Privacy Policy

Last updated: 14 June 2026

1. Controller and applicable law

The controller responsible for your personal data is Portare, canton Aargau, Switzerland - hello@portare.org (see our Imprint). This notice applies to our website and the logged-in customer area at go.portare.org.

We process personal data in accordance with the Swiss Federal Act on Data Protection (revDSG / FADP, in force since 1 September 2023) and its ordinance (DSV). Where we offer our services to people in the European Economic Area, the EU General Data Protection Regulation (GDPR) applies in addition. Terms like "personal data" and "processing" are used as defined in those laws.

2. What we collect

• Account data: name, email address, country, and (when you provide it) shipping address and phone number.
• Order data: the listing links and preferences you submit, ship-to details, order notes, status and tracking information.
• Payment-related data: deposit amounts, method and reference. We do not store card numbers.
• Sign-in data: if you use "Sign in with Google", we receive your verified email address, name and a Google account identifier.
• Technical data: IP address, browser/device information, session and security logs.
• Usage/analytics data: aggregate, privacy-friendly usage statistics of our website (see Cookies below).

3. Why we use it and our legal bases

• To provide the service - create your account, process and fulfil orders, ship items, communicate with you (performance of a contract).
• To run and secure our systems - authentication, fraud and abuse prevention, logging (legitimate interests).
• To comply with law - accounting, tax, customs and sanctions obligations (legal obligation).
• Analytics and service improvement - on the basis of consent or legitimate interests, depending on the tool and your choices.

4. Who we share it with (processors and partners)

We share personal data only as needed to run the service, with:

• Email delivery - Brevo (Sendinblue), to send verification, password-reset and order/status notifications.
• Sign-in - Google, if you choose "Sign in with Google".
• WhatsApp / Meta - only if you choose to contact us via WhatsApp. Our site shows a WhatsApp button (a plain link); no data is sent to Meta unless and until you click it and start a chat, at which point WhatsApp opens under your own account and your number and messages are shared with Meta as an independent processor. The button loads no Meta tracking code.
• Carriers - e.g. DHL, Swiss Post, FedEx and customs brokers, who receive the recipient and address details needed to ship and clear your parcel.
• Payment providers - your bank, Wise/Revolut or similar to receive transfers, and our card payment processor for card payments. The processor handles the card data; we do not receive or store full card numbers.
• Analytics provider - for aggregate website statistics.

Our application database is self-hosted on our own server in Europe; we do not sell your data or share it for third-party advertising.

5. International transfers

Some providers (for example Google) may process data outside Switzerland/the EEA. Where that happens, we rely on the safeguards foreseen by Art. 16 ff. revDSG and Art. 44 ff. GDPR - countries with an adequate level of protection as recognised by the Swiss Federal Council / EU Commission, or appropriate guarantees such as standard contractual clauses (with the Swiss addendum where needed). Shipping necessarily involves transferring delivery details to the destination country.

5a. No automated decision-making or high-risk profiling

We do not make automated individual decisions within the meaning of Art. 21 revDSG / Art. 22 GDPR, and we do not carry out high-risk profiling. Order handling decisions are made by people.

6. How long we keep it

We keep account and order data for as long as your account is active and as needed to provide the service, then for the periods required by law (e.g. accounting/customs records are typically retained for ten years under Swiss law). Security logs are kept for a limited period. You can ask us to delete data we are not legally required to keep.

7. Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict or object to processing of your personal data, to data portability, and to withdraw consent at any time (without affecting prior processing). To exercise these, email hello@portare.org. You may also lodge a complaint with a supervisory authority - in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); in the EU, your local data-protection authority.

8. Cookies (EU ePrivacy / Swiss TCA)

We currently use only strictly necessary cookies, all first-party, in the logged-in customer area:

• portare_session - keeps you signed in (HttpOnly, Secure; expires after at most 30 days or on logout).
• _csrf and a short-lived sign-in state cookie - protect your account against cross-site request forgery during forms and Google sign-in (minutes to session lifetime).

Under the EU ePrivacy rules (Directive 2002/58/EC) and Swiss telecommunications law, such strictly necessary cookies do not require consent, which is why you do not see a cookie banner. We set no advertising, tracking or third-party cookies. If we ever introduce non-essential cookies (for example consent-based analytics), we will ask for your consent first via a banner and update this notice. Any web statistics we use are configured to work without cookies and without identifying you.

9. Security

We protect your data with measures including encryption in transit (HTTPS), hashed passwords, server-side sessions, a database that is not exposed to the public internet, and least-privilege access. No system is perfectly secure, but we work to protect your information.

10. Changes

We may update this notice; the current version is published here with its "last updated" date.

11. Contact

Privacy questions: hello@portare.org.