Privacy Policy
Last Updated: 23 June, 2026
Governing the Collection, Use, Storage, and Processing of Personal Data across the Bidvers Website, Mobile Application, and All Associated Services
Document | Privacy Policy |
Version | 1.0 |
Effective Date | As displayed on the Platform at time of registration |
Last Updated | June 2026 |
Data Controller (Oman) | Sireen Investment Global Co. |
Data Controller (Europe) | Bee Group Technology Srl (Romania) |
Scope | Global: All Users, Vendors, Hotel Partners, and visitors to the Platform |
Platforms Covered | www.bidvers.com, Bidvers mobile application (iOS and Android), all subdomains, APIs, and related digital services |
DPO / Privacy Contact |
THIS PRIVACY POLICY DESCRIBES HOW BIDVERS COLLECTS, USES, STORES, SHARES, AND PROTECTS YOUR PERSONAL DATA. BY ACCESSING OR USING THE PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY IN ITS ENTIRETY.
TABLE OF CONTENTS
1. Introduction and Commitment to Privacy
2. Data Controllers and Contact Information
6. Legal Bases for Processing (GDPR)
8. Automated Decision-Making and Profiling
9. Data Sharing and Third-Party Recipients
10. International Data Transfers
12. Your Rights as a Data Subject
13. Rights Under Omani Data Protection Law
15. Cookies and Tracking Technologies
18. Vendor and Hotel Partner Data Responsibilities
19. Third-Party Links and Services
21. Changes to This Privacy Policy
22. Complaints and Supervisory Authorities
Schedule A: Cookie and Tracking Technology Register
Schedule B: Sub-Processor Register
Schedule C: Data Subject Rights Comparison Table
1. INTRODUCTION AND COMMITMENT TO PRIVACY
1.1 Bidvers.com ("Bidvers," "we," "us," or "our") is committed to protecting the privacy and personal data of every individual who accesses or uses the Platform, whether as a User (Bidder), Vendor, Hotel Partner, or casual visitor.
1.2 This Privacy Policy (the "Policy") describes the categories of personal data we collect, the purposes for which we process it, the legal bases for processing, the parties with whom we share it, the duration for which we retain it, and the rights you have over your data.
1.3 This Policy applies to all personal data collected through: (a) the Bidvers website at www.bidvers.com and all subdomains; (b) the Bidvers mobile application on iOS and Android; (c) all application programming interfaces (APIs), embedded widgets, and related digital services; (d) email, telephone, and other communications with Bidvers; and (e) in-person interactions at events or conferences where data is collected on behalf of Bidvers.
1.4 This Policy should be read in conjunction with our Terms of Use and Service Agreement (available at www.bidvers.com/terms-of-use) and our Cookie Policy (available at www.bidvers.com/cookie-policy), which are incorporated herein by reference.
1.5 We process personal data in accordance with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, the ePrivacy Directive 2002/58/EC as amended, the Personal Data Protection Law of the Sultanate of Oman (Royal Decree No. 6/2022), and all applicable national data protection legislation in the jurisdictions where we operate.
2. DATA CONTROLLERS AND CONTACT INFORMATION
2.1 Dual Data Controller Structure
2.1.1 Bidvers operates a dual data controller structure. The identity of the data controller responsible for processing your personal data depends on your geographic location:
| Oman Operations | European & Other Operations |
Data Controller | Sireen Investment Global Co. | Bee Group Technology Srl |
Registered Jurisdiction | Sultanate of Oman | Romania |
Applicable Data Protection Law | Omani Personal Data Protection Law (Royal Decree No. 6/2022) | GDPR (EU) 2016/679, Romanian Law No. 190/2018, and applicable national implementations |
Privacy Contact | ||
Data Protection Officer | Appointed per Omani PDPL requirements | Appointed per GDPR Article 37 requirements |
2.2 Jurisdictional Determination
2.2.1 The applicable data controller is determined by the country of registration and billing address provided during your account creation. If you are a visitor who has not registered an account, the data controller is determined by your IP-based geographic location at the time of access.
2.2.2 Users and Vendors located in the Sultanate of Oman fall under the controllership of Sireen Investment Global Co.
2.2.3 Users and Vendors located in the European Union, the European Economic Area, or any other country outside the Sultanate of Oman fall under the controllership of Bee Group Technology Srl.
2.3 Joint Controller Arrangements
2.3.1 Where both entities process the same personal data for Platform operations (for example, in cross-border auction transactions), Sireen Investment Global Co. and Bee Group Technology Srl act as joint controllers within the meaning of Article 26 of the GDPR. A joint controller arrangement agreement is in place between the two entities, and a summary of the arrangement is available upon request by contacting privacy@bidvers.com.
2.3.2 Regardless of the joint controller arrangement, you may exercise your data protection rights against and with respect to either entity.
3. DEFINITIONS
3.1 In this Policy, the following terms have the meanings set out below. Terms defined in the Terms of Use and Service Agreement have the same meaning in this Policy unless otherwise stated.
Term | Definition |
Personal Data | Any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR and the Omani PDPL. |
Special Category Data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning a person's sex life or sexual orientation (Article 9, GDPR). |
Processing | Any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction. |
Data Controller | The entity that determines the purposes and means of Processing Personal Data. |
Data Processor | An entity that processes Personal Data on behalf of the Data Controller. |
Data Subject | The natural person to whom the Personal Data relates. |
Sub-Processor | A third-party entity engaged by a Data Processor (or by Bidvers directly) to process Personal Data on behalf of Bidvers. |
Consent | A freely given, specific, informed, and unambiguous indication of the Data Subject's wishes, by which the Data Subject signifies agreement to the Processing of their Personal Data. |
Supervisory Authority | An independent public authority established by an EU member state to monitor GDPR compliance, or the relevant Omani regulatory body under the PDPL. |
4. PERSONAL DATA WE COLLECT
4.1 We collect the following categories of personal data, depending on your role on the Platform and your interactions with us:
4.2 Account and Identity Data
- Full legal name (first name, last name);
- Email address;
- Telephone number (including country code);
- Country of residence and billing address;
- Date of birth (for age verification purposes);
- Username and account password (stored in hashed, encrypted form);
- Profile photograph (optional);
- Preferred language and communication preferences.
4.3 Vendor and Hotel Partner Verification Data (KYC)
- Business registration documents, trade licences, and commercial registration numbers;
- Government-issued photo identification (passport, national ID, or equivalent);
- Proof of address (utility bill, bank statement, or equivalent);
- Tax identification number (TIN), VAT registration number, or equivalent fiscal identifier;
- Beneficial ownership information (for corporate Vendors);
- Hotel operating licences and hospitality permits (for Hotel Partners);
- Bank account details and Stripe Connect account information for payout purposes.
4.4 Financial and Transaction Data
- Payment card details (processed and stored exclusively by Stripe; Bidvers does not store full card numbers, CVVs, or sensitive cardholder data);
- Billing address associated with the payment card;
- Transaction history, including auction participation, bids placed, auctions won, amounts charged, refunds processed, and payouts received;
- Commission calculations and payout records;
- Chargeback and dispute records;
- Invoice and receipt data.
4.5 Auction and Behavioural Data
- Auction listings viewed, bid history, and watchlist activity;
- Search queries and browsing patterns on the Platform;
- Auction creation history and Lot listing details (for Vendors);
- Communication between Users and Vendors through the Platform's messaging system;
- Ratings, reviews, and feedback submitted on the Platform.
4.6 Technical and Device Data
- IP address (IPv4 and IPv6);
- Device type, model, operating system, and version;
- Browser type, version, and language;
- Screen resolution and viewport dimensions;
- Unique device identifiers (IDFA, GAID, or equivalent);
- Mobile network carrier and connection type (WiFi, cellular);
- Time zone, locale, and system clock data;
- Referring URL and exit page data.
4.7 Location Data
- Country-level geolocation derived from IP address (collected automatically);
- Precise geolocation from the mobile application (collected only with your explicit, opt-in consent via the device operating system permission dialogue; you may revoke this consent at any time through your device settings).
4.8 Communication Data
- Records of emails, support tickets, live chat conversations, and telephone calls with Bidvers support;
- Feedback and survey responses;
- Content of dispute submissions and supporting evidence.
4.9 Special Category Data
4.9.1 Bidvers does not intentionally collect or process Special Category Data as defined in Article 9 of the GDPR. If you voluntarily disclose Special Category Data to us (for example, in a dispute submission or support communication), we will process it only to the extent strictly necessary to resolve the matter and on the basis of your explicit consent or the establishment, exercise, or defence of legal claims.
5. HOW WE COLLECT YOUR DATA
5.1 Data You Provide Directly
5.1.1 We collect data that you voluntarily provide to us when you:
- Create or update your account on the Platform;
- Complete the KYC verification process (Vendors and Hotel Partners);
- Place a bid, create an Auction, or list a Lot;
- Add or update your payment card through the Stripe integration;
- Submit a dispute, complaint, or support request;
- Respond to surveys, promotions, or feedback requests;
- Communicate with us via email, telephone, live chat, or the Platform's messaging system.
5.2 Data We Collect Automatically
5.2.1 When you access or use the Platform, we automatically collect certain technical, device, and behavioural data through:
- Server logs that record every HTTP request to our infrastructure;
- Cookies and similar tracking technologies (see Section 15 and Schedule A);
- Analytics tools integrated into the Platform (see Section 9 for details on analytics providers);
- Application performance monitoring tools;
- The Stripe payment integration (Stripe collects certain device and browser data as part of its fraud detection systems).
5.3 Data We Receive from Third Parties
5.3.1 We may receive personal data about you from the following third-party sources:
- Stripe: payment verification data, card validation outcomes, fraud risk scores, and chargeback notifications;
- KYC and identity verification providers: verification outcomes, document authentication results, and sanctions screening results;
- Public databases and commercial registries: business registration data, beneficial ownership data, and sanctions lists;
- Law enforcement or regulatory authorities: data provided pursuant to a lawful request or court order;
- Social media platforms: if you choose to register or log in via a social media account (where available), we receive the profile data you authorise for sharing.
5.4 Data We Do Not Collect
5.4.1 Bidvers does not collect: (a) full payment card numbers, CVV codes, or PINs (these are processed exclusively by Stripe); (b) biometric data (fingerprints, facial recognition templates); (c) genetic or health data; or (d) data regarding political opinions, religious beliefs, trade union membership, or sexual orientation, except where voluntarily disclosed by you.
6. LEGAL BASES FOR PROCESSING (GDPR)
6.1 For Users and Vendors located in the European Economic Area, we process your personal data on the following legal bases as defined in Article 6(1) of the GDPR:
Legal Basis | GDPR Article | Processing Activity | Examples |
Performance of Contract | Art. 6(1)(b) | Processing necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract | Account creation, bid processing, payment processing, auction management, payout disbursement, dispute resolution |
Legitimate Interest | Art. 6(1)(f) | Processing necessary for the legitimate interests pursued by Bidvers or a third party, except where overridden by your fundamental rights and freedoms | Fraud prevention, platform security, analytics, product improvement, internal administration, enforcement of Terms |
Legal Obligation | Art. 6(1)(c) | Processing necessary for compliance with a legal obligation to which Bidvers is subject | Tax reporting, AML/KYC compliance, response to court orders, regulatory reporting, data retention mandates |
Consent | Art. 6(1)(a) | Processing based on your freely given, specific, informed, and unambiguous consent | Marketing communications, non-essential cookies, precise geolocation, optional profiling, surveys |
Vital Interests | Art. 6(1)(d) | Processing necessary to protect vital interests of the Data Subject or another person | Emergency situations involving health or safety (extremely rare) |
Public Interest | Art. 6(1)(e) | Processing necessary for a task carried out in the public interest | Not currently relied upon by Bidvers |
6.2 Where we rely on Consent as the legal basis, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
6.3 Where we rely on Legitimate Interest, we have conducted a Legitimate Interest Assessment (LIA) for each processing activity to ensure that our interests do not override your fundamental rights and freedoms. You may request a copy of the relevant LIA by contacting privacy@bidvers.com.
7. PURPOSES OF PROCESSING
7.1 We process your personal data for the following specific purposes:
7.2 Platform Operations and Service Delivery
- To register, create, and manage your account;
- To verify your identity and eligibility to use the Platform;
- To process bids, manage Auctions, and facilitate the auction process;
- To process payments, charges, refunds, and payouts through Stripe;
- To calculate and deduct the Commission;
- To communicate with you regarding your account, bids, Auctions, and transactions;
- To provide customer support and respond to enquiries;
- To resolve disputes and conduct investigations.
7.3 KYC, Compliance, and Legal Obligations
- To conduct Know Your Customer (KYC) and identity verification for Vendors and Hotel Partners;
- To comply with anti-money laundering (AML) and counter-terrorism financing (CTF) legislation;
- To screen against international sanctions lists;
- To comply with tax reporting and withholding obligations;
- To respond to lawful requests from law enforcement, regulators, and courts;
- To maintain records as required by applicable data retention laws.
7.4 Platform Security and Fraud Prevention
- To detect, prevent, and investigate fraud, unauthorised access, and abuse of the Platform;
- To monitor for suspicious transactions and activity patterns;
- To enforce the Terms of Use and Service Agreement;
- To maintain the security and integrity of our systems, networks, and infrastructure;
- To conduct chargeback investigations and respond to payment disputes.
7.5 Analytics, Product Improvement, and Personalisation
- To analyse usage patterns, feature adoption, and user behaviour in aggregate to improve the Platform;
- To personalise your experience, including displaying relevant Auction categories and search results;
- To conduct A/B testing and feature experiments;
- To generate aggregate, anonymised statistics for internal reporting and benchmarking.
7.6 Marketing and Communications
- To send you promotional and marketing communications about Bidvers services, new features, and relevant Auctions (where you have opted in or where permitted by applicable law under the soft opt-in exception);
- To conduct surveys and collect feedback on your experience;
- To administer promotions, contests, or referral programmes.
7.7 Legal Claims and Corporate Transactions
- To establish, exercise, or defend legal claims;
- To facilitate due diligence in connection with mergers, acquisitions, or corporate restructuring;
- To protect Bidvers's legal rights, property, and safety, and that of our users and the public.
8. AUTOMATED DECISION-MAKING AND PROFILING
8.1 Automated Fraud Detection
8.1.1 Bidvers and its payment processing partner Stripe employ automated fraud detection systems that analyse transaction patterns, device fingerprints, IP geolocation, and behavioural signals to identify potentially fraudulent or high-risk transactions. These systems may automatically flag, delay, or block a transaction pending manual review.
8.1.2 Such automated processing constitutes profiling within the meaning of Article 22 of the GDPR. Where automated decisions produce legal effects or similarly significantly affect you (for example, the blocking of a bid or the suspension of an account), you have the right to:
- Request human intervention in the decision;
- Express your point of view;
- Contest the automated decision.
8.1.3 To exercise these rights, contact disputes@bidvers.com with the relevant transaction or account details.
8.2 Bid Validation
8.2.1 The Platform uses automated validation to ensure bids meet the Minimum Bid requirement, sufficient card authorisation is in place, and the User's account is in good standing. These are necessary contractual checks and do not constitute solely automated decision-making with legal effects.
8.3 No Other Automated Profiling
8.3.1 Beyond fraud detection and bid validation, Bidvers does not engage in automated decision-making that produces legal effects or similarly significantly affects Data Subjects. We do not use automated systems to determine pricing, access to features, or eligibility for services based on profiling.
9. DATA SHARING AND THIRD-PARTY RECIPIENTS
9.1 Bidvers does not sell, rent, lease, or trade your personal data to any third party for marketing, advertising, or commercial purposes.
9.2 We share your personal data only with the following categories of recipients, and only to the extent necessary for the specified purposes:
9.3 Payment Processor: Stripe
9.3.1 We share financial and identity data with Stripe, Inc. and its affiliates for payment processing, card verification, payout disbursement, fraud prevention, and compliance with payment network rules. Stripe acts as an independent data controller for certain processing activities (including its own fraud detection) and as a data processor for others. Stripe's privacy policy governs Stripe's own controllership activities and is available at stripe.com/privacy.
9.4 KYC and Identity Verification Providers
9.4.1 We share Vendor and Hotel Partner identity and business documentation with third-party KYC verification providers who act as data processors on our behalf. These providers conduct identity document authentication, sanctions screening, and adverse media checks. A list of current providers is available in Schedule B.
9.5 Cloud Infrastructure and Hosting Providers
9.5.1 The Platform and its databases are hosted on cloud infrastructure provided by third-party hosting providers who act as data processors. These providers process personal data in accordance with data processing agreements that include Standard Contractual Clauses (SCCs) where required for international transfers (see Section 10).
9.6 Analytics and Performance Monitoring Providers
9.6.1 We use analytics tools to understand Platform usage patterns, diagnose technical issues, and improve product performance. Analytics providers receive pseudonymised or aggregated data wherever possible. Where personal data is shared, it is done on the basis of legitimate interest and subject to data processing agreements.
9.7 Communication and Support Tools
9.7.1 We use third-party email delivery, live chat, and helpdesk tools to facilitate communications with you. These providers act as data processors and process personal data (email address, name, message content) subject to data processing agreements.
9.8 Transaction Counterparties
9.8.1 When you participate in an Auction, we share limited data with the transaction counterparty (the Vendor, for a Winning Bidder; or the Winning Bidder, for the Vendor) to the extent necessary for fulfilment of the Lot. For physical goods, this may include the Winning Bidder's name, shipping address, and contact email. For hotel services, this may include the Winning Bidder's name and booking reference.
9.8.2 We do not share payment card details, financial data, or KYC documentation with transaction counterparties.
9.9 Law Enforcement and Regulatory Authorities
9.9.1 We may disclose personal data to law enforcement agencies, courts, regulatory authorities, financial intelligence units, or other governmental bodies when required to do so by applicable law, court order, regulatory directive, or where disclosure is necessary for the prevention, detection, or investigation of criminal offences, including fraud and money laundering.
9.9.2 Where legally permitted, we will notify you of such disclosure. Where we are prohibited by law from notifying you (for example, under a secrecy obligation in AML legislation), we will comply with the prohibition.
9.10 Corporate Transactions
9.10.1 In the event of a merger, acquisition, divestiture, corporate restructuring, or sale of all or a portion of Bidvers's assets, your personal data may be transferred to the acquiring entity as part of the transaction. We will provide notice and, where required by applicable law, obtain your consent before such transfer. The acquiring entity will assume all obligations under this Privacy Policy.
9.11 Professional Advisors
9.11.1 We may share personal data with our legal counsel, auditors, tax advisors, and other professional advisors for the purpose of obtaining professional advice, subject to professional confidentiality obligations.
10. INTERNATIONAL DATA TRANSFERS
10.1 Cross-Border Processing
10.1.1 As Bidvers operates across the Sultanate of Oman and the European Economic Area, your personal data may be transferred between these jurisdictions and processed in a country other than the country in which it was originally collected.
10.2 Transfers from the EEA
10.2.1 Where personal data collected in the European Economic Area is transferred to a country outside the EEA that has not been deemed to provide an adequate level of data protection by the European Commission, we implement the following safeguards in compliance with Chapter V of the GDPR:
- Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46(2)(c) of the GDPR, in the form adopted by Commission Implementing Decision (EU) 2021/914;
- A Transfer Impact Assessment (TIA) evaluating the legal framework of the recipient country and any supplementary measures necessary to ensure an essentially equivalent level of protection;
- Supplementary technical and organisational measures where necessary, including encryption in transit and at rest, pseudonymisation, and access controls.
10.3 Transfers from Oman
10.3.1 Where personal data collected in the Sultanate of Oman is transferred outside of Oman, Sireen Investment Global Co. ensures compliance with the cross-border data transfer requirements of the Omani Personal Data Protection Law (Royal Decree No. 6/2022) and any regulations or guidance issued by the relevant Omani supervisory authority.
10.4 Transfers to the United States
10.4.1 Certain sub-processors, including Stripe, are headquartered in the United States. Data transfers to the United States are protected by Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework, where the sub-processor has certified its participation.
10.5 Your Rights Regarding Transfers
10.5.1 You may request a copy of the Standard Contractual Clauses or other safeguards in place for any international transfer of your data by contacting privacy@bidvers.com.
11. DATA RETENTION
11.1 General Retention Principle
11.1.1 We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements.
11.1.2 The specific retention periods depend on the category of data and the purpose of processing:
Data Category | Retention Period | Basis |
Account and identity data | Duration of active account plus 3 years after account deletion | Contractual necessity; statutory limitation periods for claims |
KYC / Vendor verification data | Duration of active account plus 5 years after account deletion, or longer if required by AML law | Legal obligation (AML Directive, Omani AML Law) |
Financial and transaction data | | Legal obligation (tax and accounting laws, VAT Directive) |
Auction and behavioural data | Duration of active account plus 1 year after account deletion | Legitimate interest (analytics, product improvement) |
Technical and device data | | Legitimate interest (security, fraud prevention, analytics) |
Location data (precise) | Consent; deleted or anonymised after 6 months | |
Communication and support data | | Contractual necessity; legitimate interest (dispute resolution) |
Dispute records | | Legal obligation; legitimate interest (legal claims defence) |
Marketing consent records | Duration of active account plus 3 years after withdrawal of consent or account deletion | Legal obligation (accountability and compliance records) |
Cookie and tracking data | As specified in Schedule A for each cookie category | Consent (non-essential); legitimate interest (essential) |
Server and access logs | 90 days | Legitimate interest (security monitoring, incident response) |
11.2 Retention After Account Deletion
11.2.1 When you delete your account or request erasure, we will delete or anonymise your personal data within thirty (30) days, except to the extent that retention is required by law, necessary for the resolution of outstanding disputes, or necessary for the establishment, exercise, or defence of legal claims. Data retained for legal purposes will be securely stored with access restricted to authorised personnel only and will be deleted at the expiry of the applicable retention period.
11.3 Anonymisation
11.3.1 Where feasible, we will anonymise personal data rather than delete it. Anonymised data is no longer personal data and may be retained and used indefinitely for statistical, analytical, and product improvement purposes.
12. YOUR RIGHTS AS A DATA SUBJECT (GDPR)
12.1 If you are located in the European Economic Area, you have the following rights under the GDPR. These rights are not absolute and may be subject to exceptions and limitations as provided by applicable law.
Right | Description |
Right of Access (Art. 15) | You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of the data together with information about the purposes, categories, recipients, retention periods, and safeguards for international transfers. |
Right to Rectification (Art. 16) | You have the right to request correction of inaccurate personal data and completion of incomplete personal data without undue delay. |
Right to Erasure (Art. 17) | You have the right to request deletion of your personal data where: (a) it is no longer necessary for the purpose for which it was collected; (b) you withdraw consent; (c) you object to processing and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) deletion is required by law. This right does not apply where processing is necessary for compliance with a legal obligation or for legal claims. |
Right to Restriction (Art. 18) | You have the right to request restriction of processing where: (a) you contest the accuracy of the data; (b) processing is unlawful and you prefer restriction over erasure; (c) we no longer need the data but you require it for legal claims; or (d) you have objected to processing pending verification of legitimate grounds. |
Right to Data Portability (Art. 20) | You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance, where processing is based on consent or contract and is carried out by automated means. |
Right to Object (Art. 21) | You have the right to object to processing based on legitimate interest at any time, on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an absolute right to object to processing for direct marketing purposes at any time, without needing to state a reason. |
Right Not to Be Subject to Automated Decisions (Art. 22) | You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. See Section 8 for details on automated decision-making on the Platform. |
Right to Withdraw Consent (Art. 7(3)) | Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. |
Right to Lodge a Complaint (Art. 77) | You have the right to lodge a complaint with a supervisory authority in your EU member state of habitual residence, place of work, or place of the alleged infringement. See Section 22 for supervisory authority details. |
12.2 Exercising Your Rights
12.2.1 To exercise any of the above rights, submit a written request to privacy@bidvers.com. We will verify your identity before processing any request. We will respond to your request within thirty (30) days of receipt, extendable by a further sixty (60) days for complex or voluminous requests, with notice to you of the extension and the reasons for it.
12.2.2 We will not charge a fee for processing your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee reflecting our administrative costs, or refuse to act on the request.
13. RIGHTS UNDER OMANI DATA PROTECTION LAW
13.1 If you are located in the Sultanate of Oman, you have the following rights under the Personal Data Protection Law (Royal Decree No. 6/2022):
- The right to be informed about the collection and processing of your personal data;
- The right to access your personal data held by us;
- The right to request correction of inaccurate or incomplete personal data;
- The right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected or where processing was unlawful;
- The right to withdraw consent at any time where processing is based on consent;
- The right to object to processing of your personal data in certain circumstances;
- The right to data portability where technically feasible;
- The right to lodge a complaint with the relevant Omani supervisory authority.
13.2 To exercise any of these rights, contact privacy@bidvers.com. We will respond within the timeframe prescribed by the Omani PDPL and its implementing regulations.
14. CHILDREN'S PRIVACY
14.1 The Platform is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal data from children under 18.
14.2 If we become aware that we have collected personal data from a child under 18 without appropriate parental or guardian consent, we will take immediate steps to delete that data from our systems.
14.3 If you believe that a child under 18 has provided personal data to us, please contact us immediately at privacy@bidvers.com.
15. COOKIES AND TRACKING TECHNOLOGIES
15.1 What Are Cookies
15.1.1 Cookies are small text files placed on your device by our servers or by third-party services integrated into the Platform. They enable the Platform to recognise your device, remember your preferences, and provide certain functionality.
15.2 Categories of Cookies
15.2.1 We use the following categories of cookies and tracking technologies:
Category | Purpose | Legal Basis | Duration | Consent Required? |
Strictly Necessary | Essential for Platform functionality: authentication, security, session management, load balancing | Legitimate Interest (Art. 6(1)(f)); exempt under ePrivacy Art. 5(3) | Session or up to 12 months | No |
Functional | Remember user preferences: language, region, display settings, recently viewed Auctions | Consent (Art. 6(1)(a)) | Up to 12 months | Yes |
Analytics / Performance | Measure Platform usage, page views, session duration, error rates, feature adoption | Consent (Art. 6(1)(a)) | Up to 24 months | Yes |
Advertising / Marketing | Deliver relevant advertisements, measure campaign effectiveness, retargeting | Consent (Art. 6(1)(a)) | Up to 24 months | Yes |
Stripe (Third-Party) | Payment processing, fraud detection, device fingerprinting for card verification | Performance of Contract (Art. 6(1)(b)); Legitimate Interest (Art. 6(1)(f)) | As per Stripe's cookie policy | No (essential for payment) |
15.3 Cookie Consent Management
15.3.1 When you first visit the Platform, you will be presented with a cookie consent banner that allows you to accept or reject non-essential cookies. You may change your cookie preferences at any time through the cookie settings accessible via the footer link on every page of the Platform.
15.3.2 Strictly necessary cookies cannot be disabled as they are essential for the Platform to function. Disabling functional or analytics cookies may degrade your experience on the Platform.
15.4 Browser-Level Controls
15.4.1 You may also control cookies through your browser settings. Most browsers allow you to view, manage, and delete cookies. Please note that blocking all cookies may prevent you from accessing certain features of the Platform.
15.5 Do Not Track
15.5.1 The Platform does not currently respond to "Do Not Track" (DNT) browser signals, as there is no universally accepted standard for DNT compliance. We will update this Policy if a widely adopted standard is established.
15.6 Detailed Cookie Register
15.6.1 A detailed register of all cookies and tracking technologies used on the Platform, including the specific cookie name, provider, purpose, type, and expiration, is set out in Schedule A.
16. DATA SECURITY
16.1 Technical Measures
16.1.1 Bidvers implements appropriate technical measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:
- Encryption of data in transit using TLS 1.2 or higher for all communications between your device and the Platform;
- Encryption of sensitive data at rest using AES-256 or equivalent industry-standard encryption;
- Hashing and salting of account passwords using bcrypt or equivalent algorithms;
- Network-level security controls, including firewalls, intrusion detection/prevention systems, and DDoS mitigation;
- Role-based access controls (RBAC) restricting access to personal data to authorised personnel on a need-to-know basis;
- Regular security patching and vulnerability management;
- Secure software development lifecycle (SSDLC) practices, including code review and security testing.
16.2 Organisational Measures
16.2.1 Bidvers implements appropriate organisational measures, including:
- Data protection training for all employees and contractors who process personal data;
- Confidentiality obligations in employment contracts and contractor agreements;
- Data processing agreements with all sub-processors (see Schedule B);
- Regular internal audits and compliance reviews;
- Incident response plan and data breach notification procedures (see Section 17);
- Physical security controls at data centre facilities operated by our hosting providers.
16.3 No Absolute Security
16.3.1 While we employ industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at security@bidvers.com.
16.4 PCI-DSS Compliance
16.4.1 All payment card data is processed, stored, and transmitted exclusively by Stripe, which is certified as a PCI-DSS Level 1 Service Provider. Bidvers does not handle, store, or process full payment card numbers, CVVs, or PINs at any point.
17. DATA BREACH NOTIFICATION
17.1 GDPR Breach Notification
17.1.1 In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, Bidvers will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.
17.1.2 Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, in accordance with Article 34 of the GDPR, providing details of the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to mitigate the impact.
17.2 Omani Breach Notification
17.2.1 For data breaches affecting personal data processed under the jurisdiction of Sireen Investment Global Co., notification will be made to the relevant Omani supervisory authority and affected Data Subjects in accordance with the Omani Personal Data Protection Law and its implementing regulations.
17.3 Breach Response
17.3.1 Bidvers maintains a documented incident response plan that includes procedures for: (a) identification and containment of the breach; (b) assessment of the nature, scope, and severity of the breach; (c) notification to supervisory authorities and affected Data Subjects; (d) remediation and recovery; and (e) post-incident review and improvement.
18. VENDOR AND HOTEL PARTNER DATA RESPONSIBILITIES
18.1 Vendor as Independent Controller
18.1.1 When a Vendor or Hotel Partner receives personal data about a Winning Bidder from the Platform for the purpose of fulfilling a Lot (for example, the Winning Bidder's name and shipping address for physical goods, or the Winning Bidder's name and booking reference for hotel services), the Vendor or Hotel Partner acts as an independent data controller for that data.
18.1.2 As an independent data controller, the Vendor is solely responsible for:
- Processing the Winning Bidder's personal data only for the purpose of fulfilling the Lot;
- Not using the Winning Bidder's data for marketing, profiling, or any other purpose without the Winning Bidder's explicit, separate consent;
- Implementing appropriate technical and organisational security measures to protect the data;
- Complying with all applicable data protection laws in their jurisdiction, including the GDPR (for European Vendors) and the Omani PDPL (for Omani Vendors);
- Responding to data subject rights requests from Winning Bidders regarding data held by the Vendor;
- Deleting or anonymising the Winning Bidder's personal data once the fulfilment obligation is complete, unless retention is required by law.
18.2 Prohibited Use of Bidder Data
18.2.1 Vendors and Hotel Partners must not:
- Sell, rent, share, or disclose Winning Bidder data to any third party for any purpose other than Lot fulfilment;
- Use Winning Bidder data for direct marketing without separate, freely given consent;
- Transfer Winning Bidder data outside of the jurisdiction in which it was collected without appropriate safeguards;
- Retain Winning Bidder data beyond the period necessary for fulfilment and applicable legal retention obligations.
18.3 Vendor Indemnity for Data Breaches
18.3.1 Vendors shall indemnify Bidvers for any loss, damage, fine, penalty, or liability incurred by Bidvers as a result of the Vendor's failure to comply with applicable data protection laws in respect of Winning Bidder data received from the Platform.
19. THIRD-PARTY LINKS AND SERVICES
19.1 The Platform may contain links to third-party websites, services, or applications. This Privacy Policy applies only to data processed by Bidvers. We are not responsible for the privacy practices, data collection, or content of third-party websites.
19.2 We encourage you to review the privacy policies of any third-party services before providing your personal data.
19.3 Where we integrate third-party services into the Platform (such as Stripe for payments), data sharing with those services is described in Section 9 and governed by data processing agreements or the third party's own controller privacy policies, as applicable.
20. MARKETING COMMUNICATIONS
20.1 Opt-In and Soft Opt-In
20.1.1 We will only send you marketing communications where:
- You have provided explicit, freely given consent to receive marketing (opt-in); or
- You are an existing customer and we are marketing our own similar services, and you have not opted out (soft opt-in, as permitted under Article 13(2) of the ePrivacy Directive and applicable national implementations).
20.2 Opt-Out
20.2.1 You may opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email;
- Adjusting your communication preferences in your account settings;
- Contacting support@bidvers.com with the subject line "Unsubscribe".
20.2.2 Opting out of marketing does not affect your receipt of transactional, legal, account-related, or service communications (such as bid confirmations, payment receipts, and dispute updates), which are necessary for the performance of your contract with Bidvers.
20.3 No Third-Party Marketing
20.3.1 We will never share your personal data with third parties for their own direct marketing purposes without your explicit, prior consent.
21. CHANGES TO THIS PRIVACY POLICY
21.1 Bidvers reserves the right to amend this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or Platform functionality.
21.2 For material changes that substantively alter how we collect, use, or share your personal data, or that reduce your data protection rights, we will:
- Post the revised Policy on the Platform with a prominent notice at least thirty (30) calendar days before the effective date;
- Send an email notification to all registered account holders;
- Where required by law, obtain your renewed consent before applying the changes to your data.
21.3 For non-material changes (typographical corrections, formatting, or clarifications), we may update the Policy without prior notice.
21.4 Your continued use of the Platform after the effective date of any material change constitutes acceptance of the revised Policy. If you do not accept any material change, you must cease using the Platform and may request account deletion.
21.5 Prior versions of this Privacy Policy are archived and available upon request by contacting privacy@bidvers.com.
22. COMPLAINTS AND SUPERVISORY AUTHORITIES
22.1 Internal Complaints
22.1.1 If you have any concerns about how we process your personal data, we encourage you to contact us first at privacy@bidvers.com so that we can resolve the matter directly.
22.2 EU Supervisory Authorities
22.2.1 If you are located in the European Economic Area and are dissatisfied with our response, you have the right to lodge a complaint with a supervisory authority in your EU member state of habitual residence, place of work, or place of the alleged infringement.
22.2.2 As Bee Group Technology Srl is established in Romania, the lead supervisory authority is:
Authority | Details |
Name | Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP) |
Address | B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, Bucharest, 010336, Romania |
Website | |
22.3 Omani Supervisory Authority
22.3.1 If you are located in the Sultanate of Oman, you may lodge a complaint with the relevant Omani supervisory authority designated under the Personal Data Protection Law (Royal Decree No. 6/2022).
22.4 Judicial Remedies
22.4.1 In addition to your right to complain to a supervisory authority, you have the right to seek a judicial remedy before the competent courts as described in Section 13.4 of the Terms of Use and Service Agreement.
23. GENERAL PROVISIONS
23.1 Relationship to Terms of Use
23.1.1 This Privacy Policy is supplementary to, and should be read together with, the Terms of Use and Service Agreement. In the event of any conflict between this Policy and the Terms regarding the processing of personal data, this Policy shall prevail.
23.2 Severability
23.2.1 If any provision of this Privacy Policy is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
23.3 Language
23.3.1 This Policy is written in English. In the event of any conflict between the English version and any translation, the English version shall prevail.
23.4 No Waiver
23.4.1 Bidvers's failure to enforce any provision of this Policy shall not constitute a waiver of that provision.
23.5 Entire Privacy Agreement
23.5.1 This Policy, together with the Cookie Policy and any consent forms presented on the Platform, constitutes the entire agreement between you and Bidvers regarding the processing of your personal data, and supersedes all prior privacy-related representations and understandings.
24. CONTACT INFORMATION
Purpose | Oman (Sireen Investment Global Co.) | Europe (Bee Group Technology Srl) |
General Privacy Enquiries | ||
Data Subject Rights Requests | ||
DPO Contact | ||
Cookie Preferences | Via Platform footer link | Via Platform footer link |
Marketing Opt-Out | ||
Security Incidents | ||
Legal Notices | ||
SCHEDULE A: COOKIE AND TRACKING TECHNOLOGY REGISTER
The following table sets out the cookies and tracking technologies currently used on the Platform. This register is reviewed and updated periodically. The most current version is always available at www.bidvers.com/cookie-policy.
Cookie Name | Provider | Purpose | Type / Duration | Category |
_bid_session | Bidvers (first-party) | Session management and authentication | Session cookie | Strictly Necessary |
_bid_csrf | Bidvers (first-party) | Cross-site request forgery protection | Session cookie | Strictly Necessary |
_bid_consent | Bidvers (first-party) | Stores your cookie consent preferences | Persistent / 12 months | Strictly Necessary |
_bid_lang | Bidvers (first-party) | Remembers your language preference | Persistent / 12 months | Functional |
_bid_recent | Bidvers (first-party) | Stores recently viewed Auctions | Persistent / 30 days | Functional |
_ga | Google Analytics (third-party) | Distinguishes unique visitors | Persistent / 24 months | Analytics |
_ga_[ID] | Google Analytics (third-party) | Maintains session state | Persistent / 24 months | Analytics |
_gid | Google Analytics (third-party) | Distinguishes users | Persistent / 24 hours | Analytics |
__stripe_mid | Stripe (third-party) | Fraud prevention and device identification | Persistent / 12 months | Strictly Necessary |
__stripe_sid | Stripe (third-party) | Fraud prevention session token | Session cookie | Strictly Necessary |
_fbp | Meta / Facebook (third-party) | Advertising attribution and retargeting | Persistent / 90 days | Marketing |
Note: Additional cookies may be set by third-party services integrated into the Platform. This register will be updated accordingly. You can manage your cookie preferences at any time through the cookie settings link in the Platform footer.
SCHEDULE B: SUB-PROCESSOR REGISTER
The following table lists the third-party sub-processors engaged by Bidvers to process personal data on our behalf. This register is reviewed and updated periodically. Material changes to sub-processors will be communicated to Users and Vendors in advance where required by applicable law or our data processing agreements.
Sub-Processor | Purpose | Location / Data Hosting | Safeguards |
Stripe, Inc. | Payment processing, card verification, payout disbursement, fraud detection | United States (with EU data hosting options) | SCCs, EU-U.S. DPF certification, PCI-DSS Level 1 |
[Cloud Provider] | Platform hosting, database storage, compute infrastructure | [To be specified] | SCCs, ISO 27001, SOC 2 Type II |
[KYC Provider] | Identity verification, document authentication, sanctions screening | [To be specified] | SCCs, DPA, ISO 27001 |
[Analytics Provider] | Platform usage analytics, performance monitoring | [To be specified] | SCCs, DPA, data anonymisation |
[Email Provider] | Transactional and marketing email delivery | [To be specified] | SCCs, DPA, TLS encryption |
[Support Platform] | Customer support ticketing, live chat | [To be specified] | SCCs, DPA, access controls |
Note: Entries marked "[To be specified]" will be updated as vendor selection is finalised. You may request the current, complete sub-processor list at any time by contacting privacy@bidvers.com.
SCHEDULE C: DATA SUBJECT RIGHTS COMPARISON TABLE
The following table provides a comparative overview of your data protection rights under GDPR and Omani PDPL:
Right | GDPR (European Users) | Omani PDPL (Oman Users) |
Right of Access | Art. 15: Right to obtain a copy of personal data and supplementary information | Provided under PDPL: Right to access personal data held by the controller |
Right to Rectification | Art. 16: Right to correct inaccurate or incomplete data | Provided under PDPL: Right to correct inaccurate data |
Right to Erasure | Art. 17: Right to deletion ("right to be forgotten") subject to exceptions | Provided under PDPL: Right to request deletion where data is no longer necessary |
Right to Restrict Processing | Art. 18: Right to restrict processing in specified circumstances | Limited provision under PDPL; contact us for details |
Right to Portability | Art. 20: Right to receive data in machine-readable format and transfer to another controller | Emerging provision under PDPL; contact us for details |
Right to Object | Art. 21: Right to object to processing based on legitimate interest or for direct marketing | Provided under PDPL: Right to object to processing in certain circumstances |
Automated Decision-Making | Art. 22: Right not to be subject to solely automated decisions with legal effects | Limited provision under PDPL; Bidvers applies GDPR-equivalent protections |
Withdraw Consent | Art. 7(3): Right to withdraw consent at any time | Provided under PDPL: Right to withdraw consent |
Lodge Complaint | Art. 77: Right to lodge complaint with supervisory authority | Provided under PDPL: Right to lodge complaint with Omani supervisory authority |
Response Timeframe | 30 days, extendable by 60 days | As prescribed by PDPL implementing regulations |
BY USING BIDVERS.COM, THE BIDVERS MOBILE APPLICATION, OR ANY ASSOCIATED SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY IN ITS ENTIRETY.
END OF PRIVACY POLICY