Privacy Policy

Effective Date: April 30, 2025

LunchUp.ca ("we", "our", or "us") values your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, including in British Columbia, Alberta, and Quebec.

🇨🇦 Your Data Stays in Canada

All LunchUp data is securely hosted in Canada (Montreal region), ensuring your information never leaves Canadian jurisdiction and remains fully compliant with PIPEDA and provincial privacy laws.

Information We Collect

We only collect the minimum personal information necessary to provide our services:

  • Account Information: Parent/Guardian name, email address, and phone number (optional)
  • Student Information: Student first name and last initial, school, grade/classroom
  • Health Information: Optional food allergy information and dietary restrictions (see dedicated section below)
  • Order Information: Meal selections, delivery dates, and order history
  • Payment Information: Transaction details processed by third-party providers (we do not store full payment card information)
  • Technical Information: IP address, browser type, and usage data for security and analytics

How We Use Your Information

We use your information to:

  • Create and manage your account
  • Process and fulfill orders
  • Communicate order confirmations, updates, and service notices
  • Coordinate with schools and vendors for meal preparation and delivery
  • Maintain accurate records for transaction history and customer service

Sharing of Information

We do not sell your personal information. We may share it only with:

  • Schools, for delivery coordination and reporting
  • Vendors, for order preparation and allergy/dietary accommodations
  • Service providers (e.g., payment processors, website hosting) under strict confidentiality agreements
  • As required by law, regulation, or legal process

Health Information (Food Allergies)

Collection and Purpose:

We collect optional health information, specifically food allergy and dietary restriction details, solely to ensure the safe preparation of meals for your child. This information is highly sensitive and receives special protection under PIPEDA.

How We Use Health Information:

  • Communicating allergy information to meal vendors for safe food preparation
  • Preventing cross-contamination and ensuring appropriate meal alternatives
  • Maintaining accurate records for emergency response if needed

Who Can Access This Information:

Health information is shared only with:

  • Vendors: Only the specific vendor preparing meals for your child's order
  • Schools: School administrators for coordination and emergency purposes
  • You: Parents/guardians can access and update this information at any time

Your Rights Regarding Health Information:

  • Providing allergy information is entirely optional but strongly recommended for safety
  • You can update or delete health information at any time through your account
  • You can withdraw consent for processing health information (subject to safety considerations)
  • Health information is retained only while your child is actively using our service, plus 1 year for safety records

Third-Party Service Providers

We work with trusted third-party service providers to operate our platform. These providers may access your personal information only to perform specific services on our behalf:

  • Payment Processing: Helcim (Canadian payment gateway, PCI-DSS compliant) - processes payment transactions securely
  • Email Delivery: Transactional email service for order confirmations and notifications
  • Security Services: Google reCAPTCHA for spam and bot prevention
  • Hosting Infrastructure: Database, file storage, and website hosting (all data stored in Canada)

All service providers are bound by strict confidentiality agreements and are only permitted to use your information for the specific services they provide to us. Core customer data (account information, student profiles, orders, health information) remains in Canada at all times.

Payment Processing

All payments are processed through PCI-compliant third-party payment processors. We do not collect, store, or have access to your full payment card details.

Cookies and Analytics

Our website may use cookies or similar technologies to enhance functionality, improve user experience, and analyze website usage. You can adjust your browser settings to refuse cookies, but some features may not function properly.

Data Storage and Security

🇨🇦 Canadian Data Residency

All LunchUp data, including account information, student profiles, order history, and health information, is stored on secure servers located in Canada (Montreal region). Your information never leaves Canadian jurisdiction, ensuring compliance with PIPEDA and all provincial privacy laws.

We implement industry-standard security measures to protect your personal information:

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security)
  • Encryption at Rest: Data stored on our servers is encrypted using AES-256 encryption
  • Access Controls: Strict authentication and authorization controls limit who can access your data
  • Regular Backups: Automated backups ensure data recovery in case of system failures
  • Security Monitoring: Continuous monitoring to detect and respond to potential security threats

While some service providers (payment processing, email delivery) may process data outside Canada, all core customer data remains within Canadian borders at all times.

Data Retention

We retain personal information only for as long as necessary to provide services, comply with legal obligations, and resolve disputes. Specific retention periods:

  • Account Information: Retained while your account is active, plus 7 years for financial and tax compliance
  • Student Information: Retained while the student is enrolled, plus 1 year after graduation/withdrawal for transition support
  • Health Information (Allergies): Retained while the student is active, plus 1 year for safety records, then securely deleted
  • Order History: Retained for 7 years for accounting and dispute resolution purposes
  • Payment Records: Retained for 7 years as required by Canadian tax law

You may request earlier deletion of your data by contacting us, subject to our legal obligations to retain certain records.

Your Rights

You have the right to:

  • Access and correct your personal information
  • Withdraw consent (subject to legal or contractual restrictions)
  • Request deletion of your personal information

Requests can be made by contacting us at help@lunchup.ca. We may require verification of identity before fulfilling any request.

Security Measures

We use administrative, technical, and physical safeguards to protect your personal information against unauthorized access, use, or disclosure.

Third-Party Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these sites.

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The "Effective Date" will indicate the most recent revision.

Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices:

Email: help@lunchup.ca

Subject Line: Privacy Inquiry

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or call toll-free at 1-800-282-1376.

By using LunchUp.ca, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. You may withdraw consent at any time, subject to legal and contractual restrictions.

Privacy Policy | LunchUp Canada - Data Protection & Privacy