Privacy Policy
Effective date: 18 May 2026 — Version 1.4 (updated 5 June 2026)
This policy applies to PennaSystems and all products under the platform (PennaPay, PennaSchedule, PennaConnect, PennaShare, PennaWelcome, PennaProfit, PennaVentory, PennaFolio, PennaClock). It explains what data we collect, why we collect it, and your rights under the GDPR. The full scope is set out in §2 below.
Short version: We collect what's needed to run PennaSystems (your account info, your invoices, your client data on your behalf). We don't sell data. We don't profile you for advertising. You can export or delete your data anytime. We're a Danish sole trader operating under EU GDPR — this policy is short, specific and binding.
1. Who we are, how to contact us and DPO
PennaSystems is operated by a sole trader (Personligt ejet Mindre Virksomhed / PMV) based in Denmark, registered with Erhvervsstyrelsen under CVR number 46522036. References to "we", "us", or "PennaSystems" in this policy refer to that registered sole trader, whose statutory operator details (including the operator’s name) are set out in our Impressum.
We are the data controller for personal data we collect about you directly: your account data, your usage of the platform, your interactions with our marketing site and emails, and the data necessary for billing, account administration and security and audit logging. Where you use the platform to send invoices, messages, files or bookings to your own clients, you are the data controller for your clients' personal data and we are your data processor under GDPR Art. 28. The Data Processing Agreement governing that relationship is incorporated into our Terms of Service and the data flows are described in §3 below.
Contact:
PennaSystems (CVR 46522036)
privacy@pennapay.com
We respond to ordinary enquiries within 5 business days and to GDPR data subject requests without undue delay and in any event within one month, as required by GDPR Art. 12(3) (see §8 for the extension that may apply to complex requests).
Data Protection Officer: PennaSystems has not appointed a Data Protection Officer. Under GDPR Art. 37(1), a DPO is mandatory where processing is carried out by a public authority or body (Art. 37(1)(a)), where an organisation's core activities consist of regular and systematic monitoring of data subjects on a large scale (Art. 37(1)(b)), or where its core activities consist of large-scale processing of special-category data or data relating to criminal convictions (Art. 37(1)(c)). We are not a public authority and, as a micro-enterprise (PMV), we do not process personal data, special-category or otherwise, on a large scale, so none of the Art. 37(1) thresholds is met. All privacy enquiries are handled directly by the operator at privacy@pennapay.com. We will reassess this position as the platform grows.
2. Scope of this policy
This Privacy Policy covers personal data we process across:
- the public marketing website at pennapay.com — including the free invoice maker, FAQ, pricing pages, template pages and any "notify me when X launches" forms;
- the parent-brand site at pennasystems.com;
- the authenticated application at app.pennasystems.com and all included modules (PennaPay, PennaSchedule, PennaConnect, PennaShare, PennaWelcome, PennaProfit, PennaVentory, PennaFolio, PennaClock);
- the PennaSystems mobile application;
- transactional emails we send to you and to your clients on your behalf — account, invoice, booking, message, contract, welcome-package and platform notifications;
- the cookie banner and cookie-consent records on the sites listed above.
This Privacy Policy does not cover:
- websites and services operated by your clients or by other third parties that link to or from PennaSystems pages;
- payment-page surfaces operated by Stripe — Stripe's own privacy policy applies once you are on Stripe Checkout;
- third-party authenticator apps you use for two-factor authentication, or password managers you use to store PennaSystems credentials.
For the specific cookies and similar technologies set in your browser, see §9 below and our separate Cookie Policy.
3. Personal data we collect and why
Account data (you, the freelancer who signs up):
- Name, email address, password hash — to create and secure your account.
- CVR number (Danish Central Business Register) or equivalent EU VAT identification number — to enforce our business-to-business signup gate (see Terms of Service §9) and to populate invoices you send to your clients with the correct tax information. We validate Danish CVR numbers against the public CVR API (cvrapi.dk) and EU VAT numbers against VIES at signup.
- Business name, logo, billing address, business email, phone, tax/VAT numbers, OSS registration details — to populate invoices you send to your clients.
- Payment method — handled entirely by Stripe. We never see or store your card number.
- Two-factor authentication credentials: a TOTP secret if you enable an authenticator app and the public key plus credential metadata for any passkey/WebAuthn device you register. Private keys never leave your device.
- Last-login IP address — captured to send you a security alert when a login from a new IP address is detected. Your account record holds only the most recent login IP, not a login history; IP addresses in server logs are covered under usage data below and retained as described in §7.
- Mobile push token — only if you install the PennaSystems mobile app and enable push notifications.
In GDPR terms, this group comprises: identity data (name), contact data (email, address, phone), business identifiers (CVR/VAT, business name, logo), authentication data (password hash, 2FA secrets, passkey credentials, session tokens) and technical data (last-login IP, push token).
Client data (data about your clients and other end-recipients, entered by you or submitted to you through the platform):
- Client name, email, address, phone, VAT number — to create invoices, quotes and messages.
- EU VAT-number validation at invoice time: when you issue a zero-rated reverse-charge invoice to a business in another EU country, your client's (the buyer's) VAT number is transmitted to the European Commission's VIES service (VAT Information Exchange System) so we can confirm it is registered for cross-border trade. The VIES consultation reference and result returned by the Commission are then stored on the invoice as a contemporaneous good-faith audit trail and retained for 5 years under the Danish Bookkeeping Act (Bogføringsloven § 10). This is a distinct processing operation from the one-time validation of your own business's VAT number at signup, described in the account-data section above; the recipient (the EU Commission) is a public authority operating a statutory verification registry, not a commercial subprocessor.
- Invoices, line-item descriptions, payment status and the immutable "client snapshot" captured at invoice-send time — to provide invoicing and bookkeeping continuity.
- PennaSchedule booking data: client name, email, phone, the date/time of the booking and the answers to any custom intake fields you have defined. Important: if you define custom fields that ask about health, religion, sexual orientation, or other categories listed in GDPR Art. 9, the answers are special-category personal data and you must have an Art. 9 lawful basis (typically explicit consent) before collecting them. The platform does not gate Art. 9 collection technically — that judgement is yours as the controller.
- PennaConnect conversation data: message bodies and attachments exchanged between you and your clients through the platform.
- PennaShare deliverable files: files you upload to share with clients. Download links are time-limited (see Terms of Service §7).
- PennaWelcome client-onboarding data: project briefs, the questions you ask clients during onboarding and the answers clients submit, agreement-acceptance flags and timestamps.
- PennaProfit expense records: vendor name, amount, currency, description and any receipt image you upload. Receipt images may be processed by our AI subprocessor (Anthropic) for optical-character recognition only when you actively use the OCR feature — see §5.
- Contract e-signature evidence: the signatory's name, email, IP address and timestamp captured at the moment of signing — for non-repudiation.
- Audit log entries: the IP address captured when a client views a public invoice portal, downloads a deliverable file, or signs a contract — to give you an audit trail of client interactions with the platform.
- You are the data controller for your clients' personal data. We process it as your data processor, on your documented instructions, in accordance with GDPR Article 28. The Data Processing Agreement between us is incorporated into the Terms of Service.
In GDPR terms, the data we process about your clients comprises: identity data (name), contact data (email, address, phone), transactional data (invoices, payment status), content data (messages, files, brief answers), evidence data (IP addresses captured for e-signature and portal-access audit trails) and — only if you choose to collect them via custom booking fields — special-category data under GDPR Art. 9.
Usage data (automatically collected when you use the service):
- Log data: IP address, browser type, pages visited, timestamps — for security monitoring and debugging.
- Session tokens — to keep you logged in.
- Security alert emails: when a login from an unrecognised IP address is detected, that IP address is included in the notification email sent to you via Resend (see §5).
- AI-feature audit records: which AI feature was invoked, when, token count, cost and the input/output payload — for cost monitoring and abuse prevention. Retention is disclosed in §7.
- Income records derived from Stripe webhooks when your clients pay you: the gross amount, currency, exchange rate to DKK at receipt time, customer country and the underlying Stripe payment-intent ID — for your profit-and-loss reporting and Danish tax compliance.
In GDPR terms, this group comprises: technical data (IP, browser, timestamps, session tokens) and audit data (AI-invocation records, income records).
Marketing list (only if you opt in):
- If you submit a "notify me when X launches" form on pennapay.com, we store the email address you provided plus the IP address and browser user-agent captured at submission for abuse prevention. Retention is disclosed in §7. We do not buy, sell, or rent marketing lists.
4. Why we process your data (legal basis under GDPR Article 6)
- Contract performance (Art. 6(1)(b)): We process your account data, and your clients' data on your documented instructions (you as controller, we as processor), to deliver the PennaSystems service you signed up for: invoicing, scheduling, messaging, file delivery, contract signing and the related platform operations.
- Legal obligation (Art. 6(1)(c)): We retain certain financial records (subscription invoices we issue to you, income records derived from your Stripe payments) for 5 years as required by the Danish Bookkeeping Act (Bogføringsloven § 10) and we apply equivalent retention to records required under EU VAT Directive 2006/112/EC where applicable.
- Legitimate interests (Art. 6(1)(f)): We process log data, security audit data, AI-invocation audit data and abuse-prevention metadata (e.g. notify-signup IP/user-agent) to protect the platform, our users and our subprocessors from abuse, fraud and misuse. We have carried out the balancing test required by Art. 6(1)(f) and concluded that these interests are not overridden by your rights and reasonable expectations; you can object to this processing under Art. 21 (see §8).
- Consent (Art. 6(1)(a)): We use consent for non-essential cookies and analytics identifiers (loaded only after you accept analytics through the cookie banner — see §9), for any optional marketing communications you opt into and for any per-feature AI consent toggles you can set per client.
5. Who we share your data with (subprocessors)
We do not sell your data. We share it only with the following subprocessors, each bound by a Data Processing Agreement that limits processing to the purposes specified below; for transfers outside the EEA we rely on the EU Standard Contractual Clauses or, where the vendor is certified, the EU–US Data Privacy Framework (see §6). For full details — exact data categories, retention behaviour, transfer mechanism and link to each vendor's privacy policy — see our Subprocessors page, which is the authoritative always-current list.
- Stripe, Inc. (USA) — payment processing and subscription billing. EU–US Data Privacy Framework.
- Resend, Inc. (USA) — transactional email delivery. Standard Contractual Clauses.
- Railway Corp. (USA) — cloud application hosting and managed PostgreSQL database. Standard Contractual Clauses.
- Cloudflare, Inc. (USA) — CDN, DDoS protection and R2 object storage for user-uploaded files. Standard Contractual Clauses.
- Anthropic, PBC (USA) — AI-assisted features (only when you actively use them). Standard Contractual Clauses. See subsection 5.1 below.
- Functional Software, Inc. / Sentry (USA) — application error tracking. Standard Contractual Clauses. PII is scrubbed from error payloads before transmission.
- Expo Technology, Inc. (USA) — mobile push notification delivery. Standard Contractual Clauses.
- PostHog, Inc. (EU Cloud — Frankfurt, DE) — product and web analytics. Data stored in EU (AWS eu-central-1); no transfer outside the EEA.
- Ghost Foundation (Ghost Pro, USA) and Mailgun (USA, via Ghost) — newsletter platform and its email-delivery subprocessor, used only for users who opt in to PennaSystems newsletters. Standard Contractual Clauses.
We will notify you by email at least 30 days before adding any new subprocessor that will process your personal data, giving you the opportunity to object and terminate your account before the change takes effect.
Optional integrations. If you connect a third-party account (for example, a Meta / Facebook Messenger or Instagram account) to PennaConnect, we process the resulting messages solely on your behalf, as your processor, to operate the integration you enabled — subject to that third party's own privacy terms, under which the third party acts as an independent (or joint, with you) controller rather than as a PennaSystems subprocessor. These integrations are off by default and listed, with their controller relationships and transfer basis, on our Subprocessors page.
5.1 AI-assisted features (Anthropic)
PennaSystems includes optional AI-assisted features that help you draft invoice line items, compose emails, generate proposals, polish client briefs, build portfolio styles and run OCR on receipt images. These features use the Anthropic Claude API.
- When AI processing occurs: only when you explicitly activate an AI feature (clicking "Draft email with AI", "Suggest invoice items", "Scan receipt", etc.). AI features do not process your data in the background.
- What is sent to Anthropic: the specific content you submit at the time of use — a partial invoice, an email draft, a brief, a receipt image. Account credentials, full client lists and unrelated data are not sent.
- Receipt OCR (PennaProfit): when you choose to scan a receipt, the raw receipt image is sent to Anthropic for optical-character recognition. Receipts may contain vendor names, tax IDs and last-four card digits. We treat OCR as opt-in per receipt; you can disable AI features entirely in your account settings to switch this off.
- Special-category data: The AI-assisted and OCR features are not intended for special-category data (e.g. health or medical information). Do not submit receipts, messages, or other content containing such data for AI processing.
- Per-client AI consent toggles: for AI features that operate on a specific client's data (e.g. composing an email to a named client), you can set a per-client setting that disables AI processing for that client. By default, AI features are enabled for your own data and disabled for each client until you explicitly enable them.
- Anthropic's data handling: under Anthropic's Commercial API Terms, your data is not used to train models. Inputs and outputs are retained by Anthropic for up to 30 days for abuse monitoring and safety classification, then deleted. Anthropic may retain User-Safety classifier results beyond that window solely to enforce their Usage Policy. See our Subprocessors page for the legal transfer basis.
- Automated decision-making: AI features produce suggestions, not decisions. You always review and edit the output before it is sent or saved. AI features do not constitute solely-automated decision-making under GDPR Article 22.
- Opting out: you can disable AI features in your account settings. Disabling does not affect any other feature of PennaSystems.
6. International data transfers
Most of our subprocessors are based in the United States. Personal data is transferred under one of the following GDPR-recognised mechanisms:
- EU–US Data Privacy Framework (DPF): Stripe is DPF-certified.
- Standard Contractual Clauses (SCCs): Resend, Railway, Cloudflare, Anthropic, Sentry, Expo, Ghost (and via Ghost, Mailgun). We have signed SCCs with each.
- No transfer: PostHog operates from EU servers (Frankfurt, AWS eu-central-1); no transfer outside the EEA occurs.
Cloudflare R2 storage region: deliverable files (PennaShare) and receipt images (PennaProfit) stored in our Cloudflare R2 bucket are subject to Cloudflare's data-locality controls. We are in the process of pinning the bucket to a European jurisdiction; until that pinning is confirmed in writing by Cloudflare, treat the storage location as the United States under the SCCs cited above. We will update this disclosure as soon as the EU pin is confirmed.
We document Transfer Impact Assessments (TIAs) for each US-based transfer to evaluate whether, in light of the receiving country's legal regime, the transfer mechanism relied on provides protection essentially equivalent to that guaranteed in the EEA.
We monitor for changes in adequacy decisions and transfer mechanisms (for example, if a subprocessor obtains DPF certification, loses it, or the framework is invalidated by the CJEU) and will update this disclosure within a reasonable period of any material change. Registered users will be notified by email if a change materially affects how their data is transferred.
If you have specific concerns about a particular transfer or want to receive a copy of the relevant SCCs, contact us at privacy@pennapay.com.
7. Data retention
- Account data: retained while your account is active. When you request deletion we soft-delete your account immediately, so you can no longer log in or use the service, and hold the underlying user record in a restorable state for 30 days. After that 30-day grace period your account is permanently erased: the data you created on the platform (your invoices, contacts, messages, conversations, uploaded files and similar records) is deleted, and the user record is reduced to an anonymous tombstone in which your email address, password hash, security credentials, last-login IP address, push token and similar identifiers are nulled. What remains is an internal anonymous identifier, the account-creation timestamp, the deletion timestamp and the timestamp of your acceptance of our Terms, retained for audit and legal-defence purposes. This final erasure runs automatically once the grace period has passed and cannot be reversed. The only records excluded from erasure are those we are legally required to keep, notably our own subscription-billing records, which are retained for 5 years under the Danish Bookkeeping Act (Bogføringsloven § 10); GDPR Art. 17(3)(b) permits this retention. You can request a manual purge before the 30-day grace period elapses by emailing privacy@pennapay.com; we will action such requests within 30 days of receipt.
- Inactive accounts: if your account remains inactive for an extended period, we may close it. Closure follows the same soft-delete process described above — your login credentials and personal identifiers are removed — while any records we are legally required to keep (e.g. bookkeeping records under Danish Bogføringsloven § 10) are retained for their full mandated period and never deleted early.
- Invoices and bookkeeping records you create for your clients: deleted within 30 days of your account deletion request, in line with our role as data processor (GDPR Art. 28). As the data controller for these records, you are responsible for retaining them in your own bookkeeping system for the 5-year period required by Danish Bogføringsloven § 10. Use the data export tool in Settings to download and store a copy before deletion.
- Subscription invoices PennaSystems issues to you (for your platform subscription) are retained for 5 years from the end of the financial year to which they relate, as required by Danish Bogføringsloven § 10 governing our own bookkeeping records.
- Server logs: kept for 90 days then rotated and deleted, except where a security incident under investigation requires longer retention. In that case, only the logs relevant to the incident are preserved, and only for as long as the investigation requires.
- AI inputs and outputs sent to Anthropic: retained by Anthropic for up to 30 days per their Commercial API Terms, then deleted by Anthropic. On our side, the input/output payload is held only in the AI audit record described below (up to 12 months); beyond that record, PennaSystems keeps no copy of AI inputs or outputs other than what is needed to present the result in your session.
- Marketing "notify me" signups: if you sign up to be notified when a forthcoming module launches, your email address and the abuse-prevention metadata captured at sign-up (IP address and browser user-agent) are retained for 18 months and then automatically deleted, in line with GDPR Art. 5(1)(e) storage limitation. Email privacy@pennapay.com at any time to unsubscribe and erase the record immediately.
- Support correspondence: retained for 2 years from the close of the matter, then deleted, unless required longer for legal-defence purposes.
- AI audit logs: we keep a structured audit record of each AI-feature invocation (which feature, when, token count, cost and the input/output payload) for up to 12 months to monitor cost and abuse, then delete it. If your account is deleted before that window has elapsed, the user ID on the audit row is nulled but the row itself is retained as part of the organisation's billing audit until the organisation is fully purged.
8. Your rights under GDPR
As a data subject in the EU/EEA you have the following rights regarding personal data we hold about you:
- Right of access (Art. 15): you can request a copy of the personal data we hold about you and information about how we process it.
- Right to rectification (Art. 16): you can request that we correct inaccurate personal data or complete incomplete data.
- Right to erasure (Art. 17): you can request that we delete your personal data, subject to legal obligations that may require us to retain certain records (notably the 5-year retention under Danish Bogføringsloven § 10 for our own subscription invoices to you, and the deletion-delay disclosed in §7 above).
- Right to restriction of processing (Art. 18): you can request that we restrict how we process your data in certain circumstances (e.g. while you contest the accuracy of the data).
- Right to data portability (Art. 20): you can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller. PennaSystems provides a data export tool in Settings; you can also request the data by emailing us.
- Right to object (Art. 21): you can object to processing based on legitimate interests; we will assess your objection and stop the processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Art. 7(3)): where we rely on consent (for example, non-essential cookies or analytics identifiers — see §9), you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Rights regarding automated decision-making (Art. 22): PennaSystems does not make decisions about you based solely on automated processing. AI features produce suggestions that you review and approve.
To exercise any of these rights, email privacy@pennapay.com with the words "GDPR request" in the subject line. We will respond without undue delay and in any event within one month of receipt of your request as required by GDPR Art. 12(3); if your request is complex we may extend this by a further two months and will tell you why in writing. There is no fee for ordinary requests; only manifestly unfounded or excessive repeated requests may be subject to a reasonable fee or refusal, in accordance with Art. 12(5).
9. Cookies and similar technologies
PennaSystems uses a minimal set of strictly-necessary cookies (your authenticated-session token and your language preference) and one consent-gated analytics identifier (the PostHog visitor ID, stored in browser localStorage rather than as a cookie). We do not set advertising, retargeting, or cross-site tracking cookies of any kind.
For the complete table — every cookie and similar identifier set by pennapay.com, pennasystems.com and app.pennasystems.com, with name, domain, purpose, lifetime and which party sets it — see our separate Cookie Policy.
Consent: non-essential analytics identifiers (currently only the PostHog visitor ID) are loaded only after you grant analytics consent through the cookie banner shown on first visit. You can withdraw consent at any time by clearing your browser's localStorage for our domains, by using your browser's cookie controls, or by emailing privacy@pennapay.com. Withdrawing consent does not affect the lawfulness of processing that took place before withdrawal.
Cloudflare Web Analytics sets no cookies and stores no identifiers in your browser, so the consent requirement of the ePrivacy rules on storing or accessing information on your device does not apply to it and it runs without consent.
10. Security and breach notification
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS 1.3) and at rest, restricted administrative access secured with two-factor authentication, segregated production credentials and continuous logging. We rely on industry-standard practices from our subprocessors (Railway, Cloudflare, Stripe) for the underlying infrastructure security.
If a personal data breach affecting data for which we are the controller occurs, we will notify Datatilsynet without undue delay and, where feasible, within 72 hours of becoming aware of it (GDPR Art. 33), unless the breach is unlikely to result in a risk to your rights and freedoms. If the breach is likely to result in a high risk, we will also notify you directly without undue delay (GDPR Art. 34). Where a breach affects your clients' data, for which we act as your processor, we will notify you without undue delay after becoming aware of it (GDPR Art. 33(2)) so that you can meet your own notification obligations as controller.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, the subprocessors we use, or applicable law. Material changes will be communicated to registered users by email or in-app notification at least 30 days before they take effect, except where shorter notice is required to address a security or legal issue. The current version is always available at pennapay.com/privacy.html.
12. Complaints to the supervisory authority
If you believe we have not adequately handled your request or that our processing of your personal data violates GDPR, you have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority for PennaSystems is:
Datatilsynet (the Danish Data Protection Agency)
Carl Jacobsens Vej 35
2500 Valby, Denmark
datatilsynet.dk (current contact details, including email, are published on that site)
You may also lodge a complaint with the supervisory authority in your EU/EEA country of residence or place of work, or in the country where the alleged infringement took place (GDPR Art. 77(1)).