1. Controller

ELARION DIAMOND LTD (the “Company”, “we”, “us”, or “our”) is the data controller for the personal data described in this policy.

Registered company name: ELARION DIAMOND LTD

Registered / business address: 71–75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom

Customer support email: support@elariondiamond.com

Website: https://elariondiamond.com/

2. Scope

This Privacy Policy explains how we collect, use, disclose and protect personal data when you visit our website, create an account, purchase products, use our services, contact us, or otherwise interact with us.

3. Categories of personal data we collect

• Identity & contact data: name, email, postal address, phone number.
• Account and credentials: username, password (hashed), authentication tokens.
• Transaction & order data: order history, billing and shipping addresses, invoices.
• Payment data: payment card details are processed by our payment providers — we do not store full card CVV data on our systems.
• Marketing & preferences: marketing consent, subscription preferences, loyalty program data.
• Device & usage data: IP address, browser, device type, cookies and similar technologies, analytics data.
• Customer support & communications: messages, feedback, call recordings (if applicable).
• Referral contacts: when you provide a friend’s contact to send an invitation (you confirm you have their consent).
• Other information you submit: product reviews, images, custom order instructions.

4. Special / sensitive data

We do not normally collect special category (sensitive) personal data (e.g., health, religion, racial/ethnic origin, political opinions). If we ever need to process special category data we will set out the legal basis and get explicit consent or rely on another permitted condition in the law before doing so.

5. Legal bases for processing

We will only process personal data where we have a lawful basis under the UK GDPR/EU GDPR, e.g.:

• Performance of a contract — to process and fulfil orders, deliver products and provide customer service.
• Legal obligation — to comply with tax, accounting, and regulatory obligations.
• Legitimate interests — where our interest in operating the business (fraud prevention, platform security, direct marketing to existing customers) is balanced with your privacy rights — we document these assessments.
• Consent — for marketing emails to individuals when required by law (PECR) and for non-essential cookies and tracking where consent is required. You may withdraw consent at any time.

(We document which basis applies to each processing activity.)

6. Purposes of processing

• Accept and process orders, handle payments, deliver goods and handle returns;
• Provide customer service and respond to queries;
• Prevent and detect fraud and abuse;
• Personalise your shopping experience and recommend products;
• Send transactional messages (order confirmations, shipping notices, account updates);
• Send marketing communications where we have consent or a legal basis (soft opt-in may apply for existing customers under PECR);
• Maintain and improve our website and analytics (with consent where required);
• Meet legal obligations (tax, accounting, regulatory recordkeeping);
• Other legitimate business purposes (e.g., dispute resolution, enforcing our terms).

7. Sharing and processors

We share data with third parties only as necessary, including:

• Payment processors and banks;
• Shipping and fulfilment partners;
• Website hosting, analytics and marketing platforms;
• Customer support providers;
• Professional advisers and auditors;
• Law enforcement and regulators where required.

We use Data Processing Agreements (DPAs) with our processors and require appropriate technical and organisational measures. We maintain a list of our processors on request.

8. International transfers

Where data is transferred outside the UK/EEA (for example to US-based processors), we safeguard transfers using one or more of the following: adequacy decisions, Standard Contractual Clauses (SCCs) / International Data Transfer Agreements (IDTAs), Binding Corporate Rules where applicable, and transfer-impact assessments. Details of international transfers are available on request.

9. Retention

We keep personal data only as long as necessary for the purpose collected and to meet legal obligations. Example retention periods (subject to change and justification):

• Order & transaction records / invoices: 6 years (tax and legal requirements).
• Accounting and payroll records: as required by law (e.g., HMRC obligations).
• Marketing preferences & consent records: until consent is withdrawn + evidence storage for audit.
• Customer account data: stored while account active; inactive accounts are reviewed after [e.g., 3 years] and removed unless otherwise required.
• Analytics data: anonymised for long-term use; identifiable analytics deleted or aggregated.

10. Cookies & tracking

We use essential cookies (no consent required for core functionality) and non-essential cookies (analytics, advertising) for which we obtain clear, granular consent. Our cookie banner allows Accept / Reject / Manage choices and logs consent records. See our Cookie Policy for details.

11. Data subject rights

You have rights under UK GDPR/EU GDPR (where applicable) including: right of access (subject access request), rectification, erasure (right to be forgotten) where applicable, restriction of processing, data portability, objection to processing (including profiling), and withdraw consent.

We respond to requests without undue delay and within one month (extendable by a further two months for complex requests). We verify identity and may refuse manifestly unfounded requests (documented).

12. Marketing

We comply with PECR for electronic marketing. For marketing emails to individuals we will either rely on consent or the soft-opt-in for existing customers where it applies. Each marketing message has an easy unsubscribe link. We keep records of consents and opt-outs.

13. Security

We implement appropriate technical and organisational measures (encryption in transit, access controls, logging, backups, staff training, vulnerability management) and require processors to do the same. Payment card data is handled only by PCI-DSS compliant providers and we do not store sensitive authentication data (CVV) on our systems.

14. Data breach

We maintain a breach response plan. Where a notifiable personal data breach occurs, we will notify the ICO within 72 hours (or explain the delay) and notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms. We keep internal records of all breaches.

15. Children

Our services are not marketed to children under 13 without parental consent. If we collect data from children, we obtain parental consent where required and verify age where appropriate.

16. Automated decision-making / profiling

If we use profiling or automated decision-making that has legal or similarly significant effects, we will disclose this, explain the logic, and provide ways to object or request human review.

17. Changes and contact

We may update this policy; we will publish the updated policy on the website with a new “last updated” date. For questions or data subject requests contact: support@elariondiamond.com or write to ELARION DIAMOND LTD, 71–75 Shelton Street, Covent Garden, London WC2H 9JQ.

If you remain unhappy you have the right to complain to the UK Information Commissioner’s Office (ICO).

18. Legal disclaimer

This policy is our public privacy statement. For legal certainty and business-critical decisions you should review the final policy with legal counsel.