1. Overview
PM Portfolio (“the App”) is a mobile portfolio application for iOS and Android, designed to showcase product management work. Access to portfolio content is by invitation only via passwords shared by the portfolio owner.
The App does not create user accounts and does not require registration. This Privacy Policy explains what data is collected, how it is used, and your rights regarding that data.
We are committed to transparency and minimal data collection. The App is designed with a privacy-first architecture — we collect only the data necessary to deliver the portfolio experience.
2. Data We Collect
The App collects minimal data, most of which is anonymous:
From Viewers (password holders)
- Password usage counts — anonymous counts of how many times a shared password has been used. No personal identity is attached.
- AI chat messages — if you use the PM AI conversational feature, your messages are sent to our server for processing. Messages are not stored on our servers or in any database. They are processed in real time and discarded.
- AI usage telemetry — anonymous metrics (message count, token usage) per session, linked only to a password identifier and session ID. Anonymous users (those who have not entered a password) are tracked with an anonymous sequential identifier (e.g., “Anonymous 1”, “Anonymous 2”) — no personally identifiable information is collected.
- Performance traces — automatic, anonymous measurements of app launch time, screen rendering, and network request timing, collected by Firebase Performance Monitoring.
- Device integrity signals — Firebase App Check uses Apple DeviceCheck (iOS) and Google Play Integrity (Android) to verify the device is genuine. No personal data is collected through this process.
From the Administrator (portfolio owner)
- LinkedIn profile data — the administrator may upload their own LinkedIn profile PDF or URL for structured data extraction. This data includes professional information (name, work history, education, skills) and is processed via the Anthropic Claude API.
- Portfolio content — case studies, skills, testimonials, and other content entered through the admin CMS.
Data We Do NOT Collect
- Names, email addresses, or phone numbers of viewers
- IP addresses of viewers
- Location data, GPS coordinates, or geo-location information
- Photos, contacts, or files from your device
- Advertising identifiers
- Browsing history or cross-app tracking data
3. How We Use Data
Data collected is used exclusively to:
- Display portfolio content to authorized viewers.
- Process AI chat messages in real time to provide conversational responses about the portfolio owner’s professional experience.
- Monitor password usage to help the portfolio owner manage access.
- Track anonymous AI usage metrics for rate limiting and capacity management.
- Identify and fix performance issues and crashes.
- Extract structured data from the administrator’s LinkedIn profile (admin-initiated only).
We do not use data for advertising, profiling, or any purpose unrelated to the operation of the App.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, our legal basis for processing data is legitimate interest (Article 6(1)(f) GDPR):
- Performance monitoring and crash reporting — legitimate interest in maintaining a stable, performant application.
- Password usage tracking — legitimate interest in managing access to private content.
- AI processing — legitimate interest in providing the conversational portfolio feature; processing is initiated by the viewer’s action of sending a message.
- AI usage telemetry — legitimate interest in rate limiting, capacity management, and preventing abuse of the AI feature.
We do not rely on consent as a legal basis because the App does not collect personally identifiable information from viewers. The administrator processes their own data voluntarily.
5. Third-Party Services
The App uses the following third-party services to operate:
| Service |
Provider |
Purpose |
Data Shared |
| Firebase Firestore |
Google LLC |
Content storage |
Portfolio content, password hashes, anonymous usage counts |
| Firebase Storage |
Google LLC |
Image hosting |
Admin-uploaded portfolio images |
| Firebase Performance Monitoring |
Google LLC |
App performance |
Anonymous device type, OS version, network timing traces |
| Firebase App Check |
Google LLC |
Device integrity |
Device attestation tokens (no PII) |
| Apple DeviceCheck |
Apple Inc. |
iOS device verification |
Device attestation (no PII) |
| Google Play Integrity |
Google LLC |
Android device verification |
Device attestation (no PII) |
| Claude API |
Anthropic PBC |
AI processing |
Chat messages (real-time, not stored); admin LinkedIn data (on request) |
| Google Cloud Secret Manager |
Google LLC |
Secure key storage |
No user data — stores only API keys and system secrets |
All Claude API calls are made server-side from our Firebase Cloud Functions. The API key is stored in Google Cloud Secret Manager and is never exposed to the client application. Anthropic states that data sent via their API is not used to train their models. For details, see Anthropic’s Privacy Policy.
No data is sold to or shared with any other third parties for commercial purposes.
6. Data Security
We take the following measures to protect data:
- Encryption in transit — all communication between the App, Cloud Functions, and third-party services uses HTTPS/TLS encryption.
- Encryption at rest — data stored in Firebase Firestore and Cloud Storage is encrypted at rest by Google Cloud.
- Secret management — API keys and sensitive credentials are stored in Google Cloud Secret Manager with IAM access controls, not in source code or environment variables.
- Password hashing — viewer passwords are stored as bcrypt hashes. Plaintext passwords are never persisted.
- CORS restrictions — server endpoints only accept requests from authorized origins (pmportfolio.app and Firebase Hosting preview URLs).
- JWT authentication — admin endpoints are protected by signed JSON Web Tokens verified on every request.
- On-device storage — session tokens are stored in iOS Keychain / Android Keystore via flutter_secure_storage. Cached content uses on-device Hive storage.
- Rate limiting — AI chat endpoints enforce per-session rate limits to prevent abuse and manage capacity.
7. Data Retention
| Data Type |
Retention Period |
| Performance traces |
90 days (Firebase default) |
| AI usage telemetry |
90 days |
| Password usage counts |
Until the password is deactivated by the portfolio owner |
| AI chat messages |
Not stored — processed in real time and discarded |
| GCP Cloud Function access logs |
30 days (Google Cloud default) |
| Portfolio content |
Indefinitely, until deleted by the administrator |
| Anonymous user identifiers |
Session-scoped — discarded when the session ends |
8. International Data Transfers
The App’s backend infrastructure is hosted on Google Cloud Platform and Anthropic’s API servers, both located in the United States. If you access the App from outside the United States, your data may be transferred to and processed in the US.
For users in the EEA, UK, and Switzerland, these transfers are protected by:
- Google: Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.
- Anthropic: Standard Contractual Clauses (SCCs) as outlined in Anthropic’s data processing terms.
9. Cookies and Tracking Technologies
The App is a native mobile application and does not use cookies. There are no web-based trackers, advertising pixels, or cross-app tracking technologies.
On-device storage is limited to:
- Session tokens — stored securely in iOS Keychain / Android Keystore for authentication persistence.
- Content cache — portfolio content cached locally using Hive for offline performance. This data is not transmitted to any third party.
10. Children’s Privacy
The App is not intended for children under the age of 13 (or under 16 where required by local law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at hello@productbuilderacademy.com and we will promptly delete it.
11. Your Rights
Depending on your jurisdiction, you may have the following rights:
GDPR (EEA, UK, Switzerland)
- Right to access — request what data is associated with your usage.
- Right to rectification — request correction of inaccurate data.
- Right to erasure — request deletion of your data.
- Right to restrict processing — request limitation of how your data is used.
- Right to data portability — receive your data in a structured format.
- Right to object — object to processing based on legitimate interest.
- Right to lodge a complaint with your local data protection authority.
CCPA (California, USA)
- Right to know what personal information is collected.
- Right to delete personal information.
- Right to opt out of the sale of personal information — we do not sell personal information.
- Right to non-discrimination for exercising your privacy rights.
Since the App does not collect personally identifiable information from viewers, there is typically no personal data to retrieve or delete. If you have concerns or wish to exercise any of these rights, please contact us at hello@productbuilderacademy.com.
12. California “Do Not Sell” Disclosure
PM Portfolio does not sell, rent, or share personal information with third parties for their direct marketing purposes. We do not participate in data brokers or ad exchanges. No action is required on your part to opt out, as there is nothing to opt out of.
13. AI Transparency
The App includes a conversational AI feature called “PM AI” that allows viewers to ask questions about the portfolio owner’s professional experience. Here is how it works:
- Processing: Messages are sent to our server-side Cloud Functions, which forward them to the Anthropic Claude API for processing. Responses are returned to the App in real time.
- No storage: Neither our servers nor Anthropic store your chat messages. Messages are processed in real time and immediately discarded.
- No training: Anthropic does not use data sent via their API to train their AI models.
- Context: The AI has access to the portfolio owner’s professional information (work history, skills, case studies) that is already publicly displayed in the App. It does not have access to any viewer data.
- Anonymous tracking: AI usage is tracked with anonymous identifiers only. Authenticated users are identified by their password label; anonymous users receive a sequential identifier (e.g., “Anonymous 1”, “Anonymous 2”). No IP addresses or geo-location data is used for identification.
- Rate limiting: Usage limits are enforced per session to manage capacity. The portfolio owner can view aggregate anonymous usage statistics but cannot see individual chat messages.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the App’s features or applicable law. When we make changes:
- The “Effective date” at the top of this page will be updated.
- Material changes will be communicated through the App.
Continued use of the App after changes are posted constitutes acceptance of the updated policy.
15. Contact Us
For privacy-related questions, data requests, or concerns:
Email: hello@productbuilderacademy.com
Website: pmportfolio.app