Privacy Policy

August 2, 2020

Welcome!

We are glad you want to join us and because we care about your privacy, we are sharing below the information you need to read before you accept this policy and join us fully.

This policy describes what information we collect when you use Lunsj’s sites, services, mobile applications, products, and content (“Services”). It also provides information about how we store, transfer, use, and delete that information, and what choices you have with respect to the information.

This policy applies to Lunsj’s online video meeting tool, including the website and mobile applications, and other Lunsj websites (collectively “the Websites”), as well as other interaction (e.g. customer support conversations, user surveys and interviews etc.) you may have with Lunsj.

This policy applies where we are acting as a Data Controller with respect to the personal data of users of our Services; in other words, where we determine the purposes and means of the processing of that personal data. For content and data that you upload to or make available through the Service (“User Content”), you are responsible for ensuring this content is in accordance with our Terms of Service, and that the content is not violating other users’ privacy.

Who are we?

Lunsj is based in Oscars gate 6a in Oslo, Norway and our goal is to create more engaged, collaborative and inclusive workplaces.

What do we need your data for?

We are collecting your contact details in order to create your account and match you with your colleagues using Lunsj match programs. For this we collect the following: full name, e-mail address, role, office, etc. In order to provide you with the best user experience through analyzing analytics, and some additional reporting features we also need to collect: IP addresses, match program appointment meta data, usage statistics, etc.

How we collect, process, and store information

The following is a list of data we collect, process or store, with the purpose and legal ground listed for each item or group of items having the same purpose and legal ground:

User account information: Users that choose to register in Lunsj, will have to provide a valid email address. The information may be used for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you. This is required to deliver the Service to you as user, by taking steps, at your request, to enter into and to fulfilling such a contract (Terms of Service) cf. GDPR art. 6 (1) item b.

Biometric information: Through our video conferencing integrations, we will need to process, not control, data that according to GDPR is part of special categories of personal data, like Biometric data. No recordings will be done on Lunsj or our partners side, but in order for a the calls to take place, access to your camera and your microphone are needed.

Transaction information: Customers that choose to purchase a paid version of the Services provide Lunsj (and our payment processors) with billing details such as credit card information, billing email, banking information, location at the time of transaction and/or a billing address. The transaction data may be processed for the purpose of supplying the purchased services and keeping proper records of those transactions. This data may be used for the purpose of delivering the Services to you. Processing this information is required for fulfilling the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) item b. Additionally, this information needs to be retained in order to comply with accounting and tax regulation cf. GDPR art. 6(1) item c.

Usage information: When you as a user interact with the Services, we collect and process metadata to provide additional context about the way the Service is being used. The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is our server software and our analytics tracking system.

Product Analytics data: Lunsj logs activities by you and other users when the users interact with our websites or apps, when a page is visited or meta data regarding appointments. We will never collect or record the content in appointments.

Technical log data: Like most digital services, our servers automatically collect information when Websites or Services are accessed or used and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited within the Services, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data.

Device information: Lunsj may collect and process information about devices used to access the Services, including type of device, what operating system is used, device settings, application IDs, unique device identifiers and crash data. Whether we collect and process some or all of this information depends on the type of device used and its settings.

Location information: We receive information from you and other third-parties that helps us approximate your location. We may, for example, use a business address submitted by your employer, or an IP address received from your browser or device to determine approximate location. Lunsj may also collect location information from devices in accordance with the consent process provided by your device. The legal basis for this processing is our legitimate interests cf. GDPR art. 6 (1) item f, namely using this data for the purpose of ensuring the proper administration of our website and business, analyzing the use of the website and services, monitoring and improving our website and services, improving the user experience, preventing abuse, and assisting users with support inquiries. For information about cookies and how to opt out of cookies, see our Cookie Policy.

Customer Support Information: We may process information that you send to us, should you choose to submit a ticket to our support email help@lunsj.ai . If you contact us, we may use your Account, Organization, Transaction or Usage Information to respond. Processing this information it is required for performing the contract we entered into with you, at your request (our Terms of Service), as well as our legitimate interest of handling your requests cf. GDPR art. 6 (1) item f.

Product and Marketing communication: We may process information that you provide to us for the purpose of subscribing to our email newsletters. The notification data may be processed for the purposes of sending you relevant product information or newsletters. The legal basis for this processing is your consent cf. GDPR art. 6 (1) item a.

Service and transactional notifications communication: Sometimes we’ll send you emails about your account, service changes or new policies. You can’t opt out of this type of “service or transactional” emails (unless you delete your account) as they are necessary information for the Services. The legal grounds for processing this information is that it is required for performing our commitment about communicating changes in plans and pricing to you in the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) item b, and our legitimate interest of communicating important information about your account to, cf. GDPR art. 6 (1) item f.

Correspondence information: We may process information that you choose to share with us if you participate in a focus group, contest, activity or event, apply for a job, interact with our social media accounts or otherwise communicate with Lunsj. The correspondence data may be processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is our legitimate interests cf. GDPR art. 6 (1) item f, namely the proper administration of our website and business and communications with users.

Integrations with external services: You as a participant in a meeting may choose to open one of the integrations we provide (Google and others). We may store data from use of integrations in a local browser storage, and process this to enrich the user experience. This data can be deleted by deleting it from the cache of your browser. When using an integration, metadata like title, thumbnail, dates and share permissions about content selected may be fetched and displayed in the web page. We may store non-personal/non-restricted information (eg. content id and access date) in a local browser storage to display lists of recent opened integrations. Restricted metadata is always stored by the services themselves and requires explicit consent given by the facing user to fetch it. The implementation is in compliance with the service's privacy policies. The information may be used for the purposes of operating our website and providing our services. This is required to deliver the Service to you as user, by taking steps, at your request, to enter into and to fulfilling such a contract (Terms of Service) cf. GDPR art. 6 (1) item b. We at Lunsj are committed to safeguarding the privacy of our users. Our business model is to provide a paid service to users and does not rely on widespread collection of general user data. We will only collect and process information that we need to deliver the service to you, and to continue to maintain and develop the service. Lunsj may collect, store and process various kinds of data, with different legal grounds, as listed below. For the categories of data that require your consent, we will actively ask you for consent before collecting any data.

Providing your personal data to others

We may share information about with third parties in some circumstances, including: (1) with your consent; (2) to a service provider or partner who meets our data protection standards; (3) with academic or non-profit researchers, with aggregation, anonymization; (4) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other legal process; (5) to protect the vital interest of others, when we have reason to believe that doing so will prevent harm to someone or illegal activities.


Our categories of service providers and partners are:
- Hosting/infrastructure/storage providers
- Payment processors
- Analysis tools providers
- Customer Support tools providers
- Marketing and email providers
- Recruiting tools providers Internal communication tools providers

Business Transfers
We may disclose your personal data to any member of our group of companies (this means our subsidiaries, our ultimate holding company and all its subsidiaries) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy. In the case where we are involved in a merger, acquisition, bankruptcy, reorganization or sale of assets such that your information would be transferred or become subject to a different privacy policy, we will notify you in advance and give you the option to delete your data before the transfer.

International transfers of your personal data

We strive to keep all stored data within the European Economic Area (EEA), but in some circumstances your personal data may be transferred to countries outside it. You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others.

We have offices and facilities in Norway, but our members work remotely from around the world. The hosting facilities for Account information stored by Lunsj are situated in Ireland. The hosting facilities for Usage information are also situated in Ireland. All data transfers will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the European Commission, a copy of which can be obtained from https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.

Retaining and deleting personal data

Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

We will retain your personal data as follows:
- Transaction information will be retained for a minimum period of 5 years following date of the transaction, and for a maximum period of 10 years following the date of the transaction.

In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:
- Account information will be retained until you decide to delete your account from Lunsj.
- Information about you used for Product and Marketing communication will be retained as long as you have given us consent to use this information.
- The period of retention of usage information will be determined based on the need for historical data to determine statistical validity and relevance for product decisions and technical monitoring.

Regardless of the provisions above, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

Changes to this policy

We can change these Terms at any time. If a change is material, we’ll let you know before it takes effect. By using Lunsj on or after that effective date, you agree to the new Terms. If you don’t agree to them, you should delete your account before they take effect, otherwise your use of the Service and Content will be subject to the new Terms.

Managing and deleting your personal information

If you have a Lunsj account, you can access, modify or export your personal information, or delete your account in Settings. If you delete your account, your information and content will be unrecoverable after that time. You may instruct us at any time not to process your personal information for marketing purposes, by adjusting your Privacy settings). We may withhold personal information that you request to the extent permitted by law.  

Do we ensure your GDPR rights?

Yes.

You can access your rights at any point by contacting us at gdpr@lunsj.ai. Below are the rights you have when you use Lunsj:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
- The right to withdraw your consent at any point.
- The right to lodge a complaint to your national supervisoryData Protection Authority.

As a Norwegian company, Lunsj uses the Norwegian Data Protection Authority (Datatilsynet) as a supervising authority. You may find further information on their website: https://www.datatilsynet.no/.

You may contact your national/state supervisory authority, but Lunsj will retain the Norwegian Data Protection Authority as our lead supervisory authority. For any questions regarding your rights or other GDPR issues please contact our DPO Kristian Elset Bø at keb@lunsj.ai.