Privacy Policy

GavelHop is a product and service operated by 2616232 Alberta Inc. In this Privacy Policy, "GavelHop," "2616232 Alberta Inc." (or "the Company"), "we," "us," and "our" refer to 2616232 Alberta Inc., an Alberta corporation. All data handling, privacy obligations, and processing by the Company are conducted under the legal authority and responsibility of 2616232 Alberta Inc.

Our Privacy Officer is reachable at privacy@gavelhop.ca.

2616232 Alberta Inc. handles personal information in accordance with the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA") and the Personal Information Protection Act (Alberta) ("PIPA"). If you are in another Canadian province or outside Canada, we will also respect the privacy laws that apply to you to the extent they are not inconsistent with Canadian federal or Alberta law.

• To create, operate, maintain, and secure your account;
• To provide the subscription Service, display auction information, and apply your province filter;
• To process payments and manage renewals;
• To communicate with you about your account, subscription, transactional notices, service changes, and (if you consent) marketing;
• To detect, investigate, and prevent fraud, abuse, and unauthorized access;
• To comply with legal obligations, respond to lawful requests, and enforce our Terms;
• To develop, test, and improve the Service using aggregated or de-identified data.

We collect your information with your consent, either expressly (for example, when you check the consent box on signup) or implicitly through your use of the Service for its intended purpose. You may withdraw consent at any time by cancelling your account; please note that without your personal information we cannot provide the Service.

We do not sell, rent, or trade your personal information. We share it only with:

• Service providers acting on our instructions under contractual privacy protections, such as our hosting provider (Hetzner Online GmbH, data centres in Helsinki, Finland), our domain and DNS provider (Cloudflare), our email-delivery provider, and our payment processor;
• Legal and regulatory authorities when we are compelled by a lawful order, subpoena, warrant, or similar process;
• A successor entity in connection with a merger, acquisition, corporate reorganization, or sale of assets, in which case we will require the successor to honour the commitments in this Policy;
• Anyone you direct us to share it with.

Your personal information is stored and processed on servers located in Helsinki, Finland (Hetzner Online GmbH). Finland is a member of the European Economic Area and is recognized by the European Commission as providing an adequate level of data protection. Backups may be stored in the same or a different jurisdiction. While your data is abroad, it may be accessible to the authorities of that country under applicable local law.

• Active accounts: for as long as your subscription remains active.
• Cancelled accounts: up to 24 months after cancellation for billing reconciliation, dispute resolution, tax compliance, and fraud prevention, after which we delete or irreversibly anonymize the record.
• Audit logs: up to 36 months.
• Mandatory records (financial, tax): for the period required by applicable law, typically seven (7) years.

• Passwords stored as one-way bcrypt hashes — we cannot read or recover them;
• All traffic to and from the Service encrypted with TLS (HTTPS);
• SQLite database files stored on an encrypted volume, accessible only by privileged server users;
• Access to production systems restricted to public-key SSH with no root or password login;
• Firewall restricting inbound traffic to ports 22, 80, and 443 only;
• Daily off-site backups;
• Audit logs for administrative and authentication events.

Subject to PIPEDA and PIPA, you have the right to:

• Access the personal information we hold about you;
• Correct inaccurate or incomplete personal information;
• Withdraw consent for any processing based on consent (subject to the consequence that we may be unable to continue providing the Service);
• Request deletion of your personal information, subject to our legal and contractual retention obligations;
• Complain to a supervisory authority, including the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca).

To exercise any of these rights, email privacy@gavelhop.ca from the address on your account or include enough information for us to verify your identity. We will respond within thirty (30) days.

We use a single first-party session cookie (gh_session) to keep you logged in. It is set with the Secure, HttpOnly, and SameSite=Lax attributes, expires thirty (30) days after your last login, and is destroyed on logout. We do not set third-party tracking cookies and we do not run third-party advertising or analytics scripts that profile individual users.

The Service is not directed to individuals under the age of eighteen (18), and we do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact privacy@gavelhop.ca and we will delete the information.

If there is a breach of security safeguards involving your personal information that creates a real risk of significant harm to you, we will notify you and the Office of the Privacy Commissioner of Canada as required by PIPEDA and PIPA.

We may update this Policy from time to time. If the changes are material, we will notify you by email or by prominent notice on the Service at least thirty (30) days before they take effect.

You can also file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Information and Privacy Commissioner of Alberta.