1. Controller And Contact

1.1.The controller of your personal data is BidFinance spolka z ograniczona odpowiedzialnoscia, ul. Kacik 4, 30-549 Krakow, Poland, entered in the register of entrepreneurs under KRS number 0000975000, NIP 6793240675, REGON 522206447.

1.2.You can contact BidFinance about privacy matters by email at info@bidfinance.pl or by post at the address above with the note "Personal data".

2. Scope Of This Policy

2.1.This Policy applies to personal data processed when you visit BidFinance websites, access the BidFinance platform, use an account, act for a company participating in auctions, exchange documents or messages, submit bids or official offers, receive service or marketing communications, or contact BidFinance.

2.2.Capitalised terms not defined in this Policy have the meanings given to them in the applicable BidFinance terms and conditions or platform rules.

3. How We Obtain Data

3.1.We usually receive personal data directly from you, for example when you register, accept legal documents, use the platform, submit a question, upload a document, configure two-factor authentication, sign an official offer, or contact us.

3.2.We may also receive your data from the company you represent, another authorised user of that company, a BidFinance internal user, a seller or buyer involved in a platform process, a marketing contact source, LinkedIn, or a service provider supporting platform operation.

4. Categories Of Personal Data

4.1.We process account and profile data, including first name, last name, business email address, phone number, company affiliation, job title or role, permissions, administrator status, country assignment, language preference, account status, invitation details, password hashes, acceptance timestamps for legal documents, and two-factor authentication settings.

4.2.We process platform activity and transaction data, including auction participation, admitted buyer and seller relationships, bids, auto-bid or walkaway settings, offer selections, official-offer signatures, signer name, signer email, signer IP address, transaction milestones, reports, notifications, read status, presence or last-seen signals, workflow locks, and audit events.

4.3.We process communication and content data, including questions and answers, private messages, announcements, support correspondence, uploaded files, file names, file metadata, generated reports, document downloads, email delivery logs, marketing campaign recipients, unsubscribe records, consent notes, and contact preferences.

4.4.We process technical and security data, including IP address, user agent, session identifiers in hashed form, session timestamps, cookies or similar browser storage, CSRF/security markers, rate-limit signals, SMS challenge metadata, malware-scanning metadata, application diagnostics, and logs required to operate and secure the platform.

5. Purposes And Legal Bases

5.1.We process personal data to create and manage accounts, verify users and companies, provide secure access, authenticate users, operate auctions, support document exchange, enable questions, announcements, bids, offers, transaction workflows, reports, notifications, and customer support. Where the user acts for a company, the legal basis is usually BidFinance's legitimate interest in performing and administering the platform relationship with that company.

5.2.We process data to maintain security, prevent misuse, enforce permissions, keep audit trails, investigate incidents, run rate limits, scan uploaded files, maintain session integrity, and protect BidFinance, platform participants, and the integrity of completed actions. The legal basis is BidFinance's legitimate interest in secure and reliable platform operation.

5.3.We process data to send service emails, invitations, reminders, password resets, two-factor SMS codes, legal notices, transaction communications, and operational notifications. The legal basis is performance of platform obligations, legitimate interest, or legal obligation depending on the message.

5.4.We process data for B2B marketing, including buyer contact management, campaign preparation, campaign sending, unsubscribe handling, and contact preference management. The legal basis may be legitimate interest, consent, or another applicable basis depending on the source of the contact and the relevant communication rules.

5.5.We process data to comply with legal obligations, accounting or tax duties, regulatory requests, dispute handling, and establishment, exercise, or defence of claims. The legal basis is legal obligation or legitimate interest as applicable.

6. Cookies And Similar Technologies

6.1.BidFinance uses necessary cookies and similar browser storage to keep users signed in, maintain secure sessions, remember security context, support CSRF protection, and enable core platform functionality.

6.2.Where non-essential cookies or similar technologies are used, we apply the consent or preference rules required by applicable law, including the Polish Electronic Communications Law. More details are provided in the Cookie Policy available on the BidFinance website.

7. Recipients And Service Providers

7.1.Personal data may be shared with the company you represent, authorised users from sellers or buyers involved in a relevant auction or transaction, BidFinance internal users, support personnel, legal and accounting advisers, and public authorities where required by law.

7.2.Personal data may also be processed by selected service providers that support hosting, databases, storage, email delivery, SMS delivery, malware scanning, monitoring, security, backups, and platform maintenance. Current technical integrations may include PostgreSQL and Redis infrastructure, Azure services, SMTP email providers, Azure Communication Services, Messaging Connect or Infobip routes for SMS, and malware-scanning providers where configured.

7.3.Service providers acting for BidFinance must process personal data under appropriate confidentiality, security, and data processing obligations.

8. International Transfers

8.1.BidFinance aims to use infrastructure and service providers appropriate for European business processing. Some providers or social media services may involve processing outside the European Economic Area.

8.2.Where personal data is transferred outside the EEA, BidFinance relies on an applicable transfer mechanism such as an adequacy decision, standard contractual clauses, or another safeguard allowed under the GDPR. LinkedIn processes data under its own privacy policy when you interact with BidFinance on LinkedIn.

9. Retention

9.1.Account, company, auction, transaction, document, audit, and acceptance records are kept for as long as needed to provide the platform, maintain auditability, comply with legal obligations, resolve disputes, and protect the integrity of completed platform actions.

9.2.Session, two-factor challenge, technical, security, and diagnostic records are kept for periods appropriate to security and operational needs unless a longer period is required for incident investigation, legal obligations, or claims.

9.3.Marketing contact and campaign data is kept until it is no longer needed for the relevant business purpose, the contact opts out, the data is removed during data hygiene, or another retention requirement applies. Unsubscribe or do-not-contact records may be kept to respect the opt-out.

9.4.After an account or company is deleted or deactivated, some data may still be retained where necessary for legal obligations, platform auditability, fraud prevention, dispute resolution, or establishment, exercise, or defence of claims.

10. Your Rights

10.1.Subject to the conditions set out in the GDPR, you may request access to your personal data, rectification, erasure, restriction of processing, data portability, and information about processing. Where processing is based on consent, you may withdraw consent at any time without affecting earlier lawful processing.

10.2.Where processing is based on legitimate interests, you may object to processing for reasons connected with your particular situation. You may also object to direct marketing at any time.

10.3.You can exercise your rights by contacting info@bidfinance.pl or by post at the controller address. You also have the right to lodge a complaint with the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, Poland.

11. Automated Decision-Making

11.1.BidFinance does not use personal data for decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.

12. Changes To This Policy

12.1.BidFinance may update this Privacy Policy to reflect changes in platform functionality, providers, legal requirements, or processing practices. Material changes may be communicated by email, platform notification, or another appropriate channel before or when the change becomes effective.