🚗CarAuction

Privacy Statement

Last updated: 1 June 2026

1. Who We Are

CarAuction ("we", "us", "our") operates the car auction platform at this website. We act as the data controller for personal data collected through the Platform. For data-related enquiries, contact us at [email protected].

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, phone number, password hash.
  • Activity data: bids placed, auctions won, vehicles viewed, purchases made.
  • Payment data: transaction IDs and payment status. Full card details are handled by Stripe and never stored on our servers.
  • Technical data: IP address, browser type, device identifiers, pages visited, session duration.
  • Authentication data: OAuth tokens (Google), OTP codes (temporary), refresh tokens (hashed).
  • Communications: emails or messages you send to our support team.

3. How We Use Your Data

Purpose | Legal basis
Running auctions and processing bids | Contract performance
Processing payments via Stripe | Contract performance
Sending outbid and auction-won notifications | Contract performance
Email verification and account security | Legitimate interest
Fraud detection and account lockout | Legitimate interest
Improving the Platform (analytics) | Consent
Personalised advertising | Consent
Legal compliance and record keeping | Legal obligation

4. Cookies

We use cookies and similar technologies. You can manage your preferences via the Cookie Settings panel accessible in the site footer. For details on which cookies we use, see the categories in that panel:

  • Necessary: session cookies, CSRF tokens, authentication state.
  • Analytics: aggregate usage data to improve the Platform (e.g. page view counts).
  • Marketing: interest-based advertising on partner platforms.

5. Data Sharing

We share data only with:

  • Stripe — payment processing.
  • Twilio — SMS OTP delivery.
  • Resend — transactional email.
  • Cloudflare — file storage and CDN.
  • Sentry — anonymised error reporting.
  • Law enforcement — when required by valid legal process.

We do not sell your personal data.

6. Data Retention

Account data is retained for the duration of your account plus 3 years after closure for legal and tax purposes. Bid history is retained for 7 years. Technical logs are retained for 90 days. OTP and password reset tokens are deleted immediately after use or expiry.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate data;
  • Request deletion of your data (subject to legal retention requirements);
  • Restrict or object to processing;
  • Receive your data in a portable format (data portability);
  • Withdraw consent at any time (without affecting prior processing).

Submit requests to [email protected]. We will respond within 30 days.

8. Security

We implement industry-standard security measures including TLS encryption in transit, bcrypt password hashing, rate limiting, and account lockout policies. No transmission over the internet is 100% secure; we cannot guarantee absolute security.

9. Children

The Platform is not directed at children under 18. We do not knowingly collect data from minors. If you believe we have inadvertently collected such data, contact us immediately.

10. Changes

We may update this Privacy Statement periodically. Material changes will be communicated via email. The "Last updated" date at the top of this page reflects the latest revision.
