Privacy Policy

This is the current version of our Privacy Policy. We will update the date above when material changes are made.

1. Who we are

Kepll Ltd (company number 17185436) of 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom operates the Kepll e-commerce pricing platform at kepll.com. We are registered with the UK Information Commissioner's Office (ICO) as a data controller (registration reference ZB807490). For general enquiries contact info@kepll.com. For data protection matters contact admin@kepll.com.

2. Information we collect

Depending on how you use Kepll, we may process the following categories of personal data:

  • Account data — name, email address, authentication credentials, subscription plan, billing references, and support correspondence.
  • Integration data — OAuth tokens and API credentials for connected sales channels (Amazon, Shopify, Etsy, eBay), encrypted at rest, plus product, inventory, pricing, and order data synced from your stores.
  • End-customer data on behalf of merchants — where you connect a store, we may process your buyers' or customers' order and transaction data solely to provide pricing, analytics, and related services to you. You remain responsible for ensuring you have a lawful basis to share this data with us.
  • Usage and technical data — log files, IP address, browser type, device identifiers, cookies, and similar telemetry needed to operate and secure the service.
  • AI chat data — messages you send to the Kepll AI assistant, limited conversation history, and read-only account summaries used to personalise responses.

3. How we use artificial intelligence

Kepll uses large language models (LLMs) and related machine-learning techniques to power features such as profit-focused price recommendations, arbitrage and market verification, trend analysis, and the in-app AI chat assistant. AI outputs are informational; you remain responsible for commercial decisions.

When requests are routed through our DeepSeek API proxy, identifiable personal data in user-supplied text (such as email addresses, phone numbers, postal addresses, and likely person names) is automatically masked with opaque tokens before transmission to DeepSeek. The mapping used to restore values in responses is kept in server memory for that request only and is not logged, stored, or sent to clients.

When market or competitor data is used with AI, we rely on aggregated statistics (for example median competitor prices and competitor counts) rather than identifiable consumer profiles.

For the AI chat feature, your messages and relevant read-only account context are transmitted to third-party LLM providers configured for our service — commonly DeepSeek, and where enabled Anthropic (Claude), OpenAI, or other providers managed through our AI gateway. You should not enter passwords, payment card details, government IDs, or other highly sensitive data in chat. Our AI Chat Terms of Use apply alongside this policy.

4. Legal bases for processing

We process personal data where necessary to perform our contract with you, to comply with legal obligations, where we have a legitimate interest (such as securing and improving the service, subject to your rights), or where you have given consent (for example accepting AI chat terms or optional marketing).

5. Data sharing and sub-processors

We do not sell your personal data. We share data only with trusted service providers who process it on our instructions to deliver the service, under data processing agreements where required by law.

Categories of sub-processors may include: cloud hosting and database infrastructure; payment processing (Stripe); email and notification delivery; e-commerce platform APIs you connect; and AI/LLM providers (including DeepSeek, Anthropic, and OpenAI when configured). A current list is available on request from admin@kepll.com.

Where personal data is transferred outside the United Kingdom or European Economic Area, we implement appropriate safeguards such as the UK International Data Transfer Agreement and/or EU Standard Contractual Clauses.

6. Security and retention

Platform credentials and tokens are encrypted using AES-256-GCM. Access to production systems is restricted and audited. We retain personal data only for as long as needed for the purposes below, after which data is deleted or anonymised:

  • Account and profile data — while your account is active, then up to 30 days after you delete your account or we close it (whichever is sooner), unless a longer period is required by law (for example tax or accounting records, typically up to 6 years in the UK).
  • Store integration data (products, orders, pricing) — while your account is active and connected stores remain linked; deleted when you disconnect a store or delete your account, subject to the 30-day account wind-down above.
  • Authentication sessions (refresh_token cookie and session records) — up to 30 days from sign-in, or up to 90 days when you choose “Remember me”; revoked immediately on logout or password change.
  • Unverified registrations — automatically deleted after 24 hours if the email address is not verified.
  • Password-reset and email-verification tokens — 1 hour and 24 hours respectively, then deleted.
  • AI chat messages — not stored in our database; conversation context exists only in your browser session and in transient server memory during a request. Your AI chat terms acceptance timestamp is kept on your account while it remains active.
  • Security and audit logs (IP address, user agent, sign-in events) — typically up to 12 months, unless needed longer to investigate incidents or meet legal obligations.

7. Your data protection rights

If you are in the United Kingdom or European Economic Area, you have rights under UK GDPR / EU GDPR including access, rectification, erasure, restriction, portability, and objection to certain processing. Where processing is based on consent, you may withdraw consent at any time. To exercise your rights, email admin@kepll.com. You may also lodge a complaint with the ICO (ico.org.uk) or your local supervisory authority.

8. Cookies and similar technologies

We use a small number of cookies and browser storage technologies. We do not use advertising or third-party analytics cookies. Details:

  • refresh_token (strictly necessary) — httpOnly cookie that keeps you signed in; expires after 30 days (90 days with “Remember me”) or when you log out.
  • NEXT_LOCALE (strictly necessary) — remembers your language preference for the site.
  • pp-auth (strictly necessary) — local browser storage for your access token so the dashboard can call our API securely alongside the httpOnly session cookie.
  • kepll-cookie-notice-dismissed (functional) — remembers that you dismissed our cookie notice so it is not shown again.

9. Children

Kepll is a business-to-business service for e-commerce sellers and is not directed at children. You must be at least 16 years old to create an account. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact admin@kepll.com and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time. The effective date at the top of this page will change when we do. Material changes may be notified via the service or email where appropriate.