Legal
Privacy policy
Last updated: 18 April 2026
This policy explains what personal data K&H Gems DMCC ("TopGems", "we") collects when you use our website, place an order, apply to our dealer programme, or contact our desk. It also explains your rights under the EU GDPR, the California CCPA, and the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).
Who we are
Data controller: K&H Gems DMCC, DMCC Free Zone licensee, Almas Tower, Jumeirah Lakes Towers, Dubai, UAE. Operating office: Jewelry Trade Center, Si Lom, Bangkok 10500, Thailand.
Contact: dpo@topgems.com · WhatsApp +971 58 502 3001. Our representative in the EU is available on request.
What we collect
Account data — email, name, password hash (bcrypt), optional phone and country, locale preference.
Order data — billing and shipping address, ordered items, invoice total, tax residency, last-4 of card (from Stripe) but never the full PAN.
KYC documents (orders ≥ $15,000) — government-issued ID, proof of address; for orders ≥ $50,000 also source-of-funds documentation. Retention 5 years per UAE AML (Federal Law No. 20 of 2018).
Technical data — IP address, user agent, approximate geolocation (country level), Sentry error reports, pino server logs.
Marketing data — only if you opt in: newsletter subscription status, preferences, Resend delivery events.
Why we process your data
We rely on three GDPR Article 6 lawful bases:
Contract (6(1)(b)) — to fulfil your order, ship the parcel, handle returns, provide account access, respond to your enquiries.
Legal obligation (6(1)(c)) — AML, sanctions screening (OFAC SDN, EU sanctions, G7 Russian diamond restrictions), tax records, customs documentation.
Legitimate interest (6(1)(f)) — fraud prevention (Stripe Radar plus our own velocity / freemail / billing-shipping-mismatch rules), cybersecurity, service analytics. You have the right to object to legitimate-interest processing.
Who we share data with
Payment: Stripe, Inc. (USD settlement, PCI DSS Level 1), PayPal Holdings, BitPay Inc. (crypto), and correspondent banks for wire transfers.
Shipping: DHL Express, Malca-Amit Global Logistics, plus destination-country customs authorities.
Infrastructure: Cloudflare (CDN, DDoS), Hostinger International (VPS), Resend (transactional email), Sentry (error tracking), Plausible (privacy-friendly analytics, no cookies, no personal data).
Compliance: our AML auditor and external counsel, as required. OFAC SDN and EU sanctions screening is performed against public lists only — we do not transmit your personal data to governments unless legally compelled.
Sub-processors are bound by written data-protection agreements. We do not sell, rent or share personal data for cross-context behavioural advertising. Because we have never sold or shared personal data, we are not required to provide a "Do Not Sell or Share My Personal Information" link under California CCPA §1798.135, and there is no such processing for you to opt out of.
International transfers
Your data may be processed in the UAE (UAE Personal Data Protection Law), Thailand (Personal Data Protection Act BE 2562), the EU, the UK, the United States, and Singapore — depending on which sub-processor handles the specific operation. For EU → third-country transfers we rely on the EU Commission's Standard Contractual Clauses (2021/914). Copies of executed SCCs are available to data subjects on request to dpo@topgems.com.
How long we keep your data
Account data: for as long as your account is active, plus 12 months after closure to handle disputes / chargebacks.
Order records: 10 years, as required by UAE accounting law and EU VAT record-keeping rules.
KYC documents: 5 years after the relationship ends, per UAE AML / FATF recommendations.
Marketing opt-ins: until you unsubscribe, plus 6 months of suppression records so we don't accidentally re-contact you.
Server logs: 90 days (pino), Sentry 90 days default.
Your rights
Under GDPR (EU), CCPA (California), and the UAE PDP Law you may: access the data we hold on you, correct inaccuracies, request deletion (subject to AML retention requirements), restrict processing, export in machine-readable format, and object to legitimate-interest or direct-marketing processing.
To exercise any right, email dpo@topgems.com with the subject "Data subject request". Our Data Protection Officer verifies your identity before acting and replies within 30 days (extendable by a further 60 days for complex requests, with notice). Requests under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection) are handled free of charge, once per year.
If we refuse a request, or you are otherwise dissatisfied with how we handle your data, you have the right to lodge a complaint with your national supervisory authority; in the EU, the European Data Protection Board (https://edpb.europa.eu) lists the authority for each member state.