Privacy Policy

Last updated: February 22, 2026

Overview

Portald is a trading authorization platform that connects AI agents to your brokerage accounts. This policy explains what information we collect, how we use it, and how we protect it. Your privacy and the security of your financial data are fundamental to our service.

Information We Collect

Account Information

Registration DataEmail address, password (hashed), and authentication credentials including passkeys, TOTP secrets (encrypted), and recovery codes.
Profile InformationName and account preferences you choose to provide.

Brokerage Data

OAuth TokensWhen you connect a brokerage account (e.g., Alpaca), we store encrypted OAuth access tokens and refresh tokens to execute trades on your behalf.
Account InformationWe receive and store your brokerage account ID, account status, and buying power to display in your dashboard and enforce trading limits.
Portfolio DataCurrent positions and account balances are retrieved from your brokerage to display portfolio status. This data is refreshed on-demand, not stored permanently.

Trading Activity

Trade RequestsAll trade requests submitted by AI agents, including symbol, quantity, side, and order type.
Approval HistoryRecords of trade approvals, rejections, and modifications you make, with timestamps.
Execution DataOrder confirmations and fill details returned by your brokerage after trades execute.

Agent Data

Agent RegistrationPublic keys, action codes, and metadata for AI agents you authorize.
Agent SessionsSession tokens and activity logs for authenticated agent connections.

Technical Data

Usage LogsIP addresses, browser type, and timestamps for security monitoring and abuse prevention.
Error LogsTechnical errors and exceptions to maintain service reliability.

How We Use Your Information

Execute trades on your behalf via connected brokerages
Display your portfolio and account status
Process AI agent trade requests and approvals
Enforce trading limits you configure

Authenticate your identity and secure your account
Maintain audit trails for compliance
Detect and prevent fraud or unauthorized access
Communicate important account information

Information Sharing

We share your information only in these circumstances:

Brokerage PartnersTrade orders are transmitted to your connected brokerage (e.g., Alpaca Markets) for execution. Your brokerage relationship is governed by their terms and privacy policy. See Alpaca's Disclosures.
Payment ProcessingBilling information is shared with Stripe for payment processing. We do not store full credit card numbers. See Stripe's Privacy Policy.
AI AgentsAgents you authorize receive limited information necessary to submit trade requests, such as available buying power and position data.
Legal RequirementsWe may disclose information if required by law, subpoena, or to protect rights, safety, or property.

We do not sell your personal information or trading data to third parties.

Data Security

Protecting your financial data is critical. We implement multiple layers of security:

Encryption

All traffic encrypted via HTTPS/TLS 1.3
Brokerage tokens encrypted at rest (AES-256-GCM)
TOTP secrets and recovery codes encrypted
Passwords hashed with bcrypt

Access Controls

Passkey authentication (phishing-resistant)
Two-factor authentication (TOTP)
Step-up verification for sensitive actions
Session management with secure tokens

Infrastructure

Hosted on Vercel (SOC 2 Type 2)
Database on Neon (encrypted, isolated)
No persistent servers (serverless architecture)

Monitoring

Rate limiting on sensitive endpoints
Audit logging of all trading activity
Automated security alerts

Brokerage Connection Details

When you connect your brokerage account:

OAuth FlowYou authenticate directly with your brokerage. We never see or store your brokerage username or password.
Limited PermissionsWe request only permissions necessary for trading: account info, positions, and order placement. We cannot withdraw funds.
Token StorageOAuth tokens are encrypted with AES-256-GCM before storage. Decryption keys are managed separately from the database.
RevocationYou can disconnect your brokerage at any time from your dashboard. You can also revoke access directly through your brokerage's settings.

Your Rights and Choices

✓ Access and download your account data✓ Disconnect brokerage accounts at any time✓ Revoke AI agent authorizations✓ View complete trade and approval history✓ Delete your account and associated data✓ Export your data in a portable format

To exercise these rights, visit your account settings or contact privacy@portald.ai.

Data Retention

Account DataRetained while your account is active. Deleted within 30 days of account deletion request.
Trading RecordsTrade history and audit logs retained for 7 years to comply with financial record-keeping requirements.
Brokerage TokensDeleted immediately when you disconnect a brokerage or delete your account.
Technical LogsSecurity and error logs retained for 90 days, then automatically purged.

Children's Privacy

Portald is not intended for users under 18 years of age. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us immediately.

International Users

Portald is operated from the United States. If you access the service from outside the US, your information will be transferred to and processed in the United States. By using the service, you consent to this transfer.

Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or prominent notice on the service. Continued use after changes constitutes acceptance.

Contact Us

For privacy questions, data requests, or concerns, contact us at privacy@portald.ai