Privacy

Privacy Policy

How pencilit.in collects, uses, stores, and shares personal information. Last updated 27 May 2026.

Who we are

pencilit.in is operated from Australia and provides a multi-stakeholder scheduling and coordination platform for workspaces and the people they invite. In this policy, "we", "us", and "our" refer to the operator of pencilit.in. This policy explains what personal information we handle, why we handle it, and the choices you have. It is written to reflect the requirements of the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Information we collect

Account information: name, email address, hashed password, passkey credentials, and two-factor authentication settings. Workspace information: workspace name, membership roles, configuration, project metadata, stakeholder records you add, messages you send, internal notes, prerequisites, and audit history. Stakeholder information: contact details and responses provided by invited stakeholders so the workflow can collect availability, prerequisites, and confirmations. Billing information: subscription plan, billing contact, and the payment identifiers returned by our payment processor; we do not store full card numbers. Technical information: IP address, browser and device metadata, request logs, and minimal cookies required to keep you signed in and to protect the service.

How we use information

We use personal information to provide and secure the service, authenticate users, deliver invitations and notifications, run the scheduling and prerequisite workflow, generate finalisation summaries and exports, process subscription payments, prevent abuse, comply with our legal obligations, and respond to support requests. We do not sell personal information, and we do not use stakeholder responses or workspace content to train third-party AI models.

Data hosting and location

Production application data, including workspaces, projects, stakeholders, messages, and audit history, is stored in a managed PostgreSQL database hosted in Australia. We aim to keep primary application data resident in Australia. Limited operational data may be processed outside Australia by the sub-processors listed below where that is necessary to deliver the service (for example, transactional email delivery and payment processing).

Sub-processors we rely on

Stripe processes subscription payments and stores payment instruments on our behalf. Stripe handles cardholder data in accordance with PCI DSS; we only receive non-sensitive identifiers, subscription state, and invoice metadata. Resend delivers transactional email such as sign-in links, invitations, reminders, and finalisation notifications. Email content is limited to the information required for that message. We review our sub-processors before engagement and require them to handle personal information in line with this policy.

Cookies and similar technologies

We use first-party cookies that are strictly necessary to keep you signed in, remember your selected workspace, and protect the service from abuse. We do not use third-party advertising or cross-site tracking cookies. If we add optional analytics in the future, we will update this policy and provide controls before enabling them.

How we share information

Inside a workspace, information you add is visible to other members of that workspace according to their role. Stakeholders you invite see only the project information necessary for them to respond. We share information with sub-processors only to the extent needed to deliver the service. We may disclose information when we are required to by law, to enforce our Terms, or to protect the safety of users and the public.

Retention

We keep account, workspace, project, stakeholder, and audit records for as long as the workspace is active and for a reasonable period afterwards so that records can be restored, exported, or used to meet legal and tax obligations. Backups are retained on a rolling schedule and overwritten in the ordinary course. You can request deletion of your account or workspace data as described below.

Security

We use industry-standard controls including encryption in transit, password hashing, optional passkeys and two-factor authentication, workspace-scoped access, and audit logging on sensitive actions. No service can guarantee absolute security; if we become aware of a data breach likely to result in serious harm we will notify affected users and the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches scheme.

Your rights

Under Australian privacy law you can request access to the personal information we hold about you, ask us to correct information that is inaccurate, and complain if you believe we have mishandled your information. Workspace owners control most workspace content directly through the application. To make a privacy request, contact us using the details below; we will respond within a reasonable time, generally within 30 days. If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner at oaic.gov.au.

Changes to this policy

We may update this policy from time to time to reflect changes to the service or to legal requirements. When we make material changes we will update the date at the top of this page and, where appropriate, notify workspace administrators by email.

Contact us

For privacy questions, access requests, or complaints, contact us through the contact page. We will acknowledge your request and let you know how we will handle it.

Questions about how we handle your data?

If you have a privacy question, access request, or concern, get in touch and we'll respond.