Privacy Policy

1. Introduction

PortalPage is a link-in-bio platform that allows users to create a personalized public profile page, aggregate their links, host media, and track engagement analytics. This Privacy Policy governs all data collection, processing, and storage activities associated with:

• Our main website at portalpage.app
• User profile pages at [username].portalpage.app
• Our admin dashboard and account management tools
• Our APIs and integrations
• Any other products or services linking to this policy

By accessing or using PortalPage, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use our services.

We are committed to handling your personal data responsibly and in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy legislation.

2. Information We Collect

2.1 Account Registration Data

When you create an account with an email address and password, we collect:

• Email address — used for authentication, account recovery, and service communications
• Username / Handle — your public subdomain identifier (e.g., yourname.portalpage.app)
• Password — stored only as a one-way bcrypt hash; we never store your plaintext password
• Page title — the display name for your public profile
• Account creation timestamp
• Email verification status and timestamp

2.2 OAuth / Social Sign-In Data

When you choose to register or log in via a third-party OAuth provider (Google, GitHub, or Discord), we receive limited profile data from that provider. The specific data received is detailed in Sections 3, 4, and 5 below. In all cases, we store:

• Your email address as provided by the OAuth provider
• Your display name (to pre-fill your page title)
• Your profile picture URL (if provided by the platform)
• A provider-specific user ID to link your PortalPage account to your OAuth account
• OAuth access tokens and refresh tokens (stored encrypted for session management only)

We do not store OAuth tokens beyond what is necessary for account linking and session management, and we do not use OAuth tokens to access your data on the provider's platform beyond the initial authentication.

2.3 Profile and Page Content

As you customize your PortalPage profile, we store:

• Profile information — bio, display name, avatar image or emoji, theme color
• Links — titles, URLs, icons, and display preferences for each link you add
• Design settings — background, theme, fonts, button styles, animation preferences
• Media uploads — images, videos, and other files you upload to your page or media library
• Blocks — any content blocks such as text, embeds, or galleries you add to your page
• Custom domain settings — if applicable

2.4 Analytics and Usage Data

To provide you with analytics about your page's performance, we collect the following data when visitors access your public profile page:

• Page views — timestamp and count of visits to your public page
• Link clicks — which links were clicked and when
• Referrer information — the URL from which visitors arrived
• Geographic data — country and region derived from IP address (IP addresses are not stored long-term)
• Device type and browser — general category (mobile/desktop, browser family) derived from user agent strings
• UTM parameters — campaign tracking parameters appended to your link URLs

Analytics data is aggregated and associated with your page, not with individual end users. We do not build individual profiles of your page visitors.

2.5 Support and Feedback Data

If you use our support ticket system, feedback widget, or public roadmap features, we collect:

• The content of your support messages and any attached screenshots
• Ticket status, priority, and category information
• Internal notes added by our support team
• Roadmap votes and feature requests you submit
• Notification preferences and read status

2.6 Technical and Log Data

When you use our platform, our servers automatically collect:

• IP address — used for rate limiting, security monitoring, and coarse geographic analytics; not stored in long-term user records
• Browser type and version
• Operating system
• Timestamps of requests
• Session identifiers — stored in encrypted, server-side sessions
• Error logs — diagnostic information when errors occur
• HTTP request metadata — method, path, response code, duration

3. Google OAuth — Data Access and Use

3.1 What Google Data We Request

When you choose to sign in or sign up with Google, PortalPage requests access to the following Google API scopes:

• email — Your Google account email address, used to create and identify your PortalPage account
• profile — Your basic Google profile, including your display name and profile photo URL
• openid — A stable identifier that allows PortalPage to recognize your Google account without storing your full credentials

3.2 What Google Data We Do NOT Request

We explicitly do not request access to, and will never access:

• Gmail or email content
• Google Drive, Docs, Sheets, or any Google Workspace files
• Google Calendar or contacts
• Google Search history or YouTube watch history
• Google Ads or billing data
• Any other Google service data beyond basic profile and email

3.3 How We Use Google Data

Google user data received by PortalPage is used solely for the following purposes:

• Account creation — to create your PortalPage account using your email as the identifier
• Authentication — to log you in on subsequent visits without requiring a password
• Profile pre-population — your display name is used to pre-fill your PortalPage display name; your profile photo URL may be used as your initial avatar
• Account security — to send you security-related notifications (e.g., new login alerts)

We do not use Google user data to:

• Serve you targeted advertising
• Sell your data to third parties
• Build advertising profiles
• Analyze your behavior across other websites or services

3.4 Google Data Sharing

Data obtained from Google APIs is not shared with third parties, except:

• As required by law or court order
• With service providers who operate our infrastructure (hosting, database), bound by data processing agreements

PortalPage's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

3.5 Revoking Google Access

You can revoke PortalPage's access to your Google account at any time by visiting your Google Account Permissions page and removing PortalPage. This will not delete your PortalPage account but will disable Google Sign-In for it. You can always set a password in your account settings to continue using PortalPage.

4. GitHub OAuth — Data Access and Use

4.1 What GitHub Data We Request

When you sign in or sign up with GitHub, PortalPage requests:

• User email — your primary verified GitHub email address, used to create and identify your PortalPage account
• Public profile — your GitHub username, display name, and avatar URL
• GitHub user ID — a stable numeric ID used to link your GitHub account to your PortalPage account

We request read-only access to your public profile only. We do not request access to your repositories, code, organizations, SSH keys, gists, or any other GitHub data.

4.2 How We Use GitHub Data

GitHub data is used solely to create your PortalPage account, authenticate you on login, and pre-populate your profile display name and avatar. We do not use GitHub data for advertising, profiling, or any purpose beyond authentication and initial profile setup.

4.3 Revoking GitHub Access

You can revoke PortalPage's access to your GitHub account at any time by visiting GitHub Settings → Applications → Authorized OAuth Apps and revoking PortalPage. This disables GitHub Sign-In for your account but does not delete your PortalPage account.

5. Discord OAuth — Data Access and Use

5.1 What Discord Data We Request

When you sign in or sign up with Discord, PortalPage requests:

• Email address — your verified Discord account email, used to create and identify your PortalPage account
• Username, display name, bio, and locale — your Discord identity details, used to pre-fill and sync optional profile features
• Avatar, banner, accent color, and avatar decoration data — used for optional Discord profile display features on your PortalPage page
• Discord user ID — used to uniquely link your Discord account to your PortalPage account
• Discord public account flags — used to power optional Discord badge-style display features on your page
• Discord server list and membership data — only used to power optional Discord server and member display features when you enable them

We do not request access to your Discord messages, direct messages, friends list, or chat content. We do not read your server conversations. If you enable Discord display features, PortalPage may request limited server list and membership information needed to render those features on your page.

5.2 How We Use Discord Data

Discord data is used to create your PortalPage account, authenticate you on login, and power optional Discord-linked profile features such as synced profile identity, avatar presentation, and Discord server/member display. We do not use Discord data for advertising or unrelated profiling.

5.3 Revoking Discord Access

You can revoke PortalPage's access to your Discord account at any time through Discord User Settings → Authorized Apps and deauthorizing PortalPage.

6. How We Use Your Information

We use the information we collect to:

6.1 Provide and Operate the Service

• Create and manage your account
• Host and serve your public profile page
• Process and display your links, media, and page content
• Authenticate your identity and maintain session security
• Provide customer support through our ticketing system

6.2 Improve the Service

• Analyze aggregate usage patterns to improve platform features
• Debug and fix errors and technical issues
• Develop new features based on user feedback and usage data
• Monitor platform performance and uptime

6.3 Communicate with You

• Send transactional emails (account creation, email verification, password reset)
• Notify you of support ticket updates and replies
• Send important security notifications (e.g., new login from unrecognized device)
• Inform you of material changes to our Terms of Service or Privacy Policy

We do not send unsolicited marketing emails. You will only receive communications that are directly relevant to your account activity or security.

6.4 Safety and Security

• Detect and prevent fraud, abuse, and unauthorized access
• Enforce our Terms of Service and Acceptable Use Policy
• Comply with legal obligations and respond to lawful requests
• Protect the rights, property, and safety of PortalPage and its users

6.5 Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), the UK, and Switzerland, our legal bases for processing personal data are:

• Contract performance — processing necessary to provide the service you signed up for
• Legitimate interests — security monitoring, fraud prevention, service improvement, and analytics
• Legal obligation — complying with applicable laws and regulations
• Consent — where we have requested and you have given explicit consent (e.g., optional communications)

7. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We share data only in the following limited circumstances:

7.1 Infrastructure and Service Providers

We use trusted third-party providers to operate our infrastructure. These providers access your data only as necessary to perform services on our behalf and are bound by data processing agreements requiring them to maintain confidentiality and security:

• Hosting and server infrastructure — to store and serve your account data and public pages
• Database services — to persist your account, page, and analytics data
• Email delivery services — to send transactional emails (verification, password reset)
• CDN (Content Delivery Network) — to deliver your media and page assets globally with low latency

7.2 Public Information

Your public profile page (at [handle].portalpage.app) is publicly accessible by default. This includes your page name, bio, profile picture, links, and any content blocks you have added. You can set your page to private in your dashboard settings at any time.

7.3 Legal Requirements

We may disclose your information if we believe disclosure is required to:

• Comply with a valid legal obligation, court order, subpoena, or government request
• Enforce our Terms of Service
• Protect the safety of any person
• Protect against fraud, security threats, or illegal activity
• Protect the rights or property of PortalPage

Where permitted by law, we will notify you of any such legal request before disclosing your data.

7.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, reorganization, or sale of all or a portion of our assets, your information may be transferred to the successor entity. You will be notified via email and/or a prominent notice on our website of any such change in ownership or control. The successor entity would be bound by this Privacy Policy or a substantially similar one.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the service. Specifically:

• Account data — retained for the lifetime of your account and for up to 90 days after deletion to allow for recovery
• Analytics data — retained for up to 24 months in aggregate form, then anonymized or deleted
• Support tickets — retained for 2 years after closure for audit and quality purposes
• Server logs — retained for up to 90 days for security and debugging
• Uploaded media — retained for the lifetime of your account; deleted within 30 days of account deletion
• OAuth tokens — retained only for active sessions; invalidated upon logout or token expiry

When you delete your account, we initiate deletion of your personal data within 30 days, except where we are required by law to retain it longer, or where it is necessary for legitimate security or legal purposes.

9. Your Privacy Rights

9.1 Rights for All Users

Regardless of your location, you have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate or incomplete data
• Deletion — request deletion of your personal data (subject to legal retention requirements)
• Portability — receive your data in a machine-readable format
• Opt-out of communications — unsubscribe from any non-essential email communications

9.2 GDPR Rights (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the GDPR:

• Right to restriction — request that we limit processing of your data in certain circumstances
• Right to object — object to processing based on legitimate interests or for direct marketing
• Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
• Right to lodge a complaint — file a complaint with your local data protection authority (DPA)

9.3 California Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to know — know what personal information we collect, use, and disclose
• Right to delete — request deletion of your personal information
• Right to correct — request correction of inaccurate personal information
• Right to opt out of sale — we do not sell personal information, so this right is not applicable, but we affirm this commitment
• Right to non-discrimination — we will not discriminate against you for exercising your privacy rights

California residents may exercise these rights by contacting us at [email protected]. We will respond within 45 days as required by law.

9.4 Exercising Your Rights

To exercise any of your privacy rights, please contact us at [email protected]. We will verify your identity before processing requests. We will respond within 30 days (or as required by applicable law).

10. Cookies and Tracking Technologies

PortalPage uses cookies and similar technologies to operate the service. We do not use third-party advertising cookies or tracking pixels.

10.1 Essential Cookies

These cookies are required for the service to function and cannot be disabled:

• Session cookie — maintains your logged-in state; expires when you close your browser or after 30 days of inactivity
• CSRF token — a security token embedded in forms to prevent cross-site request forgery attacks

10.2 What We Do NOT Use

• No third-party advertising or tracking cookies
• No Google Analytics, Facebook Pixel, or similar cross-site tracking
• No fingerprinting or behavioral tracking across websites

Because we only use essential cookies necessary for the service to function, we do not require a cookie consent banner. However, you can disable cookies in your browser settings — doing so will prevent you from logging in or using authenticated features.

11. Third-Party Services and Links

PortalPage integrates with and links to third-party services in the following ways:

• OAuth providers (Google, GitHub, Discord) — covered in Sections 3, 4, and 5 above
• Google Fonts — we load fonts from Google Fonts CDN, which may log your IP address; see Google's Privacy Policy
• Iconify API — used to search and display icons; your icon search queries may be sent to the Iconify API
• External links on user pages — when visitors click links on your public page, they are redirected to external websites governed by those sites' own privacy policies

PortalPage is not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policies of any external sites you visit.

12. Children's Privacy

PortalPage is not directed to children under the age of 13 (or 16 in the European Union). We do not knowingly collect personal information from children under these ages.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected]. We will take steps to delete such information promptly.

We comply with the Children's Online Privacy Protection Act (COPPA) and applicable international regulations regarding children's online privacy.

13. International Data Transfers

PortalPage operates servers that may be located in various countries. If you are located outside the country where our servers are hosted, your personal data may be transferred to and processed in that country, which may have different data protection laws than your country of residence.

For transfers of personal data from the EEA, UK, or Switzerland to countries without an adequacy decision from the European Commission, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) as approved by the European Commission, or other legally recognized transfer mechanisms.

By using PortalPage, you consent to the transfer of your information to countries outside your own, including the processing of your data in countries that may have different data protection laws.

14. Security

We implement industry-standard security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption in transit — all data transmitted to and from PortalPage is encrypted using TLS (HTTPS)
• Password hashing — passwords are stored using bcrypt with a high work factor; we never store plaintext passwords
• Session security — sessions use cryptographically random identifiers and are stored server-side
• CSRF protection — all state-modifying requests require a valid CSRF token
• Rate limiting — authentication and API endpoints are rate-limited to prevent brute-force attacks
• Access controls — internal access to user data is restricted to authorized personnel on a need-to-know basis

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach that affects your personal data, we will notify you and the relevant authorities as required by applicable law.

If you discover a security vulnerability, please report it responsibly to [email protected].

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

• Update the "Last Updated" date at the top of this page
• Send an email notification to all registered users for material changes
• Display a notice on our website for a reasonable period after significant changes

Your continued use of PortalPage after any changes to this Privacy Policy constitutes your acceptance of the revised policy. If you do not agree to the changes, please delete your account and stop using our service.

16. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us: