PRIVACY POLICY

This Privacy Policy explains how we collect, use, share, and protect personal data when you visit our sites, use our apps or dashboards, or interact with landing pages, links, QR codes, and forms created with our Services.

• The Data We Collect

  A. Data you provide to us

  1. Account data (name, email, password, billing details, company).
  2. Profile settings and customer support messages.
  3. Form/booking configurations you create (field names, options, etc).

  B. Data collected automatically

  1. Usage logs, IP address, general location (derived from IP), browser/OS, referral URLs.
  2. Link and QR metrics (click counts, timestamps, geolocation at country/region level where configured, referrers, device type).
  3. Cookies and similar technologies (see Cookie Policy).

  C. Data from third parties

  1. Data from integrations you enable (e.g., social platforms), per your authorization.
  2. Service providers (fraud/abuse prevention, payments, analytics, customer support).

  D. End-user data you collect using Peachy

  When you embed forms or bookings on Peachy pages, or drive traffic through Peachy links/QRs, you may collect personal data from your end users. For this end-user data, you are the controller; Peachy is your processor and processes that data to provide the Services per your instructions and any applicable DPA.

  Children

  Our Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. Customers must not solicit such data through Peachy forms without complying with applicable child-privacy laws.

• Purposes of Processing

  1. Provide, maintain, and secure the Services; route and resolve links/QRs; render pages and forms.
  2. Analytics and product improvement.
  3. Protect against fraud/abuse, malware, phishing, and illegal content.
  4. Customer support; account, billing, and invoicing.
  5. Legal compliance (including responding to lawful requests). Marketing and communications (with consent where required).

• Legal Bases (EEA/UK)

  Where GDPR/UK GDPR applies, we rely on: contract necessity, legitimate interests (e.g., service security and non-invasive analytics), consent (e.g., non-essential cookies and certain marketing), and legal obligations (e.g., tax, accounting).

• Cookies and Similar Technologies

  We use cookies/SDKs/pixels to operate the site, measure performance, and—if enabled—personalize or measure ads. In the UK/EU, we obtain consent before setting non-essential cookies and provide granular controls including a 'reject all' option. See our Cookie Policy for details.

• 'Sale,' 'Sharing,' and Targeted Advertising (US State Laws)

  Peachy does not sell personal information for money. Some US state laws define 'sale' or 'sharing' more broadly to include certain advertising or analytics disclosures. Where law treats those disclosures as a sale or sharing, we honor your right to opt out, including via legally recognized signals such as Global Privacy Control (GPC). Controls are available in our cookie banner and account settings.

• How We Share Information

  Service providers/processors (hosting, security, analytics, payments, customer support) under contracts limiting use to our instructions. Integrations you enable (sharing controlled by you and subject to the third party’s terms). Corporate transactions (merger, acquisition) with appropriate safeguards. Legal/safety (compliance with law; protection from harm or abuse).

• Data Retention

  We keep personal data only as long as necessary for the purposes described and to meet legal, accounting, or reporting requirements. We retain click/QR analytics in aggregate after de-identification.

• International Data Transfers

  We may transfer personal data to countries outside your own (e.g., to processors or group entities). For EEA/UK personal data, we use appropriate safeguards—EU Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement/Addendum (as applicable)—with transfer risk assessments. For Asia-Pacific transfers, we apply the jurisdiction-specific safeguards set out in the Regional Disclosures below.

• Security

  We use technical and organizational measures appropriate to the nature of the data and risks (e.g., encryption in transit, access controls, monitoring). No method is 100% secure.

• Your Rights

  EEA/UK (GDPR/UK GDPR)

  You may have rights to access, rectify, erase, restrict, port, and object to processing, and to withdraw consent at any time. You can lodge a complaint with your local data protection authority.

  US State Privacy Rights

  Residents of some US states have rights to access, delete, correct, and obtain copies of data, and to opt out of targeted advertising, sale/sharing, and certain profiling. We recognize Global Privacy Control (GPC) and other legally-recognized signals where required. Email requests via [privacy@peachy.io]. We will verify and respond within statutory timelines.

  Do Not Track

  We do not respond to DNT signals, but we honor legally-recognized signals such as Global Privacy Control 'GPC' where required.

• Automated Decision-Making

  We do not engage in solely automated decisions that produce legal or similarly significant effects about you.

• Third-Party Links and Services

  Third-party sites, SDKs, or pixels are governed by their own policies. Review those policies before enabling integrations.

• Changes

  We may update this Privacy Policy from time to time. If changes materially affect you, we will notify you via the Services or email, consistent with applicable law.

• Contact

  If you have any questions about our data and privacy issue, please contact us through privacy@peachy.io.

• Regional Disclosures

  We will not use your personal data for direct marketing unless we have your prior consent (or indication of no objection). When seeking consent, we will describe the intended marketing purpose, the types of data used, and the classes of marketing subjects. You may withdraw consent at any time via the methods in 'Your Rights.' Personal data originating in Hong Kong may be transferred outside Hong Kong. Although section 33 of the PDPO (cross-border transfer restriction) has not commenced, we adopt contractual safeguards recommended by the Privacy Commissioner to ensure protection comparable to Hong Kong law.