Portaul
Portaul
Policy

Privacy Policy

Last updated: Feb 21, 2025

1. Introduction

Portaul ("we", "us", "our") is committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

Portaul is a product of Portaul Ltd, registered in England and Wales under company number 15613813, with its registered office at 29 Cheniston Gardens, W8 6TG.

For the purpose of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, the data controller is Portaul Ltd.

At Portaul, we value your trust and are committed to protecting your privacy. This policy explains what information we collect, why we collect it, and how we use it.

2. Data Protection Officer

We have appointed a Privacy Manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the Privacy Manager using the details set out below:

Portaul Ltd
Email address: [email protected]

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. (www.ico.org.uk)

3. What Information We Collect


Personal data, or personal information, means any information about an individual from which that person can be identified, whether directly or indirectly. It does not include data where the identity has been removed (anonymous data).


If User Data does not contain PII (Personal Identifiable Information), and it cannot be used to identify a living person, directly or indirectly, it may be considered as Aggregated Data, which is not subject to UK GDPR. Such generic unidentifiable data may be used for scientific statistical analysis for the sole purpose of improving public health and diagnostics.


We collect different types of data to help improve your experience and support our platform's security. Below is a breakdown of the types of information we may collect:

Identity & Contact Information

To create your account and verify your identity, we may collect:

  • Name (or preferred username)
  • Date of birth (to ensure age-appropriate access)
  • Gender identity
  • Email address

Health Information (With Your Consent)

Because Portaul is designed to support your sexual health and STI status sharing, we may collect:

  • Sexual health information (e.g., STI status and test results)
  • Sexual behaviour data (only if you choose to provide it)

Your health data is always treated with the highest level of security and confidentiality.

Profile & Preferences

To tailor your experience, we may collect:

  • Your profile details (username, preferences, interests)
  • Feedback and responses to surveys

Communication & Feedback

To provide customer support and improve our services, we may collect:

  • Emails and messages you send to us
  • Customer service chat transcripts
  • User surveys and feedback

Chat & Messaging Data

Your conversations with other users are private. However, we may collect:

  • Message metadata (e.g., timestamps, frequency of messages)
  • Reports of inappropriate behaviour (to ensure platform safety)

Encryption: Your direct messages are encrypted, meaning no one (including us) can access them.

  • Encryption at the Source: When you send a message, it's encrypted on your device before it leaves. This encryption uses a unique key that only you and the recipient possess.
  • Encrypted in Transit and Storage: The encrypted message travels through our servers and is stored in our database in its encrypted form. This means even if someone were to access our servers, they would only see scrambled data.
  • Decryption at the Recipient: Only the recipient's device, using their unique key, can decrypt and read the message.

Why We Store Encrypted Data

  • To allow you to access your message history across all your devices.
  • To provide a backup of your conversations in case you lose your device.
  • This storage is always done in an encrypted state.

Our Commitment to Your Privacy

  • We have no access to your encryption keys. Therefore, we cannot read your messages.
  • We employ robust security measures to protect our servers and your encrypted data.
  • We have regular security audits performed by independent firms.
  • If legal obligations require us to provide information, we will always strive to provide the least amount of information possible, and will always inform the user of the request, unless legally prohibited.
  • You have full control over your data and can delete your messages or account at any time.
  • We believe in transparency and want you to feel confident that your conversations are secure.

Device & Technical Information

To keep Portaul running smoothly, we collect technical data such as:

  • Your device ID
  • IP address
  • Login data for security purposes

4. How We Collect Your Personal Data


We use different methods to collect data from and about you including through:


  1. Direct interactions: You may give us your Identity, Contact and Health Data by filling in forms or by corresponding with us.
  2. SDKs: We use third-party SDKs to collect certain data to ensure functionality of our platform.
  3. Cookies: We use analytics cookies on our website to enhance your browsing experience.

5. How We Safeguard and Utilise Your Information


We are committed to protecting your privacy and only process your personal data when absolutely necessary for the functioning of our app and services. We do not sell your data or use it for any purposes beyond what's essential for providing our core services. Here's how we process your information:


  1. To Provide Essential App Services: We use your data solely to deliver the core features of our app such as but not limited to:
    • - Registering you as a new user
    • - Facilitating anonymous automated retest updates
    • - Enabling secure sharing of STI test results (only with users you choose)
    • - Generating personalised STI testing recommendations
    • - Managing your account and preferences
  2. Trust Circle Feature: If you opt to join a Trust Circle, your STI status and testing reminders are only shared within that specific circle, and only with your explicit consent. You have full control over your participation and can leave at any time.
  3. App Improvement: We use anonymized, aggregated data to analyse and enhance the app's functionality and user experience. This never involves individual user identification.
  4. Legal Compliance: In some cases, we may need to process your data to comply with legal obligations.

We want to assure you that your personal and health data are treated with the utmost confidentiality and are only used for the specific purposes you've consented to within our app. We do not use your data for marketing, advertising, or any purposes beyond providing and improving our core sexual health services.


Purpose/ActivityType of DataLawful Basis for Processing
To create your user account for the Portaul platform and provide you with its sexual health services (a) Identity, (b) Contact (c) Health (a) Contractual necessity
(b) Explicit Consent (For special category/sensitive personal data, we rely on your explicit consent).
To send you: technical notices and updates; security alerts; support and administrative messages; and customer satisfaction surveys (a) Identity, (b) Contact, (c) Profile (d) Communications Legitimate interest (to ensure users are up-to-date with and service and manage user relationships)
To verify your identity and prevent fraud and to ensure the safety and security of Users Contact (b) If requested or permitted, photo provided as part of profile verification and photo of Government ID Legitimate interests (our legitimate interests to ensure that accounts are not set up fraudulently and to safeguard Users of the site)
To enable users to create Portaul profile and log into the App via third party accounts Identity and contact data from providers of any other accounts you use to log in or connect with your Portaul account (e.g., if you sign in with your Apple ID or Google account) Legitimate interests – it is in our legitimate interests to facilitate access to our services
To send you promotional communications, including information about our services, events, and special offers. (a) Identity (b) Contact, (c) Profile (d) Communications, (f) Technical (a) Explicit Consent
(b) Legitimate interest (We have a legitimate interest in promoting our business and products)
To enable you to share of test results with other users(a) Identity, (b) Health Data (a) User consent
(b) Legitimate interest (to enhance health transparency and improve service functionality)
To secure and maintain the Portaul app and website(a) Technical (a) Legitimate interest (to manage business operations and IT security, prevent fraud, and manage reorganisations)
(b) Compliance with legal obligations
To allow participation in automated anonymous partner notifications based on your test results and interactions within the app (a) Identity, (b) Health Data, (c) Usage (a) User consent
(b) Legitimate interest (to promote public health, enhance reliability, and improve safety)
To contact you in order to run surveys for research purposes and to obtain feedback, and to find out if you want to take part in marketing campaigns contactLegitimate interest (to further develop the app and improve our services)
To improve your experience on the app and enhance app functionality(a) Technical, (b) UsageLegitimate interest (to improve user experience)
To investigate and block Users for reported infringements of our Terms of Service and Community Guidelines. (a) Identity and Profile (Name and user registration details, profile information), (b) Communication (content of messages and photographs) (c) Usage (d) Technical (IP address and IP session information) Legitimate interest (to prevent unauthorized behaviour and to maintain the safety and integrity of our services)
To respond to correspondence and queries that you submit to us, including social media queries (a) Identity (b) Technical (where necessary) (c) Communication - Information provided in query Legitimate interest (to provide efficient customer support, maintain service quality, and manage user relationships)
To defend legal claims, protect legal rights and to protect people from harm This could include any information that is relevant to the issue Legitimate interests – it is in our legitimate interests to protect our legal rights, defend legal claims and to protect our Users and third parties from harm

When You Contact Customer Support


If you contact our Customer Support team through our app, website, feedback page, or any other support channel, we will process your email address, IP address, and any information you provide to assist in resolving your query. We will retain records of our communications with you, including any complaints you submit about other Users (and any complaints received about you), for two years after your account is deleted. However, if we are required to retain this information for legal or regulatory purposes, we may extend the retention period accordingly.

App Improvement and Analysis:


We use anonymised and aggregated data to enhance our app's performance and user experience. This includes


  1. Technical Data: Anonymised information about app functionality and performance.
  2. Usage Patterns: Aggregated, non-identifiable data on how the app is used.

This anonymised data helps us identify general user preferences and refine our business strategy without compromising individual user identities or personal information. We ensure that all data is anonymised to the extent that it cannot be linked back to individuals, thereby respecting user privacy.

6. Data Processing


We process your data using both automated and manual methods:


Automated Processing:
Automated retest notifications are sent based on STI exposure calculations using algorithms that analyse your reported STI status, test dates, and interactions date. These are triggered based on predefined rules and user-reported data.


Manual Processing:

  1. Customer support inquiries may involve manual review of your account data.
  2. Data analysis for app improvement involves aggregated, anonymized data reviewed by our security team.

7. Data Sharing Practices


We are committed to safeguarding your personal data and will not share it with third parties except as explicitly outlined in this Privacy Policy.

No Joint Usage: We do not share your personal data with third parties for joint purposes. This means that we do not engage in arrangements where your data is used collaboratively with another organisation.

Limited Third-Party Access: We do not transfer your personal data to third parties for their independent use. Any access to your data is strictly controlled and limited to what is necessary for the services we provide.

Specific Third-Party Services


Our use of third-party services is essential for delivering our offerings while ensuring compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The following outlines how we engage with these services:


TypeProcessorProcessors Privacy PolicyData CollectedPurpose
Infrastructure and securityAmazon Web Services, Inc.AWS Privacy NoticeAll personal dataStorage of all personal data when you use the App
Email CommunicationsMailGunMailgun Privacy PolicyEmail AddressTo reach you with our notifications
Email CommunicationsMailchimpMailchimp Data Processing AddendumEmail AddressTo reach you with our newsletters
LocationGoogle MapsGoogle Maps Privacy PolicyCoordinates (longitude and latitude)To assist users in locating their nearest testing centres
Push NotificationsFirebasePrivacy and Security in FirebaseDevice IDTo send push notifications (including but not limited to reminders, retest notification, status changes)

We may share your data with the parties listed below for the purposes outlined in this privacy policy:


  • Investigating Insurance Claims: To assess and manage any claims made.
  • Protecting Company Assets: To ensure the security and integrity of our business operations.
  • Legal Compliance: This includes:
    • - Fulfilling financial commitments with you or relevant financial authorities.
    • - Adhering to industry regulatory requirements and self-regulatory schemes.
    • - Conducting necessary business operations, such as administration and due diligence.
    • - Cooperating with authorities to report criminal activity or prevent fraud.
  • Protecting Vital Interests: We process personal data when necessary to protect your vital interests or those of another individual. This includes ensuring that data subjects can be identified and contacted if there are changes in medical knowledge.

Our commitment to safeguarding your personal data aligns with our responsibility to maintain compliance with applicable laws while ensuring the integrity of our services.


8. International Transfers

We do not transfer your personal data outside the UK. If this changes in the future we will update this privacy policy and notify you.

9. Data Security


We use industry-standard security measures to protect your personal data, including:


  • Asymmetric Encryption & Data Security: We use AES-256 encryption for data at rest and secure TLS protocols for all data in transit.
  • Access Control & Defence in Depth: Access to personal data is protected with strict controls and a multi-layered defence-in-depth strategy.
  • Security Audits: We conduct regular security assessments, including penetration testing and independent code audits, to identify and remediate potential vulnerabilities.
  • Breach Response: In the event of a data breach, we will notify the Information Commissioner’s Office (ICO) within 72 hours when required, and promptly inform affected users with transparent details of the incident.

10. Data Retention


In general, Portaul will only store your user data for as long as it is needed to fulfil the purposes for which it was collected, subject to applicable data retention periods imposed upon Portaul by applicable law. Users are free to delete their accounts. If you choose to deactivate your account, it will not be recoverable should you later create another account.

Impact of App Inactivity


If your account becomes inactive, we will retain your personal data for a period of ten years in case you decide to reactivate the services or reinstall the App. After ten years of inactivity, we will delete your personal information. While this is the Portaul data retention standard, you can still ask for your data to be deleted at an earlier date by contacting us. The App covers different periods of users' lifecycle; therefore, retention of your data is needed in some cases to secure your smooth experience.

Portaul will not use your Personally Identifiable Information for anything other than that which you have consented to or otherwise stated above. We may use what is known as aggregated data, which has been de-identified for statistical analysis purposes which is not subject to UK GDPR.

How do we delete your data?


We use industry-standard methods and procedures to ensure that we securely and permanently delete your personal data from our systems so that it is no longer capable of recovery. These procedures can include automated notifications to some of our processors who process your personal data on our behalf.

11. Your Rights and How to Exercise Them

Under the GDPR, you have several rights concerning your personal data. As a Portaul user, you can exercise these rights at any time:

  • Right to Access: You have the right to request a copy of the personal data we hold about you.
  • Right to Rectification: You can ask us to correct any inaccurate or incomplete personal data.
  • Right to Erasure: You can request the deletion of your personal data under certain circumstances.
  • Right to Restrict Processing: You can ask us to restrict the processing of your personal data in specific situations. Portaul respects users' right to restrict the processing of their personal data. We provide several options for users to limit how their data is used:
    • - Health Data Processing: Users can revoke consent for processing their health data directly within the app. This includes STI test results and other sensitive health information.
    • - Automated Partner Notifications: Users have the option to opt out of automated partner notifications through the app settings.
    • - Marketing Communications: Users can opt out of optional marketing communications at any time through the app settings.
    • - Account Deletion: If users choose to revoke consent for health data processing or opt out of core features like automated partner notifications, the app will immediately guide them to the account deletion section. This ensures users can easily and quickly delete their account if they no longer wish to use the app's core features.
    • - In-App Account Management: All these options, including account deletion, are easily accessible within the app's settings, providing users with full control over their data and account status.
  • Right to Data Portability: You can request a copy of your data in a machine-readable format (JSON) or in a TXT format.
  • Right to Object: You can object to our processing of your personal data for direct marketing purposes or based on our legitimate interests.
  • Right to Withdraw Consent: Where we process data based on your consent, you can withdraw this consent at any time.
  • Rights Related to Automated Decision Making: You have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

11.1 In-App Data Control: How to Access or Delete Your Data

Portaul provides you with direct control over your personal data through the app's settings:

  • Data Access: You can request a copy of your personal data directly through the settings section of the app.
    Navigate to the menu on top left of your homepage → settings → download your data
    Upon request, a copy of your data stored in the app can be provided in a commonly used digital format (JSON and TXT file).
  • Data Deletion: The app settings also include an option to request the deletion of your data. When you initiate this process, we will permanently remove all your personal information from our systems.
    Navigate to the menu on top left of your homepage → settings → delete my account.

Alternative Request Method: You can also email [email protected] to request access or delete your data. Please ensure you use your registered email address when making this request.

11.2 How to Exercise Your Rights

To exercise any of these rights:

  • Use the in-app settings for immediate actions like data access and deletion
  • For more complex requests, contact our Privacy Manager using the contact details provided in Section 2 of this policy.

11.3 Verification Process

To protect your privacy and ensure the security of your data, we will verify your identity before processing any rights requests:

  • For in-app requests, we use your login credentials for verification.
  • For email requests, we'll send a verification code to your registered email address.
  • For sensitive requests, we may require additional proof of identity.

11.4 Response Timelines

  • We will acknowledge your request within 3 business days.
  • We aim to fully respond to all requests within 30 days.
  • If we need more time due to the complexity of the request, we will inform you within the initial 30-day period and may extend the response time by up to two additional months.

11.5 Limitations

While we will always strive to honour your rights requests, please note that in some cases, we may need to retain certain information for legal or operational purposes. We will inform you of any such limitations when responding to your request. Remember that exercising your right to data deletion will result in the termination of your account, and you will no longer be able to use the Portaul services.

12. Cookies and Similar Technologies

We use the following types of cookies and similar technologies for our website:

  • Essential cookies: These are necessary for the website to function and cannot be switched off.
  • Functional cookies: These enable enhanced functionality and personalization.
  • Analytical cookies: These help us improve our website by collecting and reporting information on how you use it.

You can manage your cookie preferences through our cookie consent tool, accessible on our website. Please note that disabling certain cookies may impact the functionality of our website. Cookies are not used on our App.

13. Automated Decision-Making

We use automated decision-making in the following instances:

  • Automated Partner Notifications: Our system automatically detects potential exposure based on your status shares and their STI status. This will lead to an anonymous notification to be sent to users who are exposed during an infective window.
  • Personalised Testing Recommendations: We generate testing schedules based on your reported sexual behaviour and risk factors.
    Important: You have the ability to adjust these personalised testing schedules directly within the app. This feature allows you to tailor the recommendations to your specific needs and preferences.

Logic Involved: Analysing dates of reported positive STI results against dates of potential sexual interactions.
Potential Consequences: Receiving partner notifications or personalised testing recommendations.

14. Data Minimization and Purpose Limitation

We are committed to collecting only the data necessary for the specified purposes outlined in this policy. We will not use your personal data for purposes incompatible with those originally specified without obtaining your consent.

15. Special Category Data Processing

We process special category data (health data related to sexual health) based on your explicit consent (Article 9(2)(a) of the GDPR). We implement the following safeguards to protect this sensitive data:

  • Enhanced encryption methods for storage and transmission
  • Strict access controls and authentication measures for our staff
  • Regular security audits and vulnerability assessments
  • Anonymization techniques for data used in partner notifications

16. Data Breach Notification Procedures

In the event of a personal data breach, we will:

  • Detect and investigate the breach using our security monitoring systems
  • Assess the nature and severity of the breach
  • Notify the ICO within 72 hours of becoming aware of the breach, if required
  • Inform affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms

We will provide direct notifications to affected users via email or in-app messages, including information about the nature of the breach and recommendations to mitigate potential adverse effects.

17. Regular Policy Reviews

We regularly review and update our Privacy Policy. If Portaul changes its privacy practices, an updated version of this Privacy Policy will reflect those changes and we will notify you of such changes by updating the effective date at the top of this Privacy Policy. Without prejudice to your rights under applicable law, Portaul reserves the right to amend this Privacy Policy from time to time to reflect technological advancements, legal and regulatory changes, and good business practices. Portaul may email you with notification of any material changes.

18. Children's Privacy

Our service is intended for use by individuals who are 18 years of age or older. We do not knowingly collect or process personal data from anyone under the age of 18. If we become aware that we have collected personal data from an individual under 18, we will take steps to delete that information as quickly as possible.

To verify user age and prevent underage individuals from using our app:

  • We require users to enter their date of birth during the registration process
  • We may use age verification APIs to cross-check the provided information

If we accidentally collect data from underage users, we will:

  • Immediately suspend the account
  • Delete all personal data associated with the account within 72 hours
  • Notify the parent or guardian if contact information is available

19. Changes to This Privacy Policy

We keep our privacy policy under regular review. This version was last updated on February 20, 2024. Historic versions can be obtained by contacting us.

20. Contact Us

If you have any questions about this privacy policy or our privacy practices, please contact our Privacy Manager in the following ways:

Portaul Ltd
Email address: [email protected]

By providing this comprehensive privacy policy, Portaul demonstrates its commitment to protecting user privacy and complying with GDPR and other relevant data protection regulations. We strive to maintain the highest standards of data security and transparency in our data processing activities.

If you have questions or comments, feel free to email us at [email protected]

PortaulCyber essentials certified plus

© 2026 Portaul Inc. All rights reserved.

PRODUCT

COMPANY

COMMUNITY

SUPPORT

Get Portaul
Scan to download