Privacy Policy

Information We Collect

We only collect the minimum personal information necessary to provide our services:

• Account Information: Parent/Guardian name, email address, and phone number (optional)
• Student Information: Student first name and last initial only (e.g., "Emma S."), school, and classroom — so parents can identify orders for each of their children
• Health Information: Optional food allergy information and dietary restrictions (see dedicated section below)
• Order Information: Meal selections, delivery dates, and order history
• Payment Information: Transaction reference and amount only (full card details are handled directly by our PCI-DSS Level 1 certified processor and never reach LunchUp)
• Technical Information: IP address, browser type, and minimal usage logs for security, abuse prevention, and service reliability

Information We Do Not Collect

We do not collect — and never have access to — the following:

• Student full last names, student ID numbers, photos, or school records of any kind
• Credit card numbers, CVV codes, or any raw payment data — all transactions are handled directly by Helcim (Level 1 PCI-DSS certified)
• We never sell, rent, or share your data with advertisers, data brokers, or any third party for marketing purposes

Children's Information

LunchUp is designed for use by parents and guardians, not by students. We follow additional best practices for the protection of minors' information:

• All accounts are created and managed by parents or guardians — students do not log in or create accounts
• Consent for the collection of children's information is obtained directly from a parent or guardian at registration
• Children's personal information is limited to first name + last initial, classroom, and optional allergy information — only what is strictly needed to deliver meals safely
• We do not collect or store student last names, student ID numbers, photos, school records, or behavioural data of any kind
• Parents or guardians may access, correct, or delete their child's information at any time by contacting hello@lunchup.ca

How We Use Your Information

We use your information to:

• Create and manage your account
• Process and fulfill orders
• Communicate order confirmations, updates, and service notices
• Coordinate with schools and vendors for meal preparation and delivery
• Maintain accurate records for transaction history and customer service

Sharing of Information

We do not sell your personal information. We may share it only with:

• Schools, for delivery coordination and reporting
• Vendors, for order preparation and allergy/dietary accommodations
• Service providers operating on Canadian infrastructure (AWS Montreal for hosting, Helcim for payments) under strict confidentiality agreements
• As required by law, regulation, or legal process

Health Information (Food Allergies)

Collection and Purpose:

We collect optional health information, specifically food allergy and dietary restriction details, solely to ensure the safe preparation of meals for your child. This information is highly sensitive and receives special protection under PIPEDA.

How We Use Health Information:

• Communicating allergy information to meal vendors for safe food preparation
• Preventing cross-contamination and ensuring appropriate meal alternatives
• Maintaining accurate records for emergency response if needed

Who Can Access This Information:

Health information is shared only with:

• Vendors: Only the specific vendor preparing meals for your child's order
• Schools: School administrators for coordination and emergency purposes
• You: Parents/guardians can access and update this information at any time

Your Rights Regarding Health Information:

• Providing allergy information is entirely optional but strongly recommended for safety
• You can update or delete health information at any time through your account
• You can withdraw consent for processing health information (subject to safety considerations)
• Health information is retained only while your child is actively using our service, plus 1 year for safety records

Third-Party Service Providers

We work with trusted third-party service providers to operate our platform. These providers may access your personal information only to perform specific services on our behalf:

• Hosting Infrastructure: Amazon Web Services (AWS) — application servers and database hosted in Canada (Montreal region)
• Payment Processing: Helcim — Level 1 PCI-DSS certified (the highest certification level in the payment industry), with payment processing operated on Canadian infrastructure in Montreal
• Bot Protection: Vercel BotID for spam and abuse prevention on sign-up, login, and sensitive forms

All service providers are bound by strict confidentiality agreements and are only permitted to use your information for the specific services they provide to us. All LunchUp customer data — account information, student profiles, orders, and health information — is stored and processed in Canada.

Payment Processing

All payments are processed by Helcim, a Level 1 PCI-DSS certified payment processor — the highest certification level in the payment industry. LunchUp never collects, stores, or has access to your credit card number, CVV code, or any raw payment data. Cardholder data is encrypted using AES-256 encryption and protected in transit with TLS 1.2 or higher.

Cookies and Analytics

Our website may use cookies or similar technologies to enhance functionality, improve user experience, and analyze website usage. You can adjust your browser settings to refuse cookies, but some features may not function properly.

Data Storage and Security

We implement industry-standard security measures to protect your personal information:

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (Transport Layer Security)
• Encryption at Rest: Data stored on our servers is encrypted using AES-256 encryption
• Access Controls: Strict authentication and authorization controls limit who can access your data
• Regular Backups: Automated backups ensure data recovery in case of system failures
• Security Monitoring: Continuous monitoring to detect and respond to potential security threats

Data Retention

We retain personal information only for as long as necessary to provide services, comply with legal obligations, and resolve disputes. Specific retention periods:

• Account Information: Retained while your account is active, plus 7 years for financial and tax compliance
• Student Information: Retained while the student is enrolled, plus 1 year after graduation/withdrawal for transition support
• Health Information (Allergies): Retained while the student is active, plus 1 year for safety records, then securely deleted
• Order History: Retained for 7 years for accounting and dispute resolution purposes
• Payment Records: Retained for 7 years as required by Canadian tax law

You may request earlier deletion of your data by contacting us, subject to our legal obligations to retain certain records.

Your Rights

You have the right to:

• Access and correct your personal information
• Withdraw consent (subject to legal or contractual restrictions)
• Request deletion of your personal information

Requests can be made by contacting us at hello@lunchup.ca. We may require verification of identity before fulfilling any request.

Security Measures

We use administrative, technical, and physical safeguards to protect your personal information against unauthorized access, use, or disclosure.

Third-Party Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these sites.

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The "Effective Date" will indicate the most recent revision.

Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices:

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or call toll-free at 1-800-282-1376.

By using LunchUp.ca, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. You may withdraw consent at any time, subject to legal and contractual restrictions.