Effective May 14, 2026.
This page explains what data Penwood collects from you, why, and what you can do about it.
Who is "Penwood"?
Penwood is operated by Penwood Health LLC, a New Jersey limited liability company registered with the New Jersey Department of the Treasury. Reach me through the contact form at penwood.com/contact.
What I collect
Contact form (penwood.com/contact). When you fill out the contact form you give me your first name, last name, email address, optionally your company, and a message. That is all.
Newsletter signup (penwood.com/writing). When you sign up for the Penwood newsletter you give me your email address. Nothing else.
Behind the scenes. Penwood tracks page views via a HubSpot cookie: which pages you visit, how long you stay, which links you click. The cookie holds a non-identifying ID until you submit the contact form. If you do submit, the cookie ID gets linked to your contact record so I can see which page brought you in.
Analytics. Penwood also uses Google Analytics to count pageviews and three specific actions: contact form submissions, clicks on the booking button, and newsletter signups. Nothing else. Google Analytics only runs after you click Accept on the cookie banner. If you click Reject, no analytics data leaves your browser.
Why I collect it
To respond to you when you ask me to. To send you the newsletter when you ask me to send it. To understand what readers care about so I can write more of what is useful and less of what is not.
I do not sell data. I do not buy data. I do not share data with anyone outside the processors below.
Legal basis (for EU/UK readers). Contact form submissions: legitimate interest in responding to inquiries you initiate. Newsletter: your consent, withdrawable any time via the unsubscribe link. Google Analytics: your consent, as captured by the cookie banner. HubSpot page-view tracking: your consent, as captured by the cookie banner.
Who else sees it
Penwood is a one-person practice. I rely on a few platforms to keep it running. Each of them sees a slice of the data above:
- HubSpot stores contact form submissions and tracks page views for contact form attribution. Their privacy policy: hubspot.com/data-privacy/privacy-policy
- Google Analytics counts pageviews and the three actions above. Google sees what page you're on, what country your IP geo-locates to, and which device you're using. No name, no email, no contact details. Their policy: policies.google.com/privacy
- CookieYes shows you the cookie banner and remembers your choice. They store your consent state (accept or reject) in a cookie on your browser. Their policy: cookieyes.com/privacy-policy/
- Google Workspace runs the inbox at penwood.com. If you correspond with me by email, the messages live on Google's servers.
- Mailgun (via Ghost Pro) sends the newsletter. Mailgun is the email-delivery provider Ghost bundles. Your email address sits in their system so they can send you what I write.
- Cloudflare handles DNS for penwood.com. They see request metadata (IP addresses, basic timing) but not the contents of any form you submit.
- Stripe handles transactions if you ever pay Penwood for advisory work. They see what is needed to charge a card. I never see or store your card details.
That is the full list. No advertising networks. No data brokers. No re-targeting platforms.
Where this data lives. All processors named above are US-based. If you are in the EU or UK, your data is transferred to the US under each provider's Standard Contractual Clauses or equivalent safeguards approved by the European Commission and the UK ICO.
How long I keep it
Contact form submissions stay in HubSpot for as long as we have a working relationship plus three years after our last interaction.
Newsletter subscribers stay in Ghost until you unsubscribe. Every newsletter has an unsubscribe link at the bottom. One click and you are gone. When you unsubscribe, your email moves to a suppression list so I never accidentally re-add you. That list stays.
Email correspondence stays in my Gmail until I retire the practice or you ask me to delete it.
How I protect it. Every page on penwood.com loads over HTTPS. Data in transit is encrypted. The processors named above all maintain SOC 2 Type II or ISO 27001 certifications and encrypt data at rest. I keep my credentials in a password manager and use two-factor authentication on every system that holds Penwood data. If I ever discover a security breach affecting your data, I will notify you and the relevant supervisory authority within 72 hours of becoming aware.
Your rights
You have the right to:
- See what I have on you. Ask and I will send you the record.
- Correct anything that is wrong. Ask and I will fix it.
- Delete all of it. Ask and I will purge your record from every system named above within 30 days.
- Take it with you. Ask and I will export your record in a portable format.
To make any of these requests, send a message via the contact form at penwood.com/contact.
If you are in the EU or UK, GDPR applies and these rights are stronger. If you are in California, the CCPA gives you similar rights.
If you are in the EU or UK and you think I've mishandled your data, you also have the right to complain to your national data protection authority. In the UK, that's the Information Commissioner's Office (ico.org.uk). In the EU, it's whichever supervisory authority covers your country.
Cookies
Penwood sets these cookies:
- CookieYes consent cookie remembers your accept/reject decision so the banner doesn't reappear on every page. Set when you make a choice; persists for one year.
- Google Analytics cookies count unique visitors and track a session. Only set if you click Accept on the cookie banner. Persist for two years.
- HubSpot tracking cookie links your contact form submission to the page you came from. Only set if you click Accept on the cookie banner. Persists for thirteen months unless you clear it.
- Ghost member cookie keeps you signed in to the newsletter after you click the magic link. Persists for as long as you are signed in.
No advertising cookies. No tracking pixels. No third-party trackers beyond the processors named above.
A note for EU visitors. When you first land on penwood.com you'll see a banner asking you to accept or reject non-essential cookies. Everything non-essential is denied by default until you choose. If you click Reject, neither the HubSpot cookie nor the Google Analytics cookies above ever load. You can change your choice at any time by clearing cookies for penwood.com in your browser settings.
Children
Penwood is a B2B advisory practice. The site is not directed to children and I do not knowingly collect data from anyone under 16. If you are a parent or guardian and believe a child has submitted information through the site, send a message via the contact form and I will delete it.
How to reach me
For anything in this policy, send a message via the contact form at penwood.com/contact.