Privacy Policy — Penlo

Privacy Policy

Sync, OCR, search, and export your Onyx Boox handwritten notes

Effective: March 24, 2026

1 Who We Are

Penlo is operated by Michał Włosik EFC, ul. Północna 16/5, 54-105 Wrocław, Poland (NIP: 8942747708). In this policy, "we", "us", and "our" refer to the operator. "You" and "your" refer to you, the user of the Penlo web application and associated services (collectively, the "Service").

2 What Penlo Does

Penlo is a web application that syncs handwritten notes from Onyx Boox e-ink tablets via cloud storage providers (Dropbox, OneDrive, and Google Drive), performs AI-powered OCR (optical character recognition) to convert handwriting to searchable digital text, and exports the results to destinations such as Notion, Obsidian-compatible Markdown, and plain text files.

When your Boox device saves a note as a PDF to your connected cloud storage, Penlo detects the change via webhooks, downloads the PDF, processes it through an AI model for handwriting recognition and text cleanup, and stores the resulting text in your Penlo account. Optionally, Penlo can auto-export the cleaned text back to your cloud storage or push it to Notion.

Penlo only accesses files in the specific folder you designate as your Boox sync folder. It does not browse, index, or read any other files in your cloud storage accounts.

3 Eligibility

Penlo is intended for users aged 16 and older. By using the Service, you confirm that you are at least 16 years of age. We do not knowingly collect data from anyone under 16. If we learn that a user is under 16, we will promptly delete their account and associated data.

4 Data We Collect

4.1 Account data

When you create an account, we collect:

  • Email address — used for authentication and account management.
  • Display name and profile photo — provided by Google if you sign in with Google OAuth; used for display within the application.
  • Password — if you sign up with email/password rather than Google OAuth, your password is securely hashed by Supabase Auth and never stored in plain text.
  • Authentication tokens — managed server-side via Supabase Auth to keep you signed in.

4.2 Cloud storage connection data

When you connect a cloud storage provider to sync your Boox notes, we store:

  • Dropbox — OAuth access and refresh tokens, account email, and token expiry time. Used exclusively to read PDFs from your designated Boox folder and optionally write exported text files back.
  • OneDrive — OAuth access and refresh tokens, account email, and token expiry time. Used exclusively to read PDFs from your designated Boox folder and optionally write exported text files back.
  • Google Drive — OAuth access and refresh tokens, account email, and token expiry time. Used exclusively to read PDFs from your designated Boox folder and optionally write exported text files back.

OAuth tokens are stored server-side and are never exposed in client-side code. Tokens are automatically refreshed when they expire. Penlo only accesses the specific sync folder you configure — it does not browse or read any other files in your cloud storage.

4.3 Notebook and note data

For each notebook synced from your Boox device, we store:

  • Notebook metadata — file path, display name, sync mode, sync timestamps, and archive/favourite status.
  • Note versions — a content hash (to detect changes), the PDF storage path, page count, OCR status, and an AI-generated summary.
  • PDF files — a copy of each synced PDF is stored in Supabase Storage so that OCR can be re-run and thumbnails generated.
  • OCR text and word coordinates — the transcribed text for each page, along with word-level bounding box coordinates for text overlay features.
  • Tags — user-created tags and (if enabled) AI-suggested tags applied to notebooks.

4.4 Destination connection data

  • Notion — if you connect Notion as an export destination, we store your Notion OAuth integration token and the selected parent page or database ID. Used exclusively to create or update pages containing your OCR text in your Notion workspace.

4.5 Settings and preferences

Your configuration choices are stored in your user profile on our server. These include: active sync provider, sync folder path, theme preference, OCR and AI processing toggles (auto-OCR, AI summaries, auto-tagging, text cleanup options), export format preferences (Markdown, plain text, Notion), and Obsidian vault configuration (vault name, subfolder).

4.6 API keys and webhook settings

If you use the Penlo REST API, we store:

  • API key — a securely hashed version of your API key and a visible prefix for identification. The full key is shown once at generation and is never stored or retrievable afterwards.
  • Webhook URL and signing secret — if you configure an outbound webhook, we store the endpoint URL and optional HMAC signing secret. Used to send a POST request with OCR results each time a note finishes processing.

4.7 Shared note links

If you create a shareable link for a notebook, a public access token is generated and stored. Anyone with this link can view the notebook's OCR text and thumbnail without logging in. You can revoke shared links at any time.

5 How We Use Your Data

  • Provide the service — authenticate your account, sync notes from your Boox device via cloud storage, perform OCR, and deliver results to your chosen destinations.
  • AI-powered OCR and text processing — relay PDF note content to Google Gemini for handwriting recognition, text cleanup (joining broken lines, fixing spelling, normalising formatting), and summary generation.
  • Auto-export — write Markdown, plain text, or Obsidian-formatted files back to your cloud storage, and/or push pages to Notion, based on your export settings.
  • Webhook delivery — send OCR results to your configured webhook URL for automation integrations (Make.com, Zapier, n8n, etc.).
  • API access — serve your notebook data and OCR text via the REST API when you authenticate with your API key.
  • Settings sync — persist your preferences and configuration across sessions.
  • Customer support — respond to enquiries sent to our contact email.

6 Third-Party Services

Penlo relies on the following third-party services to function:

Google Gemini — AI OCR and text processing
  • PDF note content is sent to Google's Gemini API via server-side edge functions for handwriting recognition, text cleanup, summary generation, and tag suggestion.
  • Content is processed in real time and is not permanently logged by us after processing.
  • Terms: ai.google.dev/terms
Supabase — Backend infrastructure
  • Handles user authentication (email/password and Google OAuth).
  • Stores account data, cloud storage connection tokens, notebook metadata, OCR text, settings, API keys, and webhook configuration.
  • Provides file storage for synced PDF notes and generated thumbnails.
  • Runs edge functions that power the OCR pipeline and webhook processing.
  • Hosted in the EU West region.
  • Privacy policy: supabase.com/privacy
Vercel — Frontend hosting
  • Hosts the Penlo web application (Next.js) and serves API routes for authentication, connection management, and data access.
  • Privacy policy: vercel.com/legal/privacy-policy
Dropbox — Optional cloud sync source and export destination
  • If you connect Dropbox, Penlo reads PDFs from your designated Boox folder and optionally writes exported text files back via the Dropbox API using OAuth tokens you have authorised.
  • We access only the specific folder you configure. We never read, browse, or index other files in your Dropbox.
  • Dropbox sends webhook notifications to Penlo when files change in your account, allowing real-time sync.
  • Privacy policy: dropbox.com/privacy
Microsoft OneDrive — Optional cloud sync source and export destination
  • If you connect OneDrive, Penlo reads PDFs from your designated Boox folder and optionally writes exported text files back via the Microsoft Graph API using OAuth tokens you have authorised.
  • We request only the Files.ReadWrite scope. We access only the specific folder you configure.
  • Microsoft sends change notification webhooks to Penlo when files change, allowing real-time sync.
  • Privacy policy: privacy.microsoft.com
Google Drive — Optional cloud sync source and export destination
  • If you connect Google Drive, Penlo reads PDFs from your designated Boox folder and optionally writes exported text files back via the Drive API using OAuth tokens you have authorised.
  • Google sends webhook notifications to Penlo when files change, allowing real-time sync.
  • Privacy policy: policies.google.com/privacy
Notion — Optional export destination
  • If you connect Notion, Penlo creates or updates pages in your Notion workspace containing your OCR text, summary, and metadata.
  • We access only the specific pages and databases you authorise during the Notion OAuth flow.
  • Privacy policy: notion.so/privacy

7 Data Sharing

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:

  • Third-party service providers — as described in Section 6, strictly to operate the Service's core functionality.
  • Webhook recipients — if you configure an outbound webhook, OCR results (notebook title, text, summary, and tags) are sent to the URL you specify. You control the recipient.
  • Shared links — if you create a public share link for a notebook, the OCR text and thumbnail for that notebook become accessible to anyone with the link.
  • Legal obligations — if required by applicable law, regulation, or valid legal process.
  • Business transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.

8 Data Retention

  • Account data — retained for as long as your account exists. If you delete your account, all your data (notebooks, OCR text, PDFs, tags, connections, settings, API keys) is permanently removed within 30 days.
  • Cloud storage connection tokens (Dropbox, OneDrive, Google Drive) — retained until you disconnect the provider or delete your account.
  • Notebook PDFs and OCR text — retained for the duration of your account. Stored PDFs are copies used for OCR processing and thumbnail generation; your original files on Dropbox, OneDrive, or Google Drive are never modified or deleted by Penlo.
  • Notion integration token — retained until you disconnect Notion or delete your account.
  • API keys — the hashed key is retained until you revoke it or delete your account. The full key is never stored.
  • Webhook settings — retained until you remove the webhook or delete your account.
  • Settings and preferences — retained for the duration of your account.

9 Data Security

We implement the following measures to protect your data:

  • All communication between your browser, our servers, and third-party APIs uses HTTPS/TLS encryption.
  • OAuth tokens for Dropbox, OneDrive, Google Drive, and Notion are stored server-side — never exposed in client-side code.
  • API keys for third-party services (Gemini, cloud storage) are stored as server-side environment variables and never exposed to the client.
  • User API keys are hashed using SHA-256 before storage — only the key prefix is retained in plain text for identification.
  • Authentication is managed via Supabase Auth with automatic session refresh and secure cookie handling.
  • User data in Supabase is protected by row-level security (RLS) policies — each user can only access their own data.
  • Webhook payloads can be signed with HMAC-SHA256 using a user-provided secret for verification.
  • The Supabase backend is hosted in the EU West region.

No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security of data transmitted over the internet.

10 Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your account and all associated data. You can also self-serve this via Settings → Account → Delete Account.
  • Portability — request your data in a structured, machine-readable format. You can also use the Penlo REST API to export your notebooks and OCR text programmatically.
  • Objection — object to processing of your data for certain purposes.
  • Restriction — request that we limit how we process your data.

To exercise any of these rights, contact us at hello@penlo.app. We will respond within 30 days, or within the timeframe required by applicable law.

11 International Data Transfers

Our authentication and storage infrastructure is hosted in the EU (West region) via Supabase. The Penlo web application is hosted on Vercel, which may serve content from global edge locations. Third-party services including Google Gemini may process data in the United States or other regions. By using the Service, you acknowledge that your data may be transferred to and processed in countries outside your country of residence, which may have different data protection standards.

12 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective date" at the top of this document and, where feasible, notify you via the application or our website. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13 Contact

If you have questions or concerns about this Privacy Policy or your data, please contact us:

Michał Włosik EFC

ul. Północna 16/5, 54-105 Wrocław, Poland

Email: hello@penlo.app

Web: penlo.app

© 2026 Penlo  ·  penlo.app

© 2026 Penlo. All rights reserved