Privacy Policy

Effective as of: 25.05.2025

I. Introductory Provisions

The purpose of this Privacy Policy (hereinafter the “Policy”) is to provide you, as users of the AreteApp and Diamond Studio platforms, your representatives, or, as applicable, other affected natural persons (hereinafter collectively the “data subjects”), with comprehensive information on how UMARUTTI s.r.o., as the controller of personal data (hereinafter the “Controller” or “we”), collects, uses, stores, and otherwise processes your personal data.

The Controller undertakes to protect your personal data in full compliance with the applicable legal regulations of the Czech Republic and the European Union. The processing of personal data is carried out primarily in accordance with the following legal regulations:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter “GDPR”).
Act No. 110/2019 Coll., on the processing of personal data, as amended (hereinafter “Personal Data Processing Act”).
Act No. 253/2008 Coll., on certain measures against the legalization of proceeds of crime and the financing of terrorism, as amended (hereinafter “AML Act”).
Act No. 480/2004 Coll., on certain information society services and on amendments to certain acts, as amended, in relevant cases.

The Controller is aware that, in addition to these general regulations, there may be specific statutory obligations, such as those arising from Act No. 253/2008 Coll., on certain measures against the legalization of proceeds of crime and the financing of terrorism, as amended (hereinafter “AML Act”), which may, in certain cases, modify or limit the exercise of certain rights of data subjects in order to fulfil the public interest and ensure the effectiveness of measures against money laundering and terrorist financing.

This Policy is designed to be clear, comprehensible, and transparent, as required by the principles of the GDPR. The AreteApp and Diamond Studio platforms are primarily intended for wholesale (B2B) cooperation with business entities. However, the Controller is aware that, within the framework of such cooperation, personal data of natural persons who represent or act for these business entities (e.g., employees, statutory bodies) are processed. Furthermore, in connection with the Diamond Studio platform, the Controller may act in the role of a processor of personal data for its users who, through this platform, present goods to their own clients. Details regarding this role are set out in the Terms of Use of the AreteApp and Diamond Studio platform and in the relevant sections of this Policy.

II. Personal Data Controller (Data Controller)

The controller of your personal data is the business company:

UMARUTTI s.r.o.

Registered office: Kozí 916/5, Staré Město, 110 00 Prague 1

Company ID No.: 41690885

VAT ID No.: CZ41690885

Entered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File 3999.5

Contact details for personal data protection matters:

Email: [email protected]

Telephone: +420 606 751 525

Contact person: Vladimír Kondratěnko

Address: Umarutti s.r.o., Kozí 916/5, 110 00 Prague 1, Czech Republic

For the purposes of inquiries and exercising rights in the area of personal data protection, you may use the above email address, or contact the contact details of the Data Protection Officer listed below, if appointed, or the dedicated contact provided in Chapter XIV of this Policy. Ensuring a clear and accessible communication channel for personal data protection matters is a priority for the Controller so that data subjects can effectively exercise their rights under the GDPR.

III. Data Protection Officer (Data Protection Officer - DPO)

UMARUTTI s.r.o. has appointed a Data Protection Officer who oversees compliance of personal data processing with legal regulations across all of the company’s activities, including both wholesale and retail sales. The Data Protection Officer is Mr. Vladimír Kondratěnko, the company’s managing director. You may contact the Data Protection Officer in all matters related to the processing of your personal data and the exercise of your rights under the GDPR. The contact details of the Data Protection Officer are as follows: Email [email protected], telephone +420 606 751 525, postal address Kozí 916/5, 110 00 Prague 1.

For efficient communication in personal data protection matters, we recommend primarily using the email address [email protected].

IV. Principles of Personal Data Processing

When processing your personal data, the Controller strictly complies with the fundamental principles set out in Article 5 of the GDPR. These principles form the basic framework for all processing operations and are binding on the Controller. These are the following principles:

Lawfulness, fairness and transparency:

Personal data are processed on the basis of at least one valid legal basis, fairly and in a manner that is understandable and open to data subjects.

Purpose limitation:

Personal data are collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those original purposes.

Data minimisation:

The personal data processed are adequate, relevant and limited to what is strictly necessary in relation to the purposes for which they are processed. This is reflected, for example, in the design of registration forms and the scope of information required for individual services.

Accuracy:

The Controller ensures that the personal data processed are accurate and, where necessary, kept up to date. It takes all reasonable steps to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage limitation:

Personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed. After this period, the data are either erased or anonymised, unless legal regulations provide otherwise.

Integrity and confidentiality:

Personal data are processed in a manner that ensures appropriate security, including protection by means of suitable technical or organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Controller accountability:

The Controller is responsible for compliance with the above principles and must be able to demonstrate such compliance.

The listing of these principles is not merely a formal requirement; the Controller actively implements these principles in its internal processes and day-to-day operations to ensure genuine protection of your personal data.

V. Purposes of Processing, Categories of Personal Data, Legal Basis and Retention Period

This chapter provides a detailed overview of the purposes for which the Controller processes your personal data, which categories of personal data are relevant for these purposes, the legal basis on which it does so, and the period for which your personal data will be retained. The clarity of this information is key to fulfilling the GDPR transparency principle.

The following table summarises the main personal data processing activities carried out by the Controller:

Purpose of processing	Categories of processed personal data	Legal basis for processing (under the GDPR)	Retention period for personal data
1. Registration and management of a user account on the AreteApp and Diamond Studio platforms	Identification data (first name, last name of the contact person, company name, Company ID No., VAT ID No.), contact details (e-mail, phone number, registered office/establishment address), login credentials (username, password – in a securely hashed form).	Performance of a contract (provision of platform services under the Terms of Use) – Art. 6(1)(b) GDPR.	For the duration of your registration on the platform. After account cancellation, certain data may be retained for the period necessary to protect the Controller’s legal claims (typically 3–5 years). The Terms of Use provide for the possibility to export data within 30 days of account cancellation; thereafter, the data will be deleted or anonymized unless legal regulations require longer retention.
2. Processing and fulfilment of orders for goods (diamonds, jewellery, etc.)	Identification and contact details of the Buyer (as stated above), order details, delivery address, invoicing details, payment information.	Performance of a purchase contract – Art. 6(1)(b) GDPR.	For the period necessary to fully fulfil the order. Subsequently, for the period required by applicable legal regulations for archiving (typically 10 years for tax documents).
3. Fulfilment of obligations in the area of AML	Client identification data, copies of identity documents, information on the source of funds, and other data required by the AML Act.	Compliance with a legal obligation – GDPR (in conjunction with the AML Act).	Typically 10 years from the execution of the transaction or termination of the relationship.
4. Provision of Diamond Studio platform functionalities (Controller acting as a processor)	Personal data of the User’s clients of the Diamond Studio platform that the User uploads.	Performance of a personal data processing agreement. The User is responsible for ensuring its own legal basis.	For the duration of the service provision and in accordance with the User’s instructions.
5. Communication with users and customer support	First name and last name, e-mail address, phone number, content of communication.	The Controller’s legitimate interest in providing support – GDPR. Alternatively, performance of a contract.	For the period necessary to handle the enquiry. Subsequently, they may be retained for a reasonable period (e.g., 1–3 years).
6. Sending commercial communications (marketing)	E-mail address, first name and last name, address (for postal mailings), data from public sources (first name, last name, address for B2B postal marketing), and, where applicable, information about preferences or purchase history.	For existing B2B customers (e-mail): Legitimate interest – GDPR, Section 7(3) of Act No. 480/2004 Coll. For B2B entities in the jewellery industry (post): Legitimate interest – Art. 6(1)(f) GDPR (see below). For other cases: Consent – Art. 6(1)(a) GDPR.	Until consent is withdrawn or an objection is raised. For one-off postal campaigns: One-off, at the latest until an objection is raised.
7. Analysis of platform usage and their improvement	IP address, device and browser data, platform usage data, cookie data.	For necessary cookies: Legitimate interest – GDPR. For other cookies: Consent – GDPR.	Depending on the type of cookie, as specified in the Cookie Policy.
8. Ensuring security and protection of legal claims	IP addresses, system logs, transaction data, communication content.	Legitimate interest of the Controller – GDPR.	For the period strictly necessary, subsequently for the duration of the limitation periods (typically 3–5 years).
9. Compliance with other statutory obligations	Various categories of personal data depending on the specific obligation.	Compliance with a legal obligation – GDPR.	For the period stipulated by the relevant regulation.

Specifics of processing for AML purposes: The processing of personal data for the purpose of fulfilling obligations under the AML Act (item 3 of the table) is governed by specific rules set out in the AML Act. These rules, in particular Section 17a (restriction of the information obligation) and Section 38 (duty of confidentiality) of the AML Act, may limit the exercise of some of your rights as a data subject (e.g., the right to information about processing, the right of access) in order not to jeopardize the purpose of AML measures and ongoing investigations. More detailed information about these restrictions is provided in Chapter IX of these Policy.

Important clarification regarding the role of the Controller and the Processor:

It is essential to distinguish between situations where UMARUTTI s.r.o. acts as the controller of your personal data and situations where it acts as a processor.

UMARUTTI s.r.o. as the Controller: In most of the cases described above, in particular when you register, we process your orders, fulfill AML obligations, communicate with you for marketing purposes, or analyze the use of our platforms, we are the controller of your personal data. This means that we determine the purposes and means of processing.

UMARUTTI s.r.o. as the Processor: If you use the Diamond Studio platform to present goods to your own clients and you enter their personal data into this platform, then you (as a Diamond Studio user) are the controller of such data and UMARUTTI s.r.o. acts in the role of the processor. We process these data only on the basis of your instructions and in accordance with the personal data processing agreement. In such a case, it is your obligation as the controller to inform your clients about the processing of their personal data and to ensure a valid legal basis for such processing. These Policy primarily apply to activities where UMARUTTI s.r.o. is the controller.

Legal basis legitimate interest:

Where the Controller’s legitimate interest (Article 6(1)(f) GDPR) is stated as the legal basis for processing, the Controller always carefully assesses (through a so-called balancing test) whether its interest does not override your interests or fundamental rights and freedoms. You have the right to object to such processing, as described in Chapter IX of these Policy.

Specifics of processing for the purposes of direct postal marketing (Legitimate interest):

A special case of processing based on legitimate interest is the sending of printed advertising offers (acquisition catalogs) via postal mail. The following applies for this purpose:

Právní základ: Legal basis: Processing is necessary for the purposes of the Controller’s legitimate interests within the meaning of Article 6(1)(f) GDPR.
Kategorie: Categories of personal data: We process only data obtained from publicly available sources, specifically: first name, last name, and address of business entities operating in the jewelry industry.
Účel: Purpose: The purpose is to send advertising offers via postal mail. No automated individual decision-making within the meaning of Article 22 of the Regulation takes place.
Legitimate interest: Our legitimate interest consists in direct marketing of our products and services to relevant business entities. Recital 47 GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Act No. 40/1995 Coll., on the Regulation of Advertising, allows the dissemination of unsolicited advertising in paper form provided it does not annoy the addressee and provided the addressee has not previously indicated that they do not wish to receive it. The Controller carried out an assessment and concluded that, in view of the public source of the data, the B2B nature of the communication, the relevance of the offer to the contacted entities, the Controller’s payment of the costs, and the possibility to refuse further mailings at any time, the interests or rights of the data subjects do not override the Controller’s legitimate interest.
Doba uchování: Retention period: Personal data for this purpose will be processed on a one-off basis for sending, however no longer than until an objection to the processing is raised or the right to erasure is exercised.
Příjemci: Recipients: Other recipients may include persons providing the Controller with technical and delivery services related to sending. Personal data will not be transferred to a third country.

VI. Sources of Personal Data (Sources of Personal Data)

The Controller obtains personal data from the following sources:

Transparency regarding data sources is important to us, especially if the data do not originate directly from you.

VII. Recipients of Personal Data and Transfers to Third Countries

The Controller may make your personal data available or transfer it to the following categories of recipients:

If some recipients act as processors, the Controller has concluded with them a contract pursuant to Article 28 GDPR, which ensures the protection of your rights.

Transfers of personal data to third countries:

The Controller primarily seeks to process data in the EU/EEA. Some IT service providers may be located outside the EU/EEA. If a transfer to a third country occurs, it is always in accordance with Chapter V GDPR, i.e., on the basis of:

You have the right to request a copy of these safeguards. The Controller conducts regular audits of suppliers.

VIII. Security of Personal Data (Security of Personal Data)

The Controller has adopted and maintains appropriate technical and organizational measures to ensure the protection of your personal data, in accordance with Article 32 GDPR and taking into account the state of the art, costs, and risks. These measures include:

You are also responsible for protecting your access credentials. We recommend choosing strong passwords and changing them. No data transmission is 100% secure; therefore, please exercise caution.

IX. Rights of Data Subjects (Rights of Data Subjects)

The GDPR grants you a number of rights that you may exercise. The Controller is obliged to respond within one month (the period may be extended by two months). Please note that the exercise of certain rights may be limited by the AML Act (§ 17a, § 38).

You have the following rights:

Right of access (Art. 15 GDPR):

The right to obtain confirmation as to whether personal data are being processed and access to the data and information. It may be limited by the AML Act.

Right to rectification (Art. 16 GDPR):

The right to have inaccurate data rectified and incomplete data completed. It may be limited by the AML Act.

Right to erasure (Art. 17 GDPR):

The right to have data erased under the specified conditions. It is not absolute; exceptions apply (e.g., the AML Act).

Right to restriction of processing (Art. 18 GDPR):

The right to restrict processing in certain cases. It may be limited by the AML Act.

Right to data portability (Art. 20 GDPR):

The right to obtain and transmit data, where the processing is based on consent or a contract and is carried out by automated means.

Right to object (Art. 21 GDPR):

The right to object to processing based on legitimate interest. If the data are processed for direct marketing purposes (including sending postal offers), you have the right to object at any time and the data will no longer be processed.

Rights related to automated decision-making (Art. 22 GDPR):

The right not to be subject to a decision based solely on automated processing with significant effects, subject to exceptions.

Right to withdraw consent (Art. 7(3) GDPR):

The right to withdraw consent at any time if the processing is based on it. Withdrawal of consent must be easy.

Right to lodge a complaint (Art. 77 GDPR):

The right to lodge a complaint with a supervisory authority (in the Czech Republic, the UOOU).

How to exercise your rights:

You may exercise your rights by e-mail or by post using the contact details provided in Sections II or XIV. Please provide sufficient identification and specify your request. We may ask You for additional identity verification.

X. Cookies and similar technologies (Cookies and Similar Technologies)

Our websites and platforms use cookies and similar technologies to ensure functionality, improve convenience, enable analytics, and provide personalization. Cookies are small text files stored on Your device.

Detailed information about the types of cookies, purposes, legal basis, and retention period can be found in our Cookie Policy, which is available on the website. There you will also find information on how to manage your preferences and consent.

XI. Automated decision-making and profiling (Automated Decision-Making and Profiling)

We inform You about the use of automated decision-making and profiling.

Automatizované rozhodování s právními účinky: Automated decision-making with legal effects: The Controller does not carry out such decision-making. Key decisions are made with human review.

Profilování: Profiling for other purposes: We may use profiling to personalize content and offers and for segmentation for marketing purposes. This does not have legal or similarly significant effects under Art. 22 GDPR. You have the right to object to this.

If we were to introduce automated decision-making under Art. 22 in the future, we will inform You in advance.

XII. Complaints and contact details of the supervisory authority (Complaints and Contact Details of the Supervisory Authority)

If You believe that the GDPR has been infringed, You have the right to lodge a complaint with the Office for Personal Data Protection (UOOU).

UOOU contact details:

Address: Pplk. Sochora 27, 170 00 Prague 7

Phone: +420 234 665 111

E-mail: [email protected]

Website: www.uoou.gov.cz

Data box ID: qkbaa2n3

However, we recommend that you contact us first; we will try to resolve your concerns.

XIII. Changes to these Policies

The Controller is entitled to amend these Policies. You will be informed of changes by publication on the website. In the event of material changes, we may also inform you by email.

We recommend that you regularly review the current wording. The date of the last update is stated at the beginning of the document. By continuing to use the platforms after the changes take effect, you express your consent.

XIV. Contact details for personal data protection matters

For any questions, requests, suggestions, or complaints, please contact:

Email: [email protected]

Phone: +420 606 751 525

Contact person: Vladimír Kondratěnko

Address: Umarutti s.r.o., Kozí 916/5, 110 00 Prague 1, Czech Republic

Language Clause / Language Clause:

This document may be executed in Czech and in other language versions. In the event of any discrepancies between the Czech version and any other language version, the Czech version shall prevail. The only legally binding version of this document is the Czech language version. All translations into other languages are provided for informational purposes only and are not legally binding.