This policy covers the GavelGap Chrome extension (the "Extension") and the gavelgap.com website (the "Site"), collectively the "Service." It explains what we collect, why, who we share it with, and how you can opt out or delete your data.
GavelGap is an independent third-party tool. We are not affiliated with, sponsored by, or endorsed by GovDeals, Liquidity Services Inc., eBay Inc., Google LLC, or any government agency.
When you open a GovDeals listing while the Extension is installed, it analyses the page locally and sends a "scan event" to our backend. Each scan event contains:
If your auction has ended when you revisit a listing, the Extension may also send an "outcome event" recording whether the listing sold, the final bid price (visible publicly on the page), and a SHA-256 hash of the winning bidder's username — never the raw username.
chrome.storage.sync on your device. The ZIP itself is not transmitted to our backend; only the derived distance-in-miles is sent with scan events.We use a small number of vendors to run the Service. They process data on our behalf:
| Vendor | What they handle | Privacy policy |
|---|---|---|
| Supabase | Database hosting (Postgres). All scan events, feedback, outcomes, waitlist emails, and support messages are stored here. | supabase.com/privacy |
| Cloudflare | Website hosting (Pages), API proxy (Workers), and DNS for gavelgap.com. Receives request metadata including your IP address (used for routing and DDoS protection; we do not log IPs ourselves). | cloudflare.com/privacypolicy |
| Resend | Email delivery for support replies. Sees the contents of email notifications we send. | resend.com/legal/privacy-policy |
| eBay | The Extension fetches public sold-listing search results from ebay.com to estimate resale values. Your search query is the cleaned listing title. | ebay.com |
| Google Shopping | Used as a fallback when eBay returns few results. The Extension fetches public Google Shopping search results with the cleaned listing title. | policies.google.com/privacy |
| OpenStreetMap Nominatim | Geocoding seller city/state to estimate shipping distance. We send city + state strings; no personal data. | openstreetmap.org |
| NHTSA vPIC | Decoding Vehicle Identification Numbers for vehicle listings. Sends the VIN (no PII). | nhtsa.gov |
We do not sell your data to advertisers, data brokers, or other third parties. We do not run ad networks on the Site or Extension at this time.
chrome.storage.local on your device. Removed when you uninstall the Extension or clear browser storage for it.The Site sets a Cloudflare bot-management cookie (__cf_bm) to distinguish humans from bots. We do not set advertising or analytics cookies. The Extension uses Chrome's local storage APIs (chrome.storage.local / chrome.storage.sync) to keep your device ID and preferences; these are not cookies and are not accessible to other websites.
To clear your local device ID, ZIP, and cached data: in Chrome, open chrome://extensions → GavelGap → "Site settings" or "Clear data" → reload the extension. Or uninstall the Extension entirely.
To remove server-side scan / feedback / outcome rows associated with your anonymous device ID, send a request to gavelgap.com/support with the topic "Account / data" and check the "Include my anonymous device ID" box so we can find your rows. We will delete them within 30 days and confirm by email.
Disable or uninstall the Extension. There is no separate telemetry toggle yet; we plan to add one. Until then, uninstall = full opt-out.
Email us via gavelgap.com/support with topic "Account / data" and your waitlist email. We'll remove you and confirm.
You have the right to know what personal information we collect about you, to request deletion of that information, and to opt out of the "sale" or "sharing" of personal information (we do neither). To exercise these rights, contact gavelgap.com/support. We will not discriminate against you for exercising them.
You have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. To exercise these rights, contact gavelgap.com/support. Our lawful basis for processing scan telemetry is your consent (installing the Extension); our basis for processing waitlist / support emails is your contractual request.
The Service is not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
All traffic to and from gavelgap.com and api.gavelgap.com uses HTTPS / TLS 1.2+. Server-side tables enable Postgres row-level security; only a privileged Edge Function can write or read them. We use a small number of well-known vendors (above) and rotate access tokens periodically. No system is perfectly secure; if you discover a vulnerability, please report it via gavelgap.com/support.
Our database is hosted in the United States (Supabase, AWS us-east-1). Cloudflare's edge serves the Site from data centers worldwide. If you're outside the U.S., your data is transferred to and processed in the U.S.
We may update this policy as the product evolves. Material changes will be posted here with an updated "Last updated" date. If we make a significant change (e.g., adding a new third-party data processor, adding ads), we'll prominently notify visitors on the Site.
Questions about this policy, requests for data deletion, or anything else privacy-related — gavelgap.com/support (topic: "Account / data" works best). We typically respond within 1–2 business days.