Privacy Policy

CoPortal Digital (Pty) Ltd (registration number K2026315446), trading as CoPortal (“we”, “us”, “our”), is a private company incorporated in South Africa that operates the software-as-a-service platform at coportal.io. We are the responsible party for personal information processed through this platform, as defined in the Protection of Personal Information Act 4 of 2013 (“POPIA”).

Our Information Officer is contactable at hello@coportal.io.

We collect and process the following categories of personal information:

• Account holders (subscribers): Full name, email address, password (hashed — never stored in plain text), business name, business address, VAT number, bank details (for display on invoices only).
• Team members: Full name, email address, role within the workspace.
• Your clients (data subjects you add): Name, company name, email address, phone number, and any notes you enter. By adding a client’s personal information, you confirm you have a lawful basis to do so.
• Payment information: We do not store card numbers or banking credentials. Payments are processed by Paystack, who applies their own security standards (PCI-DSS).
• Usage data: We collect minimal technical data (error logs, timestamps) necessary to operate the service. We do not use third-party analytics trackers or advertising cookies.
• Uploaded files: Documents, images, and other files you upload in connection with projects are stored on our infrastructure.
• Receipts and expense records: Receipt photos or PDFs you upload to the expense vault, together with the vendor, amount, VAT split, currency, tax category, date, and any notes you enter. We compute and store a SHA-256 hash of every uploaded receipt for audit integrity. These records are subject to tax-retention rules (see section 7).
• Project update photos and client responses: Photos you attach to project update posts, together with any acknowledgement, reply, approval, or change-request your clients submit through the portal. Client response records include the responder’s email, the response type, and any free-text note they choose to send back.
• AI-processed content: When you use AI-assisted features (such as generating quotes, invoices, or meeting summaries), the content you submit for processing is sent to OpenAI, Anthropic, and/or Google Gemini. We do not send client personal information to AI providers beyond what you explicitly include in an AI prompt or document generation request.

We process personal information only for the following purposes:

• To provide, operate, and improve the CoPortal service
• To send transactional emails (invoices, proposals, payment confirmations, password resets, team invitations)
• To send payment reminder emails on behalf of subscribers to their clients
• To integrate with third-party accounting and business software (Xero, QuickBooks, Sage Business Cloud, Microsoft Business Central) at the subscriber’s explicit request — only invoice, client, and project data the subscriber chooses to sync is transmitted
• To deliver automation events to third-party apps via Zapier at the subscriber’s explicit request
• To authenticate team members via Single Sign-On (SSO) through Google Workspace or Microsoft 365 at the Enterprise subscriber’s configuration
• To generate AI-assisted content (quote descriptions, invoice line items, meeting summaries, and similar) using OpenAI, Anthropic, and Google Gemini APIs — only content you explicitly submit for AI processing is sent to these providers
• To check your availability and create booking events via Google Calendar OAuth, when you connect your Google account to the scheduling feature (see section 4 for detail on the specific data accessed)
• To process payments through Paystack
• To comply with legal obligations

We do not sell, rent, or trade personal information to third parties. We do not use personal information for advertising or marketing profiling.

When you connect your Google account to enable CoPortal’s scheduling features, we request the following Google OAuth scopes:

• calendar.freebusy — reads only free/busy time windows from your Google Calendar to compute your availability for booking slots. CoPortal does not read the titles, descriptions, attendees, or any other details of your existing calendar events.
• calendar.app.created — creates and manages only the calendar events that CoPortal itself generates (e.g. booking confirmations). CoPortal does not access, modify, or delete any events it did not create.

How we use this data: Calendar access is used solely to check your availability and to create booking events on your behalf. We do not analyse, export, or use calendar data for any other purpose.

Storage: OAuth access and refresh tokens are stored encrypted. No calendar event content (titles, descriptions, attendee details) is stored on CoPortal’s servers — only the free/busy time windows retrieved in real time for availability computation.

Retention & deletion: Stored tokens and any Google-derived availability data are removed when you disconnect your Google Calendar connection from CoPortal’s settings, or when you close your CoPortal account. You can also revoke access at any time from your Google Account at myaccount.google.com/permissions.

Google’s use of information received from CoPortal is subject to the Google API Services User Data Policy, including the Limited Use requirements.

To deliver the service, we share data with the following sub-processors. Each is subject to their own privacy policy and data processing obligations:

Where personal data is transferred outside South Africa, we ensure that appropriate safeguards are in place, including contractual protections with each sub-processor. Our AI sub-processors' data processing addenda — incorporating EU Standard Contractual Clauses and a UK Addendum where applicable — are auto-incorporated into our commercial terms with each provider and are publicly available:

• Anthropic: anthropic.com/legal/data-processing-addendum
• OpenAI: openai.com/policies/data-processing-addendum
• Google (Gemini API / Cloud): cloud.google.com/terms/data-processing-addendum

As a data subject, you have the following rights, which you may exercise by contacting us at hello@coportal.io:

• Right to access: Request a copy of personal information we hold about you.
• Right to correction: Request correction of inaccurate or incomplete information.
• Right to deletion: Request deletion of your personal information. Workspace owners can close a workspace, team members can delete their CoPortal account, and client portal users can delete their portal account. Deletion requests remain subject to legal, accounting, contractual, security, and abuse-prevention retention needs.
• Right to object: Object to the processing of your personal information in certain circumstances.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Right to complain: You have the right to lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.

We will respond to requests within 30 days of receipt.

We retain personal information only for as long as needed to provide the service, secure the platform, comply with law, and maintain required financial and contractual records.

• Workspace accounts: Personal login data is retained while an account remains active. Team members may delete their own CoPortal account. Workspace owners may close the workspace, which removes workspace-owned data from CoPortal's live systems, subject to any lawful retention obligations.
• Client portal accounts: A client or invited contact may delete their portal account from the client portal. This removes their portal login link and PIN from CoPortal, but the underlying client, quote, invoice, message, and project records may continue to be retained by the workspace owner.
• Financial, contractual, and audit records: Invoices, payment records, signed quotes, communications, and related audit data may be retained for as long as reasonably necessary to comply with legal, tax, accounting, dispute-resolution, fraud-prevention, or evidentiary obligations.
• Receipts and expense records: Receipt images and the corresponding expense entries are retained for the period required by tax law in the subscriber’s jurisdiction. For South African subscribers, this is at least five (5) years from the end of the relevant tax period under the Tax Administration Act and the Value-Added Tax Act, extending to seven (7) years where the Companies Act applies. Each receipt is stored alongside an immutable SHA-256 hash so that the integrity of the original file can be verified on audit. We compute a tax-retention deadline at upload time and decline early erasure of these records (see “Tax retention overrides erasure” below).
• Project updates and client responses: Project update posts and the audit trail of client acknowledgements, replies, approvals, and change requests are retained for the lifetime of the project plus any retention required for dispute-resolution or contractual evidence.
• Uploaded files: Files remain until deleted by the subscriber or removed as part of workspace closure, except where they form part of retained financial, contractual, or dispute records.
• Email and processor logs: Transactional email records, payment processor records, and hosting/security logs may be retained by our subprocessors under their own retention schedules.
• Backups and short-term replicas: Deleted information may remain in encrypted backups or system replicas for a limited period until those backups age out in the ordinary course.

Tax retention overrides erasure. Where you exercise a right of deletion (under POPIA section 24, or equivalent rights under the UK GDPR, EU GDPR, the Australian Privacy Act, the New Zealand Privacy Act, or the Singapore PDPA) over a record that we are legally obliged to retain — including receipts, invoices, signed quotes, payment records, and the corresponding tax registers — we will instead restrict processing of that record to the purposes required to satisfy our legal obligations until the applicable retention window passes, and only then delete it. We will confirm in writing when this exception is being applied and explain which retention rule is engaged. Where a receipt is deleted at the subscriber’s request, the corresponding expense row may be retained in restricted form for the remainder of the retention period.

Where we do not need to retain identifying information, we may delete, de-link, or anonymise personal account data while retaining the underlying business record.

CoPortal uses only strictly necessary cookies required for authentication and session management (provided by Supabase). We do not use advertising cookies, analytics trackers, or any third-party tracking pixels. No cookie consent banner is required as all cookies are functionally essential.

We implement appropriate technical and organisational measures to protect personal information, including:

• All data transmitted via HTTPS/TLS encryption
• Passwords hashed using industry-standard algorithms (managed by Supabase Auth)
• Email OTP verification for client portal access and selected onboarding flows
• Per-person portal PINs for sensitive quote-signing and invoice-payment actions
• Optional authenticator-app MFA for workspace users
• Row-level security policies restricting data access to the workspace it belongs to
• API keys and secrets stored as environment variables, never in source code
• Payment data never stored on our servers — handled by PCI-DSS compliant Paystack

No system is completely immune to security incidents. In the event of a data breach affecting your personal information, we will notify you and the Information Regulator as required by POPIA.

When you use CoPortal to manage your clients, you are the responsible party for your clients' personal information. We process it solely on your instructions as an operator. You are responsible for:

• Obtaining your clients' consent or establishing another lawful basis for processing
• Informing your clients that their data is processed via CoPortal
• Responding to your clients' data rights requests regarding their information

The Service is intended for business use by adults (18+). We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided us with personal information, please contact us at hello@coportal.io.

We may update this Privacy Policy from time to time. For material changes, we will notify subscribers by email at least 14 days before the new policy takes effect. The current version is always available at coportal.io/privacy.

For any privacy-related queries, data rights requests, or concerns, contact our Information Officer:

CoPortal Digital (Pty) Ltd (trading as CoPortal)
Registration number: K2026315446
Email: hello@coportal.io
Website: coportal.io