Privacy.

Plain English: we collect the minimum we need to draft good posts for you, store it securely, never sell it, and let you erase it.

What we collect

• X profile and posts. When you connect X via OAuth, we read your handle, follower counts, recent tweets, and analytics on tweets we post. The tweets are used to build your voice profile.
• Account info. Phone number (for the iMessage layer), email (optional), name, timezone.
• Payment info. Subscription state. Card details are handled by Stripe — we never see or store them.
• Conversations. Drafts, edits, feedback, and chat messages between you and Penwell. We use these to train your voice profile and improve the product.
• Usage analytics.Anonymous pageviews and events via PostHog so we can see what works and what doesn't.

How we use it

• Drafting posts and replies in your voice.
• Coaching you on cadence, pillars, and quality.
• Billing and account operations.
• Improving the product (in aggregate; never sold).

How we store it

Data is hosted on Supabase (eu-west-1). X OAuth tokens are encrypted at rest with AES-256-GCM. Application traffic uses TLS in transit.

Who else sees it (sub-processors)

We use a small number of trusted services. They see only what they need to function:

• Anthropic — generates drafts. Sees the prompts and context we send, including your voice profile.
• X (Twitter) — receives posts we publish on your behalf.
• Supabase — primary database and auth.
• Vercel — application hosting.
• PostHog — product analytics.

Coming soon (we'll update this list before they go live): Stripe for payments, Sendblue/Twilio for iMessage and SMS.

We do not sell your data.

Your controls

• Disconnect X from the integrations page at any time. We delete the OAuth tokens immediately.
• Delete your account from settings. Your row, drafts, and voice profile are deleted within 30 days.
• Export your data— email us and we'll send a JSON dump within 7 days.
• EU/UK rights.If you're in the EU or UK, you have rights of access, rectification, erasure, and portability under GDPR. Email us to use them.

Cookies

We use a session cookie for your dashboard and a small analytics cookie via PostHog for pageview attribution. No third-party advertising trackers.

Children

Penwell is not for anyone under 18. We do not knowingly collect data from minors.

Contact

Privacy questions or data requests: konchristoforou@gmail.com.

last updated · May 19, 2026