Privacy
How Penlog handles your data.
Penlog is a handwritten iPad journal. To do its job — let you write by hand, sync your pages across your devices, and connect to the tools you already use — it has to handle some of your data. This page explains what's collected, where it's stored, who else touches it, and what you can do about any of it. Plain English, no boilerplate.
Who we are
Penlog is operated by RT Indianapolis Holdings LLC, doing business as Penlog, based in Indianapolis, Indiana. You can reach us at privacy@penlog.app or support@penlog.app.
What we collect
Three categories.
Account information
When you sign in with Apple, we receive an Apple-issued user identifier and (if you choose to share) your email address. If you use Apple's private email relay, we only see the relay address. We don't ask for a name, phone number, or any other personal detail to create an account.
Your journal content
Penlog stores the things you make: your handwritten ink (as PencilKit drawing data), any typed blocks and images you add to a page, the date and paper type of each page, the optional notation legend you set for a journal, and exported PDF + PNG snapshots of your pages.
When a page has handwriting on it, Penlog runs OCR to turn that handwriting into structured text — tasks, events, notes, headings — so it can sync to the tools you've connected. The structured text and the OCR result are stored alongside your page.
Free vs. Pro: what actually goes to our servers
Penlog has two tiers and they hit our servers differently. We think this is worth being explicit about.
- Free tier. Your journal lives on your iPad and in your private iCloud account. On our servers we only store the minimum needed to make calendar seeding and the app's account state work: your account row, a lightweight page record for each day you've opened, and any blocks the app needs to render (such as calendar events that you've opted into seeing on the page). We do not upload your handwriting drawing, page PDFs, page PNG renders, or the OCR / structured text of your handwriting. None of that ever leaves your iPad on the free tier.
- Pro tier. When you subscribe, the app turns on the full Supabase mirror. For each page you write, we upload the PencilKit drawing data, a vector PDF, a 300-DPI PNG render, and the OCR result + structured text (tasks, events, notes, headings). This is what makes Notion sync, the agent API, and MCP access work. The data is stored under your account with row-level security; only your authenticated session — or an agent you've explicitly authorized — can read it. Cancelling Pro stops new uploads; existing rows stay in place unless you ask us to delete them (see "Deleting your account" below).
Subscription and product state
If you subscribe to Pro, we store your App Store transaction information — the original transaction ID, status (active, expired, in trial, etc.), and renewal date — so the app knows whether to unlock Pro features. We don't see your credit card; Apple handles billing.
If you generate an API token to use Penlog with MCP-compatible agents, we store a hash of that token (not the token itself) and an audit log of which tools were called by which token. The token plain text is shown to you once at creation; we can't see or recover it.
Penlog also supports OAuth 2.1 connections from third-party MCP clients (such as Claude Desktop). When you authorize an OAuth client, you sign in via Sign in with Apple on the web and explicitly approve the scopes the client is requesting. We store the client's registration (name, redirect URIs) in an oauth_clients table and issue short-lived access tokens (1 hour) with rotating refresh tokens. You can see which clients are connected and revoke any of them from Settings → Agent Access inside the app. Revoking a client immediately invalidates all of its tokens. OAuth clients access the same journal data as API tokens — the scopes and audit logging are identical.
What an agent can actually see and do depends on the scopes you approve:
- read — list your pages, fetch any page's OCR text, structured content (tasks, events, notes, headings), and signed URLs for the page PDF and PNG. Read scope effectively means the agent can read your handwriting as text and download the page image.
- seed — create new task seeds on your daily pages (for example, "add 'pick up dry cleaning' to today"). Seed scope can also create the corresponding row in your connected Notion Tasks database, if you have one.
- write — update an existing task's status (done / not done) or correct its text. Write scope also pushes those changes through to Notion.
No scope grants an agent the ability to write ink, delete pages, or read another user's data. Every tool call an agent makes is recorded in an audit log you can review in the app (Settings → API Tokens → tap a token).
Diagnostics and analytics
Penlog sends anonymous, privacy-respecting usage events to TelemetryDeck — things like "first page synced" or "paywall viewed." TelemetryDeck never receives your IP address. The user identifier they receive is hashed twice (once on your device with a per-device salt, then again on their server with a daily-rotating salt), and event timestamps are rounded to the nearest hour. These events do not include your name, email, journal content, or any other personal detail. Crash reports come from Apple's MetricKit and reach us as aggregate counts, not symbolicated stack traces tied to individuals.
Where your data lives
Two storage layers, on purpose.
- iCloud (your private CloudKit database) — your primary copy. Penlog uses iCloud the same way Apple Notes and Reminders do. Apple, not us, handles the encryption and sync. We don't have access to data stored only in iCloud.
- Supabase (Postgres + Storage, hosted in the United States) — our API mirror. This is what makes connectors and the agent API work. Each page's PDF, PNG, drawing data, structured text, and metadata land here. Access is restricted to your account via row-level security; only your authenticated session can read your rows.
Third parties we send data to
These are the services that touch your data to make Penlog work. We share only what each one needs. The at-a-glance version of this list, with regions and vendor links, lives at penlog.app/subprocessors.
- Apple — Sign in with Apple, iCloud, push notifications (APNs), App Store subscriptions, MetricKit. Standard Apple platform services.
- Supabase — our backend host. Stores the API mirror described above.
- OpenRouter and Novita — the OCR pipeline. When a page is synced, the page image is sent to OpenRouter, which routes the request to Novita to run the GLM-4.6V vision-language model and turn handwriting into structured text. OpenRouter operates a zero-data-retention policy by default: prompts and responses are not stored on their servers (we do not opt into their logging features). Novita is a US-headquartered company (San Francisco) operating a multi-region GPU network; the specific region where any given request runs is not guaranteed and is not disclosed by Novita. Novita's published privacy policy commits that personal information will not be used for model training, but does not publish a specific retention window for inference inputs. If you are in the EU or UK, your image data crosses borders during this step and may be processed in the United States or other regions Novita operates in.
- Cloudflare — fronts our website (penlog.app), the MCP server (mcp.penlog.app), and routes inbound email to *@penlog.app. Standard CDN + email-routing role.
- TelemetryDeck — anonymous analytics. Operated by TelemetryDeck GmbH (Germany); workloads run on EU infrastructure (Microsoft Azure in Amsterdam, AWS in Frankfurt, Hetzner in Germany). TelemetryDeck's policy is that they receive only anonymous data and therefore are not a "processor" under GDPR. They do not publish a specific data retention window. We list them here because we'd rather over-disclose than under-disclose.
- Notion — only if you choose to connect a Notion workspace. We exchange task and event data with the database we create on your behalf. Disconnecting cuts the link immediately.
- Apple Calendar (EventKit) — read-only, on-device. Calendar event titles and times can be seeded onto your daily page if you opt in. Event data does not leave your iPad unless and until that page syncs to Supabase.
We don't sell your data. We don't share it with advertisers. We don't have analytics partners beyond TelemetryDeck.
Connections you choose to make
Notion sync, EventKit, and the agent API are opt-in. You connect them; you can disconnect them. When you disconnect Notion, we delete the OAuth tokens immediately. When you revoke an API token, it stops working within seconds. Disconnecting a connector doesn't delete your existing Penlog data — it just stops new data from flowing through that connector.
Research participation (opt-in)
If you turn on "Help improve Penlog's handwriting OCR" in Settings, we'll occasionally save a copy of a page you write to a private research dataset, along with any optional note you add. We use the dataset to compare OCR models when deciding which one Penlog runs. Participation is off by default and is currently only offered to TestFlight beta testers. You can revoke participation at any time from Settings, remove any individual page from the dataset from the Beta Program list, or email privacy@penlog.app to ask us to delete everything you've shared. We don't share the dataset publicly. We may use a sampled subset of your pages rather than every one.
Your rights and choices
Regardless of where you live, you have these:
- Access — you can read everything Penlog stores about you via the app, or via the API if you're a Pro subscriber.
- Export — every page can be exported as PDF directly from the app. Pro users can pull the full structured data via the REST and MCP APIs.
- Correction — you control your content; edit it in the app.
- Deletion — see below.
- Portability — PDF exports are self-contained; structured data via the API is standard JSON.
EU/UK residents have additional rights under GDPR (objection, restriction, lodging a complaint with your supervisory authority). California residents have rights under the CCPA/CPRA (knowing, deleting, correcting, opting out of sale — we don't sell, but you can still ask). To exercise any of these, email privacy@penlog.app.
Deleting your account
In the app: Settings → Delete Account. That permanently deletes your Penlog account and the data we store on Supabase (pages, files, connectors, tokens, and related rows) as part of the same action. It cannot be undone.
If you can't reach the app, email privacy@penlog.app from the address on your account (or with your account ID from Settings → About) and we'll process deletion manually.
Data stored only in your iCloud account is governed by Apple, not us. Deleting your Penlog account does not remove your iCloud journal copy. Uninstalling Penlog leaves iCloud data intact unless you also delete it via Settings → iCloud → Manage Storage.
Data retention
We keep your data for as long as your account exists. After in-app account deletion, your Supabase data is removed promptly as part of that flow. Aggregate analytics that don't identify you may persist beyond that.
Some specifics on how deletion actually flows through our infrastructure:
- Files (your handwriting drawings, page PDFs, page PNG renders): deleted from our object storage immediately. They are not held in database backups.
- Database rows (page metadata, OCR text, structured content, blocks, task links): deleted from the live database immediately, but persist in encrypted Supabase backups for up to 7 days before aging out. We cannot manually purge a specific row from existing backups; they expire automatically.
- Aggregate analytics: anonymous usage events sent to TelemetryDeck cannot be tied back to you specifically (they're hashed and stripped of identifying information at the source), so there's nothing to delete on a per-user basis from that system.
Security
Penlog uses Apple's standard encryption (in transit and at rest on iCloud), TLS 1.2+ for all network traffic, and row-level security at the database layer so no user can read another's rows. We're a small operation; we follow the standard Apple platform security practices and keep our infrastructure narrowly scoped. No system is unbreakable, and we're not promising otherwise — but if there's ever a breach affecting your data, we'll tell you.
Children's privacy
Penlog is rated 4+ but isn't directed at children under 13. We don't knowingly collect data from children under 13. If you believe a child has provided us data, email us and we'll delete it.
International users
Penlog is operated from the United States. Most of our infrastructure (Apple, Supabase, Cloudflare, OpenRouter, Novita) is US-hosted or US-headquartered. TelemetryDeck is the exception: it runs on EU infrastructure operated by a German company.
If you use Penlog from outside the US, your data is transferred to and processed in the United States. The OCR step in particular routes through OpenRouter (US) to Novita (US headquarters, multi-region GPU network) — your page images may be processed in any region Novita operates in, including outside your home region. By using Penlog you consent to these transfers. If you're in the EU or UK and need a Standard Contractual Clauses (SCC) basis for these transfers, email privacy@penlog.app and we'll work it out.
Changes to this policy
We'll update this page when our practices change. The "Last updated" date at the top tells you when. Material changes — adding a new third-party processor, expanding what we collect — will be announced in-app or by email before they take effect.
Contact
Privacy questions, data requests, or anything else: privacy@penlog.app.
— Rick