Privacy Policy
Last updated: May 27, 2026
This Privacy Policy explains how Pennedly ("we", "us", "our") collects, uses, stores, and protects information when you use our service at pennedly.com and any associated applications (collectively, the "Service"). We are committed to protecting your privacy and handling your data transparently and in compliance with the EU General Data Protection Regulation (GDPR), Polish data protection law, and other applicable regulations.
1. Who we are
Pennedly is operated by Zakhar Sazanavets as Beneficiary under the business incubator structure of Fundacja Rozwoju Przedsiębiorczości "Twój StartUp" (the "Foundation"), which acts as the legal data controller under GDPR.
Foundation legal details:
Registered office: ul. Żurawia 6/12 lok. 766, 00-503 Warszawa, Poland
Correspondence address: al. Jerozolimskie 123a, 02-017 Warszawa, Atlas Tower, 18th floor, Poland
KRS (Court Registry): 0000442857
NIP (Tax ID): 5213641211
REGON: 14643346700000
Represented by: Michał Jeziorski, Chairman of the Board
For any privacy-related inquiries, contact us at hi@pennedly.com.
2. Information we collect
2.1 Account information
- Email address (provided by you or via Sign in with Apple)
- Display name and profile information you choose to provide
- Authentication credentials (managed by Apple, Google, or our magic-link system)
2.2 Threads account information
When you connect your Threads account via Meta's OAuth flow, we receive and store:
- Your Threads username and user ID
- An encrypted long-lived access token for the Meta Threads API
- Your post history (text content, publish dates, engagement metrics)
- Comments on your posts and their metadata (author, text, timestamps)
- Account-level metrics provided by the Threads API
Access tokens are encrypted at rest using AES-GCM. We never share them with third parties.
2.3 Generated content
Posts and replies generated by Pennedly's AI on your behalf are stored in our database along with the prompts and context used to generate them, so you can review, edit, and revert changes.
2.4 Usage and technical data
- Pages and features you access within the Service
- Approximate location derived from IP address
- Device and browser type
- Error logs and performance metrics
2.5 Payment information
If you subscribe to a paid plan, payment is processed by Stripe (web) or Apple In-App Purchase (iOS). We do not store full payment card numbers — only a payment reference token from the payment provider.
3. Why we collect this information
- Service delivery: to publish posts, retrieve comments, generate AI drafts, and provide analytics on your behalf
- AI personalization: to train our voice-matching system on your historical posts so generated content sounds like you
- Account management: to authenticate you and manage your subscription
- Service improvement: to identify and fix bugs, improve features, and understand usage patterns (in aggregate)
- Legal compliance: to comply with applicable laws and respond to legal requests
4. Legal basis for processing (GDPR)
- Contract performance: most processing is necessary to provide the Service you signed up for
- Consent: for optional features like marketing emails or analytics beyond essentials
- Legitimate interest: for security, fraud prevention, and aggregate analytics
- Legal obligation: for tax, accounting, and compliance requirements
5. Third-party services we use
To deliver the Service, we share necessary data with the following processors:
- Meta Platforms (Threads API) — to publish posts and read account data on your behalf, under Meta's own privacy terms
- OpenAI / Anthropic (via OpenRouter) — to process AI generation requests; your post text may be sent for context
- Cloudflare — for hosting, DNS, email routing, and content delivery
- Railway / hosting provider — to run our backend infrastructure
- Stripe — to process payments (web subscriptions)
- Apple — for Sign in with Apple and In-App Purchase (iOS subscriptions)
- Sentry — for error tracking and debugging
Some of these providers are located outside the EU (United States primarily). Transfers are protected by Standard Contractual Clauses or equivalent safeguards under GDPR Chapter V.
6. How long we keep your data
- Account data: while your account is active, plus up to 30 days after a deletion request
- Generated content and post history: while your account is active
- OAuth access tokens: deleted within 24 hours of you disconnecting your Threads account
- Aggregated, anonymized analytics: indefinitely
- Payment records: as required by Polish tax law (typically 5 years)
7. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Request deletion ("right to be forgotten") of your account and associated data
- Export your data in a machine-readable format ("right to data portability")
- Restrict or object to certain processing
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with the Polish Personal Data Protection Office (UODO) or your local supervisory authority
To exercise any of these rights, contact hi@pennedly.com. We respond within 30 days.
8. Cookies
We use only essential cookies required for authentication and core functionality. We do not use third-party advertising or tracking cookies. A cookie banner will appear when applicable to confirm your preferences.
9. Children
Pennedly is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us immediately and we will delete it.
10. Security
We use industry-standard security measures including encryption in transit (TLS), encryption at rest for sensitive data (OAuth tokens with AES-GCM), access controls, and regular security reviews. No system is completely secure, however, and we cannot guarantee absolute security.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users at least 30 days before they take effect. The "Last updated" date above reflects the most recent revision.
12. Contact
Pennedly (operated under Fundacja Rozwoju Przedsiębiorczości "Twój StartUp")
Email: hi@pennedly.com
Correspondence address: al. Jerozolimskie 123a, 02-017 Warszawa, Atlas Tower, 18th floor, Poland
NIP: 5213641211 · REGON: 14643346700000 · KRS: 0000442857