Privacy Policy
Version of 01/07/2026(Privacy Charter) of Pepobio (pepo.bio) Translation provided for information purposes. In the event of any divergence of interpretation, the French version prevails.
1. Preamble
This Privacy Policy explains how your personal data are collected, used and protected when you use the Pepobio platform (the “Platform”), accessible at pepo.bio and its subdomains. “Personal data” means any information enabling you to be identified, directly or indirectly.
It forms an integral part of the General Terms and Conditions of Use and Sale of the Platform.
2. Data controller
The data controller is Arnaud Poullet, a natural person acting as a self-employed person on a complementary basis, Avenue de Tervueren 99, 1040 Etterbeek, registered with the CBE under number 1039.745.968. Contact for any question relating to data protection: support@pepo.bio.
No data protection officer (DPO) has been appointed, as such an appointment is not mandatory in view of the activity.
Sellers and joint responsibility. When you place an order, some of your data are transmitted to the Seller concerned for the performance of the sale and the collection. The Seller acts as a separate data controller for its own purposes. Any statistics provided to Sellers are aggregated and anonymised (for example the evolution of their sales) and do not allow you to be identified. If you choose, by ticking the box provided for that purpose, to be kept informed of the news of a producer, your contact details are used for those mailings by the Seller concerned, acting as data controller, with the Platform acting as processor; you may withdraw your consent at any time, in particular via the unsubscribe link included in each mailing.
3. Data we collect
Depending on your use of the Platform, we may collect:
- Account / order data: surname, first name, e-mail address, telephone number and, where applicable, address.
- Order data: Products ordered, Seller, pick-up point and slot, amount, order history.
- Payment data: processed directly by our payment provider Mollie. We do not store your full card data; we keep a transaction reference and the payment status.
- Approximate location data: postal code entered to search for Products and producers nearby.
- Technical data: data strictly necessary for operation (session, security, language preference, cookie choices).
- Communications: messages you send us (contact form, e-mail).
- Usage data (audience measurement): aggregated navigation events (pages and Products viewed, searches, additions to basket), tied to a temporary identifier kept only in your browser tab, collected without cookies to measure and improve the Platform.
4. Purposes and legal bases
We process your data for the following purposes, on the legal bases indicated (Article 6 of the GDPR):
Purpose
Legal basis
Account management and performance of the order (matchmaking, payment collection, collection)
Performance of the contract (Art. 6.1.b)
Payment processing and fraud prevention
Performance of the contract and legitimate interest (Art. 6.1.b and f)
Customer service, complaints and dispute follow-up
Performance of the contract and legitimate interest (Art. 6.1.b and f)
Accounting, tax and legal obligations (including the DAC7 reporting of sellers' revenues)
Legal obligation (Art. 6.1.c)
Improvement and security of the Platform
Legitimate interest (Art. 6.1.f)
Marketing communications (newsletter), where applicable
Consent (Art. 6.1.a)
5. Recipients of the data
Your data are only communicated to the recipients necessary for the purposes described:
- the Seller concerned by your order, for the preparation and the collection;
- our payment provider (Mollie), for the processing of payments, which acts as an independent data controller (see below);
- our technical service providers (hosting, cloud infrastructure, e-mail sending, audience measurement), acting as processors;
- the competent authorities, where the law so requires.
We do not sell your personal data to third parties.
Our main processors and technical service providers are the following:
Provider
Purpose
Data location
Aiven (managed PostgreSQL and Valkey)
Database and cache (storage of account and order data)
European Union, Google Cloud infrastructure (europe-west1 region, Belgium)
Google Cloud (Cloud Run, Cloud Storage)
Application hosting (stateless server) and image storage
European Union (europe-west1 region, Belgium)
Amazon Web Services (SES)
Sending of transactional e-mails (confirmations, collection reminders)
European Union (Ireland, eu-west-1 region); access from a third country possible (see section 6)
Content delivery network (CDN)
Delivery of static content and images (distribution network)
Worldwide network (edge caching)
Independent data controllers. Some recipients are not processors acting on our instructions, but independent data controllers, which themselves determine the purposes and means of the processing and are responsible for their own legal obligations. This is in particular the case of Mollie, our payment provider: as a regulated payment institution, Mollie processes payment data for its own purposes (execution of the payment, legal obligations and anti-fraud and anti-money-laundering obligations) and acts as an independent data controller. Processing by Mollie is governed by its own privacy statement, available on its website. The Sellers on the Platform may also act as separate data controllers for their own purposes (see section 2).
6. Transfers outside the European Union
We favour hosting and service providers located in the European Union (our database, our application, the storage of images and the sending of our e-mails via Amazon Web Services SES are configured in European Union regions, Ireland as regards e-mails). The use of providers belonging to groups established outside the European Economic Area (such as Amazon Web Services) may nevertheless involve access to data from a third country. Where applicable, such access or transfer is governed by appropriate safeguards within the meaning of the GDPR (in particular the standard contractual clauses of the European Commission or an adequacy decision, such as the EU-US Data Privacy Framework where applicable).
7. Retention period
We keep your data only for the period necessary for the purposes pursued:
- Account data: for the lifetime of the account, then deleted or anonymised within a reasonable period after its closure.
- Order and invoicing data: kept in accordance with legal accounting obligations, in principle 7 years.
- Marketing data: until you withdraw your consent or after a reasonable period of inactivity.
- Cookies and trackers: according to the durations indicated in the Cookie Policy (see section 10).
- Audience-measurement events: kept for a maximum of 12 months, then deleted.
8. Your rights
In accordance with the GDPR, you have the following rights concerning your data:
- right of access (Art. 15): to obtain a copy of the data concerning you;
- right to rectification (Art. 16): to correct inaccurate or incomplete data;
- right to erasure (Art. 17): to have your data deleted where the conditions are met;
- right to restriction (Art. 18) of processing;
- right to data portability (Art. 20): to receive your data in a structured, commonly used format;
- right to object (Art. 21), in particular to processing based on legitimate interest and to direct marketing;
- right to withdraw your consent at any time, without retroactive effect, where the processing is based on it.
To exercise these rights, contact us at support@pepo.bio. We may ask you to prove your identity. We respond within one month, which may be extended if necessary.
Complaint. You have the right to lodge a complaint with the Data Protection Authority (DPA): Rue de la Presse 35, 1000 Brussels, https://www.autoriteprotectiondonnees.be.
9. Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss or alteration (encryption of communications, access control, use of recognised providers). As no system is infallible, we cannot guarantee absolute security, but we undertake to react diligently in the event of an incident, in accordance with our notification obligations.
10. Cookies and trackers
In v1, the Platform uses cookies and trackers that are strictly necessary for its operation (session, security, storage of the language and of your choices). These cookies do not require your prior consent, but are described here for transparency.
Audience measurement cookies and other non-essential trackers. If we activate audience measurement tools (for example PostHog) or other trackers that are not strictly necessary, they will only be placed after your consent has been obtained via a dedicated banner allowing you to accept or refuse, by purpose, with the same ease.
Cookie
Purpose
Duration
session
Authentication. Keeps a user (customer, seller or administrator) logged in. Encrypted; contains only the user identifier and an “administrator” flag. HttpOnly, Secure.
Session cookie; deleted when the browser closes; also cleared on logout.
oauth_state
Security (CSRF protection). Placed only during a login via Facebook, to bind the authentication round trip to the same browser. Single use, removed on return. HttpOnly, Secure.
Session cookie; valid for approximately 10 minutes (duration of the login state token).
bkt
Shopping basket of visitors who are not logged in. Links an anonymous visitor to their basket during browsing and checkout. HttpOnly, Secure.
Session cookie; deleted when the browser closes.
i18n_pref_locale
Language preference. Remembers the interface language chosen (FR/NL/EN) in order to keep it from one page to the next. Set client-side (not HttpOnly).
Session cookie.
All the cookies above are strictly necessary for the operation of the Platform and do not require your prior consent. To date, no audience measurement cookie or non-essential tracker is used; should that change, they would only be placed after your consent has been obtained, and this table would be updated accordingly.
Our own audience measurement (cookie-free). To understand how the Platform is used and to improve it, we record aggregated navigation events (pages and Products viewed, searches, additions to basket), linked to a temporary identifier stored only in your browser tab for the duration of your visit and never written to a cookie. This measurement is first-party — the data stays on our own servers and is never shared with a third party — and relies on no cookie or persistent identifier, so it does not require your consent. The legal basis is our legitimate interest in measuring and improving our service; these events are kept for a maximum of 12 months (see section 7).
11. Data of minors
The Platform is not intended for minors. We do not knowingly collect data concerning persons under 16 years of age. If you believe that a minor has provided us with data, please contact us so that we can delete them.
12. Amendment of this policy
We may amend this Privacy Policy in order to adapt it to legal developments or to changes in our services. The applicable version is the one published on the Platform. We invite you to consult it regularly at https://pepo.bio/fr-be/confidentialite.
End of the Privacy Policy. The French version is the authoritative version.