Privacy Policy
1. Who we are
This Privacy Policy explains how Chilli Pepper Enterprises Ltd (company number 14522885, registered office Fleming Court, Leigh Road, Eastleigh, United Kingdom, SO50 9PD) ("we", "us", "our") handles personal data in connection with the Chilli Pepper service ("the Service"). We are based in the United Kingdom and comply with the UK GDPR and the Data Protection Act 2018.
Our data-protection contact is hello@chillipepper.online.
2. Our two roles
As a data controller
For the personal data of the people who hold a Chilli Pepper account — names, email addresses, login details, billing information — we decide how and why it is processed, so we act as the data controller. This policy governs that data.
As a data processor
For the data you and your team enter into the Service (your financial models, project plans, and anything you choose to store, which may include personal data about your own staff or contacts), you decide how and why it is processed — so you are the controller and we act only as your processor. We process that data on your instructions, as set out in section 5 and your Terms.
3. What we collect (as controller)
- Account data — your name, work email, company name, and password (stored only in hashed form by our authentication provider).
- Usage data — basic logs of how the Service is used, for security, troubleshooting and improving the product.
- Billing data — when paid plans are active, limited billing details. Card payments are handled by our payment provider; we do not store full card numbers.
- Communications — emails you send us (e.g. support requests).
4. Why we process it & our lawful basis
- To provide the Service — performance of our contract with you.
- To secure and improve the Service, and prevent abuse — our legitimate interests in running a safe, reliable product.
- To take payment — performance of our contract.
- To send service and account emails (e.g. verification, password resets, important notices) — contract / legitimate interests. We do not send marketing email without your consent.
- To meet legal obligations — e.g. tax and accounting records.
5. Customer data we process on your behalf
When you enter data into Smart Budget or Smart Project, we process it solely to provide the Service to you. We do not access, use, or disclose it except as needed to operate and support the Service, to comply with law, or on your instructions. You are responsible for having a lawful basis for any personal data you put into the Service and for informing the relevant individuals as required. On termination, we handle this data as described in section 8.
6. Who we share data with
We do not sell personal data. We share it only with service providers ("sub-processors") who help us run the Service, under contracts that require them to protect it. Our current sub-processors include:
- Supabase — database and authentication hosting (data held in the EU/Ireland).
- Netlify — website and application hosting.
- Resend — sending transactional email.
- Stripe — payment processing and subscription billing, including VAT calculation (Stripe Tax). Stripe may process limited billing data outside the UK/EEA; see section 7.
We may also disclose data if required by law or to protect our legal rights.
7. Where your data is stored
Our primary database is hosted in the EU (Ireland). Some sub-processors may process limited data outside the UK/EEA; where they do, we rely on appropriate safeguards (such as the UK International Data Transfer Agreement or equivalent) to protect it.
8. How long we keep it
We keep account data for as long as your account is active, and for a reasonable period afterwards to meet legal, accounting and security needs. Billing and financial records are retained for 6 years to meet UK tax and accounting requirements. After you cancel, we make your Customer Data available for export for at least 30 days, then delete or anonymise it unless we are required by law to keep it longer (for example, financial records as noted above).
9. Your rights
Under UK data-protection law you have the right to access, correct, delete, or restrict processing of your personal data, to object to certain processing, and to data portability. To exercise any of these, email hello@chillipepper.online. Note that for data we process on a customer's behalf (section 5), individuals should usually contact that customer (the controller) directly; we will assist our customer in responding.
10. Security
We take appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, row-level database security isolating each company's data, and hashed password storage. No system is perfectly secure, but we work to protect your information and will notify you and the ICO of a personal-data breach where legally required.
11. Cookies
We use only the cookies and similar storage necessary to run the Service — for example, to keep you signed in. We do not use advertising or third-party tracking cookies.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email or in-app notice. The version and effective date are shown at the top of this page.
13. Contact & complaints
For any privacy question or to exercise your rights, contact hello@chillipepper.online. If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.