# Privacy Policy
**Last updated:** May 2026
Pensum is operated by Product Experience Group ("we", "us", "our"). This policy describes how we handle your data when you use the Pensum Obsidian plugin, CLI, MCP server, website, and related services.
**The short version:** Your vault data stays on your device. We don't see it, store it, or process it. The only data that reaches our servers is your license key (for validation), payment metadata (when you subscribe), and the brief transit of content through our infrastructure when you actively use managed-mode AI features. We do not retain that content.
For a visual breakdown of exactly what data flows where, see [Architecture & data flow](/docs/how-it-works/architecture/).
## What stays on your device
- **Your entire vault.** All tasks, meeting notes, project files, wiki entries, and any other markdown content. Pensum reads and writes files in your vault locally. None of this data is transmitted to our servers.
- **Pensum's internal index** (`.pensum/index.json`). A local file Pensum maintains so it doesn't have to re-scan your whole vault every time you open it. It lives inside your vault and only moves between devices via whatever sync you already use (Obsidian Sync, iCloud, Syncthing, etc.).
- **API keys.** Your AI provider keys (Anthropic, OpenAI, Google Gemini, Deepgram) live in Obsidian's OS-backed keychain via the `SecretStorage` API. Pensum's plugin settings hold only the secret's name, never the key value itself. The keys are never transmitted to Pensum's servers; they are sent only to the corresponding AI provider when you use AI features.
- **Meeting recordings.** Audio files are stored locally in your vault. They are never sent to Pensum's servers.
## What leaves your device
### License validation
When you enter a Pro license key, the plugin sends your **license key** and a **random device ID** to our license server (`api.pensum.dev`) to verify your license. This happens on activation and approximately every 7 days. No vault data, file names, task content, or usage patterns are included in this request.
### AI provider calls (Pro BYO)
When you use AI features with your own API keys, your device sends data directly to the AI provider (Anthropic, OpenAI, Deepgram, or whichever provider you configure). This includes:
- **Smart Capture / Smart Triage:** task descriptions and your project list
- **Meeting transcription:** audio file sent to your chosen transcription provider (OpenAI Whisper, Deepgram, AssemblyAI)
- **Meeting summarization / action extraction:** transcript text sent to your chosen text-AI provider
- **Stub expansion:** wiki stub title and source context sent to your chosen text-AI provider
These calls go directly from your device to the provider. Pensum's servers are not involved. Your provider's privacy policy governs how they handle this data.
### AI provider calls (Pro All-in-One)
When you use AI features on the All-in-One plan, data is routed through our worker (`api.pensum.dev`), which calls the chosen provider with Pensum's keys. How that data is handled depends on the feature:
- **Text AI calls (Smart Capture, summarization, action extraction):** Prompts pass through our worker transiently and are sent to OpenAI or Anthropic. We do not store the prompt or response content. We log only billing metadata: account, model, timestamp, and a success/failure flag.
- **Transcription, audio under 20 minutes:** Audio is streamed through our worker directly to Deepgram. We do not write audio to disk on our side. The transcript is returned to your plugin and discarded from our worker's memory. We log only billing metadata: account, timestamp, and duration.
- **Transcription, audio over 20 minutes:** Audio is uploaded to a transient staging bucket (R2) with a 1-hour TTL backstop. Deepgram fetches it asynchronously. When Deepgram returns the transcript, we push it to your plugin, then delete both the audio and the transcript from our infrastructure immediately on receipt confirmation. Under normal conditions, audio is in our infrastructure for minutes, not hours.
Deepgram's data processing agreement specifies no model training on customer data and no retention beyond processing.
Visual diagrams of these flows are on the [Architecture & data flow](/docs/how-it-works/architecture/) page.
### Contact form and support
When you use the contact form or email support@pensum.dev, we receive your email address and message. These are used solely to respond to your inquiry. Support messages are stored for up to 90 days.
## Analytics
### License server
Our license server records server-side events for billing, abuse detection, and product analytics: license validations, subscription lifecycle, managed-mode AI calls, and transcription jobs. These events include account metadata (your account ID, plan, timestamps, success/failure, duration where applicable) but never include prompt text, transcript content, audio, task descriptions, or anything about how you use Pensum locally. Analytics data is stored inside our Cloudflare account using Cloudflare Workers Analytics Engine. No third-party analytics vendor receives this data.
### Marketing website
We use Cloudflare Web Analytics for the marketing site (pensum.dev). Cloudflare Web Analytics is cookie-free and does not track users across sites. It reports aggregated metrics (pageviews, referrers, country-level geography) and respects Do Not Track.
### Plugin
The Pensum plugin does not collect any telemetry or analytics. It does not bundle any analytics SDK. The plugin makes outbound network requests only for license validation (Pro users), managed-mode AI calls (Pro All-in-One users who choose managed mode), and plugin updates (handled by Obsidian's built-in update mechanism).
## Cookies
The Pensum website does not use tracking cookies. Essential cookies may be set by our infrastructure providers (Cloudflare) for security purposes (e.g., bot protection).
## Third-party services
| Service | What it receives | Their privacy policy |
|---|---|---|
| Anthropic | Text AI request content (when you use text AI features in either BYO or managed mode) | [anthropic.com/privacy](https://www.anthropic.com/privacy) |
| OpenAI | Text AI request content (when you choose OpenAI); transcription audio (when you use BYO transcription with OpenAI Whisper) | [openai.com/privacy](https://openai.com/privacy) |
| Deepgram | Transcription audio (when you use BYO Deepgram or managed-mode transcription) | [deepgram.com/privacy](https://deepgram.com/privacy) |
| Polar.sh | Payment information (when you purchase Pro) | [polar.sh/legal/privacy](https://polar.sh/legal/privacy) |
| Cloudflare | Web traffic (hosting, DNS, server-side analytics) | [cloudflare.com/privacypolicy](https://www.cloudflare.com/privacypolicy/) |
## Data retention
| Data | Retention |
|---|---|
| License records | Active for the duration of your subscription; deleted 90 days after cancellation |
| Contact form submissions | 90 days |
| License validation logs | 90 days (aggregated, no PII) |
| Vault data | Local to your device; we never have it |
## Your rights
You have the right to:
- **Access** any personal data we hold about you (limited to: license key, email from purchase, device IDs)
- **Delete** your data by emailing support@pensum.dev
- **Port** your vault data at any time (it's already markdown files on your device)
- **Opt out** of AI features (turn off in settings; no data sent to providers)
For EU/UK residents: you may exercise your rights under GDPR by contacting support@pensum.dev. Our merchant-of-record (Polar.sh) acts as data processor for payment information.
## Children
Pensum is not directed at children under 13. We do not knowingly collect data from children.
## Changes
We may update this policy. Material changes will be communicated via the Pensum plugin (update notes) and posted here. The "last updated" date at the top reflects the most recent revision.
## Contact
Product Experience Group
Email: support@pensum.dev