Privacy Policy

Effective date:

This Privacy Policy explains how Gemalli, operated by Lux-Promo, collects, uses, retains, and shares personal data when you use the Platform. It applies to all users: Manufacturers, Buyers, and visitors.

1. Who We Are

Gemalli is a B2B lead-generation platform for Ukrainian manufacturers operated by Lux-Promo. For the purposes of EU data protection law, Lux-Promo acts as the data controller for personal data processed through the Platform.

Contact for data protection inquiries — email: editorial@gemalli.com, with the subject line "Privacy / Data Request".

2. Data We Collect

We collect the following categories of personal data:

2.1 Account and Profile Data

  • Business email address (used as account identifier and for notifications)
  • Display name and, for Manufacturer accounts, company name, company description, and publicly listed contact details
  • Profile photo or logo (if uploaded)
  • Role type: Manufacturer or Buyer

2.2 Manufacturer-Specific Data

  • Product listings, descriptions, images, and associated metadata
  • Director profiles (name, biography, photo) if voluntarily added
  • Blog post content and bylines
  • Certification documents uploaded for display purposes

2.3 Buyer-Submitted Inquiry Data

  • RFQ content: inquiry description, product category, volume, target delivery country
  • Email address and company details submitted in the RFQ form

2.4 Telegram Bot Subscriber Data

  • Telegram chat_id for users who opt into Telegram notification delivery
  • No additional Telegram profile data is stored beyond what is necessary to deliver notifications

2.5 Analytics Data

  • Page view events collected by Plausible Analytics (privacy-first, no cookies, no fingerprinting, no personally identifying data — aggregates only)
  • Referrer, page path, country (derived from the IP address, which itself is not stored), device category

2.6 Error Monitoring Data

  • JavaScript error stack traces collected by Sentry
  • PII is scrubbed from Sentry payloads before transmission: email addresses, names, and other identifiers are replaced with anonymised identifiers

2.7 Technical and Security Data

  • Server-side logs (user ID, request path, timestamp) retained for security and debugging purposes; email addresses are not logged
  • IP addresses (short-term retention for anti-fraud and rate-limiting; not linked to long-term profile data)

3. Lawful Basis for Processing

We process personal data on the following legal bases under GDPR Article 6:

  • Account creation and management — Contract (Art. 6(1)(b)): necessary to provide the Platform service.
  • RFQ delivery to Manufacturers — Contract (Art. 6(1)(b)).
  • Transactional email notifications — Contract (Art. 6(1)(b)).
  • Telegram bot notifications — Consent (Art. 6(1)(a)): opt-in required.
  • Analytics (Plausible) — Legitimate interest (Art. 6(1)(f)): privacy-preserving, no cookies.
  • Marketing communications — Consent (Art. 6(1)(a)): opt-in required at signup.
  • Error monitoring (Sentry, PII-scrubbed) — Legitimate interest (Art. 6(1)(f)): essential for platform security and reliability.
  • Fraud prevention and sanction screening — Legal obligation (Art. 6(1)(c)) combined with legitimate interest.
  • Subscription billing (when live) — Contract (Art. 6(1)(b)).

4. How We Use Your Data

We use the data we collect to:

  • Operate the Platform: create and manage accounts, display Manufacturer profiles and product listings to Buyers, and process and route RFQ submissions to the appropriate Manufacturer.
  • Send notifications: transactional emails (RFQ alerts, account confirmations, password resets) and optional Telegram notifications via the Gemalli bot for subscribed Manufacturers.
  • Monitor performance and errors: Sentry receives PII-scrubbed error reports; Plausible receives anonymised page analytics.
  • Ensure platform security: IP-based rate limiting, Cloudflare Turnstile anti-bot verification on public-writable endpoints (RFQs), and audit logging of administrative actions.
  • Comply with legal obligations: retain data as required by applicable law and cooperate with lawful authorities where required.

5. Data Retention

  • Account profile data — until account deletion plus a 30-day purge cycle.
  • RFQ submissions — 24 months from the submission date.
  • Manufacturer Content (products, blog, profiles) — until the relevant content is removed or the account is deleted.
  • Telegram chat_id — until notification opt-out or account deletion.
  • Sentry error events (PII-scrubbed) — 90 days per Sentry default.
  • Plausible analytics — aggregated, with no time limit on aggregates; raw event retention per Plausible defaults.
  • Server logs — 30 days.
  • Billing records (when live) — as required by applicable accounting and tax law (typically 5–7 years).

After the stated retention period, data is deleted or anonymised such that it can no longer be attributed to an individual.

6. Data Sharing and Processors

We do not sell personal data to data brokers, advertisers, or any third party for commercial gain.

Personal data submitted to the Platform — account data, RFQ submissions, and Manufacturer Content — is stored in our self-hosted PostgreSQL database and MinIO object storage, both running on server infrastructure operated directly by Lux-Promo. This data is not held by a third-party managed cloud database or storage provider.

We share data only with the following processors and infrastructure providers, each operating under a data processing agreement or equivalent terms:

  • Server hosting provider — provides the EU-based server that runs the Platform. Data shared: whatever is processed on the server in the course of operating the Platform. Location: EU.
  • Transactional email provider (SMTP) — delivers RFQ alerts, account confirmations, and password-reset emails. Data shared: recipient email address and email content.
  • Plausible — privacy-first website analytics. Data shared: anonymised, aggregated page events. No cookies, no cross-site tracking. Location: EU.
  • Sentry — error monitoring and performance tracing. Data shared: PII-scrubbed error traces — email addresses, names, and identifiers are replaced with anonymised values before transmission. Location: US (Standard Contractual Clauses apply).
  • Telegram — delivers optional notifications to Manufacturers who opt in to Telegram alerts. Data shared: Telegram chat_id and notification message text. Applies only to users who actively link a Telegram account.
  • Cloudflare — provides the Turnstile anti-bot challenge on public submission forms (RFQ and Manufacturer application). Data shared: IP address and challenge-response data, used solely to distinguish humans from bots. Location: global (Standard Contractual Clauses apply).

No other third parties receive your personal data in a form that identifies you.

7. International Data Transfers

Some processors and providers listed in Section 6 — for example, Sentry and Cloudflare — are located outside the European Economic Area or operate globally beyond it. Where this is the case, transfers are governed by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), incorporated in data processing agreements with each relevant processor;
  • Adequacy decisions where applicable.

You may request a copy of the applicable transfer mechanism by contacting us at editorial@gemalli.com.

8. Your Rights Under GDPR

If you are located in the EEA, UK, or another jurisdiction with equivalent data protection law, you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data (the "right to be forgotten"), subject to legal retention obligations.
  • Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest (e.g. marketing analytics).
  • Right to restrict processing (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent (marketing communications, Telegram notifications), you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at editorial@gemalli.com with the subject line "GDPR Data Request — [Right Type]". We will respond within 30 days. We may request identity verification before fulfilling a request.

If you believe we have processed your data unlawfully, you have the right to lodge a complaint with the supervisory authority in your country of residence.

9. Cookies and Tracking

9.1 Cookies We Set

The Platform sets the following cookies:

  • Session cookie (name: b2b_session): strictly necessary for authentication — it identifies your signed-in session and is set only after you log in. No consent required.
  • Locale preference (name: NEXT_LOCALE): strictly necessary to remember your language choice. No consent required.

9.2 Analytics

Plausible Analytics is used for aggregated site analytics. Plausible does not use cookies and does not track users across sites. No consent is required for Plausible.

9.3 No Third-Party Advertising Cookies

The Platform does not use any advertising networks, tracking pixels, or retargeting cookies. No consent banner is needed for advertising purposes.

9.4 Cookie Consent

Because the Platform uses only strictly necessary cookies (authentication, locale) and a cookie-free analytics tool (Plausible), the consent banner shown on first visit is presented for transparency only: no non-essential cookies are set, so nothing requires your acceptance by default.

10. Data Security

We implement the following technical and organisational measures to protect your personal data:

  • Row-Level Security (RLS): all database tables containing user data have RLS enabled, enforcing tenant-level data isolation at the database layer.
  • Self-hosted, network-isolated data stores: the PostgreSQL database and MinIO object storage run on server infrastructure operated by Lux-Promo and are not exposed to the public internet — the database is reachable only by the application over a private network.
  • Encryption in transit: all data transmitted between your browser and the Platform uses TLS 1.2 or higher.
  • Access control: internal access to personal data is restricted to personnel with a legitimate operational need.
  • Audit logging: administrative actions are recorded in an append-only audit log.
  • Backup retention: database backups are retained for a limited retention window and then deleted.

Despite these measures, no system is completely immune to security incidents. In the event of a personal data breach that is likely to result in risk to individuals, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, in accordance with GDPR Articles 33–34.

11. Children's Data

The Platform is a B2B service intended exclusively for business professionals and legal entities. It is not directed at or intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at editorial@gemalli.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify registered users via email and update the "Effective date" at the top of this document. We encourage you to review this policy periodically.

13. How to Contact Us / Submit a Data Request

For any privacy-related inquiry, data subject right request, or complaint — email: editorial@gemalli.com, with the subject line format "Privacy / Data Request — [Request Type]".

We will acknowledge your request within 5 business days and respond substantively within 30 days. For complex requests, this period may be extended by an additional 60 days, in which case we will inform you within the initial 30-day period.

14. Effective Date

This Privacy Policy is effective as of 14 May 2026. The previous version (if any) is superseded on that date.
