To place a click & collect order or register your loyalty card you will be required to supply contact and personal information, this information is collected through our online systems provider, MCR Systems and shared with Tortilla. We also collect basic contact data when you use the Free WiFi within our stores. We at Tortilla respect your right to privacy. However, because the internet is not a secure information transmission medium, we have implemented security measures to minimise the risk of loss, misuse or alteration of the personal information submitted to this site.


All orders placed online will be confirmed by email if you have provided an email address.


Any information we gather from your visit is confidential and will not be divulged to other parties without your consent.


If your name is on our database and you request that we remove or alter it, we will do so within 72 hours of receiving your request. To request removal, let us know by sending us an email using the feedback form on this site: and selecting ‘Data Request’ in the enquiry form.


All email addresses and full name regarding customer feedback / complaints / compliments are recorded for tracking purposes. To request removal, let us know by sending us an email using the feedback form on this site: and selecting ‘Data Request’ in the enquiry form. 



By submitting personal information, you agree that we may use your personal information, IP address, or any other identifying information to monitor statistics on the site and administer upkeep of the service.


We may use the contact details you have provided to us to contact you for matters related to the service. If you would like us to not contact you via a particular channel, let us know by sending us an email using the feedback form on this site.


We may use personal and profile data to tailor your experience on our interactive services.

Users who submit personal information should be aged 16 years or older. Minors should obtain permission from their parents or legal guardians before submitting personal information.

Tortilla does not store any credit card information you may supply, and all transactions are handled in a secure environment.


We may transfer information outside the European Economic Area.


What are Cookies?

Cookies are small text files which are stored on a user’s computer or mobile device. They are used to differentiate one user from another and to pass information from page to page during a single user’s website session.


What Cookies do we use?

  1. a)
    Our main site does not collect any cookies, however, we use Google Analytics as a service to analyse web based traffic to our website and identify which pages are being used. Google Analytics tracking uses cookies in order to provide meaningful reports which help us understand how visitors engage with our site. Google Analytics cookies do not collect personal data about website visitors.

For more information on Google Analytics please click here.


If you wish to prevent being tracked by Google Analytics across all websites please click here.

Registration Information
Registered Name: Mexican Grill Ltd
Registration Number: 05553988
Registered in England & Wales

Registered Address:
Mexican Grill Limited t/a Tortilla
1st Floor
Evelyn House
142-144 New Cavendish Street



What is this Privacy Policy for?

This privacy policy is for the loyalty and cashless website and mobile application (On Android, iPhone and Windows Phone) maintained and served by MCR Systems and governs the privacy of its users who choose to use it. 

The policy sets out the different areas where user privacy is concerned and outlines the obligations & requirements of the users, the mobile app, the website and website owners. Furthermore the way the website and mobile app processes, stores and protects user data and information will also be detailed within this policy.


The Website and App

The website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of its users throughout their visiting experience. The website complies to all UK national laws and requirements for user privacy.


Use of Cookies

This website uses and requires cookies to better the users experience while visiting the website. A notice of cookie use is displayed on the users first visit to the website to comply with recent legislation requirements. 

Cookies are small files saved to the user’s computers hard drive that track, save and store information about the user’s interactions and usage of the website. This allows the website, through its server to provide the users with a tailored experience within this website. Users are advised that if they wish to deny the use and saving of cookies from this website on to their computers hard drive they should take necessary steps within their web browsers security settings to block all cookies from this website and its external serving vendors. 

This website uses tracking software to monitor its visitors to better understand how they use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computers hard drive in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information. You can read Google’s privacy policy here for further information


Information Collected

On some parts of the website and app, you may be required or asked to provide some limited personal information in order to enable the provision of certain servers (e.g sales enquiry, gain access to our solutions). MCR may store this information manually or electronically. By supplying this information you are consenting to MCR holding and using it for the purposes for which it was provided. Information provided will be kept for as long as is necessary to fulfil that purpose. 

We may also collect information about your computer, including where available; your IP address, operating system and browser type, for system administration and to report aggregate information to our webmasters. This is statistical data about our users’ browsing actions and patterns which does not identify any individual and allows us to ensure that content from our site is presented in the most effective manner for you and for your computer.



How Collected Information Is Used

Personal information provided to MCR Systems by you will only be used for the purpose stated when the information is requested. Personal information will not be sold to third parties, or provided to direct marketing companies or other such organisations without your permission. Personal information collected and/or processed by MCR Systems is held in accordance with the provisions of the Data Protection Act 1998. 

Demographical and statistical information about user behavious may be collected and used to analyse the popularity and effectiveness of MCR Systems website and solutions. Any disclosure of this information will be in aggregate form and will not identify individual users.


How Collected Information Is Stored

Information which you provide to us will ordinarily be stored on our secure servers. Which are hosted by third party contractors. No information is transferred to a destination outside the European Economic Area (“EEA”). By submitting personal information, you agree to allow us to store and process the data. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. 

We may disclose your personal information to third parties if we are under a duty to disclose or share such information in order to comply with any legal obligation or to protect the rights, property or safety of MCR systems, its customers or others.


Contact & Communication

Users contacting this website and/or its owners do so at their own discretion and provide any such personal details requested at their own risk. Your personal information is kept private and stored securely until a time it is no longer required or has no use, as detailed in the Data Protection Act 1998. Every effort has been made to ensure a safe and secure form to email submission process but advise users using such form to email processes that they do so at their own risk. 

This website and its owners use any information submitted to provide you with further information about the products / services they offer or to assist you in answering any questions or queries you may have submitted. This includes using your details to view any purchase or sale information made by you. These details are not passed on to any third parties.


External Links

Although this website only looks to include quality, safe and relevant external links, users are advised to adopt a policy of caution before clicking any external web links mentioned throughout this website. (External links are clickable text / banner / image links to other websites, similar to; Google or MCR Systems

The owners of this website cannot guarantee or verify the contents of any externally linked website despite their best efforts. Users should therefore note they click on external links at their own risk and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.


Resources & Further Information

Data Protection Act 1998 
Privacy and Electronic Communications Regulations 2003 
Privacy and Electronic Communications Regulations 2003 – The Guide 
Google Privacy Policy 


Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email. 

Any queries or concerns about privacy on MCR websites or applications should be sent by email to or addressed to the Data Protection Officer, MCR Systems, Vantage House, Vantage Park, Leicester, LE4 9LJ. 

This policy was last updated 01.04.2018


Food For Thought – Market Force

Please view the privacy policy for Market Force for more details.


Free WiFi – Wireless Social

Data Protection Act – 2018
(GDPR or Data Protection Bill)
Wireless Social is committed to ensuring that all its processes act in full compliance with the law
at all times. On May 25th 2018 a new Data Protection Act will become law across the UK, the
provisions in this law will also include the General Data Protection Regulations as agreed across
the EU member states. This will not be affected if Britain leaves the EU.


The following document outlines the core information that a customer or supplier of Wireless
Social may require in order to follow their own compliance procedures.


Consent for marketing is a core fundamental of the new Act. Wireless Social allows its customers
to be compliant with the easy addition of an opt-in marketing box during the login process.
This allows a specific message to be displayed alongside a tick-box so the user can opt-in to
marketing messages. In order to be compliant the consent message must indicate the party or
parties that will be sending marketing messages.

It is important to note that access to the Wi-Fi service must not be dependent on the user opting
in to marketing.


A consent message can name multiple parties, this means that the customer can obtain
permission to market directly, along with a sponsor or interested party.


As the Wireless Social product is a global product it is possible to pre-tick the consent box
(requiring explicit removal of the tick), this method is not compliant for marketing purposes in the
UK/EU, but may be acceptable in other countries.


A customer does not have to ask for consent if they are not using the service to obtain contacts
for marketing.

Personally Identifiable Information (PII)
PII information is collected as part of the login journey, this information is outlined below:
Data is either via user- input web form or from social media network after user permission is


Via form log-in – Name, date of birth, email, MAC address
Via Social Media log-in – all the above, plus potentially a user’s Facebook likes.
This is configurable by the customer, the only compulsory PII info captured is email address, and
there is the ability for the customer to add completely custom form inputs.
Additionally the platform can capture location data (MAC address and signal strength and/or
approximated x/y coordinate), network/device data (IP addresses, connection times, data usage)
and operational data (session state, etc). This is hardware and device specific and typically
captured as part of presence services.

No financial data is collected or stored at any point.
PII data is automatically removed after 13 months of inactivity, or on request. When anonymising,
any data that can be used to identify an individual is removed, but session/network/demographic
(age, gender) data is kept indefinitely.


Data Transmission
All data is transmitted securely, any external connections must be SSL or similar secure

Wireless Social cannot send data to an insecure API connection, all connections must be
encrypted end-to-end.


Data between the customer portal and the customer is via http, ensuring encrypted data
transmission at all times. Customers must ensure data transmitted to themselves is secure and
Wireless Social cannot take any responsibility once data has been retrieved or viewed on the
provided systems.


Data Storage
We use the services of a third party to store data which is done as follows.
Primary data is held at Amazon Web Services (AWS) servers: Data is securely stored in Dublin.
The infrastructure covers several zones in AWS Dublin so there is back up if a particular zone/data
center becomes unavailable. AWS have additional EMEA hosting centers in London and
Frankfurt, which would be the default option in the event of a Dublin failure.


For non-UK/EU data AWS is still used located in Ireland, with additional data centers in Singapore
and California.


Wireless Social has secure data storage facilities in Lancashire, these are monitored 24/7 and
utilised for the onward transmission of data to customer CRM platforms and industry analysis.


Data Entry / Extraction
Data entry is user input through Wi-Fi access, via network stats, or from customer’s vendor
location engines (depending on the vendor). Data can be viewed via the analytics portal where it
can also be downloaded in CSV format, or can be extracted via API.


Data is also transmitted securely to customers CRM or Single Customer View platforms. Data is
only transmitted to customer’s partners at the request of customers. We require verification of a
customer’s identity prior to authorizing such a transfer.


Wireless Social may utilise a 3rd party data-processing service for the purposes of providing
industry analysis or reports to customers – this data is only utilised for this purpose and is stored
and processed according to industry standards.


Data Correction / Right to be forgotten / Data requests
Data Subjects can request to view the information held about themselves.
Data subjects can submit corrections to Wireless Social directly.


A subject may request to be forgotten, these requests will be processed by the Data Protection
Team and on successfully validating the request data will be removed from the Wireless Social
system. Requests to partners should be submitted individually, Wireless Social may as part of
this process ask the Data Subject if they want partners to be informed of their request for further


Data correction is processed using the same methods.

Data requests, once verified are processed and all data is returned in standard readable formats.
20th February 2018