Privacy Policy

Last updated: March 22, 2026

What we collect

• Account info: Email address and display name (to create your account and personalize your experience).
• Journal entries: The text you write, including any metadata (dates, tags, entry type). Stored in our PostgreSQL database on a server we control.
• Relationships: Names you mention in entries using @mentions. These are names only — we don't collect contact information about other people.
• Emotions and themes: Extracted from your entries by our AI. Includes emotions (primary and secondary), intensity (1–10), emotional direction (positive/negative), life themes (e.g. relationships, career, health), triggers, and a brief summary. Stored as structured data alongside each entry.
• Explore conversations: Your chats with the Explore AI feature, including the questions you ask and the AI responses.
• User Memory: When you have a meaningful Explore conversation, Pensio extracts key facts you've shared — like names, preferences, patterns, or milestones. These are stored in your account so future conversations have context about you. You can view, deactivate, or permanently delete any memory from Settings → Memories.
• Insights: AI-generated weekly and monthly reports about your emotional patterns, recurring themes, and shifts over time. These are summaries derived from your entries, stored in your account.

What we don't collect

• We don't sell your data. Ever.
• We don't show ads.
• We don't share your journal content with third parties (except the AI providers listed below — and they don't keep it).
• We don't track you across the web.
• We don't build advertising profiles or sell behavioral data.

We may disclose your data if required by law (e.g. a valid court order), but we will only do so when legally obligated and will notify you if permitted.

How we use AI

Pensio uses large language models (LLMs) for two features:

1. Emotion extraction: Your entry text is sent to an LLM to identify emotions. The extracted emotions are stored; the LLM does not retain your text.
2. Explore chat: When you ask a question in Explore, only the journal entries relevant to your question are sent as context to the LLM — not your entire journal. We send the minimum necessary to generate a useful response.
3. User Memory: Pensio stores facts from your Explore conversations (like names and preferences) so future sessions have context. This is stored in your account on our server, not on AI provider servers. You control it entirely — view, deactivate, or delete any memory from Settings.

How this compares to using AI chatbots directly: When you use ChatGPT, Claude, or Gemini through their own apps, your conversations may be used to improve their models unless you opt out. With Pensio, your journal content is never used for AI training, profiling, or marketing — by us or by the AI providers. Your text is processed in-memory and discarded immediately. The only data that persists is what Pensio stores in your account, which you own and can delete at any time.

What AI does not do

• AI providers do not remember you — there is no persistent profile of you on any AI provider's servers. Pensio's User Memory feature stores facts you share in conversations, but this data lives in your account under your control, not on AI provider infrastructure. You can delete it anytime.
• Your data is never mixed with other users' data when processed by AI. Each request contains only your content, isolated from all other users.
• We do not use your journal content for analytics, product improvement, or internal research.
• AI providers do not build behavioral profiles based on your entries.
• AI models are not personalized or adapted based on your data. Every user's request is processed by the same general-purpose model.

AI providers and data handling

All AI requests are routed through OpenRouter, an API gateway. OpenRouter forwards your request to the AI model and returns the response. We have configured OpenRouter with the no data retention flag via their API — your text is processed in-memory and not stored, logged, or used for training by OpenRouter or the downstream model providers. This means your data exists only for the duration of the request and is not written to disk by AI providers. Requests are not logged, cached, or stored at any layer.

The AI models we currently use:

• Claude by Anthropic — primary model for Explore chat and emotion extraction.
• Gemini by Google — used as an alternative model for some features.

Both Anthropic and Google, when accessed via OpenRouter's zero-retention API, do not store or train on the data sent through these requests. If we change AI providers in the future, we will update this page and maintain the same zero-retention configuration.

Analytics

We use two analytics tools, separated by purpose:

• Google Analytics 4 — on our public marketing pages only (landing page, blog). Tracks page views and traffic sources. IP addresses are anonymized. Not used on any authenticated pages. Loaded only after cookie consent is given.
• PostHog — on the app (authenticated pages). Tracks feature usage with anonymized user IDs (your UUID, not your name or email). No personal information is sent. Autocapture and session recording are disabled — we only track specific events we've defined. Hosted in the EU.

Cookies

The Pensio app uses only essential cookies:

• Session cookie — keeps you logged in. Expires after 14 days of inactivity.
• CSRF token — prevents cross-site request forgery (a security measure).

Marketing pages may set a Google Analytics cookie if you accept analytics cookies via the consent banner. No tracking cookies are used inside the app. Essential cookies do not require consent under EU ePrivacy rules.

Security

• Encryption in transit: All connections use TLS (HTTPS). We enforce HSTS.
• Encryption at rest: Our server disk uses LUKS full-disk encryption.
• Passwords: Hashed using PBKDF2 with SHA-256 (Django's default). We never store plain-text passwords.
• Two-factor authentication: Available via TOTP (authenticator app). Recommended for all accounts.
• Backups: Daily automated database backups, encrypted, retained for 7 days.

Like any online service, Pensio is not immune to security risks. We minimize risk by limiting data exposure, encrypting all stored data, and ensuring AI providers do not retain your content. We regularly review our security practices and update them as needed.

Email communications

We send the following types of email:

• Transactional: Password resets, email verification, account security alerts. These are required for the service to work — you cannot opt out.
• Product emails: Weekly insights, streak milestones, inactivity nudges. You can disable any of these individually in Settings → Notifications.
• Newsletter: Product updates and journaling tips. Requires separate opt-in (double opt-in). Unsubscribe in one click from any email.

Every non-transactional email includes a one-click unsubscribe link. We limit product emails to a maximum of 2 per month. We use Brevo to send emails (see Sub-processors below).

Your rights

You own your data. Under GDPR and regardless of where you live, you can:

• Access: All your data is visible in the app. You can also request a machine-readable export by contacting us.
• Export (portability): Download all your entries as Markdown files or JSON from Settings → Export.
• Rectification: Edit your entries and profile information at any time.
• Erasure: Delete your account from Settings. This permanently removes all your data — entries, relationships, insights, and Explore conversations. Deletion is completed within 30 days and is irreversible. Because we prioritize privacy, we cannot recover deleted data — there is no hidden backup or shadow storage.
• Restrict processing: You can disable AI emotion extraction on your entries from Settings. Your entries will still be stored but won't be sent to AI providers.
• Object: You can object to any processing by contacting us at [email protected].
• Memory control: View, deactivate, or permanently delete any fact the AI has remembered about you from Settings → Memories. Deactivated memories are excluded from AI conversations but kept in your account until you delete them.

Data retention

• While your account is active: Your data is stored for as long as you have an account. We do not delete entries unless you do.
• After account deletion: All your data (entries, emotions, relationships, insights, Explore conversations) is permanently deleted from our database within 30 days. Automated backups containing your data expire within 7 days after that.
• AI providers: Do not retain your data at all — processing is in-memory only.

Sub-processors

These are the third-party services that may process your data as part of providing Pensio:

List of third-party sub-processors

Service	Purpose	Data access
OpenRouter	AI API gateway	Entry text (in-memory only, zero retention)
Anthropic (Claude)	AI model provider	Entry text (in-memory only, via OpenRouter zero-retention API)
Google (Gemini)	AI model provider	Entry text (in-memory only, via OpenRouter zero-retention API)
Hostinger	Server hosting	All data (stored on encrypted disk)
Cloudflare	CDN and DDoS protection	Network traffic (passes through, not stored)
PostHog	Product analytics	Anonymous usage events (no journal content, no personal info)
Brevo	Email delivery	Email address, display name, language preference (for transactional and product emails)
Sentry	Error tracking	Technical error reports (may include anonymized request metadata, never journal content). PII sending is disabled.
Google Analytics 4	Marketing analytics	Anonymized page views on marketing pages only (not inside the app). Loaded only after cookie consent.

Data location

Your data is stored on a dedicated server in Europe (EU), provided by Hostinger. Cloudflare handles CDN and DDoS protection — content passes through their network but is not stored. PostHog analytics data is processed in the EU. Brevo is an EU-based email provider. No personal data is transferred outside the EU/EEA except through providers with adequate safeguards (Standard Contractual Clauses or EU adequacy decisions).

Children's privacy

Pensio is not intended for anyone under 16 years of age. We do not knowingly collect personal data from children. If we learn that a user under 16 has created an account, we will delete their account and all associated data promptly. If you believe a child under 16 is using Pensio, please contact us at [email protected].

Data breach notification

In the unlikely event of a data breach that affects your personal data, we will notify you via email within 72 hours of becoming aware of it, as required by GDPR. We will also notify the relevant supervisory authority. The notification will describe the nature of the breach, the data affected, and the steps we are taking to address it.

Legal basis for processing

Under GDPR, we process your data based on:

• Contract: Processing your journal entries, generating insights, and providing the service you signed up for.
• Legitimate interest: Product analytics (anonymized), error tracking, and service security.
• Consent: Marketing emails, newsletter, and analytics cookies on marketing pages.

You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Changes to this policy

If we make meaningful changes, we'll notify you via email or an in-app notification before the changes take effect. Minor wording updates won't trigger a notice. Previous versions of this policy are available upon request.

Contact and complaints

Questions about your privacy? Email us at [email protected].

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with a data protection supervisory authority in your country of residence.