Platform version (multi-seller). The legally binding version is the German original at /docs/legal/datenschutz.md; this English translation is for information only.
Frank Bull, VOD Auctions / VOD Records
Alpenstrasse 25/1
88045 Friedrichshafen
Germany
Phone: +49 7541 34412
Email: privacy@vod-auctions.com
VOD Auctions is a multi-seller marketplace. For data-protection purposes:
We are not controllers for processing that a Seller carries out on its own responsibility. For questions about Seller processing, please contact the Seller directly (contact details in the listing and on the public Seller profile).
We process personal data only to the extent necessary to provide a functional website and our services. Legal bases: Art. 6(1)(a) (consent), (b) (contract), (c) (legal obligation), (f) (legitimate interest) GDPR.
Hosted by Hostinger International Ltd. Server log files automatically store: browser type/version, OS, referrer URL, hostname, IP address, request time. Legal basis: Art. 6(1)(f) GDPR.
An account is required to bid, buy, or list. Data collected: email, encrypted password, name and shipping address; for sellers additional KYC / tax / payment data (see § 8). Authentication via Supabase Auth (EU region Frankfurt). Stored for the duration of the membership and beyond as required by statute. Legal basis: Art. 6(1)(b) GDPR.
Bid amount, timestamp, pseudonymised user ID, and proxy maximum (internal). Real-time via Upstash Redis (EU region) and Supabase Realtime. Legal basis: Art. 6(1)(b) GDPR.
7.1 Membership payments (Stripe). Stripe Payments Europe, Ltd., Dublin, Ireland. Transmitted: amount, currency, payment method, name, email, billing/shipping address. We store no card or SEPA mandate data. Stripe is PCI DSS Level 1 certified. Privacy: https://stripe.com/privacy. Legal basis: Art. 6(1)(b) GDPR.
7.2 Operator-owned goods (Stripe / PayPal). Same flows as 7.1.
7.3 Third-party goods (Path B / order_intent). Payment runs off-platform directly between buyer and seller. The Platform only stores the status of the process, the seller/buyer link, the lot reference, timestamps, and payment instructions provided by the seller. The Platform itself transmits no data to payment services for those transactions; any processing by the seller and its payment services is the seller's responsibility (see § 2).
8.1 Collection & purpose. During Seller onboarding and operations we process, as needed: name or company, legal form, service-of-process address; email, phone; date of birth (natural persons) or commercial register data (entities); state of tax residence, VAT ID, tax number; § 22f UStG certificate (PDF); bank details or accepted payment channels; identification documents on request; transaction data (count of sales, revenue per seller and calendar year).
Purposes: seller verification, platform operation, abuse prevention, performance of the Seller/Platform contract, fulfilment of statutory recording and reporting obligations (§§ 22f, 25e UStG and PStTG / DAC7). Legal bases: Art. 6(1)(b) (Seller contract), (c) (statutory obligation), (f) (platform and marketplace safety).
8.2 Transmission to the Federal Central Tax Office (BZSt). Where the Seller is a reportable provider under PStTG (German implementation of DAC7) and the de-minimis threshold is exceeded (at least 30 relevant goods transactions and at least EUR 2,000 consideration in the reporting period), we transmit the prescribed provider and transaction data annually to the BZSt. Legal basis: Art. 6(1)(c) GDPR in conjunction with PStTG.
8.3 § 22f / § 25e UStG records. For business Sellers we keep the data required under § 22f UStG (full name and address, VAT ID, tax number, bank details, place of dispatch and destination, time and amount of the transaction, goods description). Retention is generally ten years.
8.4 Retention. Seller and transaction data are kept at least for the statutory retention period (generally ten years). Account data not subject to a retention obligation are deleted after the end of the contract and the lapse of the relevant claim periods.
To perform the purchase contract we transmit to the respective Seller:
Legal basis: Art. 6(1)(b) GDPR (performance of the contract between buyer and Seller) in conjunction with the Platform Terms. The Seller may use the data exclusively for contract fulfilment; use for any other purpose (e.g. promotional outreach) is contractually prohibited (see Seller Agreement § 5).
Before checkout a notice is displayed that your shipping data are transmitted to the Seller for performance of the contract.
When you use the Platform messaging function between buyer and seller, we store message contents, timestamps, and participants for purposes of contract documentation and abuse prevention. Retention and access are governed by the Platform Terms § 14 and the profile settings. Legal bases: Art. 6(1)(b) and (f) GDPR.
Application data (accounts, bids, orders, listings, images) is stored on Supabase (EU region Frankfurt). Encrypted in transit (TLS) and at rest. Privacy: https://supabase.com/privacy. Legal basis: Art. 6(1)(b) and (f) GDPR.
Upstash Redis (EU region). Temporary data (bid state, session information) is cached and automatically deleted after a short period. Privacy: https://upstash.com/trust/privacy.pdf. Legal basis: Art. 6(1)(f) GDPR.
"DM Sans" and "DM Serif Display" are served self-hosted via next/font. No data is transmitted to Google.
For listing enrichment (prices, tracklists, credits) we use the Discogs API (Zink Media Inc., Portland, USA). No personal user or buyer data is transmitted. Legal basis: Art. 6(1)(f) GDPR.
Transactional emails (registration, bid, award, payment, shipping) via Resend (Resend Inc., USA). Email address and related order/auction data are passed to Resend. Transfers to the USA rest on the EU-US Data Privacy Framework and supplementary safeguards. Privacy: https://resend.com/legal/privacy-policy. Legal basis: Art. 6(1)(b) GDPR.
Brevo (Sendinblue SAS, Paris, France; EU servers). Transmitted by function: email and name, newsletter status, aggregated purchase / bid metrics, and — only with explicit marketing-cookie consent — website behaviour data. Newsletter delivery follows double opt-in via /newsletter or the consent checkbox on /apply. Privacy: https://www.brevo.com/legal/privacypolicy/. Legal bases: Art. 6(1)(a) (consent for newsletter), Art. 6(1)(f) (CRM).
Retention: subscriber records (email, opt-in date, list membership) for as long as the subscription is active. After unsubscribing we keep a minimal suppression record (hashed email + unsubscribe date) to avoid re-adding by mistake and to comply with Art. 21 GDPR; deletion of this record can be requested at any time. Unsubscribe: one-click link in every newsletter footer; alternatively privacy@vod-auctions.com.
Some product images are loaded from partner sites (tape-mag.com, vod-records.com). Your IP address may be transmitted to those servers (also operated by VOD-Records). Legal basis: Art. 6(1)(f) GDPR.
Google Analytics 4 (Google Ireland Limited, Dublin) is loaded only with explicit consent in the cookie banner. IP anonymisation is active. Privacy: https://policies.google.com/privacy. Opt-out via the banner or the Google Analytics Opt-out Browser Add-on. Legal basis: Art. 6(1)(a) GDPR.
We use technically necessary cookies (session, auth, consent storage) and — on consent — analytics and marketing cookies. Details: Cookie Policy. Legal basis: Art. 6(1)(a) GDPR, § 25 TDDDG.
Right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21). Contact: privacy@vod-auctions.com.
You have the right to lodge a complaint with a supervisory authority, for example:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
www.baden-wuerttemberg.datenschutz.de
For processing that is solely the responsibility of a Seller (§ 2), please contact the Seller directly.
We do not sell or rent personal data.
Insofar as personal data are transferred to third countries (in particular USA: Resend, Discogs), this rests on the EU-US Data Privacy Framework, the Standard Contractual Clauses (SCC), or supplementary safeguards.
TLS encryption at the highest level supported by your browser for transport, encryption at rest for the database.
Personal data are deleted or blocked as soon as the purpose ends. Storage beyond this period takes place only if required by statutory retention (commercial: 6 years, tax: 10 years, DAC7 / § 22f data: 10 years).
Please refer to the respective privacy notices of these sites.
Last updated: 2026-05-21. German version prevails.