Legal

Privacy Policy.

Last updated · 2026-05-23

1. Scope

This Privacy Policy describes how sourceBOLD collects, uses, retains, and shares information when you use sourcebold.com or the sourceBOLD portal. “sourceBOLD,” “we,” or “us” means sourceBOLD, a Utah company headquartered in Saratoga Springs, Utah.

sourceBOLD is a business-to-business contractor sourcing platform. The information we process is, by design, information about people interacting with us in a professional capacity — engineering leaders evaluating our service, contractors engaged through us, recruiters who source candidates. We do not knowingly process information about individuals under 18.

2. Information we collect

From visitors to the marketing site

When you submit our contact form on /who-we-are or the “Get started” inquiry modal:

  • Your name and work email (required)
  • Company name (optional)
  • The role you select or your typed description of what you’re seeking (optional)
  • Team-size estimate, if you select one
  • The page you submitted from (for our triage routing)
  • Your message text (free-form)

We do not require any other information from public-site visitors. We do not run third-party advertising pixels today; if and when we do, the use of those pixels will be governed by your cookie-consent choice.

From authenticated portal users

If you sign in to the portal (as a Client, Independent Contractor, Recruiter, or member of the sourceBOLD internal team), we process the information you provide for that role — including your name, email, role assignment, and any documents you upload as part of onboarding (e.g., W-9 / W-8BEN, identity documents, payout banking details). The specific data flows for each role are documented in your engagement’s MSA or the Independent Contractor Agreement.

Automatically

We automatically receive and log:

  • Standard request metadata (IP address, user-agent string, request path, timestamp) — used for operational security, abuse detection, and error monitoring.
  • An HTTP-only session cookie when you sign in. This cookie is functional/essential and is never sold or shared.
  • If you enable multi-factor authentication, an encrypted MFA secret stored on your user record.

We separately maintain a cryptographic audit log that records sensitive state changes (account purges, payouts, contract signings, override actions). This audit log is tamper-evident — see Security.

Cookies

See our Cookie Policy for a full inventory of what we set, why, and how to manage your choices.

3. How we use it

We use the information described above to:

  • Respond to inquiries from prospective clients and recruiters.
  • Operate the portal: authentication, role-based access, contract signing, invoicing, payouts, and reimbursements.
  • Comply with legal and tax obligations (e.g., U.S. tax-form collection for contractors, AML/KYC checks where applicable).
  • Detect, investigate, and prevent abuse, fraud, and security incidents.
  • Improve the Site and the portal — including measuring how the marketing site is used only if you’ve consented to analytics cookies.

4. Sharing & subprocessors

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

We share information with the following subprocessors so they can perform a specific function on our behalf. Each one is bound by a written agreement that restricts use of the data to that function.

  • Stripe — client invoicing, ACH collection, payment-method storage.
  • Wise — contractor payout dispatch (cross-border).
  • Resend — transactional email delivery (password resets, MFA, payout notices, contact-form notifications).
  • Vercel — application hosting, request routing, blob storage for uploaded documents.
  • Neon — managed Postgres database.
  • Upstash — rate limiting / login-attempt throttling.
  • Sentry — server- and client-side error tracking.

We may also share information when required by law (e.g., in response to a valid subpoena or court order), in connection with a merger or asset sale (subject to appropriate confidentiality and continued protection of the information), or with your express consent for a specific purpose.

5. Retention

  • Marketing-site contact-form and Get-started submissions: 24 months from submission, then deleted on our quarterly cleanup cadence.
  • Portal account data: for the duration of the active engagement plus the period required by applicable tax and contractor-compliance regulations (typically up to seven years for financial records).
  • Audit-log entries: retained for the life of the platform record — the cryptographic chain depends on persistence.
  • Server request logs: 30 days, then aggregated or deleted.

You can request earlier deletion of your personal information — see Your rights and choices below. We may decline a deletion request in specific cases where retention is required by law (e.g., tax records during a regulatory retention window).

6. Security

The portal implements these technical controls today:

  • Zero-trust default-deny architecture. Every server boundary checks role and identity before responding.
  • Field-level encryption. Sensitive identifiers (payout banking, government IDs) are encrypted at rest using AES-256-GCM with a key derived via PBKDF2 (100,000 iterations).
  • Tamper-evident audit log. Every sensitive state change writes a row to an append-only audit log with a cryptographic hash chain. Tampering with any row breaks the chain.
  • Multi-factor authentication. MFA is available for all accounts and required for state-changing administrative actions.
  • Rate limiting. Login endpoints are protected against credential-stuffing via per-IP and per-account limits.
  • Compliance purge workflow. Executive Administrators can hard-delete a user record on request; the deletion is audit-logged and protected against accidentally removing the last active administrator.

No system is perfectly secure. We will notify affected individuals and the appropriate regulators about security incidents in accordance with applicable law and within the timelines the law requires.

7. Your rights and choices

Subject to applicable law, you may request that we:

  • Access the personal information we hold about you.
  • Correct inaccurate personal information.
  • Delete your personal information.
  • Provide a portable copy of your personal information in a machine-readable format.
  • Opt out of any sale or sharing of your personal information (we do neither today; this remains your right going forward).
  • Limit our use of sensitive personal information to the purposes necessary to provide the service.

To exercise any of these rights, email admin@sourcebold.com with the subject “Privacy request.” We’ll acknowledge receipt within 10 business days and respond substantively within 30 days (or longer where the applicable state law permits an extension and we notify you of it). We will not discriminate against you for exercising these rights.

We honor the Global Privacy Control (GPC) browser signal as an opt-out of any sale, sharing, or targeted advertising. When your browser asserts GPC, our cookie banner will not appear and your consent for analytics defaults to denied.

Do not sell or share my personal information: sourceBOLD does not sell personal information and does not share it for cross-context behavioral advertising. If our practices change, you will be able to opt out at the link we add to this page and the footer.

8. State-specific notices

The following notices apply if you are a resident of one of these U.S. states. The substantive rights are described in Section 7; the notices below describe what each state additionally requires.

California (CCPA / CPRA)

Categories of personal information we collect, in the language of California Civil Code §1798.140: identifiers (name, email, IP); commercial information (your inquiry and the role you indicated); internet activity (request-path and user-agent logs, plus cookie data if you consent); professional or employment information (your company and role). We collect this from you directly via the forms on this Site, or automatically from your browser. We do not collect biometric, geolocation, or sensitive personal information for marketing-site visitors. We do not sell personal information and do not share it for cross-context behavioral advertising. We retain personal information for the periods described in Section 5.

Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA)

You may exercise the rights described in Section 7, including the right to opt out of (i) the sale of personal information, (ii) targeted advertising, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects. None of these activities apply today, but the rights are reserved for you regardless. We recognize universal opt-out signals (Global Privacy Control) and you have the right to appeal a denial of your request — replies will include appeal instructions when applicable.

Utah (UCPA)

You may exercise the rights described in Section 7. Utah residents may also direct us not to process sensitive personal information; we do not process sensitive personal information from marketing-site visitors.

9. Children’s privacy

The Site and the portal are intended for use by individuals 18 or older in a professional capacity. We do not knowingly collect personal information from children under 13 (under COPPA) or under 18 (broader best practice). If you believe a child has submitted personal information to us, please contact admin@sourcebold.com and we will promptly delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we’ll update the “Last updated” date at the top. Material changes will be highlighted with a banner or equivalent notice on the Site for a reasonable period.

11. Contact

For privacy questions or to exercise any of the rights above: