Privacy Policy

Effective date: 18 May 2026 — Version 1.1 (updated 20 May 2026)

1. Who we are

PennaSystems is operated by Rune Rævdal Walther, a sole trader (Personligt ejet Mindre Virksomhed / PMV) based in Denmark, registered with Erhvervsstyrelsen under CVR number 46426061. References to "we", "us", or "PennaSystems" in this policy refer to Rune Rævdal Walther.

Contact: rrwalther@pm.me — Banevænget 5C, 5270 Odense N, Denmark

2. What data we collect and why

Account data (you, the freelancer who signs up):

• Name, email address, password hash — to create and secure your account.
• Business name, logo, billing address — to populate invoices you send to your clients.
• Payment method — handled entirely by Stripe. We never see or store your card number.

These categories of personal data: identity data (name), contact data (email, address), authentication data (password hash), business data (logo, business name).

Client data (data about your clients, entered by you):

• Client name, email, address, phone — to create invoices and messages.
• Invoice history, file uploads, messages — to provide the core service.
• You are the data controller for your clients' data. We process it as your data processor, on your instructions, in accordance with GDPR Article 28.

These categories of personal data about your clients: identity data (name), contact data (email, address, phone), transactional data (invoice history), content data (messages, file uploads).

Usage data (automatically collected):

• Log data: IP address, browser type, pages visited, timestamps — for security monitoring and debugging.
• Session tokens — to keep you logged in.

These categories of personal data: technical data (IP, browser, timestamps), authentication data (session tokens).

3. Legal basis for processing (GDPR Article 6)

• Contract performance (Art. 6(1)(b)): We process your account data and client data to deliver the service you signed up for.
• Legitimate interests (Art. 6(1)(f)): We process log and security data to protect the platform from abuse.
• Legal obligation (Art. 6(1)(c)): We retain certain financial records as required by Danish accounting law (Bogføringsloven).
• Consent (Art. 6(1)(a)): We use consent for non-essential cookies and any optional marketing communications.

4. Who we share your data with

We do not sell your data. We share it only with the following sub-processors, each bound by a Data Processing Agreement. For full details including data categories and transfer mechanisms, see our Subprocessors page.

• Stripe, Inc. (USA) — payment processing. EU–US Data Privacy Framework.
• Resend, Inc. (USA) — transactional email delivery. Standard Contractual Clauses.
• Railway Corp. (USA) — cloud hosting and database. Standard Contractual Clauses.
• Cloudflare, Inc. (USA) — file storage (R2) and CDN. Standard Contractual Clauses.
• Anthropic, PBC (USA) — AI-assisted features (only when you use them). Standard Contractual Clauses.
• Functional Software, Inc. / Sentry (USA) — error tracking. Standard Contractual Clauses.
• Expo Technology, Inc. (USA) — mobile push notifications. Standard Contractual Clauses.
• PostHog, Inc. (EU Cloud — Frankfurt, DE) — product and web analytics. Data stored in EU (AWS eu-central-1); no transfer outside EU.

We will notify you at least 30 days before adding any new sub-processor.

5. AI-assisted features

PennaSystems includes optional AI-assisted features that help you draft invoice line items, compose emails, and generate proposals. These features use the Anthropic Claude API.

• When AI processing occurs: Only when you explicitly activate an AI feature (e.g. clicking "Draft email with AI" or "Suggest invoice items"). AI features do not process your data in the background.
• What is sent to Anthropic: The specific content you submit at the time of use (a partial invoice, an email draft, a brief). Account credentials, client lists, and unrelated data are not sent.
• Anthropic's data handling: Under Anthropic's Commercial API Terms, your data is not used to train models. Inputs and outputs are retained by Anthropic for up to 30 days for abuse monitoring, then deleted. See our Subprocessors page for the legal transfer basis.
• Automated decision-making: AI features produce suggestions, not decisions. You always review and edit the output before it is sent or saved. AI features do not constitute automated decision-making under GDPR Article 22.
• Opting out: You can disable AI features in your account settings. Disabling does not affect any other feature of PennaSystems.

6. International data transfers

Most of our subprocessors are based in the United States. Personal data is transferred under one of the following GDPR-recognised mechanisms:

• EU–US Data Privacy Framework (DPF): Stripe is DPF-certified.
• Standard Contractual Clauses (SCCs): Resend, Railway, Cloudflare, Anthropic, Sentry, Expo. We have signed SCCs with each.
• No transfer: PostHog operates from EU servers (Frankfurt, AWS eu-central-1); no transfer outside the EEA occurs.

We document Transfer Impact Assessments (TIAs) for each US-based transfer to evaluate whether the receiving country's legal regime offers adequate protection. These TIAs are available on request.

If you have specific concerns about a particular transfer or want to receive a copy of the relevant SCCs, contact us at rrwalther@pm.me.

7. Data retention

• Account data: retained while your account is active, then soft-deleted for 30 days (restorable), then permanently erased.
• Invoices and bookkeeping records you create for your clients: deleted within 30 days of your account deletion request, in line with our role as data processor (GDPR Art. 28). As the data controller for these records, you are responsible for retaining them in your own bookkeeping system for the 5-year period required by Danish Bogføringsloven § 10. Use the data export tool in Settings to download and store a copy before deletion.
• Subscription invoices PennaSystems issues to you (for your plat