Privacy policy

Last updated: April 2025

At Homlunch SAPI de CV (hereinafter “Homlunch”), we respect the privacy of our users, Hosts, and visitors, and recognize the importance of protecting their personal data. This Privacy Policy constitutes Homlunch’s comprehensive Privacy Notice, prepared in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) and other applicable Mexican legislation. This document explains what information we collect, how we use it, with whom we share it, and what your rights are regarding your personal data.

By registering on or using the homlunch.com platform and Homlunch services, you consent to the processing of your personal data according to the practices described in this Privacy Notice. If you do not agree with any of the terms outlined herein, please do not use the Platform or provide your personal data.

1. Identity and address of the data controller

The entity responsible for the processing of your personal data is Homlunch SAPI de CV, a company legally incorporated under the laws of Mexico, with its registered address in Mérida, Yucatán, Mexico. For the purposes of this Privacy Notice, Homlunch will determine how the personal data collected through the Platform is processed.

You may contact us regarding privacy and data protection at any time by sending an email to hello@homlunch.com  addressed to the "Data Protection Department". We will be attentive to address your inquiries and help you exercise your legal rights related to your personal data.

2. Personal data collected

Homlunch collects various types of personal data from its Users and Hosts in order to offer the Platform’s services. Below are the categories of data we may request or generate, as applicable:

• Identification data: First and last names, date of birth, age, gender, profile image or photo, and for Hosts, a copy of official identification (INE or equivalent), and if necessary, CURP.

• Contact data: Email address, mobile and/or landline number, home address (for Hosts, the address where meals are hosted; for Users, we may eventually request an address for billing or contact purposes).

• Authentication data: A password created by the User to access the Platform; security questions or two-factor authentication tokens (if enabled).

• Demographic and preference data: Information the User chooses to provide about their food preferences, dietary restrictions, language, or other characteristics that help us personalize the service (this data is typically optional).

• Platform-related data: Booking history (dates, Host, amount paid, number of guests), ratings or reviews provided by Users about Hosts (and vice versa), referral codes used, rewards earned through referral programs or other promotions, messages or communications exchanged through the Platform’s internal messaging system between Users and Hosts, and any other recorded interaction (e.g., recent logins, clicks in specific sections, etc. for analytics purposes).

• Financial data: To process payments, we collect, via payment gateways, the necessary information such as credit/debit card number, expiration date, cardholder name, as well as PayPal or other digital payment account information. Note: Homlunch does not directly store your card numbers; this is handled by our payment providers (Stripe, PayPal, etc.). However, we may store transaction identifiers, the last four digits of the card, and the bank provider for reference and verification.

• Location data: When registering a Host, we request the location of the home where meals will be offered. This location may be collected manually (written address) and/or automatically (via GPS or map APIs when the Host marks their location on a map). For Users, we may, with consent, collect approximate location via GPS or address—for example, to show nearby Hosts.

• Multimedia content: Photos of the Hosts' kitchen/dining spaces, images of the dishes they offer, promotional videos (if any), and potentially audio or video recordings of events (these would only be made with consent, in cases where Homlunch organizes promotional content with featured Hosts, for example).

• Sensitive data: As a general rule, Homlunch does not request sensitive personal data (such as health information, religious beliefs, ethnic origin, confidential financial data beyond payment processing, etc.) from its Users or Hosts for regular Platform operations. However, a User may voluntarily disclose sensitive information to a Host in specific contexts (e.g., to communicate food allergies or relevant health conditions). Any such data, to the extent it is shared through the Platform, will be treated with strict confidentiality and solely for the purpose for which the User provided it.

It is important to highlight that all data we request serves specific and legitimate purposes. In every case, we aim to collect only the data that is relevant and appropriate for the intended processing purpose (principle of data minimization).

Homlunch processes your personal data for various purposes, which are classified into primary (necessary to provide the service) and secondary (additional, not essential for the service but which enhance the user experience or provide complementary offerings). These purposes are detailed below:

A. Primary purposes (necessary):

1. Provision of core services: We use your data to enable interaction on the Platform, allowing Users to find and book homemade meals offered by Hosts, and enabling Hosts to receive and manage those bookings. For example, your name, contact details, and profile are used to create your account and present you to others; Hosts see the name (and sometimes photo) of Users who book, and Users see the selected Host's information.

2. Payment processing and commissions: We use the provided financial information to charge Users for bookings via Stripe, PayPal, or other payment gateways, and to transfer corresponding earnings to Hosts. This includes verifying the transaction, registering the payment in our systems, and maintaining internal accounting records.

3. Identity verification and safety: Collecting your official ID (INE or similar—for Hosts, and occasionally for Users) helps verify that registered individuals meet the legal age requirement and promotes community trust. These details may also be used to perform checks against public records solely to reduce platform risk (e.g., preventing identity fraud).

4. Booking communication and coordination: We use your contact details (phone, email) to send booking-related notifications: confirmations, reminders, cancellations, messages from Hosts or Homlunch, etc. For example, after booking, a User may receive an email with reservation details and the Host's address; the Host may get a WhatsApp message with the User's name and phone number to coordinate arrival. These communications are essential to the service.

5. Technical support and customer service: If you contact us for assistance or to report a problem (via email or WhatsApp), we will use the information you provide to help you. We may request additional diagnostic data (e.g., screenshots, device details) to resolve technical issues. We also keep records of support queries to ensure quality and follow-up.

6. Platform security maintenance: We may monitor usage data to detect potentially fraudulent or improper activity on the Platform, protecting all users. For instance, algorithms may flag suspicious logins, repeated cancellations, or inappropriate messages. This allows us to take preventive measures (e.g., additional verification, suspensions) to protect service integrity.

7. Legal compliance: We process and retain the necessary data to fulfill legal obligations, including tax requirements (e.g., keeping transaction records, issuing invoices), consumer protection regulations, or responding to court orders or government requests. For example, if authorities legally request data regarding a User or Host for an investigation, we may comply, provided it is properly justified.

B. Secondary purposes (additional):

1. Service improvement and internal analytics: We may use aggregated usage data to identify trends and user preferences, aiming to improve functionality, Host offerings, or usability. For example, analyzing demand in specific cities or popular meal types. These analyses are usually performed with statistical data, but in some cases (e.g., reviewing a specific booking issue), we may examine individual interactions.

2. Marketing and promotions: With your consent, we may use your contact information to send you promotional messages about Homlunch, including platform updates, new Hosts or experiences, discount coupons, satisfaction surveys, or event invitations. These communications may be sent via email, app push notifications, SMS, or WhatsApp. You may opt out of promotional messages at any time via the opt-out link in the email or by contacting us directly.

3. Referral program: If you participate in our referral program (as a referring or referred Host), we use your data to track referrals and apply corresponding incentives. For example, we log which referral code was used at sign-up and assign rewards accordingly. With your consent, we may publicly mention top referrers in community updates.

4. Testimonials and public content: With your express permission, we may use testimonials, reviews, or images of Users/Hosts to promote the Platform in public channels (e.g., social media posts featuring a highlighted Host with positive User feedback). In such cases, you will be asked for specific consent, and the scope of use will be explained (e.g., if your name, image, or comments will be visible and where).

5. Geolocation for suggestions: If Users enable geolocation in the Homlunch app, we may process real-time location data to suggest nearby Hosts or experiences. This enhances search relevance. This feature is optional and can be enabled/disabled in your device or app settings.

If you do not wish your data to be used for any or all of the above secondary purposes, you can express your refusal at the time of registration (e.g., unchecking the "I want to receive news and promotions" box) or at any later time by emailing our privacy contact. Refusal of secondary uses will not affect your access to the core service but may limit access to added features or benefits.

4. Personal data transfers

Homlunch does not sell or rent your personal data to third parties unrelated to the service. However, during the course of our operations, it may be necessary to share certain data with national or international third parties under the following circumstances:

• With other users or hosts (as applicable): The nature of the Platform requires sharing certain data between booking participants. For instance, when a User confirms a booking, Homlunch provides the Host with essential details: typically the User’s name, phone number, and/or email (for coordination), and any relevant notes (e.g., "allergic to peanuts"). Likewise, the User receives the Host’s contact info and address upon booking confirmation. This exchange is essential to fulfill the service agreement. Both parties agree to use this information solely for the booking and not disclose or misuse it.

• With third-party service providers: Homlunch works with partners and vendors to support operations and may need to share data with them. This includes:

  • Payment gateways (Stripe, PayPal, etc.): To process payments, we share transaction data and, if needed, personal data such as name, email, and amount. These providers manage the data under their own security policies.

  • Hosting and database services: The Platform may be hosted on third-party infrastructure (e.g., AWS, Azure), meaning data is stored on external servers, under confidentiality and security agreements.

  • Messaging and communication services: We use third-party tools (e.g., SMTP services, WhatsApp Business API) to send messages. In doing so, your contact details and message content may pass through those providers' systems, but they are prohibited from using the data beyond the instructed purpose.

  • Professional advisors: Limited data may be shared with legal, accounting, or consulting professionals assisting Homlunch, under confidentiality obligations. For example, in a legal dispute, account and transaction info may be shared with our attorneys.

• With government authorities: Homlunch may disclose personal data to judicial, administrative, or law enforcement authorities when legally required and properly documented. This may include subpoenas, tax inquiries, or criminal investigations. We only share what is strictly necessary and verify the legitimacy of each request.

• Corporate transactions: In the event of a merger, acquisition, asset sale, or similar corporate transaction, personal data may be transferred to the resulting entity. Homlunch will ensure the new party honors this Privacy Notice and will notify you if required by law, offering the chance to object if applicable.

Transfers requiring consent: The above transfers do not require additional consent as they fall within legal exceptions under Mexican data law (LFPDPPP). Homlunch commits not to share your data with other third parties unless we obtain your explicit consent. If a new type of data transfer becomes necessary, you will be informed and, when required by law, asked to authorize it.

International transfers: Given the digital nature of the Platform, some providers (e.g., cloud services, payment processors) may be located outside Mexico. By accepting this Privacy Notice, you authorize international data transfers, with the understanding that Homlunch will ensure these providers commit to confidentiality and data protection standards equivalent to those required under Mexican law. We will ensure any international transfer is covered under legally accepted mechanisms (e.g., countries with adequate protections or data protection clauses).

5. Use of cookies and similar technologies
The Homlunch Platform may use cookies and other tracking technologies (such as web beacons or pixel tags) to automatically collect certain data about your interaction with our service, in order to enhance the user experience and offer personalized features.

• What are cookies? Cookies are small text files stored on your device (computer, smartphone, tablet) when you visit a website. They help remember your preferences (such as your selected language), recognize you on future visits, and understand how you navigate through our pages.

• Types of cookies used: At Homlunch, we mainly use session cookies (which are deleted when you close your browser) and persistent cookies (which remain for a defined period or until you delete them). Some cookies are essential for the basic functioning of the Platform (e.g., keeping your session active, saving navigation items), while others are analytical and performance-related (e.g., Google Analytics may place cookies to help us measure traffic and usage patterns), and others are for functionality or preference (e.g., remembering your preferred city to show local Hosts). We may eventually use advertising cookies if we promote our services on other sites, but currently, Homlunch does not display third-party ads on the Platform.

• User options: You can configure your browser to reject some or all cookies, or to alert you when they are being sent. However, please note that disabling cookies may affect certain features of Homlunch (e.g., your session may be closed or your reservation cart not remembered). We will display a cookie banner or notice on our website, when applicable, to inform you and obtain your consent for non-essential cookies. Continuing to use our site without disabling cookies will be considered consent to their use.

In addition to cookies, we may use third-party tools like Google Analytics, Facebook Pixel, or others that use similar technologies to collect anonymous information about site usage (e.g., pages viewed, time on page, conversions). This information helps us analyze the effectiveness of our campaigns and improve content. These third parties handle the data according to their own privacy policies.

6. ARCO Rights (Access, Rectification, Cancellation, and Objection) and Other Rights
In accordance with Mexican data protection laws, you have the right to exercise your ARCO rights before Homlunch, as defined below:

• Access: The right to request access to your personal data held by Homlunch, as well as information about its processing. This allows you to know what data we have, how we use it, with whom we share it, and the general terms of its processing.

• Rectification: The right to request correction or updating of your personal data if it is inaccurate, outdated, or incomplete. For example, if your name is misspelled or your phone number has changed, you may ask us to correct it.

• Cancellation: The right to request the deletion or cancellation of your personal data from our databases when you believe it is not being processed in accordance with applicable principles, duties, and obligations. If applicable, your data will be blocked and later deleted from our records once it is no longer needed for the original purposes. Note: In some cases, due to legal requirements, we may not be able to delete certain data immediately (e.g., transaction information we must keep for tax compliance or dispute resolution). We will inform you if this is the case.

• Objection: The right to object, for legitimate reasons, to the processing of your personal data. This means you may ask Homlunch to stop processing certain data when: a) a purpose does not require your consent but you have a specific situation that justifies not processing it, or b) for secondary purposes like marketing, simply by expressing your wish not to receive such communications anymore.

In addition to ARCO rights, the law allows you to revoke any consent previously granted to process your data. For instance, if you consented to data use for marketing purposes, you may withdraw that consent, and we will stop using your data for that purpose.

How to exercise these rights: You (or your duly authorized legal representative) may send an ARCO Request at any time to exercise any of the above rights. Please email your request to hello@homlunch.com including at least the following:

• Your name and a way for us to communicate the response (e.g., email or physical address).
• Documents proving your identity (copy of official ID), or in the case of a representative, proof of representation (e.g., power of attorney or signed letter with witnesses).
• A clear and precise description of the personal data and the specific right you wish to exercise. For example: “I request Access to my personal data, specifically my Reservation history and profile data” or “I request Rectification of my last name; it should be X instead of Y.” For Rectification, include supporting documentation if necessary.
• Any additional details that help us locate your data, such as the email used to register with Homlunch or a date range when the data may have been collected.

Once your complete request is received, Homlunch will notify you of the decision within 20 business days. If the request is accepted, the corresponding action will be carried out within the following 15 business days. If your request is incomplete or incorrect, or lacks supporting documentation, Homlunch will ask for the missing information within 5 business days of receipt. You will have 10 business days to respond. Failure to respond will result in your request being considered not submitted.

Responses will be sent via the method you specify (typically email unless another is requested). If Access is granted, we will provide simple copies, electronic files, or on-site consultation of the data, as applicable. For data Cancellation, keep in mind this right is not absolute; we may block and later delete the data after fulfilling mandatory retention periods.

Revoking consent: If you wish to withdraw your consent for a specific processing activity (e.g., stop receiving promotional emails, or revoke consent to retain data after a certain date), you may follow a process similar to the Objection request: submit a request specifying clearly what consent you are revoking. For marketing communications, you can also use the opt-out mechanisms provided in each message.

Limiting use or disclosure: You may also ask Homlunch at any time to limit the use or disclosure of your personal data. For instance, you may request inclusion in our internal opt-out list to stop receiving bulk emails, or ask that certain information no longer be displayed publicly on the Platform (e.g., you may request that your Host profile be hidden while taking a break from offering services). We will fulfill such requests when appropriate and technically feasible.

7. Storage and protection of personal data
Homlunch adopts administrative, technical, and physical security measures to protect your personal data from damage, loss, alteration, destruction, or unauthorized use, access, or processing. These include:

• Access control: Only authorized Homlunch staff or service providers (bound by confidentiality obligations) may access systems and databases with personal data, and only for permitted purposes. Different permission levels are implemented based on role.

• Technical safeguards: We use encryption (SSL/TLS) for transmitting sensitive data (e.g., when you enter your password or payment details). User passwords are stored encrypted or hashed — never in plain text. We also use firewalls, antivirus, and intrusion detection systems.

• Backups: Regular backups are conducted to prevent data loss. These backups are also secured and stored separately. In case of incidents, we have procedures to restore data availability promptly.

• Internal audits and policies: Homlunch trains its staff in privacy and data security and maintains clear internal policies for appropriate data handling. We also conduct periodic reviews and tests of our security measures.

Although we strive to protect your information, no system is infallible or 100% secure. Therefore, we cannot guarantee that no security breach will ever occur. If a data breach significantly affects your personal data, we will notify you as required by law and take immediate corrective measures.

As a user, you also play a role in protecting your data: keep your password confidential, don’t share it with others, and log out after using the Platform, especially on public computers. Homlunch will never ask for your password via email or insecure channels. Please report any suspicious messages to us.

8. Data retention
The personal data you provide will be processed and stored by Homlunch for as long as necessary to fulfill the purposes for which it was collected. In general terms:

• Account and profile data will be retained as long as your account is active. If you deactivate your account or request data cancellation, your information will first be blocked and then securely deleted from our systems, unless a legal or contractual reason exists to keep it longer.

• Transaction-related data (e.g., reservations, payments, billing) may be retained for longer periods, even if you no longer have an active account, when required by tax or legal compliance. For example, tax law may require us to retain financial records for 5 years. We may also retain certain records if there’s a dispute or potential legal claim, until such claims expire.

• Public content you contributed (such as reviews or ratings) may remain visible on the Platform even after your account is closed, as it is linked to past experiences and may benefit other users. However, authorship may be anonymized (e.g., displayed as “Former user” instead of your full name). If you want such content removed, you can request it, and we will assess it on a case-by-case basis, balancing privacy and freedom of expression.

• Data collected for analysis or improvement is anonymized or aggregated, and in such form may be stored indefinitely without identifying individuals.

Once data is no longer needed for its original purposes and no legal obligation remains to retain it, we will securely delete it. In some cases, we may anonymize certain data instead of deleting it (i.e., remove or modify fields so that it can no longer be linked to an identifiable person). Anonymized data is no longer considered personal data and may be used legitimately for statistical purposes.

9. Changes or updates to this privacy notice
Homlunch reserves the right to make modifications or updates to this Privacy Notice at any time, for example, to reflect changes in our information practices, incorporate new legal requirements, or adapt to new services we offer. When there is a substantial change to this Notice, we will inform you through appropriate means, such as posting a prominent notice on our Platform, sending an email to the address you provided, or using other communication channels.

The beginning of this document will indicate the date of the latest update. We encourage you to periodically review this Privacy Policy to stay informed about how we protect your information.

If the changes require your consent, we will request it through the appropriate means (for example, you may see a notification asking for your acceptance of the new terms when logging in). If you continue to use the Homlunch Platform and services once the new Privacy Notice is in effect, we will assume you have read and consented to the corresponding changes.

10. Applicable law and data protection authority

This Privacy Notice is governed by Mexican law, particularly the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and its regulations, as well as the Privacy Notice Guidelines issued by the competent authority. Homlunch strives to fully comply with these legal frameworks for the benefit of data subjects.

If you believe that your right to personal data protection has been violated by any conduct from our employees or through our actions or responses, or if you suspect that there has been any breach of the applicable data protection laws, you have the right to file a complaint or claim before the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) or any authority that may replace it. For more information, you can visit INAI's official website (www.inai.org.mx) and consult the Personal Data Protection section, where the procedures and requirements for such actions are described.

11. Acceptance

By providing your personal data and using the Homlunch Platform, you express your consent to the terms of this Privacy Notice. In particular, you consent to the processing of your data in accordance with the purposes described herein and, if applicable, to their transfer to third parties under the terms indicated.

If Homlunch needs to process your data for a purpose different from those stated, we will inform you of the new purposes and, when legally required, request new authorization.

Homlunch appreciates the trust placed in us by our Users and Hosts. We are committed to protecting your personal data with seriousness and transparency. If you have any further questions regarding this Privacy Notice or any aspect of how we handle your information, please do not hesitate to contact us through the channels provided in Section 1 (Data Protection Department).

Last updated: April 22, 2025

All matters related to privacy and data protection at Homlunch are handled in accordance with applicable Mexican law, always ensuring respect for the principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality, and responsibility in the processing of your personal data.