Privacy Policy

Last updated: February 5, 2026

Important: As a compliance automation platform, we hold ourselves to the highest standards of data protection. This policy is written in plain language to ensure transparency about how we handle your data.

Introduction

At Portaeu, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our SwitchKit platform and services.

Information We Collect

Account Information

When you create an account, we collect:

  • Name and email address
  • Company name and role
  • Password (encrypted)
  • Billing information (processed securely via Stripe)

Usage Data

We automatically collect certain information when you use our services:

  • Log data (IP address, browser type, pages visited)
  • Device information
  • Usage patterns and feature interactions
  • Performance and error data

Data Source Credentials

When you connect data sources, we handle credentials according to your chosen connection mode:

  • Browser Mode: Credentials never leave your browser
  • Vault Mode: Credentials remain in your vault (we only request temporary access)
  • Direct Mode: Credentials encrypted with AES-256 and stored securely

How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our services
  • Process data portability requests on your behalf
  • Improve and personalize your experience
  • Communicate with you about updates, security alerts, and support
  • Detect and prevent fraud and abuse
  • Comply with legal obligations

Data Security

We implement industry-leading security measures:

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • SOC 2 Type II certified infrastructure
  • Regular security audits and penetration testing
  • Role-based access controls (RBAC)
  • Comprehensive audit logging

Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in these circumstances:

  • Service Providers: With trusted third parties who help us operate our services (e.g., AWS, Stripe)
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: When you explicitly authorize us to share your information

Your Rights

Under GDPR and other privacy laws, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data
  • Portability: Receive your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to certain types of processing
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us at privacy@portaeu.com

Data Retention

We retain your information only as long as necessary to provide our services and comply with legal obligations:

  • Account Data: Duration of subscription plus 90 days
  • Audit Logs: 7 years (to meet compliance and legal requirements)
  • Credentials (Direct Mode): Duration of subscription, deleted within 24 hours of account termination
  • Credentials (Browser/Vault Mode): Never stored by us
  • Exported Data: Deleted immediately after successful delivery (unless you configure retention)
  • Backup Data: 30 days in encrypted backups, then permanently deleted

Data Processing Addendum (DPA)

As a data processor, we process personal data on your behalf. Our Data Processing Addendum includes:

  • Standard Contractual Clauses (SCCs) for international transfers
  • Technical and organizational security measures
  • Sub-processor list and notification procedures
  • Data subject rights assistance
  • Breach notification procedures (within 24 hours)
  • Audit rights and cooperation obligations

Enterprise customers receive a signed DPA as part of their agreement. Contact legal@portaeu.com to request a copy.

Sub-Processors

We use the following trusted sub-processors to provide our services:

Amazon Web Services (AWS)

Purpose: Cloud infrastructure and hosting

Location: EU (Frankfurt region)

Stripe, Inc.

Purpose: Payment processing

Location: USA (with EU data residency options)

We notify customers at least 30 days before adding new sub-processors. You may object to new sub-processors by contacting us within 14 days of notification.

Security Incident Response

In the event of a security incident affecting your data:

  • Detection: 24/7 monitoring and automated alerting
  • Notification: We notify affected customers within 24 hours of discovery
  • Investigation: Immediate investigation and containment
  • Remediation: Root cause analysis and corrective actions
  • Documentation: Detailed incident report provided to affected customers
  • Regulatory Notification: We assist with regulatory breach notifications as required

Report security concerns to: security@portaeu.com

Compliance Certifications

Portaeu maintains the following certifications and compliance standards:

  • SOC 2 Type II: Annual audit of security, availability, and confidentiality controls
  • ISO 27001: Information security management system certification (in progress)
  • GDPR: Full compliance with EU General Data Protection Regulation
  • EU Data Act: Compliant with EU Data Act requirements (our core business)

Audit reports are available to Enterprise customers under NDA. Contact compliance@portaeu.com

Cookies and Tracking

We use cookies and similar technologies to:

  • Keep you signed in
  • Remember your preferences
  • Analyze usage patterns
  • Improve our services

You can control cookies through your browser settings. Note that disabling cookies may affect functionality.

International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

Children's Privacy

Our services are not intended for children under 16. We do not knowingly collect information from children. If you believe we have collected information from a child, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through our platform. Your continued use of our services after changes constitutes acceptance.

Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:

General Privacy Inquiries

privacy@portaeu.com

Data Protection Officer (DPO)

dpo@portaeu.com

Security Concerns

security@portaeu.com

Compliance & Legal

legal@portaeu.com

For postal correspondence, please contact us via email first and we will provide the appropriate mailing address.