AuctionIQ
Privacy
Effective April 29, 2026

Privacy Policy

A plain-English document. Defined terms are bolded. Headings are linked from the table of contents below.

Table of contents
  1. § 01Introductionp. 01
  2. § 02Information you providep. 02
  3. § 03Information collected automaticallyp. 03
  4. § 04Information from third partiesp. 04
  5. § 05Comparable sales datap. 05
  6. § 06How we use your informationp. 06
  7. § 07No sale of personal datap. 07
  8. § 08AI, machine learning, and model improvementp. 08
  9. § 09What we send to AI providersp. 09
  10. § 10No automated decisions with legal effectp. 10
  11. § 11How we share your informationp. 11
  12. § 12Legal disclosures and business transfersp. 12
  13. § 13User content and license to usp. 13
  14. § 14Limits on publication of user contentp. 14
  15. § 15SMS, phone numbers, and TCPA consentp. 15
  16. § 16SMS content and retentionp. 16
  17. § 17Data retentionp. 17
  18. § 18Securityp. 18
  19. § 19Cookies and tracking technologiesp. 19
  20. § 20Cookie choices and Do-Not-Trackp. 20
  21. § 21Your rights and choicesp. 21
  22. § 22Exercising your rightsp. 22
  23. § 23California residents (CCPA / CPRA)p. 23
  24. § 24EEA, UK, and similar jurisdictions (GDPR)p. 24
  25. § 25GDPR rights and complaintsp. 25
  26. § 26Children's privacy (COPPA)p. 26
  27. § 27International transfersp. 27
  28. § 28Changes to this policyp. 28
  29. § 29Contact usp. 29
§ 01

Introduction

AuctionIQ is operated by Apex Technology LLC ("we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the AuctionIQ platform and any related services (collectively, the "Service").

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, do not use the Service.

Short version. We collect only what we need to operate the Service, we do not sell your personal data, and we give you controls to manage and delete your information. We do use aggregated, de-identified content you submit to improve our valuation, extraction, and identification models — see §4.

§ 02

Information you provide

2.1 Information you provide. When you register and use the Service, you may provide:

  • Account information — email address, display name, password (stored as a bcrypt hash), profit/ROI/fee defaults, preferred AI provider, and market/ZIP preferences
  • Phone number (optional) — only if you choose to add one to your profile, primarily to receive SMS alerts
  • SMS consent metadata — if you opt in to SMS alerts, we record the timestamp, the phone number consent was given for, and the disclosure-text version, as required by the TCPA and to prove the consent was captured (see §7)
  • Auction and lot data — auction-house names, URLs, lot titles, descriptions, bid amounts, end times, purchase prices, taxes, premiums, condition notes, quantities, and resale values you enter or paste
  • Item images — photographs you upload for valuation, identification, inventory, or documentation purposes
  • Invoices and receipts — PDFs or other files you upload for automated extraction of lots won, hammer prices, premiums, taxes, and totals
  • URLs and pasted text — links or content you submit to Smart Import or similar features for parsing
  • Barcode / UPC / EAN values — captured when you scan or submit a barcode for item identification
  • Payment information — handled by our third-party payment processor (Stripe); we receive tokens and billing metadata (plan, period, status) but do not store full card numbers
  • Communications — messages, feedback, or support requests you send to us, including email contents you forward (e.g., auction receipts)
§ 03

Information collected automatically

2.2 Information collected automatically. When you use the Service, we automatically collect:

  • Log data — IP address, browser type, operating system, referring URLs, and pages visited
  • Usage data — features used, actions taken, session duration, and performance telemetry (e.g., page-load and web-vitals metrics)
  • Device identifiers — browser fingerprint and device type, primarily for security and rate limiting
  • Error and crash reports — stack traces and session context, used to diagnose issues
  • Cookies and similar technologies — see §10
§ 04

Information from third parties

2.3 Information from third parties. If you sign in via a third-party OAuth provider (Google, Microsoft / Azure AD, Apple), we receive:

  • Your name and email address as provided by that service
  • A unique identifier from the provider — we do not receive or store your password for that service
  • Profile image URL, where made available
§ 05

Comparable sales data

We also retrieve comparable sales data from third-party sources (e.g., eBay, LiveAuctioneers, Reverb, Discogs, public auction records) to power valuations and market-insights features. That data relates to items, not individuals, and is stored at the account level only to the extent needed to serve your queries — but is used in aggregate to build a shared comp dataset (see §4).

§ 06

How we use your information

We use the information we collect to:

  • Provide, operate, and maintain the Service and your account
  • Generate AI-assisted fair-market-value estimates based on your item data
  • Run automated extraction and identification features — parsing auction pages, invoices, images, and barcodes into structured lot records
  • Process and manage your auction-lot tracking, bid records, inventory, and post-sale workflow
  • Send transactional communications — account verification, password resets, SMS-consent confirmations, billing receipts, and service notifications
  • Send optional alert communications you have opted into — including in-app, email, and (with explicit TCPA consent) SMS alerts
  • Respond to your support requests and inquiries
  • Monitor and improve the accuracy of our valuation, extraction, and identification models using aggregated or de-identified data (see §4)
  • Detect, investigate, and prevent fraud, abuse, and security incidents
  • Enforce our Terms of Service and meet our legal obligations (tax, accounting, dispute response)
§ 07

No sale of personal data

We do not sell your personal information.

§ 08

AI, machine learning, and model improvement

AuctionIQ uses AI and machine-learning models throughout the Service — for valuation, semantic search, automated extraction, image identification, and barcode lookup. This section explains what data goes where.

4.1 Third-party AI providers (inference). We send certain content you submit to third-party AI providers to generate Service outputs. These providers are contractually bound to use data only to serve our requests and are not permitted to train their general foundation models on your content:

  • OpenAI — used for valuation reasoning and extraction prompts, depending on your preferred provider
  • Anthropic — used for valuation reasoning and extraction prompts, depending on your preferred provider
  • Google Cloud Vision — used for image-based identification (logo, label, text, and web detection) when you use the item-identification feature
§ 09

What we send to AI providers

Content sent to these providers may include item descriptions, photos, invoice text, auction URLs, and pasted listing text, as needed to produce the requested output. We do not send your email address, phone number, or payment details to these providers.

4.2 Our own models and comp data. We use aggregated or de-identified data derived from your User Content to improve our in-house valuation, extraction, and identification systems, including:

  • Training and tuning in-house retrieval, embedding, and ranking models
  • Improving automated parsing of auction pages, invoices, and images
  • Building and refining a shared comparable-sales ("comp") dataset that powers valuations for all users, including market-insights dashboards
  • Calibrating confidence thresholds and category-specific similarity thresholds
§ 10

No automated decisions with legal effect

Aggregated and de-identified data used for these purposes is stripped of account identifiers before use in model training or published analytics. We will not publicly attribute identifiable User Content to you without your permission.

4.3 No automated decisions with legal effect. Outputs of our AI systems — valuations, bid recommendations, identifications, extracted invoice data — are informational aids only. They are not used to make decisions about you that produce legal or similarly significant effects (such as credit, employment, or insurance eligibility). You are always responsible for reviewing outputs before acting on them (see Terms of Service §4 and §6). This commitment is consistent with the rights of EEA / UK data subjects under Article 22 of the GDPR.

§ 11

How we share your information

5.1 Service providers. We share information with trusted vendors who help us operate the Service. Each is contractually bound to use your data only as directed, to maintain appropriate security, and not to sell or repurpose it:

  • Cloud hosting and database — Render (web/worker hosting), managed PostgreSQL, managed Redis, and Cloudflare R2 (object storage for images)
  • Payment processing — Stripe (subscription billing and payment-method management)
  • Email delivery — SendGrid (transactional and alert emails)
  • SMS delivery — Twilio (alert SMS, only after explicit consent — see §7)
  • AI inference — OpenAI, Anthropic, Google Cloud Vision (see §4.1)
  • Reference data — Discogs, barcode-lookup providers (for item identification)
  • Error tracking and performance monitoring — Sentry; product analytics — Plausible
  • Authentication — Google, Microsoft, Apple (only if you sign in via OAuth)
§ 12

Legal disclosures and business transfers

5.2 Legal requirements. We may disclose your information if required by law, subpoena, court order, or other governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or ensure the safety of our users or the public.

5.3 Business transfers. If Apex Technology LLC is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service prior to the transfer and any change in the applicable privacy policy.

5.4 Aggregated / de-identified data. We may publish or share aggregated or de-identified information that cannot reasonably be used to identify you — for example, category-level valuation trends or source-coverage statistics.

We do not sell personal data. We do not sell, rent, or trade your personal information to third parties.

§ 13

User content and license to us

You retain ownership of the content you upload to or create within the Service — including item descriptions, photos, invoices, notes, and lot data ("User Content"). As described in our Terms of Service §12, you grant us a limited license to host, store, reproduce, process, transmit, display, and modify User Content solely to:

  • Operate and provide the Service to you
  • Improve the Service, including training and tuning internal valuation, extraction, and identification models on aggregated or de-identified data
  • Generate anonymized, aggregated comp data and market analytics
§ 14

Limits on publication of user content

We will not publicly publish identifiable User Content of yours without your permission, except as necessary to operate the Service (for example, to generate shareable links you explicitly create).

§ 15

SMS, phone numbers, and TCPA consent

SMS (text-message) alerts are opt-in only. You can use the Service without ever providing a phone number.

Before we send you any SMS alerts, we capture your affirmative consent through an in-app disclosure and checkbox, and we store: (a) the timestamp of your consent, (b) the exact phone number the consent applies to, and (c) the version identifier of the disclosure text you agreed to. This record exists to document compliance with the federal Telephone Consumer Protection Act (TCPA) and equivalent state laws.

  • Your phone number and consent metadata are stored on your user record and are not sold or shared with marketers
  • Your phone number is transmitted to our SMS provider (Twilio) solely to deliver messages you have opted in to receive
  • If you change your phone number on your profile, any existing SMS consent is automatically invalidated and must be re-granted
  • If we materially change the disclosure, the version bumps and your prior consent is invalidated until you re-consent
  • You can revoke consent at any time in Settings, or by replying STOP to any AuctionIQ text message
§ 16

SMS content and retention

SMS content consists of the alert types you enable in your Notification Preferences (e.g., bid exceeds your max, auction ending soon, valuation changes). We do not send marketing SMS.

SMS consent records are retained for at least four (4) years after consent revocation to defend against potential TCPA disputes, as is standard industry practice.

For a complete public-facing description of the SMS opt-in workflow, the message types we send, frequency, and opt-out instructions, see our SMS Messaging Policy.

§ 17

Data retention

We retain your account data for as long as your account is active. If you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it to comply with legal obligations (including tax and billing records), resolve disputes, or enforce our agreements.

Auction-lot and inventory data you have entered is associated with your account and will be deleted or de-identified upon account deletion. Aggregated and de-identified data (including comp data derived from your submissions) may be retained after account deletion because it is no longer associated with you.

Server logs, error reports, and security telemetry are retained for up to 90 days for security and debugging purposes. Payment records (invoices, receipts, billing history) are retained for seven (7) years for tax and accounting compliance.

§ 18

Security

We implement commercially reasonable technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These include TLS-encrypted data transmission, hashed password storage (bcrypt), JWT-based authentication with short-lived tokens, row-level tenant isolation, access controls limited to authorized personnel, admin audit logging, and network isolation of production services.

No method of internet transmission or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

Breach notification. In the event of a confirmed data breach that materially affects your rights, we will notify affected users within 72 hours in accordance with applicable law.

§ 19

Cookies and tracking technologies

10.1 What we use. We use the following types of cookies and similar storage:

  • Essential cookies and local storage — required for authentication, session management, and CSRF protection (e.g., JWT-token storage)
  • Usage analytics — Plausible, a privacy-respecting, cookie-free aggregate analytics tool, used to understand which features are used and where users encounter problems.
  • Measurement and advertising tags — Google Tag Manager loads tags including Google Analytics 4, Google Ads, and Meta Pixel to measure sign-ups, subscription conversions, and campaign performance; user identifiers sent to these tags are hashed, and Consent Mode v2 is applied for EU and UK visitors.
  • Error and performance telemetry — Sentry error reporting and web-vitals capture; session replay may be enabled at low sampling rates
§ 20

Cookie choices and Do-Not-Track

10.2 Your choices. You can control cookies through your browser settings. Disabling essential cookies will prevent the Service from functioning properly. We do not currently respond to Do Not Track signals.

§ 21

Your rights and choices

Depending on your location, you may have the right to:

  • Access — request a copy of the personal information we hold about you
  • Correction — request that we correct inaccurate or incomplete information
  • Deletion — request that we delete your personal information, subject to legal retention requirements
  • Portability — request your data in a structured, machine-readable format
  • Objection — object to certain processing activities
  • Restriction — request that we restrict processing of your data in certain circumstances
  • Withdrawal of consent — withdraw consent for SMS alerts or other consent-based processing at any time
§ 22

Exercising your rights

To exercise any of these rights, contact us at support@auctioniq.net. We will respond within 30 days (or 45 days where applicable law permits an extension for complex requests). We may need to verify your identity before fulfilling your request.

§ 23

California residents (CCPA / CPRA)

11.1 California residents. If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA / CPRA), including:

  • The right to know what categories of personal information we collect, the sources, the purposes, and the third parties with whom we share it (described in §2, §3, §4, and §5 above)
  • The right to delete personal information we have collected from you, subject to legal retention exceptions
  • The right to correct inaccurate personal information we maintain
  • The right to limit use of sensitive personal information
  • The right to opt out of sale or sharing for cross-context behavioral advertising
  • The right to non-discrimination for exercising any of the above
§ 24

EEA, UK, and similar jurisdictions (GDPR)

11.2 EEA / UK / GDPR. If you are in the EEA, UK, or a similar jurisdiction, the legal bases on which we process your personal information are:

  • Performance of a contract — operating the Service, processing your subscription, and delivering features you have requested
  • Legitimate interests — fraud prevention, security, service improvement, and model training on de-identified data, balanced against your rights and freedoms
  • Consent — SMS alerts, optional features, and any other processing where we ask for explicit opt-in
  • Compliance with legal obligations — tax, accounting, and regulatory record-keeping
§ 25

GDPR rights and complaints

EEA / UK data subjects have the right to access, correct, erase, restrict, port, and object to processing of their personal data, and to withdraw consent at any time. You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (GDPR Article 22) — see §4.3 for our commitment on this point.

You may lodge a complaint with the supervisory authority in your jurisdiction.

§ 26

Children's privacy (COPPA)

The Service is not directed to children under the age of 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from children under that age, consistent with the Children's Online Privacy Protection Act (COPPA).

Our Terms of Service additionally require that users be at least 18 years old (or the age of majority in their jurisdiction) to use the Service. If we learn that we have collected personal information from a child in violation of this policy, we will delete it promptly. If you believe we may have collected such information, please contact us at support@auctioniq.net.

§ 27

International transfers

The Service is operated in the United States. If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the United States or other countries where our service providers operate. Laws in those countries may differ from the laws of your country of residence.

For transfers from the EEA, UK, or Switzerland to the United States, we rely on appropriate safeguards (such as Standard Contractual Clauses) where required by applicable law. By using the Service, you consent to this transfer.

§ 28

Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a prominent notice in the Service at least 30 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

§ 29

Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: