Privacy Policy
Effective date: April 2026
1. Who We Are
Zero Loop Labs Ltd ("we", "us", "our") is the data controller for personal data processed through getpeppr and the getpeppr.dev website. We are registered in England & Wales, Company No. 17035492.
Zero Loop Labs Ltd
17 Heronforde
London W13 8JE
United Kingdom
privacy@getpeppr.dev
2. Data We Collect
2.1 Developer Accounts & API Usage
When you create an account and use the getpeppr API, we collect:
- Account credentials (name, email — managed via Clerk)
- API keys (stored as one-way SHA-256 hashes — we cannot recover plaintext keys)
- Invoice data you submit via the API (sender/receiver details, line items, amounts)
- API usage logs (timestamps, document IDs, response codes)
- Billing information (managed via Stripe — we do not store card numbers)
2.2 Live Chat
We use Crisp (Crisp IM SAS, France) to provide a live chat widget on our website and dashboard. Crisp may set cookies on your device to maintain chat sessions and remember conversation history. These cookies are functional and are not used for advertising or cross-site tracking.
2.3 Website Analytics
We do not use Google Analytics or similar tracking services. Apart from the cookies set by Crisp for live chat functionality (see section 2.2), no additional tracking cookies are placed by the marketing website.
2.4 Peppol Identifier Verification (KYB / Trust Layer)
To comply with our obligations as an OpenPeppol-accredited Integrator (UK EDIRA scheme) and to prevent fraud on a business-to-business payment network, when you add a production Peppol identifier we verify it against the relevant public business registry:
- UK companies (scheme GB:CRN) → Companies House (UK government registry)
- Belgian enterprises (scheme 0208) → VIES (European Commission VAT Information Exchange System)
- German VAT numbers (scheme 9930) → VIES (note: Germany withholds the registered name from VIES responses per member-state privacy policy; we verify only VAT validity)
- French SIRENE/SIRET identifiers (schemes 0002/0009) → VIES (SIREN root derived to VAT per the French key algorithm)
The verification compares your declared company name to the registry's name and returns a verdict (match / mismatch / not found). We retain a minimized audit record — provider, verdict, similarity score, country code, last four characters of the identifier, verification date — for 7 years from the verification date, per UK Money Laundering Regulations 2017 retention requirements. The raw registry name and address are not stored in the default audit record. After 7 years, the record is automatically purged by a monthly job.
2.5 Newsletter
When you subscribe to our newsletter (the EU e-Invoicing Mandate Tracker), we collect:
- Your email address
- The date, IP address, and browser used at signup (consent proof under UK GDPR)
- Your subscription status (pending / confirmed / unsubscribed)
We process this data on the legal basis of consent (Article 6(1)(a) GDPR) for the sole purpose of sending the EU e-Invoicing Mandate Tracker newsletter. We use double opt-in: you must click a confirmation link before any newsletter content is sent to you.
Processor: We use Resend (Resend.com Inc., USA) to deliver emails. Email delivery data is governed by Resend's privacy policy and a Data Processing Agreement we have in place.
Retention: We retain your data while you are subscribed. If you unsubscribe, we keep a record (email + status = "unsubscribed") indefinitely to ensure we never email you again, unless you request full erasure via privacy@getpeppr.dev.
You can unsubscribe at any time using the link in any newsletter email, or by emailing privacy@getpeppr.dev.
3. Legal Basis for Processing
- Consent (Article 6(1)(a) GDPR) — for product announcements and marketing communications. You may withdraw consent at any time by using the unsubscribe link included in our emails, or by contacting us at privacy@getpeppr.dev.
- Contract (Article 6(1)(b) GDPR) — for account management, API access, invoice processing, and billing. This data is necessary to provide the service.
- Legitimate interests (Article 6(1)(f) GDPR) — for security monitoring, fraud prevention, and improving service reliability.
- Legal obligation (Article 6(1)(c) GDPR) — for retaining financial records as required by UK law, and for retaining KYB verification evidence under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
- Multi-angle basis — Peppol identifier verification: We verify business registrations (section 2.4) under the combined authority of Article 6(1)(b) (contract necessity — our Terms of Service require a verified identifier before production sends), Article 6(1)(f) (legitimate interest in fraud prevention on a business-to-business payment network), and Article 6(1)(c) (legal obligation — OpenPeppol accreditation imposes Know-Your-Business duties on Integrators).
4. How We Use Your Data
- To send product announcements and service updates (consent-based, with one-click unsubscribe)
- To provide, operate, and improve the getpeppr API service
- To process invoices and transmit them to the Peppol network via our access point provider
- To manage billing and subscriptions via Stripe
- To detect and prevent abuse, fraud, and security incidents
- To comply with legal and regulatory obligations
5. Third-Party Processors and Data Sources
We share data with trusted processors under Data Processing Agreements:
- Clerk — identity and authentication management (US, Standard Contractual Clauses)
- Stripe — payment processing (US/EU, Standard Contractual Clauses)
- Storecove — Peppol network access point for invoice delivery (Netherlands/EU)
- Crisp — live chat support widget (Crisp IM SAS, France)
- Neon — serverless Postgres database hosting (EU region)
- Resend — transactional email delivery (US, Standard Contractual Clauses)
- Upstash — rate limiting and API response caching (EU region, Ireland)
- Vercel — website and API hosting (US, Standard Contractual Clauses)
For Peppol identifier verification we additionally query public business registries operated by independent data controllers (we do not transfer personal data to them — we only read published registry records):
- Companies House UK — UK government company registry (public registry, UK)
- European Commission VIES — EU VAT Information Exchange System (public service, EU)
We do not sell your personal data to third parties.
6. International Transfers
Some processors are located outside the UK/EEA. Where data is transferred internationally, we rely on Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) as safeguards.
7. Data Retention
- Account data: for the duration of your account, plus 30 days after account deletion to allow recovery, after which your data is permanently removed
- Invoice data: retained by our access point provider in accordance with their retention policy; 7 years for financial records required under UK law
- API usage logs: retained for 90 days, then automatically purged in accordance with GDPR Article 5(1)(c) (data minimisation)
- API response cache: up to 24 hours for idempotency and performance (automatically purged)
- Rate limiting data: IP addresses stored transiently (up to 15 minutes) for abuse prevention, then automatically deleted
- Billing records: 7 years (UK tax law)
- Peppol identifier verification records (Trust Layer): minimized audit record (provider, verdict, similarity score, country, last four characters of identifier, verification date) retained for 7 years from the verification date, per UK Money Laundering Regulations 2017; automatically purged on the 1st of each month
8. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data ("right to be forgotten"), subject to legal retention obligations
- Portability — receive your data in a machine-readable format
- Restriction — ask us to limit how we process your data
- Object — object to processing based on legitimate interests
- Withdraw consent — at any time, without affecting lawfulness of prior processing
To exercise any right, email privacy@getpeppr.dev. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority.
9. Security
We implement appropriate technical and organisational measures including TLS encryption in transit, SHA-256 hashing of API keys, IP-based rate limiting, and access controls. No method of transmission over the internet is 100% secure.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email (to registered users) or a notice on this page. Continued use of the service after changes constitutes acceptance.
11. Contact
Questions about this policy? Email us at privacy@getpeppr.dev.