Privacy Policy

Last updated: March 2026

1. Who we are

PinkPepper.io ("PinkPepper", "we", "us", "our") is the data controller for the personal data processed through this website and service. PinkPepper is an AI-assisted food safety compliance platform for EU and UK food businesses.

If you have any privacy questions or wish to exercise your rights, contact us at support@pinkpepper.io.

2. Data we collect

We collect the following categories of personal data:

  • Account data: email address, name, and password (hashed) when you register.
  • Billing data: payment method details and billing address, processed by Stripe. We do not store card numbers.
  • Usage data: chat messages, uploaded images, generated documents, conversation history, and usage counters (message counts, export counts).
  • Technical data: IP address, browser type, device identifiers, log data, and cookies. See our Cookie Policy.
  • Communications: messages you send to us via the contact form or email.

3. How we use your data

Purpose | Lawful basis
Provide and maintain the service (account, chat, exports) | Contract performance
Process subscription payments | Contract performance
Send transactional emails (account confirmation, billing receipts) | Contract performance
Enforce usage limits and detect abuse | Legitimate interests
Improve the service and troubleshoot issues | Legitimate interests
Comply with legal obligations (e.g., tax records) | Legal obligation
Respond to your support or review requests | Contract performance / Legitimate interests

4. Data retention

  • Free accounts: chat messages and conversations are retained for 30 days from creation, then automatically deleted.
  • Plus and Pro accounts: chat messages and conversations are retained for the lifetime of the account.
  • Account data: retained while your account is active. Upon verified deletion, your account and associated data are removed within 30 days.
  • Billing records: retained for 7 years to comply with financial and tax obligations.

5. Who we share your data with

We use the following third-party processors to deliver the service:

Processor | Purpose | Location
Supabase | Database, authentication, file storage | EU (Frankfurt)
Vercel | Hosting and edge delivery | EU / Global CDN
Groq | AI language model inference (chat) | US (covered by SCCs)
OpenAI | Embeddings and image analysis | US (covered by SCCs)
Stripe | Payment processing | US / EU (covered by SCCs)
Resend | Transactional email delivery | US (covered by SCCs)

We do not sell your personal data. We do not share your data with third parties for advertising or marketing purposes.

6. International transfers

Some of our processors (Groq, OpenAI, Stripe, Resend) are based in the United States. Where personal data is transferred outside the European Economic Area or the UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA) as the legal mechanism for those transfers.

Groq and OpenAI process your prompts and outputs solely for the purpose of generating responses; neither provider uses your inputs or outputs to train their models under our API agreements.

7. Your rights

Under GDPR and UK GDPR you have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure: request deletion of your personal data ("right to be forgotten"), subject to our legal retention obligations.
  • Portability: receive your data in a structured, machine-readable format.
  • Restriction: ask us to restrict processing of your data in certain circumstances.
  • Objection: object to processing based on legitimate interests.
  • Withdrawal of consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email support@pinkpepper.io. We will respond within one month. We may need to verify your identity before acting on a request.

8. Children's data

PinkPepper is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at support@pinkpepper.io and we will delete it.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption in transit, AES-256 encryption at rest, row-level security in our database, and restricted access controls. See our Security page for full details.

10. Cookies

We use essential cookies for authentication and session management, and a preference cookie to store your cookie consent choice. See our Cookie Policy for the full inventory.

11. Right to complain

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with a supervisory authority:

We would appreciate the opportunity to address your concerns before you contact a regulator, so please reach out to us first at support@pinkpepper.io.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.