Privacy policy
Last updated: 14 May 2026
Aurelia London Ltd ("we", "us", "our") is committed to protecting the privacy of every visitor to our website and every Client of our atelier. This Privacy Policy explains what personal data we collect, how we use it, the legal bases on which we rely, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller is Aurelia London Ltd, 14 Hatton Garden, London EC1N 8AT. Our Data Protection Officer can be reached at [email protected].
2. Personal Data We Collect
- Identity and contact data — full name, postal address, email address, telephone number, title.
- Transaction data — details of pieces purchased, payment method (we do not store full card numbers; payments are processed by Stripe Payments UK Ltd), invoices and delivery confirmations.
- Atelier data — measurements, ring sizes, design preferences, photographs of work in progress (with your consent).
- Technical data — IP address, browser type and version, time-zone setting, device identifiers, pages visited on this website.
- Marketing data — your preferences in receiving communications from us.
3. How We Use Your Data and the Legal Basis
- To respond to enquiries and provide quotations — performance of a contract or pre-contract steps at your request.
- To produce, deliver and insure your jewellery — performance of a contract.
- To comply with hallmarking, anti-money-laundering and tax obligations — legal obligation.
- To operate, secure and improve this website — legitimate interests.
- To send occasional editorial newsletters and private-view invitations — your consent, withdrawable at any time.
4. Disclosure of Your Data
We share personal data only with carefully selected processors bound by written agreements: our hosting provider (Cloudflare), payment processor (Stripe), insured carriers (Royal Mail Special Delivery, Brink's), the London Assay Office, our independent gemmological laboratory (GIA), and our chartered accountants. We never sell or rent personal data.
5. International Transfers
Where personal data is transferred outside the United Kingdom, we rely on UK Adequacy Regulations or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, and we apply appropriate technical and organisational safeguards.
6. Data Retention
Enquiry data is retained for 24 months. Order and accounting records are retained for 7 years to comply with HMRC requirements. Anti-money-laundering records are retained for 5 years after the end of the business relationship. Marketing preferences are retained until you withdraw consent.
7. Your Rights
Under the UK GDPR you have the right to access, rectify, erase, restrict, port or object to the processing of your personal data, and to lodge a complaint with the Information Commissioner's Office (ico.org.uk). To exercise any of these rights please write to [email protected]; we respond within one month.
8. Security
We employ TLS 1.3 encryption in transit, AES-256 encryption at rest and role-based access control, and we hold an annually renewed Cyber Essentials Plus certification. Despite this, no system is impervious; we therefore notify the ICO and affected Clients, within 72 hours of becoming aware, of any data breach likely to result in a high risk to their rights and freedoms.
9. Changes to This Policy
We review this policy at least annually. Material changes are notified by email to active Clients and posted on this page; the "Last updated" date at the top of this page is updated accordingly.