← Back

Privacy Policy

Effective from launch date · Last updated February 2026

1. Data Controller

Penrose is operated by Steve Chalmers. For questions about this policy or your data, contact us at me@stevechalmers.uk.

2. Data We Collect

We collect and process the following categories of data:

  • Account information — your name, email address, and password hash (managed by Supabase Auth).
  • Email content — fetched on-demand from your email provider via IMAP. Email content is not persistently stored on our servers.
  • Encrypted credentials — your IMAP/SMTP credentials are encrypted with AES-256 and stored in Supabase. We never store them in plain text.
  • Payment data — processed by Stripe. We do not store card numbers or bank details. We store your Stripe customer ID and subscription status.
  • Subscription and usage data — your plan tier, trial status, and feature usage.

3. AI Processing

Email content is sent to Anthropic's Claude API for features such as summarisation, draft generation, and inbox analysis. Under Anthropic's commercial API terms, your data is not used to train their models.

Web search queries are sent to Tavily when you use the AI assistant's web search feature.

4. Third-Party Processors

  • Supabase — database and authentication
  • Anthropic — AI processing (Claude API)
  • Stripe — payment processing
  • Google — OAuth sign-in (optional)
  • Tavily — web search for the AI assistant
  • Vercel — application hosting

5. Legal Basis for Processing

  • Contract performance — processing your email and account data to provide the service you signed up for.
  • Legitimate interest — security monitoring, fraud prevention, and service improvement.
  • Consent — where applicable, such as optional marketing communications.

6. Cookies

Penrose uses essential cookies only — specifically, Supabase authentication session cookies required for the service to function. We do not use analytics, tracking, or advertising cookies. Essential cookies are exempt from consent requirements under UK PECR regulation 6(4).

7. Data Retention

  • Account data is retained while your account is active and deleted upon request.
  • Email content is not persistently stored — it is fetched from your email provider on each session.
  • AI interactions are not retained after your session.
  • Payment records are retained as required by law (typically 6 years for tax/accounting purposes).

8. Your Rights

Under the UK Data Protection Act 2018 and UK GDPR, you have the following rights:

  • Right of access (Section 45) — request a copy of the data we hold about you.
  • Right to rectification — correct inaccurate personal data.
  • Right to erasure — request deletion of your data.
  • Right to restriction — restrict how we process your data.
  • Right to data portability — receive your data in a structured format.
  • Right to object — object to processing based on legitimate interest.

To exercise any of these rights, contact me@stevechalmers.uk. You can also export your data at any time from Settings.

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

9. International Transfers

Some of our processors (Supabase, Anthropic, Stripe, Vercel) are based in the United States. Data transfers are protected under appropriate safeguards, including standard contractual clauses and the processors' own data protection commitments.

10. Children

Penrose is not intended for users under the age of 16.

11. Changes to This Policy

If we make material changes to this policy, we will notify you by email. Continued use of the service after notification constitutes acceptance of the updated policy.

12. Supervisory Authority

Our supervisory authority is the UK Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Questions? Email me@stevechalmers.uk