    Privacy Policy

    Last updated: October 3, 2025

    1. About

    Belum Inc. ("Belum," "we," "us," "our") provides SourceSight, a B2B platform for supplier, spend and procurement intelligence. This Privacy Policy explains how we collect, use, disclose and safeguard personal information in connection with our Services. Capitalized terms not defined here have the meanings in our Terms of Service.

    2. Scope

    This Policy applies to personal information processed by us on:

    • Our sites and apps: belum.ai, sourcesight.io, and subdomains
    • Our web, mobile, and API Services
    • Related online support and enterprise offerings

    (collectively, the "Services").

    This Policy doesn't cover third-party websites or services, even if integrated with our Services. Our processing of employee/candidate data may be covered by separate notices.

    3. What We Collect

    The personal information we collect depends on how you or your organization use the Services.

    3.1 Information you provide

    • Account & Admin Info: name, business email, role, organization, authentication factors, and preferences.
    • Billing/Payments: handled by our processor (e.g., Stripe). We receive limited details such as payment status, last-4 of card, and billing contact; we do not store full card numbers or CVV.
    • Communications: support tickets, requests, feedback, survey responses.
    • Customer Data (may include personal information): data you or your users upload to the platform (supplier, spend, contract and approval records, documents, notes). You control this content; we process it under your instructions per our DPA.
    • Candidate Info (if you apply for a job): resume/CV, profile links, and communications.

    3.2 Information collected automatically

    • Technical/Usage Data: device/browser info, IP address, timestamps, pages and features used, telemetry and logs, API usage, performance metrics.
    • Cookies and similar tech: used for core functionality, analytics, and (if enabled) product messaging. See "Your Choices" for controls.

    3.3 Information from others

    • Your organization/SSO/IdP: to provision users and roles.
    • Integrations you enable: we receive data that you instruct us to exchange with connected systems (e.g., ERP/finance tools).

    4. How We Use Personal Information

    We process personal information for:

    • Providing and securing the Services: account setup, authentication, provisioning, usage metering, support, incident detection, fraud prevention.
      Legal basis: contract; legitimate interests; legal obligations.
    • Service communications: notices about features, security, renewals, and policy changes.
      Legal basis: contract; legal obligations; legitimate interests.
    • Product analytics and improvement: to understand performance and improve reliability and usability.
      Legal basis: legitimate interests.
    • AI features and model improvement: generate insights and recommendations; enhance models using de-identified or aggregated data only. Enterprise customers may opt out of model improvement at any time by written notice; operational processing to provide the Service continues. "De-identified" means altered and/or aggregated so no individual, household, or customer organization can reasonably be identified.
      Legal basis: legitimate interests; contract (for AI features you enable).
    • Compliance and enforcement: to comply with law, respond to lawful requests, and enforce agreements and policies.
      Legal basis: legal obligations; legitimate interests.
    • Marketing (B2B): send product updates and event info to business contacts. You can opt out anytime. We do not sell personal information.
      Legal basis: consent where required; otherwise legitimate interests.

    We do not use full payment card data or PHI for model training. We don't make automated decisions that produce legal or similarly significant effects without human review.

    5. How We Share Personal Information

    We share personal information with:

    • Your organization and authorized users: according to your admin settings and role permissions. Some features may show user names, avatars and activity context to collaborators.
    • Processors/service providers: cloud hosting, security, logging, email delivery, product analytics, payment processing, and customer support, bound by confidentiality and processing agreements.
    • Integration providers you enable: data exchanges you configure are governed by the third party's terms and privacy notices.
    • Legal/compliance: to comply with law or protect rights, safety, and the integrity of the Service.
    • Corporate transactions: in connection with a merger, acquisition, financing or sale of assets, subject to appropriate safeguards.

    We do not disclose Customer Data to third parties for their independent advertising or sell personal information. If we ever use third-party advertising pixels on public marketing pages, you'll have cookie controls and opt-out options.

    6. International Transfers

    We operate primarily in the United States. Where applicable, we rely on:

    • Adequacy decisions (where available), and/or
    • Standard Contractual Clauses (SCCs) for EEA/Swiss/UK transfers plus the UK Addendum, implemented in our Customer DPA and with our sub-processors.

    7. Data Privacy Framework (DPF)

    Belum complies with the EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF as set by the U.S. Department of Commerce. If there's a conflict between this Policy and the DPF Principles, the DPF Principles govern. To learn more or view our certification, see: https://www.dataprivacyframework.gov/. The U.S. FTC has jurisdiction over our DPF compliance. We remain liable under DPF for certain onward transfers to agents. Independent recourse is available via JAMS Data Privacy Dispute Resolution Program at no cost. Binding arbitration is available under DPF conditions. We may be required to disclose personal information to public authorities for lawful requests.

    8. Your Choices

    • Email marketing: opt out via the link in our emails or by contacting us. Transactional and security notices will still be sent.
    • Cookies & analytics: manage preferences through your browser/device settings. Mobile app tracking controls vary by OS.
    • AI & content training: enterprise admins can opt out of model improvement by notifying legal@belum.ai (operational processing continues to deliver the Service).
    • Do Not Track / GPC: we honor Global Privacy Control signals for state privacy opt-outs where applicable.

    9. Your Privacy Rights

    Depending on your location, you may have rights to access, correct, delete, restrict/object to processing, portability, and to withdraw consent. We'll verify requests and respond as required by law. If we process your personal information on behalf of your organization, we may redirect your request to your admin. Appeal rights are provided where required.

    Submit requests: privacy@belum.ai

    U.S. State Disclosures (including CCPA/CPRA)

    • We do not sell personal information as defined by state laws.
    • We do not share personal information for cross-context behavioral advertising from the Service.
    • Non-discrimination: we won't discriminate against you for exercising your rights.

    10. Data Retention

    We retain personal information for as long as needed to provide the Services and for legitimate business, security, and legal purposes. Upon account termination, you may export Customer Data for 30 days (except in cases of abuse/illegality/repeat infringement). We delete active copies within 90 days, with encrypted backups purged within 12 months, except where longer retention is required by law or necessary for dispute resolution.

    11. Security

    We implement appropriate technical and organizational measures to protect personal information. Good-faith security research is welcome with prior written notice to security@belum.ai and adherence to our disclosure guidelines.

    12. Children

    Our Services are for business users 18+ and are not directed to children. We do not knowingly collect personal information from children. If you believe a minor has provided personal information, contact us and we will delete it.

    13. Changes to This Policy

    We may update this Policy to reflect changes to our practices or legal requirements. We'll post the revised Policy and, where required, notify admins in advance of material changes.

    14. Contact

    Belum Inc.

    If you're in the EEA/UK and need to contact our DPO or representatives, use legal@belum.ai; representative details will be provided upon request.

    Annex: Key Definitions

    Customer Data:
    data you or your users upload or generate in the Service; you control it.
    De-identified data:
    data altered/aggregated so no individual, household, or customer organization is reasonably identifiable.
    Processor/Service Provider:
    a vendor processing personal information on our behalf under contract.
    Sub-processor list:
    Available upon request
    DPA:
    /legal/dpa

    © 2025 Belum. All rights reserved.