Pencil Logo

Privacy Policy

Effective Date: October 21, 2025

High Agency, Inc. ("we," "our," or "us") values your privacy. This Privacy Policy explains what information we collect, why we collect it, and how you can control it.

1. What we collect

When you use Pencil, we collect:

Mandatory information

  • Your email address
  • Your role or job title
  • Your primary AI coding tool
  • A short description of how you plan to use Pencil

Optional information

  • Your company URL
  • Your LinkedIn or X (Twitter) profile URL

When you use Pencil, we also automatically collect some technical information — things like what features you use and how often. We use this data to understand what's working and what needs improvement.

Additionally collected (service operation & security). We collect limited device and log data (e.g., IP address, browser/IDE version, OS, timestamps). If you use our IDE/Editor extensions, we process authentication tokens and minimal usage/diagnostic events required to operate core features, and any content you intentionally send to our servers when invoking features that require server-side processing. We do not collect your source code or keystrokes unless you explicitly send content to our servers.

Onboarding forms. Where we use third-party forms (e.g., Google Forms) to collect access requests, we collect the fields you submit there (which may include the items above).

2. How we use your information

We use your information to:

  • Let you sign in and personalize your onboarding
  • Improve Pencil based on how people actually use it
  • Communicate about updates, new features, or policy changes
  • Keep our systems secure and reliable

We also use questionnaire responses to prioritize access, operate the extension(s), authenticate requests, and prevent abuse and fraud.

3. Legal bases (EEA/UK)

Where GDPR/UK GDPR applies, we rely on: Consent (e.g., marketing emails, optional form fields), Legitimate interests (service operation, security, abuse/fraud prevention, product improvement/analytics), Contract (providing requested access and features), and Legal obligations (responding to lawful requests).

4. Analytics

We use PostHog to understand how people use Pencil.

PostHog collects usage data (e.g., clicks, time spent in features, device/browser information, and error logs). In our implementation, these events are linked to your profile so we can provide product analytics, support, and security. We don't use analytics for advertising. We may also create aggregated or anonymized statistics that no longer identify you.

This helps us improve performance and prioritize what to build next. We don't use analytics to track your personal activity outside of Pencil, and we don't sell or rent your data.

If analytics involve international transfers outside the EEA/UK, we rely on appropriate safeguards (e.g., Standard Contractual Clauses).

5. International transfers

If we transfer personal data outside the EEA/UK, we use appropriate safeguards such as EU Standard Contractual Clauses (and, for the UK, the UK Addendum/IDTA) or rely on another valid transfer mechanism.

6. Emails and communication

We use Loops to send onboarding and product emails.

You can unsubscribe from marketing emails anytime using the link inside the email.

Transactional emails necessary to provide the service (e.g., access confirmations) may still be sent.

We share data with processors acting on our instructions, including Loops (email), PostHog (analytics), and Google (Google Forms) where forms are used. We may also use cloud hosting, storage, and security providers. We do not sell or rent your data. We enter into data-processing agreements with all processors and require appropriate security measures.

7. How we store and protect data

Your data is stored securely using modern encryption and access controls.

We keep it only as long as needed to run Pencil or as required by law.

If you delete your account or ask us to remove your information, we'll do so within a reasonable timeframe unless we're legally required to keep it.

Typical retention periods

Waitlist/questionnaire data: 24 months or until you request deletion.

Diagnostic logs: 12 months.

Marketing contacts: until you unsubscribe or request deletion. We may retain minimal suppression records to honor your unsubscribe request. Where legally required or necessary to establish, exercise, or defend legal claims, we may retain limited data for longer. Backups may persist for up to 30 days before they are overwritten.

8. Your rights

Depending on your location (including the EU/UK), you may have the right to access, rectify, erase, object to or restrict processing, and request data portability. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal, and you can complain to your local data protection authority. To exercise your rights, contact hq@pencil.dev. We may ask you to verify your identity and will respond within 30 days where required by law.

9. Children

Pencil isn't intended for children under 16, and we don't knowingly collect their information.

10. Changes

We may update this Privacy Policy from time to time.

If we make major changes, we'll post an update here or notify you directly.

11. Contact us

Controller: High Agency, Inc.

Mailing address: High Agency Inc., 440 N BARRANCA AVE #2993, COVINA, CA 91723

Questions? Email hq@pencil.dev.