This Privacy Policy explains how Porter ("we", "us", "our") collects, uses, stores, and protects personal data when you use our visitor management platform ("Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Who We Are
Porter is a visitor management SaaS platform that helps organisations manage visitor check-ins, contractor compliance, and workplace security.
Business Automation Ltd (company number 15847293), trading as Porter, is registered at Suite 4, The Innovation Centre, Leeds, LS1 4AP, United Kingdom. Our Data Protection Officer can be contacted at [email protected].
2. What Data We Collect
We collect the following categories of personal data:
- Account data: name, email address, organisation name, role
- Visitor data: visitor name, email address, phone number, company name, check-in and check-out times, purpose of visit, host name
- Photo data: visitor photographs captured during check-in (where enabled by the organisation)
- Document data: signed NDAs, contractor certifications, compliance documents
- Usage data: login times, feature usage, browser type, IP address
- Billing data: payment method details (processed and stored by Stripe; we do not store card numbers)
3. Why We Collect It
We collect personal data for the following purposes:
- Service provision: to operate the visitor management platform, process check-ins, and deliver core features
- Security: to maintain an auditable record of site visitors for workplace safety and security
- Compliance: to help organisations meet regulatory requirements, including health and safety obligations
- Communication: to send host notifications, visitor confirmations, and service-related emails
- Improvement: to analyse usage patterns and improve the Service
4. How We Use Your Data
- Provide and maintain the visitor management Service
- Send real-time notifications to hosts when visitors arrive
- Generate analytics reports on visitor volume, trends, and patterns
- Process payments and manage subscriptions
- Provide customer support
- Send service updates and important notices
- Detect and prevent fraud or abuse
5. Legal Basis for Processing
We process personal data under the following legal bases:
- Contract: processing necessary to perform our contract with you (providing the Service)
- Legitimate interests: improving our Service, ensuring security, and preventing fraud
- Legal obligation: compliance with applicable laws and regulations
- Consent: where required, such as for marketing communications or optional photo capture
6. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
We retain your data for the duration of your account plus 12 months. Visitor check-in records are retained for 24 months after the visit. Billing records are retained for 7 years in accordance with tax obligations.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: request correction of inaccurate or incomplete data
- Right to erasure: request deletion of your personal data ("right to be forgotten")
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interests
- Right to restrict processing: request that we limit how we use your data
- Right to withdraw consent: withdraw consent at any time where processing is based on consent
To exercise any of these rights, please contact us using the details in Section 12. We will respond within 30 days.
8. Data Processors and Sub-processors
We use the following third-party processors to deliver the Service:
- Authentication: handled internally using custom JWT-based authentication (no external auth processor)
- Stripe: payment processing and subscription management
- Resend: transactional email delivery
- Hosting provider: cloud infrastructure and data storage
Our cloud infrastructure is hosted by Amazon Web Services (AWS) in the EU (Ireland). A complete list of sub-processors is maintained and available upon request by contacting [email protected].
9. Cookies
We use cookies and similar technologies for the following purposes:
- Essential cookies: required for authentication, session management, and security
- Analytics cookies: to understand how the Service is used and improve performance
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect your ability to use the Service.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, access controls, regular security assessments, and incident response procedures.
11. International Data Transfers
Some of our sub-processors may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
Where our sub-processors are based outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of data protection.
12. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- Data Protection Officer: [email protected]
- General support: [email protected]
- Postal address: Business Automation Ltd, Suite 4, The Innovation Centre, Leeds, LS1 4AP, United Kingdom
- Supervisory authority: Information Commissioner's Office (ICO), United Kingdom
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and updating the "Last updated" date. We encourage you to review this policy periodically.