Privacy Policy

Last updated: May 2026

1. Who we are

GemFlow is a studio management platform for jewellery makers, operated by GemFlow Ltd, registered in England and Wales. For privacy enquiries contact: privacy@gemflow-ai.com

2. What personal data we collect

  • Account data: your name, email address, and studio name when you sign up
  • Client data you add: your clients' names, email addresses, phone numbers, and communication history
  • Consultation notes and files you upload, including photos and documents
  • Payment information: processed by Stripe — we never store card details
  • Email communications: read via your connected inbox (Nylas) solely to power AI approval features
  • Usage data: pages visited, features used, and login times for product improvement

3. Why we collect it and our lawful basis

  • To provide the GemFlow service — contract necessity (UK GDPR Article 6(1)(b))
  • To send service notifications and product updates — legitimate interest (Article 6(1)(f))
  • To improve the product through usage analytics — legitimate interest
  • With your explicit consent where required by law

4. How we use your data

We use your data only to deliver and improve GemFlow. Specifically:

  • To run your studio account and serve the application
  • To power AI features via OpenAI — data is processed to provide the service and is not used to train AI models
  • To process payments via Stripe
  • To sync your calendar via Calendly
  • To send and receive emails via Nylas on your behalf

We never sell your data to third parties. We never use your clients' data for any purpose other than delivering the service to you.

5. Who we share data with

We use the following sub-processors, all bound by data processing agreements:

  • Supabase — database and file storage (EU/UK infrastructure)
  • OpenAI — AI processing for note extraction and email parsing
  • Stripe — payment processing
  • Nylas — email integration
  • Calendly — scheduling integration
  • Vercel — application hosting

6. Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict processing
  • Request a portable copy of your data
  • Withdraw consent at any time without affecting prior processing

To exercise any of these rights, email privacy@gemflow-ai.com. We will respond within 30 days.

7. Data retention

We retain your account data for as long as your account is active. When you delete your account, all personal data is permanently removed within 30 days. Anonymised usage analytics may be retained for product improvement.

8. Cookies

GemFlow uses essential cookies only — specifically for authentication and session management. We do not use advertising, tracking, or third-party analytics cookies.

9. Security

All data is encrypted in transit using TLS and encrypted at rest. We use Supabase's enterprise-grade security infrastructure. Access to personal data is restricted to authorised personnel only.

10. International transfers

Some of our sub-processors (OpenAI, Vercel) are based in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place including Standard Contractual Clauses.

11. Changes to this policy

We will notify you by email of any material changes to this policy. Continued use of GemFlow after notification constitutes acceptance.

12. Contact and complaints

For privacy enquiries: privacy@gemflow-ai.com

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.