Introduction & Scope
Legacy Diamonds & Gemstones ("Legacy," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, retain, disclose, and safeguard your personal information when you visit our website at legacydiamondsandgemstones.com, engage our private client services, make enquiries, or otherwise interact with us.
This Policy applies to all individuals whose personal data we process, including prospective clients, existing collectors, business partners, website visitors, and individuals who contact us through any channel including WhatsApp, Instagram, email, our web enquiry forms, or telephone. It applies to personal data processed in connection with our global operations across the United States, the United Kingdom, the European Union, Japan, South Korea, Australia, Singapore, and all other markets in which we operate.
By using our website or services, you acknowledge that you have read and understood this Privacy Policy. Where we are required by applicable law to obtain your consent before processing your personal data, we will do so explicitly. This Policy does not apply to third-party websites, applications, or services that may be linked from our website; those third parties maintain their own privacy practices for which we bear no responsibility.
This Policy is a living document and is reviewed no less than annually. The date at the top reflects the most recent substantive revision. Material changes are communicated to our active clients by email before they take effect. Continued engagement with our services following any update constitutes acceptance of the revised terms.
Data Controller
The data controller responsible for your personal information is Legacy Diamonds & Gemstones. For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), UK GDPR, and analogous national data protection frameworks, Legacy Diamonds & Gemstones acts as the primary data controller of all personal information processed in connection with our website and private client services.
Controller Details
| Detail | Information |
|---|---|
| Trading Name | Legacy Diamonds & Gemstones |
| Website | legacydiamondsandgemstones.com |
| Privacy Enquiries | support@legacydiamondsandgemstones.com |
| WhatsApp (USA) | +1 (209) 328-4413 |
| India Office (Mumbai HQ) | Live Chat — Available via website |
| Operating Markets | USA, UK, EU, Japan, Korea, Australia, Singapore, India, UAE, Switzerland |
Where applicable law requires the appointment of a local representative or Data Protection Officer ("DPO"), the relevant contact details are provided in Section 15 (Contact & Supervisory Authorities) of this Policy. Clients in the European Economic Area or United Kingdom who wish to raise a formal complaint regarding our data practices are encouraged to contact our privacy team in the first instance before escalating to a supervisory authority.
Information We Collect
We collect personal information only to the extent necessary to provide our services, fulfil our legal obligations, and maintain the standard of private client care that Legacy is known for. The categories of personal information we may collect are set out below.
Information You Provide Directly
Identity Data: Full name, salutation, title, date of birth (where required for AML purposes), nationality, passport or government identity number (where required for AML compliance or high-value transaction verification).
Contact Data: Email address, telephone number (including WhatsApp), postal address, country of residence. Where you contact us via Instagram Direct, we may retain a record of that conversation linked to your Instagram handle.
Transaction & Enquiry Data: Details of stones or jewellery you enquire about or commission, product preferences, investment range, diamond type preferences, bespoke design requirements, occasion details, and any correspondence related to the provision of our services.
Financial Verification Data: Where required by our Anti-Money Laundering obligations (see Section 13), we may collect proof of funds documentation, source of wealth information, certified identity documents, and related compliance materials. This data is processed only to the extent mandated by applicable law and is handled with the highest level of security.
Communications Data: Records of your communications with us via any channel, including email, our web enquiry forms, WhatsApp, Instagram, and telephone. Where permitted and notified, calls may be recorded.
Information Collected Automatically
Usage Data: When you visit our website, we automatically collect certain technical data, including your IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, and the date and time of your visit. This data is collected through our web analytics systems.
Cookie Data: We use cookies and similar tracking technologies as described in Section 10 of this Policy. This may include session cookies, persistent cookies, and pixel tags that collect information about your browsing behaviour on our website.
Device Data: Information about the device you use to access our website, including device identifiers, screen resolution, and language preferences, where relevant to providing a consistent browsing experience.
Information From Third Parties
We may receive information about you from third parties in limited circumstances, including: referrals from existing Legacy clients; publicly available information from professional directories or business registries (where relevant to B2B partner due diligence); information from Zoho CRM and related Zoho services we use to manage our client relationships; and information from payment processors or financial institutions in connection with transaction verification. We do not purchase marketing lists or acquire personal data from data brokers.
We do not seek to collect special categories of personal data (as defined under GDPR Article 9) such as health information, racial or ethnic origin, religious beliefs, or political opinions. If you volunteer such information in correspondence with us, we will not use it for any purpose other than responding to your specific request, and we will delete it at the earliest practicable opportunity.
Lawful Bases for Processing
We process your personal data only where we have a valid lawful basis to do so. The primary legal bases upon which we rely, and the processing activities associated with each, are described below.
Contractual Necessity (Art. 6(1)(b)): Processing required to fulfil our contractual obligations to you or to take steps at your request prior to entering a contract. This covers responding to enquiries, processing commissions, managing bespoke orders, and delivering purchased items.
Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including maintaining client records, improving our services, personalising client communications, protecting against fraud, and administering our CRM. We balance our interests against your rights and will not override your fundamental privacy interests.
Legal Obligation (Art. 6(1)(c)): Processing required to comply with our legal obligations, including Anti-Money Laundering regulations, tax reporting requirements, and obligations under applicable consumer protection and financial services law.
Consent (Art. 6(1)(a)): Where we rely on your consent — for example, for non-essential cookies or for sending you marketing communications — we will ask for explicit, informed, and freely given consent. You may withdraw consent at any time without prejudice to the lawfulness of processing carried out before withdrawal.
Under Japan's APPI, we process personal information on the basis of necessity for fulfilling an agreement with you, compliance with legal obligations, protection of your vital interests, or pursuit of our legitimate business purposes where your rights are appropriately protected. We will not use your personal information for purposes beyond those notified at the time of collection without your separate consent.
Under Korea's PIPA, we process personal information on the basis of your consent, necessity for performance of a contract to which you are a party, necessity for compliance with a legal obligation to which we are subject, or necessity for the pursuit of a legitimate interest that does not override your rights and interests. Where consent is the basis, we provide a clear and separate consent notice specifying the purpose of collection, items of personal information collected, period of retention, and the right to refuse.
Under Australia's Privacy Act and the Australian Privacy Principles (APPs), we collect, use, and disclose personal information only for the primary purpose for which it was collected, or for secondary purposes where you would reasonably expect such use, where you have consented, or where required or permitted by law. We collect personal information by lawful and fair means and do not collect personal information by unlawful or unfair means.
For California residents, we process personal information in accordance with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"). We do not sell or share your personal information for cross-context behavioural advertising. Your rights under CCPA/CPRA are described fully in Section 9 of this Policy. We also observe applicable privacy laws in other US states where we have clients, including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and Connecticut Data Privacy Act (CTDPA), to the extent they apply to our operations.
Under Singapore's PDPA, we collect, use, and disclose personal data only with your consent or as permitted under applicable exceptions, for purposes that a reasonable person would consider appropriate in the circumstances. We provide you with reasonable access to your personal data and allow you to correct it. We are committed to protecting your personal data using security arrangements no less stringent than those we would apply to our own confidential data.
How We Use Your Information
We use personal information collected from you for the following purposes, each of which is underpinned by a lawful basis identified in Section 4.
| Purpose | Details | Lawful Basis |
|---|---|---|
| Service Delivery | Responding to private enquiries, processing commissions, managing bespoke orders, arranging delivery of acquired pieces, coordinating private viewings and appointments | Contract; Legitimate Interests |
| Client Relationship Management | Maintaining records of preferences, past acquisitions, and communications within our Zoho CRM system to provide personalised, consistent service across interactions | Legitimate Interests; Contract |
| Communications | Responding to enquiries; sending service-related updates; notifying you of items matching your stated preferences (where you have consented to such communications) | Contract; Consent; Legitimate Interests |
| Marketing | Sending curated editorial content, new collection notices, and invitations to private viewing events — only where you have expressly consented or where permitted by applicable law | Consent |
| Legal Compliance | Meeting our obligations under Anti-Money Laundering regulations, tax law, export controls, sanctions screening, and other applicable financial services regulations | Legal Obligation |
| Fraud Prevention & Security | Detecting, investigating, and preventing fraudulent, unauthorised, or illegal activity; protecting the integrity of our operations and the security of our clients | Legitimate Interests; Legal Obligation |
| Website Analytics | Understanding how visitors use our website, identifying areas for improvement, measuring the effectiveness of our content, and ensuring technical performance | Consent (where required); Legitimate Interests |
| Legal Proceedings | Establishing, exercising, or defending legal claims; complying with court orders, regulatory demands, or lawful requests from competent authorities | Legal Obligation; Legitimate Interests |
We will not use your personal information for any purpose that is incompatible with the purposes set out above without first notifying you and, where required, obtaining your consent. Where we process data for direct marketing, you always have the right to object and we will honour that request promptly.
Disclosure of Your Information
Legacy Diamonds & Gemstones does not sell, rent, or trade your personal information to third parties for their own marketing purposes. We may disclose your information to the following categories of recipients, and only to the extent necessary for the stated purpose.
Service Providers & Data Processors
We engage trusted third-party service providers who process personal data on our behalf as data processors. These include: Zoho Corporation (CRM, SalesIQ live chat, email marketing, and customer support platform — Zoho India instance); delivery and logistics partners including Brinks and comparable specialist high-value couriers; payment processing and financial verification partners; our website hosting and technical infrastructure providers; and professional advisors including legal counsel, accountants, and auditors who are bound by professional obligations of confidentiality.
All third-party processors are subject to written data processing agreements that require them to implement appropriate technical and organisational security measures, prohibit them from using your data for any purpose beyond our instructions, and require them to return or destroy your data upon termination of the engagement.
Law Enforcement & Regulatory Authorities
We may disclose your personal information to law enforcement agencies, regulatory bodies, government authorities, or courts in any jurisdiction where we are required or permitted to do so by applicable law, or where necessary to protect the safety of any person, prevent fraud, or respond to a valid legal process. In jurisdictions with AML reporting obligations (see Section 13), we may be required to disclose information to financial intelligence units or equivalent bodies without your knowledge or consent, where applicable law prohibits such notification.
Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or a portion of our business, your personal information may be transferred as part of that transaction. We will notify you by email or prominent notice on our website before your personal information is transferred or becomes subject to a different privacy policy, and will provide you with the opportunity to opt out of such a transfer where applicable law permits.
With Your Consent
We may disclose your personal information to other parties where you have given explicit consent. For example, where you request a referral to a specialist gemological laboratory, appraiser, or insurance provider, we may share your contact details with that party with your prior authorisation.
Legacy Diamonds & Gemstones does not sell personal information and has not done so in the preceding twelve months. For California residents, this means we do not engage in the "sale" or "sharing" of personal information as defined under CCPA/CPRA. We do not sell data to data brokers, advertising networks, or other commercial third parties.
International Data Transfers
Given the global nature of Legacy's private client practice — operating across New York, London, Dubai, Singapore, Tokyo, Sydney, Geneva, and Mumbai — your personal information will inevitably be processed in countries other than your country of residence. We take all necessary steps to ensure that any international transfer of your personal data is conducted lawfully and with appropriate safeguards in place.
Where we transfer personal data from the EEA or UK to a country that the relevant supervisory authority has not determined provides an adequate level of protection, we rely on one or more of the following safeguards: Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO; or Binding Corporate Rules where applicable. A copy of the relevant safeguards may be obtained by contacting us at the address in Section 15.
Under Japan's APPI, where we transfer your personal information outside Japan to a third-party recipient, we implement measures equivalent to APPI standards, including contractual requirements imposed on the recipient to maintain equivalent protections. Japan has recognised the EU's adequacy standard and the European Commission has recognised Japan's APPI framework as adequate for EU data flows.
For transfers of personal information outside the Republic of Korea, we comply with PIPA Article 28-8 by obtaining your consent or relying on applicable statutory grounds. Where consent is obtained, we disclose the recipient's name, country of destination, purpose of transfer, items of personal information transferred, period of retention, and the method of withdrawal of consent.
For cross-border transfers from Australia, we comply with APP 8 by taking reasonable steps to ensure that overseas recipients handle your personal information in a manner consistent with Australia's Privacy Act, or by disclosing to you that we are unable to ensure such protection and obtaining your consent to the transfer on that basis.
For cross-border transfers from Singapore, we comply with Section 26 of the PDPA by ensuring that the overseas recipient is bound by legally enforceable obligations to provide a standard of protection at least comparable to PDPA requirements, through contractual arrangements or other approved mechanisms.
Our primary data processing infrastructure for client relationship management is hosted by Zoho Corporation on its India-region servers (crm.zoho.in). Zoho maintains ISO 27001 certification and is compliant with GDPR, CCPA, and other applicable data protection frameworks. Further details of Zoho's security and compliance certifications are available at zoho.com/security.
Data Retention
We retain personal information only for as long as is necessary for the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. The following retention schedule applies as a general guide; specific retention periods may be longer where required by applicable law or shorter where you exercise your right to erasure and no overriding legal basis exists for continued retention.
| Category | Retention Period | Basis |
|---|---|---|
| Active Client Records | Duration of client relationship + 7 years | Legitimate Interests; potential legal claims |
| Transaction Records | 7 years from transaction date | Tax law; AML regulatory requirements |
| AML/KYC Documentation | Minimum 5 years from end of relationship; up to 10 years where required by applicable AML law | Legal obligation (UK MLR 2017, EU AMLD6, US BSA, AUSTRAC, Japan, Korea, Singapore requirements) |
| Enquiry Records (non-converting) | 2 years from last contact | Legitimate Interests |
| Website Analytics Data | 26 months (aggregated/anonymised thereafter) | Legitimate Interests |
| Marketing Consent Records | Until consent is withdrawn + 3 years | Legal obligation (evidence of consent) |
| Legal Dispute Records | Duration of proceedings + 6 years | Legitimate Interests; Legal obligation |
| Job Applicant Records | 6 months (unsuccessful applications); 2 years with consent for future roles | Legitimate Interests; Consent |
Upon expiry of the applicable retention period, personal information is securely deleted or anonymised so that it can no longer be linked to any individual. We conduct periodic audits of our data holdings to ensure compliance with this schedule. Where retention is extended beyond the standard period by a specific legal obligation, we will document the reason for the extension.
Your Rights
Depending on your country of residence, you have a number of rights in relation to the personal information we hold about you. These rights are described below on a jurisdiction-by-jurisdiction basis. We do not charge a fee to exercise any of these rights and will respond to verified requests within the timeframes required by applicable law.
Universal Rights — All Jurisdictions
Right to Erasure ("Right to be Forgotten"): Under GDPR Article 17, you may request that we delete your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent, where you object to processing and there are no overriding legitimate grounds, where the data has been unlawfully processed, or where erasure is required by law. We will honour erasure requests subject to legal retention obligations.
Right to Restriction of Processing: Under GDPR Article 18, you may request that we restrict the processing of your data in certain circumstances, such as while a correction request is pending or where you have objected to processing.
Right to Data Portability: Under GDPR Article 20, where processing is based on consent or contract and is carried out by automated means, you may receive your personal data in a structured, commonly used, and machine-readable format, and request that we transmit it to another controller where technically feasible.
Right to Object: Under GDPR Article 21, you have the right to object at any time to the processing of your personal data for direct marketing purposes (which we will honour unconditionally and immediately) or where we rely on legitimate interests (in which case we will assess whether our interests override yours).
Response Timeframe: We will respond to GDPR/UK GDPR rights requests within one calendar month of receipt of a verifiable request. Where a request is complex or numerous, we may extend this period by a further two months with prior notification.
Right to Know (Categories & Specific Pieces): California residents may request disclosure of the categories of personal information we collect, the categories of sources, the business purpose for collection, the categories of third parties we share with, and the specific pieces of personal information we hold.
Right to Delete: California residents may request deletion of personal information we have collected, subject to applicable exceptions.
Right to Correct: California residents may request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell or share personal information as defined by CCPA/CPRA. No opt-out is required, but you may contact us to confirm this.
Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes other than those permitted under CCPA/CPRA Section 1798.121.
Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA right.
Response Timeframe: We will respond to verifiable California consumer requests within 45 days of receipt, extendable by a further 45 days with prior notification. Requests may be submitted to support@legacydiamondsandgemstones.com or by telephoning +1 (209) 328-4413.
Japanese residents have the right to request disclosure, correction, addition, deletion, and suspension of use of their personal information held by us, and the right to request that we cease providing their personal information to third parties. Requests must be submitted in writing to the contact address in Section 15. We will respond within a reasonable period and in accordance with APPI requirements. Where we are unable to comply, we will provide the reason for refusal.
Korean residents have the right to access, correct, delete, and suspend the processing of their personal information. You also have the right to withdraw any consent previously given and to receive a copy of your personal information in a structured, machine-readable format (data portability). Korean residents may exercise these rights by submitting a written request to the contact details in Section 15. We will respond within 10 days of receipt of a verifiable request.
Australian residents have the right to access the personal information we hold about them (APP 12), to request correction of information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13), and to complain to the Office of the Australian Information Commissioner (OAIC) if they believe we have breached the APPs. We will respond to access and correction requests within 30 days of receipt.
Singapore residents have the right to access and correct their personal data under Sections 21 and 22 of the PDPA. We will respond to access requests within 30 calendar days. You also have the right to withdraw consent at any time, with reasonable notice, subject to legal or contractual restrictions. Upon withdrawal of consent, we will inform you of the likely consequences of withdrawal and cease the relevant processing.
To exercise any of the rights described in this Section, please contact our privacy team at support@legacydiamondsandgemstones.com. We may need to verify your identity before processing your request. We will not use identity verification information for any purpose other than fulfilling the rights request.
Cookies & Tracking
Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyse usage patterns, and support the functionality of our site. A cookie is a small text file placed on your device by a website. Cookies serve several purposes, from enabling core website functions to collecting analytics data that helps us improve our services.
Categories of Cookies We Use
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Essential for the website to function. These include cookies that enable navigation, security, and access to secure areas. Cannot be disabled. | No (exempt) |
| Functional | Remember your preferences and choices (such as language, country, or previously selected options) to provide a more personalised experience. | Where required by law |
| Analytics | Help us understand how visitors interact with our website through data such as pages viewed, time on site, and traffic sources. We use this data in aggregate to improve performance. | Yes |
| Zoho SalesIQ | Powers our live chat widget, enabling real-time client support. Zoho SalesIQ may set cookies to identify returning visitors and maintain chat session continuity. | Yes |
| Zoho CRM Analytics | Used to measure the performance of our web enquiry forms and attribute form submissions to their source. Set by Zoho's WebFormAnalyticsServeServlet. | Yes |
Where required by applicable law — including the EU ePrivacy Directive as transposed into national law, UK PECR, and equivalent rules in other jurisdictions — we will request your consent before placing non-essential cookies. You may withdraw or modify your cookie preferences at any time by contacting us or through your browser settings. Please note that disabling certain cookies may affect the functionality of some features of our website.
Most browsers allow you to control cookies through their settings preferences. For more information about how to do so, please visit the help section of your browser or consult www.allaboutcookies.org. We do not currently respond to Do-Not-Track browser signals, as there is no consistent industry standard for this technology.
Security Measures
The confidentiality of our clients' personal and transactional information is a matter of the highest priority at Legacy Diamonds & Gemstones. We implement technical, administrative, and physical security measures appropriate to the sensitivity of the data we process and the risks associated with its potential unauthorised access, disclosure, alteration, or destruction.
Technical Safeguards
All data transmitted between your browser and our website is encrypted using Transport Layer Security (TLS). Our Zoho CRM infrastructure — which processes enquiry form data, client records, and communications — is hosted on Zoho's India-region servers which are certified to ISO 27001:2013 and SOC 2 Type II standards. Zoho's data centres employ physical access controls, redundant power and cooling, and continuous security monitoring. Enquiry data submitted via our web forms is transmitted directly to Zoho's CRM via their secured Web-to-Lead API over HTTPS. We do not store payment card data on our own systems.
Organisational Safeguards
Access to personal data within our organisation is restricted on a strict need-to-know basis. Staff members who have access to client information are subject to confidentiality obligations and receive training on data protection responsibilities. We conduct periodic reviews of our security practices and update our controls in response to evolving threats. Supplier and partner relationships are governed by contractual data processing agreements that impose equivalent security obligations.
Data Breach Response
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where required by applicable law, within 72 hours of becoming aware of the breach (GDPR Article 33; UK GDPR; applicable national equivalents). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay. Our breach response procedures are tested and reviewed annually.
While we implement robust security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of information transmitted to or from our website or stored on our systems. We encourage you to take appropriate precautions on your end, including using strong passwords and keeping your devices and software updated.
Children's Privacy
Our website and private client services are not directed to, nor intended for use by, individuals under the age of 18 years. We do not knowingly collect personal information from minors. The acquisition of fine jewellery and investment-grade diamonds is a transaction for legally competent adults, and our services are offered exclusively on that basis.
If we become aware that we have inadvertently collected personal information from a person under the age of 18 without the requisite parental or guardian consent, we will take immediate steps to delete that information from our systems. If you believe that we may have collected information from a minor, please contact us at support@legacydiamondsandgemstones.com and we will respond promptly.
In jurisdictions where higher age thresholds apply for digital consent (for example, the age of 16 under certain EU member state implementations of GDPR Article 8, or the age of 13 under COPPA in the United States), we observe those thresholds accordingly.
Anti-Money Laundering Compliance
Legacy Diamonds & Gemstones deals in high-value goods — natural diamonds, coloured gemstones, and fine jewellery — and is accordingly subject to Anti-Money Laundering ("AML") and Counter-Terrorism Financing ("CTF") regulations across all jurisdictions in which we operate. These regulations impose obligations on us to verify the identity of clients, understand the source of funds in high-value transactions, and report certain transactions to the relevant financial intelligence authorities. This section describes those obligations and their implications for your personal data.
Legal Framework by Jurisdiction
Legacy is subject to the UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLR 2017") as a High Value Dealer ("HVD") registered with HMRC. We are required to apply Customer Due Diligence ("CDD") measures — including verifying client identity and source of funds — for cash transactions or series of linked transactions equivalent to €10,000 or more (approximately £8,500 at current rates, but subject to regulatory guidance). We are also required to file Suspicious Activity Reports ("SARs") with the National Crime Agency ("NCA") where we have knowledge or suspicion of money laundering or terrorist financing.
Within EU member states, Legacy's operations are subject to the requirements of the EU Sixth Anti-Money Laundering Directive ("6AMLD") and transposing national legislation. We apply CDD for transactions of €10,000 or more in cash or linked transactions meeting that threshold, and Enhanced Due Diligence ("EDD") for higher-risk clients or transactions, including Politically Exposed Persons ("PEPs").
In the United States, Legacy is subject to the Bank Secrecy Act ("BSA") and FinCEN regulations applicable to dealers in precious stones and metals. We are required to maintain an AML programme, verify client identity for covered transactions, and file Currency Transaction Reports ("CTRs") and Suspicious Activity Reports where applicable. The Anti-Money Laundering Act of 2020 and the Corporate Transparency Act have expanded our AML obligations, which we monitor and implement on an ongoing basis.
In Australia, Legacy complies with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 ("AML/CTF Act") as supervised by AUSTRAC. We apply Customer Identification Procedures ("CIP") for designated services and thresholds, and file Threshold Transaction Reports ("TTRs") and Suspicious Matter Reports ("SMRs") as required.
Legacy's operations in Japan, Korea, and Singapore are subject to equivalent AML/CTF frameworks administered by the relevant national financial intelligence units — the Japan Financial Intelligence Center (JAFIC), Korea Financial Intelligence Unit (KoFIU), and Singapore's Suspicious Transaction Reporting Office (STRO), respectively. We comply with local CDD, record-keeping, and reporting obligations in each of these jurisdictions.
For clients subject to our AML/CDD obligations, we will collect and process the following categories of personal data: full legal name; date of birth; nationality and country of residence; certified identity documents (passport or national identity card); residential or business address; proof of source of funds or wealth documentation; details of the relevant transaction; and any other information required to complete our risk assessment. This processing is carried out under our legal obligations and you cannot opt out of it while still proceeding with a regulated transaction.
AML/KYC records are retained for a minimum of five years from the end of the client relationship, and up to ten years where required by applicable law. We may be required by law to share this information with regulatory authorities and financial intelligence units. We are legally prohibited in some jurisdictions from disclosing to you that a SAR or equivalent report has been filed.
Our AML Programme is reviewed annually and is overseen by our designated Compliance Officer. Legacy takes its obligations to prevent financial crime with the utmost seriousness, and the integrity of our client relationships depends on strict adherence to these standards.
Policy Changes
We review this Privacy Policy at least annually and update it to reflect changes in our practices, applicable law, regulatory guidance, and the services we offer. The version number and effective date at the top of this document indicate the most recent substantive revision.
Where changes to this Policy are material — meaning they significantly affect your rights or how we process your personal data — we will provide advance notice by email to active clients (using the most recent email address on record) no less than 14 days before the changes take effect. For non-material changes, such as clarifications of existing text, corrections of typographical errors, or updates reflecting minor operational changes, we will update the Policy directly with a revised effective date.
Where applicable law requires us to obtain fresh consent for any new processing activity, we will do so before commencing that processing. Your continued use of our website or services following the effective date of a revised Policy constitutes your acknowledgement of and agreement to the updated terms, to the extent permitted by applicable law. If you do not agree to a material change, you may contact us to discuss your options, including the exercise of your rights under Section 9.
Prior versions of this Policy are available upon request by contacting support@legacydiamondsandgemstones.com. We maintain an internal archive of all published versions for audit and compliance purposes.
Contact & Supervisory Authorities
If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, we invite you to contact our privacy team directly. We are committed to resolving privacy concerns promptly and transparently.
Privacy Contact
| Channel | Details |
|---|---|
| Email | support@legacydiamondsandgemstones.com |
| WhatsApp (USA) | +1 (209) 328-4413 |
| India Office (Mumbai HQ) | Live Chat — Available via website |
| Website | legacydiamondsandgemstones.com/contact-us/ |
We aim to respond to all privacy-related enquiries within five business days. For formal rights requests, the response timeframes specified in Section 9 apply. Where a request is complex or requires additional verification, we will acknowledge receipt promptly and keep you informed of our progress.
Supervisory Authorities
If you are not satisfied with our response to a privacy concern, or if you believe we have processed your personal data in breach of applicable law, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. The principal authorities are listed below.
| Jurisdiction | Authority | Website |
|---|---|---|
| European Union | Lead supervisory authority in your EU member state of residence (list maintained by the European Data Protection Board) | edpb.europa.eu |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| USA (California) | California Privacy Protection Agency (CPPA) | cppa.ca.gov |
| Japan | Personal Information Protection Commission (PPC) | ppc.go.jp |
| Korea | Personal Information Protection Commission (PIPC) | pipc.go.kr |
| Australia | Office of the Australian Information Commissioner (OAIC) | oaic.gov.au |
| Singapore | Personal Data Protection Commission (PDPC) | pdpc.gov.sg |
We would encourage you to contact us first so that we have the opportunity to address your concern directly. Most privacy issues can be resolved quickly and informally, and we take all feedback on our data practices seriously. Should you ultimately prefer to escalate to a supervisory authority, we fully support your right to do so and will cooperate with any regulatory investigation.
Privacy Policy Version 2.0 · Effective 21 April 2026 · Legacy Diamonds & Gemstones · All rights reserved. This document is protected by copyright and may not be reproduced or adapted without prior written consent.