Legal

Privacy Policy

Effective date: June 2, 2026

This Privacy Policy explains how Porch (“Porch,” “we,” “us,” or “our”) collects, uses, and shares information about you when you use our platform at getporch.app(the “Service”). By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

Account Information

When you create a Porch account, we collect your email address and a username. Account authentication is handled by Clerk, which may also collect your name, profile image, and OAuth identity tokens if you sign in with a third-party provider (e.g., Google). We store a reference to your Clerk user ID in our database.

Content You Upload

We store files you upload or deploy through the Service (HTML, CSS, JavaScript, images, and other static assets) in Cloudflare R2 object storage. These files may contain personal data if you choose to include it in your projects — we do not inspect or process this content.

Access Gate Data

When you use the email-gate feature to restrict access to a Porch, the email addresses you provide as allowed visitors are stored in our database. When a visitor verifies their email via a magic link, we log that access event including the visitor's email address and timestamp. Visitors who receive magic-link emails interact with Porch as part of the access control you configured — we act as a data processor on your behalf for this data.

Usage and Analytics Data

We use the following analytics and monitoring tools, which may set cookies or collect usage data:

  • PostHog — collects page views, click events, and session data for product analytics. Configured with person_profiles: "identified_only" and session recording disabled.
  • Vercel Analytics — collects aggregate page performance and traffic metrics. No cookies are set; data is anonymous.
  • Sentry — collects error reports and stack traces for debugging. May include request metadata.

Analytics are only activated with your cookie consent (see Section 6). You can opt out at any time.

IP Addresses

We process IP addresses for rate limiting (to prevent abuse of magic-link sends and app creation). We store a hashed version of visitor IP addresses in access logs; raw IP addresses are not persisted.

Billing Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers or full payment details. We store a Stripe customer ID and subscription ID in our database. Stripe's privacy practices are governed by Stripe's Privacy Policy.

Communications

We use Resend to send transactional emails, including magic-link access emails and account notifications. We do not send marketing emails without your explicit consent.

2. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To process your subscriptions and billing
  • To send transactional emails (magic links, billing receipts, account notifications)
  • To enforce our Terms of Service and Acceptable Use Policy
  • To detect and prevent fraud, abuse, and security incidents
  • To analyze usage patterns and improve the Service (with consent)
  • To respond to your support requests
  • To comply with legal obligations

3. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, our legal basis for processing your personal data is:

  • Contract performance (Art. 6(1)(b)) — processing your account data, billing, and content hosting is necessary to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — security monitoring, fraud prevention, and product analytics (where consent is given via cookie banner).
  • Legal obligation (Art. 6(1)(c)) — retaining billing records as required by tax and accounting law.
  • Consent (Art. 6(1)(a)) — for optional analytics cookies (PostHog). You may withdraw consent at any time.

4. How We Share Your Information

We share your information only with the following categories of recipients:

Service Providers (Sub-processors)

  • Clerk — authentication and identity management
  • Supabase — database hosting (Postgres)
  • Cloudflare — file storage (R2) and access-gate proxy (Workers)
  • Vercel — compute infrastructure and edge hosting
  • Stripe — payment processing
  • Resend — transactional email delivery
  • PostHog — product analytics (with consent)
  • Sentry — error monitoring

All sub-processors are contractually bound to process data only on our behalf and in accordance with applicable data protection law.

Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Porch, our users, or the public.

Business Transfers

If Porch is acquired by or merged with another company, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

5. Data Retention

  • Account data — retained as long as your account is active. Deleted within 30 days of account deletion request.
  • Uploaded files — retained in R2 as long as your account is active. Deleted when you delete a Porch or close your account.
  • Access logs — retained for 90 days, then purged.
  • Billing records — retained for 7 years to comply with tax and accounting regulations, even after account deletion.
  • Magic link tokens — one-time use, expire after 15 minutes, purged after use or expiry.
  • Analytics data — subject to PostHog's retention policy (default 1 year).

6. Cookies and Tracking

We use the following types of cookies and similar technologies:

  • Strictly necessary — session cookies set by Clerk for authentication. These cannot be disabled without breaking the Service.
  • Functional — password-gate and email-gate session cookies set on *.getporch.app by our access-gate proxy, enabling returning visitors to skip re-authentication.
  • Analytics (optional) — PostHog cookies for product analytics. Only set after you give consent via our cookie banner. You may withdraw consent at any time by clicking “Manage Cookies” in our footer.

Vercel Analytics does not set cookies and operates without personal identifiers.

7. Your Rights

All users

  • Access — request a copy of the personal data we hold about you.
  • Deletion — request deletion of your account and associated data via Settings → Billing or by emailing privacy@getporch.app.
  • Correction — update your account information at any time.

EEA / UK users (GDPR)

  • Portability — request your personal data in a structured, machine-readable format.
  • Restriction — request that we restrict processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — withdraw analytics consent at any time (does not affect prior processing).
  • Complain — lodge a complaint with your local data protection authority.

California residents (CCPA / CPRA)

  • Right to know what personal information is collected and how it is used
  • Right to delete personal information
  • Right to opt out of the sale or sharing of personal information (we do not sell or share your data)
  • Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at privacy@getporch.app. We will respond within 30 days (CCPA: 45 days; GDPR: 30 days).

8. Data Transfers

Porch is operated from the United States. If you access the Service from the EEA, UK, or other regions with data protection laws, your information may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and our sub-processors' adequacy mechanisms for international transfers.

9. Children's Privacy

The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without parental consent, we will delete that information promptly. Contact us at privacy@getporch.app if you believe we have inadvertently collected data from a child under 13.

10. Data Processing Agreement

If you use Porch in a business context and process personal data of EU/UK individuals through the Service, you may require a Data Processing Agreement (DPA). Contact us at privacy@getporch.app to request a DPA.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. Your continued use of the Service after the changes take effect constitutes acceptance of the revised policy.

12. Contact

For privacy-related questions, data subject requests, or to report a privacy concern, contact us at:

We use analytics cookies to improve Porch. Privacy Policy