Privacy Policy

Last updated: 29 March 2026

This policy covers PennaPay, operated by PennaSystems. PennaPay is a UK-based invoicing platform for freelancers and small businesses.

1. Who we are

PennaPay is operated by PennaSystems ("we", "us", "our"). Our service is available at pennapay.com. If you have questions about this policy, contact us at [email protected].

2. What information we collect

Account information: When you register for a Pro account, we collect your name, email address, and a hashed password. We do not store your payment card details — these are handled directly by Stripe.

Invoice and business data: We store the invoice data you create — including client names, addresses, line items, amounts, and any notes you add. This data belongs to you and is required to provide the service.

Client data you enter: If you save client profiles, we store their names, email addresses, and billing addresses on your behalf. You are responsible for ensuring you have a lawful basis for processing this data under UK GDPR.

Files you upload (PennaShare): Files you upload are stored securely on Cloudflare R2 (cloud object storage). They are associated with your account and accessible via a unique share link you control.

Usage and technical data: We may collect standard server logs including IP addresses, browser type, and pages visited for security and diagnostic purposes. We do not use third-party analytics tracking scripts.

Payment processing: Subscription billing is handled by Stripe. When clients pay your invoices online, payments are also processed by Stripe. We receive confirmation of payment status but do not see or store full card numbers.

3. How we use your information

To provide and operate the PennaPay service (creating, storing, and sending invoices)
To process subscription billing via Stripe
To send transactional emails (invoice delivery, payment confirmations, overdue reminders) via Resend
To respond to support requests
To detect and prevent fraud or abuse
To improve the service (using aggregated, non-personal usage patterns)

We do not sell your data to third parties. We do not use your invoice data or client data for advertising purposes.

4. Legal basis for processing (UK GDPR)

We process your personal data under the following legal bases:

Contract performance: Processing necessary to provide the service you've signed up for (account management, invoice storage, billing)
Legitimate interests: Security monitoring, fraud prevention, and service improvement
Legal obligation: Retaining billing records as required by UK tax law
Consent: Marketing communications, where you have opted in

5. Data sharing and third parties

We share data only with the sub-processors required to deliver the service:

Stripe (stripe.com) — payment processing for Pro subscriptions and client invoice payments
Resend (resend.com) — transactional email delivery (invoice emails, payment notifications)
Cloudflare R2 (cloudflare.com) — file storage for PennaShare uploads
Railway (railway.app) — application hosting and PostgreSQL database hosting

All sub-processors are contractually bound to handle your data securely and in compliance with applicable data protection law.

6. Data retention

We retain your account data and invoice history for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g. billing records, which we retain for 7 years under UK tax regulations).

Files uploaded via PennaShare are retained until you delete them from your account.

7. Your rights (UK GDPR)

As a UK resident, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — request correction of inaccurate data
Erasure — request deletion of your personal data (subject to legal retention requirements)
Portability — request your data in a machine-readable format
Restriction — request that we restrict processing in certain circumstances
Objection — object to processing based on legitimate interests
Withdraw consent — for any processing based on consent

To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

PennaPay uses only essential cookies required for authentication (a secure HTTP-only session cookie to keep you logged in). We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

9. Security

We implement industry-standard security measures including HTTPS encryption in transit, hashed passwords (bcrypt), HTTP-only session cookies, and access controls. However, no system is completely secure — if you discover a security vulnerability, please disclose it responsibly to [email protected].

10. International transfers

Some of our sub-processors (Stripe, Cloudflare, Railway) operate infrastructure in the United States. These transfers are covered by appropriate safeguards (Standard Contractual Clauses or equivalent). Data stored in Railway's EU region remains within the EEA.

11. Children

PennaPay is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe a child has created an account, please contact us at [email protected].

12. Changes to this policy

We may update this policy from time to time. We'll notify registered users of material changes by email. The current version is always available at pennapay.com/privacy.html with its last-updated date.

13. Contact

For any privacy-related questions or requests: [email protected]