⚠️ This is a translation for informational purposes only. The Swedish version is the legally binding document.

Privacy Policy

Last updated: April 2026 (version 2026-05-26)

This policy applies to all users of ccauktioner.se — both buyers (bidders) and sellers (consignors).

1. Data Controller

CCAuktioner is responsible for the processing of your personal data.

Contact:
CCAuktioner, org. no. 5566255849
Länsmansgatan 17, 282 72 Sösdala, Sweden
Email: info@ccauktioner.se
Website: ccauktioner.se

2. Data We Collect

Buyers (bidders) — when you create an account or place a bid, we collect:

  • Name
  • Email address
  • Phone number
  • Postal address (street, postal code, city)
  • Bid history, including automatic maximum bids (proxy bids) — which items you bid on, current bid, and your stated maximum
  • Watchlist/bookmarked items — which auctions you have saved to follow
  • Invoice data — invoices showing won items, prices, and any delivery choice are generated as PDF and emailed to your registered address

We do not collect card or bank account details. Payment is made by you via Swish or bank transfer, and we only store the reference needed to reconcile the payment.

Sellers (consignors) — when you are registered as a seller and consign items, we additionally collect:

  • Date of birth (to confirm you are at least 18 years old)
  • Personal identity number (personnummer) or company registration number
  • Bank account number or bank giro number (for payouts)
  • Country of tax residence
  • Transaction history (consigned items, hammer prices, commissions, payouts)
  • Information about consigned items' condition, provenance, and value

Processing of personnummer. Under Chapter 3, Section 10 of the Swedish Data Protection Act (2018:218), personal identity numbers may be processed only where it is clearly justified having regard to the purpose, the importance of secure identification, or other significant reasons. CCAuktioner processes sellers' personnummer in order to (i) comply with the Bookkeeping Act's requirement to identify counterparties (1999:1078, ch. 7), (ii) fulfil the reporting obligation under DAC7 (Act 2022:1682) toward the Swedish Tax Agency, (iii) report artist resale royalties via BUS (Act 1960:729), and (iv) comply with the Second-Hand Goods Act (1999:271). The personnummer is never disclosed for marketing and is not processed for purposes beyond these legal obligations.

3. Why We Process Your Data

Purpose | Legal basis
Managing your account and login (buyers) | Contract (account terms)
Running and administering auctions | Contract
Contacting you when you win an auction | Contract
Sending email notifications (outbid, won) | Contract
Sending push notifications to browser/home screen (outbid) | Consent (may be withdrawn in account settings)
Handling bid disputes and complaints | Legitimate interest
Administering seller consignments and payouts (sellers) | Contract (seller agreement)
Bookkeeping and accounting records (buyers and sellers) | Legal obligation (Accounting Act, 7 years)
DAC7 reporting to the Swedish Tax Agency (sellers) | Legal obligation (Act 2022:1682)
Seller ID-document registration (second-hand trade) | Legal obligation (Act 1999:271 § 5, Ordinance 1999:272 § 11) + Legitimate interest
Buyer registration at POS sale of regulated second-hand goods | Legal obligation (Act 1999:271 § 4, Ordinance 1999:272) + Legitimate interest
Handling right-of-withdrawal requests under the Distance Contracts Act | Legal obligation + contract
Publishing the final price in our public price archive of sold lots (no seller data) | Legitimate interest (GDPR Art. 6(1)(f)) — opt-out before sale, Art. 21 objection after
Recording of incoming phone calls and voicemail | Legitimate interest (GDPR Art. 6(1)(f)) — right to object Art. 21

4. How Long We Store Your Data

  • Buyer accounts: Until you request deletion, or after 3 years of inactivity.
  • Accounting records: 7 years in accordance with the Swedish Bookkeeping Act (1999:1078).
  • Seller data (DAC7): At least 5 years from the reporting year, in accordance with Act 2022:1682.
  • Login attempts: 15 minutes (brute-force protection only).
  • Push subscriptions: Stored until you disable push notifications or your browser revokes the subscription. Inactive subscriptions are automatically deleted when delivery fails.
  • Right-of-withdrawal requests: Records of withdrawal requests under the Distance Contracts Act (status, reason, return method, timestamps, admin notes) are retained for 3 years for follow-up and potential ARN proceedings.
  • Buyer account deletion: When you request deletion of your buyer account, all personal data is removed — name, email, phone, address, password, and any OAuth identifiers. Bids you placed on completed auctions are retained anonymously in the auction history: the link to your account is removed, but the bid amount and timestamp are kept. The purpose is to preserve the historical integrity of the auction vis-à-vis other bidders and to meet the Bookkeeping Act's requirements. This processing is based on legitimate interest (GDPR Art. 6(1)(f)) and legal obligation (Swedish Bookkeeping Act 1999:1078).

5. Third Parties

We may share your data with the following third parties:

  • Web hosting (Loopia AB, Sweden) — the service is hosted with Loopia. All personal data is stored on servers within the EU/EEA. Loopia acts as a data processor and handles the data strictly under our written instructions and a Data Processing Agreement pursuant to GDPR Art. 28.
  • 46elks AB (Sweden) — telephony/switchboard. Our telephony service (switchboard number, voicemail and any call recording) is provided by 46elks. Callers' phone numbers, call metadata and — when recording is enabled — the audio are processed by 46elks to connect the call; recordings are downloaded and stored encrypted with us (Loopia, Sweden). 46elks is a data processor within the EU (Sweden) and processes the data under the processor terms in the customer agreement (GDPR Art. 28). See § 7. No third-country transfer.
  • Email delivery — outgoing email (invoices, notifications, password resets) is sent via the SMTP relay provided by Loopia. Recipient address and content are processed solely for delivery.
  • Anthropic, PBC (USA) — AI categorisation of lots. When our staff enter a lot into the system, the photos of the lot may be sent to Anthropic's Claude (Haiku) model for automatic categorisation, title suggestions, and tag suggestions. The feature is used purely internally in the admin tool and is triggered manually per lot. Images are not used by Anthropic to train models (zero-retention / no-training contractual terms). Transfers to the USA rely on the European Commission's Standard Contractual Clauses (SCC, 2021/914). Anthropic is not certified under the EU-U.S. Data Privacy Framework (DPF). Legal basis: legitimate interest (efficient cataloguing); you may object to this processing under § 10 below.
  • Google Maps (USA) — opt-in map on the landing page. Our landing page contains a "Show map" button. No data is sent to Google until you click it. On click an embedded map is loaded from Google and your IP address, User-Agent and Referer are processed by Google under their privacy policy. Your click is stored locally in your browser so the map auto-loads on return visits; clear browser data to revoke. US transfers rely on the EU-U.S. Data Privacy Framework. Legal basis: consent (GDPR Art. 6(1)(a)).
  • Zettle by PayPal (Secondhand) — when you pay in our secondhand store, product information (product code, price, description) is shared with Zettle/PayPal to enable card payment. Seller personal data is not shared with Zettle; buyer information is processed by Zettle under its own privacy policy.
  • Google / Facebook — if you choose to log in via OAuth. Only basic profile information (name, email) is shared. No bidding or payment data.
  • Skatteverket (Swedish Tax Agency) — DAC7 reporting for sellers who exceed reporting thresholds.
  • BUS (the Visual Artists' Rights Association) — artist resale royalty (följerätt) paid annually on qualifying sales.
  • Push notification providers — if you enable push notifications, each notification is delivered via your browser's push service: Google Firebase Cloud Messaging (Chrome/Edge/Android), Apple Push Notification Service (Safari/iOS) or Mozilla autopush (Firefox). The notification payload is end-to-end encrypted using VAPID before it leaves our server, so the push provider cannot read its contents. A unique endpoint URL and technical metadata are however processed by the provider in order to deliver the notification. You can disable push notifications at any time in your account settings — the subscription is then deleted.

We do not sell personal data to third parties.

Your personal data is primarily stored and processed within the EU/EEA. Exception: if you enable push notifications, endpoint URLs and technical metadata may be processed by Google (FCM, USA) or Apple (APNs, USA) to deliver notifications to your device. Contents are encrypted with VAPID (RFC 8291) and cannot be read by the push provider. Transfers rely on the EU-U.S. Data Privacy Framework or standard contractual clauses (SCC).

6. Camera Surveillance in the Store

Our physical second-hand store and its entrances are under camera surveillance around the clock. Signs at the entrances inform visitors of the surveillance in accordance with Section 15 of the Swedish Camera Surveillance Act (2018:1200) and Article 13 GDPR.

Purpose. The surveillance is carried out to prevent, deter and investigate crime (theft, vandalism, threats) and to protect property and people in the store.

Legal basis and balancing test. The processing is based on legitimate interest (GDPR Art. 6(1)(f)). We have assessed that our interest in protecting property and in preventing and investigating crime outweighs the limited intrusion into personal privacy that the surveillance entails. The cameras only cover the inside of the store and its entrances — never the public space outside the premises — and footage is retained for a short period with restricted access, which minimises the intrusion.

Categories of data subjects. Visitors and customers present in the store premises.

Categories of data. Still and moving images (video recordings). No audio is recorded.

Retention period. Recordings are kept for 14 days and then automatically deleted, unless they need to be retained longer to investigate a specific incident or at the request of the Police.

Recipients. Footage is handled internally with restricted access. Where a crime is suspected, relevant footage may be disclosed to the Swedish Police. No data is transferred to a third country.

Data controller. Skånerot AB (reg. no. 556625-5849), trading as CCAuktioner. You have the rights described in § 10 below, including the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY).

7. Recording of Phone Calls and Voicemail

CCAuktioner operates its own telephony service. Incoming calls to our switchboard number may be recorded, and anyone who leaves a message in our voicemail is recorded. This section concerns telephony and is separate from the camera surveillance in § 6 — the statement there that "no audio is recorded" applies only to the store's surveillance cameras, not to phone calls.

What we record. On incoming calls the entire call may be recorded (both parties' speech) after an initial spoken notice has informed you of the recording. In the voicemail we record the message you choose to leave. We also store call metadata: your phone number, the time, the call duration and the action the call led to. Outgoing calls from us are not recorded as a rule; if in an individual case we record an outgoing call, we inform you before the recording starts and you may then decline.

Purpose. To ensure the quality of our customer contact, document oral agreements on consignment, bidding, valuation and payout, and to be able to investigate and substantiate matters in complaints and disputes.

Legal basis. Legitimate interest (GDPR Art. 6(1)(f)). We have carried out a balancing test and concluded that our interest in quality assurance, documentation and securing evidence outweighs the limited privacy intrusion the recording entails — in particular because (i) you are informed of the recording at the start of the call and can ask us to switch it off, (ii) the recording is stored encrypted on a server in Sweden with restricted access, (iii) the material is automatically erased after a short time, and (iv) we neither profile you nor share the recording for other purposes. If the call concerns sensitive data (Art. 9) we instead obtain your explicit consent before any recording takes place.

Retention period. Call recordings are automatically deleted after 90 days. Voicemail messages are automatically deleted after 30 days. Call metadata (number, time, duration) may be kept somewhat longer for statistics and troubleshooting, but no longer than 12 months. If a recording is needed to investigate or defend a specific legal claim it may be retained until the matter is concluded.

Your right to object (GDPR Art. 21). Because the processing is based on legitimate interest you have the right to object to recording at any time. You can do so during the call itself — just tell us and we will switch off the recording — or afterwards by contacting info@ccauktioner.se, whereupon we erase the recording unless there are compelling legitimate grounds for continued processing or it is needed to establish, exercise or defend a legal claim.

Recipients and processors. Telephony traffic is carried by our telecom operator 46elks AB (Sweden), which is a data processor. Recordings are downloaded from 46elks and stored encrypted at our web host Loopia AB (Sweden) within the EU/EEA. Both are data processors and process the data solely on our instructions and under data processing agreements (GDPR Art. 28). Where a crime is suspected a recording may be disclosed to the Swedish Police. No data is transferred to a third country.

Data controller. Skånerot AB (reg. no. 556625-5849), trading as CCAuktioner. You have the rights described in the "Your Rights" section below, and you may lodge a complaint with the Swedish Authority for Privacy Protection (IMY).

8. Public Price Archive (sold lots)

At ccauktioner.se/priser/ we publish an archive of final prices for sold lots. The archive typically shows title, category, photo, description, sale date and the final hammer price. No information about the seller is published — neither name, initials, town, seller ID nor any other identifying information.

Purpose. Market transparency, historical price documentation, an independent valuation reference for buyers, sellers and third parties, and buyer protection. Publication of final prices is moreover standard industry practice among comparable operators.

Legal basis. Legitimate interest (GDPR Art. 6(1)(f)). We have performed a legitimate-interest assessment (LIA) and concluded that the interest in historical price transparency outweighs the limited privacy intrusion the publication entails — in particular because (i) no seller data is published, (ii) auction prices are already public during the auction itself and the archive is a continuation of that publicity, and (iii) the seller has a reasonable expectation that the sale price will become lasting market information.

Categories of data. Item data: title, category, photograph(s), description, sale date, final price. No seller-identifying data.

Retention. Entries in the price archive are retained indefinitely as a historical price reference, subject to individual review on objection (see below).

Opt-out before sale. The seller may choose that an individual item shall not be included in the archive by ticking the opt-out box at intake or by changing the setting in the seller portal no later than the auction start date. For items where opt-out is activated before the auction starts, neither image nor final price is published in the archive.

Right to object after sale (GDPR Art. 21). Even after a lot has been sold the seller retains the right to object to continued publication by contacting info@ccauktioner.se. CCAuktioner will then carry out an individual assessment of whether compelling legitimate grounds for continued publication exist that override the seller's interests, rights and freedoms, or whether the publication is for the establishment, exercise or defence of legal claims. A reply is given within 30 days. If the objection is upheld, the item's entry (including image) is promptly removed from the archive.

Buyers. The buyer's identity is never published in the price archive.

9. Cookies and Fonts

We use only technically necessary cookies:

Cookie | Purpose | Duration
PHPSESSID | Login session | Session (until browser closes)
lang | Language preference (SV/EN) | 1 year
cookie_consent | Records your choice in the cookie notice (1 = accepted, essential = essential only), so the banner is not shown again. | 1 year

Local storage (localStorage)

Key | Purpose | Duration
ccauk_listing_view | Saves your preferred listing layout (grid, card, or list) on the auction page. Functional. | Until you clear browser data
cookie_consent | Same value as the cookie_consent cookie. Used as a fallback in browsers that block session or third-party cookies (e.g. Brave in strict mode). | 1 year

Other local storage

  • Service worker cache (cc-shell-v<n>) — if you install or use CCAuktioner as a Progressive Web App (PWA), the shell pages (home, search, offline page) are cached locally by the service worker so the app works without an internet connection. No personal data is cached. Deleted when you uninstall the PWA, clear site data, or when a new version of the service worker is published.
  • Web Push subscription — if you enable push notifications, the browser itself stores the subscription entry (endpoint URL and encryption keys) in its own internal storage. CCAuktioner stores the matching record on the server in order to send notifications. Deleted when you disable push in your account settings or in the browser.

All fonts (Playfair Display, Inter) are self-hosted on our own server. No requests are made to Google Fonts or other external font services, so no IP addresses are transmitted to third parties for font loading.

10. Your Rights

Under GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your data, subject to legal retention obligations.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Lodge a complaint — with the Swedish Authority for Privacy Protection (IMY) at imy.se.

To exercise your rights, contact us at info@ccauktioner.se.

11. Security

We apply appropriate technical and organisational security measures: encrypted connections (HTTPS), hashed passwords (bcrypt), CSRF protection, brute-force lockout, and regular security reviews.