Last updated: May 1, 2026
This Privacy Policy explains how Portfolio Mentor (referred to as “we”, “us” or “our”) collects, uses, stores, transfers, and protects information when you visit, register on, or use Portfolio Mentor (the “Service”). We are committed to protecting your privacy and to complying with the EU General Data Protection Regulation (GDPR), the United Kingdom Data Protection Act 2018, the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act (CPRA), and other applicable data protection laws.
If you have any question about how your personal data is handled, contact our Data Protection Officer at [email protected]. We aim to answer privacy-related correspondence within five business days and always within the thirty-day window required by GDPR Article 12.
1. Information We Collect
We only collect information that we genuinely need to deliver, secure, and improve the Service. The categories below describe everything we collect.
1.1 Account Information
- Identifiers: full name, professional title (optional), and a verified email address.
- Authentication credentials: a salted, one-way hash of your password (we never store the plain text). If you sign in with Google, Apple, or LinkedIn, we receive a stable user identifier and the email address registered with that provider, never your social password.
- Profile preferences: interface language, time zone, notification settings, and accessibility preferences you set in your account.
1.2 Portfolio Content
- The architecture portfolios, drawings, plans, renderings, photographs, and supporting documents (collectively “User Content”) that you upload for AI review.
- Metadata extracted from those uploads (file size, page count, embedded dpi, color profile) so we can route them through the correct review pipeline.
- Reviewer notes, scores, comments, and revision history generated by our AI for each upload.
1.3 Usage and Technical Data
- Pages and features you view, the order in which you view them, and the time spent on each, collected in anonymized form for product improvement.
- Device information including operating system, browser type and version, screen resolution, and approximate (city-level, never street-level) geolocation derived from the IP address.
- Diagnostic data such as crash reports, console errors, performance traces, and request identifiers used to investigate technical issues.
1.4 Billing and Transaction Data
- Subscription tier, billing cycle, currency, and renewal date.
- Last four digits of the payment card, card brand, and country of issuance. Full card numbers are processed by our payment partners (Stripe and PayPal) and never reach our servers.
- VAT or sales tax identifiers when you provide them for invoicing purposes.
1.5 Communications
- Support tickets, replies, and any attachments you choose to share to resolve an issue.
- Email engagement signals (opens and clicks) for transactional and marketing emails. We use these to respect unsubscribe requests and to detect bounce loops.
2. How We Use Your Information
We process the information described above for the following purposes.
- Service delivery: to authenticate you, store your portfolios, run the AI review, and present your results.
- Account management: to send service-critical messages such as password resets, billing receipts, security notifications, and policy changes.
- Customer support: to respond to your support tickets and to improve our help documentation.
- Fraud prevention and security: to detect abusive sign-ups, account takeovers, brute-force attempts, and other illegal activity.
- Compliance: to meet our legal obligations for tax reporting, accounting, and law-enforcement requests served on valid legal process.
- Service improvement: to analyze aggregate, anonymized usage patterns and to improve our AI models. We do not use individual portfolios to train any model unless you explicitly opt in via a separate, granular consent flow.
- Marketing: to send product news, tips, and promotional offers if (and only if) you have explicitly opted in. You can unsubscribe with one click from any marketing email.
3. Legal Bases for Processing (GDPR Article 6)
We rely on the following legal bases under GDPR Article 6:
- Performance of a contract: when processing is necessary to deliver the Service you signed up for.
- Legitimate interests: for analytics, fraud prevention, and product improvement, balanced against your fundamental rights and freedoms. We document each balancing test internally and update it whenever the relevant processing changes.
- Consent: for marketing communications, optional cookies, and any AI-training opt-in. Consent is granular, recorded with timestamp and IP, and revocable at any time without affecting prior processing.
- Legal obligation: for tax, accounting, and bona fide law-enforcement requests.
4. Portfolio File Handling
Your uploaded portfolio files receive special-category protection within our infrastructure.
- Files are encrypted in transit using TLS 1.3 with strong cipher suites (AEAD only) and at rest using AES-256-GCM with keys managed in a hardware security module.
- Only you can access your portfolios from your account dashboard. They are not visible to other users, and our staff cannot view them without an explicit, audit-logged support request from you.
- Files are automatically deleted from primary storage thirty days after the review is complete unless you choose to retain them in your dashboard. Deleted files are unrecoverable after fourteen further days, when our backup rotation purges them as well.
- We do not share, publish, sell, lease, or barter your portfolio content to any third party for any purpose.
5. Cookies, Pixels, and Tracking Technologies
We use a small number of strictly necessary cookies for authentication and session management, and we use optional analytics cookies (Google Analytics 4 with IP anonymization enabled) to understand how the Service is used in aggregate. You can manage your cookie preferences at any time from the cookie banner or from our dedicated Cookie Policy, which describes every cookie we use, its purpose, and its retention period.
6. Sharing Your Information
We share information only with the following categories of recipients, and only for the purposes listed.
- Payment processors: Stripe and PayPal, used to process subscription billing. They are independent controllers for the payment data you submit to them.
- Cloud infrastructure providers: Amazon Web Services and Cloudflare, used to host the Service. Both are bound by Data Processing Agreements that meet GDPR Article 28 requirements.
- Email service providers: Postmark for transactional email and SendGrid for marketing email. They process recipient lists strictly to deliver the messages we trigger.
- Analytics providers: Google Analytics 4 with IP anonymization, Plausible Analytics, and Microsoft Clarity for session replays. Session replays are sampled and PII fields (passwords, payment data, free-text personal information) are masked at the source.
- Customer support tooling: Helpscout for ticket management. Helpscout receives only what is necessary to answer your ticket.
- Law enforcement: only in response to a valid subpoena, search warrant, or equivalent legal process. We publish an annual transparency report with aggregate counts of such requests.
We do not sell your personal information, and we do not share it with data brokers under any circumstance.
7. Your Rights
Subject to local law, you have the following rights regarding your personal data.
- Access: request a copy of all personal data we hold about you, in a structured machine-readable format.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure (“right to be forgotten”): request deletion of your account and all associated data.
- Restriction: limit how we process your data while a complaint is investigated.
- Portability: export your data in JSON or CSV format and transfer it to another service.
- Objection: object to processing for direct marketing or for purposes based on legitimate interest.
- Withdraw consent: at any time, where processing is based on consent. Withdrawal does not affect prior processing.
- Lodge a complaint: with your national data protection authority. EU residents can find their authority at edpb.europa.eu.
To exercise any right, email [email protected]. We respond within thirty days as required by GDPR Article 12 and almost always within five business days in practice.
8. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected.
- Account profile: as long as your account is active.
- Uploaded portfolios: thirty days after review unless you mark them for retention. Backups purge within fourteen further days.
- Review results: as long as your account is active so you can compare iterations.
- Billing records: seven years from the issuing date, as required by EU and US tax law.
- Support tickets: twenty-four months after closure, then anonymized for analytics.
- Marketing-engagement metrics: twenty-four months from the last interaction.
If you close your account, we delete all personal data within sixty days, except records we are legally required to retain as listed above.
9. Children
The Service is not intended for users under the age of sixteen. We do not knowingly collect personal data from children under sixteen. If you believe a child has registered, contact us immediately and we will delete the account and any associated data without delay.
10. International Transfers
Our infrastructure is hosted in the European Union (Frankfurt, Germany) and the United States (Northern Virginia). Transfers outside the EEA are protected by the European Commission Standard Contractual Clauses (June 2021 update) and supplementary technical safeguards including encryption, pseudonymization, and access logging. A copy of our SCCs is available on request.
11. Security
We follow industry best practices to protect personal data, including:
- TLS 1.3 in transit, AES-256-GCM at rest, and HSM-managed keys.
- Mandatory two-factor authentication for staff accessing production systems.
- Continuous vulnerability scanning, quarterly penetration testing by an independent firm, and a public bug-bounty program.
- Strict separation between staging and production data. Staff cannot copy production data to staging or to development laptops.
If we detect a breach affecting your data, we will notify you and the relevant supervisory authority within seventy-two hours of discovery, in line with GDPR Article 33.
12. Automated Decision-Making
The AI scoring engine is the only automated processing that materially affects you, and the result is advisory only. You can request a human review of any AI-generated score by emailing support. We will rerun the analysis with manual oversight at no charge.
13. Changes to This Policy
We will notify you by email at least thirty days before any material change to this Privacy Policy takes effect. Non-material clarifications (typo fixes, broken-link repairs) may be applied without prior notice but will be noted in the revision log at the bottom of this page. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
14. Contact
Questions about this Privacy Policy? Email our Data Protection Officer at [email protected]. For postal correspondence, write to Portfolio Mentor, Data Protection Officer.