Privacy Policy

Effective Date: March 20, 2026  ·  Last Updated: March 20, 2026

GDPR CCPA COPPA FERPA PCI-DSS 3.2.1 WCAG 2.1 AA

Contents

  1. Overview
  2. Data Controller
  3. Data We Collect
  4. How We Use Data
  5. Legal Bases (GDPR)
  6. Children (COPPA)
  7. Student Records (FERPA)
  8. Data Sharing
  9. Data Retention
  10. Payment Data (PCI-DSS)
  11. Your Rights — GDPR
  12. Your Rights — CCPA
  13. Cookies
  14. Security
  15. International Transfers
  16. Policy Changes
  17. Contact / DPO

1. Overview

Silent Auction Gallery ("SAG," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and what rights you have over your data.

This policy applies to all users of the Platform at SAG.live, including students, teachers, school administrators, bidders, and visitors. It is designed to comply with:

  • GDPR — General Data Protection Regulation (EU/UK)
  • CCPA — California Consumer Privacy Act
  • COPPA — Children's Online Privacy Protection Act
  • FERPA — Family Educational Rights and Privacy Act
  • PCI-DSS 3.2.1 — Payment Card Industry Data Security Standard

By using the Platform, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use the Platform.

2. Data Controller

For the purposes of GDPR and other applicable privacy laws, the data controller is:

Silent Auction Gallery

Website: https://sag.live

Email: SilentAuctionGallery@gmail.com

For data subject requests (access, deletion, portability, correction), contact us at the email above with the subject line "Privacy Request."

3. Data We Collect

We collect data in three ways: information you provide directly, information collected automatically, and information from third parties.

3.1 Information You Provide

| Category | Data Elements | Who Provides |
|---|---|---|
| Identity | First name, last name, date of birth | All users |
| Contact | Email address, mobile phone number | All users |
| Authentication | Hashed password, TOTP secret (2FA), backup codes | All users |
| School Affiliation | School name, school ID, teacher/student role | Students, Teachers, School Admins |
| Artwork | Uploaded images, artwork title, artwork description | Students |
| Payment | Payment token (not raw card data — see Section 10) | Bidders |
| Consent Records | Date/time of Terms acceptance, GDPR consent flags | All users |

3.2 Information Collected Automatically

  • Session data — JWT tokens, session identifiers, login timestamps, IP address at login.
  • Audit logs — critical actions (bids placed, account changes, admin actions) logged for compliance.
  • Device/browser data — browser type, operating system, referrer URL (collected via server logs).
  • Real-time activity — WebSocket connection metadata for live bid delivery.

3.3 Information from Third Parties

  • Payment processors (Stripe, Square, PayPal, Authorize.net) — payment status confirmations and fraud signals. We never receive raw card numbers.
  • School enrollment data — where Teachers invite Students by email, the Teacher provides the Student's email address on the Student's behalf.
  • NCES API — public school directory data (school names, districts) used to populate the school selection during registration. No personal data is sourced from NCES.

4. How We Use Data

We use your data only for the purposes described below:

  • Account creation and management — to register, authenticate, and maintain your account.
  • Platform operation — to display auctions, process bids, manage artwork submissions, and deliver real-time updates.
  • Payment processing — to charge winning bidders and remit proceeds to schools.
  • Communications — to send registration confirmations, bid notifications, auction results, and support responses via email and SMS.
  • Security — to detect fraud, enforce account lockout policies, and protect the integrity of auctions.
  • Compliance — to maintain audit logs and consent records as required by GDPR, FERPA, COPPA, and PCI-DSS.
  • Platform improvement — aggregate, anonymized analytics to understand usage patterns (no personal identifiers retained).

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5. Legal Bases for Processing (GDPR)

For users in the European Union or United Kingdom, we process your personal data under the following legal bases (Article 6 GDPR):

| Processing Purpose | Legal Basis |
|---|---|
| Account creation and login | Contract (Art. 6(1)(b)) — necessary to provide the service |
| Bid processing and payment | Contract (Art. 6(1)(b)) |
| Email/SMS notifications | Contract (Art. 6(1)(b)) / Consent (Art. 6(1)(a)) for marketing |
| Fraud detection and security | Legitimate interests (Art. 6(1)(f)) |
| Audit and compliance logs | Legal obligation (Art. 6(1)(c)) |
| Children's data (COPPA) | Consent of parent/guardian (Art. 6(1)(a) + Art. 8) |

6. Children's Privacy (COPPA)

The Platform supports school-based participation by students who may be under 13 years of age. We take children's privacy seriously and comply fully with the Children's Online Privacy Protection Act (COPPA).

6.1 Data Minimization for Children

For users under 13, we collect only the minimum data necessary:

  • First name and last name
  • School and teacher affiliation
  • Email address (used only for login and critical notifications)
  • Artwork submissions

We do not collect phone numbers, payment information, or location data from users under 13. We do not permit children under 13 to bid.

6.2 Parental Consent

Children under 13 may only use the Platform after a Teacher has confirmed that verifiable parental consent has been obtained through the School's enrollment process. SAG relies on Schools and Teachers to obtain this consent as part of their educational programs.

6.3 Parental Rights

Parents and legal guardians may at any time:

  • Request to review all personal information collected about their child.
  • Request correction of inaccurate information.
  • Request deletion of their child's account and all associated personal data.
  • Revoke consent to any future collection.

Submit requests to SilentAuctionGallery@gmail.com with the subject "COPPA Parental Request." We will respond within 5 business days.

7. Student Education Records (FERPA)

Information collected from students in connection with their school's use of the Platform is treated as an education record under the Family Educational Rights and Privacy Act (FERPA).

7.1 Access Controls

Student education records on the Platform are accessible only to:

  • The student themselves (if 18+ or an eligible student under FERPA)
  • The student's parent or legal guardian (for students under 18)
  • The student's Teacher and School Administrator
  • SAG platform staff with a legitimate educational interest

7.2 No Third-Party Disclosure

SAG does not disclose student education records to any third party without prior written consent from the eligible student or their parent/guardian, except:

  • As permitted under FERPA's "school official" exception (to operate the Platform).
  • As required by a court order or applicable law.
  • In a genuine health or safety emergency.

7.3 Audit Logging

All access to student education records is logged. Schools may request access logs for their students at any time.

7.4 Data Retention

Student education records are retained for 3 years from the date of the student's last activity on the Platform, then permanently deleted or anonymized in accordance with FERPA guidelines.

8. Data Sharing

We share your personal data only in the following limited circumstances:

8.1 Service Providers

We engage the following categories of service providers who process data on our behalf under strict data processing agreements:

  • Payment processors — Stripe, Square, PayPal, Authorize.net (payment tokenization and processing)
  • Email delivery — Gmail SMTP / other SMTP providers (transactional email)
  • SMS provider — Twilio (two-factor authentication and notifications)
  • Hosting — Linux VPS / Docker infrastructure (application and database hosting)

These providers are contractually prohibited from using your data for their own purposes beyond the services they provide to us.

8.2 Legal Requirements

We may disclose personal data if required by law, subpoena, court order, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of SAG, our users, or the public.

8.3 Business Transfers

If SAG is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will provide notice and, where required by law, seek your consent before any such transfer.

8.4 No Sale of Personal Data

SAG does not sell, rent, trade, or lease personal data to any third party for commercial or marketing purposes.

9. Data Retention

We retain personal data for as long as necessary to provide the Platform and comply with our legal obligations. Specific retention periods:

| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days after deletion request | Service operation |
| Student education records | 3 years from last activity | FERPA compliance |
| Transaction records | 7 years | Financial/tax compliance |
| Audit logs | 3 years | Security and compliance |
| Consent records | Duration of relationship + 5 years | GDPR accountability |
| Payment tokens | Duration of account (then deleted) | PCI-DSS |
| Server logs (IP, device) | 90 days | Security monitoring |

After the applicable retention period, data is permanently deleted or irreversibly anonymized.

10. Payment Data (PCI-DSS 3.2.1)

The Platform processes payments in full compliance with PCI-DSS 3.2.1. Key principles:

  • No raw card data stored. SAG never receives or stores full payment card numbers, CVVs, or PINs. All card entry occurs on the payment processor's secure page or via their hosted JavaScript element.
  • Tokenization only. After a card is submitted to the processor, we receive only a non-reversible payment token. This token is stored in an encrypted vault and used solely for future charges related to auction wins.
  • HTTPS/TLS everywhere. All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher.
  • No card data in logs. Our application and server logs are configured to mask or exclude any payment data.

Our payment partners (Stripe, Square, PayPal, Authorize.net) are independently PCI-DSS certified. Their respective privacy policies govern how they handle payment data on their systems.

11. Your Rights — GDPR

If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights under the GDPR:

Access

Request a copy of all personal data we hold about you.

Correction

Request correction of inaccurate or incomplete data.

Erasure

Request deletion of your data ("right to be forgotten") subject to legal retention requirements.

Portability

Receive your data in a structured, machine-readable format.

Restriction

Request that we restrict processing of your data in certain circumstances.

Objection

Object to processing based on legitimate interests.

Withdraw Consent

Withdraw any consent given at any time, without affecting prior lawful processing.

Complaint

Lodge a complaint with your national data protection authority (e.g., ICO in the UK).

To exercise any GDPR right, email SilentAuctionGallery@gmail.com with the subject "GDPR Data Request." We will respond within 30 days. Identity verification may be required.

12. Your Rights — CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

  • Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete — request deletion of personal information we have collected, subject to certain exceptions (e.g., legal compliance, security).
  • Right to Opt-Out of Sale — SAG does not sell personal information, so this right is not currently applicable. If this changes, we will notify you and provide an opt-out mechanism.
  • Right to Non-Discrimination — we will not deny you service, charge different prices, or provide a different quality of service because you exercise your CCPA rights.

To exercise CCPA rights, email SilentAuctionGallery@gmail.com with the subject "CCPA Privacy Request." We will respond within 45 days.

13. Cookies & Local Storage

The Platform uses the following storage mechanisms:

| Name / Type | Purpose | Duration |
|---|---|---|
| JWT Access Token (localStorage) | Authentication — keeps you logged in | 15 minutes |
| JWT Refresh Token (httpOnly cookie) | Session renewal without re-login | 7 days |
| schoolTheme (localStorage) | Remembers your school's visual theme preference | Persistent (until cleared) |
| CSRF Token (session cookie) | Cross-site request forgery protection | Session |

We do not use third-party advertising or analytics cookies. The Platform does not track you across other websites.

You can clear localStorage and cookies through your browser settings at any time. Doing so will log you out of the Platform.

14. Security

We implement industry-standard technical and organizational security measures to protect your personal data:

  • Encryption in transit — TLS 1.2+ for all data between your browser and our servers.
  • Password hashing — bcrypt with 12 salt rounds. We never store plaintext passwords.
  • Multi-factor authentication — TOTP-based 2FA available to all users.
  • Account lockout — accounts are locked for 30 minutes after 5 consecutive failed login attempts.
  • SQL injection prevention — all database queries use parameterized statements.
  • XSS prevention — all user-generated content is encoded on output.
  • CSRF protection — SameSite cookie attributes and CSRF tokens on state-changing requests.
  • Security headers — HSTS, CSP, X-Frame-Options: DENY, X-Content-Type-Options: nosniff via Helmet.js.
  • Fraud detection — velocity checks, duplicate detection, and geographic anomaly alerts on payments.

Despite these measures, no system is completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.

15. International Data Transfers

The Platform is hosted on servers in the United States. If you access the Platform from the EU, EEA, or UK, your personal data may be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.

Where such transfers occur, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) with our service providers, or
  • Transfers to processors that participate in a recognized adequacy framework.

For more information about our international transfer mechanisms, contact us at SilentAuctionGallery@gmail.com.

16. Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our data practices, the Platform, or applicable law. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Send a notification email to registered users.
  • Display a banner on the Platform for 30 days after the change.

Where required by law (e.g., material changes to how we use children's data), we will seek fresh consent before the change takes effect.

17. Contact & Data Protection Officer

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Silent Auction Gallery — Privacy Team

Email: SilentAuctionGallery@gmail.com

Subject line: "Privacy Request"

Website: https://sag.live

If you are in the EU/EEA and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.

Also see our Terms of Service for the full legal framework governing your use of the Platform.

© 2026 Silent Auction Gallery. All rights reserved.