Privacy Policy

1. Quick summary

This policy explains what personal data we collect when you use Biddurs, why we collect it, who we share it with, and the rights you have over your data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who we are (the data controller)

Robert Scotts Commerce Ltd("Biddurs", "we") is the data controller for personal data we collect via this site. Our registered office and ICO registration number appear in the footer of the site. Contact for data protection enquiries: privacy@biddurs.com.

3. What data we collect

Account data — your email, name, phone number, business details (if you register as a business buyer), VAT number (if you provide one), and password (stored as a one-way hash; we cannot see it).

Bidding & purchase data — the bids you place, the lots you win, what you paid, when, and to which delivery address.

Payment data — we never store your full card number. Card details go directly from your browser to Stripe, our PCI-compliant payment processor. We hold only a card token (Stripe's reference), the last four digits, card brand and expiry. That token is what lets us charge your card when you win.

Communications— when you contact us by email or via the lot Q&A panel, we keep a record of the exchange.

Technical data — your IP address (used for fraud-prevention rate-limiting and security logs), browser user-agent string, and basic device info.

Marketing consent — whether you opted in to email or SMS marketing, and when.

4. Why we collect it (legal bases)

• Performance of contract — account data, bidding data, payment data and delivery address are needed to operate the auction and fulfil orders you make.
• Legal obligation — VAT, accounting and anti-money-laundering rules require us to keep certain transaction records.
• Legitimate interest — fraud prevention, debt recovery, security logs, internal analytics on overall site performance (no individual targeting).
• Consent — marketing communications, optional cookies, and any other use we ask permission for. You can withdraw consent at any time.

5. How long we keep it

• Account records — for the life of your account, then up to 7 years after closure for tax/audit purposes.
• Invoices and payment records — 7 years (HMRC requirement).
• Marketing consent log — for as long as you have an opt-in active, plus 2 years afterwards to evidence consent if challenged.
• Email verification & password-reset tokens — minutes to hours, then deleted.
• Security logs — 90 days unless an incident requires longer.

6. Who we share data with

We share data only with the third parties that help us run the platform, under written processing terms:

• Stripe (Ireland) — payment processing and card storage.
• Resend (USA) — transactional email delivery.
• Twilio / Vonage (where applicable, when SMS is enabled) — opt-in SMS delivery for ending-soon alerts.
• Vercel (USA) — site hosting.
• Railway (USA, with European DB region) — database hosting.
• Yodel / Royal Mail / DPD — delivery carriers; we share the delivery name and address only for the parcel being shipped.
• Sentry (USA, if enabled) — error monitoring; we configure it to scrub PII.

We will also share data where we're required to by law (e.g. a court order, HMRC enquiry, police request with proper authority), or where necessary to defend or pursue a legal claim (e.g. recovering an unpaid invoice). We do not sell your data to third-party advertisers.

7. International transfers

Some of our processors are based outside the UK (typically the USA). Where data is transferred outside the UK we rely on the UK's adequacy regulations (where in force), the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, and/or each processor's certification under the UK-US Data Bridge. Processors are contractually bound to UK GDPR-equivalent protection.

8. Security

• All traffic is HTTPS-encrypted in transit.
• Passwords are stored as one-way bcrypt hashes — we cannot read them.
• Payment card details are tokenised; we never see your full PAN.
• Production database access is restricted to a small number of authorised personnel with multi-factor authentication.
• We rate-limit authentication and password-reset endpoints to deter brute-force attacks.

We will notify the Information Commissioner's Office (ICO) and affected users without undue delay (and in any event within 72 hours of becoming aware) of any personal-data breach that poses a risk to your rights and freedoms.

9. Your rights (UK GDPR)

You have the right to:

• Access the personal data we hold about you (a "subject access request" or SAR).
• Rectify data you believe is inaccurate or incomplete.
• Erase data (the "right to be forgotten"), subject to our legal obligations to retain transaction records.
• Restrict processing of your data in certain circumstances.
• Object to processing based on legitimate interests, or for direct marketing (where opt-in marketing applies, simply withdraw consent).
• Data portability — receive a copy of data you've given us in a structured, machine-readable format.
• Withdraw consent at any time where consent is the legal basis.
• Complain to the ICO — see section 14.

To exercise any of these rights, email privacy@biddurs.com. We'll respond within 30 days. We may ask for identity verification before we release personal data.

10. Marketing communications

Marketing emails and SMS are opt-in only. We ask at signup and you can change the preference any time from Account → Profile & settings, or by clicking unsubscribe in any marketing message. Transactional emails (bid confirmations, invoices, dispatch notifications) are not marketing and continue regardless of marketing preferences — they're how the platform works.

11. Cookies

We use cookies in three categories:

• Strictly necessary — session, CSRF, authentication. These are essential to operate the site and don't require consent.
• Functional — remember settings like display preferences. Set only after you interact with them.
• Analytics / marketing — currently none enabled. If we add analytics or marketing pixels in future, we'll show a consent banner and only set them after you opt in.

12. Children

Biddurs is a B2B and 18+ B2C platform. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. The version number and effective date at the top will change. If we make material changes (especially to what we collect or who we share with) we'll email registered users.

14. Contact & complaints

For data protection enquiries: privacy@biddurs.com.

If you're unhappy with how we've handled your data, you have the right to complain to the UK Information Commissioner's Office: ico.org.uk/make-a-complaint. Helpline 0303 123 1113.