Privacy Policy

Last updated: [DATE TO BE COMPLETED]

1. Introduction

Welcome to Joalys, the marketplace for gemstones between individuals and professionals.

This Privacy Policy describes how Joalys UK Ltd (hereinafter 'Joalys', 'we', 'our' or 'us') collects, uses, protects and shares your personal data when you use our Joalys platform. We attach great importance to protecting your privacy and are committed to processing your personal data in a transparent, secure manner and in compliance with the General Data Protection Regulation (GDPR) and all applicable data protection laws.

By using the Joalys platform, you accept the practices described in this Privacy Policy. If you do not accept these practices, please do not use our Services.

2. Data Controller

Joalys UK Ltd (Principal Office)

Registered office: 4th Floor Office, 205 Regent Street, London W1B 4HB, England

Registration number (Companies House): Company No. 16757466

Joalys Paris (Private) Limited (Operational Office - Sri Lanka)

Registered office: Colombo, Sri Lanka

Registration number (Companies House): Company No. PV 00332989

Incorporated: 22 June 2025

Contact email: contact@joalys.com

Phone: [NUMBER TO BE COMPLETED]

Data Protection Officer (DPO): privacy@joalys.com

Important note: Joalys UK Ltd is a company registered in the United Kingdom, subject to UK GDPR (British Data Protection Regulation). Our data is hosted in the European Union (Ireland) to ensure maximum protection for our European users' data.

For any questions regarding the protection of your personal data or to exercise your rights, you can contact us at the following address: privacy@joalys.com

3. Personal Data Collected

3.1 Data you provide to us directly

a) When creating an account and authenticating

  • First and last name
  • Email address
  • Password (stored encrypted)
  • Phone number (optional)
  • Profile photo (optional)
  • Date of birth (for age verification)
  • Identity provider data (if you use Google or Apple authentication)

b) When creating and participating in purchases

  • Gemstone descriptions (title, description, characteristics)
  • Photographs of the stones you sell
  • Pricing and sales information
  • Transaction history
  • Delivery information: complete postal address, delivery instructions

c) During financial transactions

We do not directly store complete credit card data. This information is processed securely by our payment provider in accordance with PCI-DSS standards.

Payment processor: [PAYMENT PROCESSOR NAME TO BE COMPLETED]

3.2 Automatically collected data

When you use the platform, we automatically collect certain technical and usage data:

a) Device data

  • Unique device identifier (UUID)
  • Operating system (version)
  • Application version
  • Language and time zone

b) Geolocation data

  • Your approximate country (via IP address)

We use your approximate location (country level only) to provide you with the best user experience, including suggesting the most appropriate language and currency for your region. This geolocation is also used to determine whether we need to display a cookie consent banner in compliance with local privacy laws (such as GDPR for the European Union). We do not track your precise location, only your country.

Legal basis: Legitimate interest (Article 6(1)(f) GDPR) - improving user experience and ensuring legal compliance.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Manage your user account and authenticate you
  • Process financial transactions and gemstone purchases
  • Communicate with you regarding your orders and our service
  • Ensure platform security and prevent fraud
  • Improve our services and develop new features

5. Sharing Your Personal Data

We never sell your personal data to third parties.

We only share your data in the following circumstances:

5.1 Between platform users

As part of the normal use of our Services, some of your data is visible to other users (public profile, necessary transaction information).

5.2 Third-party service providers

Supabase (EU West - Ireland)

Database hosting, authentication, file storage

Location: European Union (Ireland) - EU-WEST-1

Protection measures: Data hosted in the EU, GDPR compliance, encryption in transit (SSL/TLS) and at rest

6. Your Rights Over Your Personal Data

In accordance with GDPR and the Data Protection Act, you have rights over your personal data:

Right of access (Article 15 GDPR)

You have the right to obtain a copy of your personal data

Right to rectification (Article 16 GDPR)

You have the right to request correction of inaccurate or incomplete data

Right to erasure / 'Right to be forgotten' (Article 17 GDPR)

You have the right to request deletion of your personal data

Right to data portability (Article 20 GDPR)

You have the right to receive your data in a structured, machine-readable format

Right to object (Article 21 GDPR)

You have the right to object to the processing of your personal data

To exercise these rights, contact us at:

Email: privacy@joalys.com

Response time: 1 month (extendable to 3 months in case of complexity)

7. Security of Your Data

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, modification, disclosure or destruction.

Technical measures

  • SSL/TLS encryption for all communications
  • Strict access controls and strong authentication
  • Secure infrastructure with firewalls and intrusion detection
  • Access monitoring and logging

Organizational measures

  • Staff training on security and privacy
  • Restricted data access according to the principle of least privilege
  • Confidentiality clauses for all employees and providers
  • Security incident response procedures

Despite our efforts, no transmission method over the Internet is completely secure.

You are responsible for keeping your password confidential and reporting any unauthorized use of your account.

8. Data Retention

We retain your personal data for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Data category | Retention period | Justification
Active account data | As long as your account is active | Contract execution
Deleted account data | 30 days after deletion | Allow restoration in case of accidental deletion
Transaction and billing data | 10 years after the transaction | Accounting and tax obligations
Security and connection logs | 12 months | Security, fraud detection, legal obligations (LCEN)

9. Contact and Complaints

To contact us

By email: privacy@joalys.com

By mail:

Joalys UK Ltd

Attention: Data Protection Officer

4th Floor Office, 205 Regent Street

London W1B 4HB, England

Phone: [PHONE NUMBER TO BE COMPLETED]

Right to lodge a complaint

You have the right to lodge a complaint with the competent supervisory authority if you believe that the processing of your personal data constitutes a violation of GDPR or UK GDPR.

Information Commissioner's Office (ICO) - United Kingdom

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

Phone: +44 (0)303 123 1113

Website: https://ico.org.uk/

CNIL (France) - For French users

3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France

Phone: +33 (0)1 53 73 22 22

Website: https://www.cnil.fr/

10. Changes to the Privacy Policy

We may modify this Privacy Policy from time to time to reflect changes in our data processing practices, changes to our Services, or legal or regulatory changes.

For substantial changes, we will notify you by email or via a notification in the application, with 30 days' notice before the changes take effect.

By continuing to use our Services after the changes take effect, you accept the revised Privacy Policy.

Joalys Paris