Skip to main content
BullionBidder

Privacy Policy

Last updated: 27 June 2026

This Privacy Policy describes how BullionBidder ("we", "us", "our") collects, uses, and protects personal information. We comply with Quebec's Act respecting the protection of personal information in the private sector (Law 25), Canada's PIPEDA, and the EU General Data Protection Regulation (GDPR) where applicable.

1. Who we are

BullionBidder is an auction-catalog analysis tool operated by Services Informatiques OrdiMedix S.E.N.C. (a Quebec partnership). We can be reached at the email address listed in the Contact section below. For Quebec Law 25 purposes, the person responsible for the protection of personal information is Luis Flores, Partner of the firm, reachable at info@ordimedix.com.

2. What information we collect

We collect as little personal information as possible. Specifically: (a) auction catalog files (PDF, Excel, or CSV) you choose to upload. The original file is read in your browser and is never stored. For PDFs, only the extracted plain text is sent over briefly to finish reading it, then discarded; for some lots whose text is incomplete, that lot's image is also sent transiently to our AI provider to read whatever the text was missing (such as weight or fineness), and that image is not copied, republished, or stored (see §3 and §7); (b) basic technical information sent automatically by your browser (IP address, browser type, referring page) for security and analytics. We also keep basic, cookieless counts of how features are used (for example how often a tool runs, which metal pages are popular, and the country level our visitors come from), as operational data needed to run and improve the service. These counts store no IP address and record only the country code (such as CA or US) your connection resolves to. For signed-in users an event may be linked to your account so we can measure active use; that link is severed when you delete your account, and the records are purged after 13 months; (c) email addresses if you contact us; (d) account information for authenticated users, which varies by sign-in method: email address always; for email-code (OTP) users, only the email address; for email+password users, a bcrypt-hashed password (we never see, store, or transmit your plaintext password); for Google sign-in users, your Google profile name, profile picture URL, and Google account identifier (we never receive your Google password); (e) for logged-in users who choose to use them, your own annotations and tracking data: manual lot corrections (your edits to metal, weight, or purity for a specific lot, plus any optional note), and bid-history entries (your bid amount, win/loss outcome, optional note, and a loose lot identifier consisting of the catalog filename and lot number). These are user-created records about your own bidding activity, not the auction-house catalog content. Your lot corrections stay private to your account by default. When you make a correction you may tick an optional box to share it, which sends the factual data of that edit (metal, weight, purity), along with any note you added and a link to your account, so our staff can review the suggestion before it helps improve our coin data for everyone. Your note and that account link are used only for that review, are never shown to other users, and are both deleted when you close your account. If you leave the box unticked the correction never leaves your account (see Terms §5); (f) for logged-in users who save a catalog to their library, the catalog data needed to show that catalog again: per-lot metal, weight, purity, and grade we computed, the lot number and the lot's description text from the catalog (so you can see what each lot was), plus the catalog's filename, date, and lot count. This is not the original uploaded file, which is never stored. We keep this so your saved catalogs are there when you return (Free keeps your most recent, paid tiers keep multiple), and it is retained until you delete it or close your account; (g) for Pro subscribers, billing information (full credit card number, expiry, CVC, billing address) is collected and processed exclusively by our payment provider Stripe (stripe.com), which is PCI-DSS Level 1 certified. We never see, store, or transmit your card data. Stripe shares back to us only what we need to manage your subscription: a Stripe customer ID, current subscription status, the last 4 digits of your card, the card brand, and the country plus postal-code prefix required for sales-tax calculation. All of items (a) to (f) above are stored encrypted at rest in our authentication provider (Supabase); billing data in (g) lives only at Stripe. How we use your email: transactional messages only. That means sign-in codes, a one-time account onboarding message, subscription and billing notices (account onboarding/welcome, subscription upgrade and downgrade confirmations, renewal receipts, payment problems, cancellation), and replies to messages you send us. We do not send marketing or promotional email, newsletters, or re-engagement campaigns, and we do not sell or rent your email address.

3. How we handle your auction catalog files (Bring Your Own Data)

Your catalog file (PDF, Excel, or CSV) is processed entirely inside your browser using client-side libraries. The original file is never uploaded to our servers. For PDFs, we receive only the extracted text strings (typically a few hundred kilobytes) for parsing, and that text is discarded after the response is returned. For some lots whose text is incomplete, the app also sends that lot's image to our AI provider (Google) to read whatever the text was missing, such as the weight or fineness. The image is used only to produce that reading. We do not copy, republish, or store the image on our servers, and our provider does not retain it; the original catalog file still never leaves your browser. This happens only for lots that need it, and you can tell which lots were read this way. For spreadsheets, parsing happens 100% client-side, so the file's contents never leave your machine (we record only the filename, to label the catalog in your library). If instead you paste a lot list, that pasted text is sent to our server only to parse it, and it is discarded the same way after the response is returned. We do not retain catalog content. We do cache the extracted result for each lot you process (the metal, weight, and purity we read, plus a short verdict note). The cache is stored under your own account so re-processing the same lot is free for 30 days, and it is deleted when you close your account. It holds no copy of your original file and cannot be used to rebuild your catalog.

4. How your data is protected

All connections to BullionBidder are encrypted in transit using TLS 1.3, and we ship the HSTS preload header so browsers refuse to fall back to plain HTTP. Data stored in our authentication provider's database (Supabase, hosted on AWS) is encrypted at rest using AES-256, including backups. Account passwords (for email+password sign-in) are never stored in plaintext, they are hashed with bcrypt before being saved, so neither we nor the database operator can recover them. Session cookies are marked Secure and SameSite=Lax, which means they cannot be sent over unencrypted connections and are not exposed to cross-site requests. We also enforce a strict Content-Security-Policy that limits what code can run on our pages. API credentials for third-party services (Stripe, eBay, Google AI, the Supabase service role) are kept exclusively on the server and never sent to your browser. Catalog files you upload are parsed entirely inside your browser and never reach our servers in their original form. This is what 'encryption in transit' and 'encryption at rest' mean in practice, and it matches the security posture used by mainstream banks, email providers, and SaaS tools. We do not, however, provide 'end-to-end encryption' in the strict cryptographic sense (where even the service operator cannot decrypt your data), doing so would require client-held keys and would prevent us from offering features like cross-device sync, AI extraction, and account recovery. If your threat model requires that level of protection, BullionBidder is not the right tool for you.

5. Cookies and local storage

We use essential browser storage to remember your preferences (currency, settings, manual lot overrides, language, theme). We also keep basic cookieless counts of feature usage on our own servers as operational data to run and improve the service (see §2(b)); this sets no cookies and does no cross-site tracking. Two further categories are off by default and run only if you opt in through the consent banner, where declining is as easy as accepting. First, privacy-respecting analytics: when you allow them we use Vercel's analytics, which are cookieless and collect aggregate usage (page views, performance) with no personal information. Second, advertising measurement: when you allow it we load the Google Ads tag (gtag.js), which sets advertising cookies and lets Google tell us when one of our ads brought you to the site (conversion measurement). If you do not opt in to advertising, no Google Ads cookie or script is loaded at all. We do not sell your personal information, and we do not build cross-site advertising profiles ourselves beyond this conversion measurement.

6. Use of AI services

We use Google's Gemini models, run on Google Cloud's Vertex AI, in three cases. When our automatic reader cannot identify a lot, we send that lot's title and notes so the model can extract the details. When the reader does identify a lot, we send the same title and notes plus the metal, weight, and purity we read so the model can double-check that reading. And when a lot's text is incomplete, we send that lot's image so the model can read what the text was missing, such as the weight or fineness (see §2 and §3). In all three cases we send no other personal information. We never send your name, email, IP address, or any identifier alongside lot data. Google processes this data as a service provider under the Google Cloud Data Processing Addendum and does not use it to train its models. We keep the cached result for up to 30 days to avoid duplicate calls.

7. Data retention

Original uploaded files (PDF, Excel, CSV): never stored. The extracted catalog text we send over to finish reading a PDF is discarded after each request (zero retention). Saved catalogs (your library): when you save a catalog, we keep the catalog data needed to show it again (the metal, weight, purity, and grade we computed for each lot, the lot number and the lot's description text so you can see what each lot was, plus any corrections you made), but not the original uploaded file, which is never stored. The Free tier keeps your most recent saved catalog, paid tiers keep multiple, and it is retained until you delete it or close your account. AI results cache: 30 days, then it expires automatically. Bidding records (tracked bids, manual corrections): retained for the life of your account. Account information: retained for the life of your account plus the period required by tax/accounting law (typically 7 years in Canada). Server logs containing IP addresses: 30 days. Contact-form messages: anonymous messages, and resolved or spam-flagged tickets, are deleted after 24 months, and an open ticket from a signed-in user is kept until it's resolved. Deleting your account erases your saved catalogs, bidding records, and account data. You may request earlier deletion at any time by contacting us.

8. Who we share with

We do not sell personal information. We share data only with: (a) infrastructure providers strictly necessary to run the service: Vercel for hosting, Supabase for authentication, Google Cloud (Vertex AI) for AI extraction, eBay for marketplace data, and Stripe for payment processing (for subscribers, see §2(g)). We also use Resend to send the transactional emails described in this policy, which receives your email address. When you use the contact form, Resend also carries the name and message you send us, so we can read and reply. We use Sentry for error monitoring, which may receive a technical error report tied to your account identifier so we can fix bugs. And we use Upstash to enforce rate limits, which receives your IP address to count requests and stop abuse. We also use Cloudflare for bot and abuse protection on our sign-in, sign-up, password-reset, and contact forms (Cloudflare Turnstile), which receives your IP address to verify you are a person and not a bot. If you opt in to analytics, Vercel also provides cookieless, aggregate usage analytics with no personal information. If you opt in to advertising measurement, we load Google's advertising tag (Google Ads / gtag.js), which sets cookies and shares conversion data with Google so we can measure which ads bring visitors to the site. You can decline this (and analytics) on the consent banner, and nothing advertising-related loads if you do. All such providers are bound by data-processing agreements. (b) Law enforcement, only when required by a valid legal order under Canadian law. Note: when you click an outbound listing or dealer link from BullionBidder, the URL carries an affiliate tracking identifier so the marketplace or dealer can attribute the referral to us. eBay links use the eBay Partner Network; dealer links (such as Kitco and Money Metals) use the Awin affiliate network. We may earn a small commission on resulting purchases. This is disclosed at the point of click and does not affect what you pay.

9. Your rights

Under Quebec Law 25, PIPEDA, and GDPR you have the right to: access your personal information, correct inaccuracies, request deletion ("right to be forgotten"), withdraw consent, request data portability in a structured machine-readable format, and lodge a complaint with a data protection authority (Commission d'accès à l'information du Québec, the federal Office of the Privacy Commissioner of Canada, or your local EU supervisory authority). To exercise any of these rights, email our person responsible for the protection of personal information (Luis Flores) at info@ordimedix.com, we respond within 30 days.

10. Automated decision-making and AI

Our service uses automated processing (an automatic text reader and Google's Gemini AI model, run on Google Cloud's Vertex AI) to evaluate auction lots and single items. These evaluations are advisory only, they do not produce legal effects or significantly affect you. You always make the final bidding or purchasing decision. You have the right to know the principal factors and parameters used by these systems: we evaluate items based on stated weight, declared purity, current bid or asking price, any stated buyer's premium, your configured shipping cost, and live or historical spot prices for the relevant metal. You may request a manual review by contacting us.

11. Cross-border data transfers

We use providers located in the United States (Vercel for application hosting, Supabase for authentication and user data storage on AWS US West, Google Cloud (Vertex AI) for AI extraction, eBay for marketplace data, Stripe for payment processing, Resend for transactional email, Sentry for error monitoring, Upstash for rate limiting, and Cloudflare for bot and abuse protection) and outside it (Awin, our affiliate network for dealer links such as Kitco and Money Metals, which operates internationally including the United Kingdom and European Union; it receives only the referral click identifier when you choose to click an outbound dealer link, not your account data). Before transferring personal information outside Quebec, we conducted a Privacy Impact Assessment as required by Quebec Law 25, and concluded that the providers offer adequate protection through their certifications (SOC 2 Type II, ISO 27001) and standard contractual clauses.

12. Data breaches

If we discover a confidentiality incident posing a risk of serious harm, we will notify the Commission d'accès à l'information du Québec, affected individuals, and any other applicable regulators within the timeframes required by law (typically without unreasonable delay).

13. Changes to this policy

Material changes will be announced on this page and, where reasonably practical, by email to registered users. The "last updated" date at the top of this policy reflects the most recent revision.

14. Contact

Questions, complaints, or requests to exercise your rights: write to info@ordimedix.com or send a note via our contact form and select the 'Privacy / data-rights matter' topic. For Quebec Law 25 purposes, the person responsible for the protection of personal information is Luis Flores, Partner of Services Informatiques OrdiMedix S.E.N.C. (the operator of BullionBidder), reachable at info@ordimedix.com. For general product support: info@bullionbidder.com. For DMCA/copyright notices: write to info@bullionbidder.com with 'DMCA' in the subject line.