Privacy Policy
Last updated: February 2026
1. Who We Are
Auction Hawk ("we", "us", "our") operates the website auctionhawk.app. We are a UK-based company committed to protecting your privacy and personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller contact: [email protected]
2. Data We Collect
We collect the following categories of personal data:
- Account data: Name, email address, hashed password
- eBay authorisation data: Encrypted OAuth tokens, eBay user ID, and marketplace preferences (we never collect your eBay password)
- Bidding data: Bid amounts, auction items, schedules, and outcomes
- Usage data: Pages visited, feature usage, browser type, and IP address
- Payment data: Processed securely by our payment provider; we do not store full card details
3. How We Use Your Data
We use your personal data to:
- Provide and operate the auction sniping service
- Place bids on eBay on your behalf at times you specify
- Send notifications about bid outcomes and auction updates
- Analyse and improve our Service
- Communicate service updates and changes
- Comply with legal obligations
4. Legal Basis for Processing
We process your data under the following legal bases:
- Contract: Processing necessary to provide the Service you've signed up for
- Legitimate interest: Service improvement, fraud prevention, and analytics
- Consent: Marketing communications (which you can withdraw at any time)
- Legal obligation: Tax records and regulatory compliance
5. Data Security
We take data security seriously. All eBay OAuth tokens are encrypted at rest. Data in transit is protected using TLS encryption. We implement Row Level Security on our database to ensure customers can only access their own data. We follow OWASP security guidelines and conduct regular security reviews.
6. Data Sharing
We share data only with:
- eBay: To place bids on your behalf (via their official API)
- Infrastructure providers: Supabase (database), Vercel (hosting), Railway (backend) -- all with appropriate data processing agreements
- Payment processor: For subscription billing
We never sell your personal data to third parties.
7. Cookies
We use the following types of cookies:
- Essential cookies: Required for the Service to function (authentication, session management)
- Analytics cookies: Help us understand how visitors use our site (can be declined)
- Preference cookies: Remember your settings such as currency preference
You can manage cookie preferences via the consent banner shown on your first visit.
8. Your Rights
Under the UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing
- Request data portability
- Object to processing
- Withdraw consent at any time
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
9. Data Retention
We retain your data for as long as your account is active. After account deletion, we retain anonymised analytics data for up to 12 months. Legal and financial records are retained as required by law (typically 6 years).
10. International Transfers
Some of our infrastructure providers operate outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the ICO.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email. The "last updated" date at the top of this page indicates when the policy was last revised.
12. Contact & Complaints
For privacy inquiries: [email protected]
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.