Last updated: 29 May 2026
Privacy Policy
We collect only the data we need to run the auction marketplace and keep it secure. We never sell your personal data, and we do not use advertising cookies or tracking pixels. You have full rights under GDPR to access, correct, or delete your information by emailing privacy@sellwiki.live.
1. Introduction & Data Controller
This Privacy Policy describes how SellWiki Operations (the Data Controller, referred to as SellWiki, we, us, or our) collects, uses, stores, and shares personal data in connection with the SellWiki online auction marketplace (the Platform). This policy applies to all users of the Platform, including visitors, registered Buyers, and registered Sellers.
SellWiki Operations is established in Italy. Our primary contact for data protection matters is privacy@sellwiki.live. We process personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) and the Italian Codice in materia di protezione dei dati personali (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018). Where we process data on behalf of users in the United Kingdom, we also observe the requirements of the UK GDPR and the Data Protection Act 2018.
2. Information We Collect
We collect personal data directly from you when you register an account, interact with the Platform, or contact us. We also collect limited data automatically when you access the Platform.
The categories of data we collect are as follows:
- Account data — your legal name, email address, bcrypt-hashed password (we never store passwords in plain text), and country of residence.
- Bid history — a record of all Bids you have placed, including Lot ID, Bid amount, timestamp, and outcome (won, outbid, or reserve not met).
- Lot listing data (Sellers only) — Lot titles, descriptions, photographs, starting prices, reserve prices, and category classifications submitted when creating a listing.
- Payment metadata — transaction identifiers, Hammer Prices, Buyer's Premium and Seller Commission amounts, payout records, and Stripe-generated payment intent identifiers. We do not store card numbers, bank account numbers, or full payment instrument details; these are held exclusively by Stripe.
- Delivery address (Buyers only) — the shipping address you provide at checkout. This is shared with the Seller for the purpose of fulfilling your Order and is not used for any other purpose.
- Preferences and settings — your display currency selection (EUR or USD), email notification preferences, and watchlist contents.
- Usage and technical data — IP address (anonymised after 30 days), browser type and version, operating system, page views, session duration, and error logs. This data is collected for security, fraud prevention, and abuse detection purposes only.
3. How We Use Your Information
We rely on the following legal bases under Article 6 GDPR for our processing activities:
- Performance of a contract (Article 6(1)(b)) — The majority of our processing is necessary to provide the auction marketplace to you. This includes maintaining your account, processing Bids, managing Lot listings, facilitating payment, processing payouts, and operating the Buyer Protection scheme. Without this processing, we cannot provide the service.
- Compliance with legal obligations (Article 6(1)(c)) — We process certain data to comply with applicable law, including anti-money-laundering regulations, tax reporting obligations, and requirements imposed by payment network operators.
- Legitimate interests (Article 6(1)(f)) — We process usage and technical data to detect and prevent fraud, abuse, shill bidding, and other prohibited conduct; to maintain Platform security; and to improve the reliability of our service. Our legitimate interests in fraud prevention and platform integrity are not overridden by your interests where we implement appropriate safeguards, including data minimisation and short retention periods for raw log data.
- Consent (Article 6(1)(a)) — We will only send you marketing or promotional emails if you have given explicit, informed consent to receive them. You may withdraw this consent at any time by clicking the unsubscribe link in any marketing email or by updating your preferences in your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
4. Third-Party Processors
We share personal data with carefully selected third-party processors who provide infrastructure services necessary to operate the Platform. Each processor is bound by a data processing agreement and may only use your data on our documented instructions.
- Stripe (Stripe Payments Europe, Limited, Ireland) — payment processing, Stripe Connect KYC, and payout services. Stripe processes card details, bank account information, and identity documents directly. Data may be transferred to Stripe, Inc. in the United States under Standard Contractual Clauses (SCCs). Stripe is an independent data controller for its own regulatory compliance purposes; see Stripe's privacy policy at stripe.com/privacy.
- Neon (Neon Inc.) — PostgreSQL database hosting. All persistent application data, including account records and bid history, is stored in Neon's EU-region infrastructure. Data does not leave the EEA in connection with Neon's provision of database services.
- Cloudflare R2 (Cloudflare, Inc.) — object storage for Lot photographs. Images are served from Cloudflare's global edge network with the EU primary storage region. Cloudflare acts as a processor under a Data Processing Addendum.
- Pusher (Pusher Ltd, UK/EU) — real-time WebSocket connections used to deliver live bid updates. Bid event data (Lot ID, current price, timestamp) is relayed through Pusher's EU-region infrastructure. No persistent personal data is stored by Pusher.
- Resend (Resend Inc., United States) — transactional email delivery (bid confirmations, auction close notifications, account emails). Email addresses and message content are transmitted to Resend under SCCs. Resend does not use your email address for its own marketing purposes.
- Upstash (Upstash Inc.) — Redis-based rate limiting for authentication and bid submission endpoints, and background job queues. Data processed by Upstash is minimal and ephemeral; Upstash operates EU-region infrastructure. No persistent personal data is stored.
- Vercel (Vercel Inc., United States) — application hosting and serverless function execution. Request logs containing IP addresses may be processed by Vercel's global edge infrastructure. These transfers are governed by Vercel's Data Processing Agreement incorporating SCCs.
We do not sell your personal data to any third party, and we do not share your data with advertisers or data brokers.
5. Cookies & Local Storage
SellWiki uses only strictly necessary cookies and a small number of functional cookies. We do not use analytics cookies, advertising cookies, or third-party tracking pixels on the Platform itself. A full list of cookies and their purposes is set out in our Cookie Policy.
Strictly necessary cookies include the authentication session token (which keeps you logged in), a CSRF protection token (which prevents cross-site request forgery attacks), and an OAuth callback URL cookie (which facilitates the sign-in flow). These cookies are first-party, session-scoped, and set by the Platform's authentication system. Under the ePrivacy Directive, strictly necessary cookies do not require prior consent because they are essential to providing the service you have requested.
6. International Transfers
Some of our third-party processors are located outside the European Economic Area. Where we transfer personal data to processors in countries that have not received an adequacy decision from the European Commission, we rely on the Standard Contractual Clauses adopted by Commission Implementing Decision 2021/914 (Module 2: Controller to Processor) to ensure an adequate level of protection for your personal data.
Specifically, data transferred to Stripe Inc. (United States), Resend Inc. (United States), and Vercel Inc. (United States) is governed by SCCs. Cloudflare, while operating a global network, stores primary Platform data in EU-region infrastructure, and transfers to Cloudflare's US entity are also covered by SCCs. Copies of the relevant SCC agreements are available on request at privacy@sellwiki.live.
7. Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, subject to the longer periods required by applicable law. Our standard retention periods are as follows:
- Account data and bid records — retained for the lifetime of your account, and for 6 years after account closure or the last transaction, to satisfy tax compliance and legal record-keeping obligations under Italian and EU law.
- Payment metadata — retained for the same period as account data (6 years after last transaction) for the same legal compliance reasons.
- Marketing consent records — retained for 3 years from the date of last activity (last email opened or last preference update), enabling us to demonstrate compliance with consent requirements.
- Technical and usage logs — IP addresses are anonymised after 30 days. Aggregated, non-personal log data may be retained indefinitely for Platform security analysis.
- Inactive accounts — if your account has had no activity for 24 consecutive months, we will notify you at your registered email address. If you do not respond within 90 days of that notification, your account will be deleted at the 36-month mark. Transaction records and data subject to legal retention requirements are anonymised rather than deleted where deletion would conflict with legal obligations.
8. Your Rights (GDPR)
Subject to applicable conditions and exceptions, you have the following rights under the GDPR in relation to your personal data:
- Right of access (Article 15) — to obtain confirmation of whether we process your personal data, and if so, a copy of that data together with information about the processing.
- Right to rectification (Article 16) — to have inaccurate or incomplete personal data corrected without undue delay.
- Right to erasure (Article 17) — to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent, or where we have no legitimate grounds for continued processing. This right is subject to overriding legal retention requirements.
- Right to restriction of processing (Article 18) — to request that we restrict processing of your data while a disputed accuracy claim or objection is resolved, or where processing is unlawful but you prefer restriction to deletion.
- Right to data portability (Article 20) — to receive your personal data in a structured, commonly used, machine-readable format (JSON), and to transmit it to another controller where technically feasible, where processing is based on consent or contract.
- Right to object (Article 21) — to object at any time to processing based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to withdraw consent — where processing is based on your consent, to withdraw that consent at any time without affecting the lawfulness of prior processing.
You can exercise your right of access and portability (download a structured copy of your data) and your right to erasure (close your account) directly and immediately from Account → Privacy & data once signed in. To exercise any other right, or if you prefer to do so by email, contact privacy@sellwiki.live with sufficient information to verify your identity and describe your request. We will respond within 30 days; for complex or numerous requests, this period may be extended by a further two months with notice to you. We do not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive.
If you are dissatisfied with our response to your request, or if you consider that our processing infringes the GDPR, you have the right to lodge a complaint with the Garante per la protezione dei dati personali (Italian Data Protection Authority), Piazza Venezia 11, 00187 Roma, or at garanteprivacy.it. You may also lodge a complaint with the supervisory authority in your EU member state of habitual residence.
9. Children
The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we hold personal data relating to a child under the age of 18 who registered without parental consent, we will delete that data promptly and close the associated account.
If you are a parent or guardian and believe that your child has registered for an account on the Platform, please contact us at privacy@sellwiki.live and we will take immediate action.
10. Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Our security measures include:
- bcrypt password hashing with a work factor appropriate to current hardware capabilities
- HTTPS (TLS 1.2 or higher) for all data in transit
- JWT-based session tokens with short expiry windows
- No storage of payment card details or bank account numbers on our systems
- Rate limiting on authentication and bid submission endpoints to prevent brute-force and automated attacks
- Audit logs for all administrative actions with access restricted to authorised personnel
- Regular review of third-party processor security practices and data processing agreements
No security measure is infallible. We cannot guarantee absolute security of data transmitted over the internet. You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly of any suspected unauthorised access.
11. Data Breaches
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Garante per la protezione dei dati personali without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. The notification will include the nature of the breach, the categories and approximate number of individuals and data records affected, the likely consequences, and the measures taken or proposed to address the breach.
Where a breach is likely to result in a high risk to your rights and freedoms — for example, if account credentials or payment metadata are exposed — we will notify you directly without undue delay in accordance with Article 34 GDPR, describing the nature of the breach, the name and contact details of our data protection contact, the likely consequences, and the measures taken to address and mitigate the breach.
12. Changes
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, changes in applicable law, or changes in the services we provide. For material changes — meaning changes that affect how we process your data in a way that may be adverse to your interests or rights — we will provide at least 30 days' prior notice by email to your registered address and by a prominent notice on the Platform homepage.
Your continued use of the Platform after the effective date of any revised Privacy Policy constitutes your acknowledgment of the changes. If you do not accept the revised policy, you should stop using the Platform and may request account deletion in accordance with your right to erasure.
13. Contact
For all data protection queries, requests to exercise your rights, or questions about this Privacy Policy, please contact us at privacy@sellwiki.live. Please include “Data Privacy Request” in the subject line and sufficient information to allow us to verify your identity.
For formal written notices concerning data protection, our postal address is: Data Protection Officer, SellWiki Operations, c/o [Registered Agent TBD], Italy. We are in the process of appointing a Data Protection Officer; in the interim, all data protection correspondence is handled by our legal team.