Pendro
Legal

Privacy policy

Last updated

We take your privacy seriously. This policy explains what information Pendro collects, how it's used, and the choices you have. We try to write it the way a person would, not the way a lawyer would.

1. What we collect

When you sign up, we collect the minimum needed to run your account: your email address, your display name, and (for Google sign-in) your profile photo. We store everything you explicitly put into your projects — site copy, images, blog posts, form submissions — so we can render and serve them.

We do not buy data, scrape data, or load third-party tracking scripts onto your site. We do not have a Facebook Pixel. We do not have a Google Tag Manager. The only network calls your published site makes are the ones you explicitly add (e.g. a Calendly embed).

2. How we use it

  • To authenticate you and keep you signed in.
  • To render your projects, your blog posts, and your forms on the public subdomain you publish to.
  • To send you transactional email (sign-in magic links, password resets, billing receipts). We don't send marketing email unless you opt in.
  • To detect and prevent abuse (e.g. one account spawning hundreds of subdomains pointing at illegal content).

3. Who we share data with

We share the minimum necessary with three categories of sub-processors:

  • Hosting — Vercel and Supabase host the app and database.
  • Email — Resend sends sign-in links and system notifications.
  • Auth — Google (only when you sign in with Google) provides your basic profile.

We don't sell or rent your data. We don't share it for advertising. We don't share it with AI training pipelines.

4. Your rights

You can:

  • Export your projects as JSON from project settings at any time.
  • Delete your account from the dashboard — this also deletes all your projects, blog posts, form submissions, and uploaded media. There is no soft-delete trail.
  • Email us at hello@pendro.co for a copy of any data we hold on you that the export doesn't include.

5. Cookies

We use exactly one cookie: the session cookie issued by Auth.js. It's set to HttpOnly, Secure, SameSite=Lax, scoped to the parent zone so it works across app.pendro.co and pendro.co. It contains an opaque session id, not your data. There's no analytics cookie, no ad cookie, no tracking cookie.

6. Contact

Questions about this policy? Email hello@pendro.co. We read every message and reply within two business days.