Privacy Policy

Last updated: 12 February 2026

1. Introduction

SecPortal ("we", "us", "our") is a trading name of XYGEN Ltd, a company registered in England and Wales. We operate the secportal.io platform and any associated sub-domains (collectively, the "Service").

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the choices you have in relation to your data. By accessing or using the Service you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use the Service.

2. Data Controller

For the purposes of applicable data-protection legislation (including, where applicable, the UK General Data Protection Regulation and the Data Protection Act 2018), the data controller is XYGEN Ltd, contactable at legal@secportal.io.

3. Information We Collect

We collect the following categories of information:

3.1 Information You Provide Directly

  • Account Registration Data: Full name, email address, and password (hashed; we never store plaintext passwords). For workspace owners: company or consultancy name.
  • Workspace Content: Client records, engagement details, security findings (including severity ratings, descriptions, remediation notes, CVSS vectors), documents, invoices, messages, and comments you create within the Service.
  • Communications: Any emails, support requests, or feedback you send to us.

3.2 Information Collected Automatically

  • Device & Browser Information: IP address, browser type and version, operating system, device type, and screen resolution.
  • Usage Data: Pages visited, features used, timestamps of actions, referral URLs, and click patterns.
  • Log Data: Server logs containing request metadata such as HTTP method, URL path, response status codes, and response times.

3.3 Information from Third Parties

  • Stripe: When you connect a Stripe account or make a payment, Stripe may share transaction identifiers, payment status, and limited account details with us. We never receive or store full card numbers.
  • Authentication Providers: If you use a magic-link or third-party authentication flow, we receive the email address and authentication token from the identity provider.

4. Legal Bases for Processing

We process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to provide the Service you have signed up for (account management, data storage, invoicing, email notifications).
  • Legitimate Interests: Improving the Service, preventing fraud, ensuring security, and analysing aggregated usage patterns. We balance these interests against your rights and freedoms.
  • Consent: Where you have given explicit consent, for example by agreeing to receive non-essential communications. You may withdraw consent at any time.
  • Legal Obligation: Where processing is required to comply with applicable laws, regulations, or court orders.

5. How We Use Your Information

  • Provide, operate, maintain, and improve the Service.
  • Authenticate users and manage sessions.
  • Process payments, manage subscriptions, and facilitate invoice payments via Stripe Connect.
  • Send transactional emails including account verification, password resets, invoice notifications, payment confirmations, team invitations, and client portal invitations.
  • Generate AI-powered reports and chat responses when you use these features (Pro and Team plans).
  • Monitor for and prevent abuse, fraud, and security threats.
  • Enforce our Terms of Service.
  • Comply with legal obligations and respond to lawful requests from authorities.
  • Produce anonymised, aggregated analytics to understand platform usage (no individual users are identifiable in these analytics).

6. Data Storage, Security & Infrastructure

Your data is hosted on infrastructure provided by our sub-processors (see Section 7). We implement the following security measures:

  • Encryption in Transit: All communications between your browser and our servers are encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Database contents and stored files are encrypted at rest using AES-256 or equivalent.
  • Tenant Isolation: Row-level security (RLS) policies enforce strict data isolation between workspaces. No workspace can access another workspace's data.
  • Role-Based Access Control: Within each workspace, team members are assigned roles (Owner, Admin, Member, Viewer) that restrict access to features and data according to the principle of least privilege.
  • Document Storage: Uploaded files are stored in private storage buckets. Access is granted only through short-lived, signed URLs.
  • Password Security: Passwords are hashed using industry-standard algorithms. We never store or log plaintext passwords.
  • Rate Limiting: Authentication endpoints are rate-limited to mitigate brute-force attacks.

While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security and accept no liability for unauthorised access that occurs despite our reasonable security measures.

7. Third-Party Sub-Processors

We share personal data with the following third-party service providers solely to operate the Service. Each provider processes data in accordance with their own privacy policies and applicable data-protection agreements:

  • Supabase (US/EU). Purpose: database hosting, authentication, file storage. Data shared: all workspace content, account data, uploaded documents.
  • Stripe (US). Purpose: payment processing, subscription billing, Connect payouts. Data shared: email, payment method tokens, invoice amounts, Stripe account IDs.
  • Resend (US). Purpose: transactional email delivery. Data shared: recipient email, email subject, email body content.
  • Anthropic (US). Purpose: AI report generation and chat (Pro/Team plans only). Data shared: engagement findings and workspace context sent as prompts. Data is not used to train AI models.
  • Vercel (US). Purpose: application hosting and edge network. Data shared: server logs, request metadata, IP addresses.
  • PostHog (US). Purpose: product analytics (consent required). Data shared: page views, click patterns, device info, IP address (only when you consent).

8. International Data Transfers

Some of our sub-processors are based in the United States. Where data is transferred outside the United Kingdom or the European Economic Area, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms recognised under applicable data-protection law. By using the Service, you acknowledge and consent to such transfers.

9. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We disclose data only in the following circumstances:

  • Sub-Processors: As described in Section 7, solely to operate the Service.
  • Within Your Workspace: Data you store in a workspace is accessible to other workspace members according to their assigned roles.
  • Client Portals: If you invite a client to a portal, they can view the engagements and findings you have granted them access to.
  • Legal Requirements: If required by law, regulation, subpoena, court order, or governmental request.
  • Safety & Enforcement: To protect the rights, property, or safety of SecPortal, our users, or the public; or to enforce our Terms of Service.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy.

10. Data Retention

  • Account Data: Retained for as long as your account is active, plus a reasonable period afterwards to comply with legal obligations, resolve disputes, and enforce agreements.
  • Workspace Content: Retained for as long as the workspace exists. When a workspace owner requests account deletion, all associated workspace data (clients, engagements, findings, documents, invoices, messages) is permanently deleted within 30 days.
  • Activity Logs: Automatically purged based on your plan tier (Starter: 30 days, Pro: 90 days, Team: 365 days).
  • Server Logs: Retained for up to 90 days for operational and security monitoring purposes, then automatically deleted.
  • Backup Data: Database backups may retain data for up to 30 days after deletion from the live system.

11. Account Deletion

You may request deletion of your account and all associated data at any time by emailing support@secportal.io from the email address associated with your account. Upon receiving a verified deletion request:

  • Your account will be deactivated immediately.
  • All workspace data (clients, engagements, findings, documents, invoices, comments, messages, and activity logs) will be permanently and irreversibly deleted within 30 days.
  • Any active subscriptions will be cancelled and no further charges will be made.
  • Uploaded documents will be removed from storage buckets.
  • Data that has already been shared with third-party sub-processors (e.g. emails delivered via Resend, payments processed via Stripe) is subject to those providers' own retention policies and cannot be recalled by us.

Please note that deletion is permanent and cannot be reversed. We recommend exporting any data you wish to keep before requesting deletion.

12. Your Rights

Depending on your jurisdiction, you may have the following rights under applicable data-protection law:

12.1 United States (CCPA/CPRA — California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: Request deletion of your personal information (see Section 11).
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Other US states (Virginia, Colorado, Connecticut, Utah, and others) provide similar privacy rights. We extend the rights described above to all US residents regardless of state.

12.2 United Kingdom & European Economic Area (GDPR)

If you are in the UK or EEA, you have the following rights under the UK GDPR / EU GDPR:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data (see Section 11).
  • Right to Restriction: Request that we restrict processing of your data in certain circumstances.
  • Right to Data Portability: Request your data in a structured, machine-readable format (CSV/JSON exports are available within the Service).
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email us at legal@secportal.io. We will respond within 30 days (or 45 days for CCPA requests where an extension is necessary). We may request identity verification before processing your request.

13. Cookies & Local Storage

We use the following types of cookies and browser storage:

  • Essential / Authentication Cookies: Required for user authentication and session management. These cannot be disabled without losing access to the Service.
  • Analytics Cookies (consent required): We use PostHog for product analytics to understand how the Service is used and to improve it. These cookies are only set after you give explicit consent via the cookie banner. You can withdraw consent at any time by clearing your browser's local storage.
  • Local Storage: Used to store user preferences (e.g. sidebar state, cookie consent choice) locally on your device.

We do not use advertising cookies, tracking pixels, or cross-site tracking. We do not participate in any ad networks.

14. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect, and update the "Last updated" date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree with the changes, you should stop using the Service and request account deletion.

16. Contact

For privacy-related enquiries, data requests, or complaints: