
GDPR Statement
This GDPR Statement describes how BidFinance applies GDPR principles to the BidFinance 2.0 platform, websites, and related business communications.
1. Purpose
1.1. This Statement is a general compliance document. Detailed notices for data subjects are provided in the Privacy Policy, Cookie Policy, platform terms, registration flows, invitations, and marketing communications where applicable.
1.2. BidFinance reviews this Statement when the platform, providers, processing categories, supported countries, or legal requirements materially change.
2. Controller
2.1. The controller is BidFinance spolka z ograniczona odpowiedzialnoscia, ul. Kacik 4, 30-549 Krakow, Poland. Privacy questions may be sent to info@bidfinance.pl or the current privacy contact published by BidFinance.
2.2. BidFinance may act as controller for platform users, seller and buyer representatives, company administrators, internal users, potential customers, suppliers, business partners, marketing contacts, and persons whose data appears in materials processed through auction and transaction workflows.
3. Data Categories
3.1. BidFinance processes account and profile data, company and contact data, security and authentication data, session data, two-factor authentication metadata, auction and transaction records, bids, auto-bid settings, uploaded files, Q&A, private messages, announcements, official offers, reports, notifications, email delivery records, marketing contact records, unsubscribe records, audit events, and technical diagnostics.
3.2. The platform may also process personal data included in files or messages uploaded by sellers, buyers, internal users, or other authorised participants.
4. Purposes And Legal Bases
4.1. Personal data is processed to create accounts, manage access, authenticate users, operate auctions, exchange documents, support bids and transactions, generate reports, deliver notifications, provide support, maintain security, prevent misuse, keep audit trails, comply with legal obligations, handle claims, and maintain B2B marketing contacts.
4.2. The legal bases may include performance of a contract, steps before entering a contract, legitimate interests, legal obligations, and consent where required by applicable electronic communication or marketing rules.
5. Processors And Recipients
5.1. Data may be accessed by authorised BidFinance personnel, the company represented by the user, relevant seller or buyer users involved in an auction or transaction, advisers, public authorities where required by law, and selected service providers.
5.2. Technical providers may include hosting, database, Redis, Azure Blob Storage, SMTP/email, Azure Communication Services, Messaging Connect or Infobip SMS routes, malware scanning, monitoring, backups, security, and platform maintenance providers, depending on the configured environment.
6. Transfers, Retention, And Rights
6.1. BidFinance aims to use infrastructure suitable for European business processing. If personal data is transferred outside the EEA, BidFinance relies on an adequacy decision, standard contractual clauses, or another lawful transfer mechanism under the GDPR.
6.2. Data is retained for as long as necessary for platform operation, auditability, legal obligations, dispute resolution, security, and claims. Data subjects may exercise the rights provided by the GDPR, including access, rectification, erasure, restriction, portability, objection, withdrawal of consent where applicable, and complaint to the competent supervisory authority.
7. Security And Accountability
7.1. BidFinance applies technical and organisational measures appropriate to risk, including HTTPS, role-based access control, least privilege, hashed passwords and session tokens, secure session cookies, upload limits, file type controls, authenticated document downloads, audit logging, environment separation, and configurable malware scanning.
7.2. BidFinance maintains accountability documentation, including records of processing activities, processor records, security policies, retention rules, incident procedures, data-subject request procedures, and evidence of training for personnel with access to personal data.
