Privacy Policy

Koi Auction is operated by Koi Water Garden Limited, a company registered in England and Wales under company number 03474013.

Our trading and contact address is Dormer Cottage, Spurgrove Lane, Frieth, Henley on Thames, Oxon, RG9 6NU.

Our registered office is The Old Star, Church Street, Princes Risborough, Buckinghamshire, England, HP27 9AA.

You can contact us by email at sales@koicarp.org.uk, by telephone on 01494 882600, or by mobile on 07814 011357.

For data protection purposes, Koi Water Garden Limited is the data controller for personal data processed through koi-auction.com.

This Privacy Policy explains how we collect, use, store, protect and share personal data when you use koi-auction.com.

It applies when you browse the website, create a buyer account, verify your email, complete a buyer profile, place bids, win auctions, make payments, contact us, or arrange collection or delivery.

You should read this Privacy Policy together with our Terms and Conditions and Cookie Policy.

We may collect and use the following personal data:

• your first name and surname;
• your email address;
• your telephone number;
• your house number or house name;
• your street, town, county and postcode;
• your buyer account details;
• your email verification status;
• your buyer profile information;
• your bid history and auction activity;
• details of koi you bid on, win or purchase;
• payment status and payment reference information;
• Stripe customer or payment method reference data;
• collection or delivery information;
• messages, enquiries and support requests;
• technical information such as IP address, browser type, device type, approximate location, session information and security logs.

We do not intentionally collect special category personal data through the website.

We collect personal data when you:

• visit or use the website;
• create a buyer account;
• verify your email address;
• complete or update your buyer profile;
• register a payment method;
• place a bid;
• win an auction;
• make a payment;
• arrange collection or delivery;
• contact us by email, phone or website form.

Some technical data may be collected automatically through cookies, authentication tools, server logs, security tools or similar technologies.

We use personal data to:

• create and manage buyer accounts;
• verify email addresses;
• operate online koi auctions;
• record bids and auction activity;
• identify winning bidders;
• process payments and payment attempts;
• issue receipts, confirmations and service messages;
• arrange collection or delivery;
• contact buyers about bids, purchases or koi welfare;
• provide customer support;
• prevent fraud, fake bidding and misuse;
• protect the website and buyer accounts;
• keep business, tax and accounting records;
• deal with complaints, disputes and legal claims;
• improve the website and buyer experience.

Under UK data protection law, we need a lawful basis for using personal data. Depending on the activity, we may rely on one or more of the following:

Contract: to create and manage your account, operate auctions, record bids, process purchases, arrange collection or delivery, and provide services requested by you.

Legal obligation: to keep tax, accounting, company, payment and transaction records, and to comply with applicable laws.

Legitimate interests: to operate and protect the website, prevent fraud, reduce fake bidding, support customers, maintain records, deal with disputes, and improve our services.

Consent: where required, for example for non-essential cookies or optional marketing communications.

We use buyer account data to allow you to register, log in, verify your email address, complete your buyer profile and prepare to bid.

Email verification helps confirm that you control the email address used to register. This helps reduce fake accounts, failed purchases and misuse of the auction process.

We may use authentication cookies, session data, security logs and account records to keep accounts secure.

When you place a bid, we may record your user account ID, bid amount, bid time, auction item, payment readiness, IP address, and related technical or security information.

We use this information to operate auctions, identify the winning bidder, prevent abuse, investigate disputes and keep appropriate transaction records.

Bids are part of the auction record and may be kept after an auction ends.

Payments may be processed by a third-party payment provider such as Stripe.

We may store payment-related references, such as Stripe customer IDs, payment method status, payment intent references, payment success or failure status, refund references and invoice or receipt records.

We do not store full card numbers on our own website servers. Card details are handled by the payment provider.

The payment provider may process your personal data under its own privacy terms.

If you win an auction or purchase koi, we may use your name, address, telephone number, email address, order details, delivery instructions and collection information to arrange handover.

Where delivery is arranged by us, we may share only the necessary personal data with suitable delivery, courier or transport providers.

We may also contact you about quarantine, timing, koi welfare, weather, temperature, delivery suitability or collection arrangements.

We may use your contact details to respond to enquiries, provide account support, discuss auctions, confirm purchases, arrange collection or delivery, deal with complaints, and send important service messages.

Service messages about your account, bids, payments, purchases, collection, delivery or legal notices are not marketing emails.

We will only send marketing emails where we have a lawful basis to do so.

If we ask for consent to send marketing emails, you can withdraw that consent at any time.

You can unsubscribe from marketing emails by using the unsubscribe instructions provided in the email or by contacting us.

We use cookies and similar technologies as explained in our Cookie Policy.

Some cookies are needed for the website to work, such as login, security, account session and payment-related cookies.

Non-essential cookies, such as analytics or marketing cookies, should only be used where the required consent has been obtained.

We may share personal data with:

• payment providers such as Stripe;
• website hosting providers such as Vercel;
• database and authentication providers such as Appwrite;
• email service providers;
• delivery, courier or transport providers;
• professional advisers such as accountants, solicitors or insurers;
• regulators, law enforcement or public authorities where required by law;
• fraud prevention or security providers where needed.

We do not sell personal data.

Some service providers may process personal data outside the United Kingdom.

Where this happens, we will rely on appropriate safeguards where required by data protection law, such as UK adequacy regulations, approved contractual protections, or provider compliance mechanisms.

We keep personal data only for as long as reasonably necessary for the purpose for which it was collected.

Typical retention periods may include:

• account data: while your account remains active;
• buyer profile data: while your account remains active or while needed for auction, payment, delivery or legal records;
• auction and bid records: for as long as needed to operate auctions, handle disputes and keep transaction records;
• purchase and payment records: for as long as needed for contract, tax, accounting, refund, chargeback, legal or dispute purposes;
• contact messages: for as long as needed to respond and keep appropriate records;
• security logs: for a reasonable period to protect the website and investigate misuse;
• cookie consent records: for a reasonable period to record cookie choices.

We may keep some records for longer where needed for legal claims, fraud prevention, accounting, tax, regulatory or legitimate business reasons.

We use reasonable technical and organisational measures to protect personal data.

These may include account authentication, email verification, server-side database access, access controls, encrypted connections, provider security measures and careful handling of payment information.

No website can guarantee perfect security, but we take appropriate steps to reduce risk.

Depending on the circumstances, you may have rights under UK data protection law to:

• access your personal data;
• correct inaccurate or incomplete data;
• request deletion of your data;
• restrict how we use your data;
• object to certain uses of your data;
• request data portability;
• withdraw consent where processing is based on consent;
• complain to the Information Commissioner’s Office.

These rights are not absolute and may depend on the lawful basis used, legal duties, transaction records, fraud prevention needs and whether we need the information to provide services or keep required records.

If you have questions about this Privacy Policy or how your personal data is used, contact us at sales@koicarp.org.uk.

Please include enough information for us to identify your account or enquiry, but do not send unnecessary sensitive information by email.

If you are unhappy with how we handle your personal data, please contact us first so we can try to resolve the issue.

You also have the right to complain to the Information Commissioner’s Office, which is the UK data protection regulator.

We may update this Privacy Policy from time to time as the website develops.

This may be necessary when we add payment features, buyer profile features, analytics, delivery tools, email tools, new service providers or other website functionality.

The latest version will be published on koi-auction.com.