Privacy Policy
Last updated: 2026-05-19
This Privacy Policy explains how Soumni SAS ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our platform at soumni.com ("the Platform"). We are committed to protecting your privacy in accordance with Algerian Law 18-07 on Personal Data Protection (as amended by Law 25-11, July 2025).
1. Data We Collect
We collect the following personal information when you register and use the Platform: your full name, email address, and wilaya (region). If you sign in with Google, we receive your email address and display name from your Google account. If you upload an avatar photo, we store it for your profile.
For sellers only: we collect a national ID photo for identity verification. The photo is permanently deleted after verification — only a cryptographic hash (SHA-256) is retained for duplicate prevention. National ID photos are never stored long-term. Buyers are not required to provide any identity documents.
We store your wallet balance and transaction history (deposits, holds, releases, refunds). Wallet balances are visible only to you through row-level security policies.
We collect IP addresses in audit logs for security purposes. We do not collect device information, browser fingerprints, or any form of tracking data.
2. How We Use Your Data
We use your data solely for operating the auction platform: verifying your identity (sellers), processing auction registrations and bids, managing your wallet and deposit holds, facilitating the deal process between buyers and sellers, sending essential notifications (OTP codes, auction updates, payment reminders), and maintaining platform security through audit logs.
3. Data Protection
All data is transmitted over TLS (HTTPS). Sensitive data at rest is protected by Supabase's database encryption.
Row-level security (RLS) policies ensure that users can only access their own data. Wallet balances, auto-bid amounts, and personal information are never exposed to other users.
National ID numbers are stored as SHA-256 hashes — the original number cannot be recovered from the hash. This is used solely for duplicate detection.
National ID photos follow a verify-then-delete pattern: the photo is used for identity verification and then permanently deleted. This complies with the data minimization principle of Law 18-07 Article 9.
4. Data Retention
We retain your data for the minimum period necessary:
- Profile data: retained for the lifetime of your account. Immediately anonymized upon account deletion.
- National ID photos: deleted immediately after seller verification (verify-then-delete).
- Wallet transactions and bid history: 5 years after creation, as required by financial record-keeping laws.
- Ratings: retained indefinitely for platform integrity. Anonymized upon account deletion.
- Notifications: 180 days for unread, 90 days for read notifications.
- Car photos: 1 year after the vehicle is sold or withdrawn.
- Inspection photos: 2 years (retained as evidence for legal and insurance purposes).
- IP addresses in audit logs: 6 months.
- Device information: not collected.
5. Your Rights
Under Algerian Law 18-07, you have the following rights:
Data export: You can request a full export of your personal data in JSON format. Exports include your profile, wallet history, bids, auction registrations, ratings, notifications, and disputes. Exports are limited to one per 24 hours and the download link expires after 24 hours.
Account deletion: You can request permanent deletion of your account. A 7-day grace period applies during which you can cancel the deletion by logging back in. After the grace period, your profile is permanently anonymized and associated data is handled according to the retention schedule above.
Account deletion may be blocked if you have: active auction registrations, a won auction pending payment, pending deposit requests, active vehicle listings, open disputes, or a positive wallet balance. You must resolve these before requesting deletion.
Both data export and account deletion require identity re-verification via OTP for security.
6. Third-Party Services
We share limited data with the following service providers:
- Twilio: Phone numbers are shared for SMS delivery (OTP codes and notifications). Twilio does not log message content.
- Supabase: All platform data is hosted on Supabase infrastructure. Supabase acts as our data processor.
- Vercel: Request logs (IP addresses and URLs) are processed by Vercel as our hosting provider.
We do not share data with advertising networks, analytics third parties, or data brokers. We do not sell your personal data.
8. Legal Basis
Our data processing is governed by Algerian Law 18-07 on Personal Data Protection (amended by Law 25-11, July 2025). We process data on the basis of: your explicit consent given during registration, contractual necessity for providing auction services, and legal obligations for financial record-keeping.
The enforcement authority is ANPDP (Autorité Nationale de Protection des Données à Caractère Personnel). We are committed to phased compliance with all ANPDP requirements, including formal declaration filing and cross-border data transfer authorization for our cloud infrastructure.
9. Children's Privacy
The Platform is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from a minor, we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. We will notify registered users of material changes through in-app notifications. Your continued use of the Platform after changes are posted constitutes acceptance of the revised Privacy Policy.
11. Contact Us
For questions about this Privacy Policy or to exercise your data rights, contact us at support@soumni.com.