Privacy Policy

Effective Date: June 28, 2026  |  Last Updated: June 28, 2026

1. Introduction and Our Commitment to Privacy

Firehouse Subs ("we," "us," "our," or "the Company") is committed to protecting the privacy and security of your personal information. As a food service provider operating in Canada, we understand the trust you place in us when sharing your personal data, and we take that responsibility seriously.

This Privacy Policy applies to all personal information collected through our website fireehousessub.com, our mobile applications, our in-store services, loyalty programs, promotional activities, online ordering systems, and any other services we provide (collectively referred to as "Services"). By accessing or using our Services, you acknowledge that you have read, understood, and agree to the terms outlined in this Privacy Policy.

Our privacy practices comply with Canada's federal privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA), as well as applicable provincial privacy laws, including the Personal Information Protection Act (PIPA) in Alberta and British Columbia, and Quebec's Act respecting the protection of personal information in the private sector (Law 25). We also align our practices with international standards, including the principles of the General Data Protection Regulation (GDPR), which is widely regarded as the global benchmark for data privacy.

We are dedicated to ensuring that your personal information is handled responsibly, transparently, and with the highest standards of security and confidentiality.

2. Who We Are

For the purposes of this Privacy Policy, the data controller responsible for your personal information is:

Company Name: Firehouse Subs

Website: fireehousessub.com

Email: [email protected]

Location: Canada

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact us using the details provided in Section 16 of this policy.

3. Information We Collect

We collect various types of personal information depending on how you interact with our Services. Below is a comprehensive overview of the categories of data we may collect:

3.1 Personal Identification Information

When you create an account, place an order, join our loyalty program, participate in a promotion, or contact us, we may collect:

  • Full name
  • Email address
  • Phone number
  • Date of birth (for age verification and birthday promotions)
  • Mailing and billing address
  • Username and password (for account-based services)
  • Profile photograph (if voluntarily provided)

3.2 Payment and Transaction Information

When you make purchases through our Services, we collect transactional data including:

  • Payment card information (credit or debit card numbers, expiry dates, CVV codes — processed securely through third-party payment processors)
  • Billing address
  • Order history, including items purchased, quantities, and prices
  • Transaction identifiers and confirmation numbers
  • Gift card numbers and balances

Please note: We do not store complete payment card information on our own servers. All payment processing is handled by PCI-DSS compliant third-party payment processors.

3.3 Usage and Behavioral Data

We automatically collect certain information when you visit our website or use our mobile application:

  • Pages visited and time spent on each page
  • Browsing patterns and navigation paths through our website
  • Search queries made within our platform
  • Menu items viewed, added to cart, or purchased
  • Frequency and timing of visits
  • Features used and interactions with our Services
  • Referring URLs (the website you visited before ours)
  • Exit pages

3.4 Device and Technical Information

We collect technical information about the devices you use to access our Services:

  • IP address
  • Device type, model, and operating system
  • Browser type and version
  • Screen resolution and language settings
  • Unique device identifiers
  • Mobile network information
  • Time zone settings
  • Crash data and performance logs

3.5 Location Information

With your consent, we may collect precise or approximate location data to:

  • Help you find the nearest Firehouse Subs location
  • Facilitate delivery order routing
  • Provide location-based promotions and offers
  • Improve our Services in your region

You can control location permissions through your device settings at any time.

3.6 Communications and Customer Service Data

When you communicate with us, we may collect:

  • Content of emails, messages, or feedback forms submitted to us
  • Records of telephone calls (where permitted by applicable law and with appropriate notice)
  • Customer service inquiry records
  • Survey responses and feedback
  • Social media interactions and mentions

3.7 Loyalty Program and Promotional Data

If you participate in our loyalty or rewards program, we collect:

  • Rewards points balances and redemption history
  • Promotional offer redemptions
  • Participation in contests and sweepstakes
  • Communication preferences

3.8 Cookie and Tracking Technology Data

We use cookies and similar tracking technologies to collect data about your interactions with our website. For detailed information, please refer to Section 11 (Cookie Policy Summary) of this Privacy Policy.

4. How We Collect Your Information

We collect personal information through several methods:

  • Directly from you: When you register for an account, place an order, fill out forms, contact our customer service team, participate in surveys or promotions, or otherwise voluntarily provide information to us.
  • Automatically: Through cookies, web beacons, pixel tags, and other tracking technologies when you visit our website or use our mobile application.
  • From third parties: We may receive information from business partners, social media platforms (if you log in using a social media account), analytics providers, advertising networks, and payment processors.
  • From public sources: Publicly available information may be combined with the data we hold about you in limited circumstances.

5. How We Use Your Information

We use the personal information we collect for specific, legitimate purposes as outlined below. We process your data only where we have a valid legal basis to do so under PIPEDA and applicable provincial privacy laws.

5.1 Service Provision and Order Fulfillment

The primary purpose for which we collect your personal information is to provide you with our food services and related offerings, including:

  • Processing and fulfilling your food orders (dine-in, takeout, or delivery)
  • Managing your account registration and authentication
  • Administering our loyalty and rewards program
  • Processing payments and preventing fraudulent transactions
  • Sending order confirmations, receipts, and delivery updates
  • Responding to your inquiries and customer service requests
  • Managing gift card programs

5.2 Marketing and Promotional Communications

With your consent, we may use your information to:

  • Send you promotional emails, newsletters, and special offers
  • Notify you about new menu items, seasonal specials, and limited-time promotions
  • Send birthday or anniversary offers as part of our loyalty program
  • Conduct targeted advertising campaigns on third-party platforms
  • Personalize the content and offers you see on our website and app
  • Re-engage you with relevant content based on your order history and preferences

You may withdraw your consent to marketing communications at any time by using the unsubscribe link in any marketing email we send, or by contacting us at [email protected].

5.3 Analytics and Service Improvement

We use data analytics to understand how our Services are used and to continuously improve them:

  • Analyzing website traffic patterns and user behavior
  • Evaluating the performance of marketing campaigns
  • Understanding customer preferences and food ordering trends
  • Optimizing our menu offerings and pricing strategies
  • Improving website functionality, navigation, and user experience
  • Conducting internal research and business intelligence reporting

5.4 Legal Compliance and Security

We may process your personal information to:

  • Comply with applicable laws, regulations, and legal obligations under Canadian federal and provincial law
  • Respond to lawful requests from government authorities and law enforcement agencies
  • Detect, prevent, and investigate fraud, unauthorized access, or other illegal activities
  • Enforce our terms of service and other agreements
  • Protect the rights, property, and safety of our customers, employees, and business
  • Maintain accurate business records as required by Canadian tax and business regulations

5.5 Business Operations

We may also use your information for internal business purposes such as:

  • Staff training and quality assurance
  • Business planning and forecasting
  • Franchise operations and management reporting
  • Insurance and risk management purposes

6. Disclosure and Sharing of Your Personal Information

We respect the confidentiality of your personal information and do not sell your data to third parties. However, we may share your information in the following circumstances:

6.1 Service Providers and Business Partners

We engage trusted third-party service providers who perform services on our behalf. These providers are contractually obligated to protect your information and may only use it for the specific purposes for which we engage them. Such providers may include:

  • Payment processors: To securely handle financial transactions
  • Delivery platforms: To fulfill delivery orders and coordinate logistics
  • Cloud storage and hosting providers: To store data securely
  • Email and communication service providers: To send transactional and marketing communications
  • Analytics providers: Such as Google Analytics, to understand website performance
  • Customer relationship management (CRM) software providers
  • Marketing and advertising technology platforms
  • Loyalty program technology providers
  • Fraud prevention and identity verification services

6.2 Franchise Operators

If you visit or interact with a franchise-operated Firehouse Subs location, relevant transaction and order data may be shared with the respective franchisee to fulfill your order and provide customer service. Franchise operators are required to maintain privacy practices consistent with this policy.

6.3 Legal and Regulatory Disclosures

We may disclose your personal information if required to do so by law or in response to:

  • Court orders, subpoenas, or other legal processes
  • Requests from federal, provincial, or municipal law enforcement or regulatory authorities
  • Requirements under the Income Tax Act, the Excise Tax Act, or other Canadian tax legislation
  • Obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act

6.4 Business Transfers

In the event that Firehouse Subs undergoes a merger, acquisition, corporate restructuring, sale of assets, or similar transaction, your personal information may be transferred to the acquiring entity as part of the transaction. We will notify you of any such change and ensure that the recipient organization maintains appropriate privacy protections consistent with this policy.

6.5 With Your Consent

We may share your personal information with other third parties where you have provided us with express consent to do so.

7. Data Security

We take the security of your personal information very seriously and have implemented a comprehensive set of technical, administrative, and physical safeguards to protect your data against unauthorized access, use, disclosure, alteration, or destruction.

7.1 Technical Security Measures

  • Encryption: All data transmitted between your browser and our servers is protected using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) encryption protocols. Sensitive data at rest is also encrypted.
  • Firewalls and intrusion detection: Our network infrastructure is protected by advanced firewall systems and intrusion detection/prevention tools.
  • Access controls: Access to personal information is strictly limited to authorized personnel on a need-to-know basis, using role-based access controls and multi-factor authentication.
  • Regular security assessments: We conduct periodic vulnerability scans and penetration testing to identify and remediate security weaknesses.
  • PCI-DSS compliance: Our payment systems comply with the Payment Card Industry Data Security Standard to protect cardholder data.

7.2 Administrative Security Measures

  • Employee training on data privacy and security practices
  • Confidentiality agreements with staff and third-party service providers
  • Internal data governance policies and procedures
  • Incident response and data breach notification procedures

7.3 Data Breach Response

In the unlikely event of a privacy breach that poses a real risk of significant harm to individuals, we will notify affected individuals and the Office of the Privacy Commissioner of Canada (OPC) in accordance with the breach notification requirements under PIPEDA. We maintain records of all privacy breaches as required by law.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We encourage you to use strong passwords, keep your account credentials confidential, and notify us immediately if you suspect any unauthorized access to your account.

8. Your Privacy Rights

As a resident of Canada, you have several rights regarding your personal information under PIPEDA and applicable provincial legislation. We are committed to honoring these rights promptly and transparently.

8.1 Right of Access

You have the right to request access to the personal information we hold about you, including information about how we use and disclose it. We will provide this information within 30 days of receiving your written request, or we will notify you if an extension is needed.

8.2 Right to Correction

If you believe that the personal information we hold about you is inaccurate, incomplete, or outdated, you have the right to request that we correct or update it. You may also update your account information directly through your online profile.

8.3 Right to Withdraw Consent

Where our processing of your personal information is based on your consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing carried out before your withdrawal. Please note that withdrawing consent to certain processing activities may affect our ability to provide certain services to you.

8.4 Right to Deletion (Right to be Forgotten)

In certain circumstances, you may request the deletion of your personal information from our records. We will honor such requests where we are not required by law or legitimate business purposes to retain the data. Quebec residents have enhanced rights to deletion under Law 25.

8.5 Right to Data Portability

Under Quebec's Law 25 and in alignment with GDPR principles, you may have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to have that data transmitted to another organization where technically feasible.

8.6 Right to Object to Automated Decision-Making

If we use automated decision-making processes (including profiling) that produce legal or similarly significant effects on you, you have the right to request human review of such decisions and to object to their application.

8.7 Right to Opt Out of Direct Marketing

You have the right to opt out of receiving direct marketing communications from us at any time. You can do this by:

  • Clicking the "unsubscribe" link at the bottom of any marketing email
  • Updating your communication preferences in your account settings
  • Contacting us at [email protected]

8.8 Exercising Your Rights

To exercise any of your privacy rights, please submit a written request to us using the contact details in Section 16. We may need to verify your identity before processing your request. We will respond to all legitimate requests within the timeframes required by applicable Canadian privacy law.

Right | Description | Applicable Law | Response Time
Access | Request a copy of your personal data | PIPEDA, Law 25, PIPA | 30 days
Correction | Correct inaccurate or incomplete data | PIPEDA, Law 25, PIPA | 30 days
Deletion | Request erasure of personal data | Law 25, GDPR principles | 30 days
Portability | Receive data in machine-readable format | Law 25, GDPR principles | 30 days
Withdraw Consent | Opt out of consent-based processing | PIPEDA, Law 25 | Immediate/Reasonable
Opt Out of Marketing | Stop receiving promotional communications | Canada's Anti-Spam Legislation (CASL) | 10 business days

9. Data Retention

We retain your personal information only for as long as is necessary to fulfill the purposes for which it was collected, to comply with legal and regulatory obligations, and to resolve disputes or enforce agreements.

9.1 Retention Periods

Data Category | Retention Period | Basis for Retention
Account registration data | Duration of account + 3 years after closure | Service provision, legal obligations
Order and transaction records | 7 years | Canadian tax and accounting laws
Payment information | Duration of transaction processing only | PCI-DSS compliance
Marketing preferences and consents | Until withdrawal of consent + 3 years | CASL compliance
Customer service records | 3 years from last interaction | Customer service quality and legal
Website usage and analytics data | Up to 26 months | Analytics and service improvement
Loyalty program data | Duration of membership + 2 years | Program administration
Security and fraud prevention logs | Up to 2 years | Security and fraud prevention

Once the applicable retention period has expired, we will securely delete, anonymize, or aggregate your personal information in a manner that prevents its reconstruction or re-identification.

10. Children's Privacy

We are committed to protecting the privacy of minors. Our website, online ordering platform, and loyalty program are designed for and restricted to individuals who are 18 years of age or older. By using our Services, you represent and warrant that you are at least 18 years old.

If we become aware that we have inadvertently collected personal information from a child under the age of 18 without verifiable parental consent, we will take immediate steps to delete such information from our records. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at [email protected] so that we can investigate and take appropriate corrective action.

This policy is consistent with the requirements of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the principles outlined in the Convention on the Rights of the Child.

11. Cookie Policy Summary

Our website uses cookies and similar tracking technologies (such as web beacons, pixel tags, and local storage objects) to enhance your experience, analyze website traffic, and deliver personalized content and advertisements.

11.1 Types of Cookies We Use

  • Strictly Necessary Cookies: Essential for the operation of our website, including enabling you to log in, place orders, and use core features. These cannot be disabled.
  • Performance and Analytics Cookies: These cookies collect information about how visitors use our website, helping us identify pages that are popular and understand how users navigate our site. We use tools such as Google Analytics for this purpose.
  • Functional Cookies: These remember your preferences, such as your preferred language, location, and order history, to provide a more personalized experience.
  • Targeting and Advertising Cookies: These are used to deliver advertisements that are more relevant to you and your interests. They may also be used to limit the number of times you see an advertisement and to measure the effectiveness of advertising campaigns.

11.2 Managing Cookie Preferences

Upon your first visit to our website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies. You can also manage your cookie preferences at any time through your browser settings. Please note that disabling certain cookies may impact the functionality of our website and your ability to use certain features.

For more detailed information about the specific cookies we use, how long they persist, and how to manage them, please review our full Cookie Policy available on our website.

We comply with Canada's Electronic Commerce Protection Regulations under CASL regarding electronic tracking and commercial messages.

12. International Data Transfers

Firehouse Subs operates primarily in Canada; however, some of our third-party service providers, technology partners, and cloud infrastructure providers may be located outside of Canada, including in the United States or other jurisdictions.

When we transfer your personal information outside of Canada, we take steps to ensure that adequate protection is in place, including:

  • Entering into data processing agreements with our service providers that incorporate appropriate contractual protections for personal data
  • Verifying that our international partners maintain privacy and security standards equivalent to or greater than those required under Canadian law
  • Conducting due diligence on the privacy and security practices of third-party processors prior to engagement
  • Where applicable, relying on adequacy decisions, standard contractual clauses, or other recognized transfer mechanisms consistent with GDPR-aligned international best practices

By using our Services, you acknowledge that your personal information may be processed in countries outside of Canada where privacy laws may differ from those in your province or territory. We remain responsible for the personal information we share with third-party service providers and take contractual measures to ensure its protection.

Under PIPEDA, we are accountable for personal information that is transferred to a third party for processing, and we use contractual or other means to provide comparable levels of protection while the information is being processed by those parties.

13. Canada's Anti-Spam Legislation (CASL) Compliance

We are fully committed to complying with Canada's Anti-Spam Legislation (CASL), which governs the sending of commercial electronic messages (CEMs) and the use of electronic tracking devices.

We will only send you marketing or promotional emails, text messages, or other electronic communications where:

  • You have provided express consent to receive such communications; or
  • We have implied consent based on a prior existing business relationship (such as a recent purchase or account registration), in which case consent is time-limited

Every commercial electronic message we send will clearly identify Firehouse Subs as the sender and will include an easy, functional mechanism for you to unsubscribe at no cost. All unsubscribe requests will be processed within 10 business days as required by CASL.

14. Third-Party Links and Services

Our website may contain links to third-party websites, social media platforms, delivery applications, and other external services. This Privacy Policy applies only to our own Services and does not govern the privacy practices of any third parties. We encourage you to review the privacy policies of any third-party websites or services you visit before providing them with your personal information.

We are not responsible for the privacy practices, content, or security of any third-party websites or services. The inclusion of a link to a third-party website does not constitute our endorsement of that website or its privacy practices.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our privacy practices, applicable laws, or business operations. When we make material changes to this policy, we will:

  • Update the "Last Updated" date at the top of this page
  • Post a prominent notice on our website informing users of the changes
  • Send a notification to registered account holders via email where the changes are significant

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information. Your continued use of our Services following the posting of any updates constitutes your acknowledgment of the revised policy. Where required by law, we will obtain your consent before implementing material changes to how we process your personal information.

16. Contact Us — Privacy Inquiries

We have designated a Privacy Officer who is responsible for overseeing our compliance with this Privacy Policy and applicable Canadian privacy legislation. If you have any questions, concerns, or requests related to this Privacy Policy or the handling of your personal information, please contact us:

Firehouse Subs — Privacy Office

Company: Firehouse Subs

Website: fireehousessub.com

Email: [email protected]

Location: Canada

When submitting a privacy inquiry or rights request, please include:

  • Your full name and contact information
  • A description of your request or concern
  • Sufficient information to allow us to verify your identity
  • Any supporting documentation relevant to your request

We will acknowledge receipt of your inquiry within 5 business days and aim to provide a full response within 30 days. If we require additional time due to the complexity of your request, we will notify you of the extension and the reasons for it, as permitted under PIPEDA.

17. Filing a Complaint with the Privacy Commissioner

If you are not satisfied with our response to your privacy inquiry or believe that we have not handled your personal information in compliance with applicable Canadian privacy law, you have the right to file a complaint with the relevant privacy authority.

17.1 Office of the Privacy Commissioner of Canada (OPC)

Office of the Privacy Commissioner of Canada

30 Victoria Street, Gatineau, Quebec K1A 1H3

Telephone: 1-800-282-1376 (toll-free)

TTY: 819-994-6591

Website: www.priv.gc.ca

17.2 Provincial Privacy Commissioners

Depending on your province of residence, you may also have the right to file a complaint with a provincial privacy commissioner:

  • Alberta: Office of the Information and Privacy Commissioner of Alberta — www.oipc.ab.ca
  • British Columbia: Office of the Information and Privacy Commissioner for British Columbia — www.oipc.bc.ca
  • Quebec: Commission d'accès à l'information du Québec (CAI) — www.cai.quebec.ca

We encourage you to first contact us directly to resolve any privacy concerns before escalating to a regulatory authority. We are committed to working with you in good faith to address any issues you may have.

18. Glossary of Key Terms

Term | Definition
Personal Information | Any information about an identifiable individual, as defined under PIPEDA and applicable provincial laws.
PIPEDA | Personal Information Protection and Electronic Documents Act — Canada's federal private sector privacy law.
CASL | Canada's Anti-Spam Legislation — law governing commercial electronic messages and electronic tracking.
Law 25 | Quebec's Act respecting the protection of personal information in the private sector, which came into force progressively from 2022 to 2023.
GDPR | General Data Protection Regulation — European Union privacy regulation used as an international benchmark.
Cookies | Small text files placed on your device by websites to collect and store information about your visit.
Data Controller | The entity that determines the purposes and means of processing personal data.
Data Processor | A third party that processes personal data on behalf of the data controller.
OPC | Office of the Privacy Commissioner of Canada — the federal authority overseeing PIPEDA compliance.