Privacy Policy
This Privacy Policy explains how Porosi Ltd collects, uses, shares, stores, and protects personal data across the Porosi website, supplier dashboard, buyer portal, mobile apps, APIs, integrations, support, billing, and related services.
Last Updated: 29 April 2026.
Porosi is a business-to-business wholesale ordering platform. We process data so suppliers can manage products, trade customers, buyer accounts, orders, fulfilment, invoices, inventory visibility, integrations, reporting, support, and related operations.
Porosi is operated by Porosi Ltd, a company registered in England and Wales with company number 17185812. Our registered office is 27 Tenterden Drive, Canterbury, England, CT2 7BH.
You can contact us about privacy at [email protected] or about legal matters at [email protected].
2. Controller and processor roles
The Supplier is normally the controller and Porosi is normally the processor for personal data that a Supplier or its authorised users upload, create, import, sync, or ask Porosi to process inside a Supplier workspace. This includes most buyer contacts, customer accounts, order records, delivery details, catalogue access, pricing assignments, invoices, and operational records.
Porosi is normally the controller for the data we use to run our own business, including website enquiries, demo requests, marketing preferences, billing administration, supplier onboarding, support, security monitoring, service analytics, abuse prevention, legal compliance, and communications with Porosi account owners.
If you are a Buyer using a Supplier-branded Porosi portal or app, the Supplier that invited you is usually responsible for deciding why and how your account and order data is used. We may need to refer some privacy requests to that Supplier.
3. Personal data we collect and process
Depending on how the Services are used, we may collect or process the following categories of personal data.
| Category | Examples |
|---|---|
| Account and identity data | Name, business email, phone number, password hash, user role, permissions, tenant memberships, buyer account memberships, invite status, reset tokens, support access tokens, device or session identifiers, token versions, and authentication events. |
| Organisation and trading data | Supplier and buyer business names, trading contacts, invoice emails, delivery addresses, warehouse or run assignments, credit limits, delivery fees, pricing tiers, account status, and account preferences. |
| Orders, fulfilment, and invoice data | Orders, order IDs, product variant IDs, basket contents, order lines, notes, substitutions, delivery dates, picking and packing information, fulfilment status, invoice numbers, invoice statuses, totals, taxes, discounts, and related operational documents. |
| Product, catalogue, stock, and reporting data | Product names, categories, images, prices, cost snapshots, tax rates, stock counts, stock adjustments, warehouse inventory, frequently bought lists, margin and sales reports, and analytics generated from operational activity. |
| Integration data | Xero access tokens, refresh tokens, tenant IDs, granted scopes, account mappings, tax mappings, contact IDs, invoice IDs, webhook events, sync statuses, sync errors, stock-sync settings, and similar metadata for QuickBooks, payment, email, or other enabled integrations. |
| AI order and document data | Order emails, uploaded files, screenshots, images, PDFs, spreadsheets, text, voice notes, audio transcripts, extracted order rows, product matching decisions, confidence scores, corrections, review history, and processing metadata where AI order features are enabled. |
| Device, browser, cookie, and log data | IP address, approximate location from IP where enabled, browser type, user agent, operating system, app version, device token, push notification token, device platform, crash diagnostics, activity logs, audit logs, security logs, localStorage and sessionStorage identifiers, cookie preferences, and usage telemetry. |
| Billing, sales, and support data | Plan details, subscription records, invoices, payment processor references, billing contact details, demo requests, email communications, support tickets, admin notes, security questionnaire responses, and customer relationship records. |
4. Special category data and children
We do not intentionally collect special category data such as health information, biometric data, political opinions, religious beliefs, trade union membership, sex life or sexual orientation data, or criminal offence data. Users must not submit this type of data unless Porosi has expressly agreed in writing and a suitable lawful basis, contract, and safeguards are in place.
Porosi is intended for business use and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact [email protected].
5. Where data comes from
- Directly from you when you create an account, sign in, place orders, book a demo, contact support, connect an integration, or use the Services.
- From Supplier admins and authorised users who invite team members or buyers, create customer accounts, upload catalogues, process orders, or manage fulfilment.
- From Buyers and buyer organisations that submit account details, delivery details, order notes, and order requests.
- From connected services such as Xero, QuickBooks, payment processors, email providers, Apple Push Notification service and device platform providers, app stores, analytics, monitoring, security, and support tools.
- Automatically from devices, browsers, mobile apps, APIs, logs, cookies, localStorage, sessionStorage, and security systems when the Services are accessed.
6. How we use personal data
- To provide, operate, maintain, secure, and improve the Services.
- To authenticate users, enforce permissions, protect tenant isolation, prevent fraud, detect misuse, and respond to security incidents.
- To manage supplier workspaces, buyer accounts, product catalogues, pricing tiers, inventory visibility, orders, fulfilment, picking slips, invoices, notifications, reporting, and analytics.
- To sync or exchange data with connected integrations, including accounting, payment, email, notification, app store, analytics, support, and monitoring providers.
- To process documents, messages, images, and audio into reviewable draft order data where AI order features are enabled.
- To provide customer support, troubleshoot issues, investigate errors, maintain logs, and communicate service updates.
- To manage subscriptions, billing, taxes, renewals, account administration, demos, procurement, and customer relationships.
- To send service messages, security notices, product updates, and marketing communications where permitted by law and your preferences.
- To comply with legal, accounting, tax, regulatory, dispute resolution, and enforcement obligations.
7. Lawful bases
Where UK GDPR or similar laws apply and Porosi acts as controller, we rely on one or more of the following lawful bases.
| Lawful basis | How it applies |
|---|---|
| Contract | To provide the Services, process subscriptions, support accounts, manage access, and communicate about service delivery. |
| Legitimate interests | To secure and improve the Services, prevent abuse, support customers, run B2B operations, understand platform performance, and send relevant business communications, unless overridden by individual rights. |
| Consent | For optional cookies or similar technologies, certain marketing communications, optional app permissions, or other processing where consent is required. |
| Legal obligation | For tax, accounting, corporate, regulatory, security, sanctions, dispute, or law-enforcement obligations that apply to Porosi. |
| Vital interests | Only in rare circumstances where processing is necessary to protect someone from serious harm. |
Where Porosi acts as processor, the Supplier is responsible for identifying the lawful basis for its processing and for giving appropriate notices to its users and Buyers.
8. AI, document processing, and automation
If AI order features are enabled, Porosi may process order messages, files, images, screenshots, audio, or text through OpenAI or another configured AI provider to extract product names, quantities, delivery details, notes, and other order information into a draft that a Supplier can review. AI output should be checked by an authorised user before it is relied on for fulfilment, invoicing, or customer communication.
We use AI and matching logic to assist with order entry and operational review, not to make legal, financial, credit, employment, or similarly significant decisions about individuals without human involvement.
10. International transfers
Porosi is based in the United Kingdom. Some providers, integrations, support tools, and infrastructure partners may process personal data in the UK, EEA, United States, or other countries. Where transfer restrictions apply, we use safeguards such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, EU Standard Contractual Clauses, transfer risk assessments, and supplementary technical or contractual measures where appropriate.
11. Retention
We keep personal data only for as long as reasonably necessary for the purposes described in this policy, the relevant customer agreement, the Supplier's instructions where Porosi acts as processor, legal obligations, dispute handling, security, backup rotation, and legitimate business records.
- Account, workspace, customer, catalogue, order, invoice, and integration records are generally retained while the relevant account or subscription is active and for a reasonable period afterwards for export, audit, legal, accounting, and dispute purposes.
- Xero, QuickBooks, payment, push notification, and other integration tokens or identifiers are retained while the integration is connected or as required to complete sync, audit, security, or deletion workflows.
- Security logs, audit logs, application logs, webhook events, and diagnostic records are retained for periods appropriate to detect abuse, investigate incidents, and maintain the Services.
- Backups are retained for limited operational periods and deleted or overwritten on rotation unless preservation is required for legal, security, or continuity reasons.
- Marketing records are kept until you unsubscribe, object, or the data is no longer needed for the relevant business relationship.
If a Supplier asks us to delete or return Customer Data and no legal or contractual reason requires retention, we will follow the applicable agreement and our operational deletion procedures.
12. Security
We use administrative, technical, and organisational measures designed to protect personal data. These may include TLS in transit, access controls, password hashing, tenant isolation controls, least-privilege access, audit logging, monitoring, backup practices, secrets management, secure development practices, vulnerability management, and incident response procedures.
No online service can be guaranteed to be completely secure. You are responsible for using strong passwords, protecting credentials, limiting admin access, reviewing user permissions, and promptly telling us about suspected unauthorised access.
13. Your rights
Depending on where you are and the context in which data is processed, you may have rights to access, correct, delete, or restrict your personal data, to object to processing, and to receive a copy of or transfer your personal data. You may also withdraw consent where consent is the lawful basis, without affecting processing carried out before withdrawal.
To exercise rights about data Porosi controls, email [email protected]. We may need to verify your identity and may ask for information to locate the relevant account or workspace. If your request concerns data controlled by a Supplier, we may direct the request to that Supplier or ask you to contact them directly.
You can also complain to the UK Information Commissioner's Office. Their head office postal address is: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone: 0303 123 1113. Website: ico.org.uk.
15. Changes to this policy
We may update this Privacy Policy from time to time. If changes materially affect how we use personal data, we will take reasonable steps to notify affected users or Supplier account owners before or when the change takes effect, depending on the nature of the change. The latest version will be posted on this page with the updated date.
16. Contact
- Privacy: [email protected]
- Legal: [email protected]
- General: [email protected]
- Registered office: Porosi Ltd, 27 Tenterden Drive, Canterbury, England, CT2 7BH
Privacy and security requests
Use the privacy address for data rights, supplier DPA questions, subprocessors, and security questionnaires.
