Privacy Policy

Privacy Policy

Effective Date: February 24, 2026

This Privacy Policy (“Policy”) describes how Peny, LLC (“Peny”) collects, uses, shares, and safeguards Personal Information when you use the Peny communication platform (the “Platform”).

This Policy is part of Peny's broader legal framework, which includes the Master Services Agreement ("MSA") and Terms of Use ("Terms of Use"), each available at penyapp.com/legal. If you are a Customer or Authorized User acting on behalf of a local government, your use is also governed by a separate agreement with Peny. In the event of conflict, that agreement will control.

By accessing or using the Platform, you consent to the practices described in this Policy.

Capitalized words or phrases used in headings, titles, or section labels are formatted for readability only and are not intended to indicate defined terms unless explicitly stated. Certain other capitalized terms, such as Customer Data and AI Interactions, are defined in Peny's Terms of Use.

With respect to data that Customers or their Authorized Users submit or collect through the Platform, Peny acts as a service provider on the Customer's behalf. Customers determine what information is collected from Residents through forms, submissions, and other Platform features. Peny processes such information only as necessary to provide the Platform and related services. With respect to Resident Account Data, such as name, email address, and home address collected during account creation, and information collected automatically through Platform use, such as device type, IP address, and usage activity, Peny acts as an independent data controller.

Scope and Application

This Policy applies to:

Residents who access or interact with content from one or more Customers using the Platform,
Authorized Users designated by a Customer to manage or publish content,
Visitors to Peny’s public website.

This Policy does not apply to third-party websites, tools, or services linked to or accessed through the Platform. Peny is not responsible for the privacy practices of such third parties.

This Policy also applies to content submitted by individuals through the Platform, including AI Interactions and Resident Submissions, as defined in Peny's Terms of Use.

Defined Terms

Authorized User: An individual designated or permitted by a Customer to access or use the Platform on the Customer's behalf, including elected officials, employees, officers, contractors, or partners acting within the scope of their authority.
Customer: A local government entity (such as a city, county, or other governing body) that subscribes to the Platform and manages its own account and Authorized Users.
Personal Information: Any information that identifies, relates to, describes, or can reasonably be associated with or linked to an individual, such as name, email address, home address, profile photo, IP address, or location data.
Resident: A member of the public who accesses the Platform to view content, ask questions, or engage with information and features made available by a local government through the Platform.

Information Peny Collects

Peny may collect the following categories of information, depending on your role and how you use the Platform:

Account and Contact Information: For Authorized Users and Customers, Peny may collect name, email address, phone number, job title, organization, and similar information provided during account setup or platform use. For Residents, Peny collects the following information during account creation: name, email address, and home address. Residents may also optionally provide a profile photo and may provide additional information voluntarily when submitting questions, comments, or other content through the Platform. If you use the Platform without creating an account, Peny does not collect Account or Contact Information unless you voluntarily provide identifying information during an AI conversation or other interaction.
AI Interactions: Private conversations between an individual and the Platform's AI features, whether or not the individual has created an account. AI Interactions are not shared with any Customer unless the individual explicitly chooses to do so, at which point the shared content becomes a Resident Submission. AI Interactions from unauthenticated users are stored by Peny but are not associated with an identified individual unless the user voluntarily provides identifying information within the conversation.
Cookies and Tracking Technologies: See Section 9 for more information.
Financial Information: Peny does not collect, store, or process payment card numbers, bank account information, or other financial account data. If payment functionality is offered through the Platform, such transactions are processed by third-party payment providers and are subject to those providers' terms and privacy policies.
Location Data: Peny may collect approximate location data based on IP address. If Residents or Authorized Users grant permission through their device settings, Peny may also collect precise geolocation data, such as GPS coordinates, to support location-based features including targeted notifications, geographic content relevance, route-based alerts, and other municipal communication functions. Geolocation data is collected only with the consent of the individual and may be used to improve the relevance and timeliness of content delivered through the Platform. Peny does not sell location data or share it with third-party advertisers.
Resident Submissions: Content directed to a Customer through the Platform. This includes form submissions, which are automatically delivered to the applicable Customer, and AI conversations the Resident explicitly chooses to share. Once directed to a Customer, this content may be accessed and managed by that Customer.
Third-Party Sources: Peny may receive information from third-party services that integrate with the Platform at the direction of a Customer, such as authentication providers or external data sources. Peny processes such information in accordance with this Policy.
Usage Data: Device type, IP address, browser type, operating system, and pages or features accessed. This includes logs, timestamps, and interaction data. This data is collected from all users of the Platform, including those who do not create an account.

The Platform is not intended for individuals under the age of 16. Peny does not knowingly collect Personal Information from children under 16. Peny does not collect date of birth, age, or similar demographic information during account creation and does not independently verify the age of any person accessing the Platform. If Peny becomes aware that Personal Information has been collected from a person under 16 without parental consent, or from a person under 13 regardless of consent, Peny may delete that information and terminate the associated account.

How Peny Uses Information

Peny uses the information Peny collects for the following purposes:

To provide, maintain, and operate the Platform and related services,
To deliver notifications, confirmations, or responses related to submitted content,
To communicate with Customers and Authorized Users,
To respond to questions or feedback submitted by Residents,
To analyze usage trends and maintain system performance,
To comply with legal obligations, including those related to public records or accessibility,
To detect and prevent fraud, abuse, or technical issues.

AI-Generated Responses

The Platform includes an AI assistant that generates responses using content supplied or authorized by Customers. These responses are for general informational purposes only and may be incomplete, outdated, or inaccurate. Peny does not independently verify the accuracy of AI-generated responses and disclaims any liability for reliance on them. Peny does not provide legal, financial, emergency, professional, or official government advice through automated tools.

For more detail on AI-generated content, including disclaimers, emergency limitations, and liability, see Section 7 of Peny's Terms of Use.

How Peny Shares Information

Peny may share Personal Information in the following limited circumstances:

With the applicable Customer: Resident Submissions are shared with the applicable Customer as described in Section 3. AI Interactions that have not been shared by the Resident remain private. Once a Resident Submission reaches a Customer, that Customer may use, retain, or disclose the content in accordance with its own policies and applicable law.
With service providers: Peny may share information with trusted third-party vendors who help operate or improve the Platform (e.g., cloud hosting, analytics, customer support, security). These providers are contractually required to use Personal Information only as necessary to deliver services on Peny's behalf.
For legal compliance: Peny may disclose information if required by law, regulation, subpoena, or valid governmental request.
To protect rights and safety: Peny may share information to detect, investigate, or prevent security issues, fraud, or abuse, and to enforce Peny’s legal rights.
In connection with a business transaction: If Peny is involved in a merger, acquisition, reorganization, or sale of assets, Personal Information may be transferred as part of that transaction. In such event, the acquiring entity will be subject to the terms of this Policy with respect to any Personal Information transferred.

Peny does not share Personal Information for cross-context behavioral advertising. Peny does not sell Personal Information. Depending on your state of residence, you may have additional rights regarding your Personal Information under applicable consumer privacy laws. To exercise any such rights, contact Peny at the contact information in Section 10. Peny will process your request in accordance with applicable law.

Platform Insights and Aggregated Usage

Peny may collect and analyze usage patterns, feature interactions, and anonymized or aggregated data across the Platform to maintain service quality, enhance the Platform experience, and better understand how Residents and Customers engage with the Platform. This may include submission frequency, feature usage trends, or general engagement metrics, but not information that identifies any individual.

Peny may also provide aggregate engagement reports to Customers to help them understand patterns of community interaction. These reports do not include Personal Information.

Data Retention and Security

Peny retains Personal Information only as long as necessary to fulfill the purposes described in this Policy or to comply with applicable law.

Breach Notification: In the event of a security incident involving unauthorized access to or disclosure of Personal Information, Peny will notify affected parties in accordance with applicable breach notification laws.
Customer Departure. If a Customer terminates its relationship with Peny, Resident Submissions directed to that Customer will be handled in accordance with the applicable Master Services Agreement. Resident Account Data and AI Interactions that are not specific to a single Customer will remain under Peny's control and subject to this Policy. Peny will not delete a Resident's account solely because a Customer the Resident followed has left the Platform.
Deletion: Residents may request deletion of their account and all associated data by contacting Peny. Peny does not offer deletion of individual records, submissions, or conversations separate from account deletion. Deletion requests will be processed in accordance with applicable law, subject to any legal retention requirements, anonymization or aggregation that has already occurred, or operational needs of the Platform. If you use the Platform without an account, Peny cannot process individual data access or deletion requests because there is no account or verified identity to associate with your activity.
Retention: Data submitted through the Platform may be retained until deleted by the Resident, by Peny, or at the request of a Customer if the content falls under their domain. Certain submissions may also be retained to comply with records laws or internal system policies.
Security: Peny uses industry-standard safeguards, including encryption, access controls, and system monitoring, to protect data in transit and at rest.

While Peny strives to protect your data, no system can be guaranteed 100% secure. Peny encourages Customers, Authorized Users, and Residents to follow strong security practices, including safeguarding account credentials.

Peny's liability for any claim arising under this Policy is subject to the limitations and disclaimers set forth in Peny's Terms of Use, including the limitation of liability described therein.

Resident Submissions and Control

How Peny handles Resident Submissions and AI Interactions is described in Peny's Terms of Use. In the event of any conflict between this summary and the Terms of Use, the Terms of Use will control.

Resident Submissions remain under Peny's technical control unless formally incorporated into a Customer's internal records, at which point they become Customer Data governed by that Customer's obligations. Peny retains this control to operate the Platform, maintain system integrity, enforce policies, provide support, maintain and operate Platform features, and comply with legal obligations.

Resident Submissions directed to a Customer are managed by that Customer. If you have questions about a submission, contact the relevant local government directly. If you wish to delete your account and all associated data, you may contact Peny at the contact information in Section 10. Peny does not offer deletion of individual records, submissions, or conversations separate from account deletion. Requests to delete content will be honored only to the extent permitted by law. Peny is not responsible for content that has been accessed, archived, exported, or retained by a Customer, or that is subject to public records or legal retention obligations.

If you interact with the AI assistant without an account and choose to share a conversation with a Customer, it will appear as a guest submission. The Customer will be able to view the full conversation, including any personal information you voluntarily included. Peny cannot retrieve, modify, or delete anonymous shared conversations on an individual basis.

Public Records and Individual Rights

Customer Responsibilities: Customers are responsible for complying with applicable laws related to public records, privacy, and accessibility, including how data is collected, published, or archived on the Platform.
Deletion Requests: You may request deletion of your Personal Information by deleting your account as described in Section 7. For Personal Information contained in Resident Submissions directed to a Customer, contact the relevant local government directly. Peny processes requests in accordance with applicable privacy law. If you are an Authorized User, contact the Customer on whose behalf you act regarding account changes or deletion.
Public Records Requests: Some Resident content may be accessed or retained by Customers and may be subject to public records laws under their jurisdiction. Peny does not make legal determinations about what qualifies as a public record and is not responsible for compliance with such laws on behalf of any Customer. Peny is not a system of record or legal compliance service and does not guarantee the preservation, accessibility, or discoverability of content. Customers are solely responsible for determining whether supplemental records systems or compliance tools are necessary to meet their obligations.

Peny will cooperate with Customers in good faith to assist with data-related requests, provided such cooperation does not require Peny to make legal determinations, impose unreasonable operational burdens, or exceed a reasonable scope without separate written agreement.

If Peny receives a subpoena, court order, or other legal process seeking access to Personal Information, Customer Data, or Resident Submissions, Peny will notify the relevant Customer (unless prohibited by law) and provide a reasonable opportunity to object or seek protective relief before disclosure. Peny may charge reasonable fees for administrative costs incurred in responding to such requests.

Cookies and Analytics

Peny uses cookies and similar technologies to improve your experience, understand how the Platform is used, and support Platform functionality.

Analytics: Peny may also use session recording and error tracking tools to monitor Platform performance and monitor Platform performance and maintain the Platform experience. These tools record user interactions within the Platform, including clicks, scrolls, and navigation patterns, for both authenticated and unauthenticated users. These tools are configured to avoid capturing Personal Information where technically feasible, but may capture content displayed on screen during a session.
Cookies: These are small text files stored on your device. They help remember your preferences, keep you signed in, improve navigation, and maintain session continuity across the Platform.

You can modify your browser settings to block or delete cookies at any time. Disabling cookies may affect certain features or functions of the Platform.

Peny does not use cookies to track you across unrelated websites, and Peny does not work with third-party ad networks.

Changes and Contact Information

Peny may update this Policy from time to time to reflect legal, technical, or operational changes. Updated versions will be posted on the Platform and are effective upon posting.

Your continued use of the Platform after a Policy update constitutes your acceptance of the revised version. Peny encourages you to review this Policy periodically.

For questions or concerns about this Policy or Peny’s data practices, contact Peny at:

Peny, LLC

2326 Washington Boulevard, Ogden, UT 84401

privacy@penyapp.com

v.PP20260224