Privacy Policy
Effective date: March 2026
1. Who We Are
Zero Loop Labs Ltd ("we", "us", "our") is the data controller for personal data processed through getpeppr and the getpeppr.dev website. We are registered in England & Wales, Company No. 17035492.
Zero Loop Labs Ltd
17 Heronforde
London W13 8JE
United Kingdom
privacy@getpeppr.dev
2. Data We Collect
2.1 Waitlist Registrations
When you join our waitlist, we collect:
- Email address
- Date and time of registration
- IP address (for spam prevention, not stored long-term)
2.2 Developer Accounts & API Usage
When you create an account and use the getpeppr API, we collect:
- Account credentials (name, email — managed via Clerk)
- API keys (stored as one-way SHA-256 hashes — we cannot recover plaintext keys)
- Invoice data you submit via the API (sender/receiver details, line items, amounts)
- API usage logs (timestamps, document IDs, response codes)
- Billing information (managed via Stripe — we do not store card numbers)
2.3 Live Chat
We use Crisp (Crisp IM SAS, France) to provide a live chat widget on our website and dashboard. Crisp may set cookies on your device to maintain chat sessions and remember conversation history. These cookies are functional and are not used for advertising or cross-site tracking.
2.4 Website Analytics
We do not use Google Analytics or similar tracking services. Apart from the cookies set by Crisp for live chat functionality (see section 2.3), no additional tracking cookies are placed by the marketing website.
3. Legal Basis for Processing
- Consent (Article 6(1)(a) GDPR) — for waitlist emails and marketing communications. You may withdraw consent at any time by using the unsubscribe link included in our emails, or by contacting us at privacy@getpeppr.dev.
- Contract (Article 6(1)(b) GDPR) — for account management, API access, invoice processing, and billing. This data is necessary to provide the service.
- Legitimate interests (Article 6(1)(f) GDPR) — for security monitoring, fraud prevention, and improving service reliability.
- Legal obligation (Article 6(1)(c) GDPR) — for retaining financial records as required by UK law.
4. How We Use Your Data
- To send waitlist updates and product announcements (consent-based)
- To provide, operate, and improve the getpeppr API service
- To process invoices and transmit them to the Peppol network via our access point provider
- To manage billing and subscriptions via Stripe
- To detect and prevent abuse, fraud, and security incidents
- To comply with legal and regulatory obligations
5. Third-Party Processors
We share data with trusted processors under Data Processing Agreements:
- Clerk — identity and authentication management (US, Standard Contractual Clauses)
- Stripe — payment processing (US/EU, Standard Contractual Clauses)
- Storecove — Peppol network access point for invoice delivery (Netherlands/EU)
- Crisp — live chat support widget (Crisp IM SAS, France)
- Neon — serverless Postgres database hosting (EU region)
- Resend — transactional email delivery (US, Standard Contractual Clauses)
- Upstash — rate limiting and API response caching (EU region, Ireland)
- Vercel — website and API hosting (US, Standard Contractual Clauses)
We do not sell your personal data to third parties.
6. International Transfers
Some processors are located outside the UK/EEA. Where data is transferred internationally, we rely on Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) as safeguards.
7. Data Retention
- Waitlist emails: until the product launches or you request deletion by emailing privacy@getpeppr.dev
- Account data: for the duration of your account, plus 30 days after account deletion to allow recovery, after which your data is permanently removed
- Invoice data: retained by our access point provider in accordance with their retention policy; 7 years for financial records required under UK law
- API usage logs: retained for 90 days, then automatically purged in accordance with GDPR Article 5(1)(c) (data minimisation)
- API response cache: up to 24 hours for idempotency and performance (automatically purged)
- Rate limiting data: IP addresses stored transiently (up to 15 minutes) for abuse prevention, then automatically deleted
- Billing records: 7 years (UK tax law)
8. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data ("right to be forgotten"), subject to legal retention obligations
- Portability — receive your data in a machine-readable format
- Restriction — ask us to limit how we process your data
- Object — object to processing based on legitimate interests
- Withdraw consent — at any time, without affecting lawfulness of prior processing
To exercise any right, email privacy@getpeppr.dev. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority.
9. Security
We implement appropriate technical and organisational measures including TLS encryption in transit, SHA-256 hashing of API keys, IP-based rate limiting, and access controls. No method of transmission over the internet is 100% secure.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email (to registered users) or a notice on this page. Continued use of the service after changes constitutes acceptance.
11. Contact
Questions about this policy? Email us at privacy@getpeppr.dev.