Back

Privacy Policy

Version 2026-04-17Effective 2026-04-17
Pending legal review. This document is a placeholder scaffold and has not yet been reviewed by commercial counsel. Commercial terms will be finalised before public launch.

1. Who We Are

Penworth (A.C.N. 675 668 710 PTY LTD) is the data controller for information collected through penworth.ai and its subdomains.

2. Data We Collect

  • Account data. Email address, name, password hash, language preference, country (for tax and compliance).
  • Content. The documents you create, including interview answers, outlines, chapters, and covers.
  • Billing. Handled by Stripe. We store a Stripe customer ID and subscription status; we do not store card numbers.
  • Publishing credentials. When you connect third-party platforms (e.g. Kobo, Google Play Books), we store encrypted OAuth tokens or API keys. Credentials are decrypted only at publish time.
  • Usage data. Pages viewed, actions taken, feature usage. Used to improve the Service and diagnose issues.
  • Device data. IP address, user agent, browser language.

3. How We Use Data

To provide the Service, process payments, operate publishing automation, send transactional email, detect abuse, and comply with legal obligations.

4. Third-Party Processors

We share data with vetted processors under Data Processing Agreements:

  • Supabase (database + authentication, hosted in the EU)
  • Vercel (application hosting + edge network)
  • Stripe (payment processing)
  • Anthropic (AI inference)
  • ElevenLabs (audiobook narration)
  • Ideogram (cover generation)
  • Browserbase (publishing automation)
  • Resend (transactional email)
  • Connected publishing platforms (only when you explicitly publish to them)

5. International Transfers

Your data is processed in jurisdictions including Australia, the EU, and the United States. Transfers are governed by Standard Contractual Clauses where required.

6. Your Rights

You can access, correct, export, or delete your data by emailing support@penworth.ai. We respond within 30 days (or as required by your local law, whichever is shorter).

7. Retention

Account and content data is retained while your account is active. Financial records are retained for 7 years under Australian law. Consent records are append-only and retained for 7 years.

8. Security

Data is encrypted in transit (TLS) and at rest. Publishing credentials are additionally encrypted with AES-256-GCM using per-user keys. Row-Level Security at the database layer prevents one user from reading another user’s content.

9. Children

The Service is not directed to children under 16. We do not knowingly collect data from them.

10. Contact

Privacy enquiries: support@penworth.ai.