Privacy Policy

1. Scope and Application

This Privacy Policy applies to personal information collected through:

• Our website at sourcebay.manus.space and any related subdomains
• Our web-based platform and application services
• Email, telephone, and other communications with us
• Interactions with our customer support and sales teams

This Policy does not apply to information collected offline or by third parties with their own privacy practices, except where we explicitly state otherwise.

2. Information We Collect

2.1 Information You Provide Directly

We collect information you voluntarily provide when using our Services:

• Account Registration: Name, email address, phone number, job title, company name, company address, industry sector, tax identification numbers (for invoicing)
• RFQ Submissions: Technical specifications, CAD drawings, material requirements, quantity, delivery timelines, budget constraints, quality standards, certifications required
• Profile Information: Company description, manufacturing capabilities, certifications, past projects, references
• Communications: Messages sent through our platform, support tickets, feedback, survey responses
• Payment Information: Billing address, payment method details (processed securely through third-party payment processors—we do not store full credit card numbers)
• Verification Documents: Business licenses, certifications, insurance documents, quality management system documentation

2.2 Information Collected Automatically

When you access our Services, we automatically collect:

• Device Information: IP address, browser type and version, operating system, device identifiers, screen resolution
• Usage Data: Pages visited, features used, time spent on pages, click patterns, search queries, RFQ submission history
• Location Data: General geographic location derived from IP address (country, region, city)
• Cookies and Similar Technologies: Session cookies, persistent cookies, web beacons, pixel tags (see Section 12 for details)
• Log Data: Access times, error logs, referring URLs, exit pages

2.3 Information from Third Parties

We may receive information about you from:

• Business Partners: Suppliers and manufacturers in our network who interact with your RFQs
• Data Enrichment Services: Company information, industry data, business verification services
• Public Sources: Publicly available business registries, professional networking sites, company websites
• Analytics Providers: Aggregated usage statistics and behavioral insights

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Service Delivery and Operations

• Create and manage your account
• Process and route RFQs to appropriate suppliers
• Facilitate communication between buyers and suppliers
• Generate and deliver quotes
• Process payments and issue invoices
• Provide customer support and respond to inquiries
• Verify supplier credentials and qualifications

3.2 Platform Improvement and Analytics

• Analyze usage patterns to improve platform functionality
• Conduct research and development for new features
• Perform data analytics and generate business intelligence
• Test and optimize user experience
• Train and improve AI-powered matching algorithms

3.3 Marketing and Communications

• Send transactional emails (account notifications, RFQ updates, quote alerts)
• Deliver marketing communications about our services (with your consent where required)
• Conduct surveys and request feedback
• Provide personalized content and recommendations
• Promote webinars, events, and educational content

3.4 Security and Compliance

• Detect, prevent, and respond to fraud, abuse, and security threats
• Enforce our Terms of Service and other policies
• Comply with legal obligations and regulatory requirements
• Respond to law enforcement requests and legal processes
• Protect the rights, property, and safety of SourceBay, our users, and the public
• Conduct internal audits and quality assurance

3.5 Business Operations

• Facilitate mergers, acquisitions, or asset sales
• Manage business relationships and contracts
• Maintain accurate business records
• Conduct financial reporting and tax compliance

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data based on the following legal grounds:

• Contractual Necessity: Processing is necessary to perform our contract with you (e.g., providing platform services, processing RFQs)
• Legitimate Interests: Processing is necessary for our legitimate business interests, such as improving our services, preventing fraud, and conducting analytics, provided these interests do not override your fundamental rights
• Legal Obligation: Processing is required to comply with applicable laws, regulations, court orders, or governmental requests
• Consent: You have provided explicit consent for specific processing activities (e.g., marketing communications), which you may withdraw at any time
• Vital Interests: Processing is necessary to protect someone's life or physical safety

5. Information Sharing and Disclosure

We share your information in the following circumstances:

5.1 With Suppliers and Manufacturers

When you submit an RFQ, we share relevant information (technical specifications, drawings, quantities, delivery requirements) with matched suppliers in our network to generate quotes. Suppliers are contractually obligated to maintain confidentiality and use information only for quote generation purposes.

5.2 Service Providers and Business Partners

We engage third-party service providers to perform functions on our behalf, including:

• Cloud hosting and infrastructure providers (AWS, Google Cloud, Microsoft Azure)
• Payment processors and financial services
• Email delivery and communication platforms
• Customer relationship management (CRM) systems
• Analytics and business intelligence tools
• Customer support and helpdesk software
• Security and fraud prevention services

These providers have access only to information necessary to perform their functions and are contractually obligated to protect your data.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website before your information becomes subject to a different privacy policy.

5.4 Legal Requirements and Protection

We may disclose your information when required by law or when we believe disclosure is necessary to:

• Comply with legal obligations, court orders, subpoenas, or governmental requests
• Enforce our Terms of Service and other agreements
• Protect the rights, property, or safety of SourceBay, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues
• Respond to claims of intellectual property infringement

5.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for research, marketing, analytics, or other business purposes.

5.6 With Your Consent

We may share your information for other purposes with your explicit consent or at your direction.

6. International Data Transfers

SourceBay operates globally, and your information may be transferred to, stored, and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer personal data from the EEA, UK, or Switzerland to other countries, we implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions recognizing equivalent data protection standards
• Binding Corporate Rules for intra-group transfers
• Your explicit consent for specific transfers

You may contact us to obtain a copy of the safeguards we have implemented for international data transfers.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Our retention periods are based on:

• Account Data: Retained while your account is active and for 7 years after account closure for legal and audit purposes
• RFQ and Transaction Data: Retained for 10 years to support business operations, dispute resolution, and compliance
• Communications: Retained for 3 years for customer service and quality assurance
• Marketing Data: Retained until you opt out or for 2 years of inactivity
• Usage and Analytics Data: Retained in aggregated form indefinitely; individual-level data for 2 years
• Legal and Compliance Records: Retained as required by applicable laws (typically 7-10 years)

After the retention period expires, we securely delete or anonymize your information. You may request earlier deletion subject to legal and operational constraints.

8. Data Security

We implement comprehensive technical, administrative, and physical security measures to protect your information from unauthorized access, disclosure, alteration, and destruction:

• Encryption: Data in transit is encrypted using TLS 1.3; data at rest is encrypted using AES-256
• Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege
• Network Security: Firewalls, intrusion detection/prevention systems, DDoS protection
• Monitoring: 24/7 security monitoring, logging, and incident response procedures
• Vendor Management: Security assessments and contractual protections for third-party providers
• Employee Training: Regular security awareness training and confidentiality agreements
• Penetration Testing: Annual third-party security audits and vulnerability assessments
• Backup and Recovery: Regular encrypted backups and disaster recovery plans

While we strive to protect your information, no security system is impenetrable. We cannot guarantee absolute security, and you acknowledge the inherent risks of transmitting information over the internet. If you believe your account has been compromised, please contact us immediately at [email protected].

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Rectification: Correct inaccurate or incomplete information
• Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal obligations
• Restriction: Limit how we process your information in certain circumstances
• Objection: Object to processing based on legitimate interests or for direct marketing
• Data Portability: Receive your data in a structured, machine-readable format and transmit it to another controller
• Withdraw Consent: Withdraw consent for processing activities that require consent
• Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, please contact us at [email protected]. We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

Please note that certain rights may be limited by legal obligations, ongoing investigations, or legitimate business needs (e.g., we cannot delete transaction records required for tax compliance).

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights:

10.1 Right to Know

You have the right to request disclosure of:

• Categories of personal information collected
• Categories of sources from which information was collected
• Business or commercial purposes for collection
• Categories of third parties with whom we share information
• Specific pieces of personal information we have collected about you

10.2 Right to Delete

You may request deletion of personal information we have collected, subject to certain exceptions (e.g., completing transactions, detecting security incidents, complying with legal obligations).

10.3 Right to Opt-Out of Sale/Sharing

We do not "sell" personal information as defined by CCPA. If our practices change, we will update this Policy and provide an opt-out mechanism.

10.4 Right to Correct

You may request correction of inaccurate personal information.

10.5 Right to Limit Use of Sensitive Personal Information

If we process sensitive personal information beyond what is necessary to provide our services, you may request that we limit its use.

10.6 Non-Discrimination

We will not discriminate against you for exercising your CCPA/CPRA rights.

10.7 Authorized Agent

You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authority.

To exercise your California privacy rights, email us at [email protected] or call us at +1 630 796 0282. We will respond within 45 days.

11. European Privacy Rights (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to lodge a complaint with your supervisory authority (e.g., Information Commissioner's Office in the UK, CNIL in France)
• Right to withdraw consent at any time (without affecting the lawfulness of processing based on consent before withdrawal)
• Right to object to automated decision-making and profiling
• Right to request information about safeguards for international data transfers

Our Data Protection Officer can be reached at [email protected] for GDPR-related inquiries.

EU Representative: SourceBay EU Data Protection Services, 123 Innovation Drive, Dublin, Ireland | Email: [email protected]

12. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience, analyze usage, and deliver personalized content.

12.1 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for platform functionality (e.g., authentication, security, load balancing)
• Performance Cookies: Collect information about how you use our platform to improve performance
• Functional Cookies: Remember your preferences and settings
• Targeting/Advertising Cookies: Deliver relevant advertisements and measure campaign effectiveness

12.2 Third-Party Cookies

We use third-party analytics and advertising services that may set cookies, including:

• Google Analytics (analytics and reporting)
• LinkedIn Insight Tag (B2B advertising and analytics)
• HubSpot (marketing automation and CRM)
• Hotjar (user behavior analytics and heatmaps)

12.3 Managing Cookies

You can control cookies through:

• Browser settings (most browsers allow you to refuse or delete cookies)
• Our cookie consent banner (available on first visit and accessible through settings)
• Opt-out tools provided by advertising networks (e.g., NAI, DAA)
• Browser extensions and privacy tools

Note that disabling certain cookies may limit platform functionality. Strictly necessary cookies cannot be disabled as they are essential for service delivery.

13. Third-Party Services and Links

Our platform may contain links to third-party websites, services, or applications not operated by SourceBay. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

When you interact with suppliers through our platform, you may be subject to their separate privacy policies and terms. SourceBay is not responsible for supplier data practices.

14. Children's Privacy

Our Services are intended for businesses and professionals. We do not knowingly collect personal information from individuals under 18 years of age (or the applicable age of majority in your jurisdiction).

If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child, please contact us at [email protected].

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or business operations. When we make material changes, we will:

• Update the "Last Updated" date at the top of this Policy
• Notify you via email (to the address associated with your account)
• Display a prominent notice on our website
• Obtain your consent where required by applicable law

Your continued use of our Services after the effective date of the updated Policy constitutes acceptance of the changes. If you do not agree to the revised Policy, you must stop using our Services and may request account deletion.

16. Contact Us and Data Protection Officer

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to your inquiry within 30 days (or as required by applicable law). For urgent security matters, please use our 24/7 security hotline.