Legal

Privacy Policy

Last updated: 19 May 2026

Plain-language summary: aucti collects only what's needed to run your charity event on the platform. Personal information stays in Canada where possible. We never sell donor data. You can ask us to access, correct, or delete your information at any time by emailing ryan@aucti.ca.

Contents

Who we are
What we collect
Why we collect it
Who we share with
Where it's stored and for how long
Cookies and analytics
Your rights
Children's data
Changes to this policy
How to contact us

1. Who we are

aucti is a product of aucti.io inc., a Canadian company based in Ottawa, Ontario. We provide event-management software for charity events — silent auctions, live auctions, cash calls, attendee registration, and reporting. This Privacy Policy governs our website at aucti.ca and the aucti application at aucti-web.vercel.app.

For privacy questions, our designated contact is Ryan Short, reachable at ryan@aucti.ca.

2. What we collect

From website visitors

Pages visited, referring URL, approximate location (city-level), browser/device type — via Google Analytics.
If you submit the early-access or demo-request form: your name, email address, and organization.

From customers (charities running events on aucti)

Account information: organization name, slug, admin contact email, role assignments.
Event configuration: event name, dates, branding, item catalogues, pricing tiers, cash call settings.
Authentication data: magic-link tokens, Google OAuth identifiers if used.
Billing data (when paid tiers launch): handled by Stripe; we receive only a customer reference, not card numbers.

From guests bidding on events

Name, email, optional phone, optional shipping address, paddle number, attendance type.
Bidding activity: bids placed, items won, cash call pledges.
Tax-receipt detail: amount paid, fair-market-value of items received, computed receipt amount (per CRA P-184).

3. Why we collect it

aucti collects personal information for the following purposes only:

Provide the service the charity has signed up for (run their auction, accept bids, generate reports).
Communicate with you about your account, event, or receipt.
Operate, maintain, and improve the platform (debugging, security, capacity planning).
Process payments through our payment provider (when paid tiers launch).
Comply with Canadian law, including CRA receipting rules and CASL.

We do not sell personal information. We do not use guest, donor, or event data to train AI models that serve other organizations.

We share personal information only with the third-party processors needed to run aucti. Each operates under a data-processing agreement and is bound to use the data only for the purposes we direct.

Supabase — database and authentication. Hosted in Canada where available.
Vercel — application hosting and serverless functions.
Anthropic and OpenAI — large-language-model APIs used by our AI features (item generation, brand intake, live auction transcription). Both honour zero-retention API agreements; we do not consent to model training on customer data.
Stripe — payment processing (when paid tiers launch).
Resend or equivalent — transactional email delivery.
Google Analytics — website usage analytics on aucti.ca only. IP anonymization is enabled.

We will disclose information when required by Canadian law (court order, lawful warrant, regulatory enforcement). If we ever sell or transfer aucti.io inc., we will give you advance notice so you can export or delete your data before the change takes effect.

5. Where it's stored and for how long

Where Canadian data residency is available with our providers (Supabase, Vercel), we use it. Some processors (Anthropic, OpenAI, Stripe) store data in the United States; we minimize what crosses the border, and zero-retention agreements with our AI providers mean LLM requests are not stored after processing.

Retention defaults:

Active customer data — for as long as the account is active.
Closed event data — retained for 7 years to support CRA audit obligations on tax receipts, then permanently deleted.
Marketing leads (early-access list) — until you unsubscribe.
Analytics — Google Analytics default retention (currently 14 months for events, 26 months for user data).

6. Cookies and analytics

aucti.ca uses Google Analytics for product-improvement insights only. We do not use third-party advertising or retargeting cookies.

The aucti application uses only the cookies required to keep you signed in (Supabase Auth session storage) and to remember accessibility settings.

You can disable analytics cookies in your browser at any time. Aucti will still function normally.

7. Your rights

Under PIPEDA you have the right to:

Access the personal information we hold about you.
Request that we correct inaccurate or incomplete information.
Withdraw consent for any optional processing.
Request deletion of your personal information, subject to legal retention obligations (e.g. tax receipts retained for 7 years).
Make a complaint to the Office of the Privacy Commissioner of Canada if you believe we are not handling your data correctly.

Email ryan@aucti.ca with any access, correction, or deletion request. We aim to respond within 30 days.

8. Children's data

aucti is not directed to children under 18 and we do not knowingly collect information from minors. If you believe a child has provided us with personal information, please contact us and we will delete it.

9. Changes to this policy

We may update this Privacy Policy from time to time as the product evolves. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated to active customers by email before they take effect.

10. How to contact us

aucti.io inc.
Ottawa, Ontario, Canada
Email: ryan@aucti.ca