Back
Privacy Policy for CollabPortals
Effective Date: 28th July 2025
CollabPortals is a product owned and operated by Vibrant Cactus Ltd, a company based in London, UK with company number 16614387. This Privacy Policy explains how we collect, use, and protect personal information when you use CollabPortals.
We are committed to maintaining the trust and confidence of our users and customers, and we take your privacy seriously.
1. Who We Are
Vibrant Cactus Ltd ("we", "us", or "our") is the legal entity behind CollabPortals. We are registered in the United Kingdom and founded by Matthew Shepherd, who also serves as our Data Protection Officer.
Product: CollabPortals
Company: Vibrant Cactus Ltd
Contact Email: privacy@collabportals.com
Registered Address: 18A Wolsey Mews, London, NW5 2DX
Data Protection Officer: Matthew Shepherd
2. Roles Under Data Protection Law
Under the UK GDPR and other relevant data protection laws:
We act as a data controller with respect to the name and email address you provide directly to us when signing in to the portal. This is the data we use for your authentication and management of your access to CollabPortals.
We act as a data processor on behalf of our customers for all other data that is accessed from their Airtable bases through our platform. In this scenario, our customers are the data controllers, determining the purposes and means of processing this data.
3. What Personal Data We Collect
a. Data You Provide to Us (as Data Controller)
When you use CollabPortals, we collect:
Email address: Used for authentication (sending login codes, verifying identity).
Name: This is used to personalize your experience.
This information is collected directly from you and is used to verify your identity and allow secure access to the relevant Airtable-based portal.
b. Data Accessed From Airtable (as Data Processor)
By configuring CollabPortals to connect with your Airtable base, our customers may provide us access to personal data stored in their Airtable bases. This may include:
Names
Contact details (e.g., email addresses, phone numbers)
Other personal or sensitive information that our customers choose to store in their Airtable bases.
We do not control or determine the nature or categories of this data. It is owned and managed solely by the customer who integrates their Airtable base with CollabPortals. We process this data strictly according to our customers' instructions as defined by their configuration of CollabPortals.
4. How We Use Your Data
a. For Data We Control (Your Login Data)
We use your email address and name (if provided) for the following purposes and based on the following legal bases under the UK GDPR:
To verify your identity and provide secure access to portals: This processing is necessary for the performance of a contract with you, allowing you to use the CollabPortals service.
To send authentication emails (e.g., 6-digit login codes): This is also necessary for the performance of a contract to facilitate your secure login.
To store temporary login codes: When you request a login code, a 6-digit code is generated and stored temporarily for a maximum of 15 minutes in our secure MongoDB database (with a Time-To-Live expiration) or transiently in memory. This code is automatically deleted after this period or immediately after successful login, whichever comes first. This is necessary for the performance of a contract to enable your secure login.
To communicate with you regarding your portal access or essential service updates: This is processed based on our legitimate interests to ensure the proper functioning and security of our service, and to provide you with important information related to your use of CollabPortals.
b. For Data We Process (Airtable Data)
We process Airtable data only as necessary to deliver the portal functionality as configured by our customers. For example:
Displaying specific Airtable records to external users based on permissions set by our customers.
Allowing external users to view, submit, or update data within specific fields based on granular access rules defined by our customers.
We do not store Airtable data on our servers, except transiently in memory when actively processing user requests (e.g., fetching data for display, processing an update). Once the request is fulfilled, the data is discarded from our systems.
5. Data Retention
Your email and login data (as controller) are stored securely and retained only as long as necessary to provide the service, to fulfill our contractual obligations, or as required by law.
Airtable data (as processor) is not persisted on our servers. We process it in real-time and discard it once it has served its purpose for the current session or request.
6. Security
We use industry-standard security practices to protect your data. These include:
Encrypted communication (HTTPS): All data transmitted between your browser and our servers is encrypted.
Secure session handling: We implement robust measures to protect your active sessions.
Strict access control: Access to backend systems and data is tightly controlled and monitored.
Our hosting provider, Vercel, implements its own security measures, including network security and infrastructure protection.
Our database providers, MongoDB and Redis, employ their own robust security features, including data encryption (at rest and in transit) and access controls, as detailed in their respective security documentation.
7. Sharing of Data
We do not sell, rent, or trade your personal information. We may share data only with:
Service Providers: We engage trusted third-party service providers who assist us in operating and delivering our service. These include:
Vercel: For hosting and deploying our application.
MongoDB: For our primary database storage (e.g., for user login data, temporary codes).
Redis: For caching and temporary data storage that supports application performance (e.g., session data).
Resend: For sending authentication emails and other service-related communications.
Stripe: For processing payments for your subscription to CollabPortals. Stripe acts as an independent data controller for the payment information you provide to them. Please review Stripe's Privacy Policy for more information on how they handle your payment data.
These service providers are bound by contractual agreements to protect your data and only process it according to our instructions.
Legal Authorities: If required by applicable law, court order, or governmental request.
Business Transfers: In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company. In such an event, your data would be transferred as part of the assets but would remain subject to this Privacy Policy.
8. Your Rights
Depending on your jurisdiction and the nature of the data processing, you may have the following rights regarding your personal data:
Right to Access: Request access to your personal data that we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete personal data.
Right to Erasure (Right to be Forgotten): Request deletion of your personal data where there is no compelling reason for its continued processing.
Right to Restriction of Processing: Request that we limit the way we use your personal data.
Right to Object: Object to the processing of your personal data in certain circumstances (e.g., for direct marketing).
Right to Data Portability: Request a copy of your personal data in a structured, commonly used, machine-readable format to transfer to another service.
Right to Withdraw Consent: Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time.
If we act as a data processor (i.e., for data accessed from Airtable), please contact the data controller (i.e., the Airtable workspace owner who configured CollabPortals) to exercise your rights, as they are responsible for your data in that context. We will assist our customers as necessary to fulfill such requests.
9. Cookies and Tracking
CollabPortals does not use tracking cookies for advertising or profiling purposes. We may use essential cookies that are strictly necessary for the operation of the service, such as:
Session Cookies: To manage your login state and maintain your session securely (e.g., remembering you are logged in for the duration of your visit).
Authentication Cookies: To facilitate the login process and keep you authenticated.
These cookies are temporary and are typically deleted when you close your browser or log out. You can configure your browser to reject cookies, but this may affect the functionality of CollabPortals.
10. International Transfers
As Vibrant Cactus Ltd is a UK-based company, your data will primarily be processed within the UK. However, some of our service providers operate globally. This means your personal data may be transferred to, and stored in, jurisdictions outside your home country, including countries outside the UK and European Economic Area (EEA), such as the United States.
When we transfer your personal data internationally, we ensure appropriate safeguards are in place to comply with applicable data protection laws, including the UK GDPR. These safeguards may include:
Standard Contractual Clauses (SCCs): We rely on UK-approved Standard Contractual Clauses (or their equivalent) to ensure that your data receives an adequate level of protection when transferred to countries not deemed to have an adequate level of data protection by the UK.
Relying on countries with adequacy decisions where applicable.
By using CollabPortals, you acknowledge and agree to such international transfers as described in this policy.
11. Data Breach Notification
We take data security very seriously. In the unlikely event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authorities (e.g., the ICO in the UK) without undue delay, in accordance with our legal obligations under the UK GDPR.
12. Children's Privacy
CollabPortals is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on our website or through other appropriate communication channels (e.g., email notification or a prominent notice within the portal). Your continued use of CollabPortals after any such changes constitutes your acceptance of the revised Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding your personal data or this Privacy Policy, please contact our Data Protection Officer:
Matthew Shepherd
Data Protection Officer
Email: privacy@collabportals.com
Company: Vibrant Cactus Ltd
Address: 18A Wolsey Mews, London, NW5 2DX