Privacy Policy

Last updated: November 5, 2025 | Version 1.0

Introduction

PCI Portal ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our PCI DSS compliance platform.

By using our service, you agree to the collection and use of information in accordance with this policy.

Information We Collect

1. Information You Provide

  • Account Information: Name, email address, password (encrypted)
  • Organization Details: Company name, contact information, role
  • Assessment Data: Responses to PCI DSS questionnaires
  • Evidence Files: Documents, screenshots, and other supporting materials
  • Profile Information: Preferences, settings, notification choices

2. Automatically Collected Information

  • Usage Data: Pages visited, features used, time spent
  • Device Information: Browser type, operating system, IP address
  • Cookies: See our Cookie Policy
  • Log Data: Access times, errors, API calls

3. Third-Party Authentication

We use Clerk for authentication. When you sign up, Clerk collects and processes your authentication data according to their Privacy Policy.

How We Use Your Information
  • Provide Services: Enable assessment creation, evidence upload, and compliance reporting
  • Improve Platform: Analyze usage patterns to enhance features and user experience
  • Communication: Send service updates, security alerts, and important notices
  • Support: Respond to your inquiries and provide customer assistance
  • Security: Detect and prevent fraud, abuse, and security incidents
  • Compliance: Meet legal obligations and industry standards
  • Analytics: Understand aggregate usage trends (no personal identification)
Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data transmitted using TLS/SSL
  • Database Security: Encrypted at rest using PostgreSQL encryption
  • Access Control: Role-based permissions and multi-factor authentication
  • File Validation: SHA-256 hashing and magic byte verification
  • Audit Logging: Comprehensive logs of all sensitive actions
  • Rate Limiting: Protection against brute force and DDoS attacks

While we strive to protect your data, no method of transmission over the internet is 100% secure.

Data Sharing & Disclosure

We Share Your Data With:

  • Service Providers: Clerk (authentication), Vercel (hosting), Neon (database)
  • Your Organization: Team members within your organization can access shared assessments
  • QSAs/Reviewers: If you grant them access to your assessments

We Do NOT:

  • ❌ Sell your personal information to third parties
  • ❌ Share your assessment data with other organizations
  • ❌ Use your data for marketing without consent
  • ❌ Disclose data except as required by law
Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to data processing for certain purposes
  • Opt-Out: Unsubscribe from marketing communications

To exercise these rights, contact us at privacy@pci-portal.com

Data Retention

We retain your data for as long as necessary to provide our services and comply with legal obligations:

  • Active Accounts: Data retained while your account is active
  • Completed Assessments: Retained for 7 years (PCI DSS requirement)
  • Evidence Files: Retained for 7 years or as specified by compliance standards
  • Audit Logs: Retained for 3 years minimum
  • Deleted Accounts: Personal data anonymized after 90 days
Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a minor, please contact us immediately.

International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) for EU transfers
  • Privacy Shield certification (where applicable)
  • Data processing agreements with all vendors
Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or a prominent notice on our platform. Continued use of our service after changes constitutes acceptance of the updated policy.

Contact Us

For questions about this Privacy Policy or our privacy practices:

Related Policies
Cookie PolicyTerms of ServiceEnd User License Agreement