Privacy Policy

Effective 2026-05-19

Penno is built to need as little of your data as possible — ideally none. This page describes what that means in practice.

TL;DR

We do not collect your finance data. Transactions, debts, budgets, and categories stay on your device — we never see them and never receive them.
We do not collect your personal data. No name, no email, no phone, no address, no government ID, no precise location, no advertising identifier.
Penno does not require an account, signup, or login. No user identifier of any kind is created.
Penno does not connect to your bank or any financial institution.
We do collect anonymous product analytics (page views, taps, screen flow) through PostHog to understand how the app and site are used. No identity attached. Full disclosure below.
Delete the app and the local data is gone with it. Anonymous analytics events already sent cannot be tied back to you.

What we collect

None of your finance data. None of your personal data. The app makes zero network calls about your transactions, debts, recurring entries, budgets, or categories — that content stays on your device in budget-planner.db and is never transmitted to us or anyone else. We also do not ask for, generate, or store your name, email, phone number, address, date of birth, government ID, IP address, precise location, or any other identifier that could be used to recognise you as a specific person.

Anonymous product analytics. Penno uses PostHog to collect aggregated, anonymous usage data — both on the website (getpenno.com) and inside the app. This helps us see which screens get used, which features matter, and where the experience breaks. Specifically:

Events: screen views, taps, navigation flow, app version, OS version, locale, device type.
No identity: we do not call PostHog's identify API. No person profile is created (personProfiles: 'identified_only'). PostHog auto-generates a random anonymous device ID stored locally — we cannot map it back to you, and you can reset it by deleting the app.
No PII: no email, no name, no phone number, no precise location, no IP address persisted on our side. PostHog discards IP after geo-resolution to country level.

We do not use Plaid, Firebase, Mixpanel, Amplitude, Segment, AdMob, Meta Audience Network, or any advertising / data-broker SDK. PostHog is the only third-party data collector in the binary, and its scope is described above.

You can independently verify what leaves the device. Apple's privacy report on your device will show outbound connections to r.getpenno.com (our PostHog reverse proxy) and to Apple's own services — nothing else.

What we store

Your budget data — categories, transactions, recurring entries, debts, debt payments, and settings — is stored locally on your device in a SQLite database file named budget-planner.db. This file lives in the Penno app container on your device.

Apple iOS will automatically include this app container in your iCloud Backup if you have iCloud Backup enabled on your device. This is iOS-level behavior, not something Penno controls. You can exclude Penno from iCloud Backup in your device's iCloud settings if you prefer.

Notifications

Penno schedules local notifications on your device — for example, a day-before reminder for a recurring charge, or a stale-debt nudge. These notifications are scheduled by the iOS notification system itself; they do not require a server-side push.

If you allow notifications during onboarding, the only data involved is the local schedule on your device. Nothing is transmitted to Penno or any third party.

Export and sharing

When you choose to export your data to a CSV or XLSX file through the in-app Export feature, the file is created on your device and then handed to the iOS system share sheet. From there, you choose where it goes — Files, iCloud Drive, email, AirDrop, or any other share target available on your device.

Penno itself does not send the file anywhere. The data leaves the app only when you explicitly direct it through the share sheet.

Third parties

We do not sell, lease, or share your finance data with anyone. We do not have your finance data; there is nothing to share.

The third parties involved in Penno's operation are:

Apple Inc. — hosts the app on the App Store and operates the underlying iOS platform. Governed by Apple's privacy policy.
PostHog Inc. — receives the anonymous product analytics described above. Data is hosted in PostHog's US Cloud and routed through our reverse proxy at r.getpenno.com. Governed by PostHog's privacy policy and their data processing addendum.

Cookies and tracking

The Penno landing page (getpenno.com) sets a small set of first-party cookies / local-storage entries used by PostHog to (a) tie events from the same browsing session together and (b) deduplicate visitor counts over time. These are not used for advertising and not shared with any advertising network. There are no third-party advertising cookies, no Facebook Pixel, no Google Ads tag.

The mobile app uses no advertising identifiers (no IDFA, no IDFA-equivalents). PostHog inside the app uses a random anonymous device ID stored in the app's own sandbox; it is reset when you delete the app.

Opting out: on iOS you can deny App Tracking Transparency consent and / or turn off analytics for individual apps via iOS settings. On the website you can use browser tools (Do Not Track, private mode, content blockers) to block requests to r.getpenno.com; the site remains fully functional without analytics.

Children

Penno is not directed to children. We do not knowingly collect any information from children. Because we do not collect information from anyone, this is the same statement that applies to every user — there is no special data path for children's data.

Your rights

Your finance data lives on your device, fully under your control. You can:

Edit any entry through the app's UI
Export all data via the in-app Export feature
Delete the app to remove all local data

For the anonymous PostHog analytics described above: because no identity is attached, we have no way to look up "your" events on the server side. You can, however, block analytics entirely:

Website: block requests to r.getpenno.com with your browser's content-blocker, use private / incognito mode, or enable Do Not Track.
App: deny App Tracking Transparency on first launch (when prompted) and / or revoke analytics consent through iOS Settings > Privacy & Security > Tracking. Deleting the app resets the anonymous device ID.

If you believe events from your specific device should be deleted on the PostHog side, contact us at the address below with the approximate time window and we will issue a data deletion request to PostHog. Because the events are anonymous we may not be able to isolate yours, but we will cooperate in good faith.

Changes to this policy

If we materially change this policy we will update this page and the effective date above. Material changes affect the data-handling practices of the app; non-material changes are clarifications or typo fixes.

Contact

Questions about privacy: support@getpenno.com.