Privacy Policy

The controller of the personal information collected through this platform is:

• Legal name: TPCT Auction
• Tax ID (NIF/CIF):
• Address: Via Ripalta Nuova 2, 26010 Ripalta Cremasca (Cremona), Italia
• Privacy email: privacy@tpctauction.com
• Telephone: +393337943289
• Companies Register:

This text has been prepared in accordance with Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 (LOPDGDD), and Spanish Law 34/2002 (LSSI-CE). Because the operator is established in the European Union, EU privacy law governs the processing of your personal information regardless of the user's location.

We process the following categories of personal information depending on the type of relationship with the platform:

• Registration data: first name, last name, date of birth, postal address, email, telephone, username, and hashed password.
• Identity verification (KYC) data: ID document or passport, verification selfie, and, where appropriate, proof of address, in compliance with anti-money-laundering and consumer protection regulations.
• Transactional data: bidding history, awarded lots, tokenized payment methods, invoices, applicable fees, and refundable deposits.
• Browsing data: IP address, device type, browser, operating system, access logs, security events, and data derived from cookies (see Cookie Policy).
• Communications: messages exchanged with the support team and incident records.

We do not collect special categories of data (health, ideology, etc.) unless voluntarily provided by the user as part of a complaint.

Your personal information will be processed for the following purposes:

• Account registration, identification, and authentication on the platform.
• Identity verification (KYC) and prevention of fraud, money laundering, and terrorist financing.
• Participation in auctions: bid validation, lot adjudication, fee calculation, and the application of strikes for non-payment.
• Payment processing, invoicing, refunds, and compliance with accounting and tax obligations.
• Logistics management (preparation, dispatch, and delivery of awarded lots).
• Customer support, complaint handling, and dispute resolution, including authenticity or conformity disputes.
• Operational notifications: bid confirmations, award alerts, payment reminders, security alerts.
• Automated detection of anomalous behavior (fraudulent proxy bidding, shill bidding, multi-account use).
• Commercial communications and personalized marketing, only where the user has given express consent.
• Compliance with legal obligations and responses to requests from competent authorities.

Each purpose is based on one of the following legal grounds set out in Article 6 GDPR:

• Performance of a contract (Art. 6(1)(b) GDPR): account management, auction participation, adjudication, payments, and shipping.
• Compliance with a legal obligation (Art. 6(1)(c) GDPR): tax, accounting, commercial, and anti-money-laundering obligations.
• Legitimate interest (Art. 6(1)(f) GDPR): platform security, fraud prevention, service improvement, internal administration, and out-of-court or judicial claims.
• Consent (Art. 6(1)(a) GDPR): commercial communications, non-essential cookies, and advertising profiling.

The user may withdraw consent at any time, without affecting the lawfulness of prior processing.

Personal information will be kept for the time strictly necessary for the purposes described and, thereafter, for the legally applicable limitation periods:

• Account and transactional data: for the duration of the contractual relationship and, after its termination, for 10 years for accounting and tax purposes (Article 30 of the Spanish Commercial Code).
• KYC and AML data: for 10 years after the last transaction, in accordance with Spanish Law 10/2010.
• Browsing data and cookies: as set out in the Cookie Policy (max. 24 months).
• Complaints, support, and communications: up to 6 years from resolution, the ordinary civil limitation period (Article 1964 of the Spanish Civil Code).
• Marketing: until consent is withdrawn.

Once these periods elapse, the data will be deleted or duly anonymized.

Your personal information may be shared with the following recipients, always with an appropriate legal basis:

• Payment providers (Stripe, Inc. and affiliates): payment tokenization, authorization, and reconciliation.
• Object storage providers (European MinIO/S3): encrypted hosting of images and documents.
• Transactional email providers (Stalwart Mail): sending operational notifications.
• Managed DNS providers (PowerDNS): domain name resolution.
• Logistics and shipping companies: only data strictly necessary to deliver the lot.
• Tax, accounting, and legal advisers: as data processors under contract.
• Competent authorities: Tax Agency, Spanish Data Protection Agency (AEPD), law enforcement, judges, and courts, where there is a legal obligation.

All processors are bound by contracts compliant with Article 28 GDPR.

As a general rule, personal information is processed within the European Economic Area (EEA). Where any provider (e.g., Stripe infrastructure) involves a transfer outside the EEA —including to the United States— such transfers are based on one of the mechanisms provided in Chapter V GDPR: an adequacy decision of the European Commission (such as the EU–US Data Privacy Framework where applicable), Standard Contractual Clauses, Binding Corporate Rules, or the explicit consent of the data subject.

You may request a copy of the safeguards applied by writing to privacy@tpctauction.com.

The GDPR grants data subjects the following rights:

• Access: obtain confirmation of whether we process your data and, where applicable, a copy thereof.
• Rectification: correct inaccurate or incomplete data.
• Erasure («right to be forgotten»): request deletion when the data are no longer necessary or processing is unlawful, without prejudice to legal retention periods.
• Objection: object to processing based on legitimate interest or to commercial communications.
• Restriction of processing: request a temporary suspension of processing.
• Portability: receive the data in a structured, commonly used format and transmit them to another controller.
• Not to be subject to automated decisions, including profiling that produces significant legal effects.
• Withdrawal of consent at any time.

You may exercise any of the above rights by sending a request to privacy@tpctauction.com or by mail to Via Ripalta Nuova 2, 26010 Ripalta Cremasca (Cremona), enclosing a copy of an identity document.

We will respond within a maximum of one month from receipt, extendable by two further months in cases of complexity or large volumes of requests.

TPCT Auction has appointed a Data Protection Officer (DPO), who can be contacted directly at privacy@tpctauction.com for any matter relating to the processing of your personal information or the exercise of your rights.

Without prejudice to any other administrative or judicial remedy, the data subject may lodge a complaint with the Spanish Data Protection Agency (AEPD), in particular where they consider that the processing of their data infringes the regulations in force or that they have not been satisfied in the exercise of their rights.

• Web: https://www.aepd.es
• E-Office: https://sedeagpd.gob.es
• Postal address: C/ Jorge Juan, 6, 28001 Madrid (Spain).

The platform uses automated algorithms for the following purposes:

• Proxy bidding: automatic execution of bids within the maximum limit set by the user.
• Fraud detection (anomaly detection): identification of suspicious patterns such as shill bidding, multi-account use, or abusive automated sniping.
• Catalog personalization: auction recommendations based on browsing history, where the user has given consent.

These systems do not produce significant legal effects without human intervention, except for precautionary blocking of accounts on serious suspicion of fraud, a decision that can be reviewed at the request of the data subject under Article 22 GDPR.

TPCT Auction reserves the right to update this Privacy Policy to reflect regulatory, case-law, or platform changes. Any substantive amendment will be notified to the user at least 30 days in advance via the registered email address and/or by means of a prominent notice on the platform.

Continued use of the service after the entry into force of the changes constitutes acceptance of the new version. The date of the last update appears at the beginning of this document.