PenPlot

Privacy Policy

This Policy explains how PenPlot collects, uses, discloses, retains, and protects your personal data under Thailand’s Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”).

Last updated: 20 June 2026 · v1.0

1. Who we are

PenPlot (“PenPlot”, “we”, “us”, or “our”) operates the website and AI story-writing service available at penplot.co (the “Service”). For the purposes of the PDPA, PenPlot is the data controller responsible for the personal data processed through the Service.

This Privacy Policy (this “Policy”) describes the personal data we process, the purposes and lawful bases for processing it, the parties with whom we share it, and the rights available to you under the PDPA. If you have any question about this Policy or about how we handle your personal data, please contact us at support@penplot.co.

In this Policy, “personal data” means any information relating to an identified or identifiable natural person, as defined under the PDPA.

2. Scope of this Policy

This Policy applies to the personal data we process when you visit penplot.co, create an account, generate or edit stories, publish to the community feed, or otherwise interact with the Service. It does not apply to any third-party website or service that we link to but do not operate or control, each of which is governed by its own privacy policy.

3. Personal data we collect

Account and profile data

  • Your name (display name), email address, and, where you register by email, a securely hashed password.
  • Where you sign in with Google, your profile image and basic Google account identifiers.
  • Your email-verification status.

Content you create

  • The prompts, ideas, instructions, story text, titles, and cover images that you generate or edit.
  • The stories you publish to the community feed, together with the likes and remixes you make.

Billing and subscription data

  • Your credit balance and a ledger of credit transactions (grants, usage, and refunds).
  • Your subscription status and billing records. Payments are processed by our payment provider, Polar; we do not collect or store your full payment card number.

Technical and usage data

  • Your IP address, browser type and user-agent, and device and session information.
  • Authentication session tokens and security and rate-limiting signals.
  • Your language and theme preferences, which are stored locally in your browser.

We do not intentionally collect sensitive personal data within the meaning of section 26 of the PDPA, such as data concerning health, religion, or biometric data. Please do not enter sensitive personal data, whether relating to yourself or to any other person, into story prompts or other content.

Where we indicate that certain personal data is necessary to provide the Service, declining to provide it may mean that we are unable to create or maintain your account or to deliver the relevant feature.

4. How we collect your personal data

We collect personal data:

  • Directly from you, when you register, sign in, create or edit stories, subscribe, or contact us.
  • Automatically, through cookies and similar technologies and through your interaction with the Service.
  • From third parties, including Google (where you choose to sign in with Google) and Polar (your subscription and payment status).

5. Purposes and lawful bases for processing

We process your personal data only where a lawful basis under the PDPA applies. The purposes for which we process your personal data, and the corresponding lawful bases, are as follows:

  • To provide and operate the Service, your account, and AI generation and editing — necessary for the performance of our contract with you (section 24(3)).
  • To process payments, subscriptions, and credits, and to maintain accounting and tax records — necessary for the performance of our contract and for compliance with our legal obligations (sections 24(3) and 24(6)).
  • To keep the Service secure, prevent abuse and fraud, enforce rate limits, and maintain logs — necessary for our legitimate interests (section 24(5)).
  • To improve, troubleshoot, and develop the Service — necessary for our legitimate interests (section 24(5)).
  • To send you service-related communications, such as verification and account notices — necessary for the performance of our contract.
  • To send optional marketing and product-update emails — on the basis of your consent (section 19), which you may withdraw at any time.
  • To comply with applicable law and respond to lawful requests from competent authorities — necessary for compliance with our legal obligations (section 24(6)).

Where we rely on our legitimate interests, we balance those interests against your rights and freedoms, and you may object to such processing as described in section 13.

6. How your content is processed by AI

When you generate or edit a story, the text you submit — your prompt, your selection, or the document you are editing — is transmitted to our AI provider, OpenRouter, and to the underlying AI model providers to which it routes your request, so that the requested text or image can be generated and returned to you. This processing is necessary in order to deliver the feature you have requested.

Please do not include in your prompts or stories any real personal data relating to yourself or others, any confidential information, or any other material that you would not wish to be processed by a third-party AI provider.

7. Disclosure of your personal data

We do not sell your personal data. We disclose it only to service providers that process personal data on our behalf (our data processors), and only to the extent necessary to operate the Service:

  • Neon — managed database hosting.
  • Vercel — application hosting, content delivery, and image storage via Vercel Blob.
  • OpenRouter and the AI model providers to which it routes requests — generation and editing of story text and cover images.
  • Polar — subscription billing and payment processing.
  • Google — authentication where you choose to sign in with Google.
  • Upstash — rate limiting and abuse prevention.
  • The email and analytics providers we use to operate and communicate about the Service.

We may also disclose personal data where required or permitted by law, in order to enforce our Terms of Service, or to protect the rights, safety, or property of PenPlot, our users, or the public. Stories that you publish, together with your display name, are visible to anyone, as described in section 10.

8. International transfers

Certain of our service providers are located outside Thailand. As a result, your personal data may be transferred to, and processed in, countries whose data-protection standards may differ from those of Thailand. Where we transfer personal data abroad, we do so in reliance on a lawful ground under sections 28 and 29 of the PDPA — for example, because the transfer is necessary for the performance of our contract with you, or because appropriate safeguards are in place with the relevant provider.

9. Cookies and similar technologies

We use a limited set of cookies and similar technologies:

  • Strictly necessary cookies — required to sign you in and to keep your session secure. The Service cannot function without these.
  • Preference storage — your language and theme settings, which are stored locally in your browser.

We do not use third-party advertising or cross-site tracking cookies. You may clear or block cookies through your browser settings; however, the Service may not function properly without strictly necessary cookies.

10. Content you make public

If you publish a story to the community feed, that story and your display name become visible to anyone, including persons who are not signed in, and may be indexed by search engines. You may unpublish a story at any time from the editor; however, copies may persist in caches or with persons who have already viewed it.

11. How long we retain your personal data

We retain your personal data only for as long as necessary for the purposes set out in this Policy, applying the following criteria:

  • Account and content data — for as long as your account remains active. After you delete your account, we delete or anonymise your personal data within a reasonable period, except where we are required to retain it for longer.
  • Billing, payment, and tax records — for the period required by Thai law.
  • Security and access logs — for a limited period appropriate to our security and fraud-prevention needs.
  • Backups — until purged in the ordinary course of our backup-rotation cycle.

12. How we protect your personal data

We implement appropriate technical and organisational measures designed to protect your personal data, including encryption in transit, hashed passwords, access controls, and the use of reputable infrastructure providers. No method of transmission or storage is wholly secure, however, and we therefore cannot guarantee the absolute security of your personal data.

13. Your rights under the PDPA

Subject to the conditions and exceptions provided under the PDPA, you have the following rights in respect of your personal data:

  • The right of access — to obtain a copy of your personal data and information about how we process it.
  • The right to rectification — to have inaccurate or incomplete personal data corrected.
  • The right to erasure — to request the deletion or anonymisation of your personal data.
  • The right to restriction — to request that we suspend the use of your personal data.
  • The right to data portability — to receive your personal data in a machine-readable format and to have it transmitted to another controller where technically feasible.
  • The right to object — to object to certain processing, including processing carried out on the basis of our legitimate interests.
  • The right to withdraw consent — to withdraw, at any time, any consent you have previously given, without affecting the lawfulness of processing carried out before such withdrawal.
  • The right to lodge a complaint — to complain to the Personal Data Protection Committee (the “PDPC”) if you consider that we have not complied with the PDPA.

To exercise any of these rights, please contact us at support@penplot.co. We may need to verify your identity before responding, and we will respond within 30 days of receiving your request, or within such other period as the law permits.

14. Minors

The Service is intended for users who have the legal capacity to enter into a binding contract and is not directed to minors. Where a user is a minor, the Service may be used only with the consent of, or under the supervision of, the holder of parental responsibility over that minor, in accordance with section 20 of the PDPA. If you believe that a minor has provided us with personal data without the required consent, please contact us at support@penplot.co and we will take appropriate steps to delete it.

15. Changes to this Policy

We may update this Policy from time to time. Where we make material changes, we will revise the “Last updated” date above and, where appropriate, notify you through the Service. Your continued use of the Service after the revised Policy takes effect constitutes your acceptance of it.

16. How to contact us

If you have any question about this Policy, wish to exercise any of your rights, or have a concern about how we handle your personal data, please contact us at support@penplot.co. You also have the right to lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand.