Portal AI Platform Privacy Policy
Last updated: July 8, 2026
Portal AI Inc. (“Portal”, “we”, “us”, or “our”) operates Portal AI Platform, including platform.portal.ai, CoreX private access, Portal APIs, dashboards, keys, prepaid credits, modules, documentation, and related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, retain, and protect information in connection with the Service.
This policy applies to the developer and business platform. Portal One+ consumer assistant services may have additional or separate privacy terms.
1. Information We Collect
We collect the following categories of information:
Account and contact information. Name, email address, organization, role, account identifiers, authentication tokens, partner or referral code, and communications with us.
Customer Data. Prompts, messages, inputs, files, API payloads, context, instructions, outputs, and, where enabled or stored, account-visible call content such as response content, reasoning traces, tool-call metadata, and debugging records submitted by or returned to you through the Service.
Billing and transaction information. Package, plan, credit balance, redeem code, purchase amount, tax information, billing status, Stripe customer identifiers, invoices, chargebacks, refunds, and payout or commission information where applicable. Payments are processed by Stripe or another payment processor; we do not store full card numbers or payment credentials.
Service Data and usage metadata. Timestamps, token counts, route or model identifiers, module selection, cost, latency, status, errors, logs, security events, abuse signals, and other operational metadata used to operate, bill, secure, troubleshoot, and improve the Service.
Device and network information. IP address, user agent, approximate location derived from IP, session identifiers, cookies or similar technologies, and request metadata.
Compliance information. Information needed to verify eligibility, prevent fraud, enforce sanctions/export controls, process taxes, manage enterprise procurement, or comply with law.
California Notice at Collection
This table summarizes the categories of personal information we collect, where they come from, how we use them, whether they are sold or shared for cross-context behavioral advertising, and the general retention period.
| Category | Source | Purpose | Disclosed to | Sold/shared? | General retention |
|---|---|---|---|---|---|
| Account identifiers and contact information | You, your organization, authentication systems | Account creation, authentication, support, notices, compliance | Hosting, security, support, communications providers | No | Account life plus legal/compliance period |
| Customer Data, including prompts, messages, files, API payloads, context, outputs, and call-content logs where enabled | You and your authorized users | Provide, route, secure, support, troubleshoot, review, and improve the safety, reliability, quality, and functionality of the Service | Infrastructure/model providers and subprocessors needed to deliver, secure, support, and comply with the Service | No | No longer than thirty (30) days unless a shorter route, account setting, order form, or retention exception applies |
| Billing and transaction information | You, Stripe or payment processors, marketplace/partner flows | Payments, invoices, taxes, refunds, chargebacks, credits, commissions, accounting | Payment processors, tax/accounting providers, fraud/security providers | No | As required for tax, accounting, payment, legal, and dispute records |
| Service Data and usage metadata | Generated by use of the Service | Metering, billing, routing, reliability, security, abuse prevention, support, product health | Hosting, security, analytics, monitoring, support providers | No | As needed for operations, security, finance, compliance, and de-identified analytics |
| Device, network, and approximate location information | Browser, device, network requests | Security, fraud prevention, session management, abuse detection, compliance | Hosting, security, monitoring providers | No | As needed for security, fraud prevention, and legal/compliance records |
| Compliance and eligibility information | You, your organization, public/compliance sources, payment processors | Sanctions/export, procurement, tax, fraud, business eligibility, enterprise review | Compliance, payment, tax/accounting, legal providers | No | As required for legal, compliance, audit, and business records |
We do not sell personal information and do not share personal information for cross-context behavioral advertising. If we later collect sensitive personal information for a supported enterprise use case, the applicable order form, DPA, or notice will describe that processing before collection.
2. How We Use Information
We use information to:
- provide, operate, route, secure, support, and troubleshoot the Service;
- process API requests through Portal’s infrastructure and return outputs to you;
- meter usage, manage credits, process payments, redeem codes, calculate commissions, and maintain billing records;
- authenticate accounts, issue and protect API keys, and prevent unauthorized access;
- detect, prevent, investigate, and respond to fraud, abuse, security incidents, sanctions/export issues, and policy violations;
- communicate about the Service, transactions, support, security, policy changes, and account administration;
- comply with legal, tax, accounting, regulatory, and law-enforcement obligations;
- analyze aggregated or de-identified Service Data to understand reliability, cost, performance, routing, abuse trends, and product health; and
- improve the Service, provided that we do not use Customer Data to train, fine-tune, or improve AI models.
3. Authorized Access and Reviews
The Service is technically operated by Portal. That means Portal systems, authorized Portal personnel, and approved providers may access, process, or review Customer Data when reasonably necessary to deliver responses, operate routing and tools, provide support, debug issues, investigate abuse, fraud, security, or policy signals, comply with law, resolve billing or usage disputes, maintain platform reliability, and improve the safety, quality, and functionality of the Service.
We use administrative, technical, and organizational controls designed to limit Customer Data access to authorized purposes and appropriate personnel. Technical or administrative review of Customer Data is not model training, and we do not use Customer Data to train, fine-tune, or improve AI models.
4. Our Infrastructure
The Service runs on Portal’s own proprietary infrastructure, which provides access to AI capabilities through Portal routing, controls, modules, and API surfaces. To generate a response, your prompt and relevant context are processed through our platform and, where needed, by infrastructure providers or model providers that help deliver the Service.
We do not publicly disclose the specific composition of our infrastructure or the identities of underlying providers because they are confidential. We require providers and subprocessors involved in processing Customer Data to process it only for service delivery under no-training, confidentiality, security, and limited-retention obligations.
5. Account Isolation
Each customer’s account, API keys, usage, and Customer Data are logically isolated from other customers. We use tenant separation and access controls designed so that one customer cannot access another customer’s Customer Data, keys, usage, or account environment.
6. No Training. No Sale. No Unauthorized Sharing.
We do not use Customer Data to train, fine-tune, or improve AI models, and we do not permit providers or subprocessors involved in delivering the Service to do so. We do not sell Customer Data or personal information.
Portal will not route Customer Data to any provider for which Portal has not confirmed contractual or published policy terms prohibiting model training, fine-tuning, or model improvement on Customer Data for that route.
We disclose Customer Data only to subprocessors and providers strictly necessary to deliver, secure, support, or comply with the Service; to comply with law; to enforce our terms; to protect rights, safety, and security; or with your instruction or consent. We do not disclose Customer Data for cross-context behavioral advertising.
7. Subprocessors and Providers
We use a limited set of subprocessors and providers for functions such as payment processing, hosting, security, monitoring, customer support, communications, and the underlying model and infrastructure layer. Public materials may list subprocessors by role and category to protect the confidentiality of Portal’s infrastructure. Enterprise customers may request additional subprocessor information under NDA or a written data processing arrangement where required by applicable law.
8. Retention
Retention depends on the data category and route:
- Customer Data and call-content logs. We retain Customer Data, including prompts, messages, outputs, files, reasoning traces, tool-call metadata, and account-visible call logs where enabled, only as long as necessary to provide the Service, and no longer than thirty (30) days from submission unless a shorter retention route applies, you configure a different retention setting, a written agreement states otherwise, or retention is required or permitted by law, security, fraud prevention, dispute resolution, customer support, debugging, or abuse investigation.
These retention windows describe transient processing of API inputs and outputs on the Platform. Where a Platform feature is expressly designed to store data on your behalf, such as customer-visible logs, history, or a stateful module you enable, that data is retained for the life of the feature or your account per its settings, as described where the feature is offered. Persistent agent memory is a Portal One+ consumer feature governed by the Portal One+ Privacy Policy.
Zero-retention and transient routes. Where available, certain processing routes are zero-retention or transient at the provider layer.
Service Data and billing records. We may retain Service Data, invoices, transaction records, fraud/abuse logs, security logs, tax records, and accounting records for longer periods where needed to operate the Service, comply with law, resolve disputes, detect abuse, or maintain financial records.
Aggregated or de-identified data. We may retain aggregated or de-identified information that does not identify you or include Customer Data content.
Upon account closure or written request, we delete or return Customer Data within thirty (30) days unless retention is required or permitted as described above.
9. Your Rights
Depending on where you are located, you may have rights to access, export, correct, delete, restrict, or object to processing of personal data, and to withdraw consent where processing is based on consent. We respond to privacy requests as required by applicable law. Where a right does not legally apply, we may still respond on a voluntary or commercially reasonable basis. Regional rights may include rights under the California Consumer Privacy Act as amended by the CPRA, the EU GDPR, the UK GDPR, and other applicable laws.
California residents may have the right to know, access, correct, delete, opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising privacy rights. We do not sell personal information or share it for cross-context behavioral advertising.
To exercise rights, contact privacy@portal.ai. We respond to verifiable privacy requests within 45 days where required, and may extend by an additional 45 days where permitted with notice.
We maintain and use de-identified data without attempting to re-identify it, except as permitted by law to test de-identification safeguards. Authorized agents may submit requests on your behalf at privacy@portal.ai; we may verify your identity and the agent’s authorization directly with you. We will not discriminate against you for exercising your privacy rights.
10. International Transfers
Customer Data is processed in the United States unless otherwise agreed. Where personal data originating in the EEA, UK, Switzerland, or other regulated regions is transferred to Portal in the United States, we rely on appropriate transfer mechanisms, such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, as described in our Data Processing Agreement.
11. Security
We use reasonable administrative, technical, and organizational measures designed to protect information, including HTTPS/TLS in transit, encrypted disks or equivalent protections at rest, role-based or purpose-based access controls where technically feasible, credential separation, monitoring, logging, and incident response processes. No system can be guaranteed perfectly secure.
12. Cookies and Similar Technologies
We may use cookies, local storage, and similar technologies for authentication, security, preferences, analytics, fraud prevention, and service operation. If we later use advertising cookies or sell/share personal information as defined by applicable privacy law, we will update this policy and provide required opt-out mechanisms before doing so.
13. Children’s Privacy
The Service is not intended for children under 18. We do not knowingly collect personal information from children through the Service.
14. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will provide notice before they take effect where required by law or where the changes materially reduce your rights. The “Last updated” date above reflects the current version.
We will not use a policy update to retroactively authorize training of Customer Data or materially more permissive Customer Data use without appropriate notice and consent.
15. Contact
Privacy and data requests: privacy@portal.ai
General support: support@portal.ai