Privacy Policy
Last updated March 27, 2026. This policy explains how Portlo collects, uses, and protects your personal data.
1. Introduction
This Privacy Policy explains how Portlo ("we," "us," or "our") collects, uses, shares, and protects personal data when you use our website and service. We are committed to protecting your privacy and handling your data transparently. This policy applies to all users of the Service, including freelancers (account holders) and their clients (portal visitors).
2. Data controller
Portlo is the data controller responsible for your personal data processed through the Service. For questions about data processing, contact us at legal@portlo.io.
3. Information we collect
We collect the following categories of personal data: Account information: Email address, display name, profile photo (optional), and authentication credentials when you create an account. Portal content: Project names, client names, email addresses, company names, phone numbers, file uploads, invoice details, proposal and contract content, task information, and messages you create within portals. Payment information: We do not store credit card numbers. Stripe, our payment processor, handles all card data. We store Stripe customer and subscription identifiers, invoice amounts, payment status, and receipt URLs. Signature data: When electronic signatures are used, we collect the signer's name, signature image, IP address, user agent, and timestamp for audit purposes. Usage data: We collect analytics events related to how you interact with the Service, including pages visited, features used, and actions taken. This is collected through PostHog with person_profiles set to "identified_only." Portal access data: For email-verified portals, we process the client's email address and a hashed one-time password (OTP). We may log IP addresses when IP logging is enabled on a portal. Technical data: Browser type, device information, and IP address collected automatically through server logs and analytics.
4. Legal basis for processing (EEA/UK users)
If you are in the European Economic Area (EEA) or the United Kingdom, we process your personal data based on the following legal grounds: Contract performance: Processing necessary to provide the Service you signed up for, including account management, portal hosting, file storage, invoicing, and payment processing. Legitimate interests: Product improvement, security, fraud prevention, and analytics to understand how the Service is used, where these interests are not overridden by your rights. Consent: Where you have given explicit consent, such as opting into analytics cookies or marketing communications. You may withdraw consent at any time. Legal obligation: Processing required to comply with applicable laws, such as tax record-keeping or responding to lawful requests from authorities.
5. How we use your data
We use personal data to: (a) provide, maintain, and improve the Service; (b) authenticate users and secure accounts; (c) host and deliver portal content to your clients; (d) process subscription billing and invoice payments through Stripe; (e) send transactional emails such as OTP codes, payment confirmations, and invoice notifications; (f) provide customer support; (g) analyze usage patterns to improve the product; (h) detect and prevent fraud, abuse, and security incidents; (i) comply with legal obligations.
6. Data sharing and third-party processors
We do not sell your personal data. We share data with the following categories of service providers who process data on our behalf: Firebase (Google Cloud): Authentication, database storage, and file storage. Data may be processed in the United States. Stripe: Payment processing for subscriptions and client invoice payments. Subject to Stripe's privacy policy. Resend / SendGrid: Transactional email delivery (OTP codes, payment notifications, invitations). PostHog: Product analytics. Configured to track identified users only. We may also disclose data if required by law, court order, or governmental request, or to protect the rights, property, or safety of Portlo, our users, or the public.
7. International data transfers
Portlo is designed for global use. Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our infrastructure providers operate. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, or other lawful transfer mechanisms. You may contact us for more information about the specific safeguards in place.
8. Data retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically: Account data: Retained until you request account deletion. Portal content: Retained for as long as the portal exists. Deleted portals and their content are removed within 30 days. Payment records: Retained for the period required by applicable tax and accounting laws (typically 7 years). Analytics data: Aggregated and anonymized after 24 months. Security logs: Retained for up to 12 months for fraud detection and incident response. After the applicable retention period, data is deleted or anonymized.
9. Your rights
Depending on your location, you may have the following rights regarding your personal data: Access: Request a copy of the personal data we hold about you. Rectification: Request correction of inaccurate or incomplete data. Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements. Restriction: Request that we limit processing of your data in certain circumstances. Data portability: Request your data in a structured, machine-readable format. Objection: Object to processing based on legitimate interests, including profiling. Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. Lodge a complaint: You have the right to lodge a complaint with your local data protection authority. To exercise these rights, contact us at legal@portlo.io. We will respond within 30 days (or sooner if required by applicable law).
10. Data security
We implement appropriate technical and organizational measures to protect your data, including: encryption of data in transit (TLS); secure authentication through Firebase; hashing of sensitive tokens (OTP codes stored as SHA-256 hashes); scoped access controls for portal data; payment card data handled exclusively by Stripe (PCI DSS compliant). No method of transmission or storage is 100% secure, but we take reasonable steps to protect your information.
11. Children's privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at legal@portlo.io and we will take steps to delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. We encourage you to review this page periodically. The "Last updated" date at the top indicates when this policy was last revised.
13. Contact us
If you have questions about this Privacy Policy or our data practices, contact us at: Email: legal@portlo.io