Privacy Policy
Last Updated: February 6, 2026
Your privacy is important to us. This Privacy Policy describes how BidBolt LLC ("BidBolt," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use our website at BidBolt.app, our mobile applications, and related services (collectively, the "Services"). It also explains your legal rights with respect to that information.
- We may review, update, and amend this Privacy Policy from time to time, consistent with our business needs and applicable laws. We encourage you to check back periodically for updates. Your continued use of the Services after changes are posted constitutes your acceptance of the updated Privacy Policy. We are the data controller of your information.
- You may choose not to provide certain optional Personal Data; however, withholding it may limit our ability to provide you with the full scope of our Services or the best possible user experience.
- By using the Services, you confirm that you have read and understood this Privacy Policy and our Terms of Service (together, the "Agreement"). The Agreement governs your use of BidBolt.app. We will collect, use, and maintain information consistent with the Agreement.
What Personal Data Do We Collect?
When using our Services — including bidding on auctions, purchasing products, or participating in livestream events — you may be asked to create an account and provide personal information. Below is a summary of the categories of data we collect:
Information You Provide Directly
- Account Data: To use features such as placing bids, you must create an account. We collect your first name, last name, username, email address, and password, and assign you a unique account identifier.
- Profile and Contact Data: You may optionally provide a phone number (for SMS or WhatsApp notifications), billing address, shipping address, and a profile avatar image. Your decision to provide this data is voluntary, but withholding it may limit certain features.
- Financial Data: We collect limited payment information to process transactions. Most financial data is handled by our payment processor, Square (Block, Inc.). We store only tokenized card references (card brand, last four digits, expiration date, and billing ZIP code) — we never store full card numbers. Please review Square's Privacy Policy here to understand how they handle your payment data.
- Digital Signatures: When you pick up items won at auction, we may capture a digital signature to confirm receipt. This signature is stored securely in association with your order record.
- User-Generated Content: If you use our support ticket system, participate in livestream chat, or submit refund requests, the text content you provide is stored and associated with your account.
- Notification Preferences: You may configure per-category notification preferences (e.g., outbid alerts, pickup reminders) across email, push notification, and SMS channels. These preferences are stored with your account.
Information Collected Automatically
- Log and Usage Data: Our servers automatically collect diagnostic and performance information when you access the Services, including your IP address, browser type, device information, pages viewed, actions taken, timestamps, and error reports.
- Device Data: We collect information about the device you use to access the Services, such as device type, operating system, unique device identifiers, and mobile carrier information.
- Push Notification Tokens: If you enable push notifications (on web or mobile), we store a device token issued by Firebase Cloud Messaging (FCM) to deliver notifications to your device. You can disable push notifications at any time through your browser or device settings.
Information from Device Features
- Camera Access: Our mobile app may request camera access to scan product barcodes (UPC codes) for inventory lookup. Camera data is processed locally on your device and is not transmitted to our servers. No photos are taken or stored unless you explicitly upload an image (e.g., a profile avatar).
Children's Data
We do not knowingly collect data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of a minor and consent to such minor's use. If we learn that personal information from a user under 18 has been collected, we will take reasonable measures to delete it promptly. If you become aware of any such data, please contact us.
Third-Party Service Providers
We use the following third-party services to operate and improve the Services. Each provider receives only the minimum data necessary to perform its function:
- Google Cloud Platform & Firebase: Our infrastructure provider. Handles data storage (Cloud Firestore), user authentication (Firebase Auth), file storage (Cloud Storage), push notifications (Firebase Cloud Messaging), and server-side processing (Cloud Functions). All data is stored in the United States (us-central1 region). See Google's Privacy Policy here.
- Square (Block, Inc.): Our payment processor. Receives tokenized payment card data, billing information, and customer identifiers to process charges, refunds, and saved payment methods. See Square's Privacy Policy here.
- Brevo (Sendinblue): Our messaging platform. Receives email addresses, phone numbers, and names to send transactional emails (e.g., order confirmations, bid notifications), marketing campaigns, SMS notifications, and WhatsApp messages. Brevo also provides delivery analytics (e.g., whether an email was opened or bounced) for internal service quality purposes. See Brevo's Privacy Policy here.
- Google Gemini AI (via Genkit): We use Google's Gemini AI model to power product-related features, including generating optimized auction listing descriptions, extracting product information from uploaded images, and providing customer support assistance. Product images and text content may be sent to Google's AI services for processing. No user PII (names, emails, etc.) is sent to the AI model. See Google's AI Privacy terms here.
- Google Cloud Vision: We use Google's image analysis service to moderate uploaded profile avatars for inappropriate content (SafeSearch). Only image files are sent for analysis — no user PII is included.
- LiveKit: When livestream auction features are enabled, we use LiveKit as our video streaming infrastructure. Your unique account identifier is used to generate a session access token — no other personal data is shared with LiveKit. See LiveKit's Privacy Policy here.
- Cloudflare: We use Cloudflare to serve and cache media assets (product images) via a content delivery network. Cloudflare processes standard web request data (IP addresses, request headers) but does not receive user account information. See Cloudflare's Privacy Policy here.
How Do We Use Your Information?
We process personal data to operate, improve, understand, and personalize our Services. Specifically, we use your data for the following purposes:
- To create, maintain, and secure your account.
- To process bids, payments, refunds, and order fulfillment.
- To send transactional communications, including bid confirmations, outbid alerts, won-auction notifications, pickup reminders, and order receipts via email, push notification, SMS, or WhatsApp based on your preferences.
- To send promotional emails, newsletters, and marketing materials (with your consent).
- To power AI-assisted features such as optimized listing descriptions, product information extraction from images, and customer support assistance.
- To moderate uploaded content (e.g., profile avatars) for compliance with our community standards.
- To enable real-time features such as live bidding updates and livestream auction participation.
- To personalize your experience and deliver content relevant to your interests.
- To analyze usage trends and improve our website, mobile app, and service offerings.
- To detect and prevent fraud, abuse, and illegal activity.
- To respond to law enforcement requests and comply with applicable law, court orders, or governmental regulations.
We will not collect additional categories of Personal Data or use collected data for materially different, unrelated, or incompatible purposes without providing you notice.
Does BidBolt Share My Personal Information?
We do not sell your personal information to third parties. BidBolt shares personal information only as described below:
- Service Providers: We share data with the third-party providers listed above (Square, Brevo, Google Cloud, LiveKit, Cloudflare) solely to perform their contracted functions. Each provider is contractually obligated to protect your data and prohibited from using it for any purpose other than the services they provide to us.
- Business Transfers: If BidBolt is involved in a merger, acquisition, or sale of assets, user information may be transferred as part of that transaction. Any successor entity will remain subject to the commitments in this Privacy Policy unless you consent otherwise.
- Legal Compliance and Protection: We may disclose personal information to comply with applicable law, respond to valid legal process, enforce our Terms of Service, or protect the rights, property, or safety of BidBolt, our users, or the public. This includes sharing data with other organizations for fraud prevention.
Cookies and Similar Technologies
We use a small number of first-party cookies that are essential to the operation of our Services. We do not use third-party advertising or tracking cookies.
Cookies We Use
- Authentication Cookies (Strictly Necessary): Set by Firebase Auth to maintain your login session. Without these, you would need to sign in on every page visit. These cannot be disabled while using the Services.
- Preference Cookies (Functional): We set a small number of cookies to remember your preferences, such as sidebar layout state (expires after 7 days) and whether you have previously visited the site (expires after 1 year). These enhance your experience but do not track you across other websites.
We do not use performance tracking cookies, targeting cookies, or any cookies that build advertising profiles. No data from our cookies is shared with third-party advertisers.
Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with the Services. Specific retention periods include:
- Account Data: Retained for the lifetime of your account. If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law.
- Transaction Records: Order history, payment records, and bid history are retained for a minimum of 7 years for tax, legal, and regulatory compliance purposes.
- Push Notification Tokens: Device tokens are automatically removed when they become invalid or when you disable notifications.
- Support Tickets and Chat Messages: Retained for up to 3 years after resolution for quality assurance and dispute resolution purposes.
- Server Logs: Automatically purged after 90 days.
Your Legal Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete data.
- Deletion: Request deletion of your personal data where there is no compelling reason for continued processing. Note that some data may be retained as required by law (see Data Retention above).
- Objection: Object to processing of your data for direct marketing purposes or where we are relying on a legitimate interest.
- Restriction: Request that we suspend processing of your data in certain circumstances, including:
  - You believe the data is inaccurate and want us to verify it.
  - Our use of the data is unlawful, but you prefer restriction over deletion.
  - You need us to retain data for legal claims even though we no longer require it.
- Data Portability: Request a copy of your data in a structured, machine-readable format.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time. This will not affect the lawfulness of processing performed before withdrawal.
To exercise any of these rights, contact us at [email protected]. We will respond to verified requests within 30 days.
How to Opt Out of Communications
- Promotional Emails: You may opt out by clicking the "unsubscribe" link in any promotional email, or by updating your notification preferences in your account settings.
- Push Notifications: Disable push notifications through your browser settings or your mobile device's notification settings.
- SMS and WhatsApp: Reply STOP to any SMS message, or update your notification preferences in your account settings. You may also contact us directly to opt out.
Please note that you cannot opt out of transactional communications (e.g., order confirmations, payment receipts) as these are necessary to fulfill our contractual obligations to you.
Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Because no industry standard for DNT compliance has been adopted, our Services do not currently respond to DNT signals. However, as noted above, we do not use third-party tracking or advertising cookies, and we do not track your activity across other websites.
How Do We Protect Your Information?
- We implement industry-standard administrative, physical, and technical security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
- All data in transit is encrypted using TLS (Transport Layer Security). Sensitive data at rest is encrypted using Google Cloud's default encryption mechanisms.
- Payment card information is tokenized by Square before reaching our systems — we never receive, process, or store full card numbers.
- Access to personal information is restricted to authorized personnel who require it for legitimate business purposes and who are bound by confidentiality obligations.
- We use automated content moderation (Google Cloud Vision SafeSearch) to screen uploaded images for inappropriate content.
- While we strive to use commercially acceptable means to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously review and improve our security practices.
- Unauthorized access to or misuse of personal information stored on our systems is a violation of law, and BidBolt will investigate and pursue all available legal remedies against any party responsible for such unauthorized access.
Mobile Application
BidBolt is available as a mobile application for iOS and Android. In addition to the data collection described above, the mobile app may request the following device permissions:
- Camera: Used to scan product barcodes. Images are processed locally on your device and are not transmitted to our servers unless you explicitly upload them.
- Push Notifications: Used to deliver real-time auction alerts and order updates. You can grant or revoke this permission at any time through your device settings.
The mobile app does not access your contacts, GPS location, microphone, or filesystem beyond the permissions described above.
Contact Details
BidBolt
- Email: [email protected]
If you are submitting a request on behalf of another person, you must provide proof of authorization to act on their behalf. We may ask the individual to verify their identity directly with us. We may deny a request from an authorized agent that does not provide adequate proof of authorization.