Grubhub may collect and use sensitive information including your precise location, health-related inferences (such as dietary restrictions or health conditions suggested by your orders), and potentially religious or other beliefs inferred from your food choices.
This analysis describes what Grubhub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Health-related and belief-related inferences drawn from food ordering data represent a sensitive category of personal information that carries heightened privacy risk, particularly if shared or used beyond the immediate service context.
Interpretive note: The scope of health-related and belief-related inferences drawn from order data is not precisely defined in the document, and whether these inferences are shared with advertising partners is not explicitly confirmed or excluded.
Grubhub may infer sensitive information about your health, dietary needs, or beliefs based on what you order, and may use these inferences to personalize your experience; California residents have the right to limit how this sensitive information is used.
Cross-platform context
See how other platforms handle Sensitive Personal Information Collection and Use and similar clauses.
Compare across platforms →Monitoring
Grubhub has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may use this information to: (i) provide and improve the Platform and Services; (ii) personalize your Grubhub experience; (iii) detect and prevent fraud, abuse, or other harmful activities; and (iv) for other purposes described in this Privacy Policy. We may also use inferences we draw from your information, including information that may indicate health conditions, dietary preferences, or religious beliefs, to personalize your experience and for other purposes described in this Privacy Policy.— Excerpt from Grubhub's Grubhub Privacy Policy
1) REGULATORY LANDSCAPE: CPRA establishes a distinct category of sensitive personal information (SPI) and requires businesses to provide consumers with the right to limit its use and disclosure to what is necessary to perform the services. The California Privacy Protection Agency enforces SPI obligations. Health-related inferences may also engage HIPAA if Grubhub is classified as a business associate, though this is unlikely given Grubhub's role as a food ordering platform. The FTC has increasingly scrutinized health data practices under its general unfairness authority. 2) GOVERNANCE EXPOSURE: Medium. The collection of precise geolocation and the drawing of health or belief-related inferences from order data creates SPI obligations under CPRA. If Grubhub uses these inferences for advertising or shares them with partners, additional restrictions apply. The adequacy of the 'Limit the Use of My Sensitive Personal Information' mechanism requires ongoing operational audit. 3) JURISDICTION FLAGS: California CPRA creates the clearest SPI framework and heightened exposure. Colorado, Connecticut, Virginia, and Texas privacy laws also recognize sensitive data categories that may include health and precise geolocation. Illinois residents may have additional protections if inferences touch on biometric data. EU/UK residents would have rights under GDPR Article 9 if health-related data is processed. 4) CONTRACT AND VENDOR IMPLICATIONS: Any service provider or partner receiving SPI must be bound by contracts limiting use to disclosed purposes. If advertising partners receive health-related inferences, this may violate CPRA's restrictions on SPI sharing for advertising. Data processing agreements should be audited to confirm SPI is excluded from behavioral advertising pipelines. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should conduct a data inventory specifically for SPI categories, confirm the 'Limit the Use' mechanism is functional and honored, and verify that health-related inferences are not included in data sets shared with ad networks or trusted partners. Privacy impact assessments for inference-drawing processes are advisable given the sensitivity of derived health and belief-related data.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Health-related and belief-related inferences drawn from food ordering data represent a sensitive category of personal information that carries heightened privacy risk, particularly if shared or used beyond the immediate service context.
Grubhub may infer sensitive information about your health, dietary needs, or beliefs based on what you order, and may use these inferences to personalize your experience; California residents have the right to limit how this sensitive information is used.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Grubhub.