Security & Trust
Your compliance data is safe with us
PinkPepper is built for regulated food businesses. We take the security of your HACCP plans, SOPs, and operational records seriously — because your auditors do too.
Infrastructure
PinkPepper is hosted on Supabase (database, authentication, and file storage) running on AWS infrastructure in the EU region. Application delivery is handled by Vercel, with edge nodes serving EU traffic locally where possible.
Both Supabase and Vercel maintain ISO 27001-aligned security programmes and publish their own security documentation. You can review their policies via the subprocessor table below.
Encryption
- In transit: All traffic between your browser and PinkPepper is encrypted using TLS 1.2 or higher. Connections to third-party AI providers are also TLS-encrypted.
- At rest: All data stored in Supabase (Postgres and object storage) is encrypted at rest using AES-256, managed by AWS.
- Passwords: We do not store passwords. Authentication is handled by Supabase Auth, which uses industry-standard bcrypt hashing and supports magic-link email sign-in.
Access Control & Data Isolation
Every database query in PinkPepper is subject to Row Level Security (RLS) enforced at the database level by Supabase. This means that even if application-layer logic had a bug, users cannot access another user's conversations, documents, or account data.
Admin access to PinkPepper infrastructure requires authenticated Supabase credentials and is restricted to authorised personnel only.
AI Data Handling
PinkPepper uses two AI providers for its core features:
- Groq (text chat responses) — accessed via API. Per Groq's API terms, your prompts and outputs are not used to train AI models.
- OpenAI (image analysis and semantic search embeddings) — accessed via API. Per OpenAI's API data usage policy, API inputs and outputs are not used to train OpenAI models by default.
Conversation content sent to AI providers is processed in memory for that request only and is not retained by those providers beyond their standard API logging windows. Your HACCP plans and SOPs remain yours.
Data Retention & Deletion
- Free plan: Conversations are retained for 30 days, then automatically deleted.
- Plus / Pro plans: Conversations are retained for the life of the account.
- Account deletion: You can request deletion of your account and all associated data at any time by contacting us. We will action verified deletion requests within 30 days.
- Uploaded images: Images uploaded for analysis are stored temporarily and purged automatically after processing.
GDPR & UK GDPR
PinkPepper is designed to comply with both the EU General Data Protection Regulation (GDPR) and the UK GDPR. Our Privacy Policy describes what personal data we collect, why, and how long we retain it.
For businesses that process personal data using PinkPepper (for example, storing employee records or customer complaint logs in conversations), a Data Processing Agreement (DPA) is available on request. Contact us at support@pinkpepper.io.
Subprocessors
PinkPepper uses the following third-party subprocessors to deliver its service. Each has been selected for its security posture and, where available, GDPR-compliant data processing terms.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication & file storage | AWS (EU region) |
| Vercel | Application hosting & edge delivery | Global CDN (EU nodes available) |
| Groq | AI language model inference (text chat) | United States |
| OpenAI | Embeddings (RAG) & image analysis | United States |
| Stripe | Payment processing & billing | United States / EU |
| Resend | Transactional email delivery | United States |
Report a Security Issue
If you discover a potential security vulnerability in PinkPepper, please report it responsibly by emailing support@pinkpepper.io with the subject line "Security Disclosure". We will acknowledge receipt within 48 hours and work to resolve confirmed issues promptly. We ask that you give us reasonable time to address the issue before any public disclosure.
Last updated: March 2026