Client Privacy Notice
Last updated September 25, 2023, v. 3.0
Introduction
GIA values the privacy of your personal data. This Client Privacy Notice (“Notice”) describes GIA’s policies and practices regarding our processing, including collection, use, and handling, of your personal data in connection with a client relationship with you or your employer (such as persons who submit gems to us for grading). This Notice is incorporated into your Client Agreement.
If you use GIA websites other than the GIA Client Portal and My Laboratory (collectively, the “GIA Client Sites”), then your use of those other GIA websites and any information that you submit to us through these other GIA websites will be governed by the GIA website Privacy Notice, and, if you are a student, by our Student Privacy Notice.
Privacy Office and Data Controller
If you have any questions or concerns about this Notice or our use of your personal data, please contact GIA’s Privacy Office.
The data controller for your personal data is the entity to which you submit your gem(s) for grading, and the Gemological Institute of America, Inc. For a complete list of locations and the respective data controllers, click here.
Interpretation and Translation
This Notice has been created, drafted and prepared in the English language. Subsequently, the English versions have been translated into different languages for convenience. In case of any discrepancy, unless otherwise prohibited by law, the English language version of this Notice shall take precedence over any translation of this Notice into any other language.
Personal Data Collection, Use and Processing
In connection with your client relationship with GIA, GIA collects personal data about you (whether online, in-person, or through other means) from the following sources: directly from you; from your employer or other entities within your organization; from our affiliated entities, including our subsidiaries and branch offices; from service providers; and automatically as you access the GIA Client Sites.
We use your personal data for the purposes described in further detail in the table below, including to facilitate your experience with GIA and to provide you with laboratory services and related products. We share your personal data with our GIA affiliated entities and others as described in this Notice. We do not share your personal data with non-affiliated entities for their own marketing purposes.
Providing your personal data is voluntary. Please note, however, that without your personal data, we may be unable to provide you with the laboratory services and related products you request.
Types of Personal Data We Collect
In connection with your or your employer’s client relationship with us, GIA collects the following categories of personal data, as permitted by applicable law:
1. Directly from Individuals Who Are Our Clients
- General contact information (title, first name, last name, home address, mailing address, phone number(s), email address)
- Business information (business name, doing business as (“DBA”), address, phone number(s), business email address, website address, principals and company officers)
- Government identifiers (driver’s license, passport, government-issued identification with photograph, tax identification number, business license number, business license document, GSTIN number with code (India only), voter registration card, permanent resident alien card, vehicle license plate number (as applicable))
- Additional information for identity verification (date of birth, residency)
- Financial information (billing information, payment information, bank account number, banking institution, payment card information, third party payer information)
- Images and recordings (call recording, electronic video and audio monitoring and surveillance, film, photographs)
- General contact information of the representative (title, first name, last name, home address, mailing address, phone number(s), personal email address)
- Business information (business name, doing business as (“DBA”), address, phone number(s), business email address, website address, beneficial owners, principals, company officers, and authorized representatives such as employees, agents, contractors, couriers or any other person(s) acting on your behalf; in some circumstances, we will obtain this information about you from a colleague who is listing you as an authorized representative at your company)
- Government identifiers (driver’s license, passport, government-issued identification with photograph, tax identification number, business license number, business license document, GSTIN number with code (India only), voter registration card, permanent resident alien card, vehicle license plate number (as applicable))
- Additional information for identity verification (date of birth, residency)
- Financial information (billing information, payment information, bank account number, banking institution, payment card information, third party payer information)
- Images and recordings (call recording, electronic video and audio monitoring and surveillance, film, photographs)
- Verification/background check services (We collect personal data from background check providers to verify your identity and credibility as well as creditworthiness)
Purposes for Which We Use Personal Data
- Review and process an account application;
- Process and administer your gem submission;
- Process, administer payments, refunds, credits;
- Assist with quality assurance, training, respond to inquiries, complaints, and provide customer service;
- Ensure that GIA provides services to individuals and entities who engage in ethical business practices, are not sanctioned individuals or entities and who comply with all applicable laws and regulations;
- Ensure compliance with applicable laws including sharing your data with law enforcement and service providers;
- Monitor compliance with our existing policies and procedures;
- Investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or violations of our Terms of Use, this Notice, or our Client Agreement where we believe it is appropriate;
- Respond to formal or informal government or regulatory body requests;
- Ensure the integrity and security of GIA’s premises and processes;
- Deliver publications and subscriptions;
- Help us determine what advertisements to direct to you, to place on our websites and where to advertise our services; and
- Direct marketing, for example, as permitted by applicable law, to send you news and newsletters, special offers and promotions, or to contact you about products or information we think may interest you in accordance with our opt in/opt out practices. We may send these communications through postal mail, electronic mail, or SMS (available in some markets only).
Client Application Process
- Purpose: For review and approval of account application.
Client Financial Services
- Purpose: To administer your account.
Security
- Purpose: To ensure the security and integrity of GIA premises and for the safety of our employees, clients, students, visitors and others; and for emergency security purposes.
- Purpose: To ensure the integrity and security of GIA’s premises and processes.
Call Recording
- Purpose: For quality assurance, training, responding to inquiries and providing customer service.
Types of information we collect include without limitation: your name and other personal data you provide during the phone call.
Persons Under the Age of Majority
If you are under the age of majority in your country (a “minor”), please do not attempt to send any information about yourself to us. In the event that we learn that we have inadvertently collected personal data from a minor without verification of parental consent, we will promptly delete that information.
Automatically Collected Data
GIA client websites (“GIA Client Sites”) collect certain information automatically and store it in log files. The information includes internet protocol (“IP”) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about your use of GIA Client Sites. We use this information to help us design our services to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer GIA Client Sites, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.
Information About Our Use of Cookies
GIA Client Sites use cookies to distinguish you from other users of these sites. This helps us provide you with a good experience when using GIA Client Sites and also allows us to improve these sites. Our Cookie Policy provides you with information about the cookies and similar technologies we use, and our purpose for using them.
Information About Our Use of Other Technologies (Web beacons, pixel tags and other technologies): Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. Clear GIFs are small pieces of code embedded invisibly on web pages, not stored on your hard drive, which often work in conjunction with cookies. We may use clear GIFs in connection with GIA Client Sites to, among other things, track the activities of users, help us manage content and compile statistics about use of these sites. We and our service providers also use web beacons in HTML emails to you to help us track email response rates, measure the success of our marketing campaigns, identify when our emails are viewed and track whether our emails are forwarded.
Analytics: We work with service providers (including Google Analytics and Flurry) who conduct analytics to help us track and understand how visitors use GIA Client Sites. If you prefer not to participate in Flurry, please follow the instructions provided at http://www.flurry.com/. Google Analytics is a web analytics service provided by Google that uses cookies to help us analyze how users use GIA Client Sites. The information generated by the cookies about your use of the services will be transmitted to and stored by Google on servers in the United States. If you access the GIA Client Sites through different devices, Google may associate your devices with one another. Google has developed the Google Analytics opt-out browser add-on for the Google Analytics JavaScript (ga.js, analytics.js, dc.js). You can prevent Google’s collection and use of the data it collects as defined in its policy by downloading and installing this browser plug-in: https://tools.google.com/dlpage/gaoptout?hl=en-GB. For more information about Google Analytics cookies, please see Google’s help pages (https://support.google.com/analytics/answer/6004245) and privacy policy (https://www.google.com/intl/en/policies/privacy/).
Do Not Track: Currently, our systems do not recognize browser “do not track” requests. You may however disable certain tracking as discussed in our Cookie Policy.
Opting In and Out of Email and SMS Marketing Communications
In certain cases, we may send you marketing communications via direct mail, email or SMS (available in select markets only) about GIA’s various products, services, newsletters or general updates of GIA and GIA affiliated entities. For email and SMS, we may send these communications when we have obtained your electronic contact details in the context of the sale of our goods or services or with your opt-in consent. These marketing communications relate to our gem grading products and services. In other cases, we may also ask you to consent to receiving our marketing communications, which you can freely withdraw. If you no longer wish to receive marketing and promotional communications from us, you may opt out by emailing our Privacy Office or as follows: email: click the “unsubscribe” option; SMS: text STOP in response to the text message. If you opt out of receiving marketing communications from us, please note that we will continue to communicate with you if such is necessary for the performance of the contract between us and you or your employer (i.e., our client) (e.g., communications regarding your ongoing relationship and for customer service related purposes).
Retention of Personal Data
As a general matter, we do not retain personal data for longer than is required or appropriate for the purposes for which it was collected, unless a longer or shorter period is necessary for our legal obligations, or customs of the industry, or to defend a legal claim, or to comply with legal, accounting, regulatory or reporting requirements, and consistent with applicable law.
Security of Personal Data
We take reasonable steps to protect your personal data by using technical, physical and organizational measures that are designed to protect against unauthorized or unlawful use, alteration, unauthorized access or disclosure, accidental or wrongful destruction, and loss. We also take steps to limit access to your personal data to those persons who need to have access to it for one of the purposes listed in this Notice.
Disclosure, Transfer and Storage of Personal Data
We share and jointly use your personal data (please see “Types of Personal Data We Collect” regarding the types of personal data we jointly use) with other GIA affiliated entities for the following purposes: to assist us in performing the services that you have requested, which may include transferring your gem to a different location for grading purposes; for billing and collections; to host your data; to assist us in our marketing efforts; to assist us in performing our legal compliance obligations, such as validating your ability to do business with us; to protect our rights and property and the rights and property of others; and for any other purpose as set forth in this Notice and permitted by applicable law. The data controller will be responsible for your personal data jointly used with other GIA affiliated entities. Depending upon where you submit your gem(s) for grading, all of your personal data will be transferred to and stored in either our India or United States location. We will rely on agreements based on the standard contractual clauses to validly transfer your personal data to these countries, which are located outside the European Economic Area.
We also share your personal data with non-affiliated vendors and suppliers that provide products and services to GIA or its affiliated entities (e.g., payment processing, transmission of marketing emails, web hosting, couriers, your authorized representatives). These entities do not use your information for their own purposes, including marketing purposes, but rather act on the instructions of GIA. As an example of our sharing with third party service providers, we may disclose certain information (such as your email address) with non-affiliated parties such as Facebook (more information on Facebook Custom Audience here or see above) so that we can better target ads and content to you, and others with similar interests on these non-affiliated parties’ platforms or networks (“Custom Audiences”).
We may also work with ad networks and marketing platforms that enable us and other participants to target ads to Custom Audiences submitted by us and others. To opt out of being included in our Custom Audiences going forward, email us at privacy@gia.edu.
We may also disclose your personal data to another entity in connection with, including during negotiations of, an acquisition or merger, sale or transfer of a business unit or assets, bankruptcy proceeding, or as part of any other similar business transfer. We may also disclose your personal data when we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of this Notice. GIA may also make personal data available to other parties such as legal and regulatory authorities and law enforcement upon their request and/or where we believe appropriate to do so. When transferring personal data to GIA affiliated entities and non-affiliated entities (which may be located outside the country in which your personal data was collected and may not guarantee the same level of protection) we have executed legally necessary contracts with the recipients of your data.
Updates to this Notice
GIA may amend this Notice from time to time as laws change; and as our organization, products and services change. The revisions will take effect on the publication date of the amended Notice, as stated, and supersede all previous Notices regarding our privacy practices. Unless prohibited by applicable law, we reserve the right to amend the Notice at any time, for any reason, without notice to you, other than the posting of the amended Notice at this site.
Rights of California Residents
Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information regarding the types of personal information the business shares with third parties for direct marketing purposes by such third party, and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year. To see a copy of the information disclosure provided by GIA pursuant to Section 1798.83 of the California Civil Code, please contact GIA using one of the methods described in this Notice.
California Automated License Plate Recognition (“ALPR”) Usage
GIA’s employees and contractors responsible for physical security use ALPR technology (the “ALPR Technology”) as vehicles enter and pass through the GIA campus in Carlsbad, California. The ALPR Technology enables automated detection of vehicle information, including license plate details. The ALPR Technology and the data it collects (the “ALPR Data”) is accessed and used by GIA employees and contractors who are responsible for managing physical security at the GIA campus. ALPR Technology and ALPR Data is used for purposes of restricting access to authorized vehicles and maintaining the safety and security of the GIA campus. Relevant GIA employees and contractors are trained to use ALPR Technology and ALPR Data in a manner that complies with this Privacy Notice and applicable law. ALPR Data may be shared with law enforcement. ALPR Data is not sold by GIA. Use of ALPR Technology and ALPR Data is monitored by GIA’s legal, information security, and compliance functions for purposes of security and compliance with applicable law. GIA deploys security measures in alignment with its company security policies that are designed to maintain the accuracy of ALPR Data. GIA will correct known errors in the ALPR Data. ALPR Data will be retained by GIA in accordance with its record retention policies, and GIA will refer to applicable legal requirements in order to determine when to destroy retained ALPR Data. The title of the official custodian of the ALPR Technology at GIA responsible for implementing this section of the Privacy Notice is the Sr. Manager, Security Operations.
Additional Information for Residents of the European Union (“EU”), or where applicable and required by the laws of your jurisdiction
To the extent the GDPR or other law granting particular rights to data subjects applies to you, you have the following rights with regard to our processing of your personal data:
- Right to access, correct and delete your personal data: GIA will use reasonable measures designed to ensure that all personal data is correct. You also have a responsibility to ensure that changes in personal circumstances (for example, change of address, bank account, etc.) are notified to GIA so that we can ensure that your personal data is up-to-date.
- Right to withdraw consent: In the event your personal data is processed on the basis of your consent, you have the right to withdraw consent at any time by sending an email to Privacy Office specifying your request, without affecting the lawfulness of processing based on consent before its withdrawal.
- Data portability: To the extent that we use your personal data on the basis of consent for the performance of a contract and that personal data is processed by automatic means, you have the right to receive all such personal data that you have provided to GIA in a structured, commonly used and machine-readable format, and also to require us to transmit it to another data controller where this is technically feasible.
- Right to restrict personal data use: You have the right to restrict our use of your personal data where (i) you contest the accuracy of the personal data; (ii) the use is unlawful but you do not want us to erase the personal data; (iii) we no longer need the personal data for the relevant purposes, but you require it for the establishment, exercise or defense of legal claims; or (iv) you have objected to our personal data use justified on our legitimate interests pending verification as to whether GIA has indeed compelling interests to continue the relevant personal data use.
- Lodge a complaint: You also have the right to lodge a complaint with a supervisory authority, in particular in your country of residence, if you consider that the collection and use of your personal data violates this Notice or applicable law.
Legal Bases We Rely on When Processing Your Personal Data
Where EU data protection law applies, and where applicable under other applicable data protection laws, we process your personal data for the purposes set out in Appendix A, under the following legal bases:
- Our Contract With You. Our processing is necessary to perform our obligations under a contract with you or to perform steps requested by you prior to entering into a contract with you (e.g., to verify the information you have provided to us).
- Our Legitimate Interests. Our processing is necessary for our legitimate interests, including to protect the security of our services; to protect the health and safety of you or others; to establish, protect and defend our legal rights and interests; to prevent fraud and verify identity and authorization of clients; to understand and analyze usage trends; and to improve our products and services.
- Legal Compliance. Where our processing is required to comply with applicable law (for example, to maintain your payment transaction history for tax reporting purposes): e.g., in response to subpoenas, court orders and other lawful requests by regulators, courts and law enforcement agencies, or related to national security requests.
- Your Consent. When we have your express consent as defined by applicable law.
Please note that certain personal data may be exempt from the requests described above pursuant to applicable laws, and that certain rights may only be exercisable in certain jurisdictions, in accordance with applicable laws. If you have any questions or concerns about this Notice or our use of your personal data, please contact GIA’s Privacy Office or, if you are located in India, our Grievance Officer, and if you are located in South Africa, our Information Officer, at any time. In your local jurisdiction, you may also have the right to lodge a complaint with a supervisory authority if you consider that our processing of your personal data violates applicable law.
Appendix A: Our Purposes and Legal Bases for Processing Personal Data of Individuals Located in the European Union

| Our Processing Purpose(s) | Our Legal Bases in the EU |
| --- | --- |
| Providing Support and Services | To perform our contract with you or take steps to enter into a contract with you; Our Legitimate Interest |
| Verification | To perform our contract with you or take steps to enter into a contract with you; Our Legitimate Interest |
| Personalize Services and Ads | Our Legitimate Interest; Your Consent (for online advertising) |
| Marketing and Promotions | Our Legitimate Interest; Your Consent (where you have opted-in) |
| Legal Compliance | Comply with Law; Our Legitimate Interests |
| Protect Legal Rights and Prevent Misuse | Our Legitimate Interests; To perform our contract with you or take steps to enter into a contract with you |
| General Business Operations | Our Legitimate Interests; Legal Obligation |