Privacy Policy PENMAN Pro
This document describes the rules for processing personal data and the use of AI tools within the PENMAN Pro Services.
Fintech Analytics sp. z o.o., ul. Grabiszyńska 251D, 53-234 Wrocław, Poland, registered in the National Court Register (KRS) under no. 0001025699, NIP: 8943207457, REGON: 524783195, website: penmanpro.com.
Effective date: April 23, 2026
Table of Contents
- General Provisions
- Data Controller and Contact
- Scope of Data and Sources
- Purposes and Legal Bases
- Categories of Recipients and Sub-processors
- AI Tools and Data Analysis
- Transfers Outside EEA
- Data Retention Period
- Data Subject Rights
- Security
- Cookies and Analytics
- Policy Changes
I. General Provisions
This Privacy Policy describes the rules for processing personal data in connection with the use of the platform penmanpro.com and the application app.penmanpro.com (hereinafter: "Platform") and the provision of Services by Fintech Analytics sp. z o.o. (hereinafter: "Service Provider").
This document is consistent with the provisions of the Platform Terms of Service, including the section on personal data protection and the use of AI tools.
With respect to data entered into the Platform by the Client (e.g., authors, employees, content imported from the Client's websites), the Client generally remains the Data Controller, and the Service Provider acts as a Processor based on the Data Processing Agreement (DPA) — in accordance with Art. 28 GDPR.
II. Data Controller and Contact
Data Controller: Fintech Analytics sp. z o.o., ul. Grabiszyńska 251D, 53-234 Wrocław, KRS: 0001025699, NIP: 8943207457, REGON: 524783195.
Contact:
- privacy matters: penman [at] sebbie.pl
- technical matters and support: penman [at] sebbie.pl
- formal matters/complaints: penman [at] sebbie.pl
If the Client is the Data Controller for persons whose data is entered into the Platform (e.g., authors, contributors), the Client is responsible for fulfilling information obligations under Art. 13/14 GDPR towards those persons and for ensuring an appropriate legal basis.
III. Scope of Data and Sources
1) Client Data (controller: Service Provider)
- identification and registration data (e.g., name, tax ID, address),
- contact data (e.g., email, phone),
- billing data (e.g., invoice information),
- account data (login, permissions, change history within the account, AI credit balance and usage history).
2) User Data and content imported by the Client (controller: Client)
- identification and contact data of authors, editors and team members added by the Client,
- content of articles, comments and other materials imported from the Client's websites for analysis,
- technical metadata related to Platform usage (e.g., system event logs).
Prohibition of special category data. The Platform is not intended for processing special category data (Art. 9 GDPR), in particular health data, medical documentation, genetic/biometric data, religious beliefs or political opinions.
IV. Purposes and Legal Bases for Processing
Processing purposes (examples):
- conclusion and performance of the Agreement and provision of Services (Art. 6(1)(b) GDPR),
- settlements and tax/accounting obligations (Art. 6(1)(c) GDPR),
- handling inquiries, complaints, and communication with the Client (Art. 6(1)(b) and (f) GDPR),
- ensuring Platform security, preventing abuse, technical logs (Art. 6(1)(f) GDPR),
- improving the Platform and its features (Art. 6(1)(f) GDPR),
- sending commercial information / newsletter — if available and if consent was given or based on a legally permissible basis.
With respect to data entrusted by the Client, the legal basis for processing on the Client's side is in particular Art. 6 GDPR (depending on the role and purpose), and the Service Provider processes data as a Processor based on Art. 28 GDPR and the DPA.
V. Categories of Recipients and Sub-processors
Data may be disclosed only to the extent necessary for the provision of Services, in particular to:
- hosting and IT infrastructure providers (e.g., servers, data storage, backups),
- providers of inquiry handling and communication tools,
- accounting and payment service providers — for settlements,
- subcontractors providing technical support/Platform maintenance,
- AI tool providers — used within the Services (according to section VI).
| Name | Role / Service | Location | Transfer basis (if outside EEA) |
|---|---|---|---|
| DigitalOcean | Hosting / infrastructure | EEA / Netherlands | — |
| Resend | Transactional email / support | Outside EEA / USA | SCC |
| OpenAI | AI analysis within Services | Outside EEA / USA | SCC |
| Anthropic | AI analysis within Services | Outside EEA / USA | SCC |
The list of service providers is updated on an ongoing basis.
VI. AI Tools and Data Analysis
Within the provision of Services, data entered or provided by the Client may be used solely for analytical and statistical purposes and to support Platform functionality, including through the use of AI-based tools.
AI analysis:
- does not serve automated decision-making producing legal effects for natural persons,
- does not constitute profiling within the meaning of Art. 22 GDPR,
- is performed solely for content analysis, brand visibility analytics, internal linking recommendations and editorial workflows.
Minimization and limitation principles:
- we transmit to AI tools only data necessary for the given purpose,
- we apply pseudonymization/aggregation where possible,
- data is not used to train general AI models outside the scope of providing Services to the Client.
VII. Transfers Outside EEA
If, as part of using sub-processors, data is transferred outside the European Economic Area (EEA), the Service Provider applies appropriate safeguards provided for in Chapter V GDPR, in particular Standard Contractual Clauses (SCC), and implements supplementary measures if required.
VIII. Data Retention Period
- Client data related to the Agreement — for the duration of the Agreement, then for the statute of limitations period,
- billing data — for the period required by law (e.g., tax and accounting regulations),
- data processed in security logs — for the period necessary to ensure security and pursue claims,
- entrusted data (Users and imported content) — according to the Agreement/DPA and Client decisions as Controller (including deletion after termination of Services).
IX. Data Subject Rights
Data subjects have rights under GDPR, in particular: access to data, rectification, erasure, restriction of processing, data portability, objection, and the right to lodge a complaint with a supervisory authority.
Important. If data was entered into the Platform by the Client, the Client as Controller is the primary addressee of GDPR requests (Art. 15–22). The Service Provider as Processor supports the Client in accordance with the DPA.
X. Security
The Service Provider applies technical and organizational measures adequate to the risks (Art. 32 GDPR), including access control mechanisms, transmission encryption, backups, and security monitoring.
The Client is obliged to maintain confidentiality of access data, properly grant permissions to Users, and use the Platform in accordance with the Terms of Service.
XI. Cookies and Analytics
The Platform may use cookies and similar technologies to ensure Platform functionality, maintain sessions, improve security, and compile statistics.
- Essential cookies — necessary for Platform operation.
- Analytical cookies — help understand how the Platform is used (if used and if consent was given, where required).
Users can change cookie settings in their browser. If a cookie consent banner is active on the Platform, settings can also be changed from there.
XII. Privacy Policy Changes
The Service Provider may update the Privacy Policy, in particular in the event of changes in legislation, technological changes, or changes in the scope of sub-processors used (including AI tools). The current version of the document is published on the Platform.