1. Introduction
This Privacy Policy describes how Portals Labs, Inc. (“Portals,” “we,” “us”) collects, uses, shares, and protects personal information when you use Portals, available at theportal.to and through our apps and APIs (together, the “Services”).
For purposes of the EU and UK General Data Protection Regulation, Portals Labs, Inc. is the controller of your personal information.
2. Scope
This Policy applies to personal information we collect when you visit our website, create an Account, use paid features, participate in the Marketplace, generate content through the AI Lab, or otherwise interact with the Services. It does not cover the privacy practices of third-party services we integrate with; their policies apply to information they collect from you directly.
3. What we collect
Information you give us
- Account information: email address, username, display name, password (hashed), profile picture, date of birth (for age verification), and, if you connect a wallet, your public wallet address.
- Billing information: payment card details, billing address, and tax information, which you provide to our payment processor Stripe. Portals does not store full card numbers.
- Creator payout information: if you sell on the Marketplace, the identity, tax, and bank-account information Stripe Connect collects to pay you.
- Content and activity: games, spaces, asset packs, items, avatars, messages, comments, prompts, AI Outputs, friends, and other information you create or submit.
- Communications: support requests, feedback, and other messages you send us.
Information we collect automatically
- Device and log data: IP address, device and browser type, operating system, language, referring URL, pages and features you use, timestamps, and crash logs.
- Usage analytics: events about how you interact with the Services, collected through Mixpanel and our own systems.
- Cookies and similar technologies: see Cookie Policy.
Information from third parties
- Stripe provides us with information about your payments and payouts, including transaction IDs, amounts, dispute status, and payout identity verification signals.
- AI providers return AI Outputs based on prompts you submit. The specific provider used depends on the feature you invoke. The current list of AI providers — and all other subprocessors we engage — is maintained on our Subprocessors page.
- If you sign in via a third-party identity provider, that provider shares basic profile information with us as you authorize.
4. How we use your information
- To create and operate your Account and deliver the Services.
- To process payments, payouts, and tax reporting.
- To enable the Marketplace, friends, messaging, and social features.
- To run the AI Lab, including sending prompts to third-party AI providers and returning outputs.
- To train, improve, and develop AI systems, using the prompts and AI Outputs from the AI Lab (but not User Content you upload — see the Terms of Service, Section 7).
- To secure the Services, detect and prevent fraud and abuse, and enforce our policies.
- To provide customer support and respond to your requests.
- To send you transactional emails (receipts, account notices, security alerts) and, where permitted, product and marketing emails. You can unsubscribe from marketing emails at any time.
- To understand how the Services are used, through aggregate analytics.
- To comply with law and respond to lawful requests.
5. Legal bases (EU, EEA, UK)
If you are in the EU, EEA, or UK, we process your personal information on the following legal bases:
- Contract: to provide the Services you sign up for (Accounts, paid plans, Marketplace transactions, AI Lab).
- Legitimate interests: to secure the Services, prevent fraud, improve our products, send limited direct marketing about our own services, and analyze aggregate usage — in each case balanced against your rights and interests.
- Consent: for non-essential cookies, for some marketing communications, and where otherwise required. You may withdraw consent at any time without affecting prior processing.
- Legal obligation: to keep tax, payment, and compliance records, and to respond to lawful requests.
7. International transfers
Portals is based in the United States and processes personal information there and in other countries where our service providers operate. When we transfer personal information from the EU, EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of protection, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK Addendum.
If you are located in the EU, EEA, or UK and would like to exercise your data-subject rights or contact Portals about this Policy, please email privacy@theportal.to. We review every request and respond within the time periods required by applicable law.
8. How long we keep data
We keep personal information only as long as we need it for the purposes described in this Policy. The default retention periods below apply unless we are required by law to keep data longer, or unless a longer period is needed to resolve a dispute or enforce our rights:
- Account data: deleted within 30 days after you close your Account, except for data we must keep for legal reasons.
- Financial, tax, and payment records: up to 7 years, as required by tax and anti-money-laundering laws.
- Raw server logs: up to 90 days.
- Analytics events (Mixpanel): retained according to Mixpanel defaults, generally in aggregated form.
- Support communications: up to 3 years after your last message.
- Deleted User Content: a 30-day grace period, after which it is purged from production systems. Copies may persist briefly in backups on a 30-day rotation.
9. Your rights
Depending on where you live, you may have the following rights regarding your personal information:
- Access a copy of your personal information.
- Correct inaccurate or incomplete information.
- Delete your personal information.
- Restrict or object to certain processing.
- Receive your information in a portable format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local data-protection authority. If you are in the EU/EEA, contact your national authority. If you are in the UK, contact the Information Commissioner’s Office (ICO).
To exercise these rights, email privacy@theportal.to. We may need to verify your identity before responding. We will respond within the time period required by applicable law (generally 30 days).
10. California residents
If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you additional rights:
- The right to know what personal information we collect, use, disclose, and (if applicable) “share” as defined by the law.
- The right to delete personal information.
- The right to correct inaccurate personal information.
- The right to opt out of the “sale” or “sharing” of personal information. Portals does not sell personal information for money. To the extent our use of analytics cookies constitutes “sharing” for cross-context behavioral advertising under the CPRA, you can opt out through the cookie banner and by enabling the Global Privacy Control (GPC) signal in your browser.
- The right to limit use of sensitive personal information.
- The right not to be discriminated against for exercising these rights.
To exercise these rights, email privacy@theportal.to.
11. Children
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn that we have, we will delete it. If you believe a child under 13 has provided personal information to us, contact privacy@theportal.to.
13. Security
We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, and regular security reviews. No system is perfectly secure, and we cannot guarantee absolute security. If you believe your Account has been compromised, contact security@theportal.to.
14. Changes to this Policy
We may update this Policy from time to time. If changes are material, we will provide notice (for example, by email or in-product notice) before they take effect. The “Last updated” date at the top shows when this Policy was last revised.
15. Contact
Questions, requests, or complaints about this Policy or our privacy practices? Contact us at privacy@theportal.to, or by mail at Portals Labs, Inc., 4470 W Sunset Blvd #90092, Los Angeles, CA 90027, United States.