Skip to content
Back to home

Privacy Policy

Effective Date: May 10, 2026

This Privacy Policy explains how PortEden, operated by TimeVerse Inc. ("PortEden," "we," "us," "our"), collects, uses, shares, and protects personal information when you use our data firewall, security platform, and subscription services (collectively, the "Service"). By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Categories of Personal Information Collected

A. Identifiers

  • Email addresses and display names
  • IP addresses
  • Account identifiers and authentication credentials

B. Security and Configuration Data

  • Firewall rules and data access policies you configure
  • Security policy definitions and enforcement settings
  • Audit logs and security event records
  • API access permissions and restrictions

C. Internet and Electronic Network Activity

  • API usage patterns and request logs
  • API interaction records (blocked, allowed, flagged requests)
  • OAuth tokens and authorization data for connected services
  • Service usage logs and activity patterns

D. Data Processed Through the Firewall

  • Content that passes through the data firewall may be temporarily inspected to enforce your security policies
  • Metadata about data access requests (source, destination, type, timestamp)
  • Threat detection signals and anomaly indicators

E. Payment and Billing Information

  • Billing name and email address
  • Billing address (if provided)
  • Transaction history, subscription plan, and billing cycle
  • Payment method type and last four digits of your payment card

Important: Full credit card numbers are collected and processed directly by our payment processor, Stripe, Inc. PortEden does not receive, store, or have access to your full card number.

2. How We Use Your Information

A. Core Service Operations

  • Enforcing data access policies between APIs and your data
  • Filtering, inspecting, and controlling data flows per your configured rules
  • Generating security audit trails and compliance reports
  • Detecting threats and anomalous access patterns

B. Service Improvement

  • Error tracking and debugging
  • Performance monitoring and optimization
  • Improving threat detection and policy enforcement accuracy

C. Communication

  • Security alerts and incident notifications
  • Service announcements and updates
  • Responding to support inquiries

D. Billing and Payments

  • Processing subscription payments and renewals
  • Managing your subscription status (active, cancelled, past due)
  • Sending payment receipts and billing notifications
  • Resolving billing disputes and preventing payment fraud

3. How We Share Information

  • Payment processor (Stripe) — we share billing information with Stripe, Inc. to process payments, manage subscriptions, and prevent fraud. Stripe processes your payment card data directly; PortEden does not have access to full card numbers. Data is transmitted via Stripe's PCI DSS-compliant APIs using TLS encryption. Stripe's use of your data is governed by Stripe's Privacy Policy
  • Service providers — hosting, infrastructure, and email delivery providers operating under strict confidentiality obligations
  • Connected integrations — only as you direct through your authorized connections to third-party AI platforms and services
  • AI assistants you choose to connect (optional) — if you choose to enable the optional MCP server or CLI and connect an AI assistant, data you request is transmitted to the AI provider you selected (for example, Anthropic, OpenAI, or the operator of any MCP client you install), on a per-request basis at your direction, under that provider's own terms and privacy policy. PortEden is not responsible for third-party AI providers. See Section 6 for details
  • Legal requirements — when required by law, subpoena, or court order
  • Business transfers — if we merge, sell assets, or reorganize, the successor entity must honor this Privacy Policy

We do NOT sell your personal information.

4. Cookies and Tracking Technologies

We may use cookies, pixels, and similar tracking technologies to operate and improve the Service. These may include:

  • Essential cookies — required for authentication, session management, and security
  • Analytics — aggregated usage data to understand how the Service is used and improve performance
  • Advertising and conversion pixels — third-party pixels (such as from advertising platforms) may be used to measure the effectiveness of our marketing campaigns. These pixels may collect limited information such as your IP address, browser type, and pages visited

You can control cookies through your browser settings. Disabling essential cookies may impair Service functionality. We honor Do Not Track (DNT) browser signals where technically feasible.

5. Google API Limited-Use Disclosure

PortEden's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access Google data solely to provide the Service's core functionality — enforcing data access policies, filtering AI agent requests, and generating security audit trails. We do not use Google data for advertising, do not sell it, and do not use it to train generalized AI models. Data is retained only as long as needed for Service operations.

PortEden personnel do not read user emails, files, calendar events, or other Google user data, except (a) with the user's explicit prior consent for support, (b) for security investigations, (c) to comply with legal obligations, or (d) where data has been aggregated and anonymized for internal operations consistent with the Google API Services User Data Policy.

6. Optional: AI Assistants, CLI, and MCP

A. Optional Feature

Connecting an AI assistant to PortEden via the MCP server at mcp.porteden.com or using the PortEden CLI is an optional feature you choose to enable. If you do not connect an AI assistant, none of this section applies to you.

B. How the Data Flow Works

PortEden does not send your data to any AI provider on its own. When you (or an AI client you have authorized) issue a tool call through the MCP server or CLI — for example, asking your AI assistant to summarize an email or create a calendar event — PortEden returns the data necessary to fulfill that specific request to the AI client you have connected. That AI client operates outside PortEden and is controlled by you and the AI provider you selected.

C. Your Decision to Connect

Whether to connect any AI assistant, which provider to use, what scopes to authorize, and what prompts to issue are decisions you alone make. By connecting an AI assistant, you explicitly consent to the user-directed, per-request transmission of selected data to the AI provider you have chosen, for the purpose of fulfilling the requests you initiate.

D. Third-Party AI Providers

AI providers (such as Anthropic, OpenAI, the operator of any MCP client you install, or any other third party) are independent recipients operating under their own privacy policies, retention practices, training practices, and security controls. PortEden does not control and is not responsible for how any AI provider uses, retains, logs, or further processes data after it leaves PortEden. You are responsible for reviewing each AI provider's privacy policy before connecting.

E. What PortEden Does with This Data

PortEden records metadata about MCP tool invocations and CLI commands (tool name, timestamp, requesting token/account, outcome) as part of the audit trail described in Section 1.C. PortEden does not use data accessed through the MCP server or CLI to train generalized AI or machine learning models, does not sell it, and does not use it for advertising.

F. Google User Data and Limited Use

Consistent with Section 5 (Google API Limited-Use Disclosure), PortEden's handling of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements. Google user data is accessed only to fulfill the specific user-facing request you initiate in the moment and is not used by PortEden for AI training or advertising. Any transmission of Google user data to an AI provider you have connected occurs solely at your direction, on a per-request basis, as necessary to provide the user-facing feature you have initiated, with your explicit consent obtained when you connected the AI assistant. PortEden makes no representations on behalf of any AI provider regarding their handling of Google user data; you are responsible for confirming that any AI provider you connect meets your Limited-Use and compliance needs.

G. Revocation

You can disconnect any AI assistant and revoke MCP tokens at any time from your PortEden account. Revocation stops future access but does not recall data already transmitted to an AI provider.

7. Data Collected via Resource Invites

When an Operator sends a Resource Invite (as described in the Terms of Use), PortEden collects and processes personal data from the invited Resource upon their acceptance and OAuth authorization.

A. Personal Data Collected

  • Name and email address of the Resource
  • OAuth tokens and authorization credentials
  • Calendar data (events, scheduling information) — if calendar scope is authorized
  • Email data (messages, metadata) — if email scope is authorized
  • Drive data (files, documents) — if drive scope is authorized
  • Task data (task lists, assignments, task metadata) — if task scope is authorized
  • Data from other connected systems — if additional scopes are authorized

B. Data Recipients

Data collected via Resource Invites is accessible to:

  • The inviting Operator — who directs the synchronization and determines how the synced data is used within their account
  • PortEden — which facilitates the technical synchronization at the Operator's direction and with the Resource's consent

C. Legal Basis for Processing

The legal basis for processing Resource data is explicit consent, obtained through the combination of the consent checkbox (which includes acknowledgment of the security warning and sender identity) and the OAuth authorization flow with the Resource's identity provider (Google or Microsoft).

D. Retention

  • OAuth tokens and synced data are retained for the duration of the active connection between the Resource and the Operator
  • Invite tokens expire after a maximum of 90 days if not accepted
  • Upon disconnection or revocation, OAuth tokens are deleted and active synchronization ceases

E. Data Shared with the Operator

The following data types may be shared with the inviting Operator, depending on the scopes authorized:

  • Calendar — event titles, times, attendees, and scheduling metadata
  • Email — message content, subject lines, sender/recipient information, and metadata
  • Drive — file names, contents, folder structure, and sharing metadata
  • Tasks — task titles, descriptions, assignees, due dates, and completion status
  • Other Connected Systems — data from any additional third-party services or data sources supported by PortEden

F. Third-Party OAuth Processors

Resource Invites rely on OAuth authorization through third-party identity providers. The Resource's data is also subject to the privacy policies of these providers:

G. Deletion and Disconnection Rights

A Resource may revoke access and request deletion of their data at any time by:

  • Removing PortEden's access through their Google or Microsoft account settings
  • Contacting PortEden at support@porteden.com to request data deletion

Upon disconnection, PortEden will delete the Resource's OAuth tokens and cease active synchronization. Data already shared with the Operator prior to disconnection is under the Operator's control and cannot be recalled by PortEden.

H. Nature of the Data Transfer

The transfer of Resource data to the inviting Operator occurs solely at the Resource's direction and is based on the Resource's explicit, informed consent obtained through the consent flow and OAuth authorization. PortEden does not independently determine the purposes of this data transfer — the Operator directs the synchronization, and the Resource authorizes it. PortEden facilitates this transfer as a technical service and processes Resource data only as necessary to perform the Invite Sync functionality. PortEden does not use Resource data for its own commercial purposes, does not sell or rent Resource data, and does not retain Resource data beyond what is required to provide the Service.

I. Breach Notification

In the event of a security incident involving Resource data, PortEden will notify the Operator in a timely manner. The Operator, as the party that directed the data synchronization, is responsible for determining whether and how to notify affected Resources in accordance with applicable law. Where PortEden is independently required by applicable law to notify affected individuals directly, PortEden will comply with the notification requirements of the relevant jurisdiction.

J. Important Disclaimers

  • PortEden does not control how Operators use synced data after access is granted. The Operator is solely responsible for their handling and use of the Resource's data
  • PortEden does not guarantee the identity of the inviting party. Resources must independently verify the sender before authorizing access
  • The consent flow — consisting of a security warning, sender confirmation prompt, and terms checkbox — constitutes informed consent from the Resource
  • PortEden strongly recommends that Resources only authorize invites from known and trusted senders

8. Data Retention and Security

Retention

  • Account data is retained while your account is active
  • Audit logs and security event data are retained per your configuration or for up to 90 days by default
  • Integration tokens are removed upon disconnection
  • Data processed through the firewall is not permanently stored unless required by your audit policy
  • Payment transaction records are retained for up to 7 years for tax and legal compliance purposes
  • Subscription status data is retained while your account is active

Security Measures

We use TLS encryption in transit, AES-256 encryption at rest, role-based access controls, and regular security assessments. Payment processing is PCI DSS compliant via Stripe — PortEden's servers never handle or store full payment card numbers. In the event of a data breach, we will notify affected users as required by applicable law.

Security Disclaimer

Despite our commercially reasonable security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security, integrity, or confidentiality of your data. You acknowledge and agree that:

  • The Service is in Beta. Privacy controls — including AI Data Redaction (PII, PHI, PCI, secrets, and other identifiers), field-level masking, allow/block lists, rate limits, and access restrictions — are provided on a best-effort basis. They may not catch every variant or edge case. Test before relying on any control to protect sensitive content. Behavior may change.
  • You should not transmit data to PortEden whose unintended disclosure would cause material harm. PortEden makes no guarantee that any specific category of sensitive data — including PHI, PCI, government-issued identifiers, credentials, trade secrets, or other regulated data — will be redacted, masked, excluded from logs, or kept out of downstream third-party processors or AI providers. If you choose to send such data, you do so at your own risk.
  • Data loss, unauthorized access, or unintended disclosure may occur despite our security measures, including as a result of software bugs, defects, system failures, or vulnerabilities
  • You provide personal information at your own risk
  • You are responsible for maintaining your own security practices, including strong passwords and access controls
  • PortEden shall not be liable for any unauthorized access to, alteration of, or loss of your personal information, except where such liability cannot be excluded under applicable law

Compliance Posture

PortEden provides capabilities that customers may use as part of their own compliance program — data redaction, scoped access, policy enforcement, and audit logging. Compliance with HIPAA, GDPR, SOC 2, ISO 27001, and any other regulatory framework remains the customer's responsibility. PortEden does not certify customers, sign attestations on their behalf, or assume regulatory liability for how customers configure or use the Service.

9. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18 years of age. If we learn that we have collected personal information from a child under 18, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at support@porteden.com.

10. International Data Transfers

Your information may be processed and stored in the United States or other countries where our service providers operate. By using the Service, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence. We take reasonable steps to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.

11. Your Privacy Rights

All Users

  • Access and correction — log in to your account or email support@porteden.com
  • Data export — request a copy of your data
  • Deletion — delete your account at any time
  • Marketing opt-out — unsubscribe from marketing emails at any time

California (CCPA/CPRA) and Other U.S. State Residents

If you reside in California, Virginia, Colorado, Connecticut, Utah, Florida, Montana, Tennessee, or Texas, you have additional rights under applicable state privacy laws:

  • Know what personal information we collect, use, disclose, and sell
  • Request deletion of your personal information
  • Opt out of the sale or sharing of personal information (we do not sell)
  • Correct inaccurate personal information
  • Limit use of sensitive personal information
  • No discrimination for exercising your rights

To exercise these rights: email support@porteden.com with the subject "Privacy Request" or use your account settings.

Rights of Resources (Invite Sync Participants)

If you are a Resource who has authorized data access through an Invite Sync, all of the privacy rights described above apply to you equally — including but not limited to the right to access, correct, delete, and export your personal data held by PortEden. You may also exercise these rights by disconnecting access through your Google or Microsoft account settings or by contacting us at support@porteden.com. Please note that data already transferred to the Operator is under the Operator's control; requests regarding such data should be directed to the Operator.

12. Changes to This Policy

We may update this Privacy Policy as needed. Material changes will be communicated via email or in-app notification at least 30 days in advance. Continued use after the effective date constitutes acceptance.

13. Governing Law

This Privacy Policy is governed by the laws of the State of Texas, without regard to conflict of law principles. Disputes will be resolved in Travis County, Texas.

14. Contact Us

PortEden — Privacy Inquiries

Email: support@porteden.com

By using the Service, you acknowledge that you have read and understood this Privacy Policy.