Privacy Policy — ExitBid Online Business Auction Platform

1. Information We Collect

1.1 Account Data

When you create an account, we collect information you provide, including:

Display name and email address
Password (stored securely using industry-standard hashing)
Profile information (bio, avatar, phone number if provided)

1.2 Usage Data

We automatically collect certain information when you use the Platform:

IP address and approximate geolocation
Browser type, operating system, and device information
Pages visited, features used, and time spent
Referral source and search queries
Bid history and transaction records

2. How We Use Information

We use the information we collect for the following purposes:

Service delivery — Operating the Platform, processing transactions, and managing your account
Communication — Sending notifications about your auctions, bids, and important account updates
Improvement — Analyzing usage patterns to improve features, performance, and user experience
Security — Detecting and preventing fraud, abuse, and unauthorized access
Legal compliance — Meeting our legal obligations and enforcing our Terms of Service

3. Data Sharing

          We do not sell your personal data. We never have and never will sell your information to third parties for marketing or advertising purposes.
        

We may share information in limited circumstances:

With transaction counterparties — Limited information shared between buyers and sellers as needed to complete transactions
Service providers — Third parties who help us operate the Platform (payment processors, hosting providers, analytics)
Legal requirements — When required by law, legal process, or governmental request
Business transfers — In connection with a merger, acquisition, or sale of assets (with prior notice)

3.1 Service Providers

We use the following third-party providers who process data on our behalf:

Provider	Purpose	Data shared
Supabase	Database, authentication	Account data, content
Cloudflare	Hosting, CDN, DDoS protection	IP address, request metadata
Stripe	Card payment processing	Email, billing info, transaction data
NowPayments	Cryptocurrency payment processing	Transaction data
Resend	Transactional email delivery	Email address, email content

Each provider is bound by data processing agreements and processes data only for the purposes described above.

3.2 Legal Basis for Processing (GDPR)

Purpose	Legal basis
Account creation and management	Contract performance
Listing publication and auction operation	Contract performance
Payment processing	Contract performance
Transactional notifications (bids, auction status)	Contract performance
Fraud prevention and shill-bid detection	Legitimate interest
Platform improvement and usage analysis	Legitimate interest
Tax reporting and legal compliance	Legal obligation

3.3 Data Retention

Data category	Retention period
Account data	Until account deletion + 30 days
Listing and auction records	7 years (legal/tax obligation)
Payment records	7 years (legal/tax obligation)
Support communications	3 years from resolution
Moderation logs (bans, warnings)	Duration of platform operation
IP addresses (security logs)	90 days

After account deletion, we may retain anonymized or aggregated data that can no longer identify you.

4. Data Security

We implement industry-standard security measures to protect your information:

Encryption — All data transmitted to and from ExitBid.io is encrypted in transit and at rest
Access controls — Strict internal access policies limit who can view user data
Regular audits — We conduct periodic security reviews and vulnerability assessments

While we take extensive precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

5. Cookies

ExitBid.io uses minimal browser storage:

Authentication — Session tokens required for login and account access (strictly necessary)
Preferences — Local storage for UI settings such as dismissed notices

We do not use third-party tracking cookies, advertising pixels, or cross-site identifiers. All storage is functionally necessary to operate the Platform.

6. Your Rights

You have the following rights regarding your personal data:

Access — Request a copy of all personal data we hold about you
Correction — Update or correct inaccurate information
Deletion — Request deletion of your account and personal data (subject to legal retention requirements)
Export — Receive your data in a portable, machine-readable format
Opt-out — Unsubscribe from marketing communications at any time

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

6.1 California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the following additional rights:

Right to know — What personal information we collect, the sources, the business or commercial purpose for collection, and the third parties with whom we share it.
Right to delete — Request deletion of personal information we have collected (subject to statutory exceptions).
Right to correct — Request correction of inaccurate personal information.
Right to opt-out of sale or sharing — ExitBid.io does not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of because we don't engage in this practice in the first place.
Right to limit use of sensitive personal information — Request that we limit the use or disclosure of any sensitive personal information we collect.
Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your California rights, email [email protected] with the subject line "CCPA Request". We will verify your identity and respond within 45 days (extendable by 45 days with notice).

6.2 European Union & United Kingdom Residents (GDPR / UK GDPR)

Under the General Data Protection Regulation (GDPR) and the UK GDPR, residents of the European Economic Area, United Kingdom, and Switzerland have the following rights:

Right of access — Obtain confirmation that we process your personal data and receive a copy.
Right to rectification — Have inaccurate personal data corrected.
Right to erasure ("right to be forgotten") — Request deletion of your personal data.
Right to restriction of processing — Restrict how we use your data under certain conditions.
Right to data portability — Receive your data in a structured, commonly used, machine-readable format.
Right to object — Object to processing based on legitimate interests, including profiling for direct marketing.
Rights in relation to automated decision-making — Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Right to lodge a complaint — File a complaint with your local supervisory authority if you believe your data is being handled unlawfully.

Legal basis for processing: We process personal data under the following GDPR bases — (a) performance of a contract (operating the Platform and processing transactions), (b) legitimate interests (fraud prevention, service improvement, security), (c) consent (marketing communications, where applicable), and (d) legal obligation (tax, regulatory, and law-enforcement requirements).

International transfers: Personal data may be processed in the United States and other countries where our service providers operate. Where required, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards approved by the European Commission.

To exercise your GDPR/UK GDPR rights, email [email protected] with the subject line "GDPR Request". We will respond within 30 days.

7. Contact

For privacy-related questions or concerns:

Privacy inquiries: [email protected]
General support: [email protected]