Privacy Notice (Template) — Portiva

Last updated: 10 January 2026

This privacy notice explains how Portiva (an AI financial advisor app with a net worth dashboard, AI chat, and AI-generated reports) collects and uses your personal information.

1) Who we are (data controller) and how to contact us

Controller: Portiva [Ltd] (the “Controller”)

Email: privacy@yourdomain.com

Address: [Your business address]

If you have questions about this notice or want to exercise your rights, contact us using the details above.

2) What information we collect

We collect information in these categories:

A. Account and identity information

  • Name, email address, password (hashed), and account settings.

B. Financial profile information (what you type in)

  • Income/salary, debts, assets, savings, pensions/investments (high-level), monthly spending/budgets (if you provide them), goals, and other financial notes you choose to enter.

C. Chat and content you provide

  • Messages you send to our AI financial planner, and any files/text you upload (if the feature exists).
  • Feedback you provide about outputs (e.g., “thumbs up/down”, corrections).

D. Usage and device information

  • App interactions (pages viewed, features used), approximate location (from IP address), device/browser info, and log data (timestamps, error logs).

E. Cookies / similar technologies (website/app)

  • Cookies that help the service work, and (if enabled) analytics cookies.

We don’t intentionally collect “special category” data (e.g., health info, religion). Please don’t share it in chats or uploads.

3) Why we use your information (purposes) and our lawful bases

We use your information to:

Provide the service (Contract)

  • Create and manage your account.
  • Build your net worth dashboard and show insights based on the information you enter.
  • Generate AI responses and AI-written reports from your inputs.

Improve and protect it (Legitimate interests)

  • Troubleshoot bugs, monitor performance, prevent fraud/abuse, and keep the platform secure.
  • Improve product quality and user experience (e.g., understanding which features are used).

Communicate with you (Contract / Legitimate interests)

  • Send service messages (e.g., verification emails, important changes).
  • Respond to support requests.

Meet legal obligations (Legal obligation)

  • Comply with applicable laws, respond to lawful requests, and maintain records where required.

Optional marketing (Consent, where required)

  • If we send marketing emails, we’ll ask first where consent is required, and you can opt out anytime.

The ICO explains that privacy notices should be clear about what you collect, why you collect it, and who you share it with. (ICO)

4) Who we share your information with (including AI and hosting vendors)

We don’t sell your personal information.

We share information only as needed with service providers (processors) who help us run Portiva, such as:

AI vendors (for chat + report generation)

  • We send the text you provide (and relevant financial context needed to answer) to our AI provider(s) to generate responses.
  • AI provider(s): [Name of AI vendor(s), e.g., OpenAI]
  • We limit what we send where possible and require vendors to protect the data under contract.

Hosting, storage, and infrastructure

  • Cloud hosting, databases, file storage, and monitoring.
  • Hosting provider(s): [e.g., Vercel / AWS / GCP — list what you use]

Email/communications

  • Providers that send verification emails and service notifications.
  • Email provider(s): [e.g., Postmark / SendGrid]

Analytics (if enabled)

  • Providers that help us understand usage (e.g., page views, feature adoption).
  • Analytics provider(s): [e.g., Google Analytics / PostHog]

Professional advisers and legal requirements

  • Professional advisers (lawyers/accountants) under confidentiality where needed.
  • Law enforcement/regulators if we’re required to comply with a legal request.

Add the exact vendor names you use. The ICO’s small-org generator is designed to help you produce a tailored notice you can copy/paste and brand. (ICO)

5) International transfers

Some vendors may process data outside the UK. When that happens, we use appropriate safeguards (for example, contractual protections) to help protect your information.

6) How long we keep your information (retention)

We keep personal information only as long as necessary for the purposes above:

  • Account + financial profile: while your account is active. If you delete your account, we’ll delete or anonymise this data within [30/60/90 days], unless we must keep some of it for legal, security, or dispute reasons.
  • Chat history and generated reports: kept while your account is active (so you can refer back), unless you delete it or request deletion (where applicable).
  • Support messages: typically kept for [12–24 months] after the ticket closes.
  • Security logs: typically kept for [30–180 days].

Set periods that match what you actually do.

7) Your rights (and how to use them)

Under UK data protection law, you have rights that may include:

  • Access (ask for a copy of your data)
  • Rectification (correct inaccurate data)
  • Erasure (delete your data in certain situations)
  • Restriction (limit how we use it in certain situations)
  • Portability (receive certain data in a usable format)
  • Objection (object to processing based on legitimate interests)
  • Withdraw consent (where we rely on consent)

To exercise your rights, email privacy@yourdomain.com. You also have the right to complain to the Information Commissioner’s Office (ICO) if you’re unhappy with how we handle your data. (ICO)

8) Automated decision-making

We use AI to generate guidance and summaries based on the information you provide. We do not make decisions that produce legal or materially significant effects about you without human involvement. (If that changes, we’ll update this notice.)

9) Security

We use appropriate technical and organisational measures designed to protect your information (e.g., access controls, encryption in transit, monitoring). No system is 100% secure, but we work to protect your data.

10) Changes to this notice

We may update this notice from time to time. We’ll post the latest version in the app/website and update the “Last updated” date.

ICO guidance (handy for your final version)

  • A privacy notice generator aimed at small organisations/start-ups. (ICO)
  • Guidance on what to include in a privacy notice (what you collect, why, sharing, retention, rights, etc.). (ICO)

If you tell us what vendors you’re actually using for AI, database, email, and analytics, we’ll replace the placeholders so this is publish-ready.