Privacy Policy

PortfolioPro LLC is committed to protecting your privacy and ensuring transparency in how we collect, use, and protect your personal information.

Last updated: January 15, 2025

1. Information We Collect

Personal Information: When you sign up for Portfolio Pro, we collect:

  • Email address (for account creation and communication)
  • Name (for personalization)
  • GitHub profile information (if you sign in with GitHub)
  • Google profile information (if you sign in with Google)

Usage Information: We automatically collect:

  • Learning progress and completion status
  • Code submissions and project work
  • Platform interaction data
  • Device and browser information
  • IP address and location data

Payment Information: Processed securely through Stripe. We don't store credit card information.

2. How We Use Your Information

  • Provide and improve our educational platform
  • Track your learning progress and provide personalized recommendations
  • Send important updates about your account and our service
  • Process payments and manage subscriptions
  • Provide customer support
  • Analyze platform usage to improve our content and features
  • Comply with legal obligations

3. Information Sharing

We do not sell, trade, or rent your personal information. We may share information only in these limited circumstances:

  • Service Providers: With trusted third parties who help us operate our platform (e.g., Stripe for payments, Supabase for data storage)
  • Legal Requirements: When required by law or to protect our rights and users' safety
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with advance notice)

4. Data Security

We implement industry-standard security measures:

  • Encryption in transit and at rest
  • Secure authentication through OAuth providers
  • Regular security audits and updates
  • Limited access to personal data on a need-to-know basis
  • Secure hosting infrastructure with SOC 2 compliance

5. Your Rights and Choices (GDPR & CCPA)

Under GDPR (if you're in the EU/EEA) and CCPA (if you're in California), you have comprehensive rights regarding your personal data:

Right to Access (GDPR Art. 15)

Request a copy of all personal data we hold about you, including how it's used and who it's shared with.

How to exercise: Download your data from your account settings or email privacy@portfoliopro.dev.

Response time: Within 30 days (GDPR) or 45 days (CCPA)

Right to Rectification (GDPR Art. 16)

Update or correct inaccurate or incomplete personal information.

How to exercise: Update your profile in account settings or contact support.

Right to Erasure / Deletion (GDPR Art. 17)

Request deletion of your account and associated personal data ("Right to be Forgotten").

How to exercise: Request account deletion from your account settings.

Note: A 30-day grace period applies. Financial records are retained for 7 years per legal requirements.

Right to Data Portability (GDPR Art. 20)

Receive your personal data in a structured, machine-readable format (JSON).

How to exercise: Export your data (includes learning progress, projects, preferences).

Right to Restrict Processing (GDPR Art. 18)

Request that we limit how we process your personal data in certain circumstances.

How to exercise: Contact privacy@portfoliopro.dev with your request.

Right to Object (GDPR Art. 21)

Object to processing of your personal data for direct marketing, profiling, or legitimate interests.

How to exercise: Manage preferences in account settings or click "unsubscribe" in any marketing email.

Right to Withdraw Consent (GDPR Art. 7)

Withdraw consent for data processing at any time without affecting prior lawful processing.

How to exercise: Update consent preferences in account settings.

Right to Lodge a Complaint

If you believe we've violated your privacy rights, you can file a complaint with your local data protection authority.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve our services. You have full control over non-essential cookies.

Types of Cookies We Use

  • Strictly Necessary (Always Active):
    • Authentication and session management
    • Security and fraud prevention (CSRF tokens)
    • Essential platform functionality
  • Analytics (Optional):
    • Google Analytics 4 (anonymized IP, 26-month retention)
    • PostHog (session recordings with input masking)
    • Usage patterns and performance metrics
  • Marketing (Optional):
    • Advertising campaign tracking (UTM parameters)
    • Conversion tracking for paid ads
  • Preferences (Optional):
    • Theme selection (dark/light mode) and language
    • Editor settings and code preferences
    • Dashboard customization

Cookie Duration

  • Session Cookies: Deleted when you close your browser
  • Authentication Cookies: 30 days (or until logout)
  • Preference Cookies: 1 year
  • Analytics Cookies: 26 months (Google Analytics standard)

Managing Cookie Preferences

You can manage your cookie preferences at any time:

  • Update cookie preferences in your account settings
  • Use browser settings to block or delete cookies (though this may affect platform functionality)
  • Browser Do-Not-Track (DNT) signals are respected for analytics

Note: Disabling necessary cookies will prevent you from using core platform features.

Third-Party Services

We use the following third-party services that may set their own cookies:

7. Data Retention and Deletion

We retain your personal data only as long as necessary for the purposes outlined in this policy or as required by law.

Retention Periods

  • Active Accounts: Data retained while your account is active
  • Account Deletion: 30-day grace period (allows reactivation)
  • Learning Progress: 3 years after account closure
  • AI Analysis History: 1 year from creation
  • Security Events: 2 years (legal requirement)
  • Purchase History: 7 years (tax and accounting requirements)
  • Marketing Leads: 2 years or until unsubscribe

Automatic Deletion

We automatically delete data that exceeds its retention period, except for records that must be retained by law (e.g., financial transactions, tax records).

Account Deletion Process

  1. Request account deletion from your account settings
  2. Your account is marked for deletion (30-day grace period)
  3. During the grace period, you can cancel the request by logging in
  4. After 30 days, your account and associated data are permanently deleted
  5. You receive a confirmation email once deletion is complete

Note: Financial records are retained for 7 years per legal requirements, even after account deletion.

8. International Data Transfers and Privacy Shield

Our services are primarily hosted in the United States. If you're accessing our service from outside the US, your information may be transferred to, stored, and processed in the US or other countries.

GDPR Compliance for EU/EEA Users

For users in the European Union, European Economic Area, or United Kingdom, we ensure GDPR-compliant data transfers through:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer agreements with our sub-processors
  • Adequacy Decisions: We use service providers in countries deemed adequate by the EU Commission where possible
  • Data Processing Agreements: All third-party processors sign GDPR-compliant DPAs
  • UK GDPR: We comply with UK data protection laws post-Brexit

Our Sub-Processors

We work with the following sub-processors who may process your data:

  • Supabase (US): Database hosting and authentication
  • Stripe (US): Payment processing
  • OpenAI (US): AI-powered code review and assistance
  • Vercel (US): Web hosting and CDN
  • Google Analytics (US): Website analytics (with anonymization)

All sub-processors are bound by GDPR-compliant data processing agreements.

Data Security During Transfer

  • All data transfers use TLS 1.3 encryption
  • Data at rest is encrypted using AES-256
  • Multi-factor authentication required for administrative access
  • Regular security audits and penetration testing

9. Children's Privacy (COPPA & GDPR)

Portfolio Pro is not intended for children under 16 years of age (or 13 in countries where that's the minimum age). We do not knowingly collect personal information from children.

  • Age Verification: Users must be at least 16 years old to create an account (13 with verifiable parental consent)
  • Parental Consent: For users aged 13-15, we require verifiable parental consent before collecting any personal data
  • Discovery of Underage Users: If we learn we've collected data from a child without proper consent, we will delete it within 30 days

Parents or guardians who believe their child has created an account without permission should contact privacy@portfoliopro.dev.

10. Automated Decision-Making and Profiling

We use automated decision-making and profiling in limited circumstances to enhance your learning experience:

  • Learning Recommendations: AI algorithms suggest lessons and projects based on your progress and skill level
  • Code Quality Assessment: Automated analysis of your code submissions for feedback
  • Difficulty Adjustment: Platform adapts content difficulty based on your performance

Your Rights: Under GDPR Article 22, you have the right to:

  • Not be subject to solely automated decisions
  • Request human review of automated decisions
  • Express your point of view on automated decisions
  • Contest automated decisions

Note: Our AI-powered features are designed to assist, not make final decisions about your learning outcomes. Human review is always available upon request.

11. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify Authorities: Report to relevant data protection authorities within 72 hours (GDPR requirement)
  • Notify You: Inform affected users without undue delay via email
  • Provide Details: Describe the nature of the breach, likely consequences, and measures taken
  • Remediation: Take immediate steps to secure systems and prevent further breaches

We maintain comprehensive security monitoring and incident response procedures to minimize breach risks.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service offerings.

  • Material Changes: We will notify you via email at least 30 days before significant changes take effect
  • Minor Updates: Non-material changes will be posted on this page with an updated "Last updated" date
  • Consent Required: For changes requiring new consent under GDPR, we'll request explicit opt-in

We encourage you to review this Privacy Policy periodically. Continued use of our service after changes constitutes acceptance, except where additional consent is required.

13. Contact Us & Data Protection Officer

If you have questions about this Privacy Policy, want to exercise your data rights, or need to report a concern:

PortfolioPro LLC

General Inquiries:

support@portfoliopro.dev

Data Protection Officer:

privacy@portfoliopro.dev

For GDPR requests, data subject rights, and privacy concerns

GDPR Representative (EU):

gdpr@portfoliopro.dev

For EU/EEA-specific inquiries

Response Times:

  • Data Subject Requests: 30 days (GDPR) / 45 days (CCPA)
  • Privacy Questions: 5 business days
  • Breach Notifications: Immediate (as required)

14. AI Transparency & EU AI Act Compliance

Portfolio Pro uses artificial intelligence (AI) systems for code review, personalized learning recommendations, and content suggestions. In compliance with the EU AI Act (Regulation 2024/1689) and AI transparency best practices:

🤖 AI Systems We Use:

  • Code Review AI: OpenAI GPT-4 models for analyzing user code, suggesting improvements, and detecting bugs
  • Learning Recommendations: Machine learning algorithms to suggest lessons, projects, and learning paths
  • Content Search: Natural language processing for semantic search across lessons and documentation
  • Progress Analytics: AI-powered insights into learning patterns and skill development

AI Training Data:

  • Third-Party Models: We use OpenAI's GPT-4 models, which are trained on publicly available internet data (we do not control this training data)
  • Your Data: Your code submissions are sent to OpenAI for analysis but are NOT used to train their models (per our Data Processing Agreement with OpenAI)
  • Internal Models: Our learning recommendation algorithms are trained on aggregated, anonymized user progress data (not personal information)

AI Limitations & Risks:

  • Not Always Accurate: AI code reviews may contain errors, miss bugs, or suggest suboptimal solutions
  • Potential Bias: AI models may exhibit biases present in their training data (e.g., favoring certain programming styles or frameworks)
  • Context Limitations: AI cannot fully understand your project requirements, business logic, or specific use cases
  • Not a Substitute: AI assistance does not replace human learning, code review by peers, or professional development practices

Human Oversight & Your Rights:

  • No Fully Automated Decisions: AI does not make final decisions about your grades, certifications, or account status (human review is always involved)
  • Right to Explanation: You can request an explanation of how AI suggestions or recommendations were generated
  • Right to Contest: You can disagree with AI-generated feedback and request human review at any time
  • Opt-Out Options: You can disable AI code reviews in your settings (though this may limit some features)

Bias Mitigation Measures:

  • Regular audits of AI outputs for fairness and accuracy
  • Diverse training data for our internal recommendation models
  • User feedback mechanisms to report biased or inappropriate AI responses
  • Transparency reports published annually on AI performance and bias metrics

📧 Contact for AI Concerns:

Email: support@portfoliopro.dev

Report AI bias, request explanations, or ask about our AI systems.

15. International Privacy Rights

In addition to GDPR (EU/EEA) and CCPA (California), we comply with privacy laws in other jurisdictions:

🇧🇷 Brazil (LGPD - Lei Geral de Proteção de Dados)

If you are in Brazil, you have the following rights under LGPD (Law No. 13.709/2018):

  • Confirmation of data processing and access to your data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of unnecessary data
  • Portability of your data to another service provider
  • Information about public/private entities with whom we share data
  • Information about the possibility of refusing consent
  • Revocation of consent at any time

Legal Basis: We process your data based on consent, contract fulfillment, legal obligations, and legitimate interests (LGPD Art. 7).

Brazilian Data Protection Contact: privacy@portfoliopro.dev

🇨🇦 Canada (PIPEDA - Personal Information Protection and Electronic Documents Act)

If you are in Canada, your data is protected under PIPEDA and provincial laws (e.g., Quebec's Law 25). You have rights to:

  • Know why your personal information is collected, used, or disclosed
  • Access your personal information held by us
  • Challenge the accuracy and completeness of your data
  • Withdraw consent for certain uses of your data
  • File complaints with the Privacy Commissioner of Canada

Cross-Border Transfers: Your data may be processed in the United States (where our servers are located). We use Standard Contractual Clauses and other safeguards to protect your data.

Canadian Privacy Contact: privacy@portfoliopro.dev

To file a complaint: Privacy Commissioner of Canada

🇦🇺 Australia (Privacy Act 1988 - Australian Privacy Principles)

If you are in Australia, your data is protected under the Privacy Act 1988 and the 13 Australian Privacy Principles (APPs). You have rights to:

  • Know what personal information we hold about you
  • Access and correct your personal information
  • Make a complaint about how we handle your personal information
  • Opt out of direct marketing communications

Overseas Disclosure: Your data may be disclosed to overseas recipients (e.g., US-based servers, OpenAI). We take reasonable steps to ensure recipients comply with Australian privacy standards.

Australian Privacy Contact: privacy@portfoliopro.dev

To file a complaint: Office of the Australian Information Commissioner (OAIC)

🌍 Other Jurisdictions

We also respect privacy laws in other jurisdictions, including:

  • Japan: Act on the Protection of Personal Information (APPI)
  • South Korea: Personal Information Protection Act (PIPA)
  • Singapore: Personal Data Protection Act (PDPA)
  • India: Digital Personal Data Protection Act (DPDPA) 2023
  • Switzerland: Federal Act on Data Protection (FADP)

If you are in a jurisdiction not listed here, please contact us at privacy@portfoliopro.dev to discuss your privacy rights under local law.

🌐 Global Privacy Contact:

For any international privacy inquiries: privacy@portfoliopro.dev

We respond to all privacy requests within 30 days (or as required by applicable law).

16. Legal Framework Summary

This Privacy Policy complies with:

  • GDPR (EU General Data Protection Regulation 2016/679) - For EU/EEA users
  • UK GDPR (UK Data Protection Act 2018) - For UK users
  • EU AI Act (Regulation 2024/1689) - AI transparency and accountability requirements
  • CCPA/CPRA (California Consumer Privacy Act) - For California residents
  • COPPA (Children's Online Privacy Protection Act) - For users under 13
  • ePrivacy Directive (Cookie Law) - For EU/EEA users
  • LGPD (Brazilian General Data Protection Law) - For Brazilian users
  • PIPEDA (Canada Personal Information Protection) - For Canadian users
  • Privacy Act 1988 (Australian Privacy Principles) - For Australian users

Lawful Basis for Processing (GDPR):

  • Consent (Art. 6(1)(a)): Analytics, marketing communications, optional cookies
  • Contract (Art. 6(1)(b)): Account creation, service delivery, payment processing
  • Legal Obligation (Art. 6(1)(c)): Tax records, security monitoring, fraud prevention
  • Legitimate Interests (Art. 6(1)(f)): Platform improvements, security, customer support