Privacy Policy | PORTALD

Overview

PORTALD is a trading name of IT BOFFINS LTD, a company registered in England and Wales with company number 12408554. This Privacy Policy explains how PORTALD handles personal data when you visit the website, create or use a business account, access a client portal, complete forms, upload files, accept agreements, connect Xero or manage billing.

We use clear privacy information because UK GDPR requires personal data to be handled lawfully, fairly and transparently.
The exact data processed depends on how a business configures its portal and which features are enabled.
A business using PORTALD may also need to give its own customers a privacy notice explaining how that business uses personal data inside its portal.
This policy should be read with our Terms of Service and any data processing agreement that applies to a business workspace.

Who is responsible for your data

Data protection law distinguishes between a controller, which decides why and how personal data is used, and a processor, which processes personal data on behalf of a controller.

IT BOFFINS LTD, trading as PORTALD, is usually the controller for website enquiries, demo requests, business account administration, billing, service security, product analytics, support messages and our own legal compliance.
The business that creates a PORTALD workspace is usually the controller for customer records, customer contacts, uploaded files, form answers, agreement documents, agreement acceptances and portal instructions that it manages through PORTALD.
PORTALD is usually the processor for that customer portal data, acting on the business's instructions to host, secure, display, transmit and support it.
Where a business connects Xero or another third-party integration, the business remains responsible for deciding what data should be connected and shown to its customer portal users.
If you are an invited client portal user and your request relates to data controlled by the business that invited you, we may direct you to that business or help them respond.

Registered office: 20 Tanners Drive, Blakelands, Milton Keynes, England, MK14 5BN.

Personal data we may collect

We collect or receive personal data directly from you, from the business that invited you, from team members using a workspace, from connected integrations and from technical systems that keep the service running.

Identity and contact data, such as name, email address, phone number, business name, role, customer organisation and portal invitation details.
Account data, such as login credentials, authentication events, password reset records, tenant memberships, user roles, workspace settings and support preferences.
Business and portal data, such as customer records, contact records, portal branding, support email addresses, custom domains, forms, files, agreement templates, assignment records and acceptance history.
Uploaded content, such as documents, images, proofs of address, IDs, job photos, financial documents, completed forms and other files a business or client portal user chooses to upload.
Xero integration data, such as OAuth connection details, linked contacts, invoice references, invoice status, amounts, dates and simplified finance views where a business connects Xero.
Technical data, such as IP address, device and browser details, user agent, page views, session events, audit logs, security logs, error logs and cookie or similar technology identifiers.
Communications data, such as demo requests, support messages, feedback, email delivery records and administrative correspondence.

How we use personal data

We use personal data only where we have a lawful reason. The lawful basis may differ depending on whether we are acting as controller or processor.

To provide the service, including account creation, sign-in, customer invitations, tenant routing, portal access, file delivery, form completion, agreement acceptance, workspace settings and support.
To manage subscriptions, payments, billing, plan limits, customer service, onboarding and service communications.
To keep PORTALD secure, including authentication, access control, tenant isolation, audit logging, abuse prevention, malware or file validation signals, troubleshooting and incident response.
To operate integrations, including Xero-connected invoice views and any email, hosting, storage, file-scanning, analytics or monitoring provider needed for enabled features.
To improve PORTALD, including product diagnostics, aggregated usage insights, testing, debugging and service reliability work.
To meet legal, tax, accounting, regulatory, dispute resolution and record-keeping obligations.
To send marketing or product updates where permitted by law and your choices. You can opt out of marketing messages at any time.

Common lawful bases include contract, legitimate interests, consent, legal obligation and, where a business controls portal data, the business's own lawful basis under UK GDPR.

Client portal data

A client portal is controlled by the business that invited the client. PORTALD provides the software infrastructure and access controls that allow that business to operate the portal.

The inviting business decides which customers are added, which contacts are invited, what forms and agreements are assigned, which files are shared, and which Xero information is visible.
Client portal users should contact the inviting business first for questions about why data is requested, how long it is kept, or whether a file, form answer or agreement record should be corrected or deleted.
PORTALD may process portal activity records, IP addresses and user agents to provide security, audit history and evidence of actions such as agreement acceptance.
Customer passwords are scoped to the relevant business portal. The same email address may have different credentials for different business portals.
We do not sell client portal content or use it for unrelated advertising.

Files, forms and agreements

PORTALD may store and process sensitive operational documents because businesses use the service for real customer work.

Files may include business records, job photos, onboarding documents, identity documents, financial records, certificates, statements or other material chosen by a business or portal user.
Form answers may include contact details, business information, supporting files, free-text answers and other information requested by the business.
Agreement records may include agreement text, version snapshots, assignment details, acceptance timestamps, user details, IP addresses and user agents.
Businesses should request only the information they need, explain why they need it, and avoid collecting special category or high-risk information unless appropriate safeguards are in place.
PORTALD may use validation, security checks, storage controls and audit logs to protect these records and manage access.

Xero and integrations

Some businesses use PORTALD with third-party integrations. These features may involve additional processing.

When a business connects Xero, PORTALD uses the authorised connection to retrieve and display relevant invoice or contact information for that business and its permitted client portal users.
Xero remains a third-party service with its own terms, privacy notices, permissions and security model.
File-scanning providers may process uploaded file metadata or content where a business has configured scanning for production use.

Cookies and similar technologies

PORTALD may use cookies, local storage and similar technologies to run the website, remember sessions, protect accounts, measure service performance and understand how the product is used.

Strictly necessary cookies support login, security, routing, load balancing, fraud prevention and core service functionality.
Preference cookies or local storage may remember user interface choices or portal settings where enabled.
Analytics or performance technologies may help us understand website visits, product usage, errors and reliability, subject to the consent rules that apply.
You can control cookies through your browser settings, but blocking necessary cookies may stop parts of PORTALD from working.

Where non-essential analytics or marketing cookies are used, PORTALD provides appropriate cookie information and consent controls.

International transfers

Some providers may process personal data outside the UK. When this happens, we use safeguards required by data protection law.

Safeguards may include UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, contractual controls and provider due diligence.
Where a business requires data residency or additional transfer controls, that must be agreed in writing before the relevant data is processed.
Third-party integrations may transfer data according to their own terms and privacy arrangements.

How long data is kept

We keep personal data only for as long as needed for the purpose it was collected, including service delivery, security, legal, accounting, dispute and backup purposes.

Business account and billing records are kept while the account is active and for a reasonable period afterwards for tax, contract and dispute purposes.
Client portal content is kept according to the business workspace settings, the business's instructions, any data processing agreement and practical backup deletion cycles.
Security logs, audit logs and agreement acceptance evidence may be kept for longer where needed to protect accounts, evidence important actions or resolve disputes.
Demo enquiries and marketing records are kept until they are no longer needed or you opt out, subject to any lawful suppression list we need to keep.
Backups are deleted or overwritten on a rolling basis according to our backup procedures.

Your data protection rights

Depending on the context and legal basis, you may have rights over your personal data under UK GDPR.

You may have the right to ask for access to your data, correction of inaccurate data, deletion of data, restriction of processing, objection to processing, data portability and withdrawal of consent.
Some rights are not absolute. For example, data may need to be retained for legal claims, security, tax, audit or contractual reasons.
If your request relates to a client portal controlled by a business, we may need to pass the request to that business or ask you to contact them directly.
To make a request to PORTALD, contact hello@portald.co.uk.
You also have the right to complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.

Security

We use technical and organisational measures designed to protect personal data. Security also depends on how each business configures and manages its workspace.

PORTALD uses account authentication, tenant-scoped access controls, portal membership checks, audit logs and server-side permission checks.
Businesses should use strong passwords, limit team access, remove users who no longer need access, keep customer contact details accurate and review connected integrations.
No online system can be guaranteed to be completely secure. If you believe an account, portal, file or integration has been accessed without permission, contact us promptly.
We may notify affected customers, users, regulators or businesses where required by law or where notice is needed to reduce harm.

Children and regulated data

PORTALD is intended for business use and is not designed for children.

Users must not create accounts for children or knowingly invite children into portals unless this has been expressly agreed and the required safeguards are in place.
Businesses must not use PORTALD for special category, criminal offence, medical, financial-regulated or other high-risk data unless their plan and written agreement permit it.
If you believe a child has provided personal data to PORTALD without appropriate authority, contact us so the issue can be reviewed.

Changes and contact

We may update this Privacy Policy as PORTALD develops, legal requirements change or new features are added.

The latest version will be posted on this page with a new update date.
Where changes are material, we will take reasonable steps to bring them to the attention of affected users or businesses.
Questions about this policy can be sent to hello@portald.co.uk.
You can also read our Terms of Service.

Overview

We use clear privacy information because UK GDPR requires personal data to be handled lawfully, fairly and transparently.
The exact data processed depends on how a business configures its portal and which features are enabled.
A business using PORTALD may also need to give its own customers a privacy notice explaining how that business uses personal data inside its portal.
This policy should be read with our Terms of Service and any data processing agreement that applies to a business workspace.

Who is responsible for your data

Data protection law distinguishes between a controller, which decides why and how personal data is used, and a processor, which processes personal data on behalf of a controller.

IT BOFFINS LTD, trading as PORTALD, is usually the controller for website enquiries, demo requests, business account administration, billing, service security, product analytics, support messages and our own legal compliance.
The business that creates a PORTALD workspace is usually the controller for customer records, customer contacts, uploaded files, form answers, agreement documents, agreement acceptances and portal instructions that it manages through PORTALD.
PORTALD is usually the processor for that customer portal data, acting on the business's instructions to host, secure, display, transmit and support it.
Where a business connects Xero or another third-party integration, the business remains responsible for deciding what data should be connected and shown to its customer portal users.
If you are an invited client portal user and your request relates to data controlled by the business that invited you, we may direct you to that business or help them respond.

Registered office: 20 Tanners Drive, Blakelands, Milton Keynes, England, MK14 5BN.

Personal data we may collect

Identity and contact data, such as name, email address, phone number, business name, role, customer organisation and portal invitation details.
Account data, such as login credentials, authentication events, password reset records, tenant memberships, user roles, workspace settings and support preferences.
Business and portal data, such as customer records, contact records, portal branding, support email addresses, custom domains, forms, files, agreement templates, assignment records and acceptance history.
Uploaded content, such as documents, images, proofs of address, IDs, job photos, financial documents, completed forms and other files a business or client portal user chooses to upload.
Xero integration data, such as OAuth connection details, linked contacts, invoice references, invoice status, amounts, dates and simplified finance views where a business connects Xero.
Technical data, such as IP address, device and browser details, user agent, page views, session events, audit logs, security logs, error logs and cookie or similar technology identifiers.
Communications data, such as demo requests, support messages, feedback, email delivery records and administrative correspondence.

How we use personal data

We use personal data only where we have a lawful reason. The lawful basis may differ depending on whether we are acting as controller or processor.

To provide the service, including account creation, sign-in, customer invitations, tenant routing, portal access, file delivery, form completion, agreement acceptance, workspace settings and support.
To manage subscriptions, payments, billing, plan limits, customer service, onboarding and service communications.
To keep PORTALD secure, including authentication, access control, tenant isolation, audit logging, abuse prevention, malware or file validation signals, troubleshooting and incident response.
To operate integrations, including Xero-connected invoice views and any email, hosting, storage, file-scanning, analytics or monitoring provider needed for enabled features.
To improve PORTALD, including product diagnostics, aggregated usage insights, testing, debugging and service reliability work.
To meet legal, tax, accounting, regulatory, dispute resolution and record-keeping obligations.
To send marketing or product updates where permitted by law and your choices. You can opt out of marketing messages at any time.

Common lawful bases include contract, legitimate interests, consent, legal obligation and, where a business controls portal data, the business's own lawful basis under UK GDPR.

Client portal data

A client portal is controlled by the business that invited the client. PORTALD provides the software infrastructure and access controls that allow that business to operate the portal.

The inviting business decides which customers are added, which contacts are invited, what forms and agreements are assigned, which files are shared, and which Xero information is visible.
Client portal users should contact the inviting business first for questions about why data is requested, how long it is kept, or whether a file, form answer or agreement record should be corrected or deleted.
PORTALD may process portal activity records, IP addresses and user agents to provide security, audit history and evidence of actions such as agreement acceptance.
Customer passwords are scoped to the relevant business portal. The same email address may have different credentials for different business portals.
We do not sell client portal content or use it for unrelated advertising.

Files, forms and agreements

PORTALD may store and process sensitive operational documents because businesses use the service for real customer work.

Files may include business records, job photos, onboarding documents, identity documents, financial records, certificates, statements or other material chosen by a business or portal user.
Form answers may include contact details, business information, supporting files, free-text answers and other information requested by the business.
Agreement records may include agreement text, version snapshots, assignment details, acceptance timestamps, user details, IP addresses and user agents.
Businesses should request only the information they need, explain why they need it, and avoid collecting special category or high-risk information unless appropriate safeguards are in place.
PORTALD may use validation, security checks, storage controls and audit logs to protect these records and manage access.

Xero and integrations

Some businesses use PORTALD with third-party integrations. These features may involve additional processing.

When a business connects Xero, PORTALD uses the authorised connection to retrieve and display relevant invoice or contact information for that business and its permitted client portal users.
Xero remains a third-party service with its own terms, privacy notices, permissions and security model.
File-scanning providers may process uploaded file metadata or content where a business has configured scanning for production use.

Cookies and similar technologies

PORTALD may use cookies, local storage and similar technologies to run the website, remember sessions, protect accounts, measure service performance and understand how the product is used.

Strictly necessary cookies support login, security, routing, load balancing, fraud prevention and core service functionality.
Preference cookies or local storage may remember user interface choices or portal settings where enabled.
Analytics or performance technologies may help us understand website visits, product usage, errors and reliability, subject to the consent rules that apply.
You can control cookies through your browser settings, but blocking necessary cookies may stop parts of PORTALD from working.

Where non-essential analytics or marketing cookies are used, PORTALD provides appropriate cookie information and consent controls.

International transfers

Some providers may process personal data outside the UK. When this happens, we use safeguards required by data protection law.

Safeguards may include UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, contractual controls and provider due diligence.
Where a business requires data residency or additional transfer controls, that must be agreed in writing before the relevant data is processed.
Third-party integrations may transfer data according to their own terms and privacy arrangements.

How long data is kept

We keep personal data only for as long as needed for the purpose it was collected, including service delivery, security, legal, accounting, dispute and backup purposes.

Business account and billing records are kept while the account is active and for a reasonable period afterwards for tax, contract and dispute purposes.
Client portal content is kept according to the business workspace settings, the business's instructions, any data processing agreement and practical backup deletion cycles.
Security logs, audit logs and agreement acceptance evidence may be kept for longer where needed to protect accounts, evidence important actions or resolve disputes.
Demo enquiries and marketing records are kept until they are no longer needed or you opt out, subject to any lawful suppression list we need to keep.
Backups are deleted or overwritten on a rolling basis according to our backup procedures.

Your data protection rights

Depending on the context and legal basis, you may have rights over your personal data under UK GDPR.

You may have the right to ask for access to your data, correction of inaccurate data, deletion of data, restriction of processing, objection to processing, data portability and withdrawal of consent.
Some rights are not absolute. For example, data may need to be retained for legal claims, security, tax, audit or contractual reasons.
If your request relates to a client portal controlled by a business, we may need to pass the request to that business or ask you to contact them directly.
To make a request to PORTALD, contact hello@portald.co.uk.
You also have the right to complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.

Security

We use technical and organisational measures designed to protect personal data. Security also depends on how each business configures and manages its workspace.

PORTALD uses account authentication, tenant-scoped access controls, portal membership checks, audit logs and server-side permission checks.
Businesses should use strong passwords, limit team access, remove users who no longer need access, keep customer contact details accurate and review connected integrations.
No online system can be guaranteed to be completely secure. If you believe an account, portal, file or integration has been accessed without permission, contact us promptly.
We may notify affected customers, users, regulators or businesses where required by law or where notice is needed to reduce harm.

Children and regulated data

PORTALD is intended for business use and is not designed for children.

Users must not create accounts for children or knowingly invite children into portals unless this has been expressly agreed and the required safeguards are in place.
Businesses must not use PORTALD for special category, criminal offence, medical, financial-regulated or other high-risk data unless their plan and written agreement permit it.
If you believe a child has provided personal data to PORTALD without appropriate authority, contact us so the issue can be reviewed.

Changes and contact

We may update this Privacy Policy as PORTALD develops, legal requirements change or new features are added.

The latest version will be posted on this page with a new update date.
Where changes are material, we will take reasonable steps to bring them to the attention of affected users or businesses.
Questions about this policy can be sent to hello@portald.co.uk.
You can also read our Terms of Service.

Overview

Who is responsible for your data

Personal data we may collect

How we use personal data

Client portal data

Files, forms and agreements

Xero and integrations

Cookies and similar technologies

Who we share data with

International transfers

How long data is kept

Your data protection rights

Security

Children and regulated data

Changes and contact

Overview

Who is responsible for your data

Personal data we may collect

How we use personal data

Client portal data

Files, forms and agreements

Xero and integrations

Cookies and similar technologies

Who we share data with

International transfers

How long data is kept

Your data protection rights

Security

Children and regulated data

Changes and contact