Privacy Policy

Last updated: April 15, 2026

Portal AI Inc. ("we", "us", "our") operates Portal, including the Portal One+ mobile application, Telegram bot, agent email service, and website at portal.ai. This policy describes how we collect, use, and protect your information.

Information We Collect

Account information — Email address, Telegram user ID, device identifiers, and authentication tokens.
Conversation data — Messages, voice notes, photos, and files you send to your AI assistant. These are stored on our servers to provide persistent memory across sessions.
Email data — If your agent has an email address, emails sent and received through it are stored as part of your agent's workspace.
Scheduled task data — Reminders, recurring workflows, and other tasks you configure your agent to perform autonomously.
Payment information — Subscription and billing data is processed by Stripe. We store your subscription status, tier, and email address. We do not store credit card numbers or payment credentials — these are held exclusively by Stripe.
Usage data — Session timestamps, message counts, XVT consumption, and service analytics to operate and improve the service.

How We Use Your Information

To provide, maintain, and improve the Portal service
To deliver AI-generated responses to your messages
To persist your conversation history, memory, and preferences across sessions
To send and receive emails on your behalf through your agent's email address
To execute scheduled tasks and reminders you configure
To process subscription payments and manage your billing
To track XVT usage against your subscription tier allowance

Third-Party Services and AI Data Sharing

We use third-party AI model providers to generate AI responses. Your messages and relevant context are sent to these providers for processing. Current providers include:

Anthropic (Claude models) — processes conversation text to generate responses. Anthropic Privacy Policy.
Google (Gemini models) — processes conversation text to generate responses. Google Privacy Policy.
Amazon Web Services (Bedrock) — processes conversation text to generate responses. AWS Privacy Policy.

We may add or change AI providers over time. All providers are selected under agreements that prohibit the use of customer data for model training.

Third-Party Integration Data

If you connect third-party services (such as Google Calendar, Google Sheets, Strava, or others) through your account settings, your agent gains limited access to the specific data you authorized. Examples:

Google Calendar — your agent can read your schedule and create events on your behalf.
Strava — your agent can read your runs, rides, workouts, and training data.

We add new integrations over time. You always choose which services to connect and what data to share — nothing is connected without your explicit action in your account settings.

How integration data is shared with AI models: When you ask your agent about data from a connected service, the relevant data is included in the prompt sent to our AI providers (Anthropic, Google Gemini, or AWS Bedrock) to generate a response. This data is processed in real time and is not retained by the AI providers beyond the duration of the request. It is not used for model training by any provider.

Scope and control: You choose which services to connect. Each integration can be disconnected at any time from your account settings, which immediately revokes your agent's access. Authentication tokens are stored securely per user and are not shared across accounts.

Other Third-Party Services

We use Stripe to process payments. Your payment information is governed by Stripe's Privacy Policy.

We use Resend to deliver emails from your agent's email address. Email content passes through Resend's infrastructure for delivery.

We do not sell your data to any third party.

Data Isolation

Each user has a fully isolated environment — separate workspace, separate memory, separate conversation history. No other user can access your conversations, files, emails, or preferences. Your data is never used to train AI models.

Data Retention, Export, and Deletion

Your data is retained as long as your account is active. If you cancel your subscription, your data is retained for 30 days to allow reactivation, after which it may be permanently deleted.

Export your data. You can download all your data — conversations, memory, files, and anything your agent created — at any time through your account settings page. The export is provided as a standard archive file. You can also email [email protected] and we'll prepare it for you.

Delete your data. You can request deletion of your entire account and all associated data through your account settings page or by emailing [email protected]. Access is revoked immediately. Data is permanently purged from our servers within 30 days, unless we're required by law to retain it longer.

Your Rights

Depending on where you live, you have specific rights over your personal data. We honor all of these regardless of your location — we apply the strictest standard.

Access — You can see what data we hold about you via your account settings or by asking us.
Export / Portability — You can download all your data in a machine-readable format at any time.
Deletion / Erasure — You can delete your account and all associated data. We purge it within 30 days.
Correction — You can correct your data by talking to your agent (it updates your memory and profile) or by contacting us.
Restriction / Objection — You can ask us to stop processing your data. The simplest way is to delete your account.
Withdraw consent — You can stop using the service at any time. Deleting your account withdraws all consent.

EU/EEA residents (GDPR): Our lawful basis for processing is contract performance (providing the service you subscribed to) and legitimate interest (operating and improving the service). You have the right to lodge a complaint with your local data protection authority.

California residents (CCPA): You have the right to know what personal information we collect, to delete it, and to opt out of its sale.

Brazilian residents (LGPD) and Canadian residents (PIPEDA): You have equivalent rights to access, correct, delete, and port your data.

Security

All communication between the app and our servers is encrypted via HTTPS/TLS. Data at rest is stored on secured infrastructure with encrypted disks. API keys and credentials are stored separately from user data and are not accessible to AI agents.

Children's Privacy

Portal is not intended for children under 17. We do not knowingly collect information from children.

Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you at least 30 days before they take effect — via a message in the Telegram bot and/or email. Minor clarifications may be posted without advance notice. The "last updated" date at the top always reflects the current version.

Contact

For privacy questions, data requests, or to exercise any of your rights:
[email protected]

For general support:
[email protected]

You can also manage your data directly at portal.ai/me.