SG
SourceGrid
Legal

Privacy Policy

Effective May 12, 2026 · Last updated May 12, 2026. This Privacy Policy is a binding legal agreement between you and SourceGrid LLC and explains, in detail and without ambiguity, what personal information we collect, why we collect it, how we use, share, retain and protect it, and the specific rights you may exercise under applicable law.

1. Identity of the Controller

SourceGrid LLC (“SourceGrid”, “we”, “us” or “our”) is a Florida limited liability company organized and existing under the laws of the State of Florida, United States, with its principal place of business at 7971 NW 21 ST, Doral, Florida 33198, USA. SourceGrid is the data controller responsible for the processing of personal information collected through the website sourcegrid.co, the subdomains www.sourcegrid.co, app.sourcegrid.co, shop.sourcegrid.co and any other digital, telephonic, in-person, electronic-messaging or postal channel operated by SourceGrid in connection with its B2B wholesale activities (collectively, the “Services”).

For all matters relating to this Policy or to the exercise of your rights, you may contact our Privacy Office in writing at sales@sourcegrid.co or by certified mail at the address above, marked “Attn: Privacy Office”.

2. Scope and Acceptance

This Policy applies to every visitor, account holder, applicant, prospective wholesale customer, active wholesale customer, vendor, supplier, brand partner and contractor (each, a “User”) interacting with SourceGrid in any way. By accessing the Services, submitting a form, placing an order, applying for a wholesale account or otherwise communicating with SourceGrid, the User expressly, freely, specifically, informedly and unambiguously consents to the processing described in this Policy and to the Terms & Conditions and Refund Policy that complement it. If the User does not agree, the User must immediately cease using the Services.

3. Categories of Personal Information We Collect

Depending on the User's interaction with us, we may collect the following categories of personal information:

  • Identifiers & contact data: first and last name, business or trade name, business address, residential address (only when used as a business address), email, telephone, country, state, city, IP address, device identifier, online identifier, account credentials.
  • Commercial & business data: Employer Identification Number (EIN) or equivalent tax ID, Resale Tax Certificate or equivalent reseller credential, type of business (salon, beauty supply store, e-commerce seller, distributor), estimated monthly purchase volume, sales channels, brands carried, professional license numbers, website URL.
  • Transactional data: orders placed, invoices, payment status, payment method (last four digits of the card and brand only — full card data is processed by PCI-DSS Level 1 payment processors and never stored by SourceGrid), shipping addresses, returns, claims and credits.
  • Technical & usage data: IP address, browser type and version, operating system, language, time-zone, referrer URL, pages visited, click-stream, session duration, events, error logs, cookie identifiers and similar technologies.
  • Marketing & preference data: newsletter subscriptions, marketing consents, communication preferences, product interests, event attendance.
  • Communications & UGC: emails, support tickets, chat logs, voicemail, recorded calls (where lawful and disclosed at the start of the call), form submissions, reviews and any content you voluntarily share with us.
  • Sensitive identifiers (limited): photographs of physical Resale Tax Certificates and government-issued business documents that may contain identifiers. We do not knowingly request or process Social Security Numbers, government-issued IDs of natural persons, biometric data, precise geolocation, or special categories of data within the meaning of the GDPR (race, ethnicity, religion, health, sexual orientation, etc.).

We do not sell or share personal information of consumers under 16 years of age and our Services are not directed to them.

4. Sources of Personal Information

We collect personal information (i) directly from the User (forms, applications, orders, support requests), (ii) automatically through the Services (cookies, log files, server-side analytics), (iii) from authorized third parties (brand owners, manufacturers, payment processors, shipping carriers, credit-screening agencies, public business registries, sanctions and PEP databases) and (iv) from publicly available sources (corporate registries, trade publications, social media business profiles).

5. Purposes of Processing

We process personal information for the following purposes, each of which is necessary for the legal basis identified in Section 6:

  • Evaluating, opening, maintaining and closing wholesale accounts (including KYC, sanctions screening and credit assessment).
  • Processing orders, invoicing, fulfillment, shipping, returns and customer support.
  • Complying with U.S. federal, Florida state and local tax, customs, anti-money-laundering, anti-terrorism, sanctions, consumer-protection and product-safety obligations.
  • Preventing, detecting and investigating fraud, abuse, chargebacks, channel diversion, counterfeiting and other unlawful conduct.
  • Operating, securing, monitoring, improving and developing the Services.
  • Sending transactional communications (order confirmations, shipping updates, invoices, recalls, legal notices) and, with consent where required, marketing communications.
  • Performing analytics, product research, demand planning and personalization.
  • Defending, exercising or establishing legal claims and enforcing our Terms.

6. Legal Bases for Processing

We rely on one or more of the following legal bases (where the GDPR or analogous regimes apply): (a) performance of a contract to which the User is a party or pre-contractual measures requested by the User; (b) compliance with a legal obligation; (c) legitimate interests pursued by SourceGrid (operating, securing and growing a B2B wholesale business; preventing fraud; conducting B2B marketing) where not overridden by the User's fundamental rights; and (d) consent, which the User may withdraw at any time without affecting the lawfulness of prior processing.

7. How We Share Personal Information

We do not sell personal information for monetary consideration and do not share it for cross-context behavioral advertising as defined under the CCPA/CPRA. We disclose personal information only to:

  • Service providers and processors bound by written contracts containing GDPR/CCPA-compliant data-protection terms — including cloud hosting, database, e-mail, CRM, analytics, customer-support, payment, fraud-prevention, fulfillment and shipping providers.
  • Brand owners and manufacturers for the limited purpose of validating authorized resale, warranty, recall and product-stewardship matters.
  • Professional advisors (legal, tax, audit, insurance) under duty of confidentiality.
  • Government authorities, regulators and law enforcement when required by law, subpoena, court order or to protect our rights, property or safety, or those of others.
  • Successors in interest in connection with any merger, acquisition, financing, reorganization, bankruptcy or sale of all or part of our assets, in which case the recipient will be bound by terms substantially similar to this Policy.

8. International Transfers

Our infrastructure is operated primarily in the United States. If personal information is transferred from the European Economic Area, the United Kingdom, Switzerland, Latin America or any other jurisdiction with cross-border-transfer restrictions, we rely on lawful transfer mechanisms (such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or the data subject's explicit consent) and implement supplementary technical and organizational measures designed to provide an essentially equivalent level of protection.

9. Data Retention

We retain personal information only as long as necessary for the purposes described above, plus the periods required by U.S. federal and Florida state law. As a general rule: (i) transactional, tax and accounting records — seven (7) years from the end of the relevant tax year; (ii) wholesale-account onboarding documents (including resale tax certificates) — for the duration of the relationship and seven (7) years thereafter; (iii) marketing-consent records — until withdrawal of consent plus three (3) years; (iv) website logs — twelve (12) months; (v) recorded calls (where applicable) — twenty-four (24) months. After the applicable period, data is securely deleted, anonymized or archived in cold storage with access controls.

10. Information Security

We implement and maintain administrative, technical and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to. These include, without limitation: TLS 1.2+ encryption in transit; encryption at rest for sensitive documents (including Resale Tax Certificates) using AES-256; least-privilege access control with multi-factor authentication; role-based access management; logging and monitoring; vulnerability scanning; secure software-development practices; vendor-risk management; and a documented incident-response plan. No method of transmission or storage is 100% secure, and the User submits information at their own risk.

11. Data-Breach Notification

In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, we will, without undue delay and to the extent required by applicable law, notify the competent supervisory authority and the affected individuals in accordance with statutory deadlines (including 30 days for Florida residents under §501.171 Fla. Stat. and 72 hours for individuals where the GDPR applies).

12. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: request confirmation of whether we process your personal information and obtain a copy.
  • Rectification: request correction of inaccurate or incomplete data.
  • Deletion / Erasure: request deletion subject to lawful retention obligations.
  • Restriction: request restriction of processing in defined circumstances.
  • Portability: receive your data in a structured, commonly used and machine-readable format.
  • Objection: object to processing based on our legitimate interests or for direct marketing.
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Non-discrimination for exercising your rights, as required by the CCPA/CPRA and similar laws.
  • Lodge a complaint with a competent supervisory authority (in the EU/UK) or attorney general (in the U.S.).

To exercise any right, send a written request to sales@sourcegrid.co from the email associated with your account, including the right being exercised and reasonable identifying information. We will respond within 30 days (extendable by 60 additional days where permitted by law). We may decline requests that are manifestly unfounded, repetitive or excessive, or impose a reasonable fee in such cases.

13. Cookies and Similar Technologies

The Services use strictly-necessary cookies (required for the site to function), preference cookies, security cookies and analytics cookies (to measure usage and improve the Services). Where required by law, non-essential cookies are deployed only after the User has provided consent through our cookie banner. The User may withdraw consent at any time by clearing browser cookies or by adjusting browser settings. Disabling cookies may degrade certain functionalities of the Services.

14. Marketing Communications

We send marketing communications only to (i) Users who have provided express opt-in consent, or (ii) existing wholesale customers in connection with similar products and services, in compliance with the CAN-SPAM Act, TCPA and applicable state law. Every marketing message includes a clear unsubscribe link. You may also unsubscribe by writing to sales@sourcegrid.co.

15. Children's Privacy

The Services are intended exclusively for businesses and adult professional buyers. We do not knowingly collect, solicit or process personal information from children under 16. If you believe a child has provided us with personal information, contact us immediately and we will take reasonable steps to delete it.

16. Third-Party Sites and Brand Channels

The Services may contain links to third-party sites (brand partners, social networks, marketplaces). Those sites are governed by their own privacy policies and SourceGrid is not responsible for their content, privacy practices or processing activities.

17. Automated Decision-Making

We do not subject Users to decisions based solely on automated processing, including profiling, that produce legal effects concerning them or similarly significantly affect them, except where necessary for the performance of a contract or as authorized by law and subject to appropriate safeguards.

18. State-Specific Disclosures

California (CCPA/CPRA): in the past twelve (12) months SourceGrid has collected the categories described in Section 3 for the purposes described in Section 5 and disclosed them only to the recipients described in Section 7. SourceGrid has not sold or shared personal information for cross-context behavioral advertising. California residents may exercise the rights to know, delete, correct, opt-out of sale/sharing and limit use of sensitive personal information by contacting us as described in Section 12. We will not discriminate against residents who exercise these rights.

Other U.S. states (Virginia, Colorado, Connecticut, Utah, Texas, Florida and others with comprehensive privacy statutes): residents may exercise rights of access, correction, deletion, portability and opt-out under their respective state laws by following the procedures in Section 12.

19. Updates to this Policy

We may update this Policy from time to time. The “Last updated” date at the top will reflect any material change. For substantive changes affecting User rights, we will provide reasonable advance notice via the Services or by email. Continued use of the Services after the effective date constitutes acceptance.

20. Contact and Complaints

SourceGrid LLC · Privacy Office · 7971 NW 21 ST, Doral, Florida 33198, USA · sales@sourcegrid.co. If you are not satisfied with our response, you may lodge a complaint with the Florida Attorney General, the U.S. Federal Trade Commission, the California Privacy Protection Agency or the supervisory authority of your jurisdiction.