Privacy Policy

1. Introduction

AuctionFlow, Inc. ("AuctionFlow," "we," "us," or "our") is committed to protecting your privacy and safeguarding the personal information you share with us. This Privacy Policy describes how we collect, use, disclose, and protect information when you use the AuctionFlow platform, website, mobile applications, and related services (collectively, the "Service").

We believe transparency is fundamental to trust. This policy is written in plain language so you can understand exactly what data we handle and why. If you have questions after reading this policy, please do not hesitate to contact us at the address provided at the end of this document.

2. Information We Collect

We collect information in several categories to provide, improve, and secure the Service:

Account Information

When you register for an account, we collect your name, email address, phone number, business name, billing address, and account credentials. Auction operators may also provide business registration details and tax identification numbers.

Bidding Activity

We record all bidding activity on the platform, including bids placed, bid amounts, proxy bid maximums, bid timestamps, bid retractions, and auction outcomes. This data forms part of our immutable bid audit trail and is essential for maintaining auction integrity and resolving disputes.

Payment Details

When you make payments through the platform, our PCI DSS Level 1 compliant payment processor collects payment card numbers, bank account details, and billing information. AuctionFlow does not store raw card numbers — all card data is tokenized by our payment processor.

Usage Analytics

We automatically collect technical and usage data including IP addresses, browser type and version, operating system, device identifiers, pages viewed, features used, session duration, referral URLs, and interaction patterns. This information helps us improve the Service and diagnose technical issues.

3. How We Use Information

We use collected information for the following purposes:

1. To provide, operate, and maintain the auction platform and all related services
2. To process bids, payments, settlements, and refunds
3. To verify user identity and prevent fraudulent activity, shill bidding, and unauthorized access
4. To maintain immutable bid audit trails for dispute resolution and regulatory compliance
5. To communicate with you about your account, auctions, and platform updates
6. To analyze usage patterns and improve platform performance, features, and user experience
7. To enforce our Terms of Service and protect the rights and safety of our users
8. To comply with legal obligations, court orders, and regulatory requirements
9. To send marketing communications (only with your consent, and you may opt out at any time)

4. Information Sharing

We do not sell your personal information. We may share information in the following circumstances:

Third-Party Payment Processors

We share payment information with PCI DSS compliant payment processors to facilitate transactions, process refunds, and prevent payment fraud. These processors are contractually obligated to use your information only for the purposes of providing payment services.

Auction Operators

When you register for or participate in an auction, certain information (such as your name, contact details, and bidding history for that auction) is shared with the auction operator to facilitate the transaction and post-sale logistics.

Legal Requirements

We may disclose your information when required by law, subpoena, court order, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a law enforcement request.

Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.

5. Data Security

We take the security of your data seriously and implement industry-standard safeguards to protect your information:

1. All data in transit is encrypted using TLS 1.3 protocols
2. All data at rest is encrypted using AES-256 encryption
3. Our security practices are aligned with SOC 2 Type II trust service criteria
4. We conduct annual third-party penetration testing and weekly automated vulnerability scans
5. Access to personal data is restricted to authorized personnel on a need-to-know basis
6. All employees complete mandatory annual security awareness training
7. We maintain a documented incident response plan with escalation procedures

While we strive to protect your information using commercially reasonable measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods include:

1. Account data: retained for the duration of your account plus 30 days after deletion request
2. Bid audit trail data: retained indefinitely as required for auction integrity and regulatory compliance
3. Payment records: retained for seven (7) years in accordance with financial record-keeping requirements
4. Usage analytics: retained in aggregated, anonymized form indefinitely; identifiable analytics data retained for twenty-four (24) months
5. Communication records: retained for three (3) years

7. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

1. Right of access: You may request a copy of the personal information we hold about you
2. Right to correction: You may request correction of inaccurate or incomplete personal information
3. Right to deletion: You may request deletion of your personal information, subject to legal retention requirements
4. Right to portability: You may request your data in a structured, commonly used, machine-readable format
5. Right to restrict processing: You may request that we limit how we use your data in certain circumstances
6. Right to object: You may object to processing of your data for direct marketing purposes
7. Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at privacy@getauctionflow.com. We will respond to your request within thirty (30) days. We may require identity verification before processing your request.

8. Cookies and Tracking

We use cookies and similar tracking technologies to operate the Service, remember your preferences, analyze usage, and deliver relevant content. Cookies are small data files stored on your device that help us recognize you and improve your experience.

For detailed information about the cookies we use, their purposes, and how to manage your cookie preferences, please see our Cookie Policy.

9. Children's Privacy

The AuctionFlow Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@getauctionflow.com.

10. International Data Transfers

AuctionFlow is headquartered in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers maintain facilities. These countries may have data protection laws that differ from the laws of your country.

When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, or other legally valid transfer mechanisms to ensure your data receives adequate protection.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (sent to the address associated with your account) or by posting a prominent notice on the Service at least thirty (30) days before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. The "Last updated" date at the top of this page indicates when this policy was last revised.

12. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: