Privacy Policy

Portmux Data Co. ("Portmux," "we," "us," or "our") provides platform-agnostic data migration services to businesses. This Privacy Policy explains what personal information we collect, how we use and share it, and the choices you have. It applies to visitors of portmux.com (the "Site"), people who contact us through the Site, and individuals whose data is processed during a customer migration engagement.

This Policy does not cover the privacy practices of third-party platforms (e.g., Salesforce, HubSpot, NetSuite, Snowflake) from or to which we migrate data — those platforms have their own policies and are independently responsible for the data they hold.

1. Who We Are & How To Contact Us

Portmux Data Co. is a Missouri-based business operating from Kansas City, MO, United States. For any questions about this Policy, to exercise your rights, or to report a privacy concern, contact us at:

• Email: Ryan@untappedconnections.com
• Phone: 913-755-8164

2. The Two Roles We Play

Portmux acts in two distinct capacities, and the rules that apply depend on which role we're in for a given piece of data:

• Controller — for information collected through the Site (visitors, prospects, contact form submissions, marketing recipients) and for information about our customer contacts (account administrators, billing contacts). We decide what to collect and why.
• Processor — for the customer data we migrate on behalf of our customers (records, fields, attachments, and any personal data contained within a source system that we move to a destination). Our customer is the controller; we process that data only on their documented instructions under a Data Processing Agreement (DPA).

3. Information We Collect

3.1 Information you give us

• Contact form / inbound inquiries: name, business email, company, phone (optional), and the message/scoping details you submit.
• Scoping & engagement information: source and destination systems, approximate record volumes, timelines, and other details you share while we scope a migration.
• Customer account information: billing contact, signing authority, and engagement administrators once you become a customer.
• Direct correspondence: emails, calls, and messages you send us.

3.2 Information we collect automatically

• Site analytics (Google Analytics 4): pages viewed, referring URL, approximate location (city/region), device type, browser, and similar non-identifying telemetry. GA4 sets cookies and may collect a pseudonymous identifier. IP addresses are masked/truncated by GA4 before storage.
• Server logs: IP address, user agent, timestamp, and URL of each request, retained briefly for security, abuse prevention, and diagnostics.
• Cookies & similar technologies: see Section 8 below.

3.3 Customer migration data (when we act as Processor)

During an engagement we may process personal data contained inside our customer's source systems — for example contact records, employee records, customer support tickets, attachments, or activity history. The categories, volumes, and sensitivity of this data are defined by the customer in the DPA and engagement scope. We do not use customer migration data for our own purposes and we delete it from our staging infrastructure on the timeline specified in the DPA (typically within 30–90 days of cutover, see Section 7).

4. How We Use Information

We use the information we collect (in our role as controller) for the following purposes:

• Respond to contact form submissions and scoping inquiries.
• Schedule and conduct discovery calls, deliver proposals, and execute engagements.
• Send service-related communications (kickoff materials, status updates, invoices, cutover notifications).
• Send occasional marketing email about new connectors, case studies, or migration guides (you can unsubscribe at any time — see Section 9).
• Operate, secure, and improve the Site (analytics, abuse prevention, debugging).
• Comply with legal obligations, enforce our agreements, and protect our rights.

For customer migration data processed under the DPA, we use it only to perform the migration services on the customer's documented instructions.

5. Legal Bases (EU/UK Visitors)

If you are in the European Economic Area, United Kingdom, or Switzerland, our legal bases for processing your personal information are:

• Performance of a contract — to deliver migration services to our customers and respond to scoping requests.
• Legitimate interests — to operate and secure the Site, prevent fraud and abuse, send relevant business communications, and grow our business in a manner that respects your privacy.
• Consent — for non-essential cookies and marketing email, where required by local law.
• Legal obligation — to meet tax, accounting, and other statutory requirements.

6. How We Share Information

We do not sell or rent personal information. We share it only as described below:

• Subprocessors and service providers we use to operate the business, under written contracts that restrict their use of the data. Current subprocessors include:
  • Google Workspace — business email and document collaboration
  • Google Analytics 4 — Site usage analytics
  • Resend — transactional email delivery
  • Stripe — payment processing (when applicable)
  • GitHub — source code and content storage
  • Replit — Site hosting and application runtime
  • Major cloud infrastructure providers (e.g., AWS, Google Cloud, Microsoft Azure) — migration staging and compute, scoped per engagement
  We update this list as our vendor relationships change; the current list is available on request.
• Customer-directed sharing — for migration data, we send data to the destination platform the customer has selected.
• Legal & safety — to comply with a subpoena, court order, or other legal process; to protect our rights, property, or safety, or that of our customers or others; and to investigate fraud or security incidents.
• Business transfers — if Portmux is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred to the successor entity, subject to this Policy (or a substantially similar successor policy).

7. Data Retention

• Contact form submissions & correspondence: retained for as long as needed to respond, and afterward for a reasonable period for record-keeping and to protect our legal interests.
• Customer account records: retained for the duration of the customer relationship and a reasonable period afterward to satisfy tax, accounting, and legal obligations.
• Customer migration data (Processor): retained only for the duration of the migration engagement and deleted on the timeline specified in the DPA, typically within 30–90 days after cutover, unless the customer requests earlier deletion or a defined rollback window is in effect.
• Server logs & analytics: retained for short periods consistent with operational needs and the provider's defaults (e.g., GA4 default of 14 months).
• Backups: may persist briefly beyond active deletion, on a rolling rotation, before being overwritten in the normal course.

8. Cookies & Tracking Technologies

We use a small number of cookies and similar technologies:

• Strictly necessary — required for the Site to function (e.g., session, security).
• Analytics — Google Analytics 4, to understand aggregate usage patterns. GA4 uses cookies and assigns a pseudonymous identifier; IP addresses are not stored.

You can control cookies through your browser settings and opt out of GA4 specifically using the Google Analytics Opt-out Browser Add-on. Blocking cookies may affect some Site functionality.

9. Your Rights & Choices

Depending on where you live, you may have the following rights regarding personal information we hold about you as a controller:

• Access — request a copy of the personal information we hold about you.
• Correction — ask us to fix inaccurate or incomplete information.
• Deletion — ask us to delete personal information, subject to legal exceptions.
• Portability — receive your information in a structured, machine-readable format.
• Objection / restriction — object to or restrict certain processing, including direct marketing.
• Withdraw consent — where we rely on consent, you can withdraw it at any time.
• Opt out of marketing email — use the unsubscribe link in any marketing message or email us directly.
• U.S. state rights — residents of California, Colorado, Connecticut, Texas, Virginia, and other states with consumer privacy laws have additional rights, including the right not to be discriminated against for exercising them. We do not sell personal information or share it for cross-context behavioral advertising as those terms are defined under U.S. state laws.

To exercise any of these rights, email us at Ryan@untappedconnections.com. We will respond within the timeframes required by applicable law. If you are an end user whose data we hold as a Processor on behalf of a customer, please contact that customer (the data controller) directly; we will support their response.

10. International Data Transfers

Portmux is based in the United States and our infrastructure is operated primarily in the United States. If you are located outside the U.S., the information we collect will be transferred to and processed in the U.S., which may have data-protection laws different from your jurisdiction. Where required by law, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK Addendum.

11. Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information against loss, misuse, and unauthorized access, disclosure, alteration, or destruction. These include encryption in transit and at rest where applicable, least-privilege access controls, audit logging, and security monitoring. No system is perfectly secure, but we work hard to maintain a high bar and to keep our practices aligned with widely recognized industry standards.

12. Children's Privacy

The Site and our services are intended for businesses and individuals over the age of 18. We do not knowingly collect personal information from children under 13 (or the equivalent minimum age in your jurisdiction). If you believe we have collected such information, contact us and we will delete it.

13. Third-Party Links

The Site may link to third-party websites or services that we do not control. We are not responsible for their content or privacy practices. Review their privacy policies before providing any information.

14. Changes To This Policy

We may update this Policy from time to time. When we do, we will update the "Last Updated" date at the top of the page and, for material changes, take additional steps such as posting a notice on the Site or notifying you by email. Continued use of the Site after an update constitutes acceptance of the revised Policy.

15. Questions

Questions, comments, or complaints? Email Ryan@untappedconnections.com. If you are in the EEA or UK and believe we have not addressed your concern adequately, you also have the right to lodge a complaint with your local data-protection authority.

This Policy is provided for informational purposes and does not constitute legal advice. For jurisdiction-specific requirements (e.g., GDPR, UK GDPR, CCPA/CPRA, HIPAA, U.S. state privacy laws) that apply to your business, consult qualified legal counsel.