This Data Protection Privacy Notice provides information about the ways in which BidX1 collects, stores and uses personal data relating to individuals (i.e., data subjects). BidX1 fully respects your right to privacy, and your data protection rights. BidX1 is fully committed to compliance with the General Data Protection Regulation (“GDPR”), the Data Protection Acts and Anti-Money Laundering/Combatting the Financing of Terrorism (AML/CFT) legislation relevant to each of the countries we provide services in (the “Law’).
1. Who are BidX1?
BidX1 is a digital property company that provides a digital platform where users across the globe can buy or sell property in the different markets we operate in - BidX1 has currently operations in Ireland, the United Kingdom, South Africa, Spain, and Cyprus. See BidX1.com for information regarding the property investment services we offer.
2. What information will you collect? Why do you collect information about me?
Under GDPR, Personal Data is defined as: “any information relating to an identified or identifiable natural person (‘data subject’).” Such data may include, but is not limited to, a person’s name and address; Date of Birth or records relating to a person’s employment relationship.
“Processing” means any action performed on personal data, including collection, recording, storage, erasure or destruction. BidX1 is the ‘Data Controller’ in respect of the Personal Data processed.
BIDX1 has introduced a range of policies and procedures, which it reviews regularly, in order to ensure it complies with the requirements as defined by the law to ensure that Personal Data we process is:
- processed in a way that is fair, lawful and transparent;
- collected for a specified, explicit and legitimate purpose and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary;
- accurate, complete and up-to-date;
- retained no longer than is necessary for the purpose(s) for which it was obtained, taking into account legislative or audit requirements; and
- processed in a manner that ensures appropriate security.
2.1 The type of information that BidX1 may collect from you includes:
- Your identity & contact name, copies of ID (which may include your date of birth), PPS number (or foreign equivalent), online user identifiers (such as your login details), IP addresses, cookie identifiers, email addresses and contact phone numbers.
- Bank account details, credit/debit card details, authorised signatory details, information relating to power of attorney arrangements.
- Information you provide to us about others or others provide to us about you. An example relates to information concerning bidder and purchaser details for a property when somebody is registering to bid at an auction. Before you disclose information to us about another person, you need to be sure that you have their agreement to do so.
- Sensitive categories of data - we may hold information about you which includes sensitive personal data. We will only hold this data when we need to for the purposes of the service, we provide to you or where we have a legal obligation to do so. We are required to process sensitive personal data when we seek your passport ID or driving license ID in the context of compliance with our anti-money laundering obligations.
- The information which you have consented to us using such as allowing us to contact and send you property related communications on a periodic basis. We also collect information about your internet activity using the technology known as cookies which can often be controlled through internet browsers. A cookie is a little piece of text that our server places on your device when you visit any of our websites or apps. A cookie helps us to make our website work better for you.
- We use technologies to automatically collect information about your internet browser settings or Internet Protocol (IP) address, login information, location-based data and google analytics to improve our website offerings to you and to enhance your online visit to us.
- We may also collect CCTV images at our office locations (but only for security reasons and to help prevent fraud or crime). We will also hold information on data access, correction, restriction, deletion, porting and complaints relating to you.
- Using FullStory, we collect all data relating to your digital auction experience on our platform in order to manage user-experience problems and queries. Please refer to section 4 below.
2.2 There are a number of reasons why BidX1 collects information. We need to know how to contact you, we need to be certain of your identity and we need to understand your circumstance and digital experience so that we can offer you the best possible customer experience. We also need to ensure compliance with the Law.
3. How do you collect information about me? And when do you do so?
We collect information about you in a number of different ways. Some examples include:
- When you set up an account with us online.
- When you register with us to participate in an auction.
- When you make a request to be added to our marketing database. When you use our website.
- When you or others give us information verbally or in writing. This information may be by way of registration forms, viewing attendee sheets, through correspondence with us or if you make a complaint.
4. How do you use my information?
- We may use your personal data for matters such as confirming your identity, to help us in the processing of an application for one of our services or to improve your customer experience with us.
- Your data is used to manage and administer your account. Your data is also used to process transactions. An example is where you have provided us with your credit or debit card information or if you have provided us with your bank account details.
- We may use your data to contact you by post, phone, text message, email or social media using our website or other means but not in a way that is contrary to your instructions to us, legitimate interest or contrary to law. We may monitor and record our conversations when we speak on the telephone (to check your instructions to us and for training and quality purposes) but will advise you if we are doing so. Your data may also be used to recover debts you may owe and to manage and respond to a complaint or appeal that you have.
- We may also use your data to manage our business for our legitimate interests, such as gathering location information from your mobile phone or another electronic device you may use to interact with us. Another legitimate interest of BidX1 is to conduct marketing activities such as direct marketing (provided that you have not objected to us using your details in this way) and research, including customer surveys, analytics, and related activities.
- Your data may be used to carry out strategic planning and business portfolio management. This could include compiling and processing your information for audit, statistical or research purposes (including, in some instances, making your data anonymous) to help us understand trends in our customer behaviour and to understand our risks better, including providing management information, operational and data risk management.
- We may use your data to protect our business, reputation, resources and equipment, to manage network and information security (developing, testing and auditing our websites and other systems, dealing with accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services).
- We protect your information with security measures under laws that apply, and we meet international standards in doing so. We keep our equipment, files, and buildings secure. Personal data could be used to prevent and detect fraud, dishonesty and other crimes (such as preventing someone from trying to steal your identity), including using CCTV at BidX1 office premises.
- BidX1 may in the future wish to sell, transfer or merge part or all of its business or assets or to buy a new business or the assets of another business or enter into a merger with another business. If so, we may disclose your personal information under strict duties of confidentiality to a potential buyer, transferee, merger partner or seller and their advisers, so long as they agree to keep it confidential and to use it only to consider the possible transaction.
- We need to use your information to manage and administer legal and compliance matters within BidX1, including compliance with regulatory, legislative and voluntary codes of practice to which we have committed. Furthermore, we use your data to enhance your digital experience on our website and to resolve all website related queries. We use your data to comply with your information rights, to establish your identity and to comply with laws and regulations concerning the prevention of money laundering, fraud, and terrorist financing. As a result, we may need to disclose information to the government and other statutory bodies. Your data may be used to comply with binding court orders, search warrants, requests to assist the Gardai/Police Authorities with the investigation or prevention of an offence and orders relating to requests for mutual legal assistance in criminal matters received from foreign law enforcement agencies.
- In relation to properties which we offer for sale, legal documentation is uploaded onto our website by Solicitors acting on behalf of Vendors. This documentation is uploaded for the sole purpose of allowing interested parties to carry out due diligence prior to placing a bid in relation to a property. The legal documentation will generally only be available to view for the marketing period relating to an auction, unless a property has sold prior to, or is withdrawn prior to, the auction. If a property is unsold at auction the legal documents will remain available for a 7-day period only post the auction.
- FullStory is a session replay web application which is used to help improve customer experience, study website usability and customer behaviour as well as handle customer service queries. We use FullStory to enable us to record all digital auction interactions on our website to improve your customer experience.
FullStory will capture data of your interaction with our website, the following information may be recorded:
• Mouse movements
(except sensitive information1)
Usage patterns illuminate areas of a website that are confusing or underused, allowing web designers to improve their customer experience and build better features.
• Device type
• Operating system
• Viewfinder size
• Script errors
• IP address2
Bugs and errors are often particular to a specific web browser or device type. This information helps developers build and ship fixes faster
• Pages visited
• URL parameters
• Session duration
Knowing the most popular pages and sources of referral traffic help product managers and marketers improve the quality of content and advertising.
Data controllers may only send this data with consent or legal basis.
• Display name
• Email address
• App-specific data3
Account information helps web teams understand your unique experience and troubleshoot any problems you may be having.
Please take note that FullStory will not record passwords, payment information, and Social Security numbers. Furthermore, FullStory does not use collected information for their own purposes and BidX1 have sole ownership of and access to recorded data.
Should you have any specific queries regarding FullStory and our website, please contact us directly.
5. Does BidX1 use automated processing or analytics? What is the legal basis?
We do not use automated processing in relation to the information we collect from you as part of our business.
BidX1 uses analytics for statistical purposes only. This enables us to make more informed business decisions, including improving the quality of services we can offer.
6. Do you share my information with anyone else?
We only share your information with a certain number of other parties and only as necessary. Examples of information sharing here include:
- Your authorised representatives. This would include your Attorney (under a Power of Attorney) and any other party authorised by you to receive your personal data.
- Third parties we need to share your information with, in order to facilitate payments (for example, stripe, SWIFT, credit card issuers and merchant banks) and those you explicitly ask us to share your information with (such as third-party professional service providers e.g. mortgage brokers).
- In the event that you are proposing to purchase a property from us which we are offering for sale, we may disclose your data to the vendor of that property in order for your offer to be assessed.
- Companies that provide support services for the purposes of ensuring compliance with our legal and regulatory requirements and or protecting our legitimate interests. Your personal information remains protected when our service providers use it. We only permit service providers to use your information in accordance with our instructions, they will have appropriate measures in place to protect your information. Our service providers include AML/CFT experts that complete the necessary business and client assessments and customer due diligence to ensure that we comply with our obligations, Marketing and Market Research companies, IT and Telecommunication Service Providers, Software Development Contractors, Data Processors, Debit/Credit Card Companies, Computer Maintenance Contractors, Printing Companies, Property Contractors, Document Storage and Destruction Companies, Business Advisers, Debt Collection Agencies, Auditors and other Consultants, including Legal and Regulatory Advisers.
- With regard to AML/CFT verification specifically, we share personal data with our service provider “Know Your Customer”- see https://knowyourcustomer.com/ for further information.
- Statutory and regulatory bodies (including central and local government) and law enforcement authorities. These bodies include the likes of The Data Protection Commissioner/Authorities, the Property Regulatory Authorities, An Garda Síochána/police authorities/enforcement agencies, the Revenue Commissioners, the Criminal Assets Bureau and the US, EU and other designated authorities in connection with combating financial and other serious crime.
7. What about links on your website to other sites and social media?
Our Site may, from time to time, contain links to and from other websites and web platforms. In addition, third parties’ websites may also provide links to our Site. If you follow a link to any of those websites or web platforms, please note that those websites and web platforms have their own privacy policies and that we do not accept any responsibility or liability for those policies. Please check those policies before you submit any personal data to those websites. We do not accept, and we disclaim, any responsibility for the privacy statements and information protection practices of any third-party website (whether or not such websites are linked on or to the Site). These links are provided to you for convenience purposes only, and you access them at your own risk. It is your responsibility to check the third-party website’s privacy statements before you submit any personal data to their websites.
8. How long does BidX1 hold onto my information?
The length of time we hold your data depends on a number of factors, such as regulatory and statutory requirements. Other considerations are the type of data we hold about you, whether the data is required for a legal dispute and whether you or a regulatory authority ask us to keep it for a valid reason.
As a general rule, the retention period is 8 years. However, if you request that BidX1 delete your data (prior to this 8-year period elapsing) we shall process your request unless there is a valid reason not to delete the data (such as a requirement to hold onto your data as we have a legal obligation to do so).
9. What happens if I do not provide the requested information to BidX1?
Sharing information with us is in both your interest and ours. We need your information in order to provide our services to you, fulfil any legal contracts we have with you, to manage our business for our legitimate interests and to comply with our legal obligations.
You can choose not to share information with us but must understand that this may limit the services we are able to provide to you. We may not be able to provide you with certain services that you request. For example, if you do not provide us with all requested information when registering for an auction, we may not be able to approve you to bid on a property.
10. What is the legal basis for BidX1 using my information?
The legal basis for the processing of personal data by BidX1 is dependent on the purpose for which the processing is being carried out i.e necessary for the performance of a contract; necessary for legitimate interests and where you have given consent. We will use your data and may share that data where:
- Its use is necessary in relation to a service or a contract that you have entered into or because you have asked for something to be done so that you can enter into a contract with us or so that we can provide a service to you.
- Its use is in accordance with our legitimate interests. When we process your information for our legitimate interests, we ensure that there is a fair balance between our legitimate interest and your fundamental rights and freedoms. We may use your personal information to manage our everyday business needs including internal reporting, market research, to progress and respond to legal claims, to ensure appropriate IT security and to prevent fraud. Our legitimate interest here is the effective management of our business. We may use your personal information for marketing reasons, i.e., to update you in relation to property related matters. Our legitimate interest here is to connect with you and to update you on properties and services we provide which may be of interest to you. You will always have an option to unsubscribe from marketing communications every time we contact you.
- Its use is necessary because of a legal obligation that applies to us.
- You have consented to the using of your data (including special categories of data) in a specific way. Where you have made clearly sensitive categories of data available about yourself public.
- Where the processing of special categories of data is necessary for the establishment, exercise or defence of legal claims.
11. Does BidX1 process my information outside the jurisdictions we are operating in?
Where services are provided in the European Economic Area (EEA) BidX1 does not generally transfer information about you outside this jurisdiction. Your information is stored on secure systems within the premises of BidX1 and with providers of secure information storage.
In certain circumstances, we may allow the transfer of information about you outside the EEA by our service providers, but only if they agree to act solely on our instructions and to protect your information to the same standard that applies in the EEA. Where we authorise the processing/transfer of your personal information outside of the EEA, we require your personal information to be protected as per GDPR requirements.
BidX1 South Africa
BidX1 operates globally including South Africa and provides services to users across different jurisdictions. As part of our operations, it may be necessary to transfer your personal data to locations outside of South Africa.
By using our services, you acknowledge and agree that your personal data may be transferred outside of South Africa. BidX1 takes steps to ensure that any such transfers comply with applicable data protection laws, including the Protection of Personal Information Act (POPIA), and that appropriate safeguards are in place to protect your personal data.
12. What rights do I have under GDPR?
You have several rights in relation to how we use your information, and we have significant obligations in this regard.
You have the right to:
- Access the information we hold on you; this is referred to as a Subject Access Request (SAR); We would encourage you to submit written access requests where possible, to avoid disputes over the details, extent, or timing of an access request. When you contact us to ask about your information, we may ask you to identify yourself. This is to help protect your data. If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise.
- Request that inaccurate information is corrected, and incomplete or out of date information updated.
- Request the erasure or restriction of your personal data which we hold where the personal information is no longer necessary, where you have withdrawn your consent or where you feel that there is no lawful reason for us to process your personal data. Where data still needs to be kept, e.g., for a legal obligation or for legitimate purposes we will automatically delete it as soon as the retention period ends.
- Object to particular uses of your personal data where the legal basis for our use of your data is our legitimate business interests. However, doing so may have an impact on the services we can / are willing to provide.
- Object to use of your personal data for direct marketing purposes. This right can be exercised by opting out of direct marketing using the means provided.
- Obtain a transferable copy of certain data which can be transferred to another provider, known as “the right to data portability”. This right applies where personal information is being processed based on consent or for the performance of a contract and the processing is carried out by automated means. The right also permits the transfer of data directly to another provider where technically feasible.
- Withdraw consent at any time, where any processing is based on consent. If you withdraw your consent, it will not affect the lawfulness of processing based on your consent before its withdrawal.
- We shall process your request without undue delay. In most instances, we will process your request within one calendar month. If we are unable to deal with your request fully within a calendar month (due to the complexity or number of requests), we may extend this period by a further two calendar months. Should this be necessary, we will explain the reasons why.
- You also have the right to complain to BidX1, the Data Protection Commissioner or another supervisory authority. If you have a complaint about the use of your personal information, please let BidX1 know, and we shall seek to resolve your issue as soon as possible. If you wish to make a complaint to BidX1 you may do so in person, by telephone, in writing or by email. Please be assured that all complaints received by us will be fully investigated. We ask that you supply as much information as possible to help us to resolve your complaint quickly.
13. How do I contact BidX1 and/or your Data Protection Officer?
The data controller responsible for your information is BidX1. If you have any questions about how your personal data is gathered, stored, shared or used or if you wish to exercise any of your data rights or wish to contact our Data Protection Officer - please note the following contact details:
- E-mail: firstname.lastname@example.org
- Telephone: +353 (0)1 667 3388
- Postal Address: BidX1, 2 Shelbourne Buildings, Crampton Avenue, Dublin 4, D04 W3V6
If you are not satisfied with how BidX1 is dealing with your complaint, you have the right to lodge a complaint with BidX1’s lead supervisory authority, the Irish Data Protection Commissioner or your local supervisory authority. Please refer to Annex 1 for jurisdiction specific data protection authorities’ details.
Jurisdiction specific data protection authorities
Republic of Ireland
Data Protection Commission
Co. Laois. 12
Tel: +353 (0)761 104 800
Fax: +353 57 868 4757
Information Commissioner’s Office (ICO)
Telephone: 0303 123 1113
Fax: 01625 524510
Office of the Commissioner for Personal Data Protection
Tel: +357 22818456
Fax: +357 22304565
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
Tel: 901 100 099 - 912 663 517
Republic of South Africa
The Information Regulator (South Africa)
316 Thabo Sehume Street
Tel: 012 406 4818
Fax: 086 500 3351