Last updated: 7 May 2026
SM Worx Group Ltd, trading as Portal Worx ("we", "us", or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Portal Worx platform and related services (the "Service").
This policy applies to all users of the Service worldwide, including organisation administrators, team members, clients, and visitors to our website at portal-worx.com. SM Worx Group Ltd is a company incorporated in England and Wales (United Kingdom), company number 17223018, and is registered with the Information Commissioner's Office (ICO) under registration number [ICO_REGISTRATION_NUMBER]. Because we offer the Service to users in the United Kingdom, South Africa, and other regions, this policy is designed to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa, the EU General Data Protection Regulation (EU GDPR) where applicable, and other applicable data protection laws in the jurisdictions where our users are located.
We collect the following information when you create an account and use the Service:
When you use the Service, we automatically collect:
We use essential cookies for authentication and security. We also use Cloudflare Turnstile for bot protection during account registration, which may use similar technologies to verify you are a real user. For detailed information, please see our Cookie Policy.
On our public marketing site (portal-worx.com) we use Plausible Analytics to measure aggregate, anonymous traffic — page views, traffic sources, country-level geography, and device type. Plausible does not use cookies, does not store IP addresses, does not assign persistent identifiers, and does not collect personal data. No cross-site or cross-device tracking takes place, and the data cannot be linked back to an individual visitor. Because no personal data is processed, this analytics use does not require consent under UK GDPR or the ePrivacy Directive.
We use your personal information for the following purposes:
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases:
Because we offer the Service to users in South Africa, we are a "responsible party" under the Protection of Personal Information Act 4 of 2013 (POPIA). We process personal information in accordance with the eight conditions for lawful processing set out in Chapter 3 of POPIA, including accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. We have appointed an Information Officer registered with the South African Information Regulator; you can reach them via privacy@portal-worx.com.
Your profile information, project contributions, and messages are visible to other members of your organisation based on their role and the privacy settings configured by your organisation's administrators. Organisation administrators (Superadmin and Admin roles) can view and manage user accounts within their workspace.
We share information with trusted third-party service providers who assist us in operating the Service. Each provider processes data only for the specific purposes described below and is bound by appropriate data protection agreements:
| Provider | Purpose | Data Processed |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, database (RDS), file storage (S3), content delivery (CloudFront), and email delivery (SES) | All Service data, stored and processed on AWS infrastructure |
| Stripe | Payment processing for subscription billing | Billing details, payment method information, subscription status |
| Cloudflare (Turnstile) | Bot protection and fraud prevention during account registration | Device interaction signals, IP address |
| Google (Maps API) | Location display and mapping for project locations | Project location coordinates and addresses |
| OpenAI | AI-powered project summary generation (US-based; data processed under OpenAI's API data-usage policy with a 30-day retention default) | Project name, description, location, start/end dates, names of assigned team members, recent activity entries (which include the names of users who performed each action), document category and uploader names, gallery folder names, and report metadata. Email addresses, passwords, profile pictures, document/image/report content, and direct messages are not sent |
We will notify users of any material changes to our sub-processor list by updating this policy and providing at least 30 days' notice before a new sub-processor begins processing personal data. For further detail on sub-processor obligations, please refer to our Data Processing Agreement.
Portal Worx offers optional AI-powered features, including project summary generation. When you use these features, the following data is sent to OpenAI for processing:
The following data is not sent to OpenAI:
OpenAI processes this data on US infrastructure under OpenAI's API data-usage policy and does not use API inputs or outputs to train its models. OpenAI retains API request logs for up to 30 days for abuse and trust-and-safety review unless a Zero Data Retention agreement is in place. We log AI usage internally for rate-limiting and credit-tracking purposes only.
AI features are entirely optional. If you do not wish project context to be sent to OpenAI, simply do not invoke the AI summary generation feature; core platform functionality is not affected. We do not currently offer a per-organisation opt-out toggle, but we are working on one for a future release — organisations with strict data-residency requirements should contact us at privacy@portal-worx.com before enabling AI features for their team.
AI-generated content is provided for informational purposes only and may contain inaccuracies. You should review AI outputs before relying on them for business decisions.
We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of SM Worx Group Ltd, our users, or the public. We will notify affected users of such disclosures where legally permitted.
We do not sell, rent, or trade your personal information to third parties for marketing, advertising, or any other purposes. We do not use your data to build advertising profiles or engage in behavioural targeting.
Portal Worx uses a multi-tenant architecture with PostgreSQL schema-level isolation. Each organisation's data is stored in a separate database schema, providing true database-level separation — not just row-level filtering. This means your organisation's data is structurally isolated from all other organisations.
Primary data storage and processing — including the application database (Amazon RDS), file storage (Amazon S3), media delivery (Amazon CloudFront), and transactional email (Amazon SES) — is hosted in the AWS eu-west-2 (London) region. We may add additional AWS regions in future to improve performance or to meet customer data-residency requirements; we will update this policy and notify users at least 30 days in advance if we add a region that changes where personal data is stored.
Limited data is processed outside the eu-west-2 region by sub-processors with global infrastructure: Stripe (payment processing, US/EU/UK), Cloudflare (bot protection, globally distributed edge network), Google (Maps API for project location display, US), and OpenAI (AI project summaries, US). See Section 5.2 and our Data Processing Agreement for the full sub-processor list. For information on international data transfers, see Section 11.
We implement industry-standard security measures to protect your data, including:
All uploaded files (documents, images, reports) are stored on Amazon S3 with tenant-prefixed paths, ensuring storage-level isolation between organisations. Files are accessed via time-limited, signed URLs — there is no direct public access to any stored files.
We perform automated database backups via Amazon RDS for disaster-recovery purposes. Backup snapshots are retained for up to 7 days after the snapshot is taken, after which they are permanently destroyed by AWS. This means a small window may exist between an account-level deletion and the deletion of corresponding backup data. Backup data is encrypted at rest, stored in the same region as the primary database, and is only ever restored to recover from operational incidents — never used for analytics, profiling, or any other purpose.
We retain your data for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of your subscription | Contract performance |
| Deleted items (projects, documents, reports) | 30 days in trash, then permanently deleted | Accidental deletion recovery |
| Account deletion | 30-day grace period, then permanent deletion | Allows cancellation of deletion request |
| Direct messages | Lifetime of the sending user's account; on permanent deletion the message body is anonymised in-place. Senders can also delete individual messages at any time (hard delete on both sides). | Peer-to-peer collaboration record + GDPR Article 17 (right to erasure) |
| Security audit logs | Up to 365 days | Security monitoring and legal compliance |
| Email delivery logs | 90 days | Delivery tracking and troubleshooting |
| Billing records | 7 years (archived) | Tax and legal compliance |
| Password reset tokens | 1 hour | Security (single-use, time-limited) |
| Expired trial data | Preserved until you request deletion | Allows reactivation without data loss |
| Database backups | Up to 7 days from snapshot creation | Operational disaster recovery (Amazon RDS automated snapshots) |
| Consent records (terms acceptance, audit trail) | Lifetime of the account + 7 years | Contract dispute and regulator-inquiry windows |
Automated cleanup processes run daily to remove expired data in accordance with these retention periods.
If you are located in the EEA or the United Kingdom, you have the following rights under the GDPR:
Under the Protection of Personal Information Act (POPIA), you have the right to:
To exercise any of these rights, please contact us at privacy@portal-worx.com. We will acknowledge your request within 5 business days and provide a substantive response within a maximum of 30 days from receipt. If we require an extension, we will inform you of the reason and the expected timeframe.
For GDPR erasure requests, you can also submit a request directly through the platform's account settings, which will begin the 30-day grace period automatically. You may cancel the deletion during this grace period.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority:
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@portal-worx.com.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
SM Worx Group Ltd is incorporated in the United Kingdom and serves users globally. Our primary production database and file storage are hosted in the AWS London region (eu-west-2). Your information may be transferred to and processed in countries other than your own where our sub-processors operate (see Section 5.2).
When we transfer personal data internationally, we ensure appropriate safeguards are in place:
The Service is available to users worldwide. Regardless of where you are located, we apply the same high standard of data protection to all users. Our privacy practices are built to meet the requirements of the UK GDPR, EU GDPR, and POPIA — among the most comprehensive data protection frameworks globally. All users benefit from these protections, even if your country does not have equivalent data protection legislation.
If you are located in a jurisdiction with its own data protection laws (such as Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, or any other applicable legislation), we acknowledge that you may have additional rights under your local laws. Where your local data protection laws grant you rights that go beyond those described in this policy, those rights apply to you in addition to the rights set out here.
By using the Service from outside the United Kingdom, you acknowledge that your personal data will be transferred to and processed in the United Kingdom and other countries where our infrastructure and sub-processors operate, as described in Section 11. We ensure that appropriate safeguards are in place for all such transfers.
If you have questions about how your local data protection laws apply to your use of the Service, please contact us at privacy@portal-worx.com and we will do our best to assist you.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
SM Worx Group Ltd (trading as Portal Worx), a company incorporated in England and Wales (company number 17223018, registered office: 48a Durham Road, SW20 0TW), is the data controller for personal information processed through the Service. Where an organisation administrator has invited you to use the Service, your organisation may also act as a data controller for certain processing activities. Please refer to our Data Processing Agreement for further details on controller and processor responsibilities.
