Privacy Policy — Yachts & Bids
Effective date: June 2, 2026 · Last updated: June 2, 2026 · Policy version: 1.0
This Privacy Policy explains how Yachts & Bids ("Yachts & Bids," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use yachtsandbids.com and our related services (the "Platform").
Yachts & Bids is an online auction venue that connects boat sellers and bidders and provides the auction software. We are not a broker, dealer, auctioneer-of-record, escrow agent, or party to the sale of any vessel. This affects how your information flows: in particular, the purchase price of a vessel never passes through us — it is handled by a separate, independent licensed marine escrow/title partner (see Section 5). We hold only our own funds (a refundable bidding deposit and the buyer's premium) via our payment processor.
This Policy is written to comply with:
- the federal Personal Information Protection and Electronic Documents Act (PIPEDA);
- British Columbia's Personal Information Protection Act (BC PIPA);
- Canada's Anti-Spam Legislation (CASL) for commercial electronic messages; and
- where applicable to United States users, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA) — see Section 13.
1. Who we are and how to contact us (Privacy Officer)
Under PIPEDA and BC PIPA we are accountable for personal information in our control and have designated a Privacy Officer.
- Organization: Yachts & Bids
- Privacy Officer / contact: Privacy Officer
- Email: yachtsandbids@agentmail.to
- Location: British Columbia, Canada
If you have a question, an access/correction request, or a complaint about how we handle your personal information, contact the Privacy Officer first (see Sections 11 and 12).
2. Scope — who and what this Policy covers
This Policy applies to personal information about:
- Visitors who browse the Platform;
- Waitlist subscribers (bidders who request early access);
- Boat submitters / prospective sellers who submit a vessel for a possible future auction;
- Registered account holders, including bidders, sellers, and people who comment or watch listings; and
- Buyers and sellers in a closing (a transaction following a winning bid).
It does not cover:
- the independent practices of third parties we connect you with or rely on (for example, the escrow/title partner, a marine surveyor, or third-party websites you reach via links) — those parties have their own privacy policies and are independent controllers/organizations for the information you provide to them directly; and
- de-identified or aggregated data that can no longer reasonably identify you.
3. The personal information we collect
We collect only the personal information needed for the purposes described in Section 4. The categories below map to the actual stages of using the Platform.
3.1 Lead-capture data (before you have an account)
- Waitlist: your email address, the role you indicate (bidder), and the date you joined.
- Boat submissions: your name, email address, phone number, and details about the vessel you are offering (year, builder, model, type, length, location, asking price, and free-text details). Note that vessel location and free-text details may indirectly reveal information about you.
3.2 Account and profile data
- Account credentials managed by our authentication provider (email address; if you use a password, it is stored only as a salted hash by the provider — we do not see it; optional Google/Apple sign-in identifiers if you use them);
- Display name, optional avatar, and notification preferences;
- Email-verification status and timestamp;
- Phone number (in normalized format) and phone-verification status — phone verification is required before bidding and is performed via an SMS one-time-passcode provider; and
- your role/capabilities (bidder, seller, admin) and account status.
3.3 Identity-verification (KYC) data
To deter fraud and to support the transaction (and because our escrow/title partner will require verified identity), we run identity verification on the winning buyer and the seller at the closing stage (and, depending on bid value, may require it earlier). Through our identity-verification provider you may be asked to provide:
- your full legal name, date of birth, and residential address;
- an image of a government-issued identity document (e.g., driver's licence or passport); and
- a selfie / liveness image matched against the document.
This is sensitive personal information and is treated with heightened safeguards (Section 10). Wherever possible, our identity-verification provider collects and retains the document images, so that we receive only a verified pass/fail result plus the minimal verified attributes rather than storing raw ID images ourselves.
3.4 Payment data
- We use Stripe as our payment processor for the only two amounts we ever charge: a refundable bidding deposit (held to qualify you to bid) and, if you win, the buyer's premium (our service fee — 5% of the hammer price, minimum CAD $250, maximum CAD $10,000, disclosed before you bid).
- Stripe collects and processes your card / payment-method details directly. We do not store full card numbers. We retain only tokens and limited references (e.g., a Stripe customer ID, a payment-method token, the last four digits / card brand as surfaced by Stripe) and the status of the deposit and premium charges.
- The vessel purchase price is never collected or held by us. You wire it to the independent escrow/title partner (Section 5).
3.5 Bidding, listing, and transaction data
- Your bids (amount and timestamp), your watchlist and saved searches, your comments / questions on listings, and (for sellers) your listing content and vessel/title disclosures, including HIN, declared title type, and known-flaws and lien disclosures;
- Your record of agreements accepted — which version of the Auction Rules / Terms / Buyer or Seller Agreement you accepted, when, and the IP address from which you accepted (clickwrap assent records); and
- Closing/transaction records — the state of a closing, deposit and premium charge status, identity-verification status, references to the escrow file, and signed documents (purchase agreement, bill of sale).
3.6 Device, usage, and technical data
- IP address, browser and device type, operating system, pages viewed, referring/exit pages, approximate location derived from IP, and timestamps;
- Cookies and similar technologies and analytics events (Section 6); and
- Communications you send us (support emails, messages) and our records of them.
3.7 Information from third parties
We may receive information about you from:
- our payment processor (Stripe) — charge results, payment-method metadata, fraud signals;
- our identity-verification provider — verification results and verified attributes;
- our escrow/title partner and any marine surveyor — transaction, title, lien, and survey status relevant to a closing; and
- sign-in providers (Google/Apple) if you choose social login.
We do not purchase personal information from data brokers.
3.8 Information we do not knowingly collect
The Platform is for adults only (Section 12). We do not knowingly collect personal information from anyone under the age of majority in their jurisdiction (19 in British Columbia).
4. Why we collect it, how we use it, and our basis for doing so
Under PIPEDA and BC PIPA we may collect, use, and disclose personal information only for purposes that a reasonable person would consider appropriate, and generally only with your consent (express or implied) or where the law otherwise permits. We use your personal information to:
| Purpose | Examples | Basis under PIPEDA / BC PIPA |
|---|---|---|
| Provide and operate the Platform | Create and manage your account; run the auction software; record bids; manage watchlists/saved searches; display listings and comments | Necessary to provide the service you requested (consent implied by use) |
| Respond to lead capture | Add you to the waitlist; review and follow up on a boat submission | Consent (you submitted the information for this purpose) |
| Verify identity and prevent fraud | KYC on winning buyer/seller; phone verification; deter shill bidding, multiple accounts, default abuse; sanctions/risk screening | Consent and our legitimate need to detect/prevent fraud and unlawful activity (PIPEDA s.7 / BC PIPA exceptions) |
| Process our own charges | Hold/capture/refund the bidding deposit; charge the buyer's premium via Stripe | Necessary to perform the service / collect our fee |
| Facilitate a closing | Share the minimum data needed with the escrow/title partner and surveyor so they can do their work (lien/PPSA search, title clearing, payoff, transfer) | Necessary to complete the transaction you entered into |
| Communicate with you | Transactional emails (verification, bid/outbid, win, closing status, receipts, security) via our email provider | Necessary to provide the service (transactional messages are exempt from CASL consent) |
| Marketing (optional) | Newsletters, new-listing alerts, promotions | Express opt-in consent only (CASL — Section 9) |
| Analytics and improvement | Understand and improve site performance and features | Consent / legitimate interest, using cookies as described in Section 6 |
| Security and integrity | Authentication, rate-limiting, abuse detection, audit logging, account suspension | Necessary to secure the service |
| Comply with law | Respond to lawful requests; meet record-keeping, tax, and anti-fraud obligations; enforce our Terms | Required or permitted by law |
We will not use your personal information for a new purpose materially different from those above without obtaining your consent or as permitted by law.
5. How we share / disclose personal information
We disclose personal information only as described here. We do not sell your personal information.
5.1 Service providers and partners
We share the minimum necessary information with vendors and partners who help us run the Platform. Each is bound by contract to protect the information and use it only for the services they provide to us (or, for independent partners, for the transaction). Key recipients:
- Stripe (payment processing and, where used, identity verification) — payment-method and charge data; identity-verification data. Stripe processes data in the United States and elsewhere.
- Our identity-verification provider — KYC document and selfie data and verification results.
- Our marine escrow / title partner — buyer and seller identity, contact, and transaction details needed to open escrow, run the PPSA / lien search, clear and transfer title, pay off any existing loan, and release funds. This partner is an independent organization and the escrow agent of record — not us.
- A marine surveyor (where engaged through the Platform) — information needed to schedule and conduct a survey/sea-trial.
- Supabase (database, authentication, file storage, edge functions) — account, profile, bid, listing, and closing data.
- Resend (transactional and, with consent, marketing email delivery) — your email address and message content.
- Our analytics provider (Vercel Analytics) — device/usage data (Section 6).
- Our SMS one-time-passcode provider — your phone number, to send verification codes.
- Vercel (hosting / CDN).
5.2 Between users (limited)
To keep us a neutral venue, buyer–seller communication is mediated by the Platform, and sellers do not receive buyers' contact details through us. Your display name, your public comments, and your bids (which may be shown in a transparent, Cars-&-Bids-style bid history) are visible to other users; we do not publicly display your email, phone, legal name, or ID data. At the closing stage, the escrow/title partner will exchange identity and transaction details between the parties as needed to complete the sale.
5.3 Legal, safety, and business transfers
We may disclose personal information: (a) to comply with applicable law, a subpoena, court order, or lawful request (including from regulators); (b) to enforce our Terms or investigate fraud, security incidents, or abuse; (c) to protect the rights, safety, or property of any person; and (d) in connection with a merger, financing, acquisition, or sale of assets, subject to confidentiality and notice as required by law.
5.4 No sale of personal information
We do not, and will not, sell your personal information, and we do not disclose it for third-party cross-context behavioural advertising.
6. Cookies, analytics, and similar technologies
We use cookies and similar technologies to keep you signed in, remember preferences, secure the Platform, and understand usage.
- Strictly necessary (authentication/session, security, load-balancing) — required for the Platform to work.
- Functional — remember preferences (e.g., display settings).
- Analytics — measure traffic and feature use via Vercel Analytics.
Where required, we will ask for your consent to non-essential cookies through a cookie banner, and you can withdraw or change your choices at any time. You can also control cookies through your browser settings; disabling some cookies may break parts of the Platform. Because we do not sell or share personal information for advertising, we do not respond differently to browser "Do Not Track" signals.
7. KYC / identity-verification data handling (sensitive information)
Because identity-verification data is sensitive, we apply the following:
- We collect it only at the point it is needed (winning buyer and seller at closing, and earlier only where required by bid value or risk).
- Wherever possible, the government-ID image and selfie are collected and stored by our identity-verification provider, and we receive only the verification result and the minimal verified attributes (e.g., name, date of birth, address) needed for the transaction and to pass to the escrow/title partner.
- Access to verification data is restricted to authorized personnel and systems on a need-to-know basis, and access is logged.
- We retain verification results and necessary attributes per the schedule in Section 10 and then delete or de-identify them.
8. Where your information is processed — cross-border transfer
Yachts & Bids is operated from Canada, but several of our service providers (notably Stripe, and potentially our hosting, analytics, identity-verification, and email providers) store or process personal information in the United States and/or other countries. As a result, your personal information may be transferred to, stored in, and processed in the United States and elsewhere, where it may be accessible to courts, law enforcement, and government authorities under the laws of those jurisdictions.
We use service providers that are contractually bound to provide a comparable level of protection to that required under Canadian privacy law. By using the Platform, providing information, and (where requested) consenting, you acknowledge this cross-border processing.
9. Marketing communications and CASL consent
- Transactional / service messages (account verification, bid and outbid notices, win notices, closing and payment updates, security alerts) are necessary to provide the Platform and are sent without separate marketing consent.
- Marketing / promotional messages (newsletters, general new-listing alerts, promotions) are sent only with your express opt-in consent, as required by CASL. We will:
  - obtain a clear, affirmative opt-in (no pre-checked boxes);
  - identify ourselves and provide our contact information in each message; and
  - include a working unsubscribe mechanism in every commercial electronic message, honoured promptly (within the period CASL requires).
You can withdraw marketing consent at any time without affecting service messages. We keep records of consent (what you consented to, when, and how).
10. Data retention and security
10.1 Retention
We keep personal information only as long as necessary for the purposes it was collected, to provide the service, and to meet legal, tax, accounting, and dispute-resolution obligations, after which we delete or de-identify it. Indicative schedule:
| Data | Indicative retention |
|---|---|
| Waitlist email | Until you unsubscribe or we close the waitlist, then deleted/de-identified |
| Boat submission (declined / not listed) | 12–24 months, then deleted |
| Account and profile data | For the life of the account, then up to 24 months after closure |
| Bids, listings, comments, transaction/closing records | Tied to limitation periods + tax records (typically 6–7 years) |
| KYC / identity-verification results | Only as long as needed for the transaction and fraud-prevention, then deleted or de-identified |
| Payment records (Stripe references, charge status) | As required for tax/accounting (typically 6–7 years) |
| Clickwrap consent / agreement-acceptance records | As long as needed to prove assent + the applicable limitation period |
| Server / security logs | Up to 12 months |
10.2 Security
We use reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including: encryption in transit (TLS); payment tokenization (we do not store full card numbers); access controls and row-level security in our database; restricting sensitive data to authorized, authenticated personnel on a need-to-know basis; audit logging of administrative actions; multi-factor authentication on administrative access; rate-limiting and abuse detection; and use of reputable processors with their own security programs.
No method of transmission or storage is perfectly secure. If a privacy breach occurs that creates a real risk of significant harm, we will notify affected individuals and the relevant authority (including the Office of the Privacy Commissioner of Canada and/or the BC Office of the Information and Privacy Commissioner) as required by applicable law, and keep records of breaches as required.
11. Your privacy rights and how to exercise them
Subject to applicable law and limited exceptions, you have the right to:
- Access the personal information we hold about you and be told how it has been used and to whom it has been disclosed;
- Correct information that is inaccurate or incomplete;
- Withdraw consent (subject to legal or contractual restrictions) — note that withdrawing consent for information necessary to provide the Platform may mean we can no longer offer some or all services to you, and withdrawing marketing consent will stop marketing but not service messages;
- Unsubscribe from marketing at any time (Section 9);
- Ask questions or complain about our handling of your personal information.
To exercise any right, contact our Privacy Officer (Section 1). To protect your information, we will verify your identity before acting on a request, and we will respond within the time required by law (generally 30 days under PIPEDA, subject to permitted extensions). We do not charge a fee for reasonable access requests except as permitted by law, and we will tell you in advance if a fee applies. If we deny a request, we will explain why and tell you how to escalate.
12. Children
The Platform is intended for adults only and is not directed to children. You must be at least the age of majority in your jurisdiction (19 in British Columbia) to register, bid, or transact, because a winning bid forms a binding contract. We do not knowingly collect personal information from minors; if we learn we have, we will delete it.
13. United States users — CCPA/CPRA notice
If you are a California resident, the CCPA/CPRA may apply to your personal information. This section is provided for transparency and applies to the extent the law's thresholds are met. Where it applies:
- Categories collected: identifiers (name, email, phone, IP, account IDs); customer records (payment-method metadata, transaction history); commercial information (bids, listings, purchases); internet/network activity (usage, analytics); geolocation (approximate, from IP); and sensitive personal information (government-ID and identity-verification data, account credentials) used only to verify identity, provide the service, and prevent fraud — not to infer characteristics.
- Purposes and sharing: as described in Sections 4 and 5.
- We do not "sell" or "share" (as those terms are defined under CPRA, including for cross-context behavioural advertising) your personal information.
- Your rights: to know/access, delete, correct, opt out of sale/sharing, limit the use of sensitive personal information, and not be discriminated against for exercising your rights. Exercise them via the contact in Section 1; we will verify your identity and you may use an authorized agent.
Residents of other U.S. states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Texas, Utah) may have similar rights; contact us to exercise them.
14. Third-party links and services
The Platform may link to third-party sites and services (including the escrow/title partner, surveyors, and payment pages). We are not responsible for their privacy practices. Review their policies before providing information.
15. Changes to this Policy
We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and version number, and, for material changes, provide additional notice (e.g., by email or an in-Platform notice) and, where required, seek renewed consent. Your continued use of the Platform after an update means you accept the revised Policy, except where your express consent is required.
16. How to contact us or make a complaint
Contact our Privacy Officer first (Section 1). If you are not satisfied with our response, you may contact:
- the Office of the Privacy Commissioner of Canada — www.priv.gc.ca; and/or
- the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) — www.oipc.bc.ca.