Privacy Policy
Last updated: June 12, 2026
Pensio is a journaling app. Your journal is private. This policy explains what data we collect, why, and what we do with it — in plain language.
Our privacy promise
- We do not train AI models on your data. Your entries are never used to improve or fine-tune any AI model — ours or third-party.
- We do not sell or share your data. No advertisers, no data brokers, no "partners." Your journal is yours.
- No human reads your entries. Your journal content is only accessed by automated systems to provide the service. No Pensio employee or contractor reads your entries unless you explicitly share them with us for support purposes.
- AI providers do not store your data. We route AI requests through OpenRouter with data retention disabled. Your text is processed in-memory and discarded after the response is generated.
- You can export or delete everything, anytime. No lock-in, no dark patterns.
What we collect
- Account info: Email address and display name (to create your account and personalize your experience).
- Journal entries: The text you write, including any metadata (dates, tags, entry type). Stored in our PostgreSQL database on a server we control.
- Relationships: Names you mention in entries using @mentions. These are names only — we don't collect contact information about other people.
- Emotions and themes: Extracted from your entries by our AI. Includes emotions (primary and secondary), intensity (1–10), emotional direction (positive/negative), life themes (e.g. relationships, career, health), triggers, and a brief summary. Stored as structured data alongside each entry.
- Explore conversations: Your chats with the Explore AI feature, including the questions you ask and the AI responses.
- User Memory: When you have a meaningful Explore conversation, Pensio extracts key facts you've shared — like names, preferences, patterns, or milestones. These are stored in your account so future conversations have context about you. You can view, deactivate, or permanently delete any memory from Settings → Memories.
- Insights: AI-generated weekly and monthly reports about your emotional patterns, recurring themes, and shifts over time. These are summaries derived from your entries, stored in your account.
What we don't collect
- We don't sell your data. Ever.
- We don't show ads.
- We don't share your journal content with third parties (except the AI providers listed below — and they don't keep it).
- We don't track you across the web.
- We don't build advertising profiles or sell behavioral data.
We may disclose your data if required by law (e.g. a valid court order), but we will only do so when legally obligated and will notify you if permitted.
How we use AI
Pensio uses large language models (LLMs) for two features:
- Emotion extraction: Your entry text is sent to an LLM to identify emotions. The extracted emotions are stored; the LLM does not retain your text.
- Explore chat: When you ask a question in Explore, only the journal entries relevant to your question are sent as context to the LLM — not your entire journal. We send the minimum necessary to generate a useful response.
- User Memory: Pensio stores facts from your Explore conversations (like names and preferences) so future sessions have context. This is stored in your account on our server, not on AI provider servers. You control it entirely — view, deactivate, or delete any memory from Settings.
How this compares to using AI chatbots directly: When you use ChatGPT, Claude, or Gemini through their own apps, your conversations may be used to improve their models unless you opt out. With Pensio, your journal content is never used for AI training, profiling, or marketing — by us or by the AI providers. Your text is processed in-memory and discarded immediately. The only data that persists is what Pensio stores in your account, which you own and can delete at any time.
Connecting external AI assistants (MCP)
If you are on Pensio Pro, you can optionally connect an external AI assistant — such as Claude, Claude Desktop, or Cursor — to Pensio through the Model Context Protocol (MCP). This is off by default and only happens if you create a connection from Settings → Tokens.
- Read-only: A connected assistant can read and search your journal. It cannot create, edit, or delete entries — this is enforced on our servers, not just by the assistant.
- Where your words go: When you ask a connected assistant about your journal, the relevant entries are sent to that tool's own AI model to form the answer. That model runs under the assistant vendor's terms and privacy policy — not Pensio's zero-retention OpenRouter configuration. We cannot control how a third-party AI tool you choose handles that content, so review your assistant's privacy terms before connecting.
- A fully private option: If you self-host Pensio and connect a local AI model (such as Ollama), your entries never leave your own machine — zero third-party egress.
- You stay in control: Each connection is a revocable, device-specific token. Revoke it anytime from Settings → Tokens and the assistant immediately loses access.
What AI does not do
- AI providers do not remember you — there is no persistent profile of you on any AI provider's servers. Pensio's User Memory feature stores facts you share in conversations, but this data lives in your account under your control, not on AI provider infrastructure. You can delete it anytime.
- Your data is never mixed with other users' data when processed by AI. Each request contains only your content, isolated from all other users.
- We do not use your journal content for analytics, product improvement, or internal research.
- AI providers do not build behavioral profiles based on your entries.
- AI models are not personalized or adapted based on your data. Every user's request is processed by the same general-purpose model.
AI providers and data handling
All AI requests are routed through OpenRouter, an API gateway. OpenRouter forwards your request to the AI model and returns the response. We have configured OpenRouter with the no-data-retention flag via their API — your text is processed in-memory and not stored, logged, or used for training by OpenRouter or the downstream model providers. This means your data exists only for the duration of the request and is not written to disk by AI providers. Requests are not logged, cached, or stored at any layer.
The AI models we currently use:
- Claude by Anthropic — primary model for Explore chat and emotion extraction.
- Gemini by Google — used as an alternative model for some features.
Both Anthropic and Google, when accessed via OpenRouter's zero-retention API, do not store or train on the data sent through these requests. If we change AI providers in the future, we will update this page and maintain the same zero-retention configuration.
Analytics
We use two analytics tools, separated by purpose:
- Google Analytics 4 — on our public marketing pages only (landing page, blog). Tracks page views and traffic sources. IP addresses are anonymized. Not used on any authenticated pages. Loaded only after cookie consent is given.
- PostHog — on the app (authenticated pages). Tracks feature usage with anonymized user IDs (your UUID, not your name or email). No personal information is sent. Autocapture and session recording are disabled — we only track specific events we've defined. Hosted in the EU.
Crash and error reporting
To keep Pensio stable we collect technical diagnostics when something goes wrong — never your journal content:
- Sentry — server-side error reports for the web app. No personal data is attached (PII sending is disabled). Processed in the EU.
- Firebase Crashlytics — crash diagnostics from the Android app (stack trace, device model, OS and app version). No journal content and no email or name are sent, and advertising-ID collection is disabled. The iOS app currently includes no crash reporting.
Cookies
The Pensio app uses only essential cookies:
- Session cookie — keeps you logged in. Expires after 14 days of inactivity.
- CSRF token — prevents cross-site request forgery (a security measure).
Marketing pages may set a Google Analytics cookie if you accept analytics cookies via the consent banner. No tracking cookies are used inside the app. Essential cookies do not require consent under EU ePrivacy rules.
Security
- Encryption in transit: All connections use TLS (HTTPS). We enforce HSTS.
- Encryption at rest: Our server disk uses LUKS full-disk encryption.
- Passwords: Hashed using Argon2id, a memory-hard algorithm resistant to brute-force attacks. We never store plain-text passwords.
- Two-factor authentication: Available via TOTP (authenticator app). Recommended for all accounts.
- Backups: Daily automated database backups, encrypted, retained for 7 days.
Like any online service, Pensio is not immune to security risks. We minimize risk by limiting data exposure, encrypting all stored data at the disk level, and ensuring AI providers do not retain your content. We regularly review our security practices and update them as needed.
Email communications
We send the following types of email:
- Transactional: Password resets, email verification, account security alerts. These are required for the service to work — you cannot opt out.
- Product emails: Weekly insights, streak milestones, inactivity nudges. You can disable any of these individually in Settings → Notifications.
- Newsletter: Product updates and journaling tips. Requires separate opt-in (double opt-in). Unsubscribe in one click from any email.
Every non-transactional email includes a one-click unsubscribe link. We limit product emails to a maximum of 2 per month. We use Brevo to send emails (see Sub-processors below).
Your rights
You own your data. Under GDPR and regardless of where you live, you can:
- Access: All your data is visible in the app. You can also request a machine-readable export by contacting us.
- Export (portability): Download all your entries as Markdown files or JSON from Settings → Export.
- Rectification: Edit your entries and profile information at any time.
- Erasure: Delete your account from Settings. This permanently removes all your data — entries, relationships, insights, and Explore conversations. Deletion is completed within 30 days and is irreversible. Because we prioritize privacy, we cannot recover deleted data — there is no hidden backup or shadow storage.
- Restrict processing: You can disable AI emotion extraction on your entries from Settings. Your entries will still be stored but won't be sent to AI providers.
- Object: You can object to any processing by contacting us at [email protected].
- Memory control: View, deactivate, or permanently delete any fact the AI has remembered about you from Settings → Memories. Deactivated memories are excluded from AI conversations but kept in your account until you delete them.
Data retention
- While your account is active: Your data is stored for as long as you have an account. We do not delete entries unless you do.
- After account deletion: All your data (entries, emotions, relationships, insights, Explore conversations) is permanently deleted from our database within 30 days. Automated backups containing your data expire within 7 days after that.
- AI providers: Do not retain your data at all — processing is in-memory only.
Sub-processors
These are the third-party services that may process your data as part of providing Pensio:
| Service | Purpose | Data access |
|---|---|---|
| OpenRouter | AI API gateway | Entry text (in-memory only, zero retention) |
| Anthropic (Claude) | AI model provider | Entry text (in-memory only, via OpenRouter zero-retention API) |
| Google (Gemini) | AI model provider | Entry text (in-memory only, via OpenRouter zero-retention API) |
| Hostinger | Server hosting | All data (stored on encrypted disk) |
| Cloudflare | CDN and DDoS protection | Network traffic (passes through, not stored) |
| PostHog | Product analytics | Anonymous usage events (no journal content, no personal info) |
| Brevo | Email delivery | Email address, display name, language preference (for transactional and product emails) |
| Sentry | Error tracking | Technical error reports (may include anonymized request metadata, never journal content). PII sending is disabled. |
| Google (Firebase Crashlytics) | Crash reporting (Android app) | Crash diagnostics from the Android app — stack trace, device model, OS and app version. No journal content, no email or name. Advertising ID collection is disabled. |
| Google Analytics 4 | Marketing analytics | Anonymized page views on marketing pages only (not inside the app). Loaded only after cookie consent. |
Data location
Your data is stored on a dedicated server in Europe (EU), provided by Hostinger. Cloudflare handles CDN and DDoS protection — content passes through their network but is not stored. PostHog analytics data is processed in the EU. Brevo is an EU-based email provider. Error reports (Sentry) are processed in the EU. Crash diagnostics from the Android app are processed by Google (Firebase Crashlytics), which may store them outside the EU under Standard Contractual Clauses. No personal data is transferred outside the EU/EEA except through providers with adequate safeguards (Standard Contractual Clauses or EU adequacy decisions).
Children's privacy
Pensio is not intended for anyone under 16 years of age. We do not knowingly collect personal data from children. If we learn that a user under 16 has created an account, we will delete their account and all associated data promptly. If you believe a child under 16 is using Pensio, please contact us at [email protected].
Data breach notification
In the unlikely event of a data breach that affects your personal data, we will notify you via email within 72 hours of becoming aware of it, as required by GDPR. We will also notify the relevant supervisory authority. The notification will describe the nature of the breach, the data affected, and the steps we are taking to address it.
Legal basis for processing
Under GDPR, we process your data based on:
- Contract: Processing your journal entries, generating insights, and providing the service you signed up for.
- Legitimate interest: Product analytics (anonymized), error tracking, and service security.
- Consent: Marketing emails, newsletter, and analytics cookies on marketing pages.
You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Changes to this policy
If we make meaningful changes, we'll notify you via email or an in-app notification before the changes take effect. Minor wording updates won't trigger a notice. Previous versions of this policy are available upon request.
Contact and complaints
Questions about your privacy? Email us at [email protected].
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with a data protection supervisory authority in your country of residence.