Portal AI Platform Privacy Policy

Last updated: July 8, 2026

Portal AI Inc. (“Portal”, “we”, “us”, or “our”) operates Portal AI Platform, including platform.portal.ai, CoreX private access, Portal APIs, dashboards, keys, prepaid credits, modules, documentation, and related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, retain, and protect information in connection with the Service.

This policy applies to the developer and business platform. Portal One+ consumer assistant services may have additional or separate privacy terms.

1. Information We Collect

We collect the following categories of information:

California Notice at Collection

This table summarizes the categories of personal information we collect, where they come from, how we use them, whether they are sold or shared for cross-context behavioral advertising, and the general retention period.

CategorySourcePurposeDisclosed toSold/shared?General retention
Account identifiers and contact informationYou, your organization, authentication systemsAccount creation, authentication, support, notices, complianceHosting, security, support, communications providersNoAccount life plus legal/compliance period
Customer Data, including prompts, messages, files, API payloads, context, outputs, and call-content logs where enabledYou and your authorized usersProvide, route, secure, support, troubleshoot, review, and improve the safety, reliability, quality, and functionality of the ServiceInfrastructure/model providers and subprocessors needed to deliver, secure, support, and comply with the ServiceNoNo longer than thirty (30) days unless a shorter route, account setting, order form, or retention exception applies
Billing and transaction informationYou, Stripe or payment processors, marketplace/partner flowsPayments, invoices, taxes, refunds, chargebacks, credits, commissions, accountingPayment processors, tax/accounting providers, fraud/security providersNoAs required for tax, accounting, payment, legal, and dispute records
Service Data and usage metadataGenerated by use of the ServiceMetering, billing, routing, reliability, security, abuse prevention, support, product healthHosting, security, analytics, monitoring, support providersNoAs needed for operations, security, finance, compliance, and de-identified analytics
Device, network, and approximate location informationBrowser, device, network requestsSecurity, fraud prevention, session management, abuse detection, complianceHosting, security, monitoring providersNoAs needed for security, fraud prevention, and legal/compliance records
Compliance and eligibility informationYou, your organization, public/compliance sources, payment processorsSanctions/export, procurement, tax, fraud, business eligibility, enterprise reviewCompliance, payment, tax/accounting, legal providersNoAs required for legal, compliance, audit, and business records

We do not sell personal information and do not share personal information for cross-context behavioral advertising. If we later collect sensitive personal information for a supported enterprise use case, the applicable order form, DPA, or notice will describe that processing before collection.

2. How We Use Information

We use information to:

3. Authorized Access and Reviews

The Service is technically operated by Portal. That means Portal systems, authorized Portal personnel, and approved providers may access, process, or review Customer Data when reasonably necessary to deliver responses, operate routing and tools, provide support, debug issues, investigate abuse, fraud, security, or policy signals, comply with law, resolve billing or usage disputes, maintain platform reliability, and improve the safety, quality, and functionality of the Service.

We use administrative, technical, and organizational controls designed to limit Customer Data access to authorized purposes and appropriate personnel. Technical or administrative review of Customer Data is not model training, and we do not use Customer Data to train, fine-tune, or improve AI models.

4. Our Infrastructure

The Service runs on Portal’s own proprietary infrastructure, which provides access to AI capabilities through Portal routing, controls, modules, and API surfaces. To generate a response, your prompt and relevant context are processed through our platform and, where needed, by infrastructure providers or model providers that help deliver the Service.

We do not publicly disclose the specific composition of our infrastructure or the identities of underlying providers because they are confidential. We require providers and subprocessors involved in processing Customer Data to process it only for service delivery under no-training, confidentiality, security, and limited-retention obligations.

5. Account Isolation

Each customer’s account, API keys, usage, and Customer Data are logically isolated from other customers. We use tenant separation and access controls designed so that one customer cannot access another customer’s Customer Data, keys, usage, or account environment.

6. No Training. No Sale. No Unauthorized Sharing.

We do not use Customer Data to train, fine-tune, or improve AI models, and we do not permit providers or subprocessors involved in delivering the Service to do so. We do not sell Customer Data or personal information.

Portal will not route Customer Data to any provider for which Portal has not confirmed contractual or published policy terms prohibiting model training, fine-tuning, or model improvement on Customer Data for that route.

We disclose Customer Data only to subprocessors and providers strictly necessary to deliver, secure, support, or comply with the Service; to comply with law; to enforce our terms; to protect rights, safety, and security; or with your instruction or consent. We do not disclose Customer Data for cross-context behavioral advertising.

7. Subprocessors and Providers

We use a limited set of subprocessors and providers for functions such as payment processing, hosting, security, monitoring, customer support, communications, and the underlying model and infrastructure layer. Public materials may list subprocessors by role and category to protect the confidentiality of Portal’s infrastructure. Enterprise customers may request additional subprocessor information under NDA or a written data processing arrangement where required by applicable law.

8. Retention

Retention depends on the data category and route:

These retention windows describe transient processing of API inputs and outputs on the Platform. Where a Platform feature is expressly designed to store data on your behalf, such as customer-visible logs, history, or a stateful module you enable, that data is retained for the life of the feature or your account per its settings, as described where the feature is offered. Persistent agent memory is a Portal One+ consumer feature governed by the Portal One+ Privacy Policy.

Upon account closure or written request, we delete or return Customer Data within thirty (30) days unless retention is required or permitted as described above.

9. Your Rights

Depending on where you are located, you may have rights to access, export, correct, delete, restrict, or object to processing of personal data, and to withdraw consent where processing is based on consent. We respond to privacy requests as required by applicable law. Where a right does not legally apply, we may still respond on a voluntary or commercially reasonable basis. Regional rights may include rights under the California Consumer Privacy Act as amended by the CPRA, the EU GDPR, the UK GDPR, and other applicable laws.

California residents may have the right to know, access, correct, delete, opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising privacy rights. We do not sell personal information or share it for cross-context behavioral advertising.

To exercise rights, contact privacy@portal.ai. We respond to verifiable privacy requests within 45 days where required, and may extend by an additional 45 days where permitted with notice.

We maintain and use de-identified data without attempting to re-identify it, except as permitted by law to test de-identification safeguards. Authorized agents may submit requests on your behalf at privacy@portal.ai; we may verify your identity and the agent’s authorization directly with you. We will not discriminate against you for exercising your privacy rights.

10. International Transfers

Customer Data is processed in the United States unless otherwise agreed. Where personal data originating in the EEA, UK, Switzerland, or other regulated regions is transferred to Portal in the United States, we rely on appropriate transfer mechanisms, such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, as described in our Data Processing Agreement.

11. Security

We use reasonable administrative, technical, and organizational measures designed to protect information, including HTTPS/TLS in transit, encrypted disks or equivalent protections at rest, role-based or purpose-based access controls where technically feasible, credential separation, monitoring, logging, and incident response processes. No system can be guaranteed perfectly secure.

12. Cookies and Similar Technologies

We may use cookies, local storage, and similar technologies for authentication, security, preferences, analytics, fraud prevention, and service operation. If we later use advertising cookies or sell/share personal information as defined by applicable privacy law, we will update this policy and provide required opt-out mechanisms before doing so.

13. Children’s Privacy

The Service is not intended for children under 18. We do not knowingly collect personal information from children through the Service.

14. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will provide notice before they take effect where required by law or where the changes materially reduce your rights. The “Last updated” date above reflects the current version.

We will not use a policy update to retroactively authorize training of Customer Data or materially more permissive Customer Data use without appropriate notice and consent.

15. Contact

Privacy and data requests: privacy@portal.ai

General support: support@portal.ai