
Privacy Policy

Last updated: 30 May 2026

A note before the legal stuff

This policy explains what data we collect when you use Penling, why we collect it, who we share it with, and what rights you have over it. We've tried to write it the way we'd want to read it - plainly, without unnecessary legalese - but we've kept the structure that privacy regulations require, because we want you to be able to find what you need.

If you have any questions about anything in this policy, email us at privacy@penling.com and we'll answer them.


1. Who we are

Penling is a spec-driven workspace for teams using AI to build software. This privacy policy applies to the Penling website at penlingapp.com and the Penling application.

The entity responsible for handling your data (“we,” “us,” or “Penling” in this document) is:

Argile Focus
ABN: 98 119 266 814

If you have questions about this policy, or want to exercise any of the rights described below, contact us at privacy@penling.com.


2. What data we collect

We collect three kinds of data: data you give us, data your team's work generates, and data we collect automatically when you use Penling.

Data you give us when you sign up

  • Your name and email address. We need these to create your account and contact you about your workspace.
  • Your company or organization name, if you provide one.
  • Authentication identifiers if you sign in with Microsoft, Google, or GitHub. We receive a unique identifier from these providers along with your email address - we don't see or store your password for these accounts.
  • Your password, if you create an account using email and password. We store this as a one-way hash; we cannot read it.

Data your team's work generates

When your team uses Penling, the product stores the work you do inside it. This includes:

  • Specifications, focus areas, and plans your team writes.
  • Build events and decisions captured as AI agents work on your specifications through our MCP integration.
  • Comments, clarifications, and other contributions team members make as the work progresses.

This is your data. You own it. We process it on your behalf so the product can do what you signed up for.

Data we collect automatically

  • Usage data through Google Analytics - information about which pages you visit, how long you stay, which features you use, and basic information about your device (browser type, operating system, approximate location based on IP address).
  • Cookies - see Section 8 below for details on what cookies we use and how to control them.
  • Log data - when you use the product, our servers record information like your IP address, the time of your request, and what you did. We use this for security and troubleshooting.

We do not collect or process special categories of data (health information, biometric data, sexual orientation, political opinions, religious beliefs, etc.) and ask that you not put such information into Penling.


3. Why we collect it and our lawful basis for doing so

We collect data for these reasons:

  • To provide Penling to you - your account data, your team's specifications, and the work your team does in the product are needed for the product to function. (Lawful basis: performance of a contract.)
  • To communicate with you - about your account, billing, important product changes, and customer support. (Lawful basis: performance of a contract and legitimate interests.)
  • To improve Penling - usage analytics help us understand how the product is used so we can make it better. (Lawful basis: legitimate interests.)
  • To process payments - we use Stripe to handle subscriptions and billing. (Lawful basis: performance of a contract.)
  • To keep Penling secure - we monitor for fraud, abuse, and security threats. (Lawful basis: legitimate interests and legal obligations.)
  • To comply with the law - including financial record-keeping, tax obligations, and responding to lawful requests from authorities. (Lawful basis: legal obligations.)

4. Who we share your data with

We share data with a small number of trusted service providers who help us run Penling. We only share what each provider needs to do its job, and we contract with each of them to handle your data responsibly.

| Service provider | What they do | What we share |
| --- | --- | --- |
| Amazon Web Services | Hosts the Penling application and stores your data | Account data, specifications, and all product content |
| Supabase | Provides our database and authentication infrastructure | Account data, authentication identifiers, specifications |
| Anthropic | Provides the LLM (Claude) that drafts plans and works on specifications | Specifications and related content you submit for AI processing |
| Stripe | Processes payments and manages subscriptions | Your name, email, billing details, and payment information |
| Resend | Sends transactional emails | Your name and email address |
| Google Analytics | Provides website and product usage analytics | Pseudonymous usage data and limited device information |
| Microsoft, Google, GitHub | Authentication (if you choose to sign in with one of these) | We receive an identifier and your email address from them |

A specific note on AI processing

When your team uses Penling to generate plans or work with AI on specifications, your content is sent to Anthropic's API to be processed by Claude.

We use Anthropic's API in a configuration that - under Anthropic's terms - means your content is not used to train Anthropic's models. Anthropic processes your content only to return a response to our API request, and then discards it according to their data retention policies.

You can read Anthropic's privacy practices at anthropic.com/legal/privacy.

When we share data outside this list

We will only share your data outside this list in three situations:

  • If you ask us to, for example by integrating Penling with another tool of your choice.
  • If a law requires us to, such as a valid subpoena or court order. We will resist overbroad requests and tell you about them when we are allowed to.
  • If we're involved in a merger or acquisition, in which case the acquirer would inherit our obligations under this policy or notify you of changes.

We do not sell your data. We do not share your data with advertisers.


5. Where your data is stored

Penling's application and all customer data are hosted on AWS in Australia (Sydney region). Our database, file storage, and application logs are all stored in Australian data centres.

If you are accessing Penling from outside Australia - particularly from the European Union, the United Kingdom, or the United States - your data will be transferred to and processed in Australia. This is a cross-border transfer under privacy laws in many jurisdictions.

Some of our service providers may process data outside Australia - for example, Anthropic's API processes data in the United States, Stripe processes payments through their global infrastructure, and Google Analytics processes data through Google's international systems. We've selected these providers because they have appropriate safeguards for cross-border data transfers.


6. How long we keep your data

We keep your data for as long as you have an active Penling account. If you cancel your account or your subscription lapses:

  • Your account data and your team's content are kept for 30 days after cancellation, then permanently deleted. This gives you a window to change your mind or export your data.
  • Billing records are kept for seven years after your last transaction, as required by Australian tax law.
  • Anonymous usage analytics may be kept indefinitely in aggregated form for product improvement.
  • Backups are retained for 30 days before being purged.

You can request deletion of your data at any time by emailing privacy@penling.com. We'll confirm deletion within 30 days, except for data we're required to keep by law (like billing records).


7. Your rights over your data

Depending on where you live, you have a range of rights over your data. Penling honours all of these rights for all customers, regardless of location.

  • Right to know (GDPR, CCPA, Australian Privacy Act) - What data we have about you and how we use it.
  • Right to access (GDPR, CCPA) - Your data and receive a copy of it in a portable format.
  • Right to correct (GDPR, Australian Privacy Act) - Inaccurate or incomplete data.
  • Right to delete (GDPR, CCPA, Australian Privacy Act) - Your data, with some limitations for data we are legally required to keep.
  • Right to restrict (GDPR) - Or object to certain processing.
  • Right to portability (GDPR, CCPA) - Receive your data in a machine-readable format.
  • Right to opt out (CCPA) - Of sale or sharing of personal information. We don't sell or share personal information for advertising.
  • Right to non-discrimination (CCPA) - For exercising any of these rights.
  • Right to complain (GDPR, OAIC, ICO) - To your local data protection authority.

To exercise any of these rights, email privacy@penling.com. We'll respond within 30 days. We may need to verify your identity before making changes to your data.


8. Cookies

We use cookies and similar technologies to make Penling work and to understand how it's being used.

  • Essential - These keep you logged in, remember your preferences, and allow the product to function. You can't turn these off; without them, Penling won't work.
  • Analytics - Used by Google Analytics to understand how the site and product are being used. You can turn these off in your browser settings or via our cookie banner.
  • Functional - Used to remember your preferences (like UI settings). You can turn these off, but the product may not remember your choices between sessions.

We do not use advertising or marketing cookies. You can manage cookies through your browser settings at any time.


9. Security

We take reasonable precautions to keep your data safe:

  • All connections to Penling use TLS encryption (HTTPS).
  • Data at rest is encrypted in our database.
  • Passwords are stored as one-way hashes - we cannot read them, even if we wanted to.
  • Access to production systems is limited to a small number of authorised team members, and access is logged.
  • We use third-party providers (AWS, Supabase, Stripe, Anthropic) who are subject to their own rigorous security standards.

No system is completely secure. If something goes wrong and your data is exposed in a breach, we'll notify you and the relevant authorities as quickly as we can - and within the timeframes required by law (72 hours for GDPR, “as soon as practicable” for the Australian Notifiable Data Breaches scheme).


10. Children

Penling is a B2B product for engineering teams, not a service for children. We don't knowingly collect data from anyone under 18. If you believe a child has signed up for Penling, contact us at privacy@penling.com and we'll delete the account.


11. Changes to this policy

We may update this policy from time to time. When we do:

  • For minor changes (clarifications, typo fixes, formatting), we'll update the “Last updated” date at the top of this page.
  • For significant changes (new data collection practices, new sub-processors, changes to how we share data), we'll notify you by email at least 30 days before the changes take effect, and you'll have the chance to close your account if you don't agree.

Old versions of this policy are kept in our internal records. If you'd like to see a previous version, email privacy@penling.com.


12. How to contact us

For any questions about this privacy policy, or to exercise any of your rights under it:

Email: privacy@penling.com

If you're not satisfied with our response, you have the right to lodge a complaint with:

  • Australia: The Office of the Australian Information Commissioner (OAIC), oaic.gov.au
  • European Union: Your local data protection authority, edpb.europa.eu
  • United Kingdom: The Information Commissioner's Office (ICO), ico.org.uk
  • California: The California Privacy Protection Agency, cppa.ca.gov