify you in advance, such as by sending a notice to the email address associated with your account or by displaying a prominent notice on our website.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our website and services after any changes to this Privacy Policy constitutes your acceptance of the revised policy.

17. Consent

By using our website and services, you consent to the collection, use, and disclosure of your personal information in accordance with this Privacy Policy and applicable Canadian privacy legislation. Where required by law, we will obtain your express consent before collecting, using, or disclosing your personal information for any purposes beyond those described in this Privacy Policy.

You may withdraw your consent at any time by contacting us at [email protected]. Please note that withdrawing consent may limit our ability to provide you with certain services or features.

18. Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or our privacy practices, or if you wish to exercise any of your rights under applicable Canadian privacy law, please do not hesitate to contact our Privacy Officer:

This Privacy Policy was last reviewed and updated on June 23, 2026, and is effective as of that date.