Last updated July 10, 2026

Privacy Policy

Effective date: July 10, 2026 · Last updated: July 10, 2026

The short version: Penny gives you an anonymous account by default — when you first open the app we create an account with a random identifier, and we never ask for your email, name, or password. Your chats with AI characters are sent to our AI service providers to generate the character's replies, images, and voice messages, and are processed by our analytics tooling for quality, safety, and abuse monitoring. We do not use your chats to train our own AI models, and we do not sell your personal information. To measure our ad campaigns we share limited app-usage events and identifiers with Meta; your device's advertising identifier is included only if you explicitly allow tracking when iOS asks. You can delete your account and its data in the app at any time (Settings → Delete Account). Penny is for adults only — you must be 18 or older to use it.

This Privacy Policy explains in detail what information Penny Labs LLC ("Penny Labs," "we," "us") collects when you use the Penny iOS app and related services (together, the "Service"), how we use and share it, and the choices and rights you have. This policy is incorporated into our Terms of Service. If you do not agree with it, please do not use the Service.

1. Who We Are

Penny Labs LLC is a company based in the United States. For purposes of the EU and UK General Data Protection Regulation, Penny Labs LLC is the data controller of the personal information described in this policy; under US state privacy laws, we are the "business." This policy covers the Penny iOS app, our website at pennylabs.net, and the backend services that power them.

For any privacy question or request, contact us at [email protected].

2. Information We Collect

Information you provide

  • Account basics. Penny accounts are anonymous by default. When you first launch the app, we automatically create an account for you under a randomly generated identifier — we do not collect your email address, real name, or a password. You then choose a username and may optionally upload an avatar image.
  • Date of birth. We ask for your date of birth during onboarding to verify that you are at least 18 years old. See Children's Privacy.
  • Chat messages. The messages you send to AI characters, including edits, reactions, and regeneration requests. Your conversation history is stored so your chats persist across sessions and characters can maintain context.
  • Personas. Optional profiles you write to describe the identity you adopt in chats. Personas can include whatever details you choose to add, such as a name, age, gender, pronouns, appearance details, occupation, a short bio, and an avatar.
  • Preferences and activity. Characters you favorite or like, chat customization choices, content preferences selected during onboarding, and in-app settings.
  • Communications. Anything you send us directly, such as feedback or support emails, and the optional reason you give if you delete your account.

A note on what you type in chats: your messages may contain anything you choose to share. Please do not share sensitive personal information in your conversations — for example health or medical details, government identification numbers, financial account details, precise location, or similar information about yourself or anyone else. Chats exist for entertainment roleplay with fictional AI characters; they are not a place for information you would not want processed by the systems described in this policy.

Information created when you use the Service

  • AI-generated content. Images and voice messages generated by characters in your chats are stored and associated with your account so you can view and replay them.
  • Usage and analytics data. Events describing how the app is used — screens viewed, features used, onboarding steps completed, session counts, and crash or error reports that help us fix bugs.
  • Device information. Device model, iOS version, and app version.
  • Coarse location. A one-time, IP-derived approximate location collected when verifying a marketing-campaign visit — country, region, city, postal code, and the approximate coordinates associated with your IP address — together with your IP address and device details (brand, model, and operating-system information), used solely for ad-campaign attribution. We never access GPS or request location permissions.
  • Push notification token. If you enable notifications, a device token that lets us deliver them. Declining or disabling notifications means no token is collected.
  • Subscription status. Whether you have an active Penny Pro subscription and related receipt data from Apple, managed through RevenueCat. Apple processes all payments; we never receive your payment card details.
  • Advertising identifier (IDFA). Only if you grant permission through Apple's App Tracking Transparency prompt. If you decline, we do not collect or use your advertising identifier. See Analytics, Advertising & Tracking.

Voice input

If you use the hold-to-talk feature, your speech is converted to text using Apple's speech-recognition service, which may process the audio on your device or on Apple's servers depending on your device and language settings. Penny receives only the resulting transcribed text, which becomes a normal chat message. We do not receive or store audio recordings of your voice.

What we do not collect

  • No email address, real name, phone number, or password (unless you choose to email us).
  • No precise GPS location.
  • No contacts, and no access to your photo library beyond the specific images you choose to upload as an avatar or the photos you choose to save to your camera roll.
  • No browsing or activity data from other apps or websites, unless you opt in to tracking via App Tracking Transparency as described below.

3. How We Use Your Information

  • To provide the Service. Generating character replies, images, and voice messages; maintaining your conversation history and context (including memory features that let characters reference things you told them earlier); operating personas, favorites, galleries, and chat customization.
  • To run your account and subscription. Creating and maintaining your anonymous account, enforcing the 18+ age gate, checking subscription entitlements, and honoring free-tier limits.
  • To improve and debug the app. Analyzing aggregate usage, diagnosing crashes and errors, and understanding which features work.
  • For safety and abuse prevention. Monitoring for content that violates our Terms of Service or the law, preventing fraud and abuse of generation limits, and enforcing our policies. Automated systems may scan prompts and AI outputs for prohibited content.
  • To send notifications, if you enable them.
  • For marketing attribution. Measuring whether our ad campaigns work, using the one-time coarse location check described above and, only with your App Tracking Transparency consent, the advertising identifier.
  • To comply with law and respond to lawful requests.

Model training: Penny Labs does not use your chat content to train its own AI models. Your messages are sent to our AI providers solely to generate responses to you, as described in the next section. This matches the commitment in our Terms of Service.

4. AI Processing of Your Chats

Penny is an AI app: character replies, images, and voice messages are produced by machine-learning models operated by third-party providers. To make that work, the content of your conversations is transmitted to those providers when you use the corresponding feature:

  • Text replies: your chat messages, relevant conversation history, and active persona details are sent to OpenRouter, which routes them to its underlying AI model providers to generate the character's response.
  • Images: when you request a photo in chat, a prompt derived from the conversation is sent to Runware to generate the image.
  • Voice messages: character message text is sent to DeepInfra to synthesize speech in the character's voice.
  • Quality and abuse monitoring: chat prompts and AI responses, along with model, token, and cost metadata, are processed through PostHog's LLM analytics so we can monitor response quality, generation costs, errors, and abuse.

These providers process your content on our behalf to deliver the Service. Penny Labs does not use your chats to train AI models, and we send chat content to providers only to generate responses and operate the Service — not for the providers' independent advertising or marketing purposes. By using Penny's chat, image, and voice features you consent to this processing; if you do not want your messages processed by AI providers, do not use the Service, since AI generation is the core of what Penny does.

5. How We Share Information

We do not sell your personal information, and we share it only as described here. We use the following service providers, each bound by agreements requiring them to protect your information and to use it only to provide their services to us:

  • Supabase — authentication and our primary database (accounts, chats, personas, preferences).
  • Cloudflare — hosting of our backend, content delivery, and storage of media such as avatars and generated images and audio.
  • OpenRouter and its underlying model providers — generation of AI text responses (see AI Processing).
  • Runware — AI image generation.
  • DeepInfra — text-to-speech generation of character voice messages.
  • PostHog — product analytics, crash and error reporting, and LLM analytics for chat quality, cost, and abuse monitoring. Session replay is disabled — we do not record your screen.
  • RevenueCat — subscription management and entitlement checks; receives Apple receipt data, your account identifier and username, device information and identifiers, your push token if notifications are enabled, the Facebook SDK's anonymous ID, and, if applicable, Apple's privacy-preserving Search Ads attribution token.
  • Apple — App Store distribution and all payment processing. We never receive your payment card details.
  • Meta (Facebook SDK) — ad-campaign measurement and attribution. The SDK logs app events (such as installs, app launches, and purchases) together with an app-scoped anonymous ID, your account identifier, and — if you enable notifications — your push token. Your device's advertising identifier (IDFA) is collected and shared only after you grant App Tracking Transparency consent (see the next section).
  • geolocation-db.com — a one-time IP-based lookup of approximate location used to verify marketing-campaign attribution (see "Coarse location" above for what this includes).

We may also disclose information: (a) to comply with law, regulation, legal process, or enforceable governmental request; (b) to enforce our Terms of Service and investigate potential violations; (c) to detect and prevent fraud, security issues, or harm to the rights, property, or safety of Penny Labs, our users, or the public; and (d) in connection with a merger, acquisition, financing, or sale of assets, in which case the successor remains bound by commitments at least as protective as this policy and we will notify you of any such change.

6. Analytics, Advertising & Tracking

Analytics. We use PostHog as our first-party analytics service to understand feature usage, measure onboarding and paywall performance, count sessions, and capture crash and error reports. Analytics events are associated with your random account identifier, username, signup date, and device model. Session replay is disabled: we do not record video of your screen or your keystrokes.

App Tracking Transparency (ATT). Penny does not track you across other companies' apps and websites unless you explicitly allow it. If iOS presents the tracking prompt and you tap "Allow," we collect your device's advertising identifier (IDFA) and share it with Meta to measure which of our ad campaigns brought you to Penny; the identifier is also attached to our analytics for the same attribution purpose. If you tap "Ask App Not to Track" — or never see the prompt — the Facebook SDK's advertiser ID collection stays off and no advertising identifier is collected or shared. Note that the app-event logging described in How We Share Information occurs regardless of your ATT choice, but it never includes your advertising identifier without your consent. You can revoke consent at any time in iOS Settings → Privacy & Security → Tracking; from that point, collection stops.

Apple Search Ads. If you found Penny through an Apple Search Ads placement, we may receive Apple's privacy-preserving attribution token (via RevenueCat) confirming the campaign. This token does not identify you and does not require ATT consent.

Do Not Track and Global Privacy Control. The Penny app is not a web browser and does not respond to browser-based Do Not Track or Global Privacy Control signals. The controls that govern tracking in Penny are the ATT prompt and iOS tracking settings described above, and the opt-out rights in Section 10.

7. Data Retention & Deletion

We keep your information for as long as your account is active, so your chats, personas, generated media, and settings are there when you return.

Deleting your account. You can delete your account directly in the app at any time: Settings → Delete Account. You can also request deletion by emailing [email protected]. When your account is deleted, we delete or de-identify the personal information associated with it — including your account record, chat history, personas, and stored media — and instruct our service providers to do the same for data they hold on our behalf.

Limited exceptions apply: we may retain specific information where required by law (for example, transaction records for tax and accounting purposes), where needed to resolve disputes, enforce our agreements, or prevent fraud and abuse (for example, evidence of serious Terms violations), and residual copies may persist in encrypted backups for a limited period until those backups are purged on their normal cycle. De-identified or aggregated data that can no longer be linked to you may be retained for analytics.

Revoking consent. Consent-based processing can be withdrawn at any time without deleting your account: disable tracking in iOS Settings → Privacy & Security → Tracking, and disable notifications in iOS Settings → Notifications.

8. Your Privacy Rights & Choices

Regardless of where you live, we extend these rights to all Penny users:

  • Access — ask what personal information we hold about you and receive a copy.
  • Correction — fix inaccurate information (your username, avatar, and personas can be edited directly in the app).
  • Deletion — delete your account and associated data in-app or by email, as described in Section 7.
  • Portability — receive an export of the information you provided, in a commonly used format.

To exercise any right, use the in-app controls or email [email protected]. Because accounts are anonymous, we verify requests by confirming control of the account making the request (for example, by asking you to submit the request from within the app or provide information only the account holder would know). We respond within the timelines required by applicable law — generally within 30 to 45 days. An authorized agent may submit a request on your behalf with proof of authorization. We will never discriminate against you for exercising your privacy rights.

9. European Privacy Rights (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on these legal bases:

  • Performance of a contract (Art. 6(1)(b)) — operating your account and delivering the Service, including transmitting your chats to AI providers to generate responses, storing your conversation history, and managing subscriptions.
  • Legitimate interests (Art. 6(1)(f)) — product analytics, debugging and crash reporting, service improvement, securing the Service, and detecting and preventing fraud, abuse, and content that violates our Terms. We balance these interests against your rights and use the least data necessary.
  • Consent (Art. 6(1)(a)) — tracking via the advertising identifier (ATT), push notifications, and any other optional processing we ask you about. You can withdraw consent at any time as described in Section 7, without affecting the lawfulness of processing before withdrawal.
  • Legal obligation (Art. 6(1)(c)) — retaining records and responding to lawful requests where required.

You have the rights of access, rectification, erasure, restriction of processing, data portability, and objection (including to processing based on legitimate interests), and the right to withdraw consent. We do not make automated decisions about you that produce legal or similarly significant effects. To exercise these rights, use the in-app controls or email [email protected]; we respond within one month. You also have the right to lodge a complaint with your local data protection supervisory authority, though we would appreciate the chance to address your concern first.

10. California & Other US State Privacy Rights

This section supplements the rest of the policy for residents of California (CCPA/CPRA) and other US states with similar privacy laws (such as Virginia, Colorado, Connecticut, and Texas). In the preceding 12 months (or since launch, if shorter) we have collected these categories of personal information:

  • Identifiers — random account identifier, username, push token, and (only with ATT consent) advertising identifier. Purpose: operating your account, notifications, ad attribution.
  • Personal information categories under Cal. Civ. Code §1798.80(e) — date of birth. Purpose: 18+ age verification.
  • Commercial information — subscription status and Apple receipt data. Purpose: managing your subscription.
  • Internet or electronic network activity — app usage events, device model, OS and app version, crash data. Purpose: analytics, debugging, service improvement.
  • Coarse geolocation — one-time IP-derived approximate location (country, region, city, postal code, approximate coordinates) and IP address. Purpose: marketing-campaign attribution.
  • Audio, electronic, or visual information — your uploaded avatar and the AI-generated images and voice messages in your chats. Purpose: providing the Service.
  • User content — chat messages, personas, favorites. Purpose: providing the Service, safety, and abuse prevention.

Sources: you, your device, Apple, and our service providers. Recipients: the service providers listed in Section 5, each for the stated purpose.

Sale and sharing. We do not sell personal information, and we have not sold it in the preceding 12 months. Under the CPRA's definition of "sharing" (disclosure for cross-context behavioral advertising), our disclosures to Meta for ad-campaign measurement may qualify: app-usage events and identifiers are sent to Meta as described above, and if you grant App Tracking Transparency consent, your advertising identifier is shared with Meta for ad-campaign attribution. You can opt out of this sharing at any time by declining the ATT prompt, revoking consent in iOS Settings → Privacy & Security → Tracking, or emailing [email protected]. We do not share any other personal information for advertising, and we do not knowingly sell or share the personal information of anyone under 16.

Sensitive personal information. We collect your date of birth for age verification, and your chats may incidentally contain sensitive information you choose to type. We use such information only to provide the Service and for the safety purposes described above — we do not use it to infer characteristics about you, so no "Limit the Use of My Sensitive Personal Information" mechanism is required. We again encourage you not to include sensitive details in chats.

California residents have the rights to know/access, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and not be discriminated against for exercising these rights. Exercise them in-app (Settings → Delete Account for deletion) or by emailing [email protected]. Verification and authorized-agent procedures are described in Section 8.

11. International Data Transfers

Penny Labs is a US company, and your information is processed and stored in the United States, where privacy laws may differ from those in your country. If you use the Service from outside the US, your information is transferred to the US. For users in the EEA, UK, and Switzerland, we rely on appropriate safeguards for such transfers — including standard contractual clauses and equivalent contractual protections in our agreements with service providers — where applicable law requires them.

12. Children's Privacy

Penny is an adults-only service. It is not directed to, and may not be used by, anyone under 18. We enforce this with a date-of-birth age gate during onboarding, and our Terms of Service require every user to be at least 18.

We do not knowingly collect personal information from anyone under 18, and under no circumstances from children under 13 (consistent with COPPA). If we learn that an account belongs to someone under 18, we will terminate the account and delete its data promptly. If you are a parent or guardian and believe a minor has created an account or provided us personal information, contact [email protected] and we will delete it.

13. Security

We use reasonable technical and organizational measures to protect your information, including encryption in transit (TLS) for all communication between the app and our servers, access controls that restrict who and what can read your data (database rows are protected by per-user access rules), and media files stored under user-scoped keys with long, unguessable identifiers. Our service providers are selected and contracted with security obligations appropriate to the data they handle.

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. If a breach affecting your personal information occurs, we will notify you and the relevant authorities as required by applicable law.

14. Changes to This Policy

We may update this Privacy Policy as the Service, our providers, or the law changes. When we do, we will revise the "last updated" date at the top. If a change is material, we will give you advance notice in the app before it takes effect. Your continued use of the Service after a change takes effect means you accept the updated policy; if you do not, you can stop using the Service and delete your account at any time.

15. Contact Us

Questions, concerns, or requests about this policy or your personal information:

We aim to respond to every privacy inquiry promptly, and within the timelines required by law.