Your privacy matters to us. This policy explains what personal data GEMMACOL collects, why we collect it, how we use it, and what rights you have under the EU General Data Protection Regulation (GDPR) and Spanish data protection law (Ley Orgánica 3/2018, LOPDGDD).
1. Who We Are
The data controller responsible for your personal data is:
GEMMACOL is a direct supplier of Colombian emeralds operating as a B2B trade company. We connect the global jewelry industry with Colombian emerald production.
2. Data We Collect
Information you provide directly
Name, company name, and job title
Email address and telephone number
Postal/billing address
Purchase and order history
Messages and enquiries submitted via our contact or availability forms
Business contact information from trade directories or industry events attended by both parties
Analytics data from Google Analytics 4 (aggregated and anonymised where possible)
3. How We Use Your Data
We use your personal data for the following purposes:
Processing and fulfilling your orders and trade enquiries
Responding to your messages and requests
Sending you our newsletter and market updates (with your consent)
Inviting you to events, webinars, and trade shows relevant to your profile
Improving the performance, content, and usability of our website
Complying with our legal obligations under Spanish and EU law
Preventing fraud and ensuring the security of our systems
Managing our business relationship with you
We do not use your data for automated decision-making or profiling that produces significant legal effects.
4. Legal Basis for Processing
We process your personal data on one or more of the following legal bases under Article 6 GDPR:
Contract — processing is necessary to fulfil a contract with you or to take pre-contractual steps at your request (e.g., processing orders and enquiries).
Legitimate interests — we have a legitimate business interest in maintaining our trade relationships, marketing our services to existing business contacts, and improving our website, provided those interests are not overridden by your rights.
Consent — for newsletter subscriptions and non-essential cookies, we rely on your freely given consent, which you may withdraw at any time.
Legal obligation — where processing is required to comply with applicable law (e.g., invoicing, tax records).
5. Sharing Your Data
We do not sell your personal data. We may share it with:
Service providers acting as data processors on our behalf — such as email marketing platforms, hosting providers, payment processors, and analytics tools — under appropriate data processing agreements.
Logistics and shipping partners — solely as necessary to fulfil an order (name, address, contact details).
Professional advisors — accountants, lawyers, or auditors where required.
Public authorities — where required by law or legal process.
All third-party processors are bound by contractual obligations to protect your data and use it only for the specified purpose.
6. Data Retention
We retain your personal data only as long as necessary for the purposes for which it was collected:
Customer and trade records — kept for 6 years after the last transaction, in line with Spanish commercial and tax law requirements.
Newsletter subscribers — retained until you unsubscribe or withdraw consent.
Enquiry and contact forms — retained for up to 2 years from the date of last contact.
Website analytics data — aggregated data retained for up to 26 months via Google Analytics.
When data is no longer needed, it is securely deleted or anonymised.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
Access: Request a copy of the personal data we hold about you.
Rectification: Ask us to correct inaccurate or incomplete data.
Erasure: Request deletion of your data where there is no compelling reason to continue processing.
Restriction: Ask us to limit how we use your data in certain circumstances.
Portability: Receive your data in a structured, commonly used format.
Objection: Object to processing based on legitimate interests or for direct marketing.
Withdraw Consent: Withdraw consent at any time without affecting prior processing.
Lodge a Complaint: File a complaint with the Spanish Data Protection Authority (AEPD).
To exercise any of these rights, contact us at privacy@gemmacol.com. We will respond within 30 days. You may also contact the Spanish supervisory authority, the Agencia Española de Protección de Datos (AEPD), at www.aepd.es.
8. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:
SSL/TLS encryption for all data transmitted via our website
Access controls and role-based permissions for internal systems
Regular security assessments of our hosting and service providers
Staff awareness of data protection obligations
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.
9. International Transfers
Some of our service providers may be located outside the European Economic Area (EEA). Where personal data is transferred to a third country, we ensure adequate safeguards are in place, such as:
Standard Contractual Clauses (SCCs) approved by the European Commission
Transfers to countries with an adequacy decision by the European Commission
You may request details of the specific safeguards in place by contacting us at privacy@gemmacol.com.
10. Cookies
Our website uses cookies to enhance your experience and to collect analytics data. For full details of the cookies we use, their purpose, and how to manage your preferences, please refer to our Cookie Policy.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically.
Where changes are material, we will notify you via email (if you are a registered contact) or by posting a notice on our website.
12. Contact & DPO
For any questions about this Privacy Policy or to exercise your rights, please contact us: