Privacy Policy

Last Updated: March 2, 2026

Quick Summary: We collect only the data necessary to provide myBidly services. Your data is processed in compliance with GDPR. You have full control over your data with rights to access, correct, delete, and port your information.

1. Introduction

Next Commerce GmbH ("we", "us", "our") operates myBidly and takes the protection of your personal data very seriously. We process your personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection laws.

This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding your personal data.

2. Data Controller & Contact

The responsible party for data processing on this website is:

Next Commerce GmbH

Ahornweg 5

97990 Weikersheim

Germany

Email: info@next-commerce.io

The responsible party is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).

3. Data We Collect

3.1 Merchant Account Data

When you register as a merchant, we collect:

  • Email address (for login and communication)
  • Password (encrypted)
  • Shop name and business information
  • Stripe account details (account ID, onboarding status)

3.2 Customer Bid Data

When end-customers place bids through your widget, we collect:

  • Customer name and email address
  • Shipping address
  • Bid amount
  • Payment information (processed by Stripe, not stored by us)

3.3 Technical Data

  • IP address (for security and fraud prevention)
  • Browser type and version
  • Device information
  • Session cookies (for authentication)

4. How We Use Your Data

We process your personal data for the following purposes:

  • Service Delivery: To provide myBidly platform functionality and process bids
  • Payment Processing: To facilitate payments via Stripe (legal basis: contract fulfillment)
  • Communication: To send order confirmations, bid notifications, and account updates
  • Customer Support: To respond to your inquiries and provide technical assistance
  • Security: To prevent fraud, abuse, and unauthorized access
  • Legal Compliance: To comply with tax, accounting, and regulatory requirements

5. Data Storage Duration

We store your personal data only as long as necessary for the purposes outlined above:

  • Account Data: Until you delete your account, plus 30 days for backup
  • Bid Transaction Data: 10 years for accounting and tax compliance
  • Email Communications: 2 years or until you request deletion
  • Technical Logs: 90 days for security purposes

6. Data Sharing & Third-Party Services

We share your data with the following third parties to provide our services:

6.1 Stripe (Payment Processing)

We use Stripe for payment processing. Stripe processes payment data according to their Privacy Policy. Stripe is PCI-DSS Level 1 certified.

6.2 Email Service (Resend)

We use Resend to send transactional emails (bid confirmations, order notifications). Resend processes data in accordance with GDPR.

6.3 Hosting Provider (Vercel)

Our platform is hosted on Vercel. Server locations are in the EU. Vercel complies with GDPR and has appropriate data processing agreements in place.

6.4 Database (Supabase/PostgreSQL)

Customer and bid data is stored in a PostgreSQL database hosted within the EU with encryption at rest and in transit.

7. Cookies & Tracking

We use the following cookies:

  • Session Cookies: Essential for login and authentication (expire when the browser closes)
  • Language Preference: Stores your selected language (EN/DE)

We do NOT use third-party tracking cookies, advertising cookies, or analytics tools that track you across websites.

8. SSL/TLS Encryption

This website uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries you send to us as the site operator. You can recognize an encrypted connection by the address in your browser's address bar changing from "http://" to "https://" and by the lock icon in your browser.

When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

9.1 Right to Access (Art. 15 GDPR)

You can request a copy of all personal data we hold about you.

9.2 Right to Rectification (Art. 16 GDPR)

You can correct inaccurate or incomplete data.

9.3 Right to Deletion (Art. 17 GDPR)

You can request deletion of your data, unless we are required to retain it for legal reasons (e.g., tax compliance, ongoing contracts).

9.4 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON) and transfer it to another provider.

9.5 Right to Withdraw Consent (Art. 7 GDPR)

You can withdraw your consent to data processing at any time by sending an email to info@next-commerce.io. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

9.6 Right to Object (Art. 21 GDPR)

You can object to processing of your data for direct marketing purposes at any time.

9.7 Right to Lodge a Complaint (Art. 77 GDPR)

If you believe we have violated data protection laws, you can file a complaint with the competent supervisory authority. The supervisory authority responsible for data protection issues is the State Data Protection Officer of the federal state where our company is based. A list of data protection officers and their contact details can be found at: https://www.bfdi.bund.de.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (SSL/TLS) and at rest (database encryption)
  • Secure authentication with encrypted passwords (bcrypt)
  • Regular security audits and vulnerability scanning
  • Access controls and role-based permissions
  • Automated backups with encryption

Important: We note that data transmission over the Internet (e.g., via email) may have security gaps. Complete protection of data from access by third parties is not possible.

11. Objection to Advertising Emails

The use of contact data published within the framework of the imprint obligation to send unsolicited advertising and information materials is hereby expressly prohibited. The operators of these pages expressly reserve the right to take legal action in the event of unsolicited sending of advertising information, such as spam emails.

12. Unsolicited Personal Data

All personal data provided to us unsolicited (e.g., applications, cover letters with personal data) will not be stored or otherwise processed by us but will be immediately and irrevocably deleted without notification to the sender.

13. Data Protection Officer

The legally required data protection officer is Next Commerce GmbH.

Contact: info@next-commerce.io

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or by posting a notice on our website.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:

Next Commerce GmbH

Ahornweg 5, 97990 Weikersheim, Germany

Email: info@next-commerce.io