Sourcebae ("Sourcebae", "we", "our", or "us") is an AI workforce infrastructure platform operated by Shethink Private Limited, a company incorporated in India with its registered office in Indore, Madhya Pradesh. Sourcebae provides credentialed domain experts, data annotation, data collection, Reinforcement Learning from Human Feedback (RLHF), Large Language Model (LLM) evaluation, red-teaming, and human-in-the-loop services to enterprise clients globally.

We are committed to protecting your privacy and handling personal data with transparency, accountability, and in compliance with applicable data protection laws, including:

• The General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR;
• The Digital Personal Data Protection Act, 2023 of India ("DPDP Act");
• The California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"); and
• Other applicable data protection and privacy laws in jurisdictions where we operate.

This Privacy Policy explains how we collect, use, disclose, store, transfer, and safeguard personal data when you access or use https://sourcebae.com, our platforms (including Sourcebae Portal, Homans.ai, and SalesFlow), AI-powered tools, dashboards, CRM features, integrations, and related services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Services.

This Privacy Policy applies to all personal data processed by Sourcebae in connection with our Services, including data relating to:

• Visitors to our website (https://sourcebae.com)
• Candidates, domain experts, and freelancers registering with or engaged through our platform
• Enterprise clients and their authorized representatives
• Employees, contractors, and workforce members of Sourcebae
• Vendors, suppliers, and business partners

Depending on the context, Sourcebae acts in one of two roles:

Data Controller / Data Fiduciary: When we determine the purposes and means of processing personal data - for example, when we collect candidate data through our own website, manage our workforce, or engage with vendors.

Data Processor / Data Processor under the DPDP Act: When we process personal data on behalf of our enterprise clients under their instructions - for example, when we perform annotation, RLHF, or evaluation work on data supplied by clients. In such cases, the client is the Data Controller/Data Fiduciary, and our processing is governed by the Data Processing Agreement (DPA) or equivalent contract signed with that client.

"Personal Data" / "Personal Information" means any information relating to an identified or identifiable natural person, as defined under GDPR, the DPDP Act, and CCPA/CPRA.

"Processing" means any operation performed on personal data, including collection, recording, storage, use, disclosure, transfer, and deletion.

"Data Subject" / "Data Principal" / "Consumer" means the individual to whom the personal data relates.

"Sensitive Personal Data" means categories of personal data requiring enhanced protection under applicable law, such as data concerning health, biometric data, racial/ethnic origin, religious beliefs, sexual orientation, or financial information.

We collect the following information when you register, apply for roles, engage with clients, or contact us:

• Identity data: name, date of birth, gender (optional)
• Contact data: email address, phone number, postal address
• Professional data: company name, role, business details, resume/CV, employment history, skills, certifications, educational qualifications, professional licenses (e.g., medical registration numbers, bar council IDs, CA membership numbers)
• Interview and assessment data: interview responses, including audio/video recordings, written assessments, and evaluation outputs
• Client engagement data: client hiring requirements, communications, and feedback
• Commercial data: billing, invoicing, tax identifiers, bank/payment information, and contractual information
• Government-issued identifiers (where legally required): PAN, Aadhaar (for limited KYC purposes), passport details (for cross-border engagements)

When you use the Services, we may automatically collect:

• Device and technical data: IP address, browser type, operating system, device identifiers, time zone
• Usage data: pages visited, time spent, clicks, navigation paths, and interaction data
• Cookies and similar tracking technologies (see Section 10)
• Log files and performance data

We may receive limited data from:

• Job boards, recruitment partners, and referral sources
• Analytics and performance measurement tools
• Social login providers (if you choose to sign in with such services)
• Public professional profiles (e.g., LinkedIn) where you have made such information publicly available
• Background verification agencies (with your consent, where required for client engagements)

When we provide data annotation, collection, RLHF, evaluation, or red-teaming services to enterprise clients, we may process personal data contained within datasets supplied by those clients. We process such data strictly in accordance with the client's instructions and the Data Processing Agreement (DPA) or equivalent contract in place.

We process personal data for the following purposes:

• To provide and operate our recruitment, staffing, and AI workforce services
• To match candidates with relevant job opportunities and client engagements
• To deliver AI-assisted screening, vetting, and interview analysis through our platforms (including SAIRA)
• To operate dashboards, CRM tools, and workflows for enterprise clients
• To communicate with users regarding services, updates, and support
• To invoice clients, process payments, and manage contractual obligations
• To improve platform functionality, reliability, and user experience
• To detect, prevent, and respond to fraud, security incidents, and misuse of the Services
• To comply with legal, regulatory, tax, and contractual obligations
• To enforce our terms of service and protect our legal rights

Sourcebae does not sell personal data, nor do we use personal data for third-party advertising or profiling unrelated to the Services.

Under the GDPR and UK GDPR, we rely on the following legal bases to process your personal data:

Consent (Article 6(1)(a)): Where you have given us clear, informed, and specific consent for a defined purpose (e.g., optional marketing communications, sensitive data processing, specific integrations such as Gmail sync).

Contractual Necessity (Article 6(1)(b)): Where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract (e.g., processing your application, delivering services you requested).

Legal Obligation (Article 6(1)(c)): Where processing is necessary to comply with applicable laws (e.g., tax, labor, anti-money laundering regulations).

Legitimate Interests (Article 6(1)(f)): Where processing is necessary for our legitimate business interests, provided such interests are not overridden by your rights and freedoms (e.g., platform security, fraud prevention, service improvement, business operations).

Where we process special categories of personal data (GDPR Article 9), we do so only with your explicit consent or where another lawful basis under Article 9(2) applies.

You have the right to withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

For Data Principals in India, Sourcebae processes personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act").

Sourcebae processes personal data on the following lawful bases under the DPDP Act:

• Free, specific, informed, and unambiguous consent from the Data Principal;
• Performance of a contract or provision of a service requested by the Data Principal;
• Compliance with legal obligations; and
• Other legitimate uses recognized under the DPDP Act.

As a Data Principal under the DPDP Act, you have the right to:

• Obtain a summary of the personal data being processed and the processing activities undertaken;
• Request correction, completion, updating, or erasure of your personal data;
• Nominate another individual to exercise your rights in the event of death or incapacity;
• Readily available grievance redressal through Sourcebae; and
• Withdraw consent previously given.

For grievances under the DPDP Act, please contact our designated point of contact:

Email: connect@sourcebae.com
Sourcebae (Shethink Private Limited), Indore, Madhya Pradesh, India

We will acknowledge your grievance within a reasonable timeframe and respond in accordance with the DPDP Act. If you are dissatisfied, you may escalate to the Data Protection Board of India.

If you are a California resident, you have the following rights under the CCPA/CPRA:

Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of such information, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.

Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.

Right to Correct: You may request correction of inaccurate personal information.

Right to Opt Out of Sale or Sharing: Sourcebae does not sell personal information and does not share personal information for cross-context behavioral advertising.

Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of sensitive personal information to purposes specifically permitted under the CCPA/CPRA.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, email connect@sourcebae.com. We will verify your identity before processing the request and respond within the timeframes required by law (generally 45 days, extendable once by an additional 45 days where reasonably necessary).

You may also designate an authorized agent to submit requests on your behalf.

Sourcebae uses artificial intelligence and automated systems, including our SAIRA platform, to assist with:

• Resume and profile screening
• Interview analysis, scoring, and reporting
• Candidate-role matching and ranking
• Workflow automation

AI-generated outputs produced by Sourcebae's platforms are decision-support tools only. Final hiring, engagement, and evaluation decisions remain under human control. AI outputs may not always be accurate, complete, or definitive, and should not be relied upon as the sole basis for any decision affecting you.

Under Article 22 of the GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you.

Where automated processing is used in a way that could produce such effects, you have the right to:

• Request human intervention in the decision;
• Express your point of view regarding the decision; and
• Contest the decision.

To exercise these rights, contact connect@sourcebae.com. A qualified member of our team will review your request and respond within a reasonable timeframe.

Only after explicit user consent, Sourcebae may access:

• Gmail email messages and threads (read-only access only)
• Email metadata (sender, recipient, subject line, timestamps)
• Basic Google profile information (name and email address)

Sourcebae does not:

• Send emails on your behalf
• Modify, delete, or create emails
• Access unrelated inbox content

Gmail data is used strictly to:

• Display email conversations between users and their clients
• Provide communication context inside the Sourcebae CRM or admin dashboard
• Improve productivity and communication tracking

Gmail data is never used for advertising, marketing, profiling, or training AI models.

Email data may be temporarily cached to improve performance. Data is retained only for as long as required to provide the feature. Users may disconnect Gmail at any time, after which access tokens are revoked.

Sourcebae does not sell, rent, or share Gmail data. Access is limited strictly to the authenticated user and authorized internal systems required to deliver the service.

We apply the following safeguards for Gmail data:

• Secure OAuth token storage
• Encrypted data transmission
• Restricted internal access controls

Users can revoke Gmail access at any time through Google Account permissions or by disconnecting Gmail within the Sourcebae application. Once revoked, Sourcebae immediately stops accessing Gmail data.

We use cookies and similar technologies to operate and improve our Services. Cookies fall into the following categories:

Strictly Necessary Cookies: Required for the core functioning of the website (e.g., authentication, security, load balancing). These cannot be disabled.

Functional Cookies: Enable enhanced functionality and personalization (e.g., remembering preferences).

Analytics / Performance Cookies: Help us understand how users interact with the Services so we can improve them.

Marketing Cookies: Used to deliver relevant content and measure campaign performance. Only set with your consent where required by law.

You can control cookies through your browser settings or through any cookie consent mechanism we display on our website. Disabling certain cookies may limit functionality.

We may share personal data with the following categories of recipients:

Internal teams and group entities: Employees, contractors, and affiliates of Sourcebae and Shethink Private Limited who require access to perform their roles.

Enterprise clients: Candidate data, interview outputs, and evaluation results are shared with clients to facilitate hiring and engagement decisions. Such sharing is governed by our contracts with clients.

Service providers and sub-processors: Third-party vendors that support our operations, including cloud infrastructure providers, email and communication platforms, payment processors, analytics providers, and authentication services. All such providers are required to process personal data only for specified purposes and to maintain appropriate security safeguards through contractual obligations.

Professional advisors: Auditors, lawyers, accountants, and consultants where necessary.

Legal and regulatory authorities: Where required by law, regulation, legal process, or enforceable governmental request.

In business transactions: In connection with a merger, acquisition, reorganization, or sale of assets, subject to appropriate confidentiality and data protection obligations.

We do not sell personal data to third parties for advertising or profiling purposes.

A current list of key sub-processors can be provided to enterprise clients on request as part of our Data Processing Agreement (DPA).

Sourcebae is headquartered in India, and personal data may be processed and stored in India or in other countries where our service providers operate.

Where we transfer personal data from the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data transfer restrictions to countries that have not been deemed to provide an adequate level of protection, we implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• UK International Data Transfer Agreement or UK Addendum to the EU SCCs, where applicable;
• Supplementary technical and organizational measures as appropriate;
• Other lawful transfer mechanisms recognized under applicable law.

You may request a copy of the relevant transfer safeguards by contacting connect@sourcebae.com.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. Our general retention approach is:

Candidate and expert profiles: Retained for the duration of the relationship and for a reasonable period thereafter to support future opportunities, or until the Data Principal requests deletion.

Client records and contracts: Retained for the duration of the engagement and for the period required under applicable contract law, tax law, and statute of limitations.

Financial and tax records: Retained in accordance with applicable tax and accounting regulations (typically 7-8 years under Indian law).

Employee and contractor records: Retained in accordance with applicable labor and employment laws.

Website analytics and log data: Retained for a limited period consistent with the purpose for which it was collected.

Gmail Sync data: Retained only for as long as the integration is active. Deleted upon disconnection.

When personal data is no longer required, we delete it securely or anonymize it so it can no longer be associated with an identifiable individual.

Sourcebae implements reasonable technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. Our security practices include:

Access controls: Role-based access to systems and data, with access limited to authorized personnel on a need-to-know basis.

Authentication: Use of strong passwords and multi-factor authentication (MFA) for access to sensitive systems.

Encryption: Personal data is encrypted in transit using industry-standard TLS protocols. Sensitive data at rest is protected through encryption where technically feasible.

Confidentiality obligations: All employees, contractors, domain experts, and vendors are bound by written confidentiality agreements.

Secure development practices: Application security practices aligned with industry standards, including OWASP guidelines, applied to our platforms.

Monitoring and logging: Logging and monitoring of critical systems to detect unusual or unauthorized activity.

Incident response: Internal procedures to identify, contain, and respond to security incidents, including notification to affected individuals and regulators where required by law.

Vendor due diligence: Reasonable due diligence on third-party service providers handling personal data, including contractual data protection obligations.

Sourcebae continues to mature its information security program and is actively working toward formal alignment with internationally recognized security frameworks. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a personal data breach affecting your rights and freedoms, we will notify affected individuals and regulators in accordance with applicable law.

Subject to applicable law, Data Subjects in the EEA, UK, and other GDPR-adjacent jurisdictions have the following rights:

Right of access: Obtain confirmation of whether we process your personal data and a copy of that data.

Right to rectification: Request correction of inaccurate or incomplete personal data.

Right to erasure (right to be forgotten): Request deletion of personal data in certain circumstances.

Right to restrict processing: Request restriction of processing in certain circumstances.

Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to object: Object to processing based on legitimate interests or direct marketing.

Right to withdraw consent: Withdraw consent at any time where processing is based on consent.

Right to lodge a complaint: Lodge a complaint with a supervisory authority, such as the Information Commissioner's Office (ICO) in the UK, or your local EU supervisory authority.

To exercise these rights, email connect@sourcebae.com. We will respond within the timeframes required by applicable law (generally one month under GDPR, extendable by two additional months for complex requests).

We may need to verify your identity before fulfilling your request to protect against unauthorized access.

Our Services are intended for users 18 years of age or older. We do not knowingly collect personal data from children under 18. Under the DPDP Act, processing personal data of children (individuals below 18 in India) requires verifiable parental consent and is subject to additional restrictions.

If you believe we have inadvertently collected personal data from a minor, please contact us at connect@sourcebae.com and we will take steps to delete such information promptly.

Our Services may contain links to websites, applications, or services operated by third parties. We are not responsible for the privacy practices or content of such third parties. We encourage you to review their privacy policies before providing personal data.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be notified through appropriate channels (e.g., website notice, email). The "Last Updated" date at the top of this policy indicates when it was last revised.

Your continued use of the Services after the effective date of any updated Privacy Policy constitutes your acceptance of the updated terms.

For any privacy-related questions, requests, or concerns, please contact:

Sourcebae (Shethink Private Limited)
Attention: Privacy Team / Grievance Officer
Email: connect@sourcebae.com
Address: Indore, Madhya Pradesh, India

For enterprise clients requiring a Data Processing Agreement (DPA), Standard Contractual Clauses, or additional documentation, please contact connect@sourcebae.com.