SAM Privacy Policy

Effective date: May 24, 2026  |  Last updated: May 24, 2026

This Privacy Policy describes how Penni Tech LLC ("Penni Tech," "we," "our," or "us") collects, uses, stores, shares, and protects information when you use SAM, our business intelligence and marketing automation platform ("SAM" or the "Service").

By using SAM, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

1. Who we are

Penni Tech LLC
Washington, DC / Maryland / Virginia
Contact: pennitechllc@gmail.com

We are the data controller for information you provide to us when using SAM.

2. Information we collect

2a. Information you provide directly

When you set up your SAM account and complete onboarding, you provide:

• Business profile information: company name, industry, target audience, services and pricing, brand voice, goals, and workflow preferences
• Account credentials: email address and a password (passwords are hashed and never stored in plaintext)
• Optional uploads: documents, spreadsheets, or other files you choose to import

2b. Information from connected platforms

When you connect a third-party platform to SAM (such as Facebook Pages, Instagram, LinkedIn, Google Business Profile, or Plaid for banking), we receive only the data you authorize. For Facebook integrations, this includes:

• Facebook Page identifiers and names of Pages you choose to connect
• Business Portfolio metadata for the portfolio you authorize
• A Page-scoped access token that allows SAM to publish content to your Page on your behalf
• Engagement metrics for posts SAM publishes to your Page (e.g., reach, likes, comments)

We do not access your personal Facebook profile, friends list, private messages, or any Pages or assets you do not explicitly select during the OAuth consent flow.

2c. Information generated by SAM

As you use the Service, SAM generates and stores:

• Marketing content drafts produced by our AI marketing assistant ("the CMO")
• Approval and publish history showing which content you reviewed, edited, and published
• Decision logs capturing how AI suggestions were generated, for transparency and debugging

2d. Technical information

We automatically collect basic technical data: timestamps of actions, IP addresses for session security, and standard web server logs. We do not use third-party advertising trackers or analytics services that share data with advertisers.

3. How we use information

We use the information we collect to:

• Operate and maintain SAM and its features
• Generate marketing content tailored to your business profile
• Publish content to your connected channels only after your explicit approval (or, where you have enabled auto-publish for a specific channel, according to your configured rules)
• Display post performance and engagement metrics back to you
• Diagnose and fix technical issues
• Communicate with you about your account, security, and service updates

4. AI processing partners

SAM uses large language models from Anthropic, PBC (the "Claude" family of models) to generate marketing content, reason about your business context, and power the AI assistant features. When SAM uses these models, the relevant context (such as your business profile excerpt and the specific question or task) is sent to Anthropic's API for processing.

Anthropic processes this data on our behalf as a data processor and, per Anthropic's published API policies, does not use API inputs or outputs to train its models. You can review Anthropic's privacy practices at https://www.anthropic.com/legal/privacy.

We may add additional AI processing partners in the future (for example, AWS Bedrock). We will update this policy to disclose any new partners.

5. How we share information

We share your information only in the following circumstances:

• With AI processing partners as described in Section 4
• With platform APIs you have connected — for example, when you approve a post, SAM transmits that content to Facebook via the Pages API
• With service providers that help us operate SAM (hosting, infrastructure), bound by appropriate data-protection terms
• When required by law — to comply with a valid legal request, court order, or government inquiry
• To protect rights and safety — to investigate suspected fraud, violations of our terms, or threats to safety

We do not sell your personal information. We do not share data across customer tenants — SAM uses per-tenant database isolation (row-level security) so your data is logically separated from every other customer's data.

6. How we store and protect information

• Data isolation: Each customer's data is stored in a logically isolated tenant scope using PostgreSQL row-level security. Queries from one tenant cannot access data belonging to another tenant.
• Encryption in transit: All connections to SAM use HTTPS (TLS 1.2 or higher).
• Encryption at rest: Sensitive data is stored on encrypted volumes.
• Access controls: Only authorized personnel at Penni Tech can access production systems, and access is logged.
• Access tokens: Third-party API tokens (such as Facebook Page Access Tokens) are stored with restricted access and rotated periodically.

No system is perfectly secure. If you believe your SAM account or any connected data has been compromised, contact us immediately at the email above.

7. Your rights and controls

You have the following controls over your data in SAM:

• Access: Request a copy of the data SAM stores about you and your business.
• Correction: Update your business profile and connected account information at any time through the SAM dashboard.
• Deletion: Request deletion of your account and associated data by emailing us at the address above. We will delete or anonymize your data within 30 days of a verified request, except where retention is required by law.
• Disconnect a channel: Disconnect any connected platform (Facebook, Instagram, LinkedIn, Google Business Profile, Plaid) at any time from the SAM dashboard. Disconnection removes the locally stored access token.
• Revoke at the source: To fully revoke SAM's access at the platform level, visit the platform's own settings:
  • Facebook: Business Manager → Business Settings → Integrations → Apps → SAM CMO Publisher → Remove
  • Other platforms have analogous revocation pages

Depending on where you live, you may have additional rights under laws like the California Consumer Privacy Act (CCPA) or the EU General Data Protection Regulation (GDPR). Contact us to exercise any such rights.

8. Data retention

We retain your data for as long as your account is active and as long as needed to provide the Service. After account deletion, we may retain limited records (for example, audit logs of publishing attempts) for up to 12 months for fraud prevention, security investigations, and legal compliance, after which they are deleted or anonymized.

9. Children's privacy

SAM is intended for use by businesses and is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

10. International users

SAM is operated from the United States. If you use the Service from outside the U.S., you understand that your information will be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those in your jurisdiction.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. For significant changes, we will notify you through the SAM dashboard or by email before the changes take effect.

12. Contact us

For any questions about this Privacy Policy, your data, or to exercise your rights:

Penni Tech LLC
Email: pennitechllc@gmail.com