Penguin Translator

Privacy Policy

Last updated: 8 May 2026

Who controls Penguin Translator

Penguin Translator ("we", "us", "our") is an AI translation service operated in France by Wil as a sole proprietorship. This policy explains what personal data we process, why we process it, how long we keep it, who receives it, and what rights you have under the GDPR, UK GDPR, CCPA/CPRA, and other applicable laws. The data controller is Wil, reachable at wil.8dev@gmail.com. We have not appointed a formal Data Protection Officer; privacy requests can be sent to the same address.

If any English provision conflicts with a translated version, the English version prevails.

Summary

  • We collect only what is needed to run the service: account data, translation inputs and outputs, limited billing metadata, and technical logs.
  • Translation inputs are routed through the Vercel AI Gateway to configured model providers so the service can return a result. We do not sell your data and we do not use your content to train public AI models.
  • Anonymous traffic is rate-limited using a salted SHA-256 hash of your IP address rather than storing the raw IP long-term.
  • We use essential cookies and lightweight analytics only. There are no advertising cookies or cross-site ad trackers on the product site.
  • You can access, correct, delete, export, or restrict your data and complain to your supervisory authority, including the CNIL in France.

Data we collect

  • Account data: your email address and a Clerk user ID when you create an account. We may also receive your name and avatar if you sign in with a third-party provider (Google, GitHub, etc.).
  • Translation content: the source text you paste, any optional context you provide, and the AI-generated translation. Recent translations are kept in your private history (Upstash Redis) so you can reuse them.
  • Document content (Pro/Premium): files you upload for translation are stored in Vercel Blob to deliver the result. You can delete them at any time from the Documents page.
  • Usage data: request timestamps, request and character counts, plan tier, locale, user-agent, country code derived from your IP, and quota counters used to enforce daily / per-minute rate limits.
  • Billing data: when you subscribe through Polar, Polar processes your payment details directly. We only receive a subscription identifier, plan tier, status, and an invoice reference. We never see your full card number.
  • Diagnostic data: error reports captured by Sentry (stack traces, browser info, the URL you were on). Sentry is configured to scrub form values and request bodies.
  • Cookies and local storage: a Clerk session cookie (essential, signed-in users only); a theme preference and last-used target language stored locally in your browser. No advertising cookies. No cross-site tracking.

Purposes and legal bases (GDPR Art. 6)

  • Provide the translation service and your account — Performance of a contract (Art. 6.1.b).
  • Process subscription payments and invoices — Performance of a contract (Art. 6.1.b) and Legal obligation (Art. 6.1.c) for accounting / VAT records.
  • Security, abuse prevention, rate-limiting — Legitimate interest (Art. 6.1.f): keeping the service available, fighting bots and quota abuse.
  • Service-quality analytics and bug-tracking (Vercel Analytics, Sentry) — Legitimate interest (Art. 6.1.f).
  • Service-related transactional emails (sign-up confirmation, security alerts, plan changes) — Performance of a contract (Art. 6.1.b).
  • Compliance with legal obligations and lawful requests — Legal obligation (Art. 6.1.c).

Subprocessors and international transfers

We use the following subprocessors to run the service. Each is bound by a Data Processing Agreement (DPA) or equivalent contract.

  • Vercel Inc. (USA, with EU edge regions) — hosting, serverless functions, document storage (Vercel Blob), Vercel Analytics, AI Gateway (proxy to model providers).
  • Clerk, Inc. (USA) — user authentication, session management.
  • Upstash, Inc. (USA, EU regions available) — Redis for rate-limit counters, translation cache and history, document metadata.
  • Third-party model providers accessed through the Vercel AI Gateway (USA) — large-language-model inference for translations. We configure providers that do not use API inputs and outputs to train their public models under their API data-usage terms.
  • Polar Software Inc. (USA, EU billing partners) — checkout, subscription management, invoicing, tax handling.
  • Functional Software, Inc. dba Sentry (USA) — error monitoring.

Some of these subprocessors are based in or transfer data to the United States. We rely on the European Commission's adequacy decision for the EU-US Data Privacy Framework where the subprocessor is certified, and otherwise on the EU Standard Contractual Clauses (Module 2 or 3) as supplemented by appropriate technical and organisational measures. You can request a copy of the relevant transfer mechanism by emailing wil.8dev@gmail.com.

Retention periods

  • Account data: kept for as long as your account exists. Deleted within 30 days after you ask us to delete the account, except where retention is required by law.
  • Translation history: stored in Redis with a rolling cap (most recent entries per user); you can clear it from the UI at any time. The translation cache (anonymised by content hash) is kept for up to 30 days to speed up repeated requests.
  • Uploaded documents: kept until you delete them; orphaned documents older than 90 days are purged automatically.
  • Usage and security logs: rate-limit counters reset every minute / day; raw access logs are kept up to 90 days.
  • Billing records: kept for 10 years to comply with French accounting and tax law (Code de commerce L123-22).
  • Sentry error events: kept for 90 days then auto-deleted.
  • Anonymous identifiers (salted IP hashes used for anti-abuse): kept for up to 30 days.

Your rights

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to access your personal data, rectify inaccurate data, request erasure ("right to be forgotten"), restrict or object to certain processing, request data portability (a machine-readable copy), and withdraw consent at any time where processing is based on consent. You can exercise these rights by emailing wil.8dev@gmail.com; we reply within one month. You also have the right to lodge a complaint with a supervisory authority — in France, the CNIL; in the UK, the ICO; or your local data protection authority.

California residents (CCPA/CPRA): you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not use personal information for cross-context behavioural advertising. To exercise your rights, email wil.8dev@gmail.com.

Security

  • All traffic is encrypted in transit using HTTPS / TLS 1.2 or higher.
  • Secrets and API keys are stored in Vercel's encrypted environment, never in source code, and rotated when an employee or contractor leaves.
  • Strong Content Security Policy, HSTS preload, X-Frame-Options DENY, and other defence-in-depth headers are enforced on every response.
  • Authentication and session management are handled by Clerk, which provides bot detection, password breach checks and optional multi-factor authentication.
  • Rate-limiting at the edge throttles abusive clients before they reach the application.
  • We notify affected users without undue delay and within 72 hours of becoming aware of a personal data breach where required by GDPR Art. 33-34.

Children

The service is not directed to children. You must be at least 16 years old to use Penguin Translator (or the lower age permitted by your local law, but never under 13). If we learn that we have collected personal data from a child below this age without verifiable parental consent, we will delete it. Contact wil.8dev@gmail.com to report such a case.

Changes to this policy

We may update this Privacy Policy. When we make material changes, we will update the "Last updated" date at the top of this page and, for signed-in users, send a short notice by email. Continued use of the service after the new effective date means you accept the updated policy.

Résumé en français

Penguin Translator est Ă©ditĂ© par Wil, entrepreneur individuel basĂ© en France. Nous traitons votre adresse e-mail (via Clerk), vos textes et documents traduits (via la Vercel AI Gateway et ses fournisseurs de modĂšles), des donnĂ©es techniques de sĂ©curitĂ© et, si vous ĂȘtes abonnĂ©, des identifiants de facturation gĂ©rĂ©s par Polar. Aucune publicitĂ©, aucune revente de donnĂ©es, aucun entraĂźnement de modĂšles publics sur votre contenu selon les conditions API de nos prestataires. Vous disposez des droits RGPD et pouvez nous Ă©crire Ă  wil.8dev@gmail.com.

Privacy Policy — Penguin Translator