Skip to content

Privacy Policy

Last updated: February 2026

Peppd is a product of Peppercord Limited (Company No. 06921097), operating under the NotLuck brand. Peppd encompasses our range of QR-powered products, including Pep-enabled Business Cards and Messaging Mugs. We are committed to protecting your privacy and handling your personal data responsibly. This policy explains what data we collect, why we collect it, and your rights in relation to it.

1. Information We Collect

We collect the following categories of personal data:

General (all products)

  • Account information — your name, email address, and password when you create an account.
  • QR scan data — when someone scans a QR code on any of our products, we record the timestamp, approximate location (city level), device type, and referrer information.
  • Usage and analytics data — page views, feature usage, browser type, and basic interaction data to help us improve the service.

Pep-enabled Business Cards

  • Organisation details — your business name, job title, and contact information as entered in your profile.
  • Lead form submissions — when a visitor submits their details through a contact form on your landing page, we collect the information they voluntarily provide (e.g. name, email, phone number, message).

Messaging Mugs

  • Purchaser information — your name, email address, and payment information (processed securely by Stripe) when you buy a Messaging Mug.
  • Message content — text messages, photos, and videos you create and upload for your mug, whether personal messages or Content Pack selections.
  • Media uploads — photos and videos uploaded by purchasers are stored in Supabase Storage and associated with the relevant mug.
  • Recipient access logs — when a recipient scans the mug's QR code, we collect anonymous scan data (timestamp, device type, approximate location) to provide the purchaser with delivery and engagement insights. No account or personal information is required from recipients.

2. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the service — creating and managing your account, generating your landing pages, processing QR code scans, and delivering time-gated messages on Messaging Mugs.
  • Lead delivery — forwarding contact form submissions to you via email and your dashboard (Pep-enabled Business Cards).
  • Content delivery — storing and serving your messages, photos, and videos to mug recipients according to the schedule you set (Messaging Mugs).
  • Payment processing — processing purchases securely through Stripe (Messaging Mugs).
  • Analytics — generating scan statistics and engagement reports visible in your dashboard.
  • Notifications — sending you transactional emails such as lead alerts, account confirmations, and service updates.
  • Service improvement — understanding how the platform is used so we can improve features, performance, and reliability.

We do not sell your personal data to third parties. We do not use your data for targeted advertising.

3. Data Storage and Security

Your data is stored on cloud infrastructure provided by Supabase, which uses data centres located in the UK and EU. We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, secure authentication, and access controls.

While we take reasonable steps to protect your personal information, no method of transmission or storage is completely secure. If you become aware of any security issue, please contact us immediately at hello@peppd.co.uk.

4. Third-Party Services

We use a limited number of third-party services to operate the platform. Each is bound by their own privacy policies and data processing agreements:

  • Supabase — database hosting, authentication, and file storage (including media uploaded for Messaging Mugs).
  • Stripe — payment processing for Messaging Mugs purchases. Stripe handles your card details directly; we do not store your full payment information on our servers.
  • Resend — transactional email delivery (lead notifications, account emails).
  • Netlify — website hosting and deployment.
  • Print Co — physical card and mug production. When you place an order through Print Co, they may receive necessary details (such as your name and delivery address) to fulfil the order.

We do not share your data with any other third parties unless required by law.

5. Cookies

We use minimal cookies. Specifically, we use a single session cookie to keep you logged in after authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

6. Your Rights

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate or incomplete data.
  • Right to erasure — you can ask us to delete your personal data, subject to certain legal exceptions.
  • Right to data portability — you can request your data in a structured, commonly used format.
  • Right to object — you can object to processing of your data in certain circumstances.
  • Right to restrict processing — you can ask us to limit how we use your data.

To exercise any of these rights, please contact us at hello@peppd.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your rights have been infringed.

7. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required by law to retain it (for example, for tax or legal compliance purposes).

Pep-enabled Business Cards: Lead form submissions and scan analytics are retained for the lifetime of the associated card owner's account. When an account is deleted, associated leads and analytics data are also deleted.

Messaging Mugs: Messages, photos, videos, and associated scan data persist until the purchaser deletes them or the purchaser's account is terminated. Purchasers can delete individual messages or all content associated with a mug at any time. Upon account deletion, all associated media and message content is permanently removed.

8. Children's Privacy

Peppd is not designed for or directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us at hello@peppd.co.uk and we will take steps to delete it.

9. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will notify you by email or by placing a prominent notice on our website. We encourage you to review this page periodically.

10. Contact Us

If you have any questions about this privacy policy or how we handle your data, please contact us:

Peppercord Limited

Company No. 06921097

Nottingham, United Kingdom

Email: hello@peppd.co.uk

Website: peppd.co.uk

← Back to home