Privacy PolicyLast updated: 2026-04-04

This Privacy Policy explains how Peppost collects, uses, shares, and protects personal data when you use our services. It is part of our Terms of Service.

Peppost is operated by Ingram Technologies SRL ("Peppost", "we", "us", "our"). Questions regarding this Privacy Policy should be sent to privacy@peppo.st.

Who We Are and Our Role

For account, billing, support, and product-usage data about your own account, Peppost acts as a data controller.

When you use Peppost to transmit invoices or other documents containing personal data of third parties (for example your customers or suppliers), you generally act as the data controller and Peppost acts as your data processor for that data.

If you need a separate data processing agreement (DPA), contact legal@peppo.st.

Personal Data We Collect

Depending on how you use the Service, we may collect:

  • Account and contact data: email, company name, country, VAT number, company number, and address as retrieved from your Stripe account during onboarding.
  • Billing data: credit purchase history, payment status, and limited payment metadata from Stripe.
  • Invoice and business data: invoice metadata, customer names, tax identifiers, and amounts processed through the Peppol network.
  • Connected service data: data received when you connect your Stripe account via OAuth, including account identifiers and access tokens.
  • Technical and usage data: IP address, device/browser information, app events, error logs, and security events.
  • Support and communication data: messages, support requests, and feedback you send us.

We do not sell your personal data and we do not use your invoice or financial data for third-party advertising.

How We Use Personal Data

We use personal data to:

  • provide, operate, and maintain the Service;
  • authenticate users via Stripe Connect OAuth and secure accounts;
  • process credit purchases and invoice deliveries via the Peppol network;
  • deliver support, service notices, and transactional communications;
  • detect, prevent, and investigate fraud, abuse, or security incidents;
  • comply with legal and regulatory obligations;
  • improve product performance, reliability, and user experience.

Legal Bases Under GDPR

Where GDPR applies, we rely on one or more of the following legal bases:

  • Performance of a contract: to provide the Service you requested.
  • Legitimate interests: to secure, monitor, improve, and support the Service.
  • Legal obligation: to comply with tax, e-invoicing, accounting, or other legal requirements.
  • Consent: where consent is required (for example certain optional communications).

How We Share Personal Data

We may share personal data with:

  • Service providers and subprocessors that host infrastructure or provide functionality (such as database hosting, application hosting, payment processing, and e-invoicing network access);
  • Peppol network access point providers to deliver invoices to recipients on the Peppol network;
  • Professional advisers (for example legal, accounting, or audit advisers) under confidentiality obligations;
  • Competent authorities when required by law, regulation, court order, or valid legal request;
  • Corporate transaction parties in connection with a merger, acquisition, financing, reorganization, or sale of assets.

Our primary infrastructure providers currently include Supabase, Vercel, Stripe, and Scrada (Peppol access point).

International Data Transfers

When personal data is transferred outside the European Economic Area (EEA), we use appropriate safeguards required by applicable law, such as adequacy decisions and/or Standard Contractual Clauses.

Data Retention

We keep personal data only for as long as necessary for the purposes described in this Policy, including:

  • while your account is active;
  • as needed to provide the Service and support;
  • as required by applicable accounting, tax, e-invoicing, audit, or other legal retention obligations;
  • as necessary to resolve disputes and enforce agreements.

When data is no longer required, we delete or anonymize it within a reasonable period, except where legal retention obligations apply.

Cookies and Tracking

We use strictly necessary cookies and similar technologies for authentication, session management, security, and core product functionality.

We may use privacy-respecting analytics to understand service usage and improve the product. We do not use third-party advertising cookies.

Security

We use reasonable technical and organizational safeguards to protect personal data, including encryption in transit (TLS), access controls, and security monitoring.

No method of transmission or storage is completely secure. We cannot guarantee absolute security.

If we identify a personal data breach, we will take appropriate mitigation steps and provide legally required notifications.

Your Rights

If you are in the EEA (and in other regions where similar rights apply), you may have the right to:

  • access your personal data;
  • rectify inaccurate personal data;
  • request deletion of personal data;
  • request restriction of processing;
  • object to certain processing;
  • request data portability;
  • withdraw consent (where processing is based on consent).

To exercise these rights, contact privacy@peppo.st. We may need to verify your identity before processing your request.

Where required by law, we will respond to verified requests within applicable legal timelines.

You also have the right to lodge a complaint with the Belgian Data Protection Authority (Autorite de protection des donnees / Gegevensbeschermingsautoriteit) or your local supervisory authority.

Children's Privacy

The Service is not intended for anyone under 18, and we do not knowingly collect personal data from children.

Business Transfers

If Peppost or substantially all of its assets are acquired, personal data may be transferred as part of that transaction, subject to applicable law.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Service or by email.

How to Contact Us

For privacy questions or rights requests: privacy@peppo.st

For support: support@peppo.st

For legal matters: legal@peppo.st