Privacy Policy

Information we collect

Account information. When you sign up, we collect your email address, your name (if provided), and authentication credentials. Authentication is handled by Supabase, our identity provider.

Deal and document information. When you generate contracts, we collect the information you enter about your real estate transactions and store the drafts and revisions Penlo produces. If you upload forms, we store those uploads.

Payment information. Payments are processed by Stripe. Penlo does not store your full card number, CVV, or other payment instrument data. Stripe shares limited billing information with us — typically the last four digits of the card, the expiration, and the brand — for invoicing and account management.

Usage data. We collect anonymized analytics about how Penlo is used — pages visited, features used, error logs — to improve the product.

How we use your information

We use the information we collect to:

• Provide and improve the Penlo service.
• Generate contract drafts on your behalf.
• Process payments and manage your subscription.
• Communicate with you about your account, billing, and the service.
• Comply with legal obligations.
• Detect and prevent fraud, abuse, or unauthorized access.

AI processing

Generating contracts requires sending information about your deal to Anthropic's Claude API. By using Penlo, you consent to this processing.

Anthropic's commercial API operates under terms that include the following protections: your inputs and outputs are not used to train Anthropic's models by default, data is processed in secure data centers, and retention is limited per Anthropic's data policies. You can review Anthropic's privacy practices at anthropic.com/legal/privacy.

Information sharing

We share information with the following service providers to operate Penlo:

• Anthropic — for AI processing of contract drafts.
• Supabase — for authentication and database storage.
• Stripe — for payment processing.
• Resend — for transactional email delivery.

We may also disclose information when required by law, to protect the rights and safety of Penlo or others, or in connection with a corporate transaction such as a merger or sale of assets.

We do not sell your personal information.

Your rights

You have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Delete your account and associated personal information.
• Export your data in a portable format.
• Opt out of non-essential communications.

To exercise these rights, contact hello@penlo.app.

California privacy rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the rights to know, delete, correct, and opt out of the sale or sharing of personal information. Penlo does not sell or share personal information for cross-context behavioral advertising. You will not be discriminated against for exercising your privacy rights.

Data security

We use industry-standard security measures including encryption in transit (TLS), encryption at rest, and access controls. No method of transmission or storage over the internet is 100% secure, and we cannot guarantee absolute security.

Data retention

We retain your information for as long as your account is active or as needed to provide the service. After account closure, we may retain limited information for legal, regulatory, or operational purposes.

Children's privacy

Penlo is not intended for users under the age of 18, and we do not knowingly collect personal information from minors. If we learn that a minor has provided us with personal information, we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or through the service. Continued use of Penlo after changes constitutes acceptance.