Privacy Policy

We collect three categories of data:

• Account data — when you sign up, our authentication provider (Clerk) collects your email address, name, and any sign-in identifiers (Google account ID if you sign in with Google). We never see your password.
• Usage data — the number of words you process per day, per tool, plus timestamps. This is needed to enforce free-tier and paid-tier limits and to project costs. We do not store the text of your inputs or outputs beyond what is needed to render the immediate response.
• Billing data — when you subscribe to a paid plan, our payment processor (Stripe) collects your name, billing address, and payment method. We receive a customer ID and the subscription status; we never see your card details.

We do not store the text you submit to any tool (paraphraser, humanizer, AI detector, plagiarism checker, grammar, summarizer, translator) once the response has been rendered to you. We do not use your inputs or outputs to train any model, and we do not share them with any third party other than the inference provider that processes them in real time.

We process personal data for the following purposes and lawful bases under UK GDPR Article 6:

• Provide the service (Article 6(1)(b), performance of contract) — authentication, applying quotas, delivering rewrites and analysis.
• Process payments (Article 6(1)(b)) — billing your chosen plan, applying student discounts.
• Customer support (Article 6(1)(b) and 6(1)(f), legitimate interests) — responding to your emails and resolving issues.
• Service improvement and security (Article 6(1)(f)) — aggregated usage analysis, abuse detection, log monitoring.
• Legal compliance (Article 6(1)(c)) — accounting records, responding to lawful information requests.

We share data with the following sub-processors strictly to deliver the service. Each is bound by a data-processing agreement and processes data on our instructions only.

• Clerk Inc. (United States) — authentication and session management. Receives account data.
• Vercel Inc. (United States) — application hosting. Receives request metadata and may transit input/output text in flight (not stored).
• Stripe Inc. (United States) — payment processing. Receives billing data when you subscribe.
• Amazon Web Services EMEA SARL (Ireland and other regions) — machine-learning inference. Receives input text in flight to generate the response, then discards it.
• Winston AI (Canada) — plagiarism scanning. Receives input text in flight when you use the plagiarism tool, then discards it.

Some providers are located outside the UK / EEA. Where personal data is transferred internationally, we rely on Standard Contractual Clauses or equivalent safeguards under UK GDPR Article 46.

Penshift uses only essential cookies set by our authentication provider for session management. We do not use advertising or analytics cookies. The session cookie expires when your session ends or you sign out.

Account data is retained while your account is active and for 30 days after you delete it (to allow recovery from accidental deletion), then permanently deleted. Usage counters reset daily and are not retained beyond the current rolling window. Billing records are retained for as long as required by tax and accounting law (typically 6 years in the UK). Support emails are retained for 24 months unless you ask us to delete them sooner.

Under UK GDPR you have the following rights:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate data.
• Erasure — request deletion of your data, subject to legal-retention obligations.
• Restriction — limit how we process your data.
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any right, email hello@penshift.com. We respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority.

Penshift is not directed at children under 13 (or under 16 in jurisdictions that apply that threshold). We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.

We use industry-standard measures to protect data, including TLS encryption in transit, encrypted storage at rest with our hosting and authentication providers, and least-privilege access to internal systems. No system is perfectly secure; if a breach occurs that affects your data, we will notify you and the relevant authority within 72 hours as required by UK GDPR.

We may update this Policy from time to time. Material changes will be communicated by email at least 14 days before they take effect. The “last updated” date at the top of this page reflects the most recent revision.

Penshift LTD is the data controller for your personal data. Privacy enquiries: hello@penshift.com. Penshift LTD is a private limited company registered in England and Wales.