Privacy Policy & GDPR
Last updated: June 6, 2026
1. Who We Are
SourcAuto is operated by Eegix CommV., based in Belgium. For GDPR purposes, we act as the Data Controller for personal data you provide when using the Service.
Contact: hello@sourcauto.com
2. Data We Collect
- Account data: name, email address, password hash (bcrypt). Collected when you register.
- Search criteria: make, model, price ranges, and other search parameters you configure.
- Usage data: last login timestamp, search run logs. Used for monitoring system health.
- Billing data: handled entirely by Paddle.com (Merchant of Record). We receive a customer ID and subscription status; we never store your card details.
- Client data: name, email, and company of clients you add (Professional/Agency plans). You are responsible for having a lawful basis to store this data.
3. Legal Basis for Processing
- Contract performance (Art. 6(1)(b) GDPR): processing your account data and search criteria to deliver the Service.
- Legitimate interests (Art. 6(1)(f) GDPR): system logs and security monitoring.
- Legal obligation (Art. 6(1)(c) GDPR): retaining billing records as required by Belgian tax law.
4. Cookies
We use only a single session cookie (sa_session) to keep you logged in. This cookie is strictly necessary for the Service to function; it is deleted when you log out or close your browser. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
No cookie consent banner is required for strictly necessary cookies under EU law (ePrivacy Directive).
5. Data Sharing
We do not sell, rent, or share your personal data with third parties for their own purposes. We share data only with:
- Paddle.com — payment processor and Merchant of Record, acting as a separate data controller for billing.
- Our hosting provider — processes data as a data processor under a DPA, within the EU/EEA.
6. Data Retention
Account data is retained for as long as your account is active. If you delete your account, personal data is deleted within 30 days, except where retention is required by law (e.g., billing records for 7 years under Belgian tax legislation). Anonymised usage statistics may be retained indefinitely.
7. Your Rights
Under the GDPR you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
To exercise any of these rights, email hello@sourcauto.com. We will respond within 30 days. You also have the right to lodge a complaint with the Belgian Data Protection Authority (dataprotectionauthority.be).
8. Security
Passwords are stored as bcrypt hashes. All data is transmitted over HTTPS. Database access is restricted to application credentials. We apply principle-of-least-privilege access controls throughout.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before the changes take effect.