Privacy Policy

Last updated: April 26, 2026

Introduction

Penomic ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered consulting workflow platform.

We designed Penomic with privacy as a core principle. Your conversations and uploaded documents are processed on isolated AI infrastructure under contractual no-train terms — they are never used to train any AI model.

Information We Collect

Account Information

  • Name and email address when you create an account
  • Company information for team and enterprise accounts
  • Payment information (collected and processed by Stripe — we never store full card numbers)
  • Authentication identifiers when you sign in via Google or LinkedIn (we receive only the fields you authorize on the consent screen)

Conversation & Document Data

  • Messages you send to the platform and the responses generated for you
  • Documents and files you upload for research, analysis, or deliverable generation
  • Generated outputs (presentations, models, research summaries) saved to your account
  • Editing history and template preferences

Usage Data

  • Log data including IP address, browser type, and access times
  • Feature usage, credit consumption, and interaction patterns
  • Device information and operating system

How We Use Your Information

  • To provide and maintain the platform and the services you request
  • To process your conversations and generate the deliverables you ask for
  • To meter credit usage, bill subscriptions, and prevent abuse
  • To improve our product (in aggregate, never by training models on your content)
  • To communicate with you about your account, security, and product updates
  • To comply with legal obligations and enforce our Terms of Service

AI & Model Providers

Important: Your conversations, uploaded documents, and generated outputs are NOT used to train AI models — not by us, not by any third-party model provider we route to.

We route inference requests to a small set of enterprise-grade AI providers under contracts that prohibit training on customer content and impose short data-retention windows on prompt and response data held provider-side.

We do not sell your data to advertisers or data brokers, and we do not use your conversations for advertising.

Data Retention & Deletion

Conversations & Generated Content: Your conversations and generated deliverables are retained in your account until you delete them or close your account. You can delete individual conversations and outputs at any time from the in-app interface.

Uploaded Documents: Documents you upload for processing are stored in your account workspace and remain available to you until you remove them. Temporary processing artifacts (for example, intermediate retrieval indexes) are purged within 30 days of last use.

Account Closure: When you close your account, your conversations, uploaded documents, and generated outputs are deleted from active systems within 30 days. We retain transactional, billing, and security log records for the period required by law and our legitimate business interests.

Backups: Data may persist in encrypted backups for up to 90 days after deletion, after which it is purged.

Data Security

We implement security measures to protect your data:

  • Encryption for data at rest and in transit (TLS 1.2+)
  • Secure cloud infrastructure with managed key storage
  • Role-based access controls and authentication requirements for our staff
  • Regular security testing and dependency monitoring
  • User-controlled deletion of conversations, documents, and account data

Cookies & Similar Technologies

We use cookies and similar technologies to keep you signed in, remember your preferences, secure your session, and understand how the product is used. We use a small set of categories:

  • Essential: Session, authentication, and CSRF protection. Required for the product to function.
  • Functional: Remembering UI preferences (theme, sidebar state).
  • Analytics: Aggregated, privacy-focused product analytics. No third-party advertising cookies.

You can control cookies through your browser settings. Disabling essential cookies will prevent you from signing in.

Third-Party Services

We work with carefully selected third-party service providers:

  • Cloud infrastructure and hosting providers
  • Payment processing (Stripe)
  • Email delivery for transactional account messages
  • AI model providers under contractual no-train terms (see "AI & Model Providers" above)
  • Privacy-respecting product analytics
  • Customer support tooling

Your Rights

Depending on your location, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate personal information
  • Delete your personal information
  • Export your data in a portable format
  • Object to or restrict certain processing
  • Withdraw consent where applicable

To exercise any of these rights, email contact@penomic.ai with the subject line "Privacy Rights Request." We respond within the time required by your local law (typically 30 days).

California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • The right to know what personal information we collect, use, disclose, and retain
  • The right to delete personal information we collect from you
  • The right to correct inaccurate personal information
  • The right to opt out of the sale or sharing of personal information
  • The right to limit use of sensitive personal information
  • The right not to be discriminated against for exercising these rights

We do not sell or share personal information for cross-context behavioral advertising. To exercise CCPA rights, email contact@penomic.ai with the subject line "California Privacy Request."

European Economic Area / United Kingdom

For users in the EEA and UK, our legal bases for processing include:

  • Contract performance (providing our services)
  • Legitimate interests (improving our platform, preventing abuse, and securing the service)
  • Legal compliance (meeting regulatory and tax requirements)
  • Consent (where explicitly provided)

International data transfers are protected by appropriate safeguards including Standard Contractual Clauses where required. For data protection inquiries, email contact@penomic.ai.

Children's Privacy

Penomic is not intended for children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, email contact@penomic.ai and we will delete it.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-product notice before they take effect. The "Last updated" date at the top of this page reflects the current version.