Subprocessors

Last updated: 28 May 2026 — Version 1.3

Under GDPR Art. 28(2), we must inform you of any subprocessors we engage to process personal data on your behalf. This page is the authoritative, always-current list. We will notify you by email at least 30 days before adding any new subprocessor that processes your personal data, giving you time to object.

PennaSystems (CVR 46426061, operated by Johanna Aliséa Valérianne Rævdal Walther) engages the following third-party companies to deliver the service. Each subprocessor is bound by a Data Processing Agreement (DPA) and must process data only for the specified purpose, under documented instructions, with appropriate security measures in place.

Transfer to non-EEA countries relies on one of these legal mechanisms: the EU–US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs), or EU data residency, where the vendor processes the data only within the EU. The mechanism that applies to each vendor is given as its transfer basis in the list below.

Current subprocessors

Processor: Stripe, Inc.
Country: USA
Purpose: Payment processing and subscription management for PennaSystems subscriptions.
Data processed: Billing name, email, payment method metadata, subscription history. Card numbers are tokenised by Stripe and never transmitted to PennaSystems.
Transfer basis: EU–US DPF
Privacy policy: stripe.com/privacy

Processor: Resend, Inc.
Country: USA
Purpose: Transactional email delivery (account verification, password reset, invoice notifications, system alerts).
Data processed: Recipient email address, email subject and body (security-alert emails contain the IP address of the triggering login), and delivery timestamps. No marketing profiling.
Transfer basis: SCCs
Privacy policy: resend.com/legal/privacy-policy

Processor: Railway Corp.
Country: USA
Purpose: Cloud application hosting and managed PostgreSQL database.
Data processed: All platform data stored in the database: user accounts, invoices, contacts, messages, file references, billing records. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Transfer basis: SCCs
Privacy policy: railway.app/legal/privacy

Processor: Cloudflare, Inc.
Country: USA (R2 object storage pinned to EU jurisdiction)
Purpose: Content delivery network (CDN), DDoS protection, and R2 object storage for user-uploaded files.
Data processed: Static assets, user-uploaded files (invoices, profile images, deliverable files, receipt images), anonymised web analytics via Cloudflare Web Analytics (no cookies, no cross-site tracking). IP addresses are processed transiently for routing and security. R2 object storage is pinned to Cloudflare's EU jurisdiction (EEUR location), so uploaded files are stored on EU infrastructure. Cloudflare, Inc. is a US company, so SCCs still apply to the corporate relationship.
Transfer basis: SCCs
Privacy policy: cloudflare.com/privacypolicy

Processor: Anthropic, PBC
Country: USA
Purpose: AI-assisted features: invoice line-item suggestions, email drafting, proposal generation, invoice field suggestions, and similar in-product AI tools. Only invoked when you actively use an AI feature.
Data processed: Invoice content, message drafts, and field values submitted via AI features at the time of use. Anthropic does not use this data to train models under their Commercial API Terms. Inputs and outputs are retained by Anthropic for up to 30 days for abuse monitoring and safety classification, then automatically deleted. Anthropic may retain User Safety classifier results beyond that window solely to enforce their Usage Policy.
Transfer basis: SCCs
Privacy policy: anthropic.com/privacy

Processor: Functional Software, Inc. (Sentry)
Country: USA
Purpose: Application error tracking and performance monitoring.
Data processed: Sanitised stack traces, request paths (URL path only, no query-string values), error messages, and browser/OS information when an application error occurs. PII scrubbing is configured at the source to exclude email addresses, IP addresses, authentication tokens, names, and payment data from all error payloads.
Transfer basis: SCCs
Privacy policy: sentry.io/privacy

Processor: Expo Technology, Inc.
Country: USA
Purpose: Push notification delivery for the PennaSystems mobile app.
Data processed: Device push token and notification payload (event type and brief description). No message content is stored by Expo beyond the delivery attempt. Only users with the mobile app installed and push notifications enabled are affected.
Transfer basis: SCCs
Privacy policy: expo.dev/privacy

Processor: PostHog, Inc.
Country: EU Cloud (Frankfurt, DE)
Purpose: Product and web analytics across marketing pages and the authenticated app (pennapay.com, pennasystems.com, app.pennasystems.com).
Data processed: Page views, feature usage events, session IDs. A random visitor ID is stored in localStorage for session continuity (no cookies set). For logged-in users the PennaSystems user ID is linked to events. No advertising profiles. Person profiles are created for authenticated users only.
Transfer basis: EU Cloud; data stays in the EU (AWS eu-central-1, Frankfurt)
Privacy policy: posthog.com/privacy

Processor: Ghost Foundation (Ghost Pro)
Country: USA
Purpose: Newsletter platform for founder content and product update communications. Stores subscriber data for users who opt in to PennaSystems newsletters. Active from Month 2 of operations.
Data processed: Subscriber email address, name (if provided at opt-in), subscription status, and email engagement events (opens, clicks). Only affects users who voluntarily subscribe to PennaSystems newsletters, not all platform users.
Transfer basis: SCCs
Privacy policy: ghost.org/privacy

Processor: Mailgun Technologies, Inc. (via Ghost Pro)
Country: USA
Purpose: Email delivery infrastructure used by Ghost Pro to send newsletter issues to subscribers. Mailgun is Ghost Pro's transactional email subprocessor and is not contracted directly by PennaSystems.
Data processed: Recipient email address, email subject and body (newsletter content), and delivery timestamps. Processed by Mailgun on behalf of Ghost Pro under Ghost's sub-processing chain. Only affects newsletter subscribers.
Transfer basis: SCCs
Privacy policy: mailgun.com/legal/privacy-policy

Subprocessors that process your clients' data

When you use PennaSystems to send invoices, messages, or files to your clients, you are the data controller for your clients' personal data and PennaSystems is your data processor under GDPR Art. 28. The same subprocessors listed above also process your clients' data (e.g. Railway stores client contact details; Resend delivers invoice emails to client addresses) on a processor-of-processor basis. Our DPA with each subprocessor covers this sub-processing chain.

You remain responsible for ensuring you have a lawful basis to process your clients' data and to use a service like PennaSystems on their behalf.

Former subprocessors

No subprocessors have been removed to date. This table will be updated when vendors are replaced or removed, including the date of termination.

Notification of changes

We will notify registered users by email at least 30 days before adding any new subprocessor that will process personal data. The notification will identify the new vendor, the categories of data they will process, and the legal transfer mechanism that applies (DPF, SCCs, or EU residency). If you object to the new subprocessor, you may terminate your account before the change takes effect and receive a pro-rata refund for any prepaid, unused portion of an annual plan.

Material changes to this Subprocessors page itself (for example, removal of a vendor, or a change in transfer mechanism for an existing vendor) will be reflected here within 30 days and noted in the version date at the top of this page. We monitor for changes in adequacy decisions (such as the EU–US Data Privacy Framework) and will update this disclosure if a vendor's transfer mechanism changes.

Questions

For questions about a specific subprocessor, to request a copy of the relevant DPA / SCC, or to exercise any of your GDPR rights, contact privacy@pennapay.com. We respond to ordinary enquiries within 5 business days and to GDPR data subject requests within 30 days as required by GDPR Art. 12(3).