
Your Data Rights

We take your privacy seriously. Under GDPR and other data protection regulations, you have specific rights regarding your personal data.

Last updated: May 1, 2026

Portfolio Mentor is committed to protecting the rights of users in the European Economic Area (EEA), the United Kingdom, and Switzerland under the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the Swiss Federal Act on Data Protection. This page is the comprehensive reference for everything GDPR-related at Portfolio Mentor.

1. Your GDPR Rights in Full

If you are an EEA, UK, or Swiss resident, you have the following rights regarding your personal data. Each right is exercisable free of charge unless the request is manifestly unfounded or excessive (in which case we may charge a reasonable administrative fee or refuse to act).

  • Right of Access (Article 15): request confirmation that we are processing your data, a copy of that data, and information about how it is used, who it is shared with, and how long it will be retained.
  • Right to Rectification (Article 16): correct inaccurate or incomplete data.
  • Right to Erasure / “Right to be Forgotten” (Article 17): request deletion of your personal data when it is no longer needed for the purpose collected, when you withdraw consent, when the data was unlawfully processed, or when erasure is required to comply with a legal obligation.
  • Right to Restrict Processing (Article 18): limit how we use your data while we investigate a contested accuracy claim, while we evaluate a legitimate-interest objection, or while you decide whether to assert a legal claim.
  • Right to Data Portability (Article 20): receive your data in a structured, machine-readable format (we provide JSON and CSV) and transmit it to another controller without hindrance from us.
  • Right to Object (Article 21): object to processing for direct-marketing purposes (always honored absolutely) or to processing based on legitimate interest (honored unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms).
  • Right to Withdraw Consent (Article 7): at any time, where processing is based on consent. Withdrawal does not affect prior processing.
  • Right Not to be Subject to Solely Automated Decision-Making (Article 22): including profiling that produces legal or similarly significant effects. Our AI scores are advisory and do not produce such effects, but you may still request human review of any score.
  • Right to Lodge a Complaint (Article 77): with your national data-protection authority.

2. Legal Bases for Processing

We process personal data under the following GDPR Article 6 bases:

  • Performance of a contract (Article 6(1)(b)): to deliver the Service you signed up for, including authentication, file storage, AI review, and billing.
  • Legitimate interest (Article 6(1)(f)): for analytics in aggregate form, fraud prevention, security monitoring, and product improvement, balanced against your rights and freedoms via documented balancing tests.
  • Consent (Article 6(1)(a)): for marketing communications, non-essential cookies, and any opt-in to use your portfolio for AI training.
  • Legal obligation (Article 6(1)(c)): to comply with tax, accounting, anti-money-laundering, and law-enforcement requirements.

3. Categories of Personal Data We Process

  • Identity and contact data (name, email, country).
  • Authentication data (password hash, MFA seed, session tokens).
  • Profile and preference data (language, time zone, notifications).
  • Portfolio content uploaded for review (your User Content).
  • Usage and technical data (page views, clicks, browser, device, IP).
  • Billing data (subscription, currency, last-four card digits).
  • Communications (support tickets, replies, attachments).

We do not knowingly process special-category data (health, biometric, race, religion) unless you choose to embed it in a portfolio or share it in a support ticket, in which case we treat it with the additional safeguards required by Article 9.

4. International Data Transfers

Some of our infrastructure providers are located outside the EEA. When we transfer personal data outside the EEA, we rely on the following safeguards:

  • Adequacy decisions where the European Commission has determined that the destination country offers an adequate level of protection (currently includes the UK, Switzerland, and several others).
  • Standard Contractual Clauses (June 2021 update) approved by the European Commission, with each module appropriate to the controller-processor relationship.
  • Supplementary technical safeguards: encryption in transit, encryption at rest, pseudonymization, and access logging.

A copy of our SCCs is available on request.

5. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, or longer where required by law. The full retention schedule is published in our Privacy Policy.

6. Data Protection Officer

Our Data Protection Officer is responsible for overseeing our compliance with the GDPR. You can contact the DPO at [email protected] for any GDPR-related request. We respond within thirty days as required by Article 12 and almost always within five business days in practice.

7. How to Exercise a Right

To exercise any of your rights, email [email protected] from the address on your account, or use the in-app “Privacy Center” panel under your account settings. We may need to verify your identity before processing the request, particularly for access, deletion, and portability requests, to make sure we do not deliver your data to someone else who has acquired your email address. Verification typically involves answering a confirmation challenge sent to your registered email.

8. Subject Access Request Format

When you request access to your data, we deliver:

  • A JSON archive containing your profile, preferences, billing history, and review metadata.
  • A CSV summary of all account events with timestamps.
  • The original portfolio files you uploaded, in their original format.
  • A human-readable PDF report describing the categories of data, the purposes, the recipients, and the retention period.

The archive is delivered via a one-time download link valid for seven days.

9. Breach Notification

If we detect a personal-data breach affecting your data, we will notify you and the relevant supervisory authority within seventy-two hours of discovery, in line with GDPR Articles 33 and 34. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures we have taken or propose to take to address the breach and to mitigate its effects.

10. Supervisory Authority

If you believe we have violated your GDPR rights, you have the right to lodge a complaint with your national data-protection authority. A current list of EEA authorities is available at edpb.europa.eu. UK residents can complain to the ICO at ico.org.uk. We always prefer to resolve complaints directly first, so please give us a chance to do so.

11. Changes to this GDPR Statement

We will update this statement when our processing changes, when the law changes, or when supervisory-authority guidance changes. Material changes are announced by email at least thirty days in advance. The revision log at the bottom of this page tracks every change.

12. Contact

Data Protection Officer, Portfolio Mentor. Email [email protected].

Your Privacy Matters

If you have any questions about our data practices or your rights, our Data Protection Officer is here to help.
