Compliance
Set up GDPR consent collection, automatic data retention periods, subject access exports, and right-to-be-forgotten erasure across 46 supported countries.
Full compliance features require the Pro plan or above. Consent collection is available on Starter and above.
Portico includes built-in tools for GDPR and data protection. These features help you collect consent, retain data responsibly, and respond to client requests.
Country and framework detection
In Settings > Client experience > Compliance, select your operating country. Portico supports 46 countries and detects the applicable compliance framework (GDPR, CCPA, PIPEDA, and others) based on your selection.
Consent collection
Starter plan and above.
Configure what consent to collect before the onboarding form starts. Go to Settings > Client experience and set up consent types:
- Privacy policy — link to your privacy policy. Clients must accept before proceeding.
- Terms of service — link to your terms. Clients must accept before proceeding.
- Custom consent — define your own consent types with custom text and links.
When a client accepts consent, Portico records the timestamp, consent type, and client identifier. These records are stored in the onboarding's Compliance tab and cannot be modified after creation.
Data retention
Pro plan and above.
Set an automatic retention period for client response data. After the configured number of days, Portico permanently deletes response data from completed onboardings. This helps you meet data minimization requirements.
Configure data retention in Settings > Client experience > Compliance. You set the number of days after onboarding completion before data is cleaned up.
Data retention is irreversible. Once response data is deleted, it cannot be recovered. Make sure you have exported anything you need before the retention period expires.
Data export (subject access request)
When a client requests a copy of their data, go to Settings > Compliance and generate a full export for that client. The export includes:
- All form responses across all onboardings.
- Uploaded files.
- Consent records.
- Activity history and timestamps.
The export is packaged as a downloadable file you can share with the client.
Data erasure (right to be forgotten)
To permanently delete a client's response data, go to Settings > Compliance and submit an erasure request. This removes:
- All form responses for the specified client.
- Uploaded files.
- Signature data.
Erasure is logged with a timestamp and reason for your records. The action is irreversible. Client metadata (name, email) is retained for the audit log unless you also delete the client record.
Audit trail
Every onboarding maintains a complete activity log:
- When the onboarding was sent, opened, and completed.
- Every field submission, approval, and rejection with timestamps.
- Consent acceptance events.
- Signature events with IP addresses.
- Payment events.
- Reminder delivery events.
You can view the audit trail on the onboarding detail page under the History tab. For API access, use the Events endpoint.
E-signature compliance
Signature fields in Portico record:
- The signature image.
- Signer's IP address.
- Timestamp (UTC).
- The client's name and email.
This information is stored as part of the onboarding record and is available in the client portal for the signer to review.
Frequently asked questions
- Is Portico GDPR compliant?
  Yes. Portico supports GDPR consent collection, data export for subject access requests, and right-to-be-forgotten erasure. Full compliance features are on Pro and above; consent collection is available on Starter.
- How many countries does Portico support for compliance?
  46 countries with localized consent text, data residency awareness, and region-appropriate privacy controls.
- Can I set automatic data retention periods?
  Yes. Configure automatic data cleanup in Settings to delete response data after a period you define.