PortSignal — Privacy Policy
Last updated: 23 April 2026
1. Introduction
PortSignal is operated by Signal Ocean Ltd(company number 09297294), a private limited company incorporated in England and Wales, with registered office at 83 Cambridge Street, Pimlico, SW1V 4PS, London, England ("Signal", "we", "us"). Signal is the data controller of personal data processed through the Platform.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Platform. We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), and other applicable data-protection laws.
For brevity, capitalised terms used here and not defined have the meanings given in the Terms of Service.
2. Data We Collect
| Category | What we collect | Purpose |
|---|---|---|
| Account data | First name, last name, email, phone, company name, country, role/title | Account creation, authentication, communication |
| Anonymous Contributor data | Alias (public); legal identity held in an internal isolated vault | Anonymous publication; internal compliance and payout processing |
| Payment data | Stripe customer ID, billing address, VAT / tax identification number; card details processed directly by Stripe and not stored by us | Billing, invoicing, tax compliance |
| Contributor payout data | Stripe Connect account ID, KYC documents and bank details processed directly by Stripe | Payout processing, tax reporting |
| Usage and security data | API calls, login timestamps, pages visited, features used, IP addresses, magic-link access IPs, rate-limit keys | Platform operation, security monitoring, fraud and sharing detection |
| Data contributions | Lineup records, modifications, confirmations, file uploads | Core platform functionality, audit |
| Support communications | Messages sent to support, contact-form submissions | Customer support, dispute resolution |
Feed content generally relates to companies, vessels, ports, and commodities and is not intended to identify individuals. Where Contributor-uploaded content includes personal data (for example, a named sole trader, agent, or crew member), the Contributor warrants the lawful basis for processing (see Terms §4.1) and indemnifies Signal under Terms §12.2.
3. Legal Basis for Processing
We rely on the following legal bases under the UK GDPR and EU GDPR:
- Contract performance— to provide the Platform, process subscriptions, trials, API access, and payouts.
- Legitimate interests—
- platform analytics and improvement;
- security monitoring, fraud detection, and anti-sharing enforcement (including magic-link and API access-pattern monitoring);
- automated Buyer vetting (see Terms §6); adverse decisions may be reviewed on request to portmarketplace@portsignal.com;
- enforcement of our Terms and protection of legal rights.
- Legal obligation— tax record-keeping, sanctions compliance, and responding to valid legal requests.
- Consent— marketing communications and, where offered in future, SMS notifications.
You may object to processing based on legitimate interests at any time (see §8).
4. How We Use Your Data
- Provide and maintain the Platform and its features.
- Process registrations, Feed publications, subscriptions, trials, and payouts.
- Perform automated Buyer vetting and sanctions screening.
- Monitor Platform access and API usage for security, fraud, and anti-sharing enforcement — never for advertising or commercial profiling.
- Send email about your account, transactions, security events, and material changes to these policies.
- Improve data quality through AI-assisted extraction and normalisation.
- Respond to disputes, investigations, and legal process.
5. Data Sharing and Sub-processors
We share personal data only as necessary to operate the Platform and on appropriate contractual protections. Our sub-processors are:
| Sub-processor | Purpose | Primary region |
|---|---|---|
| Clerk | Authentication, session management | United States |
| Stripe and Stripe Connect | Payments, Connect KYC and payouts, tax, invoices | United States / Ireland |
| Supabase | Primary database hosting (PostgreSQL) | European Union |
| Upstash | Cache, rate limiting, magic-link tokens (Redis) | European Union / United States |
| Vercel | Application hosting, edge delivery, logging | Global edge |
| Anthropic | AI extraction (Claude API) for Contributor uploads | United States |
We use the "separate charges and transfers" model on Stripe Connect: Buyers pay Signal, and Signal calls Stripe Connect to transfer the applicable net amount to the Contributor's Connect account. We do not retain full card or bank numbers.
An updated list of sub-processors is maintained in this section. Material additions will be flagged in updates to this Privacy Policy.
We do not sell personal data to third parties.
Vetted Buyers.Purchased data, including Contributor-provided lineup records, is delivered only to Buyers who have passed our vetting and hold an active subscription. Feed listings are not public. Anonymous Contributors' legal identities are never shared with Buyers.
Enterprise Data Processing Agreements. Enterprise Buyers requiring a bespoke Data Processing Agreement may request one by contacting privacy@thesignalgroup.com.
6. Anonymous Contributors
Anonymous Contributors publish under an alias. The legal identity of an Anonymous Contributor is stored in an isolated vault, logically and encryption-separated from the marketplace alias, and is:
- never shared with Buyers;
- shared with Stripe only as required for KYC and payouts;
- disclosed to law enforcement only on a valid legal order;
- accessible to our compliance personnel only on a legitimate sanctions or fraud-investigation trigger.
7. Data Retention
- Lineup records— retained indefinitely for audit, legal, and tax purposes. Trial-only records: see Terms §5.2.1.
- Account and profile data— archived for 5 years after account deletion, then permanently deleted.
- Contact details (name, email, phone)— anonymised 30 days after account deletion, except where retention is required for an ongoing billing dispute, tax, or other legal obligation.
- Banking and payment details— not retained by Signal; Stripe retains payment records under its own policy.
- Magic-link tokens— expire after 5 days; deleted on expiry.
- API access and security logs— retained for 12 months.
- Subscription and commission history— retained for 7 years for tax and legal compliance.
8. Your Rights
You have the right to:
- Access your personal data;
- Rectify inaccurate or incomplete data;
- Eraseyour personal data (subject to retention requirements and the Terms §5.2.1 trial-data obligation);
- Restrict processing in certain circumstances;
- Data portability— receive your personal data in a structured, machine-readable format;
- Object to processing based on legitimate interest;
- Withdraw consent to marketing communications at any time.
To exercise these rights, contact privacy@thesignalgroup.com. Signal has not formally designated a Data Protection Officer; privacy matters are handled by the Signal Group privacy team at that address.
Supervisory authority.UK users may lodge a complaint with the Information Commissioner's Office (Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; 0303 123 1113; ico.org.uk). EU users may lodge a complaint with their national supervisory authority.
9. Security
- All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Signal Group is certified to ISO/IEC 27001:2022 for information security management.
- Access to user and Feed data is restricted to Signal personnel with a legitimate need-to-know; role-based access controls apply; access is logged and periodically reviewed; all personnel are bound by confidentiality obligations under their employment contract or consultancy agreement.
- Anonymous Contributor legal identities are stored in an isolated vault (see §6).
- Rate limiting is applied to all API endpoints.
- Multi-factor authentication is offered via Clerk; users are strongly encouraged to enable it.
10. Data Breach Notification
In the event of a personal-data breach that is likely to adversely affect you, we commit to notify affected users without undue delay, and within 72 hours of becoming aware of the breach, consistent with UK GDPR Art. 33–34. The notification will describe the nature of the breach, categories of personal data affected, approximate number of users involved, mitigation steps taken, and Signal's contact for queries.
11. Cookies
We use strictly necessary cookiesonly — for authentication, session management, and CSRF protection. We do not currently use analytics, advertising, or tracking cookies, and therefore do not require a consent banner. If we introduce non-essential cookies in the future, we will update this policy and present a consent mechanism before loading them.
12. International Data Transfers
Personal data may be processed in countries outside your country of residence, including the United States (Clerk, Stripe, Anthropic, Vercel) and within the European Economic Area (Supabase, Upstash). Where transfers leave the UK/EEA, we rely on appropriate safeguards including the UK International Data Transfer Agreement, UK Addendum, and EU Standard Contractual Clauses as applicable.
13. Children's Privacy
The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided personal data to the Platform, please contact privacy@thesignalgroup.com so we can delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting an updated version on the Platform at least 30 days before the change takes effect.
15. Contact
- Privacy and data-protection requests: privacy@thesignalgroup.com
- Platform support and commercial inquiries: portmarketplace@portsignal.com
- Postal address: Signal Ocean Ltd, 83 Cambridge Street, Pimlico, SW1V 4PS, London, England