Privacy Policy
Penno is built to need as little of your data as possible — ideally none. This page describes what that means in practice.
TL;DR
- We do not collect your finance data. Transactions, debts, budgets, and categories stay on your device — we never see or receive your individual transactions.
- We do not collect your personal data. No name, no email, no phone, no address, no government ID, no precise location, no advertising identifier.
- Penno does not require an account, signup, or login. No user identifier of any kind is created.
- Penno does not connect to your bank or any financial institution.
- One optional exception: AI Insights (a Pro feature, off by default) sends that month's aggregated category totals — never individual transactions — to our AI provider, and only when you turn it on. Details below.
- We do collect anonymous product analytics (page views, taps, screen flow) through PostHog to understand how the app and site are used. No identity attached. Full disclosure below.
- Delete the app and the local data is gone with it; if you saved an iCloud backup, it stays in your own iCloud until you delete it there. Anonymous analytics events already sent cannot be tied back to you.
What we collect
None of your finance data. None of your personal data.
Other than the optional AI Insights feature described below, the app makes
no network calls about your transactions, debts, recurring entries,
budgets, or categories — that content stays on your device in
budget-planner.db. Your individual transactions are never
transmitted to us or anyone else. We also do not ask for, generate, or store your name, email, phone
number, address, date of birth, government ID, IP address, precise
location, or any other identifier that could be used to recognise you as
a specific person.
Anonymous product analytics. Penno uses PostHog to collect aggregated, anonymous usage data — both on the website (getpenno.com) and inside the app. This helps us see which screens get used, which features matter, and where the experience breaks. Specifically:
- Events: screen views, taps, navigation flow, app version, OS version, locale, device type.
- No identity: we do not call PostHog's
identifyAPI. No person profile is created (personProfiles: 'identified_only'). PostHog auto-generates a random anonymous device ID stored locally — we cannot map it back to you, and you can reset it by deleting the app. - No PII: no email, no name, no phone number, no precise location, no IP address persisted on our side. PostHog discards IP after geo-resolution to country level.
We do not use Plaid, Firebase, Mixpanel, Amplitude, Segment, AdMob, Meta Audience Network, or any advertising / data-broker SDK. PostHog is the only third-party data collector in the binary, and its scope is described above.
You can independently verify what leaves the device. Apple's privacy
report on your device will show outbound connections to
r.getpenno.com (our PostHog reverse proxy), to
ai.getpenno.com only if you use AI Insights, and to Apple's
own services — nothing else.
AI Insights (optional)
AI Insights is an optional feature included with the one-time Penno Pro unlock. It stays off until you open it, and the first time you run it Penno asks for your explicit consent. If you never turn it on, nothing in this section applies and no finance data leaves your device.
When you tap "Analyze" and accept the prompt, Penno sends a summary of the selected month to our AI provider to generate the written insights:
- What is sent: per-category spending and budget totals for the month, your month totals (spent, budgeted, income), the previous month's total spend, and the names and amounts of your active recurring items.
- What is never sent: your individual transactions, their notes, dates, or any line-item detail — only the aggregated figures above.
- How it travels: the request goes to our own proxy at
ai.getpenno.com, which forwards it to Google's Gemini API to generate that one response. It is not stored by us, and your request is sent without any name, email, or account identifier. - No content in analytics: we record only anonymous operational metadata about each request (AI model, token counts, cost, latency, success or failure) in PostHog — never the figures sent or the insight returned.
AI-generated insights are informational only and are not financial advice.
What we store
Your budget data — categories, transactions, recurring entries, debts,
debt payments, and settings — is stored locally on your device in a
SQLite database file named budget-planner.db. This file
lives in the Penno app container on your device.
Apple iOS will automatically include this app container in your iCloud Backup if you have iCloud Backup enabled on your device. This is iOS-level behavior, not something Penno controls. You can exclude Penno from iCloud Backup in your device's iCloud settings if you prefer.
Separately, Penno offers an optional iCloud backup that you control. When you turn it on in Settings → iCloud and tap Back Up, Penno saves a single backup file to your own iCloud account; tapping Restore brings it back. Both are manual actions you take — there is no automatic or background upload. The backup file lives only in your own iCloud; Penno never receives it and cannot read it, and you can delete it from your iCloud at any time.
Notifications
Penno schedules local notifications on your device — for example, a day-before reminder for a recurring charge, or a stale-debt nudge. These notifications are scheduled by the iOS notification system itself; they do not require a server-side push.
If you allow notifications during onboarding, the only data involved is the local schedule on your device. Nothing is transmitted to Penno or any third party.
Export and sharing
When you choose to export your data to a CSV or XLSX file through the in-app Export feature, the file is created on your device and then handed to the iOS system share sheet. From there, you choose where it goes — Files, iCloud Drive, email, AirDrop, or any other share target available on your device.
Penno itself does not send the file anywhere. The data leaves the app only when you explicitly direct it through the share sheet.
Third parties
We do not sell, lease, or share your finance data with anyone. We do not have your finance data; there is nothing to share.
The third parties involved in Penno's operation are:
- Apple Inc. — hosts the app on the App Store and operates the underlying iOS platform. Governed by Apple's privacy policy.
-
PostHog Inc. — receives the anonymous product analytics
described above. Data is hosted in PostHog's US
Cloud and routed through our reverse proxy at
r.getpenno.com. Governed by PostHog's privacy policy and their data processing addendum. - RevenueCat, Inc. — processes the one-time in-app purchase. It receives the App Store purchase receipt and a random anonymous app-user ID it generates (no name, email, or finance data) so your unlock can be validated and restored. Governed by RevenueCat's privacy policy.
- Google LLC — provides the Gemini AI model behind the optional AI Insights feature. Only when you use that feature, the aggregated monthly summary described above is sent to Google's Gemini API through our proxy to generate the response. Governed by Google's privacy policy and the Gemini API terms.
Cookies and tracking
The Penno landing page (getpenno.com) sets a small set of first-party cookies / local-storage entries used by PostHog to (a) tie events from the same browsing session together and (b) deduplicate visitor counts over time. These are not used for advertising and not shared with any advertising network. There are no third-party advertising cookies, no Facebook Pixel, no Google Ads tag.
The mobile app uses no advertising identifiers (no IDFA, no IDFA-equivalents). PostHog inside the app uses a random anonymous device ID stored in the app's own sandbox; it is reset when you delete the app.
Opting out: the app uses no advertising identifiers, so
there is no App Tracking Transparency prompt and Penno does not appear
under iOS Settings > Privacy & Security > Tracking. To stop the
app's anonymous analytics, delete the app — that clears the locally stored
anonymous device ID. On the website you can use browser tools (Do Not
Track, private mode, content blockers) to block requests to
r.getpenno.com; the site remains fully functional without
analytics.
Children
Penno is not directed to children. We do not knowingly collect any information from children. Because we do not collect information from anyone, this is the same statement that applies to every user — there is no special data path for children's data.
Your rights
Your finance data lives on your device, fully under your control. You can:
- Edit any entry through the app's UI
- Export all data via the in-app Export feature
- Delete the app to remove all local data
For the anonymous PostHog analytics described above: because no identity is attached, we have no way to look up "your" events on the server side. You can, however, block analytics entirely:
-
Website: block requests to
r.getpenno.comwith your browser's content-blocker, use private / incognito mode, or enable Do Not Track. - App: the app shows no tracking prompt and uses no advertising identifiers, so it does not appear under iOS Settings > Privacy & Security > Tracking. To stop analytics from the app, delete it — this clears the locally stored anonymous device ID.
If you believe events from your specific device should be deleted on the PostHog side, contact us at the address below with the approximate time window and we will issue a data deletion request to PostHog. Because the events are anonymous we may not be able to isolate yours, but we will cooperate in good faith.
Changes to this policy
If we materially change this policy we will update this page and the effective date above. Material changes affect the data-handling practices of the app; non-material changes are clarifications or typo fixes.
Contact
Questions about privacy: [email protected].