Privacy Policy

Your privacy matters to us. It is GemForge Ltd’s policy to respect your privacy regarding any personal data we may collect about you when you access our website, use our services or otherwise communicate with us.

Who we are

GemForge Ltd, trading as GemForgeLabs, is a company incorporated under the laws of the Republic of Seychelles (referred to as “GemForgeLabs”, “we”, “us” or “our” in this privacy policy).

This privacy policy applies to our website and services available via gemforgelabs.io.

• Data controller: GemForge Ltd (trading as GemForgeLabs)

• Jurisdiction: Republic of Seychelles

• Contact email for privacy matters: [email protected]

If you have any questions about this privacy policy or our privacy practices, you can contact us using the email address above.

Applicability of this privacy policy

This privacy policy describes how GemForgeLabs processes personal data as a “data controller” for example when:

• you create and use an account on our platform;

• you browse our website; or

• you otherwise interact or communicate with us.

Our services may also be provided to organisations (such as companies, training partners or educational institutions) for professional use by their staff and other authorised users. In those cases, we may process personal data as a “data processor” on behalf of that organisation under a separate agreement.

Where we act as a data processor, our processing of your personal data is governed primarily by that agreement and the organisation’s privacy notice, not by this privacy policy (except where we expressly state otherwise).

What data we collect

“Personal data” (or “personal information”) means any information relating to an identified or identifiable natural person. It does not include data where the identity has been removed (see “Aggregated Data” below).

We may collect and process the following categories of personal data about you:

Identity Data

• First name and last name

• Username and password

• Any social or external profiles you choose to link to your GemForgeLabs account

Contact Data

• Email address

• Postal address (where provided)

• Telephone number (where provided)

Profile Data

• User biography or profile description

• Preferences and settings

• Feedback and survey responses

Occupation Data

• Job title and role

• Employer or organisation (where applicable)

Financial Data

• Bank account details (if required for payments we receive from you)

• Payment card details (processed via our payment providers – we will usually not store full card details ourselves)

Transaction Data

• Records of payments to and from you

• Details of products and services you have purchased or subscribed to

Technical Data

• Internet protocol (IP) address

• Login data and session identifiers

• Browser type and version

• Time zone setting and approximate location

• Types and versions of browser plug-ins

• Operating system and platform

• Other technical information about the devices you use to access our website and services

Usage Data

Information about how you use and interact with our website, products and services, for example:

• Progress, completions and outcomes for activities, certifications or “labs”

• Badges, certifications or achievements earned

• Features you interact with and how often

• Time spent on different parts of the platform

• Interaction patterns and other behavioural data relating to your use of the services

Aggregated Data

We may also create and use Aggregated Data, such as statistical or demographic information. Aggregated Data may be derived from your personal data but is not considered personal data in law if it does not directly or indirectly reveal your identity.

For example, we may aggregate Usage Data to calculate:

• the percentage of users who access a particular lab, module; course or

• the average time users take to complete a given activity.

We will maintain Aggregated Data in a de-identified form and will not attempt to re-identify it unless required by law. If we ever combine Aggregated Data with personal data in a way that could identify you, we treat the combined data as personal data and use it in accordance with this privacy policy. We may share Aggregated Data that does not identify you with third parties where permitted by law.

How we collect your data

We use different methods to collect data from and about you, including:

1. Direct interactions

You may give us personal data directly when you:

• create or update a user account;

• subscribe to our services or publications;

• participate in our platform activities or events;

• request customer support;

• respond to surveys or provide feedback; or

• otherwise contact or communicate with us.

This may include Identity Data, Contact Data, Profile Data and Occupation Data.

2. Automated technologies or interactions

As you interact with our website and use our services, we automatically collect Technical Data and Usage Data. We may use cookies and similar technologies to support this (see our separate cookies notice where applicable).

3. Third parties or publicly available sources

We may receive personal data about you from third parties, for example:

• payment providers, when you purchase products or services from us;

• analytics or advertising partners (in de-identified or pseudonymised form, where applicable);

• your employer or organisation, where they provide user details so that you can access our services as an authorised user.

Legal basis for processing your data

GemForgeLabs is subject to the Data Protection Act 2023 of the Republic of Seychelles (Act 24 of 2023), which sets out principles and legal bases for processing personal data.

We will only use your personal data where we have a valid legal basis to do so. Depending on the context, we may rely on:

1. Performance of a contract

   • Where processing is necessary to enter into or perform a contract with you (for example, providing you with an account and access to our platform, or delivering a paid subscription).

2. Legitimate interests

   • Where processing is necessary for our legitimate business interests (or those of a third party) and your interests and fundamental rights do not override those interests – for example, to improve and secure our services, prevent abuse and manage our relationship with you.

3. Compliance with a legal obligation

   • Where processing is necessary for us to comply with legal or regulatory obligations under Seychelles law (for example, financial reporting or responding to lawful requests from authorities).

4. Consent

   • Where you have given us your explicit consent to process your data for specific purposes (for example, certain types of marketing). You can withdraw your consent at any time (see “Your data protection rights” below).

We always consider the potential impact on you (both positive and negative) before relying on our legitimate interests and do not use your personal data for activities where those interests are overridden by your rights and freedoms.

What we use your data for

We use your personal data in a manner consistent with this privacy policy and applicable law, including for the following purposes:

1. Provision of services

We use information such as your Identity Data, Contact Data, Occupation Data, Technical Data and Usage Data to:

• provide you with access to our platform and services;

• set up and administer your account;

• manage subscriptions and billing;

• provide content and features relevant to your account type; and

• notify you about changes to our services or your account.

We process this data mainly on the basis that it is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.

2. Personalising your experience

We use Usage Data and Profile Data to tailor your experience on the platform, for example by:

• recommending certifications or labs aligned with your goals and previous activity;

• surfacing content that matches your skill level or interests;

• providing automated hints, guidance or feedback based on how you interact with the platform.

This processing is carried out where it is necessary for the performance of our contract with you and/or necessary for our legitimate interests in delivering an effective and engaging learning platform.

3. Customer support

We use Identity Data, Contact Data, Technical Data and Usage Data to:

• respond to your support queries and requests;

• perform troubleshooting and issue resolution;

• assist with password resets and account recovery.

This processing is generally necessary for the performance of a contract with you.

4. Communications

We may use your personal data to communicate with you about:

• your account and activity (e.g. welcome messages, subscription confirmations, service notifications);

• important changes to our terms, policies or services;

• service-related updates, such as maintenance or new features.

These communications are sent where necessary for the performance of a contract with you and/or our legitimate interests in keeping you informed about your use of our services.

5. Prize promotions and events

Where you choose to participate in competitions, promotions or events, we may use Identity Data, Contact Data and relevant Usage Data to:

• administer entries;

• award prizes or recognition;

• verify eligibility and compliance with rules.

6. Monitoring, maintaining and improving our services

We use Technical Data and Usage Data for analytics, measurement and service improvement, including to:

• understand how users interact with our website and platform;

• ensure that the services function as intended;

• fix bugs and improve performance;

• develop new content, features and capabilities.

This processing is based on our legitimate interests in running, improving and developing our services.

7. Safety and security

We use Technical Data and Usage Data to protect the safety and security of our users, platform and services, for example to:

• detect, prevent and respond to malware, fraud, abuse or other malicious activity;

• monitor for cheating or other violations of our terms;

• protect our rights, property and users.

This processing is based on our legitimate interests in ensuring the security and integrity of our services.

8. Legal and compliance

We may process any of the categories of personal data listed above where necessary to:

• comply with legal obligations (for example, tax, accounting or regulatory requirements);

• respond to valid legal requests from courts, regulators or law enforcement; Global Practice Guides

• establish, exercise or defend legal claims.

Marketing communications

Where permitted by law and where we have a valid legal basis (typically your consent or our legitimate interests, depending on the circumstances), we may use your Contact Data and Usage Data to send you information about:

• updates to our services and features;

• usage summaries, progress stats or recommendations;

• news, events and content that may be of interest to you.

You can opt out of marketing communications at any time by following the unsubscribe instructions in the email or by contacting us using the details above.

We will not send you marketing communications where the law requires your prior consent unless we have obtained that consent.

How we store and protect your data

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, misuse, loss, alteration or destruction, in line with the requirements of the Seychelles Data Protection Act 2023.

These measures include:

• storing personal data on secure servers;

• limiting access to those employees, contractors and service providers who have a business need to know;

• processing personal data only according to our documented instructions and subject to duties of confidentiality;

• using appropriate security controls and safeguards.

We retain personal data only for as long as reasonably necessary to fulfil the purposes for which it was collected, including for legal, regulatory, tax, accounting and reporting purposes.

In some cases, we may anonymise or aggregate your personal data (so that it can no longer be associated with you) for research or statistical purposes. In that case, we may use this information indefinitely without further notice to you.

Our website may contain links to external sites that are not operated by us. We have no control over the content or practices of those sites and cannot accept responsibility or liability for their privacy policies. We recommend you review the privacy policies of any third-party sites you visit.

If you have questions about how we handle your data, please contact us using the details above.

Who we share your personal data with

We do not sell your personal data. We may share personal data only in the limited circumstances below:

1. Public information on our platform
   Some limited user information may be visible to others on our platform, for example on leaderboards or public aspects of user profiles (such as username, rank, badges or completed activities), where you choose to participate in such features.

2. Service providers
   We may share personal data with trusted third-party service providers that support our business operations, such as:

   • website and data hosting providers;

   • payment processors;

   • customer communications and email providers;

   • analytics and product improvement services.

3. These third parties process personal data on our behalf and according to our instructions, and are bound by appropriate confidentiality and security obligations.

4. Professional advisers
   We may share personal data with our professional advisers (such as lawyers, auditors, bankers and insurers) where reasonably necessary for the purposes of obtaining professional advice or managing our business.

5. Authorities and legal disclosures
   We may disclose personal data to governmental, legal, regulatory, tax or similar authorities, or law enforcement officials, where required by law or where we reasonably consider it necessary to protect our legitimate interests or the rights and safety of others.

6. Corporate transactions
   If we are involved in a corporate transaction, such as a merger, restructuring, acquisition or sale of all or part of our business, personal data may be transferred as part of that transaction, subject to appropriate safeguards.

International transfers

Given the nature of online services and our use of third-party providers, your personal data may be transferred to and processed in countries outside Seychelles.

When we transfer personal data outside Seychelles, we take steps to ensure a comparable level of protection in line with the requirements of the Seychelles Data Protection Act 2023.

• transferring data only to countries or organisations that provide a comparable level of protection for personal data; or

• putting in place suitable contractual safeguards or other recognised mechanisms for cross-border transfers.

Your data protection rights

Under the Seychelles Data Protection Act 2023 and, where applicable, other data protection laws, you may have the following rights in relation to your personal data:

1. Right of access

   • You can request confirmation that we process your personal data and ask for a copy of that data.

2. Right to rectification

   • You can ask us to correct personal data that you believe is inaccurate or incomplete.

3. Right to erasure

   • In certain circumstances, you can request that we delete your personal data – for example, where the data is no longer necessary for the purposes for which it was collected, or where you withdraw consent and we have no other legal basis for processing.

4. Right to restrict processing

   • You can ask us to restrict the processing of your personal data in certain situations (for example, while we are verifying the accuracy of the data or where you have objected to processing).

5. Right to object to processing

   • You may object to our processing of your personal data where we rely on legitimate interests as the legal basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or processing is needed for legal claims.

6. Right to data portability

   • Where technically feasible and applicable, you may request that we provide your personal data in a structured, commonly used and machine-readable format, and/or transmit that data to another organisation.

7. Right to withdraw consent

   • Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing before it was withdrawn.

We will respond to requests to exercise these rights within the timeframes required by applicable law and, where a specific timeframe is not prescribed, within a reasonable period.

To exercise any of these rights, please contact us using the email address listed in the “Who we are” section.

How to contact us

If you have any questions, requests or concerns about this privacy policy or how we handle your personal data, please contact us at:

• Email: [email protected]

Changes to this privacy policy

We may update this privacy policy from time to time for example, to reflect changes in our services, our practices or applicable law.

When we make material changes, we will notify you by updating the policy on our website and, where appropriate, by other means (such as email or an in-service notification).

Your continued use of our services after the updated policy becomes effective will be taken as acceptance of the changes, to the extent permitted by law.