Privacy Policy

The Sourcing Vault Limited

Company No. 16443781  |  Last Updated: March 2026

Data Controller: The Sourcing Vault Limited  |  Contact: [email protected]

This Privacy Policy explains how The Sourcing Vault Limited collects, uses, stores, and shares your personal data. It is issued in accordance with Articles 13 and 14 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read it carefully.

1. Who We Are

The Sourcing Vault Limited ("TSV", "we", "us", "our") is registered in England and Wales under company number 16443781, with its registered office at 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF.

We operate The Sourcing Vault platform, a property deal marketplace connecting property deal sourcers (Vault Members) with property investors. We are the Data Controller for the personal data we collect via our platform and website.

We are registered with the Information Commissioner's Office (ICO) as a data controller. You can contact us regarding any data protection matter at: [email protected]

We have not formally appointed a Data Protection Officer (DPO) as we are not legally required to do so under Article 37 UK GDPR. Our data protection contact for all enquiries is reachable at the email address above.

2. Personal Data We Collect

We collect the following categories of personal data, depending on how you interact with us:

Examples

Identity data - Full name, date of birth, photo identification documents

Contact data - Email address, telephone number, postal address

Financial data - Proof of funds, payment information, transaction records, bank details for refunds

Compliance & verification data - AML/KYC documentation, ICO registration numbers, redress scheme membership details, proof of professional status

Technical data - IP address, browser type, device type, operating system, cookies and tracking data, session logs

Platform usage data - Login activity, pages visited, deal enquiries submitted, documents accessed

User-submitted content - Messages sent via the platform, uploaded documents, property data, deal information

We collect personal data directly from you when you register an account, submit an enquiry, complete a form, or communicate with us. We may also receive personal data about you from Deal Sourcers or other third parties in connection with a property transaction.

3. How and Why We Use Your Personal Data

Under the UK GDPR, we must have a lawful basis for processing your personal data.

Where we rely on legitimate interests as our lawful basis, we have carried out a balancing test and are satisfied that our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interests — see Section 8 for details.

4. Who We Share Your Personal Data With

We do not sell your personal data to any third party. We share your personal data only in the following circumstances:

Deal Sourcers (Vault Members): Where you enquire about or proceed with a property opportunity, we will share your contact and relevant identity data with the Deal Sourcer responsible for that listing, to the extent necessary to facilitate the transaction.

Vendors and their representatives: Where relevant, your contact details may be shared with property vendors or their solicitors to progress a transaction you are involved in.

Platform and technology providers: We use GoHighLevel (HighLevel, Inc.) as our CRM and platform infrastructure. GoHighLevel processes personal data on our behalf as a data processor under a Data Processing Agreement incorporating Standard Contractual Clauses (see Section 6 on international transfers).

AML and identity verification providers: We use approved third-party providers to conduct identity and anti-money laundering checks as required by the Money Laundering Regulations 2017.

Payment processors: Payment data is processed by our payment provider(s) for the purpose of collecting subscription fees and sourcing fee payments.

Professional advisers: We may share data with our solicitors, accountants, or insurers on a confidential basis where necessary.

Third-party service providers we introduce to you: Where you agree to be introduced to a third party (such as a mortgage broker or solicitor), we will share your contact details with them for the purpose of that introduction. We will tell you at the time of any such introduction. You are under no obligation to proceed.

Regulatory or legal authorities: We may disclose data where required to do so by law, court order, or regulatory authority, including the ICO, HMRC, or law enforcement agencies.

All third-party data processors with whom we share personal data are required to handle it in accordance with applicable UK data protection law and are bound by appropriate contractual safeguards.

5. How Long We Keep Your Personal Data

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by law. The table below sets out our standard retention periods by data category:

Account and registration data - Duration of account + 6 years after closure - Limitation Act 1980 (contractual claims); legitimate interests

AML / KYC verification records - 5 years from end of business relationship - Money Laundering Regulations 2017, Reg. 40

Transaction and payment records - 6 years from date of transaction - HMRC record-keeping requirements; Limitation Act 1980

Deal enquiry and correspondence records - 6 years from date of last interaction - Limitation Act 1980; legitimate interests (dispute resolution)

Investor property purchase records - 6 years from completion or last activity - Limitation Act 1980; contractual necessity

Complaints records - 6 years from resolution - Limitation Act 1980; legitimate interests

Marketing consent records - Duration of consent + 3 years after withdrawal - Demonstrating lawful basis for processing (ICO guidance)

Platform usage and technical logs - Up to 12 months - Legitimate interests (security and service improvement)

Cookie data - Per cookie consent preferences; max 13 months for analytics - ICO cookie guidance; PECR

Where data is no longer required, we will securely delete or anonymise it. In some cases, we may anonymise personal data (so it can no longer be attributed to you) for statistical or analytical purposes, in which case we may retain it indefinitely.

We will review and, where appropriate, update retention periods annually. If there is a specific legal claim or regulatory investigation involving your data, we may retain it for longer than the standard periods above.

6. International Data Transfers

The Sourcing Vault Limited is based in England and Wales. Your personal data is processed primarily within the UK. However, we use a number of third-party software platforms to operate our business, some of which are based in the United States of America — a country outside the UK (a "third country") for the purposes of the UK GDPR. Transfers of personal data to third countries are restricted transfers and must be protected by an appropriate safeguard.

6.1 Categories of Third-Party Processors

We use third-party processors in the following categories, all of which may involve the transfer of personal data outside the UK:

CRM and platform infrastructure — software used to manage contacts, deals, communications, and platform operations

Payment processing — platforms used to collect subscription fees, sourcing fee payments, and process refunds

Advertising and lead generation — platforms used to run paid advertising campaigns and capture enquiries

Productivity and communications — tools used for email, document management, internal team messaging, and video calls

Chatbot and messaging automation — tools used to automate conversations via Instagram and WhatsApp

Analytics — tools used to understand how our website is used and improve our services

6.2 Transfer Safeguards

Where personal data is transferred outside the UK, we ensure that each transfer is protected by at least one of the following lawful safeguards under Chapter V of the UK GDPR:

UK International Data Transfer Addendum (UK IDTA): The UK-specific addendum to the EU Standard Contractual Clauses (SCCs), issued by the ICO under Section 119A(1) of the Data Protection Act 2018. This is the primary contractual mechanism for restricted transfers from the UK to third countries.

UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge): A UK adequacy framework under which certified US organisations commit to data protection standards equivalent to UK GDPR. Where a processor holds current certification, this provides an additional or alternative safeguard.

Standard Contractual Clauses with UK Addendum: EU SCCs (European Commission Decision 2021/914) with the UK Addendum attached, converting them into a compliant UK transfer mechanism.

All third-party processors are bound by Data Processing Agreements — either bespoke agreements with TSV or their published standard DPA terms incorporating the above mechanisms, which we accept as part of our use of those services. We take reasonable steps to verify that each processor maintains current certification or contractual commitments. If a transfer mechanism is invalidated or a processor's certification lapses, we will implement an alternative lawful safeguard without undue delay.

6.3 Sub-Processor List

A full list of the specific third-party sub-processors we currently use — including the name of each processor, the category of data processed, the country of processing, and the applicable transfer safeguard — is maintained as a separate, publicly accessible document at: www.thesourcingvault.co.uk

This list is reviewed and updated whenever a new processor is added or removed. The date of last update is shown on the page.

You may also request further information about any of our transfer arrangements, including copies of applicable DPA provisions, by contacting us at [email protected].

7. How We Protect Your Personal Data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

Encryption of personal data in transit and at rest

Access controls and role-based permissions restricting access to personal data to authorised personnel only

Secure login and authentication protocols for platform access

Regular review of our data protection practices and security procedures

Data Processing Agreements with all third-party processors

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with our obligations under Article 34 UK GDPR.

8. Your Rights Under UK GDPR

Under the UK GDPR and Data Protection Act 2018, you have the following rights in relation to your personal data:

Right

What it means

Right of access (Art. 15)

You can request a copy of the personal data we hold about you (a Subject Access Request).

Right to rectification (Art. 16)

You can ask us to correct inaccurate or incomplete personal data.

Right to erasure (Art. 17)

You can ask us to delete your personal data where there is no longer a lawful reason to retain it. This right is not absolute and may be subject to legal retention obligations.

Right to restrict processing (Art. 18)

You can ask us to pause processing of your data in certain circumstances, for example while a dispute about accuracy is resolved.

Right to data portability (Art. 20)

Where processing is based on consent or contract, you can request your data in a structured, machine-readable format.

Right to object (Art. 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We must stop processing for direct marketing immediately on receipt of an objection.

Rights related to automated decision-making (Art. 22)

We do not currently carry out solely automated decision-making that produces legal or similarly significant effects. If this changes, we will update this policy and inform you.

Right to withdraw consent (Art. 7)

Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of your rights, please contact us in writing at [email protected]. We will respond to all requests within one calendar month. In complex or numerous requests, we may extend this by a further two months, in which case we will notify you.

We will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to comply.

9. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. Cookies are small text files placed on your device that help us provide and improve our services.

9.1 Types of Cookies We Use

Strictly necessary cookies: Essential for the operation of the website. These cannot be switched off. They are set in response to actions such as logging in or completing forms.

Analytics and performance cookies: These help us understand how visitors use our website so we can improve it. We use analytics tools for this purpose. These cookies only run with your consent.

Functional cookies: These allow the website to remember preferences you have set (such as language or region). These cookies only run with your consent.

9.2 Managing Cookies

When you first visit our website, you will be presented with a cookie consent banner allowing you to accept all cookies, accept only essential cookies, or manage your preferences. You can change your preferences at any time via your browser settings or by clearing your cookies.

Analytics cookies are retained for a maximum of 13 months in accordance with ICO guidance. Strictly necessary cookies are retained only for the duration of your session or as otherwise required for platform function.

For more information on managing cookies, visit: www.ico.org.uk/for-the-public/online/cookies

10. Links to Third-Party Websites

Our platform and website may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites. We encourage you to read their privacy policies before providing any personal data to them.

11. Children's Data

Our services are not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data about a child, please contact us immediately at [email protected] so that we can delete it.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or via a prominent notice on our website prior to the change becoming effective.

The date at the top of this policy indicates when it was last updated. We encourage you to review this policy periodically.

13. Your Right to Complain to the ICO

If you are unhappy with how we have handled your personal data, we ask that you contact us first so that we can try to resolve the matter. You can contact us at [email protected].

You also have the right to lodge a complaint at any time with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

Information Commissioner's Office (ICO)

Website: www.ico.org.uk

Helpline: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

14. Contact Us

For all data protection enquiries, to exercise your rights, or to raise a concern about our use of your personal data, please contact us at:

The Sourcing Vault Limited

Data Protection Contact

167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF

Email: [email protected]

Website: thesourcingvault.co.uk

The Sourcing Vault Limited | Company No. 16443781 | Registered in England & Wales | Governed by UK GDPR & Data Protection Act 2018