March 11, 2010 14:41:44

Privacy Policy

This auction site is provided in partnership by two organizations:

  • "Habitat for Humanity Toronto", which is operating this auction; all proceeds raised will go to that organization.
  • RealDecoy, the company that built, maintains and hosts RealAuction.

Each organization has its own privacy policy on how and why it collects personal information.

Habitat for Humanity Toronto's Privacy Policy

PREFACE


Your personal information is only collected, used and disclosed by [ORGANIZATION
NAME] in accordance with this Privacy Policy, and only that information which
is needed to run the auction is collected.


Please Note: This system does not ask for nor require credit card information or SIN
information. Only winning bidders need provide payment information, which is
not handled through the realauction.ca website. If you are the winning bidder,
do not send credit card information over email.


[ORGANIZATION NAME] collects this personal information solely for the purposes of managing
the online auction service and maintaining responsible commercial relations
with you, including but not limited to payment, delivery, and marketing. This
information may also be used by [ORGANIZATION NAME] to notify registrants about
future auctions.


CONSENT


Your personal information will not be used for any other purpose without your
consent. If you wish to withdraw consent, or have any questions or concerns
about our information-handling practices with respect to this site, you may
contact the auction administrator at [CONTACT INFO FOR PERSON RUNNING THE
AUCTION].

RealDecoy's Privacy Policy

PREFACE

RealDecoy respects the privacy of visitors to this website and those who participate in the auctions that occur on it.  Your personal information is only collected, used and disclosed by RealDecoy in accordance with this section of the Privacy Policy.

You can visit this auction site without telling us who you are or revealing any information about yourself.  Personal information is collected when you specifically and knowingly provide it by registering for an auction.

DEFINITIONS

"RealDecoy" – The company that built and maintains this website (www.realauction.ca).  It has no hand, other than technical support, in the operation of this auction.

"Client" – The organization that is conducting this auction, their staff, and any other person authorized by this organization to administer the auction.

"Item" – An item that is up for auction on the realauction.ca website.

"Personal Information" – Any information that can be used to distinguish, identify or contact a specific individual.  The type of information found on a business card (name, business title, business address) or publicly available information, such as a public directory listing of your name, address, telephone number and email address, is not considered to be personal information under the law.

"Registrant" – A user who has registered with this site to participate (i.e. bid) in an auction.

"System" – The sum of the RealAuction technology, including code, scripts, database, etc.

"System Administrator" – Any RealDecoy staff member who is tasked with maintaining or upgrading the site, or who is responsible for the operation and security of the server.

"User" – A participant or public observer of the auction site.

REALDECOY’S ACCESS TO PERSONAL INFORMATION

RealDecoy requires personally identifiable information for site security and maintenance/upgrade purposes.  RealDecoy has access to all the auctions that are running on the www.realauction.ca website.

Personal information can be accessed through a password-protected administrative section of each auction website.  The client has access to this section in order to administer the auction and system administrators have access for security and maintenance purposes only.  The database where personal information is stored can only be directly accessed through a secure shell command interface to which only RealDecoy has access.

Personal information stored in the database is erased at the request of the client when the auction is complete.

No Cross-Auction Sharing

The realauction.ca website may run several auctions at once, each with its own directory.  Private information from each auction sub-site is stored independently from the others and there is no facility for one client to access another’s information.  Furthermore, RealDecoy does not pass personal information from one client to another—either through this system or through other means.

TECHNOLOGY USED

Counters

There is a counter in the database of how many times each item is viewed.  This does not store any personally identifiable information about the viewer.  This information persists for the duration of the auction.

Member Table

The following information is stored for each user that signs up:

  • The login name (username)
  • Encoded password (cannot be retrieved)
  • First name
  • Last name
  • Address
  • City
  • Province
  • Country
  • Postal code
  • Daytime phone number and the time during the day when they can be contacted
  • Evening phone number and the time in the evening when they can be contacted
  • Email address
  • Date and time when the user registered
  • The last time that the user's information was updated

All of these fields except password are available to the system administrator and the client.  All fields except registration date and when a user’s information was last updated are available to the user.  Note that only the login name is available to other users of the system.  That is, users do not see information about other users of the system except for their login name and the amount they bid for an item.  Other than that, all users are anonymous to one another.

Reports

The system can generate a number of reports, including a comprehensive list of users, bid histories of an item or a user, a summary of completed items, and more.  Some of these reports can be exported and downloaded as Excel files.

All of these reports are generated "on the fly" and there is no record or file stored on the server when these reports are generated.  This method prevents an unauthorized user who may gain access to the server from being able to see a user’s personal information.

MEASURES TAKEN BY REALDECOY TO ENSURE INFORMATION SECURITY

RealDecoy treats the security of private information stored on the server with a great deal of care: the same infrastructure that powers the auction site powers the corporate services for the company.

  • Server operating system – The server operating system is updated as security-related patches are released, and only services required for the proper operation of the server are enabled.  The Linux operating system is used due to its superior security track record.
  • Server hosting facility – The server is hosted in a secure hosting facility with round-the-clock security.  All visitors are required to sign in and sign out and be accompanied by security at all times while in the facility.
  • Server monitoring – The server is regularly monitored for intrusion or abnormal behaviour.  Daily log monitoring reports are emailed to the system administrator.
  • Development server – RealDecoy uses separate development and production servers for upgrades to the system.  This allows new code to be tested prior to deployment without risking personal information.
  • OWASP-aware development – The system is developed to follow the Open Web Application Security Project top ten guidelines for application security.
  • Encrypted access to server – The server team uses Secure Shell to encrypt maintenance-related activity on the server.  This means that the commands and tasks performed by the system administrators pass through a secure tunnel and cannot be intercepted by a third party.
  • Passwords – Passwords are hashed using MD5 technology.  Primary keys are 32-character strings, which make it harder for someone to track which users have made bids on what items.


RealAuction is a community service of RealDecoy