Privacy · Updated 2 May 2026

What we keep, and what we never do.

We are a small house. We collect what we need to certify a stone, ship it to you, and answer your questions. Nothing else. This page tells you exactly what that means.

What we collect

When you contact us through WhatsApp, email, or our inquiry form, we receive whatever you choose to send: typically your name, country, the stone you are interested in, and how you would like to be reached.

When you place an order, we additionally collect a shipping address, a phone number for the courier, and any identification documents required by Sri Lanka customs and the importing country (passport copy, business registration where applicable). Payment is handled by our bank or an escrow provider — we do not store card numbers.

When you visit this site, our infrastructure provider logs your IP address, browser, and the pages you viewed for security and performance reasons. These logs are rotated within 14 days.

How we use it

  • To answer your inquiry and recommend stones that match your brief.
  • To prepare export paperwork, certificates of origin, and lab reports.
  • To arrange insured shipping with FedEx, DHL, or Malca-Amit and to coordinate customs clearance in your country.
  • To comply with Sri Lankan and international anti-money-laundering and gemstone export regulations.
  • To send you the certificate verification details and post-purchase care guidance.

We do not use your information for advertising, profiling, or automated decision-making. We do not sell, rent, or trade contact details. Ever.

If you are in the European Economic Area or the United Kingdom, our legal bases for processing are:

  • Contract — to fulfil a sale, ship a stone, and provide certification.
  • Legitimate interests — to respond to inquiries, prevent fraud, and secure our systems.
  • Legal obligation — to satisfy export, tax, and AML requirements in Sri Lanka and your country.
  • Consent — for any optional communication you opt into. You may withdraw at any time.

Who we share with

Personal data leaves our hands only when it is necessary to deliver your stone or comply with the law. Specifically:

  • Gemmological laboratories — GIA, GRS, SSEF, AGL — receive the stone and a request reference, never your contact details.
  • Couriers — FedEx Priority, DHL Express, Malca-Amit — receive the shipping address and phone for delivery.
  • Banks & escrow — receive the bank-level details required to clear your payment.
  • Customs authorities — Sri Lanka Customs and the customs office in the destination country, where required by law.
  • Site infrastructure — Cloudflare (CDN, DDoS protection) and our hosting provider hold transient request logs as described above.

Retention

Inquiry messages: 24 months from last contact. Order records, invoices, and export paperwork: 10 years, the minimum required by Sri Lanka tax and gemstone export law. Server logs: 14 days. Backup snapshots: rotated within 90 days. After these periods, data is irreversibly deleted or anonymised.

Your rights

Wherever you live, you may write to us at privacy@gemstore.lk to:

  • Ask what data we hold about you.
  • Correct or update anything that is wrong.
  • Request erasure of data we no longer need to keep.
  • Receive a portable copy of your data.
  • Object to or restrict certain processing.
  • Lodge a complaint with the Sri Lanka Data Protection Authority or your local supervisory authority (in the EU/UK).

We respond to verified requests within 30 days.

Cookies and analytics

This site uses a single first-party preference cookie (gs_theme) to remember your colour preference. We do not run third-party analytics, ad pixels, or social trackers on this site. If we ever add anonymous, privacy-respecting analytics, we will update this page and ask for consent first where required.

International transfers

We are based in Sri Lanka. When you contact or buy from us, your data is processed in Sri Lanka and, where shipping requires it, in the destination country. For EU/UK customers, transfers outside the EEA rely on Standard Contractual Clauses with our processors, plus additional safeguards where applicable.

Contact

For any privacy question or to exercise a right above, write to:

Data Protection · GEMSTORE.LK
Email: privacy@gemstore.lk
Postal: GEMSTORE.LK, Eheliyagoda, Sabaragamuwa Province, Sri Lanka

We may update this policy when our practices or the law change. The Effective date below tells you when. Material changes are highlighted at the top of this page for 60 days.

Effective 2 May 2026 Governing law Sri Lanka Contact legal@gemstore.lk