Privacy Policy / Aviso de Privacidad Integral
Effective date: June 30, 2026
In accordance with the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and its Regulations, the following data controller ("the Controller", "we") is responsible for the processing of your personal data:
- Controller: José Antonio Villazón Maroney
- Tax status: persona física con actividad empresarial
- RFC: VIMA920403DQA
- Tax regime: Régimen de las Actividades Empresariales en Plataformas Tecnológicas
- Address for notices (domicilio del responsable): Av. Camino Arenero 150, Int. A-108, Col. San José Río Hondo, C.P. 53810, Naucalpan de Juárez, Estado de México
- Privacy contact: javillazon92@gmail.com
1. Data we collect
- Account data: email address, authentication identifiers (including Google OAuth profile basics if you sign in with Google).
- Billing data: Stripe customer ID, subscription status, invoices. Card data is handled directly by Stripe; we never see or store full card numbers.
- Usage data: messages, threads, files you upload, AI prompts and outputs, credit ledger entries.
- Technical data: IP address, user-agent, timestamps, error logs needed to operate the Service securely.
2. Purposes of processing
Primary purposes (required to provide the Service):
- Create and manage your account and authenticate sessions.
- Process AI requests and deliver outputs.
- Process payments and apply credits.
- Provide customer support and respond to enquiries.
- Comply with legal, tax and accounting obligations.
- Prevent fraud and abuse, and ensure the security of the Service.
Secondary purposes (you may opt out without affecting the Service):
- Send product updates and educational content by email.
- Generate aggregated, anonymized analytics to improve the Service.
To opt out of secondary purposes, email javillazon92@gmail.com at any time.
3. Legal basis
Processing is based on (i) the contractual relationship arising from your acceptance of the Terms of Service, (ii) your consent for secondary purposes, (iii) compliance with legal obligations, and (iv) our legitimate interest in operating and securing the Service.
4. Transfers and subprocessors
We share personal data with the following subprocessors, which are required to keep it confidential and only use it to provide their services to us:
- Supabase — database, authentication and storage hosting.
- Stripe — payment processing and billing.
- Lovable — hosting and AI Gateway routing.
- AI model providers (e.g., Google Gemini) — inference for AI requests. Prompts and attached files are transmitted for the sole purpose of generating a response.
Some subprocessors are located outside Mexico, which implies an international transfer of personal data. By using the Service you consent to such transfers under article 37 of the LFPDPPP, when they are necessary to fulfill the contract you have with us.
We do not sell personal data. We do not use Customer Content to train foundation models.
5. Retention
- Account and usage data: while your account is active and up to 24 months thereafter.
- Billing data: up to 5 years, as required by Mexican tax legislation.
- Security logs: up to 12 months.
6. ARCO rights and information requests procedure
Under the LFPDPPP, you have the following rights regarding your personal data:
- Access (Acceso): to know what personal data we hold about you and how we use it.
- Rectification (Rectificación): to correct inaccurate or incomplete data.
- Cancellation (Cancelación): to request deletion of your data when it is no longer needed for the permitted purposes.
- Opposition (Oposición): to object to the processing of your data for specific purposes.
- Revocation of consent: to withdraw consent for secondary purposes at any time.
- Limitation of use or disclosure: to ask us to stop using or sharing your data in certain ways.
How to submit a request
You may exercise your ARCO rights or submit any privacy-related request by emailing javillazon92@gmail.com with the subject line "ARCO / Privacy Request — SourcingHub". Alternatively, you may send a signed written request to the address for notices listed above.
What your request must include
To allow us to verify your identity and process your request promptly, please include:
- Your full name and at least one reliable contact method (email or phone).
- A clear description of the right you wish to exercise or the information you seek.
- A copy of a valid government-issued ID or equivalent identification document.
- Your account email address, if you have a registered account, to help us locate your data.
- Any specific details that help us identify the data in question (e.g., date range, thread IDs, document names).
If you are acting through a legal representative, please also include a power of attorney or authorization document and the representative's identification.
Response time and delivery
We will acknowledge receipt of your request within 5 business days and will respond within 20 business days of the day following receipt, as provided by the LFPDPPP. If the request is complex or incomplete, we may extend the response period once for up to 20 additional business days, notifying you of the extension and the reasons within the original 20-day period.
We will deliver our response to the email address from which the request was sent, or to the contact method you designate. Access requests will include the main data fields we hold, in a readable format, unless you request a specific format that we can reasonably provide.
Costs and limitations
Exercising ARCO rights is free of charge. We may only charge you the direct cost of reproduction or certified delivery if you request additional copies or special delivery, and we will inform you of any such cost before proceeding.
We may deny or limit a request when it is manifestly unfounded, excessive, repetitive, or when the data is required to be kept by law or to fulfill a contract with you. If we deny a request, we will explain the legal basis for the denial in our response.
Correction or withdrawal of a request
You may correct, clarify or withdraw your request at any time before we issue a final response by sending a follow-up email to javillazon92@gmail.com.
Complaints before the data protection authority
If you consider that your data protection rights have not been adequately addressed, you may file a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), in accordance with article 145 of the LFPDPPP and its Regulations.
7. Security
We apply administrative, technical and physical safeguards designed to protect personal data against loss, misuse or unauthorized access. These include encryption in transit (TLS), row-level security in the database, role-based access, and least-privilege secret handling. No system is 100% secure; we will notify affected users and the appropriate authority of any security breach that materially affects their rights, within the terms of the LFPDPPP.
8. Children
The Service is not directed to persons under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, please contact us so we may delete it.
9. Cookies and similar technologies
We use strictly necessary cookies and local storage for authentication and payments. See our Cookie Policy for details.
10. Changes to this notice
We will publish any update to this Privacy Notice on this page and, where appropriate, notify you by email.
11. Contact
Privacy questions and ARCO requests: javillazon92@gmail.com — José Antonio Villazón Maroney, México.