Legal
Privacy Policy
Last updated: 15 June 2026
This Privacy Policy explains how Portivo Estate Suite ("we", "us") collects, uses, discloses, and safeguards your information when you use our property management platform (the "Service"). We are committed to protecting your personal data and handling it in line with the UK GDPR and the Data Protection Act 2018.
1. Who we are
Portivo Estate Suite is the data controller for personal data processed about account holders and website visitors, and a data processor for the property, tenant, vendor, and compliance data that customers upload into their workspace (which we process only on the customer's instructions). If you have any questions, contact us at privacy@portivoestatesuite.com.
2. Information we collect
- Account data: name, work email, scrypt-hashed password, organization, and role (Viewer, Staff, Manager, Admin, or Owner).
- Session and security data: hashed session tokens, IP address, and device/browser information used to authenticate you and protect the account.
- Property and tenancy content: properties, units, and tenancies — including tenant names, tenant email addresses, rent amounts, and payment records you log.
- Maintenance content: work orders, attachments, status timelines, and the vendors you assign — including vendor names, emails, phone numbers, and trades.
- Vendor and tenant portal accounts: provisioned login credentials and the invoices (amounts, invoice numbers, payment status) vendors submit through their portal.
- Compliance content: compliance certificates and renewal dates (gas, electrical, fire safety, and similar).
- Documents: files you upload to your workspace, stored as time-limited, organization-scoped signed URLs.
- Arrears and reminders (Professional plan): arrears detection logs and the staged reminder emails sent to tenants.
- Lead-generation data (Professional plan): business contact search data retrieved on your instruction via our lead-generation sub-processor.
- Billing data: subscription and payment status. Card details are handled entirely by Stripe — we never receive or store full card numbers.
- Usage data: log data, device and browser information, and actions taken in the app, used to operate and improve the Service.
- Cookies: essential cookies for authentication and, with your consent, analytics cookies. See our Cookie Policy.
3. How we use your information
- To provide, maintain, and secure the Service and your account.
- To send transactional messages such as maintenance confirmations, compliance reminders, team invitations, and tenant arrears reminders.
- To operate the tenant and vendor portals and process vendor invoices.
- To improve features, troubleshoot issues, and prevent fraud or abuse.
- To comply with legal obligations, including accounting and tax record-keeping.
4. Legal bases for processing
We process personal data under the following legal bases: performance of a contract (to provide the Service), legitimate interests (to secure and improve the Service), consent (for non-essential cookies and marketing), and legal obligation (for example, financial records). For the tenant, vendor, and compliance data inside a customer's workspace, the customer is the controller and we act on their documented instructions.
5. Sharing and sub-processors
We do not sell your personal data. We share it only with vetted sub-processors who help us run the Service, each bound by appropriate safeguards:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and file storage | EU (Ireland) |
| Vercel | Frontend hosting and CDN | EU edge |
| Render | Backend API hosting | Frankfurt, EU |
| Resend | Transactional email (recipient name and email) | EU |
| Stripe | Payment processing (billing data only) | EU / UK |
| Apollo.io | Lead generation, Professional plan only | US (SCCs) |
6. Data retention
We retain personal data only as long as needed for the purpose it was collected:
- Active accounts and customer content: for the duration of the subscription plus 90 days, then hard-deleted.
- Session tokens: 7 days from issuance, or until logout.
- API request logs: 30 days.
- Arrears reminder logs: 3 years, as evidence for potential legal proceedings.
- Audit trail records: 7 years (legal obligation), anonymised after account deletion.
- Stripe billing records: 7 years (HMRC requirement), managed by Stripe.
7. Security
Passwords are stored using scrypt hashing and session tokens are stored hashed. Data is encrypted in transit (TLS) and access is controlled by organization-scoped, row-level security. Integration credentials are encrypted at rest. We apply least-privilege access and regularly review our controls.
8. Your rights
Subject to applicable law, you have the right to access, correct, delete, restrict, or port your personal data, and to object to processing or withdraw consent. To exercise any right, email privacy@portivoestatesuite.com; we respond within 30 days and can export your data as JSON. You may also lodge a complaint with the Information Commissioner's Office (ICO).
9. International transfers
Your data is primarily processed in the UK/EU (Supabase EU, Vercel EU edge, Render Frankfurt). Where data is transferred outside the UK/EEA — for example, our US-based lead-generation sub-processor — we rely on appropriate safeguards such as the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
10. Changes to this policy
We may update this policy from time to time. Material changes will be notified in-app or by email. Continued use of the Service after changes take effect constitutes acceptance.