Privacy policy
SEAN REVIEW: legal counsel must approve the language covering each of the three regimes (Australian Privacy Act 1988, EU GDPR, PIPL). The defaults below are conservative and disclose more than the minimum, which is the safer posture pre-review.
1. Who collects the data
Sourzi is operated from Sydney, Australia by the founder, with a sourcing team based in Shanghai Pudong, China. Sourzi is the data controller (under GDPR) and personal-information handler (under PIPL) for the data described below. The contact point for privacy enquiries is sourcing@sourzi.com.
2. What we collect
When you submit the email-capture form on a tool or reference page, we record your email address, the page URL you submitted from, the source position (inline or sticky), the timestamp, and the user-agent string of your browser. The user-agent is retained only for spam triage and is never used to track you across the web.
When you create an account, we record your email address and, if you set one, a password hashed by Supabase. We do not store passwords in plain text, and Sourzi does not hash them itself; the hashing is delegated to Supabase Auth.
When you pay for a subscription, Stripe handles the card-data collection and storage. Sourzi receives a Stripe customer identifier, an indication of subscription status, and the billing periods. We do not see or store card numbers, expiry dates, or CVV.
We record anonymised funnel events (tool used, signup prompted, paywall hit, checkout started) to measure the conversion path. These events carry no advertising identifiers and are not sold or licensed to third parties.
3. How we use it
The email address is used to authenticate your account through magic-link sign-in, to deliver the lead-magnet PDF you requested, and to send service notifications (account, billing, security). It is not added to a marketing list unless you separately opt in.
Funnel events drive product decisions about which tools to build next, which paywall messages convert, and where the signup form needs work. They are aggregated for reporting and never combined with third-party identifiers to profile individuals.
4. Where the data is stored
The Supabase database that holds your account and the email-capture rows is hosted in the United States by default. Stripe handles card data in its own infrastructure under PCI-DSS controls. Vercel hosts the website and the analytics on a global edge network. If you are located in the EU, the EU data-residency option may be enabled on request.
5. International transfers
Personal data is transferred between Australia, the United States, and the European Union as part of normal service operation. Where the recipient is outside the EU or the United Kingdom, transfers rely on Standard Contractual Clauses or equivalent safeguards. PIPL-regulated transfers out of China rely on the PIPL standard contract for cross-border transfers where applicable.
6. Lawful bases (GDPR)
We rely on three lawful bases: consent (for the lead-magnet email capture), performance of a contract (for account and subscription handling), and legitimate interest (for funnel events and security monitoring). You can withdraw consent at any time by emailing the address in section 1.
7. Your rights
You have the right to request a copy of the personal information we hold about you, to correct inaccurate information, to request deletion, to object to processing, and (under GDPR and PIPL) to data portability. To exercise any of these rights, email sourcing@sourzi.com from the address associated with your account. We respond within thirty days; PIPL requests are handled within the timeframes specified by the regulation.
Australian users may also lodge a complaint with the Office of the Australian Information Commissioner. EU users may lodge a complaint with their local supervisory authority. Chinese users may lodge a complaint with the Cyberspace Administration of China.
8. Retention
Account data is retained while your account remains active and for twelve months afterwards, then deleted. Funnel events are retained for twelve months. Email-capture rows are retained for thirty-six months, then deleted. Stripe billing records are retained per Stripe's own retention schedule and applicable tax law.
9. Sharing
We do not sell personal information. Personal data is shared only with the processors required to deliver the service: Supabase (database and auth), Stripe (payments), Vercel (hosting), and a transactional email provider for magic-link and billing emails. Each processor is bound by a data-processing agreement consistent with the relevant regime.
10. Cookies and analytics
Sourzi uses one essential cookie (the session cookie for signed-in users) and two analytics services (Vercel Analytics and Google Analytics 4). The analytics fire only after explicit consent on first visit, recorded via the cookie banner on the page. You can withdraw consent at any time through the same banner.
11. Children
The service is directed at procurement professionals and is not intended for users under sixteen. We do not knowingly collect data from children under sixteen. If you become aware that a child has provided personal data, contact the address in section 1 and we will delete the records.
12. Security
We use HTTPS site-wide, HttpOnly session cookies, and Supabase row-level security policies on the database. Card data is never stored on Sourzi infrastructure; Stripe handles it under PCI-DSS Level 1 controls. No system is impregnable; if a breach affecting your personal data occurs, we will notify you and the relevant regulator within the timeframes required by the applicable regime.
13. Changes
We may update this policy from time to time. Material changes will be notified to active account holders by email at least fourteen days before they take effect.
14. Contact
Privacy enquiries: sourcing@sourzi.com or the contact page.