ProPortalBusiness logoProPortalBusiness
Legal — Privacy

Privacy Policy

Your data is yours. This policy explains exactly what ProPortalBusiness collects, why we collect it, who we share it with, and the rights you have under the UK GDPR and EU GDPR.

Last updated: 30 May 2026

1. Who we are

ProPortalBusiness ("ProPortalBusiness", "we", "us", "our") is a United Kingdom-based subscription billing and client portal platform for freelancers, sole traders, and independent professionals. We act as the data controller for personal data you submit to operate your account, and as a data processor for the personal data your own clients submit through your portal.

For any privacy enquiry, contact us at Support@ProPortalBusiness.com.

2. Data we collect

  • Account data: name, email, password hash, business name, business type, phone number, address, industry, and website.
  • Customer content: clients, projects, invoices, time entries, contracts, files, and messages you create inside ProPortalBusiness.
  • Billing data: processed by Stripe; we never store full card numbers. We keep the last four digits, card brand, and Stripe customer ID.
  • Usage data: log files, IP address, browser type, device information, and pages visited — used for security and product reliability.
  • Cookies and similar storage: strictly-necessary session cookies, plus opt-in analytics. See section 8.

4. How we use your data

We use personal data to:

  • operate, secure, and improve the ProPortalBusiness platform;
  • authenticate you and your team members;
  • process subscription payments through Stripe;
  • send transactional emails (invoices, contract signatures, portal invitations, receipts);
  • provide customer support;
  • comply with our legal obligations.

We do not sell your personal data and we do not use customer content to train AI models.

5. Sub-processors

We rely on a small set of carefully chosen sub-processors. Each is bound by a Data Processing Agreement (DPA) and may only process your data on our documented instructions.

  • Supabase (EU region) — managed Postgres database, authentication, and file storage. Primary data processor under a GDPR-compliant DPA.
  • Stripe — payment processing, subscription billing, and customer billing portal.
  • Cloudflare — DDoS protection, edge runtime, and content delivery.
  • Resend — transactional email delivery (invoices, contract requests, portal invites).

6. International transfers

Your data is hosted primarily in the European Union. Where data leaves the UK or EEA, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, and — where applicable — the EU–US Data Privacy Framework.

7. Data retention

We keep account data while your account is active and for up to 90 days after deletion to allow for recovery and dispute resolution. Invoicing and financial records are retained for the period required by HMRC and UK tax law — typically six to seven years from the end of the relevant tax year. After the retention period expires, data is permanently deleted or irreversibly anonymised.

8. Cookies and similar storage

We use a small number of strictly necessary cookies and local storage entries to keep you signed in, remember your currency preferences, and store your cookie choices. Analytics and marketing cookies are only set if you explicitly opt in via our consent banner. You can change your choices at any time.

9. Your rights

Under the UK GDPR and EU GDPR you have the right to:

  • access your personal data (Article 15);
  • rectify inaccurate or incomplete data (Article 16);
  • erase your data (Article 17);
  • restrict processing (Article 18);
  • data portability — receive a copy in a machine-readable format (Article 20);
  • object to processing based on legitimate interests (Article 21);
  • withdraw consent at any time without affecting the lawfulness of prior processing.

You can exercise the rights of access, portability, and erasure self-service from Settings → Privacy & data in your account — export a full JSON copy of your data or permanently delete your account. For any other request, email Support@ProPortalBusiness.com and we will respond within 30 days. UK users may also lodge a complaint with the Information Commissioner's Office (ICO); EU users may complain to their local supervisory authority.

10. UK GDPR and EU GDPR compliance

ProPortalBusiness is committed to the principles of the UK GDPR and EU Regulation 2016/679. In particular:

  • Lawful basis: every processing activity has a documented legal basis (section 3).
  • Data minimisation: we collect only what is needed to operate the service.
  • Purpose limitation: we do not repurpose your data or sell it.
  • Processor agreements: all sub-processors are bound by signed DPAs.
  • Security: TLS 1.2+ in transit, AES-256 at rest, row-level security, principle of least privilege, audited admin access, regular encrypted backups.
  • Breach notification: we will notify the ICO within 72 hours of becoming aware of a personal data breach, and affected users without undue delay where required.

11. Security

We protect your data with TLS 1.2+ in transit, AES-256 encryption at rest, row-level security policies scoped to each authenticated user, server-side authorisation gates on sensitive endpoints, the principle of least privilege for staff access, encrypted off-site backups, and a documented incident-response procedure.

12. Children

ProPortalBusiness is intended for business use and is not directed at children under 16.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice at least 30 days before they take effect.

14. Contact

ProPortalBusiness — United Kingdom
Email: Support@ProPortalBusiness.com