Privacy Policy

Sourcemark is consent infrastructure for AI training data. It lets creators declare whether their work is available for AI training, and gives AI companies a machine-readable registry they can query before ingestion.

Sourcemark is operated by Sourcemark Ltd, a company registered in England and Wales, based in London, United Kingdom.

We collect the following categories of information:

Account data

When you create an account, we collect your email address, display name and any optional profile information you choose to provide, such as an avatar image or professional website.

Declaration data

When you create a Sourcemark record, we store the fingerprints (cryptographic and perceptual hashes) generated from your file, along with your declared AI training consent status, timestamp, licensing contact details and any attestation you provide.

Technical data

When you use the service, we automatically collect your IP address, browser type and version, device information, referring URLs, pages visited and session cookies necessary to keep you signed in.

We never receive, store or have access to your original files.

When you select a file in Sourcemark, fingerprinting happens entirely on your device. Only the resulting hashes are sent to our servers. Your images, documents and videos remain on your device at all times.

We use the information we collect to:

• Operate and maintain your account and Sourcemark records
• Publish your declarations in the public registry so they can be verified and queried
• Anchor your records to a public ledger for independent verification
• Provide customer support and respond to enquiries
• Send service-related notifications such as record confirmations and account updates
• Detect abuse, prevent fraud and maintain the security of the service
• Improve the service based on aggregated, anonymised usage patterns

We do not use your personal data for advertising. We do not build profiles for marketing purposes.

We process personal data under the UK General Data Protection Regulation (UK GDPR) on the following grounds:

• Contract performance: processing necessary to provide the Sourcemark service you have signed up for, including creating and maintaining your account and records.
• Legitimate interests: processing necessary for service security, fraud prevention, service improvement and maintaining the integrity of the public registry.
• Consent: where you have given specific consent, such as opting in to non-essential communications. You can withdraw consent at any time.

We do not sell your personal data. We share data only with the following categories of service providers, who process it on our behalf:

• Supabase — database infrastructure, authentication and avatar storage
• Vercel — application hosting, edge delivery and web analytics
• Google— we may use Google Analytics to understand how the service is used in aggregate, Google Search Console to monitor how the site appears in search results, and Google Fonts to serve typefaces. These services may collect technical data such as IP addresses, browser information and page views in accordance with Google's privacy policy

Your public declaration data — including consent status, timestamp, licensing contact and declarer identity where you have chosen to make it visible — is published in the Sourcemark registry by design. This is the core purpose of the service.

We may also disclose data where required by law, regulation or valid legal process.

Account data is retained for as long as your account is active. If you delete your account, we will remove your personal account data within 30 days.

Declaration records are append-only by design. When you update a declaration, the previous version is preserved in the record history. If you request deletion of a record, we will process the request in accordance with your rights, while maintaining the integrity of the registry where required by law.

Technical data such as server logs is retained for up to 90 days for security and debugging purposes, then deleted.

Under the UK GDPR, you have the following rights in relation to your personal data:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate or incomplete data
• Erasure — ask us to delete your personal data, subject to legal obligations
• Data portability — request your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests
• Restriction — ask us to restrict processing in certain circumstances

To exercise any of these rights, contact us at privacy@sourcemark.ai. We will respond within one month.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Sourcemark uses cookies and similar technologies as follows:

Essential cookies

These are required for the service to function and cannot be disabled. They include session cookies to keep you signed in and preference cookies to remember your display settings such as theme selection.

Analytics cookies

We may use Google Analytics or similar tools to understand how visitors use the service in aggregate. These cookies collect information such as pages visited, time on site and referral source. Where analytics cookies are used, we will ask for your consent before setting them, in accordance with UK PECR. You can withdraw consent at any time through the cookie settings on our site.

We do not use third-party advertising cookies. We do not build profiles for cross-site marketing purposes.

Our infrastructure providers (Supabase and Vercel) may process data in locations outside the United Kingdom, including the United States and the European Economic Area.

Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the UK Information Commissioner, to maintain an equivalent level of data protection.

Sourcemark is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the service before the changes take effect. The “last updated” date at the top of this page reflects the most recent revision.

If you have any questions about this Privacy Policy or how we handle your data, contact us at:

privacy@sourcemark.ai

Sourcemark Ltd
London, United Kingdom