Privacy Policy

Penlly (“we”, “our”, or “us”) is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our AI-powered newsletter platform at penlly.com and any related services (collectively, “the Service”).

Please read this policy carefully. By using the Service, you consent to the practices described here. If you do not agree, please discontinue use of the Service.

2.1 Information You Provide

• Account information: Name, email address, password, phone number, business name, country, and role when you register.
• Profile information: Website URL and other optional fields you choose to complete.
• Billing information: Payment details processed securely by our payment provider. We do not store full card numbers.
• User content: Email campaigns, templates, subscriber lists, and any other content you create or upload.
• Communications: Messages you send to our support team.

2.2 Information Collected Automatically

• Usage data: Pages visited, features used, click patterns, and time spent on the Service.
• Device & browser data: IP address, browser type, operating system, and referring URLs.
• Cookies & similar technologies: Session tokens, preference cookies, and security tokens (CSRF). See Section 8 for details.
• Email analytics: Open rates, click-through rates, and unsubscribe events for campaigns you send (aggregated).

2.3 Information from Third Parties

• Payment processors (e.g., Stripe) share transaction confirmation data with us.
• Email service providers share delivery status and bounce information.

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process transactions and send billing-related communications
• Send transactional emails (account confirmations, password resets)
• Respond to support inquiries and provide customer service
• Monitor and analyze usage patterns to improve the Service
• Train and improve AI models using aggregated, anonymized data
• Detect, prevent, and address fraud, abuse, and security incidents
• Comply with legal obligations
• Send product updates and marketing communications (with your consent, where required by law)

We will not sell your personal information to third parties. We do not use your email campaign content to train AI models without your explicit consent.

If you are located in the European Economic Area (EEA), the UK, or Switzerland, we process your personal data under the following legal bases:

• Contract: Processing necessary to provide the Service you signed up for (account management, email delivery, billing).
• Legitimate interests: Fraud prevention, security monitoring, and improving the Service.
• Consent: Marketing communications and non-essential cookies. You may withdraw consent at any time.
• Legal obligation: Compliance with applicable laws and regulations.

We do not sell, trade, or rent your personal information. We may share your data in the following limited circumstances:

• Service providers: Trusted third-party vendors who assist us in operating the Service (hosting, payment processing, email delivery, analytics). They are contractually obligated to keep your information confidential and use it only for the services they provide to us.
• Legal requirements: When required by law, court order, or governmental authority.
• Business transfers: In connection with a merger, acquisition, or sale of all or substantially all of our assets. You will be notified before your data is transferred and becomes subject to a different privacy policy.
• Protection of rights: When we believe disclosure is necessary to protect the rights, property, or safety of Penlly, our users, or the public.
• With your consent: For any other purpose with your explicit consent.

When you import or collect subscriber email addresses through Penlly, you are the data controller for that data. Penlly acts as a data processor on your behalf.

You are responsible for:

• Obtaining lawful consent from your subscribers before adding them to your lists
• Honoring unsubscribe requests promptly
• Maintaining accurate and up-to-date subscriber information
• Complying with applicable data protection laws (GDPR, CAN-SPAM, CASL, etc.)
• Providing your own privacy policy to your subscribers

We process subscriber data only as instructed by you and in accordance with our Data Processing Agreement (DPA), available upon request at legal@penlly.com.

We retain your personal data for as long as your account is active or as needed to:

• Provide the Service
• Comply with legal obligations
• Resolve disputes and enforce agreements

Specific retention periods:

• Account data: Retained while your account is active and for 30 days after deletion, then permanently erased.
• Billing records: Retained for 7 years for tax and legal compliance.
• Email campaign content: Retained while your account is active; deleted with your account.
• Security logs: Retained for up to 12 months.

You may request deletion of your account and associated data at any time (see Section 9).

We use the following types of cookies and similar technologies:

You can control cookies through your browser settings. Disabling essential cookies will affect the functionality of the Service.

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data (“right to be forgotten”).
• Portability: Receive your data in a structured, machine-readable format.
• Restriction: Request that we limit how we process your data in certain circumstances.
• Objection: Object to processing based on legitimate interests or for direct marketing.
• Withdraw consent: Withdraw any consent you previously gave at any time.

To exercise any of these rights, email us at privacy@penlly.com. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are in the EEA/UK and believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection authority.

We implement industry-standard security measures to protect your personal information, including:

• Encryption in transit (TLS/HTTPS) and at rest (AES-256)
• Bcrypt password hashing — we never store plaintext passwords
• CSRF token protection on all state-changing requests
• Regular security audits and vulnerability assessments
• Strict access controls — employees access data only on a need-to-know basis

Despite our efforts, no security system is 100% impenetrable. If you discover a security vulnerability, please report it responsibly to security@penlly.com.

Penlly is operated from the United States. If you access the Service from outside the US, your data may be transferred to, stored, and processed in the US or other countries where our service providers operate.

For transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data receives adequate protection.

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@penlly.com and we will delete such information promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by placing a prominent notice on the Service prior to the change becoming effective.

Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: