Privacy policy

I. RESPONSIBLE ENTITY

BEST DIAMONDS MARKOWSKI SPÓŁKA KOMANDYTOWA, with its registered office in Białystok and its place of business and correspondence address at: ul. Michała Motoszko 28, 15-111 Białystok, Poland, NIP (Tax Identification Number): 542-332-10-91, REGON (Statistical Number): 380786285, entered into the Register of Entrepreneurs of the National Court Register under KRS number: 0000963537, email address: contact@gremari.com, telephone number: +48 85 873 05 70, acting as the Controller of your personal data, hereinafter referred to as the “Controller”, is committed to safeguarding your privacy. Therefore, pursuant to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, p. 1), hereinafter referred to as the “GDPR”, we hereby provide you with key information regarding the principles governing the processing of your personal data by the Controller, including information about the cookies used on our online platform.

II. APPLICABILITY

The controller collects and processes personal data in accordance with applicable laws, in particular the provisions of the GDPR, and the data processing principles set out therein. We strive to ensure transparency in the data processing activities, and in particular, we always inform you at the time of data collection about the purpose and legal basis for processing – for example, when creating an account on the gremari.com website, entering into an agreement, or subscribing to a newsletter. The controller ensures that personal data is collected only to the extent necessary to achieve the specified purpose and is processed only for as long as it is necessary to fulfill that purpose.

III. CONTOLLER DECLARATION

In the course of processing personal data, the controller ensures their security and confidentiality, as well as access to information about such processing for the data subjects. In the event that, despite the security measures in place, a personal data breach occurs (e.g. a data “leak” or loss), the controller acts in accordance with the provisions of the GDPR and notifies the competent supervisory authority and the affected data subjects in a manner compliant with the applicable legal requirements.

IV. PERSONAL DATA CONTROLLER (“Controller”)

The controller of your personal data in connection with your use of the gremari.com website (hereinafter referred to as the “Service”) is BEST DIAMONDS MARKOWSKI SPÓŁKA KOMANDYTOWA, with its registered office in Białystok and its business and correspondence address at ul. Michała Motoszko 28, 15-111 Białystok, Poland.

The Controller has not appointed a Data Protection Officer (DPO), as it is not required to do so pursuant to Article 37 of the GDPR.

All matters related to the processing of personal data and the exercise of data subject rights may be addressed using the contact details indicated in this Section.

If you have any questions regarding the processing of your personal data or your rights under applicable data protection laws, you may contact us:

a) in writing at the following address: BEST DIAMONDS MARKOWSKI SPÓŁKA KOMANDYTOWA, ul. Michała Motoszko 28, 15-111 Białystok, Poland;

b) by contacting our staff member responsible for assisting users in exercising their data protection rights via: email: contact@gremari.com, telephone: +48 85 873 05 70



V. PURPOSE AND LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

1. The controller may process the following personal data of users or customers using the Service: first and last name; email address; contact telephone number (if provided in connection with your inquiry); delivery address (street, building number, apartment number, postal code, city, country); residential address/business address/registered office address (if different from the delivery address); data related to the execution of the order, including payment information. In the case of users or customers who are not consumers, the controller may also process the company name and the customer’s tax identification number (NIP). The provision of personal data specified above may be necessary for the conclusion and performance of a Sales Agreement or an agreement for the provision of Electronic Services via the Service. The scope of data required to conclude an agreement is always indicated in advance on the Service website and in the Terms and Conditions of the Online Store.

2. Depending on the features of the Service that you use, we process the personal data you voluntarily provide for the following purposes:

a) Displaying website content – legitimate interest (Article 6(1)(f) GDPR), consisting in the provision of the service and the necessity to protect against abuse.

b) Creating and maintaining a User Account, user authentication – the legal basis is the necessity of processing for the performance of the contract for the provision of the Account service (Article 6(1)(b) GDPR).

c) Services requiring account creation - we process your personal data to provide services that require creating a User Account. Necessity of processing for the performance of services in accordance with the Terms and Conditions (Article 6(1)(b) GDPR).

d) Sending newsletters - your consent (Article 6(1)(a) GDPR).

e) Ensuring the security of online sales services through logging users’ IP addresses - based on Article 6(1)(f) GDPR, our legitimate interest is to ensure the security of electronic services.

f)  Order fulfillment - for the purpose of fulfilling an order placed (including potential complaints):
- The legal basis is the necessity of processing for the performance of the contract (Article 6(1)(b) GDPR);
- The legal basis is the controller’s legal obligation (Article 6(1)(c) GDPR), particularly under tax and accounting regulations.

g) Statistics on the use of specific functionalities of the Service, facilitating its use, and ensuring IT security – Legitimate interest (Article 6(1)(f) GDPR), consisting in facilitating the use of electronic services, improving their functionality, analyzing user activity and shopping preferences.

h) Establishing, pursuing, and enforcing claims – Legitimate interest (Article 6(1)(f) GDPR), consisting in the establishment, exercise, or defense of legal claims before courts and other state authorities.          

i) Sending satisfaction surveys – Legitimate interest (Article 6(1)(f) GDPR), consisting in improving service functionality, conducting satisfaction analyses following a purchase, and evaluating user preferences.

j) Responding to inquiries – Legitimate interest (Article 6(1)(f) GDPR), consisting in responding to inquiries submitted via the contact form or "ask for an offer" option.

k) Handling complaints, requests, and appeals – Legal bases:
- Article 6(1)(b) and (c) GDPR – necessity of processing for the performance of a contract and to comply with a legal obligation;
- Article 6(1)(f) GDPR – legitimate interest of the controller in processing complaints, requests, and appeals.

3. Providing personal data is voluntary; however, in certain cases it is necessary in order to conclude and perform a contract, including a Sales Agreement or an agreement for the provision of Electronic Services via the Service.

Failure to provide personal data marked as mandatory may result in the inability to conclude the contract, create a User Account, process an order, or provide the requested service.

Providing data for marketing purposes, including newsletters and satisfaction surveys, is entirely voluntary and may be withdrawn at any time without affecting other services.

4. As a rule, personal data is collected directly from the data subject.

In certain cases, personal data may also be obtained from third parties, such as payment service providers, courier or postal operators, or entities cooperating with the Controller in the performance of concluded contracts.

In such cases, the Controller processes only the data necessary for the relevant purpose.

VI. DATA RETENTION PERIOD

1. The duration of data processing depends on the type of service provided and the purpose of the processing. The retention period may also result from applicable legal provisions, where they constitute the legal basis for processing.

2. We store your personal data for as long as you maintain a User Account on the Service, for the purposes of providing the Account service and related functionalities, as well as other services provided in accordance with the Terms of Electronic Service Provision. After the Account is deleted, your data will be anonymized, except for specific personal data retained for the purpose of handling complaints and claims related to the use of the controller’s services, as well as for the establishment, exercise, or defense of legal claims.

3. Where the legal basis for processing is the necessity of entering into and performing a contract, the data will be processed for the duration of the service or the fulfillment of the order, until the contract is fully performed and the post-sale period enabling the assertion of certain claims (e.g., warranty or guarantee) has expired.

4. If processing is based on consent, the data will be processed until the consent is withdrawn, or an effective objection or request for erasure is submitted.

5. If the data is processed on the basis of the controller’s legitimate interest, it will be processed for a period that enables the realization of that interest or until an effective objection to the processing is raised, or—in the absence of such objection—until the legitimate interest ceases to exist.

6. Data processed in connection with the "Product Inquiry" functionality will be stored for the duration of the correspondence. If you express further interest in our product/service and accept our pricing proposal, the data will be processed for the purpose necessary to perform the contract, as described in point 5 above.

7. The data retention period may be extended if processing is necessary for the establishment, exercise, or defense of legal claims. After this period, the data may be retained only if and to the extent required by law. Your data will be processed only for as long as we have a legal basis to do so—that is, until:

a) we are no longer subject to a legal obligation requiring data processing,
b) the period for asserting claims related to the contract entered into via the Store by either party has expired,
c) you withdraw your consent, if consent was the legal basis, or you raise an objection to the processing—
whichever applies in the given case and whichever occurs last.

8. Once the data retention period expires, the data is irreversibly deleted or anonymized.

VII. CATEGORIES OF PERSONAL DATA RECIPIENTS

1. In connection with the provision of services by the controller, your personal data may be disclosed to external entities, in particular IT service providers (including those responsible for the operation of IT systems used to provide online services), entities such as banks and payment operators (in cases where you choose an electronic payment method when placing an order), accounting and bookkeeping service providers, courier and postal service providers, carriers or intermediaries acting on behalf of the controller, marketing agencies (within the scope of marketing services), legal or accounting service providers, and other entities providing minor services necessary for the performance of a concluded agreement.

2. Your data may also be disclosed to competent authorities or third parties that request such information based on a valid legal basis obligating the controller to disclose such data, and in accordance with applicable law—we provide your personal data to authorized public authorities upon request, where legally required to do so.

3. The controller acknowledges that the level of personal data protection outside the European Economic Area (EEA) may differ from that ensured under European law. The controller always informs data subjects, at the time of data collection, of any intention to transfer personal data outside the EEA. At present, the controller does not use the services of such entities. The controller transfers personal data outside the EEA only when it is necessary and only when adequate safeguards are in place, primarily through:

  • ooperation with entities located in countries for which the European Commission has issued an adequacy decision;

  • the use of standard contractual clauses adopted by the European Commission;

  • he use of binding corporate rules approved by the competent supervisory authority.

 

VIII. RIGHTS OF THE DATA SUBJECT

1. We ensure the exercise of your rights as set out below. You may exercise these rights by submitting a request using the contact details provided in Section IV above. As a data subject, you have the following rights:

a) Right to rectification of data
You have the right to rectify and complete the personal data you have provided. With regard to other personal data, you have the right to request that we correct such data (if it is inaccurate) and complete it (if it is incomplete).

b) Right to object to the processing of data
You have the right to object at any time to the processing of your personal data, including profiling, if we are processing your data based on our legitimate interest—for example, in connection with compiling usage statistics for the Service, facilitating the use of the Service, or conducting satisfaction surveys.
If your objection is found to be valid and we have no other legal basis for processing your personal data, we will delete the data you objected to.

c) Right to erasure of data (“right to be forgotten”)
You have the right to request the deletion of all or some of your personal data. A request for the deletion of all personal data will be treated as a request for the deletion of your Account.
You have the right to request the erasure of your personal data if:

  • you have withdrawn your consent, to the extent that the data was processed based on that consent;

  • your personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

  • you have objected to the use of your data for marketing purposes;

  • you have objected to the use of your data for statistical analysis of Service usage, and your objection has been accepted as justified;

  • your personal data is being processed unlawfully.

d) Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. Upon submission of such a request, and until it is resolved, we will prevent you from using certain functionalities or services if their use would involve the processing of the data concerned. We will also refrain from sending you any communications, including marketing messages.

You may request restriction of the processing of your personal data in the following cases:

  • if you contest the accuracy of your personal data — processing will be restricted for a period enabling us to verify the accuracy of the data, but for no longer than 7 days;

  • if the processing is unlawful, and you oppose the erasure of your personal data and request the restriction of its use instead;

  • if your personal data is no longer needed for the purposes for which it was collected or otherwise processed, but you require it for the establishment, exercise, or defence of legal claims;

  • if you have objected to the processing of your personal data — in such case, the restriction applies pending the verification whether your objection overrides our legitimate grounds for processing.

e) Right of access
You have the right to obtain confirmation from us as to whether we are processing your personal data, and if so, to:

  • access your personal data;

  • receive information regarding the purposes of processing, categories of personal data processed, recipients or categories of recipients, the envisaged retention period or the criteria used to determine it, the rights granted to you under the GDPR, the right to lodge a complaint with a supervisory authority, the source of the data (if not collected from you directly), the existence of automated decision-making, including profiling, and appropriate safeguards relating to the transfer of personal data outside the European Union;

  • receive a copy of your personal data.

f) Right to withdraw consent
If your data is processed on the basis of your consent, you have the right to withdraw that consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.

g) Right to data portability
You have the right to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller of your choice — for example, to another operator of a similar service. You also have the right to request that we transmit the data directly to such another controller, where technically feasible. We will provide your personal data in a file format that is widely used, machine-readable, and suitable for transfer.

h) Right to lodge a complaint
If you believe that the processing of your personal data violates the provisions of the GDPR or other applicable data protection laws, you have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).

i) Right to object to direct marketing

You have the right to object at any time, free of charge and without providing any justification, to the processing of your personal data for direct marketing purposes, including profiling related to such marketing.

Upon receipt of an objection, the Controller will immediately cease processing personal data for marketing purposes.

2. If the controller is unable to identify the individual submitting the request based on the information provided, the controller shall request additional information from the applicant. A request may be submitted in person or through a proxy (e.g. a family member).

3. For data security purposes, the controller encourages the use of a power of attorney certified by a notary public or an authorised legal advisor or attorney-at-law, which will significantly expedite the verification of its authenticity.

4. A response will be provided in writing, unless the request was submitted by email or the applicant has requested an electronic form of response.

5. Response time — how quickly do we fulfil your request?
If you exercise one of the rights set out above and submit a corresponding request to us, we will comply with the request or refuse to act on it without undue delay and, in any event, within one month of receipt. Where the request is particularly complex or if we receive a high number of requests, this deadline may be extended by up to two further months. In such cases, we will inform you of the extension and the reasons for the delay in advance.
Due to technical reasons, we always require 24 hours to update the preferences you selected in our systems. Therefore, it is possible that during the update process you may receive an email message from us, even if you have opted out of receiving such communications.

6. Submitting complaints, inquiries, and requests
You may submit complaints, inquiries, and requests to us in connection with the processing of your personal data and the exercise of your rights under the GDPR.

IX. PROFILING
Within the scope of the Service, we may automatically tailor certain content to your individual needs, i.e., carry out profiling by using the personal data you have provided. Before we perform profiling that:

a) produces legal effects concerning you, or
b) similarly significantly affects you,

we will first seek your explicit consent. Please note that you may withdraw your consent at any time. The processing of your personal data prior to the withdrawal of consent remains lawful.

Your personal data may be used in the course of profiling activities. Profiling of personal data by the Controller involves the processing of such data (including through automated means) for the purpose of assessing certain personal aspects, in particular to analyse or predict your preferences and interests in connection with the Controller’s offer.

X. DATA SECURITY
The Controller undertakes efforts to ensure the security of your personal data. The Service uses encrypted data transmission (SSL) during the registration and login processes, which safeguards your identifying data and significantly impedes unauthorized access to your Account by third parties or systems.

To ensure the integrity and confidentiality of personal data, the Controller has implemented the following measures:

a) procedures have been introduced to allow access to personal data solely by authorized persons and only to the extent necessary for the performance of their duties;
b) organizational and technical solutions are applied to ensure that all operations involving personal data are recorded and carried out exclusively by authorized personnel;
c) appropriate actions are undertaken to ensure that subcontractors and other entities cooperating with the Controller provide adequate assurances of applying appropriate data security measures whenever they process personal data on behalf of the Controller;
d) risk analyses are conducted, and the adequacy of data protection measures is monitored against identified threats;
e) where necessary, the Controller implements additional measures aimed at enhancing the security of the data.

XI. COOKIES

The Service uses cookies and similar technologies to ensure its proper functioning, improve its performance, analyze traffic, and—subject to the user’s consent—conduct marketing activities.

Cookies are small text files stored on the user’s end device (computer, smartphone, tablet) when visiting the Service. Cookies may be used for the following purposes:

a) ensuring the proper functioning of the Service (necessary cookies);

b) improving the functionality and performance of the Service;

c) generating anonymous statistics and analytics regarding the use of the Service;

d) marketing purposes, including the display of personalized advertisements, subject to the user’s prior consent.

The legal basis for the use of cookies that are strictly necessary for the operation of the Service is the Controller’s legitimate interest (Article 6(1)(f) GDPR in conjunction with Article 173 of the Polish Telecommunications Law).

The use of analytical and marketing cookies is based on the user’s consent (Article 6(1)(a) GDPR).

Users may manage or withdraw their consent to the use of cookies at any time via the cookie consent tool available on the Service or through their web browser settings.

Detailed information regarding cookies used by the Service, including their types, purposes, and retention periods, is available in the separate Cookies Policy published on the Service website.