Amidst the changes, some important things at Invaluable remain the same: our commitment to keeping user data safe, our policy of not selling or renting personal information to third parties, and our practice of collecting only the information we need to deliver the services requested. We value your business and have always worked hard to protect users’ personal data, knowing how important your privacy is to you.
Below are the answers to some frequently asked questions about Invaluable’s data management and GDPR. If you have any questions or concerns about your data, please contact our Data Protection Officer at [email protected].
Why was the GDPR created?
GDPR was created to hold companies accountable for their EEA users’ right to privacy and to ensure that users are aware of their rights regarding personal data. This is the first major review of privacy law in Europe since the advent of social media. Approved by the European Union Parliament in April 2016, the new law requires companies to set more stringent guidelines for handling the personal data of EEA users on the internet. The goal of these new guidelines is to set a clear, high standard for how data must be acquired and managed going forward.
At the heart of the new regulations are two requirements: (1) Any entity collecting the personal data of EEA users over the internet must explain exactly what it will do with the data in “clear and plain language,” and (2) The entity must receive explicit consent to move forward with data collection from every consumer in the EEA.
What is the definition of “personal data”?
Personal data includes any information that can be tied to a single user, and which directly or indirectly can be used to identify that user. The data collected varies depending on the company, but includes information like name, email address, location, credit card number, and device identifiers. Personal data does not include fully anonymized or aggregated data that can no longer be linked to a specific person.
Why does Invaluable collect personal data?
Invaluable uses data to operate and improve our services. Data also helps us personalize the user’s journey across our site. We collect data to contact users about their accounts, provide customer service, personalize marketing and advertising, enable the purchase of our subscription services, and detect, mitigate, and investigate fraudulent or illegal practices. The provision of all personal information is voluntary but may be necessary in order to use our services.
Who is covered under GDPR?
If you are interacting with a company’s services over the Internet from anywhere in the European Economic Area, you are entitled to the rights outlined in the GDPR regardless of citizenship or permanent residence.
What if I’m not an EEA user?
Invaluable processes the information of all our users the same way. Likewise, we have a policy regarding data protection that applies to everyone. Additional regulations apply under GDPR to EEA users, including the right to appeal to a regulatory authority and the right to be forgotten, or to have your data removed from our site.
Will this have any impact on U.S. data protection laws?
Though GDPR is a European policy, it is setting the tone for data protection regulations worldwide. Invaluable is fully compliant with current U.S. data protection requirements and will continue making improvements as the data landscape changes.
What information does Invaluable collect from users?
The information that Invaluable collects depends on how you are using our site. Some information, like name, address, email address, and phone number, may be collected when you
- browse our site,
- register for an account with us,
- provide us with information via a web form,
- bid at auction,
- update or add information to your account,
- communicate with us, or
- otherwise use our services or enter into our User Agreement.
Financial information, such as a credit card number, will be requested if necessary for a transaction. Other information, like IP address, device type, favorites, or search terms, is collected automatically when you use our services or register for an account.
What are cookies and how does Invaluable use them?
To opt out of cookies, you can change the preferences in your browser to stop accepting cookies or to prompt you before accepting cookies from websites. This process varies from browser to browser, and will decrease the functionality of our site as many of the cookies we use are necessary to operate our services.
How is Invaluable securing my data?
Invaluable has always known that the security of all information – whether private, sensitive, financial, or otherwise – is critical to the success of our business. We have been Payment Card Industry (PCI) compliant since 2014 and were certified in 2016 as Privacy Shield compliant by the European Commission and the U.S. Department of Commerce. Privacy Shield replaced Safe Harbor as the requirement for handling private or personal data. We have controls and systems in place to safeguard security and have been subject to reporting and auditing standards for years.
See our Privacy Shield status here.
What does GDPR do to protect me in the event of a security breach that may have compromised my personal data?
One new regulation that addresses this issue requires companies to inform EEA users within 72 hours of a security breach that may compromise their personal data. The clock starts when the firm first learns of the breach, or when the breach can be safely announced. In the past, it has taken weeks or months for a company to disclose a breach.
Who else has access to my data?
We are committed to the responsible management of your data. We do not rent or sell your data to any third parties for any reason without your consent, but Invaluable does share personal information on a very limited basis with third-party companies that help us provide our products and services. For example, we use email tools to send out communications to users and a fraud detection service to ensure the protection of both users and sellers. We require that our third-party vendors use the information only to deliver our product or service and do not keep the information for their own use.
When you win an item on our site, your information is sent to the auction house or gallery responsible for the sale so that the transaction can be completed successfully.
How long does Invaluable keep my personal information?
We retain your personal information as long as necessary to provide the services you requested, or for other essential purposes such as complying with our legal obligations, resolving disputes and enforcing our policies.
For financial data, we adhere to the Payment Card Industry (PCI) Data Security Standard for handling and retention.
Can I access my personal information to update it?
You can review and update your personal information by signing into your account and accessing your My Invaluable page. We also take internal steps to make sure the personal information we have is up to date and accurate.
How can I request that my personal information be removed?
If you would like to submit a request to have your information removed from our records, please contact us at [email protected]. We will process and respond to your request within 30 days. It’s important to know that removal of your data may impact access to our services.
If, for example, you’ve made a purchase with Invaluable, we are required to retain some of your information to complete the service for which the data was collected. We will retain your anonymized data after any identifiers have been deleted from our site.
How can I change my communication preferences?
You may receive some or all of the communications below via email, depending on the preferences you indicated:
- keyword, auction or artist alerts,
- auction registration approvals,
- notices of upcoming auctions, won and lost lots, payment or shipping, and
- blog content or other newsletters.
You can control your promotional email communication in the Email Preferences section of your Invaluable account.