Legal · last updated 6 May 2026

Privacy Policy

Penshift LTD (“Penshift”, “we”) operates the Penshift writing-assistance service. This Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR) where applicable.

1. Data we collect

We collect three categories of data:

  • Account data — when you sign up, our authentication provider (Clerk) collects your email address, name, and any sign-in identifiers (Google account ID if you sign in with Google). We never see your password.
  • Usage data — the number of words you process per day, per tool, plus timestamps. This is needed to enforce free-tier and paid-tier limits and to project costs. We do not store the text of your inputs or outputs beyond what is needed to render the immediate response.
  • Account metadata held by Clerk on our behalf — your current plan tier (Free / Student / Pro / Studio), subscription start and renewal dates, your Stripe customer identifier, your personal referral code, the count of paid referrals you have generated, (where applicable) the identifier of the user who invited you, and (for the Student plan) your verified academic email plus the date that verification was completed. These fields exist only to operate quotas, billing, the referral programme, and student verification.
  • Billing data — when you subscribe to a paid plan, our payment processor (Stripe) collects your name, billing address, and payment method. We receive a customer ID and the subscription status; we never see your card details.

2. What we do not store

We do not store the text you submit to any tool (paraphraser, humanizer, AI detector, plagiarism checker, grammar, summarizer, translator) once the response has been rendered to you. We do not use your inputs or outputs to train any model, and we do not share them with any third party other than the inference provider that processes them in real time.

When an unexpected error occurs we send a diagnostic event to our error-monitoring sub-processor (see Section 4). These events contain a stack trace, the URL of the page or API route that errored, the browser type, and a timestamp. They are configured to exclude your IP address, request headers, cookies, and the text you submitted. Where a small sample of sessions is captured for debugging, all user-entered text and form input is masked client-side before transmission.

3. Why we use your data

We process personal data for the following purposes and lawful bases under UK GDPR Article 6:

  • Provide the service (Article 6(1)(b), performance of contract) — authentication, applying quotas, delivering rewrites and analysis.
  • Process payments (Article 6(1)(b)) — billing your chosen plan, applying student discounts.
  • Customer support (Article 6(1)(b) and 6(1)(f), legitimate interests) — responding to your emails and resolving issues.
  • Service improvement and security (Article 6(1)(f)) — aggregated usage analysis, abuse detection, log monitoring.
  • Legal compliance (Article 6(1)(c)) — accounting records, responding to lawful information requests.

4. Third parties (sub-processors)

We rely on a small number of sub-processors strictly to deliver the service. Each is bound by a data-processing agreement and processes data on our instructions only. The categories of recipients are:

  • Authentication provider — operates sign-in and session management. Receives account data.
  • Cloud hosting provider — runs the Penshift application. Receives request metadata and may transit input/output text in flight (not stored).
  • Payment processor (Stripe Inc.) — handles subscription billing. Receives billing data when you subscribe; we never see your card details.
  • AI inference providers — generate rewrites, detection scores, and summaries. Receive input text in flight to produce the response, then discard it. Inputs are not used to train any model.
  • Plagiarism-scanning provider — runs the plagiarism check. Receives input text in flight when you use that tool, then discards it.
  • Error-monitoring provider — captures crashes, exceptions, and performance traces from the application so we can diagnose bugs and outages. Receives stack traces, page URL, browser type, and timestamps. Does not receive your IP address, request headers, cookies, or the text you submit. A small percentage of sessions may be recorded for replay; in those cases all rendered text and form input is masked on your device before being sent.

A current list of the specific named sub-processors behind these categories is available on request to [email protected].

Some providers are located outside the UK / EEA. Where personal data is transferred internationally, we rely on Standard Contractual Clauses or equivalent safeguards under UK GDPR Article 46.

5. Cookies and analytics

Penshift uses only essential cookies set by our authentication provider for session management. We do not use advertising or analytics cookies. The session cookie expires when your session ends or you sign out.

For aggregate traffic insights we use a cookieless page-view counter built into our hosting platform. It records the URL you visited, the referring page, your country, and your device class (desktop / mobile / tablet); it does not set cookies, does not store your IP address, does not use a persistent identifier, and does not build a cross-session profile. Because it sets no cookies, no consent banner is required under PECR.

6. Referral programme

If you participate in our referral programme we process additional data to operate it. When you generate a referral link we assign a short alphanumeric code to your account. When a person opens any Penshift page using a link that contains your code, a first-party cookie (pen_ref) is set on that visitor's browser for up to 30 days; that cookie contains only your referral code, no other identifying information. If the visitor then creates a Penshift account, we record on their account the identifier of the inviter so the reward can be issued when they later complete a paid subscription. Where automated tracking is not yet active, this attribution is performed manually by our team after you contact us. We may compare anonymised payment-method fingerprints between an inviter and an invitee for the sole purpose of detecting self-referral abuse; we do not see card numbers and we do not retain the fingerprint past the integrity check. You may opt out of the referral programme at any time by emailing [email protected]; we will deactivate your code and remove referral-specific data from your account.

7. Automated decision-making

Penshift does not make automated decisions that produce legal or similarly significant effects on you. Quota enforcement is mechanical (a counter is compared to a cap), AI-detector scores and plagiarism scores are presented to you as information rather than used to take action against your account, and referral-abuse heuristics flag activity for human review only — we do not auto-suspend accounts based on these signals.

8. Data retention

Account data is retained while your account is active and for 30 days after you delete it (to allow recovery from accidental deletion), then permanently deleted. Usage counters reset daily and are not retained beyond the current rolling window. Referral metadata (paid-referral entries) is retained for the duration of your account and for 6 years thereafter where it forms part of an applied billing credit, to comply with accounting law. Billing records are retained for as long as required by tax and accounting law (typically 6 years in the UK). Support emails are retained for 24 months unless you ask us to delete them sooner.

9. Your rights

Under UK GDPR you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your data, subject to legal-retention obligations.
  • Restriction — limit how we process your data.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any right, email [email protected]. We respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority.

10. Children

Penshift is not directed at children under 13 (or under 16 in jurisdictions that apply that threshold). We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.

11. Browser extension

Penshift offers an optional Chrome extension that brings the workbench to any text field on the web. The extension is single-purpose: rewriting and analysing text you explicitly select or focus on.

  • What it reads — only the specific text you select on a page (when you highlight 10+ characters and click the Penshift button or use the right-click menu) or the contents of the editable field you focus and click the Penshift corner button on. The extension does not read, scan, or transmit anything else from any page you visit.
  • What it sends to our servers — only that selected or focused text is sent to penshift.app, alongside a short-lived authentication token from your Penshift session. If you have saved a writing sample under “Match my voice” or typed instructions in “Custom” mode, that sample or those instructions are attached to the request as additional context for the rewrite. The text and any attached context travel over TLS to the same backend that powers the workbench, are processed in flight by our inference providers, and are then discarded — not stored, not logged for training, not retained beyond the immediate response.
  • What it stores locally on your device — the extension uses Chrome's local extension storage (not synced to any server) to keep: your last-used paraphrase mode and any custom instructions you have typed; your saved “Match my voice” writing sample; the text of your last 10 rewrite results so you can recover them in the toolbar popup; the list of websites you have toggled the extension off on; and a small flag recording whether you have already seen the first-run onboarding tooltip. None of this is transmitted to any server. Removing the extension or clearing extension data deletes it immediately.
  • Background activity — every ten minutes the extension makes a single network request to penshift.app to refresh the toolbar badge that shows whether you are signed in. No page content is sent on these requests; they carry only your authentication token. There is no other background activity, no scheduled scanning, and no telemetry.
  • What it does not do — no analytics, no advertising tracking, no cross-site profiling, no telemetry on which pages you visit, no scraping of page contents you have not explicitly selected or focused.
  • Permissions — the extension requests storage (for the local data described above), cookies (so the authentication SDK can sync your session with penshift.app), contextMenus (to register the right-click actions), alarms (to schedule the 10-minute badge refresh), activeTab (so the toolbar popup can read the hostname of the current tab when you choose to disable the extension on a particular site), and host_permissions for penshift.app and its authentication subdomain (so it can call the Penshift API and refresh your session).
  • Uninstalling — removing the extension from chrome://extensions deletes all extension-side state immediately. Your Penshift account is unaffected.

12. Security

We use industry-standard measures to protect data, including TLS encryption in transit, encrypted storage at rest with our hosting and authentication providers, and least-privilege access to internal systems. No system is perfectly secure; if a breach occurs that affects your data, we will notify you and the relevant authority within 72 hours as required by UK GDPR.

13. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by email at least 14 days before they take effect. The “last updated” date at the top of this page reflects the most recent revision.

14. Contact

Penshift LTD is the data controller for your personal data. Privacy enquiries: [email protected]. Penshift LTD is a private limited company registered in England and Wales, company number 17189590.