Privacy Policy
1. Introduction
Marni's Bar & Grill ("we," "us," "our") respects your privacy and is committed to handling your personal information responsibly. This Privacy Policy describes how we collect, use, share, and protect information when you visit marnisoc.com, dine with us, make a reservation, place a catering order, attend an event, or otherwise interact with our business.
By using our website or services, you acknowledge the practices described in this Privacy Policy. If you do not agree, please do not use our website or services.
This Privacy Policy is intended to comply with the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the General Data Protection Regulation ("GDPR") as applicable to EU/UK visitors, the Children's Online Privacy Protection Act ("COPPA"), and all other applicable federal and state privacy laws. To the extent any provision of this Privacy Policy conflicts with applicable law, the applicable law controls.
2. Information We Collect
We collect information you provide directly, information collected automatically when you visit our website, and information from third parties.
Information you provide:
- Name, email address, phone number, and mailing address
- Reservation details (party size, date/time, seating preferences, special occasions)
- Payment information (processed by our payment processor — we do not store full card numbers)
- Dietary restrictions, allergies, and food preferences
- Loyalty program enrollment information and purchase history
- Catering and private event inquiries
- Reviews, photos, social media tags, and other content you submit
- Communications with us, including email, text, voice, and in-person interactions
- Age verification information (date of birth or age confirmation for alcohol service)
- Employment application information, if submitted through the website
Information collected automatically:
- IP address, browser type, device identifiers, operating system
- Pages visited, time spent on pages, referring/exit pages
- Cookies, pixels, and similar technologies (see Section 7 and the separate Cookie Policy)
- General location based on IP address
- Information from in-premise Wi-Fi if you choose to connect
- Precise geolocation data, if you enable location services on your device
Information from third parties:
- Reservation platforms (e.g., OpenTable, Resy, Tock)
- Delivery and ordering platforms (e.g., DoorDash, Uber Eats, Grubhub, Toast, Square)
- Social media platforms when you engage with our pages
- Marketing partners and analytics providers
- Background check vendors for catering deposits or event contracts
3. How We Use Your Information
We use your information to:
- Confirm and manage your reservation, order, or event
- Process payments, deposits, and refunds
- Communicate with you about your booking or order, including reminders and changes
- Operate, administer, and improve our business
- Maintain loyalty programs and gift card accounts
- Send marketing communications (with your consent where required)
- Personalize your experience (e.g., remembering preferences, seating notes)
- Comply with legal obligations, including age-verification for alcohol service
- Prevent fraud, enforce our terms, and protect our staff, guests, and property
- Respond to your inquiries and customer service requests
- Conduct internal research and analytics to improve our menu, service, and operations
- Facilitate online ordering, delivery logistics, and curbside pickup coordination
- Administer contests, sweepstakes, and promotional offers
We do not sell your personal information for monetary consideration. We may share personal information for cross-context behavioral advertising; see Section 6 and Section 10 regarding your rights.
Sensitive Personal Information: To the extent we collect sensitive personal information (as defined under CPRA), including precise geolocation, age/date of birth, and dietary information that may reveal health conditions, we use such information only as necessary to perform the services you request and as otherwise permitted under CPRA Section 1798.121. You have the right to limit our use of sensitive personal information; see Section 10.
4. Legal Bases for Processing (EU/UK Visitors)
If you are located in the European Economic Area or the United Kingdom, we process your personal information under the following legal bases:
- Performance of a contract (e.g., fulfilling your reservation)
- Compliance with legal obligations
- Our legitimate interests (e.g., operating and improving our business, preventing fraud)
- Your consent, where required (e.g., marketing communications)
If we transfer your personal data outside the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, or other legally recognized transfer mechanisms. You may request a copy of the safeguards by contacting us.
5. How We Share Information
We share information with:
- Service providers who help us operate, including reservation platforms, payment processors, point-of-sale systems, email and SMS providers, analytics providers, and IT vendors
- Marketing and advertising partners, including platforms like Google, Meta, and similar (with your consent where required)
- Professional advisors, including attorneys, accountants, and insurers
- Authorities and others where required by law or to protect rights, safety, and property
- In connection with a business transfer, including a merger, acquisition, or sale of assets
We do not share information with third parties for their own independent marketing without your consent.
For a detailed list of the categories of personal information collected, the purposes of collection, and the categories of third parties to whom information is disclosed, please see our Notice at Collection.
6. Cross-Context Behavioral Advertising and "Sale"/"Share" Under California Law
Under the CCPA as amended by the CPRA, certain advertising practices may be classified as a "sale" or "share" of personal information even when no money changes hands. To the extent we engage in such activity, California residents have the right to opt out. You may exercise this right by emailing mg@marnisoc.com.
Opt-Out Methods: You may opt out of the sale or sharing of your personal information by (a) clicking the "Do Not Sell or Share My Personal Information" link in the footer of our website, (b) enabling a Global Privacy Control ("GPC") signal in your browser, or (c) contacting us at mg@marnisoc.com. We recognize and honor GPC signals as a valid opt-out request pursuant to California Code of Regulations, Title 11, Section 7025. When we detect a GPC signal, we will treat it as a request to opt out of the sale and sharing of personal information associated with that browser.
7. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to:
- Maintain essential website functionality
- Remember your preferences
- Analyze website performance and traffic
- Deliver advertising and measure its effectiveness
For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy. You may also manage cookie preferences through the cookie preference center on our website. We honor Global Privacy Control (GPC) signals as described in Section 6 above.
8. Data Retention
We retain personal information for as long as needed to fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Reservation history may be retained to support loyalty programs and personalized service. Payment records are retained as required by tax and accounting law.
Specific retention periods include: reservation records (7 years for tax/accounting purposes), loyalty program data (duration of active membership plus 2 years), marketing consent records (duration of consent plus 3 years as evidence of consent), CCTV footage (30–90 days unless retained for a specific security investigation), and employment application data (4 years per California record retention requirements). We review and purge data that is no longer needed on a annually basis.
9. Security
We use reasonable administrative, technical, and physical safeguards to protect personal information. However, no system is fully secure, and we cannot guarantee the absolute security of your information.
Payment card information is processed in accordance with Payment Card Industry Data Security Standards (PCI-DSS). We do not store full payment card numbers on our systems. In the event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities as required by California Civil Code Section 1798.82 and other applicable breach notification laws.
10. Your Privacy Rights
Depending on where you live, you may have the following rights:
- Right to know what personal information we have collected, used, disclosed, or sold
- Right to delete personal information we have collected, subject to exceptions
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing of personal information
- Right to limit use of sensitive personal information
- Right to data portability
- Right to non-discrimination for exercising your rights
To submit a request, contact us at mg@marnisoc.com or (562) 594-3800. We may ask you to verify your identity before fulfilling a request. You may authorize an agent to make a request on your behalf with appropriate proof.
Response Timeline: We will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days, as required by CPRA. If we need additional time (up to an additional 45 days), we will notify you of the extension and the reason. If we deny your request in whole or in part, you have the right to appeal by contacting us at mg@marnisoc.com with the subject line "Privacy Rights Appeal." We will respond to appeals within 60 calendar days.
Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws may have additional rights under those laws. Residents of the EU/UK have rights under GDPR/UK GDPR, including the right to lodge a complaint with a supervisory authority.
11. Children
Our website and services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it.
California Age-Appropriate Design Code Act (CAADCA): To the extent our website is likely to be accessed by users under 18, we apply data protection impact assessments and default privacy settings as required by the CAADCA (Business & Professions Code Section 22580 et seq.). We do not use personal information of users we know to be under 16 for targeted advertising, sale, or sharing without affirmative authorization (and for users under 13, without parental consent).
12. Third-Party Websites and Services
Our website may link to third-party websites and services. We are not responsible for their privacy practices. Please review their policies before providing personal information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The "Effective Date" at the top indicates when it was last revised. Material changes will be communicated through reasonable means, such as a website notice or email.
For material changes that reduce your rights or expand our use of your personal information, we will provide at least 30 days' advance notice via email (if you have provided an email address) or a prominent notice on our website before the changes take effect. Your continued use of our website or services after the effective date of a revised Privacy Policy constitutes acceptance of the revised terms.