01 · 30-day file retention
Uploaded resumes, generated artefacts, and intermediate files vanish thirty days after they are created.
02 · No PII in analytics
We track totals, not contents. The structured-log pipeline redacts the keys most likely to carry PII before any renderer sees them.
03 · LLM providers opted out of training
Every provider integration sends the vendor's documented training opt-out flag. Your inputs and the model outputs are not used to train future models.
04 · Waitlist
The waitlist signup keeps your email in two places: the waitlist_signups Postgres row and the Resend audience. We do not put it anywhere else — not in usage_events, not in Sentry breadcrumbs, not in any third-party analytics tool (we don't run one).
05 · Where your data lives
The full enumeration of third-party processors Penned routes personal information through. Each row records what we send, the processing region, retention window, and the opt-out or control surface available to you.
| Processor | What we send | Region | Retention | Opt-out / control |
|---|---|---|---|---|
| Clerk | email, full name, password (managed by Clerk), session tokens | Clerk default region | until account deletion + Clerk's 30-day retention | DELETE /v1/me anonymises the Penned-side user row; the Clerk account is the upstream identity record and remains until deleted via Clerk's user dashboard or API. Automatic Clerk cascade is a cycle-91+ candidate. |
| Supabase Postgres | applications, workflow_states, application_outputs, application_feedback, files (metadata) | ap-southeast-2 (Sydney) | 30 days for files (br-015); 7 years for payments (br-016); indefinite for users until deletion | RLS policies (br-059) |
| Supabase Storage | uploaded resumes (PDF/DOCX), JDs, generated artifacts | ap-southeast-2 | 30 days (br-015) | retention sweep nightly (Inngest) |
| Resend | transactional + waitlist emails (recipient + body) | EU + US | 30 days | DELETE /v1/me anonymises the Penned-side user row; broadcast Resend audiences (e.g. penned-beta-cohort) are NOT auto-removed today and the operator unsubscribes affected addresses on request. Automatic Resend-audience cascade is a cycle-91+ candidate. |
| Inngest | workflow event payloads (job_meta, fit_score, error messages) | US | 7 days | opted out of customer-content training |
| Sentry | exception traces, breadcrumbs, request metadata | US | 90 days | PII scrubbing enabled (send_default_pii=False); before_send filters |
| PostHog | structured analytics events (no resume content; no JD content per br-103) | US | 1 year | events scrubbed at emit per br-021 |
| Anthropic | resume text, JD text, intermediate workflow state (claude-opus-4-7 for state-1/2/4-11) | US | 30 days API logs | X-Anthropic-Do-Not-Train: true header attached to every request via the SDK default-headers (br-022) |
| OpenAI | resume + JD text (gpt-5.4 for state-3 devil's-advocate only) | US | 30 days API logs | OpenAI-Skip-Training: true header attached to every request via the SDK default-headers (br-022) |
| Vercel | request logs, deploy events, function execution metadata | global edge; primary US | 30 days | passes through; not a data processor in strict sense |
06 · Cross-border disclosure
Per Australian Privacy Principle 8 (cross-border disclosure of personal information), Penned discloses that Anthropic, OpenAI, PostHog, Sentry, Resend, and Inngest are all US-based processors. The operator has a reasonable belief that each of these processors complies with privacy frameworks substantially similar to the Australian Privacy Act, based on each vendor's published Data Processing Addendum and contractual commitments. The operator monitors this position; if substantial-similarity status materially changes for any processor, this disclosure will be updated and affected users notified by email.