
Privacy Policy

Effective date: 11 April 2026 · Governing law: Republic of South Africa (POPIA)

1. Who we are

CoPortal (“we”, “us”, “our”) operates the software-as-a-service platform at coportal.io. We are the responsible party for personal information processed through this platform, as defined in the Protection of Personal Information Act 4 of 2013 (“POPIA”).

Our Information Officer is contactable at hello@coportal.io.

2. What personal information we collect

We collect and process the following categories of personal information:

  • Account holders (subscribers): Full name, email address, password (hashed — never stored in plain text), business name, business address, VAT number, bank details (for display on invoices only).
  • Team members: Full name, email address, role within the workspace.
  • Your clients (data subjects you add): Name, company name, email address, phone number, and any notes you enter. By adding a client’s personal information, you confirm you have a lawful basis to do so.
  • Payment information: We do not store card numbers or banking credentials. Payments are processed by Paystack, which applies its own security standards (PCI-DSS).
  • Usage data: We collect minimal technical data (error logs, timestamps) necessary to operate the service. We do not use third-party analytics trackers or advertising cookies.
  • Uploaded files: Documents, images, and other files you upload in connection with projects are stored on our infrastructure.
  • AI-processed content: When you use AI-assisted features (such as generating quotes, invoices, or meeting summaries), the content you submit for processing is sent to OpenAI and/or Google Gemini. We do not send client personal information to AI providers beyond what you explicitly include in an AI prompt or document generation request.

3. Why we collect it (purpose)

We process personal information only for the following purposes:

  • To provide, operate, and improve the CoPortal service
  • To send transactional emails (invoices, proposals, payment confirmations, password resets, team invitations)
  • To send payment reminder emails on behalf of subscribers to their clients
  • To integrate with third-party accounting software (Xero, QuickBooks) at the subscriber’s explicit request
  • To generate AI-assisted content (quote descriptions, invoice line items, meeting summaries, and similar) using OpenAI and Google Gemini APIs — only content you explicitly submit for AI processing is sent to these providers
  • To process payments through Paystack
  • To comply with legal obligations

We do not sell, rent, or trade personal information to third parties. We do not use personal information for advertising or marketing profiling.

4. Third parties who process your data

To deliver the service, we share data with the following sub-processors. Each is subject to its own privacy policy and data processing obligations:

| Provider | Purpose | Data location |
|---|---|---|
| Supabase | Database, file storage, authentication | AWS (South Africa / US) |
| Vercel | Application hosting | US / EU (edge) |
| Resend | Transactional email delivery | US |
| Paystack | Payment processing | South Africa / Nigeria |
| Xero (optional) | Accounting sync (subscriber-initiated) | New Zealand / AU |
| QuickBooks (optional) | Accounting sync (subscriber-initiated) | US |
| OpenAI | AI-assisted content generation (quotes, invoices, summaries) | US |
| Google (Gemini) | AI-assisted content generation (quotes, invoices, summaries) | US / EU |

Where personal data is transferred outside South Africa, we ensure that appropriate safeguards are in place, including contractual protections with each sub-processor.

5. Your rights under POPIA

As a data subject, you have the following rights, which you may exercise by contacting us at hello@coportal.io:

  • Right to access: Request a copy of personal information we hold about you.
  • Right to correction: Request correction of inaccurate or incomplete information.
  • Right to deletion: Request deletion of your personal information. Subscribers may delete their account via Settings; we will permanently delete all associated data within 30 days.
  • Right to object: Object to the processing of your personal information in certain circumstances.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to complain: You have the right to lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.

We will respond to requests within 30 days of receipt.

6. Data retention

We retain personal information only as long as necessary for the purposes described in this policy:

  • Active accounts: Data is retained for the duration of the subscription plus a 30-day grace period after cancellation or deletion.
  • Deleted accounts: All personal data is permanently deleted within 30 days of account deletion.
  • Uploaded files: Deleted on account closure. Individual files may be deleted earlier by the subscriber at any time.
  • Email logs: Transactional email records are retained by Resend in accordance with their data retention policy (typically 30 days).

7. Cookies

CoPortal uses only strictly necessary cookies required for authentication and session management (provided by Supabase). We do not use advertising cookies, analytics trackers, or any third-party tracking pixels. No cookie consent banner is required as all cookies are functionally essential.

8. Security

We implement appropriate technical and organisational measures to protect personal information, including:

  • All data transmitted via HTTPS/TLS encryption
  • Passwords hashed using industry-standard algorithms (managed by Supabase Auth)
  • Row-level security policies restricting data access to the workspace it belongs to
  • API keys and secrets stored as environment variables, never in source code
  • Payment data never stored on our servers — handled by PCI-DSS compliant Paystack

No system is completely immune to security incidents. In the event of a data breach affecting your personal information, we will notify you and the Information Regulator as required by POPIA.

9. Your clients' personal information

When you use CoPortal to manage your clients, you are the responsible party for your clients' personal information. We process it solely on your instructions as an operator. You are responsible for:

  • Obtaining your clients' consent or establishing another lawful basis for processing
  • Informing your clients that their data is processed via CoPortal
  • Responding to your clients' data rights requests regarding their information

10. Children

The Service is intended for business use by adults (18+). We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided us with personal information, please contact us at hello@coportal.io.

11. Changes to this policy

We may update this Privacy Policy from time to time. For material changes, we will notify subscribers by email at least 14 days before the new policy takes effect. The current version is always available at coportal.io/privacy.

12. Contact

For any privacy-related queries, data rights requests, or concerns, contact our Information Officer:

CoPortal
Email: hello@coportal.io
Website: coportal.io

This Privacy Policy was last updated on 11 April 2026 and is compliant with the Protection of Personal Information Act 4 of 2013 (POPIA).