Privacy Policy
Last updated: 2026-03-11
This Privacy Policy describes how Portfolio Studio ("we", "us", "our"), based in British Columbia, Canada, collects, uses, stores, and protects your personal information when you use our website and services (the "Service"). By using the Service, you agree to the practices described in this policy.
1. Information We Collect
1.1 Information You Provide
- Account data: Name, email address, and password when you register, or profile information from Google if you sign in with Google OAuth.
- Content data: Prompts, chat conversations, generated code, project metadata, and any files or text you upload to the Service.
- Payment data: When you make a purchase, Stripe (our payment processor) collects your payment information. We receive your Stripe customer ID, transaction history, and plan status but do not store credit card numbers on our servers.
- Domain registrant data: If you purchase a domain through the Service, we collect registrant contact information (name, email, phone number, mailing address) as required by ICANN for domain registration.
- Communications: Any messages you send to us via email for support or inquiries.
1.2 Information Collected Automatically
- Usage data: Pages visited, features used, clicks, and interactions within the Service (collected via Mixpanel when analytics are enabled).
- Session recordings: Anonymized session recordings of product interactions (via Mixpanel, when analytics are enabled).
- Device and technical data: IP address, browser type and version, operating system, device type, and referring URL.
- Cookies and local storage: See our Cookies & Tracking page for details.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service, including AI-powered code generation, deployment, and hosting.
- Process payments and manage your account and purchases.
- Register and manage domain names on your behalf through our registrar partner.
- Send you transactional emails (account verification, purchase confirmations, domain notifications, security alerts).
- Analyze product usage to improve reliability, performance, and user experience (when analytics are enabled).
- Detect and prevent fraud, abuse, and security threats.
- Comply with legal obligations.
We do not use your prompts, conversations, or generated content to train AI models. Your content is used solely to provide the Service to you.
3. Third-Party Services & Data Sharing
We share information with the following third-party service providers solely as necessary to operate the Service. We do not sell your personal information.
| Service | Data Shared | Purpose |
|---|---|---|
| OpenRouter / Google AI | Prompts, conversation context | AI code generation |
| Stripe | Email, payment details | Payment processing |
| Cloudflare | Deployed site content, visitor traffic | CDN, hosting, DNS |
| OpenProvider | Registrant contact info | Domain registration |
| Mixpanel | User ID, events, device info | Product analytics |
| Flagsmith | Anonymous user ID | Feature flags |
| Resend | Email address | Transactional email |
| E2B | Generated code | Code sandbox preview |
| Google OAuth | OAuth tokens, profile info | Social login |
Each provider operates under their own privacy policy. We may also share information if required by law, legal process, or to protect the rights, property, or safety of Portfolio Studio, our users, or the public.
4. AI-Specific Disclosures
- When you use AI generation features, your prompts and conversation context are sent to third-party AI model providers (currently Google, via OpenRouter) for processing.
- We do not use your prompts or AI-generated outputs to train or fine-tune any AI models. Your content is processed solely to generate a response for you.
- Third-party AI providers process your data according to their own terms and privacy policies. Under standard API terms, most providers do not use API inputs or outputs for model training.
- AI-generated outputs may be stored as part of your project data and are subject to the same retention and deletion policies as other User Content.
5. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30-day grace period |
| Projects and generated content | Until account deletion |
| Payment and billing records | 7 years (tax and legal requirements) |
| Domain registrant data | 2 years after registration ends (ICANN requirement) |
| Analytics data | Per Mixpanel retention settings |
| Server logs | 90 days |
| Backups | Purged within 30 days of data deletion |
6. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you. You can export your data from Settings .
- Deletion: Request deletion of your account and personal data. You can delete your account from Settings .
- Correction: Update your personal information through your Profile .
- Portability: Export your data in a machine-readable format via the data export feature.
- Opt out of tracking: Disable analytics and session recording on the Cookies & Tracking page.
- Non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
Do Not Sell: We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising.
To exercise any of these rights, email us at [email protected] . We will respond within 30 days (or 45 days if an extension is necessary, in which case we will notify you).
7. International Data Transfers
Portfolio Studio is based in Canada. Your data may be processed in Canada, the United States, and other countries where our service providers operate. By using the Service, you consent to the transfer of your information to these countries. Canada is recognized by the European Commission as providing an adequate level of data protection. For transfers to other countries, we rely on the data protection commitments of our service providers.
8. Security
We use commercially reasonable measures to protect your personal information, including:
- Encryption in transit (TLS/HTTPS) for all data transmission.
- Passwords are stored using secure one-way hashing (bcrypt).
- Credit card information is handled entirely by Stripe and never touches our servers.
- Access controls to limit internal access to personal data.
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
9. Children's Privacy
The Service is not directed at children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If we learn that we have collected information from a child below the applicable age threshold, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at [email protected] .
10. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users by email within 72 hours of becoming aware of the breach. We will also notify relevant authorities as required by applicable law.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or a prominent in-app notification. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.
12. Contact
If you have questions or concerns about this Privacy Policy or our data practices, contact us at [email protected] .