Privacy Policy

Effective from: 25.05.2025

I. Introductory Provisions

The purpose of this Privacy Policy (hereinafter referred to as the “Policy”) is to provide you, as users of the AreteApp and Diamond Studio platforms, your representatives, or potentially other affected individuals (hereinafter collectively referred to as “data subjects”), with comprehensive information on how UMARUTTI s.r.o., as the data controller (hereinafter referred to as “Controller” or “we”), collects, uses, stores, and otherwise processes your personal data.

The Controller is committed to protecting your personal data in full compliance with the applicable legal regulations of the Czech Republic and the European Union. The processing of personal data is carried out primarily in accordance with the following legal regulations:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter referred to as “GDPR”).
Act No. 110/2019 Coll., on the processing of personal data, as amended (hereinafter referred to as “Personal Data Processing Act”).
Act No. 253/2008 Coll., on certain measures against the legalization of proceeds from crime and the financing of terrorism, as amended (hereinafter referred to as “AML Act”).
Act No. 480/2004 Coll., on certain services of the information society and amending certain acts, as amended, in relevant cases.

The Controller is aware that in addition to these general regulations, there may be specific legal obligations, such as those arising from Act No. 253/2008 Coll., on certain measures against the legalization of proceeds from crime and the financing of terrorism, as amended (hereinafter referred to as “AML Act”), which may in certain cases modify or limit the exercise of certain rights of data subjects in order to fulfill public interest and ensure the effectiveness of measures against money laundering and the financing of terrorism.

This Policy is designed to be clear, understandable, and transparent, as required by the principles of GDPR. The AreteApp and Diamond Studio platforms are primarily intended for wholesale (B2B) cooperation with business entities. However, the Controller is aware that within this cooperation, personal data of individuals represented by or acting for these business entities (e.g., employees, statutory bodies) is processed. Furthermore, in connection with the Diamond Studio platform, the Controller may act as a data processor for its users who present goods to their own clients through this platform. Details regarding this role are provided in the Terms of Use of the AreteApp and Diamond Studio platforms and in the relevant sections of this Policy.

II. Data Controller

The data controller of your personal data is the business company:

UMARUTTI s.r.o.

Registered office: Kozí 916/5, Staré Město, 110 00 Prague 1

Company ID: 41690885

VAT ID: CZ41690885

Registered in the Commercial Register maintained by the Municipal Court in Prague, section C, file 3999.5

Contact details for personal data protection matters:

Email: [email protected]

Phone: +420 606 751 525

Contact person: Vladimír Kondratěnko

Address: Umarutti s.r.o., Kozí 916/5, 110 00 Prague 1, Czech Republic

For inquiries and exercising rights in the area of personal data protection, you can use the above email, or contact the data protection officer's contact details provided below, if appointed, or the specialized contact listed in Chapter XIV of this Policy. Ensuring a clear and accessible communication channel for personal data protection matters is a priority for the Controller so that data subjects can effectively exercise their rights under GDPR.

III. Data Protection Officer (DPO)

The company UMARUTTI s.r.o. has appointed a Data Protection Officer who oversees compliance with the processing of personal data with legal regulations across all company activities, including wholesale and retail sales. The Data Protection Officer is Mr. Vladimír Kondratěnko, the managing director of the company. You can contact the officer regarding any matters related to the processing of your personal data and the exercise of your rights under GDPR. The contact details of the Data Protection Officer are as follows: Email [email protected], phone +420 606 751 525, postal address Kozí 916/5, 110 00 Prague 1.

For effective communication regarding personal data protection matters, we recommend primarily using the email address [email protected].

IV. Principles of Personal Data Processing

The Controller strictly adheres to the fundamental principles set out in Article 5 of the GDPR when processing your personal data. These principles form the basic framework for all processing operations and are binding for the Controller. They are as follows:

Lawfulness, fairness, and transparency:

Personal data is processed based on at least one valid legal basis, fairly, and in a manner that is understandable and open to the data subjects.

Purpose limitation:

Personal data is collected for specific, explicitly stated, and legitimate purposes and must not be further processed in a manner that is incompatible with those original purposes.

Data minimization:

The personal data processed is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. This is reflected, for example, in the design of registration forms and the scope of information required for individual services.

Accuracy:

The Controller ensures that the personal data processed is accurate and, where necessary, kept up to date. It takes all reasonable measures to ensure that personal data which is inaccurate, considering the purposes for which it is processed, is erased or rectified without delay.

Storage limitation:

Personal data is kept in a form which permits identification of data subjects only for as long as is necessary for the purposes for which the data is processed. After this period, the data is either erased or anonymized, unless otherwise provided by law.

Integrity and confidentiality:

Personal data is processed in a manner that ensures its appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage using appropriate technical or organizational measures.

Accountability of the Controller:

The Controller is responsible for compliance with the above principles and must be able to demonstrate this compliance.

The statement of these principles is not merely a formal requirement; the Controller actively implements these principles into its internal processes and daily operations to ensure the actual protection of your personal data.

V. Purposes of Processing, Categories of Personal Data, Legal Basis, and Retention Period

This chapter provides a detailed overview of the purposes for which the Controller processes your personal data, what categories of personal data are relevant for these purposes, on what legal basis it does so, and for how long your personal data will be retained. The clarity of this information is key to fulfilling the principle of transparency under the GDPR.

The following table summarizes the main processing activities of personal data carried out by the Controller:

Purpose of Processing	Categories of Processed Personal Data	Legal Basis for Processing (under GDPR)	Retention period of personal data
1. Registration and management of the user account on the AreteApp and Diamond Studio platforms	Identification data (first name, last name of the contact person, company name, company registration number, VAT number), contact details (email, phone number, registered office/business address), login details (username, password – in securely hashed form).	Performance of the contract (provision of services of the platform according to the Terms of Use) – Article 6(1)(b) GDPR.	For the duration of your registration on the platform. After account cancellation, some data may be retained for the time necessary to protect the legal claims of the Administrator (generally 3-5 years). The Terms of Use provide for the possibility of data export within 30 days of account cancellation; thereafter, the data will be deleted or anonymized unless legal regulations require longer retention.
2. Processing and handling of goods orders (diamonds, jewelry, etc.)	Identification and contact details of the Buyer (as stated above), order details, delivery address, billing information, payment information.	Performance of the purchase contract – Article 6(1)(b) GDPR.	For the time necessary to fully process the order. Subsequently, for the period established by the relevant legal regulations for archiving (typically 10 years for tax documents).
3. Fulfillment of obligations in the area of AML	Identification data of the client, copies of identity documents, information on the origin of funds, and other data required by AML law.	Fulfillment of a legal obligation – GDPR (in connection with AML law).	Generally 10 years from the transaction or termination of the relationship.
4. Provision of functionalities of the Diamond Studio platform (Administrator in the role of processor)	Personal data of clients of the User of the Diamond Studio platform that the User uploads.	Performance of the personal data processing agreement. The User is responsible for ensuring their own legal basis.	For the duration of service provision and in accordance with the User's instructions.
5. Communication with users and customer support	First name and last name, email address, phone number, content of communication.	Legitimate interest of the Administrator in providing support – GDPR. Alternatively, performance of the contract.	For the time necessary to address the inquiry. Subsequently, they may be retained for a reasonable period (e.g., 1-3 years).
6. Sending commercial communications (marketing)	Email address, first name and last name, address (for postal shipments), data from public sources (name, last name, address for B2B postal marketing), possibly information about preferences or purchase history.	For existing B2B customers (email): Legitimate interest – GDPR, § 7(3) of Act No. 480/2004 Coll. For B2B entities in the jewelry sector (mail): Legitimate interest – Article 6(1)(f) GDPR (see below). For other cases: Consent – Article 6(1)(a) GDPR.	Until consent is revoked or an objection is raised. For one-time postal campaigns: One-time, no later than the raising of an objection.
7. Analysis of platform usage and their improvement	IP address, device and browser data, platform usage data, cookie data.	For necessary cookies: Legitimate interest – GDPR. For other cookies: Consent – GDPR.	According to the type of cookie, specified in the Cookie Policy.
8. Ensuring security and protection of legal claims	IP addresses, system logs, transaction data, communication content.	Legitimate interest of the Controller – GDPR.	For as long as necessary, subsequently for the duration of limitation periods (generally 3-5 years).
9. Fulfillment of other legal obligations	Various categories of personal data according to specific obligations.	Fulfillment of legal obligation – GDPR.	For the period specified by the relevant regulation.

Specifics of processing for AML purposes: Processing of personal data for the purpose of fulfilling obligations under the AML Act (point 3 of the table) is governed by specific rules set forth by the AML Act. These rules, particularly § 17a (restriction of information obligation) and § 38 (duty of confidentiality) of the AML Act, may limit the exercise of some of your rights as a data subject (e.g., the right to information about processing, the right of access) in order not to jeopardize the purpose of AML measures and ongoing investigations. More detailed information about these restrictions is provided in Chapter IX of this Policy.

Important clarification regarding the role of the Controller and Processor:

It is essential to distinguish between situations where UMARUTTI s.r.o. acts as the controller of your personal data and situations where it acts as a processor.

UMARUTTI s.r.o. as the controller: In most of the cases described above, particularly during your registration, processing of your orders, fulfillment of AML obligations, marketing communication with you, or analysis of our platform usage, we are the controller of your personal data. This means that we determine the purposes and means of processing.

UMARUTTI s.r.o. as the processor: If you use the Diamond Studio platform to present goods to your own clients and enter their personal data into this platform, then you (as a user of Diamond Studio) are the controller of this data and UMARUTTI s.r.o. acts in the role of processor. We process this data only based on your instructions and in accordance with the data processing agreement. In such a case, it is your obligation as the controller to inform your clients about the processing of their personal data and to ensure a valid legal basis for this processing. This Policy primarily relates to activities where UMARUTTI s.r.o. is the controller.

Legal basis legitimate interest:

If legitimate interest of the Controller (Article 6(1)(f) GDPR) is stated as the legal basis for processing, the Controller always carefully assesses (through a so-called balancing test) whether this interest does not outweigh your interests or fundamental rights and freedoms. You have the right to object to such processing, as described in Chapter IX of this Policy.

Specifics of processing for the purposes of direct mail marketing (Legitimate interest):

A specific case of processing based on legitimate interest is the sending of printed promotional offers (acquisition catalogs) via postal mail. For this purpose, the following applies:

Právní základ: Legal basis: Processing is necessary for the purposes of the legitimate interests of the Controller within the meaning of Article 6(1)(f) GDPR.
Kategorie: Categories of personal data: We process only data obtained from publicly available sources, specifically: name, surname, and address of business entities operating in the jewelry sector.
Účel: Purpose: The purpose is to send promotional offers via postal mail. There is no automatic individual decision-making within the meaning of Article 22 of the regulation.
Legitimate interest: Our legitimate interest lies in direct marketing of our products and services to relevant business entities. Recital 47 of the GDPR states that "processing of personal data for the purposes of direct marketing may be regarded as processing carried out for legitimate interests." Act No. 40/1995 Coll., on the regulation of advertising, allows the dissemination of unsolicited advertising in printed form, provided that it does not disturb the addressee and that the addressee has not previously indicated that they do not wish to receive it. The Controller has conducted an assessment and concluded that considering the public source of data, the B2B nature of communication, the relevance of the offer to the addressed entities, the coverage of costs by the Controller, and the possibility to refuse further sending at any time, the interests or rights of data subjects do not outweigh the legitimate interest of the Controller.
Doba uchování: Retention period: Personal data for this purpose will be processed on a one-time basis for sending, but no longer than until an objection to processing is raised or the right to erasure is exercised.
Příjemci: Recipients: Other recipients may include persons providing technical and delivery services related to sending on behalf of the Administrator. Personal data will not be transferred to a third country.

VI. Sources of Personal Data

The Administrator obtains personal data from the following sources:

Directly from data subjects: This most often includes data that you provide to us when registering on the AreteApp or Diamond Studio platforms, when filling out order forms, when communicating with us (via email, phone, through contact forms), or when you upload content or enter information within the user interface of the platforms.
Automatically while using the platforms: When you visit and interact with our websites and platforms, we may automatically collect certain information, such as your IP address, the type and version of your browser, device type, operating system, pages visited, time spent on pages, actions taken, and other technical data. This data is often collected through cookies and similar technologies.
From publicly available sources: For the purpose of verifying your identity and authorization to act on behalf of a business entity, as well as for fulfilling obligations in the area of AML, we may obtain data from publicly available registers and databases, such as the commercial register, trade register, ARES, records of beneficial owners, etc. For the purposes of direct mail marketing (name, surname, address of B2B entities), publicly available sources may also be used.
From third parties: In the context of the Diamond Studio platform (data of our B2B clients' customers). The responsibility for the legality of obtaining this data lies with our B2B clients. In exceptional cases, we may obtain data from business partners if there is a legal basis for doing so.

Transparency regarding data sources is important to us, especially if the data does not come directly from you.

VII. Recipients of Personal Data and Transfers to Third Countries

The Administrator may make your personal data available or transfer it to the following categories of recipients:

Payment service providers and payment gateways. These providers are independent controllers.
Transport and logistics companies.
Delivery and postal service providers.
IT service providers and technical support. These are usually processors.
Accountants, tax and legal advisors, auditors. They may be processors or controllers.
State authorities and public authorities (e.g., FAÚ, Police of the Czech Republic).
Providers of marketing and communication tools. These are usually processors.
Any other specific recipients, of which you will be informed.

If some recipients are in the position of processors, the Administrator has a contract with them in accordance with Article 28 of the GDPR, which ensures the protection of your rights.

Transfer of Personal Data to Third Countries:

The Administrator primarily seeks to process data in the EU/EEA. Some IT service providers may be located outside the EU/EEA. If a transfer to a third country occurs, it is always in accordance with Chapter V of the GDPR, based on:

A decision by the European Commission on adequate protection; or
Standard contractual clauses (SCC); or
Other appropriate safeguards.

You have the right to request a copy of these guarantees. The administrator conducts regular audits of suppliers.

VIII. Security of Personal Data

The administrator has adopted and maintains appropriate technical and organizational measures to ensure the protection of your personal data, in accordance with Article 32 of the GDPR and taking into account the state of technology, costs, and risks. These measures include:

Physical access control.
Access control to information systems (identities, passwords, MFA, need-to-know principle).
Data encryption (during transmission and storage).
Data backup.
Network security (firewalls, intrusion detection).
Vulnerability updates and management.
Employee training.
Procedures for handling security incidents (including reporting to the ÚOOÚ).
Data minimization.

You are also responsible for protecting your access credentials. We recommend choosing strong passwords and changing them regularly. No data transmission is 100% secure, so please exercise caution.

IX. Rights of Data Subjects

The GDPR grants you a number of rights that you can exercise. The administrator is obliged to respond within one month (this period may be extended by two months). Please note that the exercise of certain rights may be limited by the AML law (§ 17a, § 38).

You have the following rights:

Right of access (Article 15 GDPR):

The right to obtain confirmation of processing and access to data and information. It may be limited by the AML law.

Right to rectification (Article 16 GDPR):

The right to rectify inaccurate data and to complete incomplete data. It may be limited by the AML law.

Right to erasure (Article 17 GDPR):

The right to have data erased under certain conditions. It is not absolute; there are exceptions (e.g., AML law).

Right to restriction of processing (Article 18 GDPR):

The right to restrict processing in certain cases. It may be limited by the AML law.

Right to data portability (Article 20 GDPR):

The right to obtain and transfer data if the processing is based on consent or a contract and is carried out automatically.

The right to object (Article 21 GDPR):

The right to object to processing based on legitimate interest. If data is processed for direct marketing purposes (including sending postal offers), you have the right to object at any time, and the data will not be further processed.

Rights related to automated decision-making (Article 22 GDPR):

The right not to be subject to a decision based solely on automated processing with significant effects, with exceptions.

The right to withdraw consent (Article 7(3) GDPR):

The right to withdraw consent at any time if processing is based on it. Withdrawal of consent must be easy.

The right to lodge a complaint (Article 77 GDPR):

The right to lodge a complaint with a supervisory authority (in the Czech Republic, the Office for Personal Data Protection - ÚOOÚ).

How to exercise your rights:

You can exercise your rights by email or by post to the contacts listed in Chapter II or XIV. Please provide sufficient identification and specification of your request. We may ask you for additional verification of your identity.

X. Cookies and Similar Technologies

Our websites and platforms use cookies and similar technologies to ensure functionality, improve comfort, analyze, and personalize. Cookies are small text files stored on your device.

Detailed information about the types of cookies, purposes, legal basis, and validity period can be found in our Cookie Policy, which is available on the website. Here you will also find information on how to manage your preferences and consent.

XI. Automated Decision-Making and Profiling

We inform you about the use of automated decision-making and profiling.

Automatizované rozhodování s právními účinky: Automated decision-making with legal effects: The controller does not carry out such decision-making. Key decisions are made with human review.

Profilování: Profiling for other purposes: We may use profiling for content and offer personalization and for segmentation for marketing purposes. This does not have legal or significant effects under Article 22 GDPR. You have the right to object to this.

If we were to implement automated decision-making under Article 22 in the future, we will inform you in advance.

XII. Complaints and Contact Details of the Supervisory Authority

If you believe that there has been a violation of the GDPR, you have the right to lodge a complaint with the Office for Personal Data Protection (ÚOOÚ).

Contact details of ÚOOÚ:

Address: Pplk. Sochora 27, 170 00 Prague 7

Phone: +420 234 665 111

Email: [email protected]

Web: www.uoou.gov.cz

Data box ID: qkbaa2n3

However, we recommend contacting us first; we will try to address your suggestions.

XIII. Changes to these Principles

The administrator is entitled to change these Principles. You will be informed of changes by publication on the website. In the case of substantial changes, we may also inform you by email.

We recommend regularly monitoring the current wording. The date of the last update is indicated at the beginning of the document. By continuing to use the platforms after the changes take effect, you express your consent.

XIV. Contact Information for Personal Data Protection Matters

For any inquiries, requests, suggestions, or complaints, please contact:

Email: [email protected]

Phone: +420 606 751 525

Contact person: Vladimír Kondratěnko

Address: Umarutti s.r.o., Kozí 916/5, 110 00 Prague 1, Czech Republic

Language Clause:

This document may be executed in Czech and in other language versions. In the event of any discrepancies between the Czech version and any other language version, the Czech version shall prevail. The only legally binding version of this document is the Czech language version. All translations into other languages are provided for informational purposes only and are not legally binding.