Privacy Policy
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you.
Data Collection on This Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the "Controller" section of this privacy policy.
How do we collect your data?
Your data is collected in part by you providing it to us. This may include data you enter during registration, for example.
Other data is collected automatically or with your consent by our IT systems when you visit the website. This is primarily technical data (e.g., internet browser, operating system, or time of page access). This data is collected automatically as soon as you enter this website.
2. Controller
Nils Hoffmann
Geierstraße 14
22305 Hamburg
Phone: +49 15773311400
Email: info@portuo.com
The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.
3. Notice on Data Processing for Our Customers
Portuo is a platform on which companies (our customers) operate portals for their own end customers. In this context, there are two different roles:
- For our direct customers (portal operators): We are the controller for your master data (registration data, payment data, usage data).
- For data of our customers' end customers: We act as a Processor within the meaning of Art. 28 GDPR. In this relationship, our customer (the portal operator) is the "Controller".
If you as a customer use our platform and process personal data of third parties (e.g., your end customers) there, we process this data exclusively according to your instructions. The conclusion of a Data Processing Agreement (DPA) is part of the terms of use.
4. Storage Duration
Unless a more specific storage period has been stated in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke consent to data processing, your data will be deleted within 30 days, unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods).
5. Legal Basis for Data Processing
We process your personal data on the basis of the following legal grounds:
- Consent (Art. 6(1)(a) GDPR) – You have given your consent to the processing of your data for a specific purpose.
- Contract Performance (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which you are a party or for pre-contractual measures.
- Legal Obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation.
- Legitimate Interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of our legitimate interests, unless your interests override.
6. Your Rights as a Data Subject
You have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR) – You can request information about your personal data processed by us.
- Right to Rectification (Art. 16 GDPR) – You can request the correction of inaccurate data or the completion of your data.
- Right to Erasure (Art. 17 GDPR) – You can request the deletion of your data, unless legal retention obligations exist.
- Right to Restriction (Art. 18 GDPR) – You can request the restriction of processing of your data.
- Right to Data Portability (Art. 20 GDPR) – You can request that we provide your data in a structured, commonly used, and machine-readable format.
- Right to Object (Art. 21 GDPR) – You can object to the processing of your data at any time.
- Right to Lodge a Complaint (Art. 77 GDPR) – You have the right to lodge a complaint with a supervisory authority. The competent authority is the supervisory authority of your place of residence, workplace, or place of the alleged infringement.
7. SSL/TLS Encryption
This site uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. When SSL/TLS encryption is enabled, the data you transmit to us cannot be read by third parties.
8. Hosting and Content Delivery
Vercel (Website Hosting)
This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. We have configured the Frankfurt (fra1) server region so that all requests are processed via EU servers.
Each time you access our website, server log data is automatically collected:
- IP address (anonymized)
- Date and time of the request
- Accessed page / URL
- Browser type and version
- Operating system
- Referrer URL
This data is collected to ensure operation and for troubleshooting (Art. 6(1)(f) GDPR). Vercel is certified under the EU-US Data Privacy Framework.
Storage duration: Server log files are stored for a maximum of 14 days and then deleted, unless longer storage is required due to concrete indications of unlawful use.
More information: https://vercel.com/legal/privacy-policy
Supabase (Database & Storage)
We use Supabase for hosting our database, authentication, and file storage. Supabase is a service of Supabase Inc. Our data is stored on servers in Frankfurt am Main (EU).
When using Supabase, technically necessary data such as IP address and access time are processed. Processing is based on our legitimate interests (Art. 6(1)(f) GDPR) in secure and efficient provision of our services.
More information: https://supabase.com/privacy
Bunny Fonts
For displaying fonts, we use Bunny Fonts, a privacy-friendly service from BunnyWay d.o.o. from Slovenia. No personal data is transmitted to or stored by third parties when using this service.
More information: https://bunny.net/privacy
9. Public Website and Customer Portal
We distinguish between the public website (portuo.com) and customer portals (your-company.portuo.com). Different data is processed depending on the area:
Public Website (without login)
When visiting our public pages, only minimal data is processed:
- Server log data (see Hosting section)
- For portal creation: Email address for verification
Analytics tools (Google Analytics) are only used after your explicit consent (see Section 18). Advertising trackers are not used.
Customer Portal (after login)
After logging into a customer portal, additional data is processed that is necessary for using the service:
- User account data (name, email, phone)
- Uploaded documents and attachments
- Tickets, comments, and conversations
- Notification settings
- Read status (which content you have already seen)
- Authentication cookie for the session
This data is processed exclusively for contract performance (Art. 6(1)(b) GDPR). No analytics tools are used in the customer portal – Google Analytics runs exclusively on the public website (portuo.com).
10. Registration and User Account
You can register on our website to use additional features. Registration is only permitted for persons aged 18 and over. During registration, we process the following data:
- Email address
- Name
- Password (stored encrypted)
- Phone number (optional)
When using our services, the following additional data is processed:
- Uploaded documents and their metadata
- Tickets and comments
- Notification settings
- Read status of documents, tickets, and announcements
Processing is for contract performance (Art. 6(1)(b) GDPR). Data will be deleted as soon as it is no longer necessary for the purpose of its collection and no legal retention obligations apply.
11. Cookies and Local Storage
We use technologies that store information on your device or access it (e.g., cookies, local storage). We only use technologies that are strictly necessary to provide portal functions (e.g., login status). Consent is not required for this pursuant to § 25(2)(2) TTDSG.
| Name | Type | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | Local Storage | Authentication / Session | 8 hours |
| cookie-consent | Local Storage | Stores your cookie settings | Unlimited |
| Only with consent (Google Analytics): | | | |
| _ga | Cookie | Distinguishing visitors | 2 years |
| _ga_* | Cookie | Stores session state | 2 years |
The legal basis for the use of technically necessary storage is Art. 6(1)(f) GDPR (legitimate interests). Analytics cookies (Google Analytics) are only set after your explicit consent (Art. 6(1)(a) GDPR).
12. Email Delivery (Brevo)
For sending emails, we use the Brevo service (formerly Sendinblue) from Brevo GmbH, Köpenicker Str. 126, 10179 Berlin.
We send exclusively transactional emails that are necessary for using the service:
- Password reset
- Portal invitations
- Notifications about new documents, tickets, or comments
- Email address changes
When using this service, the following data is transmitted to Brevo:
- Recipient's email address
- Email content
- Technical metadata (timestamp, message ID)
Processing is for contract performance (Art. 6(1)(b) GDPR). We do not send marketing emails or newsletters via Brevo. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Brevo. Brevo is a German company and processes data within the EU.
More information: https://www.brevo.com/de/legal/privacypolicy/
13. Payment Provider (Stripe)
For payment processing, we use the Stripe service from Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
When using Stripe, the following data is processed:
- Payment data (credit card number, expiration date, etc.)
- Billing address
- Email address
- Transaction data
Fraud Prevention: For fraud prevention and payment authentication, Stripe collects technical data about the device used (so-called device fingerprinting). This is based on our legitimate interest in secure payment processing (Art. 6(1)(f) GDPR).
Processing of payment data is for contract performance (Art. 6(1)(b) GDPR). Stripe is certified under the EU-US Data Privacy Framework. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Stripe.
More information: https://stripe.com/de/privacy
14. File Storage
Uploaded documents and attachments are stored in Supabase Storage. Data is stored on servers in Frankfurt am Main (EU). Access to files is protected by authentication and permission checks. Processing is for contract performance (Art. 6(1)(b) GDPR).
15. Data Processors
We use the following data processors with whom data processing agreements pursuant to Art. 28 GDPR have been concluded:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Website hosting | Frankfurt (EU)* |
| Supabase Inc. | Database, Auth, Storage | Frankfurt (EU) |
| Brevo GmbH | Email delivery | Germany (EU) |
| Stripe Payments Europe | Payment processing | Ireland (EU) |
| BunnyWay d.o.o. | Fonts (CDN) | Slovenia (EU) |
| Google Ireland Ltd. | Web analytics (only with consent) | Ireland (EU)* |
* Vercel Inc. and Google Ireland Ltd. are certified under the EU-US Data Privacy Framework. Vercel servers are configured in the Frankfurt (fra1) region. Google Analytics is only activated with consent.
16. Data Transfer to Third Countries
Insofar as we use tools from providers based in the USA (Vercel, Supabase, Stripe), we point out the following:
The USA is considered a safe third country within the meaning of the GDPR, provided that the providers are certified under the EU-US Data Privacy Framework. We regularly check this certification. All US providers we use are certified accordingly at the time of this privacy policy.
As a fallback, we have agreed on the Standard Contractual Clauses (SCC) of the EU Commission with these providers to ensure an adequate level of data protection even if the Data Privacy Framework should cease to apply.
17. Data Sharing
Your personal data will only be shared with third parties if this is necessary for contract performance (e.g., to the data processors mentioned above), you have expressly consented, or we are legally obligated to do so.
18. Web Analytics (Google Analytics)
We use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"), to analyze and improve the use of our website.
Consent Required
Google Analytics is only activated with your explicit consent. Without your consent, no analytics cookies are set and no data is transmitted to Google. You can revoke your consent at any time by clicking on "Cookie Settings" in the footer.
Processed Data
When Google Analytics is activated, the following data is processed:
- Truncated IP address (IP anonymization is enabled)
- Pages visited and time spent
- Browser and operating system used
- Referrer URL (where you came from)
- Approximate location (country/region)
Legal Basis and Purpose
Processing is based on your consent (Art. 6(1)(a) GDPR). We use the data exclusively to improve our website and our offering. The data is not used for advertising purposes.
Data Transfer
Google is certified under the EU-US Data Privacy Framework. A data processing agreement exists with Google. As a fallback, the Standard Contractual Clauses (SCC) of the EU Commission have been agreed.
More information: https://policies.google.com/privacy
We do not use advertising trackers (such as Facebook Pixel).
19. Changes to This Privacy Policy
We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to our services. The new privacy policy will then apply to your next visit.
Last updated: December 2025

