1. Introduction
Portal Worx (Pty) Ltd ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Portal Worx platform and related services (the "Service").
This policy applies to all users of the Service, including organisation administrators, team members, and visitors to our website at portal-worx.com.
2. Information We Collect
2.1 Information You Provide
We collect the following information when you create an account and use the Service:
- Account information: Name, email address, password (hashed), job title, company name, location, and timezone
- Organisation information: Company name, subdomain, contact email
- Project data: Project names, descriptions, locations, dates, and associated documents, images, and reports
- Communications: Direct messages, document comments, and notification preferences
- Billing information: Subscription plan, billing interval, and payment details (processed securely by our payment provider)
- Feedback: Support requests, feedback submissions, and screenshots you voluntarily provide
2.2 Information Collected Automatically
When you use the Service, we automatically collect:
- Device information: Browser type and version, operating system, viewport dimensions
- Usage information: Pages visited, features used, timestamps of activity
- Network information: IP address, referring URL
- Performance data: Page load times and browser console errors (for debugging purposes)
2.3 Cookies
We use essential cookies for authentication and security. For detailed information, please see our Cookie Policy.
3. How We Use Your Information
We use your personal information for the following purposes:
- Providing the Service: To operate, maintain, and deliver the features of the platform
- Authentication: To verify your identity and manage your account access
- Communication: To send you account notifications, security alerts, trial expiration notices, and support responses
- Billing: To process payments, manage subscriptions, and send billing-related communications
- Security: To detect and prevent fraud, abuse, and security threats through audit logging
- Improvement: To analyse usage patterns and improve the Service
- Legal compliance: To comply with applicable laws and regulations
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases:
- Contract: Processing necessary to provide the Service you have subscribed to
- Legitimate interest: Processing for security monitoring, service improvement, and fraud prevention
- Legal obligation: Processing required to comply with applicable laws
- Consent: Where you have given explicit consent for specific processing activities
5. Data Sharing and Disclosure
5.1 Within Your Organisation
Your profile information, project contributions, and messages are visible to other members of your organisation based on their role and permissions. Organisation administrators can view and manage user accounts within their workspace.
5.2 Service Providers
We share information with trusted third-party service providers who assist us in operating the Service:
- Amazon Web Services (AWS): Cloud hosting, database, file storage, email delivery (AWS SES), and content delivery (CloudFront)
- Payment processor: Secure payment processing for subscription billing
These providers are contractually obligated to use your data only for the purposes of providing services to us and are bound by appropriate data protection agreements.
5.3 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Portal Worx, our users, or the public.
5.4 No Selling of Data
We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes.
6. Data Storage and Security
6.1 Multi-Tenant Isolation
Portal Worx uses a multi-tenant architecture with PostgreSQL schema-level isolation. Each organisation's data is stored in a separate database schema, ensuring logical separation from other organisations.
6.2 Data Location
Your data is stored on servers operated by Amazon Web Services (AWS). Data may be stored and processed in the regions where AWS operates its infrastructure.
6.3 Security Measures
We implement industry-standard security measures, including:
- Encryption of data in transit (TLS/SSL)
- Secure password hashing
- HTTP-only, secure cookies for authentication tokens
- CSRF protection on all state-changing requests
- Comprehensive audit logging of security events
- Rate limiting on sensitive endpoints
- UUID-based file naming for data pseudonymisation
7. Data Retention
- Active accounts: Data is retained for the duration of your subscription
- Deleted items: Soft-deleted items (projects, documents, reports) are retained in a trash folder for 30 days before permanent deletion
- Account deletion: When you request account deletion, there is a 30-day grace period. After that, all organisation data is permanently deleted
- Audit logs: Security audit logs are retained for compliance purposes as required by applicable law
- Expired trials: Data from expired trial accounts is preserved until you request deletion
8. Your Rights
8.1 GDPR Rights (EEA Users)
If you are located in the EEA, you have the following rights:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate personal data
- Erasure: Request deletion of your personal data (right to be forgotten)
- Restriction: Request restriction of processing of your data
- Portability: Request your data in a machine-readable format
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Withdraw consent at any time where processing is based on consent
8.2 POPIA Rights (South African Users)
Under the Protection of Personal Information Act (POPIA), you have the right to:
- Be notified that your personal information is being collected
- Request access to your personal information
- Request correction or deletion of your personal information
- Object to the processing of your personal information
- Lodge a complaint with the Information Regulator
8.3 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@portal-worx.com. We will respond to your request within 30 days. For GDPR erasure requests, you can also submit a request through the platform's account settings.
9. Children's Privacy
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your own. When we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses approved by relevant data protection authorities.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
