Sub-processors
Who else touches your data.
This page lists every third-party vendor ("sub-processor") that handles Penlog data on our behalf, what role they play, where they're based, and what they see. The full privacy policy is the controlling document — this is the at-a-glance reference for App Review, EU/UK data-protection inquiries, and anyone who just wants to know who's in the loop.
We notify users in-app or by email before adding a material new sub-processor. We don't share data with advertising networks or data brokers, and Penlog isn't part of any cross-context tracking ecosystem.
| Vendor | Role | Region | Data touched |
|---|---|---|---|
| Apple Inc. | Sign in with Apple, iCloud (CloudKit), push notifications (APNs), App Store subscriptions, MetricKit crash + performance metrics. | United States | Apple user identifier, optional email (or Apple private-relay address), subscription transaction state, aggregate crash/performance signals. |
| Supabase Inc. | Primary backend host. Postgres database, object storage, edge functions, OAuth identity for the agent API. | United States | Account record, page metadata, blocks, OCR text + structured content (Pro only), PencilKit drawing data + PDF + PNG renders (Pro only), connector tokens, MCP API tokens (hashed), audit log. |
| OpenRouter, Inc. | LLM gateway. Routes the OCR request that turns a page image into structured text. | United States | Page PNG image (transient, in-request only — zero-data-retention policy; logging features not enabled). |
| Novita AI | GPU inference provider behind OpenRouter. Runs the GLM-4.6V vision-language model on the page image. | United States (San Francisco HQ; multi-region GPU network) | Page PNG image (per Novita's policy, not used for model training; retention window not publicly disclosed). |
| Cloudflare, Inc. | CDN + DNS for penlog.app, reverse proxy for mcp.penlog.app, inbound email routing for *@penlog.app. | United States (global edge network) | Standard request metadata (IP, user-agent, timestamps) for the website + MCP gateway. Email-routing metadata for inbound mail. |
| TelemetryDeck GmbH | Anonymous product analytics. Receives event names (e.g. "first_page_synced") and a double-hashed, daily-rotating user identifier with no IP address. | European Union (Microsoft Azure Amsterdam, AWS Frankfurt, Hetzner Germany) | Anonymous event signals. No journal content, no email, no name, no IP. |
| Resend (Resend, Inc.) | Outbound transactional email relay (sender domain penlog.app). | United States | Recipient email address, subject + body of any transactional message Penlog sends you. |
| Notion Labs, Inc. | Optional connector. Only engaged if you authorize a Notion workspace. | United States | Tasks, events, daily-page text + image you choose to sync. Disconnecting removes our access tokens immediately. |
EU / UK data transfers
Penlog is operated from the United States. Most sub-processors above are US-headquartered; TelemetryDeck is the EU-based exception. If you're a user in the EU or UK and you need Standard Contractual Clauses (SCCs) covering the transfer of your data to the United States, email privacy@penlog.app and we'll execute them with you.
Changes
Material updates to this list (a new vendor, a vendor's role expanded beyond what's listed here) will be announced in-app or by email at least 14 days before the change takes effect, and the "Last updated" date above will reflect the latest revision.
— Rick