Privacy Policy
This policy explains what PEPR collects, why, where it lives, and what control you have over it. PEPR is a business-to-business capacity-planning tool used by manufacturing teams; this policy is written for the people on those teams and for the procurement and security reviewers who vet PEPR before it’s adopted.
Last updated:
A note on this document. This is a starter policy reflecting how PEPR is operated today. It has not been reviewed by external counsel, and we make no claim of formal compliance with any specific regulatory regime. If your organization requires a tailored data-processing agreement or a security questionnaire, please reach out — see “Contact” below.
Who PEPR is
PEPR is operated by a single founder and is headquartered in the European Union. The product, its infrastructure, and all customer data are hosted in the EU (see “Where data is stored” below). For anything in this policy, the data controller you are dealing with is the PEPR founder, reachable at 77eran@gmail.com.
What data we collect
We collect only what we need to run the service. Specifically:
- Account data. Your email address, an account password (stored only as a hash by our authentication provider — we never see the cleartext), and an optional display name. For users created via invite, we also store the role you were given and the organization you belong to.
- Organization metadata. The organization name and contact information that a PEPR administrator enters when your org is provisioned.
- Operational data you enter. This is the data PEPR exists to manage — bills of materials, process routes, stations, resources (people pools and equipment), capacity targets, calendars, and the planning results we compute from them. You choose what goes in.
- Automatic technical data. Standard server logs from our hosting providers — including IP address, request path, user agent, timestamps, and error traces — used for security, abuse prevention, rate limiting, and debugging.
We do not collect: payment or credit-card information (there is no payment flow in the product today), precise geolocation beyond what an IP address implies, advertising identifiers, or biometric data. PEPR has no third-party product analytics — there is no Google Analytics, Mixpanel, Segment, Posthog, Hotjar, FullStory, or similar tracker embedded in the app.
How we use the data
We use the data above to provide and operate the service:
- To authenticate you and decide what you are allowed to see and change.
- To run the capacity engine and other product features against the data you have entered, and to render the results back to you.
- To keep tenants isolated from each other. PEPR enforces tenant and project boundaries in the database itself using Postgres row-level security: managers in the same organization cannot see each other’s projects, viewers cannot write, and suspended or pending organizations are locked out of project data. This is enforced below the UI, not by the UI.
- To investigate security incidents, diagnose errors, and prevent abuse, using the server logs described above.
- To send essential transactional email — invites, password resets, signup confirmations, and security notices.
What we don't do with your data
- We don’t sell your data to anyone.
- We don’t share your data with third parties for advertising, marketing, or profiling.
- We don’t train machine-learning models on the operational data you put into PEPR (BOMs, routes, capacity numbers, organization data, etc.).
- We don’t look inside your project data for any purpose other than supporting you or resolving an incident you have asked us to investigate.
Where data is stored
All customer data is stored in the European Union. Specifically, our primary database, authentication store, and object storage are hosted on Supabase in the Frankfurt region, and our application runtime on Vercel is pinned to the Frankfurt (“fra1”) region. Data is not intentionally transferred outside the EU as part of normal operation. If a sub-processor (below) processes a small amount of operational data outside the EU as part of their own platform — for example, to route a transactional email — we will note it here when we become aware of it.
Sub-processors
PEPR relies on a small number of trusted infrastructure providers to run the service. Each one is contracted to process data only on PEPR’s instructions and to apply commercially appropriate security controls.
- Supabase — managed Postgres database, authentication, file storage, and transactional auth emails (signup confirmation, password reset). EU region.
- Vercel— application hosting, serverless runtime, and edge / runtime logging. PEPR is pinned to Vercel’s Frankfurt region.
- Resend — may be used to send other transactional product email (for example, invitation notifications from PEPR itself). Only the recipient email address and the message content are shared with Resend.
If you would like a current, dated list of sub-processors for a vendor review, email us and we will send one.
Data retention
We retain data only as long as it is useful for running the service or as long as you ask us to:
- Account data is kept while your account is active. When you ask us to delete your account, we delete the account record and the personal data tied to it.
- Project and operational data is kept while your organization is active. When an organization asks us to delete its data, we delete the projects, BOMs, routes, stations, resources, calendars, targets, and computed results that belonged to it.
- Server and runtime logs follow our hosting providers’ default retention, which for Vercel runtime logs is on the order of 90 days. Logs are used for security and debugging and are not used for analytics.
Some backups may persist for a short period after deletion as part of standard disaster-recovery rotation. Backups are encrypted and access-controlled and are not used for any other purpose.
Your rights
Wherever you are, you can ask us to do the following with the personal data PEPR holds about you. We aim to respond within a reasonable time and may need to verify that the request comes from you.
- Access. Email us to request a copy of the personal data we hold about you.
- Deletion. Email us to delete your account and the data tied to it. Project data owned by your organization may need to be deleted by an administrator of that organization, or by us at their request.
- Correction. Most fields are editable directly in the product (your name, your organization’s data, the project data you own). For anything you can’t edit yourself, email us.
- Portability. Email us and we will provide your personal data in a machine-readable format.
All of these requests go to 77eran@gmail.com.
Children
PEPR is a business-to-business tool intended for use by professionals at manufacturing organizations. It is not designed for, marketed to, or intended to be used by anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to PEPR, contact us and we will delete it.
Security
We take a defense-in-depth approach to keeping your data safe:
- All traffic to PEPR is served over HTTPS with modern TLS.
- Passwords are hashed by our authentication provider — we do not store, log, or have access to cleartext passwords.
- Tenant isolation is enforced inside the database via Postgres row-level security, not just in the application code.
- The privileged database key that can bypass row-level security is confined to a small set of server-only modules. It is never shipped to the browser.
- Authentication uses asymmetric (ES256) JWT signing, so session tokens can be verified without round-tripping to the auth server on every request.
- We follow the principle of least privilege for service accounts and database roles.
No service can guarantee perfect security. Please pick a strong, unique password for your PEPR account, do not share it, and let us know immediately if you suspect your account has been compromised.
Changes to this policy
We will update this page from time to time as PEPR evolves — for example, when we add a sub-processor or change how a feature handles data. When we do, we will move the “Last updated” date at the top of this page. We encourage you to re-read this policy periodically and especially after the date changes.
Contact
For any privacy question, data request, or concern about how your data is handled by PEPR, email us at 77eran@gmail.com. We read everything that comes to that address.

