Privacy Policy

This Privacy Policy explains how LEX RESO LTD (Company Number: 16682470), registered at 128 City Road, London, United Kingdom, EC1V 2NX, operating the Sourcinq platform at sourcinq.com ("Sourcinq," "we," "us," "our"), collects, uses, stores, and protects your personal data when you access or use the Service.

Please read this Policy carefully. By using the Service, you acknowledge that you have read and understood how we handle your personal data as described here.

Note: A US-based entity is currently being established. This Privacy Policy will be updated to reflect the US legal entity and any additional applicable obligations upon its registration.

1. Data Controller

The data controller responsible for your personal data is:

LEX RESO LTD
128 City Road, London, United Kingdom, EC1V 2NX
Company Number: 16682470
Email: [email protected]

As a company registered in England and Wales, Sourcinq is subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 as its primary legal framework for processing personal data.

2. Applicable Privacy Regulations

Sourcinq operates globally and acknowledges the privacy rights of users across jurisdictions. This Policy is designed to comply with or be consistent with the following frameworks:

United Kingdom
UK GDPR and Data Protection Act 2018 — primary framework applicable to Sourcinq as a UK-registered entity.

European Union / European Economic Area
EU GDPR (Regulation 2016/679) — applicable to users located in the EEA. Where EU GDPR applies, the rights and protections described in this Policy apply in full.

United States — California
California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) — applicable to California residents. Specific California rights are set out in Section 11.

United States — General
Sourcinq respects US federal and state privacy principles for all US-based users. While the US does not have a single comprehensive federal privacy law, we apply consistent data minimisation and user rights standards across our platform.

Canada
Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial equivalents — applicable to Canadian users.

Asia-Pacific
Personal Data Protection Act (PDPA, Singapore), Personal Data Protection Act B.E. 2562 (Thailand), and equivalent frameworks in other applicable Asian jurisdictions — applicable to users in those regions.

Global Approach
Sourcinq takes a globally consistent approach to privacy. Rights granted to UK and EU users under UK/EU GDPR — including access, rectification, erasure, restriction, and portability — are extended to all users of the platform where practically and legally feasible, regardless of their country of residence.

3. Personal Data We Collect

We collect only the data that is necessary to provide the Service and operate the platform responsibly.

3.1 Account and Registration Data

• Email address — required to create an account, authenticate, and communicate with you regarding your account and the Service.
• Billing address and country — required for sanctions compliance screening (to prevent service to sanctioned jurisdictions) and for applicable tax determination.

3.2 Payment Data

Payment transactions are processed entirely by Stripe, Inc., our payment processor. Sourcinq does not store, process, or have access to your full card number, CVV, or other sensitive payment instrument details. Stripe is PCI DSS Level 1 compliant. For information on how Stripe handles your payment data, please refer to Stripe's Privacy Policy at stripe.com.

We retain records of transaction events (date, amount, plan purchased, payment status) for accounting and legal compliance purposes.

3.3 Search Query Data

• The search inputs you submit — ASIN codes, UPC codes, brand names, and product names — are collected and processed as part of the core Service.
• The Results generated in response to your Queries are stored in your account dashboard.
• Your search history and associated Results remain accessible in your dashboard for as long as your account is active and for 12 months following account deletion.

3.4 Account Preferences and Settings

Settings and preferences you configure within your account dashboard (e.g. notification preferences, display settings) are stored to personalise your experience.

3.5 Technical and Session Data

When you access the Service, we automatically collect certain technical data, including:

• IP address;
• browser type and version;
• device type and operating system;
• pages visited and time spent on the platform;
• session identifiers and timestamps.

This data is used for platform security, fraud prevention, abuse detection, and performance monitoring. It is not used for behavioural advertising.

3.6 Guest and Demo User Data

Unregistered visitors who use the guest demo search feature are subject to session-level tracking, including IP address and session identifiers. This data is collected to prevent abuse of the free demo query limit and is processed on the basis of legitimate interest. See Section 5.2 for further detail.

3.7 Phone Number

We do not collect your phone number at registration. A phone number may be requested on an optional basis if you contact our support team and choose to provide it for communication purposes.

3.8 Communications Data

If you contact us by email or through any support channel, we retain records of that correspondence, including your name (if provided), email address, and the content of the communication.

4. How We Use Your Personal Data

We use your personal data for the following purposes:

5. Legal Basis for Processing (UK GDPR / EU GDPR)

5.1 Contract Performance (Article 6(1)(b))

The majority of data processing on this platform is necessary to perform the contract between you and Sourcinq — specifically, to create and manage your account, process your Queries, deliver Results, and handle billing.

5.2 Legitimate Interests (Article 6(1)(f))

We process certain data on the basis of our legitimate interests, which we have assessed to not be overridden by your rights and interests:

• Platform security and fraud prevention: processing IP addresses, session data, and technical logs to detect and prevent unauthorised access, abuse, and fraudulent activity.
• Demo query abuse prevention: tracking session and IP data for unregistered guest users to enforce the one-demo-query limit and prevent circumvention through multiple sessions or devices.
• Sanctions screening: using billing address and country data to prevent service to users in sanctioned jurisdictions.
• Service improvement: using aggregated, anonymised analytics data to understand how the platform is used and identify areas for improvement.

5.3 Legal Obligation (Article 6(1)(c))

We retain payment transaction records for 7 years to comply with UK tax and accounting law requirements.

5.4 Consent (Article 6(1)(a))

We rely on your consent for:

• sending marketing or promotional communications — you may opt in during registration or at any time via your account settings, and opt out at any time;
• placing non-essential cookies (analytics cookies, including Google Analytics) — managed via our cookie consent banner.

Consent can be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.

6. Search Query Data and AI Processing — Important Disclosure

6.1 Transmission to AI Sub-processor

When you submit a search Query, your input (ASIN, UPC, brand name, or product name) is processed by our AI sub-processor as part of Sourcinq's core processing pipeline.

This is an essential sub-processing operation — the Service cannot function without it. By using the Service, you acknowledge and consent to your search inputs being processed by our AI sub-processor.

6.2 AI Data Use

Under our data processing agreement with our AI sub-processor, your data is not used to train AI models. We will update this disclosure if our AI provider's data processing terms materially change.

6.3 Storage of Results

Search inputs and the Results generated are stored within your account dashboard for the duration of your account and for 12 months following account deletion. You may delete individual search results from your dashboard at any time.

7. Sub-processors

Sourcinq uses the following third-party service providers (sub-processors) to deliver the Service. Each sub-processor is bound by contractual data protection obligations:

We do not sell, rent, or otherwise disclose your personal data to any third party for their own marketing or commercial purposes.

8. International Data Transfers

Sourcinq's primary infrastructure is hosted on DigitalOcean servers located in the UK/EU region, which means that for most data storage purposes, your data does not leave the UK or EEA.

However, certain sub-processors — specifically Stripe and OpenAI — are based in the United States. When your data is transferred to these processors, the transfer is conducted under appropriate safeguards as required by UK GDPR Article 46, specifically:

• Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO) or the European Commission, as applicable;
• Supplementary technical measures where required by the nature of the transfer.

By using the Service, you acknowledge that your search inputs and payment-related data may be processed in the United States by our sub-processors under these safeguards.

9. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this Policy, or as required by law.

When the applicable retention period expires, data is securely and permanently deleted or anonymised so that it can no longer be attributed to you.

10. Your Rights Under UK GDPR / EU GDPR

If you are located in the UK or EEA, you have the following rights in relation to your personal data:

Right of Access
You may request a copy of the personal data we hold about you.

Right to Rectification
You may request that we correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure ("Right to be Forgotten")
You may request that we delete your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis for processing.

Right to Restriction of Processing
You may request that we restrict how we process your data in certain circumstances — for example, while the accuracy of data is being contested.

Right to Data Portability
Where processing is based on contract performance or consent, and is carried out by automated means, you may request a copy of your data in a structured, commonly used, and machine-readable format.

Right to Object
You may object at any time to processing based on legitimate interests, including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.

Right to Withdraw Consent
Where processing is based on consent (e.g. marketing emails, analytics cookies), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.

Right to Lodge a Complaint
If you are in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EEA, you may contact your local supervisory authority.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days of receiving your request. In complex cases, we may extend this by a further 30 days, in which case we will notify you of the extension.

11. Additional Rights for California Residents (CCPA / CPRA)

If you are a resident of California, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you the following additional rights:

Right to Know
You have the right to know what categories and specific pieces of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it.

Right to Delete
You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.

Right to Correct
You have the right to request correction of inaccurate personal information we hold about you.

Right to Opt Out of Sale or Sharing
Sourcinq does not sell your personal information, nor do we share it for cross-context behavioural advertising purposes. No opt-out mechanism is required, but we disclose this explicitly for transparency.

Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights. Exercising these rights will not affect the price, quality, or availability of our Service.

Categories of Personal Information Collected
Under CCPA categories, we collect: Identifiers (email, IP address, billing address); Commercial information (transaction records, subscription history); Internet or other electronic network activity (search inputs, session data, usage logs).

Do Not Sell or Share My Personal Information
We do not sell or share your personal information. If you wish to make a verifiable consumer request under CCPA, please contact us at [email protected].

12. Additional Rights for Users in Other Jurisdictions

Canada (PIPEDA)
Canadian users have the right to access personal information we hold about them and to challenge its accuracy. Requests may be submitted to [email protected].

Singapore (PDPA), Thailand (PDPA B.E. 2562), and other Asia-Pacific jurisdictions
Users in applicable Asian jurisdictions have rights to access, correct, and in certain cases withdraw consent for the processing of their personal data, consistent with applicable local law. We extend equivalent rights to these users. Requests may be submitted to [email protected].

All Other Users
Regardless of your location, you may contact us at [email protected] to request access to, correction of, or deletion of your personal data. We will respond consistently with the standards described in Section 10.

13. Children and Minors

The Service is intended for users who are 18 years of age or older. Sourcinq does not knowingly collect personal data from any person under the age of 18.

If we become aware that an account has been created by or belongs to a person under 18, we will take steps to terminate the account and delete the associated personal data promptly. If you believe a minor has registered on the platform, please contact us at [email protected].

14. Sanctions Compliance and Geographic Restrictions

To comply with applicable international sanctions obligations, we collect and use your billing address and country to screen against sanctions lists maintained by:

• the Office of Foreign Assets Control (OFAC), United States;
• the Office of Financial Sanctions Implementation (OFSI), United Kingdom;
• the European Union sanctions framework.

Users identified as being located in, or conducting business on behalf of parties in, sanctioned jurisdictions are not permitted to register or use the Service. This screening is carried out as a legal obligation and legitimate interest.

15. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. These measures include:

• encrypted data transmission (HTTPS/TLS);
• access controls and role-based permissions within the platform;
• payment processing delegated entirely to PCI DSS-compliant Stripe;
• rate limiting and abuse detection on the platform;
• regular security monitoring of infrastructure.

No method of transmission over the internet or electronic storage is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security.

16. Cookies

Sourcinq uses cookies and similar tracking technologies on its platform. For detailed information about the types of cookies we use, how we use them, and how you can manage your cookie preferences, please refer to our Cookie Policy at sourcinq.com/cookie-policy.

17. Links to Third-Party Sites

The Service may contain links to third-party websites, including supplier websites returned in search Results. Sourcinq is not responsible for the privacy practices of those websites. We encourage you to review the privacy policies of any third-party sites you visit.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal obligations, or platform features. When we make material changes, we will:

• update the "Last Updated" date at the top of this page;
• notify registered users by email and/or via an in-platform notice.

We encourage you to review this Policy periodically. Your continued use of the Service after any update constitutes your acknowledgment of the revised Policy.

19. Contact and Data Requests

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

LEX RESO LTD
128 City Road, London, United Kingdom, EC1V 2NX
Company Number: 16682470
Email: [email protected]
Website: sourcinq.com

We aim to respond to all privacy-related requests within 30 days. For complex requests, we may extend this period by a further 30 days and will notify you accordingly.

If you are located in the UK and are not satisfied with our response, you have the right to escalate your complaint to the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113

© 2026 LEX RESO LTD. All rights reserved.