Grubhub's privacy record is among the worst in the industry. FTC enforcement documented systematic deception about data practices. Now owned by European company Just Eat Takeaway, your data may flow internationally with different privacy standards. The settlement requires changes, but the underlying business model remains data-intensive.
| Data Type | Collected | Shared | Sold |
|---|---|---|---|
| Order History | Yes | Just Eat Network | Yes (CA definition) |
| Location Data | Yes | Delivery Partners | Yes (CA definition) |
| Phone/Contact Info | Yes | Restaurants (historically) | No (post-settlement) |
| Browsing Behavior | Yes | Advertisers | Yes (CA definition) |
| Payment Information | Yes | Payment Processors | No |
The FTC found Grubhub created fake restaurant websites that intercepted customer contact information and orders. Customers thought they were dealing with restaurants directly while Grubhub collected their data.
Just Eat Takeaway is based in the Netherlands. Your data may be transferred to Europe and shared across Just Eat's international operations, subject to different privacy frameworks.
Grubhub added restaurants to its platform without consent, collecting menu data and potentially customer information from orders made to these unauthorized listings.
Grubhub provided phone numbers to restaurants that routed through Grubhub's systems, allowing them to record calls and collect data on orders that appeared to be direct to restaurants.
The FTC settlement requires Grubhub to: