Privacy Policy

Effective Date: 1st April 2026

This Privacy Policy describes how SPCX Private Limited (“Company”, “we”, “us”, or “our”) collects, uses, shares, stores and protects personal and business information in connection with the Website www.source.one and the “source.one” and “sell.source” Apps on Android and iOS (together, the “Platform”). It applies to all users of the Platform, including buyers, sellers/suppliers, logistics partners and visitors accessing only marketing content and blog and shall be considered a part of and read along with the Platform Terms and Conditions.

1. Interpretation and Definitions:

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural

Definitions:

For the purpose of this Privacy Policy:

Account means a unique account created for You to access our Services.

Cookies are small files that are placed on Your computer, mobile device or any other device when you visit a Website. Cookies help the website recognise your device and store certain information like Your browsing history on that website.

Device means any device that can access the Services such as Computer, a cellphone or any digital appliance.

Personal Data is any information/data about an individual who is identifiable by or in relation to such data 

Service refers to the Platform.

Service Provider means any natural person or legal entity that processes Personal Data on behalf of the Company. This includes third-party companies or individuals engaged or appointed by the Company to facilitate the provision of the Service, to provide the Service on behalf of the Company, to perform services related to the Service, or to assist the Company in monitoring and analyzing the use of the Service.

You/you means the individual accessing or using the Service or the company or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. 

2.  Data Controller and Contact Details
   
   

   1. Entity responsible for data processing: SPCX Private Limited, CIN U51909PN2018PTC178336, having its registered office at 1st Floor, Duggal Plaza, S. No. 692 A/3C, Premnagar, Bibvewadi, Pune, Maharashtra 411037.

   2. Contact for privacy and legal notices: compliance@source.one , Tel: +91 9614063333, Postal: as above.

   3. We have not formally designated a separate data protection officer or grievance officer as of the date of this Policy, but the above contact details may be used for privacy‑related queries and grievances.
      
      

3. Scope and Relationship with Terms and Conditions
   
   

   1. This Privacy Policy must be read together with the Terms and Conditions. Capitalized terms used but not defined in this Policy shall have the meanings assigned to them in the Terms and Conditions.

   2. By accessing or using the Platform, and by providing any personal or business information to us, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, storage and disclosure of your information as described herein, to the extent such consent is required under applicable law.
      
      

4. Categories of Information We Collect

   1. Information Provided Directly by You

1. Registration and account data (mainly business‑oriented):

• Mobile numbers and other contact details of authorised users;

• Company name, GSTIN, PAN and other business identifiers;

• Registered office and/or billing/shipping addresses;

• Names and basic details of authorised signatories or contact persons, where provided.

2. Platform usage and transaction data:

• Order history, transaction values, product types, delivery details and related commercial information;

• Communications with us or via the Platform (for example, in‑app messages, WhatsApp messages, and relevant call logs, where applicable), which may be used for support, operations and dispute resolution;

3. Support and grievance data: details you provide when you contact us for support, feedback, complaints or legal/privacy grievances, including any communications through WhatsApp, email, phone or web forms.

2. Information Collected from Third Parties and Public Sources

1. We may obtain information about you and your business from:

• Third‑party KYC/verification providers such as Karza or Probe42, including corporate data, registration details and financial/credit information, for the purposes described in this Policy;

• Public sources such as government registries and other publicly available databases (for example, to verify GSTIN, company details or director information);

• Group entities, specifically Source Re Solutions Private Limited (a subsidiary of SPCX Private Limited) in relation to shared platforms and services.

3. Information About Cookies and Similar Technologies

1. We may use cookies and similar technologies on the Website and Apps, including:

• Session cookies;

• Persistent cookies;

• Web beacons, pixels or SDKs in the Apps.

2. The specific third‑party analytics or marketing tools (such as Google Analytics or others) and any retargeting/behavioural advertising campaigns may evolve over time and will be reflected in updated versions of this Policy, including where we implement cookie banners and granular cookie preference mechanisms, if and as adopted.

3. You can instruct Your browser to refuse all Cookies. However, if You don’t accept Cookies, You may not be able to use some parts of our Services. By continuing to use the Service without modifying your browser settings to refuse cookies, you consent to our use of cookies as described in this Policy.

4. Device and App Permissions

1. The Apps may request access to operating system‑level permissions, such as:

• Location (for logistics, routing or service optimisation);

• Camera (for scanning documents, uploading images, etc.);

• Microphone (for certain communication features, if implemented).

2. Permission prompts will typically appear at the OS level. You may choose to grant or revoke such permissions via your device settings; however, some features may not function properly if requisite permissions are disabled.

5. Purposes and Legal Bases of Processing

We process personal and business data for the following purposes:

• Account creation, authentication and management, including verifying your identity and authorisation, and managing multiple accounts linked to your GSTIN.

• Order processing and fulfilment, including inventory allocation, logistics coordination, invoicing, collections and after‑sales support.

• Customer support and dispute resolution, including via WhatsApp, calls and in‑app communication channels, and for maintaining relevant logs for evidentiary purposes.

• Risk assessment, credit evaluation and fraud prevention, including background verification using third‑party providers, internal credit models and publicly available data, and automated or semi‑automated flags or controls where implemented.

• Compliance with legal obligations, including tax, company law, anti‑money laundering, sanctions and other regulatory requirements, and responding to lawful requests from government authorities.

• Analytics, service improvement and business operations, including internal reporting, product development, performance monitoring and anonymised or aggregated analytics, with reasonable safeguards.

• Marketing and communications, including sending you information about our products, features, offers or events, subject to your consent where required by law. You may opt‑out or withdraw consent for such communications as specified below.

• Use of testimonials and case studies, with appropriate consent, including the use of names, designations, company names, titles and video content for promotional and marketing purposes.

• To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.

• To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about, unless You have opted not to receive such information.

6. Data Sharing and Disclosures

   1. Within the Group and with Service Providers

1. We may share personal and business data, on a need‑to‑know basis and under appropriate confidentiality and data protection arrangements, with:

• Source Re Solutions Private Limited, a subsidiary of SPCX Private Limited, which shares the same website and may be involved in operating certain products or services, for the purposes of providing integrated services and support;

• Logistics partners and transporters, to the extent necessary to arrange delivery and pick‑up of products, including sharing delivery addresses, contact details and basic order information;

• Banks and financial institutions, for arranging or maintaining facilities for us or for our SourcePlus‑type offerings (currently, user data is shared with bankers for Company facilities rather than for SourcePlus credit partners acting independently);

• Collection agencies and legal partners, in relation to recovery of dues, where we may share basic transactional and customer data necessary for such purposes;

• IT, hosting and infrastructure providers, including on‑premise infrastructure and AWS, and other cloud or analytics providers as may be used, for hosting, backup and operational purposes;

• Marketing, communication and analytics vendors (e.g., SMS/WhatsApp

•  service providers, email providers, analytics tools), to the extent such vendors are engaged and as necessary to send communications or analyse Platform usage.

• With your Consent, we may disclose Your personal information for any other purpose with Your Consent.

2. Disclosures Required by Law or in Corporate Transactions

We may disclose your information:

• Where required under applicable law, regulation, legal process or governmental request;

• To protect and defend our rights, property and interests, including in connection with legal claims or disputes;

• In connection with any merger, acquisition, restructuring, financing, sale of assets, or similar corporate transaction involving us, in which case reasonable safeguards will be implemented for such transfers.

7. Cross‑Border Transfers

As of the date of this Policy, we do not intentionally transfer user data outside India. Our primary infrastructure is on‑premise and/or on AWS hosted within India. If, in future, cross‑border transfers become necessary (for example, due to vendor locations), such transfers will be undertaken in compliance with applicable Indian data protection requirements and under appropriate contractual safeguards, and this Policy will be updated accordingly.

8. Data Storage, Security and Internal Governance

   1. Hosting: Our systems and databases are currently hosted using a combination of on‑premise infrastructure and AWS (Amazon Web Services).

   2. Security measures: We implement reasonable technical and organisational security measures, which may include:

• Encryption of data in transit and/or at rest, as appropriate;

• Access controls and role‑based access mechanisms for internal users;

• Regular backups and disaster recovery procedures;

• Vendor contracts that include data protection, confidentiality and breach notification obligations, where written agreements are executed.

3. We maintain internal controls, training and role‑based access regimes to protect data handled by operations, finance, technology and marketing teams.

4. While we employ reasonable safeguards, no method of transmission over the internet or electronic storage can be guaranteed to be completely secure. You are responsible for maintaining the security of your devices and login credentials and for promptly notifying us of any suspected unauthorised access to your Personal Data.

9.  Data Retention and Anonymisation

   1. We retain account information, transaction and invoicing data, support communications and related records for at least eight (8) years, or for such longer period as may be required for legal, tax, regulatory or evidentiary purposes.

   2. After the expiry of required retention periods, we may either securely delete or irreversibly anonymise/aggregate data so that it can no longer be used to identify individuals, while retaining it for analytics or statistical purposes.

   3. Where users request closure of accounts or deletion of data, we will honour such requests to the extent feasible and legally permitted. You may update, amend or delete your information at any time by signing in to your Account, if you have one, and visiting the account settings section that allows you to manage your personal information. You may also contact us to request access to, correct, or delete any personal information that you have provided to us. However, we may be required to retain certain information for statutory record‑keeping, dispute resolution or legitimate business interests. 
      
      

10. . Legal and Regulatory Compliance

    1. We primarily target compliance with applicable laws of India, including Digital Personal Data Protection Act, 2023 and privacy framework and sector‑specific guidelines, as applicable to our business model. Where we rely on foreign data protection regimes or serve users from other jurisdictions, supplemental measures may be adopted and reflected in updated versions of this Policy.

    2. We continuously monitor relevant legal developments affecting polymers, chemicals and logistics businesses and aim, where necessary, to incorporate any applicable safety, labelling, hazardous material handling or sanctions‑related obligations into our operations and contractual frameworks.
       
       

11.  User Rights

    1. Subject to applicable law and our legitimate interests and legal obligations, users may have the following rights in relation to their personal data:

• Right to access and obtain a copy of personal data held by us;

• Right to rectify or update inaccurate or incomplete data;

• Right to request erasure (deletion) of personal data, subject to statutory retention requirements;

• Right to withdraw consent to processing for marketing or other consent‑based purposes, without affecting prior lawful processing;

• Right to object to or request restriction of certain processing, where provided by applicable law.

2. Requests to exercise the above rights may be submitted through any of the channels notified under applicable law and as may be operationally implemented by us, including (where available) in‑app settings, email, or web forms. Specific mechanisms may be updated from time to time and reflected in revised versions of this Policy.

12.  Grievance Redressal and Dispute Resolution

    1. General support: Operational support is primarily provided through “Help & Support” channels, including WhatsApp‑based support, as implemented on the Platform.

    2. Legal/privacy grievances: For concerns relating to privacy, data protection or this Policy, you may contact us at compliance@source.one  or write to our registered office address. We aim to respond within reasonable timelines in line with applicable legal requirements.

    3. The parties may, where feasible, seek to resolve disputes through online dispute resolution or mediation mechanisms, prior to initiating arbitration or court/tribunal proceedings, as described in the Terms and Conditions.
       
       

13. Third‑Party Platforms and Links

1. Third-Party Websites, Platforms, Payment Gateways and Links

1. The Platform may contain links to, or be integrated with, third-party websites, applications, platforms, tools and services (including, without limitation, logistics tracking portals, payment gateways, banks, government portals, social media pages, app stores such as Google Play Store and Apple App Store, and communication platforms such as WhatsApp) that are not owned, controlled or operated by SPCX Private Limited (collectively, “Third-Party Platforms”). 

2. Any link, integration or access route to a Third-Party Platform is provided for your convenience only and does not constitute or imply any endorsement, recommendation, guarantee, warranty, representation or sponsorship by SPCX Private Limited in respect of such Third-Party Platform or its operators, or any association, partnership or joint venture between SPCX Private Limited and such operators, unless expressly stated in a separate written agreement.

3. Your access to and use of any Third-Party Platform (including any data you choose to provide to such Third-Party Platform, any transactions you undertake through it, and any consents you grant to it) are solely between you and the relevant third party, and are governed by the terms and conditions, privacy policies and other rules of such Third-Party Platform. We strongly encourage you to carefully review the applicable terms and privacy notice of each Third-Party Platform before using it or sharing any information with it.

4. SPCX Private Limited does not control, and is not responsible for, the content, accuracy, security, privacy practices, availability or functioning of any Third-Party Platform, or for any collection, use, disclosure, storage, security measures or retention of your information by such Third-Party Platforms. Any information (including personal data, payment information or business information) that you provide directly to a Third-Party Platform will be subject to that Third-Party Platform’s own privacy policy and security practices, and not this Privacy Policy.

2. Payment Gateways and Banking Channels

1. For processing payments in connection with transactions carried out through the Platform, we may enable or facilitate payments via one or more payment gateways, banks and other payment system providers (“Payment Partners”). As of the date of this Policy, SPCX Private Limited does not itself collect or store complete payment instrument details such as payment card numbers or UPI virtual payment addresses; such details, where applicable, are ordinarily collected and processed by Payment Partners or banks, subject to their own terms and privacy policies. 

2. In order to enable payment processing, we may share with Payment Partners limited transactional and customer information (for example, your name or entity name, order details, amount payable, and limited contact details) strictly as necessary for processing payments, refunds or chargebacks, reconciling transactions, and complying with applicable law. Payment Partners may in turn share with us limited information such as payment status, truncated card details, or reference numbers to allow us to reconcile and confirm payments.

3. Payment Partners and banks are independent controllers or processors of payment information and operate under their own contractual arrangements and regulatory obligations. SPCX Private Limited does not control, and is not responsible for, the security, accuracy or legality of any collection, storage, use or disclosure of payment information by Payment Partners or banks, or for any errors, delays, interruptions, failed transactions, reversals, chargebacks, unauthorised access or security incidents occurring on or attributable to such third-party systems.

4. To the maximum extent permitted by applicable law, SPCX Private Limited disclaims all liability for any loss, damage, cost or expense (whether direct, indirect, incidental, consequential or otherwise) arising out of or in connection with:

   • your use of any Payment Partner or banking interface (including any unauthorised or fraudulent transactions, data breaches or security incidents on their systems);

   • any act or omission of Payment Partners or banks in processing, declining, reversing or delaying your payments or refunds; or

   • any non-compliance by Payment Partners or banks with applicable laws, regulations, network rules or industry standards.

3. Analytics, Marketing and Communication Tools

1. We may use Third-Party Platforms and tools for analytics, marketing, communication and customer support purposes (for example, SMS/WhatsApp service providers, email delivery services, analytics providers, and platforms used for lead generation or campaign management). These providers may receive certain limited data (such as your contact details and usage-related information) in order to perform services on our behalf, under contractual arrangements that include confidentiality and data-protection obligations, where written agreements are executed. 

2. We may communicate with you through email, WhatsApp, and in app for transactional updates, customer support, and also for marketing and promotional purposes. You may opt out of receiving marketing communications at any time by unsubscribing or opt-out instructions provided. 

3. We may also analyse your usage of the Platform, transaction history and preferences to provide personalised communications, recommendations, and targeted campaigns 

4. Certain Third-Party Platforms used for analytics or advertising may deploy cookies, SDKs or similar technologies when you visit the Website or use the Apps. Any data collection and tracking by such Third-Party Platforms is subject to their respective privacy notices and cookie policies, and may be based on their independent legal bases or consents obtained by them. Our use of such tools will be reflected in updated versions of this Policy, including where we implement cookie banners and granular consent mechanisms.

4. No Sale of Personal Data

1. We do not share your personal data with third parties for their independent marketing or profiling purposes that are unrelated to the Services, nor do we “sell” your personal data for consideration, as of the date of this Policy. Any sharing with Third-Party Platforms is limited to the purposes and categories described in this Privacy Policy and is carried out under appropriate safeguards where applicable.

5. General Disclaimer for Third-Party Platforms

1. When you click on, access or otherwise engage with any Third-Party Platform through the Platform, you do so at your sole risk. To the maximum extent permitted by law, SPCX Private Limited shall not be liable for any loss, damage or other consequences arising, directly or indirectly, from:

   • your reliance on any content, information, advice, representations, products or services provided on or through any Third-Party Platform;

   • any unauthorised access to, use, loss, theft, corruption or compromise of your data, payment information or credentials occurring on or through any Third-Party Platform;

   • any viruses, malware, security vulnerabilities, interruptions, errors or other issues originating from or attributable to any Third-Party Platform; or

   • any act, omission, negligence or default of the operators of any Third-Party Platform.

2. Nothing in this Clause limits or excludes any liability that cannot be limited or excluded under applicable law, but any such liability of SPCX Private Limited shall be subject to the limitations set out in the Terms and Conditions and in this Privacy Policy, as applicable.

14. Children’s Data

The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that personal data of an individual below 18 has been collected without appropriate authorisation, we will take reasonable steps to delete such data, subject to any statutory retention requirements.

15. Changes to this Privacy Policy

    1. We may update or modify this Privacy Policy from time to time to reflect changes in laws, technologies, our practices or business operations. Updated versions will be published on the Website and/or Apps, with the effective date indicated at the top of the Policy.

    2. Material changes may be notified through the Platform (for example, via in‑app notifications), and, where required by law, we may seek your renewed consent. Continued use of the Platform after the effective date of any updated Policy will be deemed acceptance of such updated Policy.
       
       

16. Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the dispute resolution mechanisms and jurisdictional provisions set out in the Terms and Conditions.

17. Contact US

        If you have any questions about this Privacy Policy

        You can contact us: compliance@source.one

***