PortalKitPortalKit
PlatformAboutBlogPricing
Log InGet Started

Legal

Privacy
Policy.

Last updated: 12 June 2026

How we collect, use, and protect your personal data — and the rights you have over it.

Contents

  • 1. Introduction
  • 2. Data controller
  • 3. Information we collect
  • 4. How we use your data
  • 5. Data sharing
  • 6. Data retention
  • 7. Your rights
  • 8. Security
  • 9. Cookies
  • 10. Do Not Track
  • 11. Children's privacy
  • 12. Changes to this policy
  • 13. Contact

Related policies

  • Terms of Service →
  • Cookie Policy →
  • Security →

Questions?

legal@portalkit.com
01

Introduction

PortalKit (“we”, “our”, or “us”) operates the PortalKit platform (“Service”). This Privacy Policy explains how we collect, use, share, and protect personal information when you use the Service.

By using PortalKit, you agree to the collection and use of information in accordance with this policy. If you do not agree with any part of this policy, you should stop using the Service.

This policy applies to all users of the Service, including freelancers, agencies, and their end clients who access client portals. Where we refer to “you” in this document, we mean any person whose personal data we process in connection with the Service.

02

Data controller

PortalKit is the data controller for personal data processed under this policy. If you are located in the European Union or United Kingdom, we act as a controller within the meaning of the General Data Protection Regulation (GDPR) and the UK GDPR respectively.

If you are located in Australia, this policy also applies to us as an organisation covered by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Our contact details are provided in Section 13 below.

03

Information we collect

Account information

When you create a PortalKit account, we collect your email address, full name, and business name. This information is required to create and identify your account.

Payment information

Payments are processed by Stripe, Inc. We do not store your full card number, CVV, or bank account details on our servers. Stripe is our payment processor and handles all payment data subject to their own Privacy Policy. We receive only a masked card identifier and transaction status from Stripe.

Usage data

We collect information about how you use the Service, including pages visited, features used, actions taken, and error events. This data is used to improve the Service and is not linked to your identity for advertising purposes.

Client portal data

Files, messages, invoices, milestones, and other content you upload or create within the Service are stored on our infrastructure. This content belongs to you and is processed solely to provide the Service you have requested.

Log and device data

We automatically collect log data including your IP address, browser type and version, operating system, referring URL, and request timestamps when you access the Service. This data is used for security monitoring and abuse prevention.

Communications

If you contact us by email or through a contact form, we retain the content of your message and your contact details to respond to your enquiry and improve our support processes.

04

How we use your data

We use collected information to:

  • Create and maintain your account and provide the Service
  • Process transactions and send payment-related communications
  • Send transactional emails, such as portal activity notifications, invoice receipts, and account security alerts
  • Send product update and onboarding emails where you have not opted out
  • Respond to support requests and improve our customer support processes
  • Monitor and analyse usage patterns to improve and develop the Service
  • Detect, prevent, and address fraud, abuse, and security incidents
  • Comply with applicable legal obligations
  • Enforce our Terms of Service

Our legal bases for processing (under GDPR) are: performance of a contract (providing the Service), legitimate interests (security, fraud prevention, service improvement), legal obligation (compliance requirements), and consent (marketing emails, optional analytics). You may withdraw consent at any time without affecting the lawfulness of prior processing.

We will not send you unsolicited marketing emails. Where we send product update emails, you may unsubscribe at any time via the link in the email or by contacting us directly.

05

Data sharing and disclosure

We do not sell, rent, or trade your personal data with third parties for their own marketing purposes. We share data only in the following circumstances:

Service providers (sub-processors)

We use the following third-party services to operate the platform. Each provider processes data only as directed by us and is bound by appropriate data processing agreements:

  • Supabase — database hosting, user authentication, and file storage
  • Stripe, Inc. — payment processing and Stripe Connect for freelancer payouts
  • Resend — transactional email delivery
  • Railway / Vercel — application hosting and serverless infrastructure
  • Sentry — error monitoring and application performance monitoring

Legal requirements

We may disclose your information if required by law, court order, or government authority, or if we believe in good faith that disclosure is reasonably necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or a security incident.

Business transfers

In the event of a merger, acquisition, financing, reorganisation, or sale of company assets, your information may be transferred as part of that transaction. We will notify affected users by email at least 30 days before your data becomes subject to a materially different privacy policy.

With your consent

In any other circumstance, we will only share your data with your explicit consent.

06

Data retention

We retain your account data for as long as your account is active and for up to 30 days after account deletion, to allow for account recovery. After that period, personal data is permanently and irreversibly deleted from our systems.

Certain financial records (such as invoice and payment information) may be retained for up to 7 years where required by applicable tax or accounting laws.

Server log data is retained for 90 days for security monitoring purposes, then automatically deleted.

You may request deletion of your data at any time by contacting us at privacy@portalkit.com. We will confirm deletion within 30 days unless retention is required by law.

07

Your rights

Depending on your location, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@portalkit.com. We will respond within 30 days of receiving a verified request.

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
  • Portability — receive your data in a structured, commonly used, machine-readable format.
  • Restriction — request that we temporarily stop processing your data in certain circumstances.
  • Objection — object to processing based on our legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

If you are located in the EU or UK, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national data protection authority in the EU).

If you are located in Australia, you have the right to make a complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have mishandled your personal information.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.

08

Security

We implement industry-standard security measures including TLS 1.3 encryption in transit and AES-256 encryption at rest for all data stored on our platform. Client portal access is controlled by time-limited, cryptographically signed tokens rather than passwords. We conduct regular internal security reviews and engage third-party security researchers through our responsible disclosure programme.

No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security.

To report a security vulnerability, please see our Security page.

09

Cookies

We use cookies and similar technologies to keep you signed in, protect against cross-site request forgery, remember your preferences, and understand how the platform is used. We do not use cookies for advertising or cross-site tracking.

For a full breakdown of the cookies we use and how to manage them, see our Cookie Policy.

10

Do Not Track

Some browsers offer a “Do Not Track” (DNT) signal. Because there is no consistent industry standard for responding to DNT signals, we do not currently respond to them. You can manage tracking preferences by adjusting your browser cookie settings or opting out of analytics in your account Settings → Privacy.

11

Children's privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal data, please contact us at privacy@portalkit.com immediately. We will take steps to delete the information promptly.

12

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or by a prominent notice within the Service at least 14 days before the change takes effect.

The “Last updated” date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes become effective constitutes your acceptance of the updated policy.

13

Contact

For questions, concerns, or requests relating to this Privacy Policy or your personal data, contact us at:

PortalKit

privacy@portalkit.com

We aim to respond to all privacy-related enquiries within 5 business days.

PortalKitPortalKit

Built for freelancers.
Loved by clients.

Product

  • Platform
  • Pricing
  • Security

Company

  • About
  • Blog
  • Guides

Support

  • Contact
  • Leave a Feedback

© 2026 PortalKit. All rights reserved.

Privacy PolicyTerms of ServiceCookie Policy