Privacy Policy
Effective date: 28 March 2026. This policy describes how Peni Labs handles your personal data.
1. Who we are
Peni is operated by Peni Labs ("we", "our", or "us"). Peni is a personal reminder application that helps you track items you have borrowed, lent, or owe. We are the data controller in respect of the personal data described in this policy.
For any privacy-related questions or requests, please contact us at privacy@getpeni.com.
2. What personal data we collect
We collect only what is necessary to provide the service. This includes:
- Account information: your email address and the display name you choose when registering.
- Reminder data: titles, due dates, notes, and names associated with your reminders.
- Photos: images you choose to attach to reminders. Photo uploads are entirely optional.
- App preferences: settings such as theme, notification preferences, and any custom preferences you configure.
- Payment data: if you subscribe to Peni Pro, our payment processor handles your card details directly. We receive only confirmation of payment status and a subscription identifier. We never see or store your card number.
- Usage data: basic, non-identifying information about how the service is used, for the purpose of maintaining and improving the service.
We do not collect your location, device contacts, advertising identifiers, or any special category personal data as defined under GDPR.
3. How we use your data
We use your personal data only for the following purposes:
- To create and maintain your account.
- To sync your reminders across your devices.
- To send you reminder notifications, where you have enabled them.
- To process payments for Pro subscriptions.
- To respond to support requests and communications from you.
- To maintain the security and integrity of the service.
- To comply with our legal obligations.
We do not use your data for advertising. We do not sell, rent, or trade your personal data with any third party for their marketing purposes. We do not build advertising profiles from your usage.
4. Third-party service providers
To operate Peni, we engage a small number of carefully selected third-party service providers who process data on our behalf. Each provider is bound by appropriate data processing terms:
- Authentication and database services: we use a third-party provider to manage user authentication and store your reminders and account data securely. Data is encrypted at rest and in transit.
- Hosting and infrastructure: the application is served via a third-party cloud infrastructure provider. Your data does not leave the platform other than as described in this policy.
- Payment processing: Pro subscriptions are processed by a PCI DSS-compliant third-party payment processor. We do not receive or store payment card data. The processor's own privacy policy governs their handling of payment information.
We do not use analytics SDKs, advertising networks, social media tracking pixels, or third-party crash reporting tools that collect personal data.
A full and current list of our sub-processors is available on request at privacy@getpeni.com.
5. Legal basis for processing (GDPR)
Where GDPR applies, we process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)): processing your account and reminder data is necessary to deliver the service you signed up for.
- Legitimate interests (Article 6(1)(f)): maintaining the security of the service, preventing fraud, and improving the service. We balance these interests against your rights and will not process your data where your interests override ours.
- Compliance with legal obligations (Article 6(1)(c)): where we are required to retain or disclose data by applicable law.
- Consent (Article 6(1)(a)): for optional features such as push notifications or photo uploads, where you can withdraw consent at any time from within the app settings.
6. Data retention
We retain your personal data for as long as your account is active. If you delete your account, all associated data — including reminders, notes, photos, and profile information — is permanently deleted within 30 days of your deletion request.
We may retain certain minimal records for longer where required by applicable law, for example for tax or financial compliance purposes. Any retained data is kept only for as long as legally required and is not used for any other purpose.
7. Your rights
Depending on where you are located, you may have the following rights in respect of your personal data:
- Right of access: to request a copy of the personal data we hold about you.
- Right to rectification: to correct any inaccurate data. You can update your display name directly in the app.
- Right to erasure: to request deletion of your account and associated data. You can do this directly in Settings.
- Right to data portability: to request your data in a structured, machine-readable format.
- Right to object: to object to processing based on legitimate interests.
- Right to restrict processing: to ask us to pause processing of your data in certain circumstances.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@getpeni.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
8. International data transfers
Our service providers may operate infrastructure in jurisdictions outside the European Economic Area. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or equivalent mechanisms under applicable data protection law.
9. Children
Peni is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data without appropriate consent, please contact us at privacy@getpeni.com and we will delete it promptly.
10. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encrypted data storage, encrypted data transmission (TLS), and access controls limiting who within our organisation can access user data.
No method of transmission or storage is 100% secure. We will notify you and any relevant regulatory authorities of any data breach in accordance with our legal obligations.
11. Changes to this policy
We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice within the app before the changes take effect. The effective date at the top of this page will always reflect the date of the most recent revision.
12. Contact and complaints
If you have any questions, concerns, or requests regarding this policy or our data practices, please contact us:
Peni Labs
privacy@getpeni.com
getpeni.com
If you are based in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.