We collect the data we need to make PennyLens work and as little else as we can get away with. This Policy explains exactly what that means — what we hold, why, where it lives, who can touch it, and how to get it back or have it deleted.
It is written to be readable first, with the formal requirements of GDPR, UK GDPR, CCPA/CPRA, and the Swiss FADP folded in. If anything below is unclear, email privacy@pennylens.com and we’ll answer in plain English.
For the documents this Policy points to — the DPA, the Subprocessor list, the international transfer instruments — see the linked references in each section.
Scope and roles
This Privacy Policy describes how PennyLens, Inc. (“PennyLens”, “we”, “us”) collects, uses, stores, and shares personal data across the dashboard at app.pennylens.com, the marketing site at pennylens.com, the JavaScript SDK, and any related APIs (collectively, the “Service”).
PennyLens operates in two distinct roles depending on the data:
- Controller. For account, billing, and marketing data we collect directly from customers, we determine the means and purposes of processing — and we are the Controller under the GDPR / UK GDPR (and the “business” under CCPA/CPRA).
- Processor. For behavioral data captured by the SDK from visitors to our customers’ websites, we process on behalf of the customer (the “Site Owner”), under their instructions. We are the Processor (and the “service provider” under CCPA/CPRA). Visitors to those sites are “End Users”.
Where we act as a Processor, the Site Owner remains the Controller of End-User personal data and is responsible for posting an appropriate privacy notice on its properties.
Key terms
- Personal Data — any information that can identify a person, directly or indirectly. Includes IP addresses prior to anonymization, account email, and pseudonymous user identifiers passed via `PennyLens.identify()`.
- Customer Data — all data submitted by the Site Owner or its End Users through the SDK or APIs, including events, recordings, and traits.
- Sensitive Personal Information (CPRA term) — categories the SDK is explicitly designed not to collect by default (see “What we never collect”).
- Subprocessor — a third-party vendor PennyLens engages to help deliver the Service. Listed at /subprocessors.
Data we collect
Account data (we act as Controller)
- Name, email address, password hash, and authentication identifiers.
- Billing data (processed by Stripe — we never store full card numbers).
- Usage telemetry of the dashboard itself: pages visited, features used, errors.
- Support correspondence and any data you choose to send us by email.
Behavioral data (we act as Processor for the Site Owner)
- Page views, click coordinates, scroll depth, mouse movement, and DOM mutations captured via rrweb.
- Custom events the Site Owner chooses to track (e.g. `signup_completed`).
- Form-field interactions with values masked by default.
- Device, browser, operating system, language, and a coarse-grained city/country derived from the IP address before it is discarded.
- User identifiers passed by the Site Owner through `PennyLens.identify()` and any traits attached to them.
What we never collect
- Raw IP addresses — anonymized at ingest by truncating the final octet (IPv4) or the last 80 bits (IPv6) before the event is written to storage.
- Sensitive Personal Information as defined under CPRA — including full payment-card data, social security numbers, precise geolocation under 1 km, biometric identifiers, health information, racial or ethnic origin, religious beliefs, sex life or sexual orientation.
- Form values matched by our redaction rules (passwords, full card numbers, SSNs).
- Contents of any element explicitly marked `data-pl-mask` or `data-pl-ignore` by the Site Owner.
- Audio or video streams of any kind.
Purposes and legal basis
We process personal data only for the following purposes:
| Purpose | Legal basis (GDPR) |
|---|---|
| Service provision — delivering analytics to the Site Owner. | Contract (with Site Owner). Where applicable, legitimate interest of the Site Owner. |
| Account management — authentication, billing, support. | Performance of contract. |
| Service improvement — aggregated, non-identifiable usage analytics. | Legitimate interest. We balance against your rights and document the assessment. |
| Security — fraud, abuse, and intrusion detection. | Legitimate interest and legal obligation. |
| Marketing to existing customers — product news, occasional newsletter. | Consent. Withdraw any time from email footer or account settings. |
| Legal compliance — tax, audit, regulatory cooperation. | Legal obligation. |
We do not sell personal data, share it for cross-context behavioral advertising, or use Customer Data to train third-party AI models.
Storage, retention, and deletion
Where data is stored
All Customer Data is stored on AWS in eu-west-1 (Ireland) by default. Business plan customers can pin data to eu-central-1 (Frankfurt) or us-east-1 (N. Virginia). Behavioral data does not leave the customer’s chosen region.
Account data (controlled by PennyLens) is stored in eu-west-1 regardless of the customer’s choice for Customer Data, because we centralize billing and support in the EU.
Default retention
- Session recordings — 7 days (Free), 30 days (Pro), 90 days (Business). On expiry the recording itself is deleted; aggregate metrics derived from it remain.
- Events and aggregates — 14 months on Free, 24 months on paid plans.
- Account data — kept while the account is active and for 90 days after closure for billing reconciliation, then deleted.
- Marketing and support correspondence — 24 months from last contact.
- Encrypted backups — rolling 90-day window. Deletions executed via user-facing flows are honored on backup expiry — backups are not restored to bypass a deletion.
Right to be forgotten — Article 17 cascade
When a deletion request is received — whether through the dashboard, the API, or by email — PennyLens runs a verified, end-to-end cascade that removes the affected identifier from every system that holds it. Events, recordings, derived aggregates, and any analytics tied to the identifier are scrubbed within 30 days. Encrypted backups roll over within 90 days and the deletion holds.
The cascade is verified by automated checks before the request is marked complete. We retain only a deletion record (timestamp + hash of identifier) for audit purposes for 24 months.
Subprocessors and onward sharing
We engage a small set of vetted vendors to help deliver the Service. Each is bound by a written data-processing agreement, confidentiality terms, and audit obligations. The current list, with locations and processing purposes, is maintained at /subprocessors.
We give 30 days’ written notice before adding or replacing a Subprocessor. Business customers may object in writing within that window and terminate the affected portion of the Service without penalty if we cannot offer a workable alternative.
Aside from Subprocessors, we share personal data only: (i) when legally compelled (with notice to the customer where lawful); (ii) in a corporate-transaction context where the buyer agrees in writing to honor this Policy; or (iii) with the customer’s explicit instruction.
International data transfers
Where personal data is transferred outside the EEA, UK, or Switzerland to a country without an EU Commission / UK adequacy decision, we rely on:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) — Module Two (Controller → Processor) and Module Three (Processor → Sub-Processor), as applicable.
- UK International Data Transfer Addendum to the EU SCCs (issued by the UK ICO under section 119A of the Data Protection Act 2018).
- Swiss Federal Data Protection and Information Commissioner recognition of the EU SCCs with the required Swiss-specific amendments.
Where appropriate we also apply supplementary technical and organizational measures (for example: encryption-at-rest with keys held in the source jurisdiction, pseudonymization before transfer, restricted-access logging) consistent with EDPB Recommendations 01/2020.
A copy of the executed transfer instruments is available on request to legal@pennylens.com.
Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Single sign-on, MFA, and least-privilege access for staff.
- Quarterly access reviews and annual third-party penetration tests.
- Centralized audit logging with a 12-month retention.
- Secure development lifecycle: peer-reviewed code, dependency scanning, SAST.
- Breach notification: we notify affected Site Owners within 72 hours of confirming a personal-data breach affecting their data. Site Owners are responsible for End-User notifications under our Processor role.
Penetration-test summaries and the SOC 2 / ISO 27001 attestation roadmap are available to Business customers on request to security@pennylens.com.
Report a vulnerability to security@pennylens.com. We acknowledge within one business day and aim to triage within five.
Your rights — universal
Subject to applicable law, individuals can request the following with respect to their personal data:
- Access — a copy of personal data we hold about you.
- Correction — fix inaccurate or incomplete data.
- Deletion — request erasure.
- Portability — receive your data in a structured, machine-readable format.
- Restriction — limit our processing in defined circumstances.
- Objection — to processing based on legitimate interest or direct marketing.
- Withdrawal of consent — where consent is the legal basis.
- Lodge a complaint with a supervisory authority (see EEA/UK section below).
We respond within 30 days. We may extend by a further 60 days for complex requests and will tell you in writing if we do.
- Account holders — manage in dashboard settings or email privacy@pennylens.com.
- End Users of customer sites — contact the Site Owner directly. We will assist them in fulfilling your request.
California residents (CCPA / CPRA)
This section provides the disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”) for California consumers.
Categories of personal information collected (last 12 months)
| Category (Cal. Civ. Code § 1798.140) | Collected |
|---|---|
| A. Identifiers (name, email, IP before anonymization, user identifier) | Yes |
| B. Customer records (account, billing — payment data is processed by Stripe) | Yes |
| C. Protected classifications | No |
| D. Commercial information (subscription plan) | Yes |
| E. Biometric information | No |
| F. Internet/network activity (page views, clicks, scroll, DOM events) | Yes (as Processor for Site Owner) |
| G. Geolocation — precise (under 1km) | No |
| G. Geolocation — coarse (city/country from IP) | Yes |
| H. Audio/visual | No |
| I. Professional or employment-related | No |
| J. Education | No |
| K. Inferences (engagement summaries from behavioral data) | Yes (as Processor) |
| L. Sensitive Personal Information | No (explicitly excluded) |
Sources, purposes, and disclosures
- Sources: directly from the consumer (account signup), from automated collection via the SDK (when an End User visits a Site Owner’s property), and from service providers (Stripe for billing status).
- Purposes: as listed in “Purposes and legal basis” above.
- Disclosed to: Subprocessors listed at /subprocessors (each a “service provider” under CCPA).
We do not sell or share
We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined under CCPA. No financial or other valuable consideration is exchanged for personal information.
Your California rights
- Know — what we collect, use, disclose.
- Delete — request deletion of personal information.
- Correct — request correction of inaccurate personal information.
- Opt out of sale / sharing — not applicable (we don’t).
- Limit use of Sensitive Personal Information — not applicable (we don’t collect it).
- Non-discrimination — we will not discriminate against you for exercising rights.
To exercise your rights email privacy@pennylens.com with the subject “California consumer request”. You may use an authorized agent; we will verify authorization before responding. Verification: we use the email address on file and may request additional confirmation for sensitive requests.
EEA, UK, and Swiss residents
Lead supervisory authority
Our lead supervisory authority under the GDPR one-stop-shop is the Data Protection Commission of Ireland (DPC), reachable at dataprotection.ie. UK residents may contact the Information Commissioner’s Office (ico.org.uk). Swiss residents may contact the FDPIC (edoeb.admin.ch).
EU representative (GDPR Article 27)
PennyLens, Inc. is established in the United States. Our appointed EU representative under Article 27 GDPR is contactable at eu-rep@pennylens.com (we will update this with the named representative firm and address on our public-launch effective date).
UK representative (UK GDPR Article 27)
Our appointed UK representative is contactable at uk-rep@pennylens.com (to be updated with the named representative).
Data Protection Officer
PennyLens has appointed a Data Protection Officer reachable at dpo@pennylens.com. The DPO oversees this Policy, our records of processing, and our handling of data-subject requests.
Automated decision-making and profiling
PennyLens uses machine learning to generate insight recommendations from aggregated, pseudonymized behavioral data. These recommendations are advisory only: they have no direct legal or similarly significant effect on End Users. Site Owners retain full human decision-making over whether to act on a recommendation.
We do not use automated decision-making to profile End Users for cross-context behavioral advertising, credit scoring, employment decisions, or insurance decisions. We do not carry out profiling that produces legal effects within the meaning of GDPR Article 22(1).
If you believe an automated insight has been applied to you in a way that produces a significant effect, contact privacy@pennylens.com and we will investigate and engage human review.
Children
The PennyLens dashboard is not directed at children. We do not knowingly collect personal data from any individual whose age falls below the digital-consent threshold in their jurisdiction. The relevant thresholds vary:
- EU member states — 13 to 16 depending on national derogation (e.g. Germany 16, Ireland 16, France 15, Sweden 13).
- UK — 13 (UK GDPR Article 8 with section 9 DPA 2018 derogation).
- United States — 13 under the Children’s Online Privacy Protection Act (COPPA).
Site Owners deploying PennyLens on properties directed at children must ensure their use of the Service complies with COPPA, the UK Age Appropriate Design Code, and any equivalent national requirements. The Site Owner remains the Controller for End-User personal data captured on their property and is responsible for obtaining any required parental consent. We can support compliance with reasonable instructions but we do not provide age verification.
Data Processing Agreement
Where PennyLens acts as Processor for the Site Owner, the relationship is governed by our Data Processing Agreement (“DPA”):
- Free and Pro plans — incorporated by reference into the Terms of Service. The current version is available at /legal/dpa.pdf (last updated with the effective date of this Policy).
- Business plan — receive a customizable DPA executed prior to go-live, including any required Standard Contractual Clauses, UK IDTA addendum, and bespoke audit terms.
Request a Business DPA at legal@pennylens.com. Our standard DPA includes GDPR Article 28 obligations, sub-processor flow-down, breach notification, audit rights, and the international transfer instruments above.
Data Protection Impact Assessment
Session replay and behavioral inference involve systematic monitoring within the meaning of GDPR Article 35(3)(c). PennyLens has conducted a DPIA covering the Service. A redacted summary is available to Business customers on request to legal@pennylens.com.
Site Owners deploying the Service across high-risk processing should conduct their own DPIA reflecting the specific scale and population of their property. We will share relevant technical documentation to support that exercise.
Changes to this policy
We will email account holders at least 14 days before any material change. Material changes include new categories of data collected, new Subprocessors with cross-border transfer implications, or substantive changes to your rights. Non-material changes (typos, formatting, address updates) may be made without notice.
The previous version remains accessible at /privacy/<date> for one year so you can review what changed.
Contact
PennyLens, Inc. · 522 W Riverside Ave, Ste N, Spokane, WA 99201, USA. Privacy and data-subject-rights contacts:
- Privacy and DSR — privacy@pennylens.com
- Data Protection Officer — dpo@pennylens.com
- EU representative — eu-rep@pennylens.com
- UK representative — uk-rep@pennylens.com
- Security — security@pennylens.com
- Legal and DPA — legal@pennylens.com
EU/UK/Swiss individuals may also lodge a complaint with their local supervisory authority. We will cooperate fully with any such authority.