Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Pepper Cloud is a CRM and sales engagement platform headquartered in Singapore, designed for small and medium sized businesses across the APAC region. It tracks leads from web forms, emails, WhatsApp and other messaging channels, then stores contact and behavioural data on AWS infrastructure outside the European Union. Because Pepper Cloud transfers personal data to Singapore and uses identifiers to track website visitors, explicit consent and Standard Contractual Clauses are required for European deployments.
Pepper Cloud is a customer relationship management platform headquartered in Singapore, focused on small and medium sized businesses across South East Asia, India and the Middle East. It bundles a sales pipeline, marketing automation, WhatsApp and email integration, and an AI assistant called AssistAI. Pepper Cloud is hosted on Amazon Web Services and may store EU customer data in APAC regions, which has direct consequences for GDPR compliance when deployed by European companies or for European prospects.
Pepper Cloud collects lead and contact details (name, email, phone, company), behavioural data on web forms, opens and clicks on tracked emails, WhatsApp conversation history, sales pipeline stages and AI scoring outputs. The web tracker uses first party and third party cookies to identify returning visitors and tie them to a CRM record. Server side API calls log IP addresses, user agents and timestamps for security and analytics.
Pepper Cloud is a third party processor. Its tracking cookies and pixel based email opens are not strictly necessary, so they fall under Art. 5(3) of the ePrivacy Directive: prior consent is required before any non essential cookie is set. The CRM also stores personal data outside the European Union, which engages Chapter V of the GDPR. Companies relying on Pepper Cloud must execute Standard Contractual Clauses with Pepper Cloud Solutions Pte Ltd and document a Transfer Impact Assessment as required since the Schrems II ruling of the CJEU.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Visitors must be presented with a consent banner before Pepper Cloud scripts and pixels load. Consent must be freely given, specific, informed, unambiguous, and as easy to refuse as to accept. The chosen Consent Management Platform should block the Pepper Cloud snippet by default, expose Pepper Cloud as a distinct vendor with a clear purpose label, and store proof of consent for the retention period required by the supervisory authority.
Pepper Cloud processes data in Singapore and other AWS APAC regions. Singapore is not covered by an EU adequacy decision, so transfers rely on Standard Contractual Clauses signed with the controller. The Transfer Impact Assessment must evaluate Singaporean surveillance law, the practical risks of access to personal data, and any supplementary technical measures such as encryption at rest and pseudonymisation of customer identifiers.
Document Pepper Cloud in your Article 30 register, sign the Data Processing Agreement and Standard Contractual Clauses, complete a Transfer Impact Assessment, configure your CMP to block the Pepper Cloud tracker until consent is granted, and update your privacy notice to disclose the Singapore transfer. Review email tracking pixels because their use under legitimate interest is increasingly contested by European data protection authorities, particularly the CNIL and the EDPB.
Websites using Pepper Cloud must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Pepper Cloud is used for large scale lead capture, behavioural profiling, or when combined with email and WhatsApp tracking. The Schrems II ruling requires a Transfer Impact Assessment for Singapore.
Sample consent text
We use Pepper Cloud, a CRM platform operated from Singapore, to manage your enquiries, track interactions across our website, emails and messaging channels, and provide personalised follow up. This involves transferring your personal data outside the European Union under Standard Contractual Clauses.
Third-party domains contacted
peppercloud.comapp.peppercloud.comapi.peppercloud.comcdn.peppercloud.comchat.peppercloud.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| pc_session_id | first_party | Session | Maintains the authenticated session of the Pepper Cloud user inside the CRM and on embedded forms or chat widgets. |
| pc_csrf_token | first_party | Session | Stores a CSRF token used to protect form submissions and chat interactions against cross site request forgery. |
| pc_visitor_id | first_party | 1 year | Persistent identifier that links repeated visits and form submissions to a single contact record in the CRM. |
| pc_lead_attribution | first_party | 90 days | Records the source campaign, referrer, and landing page of the visitor in order to attribute lead conversions to the correct sales user and pipeline. |
| pc_chat_state | first_party | 30 days | Remembers the open or closed state of the Pepper Cloud chat widget and the most recent conversation thread for the returning visitor. |
Pepper Cloud places tracking cookies for advertising — comply with GDPR using FlowConsent.
Pepper Cloud embedded forms and chat widgets set first party session cookies, a CSRF token cookie, and persistent identifiers used to attribute submissions to the correct sales user and pipeline. When visitor tracking is enabled, additional cookies record page views and time on site. None of these are strictly necessary for the visitor and they require prior consent in the EU.
Yes. Any Pepper Cloud script that runs on an EU facing site reads or writes information on the device, which falls under Article 5(3) of the ePrivacy Directive. Forms, chat widgets, and tracking pixels must therefore be blocked until the visitor has given specific, informed, and freely given consent through a consent management platform.
Lead capture through a form is usually based on consent, since the contact actively submits their data. Sales follow up and CRM record keeping can rely on legitimate interest or contract performance. Marketing automation, profiling, and WhatsApp campaigns require a distinct opt in, and B2B cold outreach must be backed by a documented balancing test.
Yes. Pepper Cloud is headquartered in Singapore and uses AWS regional infrastructure that may store data in Singapore, India, and the United States. Singapore is not covered by an adequacy decision, so transfers must be governed by Standard Contractual Clauses plus a transfer impact assessment and supplementary measures such as encryption and restricted administrator access.
A DPIA is strongly recommended. Pepper Cloud processes contact data, sales conversations, and behavioural data at scale across email and WhatsApp, often combined into rich profiles, and transfers data to non EEA regions. These factors trigger several criteria of the EDPB guidance on high risk processing.
Sign a Data Processing Agreement and SCCs with Pepper Cloud, list the tool in your record of processing activities, run a DPIA, gate forms and chat behind your consent banner, define retention periods that purge inactive contacts, keep proof of opt in for every marketing channel, and update your privacy notice and cookie policy with a clear description of how Pepper Cloud processes personal data.
EU centric alternatives with stronger data localisation include Pipedrive (EU regions), HubSpot CRM (EU data residency on certain tiers), Sellsy, Axonaut, and Brevo CRM. They cover similar lead capture, pipeline, and marketing automation features while keeping personal data within the EEA when configured correctly.
List each Pepper Cloud cookie by name, type, duration, and purpose, indicate that the data controller is your organisation and that Pepper Cloud Pte Ltd is the processor, mention the international transfers to Singapore and other regions, and provide a link to the Pepper Cloud privacy policy alongside instructions for withdrawing consent.