Privacy Policy
Effective date: April 2026
1. Who We Are
Zero Loop Labs Ltd ("we", "us", "our") is the data controller for personal data processed through getpeppr and the getpeppr.dev website. We are registered in England & Wales, Company No. 17035492.
Zero Loop Labs Ltd
17 Heronforde
London W13 8JE
United Kingdom
privacy@getpeppr.dev
2. Data We Collect
2.1 Waitlist Registrations
When you join our waitlist, we collect:
- Email address
- Date and time of registration
- IP address (for spam prevention, not stored long-term)
2.2 Developer Accounts & API Usage
When you create an account and use the getpeppr API, we collect:
- Account credentials (name, email — managed via Clerk)
- API keys (stored as one-way SHA-256 hashes — we cannot recover plaintext keys)
- Invoice data you submit via the API (sender/receiver details, line items, amounts)
- API usage logs (timestamps, document IDs, response codes)
- Billing information (managed via Stripe — we do not store card numbers)
2.3 Live Chat
We use Crisp (Crisp IM SAS, France) to provide a live chat widget on our website and dashboard. Crisp may set cookies on your device to maintain chat sessions and remember conversation history. These cookies are functional and are not used for advertising or cross-site tracking.
2.4 Website Analytics
We do not use Google Analytics or similar tracking services. Apart from the cookies set by Crisp for live chat functionality (see section 2.3), no additional tracking cookies are placed by the marketing website.
2.5 Peppol Identifier Verification (KYB / Trust Layer)
To comply with our obligations as an OpenPeppol-accredited Integrator (UK EDIRA scheme) and to prevent fraud on a business-to-business payment network, when you add a production Peppol identifier we verify it against the relevant public business registry:
- UK companies (scheme GB:CRN) → Companies House (UK government registry)
- Belgian enterprises (scheme 0208) → VIES (European Commission VAT Information Exchange System)
- German VAT numbers (scheme 9930) → VIES (note: Germany withholds the registered name from VIES responses per member-state privacy policy; we verify only VAT validity)
- French SIREN (scheme 0225) → VIES (SIREN derived to VAT per the French key algorithm)
The verification compares your declared company name to the registry's name and returns a verdict (match / mismatch / not found). We retain a minimized audit record — provider, verdict, similarity score, country code, last four characters of the identifier, verification date — for 7 years from the verification date, per UK Money Laundering Regulations 2017 retention requirements. The raw registry name and address are not stored in the default audit record. After 7 years, the record is automatically purged by a monthly job.
3. Legal Basis for Processing
- Consent (Article 6(1)(a) GDPR) — for waitlist emails and marketing communications. You may withdraw consent at any time by using the unsubscribe link included in our emails, or by contacting us at privacy@getpeppr.dev.
- Contract (Article 6(1)(b) GDPR) — for account management, API access, invoice processing, and billing. This data is necessary to provide the service.
- Legitimate interests (Article 6(1)(f) GDPR) — for security monitoring, fraud prevention, and improving service reliability.
- Legal obligation (Article 6(1)(c) GDPR) — for retaining financial records as required by UK law, and for retaining KYB verification evidence under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
- Multi-angle basis — Peppol identifier verification: We verify business registrations (section 2.5) under the combined authority of Article 6(1)(b) (contract necessity — our Terms of Service require a verified identifier before production sends), Article 6(1)(f) (legitimate interest in fraud prevention on a business-to-business payment network), and Article 6(1)(c) (legal obligation — OpenPeppol accreditation imposes Know-Your-Business duties on Integrators).
4. How We Use Your Data
- To send waitlist updates and product announcements (consent-based)
- To provide, operate, and improve the getpeppr API service
- To process invoices and transmit them to the Peppol network via our access point provider
- To manage billing and subscriptions via Stripe
- To detect and prevent abuse, fraud, and security incidents
- To comply with legal and regulatory obligations
5. Third-Party Processors and Data Sources
We share data with trusted processors under Data Processing Agreements:
- Clerk — identity and authentication management (US, Standard Contractual Clauses)
- Stripe — payment processing (US/EU, Standard Contractual Clauses)
- Storecove — Peppol network access point for invoice delivery (Netherlands/EU)
- Crisp — live chat support widget (Crisp IM SAS, France)
- Neon — serverless Postgres database hosting (EU region)
- Resend — transactional email delivery (US, Standard Contractual Clauses)
- Upstash — rate limiting and API response caching (EU region, Ireland)
- Vercel — website and API hosting (US, Standard Contractual Clauses)
For Peppol identifier verification we additionally query public business registries operated by independent data controllers (we do not transfer personal data to them — we only read published registry records):
- Companies House UK — UK government company registry (public registry, UK)
- European Commission VIES — EU VAT Information Exchange System (public service, EU)
We do not sell your personal data to third parties.
6. International Transfers
Some processors are located outside the UK/EEA. Where data is transferred internationally, we rely on Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) as safeguards.
7. Data Retention
- Waitlist emails: until the product launches or you request deletion by emailing privacy@getpeppr.dev
- Account data: for the duration of your account, plus 30 days after account deletion to allow recovery, after which your data is permanently removed
- Invoice data: retained by our access point provider in accordance with their retention policy; 7 years for financial records required under UK law
- API usage logs: retained for 90 days, then automatically purged in accordance with GDPR Article 5(1)(c) (data minimisation)
- API response cache: up to 24 hours for idempotency and performance (automatically purged)
- Rate limiting data: IP addresses stored transiently (up to 15 minutes) for abuse prevention, then automatically deleted
- Billing records: 7 years (UK tax law)
- Peppol identifier verification records (Trust Layer): minimized audit record (provider, verdict, similarity score, country, last four characters of identifier, verification date) retained for 7 years from the verification date, per UK Money Laundering Regulations 2017; automatically purged on the 1st of each month
8. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data ("right to be forgotten"), subject to legal retention obligations
- Portability — receive your data in a machine-readable format
- Restriction — ask us to limit how we process your data
- Object — object to processing based on legitimate interests
- Withdraw consent — at any time, without affecting lawfulness of prior processing
To exercise any right, email privacy@getpeppr.dev. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority.
9. Security
We implement appropriate technical and organisational measures including TLS encryption in transit, SHA-256 hashing of API keys, IP-based rate limiting, and access controls. No method of transmission over the internet is 100% secure.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email (to registered users) or a notice on this page. Continued use of the service after changes constitutes acceptance.
11. Contact
Questions about this policy? Email us at privacy@getpeppr.dev.