Last Updated: January 2026

At Penny, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our service.

1. Information We Collect

Account Information

When you create a Penny account, we collect:

  • Email address
  • Name (if provided through your authentication provider)
  • Timezone preference

Bank Account Information

Through our integration with GoCardless Open Banking, we collect:

  • Bank account name (as provided by your bank)
  • Account currency
  • Current account balance
  • GoCardless account and requisition identifiers
  • Connection status and expiry dates

Important: We never collect or store your bank login credentials. Authentication happens directly between you and your bank through the Open Banking framework.

Notification Configuration

We store your notification preferences:

  • Notification channels (email, Discord webhook URLs)
  • Scheduled notification time
  • Channel enable/disable status

Service Logs

We automatically collect:

  • Notification delivery status (success/failure)
  • Error messages for troubleshooting
  • Timestamps of service operations

We do not track your browsing behaviour, use analytics tools, or employ session replay technology.

2. How We Use Your Information

We use your information solely to:

  • Deliver the Service: Retrieve your bank balance and send daily notifications
  • Communicate: Send service updates, security alerts, and re-authorisation reminders
  • Maintain Security: Detect and prevent unauthorised access
  • Improve Reliability: Troubleshoot errors and improve service stability
  • Comply with Law: Meet legal obligations under UK financial services and data protection regulations

We will never:

  • Sell your personal information to third parties
  • Use your data for advertising or marketing purposes
  • Share your balance information with anyone except you
  • Track your behaviour across other websites

We process your personal data under the following legal bases:

  • Contract: To provide the service you've signed up for
  • Consent: For optional features like Discord notifications (you can withdraw consent at any time)
  • Legitimate Interests: To improve service reliability and security
  • Legal Obligation: To comply with UK financial services regulations and data protection laws

4. Third-Party Services

We share your data only with service providers essential to operate Penny:

GoCardless

  • Purpose: Bank account connection and balance retrieval via Open Banking
  • Data Shared: Account identifiers and connection status
  • Location: UK/EU
  • Their Role: Regulated Open Banking provider (authorised by the UK Financial Conduct Authority)

Clerk

  • Purpose: User authentication and account management
  • Data Shared: Email address and authentication tokens
  • Location: Primarily EU/UK data centers
  • Their Role: Identity and access management provider

Resend

  • Purpose: Email delivery for notifications and service communications
  • Data Shared: Email address and notification content
  • Location: EU-based infrastructure
  • Their Role: Transactional email service

Neon

  • Purpose: Database hosting
  • Data Shared: All account, bank, and notification data
  • Location: EU data centers
  • Their Role: PostgreSQL database provider

5. Data Storage and Security

Where We Store Your Data

  • Database: Hosted in EU data centers (Neon)
  • Email Infrastructure: EU-based servers (Resend)
  • Authentication: EU/UK regions (Clerk)

All your data remains within the UK and European Union.

How We Protect Your Data

  • All data encrypted in transit using TLS/HTTPS
  • Database encryption at rest
  • Access controls and authentication on all systems
  • Regular security monitoring
  • Minimal data retention (see below)

Data Retention

  • Notification logs: Automatically deleted after 30 days
  • Balance history: Only current and previous balance stored (no historical archive)
  • Account data: Retained while your account is active
  • Deleted accounts: All data permanently deleted within 7 days of account deletion

We do not create or maintain backups of deleted data.

6. Your Rights (UK GDPR)

Under UK data protection law, you have the right to:

Access

Request a copy of all personal data we hold about you. We will provide this in a structured, commonly used format.

Rectification

Correct any inaccurate or incomplete information in your account settings.

Erasure (Right to be Forgotten)

Request deletion of your account and all associated data. We will permanently delete all your information within 7 days.

Restriction

Request we limit processing of your data in certain circumstances.

Data Portability

Receive your data in a portable format to transfer to another service.

Object

Object to processing based on legitimate interests.

Withdraw Consent

Withdraw consent for optional features (like Discord notifications) at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at penny@cording.dev.

We will respond to all requests within 30 days.

7. Cookies

Penny uses minimal cookies necessary for the service to function:

Essential Cookies

Clerk (our authentication provider) sets cookies in your browser to:

  • Keep you logged in across sessions
  • Maintain session security
  • Prevent cross-site request forgery (CSRF) attacks

These cookies are essential for the service to work and cannot be disabled.

No Tracking Cookies

We do not use:

  • Analytics or tracking cookies
  • Advertising cookies
  • Third-party tracking scripts
  • Session replay or behaviour tracking tools

8. Open Banking and PSD2 Compliance

Penny operates under the UK's Open Banking framework, implementing the Second Payment Services Directive (PSD2). This means:

  • We access your bank data with your explicit consent through a regulated provider (GoCardless)
  • We can only read balance information—no transaction details, no payment capabilities
  • Bank connections automatically expire after 90 days maximum for your security
  • You can revoke access at any time through Penny or directly through your bank's Open Banking management interface
  • Your bank is required to provide secure authentication for the connection

9. Children's Privacy

Penny is not intended for use by anyone under 18 years of age. We do not knowingly collect information from children. If we discover we have collected data from someone under 18, we will delete it immediately.

10. Data Breaches

In the unlikely event of a data breach affecting your personal information:

  • We will notify you via email within 72 hours of becoming aware
  • We will report to the UK Information Commissioner's Office (ICO) as required by law
  • We will take immediate steps to secure our systems and prevent further breaches
  • We will provide clear information about what data was affected and what steps you should take

11. International Data Transfers

Your data is stored and processed exclusively within the United Kingdom and European Union. We do not transfer personal data outside these regions.

If our infrastructure changes in future to include services outside the UK/EU, we will:

  • Update this Privacy Policy with advance notice
  • Ensure adequate protections through UK GDPR-approved mechanisms
  • Provide you with the option to withdraw consent if you're uncomfortable with the changes

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

When we make changes:

  • We'll update the "Last Updated" date at the top of this page
  • We'll notify you via email at least 30 days before material changes take effect
  • Continued use of Penny after changes take effect means you accept the updated policy

We will never reduce your privacy protections without giving you the option to delete your account first.

13. Your Choices

You have control over your data:

  • Notification Channels: Enable or disable channels at any time from your dashboard
  • Notification Schedule: Change your notification time whenever you like
  • Bank Connection: Disconnect your bank account from your dashboard or revoke access through your bank
  • Account Deletion: Permanently delete your account and all data at any time

14. Contact Us

For privacy questions, data requests, or to exercise your rights:

Email: penny@cording.dev
Website: Penny.co.uk/privacy

Complaints

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have mishandled your personal data:

UK Information Commissioner's Office
Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We encourage you to contact us first so we can try to resolve any concerns directly.

15. Transparency Promise

This Privacy Policy is written in plain English because we believe you deserve to understand exactly how your data is used. If anything is unclear, please ask us at penny@cording.dev and we'll be happy to explain.