1. Scope and controller
This Privacy Policy explains how The Numis House (“TNH”, “we”) collects and uses personal data when you use thenumishouse.com. For the purposes of the EU/UK General Data Protection Regulation (GDPR), India's Digital Personal Data Protection Act, 2023 (DPDP Act), the California Consumer Privacy Act (CCPA/CPRA), and similar laws, the data fiduciary/controller is [Legal Entity Name], India. Contact: privacy@thenumishouse.com.
We serve collectors worldwide and design our practices to meet the strictest applicable standard by default.
2. Data we collect
- Account data: name, display name, email, password (stored as a salted hash — we never see your plain password), country, optional bio and avatar.
- Transaction data: orders, bids, watchlists, shipping addresses, and payment references. Full card/UPI details are processed by our payment providers and never touch our servers.
- Vendor data: business name, country, experience details, and — because we operate KYC checks on sellers of high-value collectibles — identity and address verification documents, and payout account details.
- Content you post: forum threads and replies, collection showcases, and messages to support.
- Technical data: IP address, device and browser information, and usage events (pages viewed, searches, bids placed), collected via cookies and similar technologies as described in our Cookie Policy.
We do not knowingly collect data from children under 18; the Platform is not directed at minors.
3. Why we use your data (purposes and legal bases)
- To provide the Platform — accounts, listings, orders, auctions, forum (performance of contract).
- To run auctions fairly — recording bids with timestamps and bidder identity, displaying bid history under your display name (performance of contract / legitimate interests in market integrity).
- To verify vendors and prevent fraud and money laundering — identity checks, sanctions screening, transaction monitoring (legal obligation / legitimate interests).
- To process payments and payouts through regulated payment providers (performance of contract / legal obligation).
- To communicate service messages — order updates, outbid alerts, application decisions (performance of contract). Marketing emails are sent only with your consent and every one contains an unsubscribe link.
- To improve and secure the Platform — aggregate analytics, abuse prevention, debugging (legitimate interests).
- To comply with law — tax, accounting, export-control, and cultural-property record-keeping obligations (legal obligation).
4. What is public on the Platform
By design, the following are visible to other users: your display name and username, avatar, bio, country (if provided), forum posts, collection showcase items, follower relationships, and your display name in auction bid histories. Your email, addresses, orders, and payment details are never public.
Choose your display name accordingly; you may use a collector pseudonym.
5. Who we share data with
- Payment providers (e.g., Razorpay and, where applicable, other regulated gateways) — to process payments, prevent fraud, and satisfy their own legal obligations.
- Infrastructure providers — our database and hosting providers (e.g., Supabase and our web host) process data on our behalf under data-processing agreements.
- Shipping carriers — name, address, and contact details necessary for delivery and customs declarations.
- Vendors — when you buy from a Vendor, they receive the details needed to fulfil your order (name, shipping address, order contents), and must use them only for fulfilment.
- Professional advisers and authorities — where required by law, court order, tax, customs, or cultural-property authorities, or to establish or defend legal claims.
We do not sell personal data, and we do not share it with third parties for their own advertising.
6. International transfers
Our users are global and our infrastructure providers may process data outside your country (including in India, Singapore, the EU, and the US). Where GDPR applies, transfers rely on adequacy decisions or Standard Contractual Clauses. Where the DPDP Act applies, we transfer data only to countries not restricted by the Indian government.
7. Retention
- Account and profile data: for the life of your account, then deleted or anonymised within 90 days of closure, except as below.
- Transaction, invoicing, and KYC records: retained for the period required by tax, company, and anti-money-laundering law (typically 5–8 years depending on jurisdiction).
- Auction bid records: retained for the life of the platform in anonymised form for market-integrity history; identifiable bid records follow the transaction retention period.
- Forum content: remains on the Platform after account closure but is disassociated from your identity (shown as “retired collector”) unless you request deletion of specific posts.
- Server logs and analytics: up to 13 months.
8. Your rights
Depending on your jurisdiction, you have the right to access, correct, delete, and receive a portable copy of your personal data; to object to or restrict certain processing; to withdraw consent at any time; and to complain to a supervisory authority (in India, the Data Protection Board of India; in the EU, your local DPA; in the UK, the ICO; in California, the AG/CPPA).
Exercise any right by emailing privacy@thenumishouse.com from your account email. We respond within 30 days (or the shorter period your law requires). We will verify your identity before acting, and we may retain data we are legally required to keep (for example, KYC and tax records) even after a deletion request — we will tell you what and why.
California residents: we do not “sell” or “share” personal information as defined by the CCPA/CPRA, and we honour Global Privacy Control signals for any cookies that would otherwise constitute sharing.
9. Security
All traffic is encrypted in transit (TLS). Data is stored with a hosting provider offering encryption at rest, role-based access controls, and row-level security so users can only read the data they are entitled to. Payment credentials are handled exclusively by PCI-DSS-compliant providers. No system is perfectly secure; if a breach affects your data we will notify you and regulators as required by law (including within the timelines of the DPDP Act and GDPR).
10. Changes and contact
We will post any changes here and, for material changes, notify you by email or site banner before they take effect. Contact our privacy team at privacy@thenumishouse.com, or write to [Legal Entity Name], [Registered Address], India.