Privacy Policy

• —Account data — your email and authentication details (passwords are hashed; we never store them in plain text).
• —Your thesis notes — the reasons you write for holding a position, and your decisions over time. Encrypted at rest and scoped to your account.
• —Portfolio data— tickers and rough sizing you enter, or positions read from a brokerage you connect (read-only). We don't ingest your trade history.
• —Preferences — alert tone, delivery and quiet-hours settings.
• —Payment data — handled by Stripe. We receive confirmation and limited metadata (such as your email, the amount, and whether payment succeeded). We never see or store your full card number.
• —Usage & device data — basic logs, and limited analytics to keep the service working and improve it.

• —To provide the service: monitor your theses, generate alerts and digests, and run your account.
• —To process the founding presale and any future subscription, and send you receipts.
• —To communicate with you about your account, security, and material changes.
• —To keep penKeep secure, debug problems, and improve the product.

We do not sell your data, and we do not use your thesis notes to train public AI models, or for advertising.

Where GDPR applies, we rely on:

• —Contract — to deliver the service you signed up for and process your purchase.
• —Legitimate interests — to secure, maintain and improve penKeep, kept in balance with your rights.
• —Consent — for anything optional (for example, marketing emails), which you can withdraw at any time.
• —Legal obligation— to keep records we're required to keep (such as for tax).

We use a small set of trusted processors who act on our instructions. Each handles only what it needs to:

• —Stripe — payment processing.
• —Resend — transactional and digest emails.
• —Railway — cloud hosting and database.
• —AI providers ([Anthropic, OpenAI, Google]) — to analyse public market information against the claims in your thesis. We send the minimum needed and use providers that do not train their models on our API data.
• —Market-data & filing sources — to fetch the public information we monitor.

We may also disclose data if required by law, or as part of a business transfer, in which case we'll tell you.

Some processors are outside your country (for example, in the US). Where we transfer personal data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses.

We keep your data while your account is active and as long as needed to provide the service. After you delete your account we remove your personal data within a reasonable period, except where we must keep limited records (such as payment records for tax) for the period required by law.

Depending on where you live, you may have the right to access, correct, delete, export, or restrict use of your data, and to object to or withdraw consent for certain processing. To exercise any of these, email [privacy@penkeep.io] — we respond within 30 days (and aim for sooner). You can also complain to your local data-protection authority (in the UK, the ICO).

We use the minimum cookies needed to keep you signed in and the site working, plus limited analytics. We don't use advertising cookies. [If you add analytics that require consent, link your cookie settings here.]

penKeep is not for anyone under 18, and we don't knowingly collect their data.

We'll update this policy as penKeep evolves and revise the date above. If a change is material, we'll give reasonable notice.