Your information, handled with care.

1. Who we are

Jamrock Jerk is a New York City-based mobile food service company specializing in authentic Jamaican cuisine and traditional live-fire Jamaican Jerk. We are the controller of the personal information collected through this site for the purposes described below.

2. Information we collect

We collect information you provide directly, information generated by your use of the site, and information from third-party services we use to operate.

2.1 Information you provide directly

• Catering inquiries. When you use the catering estimator at /catering, we collect your name, email address, phone number, event date and service window, event address (which we geocode for travel-time calculation), expected guest count, package selection, menu preferences and quantities, drink-flavor selections, optional concierge preference, loading-dock or alternate-delivery information, and any notes you choose to include.
• Contact form. When you use /contact we collect your name, email, phone, the topic you select, and the body of your message.
• Account information. The customer portal uses passwordless “magic link” authentication. We store the email address you sign in with and a hashed session token. We do not store passwords on the customer side.
• Estimates and contracts. When we generate an estimate or contract on your behalf, we store the quote inputs, the rendered estimate, the generated contract, and (after you electronically sign) your typed signature name, signing IP address, signing user-agent string, timestamp, and acknowledgement that you have read and agree to the agreement.
• Job applications. Applications submitted via the /careers link are handled by our operations portal (jamrock-lms); that system's privacy practices govern data submitted through job application flows.

2.2 Information collected automatically

• Request metadata. Like every web service, our hosting platform records standard HTTP request data (IP address, request path, user-agent string, referer, timestamps) for security, rate-limiting, and operational diagnostics.
• Cookies and similar technologies.We use cookies strictly for functional purposes — a session cookie set after a successful magic-link login (so you stay signed in), and Next.js preview cookies for staging-content review. We do not use third-party analytics, advertising, or cross-site tracking cookies on this site.
• Live operations data. The homepage and locations page surface live cart-fleet figures (count of carts in service, neighborhoods being served, total seconds of grilling). These are aggregate operational metrics and contain no personal information.

2.3 Information from third parties

• Geocoding.When you type an event address into the catering estimator, that address is sent to Google's Places, Geocoding, and Distance Matrix APIs to verify the address and compute travel time. Google receives the address text and our API key.
• Reviews (when configured). Aggregate review scores displayed on our site (when enabled) are fetched server-side from Google Places and Yelp Fusion. We receive only the aggregate rating/count, not individual reviewer information.

3. How we use information

We use the information we collect to operate our catering business and deliver the services you request. Specifically:

• Prepare, send, and execute your catering estimate, contract, deposit invoice, and service-day logistics.
• Send transactional emails relating to your inquiry, estimate, signed contract, deposit, magic-link sign-in, and event-day coordination.
• Authenticate you to the customer portal so you can review your estimates, edit them within the customer-edit window, sign your contract, and view PDFs.
• Coordinate with the catering team and dispatch via our internal operations portal.
• Maintain records of past engagements for accounting, legal compliance, and operational continuity.
• Improve and secure the website, the catering portal, and our operations — including detecting and preventing fraud, abuse, and unauthorized access.
• Respond to general inquiries, press requests, partnership proposals, and employment questions submitted via the contact form.

Our legal bases for processing personal information are: the performance of a contract with you (so we can deliver the service you requested), our legitimate interests in running a safe and effective business, your consent where required (for example, to send marketing communications — we currently do not send marketing emails), and compliance with applicable legal obligations.

4. How we share information

We do not sell your personal information, and we do not share it with third parties for their independent marketing purposes. We share information only in the limited circumstances below:

4.1 Service providers (subprocessors)

We share information with vendors who process it on our behalf to operate the service. Each is bound by contractual and technical safeguards. Current subprocessors:

• Netlify (Netlify, Inc.). Web hosting, serverless functions, edge delivery, and durable storage for content overrides.
• Google Cloud / Firebase (Google LLC). Firestore database used for the catering customer portal, estimates, and contract lifecycle records. Google Workspace handles our business email.
• Google Maps Platform. Address autocomplete (Places API), address geocoding (Geocoding API), and travel-time calculation (Distance Matrix API) for catering logistics.
• Resend (Resend, Inc.). Transactional email delivery (magic-link sign-in, estimate confirmation, contract notifications, contact form replies).
• Square (Block, Inc.). Online ordering for pickup runs entirely on Square at the separate domain jamrockjerknyc.com and is governed by Square's Privacy Notice. We retrieve our menu catalog and unit prices from Square to display on this site.
• Cloudflare R2 (Cloudflare, Inc.). Object storage for the larger video assets embedded on the marketing site.
• Register.com. DNS hosting for jamrockjerkny.com.

4.2 Internal operations portal

Catering inquiries and signed contracts are forwarded to our internal operations portal (the “jamrock-lms” system) so our catering team can confirm, schedule, and fulfill your event. The portal is operated by Jamrock Jerk and access is restricted to authorized employees.

4.3 Legal compliance and protection

We may disclose information when we believe in good faith that disclosure is necessary to comply with a legal obligation, court order, or government request; to establish, exercise, or defend legal claims; to protect the rights, safety, or property of Jamrock Jerk, our customers, or others; or in connection with the sale or transfer of all or part of our business.

5. Cookies and tracking

We use cookies only for functional purposes. We do not use advertising cookies, third-party analytics cookies, or cross-site tracking on this site.

• Session cookie. Set when you sign in to the customer portal via a magic link; allows you to navigate the portal without re-signing in each page load. Cleared when you sign out or the session expires.
• Preview cookies. Next.js bypass cookies used internally to review draft content during admin editing.

You can clear cookies at any time via your browser's settings. Doing so will sign you out of the customer portal and you'll need to request a new magic link to sign back in.

6. Data retention

We retain personal information only as long as needed for the purposes described in this policy, including to comply with our legal, accounting, and regulatory obligations.

• Catering inquiries that do not progress to a contract are retained for up to 24 months for service-quality follow-up, then deleted.
• Estimates, contracts, and event records are retained as business records for at least seven (7) years, consistent with applicable tax and contract-law obligations in New York.
• Email logs (transactional sends, contact-form submissions) are retained for up to 24 months for support and compliance purposes.
• Account information in the customer portal is retained while your account is active. If you request deletion, we will remove or anonymize identifying information except where retention is legally required.

7. Security

We take reasonable administrative, technical, and physical measures to protect your information against unauthorized access, alteration, disclosure, or destruction. Specifically:

• All site traffic is delivered over HTTPS with TLS encryption.
• Customer-facing authentication uses passwordless short-lived magic links rather than passwords.
• Session tokens are signed server-side with a secret key rotated and stored as an environment variable.
• Personal information at rest is held in our Firestore database with access restricted to authorized server-side processes.
• Internal access to operational systems is limited to authorized employees and contractors with a documented need to access the data.

No method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but we work continually to improve our safeguards.

8. Your rights and choices

Depending on your location, you may have certain rights regarding your personal information. We honor the rights below for all individuals regardless of jurisdiction, to the extent reasonably practicable.

8.1 California residents (CCPA / CPRA)

• Right to know. You may request the categories of personal information we have collected, the sources, the purposes of collection, and the categories of third parties with whom we have shared the information.
• Right to delete. You may request that we delete personal information we have collected from you, subject to legal exceptions.
• Right to correct. You may request that we correct inaccurate personal information we maintain about you.
• Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising; there is nothing to opt out of in that respect.
• Right to non-discrimination. We will not deny you services, charge a different price, or provide a different level of service because you exercised your CCPA rights.

8.2 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

If you are in the EEA, UK, or Switzerland, you have the right to access the personal data we hold about you; request rectification of inaccurate or incomplete data; request erasure (the “right to be forgotten”); restrict our processing of your data; receive a portable copy in a structured machine-readable format; and object to processing based on our legitimate interests. You also have the right to withdraw consent at any time where processing is based on consent, and the right to lodge a complaint with your local supervisory authority.

8.3 How to exercise your rights

Send a request to catering@jamrockjerkny.com with the subject line “Privacy request.” We may need to verify your identity before fulfilling the request, for example by confirming the email address or phone number associated with your account. We will respond within the timeframes required by applicable law.

9. International data transfers

Jamrock Jerk operates in the United States and our service providers may store and process personal information in the United States and other countries. Where required by law, we rely on appropriate safeguards (including the European Commission's Standard Contractual Clauses) for transfers of personal information out of the EEA, UK, or Switzerland.

10. Children's privacy

This site is intended for adults arranging food service for events. It is not directed at children under 13 (or under 16 in jurisdictions with a higher age threshold), and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at the address above and we will take prompt steps to delete it.

11. Third-party websites

This site links out to third-party services including the Square-hosted ordering page at jamrockjerknyc.com, our social media accounts, our operations portal at portal.jamrockjerkny.com, and external review and mapping services. Those third parties operate under their own privacy practices and we are not responsible for their policies. We encourage you to review the privacy notices of any third-party service you use.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our subprocessors, or applicable law. When we make a material change, we will update the “Last updated” date at the top of the policy and, where appropriate, notify affected customers via the email address associated with their account. The version of this policy in effect when you interact with the service governs that interaction.