PenJot ("we", "us") transcribes images and PDFs of handwritten and printed notes
into Markdown and diagrams. This policy explains what we collect, how we use it,
and the choices you have. It applies to the PenJot website, dashboard, REST API,
MCP server, and inbound email service.
Information we collect
- Account & profile. Your name, email address, and a securely hashed password. Each account is given a unique inbound email address and a workspace name.
- Content you submit. The images and PDFs you upload, email, or send via the API or MCP, along with the Markdown transcriptions, titles, descriptions, and diagram sources we generate from them. Original files are stored so you can view and re-download them.
- Email ingestion data. When you forward notes to your PenJot address, we process the message and store identifiers (such as the message ID and a checksum) to route and de-duplicate it. If you restrict your inbox, we store the list of approved sender email addresses.
- Integrations. If you connect Dropbox, we store the OAuth access and refresh tokens, your Dropbox account email, and the destination folder so we can sync transcriptions on your behalf.
- Billing. If you subscribe to a paid plan, payments are handled by Stripe. We store your Stripe customer and subscription identifiers and your plan status, but we never see or store your full card number.
- API access. Tokens you create for the REST API and MCP server are stored only as a hashed digest, along with their name, scopes, and last-used time.
- Technical & session data. To keep your account secure we record session details such as IP address and browser user-agent. We also keep operational logs and per-transcription metadata (provider, model, and cost) for billing and reliability.
How we use your information
- To transcribe your notes and deliver the resulting Markdown and diagrams.
- To operate, secure, and improve the service and prevent abuse.
- To route inbound email to the correct account and honor your sender restrictions.
- To process payments, manage subscriptions, and track usage against plan limits.
- To sync transcriptions to integrations you have explicitly connected.
- To respond to support requests and send service-related notices.
AI transcription
The content you submit is sent to Anthropic's API to produce transcriptions. Anthropic
processes this content on our behalf to return a result and, per its terms, does not use
API inputs or outputs to train its models. We only send what is necessary to perform the
transcription you requested.
Service providers
We share data with a small number of providers strictly to run PenJot:
- Anthropic — AI transcription of your submitted content.
- Stripe — payment processing and subscription management.
- Dropbox — optional syncing of transcriptions, only if you connect it.
- Hosting & email infrastructure — to store data and deliver inbound and outbound mail.
We do not sell your personal information or your note content, and we do not share it for
advertising.
Data retention
We retain your account information and content for as long as your account is active.
Deleted artifacts are soft-deleted and removed in due course. When you close your account,
we delete or anonymize your personal data and content, except where we must retain limited
records (for example, billing history) to meet legal obligations.
Your choices & rights
- Access, correct, export, or delete your notes and account data from the dashboard, or by contacting us.
- Restrict who can email your inbox by enabling sender restrictions and managing approved senders.
- Disconnect integrations such as Dropbox at any time, which revokes the stored tokens.
- Revoke API and MCP tokens at any time.
Depending on where you live, you may have additional rights under laws such as the GDPR or
CCPA. Contact us to exercise them.
Security
We protect your data with encryption in transit, hashed passwords and API tokens, and
account-level access controls so your content is only visible within your own account.
No method of transmission or storage is perfectly secure, but we work to safeguard your
information.
Children
PenJot is not intended for children under 13, and we do not knowingly collect their
personal information.
Changes to this policy
We may update this policy from time to time. When we make material changes, we will revise
the "last updated" date above and, where appropriate, notify you.