Last updated: March 2, 2026
Privacy Notice
1. Who we are
The data controller for MakeFolio is Ezra Cunningham, a sole trader trading as MakeFolio. The controller is an individual person — not a limited company. Contracts with customers are entered into personally by the founder.
Trading address: 124 City Road, London, EC1V 2NX
General contact email: help@make-folio.com
Privacy contact email: help@make-folio.com
MakeFolio is a software-as-a-service portfolio builder that enables creative professionals and developers to create, publish, and share professional portfolios online.
This notice applies to: MakeFolio account holders (registered users), visitors to public or password-protected portfolios hosted on MakeFolio, and visitors to the MakeFolio marketing website.
2. About this notice
This Privacy Notice explains what personal data we collect when you use MakeFolio, why we collect it, how we use it, who we may share it with, how long we keep it, and what your rights are under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We will update this notice from time to time. The date at the top tells you when it was last revised. Material changes will be communicated by email or by a notice on the product.
3. Personal data we collect about you
We may collect and process the following categories of personal data:
- Account and identity data — email address, display name, username, profile photo, and biography that you provide when creating an account.
- Portfolio content — text, images, videos, documents, and other materials you upload or enter when building your portfolios. This may include personal details you choose to include (for example, your name, contact details, or work history).
- Payment and billing data — billing name, payment method details (processed by Stripe; we do not store full card numbers), and transaction history.
- Communications data — emails you send to us, support requests, and any marketing preferences you set.
- Technical and usage data — IP address, browser type and version, device information, pages visited, and feature usage. Where you have consented to analytics cookies, this data is also processed by PostHog.
- Cookie and device identifiers — see the Cookies and similar technologies section below.
We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us so we can delete it.
3a. Cookies and similar technologies
We use cookies (small text files stored in your browser) and similar technologies to operate MakeFolio. The table below lists every cookie we set, what it does, and how long it lasts.
| Cookie name | Category | Purpose | Duration |
|---|---|---|---|
| sb-[project]-auth-token | Strictly necessary | Maintains your authenticated session with MakeFolio. Set by our authentication provider, Supabase. Without this cookie the service cannot recognise you as logged in. | Session (browser close) or up to 7 days |
| mf_portfolio_access_token | Strictly necessary | Granted to visitors who unlock a password-protected portfolio. Proves that the correct password was entered so you do not need to re-enter it during your browsing session. Set only when you actively submit the unlock form — by doing so, a temporary cookie will be stored in your browser for 1 hour. | 1 hour |
| mf_cookie_consent | Strictly necessary | Stores your cookie consent preferences (whether you have accepted or rejected analytics cookies) so we do not prompt you on every visit. | 1 year |
| ph_[key]_posthog | Analytics | Used by PostHog to identify you as a distinct visitor across sessions and to record feature flag states. Only set if you consent to analytics cookies. | Up to 1 year |
| ph_[key]_posthog_session | Analytics | Used by PostHog to track a single browsing session for analytics purposes. Only set if you consent to analytics cookies. | Session |
Browser localStorage
We also store a small item in your browser's local storage (not a cookie) called mf_free_tier_banner_dismissed. This records whether you have dismissed the free-plan upgrade notice so we do not show it repeatedly. This data is stored only on your device and is never transmitted to our servers.
Managing your cookie preferences
Strictly necessary cookies cannot be disabled — the service requires them to function. You may accept or reject analytics cookies at any time using the “Cookie preferences” link in the footer of any page, or from your Settings › Privacy & Data page if you are logged in. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.
4. How and why we use your personal data
We use your personal data for the purposes below. Next to each purpose we identify the lawful basis we rely on under Article 6 UK GDPR.
| Purpose | Lawful basis |
|---|---|
| Creating and managing your account | Performance of a contract — Article 6(1)(b). You cannot use the service without an account. |
| Providing and operating the MakeFolio service | Performance of a contract — Article 6(1)(b). |
| Processing payments and managing billing | Performance of a contract — Article 6(1)(b); and compliance with a legal obligation (financial record-keeping) — Article 6(1)(c). |
| Sending transactional and service communications (e.g. receipts, password resets, important product notices) | Performance of a contract — Article 6(1)(b). |
| Sending optional marketing communications about MakeFolio updates or new features (where you have opted in) | Consent — Article 6(1)(a). You may withdraw consent at any time by clicking “unsubscribe” in any marketing email or by emailing help@make-folio.com. |
| Understanding how the product is used in order to improve it (analytics via PostHog) | Consent — Article 6(1)(a) and Regulation 6 of the Privacy and Electronic Communications Regulations (PECR). Analytics cookies are only set after you give consent. You may withdraw consent at any time via the “Cookie preferences” link in the footer. |
| Preventing abuse and protecting service integrity (rate limiting using IP address) | Legitimate interests — Article 6(1)(f). Our legitimate interest is in preventing automated abuse, spam, and denial-of-service attacks. IP addresses used for rate limiting are held transiently in Upstash Redis and are purged automatically after the rate-limit window expires (no longer than 1 hour). We have considered your interests and this processing does not override them. |
| Improving the product and fixing bugs | Legitimate interests — Article 6(1)(f). Our legitimate interest is in maintaining and improving a reliable service. We have considered your interests and do not believe this processing overrides them. |
| Complying with legal obligations | Legal obligation — Article 6(1)(c). |
| Handling enquiries and support requests | Legitimate interests — Article 6(1)(f). It is in both your interest and ours to resolve issues promptly. |
5. Who we share your personal data with
We do not sell your personal data to third parties. We share personal data only with the processors and recipients listed below, each of whom acts under a data processing agreement or equivalent contractual safeguards.
| Processor | Role | Location |
|---|---|---|
| Supabase, Inc. | Database (PostgreSQL), file and media storage, and user authentication | European Union (Ireland, eu-west-1) |
| Stripe, Inc. | Payment processing and subscription management | United States |
| Loops, Inc. | Marketing and transactional email delivery | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Upstash, Inc. | Redis database used for rate limiting and server-side caching. IP addresses are used as rate-limit keys and are purged automatically after the rate-limit window (no longer than 1 hour). | United States / EU (region-dependent) |
| Vercel, Inc. | Application hosting, serverless compute, and content delivery network (CDN) | United States / global edge network |
| PostHog, Inc. | Product analytics — used to understand how the product is used and to improve it. Only receives data where you have consented to analytics cookies. | United States (or EU if PostHog EU Cloud is used) |
We may also disclose personal data if required to do so by law, by a court order, or to protect the rights, property, or safety of individuals.
6. International transfers of personal data
Personal data stored in our primary database and file storage (Supabase) remains within the European Economic Area - specifically in Ireland (eu-west-1) - and is therefore not subject to an international transfer under UK GDPR.
Some of our other sub-processors are headquartered in the United States, a country for which the UK has not yet issued a full adequacy decision under UK GDPR. We ensure that all transfers of personal data to the United States are protected by appropriate safeguards. Specifically, each such processor has in place either the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as required by the UK Information Commissioner's Office.
The processors that involve a UK-to-US transfer are: Stripe, Vercel, Loops, Resend, Upstash, Fly.io, and PostHog (where analytics consent has been given). Copies of the relevant agreements are available on request by emailing help@make-folio.com.
7. How long we keep your personal data
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. The table below sets out our retention periods by data type.
| Data | Retention period |
|---|---|
| Account profile and portfolio content | Retained while your account is active. Deleted within 30 days of an account deletion request (subject to any legal hold). |
| Payment and billing records | 7 years from the transaction date to meet tax and accounting legal obligations. |
| Supabase authentication session tokens | Duration of the authenticated session (max 7 days). |
| Portfolio access tokens (mf_portfolio_access_token) | 1 hour from the time of issue. |
| Rate-limiting records in Upstash Redis (IP address) | Automatically purged by Upstash within the rate-limit window — no longer than 1 hour. |
| Analytics data in PostHog (where consented) | Up to 1 year from collection. PostHog's own data-retention settings apply. |
| Email delivery logs (Loops / Resend) | Per the processor's own retention policy — typically 30 to 90 days for delivery logs. |
| Support correspondence | 3 years from the date of last contact. |
We will securely delete or anonymise personal data once it is no longer required for the purpose for which it was collected, unless a longer retention period is required or permitted by law (for example, to meet tax and accounting obligations).
8. Security
We take reasonable technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These measures include — but are not limited to — using reputable cloud infrastructure with encryption in transit and at rest, restricting access to personal data on a need-to-know basis, and applying available security features provided by our third-party processors.
No method of transmission over the internet or electronic storage is completely secure. While we do our best to protect your personal data, we cannot guarantee its absolute security. If you have reason to believe your interaction with us is no longer secure, please notify us immediately at help@make-folio.com.
9. Your rights under UK GDPR
Depending on the circumstances, you have the following rights in relation to your personal data:
- Right of access — You may request a copy of the personal data we hold about you (commonly known as a Subject Access Request).
- Right to rectification — You may ask us to correct personal data that is inaccurate or incomplete.
- Right to erasure (“right to be forgotten”) — You may ask us to delete your personal data where there is no good reason for us to continue processing it.
- Right to restriction of processing — You may ask us to suspend processing of your personal data in certain circumstances (for example, while you contest its accuracy).
- Right to data portability — Where processing is based on your consent or the performance of a contract and is carried out by automated means, you may ask us to provide your personal data in a structured, commonly used, machine-readable format.
- Right to object — You may object to processing that is based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests or the processing is for the establishment, exercise, or defence of legal claims.
- Right to withdraw consent — Where we rely on consent as the lawful basis, you may withdraw it at any time. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.
- Rights in relation to automated decision-making — You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects. MakeFolio does not carry out such automated decision-making.
To exercise any of these rights, please email help@make-folio.com. We will respond within one calendar month. We may need to verify your identity before acting on a request. There is no charge for exercising your rights, though we may charge a reasonable fee if requests are manifestly unfounded or excessive.
10. Right to complain to the ICO
If you are unhappy with how we have handled your personal data, please contact us first at help@make-folio.com so we can try to resolve your concern.
You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
11. Contact us
For any questions or concerns about this Privacy Notice or about how we handle your personal data, please contact:
Ezra Cunningham (sole trader trading as MakeFolio)
124 City Road, London, EC1V 2NX
Email: help@make-folio.com
12. Related legal documents
Read our Terms and Conditions and Refund Policy.