Privacy Policy

We collect information you give us directly and information generated through your use of the platform:

• Account information: Full name, email address, phone number, and profile photo (optional)
• Listing information: Vehicle details, photos, VIN/plate numbers, asking prices, and location
• Transaction information: Bid amounts, auction outcomes, payment method details (card details are handled entirely by Stripe — we do not store card numbers)
• Bank account details: Provided by sellers voluntarily to receive payment from buyers; stored encrypted and only shown to winning buyers
• Usage data: IP address, browser type, pages visited, and session duration for security and analytics
• Communications: Messages sent through our platform, support requests

We collect and use your information to:

• Provide and operate the NZ Wreck Auctions auction marketplace
• Verify your identity and protect against fraudulent listings or bids
• Facilitate completed transactions by sharing contact details between buyer and seller
• Send transactional notifications (auction won, outbid alerts, listing updates)
• Process listing fees and subscription payments via Stripe
• Improve our platform through aggregated, anonymised analytics
• Comply with our legal obligations under New Zealand law

We will never use your information for purposes incompatible with why it was collected.

We share your information only in the following limited circumstances:

• Buyer ↔ Seller contact sharing: When an auction completes with a sale, we disclose the seller's name, phone, and email to the winning buyer — and vice versa — solely to enable them to complete the vehicle transaction. This is disclosed to both parties before auction end.
• Stripe: Our payment processor receives billing information as required to process listing fees. Stripe operates under its own Privacy Policy and is PCI-DSS compliant.
• Supabase: Our database and authentication provider stores your data on infrastructure hosted in Australia, subject to Australian data protection laws comparable to New Zealand's.
• Legal requirements: We may disclose information if required by law, court order, or to protect the rights and safety of others.

We do not sell, rent, or trade your personal information to third parties for marketing purposes. Ever.

• All data is transmitted over encrypted TLS/HTTPS connections
• Passwords are never stored — authentication is managed via secure email magic links or hashed credentials
• Bank account details provided by sellers are stored encrypted at rest
• We apply Row-Level Security (RLS) at the database level — users can only read data they are authorised to see
• We retain your account data for as long as your account is active. On account deletion, personal data is removed within 30 days except where retention is legally required

Under the New Zealand Privacy Act 2020, you have the right to:

• Access the personal information we hold about you
• Correct any personal information that is inaccurate or incomplete
• Request deletion of your account and associated personal data
• Object to the use of your information for purposes you did not expect
• Complain to the Office of the Privacy Commissioner (privacy.org.nz) if you believe your rights have been breached

To exercise any of these rights, email us at privacy@nzwreckauctions.co.nz. We will respond within 20 working days as required by law.

We use essential cookies only:

• Session cookies to keep you logged in
• Security tokens to prevent cross-site request forgery (CSRF)

We do not use advertising cookies, tracking pixels, or third-party analytics that identify you personally. We may use basic, anonymous page-view analytics to understand how our platform is used.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or a prominent notice on the platform at least 14 days before the changes take effect. Your continued use of the platform after that date constitutes acceptance of the updated policy.