Privacy Policy
Last updated: 11 May 2026
This Privacy Policy explains how ABSystems (“ABSystems”, “we”, “us”) collects, uses, shares, and protects personal data when you use our website, software, and related services (the “Service”). ABSystems is the trading name of ABSystems Ltd, a company registered in England and Wales under company number [COMPANY_NUMBER], with its registered office at [REGISTERED_OFFICE_ADDRESS]. You can contact us at any time at team@absystems.io.
We take privacy seriously. If anything here is unclear, email us and we will explain in plain English.
1. Who is the data controller?
For data we collect about the people who sign up for and use the Service (typically auction house staff and their team members), we act as the data controller.
For data that flows through the Service from our customers’ own enquirers (for example, when a member of the public submits a valuation enquiry through an auction house’s embedded form), we act as a data processor on behalf of that auction house. The auction house is the controller of that data and decides how it is used. Our role is limited to processing it on their instructions in order to deliver the Service.
2. What data we collect
Account data. When you sign up we collect your name, work email address, password (stored hashed), organisation name, role, and any team or department settings you configure.
Billing data. When you subscribe we collect a billing email and your Stripe customer reference. Card details are captured and stored by Stripe; we never see or store full card numbers.
Usage data. We log technical information about how you use the Service, including IP address, request paths, user agent, timestamps, error messages, and counts of enquiries processed. We use this for security, debugging, abuse prevention, and billing.
Communications. If you email us, fill in our contact form, or send messages through the Service, we retain those communications.
Enquiry data (processor role). When members of the public submit enquiries through a customer’s embedded form, we receive whatever fields that customer has configured. This typically includes name, email, phone, postcode, a description of the item being valued, item images, and optional UTM tracking parameters from the source page.
Cookies and similar technologies. The Service uses strictly necessary cookies to keep you signed in and to keep your session secure. We do not use third-party advertising or behavioural tracking cookies.
3. Why we use your data and our legal bases
Under the UK GDPR and EU GDPR we rely on the following legal bases:
- Performance of a contract for delivering the Service to subscribed customers, processing payments, and providing support.
- Legitimate interests for keeping the Service secure, preventing abuse and fraud, improving the product based on aggregate usage patterns, and contacting customers about important service changes.
- Legal obligation for tax, accounting, and responding to lawful requests from regulators or courts.
- Consent where required, for example if we send you marketing emails. You can withdraw consent at any time.
4. Who we share data with
We use a small number of trusted vendors (“sub-processors”) to deliver the Service. Each is bound by contractual data protection commitments.
- Supabase (database, authentication, file storage). Hosted on AWS infrastructure.
- Vercel (application hosting and edge network).
- Stripe (payment processing and subscription management).
- Resend (transactional email delivery).
- Anthropic (AI features: enquiry categorisation, lead scoring, valuation drafting). Anthropic does not train its models on data submitted via its API.
We will provide an up-to-date list of sub-processors on request. We will tell affected customers in advance of adding or replacing a sub-processor that materially handles their data.
We do not sell personal data. We do not share data with third parties for their own marketing purposes.
5. International transfers
Because ABSystems serves customers internationally, your data may be processed in the United Kingdom, the European Economic Area, the United States, or other countries where our sub-processors operate. Where data leaves the UK or EEA we rely on adequacy decisions, the UK International Data Transfer Agreement, or Standard Contractual Clauses, alongside supplementary technical measures such as encryption in transit and at rest.
6. How long we keep data
We keep account and billing data for as long as your account is active, and for a reasonable period afterwards (typically up to 7 years) to meet tax and accounting obligations.
Enquiry data submitted by members of the public is retained on behalf of the relevant auction house customer for as long as that customer maintains an active account, or as instructed by them. On account closure we will delete or return enquiry data within 30 days unless we are legally required to keep it.
Server logs are retained for up to 90 days, then deleted or anonymised.
7. Your rights
If you are in the UK, EEA, or another jurisdiction with similar laws, you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion of your data (subject to our legal retention obligations);
- request restriction of, or object to, certain processing;
- receive your data in a portable, machine-readable format; and
- withdraw consent where processing is based on consent, without affecting prior processing.
To exercise any of these rights, email team@absystems.io. We aim to respond within 30 days.
If your data was submitted to us through an auction house’s enquiry form, we act as a processor for that house. We may need to refer your request to the relevant auction house, who is the controller of that data.
8. Security
We protect your data with encryption in transit (TLS) and at rest, strict access controls, audit logging, and routine reviews of our sub-processors. No system is perfectly secure; if we ever become aware of a personal data breach affecting you, we will notify affected users and the relevant supervisory authority as required by law.
9. AI features
ABSystems uses AI models to categorise enquiries, score lead quality, generate email drafts, and produce valuation estimates. These features process enquiry text and metadata via Anthropic. Outputs are estimates and assistive suggestions; they are not advice and should be reviewed by a human before action is taken.
10. Cookies
We use only strictly necessary cookies, including session cookies set by Supabase Auth to keep you signed in. We do not use advertising or cross-site tracking cookies and we do not require a cookie consent banner under the UK PECR rules for strictly necessary cookies.
11. Children
The Service is a business product intended for use by people aged 18 or over. We do not knowingly collect data from children.
12. Changes to this policy
We may update this policy from time to time. When we make material changes we will notify customers by email or through the Service and update the “Last updated” date above.
13. Contact and complaints
For any privacy question, email team@absystems.io.
If you are in the UK and you believe we have not handled your data properly, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk. If you are in the EEA, you may complain to your local data protection authority.
See also our Terms of Service.