Privacy Policy
A plain-English explanation of what personal data Porosi uses, why we use it, who we share it with, how long we keep it and the choices available to you.
Last updated: 15 July 2026.
Porosi helps wholesale suppliers serve their trade customers online. Personal data moves through the platform only where it is needed to run those business workflows, keep accounts secure, support customers or meet legal obligations.
The short version
- A Supplier normally decides how its buyer, order and delivery data is used. Porosi processes that data for the Supplier.
- Porosi decides how data is used for our own website, sales, billing, support, security and service administration.
- We do not sell personal data. Optional analytics storage is not enabled unless permission has been recorded.
- AI-assisted order tools create drafts for people to review; they do not make legal, credit, employment or similarly significant decisions about individuals.
- For a privacy request, email [email protected]. We will either handle it or help route it to the Supplier responsible for the data.
Porosi is operated by Porosi Ltd, registered in England and Wales under company number 17185812. Our registered office is 27 Tenterden Drive, Canterbury, England, CT2 7BH.
Privacy questions and data-rights requests should go to [email protected]. Legal notices should go to [email protected].
2. Controller and processor roles
Supplier is normally the controller and Porosi is normally the processor for personal data that a Supplier or its authorised users add, create, import, sync or otherwise use inside that Supplier's workspace. In practical terms, the Supplier decides why the data is needed and Porosi handles it to provide the platform. This normally covers buyer contacts, customer accounts, order records, delivery details, catalogue access, pricing assignments, invoices and operational records.
Porosi is normally the controller when we decide how data is used to run Porosi itself. This includes website enquiries, demo requests, marketing preferences, billing administration, Supplier onboarding, support, security monitoring, service analytics, abuse prevention, legal compliance and communications with Porosi account owners.
If you are a Buyer using a Supplier-branded portal or app, that Supplier is usually responsible for your account, catalogue, pricing, order and delivery data. Ask the Supplier first if your request is about that business relationship. You can still contact Porosi, and we will help route the request where appropriate.
3. Personal data we collect and process
The exact information depends on how you use Porosi. We collect or process only the categories relevant to the features, account and relationship involved.
| Category | Examples |
|---|---|
| Account and identity data | Name, business email, phone number, password hash, role, permissions, Supplier or Buyer memberships, invitation status, reset or support-access records, device or session identifiers and authentication events. |
| Organisation and trading data | Supplier and Buyer business names, trading contacts, invoice emails, delivery addresses, warehouse or delivery-run assignments, credit limits, delivery fees, pricing tiers, account status and account preferences. |
| Orders, fulfilment, and invoice data | Orders, order and product identifiers, basket contents, order lines, notes, substitutions, delivery dates, picking and packing details, fulfilment status, invoice details, totals, taxes, discounts and related operational documents. |
| Product, catalogue, stock, and reporting data | Product names, categories, images, prices, cost snapshots, tax rates, stock counts and adjustments, warehouse inventory, frequently bought lists, margin and sales reports and analytics generated from operational activity. |
| Integration data | Xero access tokens, refresh tokens, tenant IDs, granted scopes, account mappings, tax mappings, contact IDs, invoice IDs, webhook events, sync statuses, sync errors, stock-sync settings, and similar metadata for QuickBooks, payment, email, or other enabled integrations. |
| AI order and document data | Order emails, files, screenshots, images, PDFs, spreadsheets, text, voice notes, audio transcripts, extracted order rows, suggested product matches, confidence scores, corrections, review history and processing metadata where AI order features are enabled. |
| Device, browser, cookie, and log data | IP address, approximate location derived from IP where enabled, browser and device details, operating system, app version, device or push token, crash diagnostics, activity, audit and security logs, localStorage and sessionStorage identifiers, cookie choices and usage telemetry. |
| Billing, sales, and support data | Plan and subscription details, invoices, payment-processor references, billing contacts, demo requests, email communications, support tickets, authorised admin notes, security-questionnaire responses and customer-relationship records. |
4. Special category data and children
We do not intentionally collect special category data, such as health or biometric information, political or religious beliefs, trade-union membership, or information about a person's sex life or sexual orientation. We also do not intend the Services to hold criminal-offence data. Do not submit this information unless Porosi has expressly agreed in writing and the necessary lawful basis, contract and safeguards are in place.
Porosi is a business service for adults. It is not directed to children, and we do not knowingly collect children's personal data. If you believe a child has supplied personal data to us, email [email protected].
5. Where data comes from
- From you: when you create an account, sign in, place an Order, book a demo, contact support, connect an integration or otherwise use the Services.
- From Suppliers: when admins and authorised users invite staff or Buyers, create customer accounts, upload catalogues, process Orders or manage fulfilment.
- From Buyers: when a Buyer or Buyer organisation supplies account, delivery or Order information.
- From connected services: including Xero, QuickBooks, payment processors, email providers, Apple Push Notification service and device platform providers, app stores, analytics, monitoring, security and support tools.
- From the technology you use: through browsers, mobile apps, APIs, logs, cookies, localStorage, sessionStorage and security systems when you access Porosi.
6. How we use personal data
- Deliver the service: operate Supplier workspaces, Buyer accounts, catalogues, pricing, inventory, Orders, fulfilment, documents, invoices, notifications, reporting and enabled integrations.
- Keep Porosi secure: authenticate users, enforce permissions and tenant boundaries, prevent fraud and misuse, investigate incidents and maintain audit records.
- Support users: answer questions, troubleshoot faults, investigate errors, communicate service changes and improve reliability.
- Provide optional tools: turn documents, messages, images or audio into reviewable draft Order data when AI-assisted features are enabled.
- Run our business: manage subscriptions, billing, taxes, onboarding, demos, procurement, support and customer relationships.
- Communicate: send operational and security notices and, where the law and your preferences allow, relevant product or marketing messages.
- Meet obligations: comply with legal, accounting, tax and regulatory requirements, resolve disputes and enforce agreements.
7. Lawful bases
Where UK GDPR applies and Porosi acts as controller, we use the lawful basis that fits the specific purpose. More than one basis may apply to the same record where it is used for different purposes.
| Lawful basis | How it applies |
|---|---|
| Contract | When processing is needed to enter into or perform our contract with you, such as opening an account, providing a paid service or administering a subscription. |
| Legitimate interests | To secure and improve Porosi, prevent abuse, support customers, operate a B2B service and send relevant business communications, after balancing those interests against your rights. |
| Consent | For optional analytics storage, certain marketing communications, optional app permissions and other processing where permission is required. You may withdraw consent at any time. |
| Legal obligation | When we must keep or use information for tax, accounting, corporate, regulatory, sanctions, security or law-enforcement requirements. |
| Vital interests | Only in rare circumstances where processing is necessary to protect someone from serious harm. |
Where Porosi acts as processor, the Supplier is responsible for choosing the lawful basis and giving its staff, contacts and Buyers the privacy information required for the Supplier's use of their data.
Information needed to provide Porosi
Some account, contact, billing, authentication, Order and delivery details are needed to create an account, supply a requested feature or perform a contract. If required information is not provided, the relevant account, Order, integration, payment or support request may not be possible. Optional fields and permissions are identified in context where practical.
8. AI, document processing, and automation
When a Supplier enables AI-assisted Order tools, Porosi may send relevant messages, files, images, screenshots, audio or text to OpenAI or another configured AI provider. The tool extracts information such as products, quantities, delivery details and notes into a draft Order for an authorised user to check.
These tools assist Order entry and operational review. They are not used by Porosi to make solely automated legal, credit, employment or similarly significant decisions about individuals. AI output can be wrong or incomplete and must be reviewed before fulfilment, invoicing or customer communication.
10. International transfers
Porosi is based in the United Kingdom. Some infrastructure, integration, support and specialist providers operate in the UK, EEA, United States or other countries. Where the law restricts an international transfer, we use an approved route such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, EU Standard Contractual Clauses where relevant, and additional contractual or technical safeguards where appropriate. Email [email protected] to ask about the safeguard used for a particular transfer or to request a copy where available.
11. Retention
We do not keep every record for the same length of time. Retention depends on why the record exists, the Supplier's instructions where Porosi is processor, account and integration status, security needs, backup cycles, legal and accounting duties, limitation periods and unresolved disputes.
- Account, workspace, customer, catalogue, order, invoice, and integration records are generally retained while the relevant account or subscription is active and for a reasonable period afterwards for export, audit, legal, accounting, and dispute purposes.
- Xero, QuickBooks, payment, push notification, and other integration tokens or identifiers are retained while the integration is connected or as required to complete sync, audit, security, or deletion workflows.
- Security logs, audit logs, application logs, webhook events, and diagnostic records are retained for periods appropriate to detect abuse, investigate incidents, and maintain the Services.
- Backups are retained for limited operational periods and deleted or overwritten on rotation unless preservation is required for legal, security, or continuity reasons.
- Marketing records are kept until you unsubscribe, object, or the data is no longer needed for the relevant business relationship.
When a Supplier asks us to return or delete Customer Data, we follow the applicable agreement and our operational deletion process. We may retain a limited copy where law, security, fraud prevention, backup rotation or an unresolved claim requires it.
12. Security
We use administrative, technical and organisational safeguards designed around the sensitivity and risk of the data. Measures may include TLS in transit, password hashing, access controls, tenant-isolation controls, least-privilege access, audit logging, monitoring, backups, secrets management, secure development, vulnerability management and incident response.
No online service can promise absolute security. You also play a part: use strong passwords, protect credentials and devices, limit admin access, review user permissions and tell us promptly about suspected unauthorised access.
13. Your rights
Depending on the law, our role and the lawful basis, you may have rights to access, correct or delete personal data; restrict or object to its use; and receive or transfer a copy. Some rights have legal limits and do not apply in every situation.
To exercise a right over data Porosi controls, email [email protected]. You can also use an unsubscribe link or available preference control to withdraw a relevant consent. Withdrawal does not affect processing that was lawful before it. We may verify your identity and ask for enough information to find the relevant account or workspace. If a Supplier controls the data, we may refer the request to that Supplier or ask you to contact it directly.
Your right to object
You may object at any time to direct marketing. You may also object to processing based on legitimate interests because of your particular situation. Email [email protected]; for marketing email, you can also use the unsubscribe link in the message.
Please contact us first so we can try to resolve the issue. You also have the right to complain to the UK Information Commissioner's Office: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; 0303 123 1113; ico.org.uk/make-a-complaint.
15. Changes to this policy
We review this policy as Porosi, our providers and the law change. If an update introduces a materially different use of personal data, we will take reasonable steps to tell affected users or Supplier account owners before that use begins. The date at the top shows when this version was last updated.
16. Contact
- Privacy: [email protected]
- Legal: [email protected]
- General: [email protected]
- Registered office: Porosi Ltd, 27 Tenterden Drive, Canterbury, England, CT2 7BH
Privacy and security requests
Use the privacy address for data rights, Supplier DPA questions, transfer safeguards, subprocessors and security questionnaires.
