Sourced
Legal · 001

Privacy Policy

Last updated: [DATE] Effective: [DATE]

Draft for legal review. This is a starting template that reflects the data-minimization commitments described in Sourced's design. A licensed attorney must review this document before it is published or relied upon. Bracketed text marks fields that need to be filled in or decided.

The short version

Sourced is built on a simple promise: we collect only what we need to run the platform, and we never sell your data. No advertising profiles. No tracking pixels from third parties. No data sold to brokers, marketers, or AI training companies. If we need new data for a new feature, we will ask before we collect it.

This is a longer, formal version of the same promise.

1. Who we are

Sourced is operated by [LEGAL ENTITY NAME], a [STATE] [ENTITY TYPE], located at [ADDRESS]. We can be reached at [PRIVACY EMAIL — e.g. privacy@sourced.app].

For users in the European Economic Area, the United Kingdom, or Switzerland, our data protection contact is [EU REPRESENTATIVE OR INTERNAL DPO CONTACT].

For users in California, you have specific rights under the California Consumer Privacy Act (CCPA). See Section 11.

2. What we collect, and why

We organize this by purpose, so you can see exactly why each piece of data exists.

2.1 To create an account

We collect:

  • Your email address (used for sign-in, password reset, security notifications, and platform announcements you've opted into).
  • A username that you choose, which is public.
  • A display name that you choose, which is public.
  • A hashed password, or an OAuth identifier from your authentication provider (e.g., Google).
  • The timestamp of your account creation.

We do not collect: your phone number (unless you opt into two-factor authentication later), your real legal name (unless required for payouts — see Section 2.4), your physical address (same exception), your date of birth (we collect only that you self-attest you are 13 or older, per Section 9), your gender, your race or ethnicity, or any biometric data.

2.2 To make the platform work

When you use Sourced, we collect:

  • The content of posts and comments you publish, plus any media you upload to those posts.
  • The sources you cite on content posts (URLs, titles, publishers, excerpts).
  • Your reactions (insightful, agree, disagree, sourced, thanks) and which posts you reacted to.
  • Your friendships (who you've added, who has added you).
  • Your blocks (who you have blocked).
  • The timestamps of these actions.

This data exists because Sourced cannot function without it. A social platform necessarily knows who is connected to whom and what they've said.

2.3 For security and fraud prevention

We collect, in our server logs, for a limited time:

  • The IP address from which you connect to Sourced.
  • Your user agent (browser and operating system version your browser reports).
  • The time and outcome of authentication attempts.
  • For ad and promotion fraud detection: which posts you saw and when, in aggregate.

These logs are retained for up to 90 days, then deleted, except where a specific log entry is part of an active security investigation or is required by law to be retained longer.

We do not use this data to build advertising profiles. We do not share it with marketers. We use it only to detect abuse, fix bugs, and meet our legal obligations.

2.4 If you receive payouts (content tier creators only)

If you choose to receive ad revenue or promotion-fee distributions, we use Stripe Connect to handle payments. Stripe — not Sourced — collects:

  • Your legal name, address, and date of birth (for identity verification).
  • Your taxpayer identification number (SSN, EIN, or equivalent for non-US users).
  • Your bank account or debit card details, for receiving payouts.
  • Documentation Stripe uses for "Know Your Customer" (KYC) and anti-money-laundering compliance.

Sourced does not see or store your taxpayer ID, bank details, or full SSN. We see only:

  • Your Stripe Connect account ID.
  • Your KYC status (verified / not verified / restricted), so we know whether to allow withdrawals.
  • The amounts of payouts requested and completed, for our own accounting and your wallet display.
  • The 1099-NEC reporting status at year end (Stripe generates and files the form; we receive a record that it was filed).

Stripe's own privacy practices are governed by their privacy policy, available at https://stripe.com/privacy.

2.5 If you advertise or promote a post (paying users)

If you pay to promote one of your content-tier posts, we collect:

  • The promotion details (which post, dates, amount paid, impressions delivered).
  • The payment record from Stripe (Sourced does not see your card number directly; Stripe handles it).

2.6 Cookies and similar technology

We use cookies — small files your browser stores — for two purposes only:

  • Essential cookies: keeping you signed in, remembering your language preference, securing your session against tampering. These cannot be disabled because the platform cannot function without them.
  • Analytics cookies: see Section 4.

We do not use third-party advertising cookies. We do not allow trackers from advertising networks, social networks, or data brokers on our pages.

3. What we do not collect

We want this to be specific, not vague. Sourced does not:

  • Build advertising profiles about you, on our site or anywhere else.
  • Track you across other websites or apps.
  • Allow third-party advertising trackers, pixels, or fingerprinting on Sourced.
  • Sell, rent, or trade your personal data to anyone.
  • Share your data with data brokers.
  • Use your posts, comments, or messages to train AI models, except as described in Section 6 (where AI is used for moderation and source verification of your content on Sourced itself, not for training models distributed elsewhere).
  • Read your private direct messages for advertising or profiling purposes. (Note: as of Phase 1, Sourced does not offer direct messages at all.)
  • Collect contact lists from your phone, email, or other accounts.
  • Collect your precise location (GPS). We may infer your country and region from your IP address for legal compliance, fraud prevention, and showing you the right language.
  • Use deceptive design ("dark patterns") to obtain consent for data collection.

4. Analytics

We use a self-hosted, privacy-respecting analytics tool (currently [PostHog or alternative]) to understand how Sourced is used. The analytics:

  • Run on infrastructure we control, not a third-party service that resells data.
  • Are scoped to sourced.app only — they do not follow you to other sites.
  • Anonymize IP addresses before storage.
  • Do not use cross-site tracking cookies.

You can opt out of analytics in your account settings. Opting out does not affect any platform functionality.

5. Who can see what

5.1 Public posts (content tier)

Content-tier posts are public by default. That means:

  • Anyone with an internet connection can see them, including search engines that may index them.
  • Once published, you should assume they are findable indefinitely, even if you later delete them — quoted, archived, or screenshotted by others.

5.2 Friends-only posts (status, personal)

These are visible only to people you've accepted as friends. We do not allow non-friends to view them. Note, however:

  • Friends can screenshot, quote, or share your friends-only content. The technical platform restricts access; it cannot prevent a friend from copying.
  • We may access friends-only content for moderation if a friend reports it for a violation of our Community Guidelines, or if law requires us to (Section 8).

5.3 What other users see about you

By default, other users can see:

  • Your username, display name, member-since date, reputation score, and your public posts.
  • If they are your friend, your personal and status posts.
  • Comments you've made on any post they can see.
  • Your reactions on posts they can see.

Other users cannot see: your email, your IP address, your friend list (unless you choose to make it public in settings, if such a setting exists), your blocks, your wallet balance, your payout setup status, your moderation history.

5.4 What Sourced staff can see

A small number of authorized Sourced personnel can access user data only when necessary to:

  • Investigate a moderation report or a security incident.
  • Provide customer support that you've requested.
  • Comply with a valid legal request.
  • Maintain or repair the platform.

Access is logged. We do not browse user content for entertainment or for any commercial purpose unrelated to the above.

6. AI moderation and source verification

Sourced uses an AI model (currently [OpenAI / Anthropic — to be confirmed]) to:

  • Check posts for violations of Community Guidelines (spam, abuse, hate speech, content that endangers minors).
  • Verify whether a cited source actually supports the claim made in a content-tier post.

When we send your post or source citation to this AI provider, we send only the content of that specific post or citation, not your account history, friend graph, or other personal data. The AI provider's terms with us prohibit them from using this content to train their models. [Confirm with chosen provider's data processing agreement.]

If you'd prefer that we use a different model or process moderation manually, we cannot accommodate per-user variation in moderation, but you can request review of any decision via the appeal process (Section 13).

7. Data retention

We keep data for as long as it is needed for the purpose it was collected, then delete or anonymize it. Specifically:

| Data | Retention |
|------|-----------|
| Active account data (profile, posts, friends, reactions) | While your account is open |
| Server logs (IP, user agent, auth attempts) | Up to 90 days |
| Ad event records | 90 days, then anonymized |
| Payout records | 7 years (US tax requirement) |
| Moderation decisions and reports | 3 years from resolution |
| Deleted posts | 30 days in soft-delete (recoverable), then permanent deletion |
| Closed accounts | 30 days in soft-delete, then deletion of personal data; anonymized post history may remain if other users have engaged with it (their reactions and comments are theirs, not yours) |
| Backups | Up to 90 days; restoration of a deleted account from backup occurs only in the case of accidental deletion within the 30-day soft-delete window |

8. When we share data with others

We share data only in these specific situations:

  • Service providers that operate Sourced infrastructure: hosting (Supabase, Vercel), payments (Stripe), error monitoring (Sentry), email delivery ([Postmark / Resend / specify]), AI moderation ([OpenAI / Anthropic]). These providers are contractually limited to processing data for Sourced's purposes only.
  • Legal compliance: if we receive a valid subpoena, court order, or other legal demand we believe to be lawful and properly scoped, we will comply with it. Where law allows, we will notify you first so you have an opportunity to challenge the demand.
  • Safety: if we believe in good faith that disclosure is necessary to prevent imminent serious harm to a person, we may share data with appropriate authorities.
  • Business transfers: if Sourced is acquired or merges with another company, your data would be part of that transaction. The acquiring entity would be bound by this Privacy Policy or you would be notified of changes in advance.
  • Aggregated, non-identifying statistics: we may publish aggregate data (e.g., "Sourced has 50,000 monthly active users") that does not identify any individual user.

We do not share data with: advertising networks (we don't run third-party ads), data brokers, AI model trainers (except moderation as described in Section 6), or anyone else for marketing or profiling purposes.

9. Children

Sourced is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us at [PRIVACY EMAIL] and we will delete the account.

For users 13–17, parental involvement is encouraged. We do not currently offer specific parental controls; this may change as the platform matures.

10. Your rights

Regardless of where you live, you can:

  • Access the personal data we hold about you, by exporting your data from your account settings.
  • Correct inaccurate personal data by editing your profile or contacting us.
  • Delete your account and the personal data associated with it, from your account settings.
  • Object to specific uses of your data by contacting us.

If you live in the EEA, UK, or Switzerland, you have additional rights under the GDPR, including the right to data portability, the right to restrict processing, and the right to lodge a complaint with your local data protection authority. The legal bases on which we process your data are: (a) performance of our contract with you (most platform functions), (b) our legitimate interests in operating and securing the platform, (c) your consent (for optional features like analytics), and (d) compliance with legal obligations (tax records, lawful demands).

If you live in California, see Section 11.

To exercise any of these rights, contact [PRIVACY EMAIL]. We will respond within the timeframes required by applicable law (generally 30 days, sometimes 45).

11. California residents (CCPA / CPRA)

You have the right to:

  • Know what personal information we collect, use, disclose, and (if applicable) sell or share. We do not sell your personal information. We do not share it for cross-context behavioral advertising.
  • Delete your personal information, subject to certain exceptions.
  • Correct inaccurate personal information.
  • Limit our use of "sensitive personal information." We do not collect sensitive personal information as defined by the CCPA other than account credentials, which we use only to authenticate you.
  • Not be discriminated against for exercising any of these rights.

To exercise these rights, contact [PRIVACY EMAIL] or use the in-account export and deletion controls. We may need to verify your identity before fulfilling certain requests.

12. International users and data transfers

Sourced is operated from [COUNTRY]. If you access Sourced from another country, your data is transferred to and processed in [COUNTRY] and other countries where our service providers operate. We rely on appropriate safeguards for international transfers, including the European Commission's Standard Contractual Clauses where applicable.

13. Appeals and disputes

If a moderation decision affected you (post hidden, comment removed, account restricted), you can appeal through the in-app appeal process. Appeals are reviewed by a human moderator and resolved within [TIMEFRAME].

If you have a privacy complaint we have not resolved, you can contact your local data protection authority. EEA users can find contact information at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK users can contact the ICO at https://ico.org.uk.

14. Changes to this policy

We will notify you in advance of material changes to this policy by email and via an in-app notice. Routine clarifying edits (typo fixes, link updates) may be made without notice; we will note the "Last updated" date at the top.

15. Contact

For privacy questions or to exercise your rights:

  • Email: [PRIVACY EMAIL]
  • Mail: [LEGAL ENTITY NAME], [ADDRESS]

This policy is licensed for use by Sourced only. It draws on common privacy-policy structures but reflects Sourced's specific commitments to data minimization. It must be reviewed by a licensed attorney familiar with US, EU, and applicable state law before publication.