Auctum

Privacy Policy

Effective Date: June 16, 2026  ·  Last Updated: June 16, 2026

Summary: Auctum is a B2B SaaS platform. We collect the data needed to deliver our service, we never sell it, and you retain ownership of your business data at all times. This policy explains exactly what we collect, why, and how you can control it.

1. Who We Are

Auctum ("Auctum," "we," "us," or "our") provides a revenue attribution and lead management platform for home service businesses and marketing agencies. Our service connects to GoHighLevel CRM sub-accounts, advertising platforms (Google Ads, Meta Ads), and field service software to track lead performance and attribution.

For questions about this Privacy Policy, contact us at: privacy@auctum.io

2. Scope of This Policy

This policy applies to:

  • Account holders and users — individuals who create an Auctum account or use the dashboard on behalf of a business.
  • End-customer data (leads) — contact information and behavioral data about the clients' customers that flows through our platform as part of delivering the service.
  • Visitors — individuals who visit auctum.io without registering.

3. Data We Collect

3.1 Account & Billing Data

  • Name, email address, and password (hashed — never stored in plaintext)
  • Company name and billing address
  • Payment method details — processed directly by Stripe; Auctum does not store card numbers or CVVs
  • Subscription tier and usage metrics

3.2 Integration Credentials

  • GoHighLevel API keys and Location IDs
  • Google Ads customer IDs and OAuth tokens
  • Meta Ads pixel IDs and API tokens
  • CallRail account credentials

Integration credentials are stored encrypted at rest and are used solely to read and write data on your behalf within those platforms.

3.3 Lead & Attribution Data (Business Data)

As part of the core service, we process lead records that your business generates, including:

  • Contact information: names, email addresses, phone numbers
  • Lead source, campaign attribution, and UTM parameters
  • Timestamps of contact attempts, appointments, and conversions
  • Deal values and revenue attribution scores
  • Decay scores, speed-to-lead metrics, and engagement flags

You own this data. We process it as a data processor on your behalf.

3.4 Usage & Technical Data

  • Log data: IP addresses, browser type, pages visited, and timestamps
  • API request logs retained for security and debugging
  • Session data and authentication tokens (short-lived; 15-minute access tokens)

4. How We Use Your Data

We use the data we collect for the following purposes:

  • Service delivery — processing lead events, computing attribution scores, triggering automations, and syncing conversions to ad platforms
  • Billing — calculating plan usage, processing subscription payments via Stripe, and enforcing plan limits
  • Security — detecting and preventing unauthorized access, rate limiting, and maintaining audit logs
  • Support — diagnosing issues when you contact us
  • Communications — sending transactional emails (password resets, billing receipts). We do not send marketing emails without your explicit opt-in.
  • Product improvement — aggregated, anonymized usage analytics to improve features. We do not use your lead data for this purpose.

5. Data Sharing & Third Parties

We do not sell your data. We share data only in the following limited circumstances:

  • Stripe — payment processing. Stripe's privacy policy applies to payment data.
  • GoHighLevel — we read and write to your GHL sub-account via the API you configure. Data flows are governed by your agreement with GHL.
  • Google Ads / Meta Ads — we push offline conversion data to your ad accounts at your direction. This data is governed by your agreements with those platforms.
  • Infrastructure providers — our hosting stack (Railway for the API, Neon for the database, Redis Cloud for caching, Cloudflare for edge delivery). These providers act as sub-processors and are bound by data processing agreements.
  • Legal requirements — if required by law, court order, or to protect rights and safety, we may disclose data to law enforcement or regulatory authorities.
  • Business transfer — in the event of a merger or acquisition, data may be transferred as part of the transaction. You will be notified in advance.

6. Data Retention

  • Active accounts — data is retained for the duration of your subscription.
  • After cancellation — account and lead data is retained for 90 days to allow for reactivation or data export, then permanently deleted.
  • Billing records — retained for 7 years as required by financial regulations.
  • Security logs — retained for 12 months.
  • Backups — encrypted database backups are retained for 30 days and then purged.

7. Data Security

We implement industry-standard security controls including:

  • All data in transit encrypted via TLS 1.2+
  • All data at rest encrypted via AES-256
  • Passwords hashed with bcrypt (cost factor 12) — never stored in plaintext
  • JWT access tokens with 15-minute expiry; refresh tokens with 30-day expiry, rotated on each use
  • Token revocation on logout via Redis blocklist
  • Rate limiting on all authenticated endpoints (300 requests/minute per user)
  • Per-IP rate limiting on login (10 attempts/15 min), registration, and password reset
  • Strict tenant isolation — no query can return data belonging to another customer account
  • Security headers (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Permissions-Policy) on all responses
  • Audit logs for all sensitive actions (role changes, password changes, impersonation)

No system is perfectly secure. If you believe your account has been compromised, contact security@auctum.io immediately.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and associated data
  • Portability — request an export of your lead data in CSV format
  • Objection — object to certain types of processing
  • Restriction — request that we restrict processing in certain circumstances

To exercise any of these rights, email privacy@auctum.io. We will respond within 30 days.

9. GDPR (EU/EEA Users)

If you are located in the European Union or European Economic Area, the following additional terms apply:

  • Legal basis for processing: We process your personal data on the basis of (a) contract performance — to deliver the service you subscribed to; (b) legitimate interests — for security monitoring and fraud prevention; and (c) legal obligations — for financial record-keeping.
  • Data transfers: Auctum stores data on servers located in the United States. By using our service, you consent to the transfer of your data to the US. We rely on Standard Contractual Clauses (SCCs) for international data transfers where required.
  • DPA: Customers who require a Data Processing Agreement (DPA) for GDPR compliance should contact privacy@auctum.io.

10. CCPA (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the "sale" of personal information — we do not sell personal information
  • Non-discrimination for exercising your privacy rights

To submit a verifiable consumer request, contact privacy@auctum.io.

11. Cookies

Auctum uses cookies and similar technologies for:

  • Authentication — httpOnly session cookies for secure token storage
  • Preferences — storing UI settings (not used for tracking)

We do not use third-party advertising cookies. If we add analytics tools in the future, this policy will be updated and you will be notified.

12. Children's Privacy

Auctum is a B2B platform not directed at individuals under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us personal data, contact privacy@auctum.io and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and update the "Last Updated" date above. Continued use of the service after the effective date constitutes acceptance of the updated policy.

14. Contact

Questions, requests, or concerns about this Privacy Policy:

  • Email: privacy@auctum.io
  • Mail: Auctum, Attn: Privacy, [Company Address]

© 2026 Auctum. All rights reserved.