Privacy Policy
Effective date: 15 January 2026
Pennrows Ltd ("Pennrows", "we", "us", or "our") operates an AI-powered enterprise security platform that scans code for vulnerabilities and monitors executive email for phishing and business email compromise threats. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our services.
1. Information We Collect
We collect information necessary to provide and improve our services:
- Account information: Name, email address, password (hashed), organisation name, and billing details when you register.
- Repository metadata: Repository names, commit hashes, file paths, and scan configuration. We do not store raw source code; code is processed ephemerally in isolated containers and purged upon scan completion.
- Email monitoring data: For connected email accounts, we access messages in read-only mode to evaluate them for threats. We retain only threat classifications, metadata, and blacklist entries—not the full content of non-threat emails.
- Usage data: API calls, scan counts, token usage, feature usage, and diagnostic logs.
- Device and browser data: IP address, user agent, and session information.
2. How We Use Information
We use collected information to:
- Provide, operate, and maintain our security platform
- Process code scans and email threat analysis
- Send notifications, alerts, and reports
- Process payments and manage subscriptions
- Improve our AI models and detection capabilities
- Comply with legal obligations and enforce our terms
3. Data Retention
Retention varies by plan tier:
- Pay As You Go: Findings, scan metadata, and email threat data retained for 30 days.
- Business and Enterprise: Findings, scan metadata, and email threat data retained for 365 days.
- Account information and billing records are retained as required for legal and tax purposes.
Raw source code is never stored. Email content is processed in read-only mode; only threat classifications and related metadata are retained.
4. Data Security
We implement industry-standard security measures including encryption at rest (AES-256) and in transit (TLS 1.3), tenant isolation, access controls, and regular security assessments. We are SOC 2 Type II and ISO 27001 certified.
5. International Transfers
Data may be transferred to and processed in countries outside your residence. We use appropriate safeguards including Standard Contractual Clauses where required. Our primary infrastructure is hosted on AWS in regions you select.
6. Your Rights (GDPR / CCPA)
Depending on your jurisdiction, you may have the right to:
- Access and receive a copy of your personal data
- Rectify inaccurate data
- Request erasure ("right to be forgotten")
- Restrict or object to processing
- Data portability
- Withdraw consent where processing is consent-based
- Lodge a complaint with a supervisory authority (GDPR)
- Opt out of sale of personal information (CCPA; we do not sell data)
To exercise these rights, contact privacy@pennrows.com. We will respond within 30 days.
7. Cookies
We use essential cookies for authentication and session management, and analytics cookies to improve our services. You can manage cookie preferences in your browser settings.
8. Third-Party Services
We use sub-processors including AWS (infrastructure), Anthropic (AI analysis), Resend (email delivery), and Stripe (payments). Each is bound by data processing agreements. A current sub-processor list is available upon request.
9. Children's Privacy
Our services are not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe we have collected such data, contact privacy@pennrows.com.
10. Changes
We may update this policy from time to time. Material changes will be communicated via email or in-app notice at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.
11. Contact
For privacy-related enquiries: privacy@pennrows.com