Pencil Logo

Privacy Policy

Effective Date: February 5, 2026

High Agency, Inc. ("we," "our," or "us") values your privacy. This Privacy Policy explains what information we collect, why we collect it, and how you can control it.

1. What we collect

When you use Pencil, we collect:

Mandatory information

  • Your email address
  • Your role or job title
  • Your primary AI coding tool
  • A short description of how you plan to use Pencil

Optional information

  • Your company URL
  • Your LinkedIn or X (Twitter) profile URL

When you use Pencil, we also automatically collect some technical information — things like what features you use and how often. We use this data to understand what's working and what needs improvement.

Additionally collected (service operation & security). We collect limited device and log data (e.g., IP address, browser/IDE version, OS, timestamps). If you use our IDE/Editor extensions, we process authentication tokens and minimal usage/diagnostic events required to operate core features. Any Inputs/Outputs submitted for processing are handled transiently and are not stored or recorded on our servers (including logs, telemetry, caches, or storage). We do not collect your source code or keystrokes. If you explicitly submit content for processing, it is processed transiently and not stored or recorded on our servers.

Onboarding forms. Where we use third-party forms (e.g., Google Forms) to collect access requests, we collect the fields you submit there (which may include the items above).

Inputs & Outputs (content). Pencil may process content you submit ("Inputs") and generate results ("Outputs") to provide requested features. We do not store or record any Inputs or Outputs on our servers (including in logs, telemetry systems, caches, or storages). Inputs/Outputs are stored only on your local device for your convenience (e.g., browser localStorage or your OS filesystem).

2. How we use your information

We use your information to:

  • Let you sign in and personalize your onboarding
  • Improve Pencil based on how people actually use it
  • Communicate about updates, new features, or policy changes
  • Keep our systems secure and reliable

We also use questionnaire responses to prioritize access, operate the extension(s), authenticate requests, and prevent abuse and fraud.

3. Legal bases (EEA/UK)

Where GDPR/UK GDPR applies, we rely on: Consent (e.g., marketing emails, optional form fields), Legitimate interests (service operation, security, abuse/fraud prevention, product improvement/analytics), Contract (providing requested access and features), and Legal obligations (responding to lawful requests).

4. Analytics

We use PostHog to understand how people use Pencil.

PostHog collects usage data (e.g., clicks, time spent in features, device/browser information, and error logs). In our implementation, these events are linked to your profile so we can provide product analytics, support, and security. We don't use analytics for advertising. We may also create aggregated or anonymized statistics that no longer identify you.

Analytics events do not include user Inputs or Outputs (no prompts, no generated content, no source code). We use analytics only to understand feature usage, performance, reliability, and security signals.

This helps us improve performance and prioritize what to build next. We don't use analytics to track your personal activity outside of Pencil, and we don't sell or rent your data.

If analytics involve international transfers outside the EEA/UK, we rely on appropriate safeguards (e.g., Standard Contractual Clauses).

4a. Third-party image providers

Pencil may use third-party services to generate or source images, including Reve Image (reve.art), Google Gemini Nano Banana, and Unsplash. We may change or add providers over time. When you use image-related features, we may share the minimum necessary information and any content you intentionally submit to fulfill your request with these third-party providers. Your use of third-party services is also subject to their own terms and policies, and we are not responsible for the accuracy, availability, or licensing terms of third-party content.

We do not store or record Inputs/Outputs on our servers; third-party providers may have their own retention practices under their policies.

5. International transfers

If we transfer personal data outside the EEA/UK, we use appropriate safeguards such as EU Standard Contractual Clauses (and, for the UK, the UK Addendum/IDTA) or rely on another valid transfer mechanism.

6. Emails and communication

We use Loops to send onboarding and product emails.

You can unsubscribe from marketing emails anytime using the link inside the email.

Transactional emails necessary to provide the service (e.g., access confirmations) may still be sent.

We share data with processors acting on our instructions, including Loops (email), PostHog (analytics), and Google (Google Forms) where forms are used. We may also use cloud hosting, storage, and security providers. We do not sell or rent your data. We enter into data-processing agreements with all processors and require appropriate security measures.

These providers process account data and operational metadata; they do not receive or store user Inputs/Outputs from Pencil.

7. How we store and protect data

Inputs/Outputs are not stored on our servers. They may be stored locally on your device (e.g., localStorage or filesystem), and you can delete them by clearing local storage or removing local files.

Your data is stored securely using modern encryption and access controls.

We keep it only as long as needed to run Pencil or as required by law.

If you delete your account or ask us to remove your information, we'll do so within a reasonable timeframe unless we're legally required to keep it.

Typical retention periods

The retention periods below apply to account data and operational metadata only and do not include Inputs/Outputs (which are not stored on our servers).

  • Waitlist/questionnaire data: 24 months or until you request deletion.
  • Diagnostic logs: 12 months (designed not to contain Inputs/Outputs).
  • Marketing contacts: until you unsubscribe or request deletion. We may retain minimal suppression records to honor your unsubscribe request. Where legally required or necessary to establish, exercise, or defend legal claims, we may retain limited data for longer. Backups may persist for up to 30 days before they are overwritten.

8. Your rights

Depending on your location (including the EU/UK), you may have the right to access, rectify, erase, object to or restrict processing, and request data portability. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal, and you can complain to your local data protection authority. To exercise your rights, contact hq@pencil.dev. We may ask you to verify your identity and will respond within 30 days where required by law.

9. Children

Pencil isn't intended for children under 16, and we don't knowingly collect their information.

10. Changes

We may update this Privacy Policy from time to time.

If we make major changes, we'll post an update here or notify you directly.

11. Contact us

Controller: High Agency, Inc.

Mailing address:

High Agency Inc.

440 N BARRANCA AVE #2993

COVINA, CA 91723

Questions? Email hq@pencil.dev.