Privacy Policy

Where To Lunch (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. It is written in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using the Service, you consent to the practices described in this policy.

2.1 Information you provide

• Account information — your name, email address, and profile picture, obtained via Google or LinkedIn OAuth when you sign in.
• Profile preferences — dietary requirements, cuisine preferences, and suburb preferences you set in your profile.
• Lunch plans — restaurant selections, dates, and co-attendees associated with plans you create or join.

2.2 Information collected automatically

• Usage data — pages visited, features used, and interactions with the Service, collected via server logs.
• Device information — browser type, operating system, and IP address for security and analytics purposes.
• Session data — authentication session tokens stored in HTTP-only cookies.

2.3 Information from third parties

• Public profile information provided by Google or LinkedIn at sign-in, limited to what you have authorised those platforms to share.

We use the information we collect to:

• Provide, maintain, and improve the Service.
• Generate personalised AI-powered restaurant recommendations.
• Enable group lunch coordination features.
• Send transactional notifications (e.g. lunch plan updates) via email.
• Detect and prevent fraudulent or abusive activity.
• Comply with legal obligations.

We will not use your information for any purpose incompatible with the purpose for which it was collected without your consent.

We do not sell, rent, or trade your personal information. We may share it only in the following circumstances:

• Service providers — trusted third-party vendors (e.g. Neon for database hosting, Vercel for deployment, Resend for email delivery) who process data on our behalf under strict data processing agreements.
• Other users — your display name and profile picture are visible to other members of lunch plans you join.
• Legal requirements — when required by law, court order, or governmental authority.
• Business transfers — in connection with a merger, acquisition, or sale of assets, with advance notice to you.

We use HTTP-only cookies solely for authentication session management. We do not use third-party advertising cookies or cross-site tracking.

You can configure your browser to refuse cookies, but this may prevent you from signing in to the Service.

We retain your personal information for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal information within 30 days, except where we are required to retain it for legal or compliance purposes.

We implement industry-standard technical and organisational measures to protect your information, including TLS encryption in transit, encrypted database connections, and access controls limited to authorised personnel.

No method of transmission over the internet is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

Under the Australian Privacy Principles, you have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate or incomplete information.
• Request deletion of your account and associated data.
• Opt out of non-essential communications.
• Lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

To exercise these rights, contact us at hello@wheretolunch.app. We will respond within 30 days.

The Service is not directed at children under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that we have inadvertently collected such information, we will delete it promptly.

The Service may contain links to third-party websites (e.g. restaurant listings on Broadsheet or Timeout). We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Service at least 14 days before they take effect. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

This Privacy Policy is governed by the laws of Victoria, Australia. For privacy enquiries or complaints, contact us at:

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).