
Privacy Policy

Plain English Summary

Five things you should actually know

The full policy below is the legally binding version. This summary is for orientation — read the whole thing.

We never sell your data

Not to advertisers, not to data brokers, not to anyone. Selling data is not part of our business model.

We don't train AI on your stones

Your gemstone images, certificates, and Vault contents are not used to train MGL Valuer or any other AI model without explicit, separate opt-in.

Encrypted, end to end

AES-256 at rest, TLS 1.3 in transit. Documents from the Authorized Dealer application use per-file encryption keys rotated quarterly.

You can delete anything

Export your data, delete specific items, or close your account entirely — usually within 30 days. Some records we must keep for tax law (7 years).

Stored in India, primarily

Primary servers in Mumbai (AWS ap-south-1) with European replicas for EU users. No transfer outside listed regions without your explicit consent.

One person, one email

Privacy questions go to privacy@mglgemfinity.com. Our DPO reads every message. Statutory response window: 72 hours.

Contents
  • I Who We Are
  • II What We Collect
  • III How We Use It
  • IV Legal Basis
  • V Sharing & Disclosure
  • VI International Transfers
  • VII Your Rights
  • VIII Data Retention
  • IX Security
  • X Cookies & Tracking
  • XI Children's Privacy
  • XII Contact & DPO


Privacy is structural, not decorative. This policy explains what data we collect, why we collect it, who can see it, how long we keep it, and the rights you have over it. We've kept it as plain as we could without losing the precision the law requires. The summary at the top is honest — read the full policy when you have twelve minutes.

Section I Who we are

The "data fiduciary" (under the Indian Digital Personal Data Protection Act, 2023) and "data controller" (under GDPR) for personal information processed through Gemfinity is MGL Gemfinity Private Limited — incorporated in India, with its registered office in Calicut, Kerala, and operational office in Market, Gujarat. CIN U74999KL2024PTC067834.

Our Data Protection Officer can be reached at privacy@mglgemfinity.com. The DPO is a real person, not a shared inbox — they read and respond to every privacy request personally, with statutory response windows under both DPDPA and GDPR.

Section II What we collect

We collect personal data in five categories. The table below is the complete list — if a piece of data isn't here, we're not collecting it.

Data categories (last reviewed · Apr 1, 2026)

  • Account info. What it includes: name, email, phone, password hash, country. Why we collect: account creation, login, account recovery, security alerts. Retention: active account + 90 days.
  • Business info. What it includes: company name, GSTIN, registration number, business type, turnover band. Why we collect: compliance, KYC, tax invoicing, dealer-program eligibility. Retention: 7 years post-relationship.
  • Content data. What it includes: stones in your Vault, photos, certificates, valuation requests, marketplace listings. Why we collect: service delivery — that's literally why you uploaded it. Retention: until you delete it.
  • Transactional. What it includes: subscription payments, marketplace purchases, invoices, tax records. Why we collect: billing, accounting, tax compliance under Indian law. Retention: 7 years (Income Tax Act).
  • Behavioral. What it includes: pages viewed, features used, search queries, error reports, IP, device type. Why we collect: product improvement, fraud detection, performance monitoring. Retention: 24 months, then aggregated.
  • Communications. What it includes: support tickets, live chat history, email correspondence with our team. Why we collect: support quality, dispute records, training (anonymized). Retention: 24 months.

What we don't collect: precise device location (we use IP-based country only), biometric data, contacts from your phonebook, browser history outside Gemfinity, or any data from third-party social profiles unless you explicitly connect one (Google or Facebook for SSO — and that's just email and name).

Section III How we use it

We use your personal data for the following purposes — and only the following. If we ever need to use your data for a new purpose, we'll ask first.

  • To run Gemfinity — generate valuations, store your Vault, deliver Insider content, run the marketplace and Authorized Dealer Program.
  • To bill you — process subscription payments, issue tax invoices, handle refunds.
  • To keep you safe — detect fraud, enforce our Terms, investigate suspicious activity, respond to security incidents.
  • To talk to you — service notifications, support replies, important policy updates.
  • To improve the product — aggregate usage analysis (always anonymized), A/B testing, feature research.
  • To comply with the law — respond to court orders, regulatory inquiries, tax audits, AML checks.

What we don't do

We don't use your gemstone images, certificate scans, or Vault contents to train MGL Valuer or any other AI model — not without explicit, separate, opt-in consent. The MGL Valuer model is calibrated against public Rapaport benchmarks, licensed VDB marketplace data, and Market trade data we obtain under separate commercial agreements. Your data is yours.

We don't send marketing emails unless you've opted in. We don't share data with advertising platforms. We don't run third-party advertising on Gemfinity at all.

Section IV Legal basis

Under DPDPA 2023 and GDPR, every processing activity needs a legal basis. Ours are:

  • Contract — most processing is to deliver the service you signed up for. Without it, we couldn't run your account.
  • Legal obligation — tax records, AML/KYC documentation for dealer accounts, regulatory reporting.
  • Legitimate interest — fraud prevention, security monitoring, product improvement (always with your interests balanced against ours, and always with the option to object).
  • Consent — for things outside the above: marketing emails, optional analytics cookies, AI-training opt-in.

Section V Sharing & disclosure

We share personal data with the following categories of recipients, and no others:

  • Service providers who run infrastructure on our behalf — AWS Mumbai (hosting), Stripe and Razorpay (payments), Postmark (transactional email), Sentry (error monitoring). Each is bound by a Data Processing Agreement that limits their use of your data to what we've instructed.
  • Marketplace counterparties — when you transact, your name, business name, and shipping details (for physical settlement) are shared with the other party. Nothing else.
  • Tax & regulatory authorities — when required by Indian law (Income Tax Department, GST authorities, RBI for cross-border transactions, FIU-IND for AML reporting).
  • Legal recipients — courts, law enforcement, or other authorities under valid legal process. We require formal process and notify you where we legally can.
  • Acquirers — if Gemfinity is acquired or merges with another company, your data may transfer to the new entity, subject to an obligation to honor this Privacy Policy. We'll notify you 30 days before any such transfer.

Sale of data

We have never sold personal data to third parties, and we have no plans to do so. Selling user data is not part of our business model — and we have no incentive to start.

Section VI International transfers

Your data is primarily stored in AWS Mumbai (ap-south-1). For users in the European Economic Area, we maintain replicas in AWS Frankfurt (eu-central-1) to comply with GDPR data-residency expectations. Both regions are operated by Amazon Web Services under SOC 2 Type II audit.

When data crosses borders — for example, when a Market-based dealer transacts with a buyer in Hong Kong — we rely on the following safeguards: Standard Contractual Clauses approved by the European Commission for transfers out of the EEA, and the cross-border transfer rules under DPDPA 2023 once the central government notifies the list of permitted countries.

We do not transfer personal data to jurisdictions on the FATF "high-risk" list or jurisdictions subject to comprehensive sanctions.

Section VII Your rights

You have the following rights over your personal data — under DPDPA 2023 if you're in India, under GDPR if you're in the EEA, and under both for cross-border traders. To exercise any of them, write to privacy@mglgemfinity.com. Statutory response window: 30 days under DPDPA, 1 month under GDPR.

Right of access

Get a complete copy of all personal data we hold about you, in a machine-readable format.

Right of correction

Have inaccurate data corrected. Most things you can update yourself in account settings.

Right of erasure

Delete your account and personal data — except records we must keep for tax law (7 years).

Right to portability

Receive your data in JSON or CSV — Vault contents, valuation history, settings.

Right to restrict

Pause processing while you contest accuracy or file a complaint. We'll keep but stop using.

Right to object

Object to processing based on legitimate interest (analytics, fraud monitoring at granular level).

Right to complain

To us first; if unresolved, escalate to the Data Protection Board of India or your local supervisory authority.

Right to nominate

Nominate a person to exercise your rights in case of incapacity (DPDPA-specific).

We don't charge for fulfilling rights requests. We may ask for proof of identity to prevent someone else exercising your rights — usually a confirmation from the email address we have on file.

Section VIII Data retention

We keep personal data only as long as we need it for the purpose collected, plus any statutory retention period. Specifics are in the table in Section II — but in summary:

  • Active account data — for as long as your account is open;
  • Closed account data — 90 days for personal data, longer for transactional records;
  • Tax records — 7 years (Income Tax Act, India);
  • AML/KYC documentation — 5 years post-relationship (Prevention of Money Laundering Act);
  • Behavioral analytics — 24 months identifiable, indefinitely after aggregation;
  • Backups — point-in-time backups are purged on a 35-day rolling cycle.

When the retention period ends, we delete the data or irreversibly anonymize it (no person can be identified). Anonymized data may be retained indefinitely for product analytics and research.

Section IX Security

We treat security as foundational, not a feature. Our practices include:

  • Encryption — AES-256 at rest, TLS 1.3 in transit. Application-layer encryption with per-file keys for dealer-application documents.
  • Access control — least-privilege role-based access for our team, mandatory two-factor authentication, quarterly access reviews.
  • Monitoring — continuous logging, anomaly detection, automated alerts on credential anomalies.
  • Vulnerability management — annual penetration testing by a third party, monthly internal audits, public bug bounty program.
  • Incident response — documented playbook with notification commitments under DPDPA (72 hours to the Board, prompt notification to affected users where required).
  • Vendor security — every processor goes through a security review and signs a DPA with audit rights.

No system is perfectly secure, but we work hard to make ours as good as it reasonably can be. If you discover a vulnerability, please write to security@mglgemfinity.com — we run a coordinated-disclosure program and offer rewards for valid findings.

Section X Cookies & tracking

We use a small number of cookies and similar technologies. You can manage preferences in your account settings or via the cookie banner that appears on first visit.

  • Essential cookies (required): login session, CSRF protection, language, accessibility preferences. Without these, the platform doesn't work. No consent needed under DPDPA or GDPR.
  • Analytics (optional): aggregate usage patterns, page-level performance, error reporting. We use a self-hosted Plausible instance — no cross-site tracking.
  • Preferences (optional): remember your dashboard layout, default valuation parameters, currency display. Stored on your device only — never sent to us.
  • Advertising (not used): we don't run ads on Gemfinity and we don't use advertising cookies. Nothing to consent to here.

You can also enable Do-Not-Track in your browser; we respect it. Browser-level Global Privacy Control signals are honored as a request to opt out of optional tracking.

Section XI Children's privacy

Gemfinity is not directed to children. Under DPDPA 2023, processing of children's personal data (under 18 in India) requires verifiable parental consent — and our service isn't meaningful for minors anyway. We don't knowingly collect data from anyone under 18.

If you believe a minor has created an account, please write to privacy@mglgemfinity.com and we'll close the account and delete the data.

Section XII Contact & DPO

For all privacy-related correspondence — access requests, deletion requests, complaints, security disclosures, or questions about this policy — please write to:

Data Protection Officer
MGL Gemfinity Private Limited
2nd Floor, West Hill Trade Centre
Nadakkavu, Calicut, Kerala 673001

Email: privacy@mglgemfinity.com
Security: security@mglgemfinity.com
General Legal: legal@mglgemfinity.com

If you'd prefer to escalate a privacy concern outside MGL Gemfinity, you may contact the Data Protection Board of India (once notified by the central government) or, for EU residents, your national supervisory authority. We'll always tell you exactly which body has jurisdiction over your specific situation.

Version History

  • Apr 1, 2026 · v2.4 · Added DPDPA 2023 specific rights and nomination clause; refined cookie categories; added Plain English Summary; updated security practices section.
  • Sep 1, 2025 · v2.3 · Updated retention table; added Frankfurt as EU replica region; expanded vendor list with Razorpay.
  • Apr 15, 2025 · v2.2 · Added explicit AI-training opt-out commitment; clarified that we never sell data; introduced transparency report.
  • Jan 1, 2025 · v2.0 · Major rewrite for DPDPA 2023 compliance; introduced data category table; added rights matrix.

© 2026 MGL GEMFINITY PRIVATE LIMITED · CALICUT, KERALA · INDIA