Privacy Policy

Effective 2026-05-19

Penno is built to need as little of your data as possible — ideally none. This page describes what that means in practice.

TL;DR

What we collect

None of your finance data. None of your personal data. Other than the optional AI Insights feature described below, the app makes no network calls about your transactions, debts, recurring entries, budgets, or categories — that content stays on your device in budget-planner.db. Your individual transactions are never transmitted to us or anyone else. We also do not ask for, generate, or store your name, email, phone number, address, date of birth, government ID, IP address, precise location, or any other identifier that could be used to recognise you as a specific person.

Anonymous product analytics. Penno uses PostHog to collect aggregated, anonymous usage data — both on the website (getpenno.com) and inside the app. This helps us see which screens get used, which features matter, and where the experience breaks. Specifically:

We do not use Plaid, Firebase, Mixpanel, Amplitude, Segment, AdMob, Meta Audience Network, or any advertising / data-broker SDK. PostHog is the only third-party data collector in the binary, and its scope is described above.

You can independently verify what leaves the device. Apple's privacy report on your device will show outbound connections to r.getpenno.com (our PostHog reverse proxy), to ai.getpenno.com only if you use AI Insights, and to Apple's own services — nothing else.

AI Insights (optional)

AI Insights is an optional feature included with the one-time Penno Pro unlock. It stays off until you open it, and the first time you run it Penno asks for your explicit consent. If you never turn it on, nothing in this section applies and no finance data leaves your device.

When you tap "Analyze" and accept the prompt, Penno sends a summary of the selected month to our AI provider to generate the written insights:

AI-generated insights are informational only and are not financial advice.

What we store

Your budget data — categories, transactions, recurring entries, debts, debt payments, and settings — is stored locally on your device in a SQLite database file named budget-planner.db. This file lives in the Penno app container on your device.

Apple iOS will automatically include this app container in your iCloud Backup if you have iCloud Backup enabled on your device. This is iOS-level behavior, not something Penno controls. You can exclude Penno from iCloud Backup in your device's iCloud settings if you prefer.

Separately, Penno offers an optional iCloud backup that you control. When you turn it on in Settings → iCloud and tap Back Up, Penno saves a single backup file to your own iCloud account; tapping Restore brings it back. Both are manual actions you take — there is no automatic or background upload. The backup file lives only in your own iCloud; Penno never receives it and cannot read it, and you can delete it from your iCloud at any time.

Notifications

Penno schedules local notifications on your device — for example, a day-before reminder for a recurring charge, or a stale-debt nudge. These notifications are scheduled by the iOS notification system itself; they do not require a server-side push.

If you allow notifications during onboarding, the only data involved is the local schedule on your device. Nothing is transmitted to Penno or any third party.

Export and sharing

When you choose to export your data to a CSV or XLSX file through the in-app Export feature, the file is created on your device and then handed to the iOS system share sheet. From there, you choose where it goes — Files, iCloud Drive, email, AirDrop, or any other share target available on your device.

Penno itself does not send the file anywhere. The data leaves the app only when you explicitly direct it through the share sheet.

Third parties

We do not sell, lease, or share your finance data with anyone. We do not have your finance data; there is nothing to share.

The third parties involved in Penno's operation are:

Cookies and tracking

The Penno landing page (getpenno.com) sets a small set of first-party cookies / local-storage entries used by PostHog to (a) tie events from the same browsing session together and (b) deduplicate visitor counts over time. These are not used for advertising and not shared with any advertising network. There are no third-party advertising cookies, no Facebook Pixel, no Google Ads tag.

The mobile app uses no advertising identifiers (no IDFA, no IDFA-equivalents). PostHog inside the app uses a random anonymous device ID stored in the app's own sandbox; it is reset when you delete the app.

Opting out: the app uses no advertising identifiers, so there is no App Tracking Transparency prompt and Penno does not appear under iOS Settings > Privacy & Security > Tracking. To stop the app's anonymous analytics, delete the app — that clears the locally stored anonymous device ID. On the website you can use browser tools (Do Not Track, private mode, content blockers) to block requests to r.getpenno.com; the site remains fully functional without analytics.

Children

Penno is not directed to children. We do not knowingly collect any information from children. Because we do not collect information from anyone, this is the same statement that applies to every user — there is no special data path for children's data.

Your rights

Your finance data lives on your device, fully under your control. You can:

For the anonymous PostHog analytics described above: because no identity is attached, we have no way to look up "your" events on the server side. You can, however, block analytics entirely:

If you believe events from your specific device should be deleted on the PostHog side, contact us at the address below with the approximate time window and we will issue a data deletion request to PostHog. Because the events are anonymous we may not be able to isolate yours, but we will cooperate in good faith.

Changes to this policy

If we materially change this policy we will update this page and the effective date above. Material changes affect the data-handling practices of the app; non-material changes are clarifications or typo fixes.

Contact

Questions about privacy: [email protected].