1. Who we are
Di Peppi ("we", "us", "our") is a Lebanese premium gourmet delicacies company operating at www.dipeppi.com. This privacy policy explains how we handle personal data collected through our online shop, B2B trade portal, mobile apps, and website.
2. What data we collect
Essential cookies & storage. We store a small session token in your browser's local storage to keep you logged in. We do not use third-party advertising cookies or cross-site tracking cookies.
Aggregate analytics & error monitoring. We use Vercel Analytics (cookie-less, anonymized page views and Web Vitals) and Sentry (error monitoring) to keep the site fast and to learn when something is broken. These services receive your IP address and user-agent string for the duration of a request; they do not place persistent identifiers in your browser. We do not share this data with advertisers.
Account & login. When you sign in or sign up, we collect your name, email address, and/or phone number to send a one-time password (OTP). OTP codes are currently delivered by email; we may also offer delivery by SMS to your phone number in the future. We do not store passwords.
Orders & delivery. When you place an order, we collect your delivery address, map pin (optional), delivery phone number, and order details (items, quantities, totals). This is used to process and deliver your order.
Wallet. If you use the prepaid wallet we store your balance and transaction history to process payments and refunds.
B2B trade access. When you request a wholesale account, we collect your company name, contact name, email, phone, MOF number, VAT number, and the official business document you upload. This is used solely to verify eligibility.
3. How we use your data
We use your data only to:
- Authenticate you and keep your session secure
- Process and deliver orders placed through the shop, mobile apps, or trade portal
- Send login codes, order confirmations, and status updates by email (and by SMS in the future, where you use phone-based login or opt in)
- Manage your wallet balance and transaction history
- Review and approve B2B trade access applications
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Data storage & security
Your data is stored in Google Firebase (Firestore and Cloud Storage) on servers located in the European Union and/or the United States. Firebase is certified under ISO 27001 and SOC 2/3. We enforce HTTPS-only access, HTTP security headers (HSTS, CSP, X-Frame-Options), and restrict Firebase API access to our own domain.
5. Third-party processors
We rely on the following processors to operate the service. Each receives only the minimum data needed for its role:
- Google Firebase (Ireland / United States) — hosting of Firestore database, Cloud Storage, and Cloud Functions. Receives all account, order, and wallet data.
- Vercel (United States) — website hosting and cookie-less aggregate analytics. Receives request IP and user-agent for the duration of each request.
- Sentry (United States) — error monitoring. Receives error stack traces, request IP, and user-agent when something breaks.
- Resend (United States) — transactional email delivery (OTP login codes, order confirmations, status updates). Receives your email address and the message content.
- SMS delivery provider (planned) — if we introduce SMS delivery of login codes or order updates, a specialised SMS provider will receive only your phone number and the message content. We will update this policy with the provider's name before enabling SMS.
We do not sell, rent, or share your personal data with any party other than the processors listed above, and only to the extent necessary to provide the service.
6. Cookies
We use essential local storage only for the session key that keeps you logged in. We do not use cross-site tracking cookies or advertising cookies. The aggregate analytics and error-monitoring services described in section 2 are cookie-less and do not place persistent identifiers in your browser.
7. Your rights
You may request access to, correction of, or deletion of your personal data at any time.
Deleting your account. In our mobile app you can permanently delete your account yourself at any time: go to Profile → Delete my account. This removes your login and personal details (name, contact details, saved addresses). Records we are legally required to keep — such as past orders and invoices for tax and accounting purposes — are retained but stripped of identifying personal data.
You can also request access, correction, or deletion by emailing us at info@dipeppi.com. We will respond within 30 days. Full account-deletion instructions are available at dipeppi.com/account-deletion.
8. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of our services after an update constitutes acceptance of the revised policy.
9. Contact
For privacy-related questions, contact us at info@dipeppi.com.
© 2026 Di Peppi. All rights reserved.