Privacy Policy.

Last updated · 2026-06-05

1. Scope

This Privacy Policy describes how sourceBOLD collects, uses, retains, and shares information when you use sourcebold.com or the sourceBOLD portal. “sourceBOLD,” “we,” “us,” or “our” means Proovn LLC, a Utah limited liability company headquartered in Saratoga Springs, Utah, doing business as sourceBOLD.

sourceBOLD is a business-to-business contractor sourcing platform. The information we process is, by design, information about people interacting with us in a professional capacity — engineering leaders evaluating our service, contractors engaged through us, recruiters who source candidates. We do not knowingly process information about individuals under 18.

2. Information we collect

From visitors to the marketing site

When you submit our contact form on /who-we-are or the “Get started” inquiry modal:

• Your name and work email (required)
• Company name (optional)
• The role you select or your typed description of what you’re seeking (optional)
• Team-size estimate, if you select one
• The page you submitted from (for our triage routing)
• Your message text (free-form)

We do not require any other information from public-site visitors. We do not run third-party advertising pixels and do not set advertising cookies. Our analytics are cookieless and aren’t designed to identify you — see our Cookie Policy.

From authenticated portal users

If you sign in to the portal (as a Client, Independent Contractor, Recruiter, or member of the sourceBOLD internal team), we process the information you provide for that role — including your name, email, role assignment, and any documents you upload as part of onboarding (e.g., W-9 / W-8BEN, identity documents, payout banking details). The specific data flows for each role are documented in your engagement’s MSA or the Independent Contractor Agreement.

Automatically

We automatically receive and log:

• Standard request metadata (IP address, user-agent string, request path, timestamp) — used for operational security, abuse detection, and error monitoring.
• An HTTP-only session cookie when you sign in. This cookie is functional/essential and is never sold or shared.
• If you enable multi-factor authentication, an encrypted MFA secret stored on your user record.

We separately maintain a cryptographic audit log that records sensitive state changes (account purges, payouts, contract signings, override actions). This audit log is tamper-evident — see Security.

Cookies

See our Cookie Policy for a full inventory of what we set, why, and how to manage your choices.

3. How we use it

We use the information described above to:

• Respond to inquiries from prospective clients and recruiters.
• Operate the portal: authentication, role-based access, contract signing, invoicing, payouts, and reimbursements.
• Comply with legal and tax obligations (e.g., U.S. tax-form collection for contractors, AML/KYC checks where applicable).
• Detect, investigate, and prevent abuse, fraud, and security incidents.
• Improve the Site and the portal — including measuring how the Site and the portal are used, with privacy-friendly, cookieless analytics that don’t identify you.

4. Sharing & subprocessors

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

We share information with the following subprocessors so they can perform a specific function on our behalf. Each one is bound by a written agreement that restricts use of the data to that function.

• Stripe — client invoicing, ACH collection, payment-method storage.
• Wise — contractor payout dispatch (cross-border).
• Resend — transactional email delivery (password resets, MFA, payout notices, contact-form notifications).
• Vercel — application hosting, request routing, blob storage for uploaded documents, and privacy-friendly cookieless analytics for our site (no cookies, no cross-site identifiers; designed not to collect personally identifiable information).
• Neon — managed Postgres database.
• Upstash — rate limiting / login-attempt throttling.
• Sentry — server- and client-side error tracking.
• Cloudflare — Turnstile bot-detection challenge on the contact and Get-started forms. Turnstile uses a one-time challenge token rather than cookies.

Customers who require a Data Processing Addendum (DPA) for their procurement or compliance program may request one as part of MSA negotiation by emailing admin@sourcebold.com.

We may also share information when required by law (e.g., in response to a valid subpoena or court order), in connection with a merger or asset sale (subject to appropriate confidentiality and continued protection of the information), or with your express consent for a specific purpose.

5. Retention

• Marketing-site contact-form and Get-started submissions: 24 months from submission, then deleted on our quarterly cleanup cadence.
• Portal account data: for the duration of the active engagement plus the period required by applicable tax and contractor-compliance regulations (typically up to seven years for financial records).
• Audit-log entries: retained for the life of the platform record — the cryptographic chain depends on persistence.
• Server request logs: 30 days, then aggregated or deleted.

You can request earlier deletion of your personal information — see Your rights and choices below. We may decline a deletion request in specific cases where retention is required by law (e.g., tax records during a regulatory retention window).

6. Security

The portal implements these technical controls today:

• Zero-trust default-deny architecture. Every server boundary checks role and identity before responding.
• Field-level encryption. Sensitive identifiers (payout banking, government IDs) are encrypted at rest using AES-256-GCM with a key derived via PBKDF2 (100,000 iterations).
• Tamper-evident audit log. Every sensitive state change writes a row to an append-only audit log with a cryptographic hash chain. Tampering with any row breaks the chain.
• Multi-factor authentication. MFA is available for all accounts and required for state-changing administrative actions.
• Rate limiting. Login endpoints are protected against credential-stuffing via per-IP and per-account limits.
• Compliance purge workflow. Executive Administrators can hard-delete a user record on request; the deletion is audit-logged and protected against accidentally removing the last active administrator.

No system is perfectly secure. In the event of a confirmed material security incident affecting personal information, we will notify the relevant regulators within 72 hours of confirmation where applicable law allows that timeline, and we will notify affected individuals without unreasonable delay. We may delay notification only when a law-enforcement agency directs us to, or when delay is necessary to investigate the incident or restore system integrity.

7. Your rights and choices

Subject to applicable law, you may request that we:

• Access the personal information we hold about you.
• Correct inaccurate personal information.
• Delete your personal information.
• Provide a portable copy of your personal information in a machine-readable format.
• Opt out of any sale or sharing of your personal information (we do neither today; this remains your right going forward).
• Limit our use of sensitive personal information to the purposes necessary to provide the service.

To exercise any of these rights, email admin@sourcebold.com with the subject “Privacy request.” We’ll acknowledge receipt within 10 business days and respond substantively within 30 days (or longer where the applicable state law permits an extension and we notify you of it). We will not discriminate against you for exercising these rights.

When we delete personal information at your request, fields referencing you in our records are nulled or redacted. The corresponding audit-log row itself remains so the cryptographic hash chain stays intact — the chain is what lets us prove tamper-evidence to regulators and auditors. We can also retain personal information where required by law (e.g., U.S. tax records during the statutory retention window); when that’s the case, the response will name which categories were retained and why.

We honor the Global Privacy Control (GPC) browser signal as an opt-out of any sale, sharing, or targeted advertising. We don’t sell or share personal information, run targeted advertising, or set non-essential cookies today, so there is nothing for the signal to switch off — but if that ever changes, a GPC signal is treated as an opt-out by default, with no separate request required.

Do not sell or share my personal information: sourceBOLD does not sell personal information and does not share it for cross-context behavioral advertising. If our practices change, this section will be updated and an opt-out mechanism will be added here.

8. State-specific notices

The following notices apply if you are a resident of one of these U.S. states. The substantive rights are described in Section 7; the notices below describe what each state additionally requires.

California (CCPA / CPRA)

The following table summarizes our collection and disclosure of personal information in the language of California Civil Code §1798.110.

• Categories collected: identifiers (name, email, IP); commercial information (your inquiry and the role you indicated); internet activity (request-path and user-agent logs); professional or employment information (your company and role). We do not collect biometric, geolocation, or sensitive personal information from marketing-site visitors.
• Sources of collection: directly from you (via the contact and Get-started forms) and automatically from your browser (request-path, user-agent, IP).
• Business purposes: responding to inquiries, operating the portal, meeting legal and tax obligations, detecting abuse and fraud, and improving the Site — as detailed in Section 3.
• Categories of recipients: the subprocessors named in Section 4, each bound by a written agreement that restricts use of the data to their assigned function. We do not sell personal information and do not share it for cross-context behavioral advertising.
• Retention: the periods described in Section 5.

Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA)

You may exercise the rights described in Section 7, including the right to opt out of (i) the sale of personal information, (ii) targeted advertising, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects. None of these activities apply today, but the rights are reserved for you regardless. We recognize universal opt-out signals (Global Privacy Control) and you have the right to appeal a denial of your request — replies will include appeal instructions when applicable.

Utah (UCPA)

You may exercise the rights described in Section 7. Utah residents may also direct us not to process sensitive personal information; we do not process sensitive personal information from marketing-site visitors.

9. Children’s privacy

The Site and the portal are intended for use by individuals 18 or older in a professional capacity. We do not knowingly collect personal information from children under 13 (under COPPA) or under 18 (broader best practice). If you believe a child has submitted personal information to us, please contact admin@sourcebold.com and we will promptly delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we’ll update the “Last updated” date at the top. Material changes will be highlighted with a banner or equivalent notice on the Site for a reasonable period.

11. Contact

For privacy questions or to exercise any of the rights above:

• Email: admin@sourcebold.com
• Postal: sourceBOLD, 212 E Crossroads Blvd #218, Saratoga Springs, UT 84045