Lunch Money’s Privacy Policy

Last Modified: June 12, 2025

We at Lunchbag Labs Inc. ("us," "we," "our" or "Lunch Money") respect your privacy, and we are committed to protecting it by complying with this policy (our "Privacy Policy") and being transparent about our privacy practices.

In this policy, we explain how we collect, use, process, and share your personal information when you communicate directly with us or within our community, as well as when you access and use the websites, applications, and other offerings we provide, including https://lunchmoney.app/, its related mobile applications and our API (collectively, the "Services").

When we talk about your “information” in this Privacy Policy, we are referring to personal information about an identifiable individual (which includes personal information that can be used on its own or with other information to identify, contact, or locate you).

Our Privacy Policy applies to anyone using our Services (whether paid or unpaid), but it does not apply to third parties’ privacy practices and policies, except to the extent we use third parties to store or process your data. Third parties that you engage with should have their own privacy policies, which are their responsibility.

If you have any questions, concerns or requests relating to this Privacy Policy, please contact us at [email protected] (our "Contact Information").

A Quick Summary.

We recommend reading this entire Privacy Policy, but here are a few answers to the most common privacy questions we get asked:

Does Lunch Money have access to my money?

No. Lunch Money is an application that only has “read-only” access to your synced bank accounts.

Does Lunch Money have access to my banking credentials?

No. We never have access to your banking credentials.

Does Lunch Money sell my information?

Never. We do not (and will not!) sell any information about our customers to others.

Is my information secure?

It is. We use industry standard security protocols across wherever we can. That, coupled with the fact we don’t have access to your bank credentials, means your information is safe and secure.

Again, please read the rest of this document, but we thought it’d be helpful to answer some of your most important questions right at the start.

The Types of Information We Collect About You & How We Collect Them.

To provide our Services to you, we collect and receive the following information:

1. Information About You (That You Provide Directly to Us). When you engage with our Services or communicate with us directly, we collect the information you provide. From time to time, we may also ask you about your experience engaging with our Services or your interest in products and services relating to our Services, and we collect the information you provide in response. Here are some examples of the information about you that we collect: (A) your name and email address when you create an account using our Services; (B) your user name and other information you provide when engaging with our Discord channel or communicating with us directly; and (C) your name and certain payment information (like the last 4 digits of your credit card) when you pay for a subscription to our Services; (D) your phone number when you enable and use 2-factor authentication to access our Services; and (E) the transaction data you upload when using our Services.
2. Information About Your Access and Use of Our Services. We may collect information about when you log in to our Services and how you interact with the Services, which can include information about the Services’ features you use and how you interact with them. For example, this can occur when you report issues with our Services through troubleshooting channels or when you leave a review about us and our Services. We also automatically track certain information about your use of the Services, which you can read more about in the Cookies & Automated Technologies section below.
3. Information You Provide Through Interactive Features. You may provide information to us through interactive features we make available to you. For instance, if we offer you the opportunity to engage with certain software (like Stripe, when you purchase a subscription to our Services) and you provide information about yourself while engaging with that software, your information may be shared with that third-party software and us.
4. Financial Information from Third Party Sources. When using our Services, you’re invited to import bank transaction data and crypto wallet data. If you provide bank transaction data or information about your crypto holdings to us, we will collect it and use it to provide our Services to you. In any case, however, we do not save or store your banking or cryptocurrency credentials, nor do we have access to your bank accounts or crypto wallets. To provide you with further security, we only request and receive “read-only” data, meaning we have no ability to move, access or otherwise deal with your money. You retain complete control over your finances, and we have no ability to change that.
5. Other Information from Third-Party Sources. We may receive information about you from other sources, such as the software providers you use to access or engage with our Services or the third-party sources you instruct us to collect information from. The information we collect from these third-party sources (like Discord) may include demographic information, contact information (like your name and email address) and information about your profile on those platforms. This information can also include information that identifies your connection type, settings, operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data.
6. Non-Personal Information. We may also collect non-personal information when we receive information directly from you or from third-party sources. Non-personal information is information that does not directly or indirectly reveal your identity or directly relate to an identifiable individual (such as statistical or aggregated information). Statistical or aggregated data does not directly identify a specific person, and we may derive non-personal statistical or aggregated data from the information we receive. For example, we may aggregate information to calculate the percentage of users accessing a specific feature of our Services.

We do not intend for children under the age of 18 to use our Services, and we do not knowingly collect information about individuals under the age of 18. If you are under the age of 18, please do not use our Services or provide any information to us. If you believe we might have any information from or about a child under 18, please contact us using the Contact Information above.

More About the Financial Information We Collect.

When using our Services, you’re invited to import bank transaction or crypto wallet data directly.

When you import bank transaction data, we do not save or store your banking credentials. All bank transaction data is provided through Plaid.

When you import bank transaction data via Plaid, we receive the following information:

• Account transaction information, which includes transaction amounts, dates, types and a description of the transaction.
• Account details, which includes account name, type and balance.

Similarly, when you import information about your crypto wallet into our Services, we do not save or store your wallet credentials. Instead, the read-only data is provided through an API that you connect to our systems.

When you import crypto wallet information via an API, we receive the following information:

• Your API Key.
• The types of cryptocurrency in your wallet and the amounts held.

How We Use Your Information.

We do not sell your information to anyone for any reason. We use the information you provide for the purpose you intended and as outlined in this Privacy Policy. For example, if you provide us with your telephone number for the purposes of enabling 2-factor authentication, we will only use that information to authenticate your access to our Services, and we will not send you marketing information via SMS simply because you provided your telephone number.

When we collect and use your information, we only do so for the following purposes:

1. To provide the Services to you.
2. To provide customer support and improve the Services.
3. To provide you with the information, products or services that you request from us or our service providers (like Plaid).
4. To provide you with notices and information relevant to your use of our Services.
5. To improve our offerings and customer experience.
6. To feature positive feedback (that you have publicly provided) about our Services.
7. To help you engage with our customer interactive experiences (like our Discord channel).
8. To combine information about you with other information we receive from third parties, when, for example, we add your crypto wallet information into your Lunch Money account.
9. To comply with applicable laws and obligations or to enforce our legal rights.
10. For any other purpose with your consent.

Where you have provided your consent to the collection, use, and transfer of your personal information, you may have the legal right to withdraw your consent under certain circumstances. To withdraw your consent, please contact us using the Contact Information (detailed above). Please note that if you withdraw your consent, we may not be able to provide you with access to and/or use of our Services and other offerings.

Data Security & Retention

Protecting your information is important to us. That is why we take steps to protect your information from unauthorized access, destruction and misuse. All the steps we take to protect your information will be commensurate with the sensitivity of the information we collect and reasonable in the circumstances.

Here are a few examples of how we keep your information secure:

1. We use trustworthy partners. We only use vetted service providers when handling your most sensitive data.
2. We use encryption technology. Here are just a few ways we keep your data secure with encryptions:
   1. All attachments uploaded to our platform are two-layer encrypted and stored in Google Cloud Storage.
   2. All files uploaded to our platform are only accessible via ephemeral-signed URLs.
   3. All your data is AES-256 encrypted.
3. We can’t access your financial accounts. When you connect our Services to your financial account providers, we only have read-only access to your bank information. That means we can’t move your funds or change your accounts in any way.

Additionally, to help protect your data, we will not store your data for longer than we need it unless you agree otherwise or the law permits us to keep the information for a longer period of time. If we anonymize your data, however, you agree we may use that anonymized information as we choose and keep the data for longer periods of time.

In any case and despite our efforts, using the internet is never risk-free. As a result, we cannot guarantee the security of your data, and – ultimately – you use the internet at your own risk.

Cookies & Automated Technologies

We use automated technologies to help us improve your user experience. To do that, we may store your preferences, remember you for future visits to our Services, or otherwise gather information about how our Services are used.

Our automated technologies may include browser cookies, flash cookies, or web beacons, and we may use them to collect information about your devices and internet use.

A cookie is a small piece of data – a text file – that a website asks your browser to store on your device to remember information about you, such as your language preference or login information, that can later be retrieved to identify you when you return to our Services.

For example, we may collect data about the tools and mechanisms you use to access our Services, including your IP address, browser, or operating systems. We may also collect information about your visits to our Services, such as location data, web traffic data and what you do with our Services.

Our automated technologies may also collect information about your online activities over time or on others’ websites, using methods like behavioral tracking. If you wish to opt out of behavioural tracking, please contact us using the Contact Information outlined above.

When we use automated technologies (like cookies), the information we collect is generally statistical in nature. Nevertheless, it may include personal information or otherwise be associated with the information we collect, as described in this Privacy Policy.

If you wish to disable our cookies, you can typically disable them by changing your browser settings. In most modern browsers, you can block or delete cookies by clicking Settings > Privacy > Cookies.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.youradchoices.ca.

Before deciding to delete our cookies, please note that some of our cookies are necessary to access the essential features of the Services, and we recommend that you leave cookies enabled. If you choose to disable our cookies, some of our Services’ functionality may no longer be available to you.

When We Share Your Information with Others

We may share your information when one of the following circumstances applies:

1. With Your Consent. We may share your information with others with your consent or to fulfill the purpose for which you provided the information.
2. For Business Purposes. We provide information to vendors and service providers to help us provide the Services to you. Examples of our service providers include hosting or infrastructure providers, our customer relationship management providers, email providers, collaboration tools, Stripe (for payment processing) and other service providers we use to run our Services.
3. For Corporate Transactions. We may share information with actual or prospective acquirers, their representatives, and other relevant participants in the event of a merger, a reorganization of our business, or another similar transaction.
4. For Legal Reasons. We may share your information if we believe that it is necessary to comply with any legal obligation or process, such as responding to a government or regulatory request. Likewise, we may share your information if we believe that it is necessary to enforce our rights or the rights of our customers or users.

Who We Share Your Information With

We limit how we share your information, only providing it to the following:

1. Our affiliates, successors or, if we change our business or corporate structure, the ultimate operator of our Services.
2. Service providers and others with whom you consent or otherwise direct us to share your information with.
3. Contractors, service providers, and others that support our business, who provide the software we need to provide our Services to you.
4. Governmental authorities or courts, as required by law, or as is necessary to protect your rights, our rights, or the rights of others.

Please note that you may have opportunities to provide information directly to third parties through application programming interfaces (APIs) we offer. If you use our API, please review our API Terms of Service posted on our website.

International Processing, Transferring and Storing Your Information

We may choose to process, transfer or store your information in countries different from where you live. For example, we store Lunch Money’s data in the United States, which may have privacy requirements that are more or less comprehensive than the privacy obligations applicable to our relationship with you. Nevertheless, we will implement appropriate technical and organizational measures to ensure our contractors and service providers protect your data.

By using our Services or providing your information to us, you agree to us processing, transferring, or storing your information in other countries. You may obtain more information about our international processing, transfer and storage practices using the Contact Information noted above to contact our designated privacy officer.

Retaining & Deleting Your Information

We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, unless the law requires or permits otherwise. We may also keep information for the purposes of satisfying any legal, accounting, or reporting requirements applicable to us.

The length of time we keep your information for will generally depend on the type of information collected, why it was collected, and the sensitivity of the information. If, at any time, you wish to have your information deleted, please contact us.

Here are some examples of how and when we delete information provided to us:

1. At the end of a trial-period. If you sign up for a trial subscription to use our Services and you do not purchase a paid subscription at the end of the trial period, your data will be deleted within 1 month following the end of your trial period.
2. At your request. If you ask us to cancel your subscription to our Services, your data will be deleted within 2 weeks (or less) following the date of your cancellation request.

When we retain information, we may also choose to anonymize your personal information so that it can no longer be associated with you, and we may use such anonymous and de-identified data for our legitimate business purposes.

Accessing and Updating Your Information

We strive to keep the information we collect accurate and current, and we invite you to contact us when your information has changed. Privacy laws applicable to our relationship with you may give you the right to request access to the information we collect about you and often allow you to correct outdated information.

If you wish to access or correct your information, please contact us using the Contact Information above. Likewise, please contact us if you have any concerns or complaints about how we use or collect your information.

Please note that we may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

Additionally, in accordance with our data retention practices and applicable law, we may destroy or limit access to certain information we collect about you. Nevertheless, we will provide access to your personal information, subject to exceptions set out in applicable privacy legislation. Examples of such exceptions include:

• Information that is part of a formal dispute resolution process.
• Information that is about another individual that would reveal their personal information or confidential commercial information.
• Information that is prohibitively expensive to provide.

If we are unable to provide you with access to your information, we will explain why (subject to applicable law about these sorts of disclosures).

Privacy Practices Applicable to Certain Geographies

There are European privacy laws, including the European General Data Protection Regulation (GDPR), that can apply to you, our customer. To the extent these laws apply, we provide additional rights for our European customers.

With respect to the information that we collect when you use the Services, we are the data controller for that information and our service providers (with whom we share your information) are the data processors. Our lawful basis for collecting this information is to fulfill our agreement(s) with you, our legitimate interest in providing the Services to you, or to comply with our legal obligations. In some instances, our lawful basis for processing your information may also be your consent.

If the GDPR applies to our relationship with you, you may exercise your right to:

1. to request information about whether and which personal data is processed by us, and the right to demand that personal data is rectified or amended.
2. to request that personal data should be deleted.
3. to demand that the processing of personal data should be restricted.
4. to withdraw your consent to the processing and use of your data completely or partially at any time with future application.
5. to obtain your personal data in a common, structured and mechanically readable format.
6. to contact our data protection officer if there are any questions, comments, complaints or requests in connection with our statement on data protection and the processing of your personal data.
7. to complain to the responsible supervisory authority if believed that the processing of your personal data is in violation of the legislation.

Additionally, residents of the EEA and Switzerland may file a complaint with a data protection authority.

Any disputes arising out of or related to this Privacy Policy will be handled in accordance with the dispute resolution process indicated in your contract with us that refers to this Privacy Policy, if applicable.

Please contact us (using the Contact Information above) if you have any questions about exercising any of the above rights.

Changes to Our Privacy Policy

It is our policy to post any changes we make to our Privacy Policy on this page. Should we make any significant changes to our Privacy Policy and how we engage with your information, we will notify you. We also encourage you to periodically review our Privacy Policy to check for updates. The date the Privacy Policy was last revised is identified at the top of the page. Your continued access and use of the Services will be deemed to be your acceptance of this Privacy Policy.