Privacy Statement

Updated 30.11.25

1. Introduction

Portal Ltd. ("Portal," "we," "us") provides the universal API infrastructure and connectivity layer for physical access. We act as a data processor for property operators, hotels, and developers ("Clients") to manage secure access credentials for their buildings.

We value privacy as a fundamental right. This Privacy Statement outlines how we handle data on behalf of our Clients to deliver our Services.

2. Our Role: The Data Processor

It is critical to distinguish our role from that of our Clients:

  • The Data Controller: The Hotel, Property Manager, or Developer who uses Portal is the Data Controller. They determine why and how guest data is collected. They own the relationship with the guest.
  • The Data Processor: Portal is the Data Processor. We process data solely on the instructions of the Controller to fulfill the specific service of granting physical access. We do not own guest data, nor do we use it for our own independent marketing purposes.

(Note: We act as a Controller only for business-to-business data required to manage your commercial account with us, such as your billing details and admin staff logins.)

3. Information We Process (On Behalf of Clients)

To provide our API and Dashboard services, we process the following data categories strictly as instructed by the Data Controller (the Hotel/Operator):

A. End User (Guest) Data

This data is received programmatically from the Property Management System (PMS) or input by the Client:

  • Booking Context: Guest Name, Reservation Dates (Check-in/out), and Room Assignments.
  • Credential Delivery: Phone number or email address (processed solely to deliver the digital key via WhatsApp, SMS, or Email).
  • Access Telemetry: Encrypted digital key payloads, card serial numbers (CSNs), or PIN codes required to operate the hardware.
  • Activity Logs: Operational timestamps of when a credential interacted with a lock (e.g., "Room 204 unlocked at 14:00").

B. Client Account Data (B2B)

To manage our commercial relationship with you (the Client), we collect:

  • Staff Logins: Names and business emails of your employees using the Portal Dashboard.
  • Billing Information: Payment methods and invoice details.

4. How We Use Data

We process data strictly to deliver the Infrastructure Service:

  1. Provisioning Access: Translating booking data into a valid physical credential (e.g., Apple Wallet Pass, PIN, or Bluetooth Key).
  2. Service Reliability: Monitoring API uptime, battery status, and hardware connectivity.
  3. Security & Auditing: Maintaining an immutable log of access events to protect the property and its guests.
  4. Compliance: Fulfilling legal or regulatory obligations in the jurisdictions where the property is located.

We do not sell, rent, or monetize Guest Data.

5. Data Sharing & Sub-Processors

We share data only as necessary to execute the service:

  • The Controller (You): We provide full visibility of access logs and guest status back to the Hotel/Operator.
  • Hardware Partners: We transmit encrypted credential data to lock manufacturers (e.g., Assa Abloy, Salto) strictly to authorize the physical hardware.
  • Infrastructure Sub-Processors: We use trusted third-party infrastructure (e.g., AWS for hosting, Twilio for SMS) under strict Data Processing Agreements (DPAs).

6. Security & Data Retention

We treat access control as critical infrastructure.

  • Security: We employ bank-grade encryption (AES-256) for data at rest and TLS 1.2+ for data in transit. We maintain strict Role-Based Access Control (RBAC) for internal staff.
  • Retention: We retain guest data only for the duration defined by the Data Controller (the Hotel) or as required by law. Once the retention period expires, data is securely deleted or anonymized.

7. International Transfers

Portal operates globally across 38+ countries. For data transfers originating from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) and adequacy decisions to ensure GDPR compliance regardless of where the data is processed.

8. Your Rights (Data Subject Requests)

  • For Guests (End Users): If you wish to access, correct, or delete your data, please contact the Hotel or Property Manager directly. As the Data Processor, we cannot process these requests without instruction from the Controller. We will assist the Hotel in fulfilling your request.
  • For Clients (Admins): You can manage your business account data directly via the Portal Dashboard.

9. Contact Us

For privacy inquiries, DPA requests, or security reports:

  • Email: privacy@tryportal.com

Software
DashboardGuest KeysPortal APISDK + Components
Solutions
HotelsMulti-property Operators (Q2 26)Co-working (Q2 26)
Company
BlogAbout PortalChangelogPricingContactRequest a DemoFor Investors
Legal
Privacy StatementEULAVDPSecurityDeveloper NDA
Portal is the universal access layer between digital bookings and physical spaces. We power mobile keys and automated access for the world’s leading hotels, operators, and platforms.
© Portal Technologies 2025