Account & sign-in

• Sign-in is handled through Google OAuth — we never see your password.
• Sessions are signed and scoped to your account. Sign out from any device clears all sessions.
• You can review and revoke active sessions from Account → Security.

Data in transit and at rest

• All traffic between your browser and our servers is encrypted with TLS 1.3.
• Data on our servers is stored in an encrypted managed database with automatic backups.
• We do not store payment card numbers — billing is handled through our payments provider.

Permissions the extension requests

The Chrome extension requests only the permissions it needs to read auction listings (Copart and IAAI sites) and persist your data locally. We don’t read other tabs, your browsing history, or any data outside the auction sites you actively visit.

Reporting a vulnerability

If you’ve found a security issue, email auctionmatepro@gmail.com with details. We respond within 2 business days. We don’t run a paid bug bounty yet, but we credit responsible disclosure publicly when permitted.