AethelGem Privacy Policy
Last Updated: February 7, 2026
Effective Date: January 24, 2026
Welcome to AethelGem ("we", "us", "our", "the Site"). This Privacy Policy explains how we collect, use, store, and protect your personal information, and the rights you have under applicable data protection laws. We are committed to complying with the GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and China's Personal Information Protection Law (PIPL).
1. Information We Collect
To provide a personalized luxury shopping experience, we collect the following types of information:
**1.1 Information You Provide Directly**
• Account Information: Name, email address, password (encrypted)
• Profile Data: Avatar, preferred language, currency, timezone settings
• Communication Records: Your communications with our customer support
**1.2 Information Collected Automatically**
• Technical Data: IP address, browser type and version, device type, operating system, screen resolution
• Usage Data: Access times, session duration, clickstream data, page navigation paths, search queries
• Location Data: Approximate geographic location (city/region level) based on IP address
• Cookies and Similar Technologies: See our Cookie Policy for details
2. How We Use Your Information and Legal Basis
We process your personal information based on the following legal grounds:
**2.1 Performance of Contract (GDPR Art. 6(1)(b))**
• Creating and managing your user account
• Providing personalized product recommendations and shopping guidance
• Processing your requests and inquiries
**2.2 Legitimate Interests (GDPR Art. 6(1)(f))**
• Analyzing user behavior to improve website functionality and user experience
• Detecting and preventing fraud, abuse, or security incidents
• Conducting market research and business analysis
**2.3 Legal Obligation (GDPR Art. 6(1)(c))**
• Complying with applicable laws and regulations
• Responding to lawful requests from law enforcement
**2.4 Your Consent (GDPR Art. 6(1)(a))**
• Sending marketing communications (you can unsubscribe anytime)
• Using non-essential cookies and analytics tools
• Participating in user surveys or feedback collection
3. Third-Party Services and Data Sharing
**3.1 Amazon Associates Affiliate Disclosure**
AethelGem is a participant in the Amazon Associates Program. When you click a product link and are redirected to Amazon to make a purchase:
• Amazon uses cookies to track the referral source
• We may earn a commission from qualifying purchases (at no extra cost to you)
• Your purchase activity is subject to Amazon's Privacy Policy
**3.2 Third-Party Service Providers**
We only share data with the following types of service providers when necessary:
• Cloud service providers (database hosting, CDN)
• Analytics services (Google Analytics - IP anonymization enabled)
• Authentication services (Google OAuth, GitHub OAuth)
• Email service providers
**3.3 Data Sharing Principles**
• We do **NOT** sell your personal information to any third parties
• All third-party service providers are bound by Data Processing Agreements (DPA)
• We only share the minimum data necessary to provide services
• Third-party providers may not use your data for their own purposes
4. Your Rights
Depending on your location, you have the following rights:
**4.1 Right to Access**
You have the right to obtain a copy of the personal data we hold about you and information about how we process it.
**4.2 Right to Rectification**
You have the right to request correction of inaccurate or incomplete personal data.
**4.3 Right to Erasure (Right to be Forgotten)**
You have the right to request deletion of your personal data when:
• The data is no longer necessary for the purposes collected
• You withdraw consent and there is no other legal basis
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
**4.4 Right to Restrict Processing**
In certain circumstances, you have the right to request restriction of processing of your personal data.
**4.5 Right to Data Portability**
You have the right to receive your data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
**4.6 Right to Object**
You have the right to object at any time to processing based on legitimate interests, as well as to direct marketing.
**4.7 CCPA-Specific Rights (California Residents)**
• Right to Know: Information about categories and specific pieces of personal information collected
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out of Sale: We do not sell personal information, but you have the right to explicitly opt out
• Right to Non-Discrimination: Exercising your privacy rights will not result in discriminatory treatment
**How to Exercise Your Rights:**
Please email privacy@aethelgem.com. We will respond to your request within 30 days.
5. Data Security
We implement multi-layered security measures to protect your data:
**5.1 Transmission Security**
• Full-site HTTPS (TLS 1.3) encryption for all transmissions
• JWT token authentication for API requests
• Re-authentication required for sensitive operations
**5.2 Storage Security**
• Passwords hashed using the bcrypt algorithm
• Industry-standard encryption for database storage
• Regular security audits and vulnerability scans
**5.3 Access Control**
• Role-Based Access Control (RBAC)
• Principle of least privilege
• Employee data access logging
**5.4 Incident Response**
In the event of a data breach, we will notify relevant supervisory authorities and affected users within 72 hours of discovery.
6. Data Retention
We retain your data only for as long as necessary to fulfill the purposes for which it was collected:
**6.1 Account Data**
• Active accounts: Retained until you delete your account
• Deleted accounts: Data purged within 30 days of deletion
**6.2 Analytics Data**
• Anonymized analytics data may be retained indefinitely for service improvement
• Personal identifiers deleted or anonymized after 26 months
**6.3 Legal Requirements**
• Data required by applicable laws (e.g., tax records) retained according to statutory periods
7. International Data Transfers
Our servers may be located in different countries/regions. When we transfer data outside your country:
• For EU users: Data transfers are based on Standard Contractual Clauses (SCCs) approved by the European Commission
• We ensure recipients provide a level of protection equivalent to GDPR
• Personal information of Chinese users is primarily stored on servers within China
8. Children's Privacy
Our services are not directed to children under 16 years of age. If we discover that we have inadvertently collected personal information from a child, we will delete it immediately. Please contact us if you believe we may have information from a child.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience. Please see our Cookie Policy for details, including:
• Types of cookies we use and their purposes
• How to manage your cookie preferences
• Third-party cookie usage
10. Policy Updates
We may update this Privacy Policy from time to time. We will notify you of significant changes through:
• Website announcements
• Email notifications (where applicable)
• Updated "Last Updated" date at the top of this page
Continued use of our services constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
**Privacy Contact**
• Email: privacy@aethelgem.com
• Response Time: We will respond to your request within 30 days
**Legal Contact**
• Email: legal@aethelgem.com
If you are dissatisfied with how we handle your data, you have the right to lodge a complaint with the data protection supervisory authority in your jurisdiction.
This Privacy Policy forms part of the agreement between you and AethelGem. By using our services, you agree to the terms of this policy.