Privacy Policy

Last updated: June 11, 2026

Source & Sell ("we", "us", or "our") operates the wholesale marketplace at sourcensell.com (the "Site"), a US-based trading operation in California. This policy explains what information we collect when you use the Site, how we use it, who we share it with, and the choices you have. The Site is a business-to-business service, so the information we handle is primarily business contact information. This policy should be read together with our Terms of Service and Cookie Policy.

Information we collect

We collect only what we need to run the marketplace and respond to your inquiries:

• Account information. When you register, we collect your name, email address, company name, and a password. Passwords are stored only as a salted bcrypt hash — we never store or see your plain-text password.
• RFQ details. When you submit a request for quote, we collect the contact details you provide: name, business email, phone number, company, your message, and the products you are interested in.
• Cart contents. The products and quantities you add to your cart, so your cart persists between visits.
• Server logs. Like most websites, our servers automatically record technical data such as IP address, browser user agent, and request timestamps. We use these for security and troubleshooting.
• Cookies. A small number of first-party cookies needed for sign-in and your cart, described in our Cookie Policy.

When you submit an RFQ or a seller application, the Site also sends a transactional email containing your submission to our operations inbox so our team can respond.

How we use information

• to operate the Site, maintain your account, and keep your cart available;
• to review and respond to your RFQs and prepare quotes;
• to review seller applications;
• to secure the Site, prevent abuse, and troubleshoot problems;
• to improve the catalog and the Site experience;
• to comply with legal obligations.

We do not use your information for third-party advertising, and we do not send marketing email lists — email from us relates to your account, your RFQs, or the operation of the Site.

How we share information

We do not sell personal information, and we do not share it for cross-context behavioral advertising or any other third-party marketing. We disclose information only in these limited situations:

• Suppliers and logistics partners — only as needed to prepare your quote or fulfill an order you have agreed to, for example sharing your delivery details with a freight provider.
• Service providers — companies that help us run the Site, currently cloud hosting (Amazon Web Services) and email delivery providers. They process information on our behalf and only as needed to provide their service.
• Legal compliance — when required by law, legal process, or to protect the rights, safety, and security of the Site, our users, or others.
• Business transfers — if we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, and we will continue to handle it as described in this policy.

Data retention

We keep personal information only as long as we have a reason to. In practice:

• Account information is kept while your account is active, and for a reasonable period after closure so we can handle follow-up questions and meet our obligations; it is then deleted or de-identified.
• RFQs and related correspondence are kept as ordinary business records of the inquiries and transactions they relate to, including for as long as tax, accounting, or other legal requirements apply.
• Cart contents are kept while your cart is active; guest carts expire with the cart cookie, after at most 12 months.
• Server logs are short-lived — kept on a rolling basis for security monitoring and troubleshooting, then overwritten or deleted.

If you ask us to delete your information, we honor the request except for the specific records we need to keep for legal, accounting, security, or dispute-resolution purposes — and we will tell you if that is the case.

Security

We protect information in transit with TLS encryption, store passwords only as bcrypt hashes, and use HttpOnly session cookies so your sign-in token is not readable by scripts in the browser. Access to operational data is limited to the team that needs it. No system can be guaranteed 100% secure, but we work to keep protections current and proportionate to the data we hold.

Your privacy rights

Wherever you are located, you can ask us to access the information we hold about you, correct it, delete it, or provide a copy of it in a portable, readily usable format. To make a request, contact us through the Help Center and include the email address you used on your account or RFQ so we can locate your records.

We verify each request before acting on it — normally by confirming that you control the email address associated with the records, and, where needed, by asking for one or two additional details that we use only for verification. An authorized agent may submit a request on your behalf if they provide proof of your written authorization; we may still confirm the request with you directly. We respond within the time required by applicable law, and if we decline a request we will explain why; you can ask us to reconsider by replying through the same channel.

California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA"), gives you the right to:

• Know and access. Request the personal information we have collected about you, including the categories of information, the sources, the purposes, and the parties to whom it is disclosed.
• Correct. Ask us to fix inaccurate personal information.
• Delete. Ask us to delete your personal information, subject to the exceptions the law allows.
• Portability. Receive a copy of the information you provided to us in a portable, readily usable format.
• Opt out of sale or sharing. We do not sell personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined by the CPRA — and we have not done so in the preceding 12 months — so there is no sale or sharing to opt out of.
• Limit sensitive personal information. The only sensitive personal information we hold is your account password, stored as a bcrypt hash and used solely to sign you in — a use the CCPA permits without a separate limit option.
• Non-discrimination. We will not deny you service, charge you different prices, or otherwise retaliate against you for exercising any privacy right.

In CCPA terms, the categories of personal information we collect are identifiers and professional information (name, business email, phone number, company), commercial information (cart contents and RFQ history), and internet activity (server logs). We collect them directly from you or your device, and we disclose them only for the business purposes described in this policy. Submit CCPA requests through the channel described under "Your privacy rights" above; the same verification and authorized-agent rules apply.

Other US state privacy laws

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and obtain a copy of personal information, and to opt out of targeted advertising, the sale of personal data, and certain profiling. We do not engage in targeted advertising, do not sell personal data, and do not profile anyone in a way that produces legal or similarly significant effects. You can exercise these rights — and appeal a decision — through the channel described under "Your privacy rights" above.

International visitors (EEA and UK)

The Site is operated from the United States, and the information you submit is transferred to, processed, and stored in the United States, where data-protection laws may differ from those in your jurisdiction. We apply the practices described in this policy to all information we handle, wherever it comes from.

If you use the Site from the European Economic Area or the United Kingdom, our legal bases for processing under the GDPR and UK GDPR are:

• Contract. Operating your account and handling your RFQs and quotes — processing needed to perform a contract with you or to take steps at your request before entering one.
• Legitimate interests. Securing the Site, keeping server logs, preventing abuse, and running a business-to-business service, balanced against your rights and interests.
• Consent. Where required — and you may withdraw consent at any time without affecting earlier processing.
• Legal obligation. Retaining records we are required to keep.

In addition to the rights described above, you may restrict or object to certain processing, and you have the right to lodge a complaint with your local data-protection supervisory authority — in the UK, the Information Commissioner's Office — though we would welcome the chance to address your concern directly first.

Do Not Track and Global Privacy Control

Some browsers send "Do Not Track" or Global Privacy Control (GPC) signals. We do not track visitors across third-party websites, and we do not sell or share personal information, so we already operate the way these signals request: the Site works the same with or without them, and enabling them costs you nothing.

Children

The Site is a business-to-business service for adults acting on behalf of a business. It is not directed to children, and we do not knowingly collect personal information from anyone under 16. If you believe someone under 16 has provided us personal information, contact us through the Help Center and we will delete it.

Changes to this policy

We may update this policy as the Site evolves. When we do, we will revise the "Last updated" date at the top of this page — which is also the date each version takes effect — and material changes may be flagged on the Site. Your continued use of the Site after changes take effect means the updated policy applies.

Contact us

For privacy questions or requests, reach us through the contact options in the Help Center.