Privacy Policy

This Privacy Policy explains how AuctionSift ("we," "us," or "our") handles information when you use our website, dashboard, and exports (the "Service"). It also describes how we handle information about individuals who are not users of the Service but whose names appear in public tax-deed records we aggregate (see Section 14).

Use of the Service is also governed by our Terms of Service.

The Service is operated by K5 Labs LLC, a California limited liability company doing business as AuctionSift. K5 Labs LLC is the data controller for the personal information described in this Policy. For questions about this Policy or to exercise any of the rights described below, contact us at [email protected] or by mail at the address in Section 18.

We collect the categories of information listed below. We do not collect social security numbers, government IDs, precise geolocation, biometric identifiers, or health information, and we do not receive full payment-card numbers.

We collect information in three ways:

• Directly from you — when you create an account, upload auction lists, write notes, or contact support.
• Automatically — when you use the Service, through first-party cookies, server logs, and error-tracing tools.
• From third parties — billing events from Stripe; public records from county clerks, recorders, assessors, and tax collectors (for enrichment and the buyer database); and, for non-user contacts in the buyer database, skip-tracing results from BatchData.

We use information for the following purposes:

• Provide and operate the Service, including rendering dashboards, running exports, and fulfilling your credit or seat allocation;
• Authenticate you and keep your account secure;
• Bill you and maintain tax and accounting records;
• Prevent fraud, abuse, and violations of our Terms of Service;
• Improve the Service — debug errors, measure feature usage, and prioritize work;
• Send transactional email (receipts, security alerts, renewal reminders) and, if you opt in, marketing email that you can unsubscribe from at any time;
• Comply with legal obligations, enforce our agreements, and respond to lawful requests.

We do not sell your personal information, we do not share it for cross-context behavioral advertising, and we do not use your uploaded content or prompts to train foundation models.

The Service is offered to users in the United States. If you access it from a jurisdiction that requires a legal basis for processing (such as the EU/UK under the GDPR), our bases are: performance of a contract (to provide the Service you requested), our legitimate interests (to secure, operate, and improve the Service and to prevent fraud), your consent (for optional marketing email), and compliance with legal obligations.

We share information only in these limited cases:

• Sub-processors — vendors that process data on our behalf to deliver the Service. Each is listed in Section 8, operates under a data-processing agreement, and may only use the data to perform the services we direct.
• Within your organization — on the Team plan, administrators can see member activity and manage seats.
• Legal and safety — to comply with law, a subpoena, or a lawful government request; to enforce our Terms; or to protect the rights, property, or safety of any person.
• Business transfer — if we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred with reasonable notice and continuing protections.

We update this list when we add or change a sub-processor. Material changes are announced here and, where practical, by email. If you would like to receive advance notice of sub-processor changes, email us at [email protected].

We use a small number of first-party cookies that are necessary for the Service, including an authentication session cookie set by our sign-in system. We use Umami for product analytics in a cookieless configuration. We do not set third-party advertising cookies, do not load advertising pixels, and do not use cross-site tracking.

We honor the Global Privacy Control (GPC) signal sent by supporting browsers as a request to opt out of any "sale" or "sharing" of personal information. We do not respond to the legacy Do Not Track (DNT) header because it has been deprecated.

We keep information only as long as we need it.

• Account data — until you delete your account, then up to 24 months in limited internal systems for fraud prevention and legal defense;
• Billing and tax records — 7 years, as required by U.S. tax law;
• Uploaded content and user-scoped enrichment — same as your account;
• Shared county-scale enrichment cache — retained to operate the Service for all users; never identifies you;
• Imagery from Google Maps Platform — retained only within the limits set by Google's terms, typically no more than 30 days for most layers;
• Application and security logs — 90 days;
• Buyer-database entries — retained until an opt-out is received, after which a suppression record is kept indefinitely to ensure we do not re-ingest the individual;
• Backups — deleted on the next scheduled backup-rotation cycle after the primary record is deleted.

We use TLS for data in transit and AES-256-GCM encryption for sensitive fields at rest. Passwords are hashed using industry-standard algorithms by our authentication provider. Access to production systems is limited to personnel who need it, protected by multi-factor authentication, and logged. Error payloads are scrubbed of personal information before being sent to our error-monitoring tool.

No system is perfectly secure. If you discover a vulnerability, please report it to [email protected].

Depending on where you live, you may have the right to:

• Access the personal information we hold about you;
• Correct inaccurate information;
• Delete your information, subject to limited exceptions (for example, records we must keep for tax or legal reasons);
• Receive a portable copy of your information;
• Opt out of marketing email using the unsubscribe link in any message;
• Opt out of any "sale" or "sharing" of personal information (we do not engage in either, but we honor requests and GPC signals);
• Appeal a denied request, where your state provides an appeal right.

To exercise a right, email us at [email protected] from the address on your account, or submit a request from your account settings. We will verify your identity and respond within 45 days (extensions permitted by law where needed). We will not discriminate against you for exercising a right.

If you are a California resident, you have the rights described in Section 12 under the California Consumer Privacy Act, as amended by the CPRA. In the 12 months before this Policy was last updated, we collected the categories of information listed in Section 3 (identifiers, commercial information, internet or other electronic network activity, and inferences drawn from the foregoing) for the business purposes described in Section 5. We did not sell or share personal information for cross-context behavioral advertising, and we did not knowingly collect or sell the personal information of minors under 18.

You may designate an authorized agent to submit a request on your behalf with a signed permission. We will honor verifiable opt-out preference signals, including GPC.

AuctionSift maintains a database of historical tax-deed and tax-lien purchases drawn from public records filed with county clerks and recorders. This is used internally to understand market activity, to generate aggregate "investor-activity" product features, and to send limited outreach email to buyers who may be interested in the Service. Individuals in this database are not users of the Service and have not created accounts.

We collect, from public records and skip-tracing vendors:

• Name, mailing address, and APN associated with a recorded deed;
• Date of the recording and the selling jurisdiction;
• Business-entity affiliations from Secretary of State records where applicable;
• Best-available contact email obtained from skip-tracing vendors, used solely to send a small number of outreach messages.

We do not sell or license the buyer database. Product features that surface buyer activity are aggregated or de-identified where practical.

If you received outreach from AuctionSift and want to be removed, email [email protected] with the subject "OPT OUT" or click the unsubscribe link in the email you received. We will remove your record and keep a suppression entry indefinitely so we do not re-ingest you from future public records.

You may also request access, correction, or deletion under Section 12. Because you are not a user, we may ask you to verify your identity by confirming a detail from the public record (such as the APN associated with your filing).

We do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA). The Service is not directed to users under 18. If you believe a child has provided personal information to us, please contact [email protected] so we can delete it.

AuctionSift is operated from the United States and its sub-processors are primarily located in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have different data-protection laws than your country.

We may update this Policy from time to time. For material changes we will provide at least 30 days' advance notice by email to the address on your account and by posting the updated Policy on the Service. The "Last updated" date at the top of this page reflects the current version.

Privacy questions and requests, security reports, and legal notices may all be sent to [email protected].

Formal legal notices may also be sent by mail to: