Privacy Policy

Gemcy Gems (PVT) LTD — Privacy Policy

Last updated: September 16, 2025
Company: Gemcy Gems (PVT) LTD
Website: www.ceylongemcy.com

Registered in: Sri Lanka

1. Introduction

Gemcy Gems (PVT) LTD (“we”, “our”, “us”) respects your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and your rights. We operate from Sri Lanka and sell both domestically and internationally. Our handling of personal data follows Sri Lanka’s Personal Data Protection Act (PDPA) and recognized international privacy standards used by e-commerce businesses.

2. Information we collect
We collect personal data you provide and data collected automatically when you use our site:
a. Data you provide: name, billing and shipping address, email, phone number, payment information (tokenized by payment processor), order details, ID documents when required for customs or high-value orders, and any messages you send us.
b. Account & marketing: account username, password (hashed), preferences, marketing consents.
c. Technical & usage data: IP address, browser and device data, cookies, and analytics used to operate and improve the site.
d. Third-party data: where applicable, information from our payment gateways, shipping partners, and verification services.

3. How we use your personal data
We use personal data to:
* Process and fulfill orders, payments, customs and deliveries.
* Communicate about orders, account, and customer service.
* Provide and improve our website, detect fraud, and secure our services.
* Send marketing communications only with your consent; you can unsubscribe anytime.
* Comply with legal obligations (tax, customs, anti-money laundering checks on high-value gem transactions).
* Purpose-based use and minimal collection are our principles.

4. Legal bases for processing (where applicable)
For customers in jurisdictions governed by GDPR or similar laws, our lawful bases include contract performance (order fulfillment), legitimate interests (fraud prevention, site security, service improvement), consent (marketing), and legal compliance when required. For Sri Lankan customers, processing follows the PDPA’s requirements.

5. Sharing and disclosure
We share personal data only as needed:

* Service providers: payment processors, shipping and logistics partners, customs brokers, identity verification providers, cloud/hosting, analytics providers.
* Legal & safety: when required by law, to respond to lawful requests, or to protect rights and safety.
* Business transfers: in the event of a sale/merger (with notice to affected users).
* We require partners/processors to maintain appropriate safeguards and confidentiality.

6. International transfers
Because we ship globally and use international processors, your personal data may be transferred and stored outside Sri Lanka. We take steps to ensure adequate protections (standard contractual clauses, reputable processors) consistent with PDPA/GDPR practice.

7. Cookies & tracking
We use cookies and similar technologies for site functionality, analytics, fraud prevention, and personalized content. You can manage cookie preferences in your browser and via any cookie consent tool on our site.

8. Payment & card data
We do not store raw card numbers on our servers. Card processing is handled by secure third-party payment gateways that tokenize card data; for PCI and other security details, please see the payment provider’s terms. (We collect minimal billing details needed for invoices and customs.)

9. Data retention
We keep personal data only as long as needed for the purpose collected, for legal compliance (e.g., tax laws), dispute resolution, and legitimate business needs. Typical retention: order records and invoices (minimum period required for tax/compliance), marketing until unsubscribe, and account data while account is active.

10. Your rights
Depending on your location and applicable law, you may have the right to:
* Access, correct, or delete your personal data.
* Object to or restrict processing.
* Port your data to another provider.
* Withdraw consent where processing is based on consent.

Opt out of the sale/sharing of personal data (for California residents under CCPA).
To exercise any rights, contact us at the address below. We will verify requests to protect privacy and security.

11. Security
We implement commercially reasonable technical and organizational measures to protect personal data (encryption in transit, access controls, secure hosting). However, no internet system is completely secure; we cannot guarantee absolute security.

12. Children
Our site and services are not intended for children under 16. We do not knowingly collect personal data from children. If you believe we have data of a child, contact us to request deletion.

13. Notification of changes
We may update this Privacy Policy. Material changes will be posted on this page with an updated “Last updated” date.

14. Contact & Data Protection Officer (DPO)
If you have questions, requests, or privacy concerns, contact:
Email: info@ceylongemcy.com
Phone: +94 112361171
Address: NO 5D 65, National Housing Scheme, Raddolugama

If you are in the EEA and we process your data, we will cooperate with supervisory authorities. Sri Lankan customers may also contact the Data Protection Authority of Sri Lanka.