Privacy Policy

Your privacy matters. Here is how we handle your data.

Last updated: February 18, 2026

1. Introduction

RaiderX, LLC dba PortfolioX ("we," "us," or "our") operates the PortfolioX platform available at portfolio.raiderx.net (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including when you connect your financial accounts through our third-party partners. Please read this policy carefully. If you do not agree with the terms of this policy, please do not access or use the Service.

2. Information We Collect

We collect the following categories of information:

2.1 Account Information

Name, email address, and password when you create an account. We store passwords as irreversible cryptographic hashes—we never store or have access to your plaintext password. If you enable multi-factor authentication (MFA), we store your encrypted TOTP secret and hashed backup recovery codes.

2.2 Organization and Team Data

Organization name, team member information, roles and permissions, and subscription plan details. Each organization's data is isolated and inaccessible to other organizations.

2.3 Property and Financial Data

Property addresses, lease details, tenant contact information (name, email, phone), mortgage records (loan amounts, interest rates, balances), property tax records, insurance policies, home warranty details, back rent collection records, and payment amounts you enter or that are generated through the platform. This data is used to provide the portfolio management features of the Service.

2.4 Payment Information

When tenants make rent payments or back rent payments through the platform, payment processing is handled entirely by Stripe, our PCI-DSS Level 1 certified payment processor. We never receive, transmit, or store credit card numbers, bank account numbers, routing numbers, or other payment credentials. We only store Stripe reference identifiers, payment amounts, processing fees, payment status, and payment method type (e.g., "card" or "ACH"—not the actual card or account details).

2.5 Financial Account Data (Plaid)

If you choose to connect your bank accounts or credit cards for transaction matching and accounting purposes, we use Plaid, Inc. ("Plaid") to facilitate that connection. When you use Plaid to connect your financial accounts:

  • Your bank login credentials are entered directly into Plaid's secure interface and are never transmitted to or stored by PortfolioX.
  • Plaid provides us with an access token that allows us to retrieve account and transaction information on your behalf. This token is stored encrypted in our database.
  • We receive and store: institution name, account name, account type, account mask (last 4 digits only), account balances, and transaction history (date, amount, merchant name, category).
  • This data is used solely to match transactions with your property income and expenses for accounting and reporting purposes.
  • You can disconnect your financial accounts at any time through the PortfolioX settings, which will revoke the Plaid access token and stop all future data retrieval.

By connecting your financial accounts, you acknowledge and agree that Plaid's End User Privacy Policy governs Plaid's collection and use of your financial data.

2.6 Uploaded Files

Documents and images you upload, such as insurance documents, lease agreements, and maintenance request photos. Files are stored with private access controls and are only accessible to authorized members of your organization via time-limited signed URLs.

2.7 Usage and Technical Data

Information about how you access and use the Service, including your IP address, browser type, pages visited, and timestamps. This data is used for security monitoring and service improvement.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: Provide, operate, and maintain the portfolio management platform.
  • Payment Processing: Process rent payments, back rent payments, and subscription billing through Stripe.
  • Financial Account Linking: Connect your bank accounts and credit cards via Plaid to retrieve transaction data for matching against your property income and expenses.
  • Accounting and Reporting: Generate profit and loss statements, balance sheets, and financial reports using your property data and linked transaction data.
  • Notifications: Send automated notifications such as payment reminders, tax due date alerts, insurance renewal notices, late payment notifications, and payment confirmations.
  • Support: Respond to your comments, questions, and support requests.
  • Security: Detect, prevent, and address technical issues, security threats, and unauthorized access.
  • Improvement: Monitor and analyze usage trends to improve the Service.

4. How We Do NOT Use Your Information

We want to be clear about what we will never do with your data:

  • We do not sell your personal information or financial data to any third party.
  • We do not use your financial account data for marketing or advertising purposes.
  • We do not share your financial data with unrelated third parties except as described in this policy or with your explicit consent.
  • We do not access your bank login credentials. When you connect financial accounts, your credentials go directly to Plaid and are never transmitted to our servers.

5. Data Storage and Security

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data transmitted between your browser and our servers, and between our servers and third-party services, is encrypted using TLS 1.2 or higher. HTTPS is enforced on all connections with HSTS (HTTP Strict Transport Security).
  • Encryption at Rest: Your data is stored in Neon (PostgreSQL database) with AES-256 encryption at rest. Uploaded files are stored in DigitalOcean Spaces with AES-256 server-side encryption.
  • Password Security: Passwords are hashed using bcrypt before storage. We never store or have access to plaintext passwords.
  • Multi-Factor Authentication: TOTP-based multi-factor authentication is available for all organization user accounts, adding a second layer of protection beyond passwords.
  • Multi-Tenant Isolation: All data is scoped to your organization. Our architecture enforces data isolation at the application layer, ensuring no organization can access another's data.
  • Access Controls: Role-based access control (RBAC) with four permission levels (Owner, Admin, Member, Viewer) ensures team members only access data appropriate to their role.
  • Audit Logging: Security-relevant actions are logged with timestamps, user identification, and IP addresses.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

6. Third-Party Services

We use the following third-party services to operate the platform. Each service has its own privacy policy governing how it handles data:

  • Stripe (Privacy Policy): Payment processing for rent payments, back rent collection, and subscription billing. PCI-DSS Level 1 certified. Stripe receives and stores payment credentials; PortfolioX only receives reference IDs and payment status.
  • Plaid (Privacy Policy): Bank account linking and transaction data retrieval for accounting purposes. SOC 2 Type II and ISO 27001 certified. Plaid receives and secures your bank credentials; PortfolioX only receives account metadata and transaction data.
  • Neon: PostgreSQL database hosting with encryption at rest and in transit. SOC 2 Type II certified.
  • DigitalOcean Spaces: Secure file and document storage with encryption at rest. SOC 2 Type II and ISO 27001 certified.
  • Vercel: Application hosting and deployment with automatic TLS and DDoS protection. SOC 2 Type II and ISO 27001 certified.
  • Resend: Sending transactional emails such as payment reminders, confirmations, and magic link login emails.

7. Data Sharing

We may share your information only in the following circumstances:

  • With Service Providers: We share data with the third-party services listed in Section 6 solely to provide the Service. These providers are contractually obligated to protect your data.
  • Within Your Organization: Data you enter is accessible to other authorized members of your organization based on their assigned role and permissions.
  • With Your Consent: We may share your information with other parties when you explicitly request or authorize it.
  • Legal Compliance: We may disclose your information if required by law, regulation, legal process, or enforceable governmental request.
  • Protection of Rights: We may share information to protect the rights, property, or safety of PortfolioX, our users, or the public.

8. Your Rights

Depending on your location, you may have certain rights regarding your personal information:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Correction: Request correction of inaccurate or incomplete personal data.
  • Right to Deletion: Request deletion of your personal data, subject to legal retention obligations.
  • Right to Export: Request your data in a commonly used, machine-readable format.
  • Right to Revoke Consent: Withdraw consent for data processing where consent is the legal basis (e.g., disconnect linked financial accounts).
  • Right to Disconnect Financial Accounts: Revoke Plaid access to your bank accounts at any time through the PortfolioX settings. This immediately stops all future data retrieval from the disconnected accounts.

To exercise any of these rights, please contact us at the address below. We will respond to your request within 30 days.

9. Data Retention

We retain your information according to the following schedule:

  • Account Data: Retained while your account is active. Deleted upon account closure at your request.
  • Financial and Property Data: Retained while your account is active or as required by applicable law (e.g., tax recordkeeping requirements).
  • Transaction Data: Plaid transaction data is retained while the financial account is connected. Upon disconnection, previously retrieved transaction data may be retained for accounting records unless you request deletion.
  • Uploaded Files: Retained until you delete them or your account is terminated.
  • Audit Logs: Retained for a minimum of 1 year for security and compliance purposes.
  • Authentication Tokens: Magic link tokens expire after 15 minutes. Session tokens expire after 30 days. Expired tokens are automatically cleaned up.

10. California Privacy Rights (CCPA)

If you are a California resident, you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which that information is collected, the business purpose for collecting the information, and the categories of third parties with whom we share that information. You also have the right to request deletion of your personal information. We do not sell personal information. To make a request, please contact us using the information in Section 13.

11. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to remove that information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page, updating the "Last updated" date, and sending a notification to your account email address. You are advised to review this Privacy Policy periodically for any changes.

13. Contact Information

If you have any questions about this Privacy Policy or our data practices, or wish to exercise your data rights, please contact us:

RaiderX, LLC dba PortfolioX

Email: support@raiderx.net