Privacy Policy
1. Introduction
Support Service LTD ("we," "our," or "us") operates Penfield, an AI memory and knowledge management system ("Service" or "Services").
This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Services. This policy applies where Support Service LTD acts as a data controller.
For users in the European Economic Area (EEA), United Kingdom, and Switzerland:
The data controller responsible for your personal data is:
- Company Name: Support Service LTD
- Registration Number: 202207793
- VAT Number: BG202207793
- Registered Address: str. Nikola Voinovski 67, fl. 4, ap. 14, Sofia, Bulgaria
- Contact Email: support@penfield.app
2. Data We Collect
2.1 Personal Data You Provide Directly
Identity and Contact Data:
- Name
- Email address
- Account credentials
User Content ("Inputs" and "Outputs"):
- Conversations and prompts you submit to Penfield
- Files, documents, and images you upload
- Memory entries you create
- Responses and outputs generated by the system
- Integration data from third-party services you connect
Feedback:
- Ratings, comments, and suggestions you provide
- Bug reports and support requests
2.2 Data We Collect Automatically
Technical Information:
- Device type and operating system
- Browser information
- IP address and approximate location (derived from IP)
- Device identifiers
- Time zone settings
Usage Information:
- Dates and times of access
- Features used and interactions with the Service
- Search queries
- Pages viewed and navigation paths
- Error logs and performance data
Cookies & Similar Technologies:
We use cookies, scripts, and similar technologies to:
- Manage and secure the Service
- Remember your preferences
- Analyze usage patterns
- Improve Service performance
2.3 Data for AI Model Training
Important: We do NOT use your conversations or content for AI training unless you explicitly opt in. Even when you have opted out, we may use flagged content to improve safety systems and enforce our Usage Policy.
3. How We Use Your Personal Data
We process your personal data for the following purposes:
To Provide and Maintain the Service:
- Create and manage your account
- Process and fulfill your requests
- Provide memory storage and retrieval
- Enable AI-powered features
- Facilitate integrations with third-party services
To Communicate With You:
- Send service-related notifications
- Respond to your inquiries and support requests
- Send updates about features and changes
- Provide marketing communications (with your consent)
To Ensure Safety and Security:
- Prevent and investigate abuse, fraud, and violations of our Usage Policy
- Detect and respond to security incidents
- Protect against unauthorized access
- Enforce our Terms of Service
To Improve the Service:
- Analyze usage patterns and trends
- Conduct research and development
- Debug and fix errors
- Develop new features
To Comply With Legal Obligations:
- Meet regulatory requirements
- Respond to lawful requests from authorities
- Protect our rights and the rights of others
- Resolve disputes
4. Legal Bases for Processing (EU/UK/Swiss Users)
Under GDPR, we rely on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of contract (Art. 6(1)(b) GDPR) |
| Account management | Performance of contract |
| Service improvements | Legitimate interests (Art. 6(1)(f) GDPR) |
| Security and fraud prevention | Legitimate interests / Legal obligation |
| Marketing communications | Consent (Art. 6(1)(a) GDPR) |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
Legitimate Interests: Where we rely on legitimate interests, we have balanced these against your rights and freedoms. You have the right to object to processing based on legitimate interests.
5. How We Share Your Personal Data
We may disclose your personal data to:
Service Providers and Business Partners:
- DigitalOcean (cloud hosting - New York, USA)
- Cloudflare (CDN, DNS, security services)
- Clerk (authentication services)
Legal and Regulatory Requirements:
- Governmental and regulatory authorities as required by law
- Law enforcement in response to lawful requests
- In connection with legal proceedings
- To protect rights, property, and safety
Business Transfers:
- In connection with a merger, acquisition, or sale of assets
- Your data may be transferred as part of business assets
Important: We do NOT sell your personal data to third parties.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside the EEA, UK, or Switzerland, including the United States (DigitalOcean hosting).
When transferring data internationally, we ensure adequate protection through:
Standard Contractual Clauses (SCCs):
- EU-approved contractual protections for transfers to countries without adequacy decisions
- We use SCCs approved by the European Commission (Decision 2021/914)
Additional Safeguards:
- Encryption in transit and at rest (AES-256, TLS 1.2+)
- Access controls and authentication
- Regular security audits and assessments
You may request a copy of the safeguards we use by contacting support@penfield.app.
7. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy.
Account Data:
- Retained while your account is active
- After account deletion request: data is soft-deleted for recovery purposes, then permanently deleted
Memory Data:
- Retained indefinitely until you delete it
- You can delete individual memories anytime
Legal Requirements:
- We may retain data longer when required by law or to defend legal claims
De-identified Data:
- We may retain de-identified or aggregated data indefinitely for research and analytics
8. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
8.1 Rights for EU/EEA/UK/Swiss Users (GDPR)
Right to Access:
- Request a copy of the personal data we hold about you
- Receive information about how we process your data
Right to Rectification:
- Request correction of inaccurate or incomplete data
Right to Erasure ("Right to be Forgotten"):
- Request deletion of your personal data
- Subject to legal exceptions (e.g., compliance, legal claims)
Right to Restrict Processing:
- Request that we limit how we use your data in certain circumstances
Right to Data Portability:
- Receive your data in a structured, machine-readable format
- Request transfer to another service provider where technically feasible
Right to Object:
- Object to processing based on legitimate interests
- Object to direct marketing (you can opt out anytime)
Right to Withdraw Consent:
- Where processing is based on consent, you may withdraw it anytime
- This does not affect the lawfulness of processing before withdrawal
Right to Lodge a Complaint:
- File a complaint with your local data protection authority
- EU supervisory authorities
- UK Information Commissioner's Office
8.2 How to Exercise Your Rights
To exercise your rights:
- Email us at support@penfield.app
We will respond to verified requests within 30 days (GDPR) or as required by applicable law.
We may request additional information to verify your identity before processing requests.
No Discrimination: We will not discriminate against you for exercising your privacy rights.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
Technical Measures:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Secure authentication and access controls
- Regular security vulnerability assessments
- Automated backup systems
Organizational Measures:
- Least privilege access principle
- Incident response procedures
- Vendor security assessments
While we strive to protect your data, no method of transmission or storage is 100% secure. If you believe your data has been compromised, please contact us immediately at support@penfield.app.
10. Children's Privacy
Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@penfield.app. We will take steps to delete such information promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- Changes in applicable law
- New features or services
- Feedback from users and regulators
Notification of Changes:
- We will post the updated policy with a new "Last Updated" date
- Material changes will be communicated via email notification or in-app notification
Your Continued Use: Continued use of the Service after changes constitutes acceptance of the updated policy.
12. Cookie Policy
We use cookies and similar tracking technologies:
Essential Cookies: Required for the Service to function (e.g., authentication, security)
Analytics Cookies: Help us understand how users interact with the Service
Preference Cookies: Remember your settings and preferences
Your Choices:
- Browser settings: Most browsers allow you to control cookies
- We honor Global Privacy Control signals
13. Third-Party Links and Services
Our Service may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties.
When you interact with third-party services:
- Their privacy policies apply
- Data you share is governed by their terms
- Review their policies before sharing information
14. AI-Specific Considerations
14.1 Model Training and Outputs
Training Data: Our AI models are processed locally using self-hosted infrastructure. We do not send your data to third-party AI providers.
Output Accuracy: AI-generated outputs may contain inaccuracies, including inaccurate personal information. Do not rely on outputs for factual accuracy without verification.
14.2 Your Control Over Training
Opt-Out: You can opt out of having your conversations used for model improvements in your Privacy Settings.
Memory Feature: If you use our Memory feature (stores preferences and context):
- You control what is stored
- You can view, edit, and delete memories anytime
- Memory data follows the same privacy protections as other content
15. California Residents (CCPA/CPRA)
California residents have specific rights under the California Consumer Privacy Act:
- Right to know what personal information is collected
- Right to know if personal information is sold or shared
- Right to delete personal information
- Right to opt out of sale/sharing
- Right to correct inaccurate information
We do not "sell" personal information as defined by CCPA.
For CCPA requests, email support@penfield.app.
16. Contact Information
For privacy-related questions, requests, or concerns:
General Inquiries:
- Email: support@penfield.app
- Address: Support Service LTD, str. Nikola Voinovski 67, fl. 4, ap. 14, Sofia, Bulgaria
Regulatory Complaints:
You have the right to lodge a complaint with a supervisory authority: