
Privacy Policy

Effective Date: March 2, 2026
Last Updated: March 2, 2026
Version: 1.0


1. Introduction

This Privacy Policy explains how Arunkumar Chaubey, an individual resident of India, doing business as Porcia, collects, uses, shares, and protects information when you use our website at porcia.org, our application at app.porcia.org, our browser extension (when available), our integrations, and any related services (collectively, the "Service").

Porcia is a B2B SaaS platform that helps businesses discover, manage, and optimize their software spend through email intelligence, SSO discovery, a browser extension, AI-powered negotiation, and vendor intelligence.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are using the Service on behalf of an organization, you represent that you are authorized to accept this Privacy Policy on that organization's behalf.

If you do not agree with this Privacy Policy, please do not use the Service.

Contact Us: see Section 15 (Contact Us) below for our full contact details, including the privacy and security mailboxes.

2. Definitions

  • Customer means the business or organization that subscribes to Porcia
  • Authorized User means an individual granted access to Porcia by a Customer
  • Customer Data means any data submitted to or collected by Porcia on behalf of a Customer through use of the Service
  • Personal Data means any information relating to an identified or identifiable natural person
  • Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
  • Subprocessor means a third-party service provider engaged by Porcia to process Customer Data
  • Workspace means a Customer's isolated environment within the Porcia platform

3. Roles and Responsibilities

3.1 When Porcia Is a Data Processor

When a Customer connects integrations (email, SSO, browser extension) or uploads data to Porcia, the Customer is the Data Controller and Porcia is the Data Processor. This applies to:

  • Employee directory data obtained via SSO integrations
  • Email content and metadata forwarded to or synced by Porcia
  • Browser extension usage data collected from Authorized Users
  • Contracts and vendor documents uploaded by Customers
  • Any other Customer Data submitted through the Service

In this capacity, Porcia processes Customer Data only on the Customer's documented instructions and in accordance with our Data Processing Addendum (DPA).

3.2 When Porcia Is a Data Controller

Porcia acts as a Data Controller for:

  • Account registration and profile data of Authorized Users
  • Billing and payment information
  • Usage analytics and telemetry about how the Service is used
  • Communications with our team (support, sales, feedback)
  • Website visitor data (cookies, IP addresses, browsing behavior on porcia.org)
  • Aggregated, anonymized benchmarking data

4. Data We Collect

4.1 Account and Identity Data

When you register for Porcia, we collect:

Data                        Purpose
Full name                   Account identification, in-app display
Work email address          Authentication, notifications, communications
Company/organization name   Workspace creation, billing
Job title/role              Personalization (optional)
Password                    Authentication (hashed with bcrypt; never stored in plaintext)
Profile photo               In-app display (optional)
Workspace name and slug     Workspace identification

4.2 Email Integration Data

Porcia's email intelligence feature allows you to forward vendor emails to a unique Porcia address or connect your email via OAuth.

What we collect:

  • Email metadata: Sender address, recipient address, subject line, timestamp, message ID
  • Email content: Full email body text
  • Email attachments: Documents attached to forwarded emails (e.g., invoices, contracts, receipts)
  • OAuth tokens: Gmail or Outlook access and refresh tokens (encrypted and stored in AWS Parameter Store)

What we extract from emails:

  • Vendor name and contact information
  • Pricing and subscription details
  • Contract renewal dates and terms
  • Invoice amounts and payment terms
  • Service terms and changes

What we do NOT do with email data:

  • We do not use email data to serve advertisements
  • We do not use email data to train generalized AI models
  • We do not sell or share email data with third parties for their own purposes
  • We do not allow human access to email content except where necessary for customer support (with your consent), security incident investigation, or legal obligation

Google API Limited Use Disclosure: Our use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4.3 SSO Integration Data

When a Customer connects an identity provider (Google Workspace, Microsoft Azure AD / Entra ID, or Okta), Porcia accesses:

Data                                                Source
Employee names and email addresses                  Identity provider directory
Job titles                                          Identity provider directory
Group/team memberships                              Identity provider directory
Application assignments and permissions             Identity provider directory
Login frequency and last login timestamps           Identity provider directory
Application metadata (names, descriptions, logos)   Identity provider directory

OAuth scopes requested:

  • Google Workspace: Directory API — read user, group, and app data
  • Microsoft Entra ID (Azure AD): Microsoft Graph permissions Directory.Read.All, Application.Read.All
  • Okta: okta.apps.read, okta.users.read

Important notes:

  • SSO data is synced automatically every 24 hours while the integration is active
  • The Customer (employer) is the data controller for employee data accessed via SSO
  • We strongly recommend that Customers inform their employees when Porcia is integrated with their identity provider
  • OAuth credentials are encrypted and stored in AWS Parameter Store

4.4 Browser Extension Data

Current Status: The Porcia browser extension is documented but not yet deployed to the Chrome Web Store. The following describes planned data collection when the extension is released.

Planned data collection:

  • URLs of SaaS applications visited (only known SaaS domains)
  • Time spent on each SaaS application
  • Login events to SaaS applications
  • Extension telemetry (errors, performance data)

Privacy commitments:

  • The extension will only track activity on known SaaS application domains
  • The extension will never track personal websites or general internet activity
  • The extension will require explicit user installation and consent
  • Users will be able to pause or disable tracking at any time

4.5 Vendor and Subscription Data

  • Vendor names and contact information
  • Subscription details (pricing, number of seats, billing frequency)
  • Contract documents uploaded by you
  • Renewal dates and contract terms
  • Negotiation history and outcomes
  • Invoice and payment records

4.6 Billing and Payment Data

We use Dodo Payments as our third-party payment processor.

  • What Dodo Payments collects: Credit/debit card information, billing address
  • What Porcia stores: Billing name, billing address, payment method type, transaction history, subscription status
  • What Porcia does NOT store: Full credit card numbers, CVVs, or raw payment credentials

4.7 Usage and Analytics Data

  • Feature usage data (pages visited, buttons clicked, features used)
  • Session duration and frequency
  • IP address
  • Device type, operating system, and browser information
  • Referring URL
  • Error logs and performance metrics

We use PostHog for product analytics and Sentry for error tracking.

4.8 Communication Data

  • Support tickets and chat messages
  • Feedback and feature request submissions
  • Email communications with our team

4.9 Cookies and Similar Technologies

We use cookies and similar technologies for session management, security, analytics, and preferences. See our Cookie Policy for full details.


5. How We Use Data

5.1 To Provide and Operate the Service

  • Create and manage your account and Workspace
  • Process and analyze vendor emails to discover subscriptions, contracts, and renewals
  • Sync and analyze SSO data to discover applications and usage
  • Track SaaS application usage via the browser extension (when available)
  • Provide AI-powered contract analysis and negotiation recommendations
  • Generate vendor intelligence and pricing benchmarks
  • Display dashboards, reports, and insights

5.2 AI Processing

Porcia uses AI models provided by Microsoft Azure OpenAI Service (via Azure AI Foundry) for various analysis and automation features.

Critical commitments regarding AI:

  • No model training: Your data is NOT used to train, fine-tune, or improve any AI model
  • Human-in-the-loop: All AI-generated negotiation emails require your explicit approval
  • Logging: AI prompts and outputs are logged for 30 days for debugging, then automatically deleted
  • Accuracy: AI-generated content may contain errors. Not legal, financial, or professional advice

For more details, see our AI Data Usage Policy.

5.3 Billing and Payments

  • Process subscription payments via Dodo Payments
  • Generate and deliver invoices
  • Manage subscription upgrades, downgrades, and cancellations
  • Comply with tax and financial reporting obligations

5.4 Product Improvement and Analytics

  • Understand how features are used to prioritize development
  • Identify and fix bugs and performance issues
  • Conduct A/B testing and improve user experience
  • Analyze usage patterns (in aggregate) to guide product decisions

5.5 Security and Fraud Prevention

  • Detect and prevent unauthorized access, fraud, and abuse
  • Monitor for anomalous activity
  • Enforce our Terms of Service and Acceptable Use Policy
  • Investigate security incidents

5.6 Communications

  • Send transactional emails (account confirmations, password resets, integration notifications)
  • Respond to support requests and feedback
  • Send product updates and feature announcements (you can opt out)
  • Send marketing communications (only with your explicit consent; you can unsubscribe)

5.7 Legal Compliance

  • Comply with applicable laws, regulations, and legal processes
  • Respond to lawful requests from government and regulatory authorities
  • Enforce our legal rights and resolve disputes

6. How We Share Data

6.1 With Subprocessors

We share data with third-party service providers who help us operate the Service. See our Subprocessor List for the current list.

Key subprocessors:

Provider                    Purpose                             Location
Amazon Web Services (AWS)   Cloud hosting, database, storage    United States
Microsoft Azure OpenAI      AI processing                       United States
Pinecone                    Vector database (no customer PII)   United States
Brevo                       Transactional email delivery        EU / United States
Dodo Payments               Payment processing                  Varies
PostHog                     Product analytics                   United States / EU
Sentry                      Error tracking                      United States

6.2 As Required by Law

We may disclose data if required to:

  • Comply with applicable law, regulation, or legal process
  • Protect the rights, property, or safety of Porcia, our Customers, or the public
  • Enforce our Terms of Service
  • Investigate potential violations

6.3 In Connection with a Business Transfer

If Porcia is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

6.4 Aggregated and Anonymized Data

Porcia may use aggregated, anonymized data derived from Customer Data to:

  • Improve our vendor intelligence database
  • Provide market insights and pricing benchmarks
  • Enhance AI-generated recommendations
  • Publish industry reports

Our commitments:

  • Data is stripped of all identifying information
  • We will never attempt to re-identify anonymized data
  • Customers may opt out by contacting privacy@porcia.org

6.5 With Your Consent

We may share your data with third parties when you have given us explicit consent to do so.

6.6 What We Do NOT Do

  • We do NOT sell your Personal Data
  • We do NOT share your data for advertising or marketing purposes
  • We do NOT use your email, SSO, or browser data to serve advertisements

7. International Data Transfers

7.1 Where Your Data Is Stored

Your data is primarily stored in the United States on Amazon Web Services (AWS) infrastructure.

7.2 Transfers from the EU/EEA/UK

If you are in the EU/EEA/UK, your data may be transferred to the United States. We protect such transfers using:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Privacy Framework (DPF) certifications (where applicable)
  • Supplementary measures including encryption and access controls

8. Data Retention

Data Type                     Retention Period
Active account data           While your account is active
Data after account deletion   Deleted within 30 days
Raw email content             90 days from receipt
Parsed email metadata         While account active; deleted within 30 days of account deletion
SSO integration data          While integration active; deleted within 30 days of disconnection
Browser extension data        While extension active; deleted within 30 days of uninstallation
AI processing logs            30 days
Billing and payment records   7 years (tax and legal compliance)
Aggregated, anonymized data   Indefinitely (contains no Personal Data)
Backup copies                 90 days after deletion from production

9. Data Security

We implement technical and organizational measures to protect your data:

  • Encryption in transit: TLS 1.2+ for all connections
  • Encryption at rest: AES-256 for databases and storage
  • Secrets management: AWS Parameter Store with encryption
  • Access controls: Role-based access control (RBAC), workspace isolation
  • Password security: bcrypt hashing
  • Input validation: Sanitization of all user inputs
  • CSRF protection: Anti-CSRF tokens on all forms
  • API security: Rate limiting, authentication, request validation
  • Monitoring: Real-time error tracking, performance monitoring, security monitoring
  • Audit logging: All sensitive actions logged

For more information, see our Security Page.


10. Your Rights

10.1 Rights Under GDPR (EU/EEA/UK)

  • Right of Access: Request a copy of your Personal Data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your Personal Data
  • Right to Restrict Processing: Request that we limit how we use your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interest
  • Right to Withdraw Consent: Withdraw consent at any time
  • Right to Lodge a Complaint: File a complaint with your supervisory authority

10.2 Rights Under CCPA/CPRA (California)

  • Right to Know: Know what Personal Information is collected and how it's used
  • Right to Delete: Request deletion of your Personal Information
  • Right to Correct: Request correction of inaccurate information
  • Right to Opt-Out of Sale: Not applicable in practice, because we do NOT sell Personal Information
  • Right to Non-Discrimination: Not be penalized for exercising rights

We do NOT sell Personal Information.

10.3 How to Exercise Your Rights

  • Email: privacy@porcia.org
  • In-App: Account Settings → Privacy & Data
  • Response Time: 30 days (GDPR), 45 days (CCPA)

11. Legal Bases for Processing (GDPR)

Legal Basis            Processing Activities
Contract Performance   Providing the Service, managing your account, processing emails/SSO, billing
Consent                Marketing communications, optional analytics, browser extension
Legitimate Interest    Product improvement, security, fraud prevention, aggregated analytics
Legal Obligation       Tax records, regulatory compliance, legal process

12. Children's Privacy

Porcia is a B2B service designed for business use. The Service is not directed at individuals under 16. We do not knowingly collect Personal Data from children.


13. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for their privacy practices.


14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

Material changes: We will notify you by email and/or in-app notice at least 30 days before changes take effect.

Minor changes: We will update the "Last Updated" date.


15. Contact Us

Privacy Team: privacy@porcia.org
General: hello@porcia.org
Security: security@porcia.org

Arunkumar Chaubey
Doing business as Porcia
C/13 Mangalmurti Society, Ghatkopar West
Mumbai, Maharashtra, India
Phone: +91 8097907763


Version History:

  • v1.0 (March 2, 2026) - Initial release