1. INTRODUCTION
This Privacy Policy describes how Gem4me Development Ltd ("Company", "we", "us", or "our") collects, uses, stores, and protects personal data in connection with the website https://gem.team/ (the "Website") and related services.
This Privacy Policy is prepared in compliance with the applicable laws of the Republic of Mauritius, including the Data Protection Act 2017 ("DPA 2017") and regulations made thereunder, as well as internationally recognized data protection standards.
The Company is committed to handling personal data in a transparent, secure, and lawful manner. We collect minimal personal data necessary for our legitimate business purposes and implement appropriate technical and organizational measures to protect the integrity and confidentiality of such data.
This Privacy Policy applies to all users of the Website https://gem.team/ and explains: the identity of the data controller; the types of personal data collected and the purposes of processing; the legal bases for processing; how data is securely stored and with whom it may be shared; data retention periods; your rights as a data subject; cross-border data transfers; and how to contact us regarding data protection matters.
2. DATA CONTROLLER
For the purposes of the DPA 2017 and this Privacy Policy, the data controller responsible for your personal data is:
Gem4me Development Ltd
Company Registration Number: C199162
Date of Incorporation: 24 July 2023
Category: Global Business Company, Limited by Shares
Registered Office Address:
Premier Financial Services Limited
Premier Business Centre, 10th Floor
Sterling Tower, 14 Poudriere Street
Port Louis, Mauritius
Email: support@gem.team
As the data controller, the Company determines the purposes and means of processing personal data and is responsible for ensuring compliance with applicable data protection laws.
3. SCOPE OF APPLICATION
This Privacy Policy applies to all personal data processed by the Company in connection with the Website https://gem.team/ including, but not limited to:
(a) Personal data provided by users through the Website's contact forms, registration forms, or other interactive features;
(b) Personal data collected automatically when users access or use the Website;
(c) Personal data received from third-party sources in connection with the Website services.
This Privacy Policy does not apply to third-party websites that may be linked from the Website. Users are encouraged to review the privacy policies of any third-party websites they visit.
4. CATEGORIES OF PERSONAL DATA COLLECTED
In accordance with the data minimization principle under Section 21 of the DPA 2017 (Principles relating to processing of personal data), the Company collects only the personal data that is adequate, relevant, and limited to what is necessary for the purposes of processing. We collect the following categories of personal data:
4.1 Information Provided Directly by Users
Through the Website's contact form and other interactive features, we may collect: full name; email address; job title or position; company or organization name; telephone number (if provided); and the content of messages or inquiries submitted.
4.2 Information Collected Automatically
When users access the Website, our server-side logging systems may automatically collect: IP address; browser type and version; operating system; device type; date and time of access; pages viewed and links clicked; referring website or source; and general geographic location (country/city level) derived from IP address. This information is collected through server logs and does not rely on client-side tracking technologies.
4.3 Information from Third Parties
We may receive aggregated, anonymized statistical information from third-party service providers (such as hosting or CDN providers) to help us understand Website performance and usage patterns. Such information does not identify individual users.
5. LEGAL BASES FOR PROCESSING
In accordance with Section 28 of the DPA 2017 (Lawful processing), the Company processes personal data only where there is a lawful basis for doing so. The legal bases upon which we rely are as follows:
5.1 Consent (Section 28(1)(a) DPA 2017)
Where you have provided your explicit, informed, and freely given consent to the processing of your personal data for one or more specific purposes, in accordance with the conditions set out in Section 24 of the DPA 2017 (Conditions for consent). This applies specifically to marketing communications and newsletters. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
5.2 Performance of a Contract or Pre-Contractual Steps (Section 28(1)(b)(i) DPA 2017)
Where processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. This includes processing contact form submissions to respond to your inquiries about our services.
5.3 Legal Obligation (Section 28(1)(b)(ii) DPA 2017)
Where processing is necessary for compliance with a legal obligation to which the Company is subject under Mauritian law or other applicable legislation.
5.4 Legitimate Interests (Section 28(1)(b)(vii) DPA 2017)
Where processing is necessary for the purposes of legitimate interests pursued by the Company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Our legitimate interests include: ensuring the security and proper functioning of the Website; analyzing Website usage through server logs to improve our services; preventing fraud and unauthorized access; responding to general inquiries submitted through the contact form; and conducting business communications.
6. PURPOSES OF DATA PROCESSING
The Company processes personal data for the following specific purposes:
6.1 Communication and Inquiry Response: To respond to inquiries submitted through the Website, provide requested information, and maintain communication with users interested in our services. Legal basis: pre-contractual steps (Section 28(1)(b)(i)) or legitimate interests (Section 28(1)(b)(vii)).
6.2 Service Provision: To provide, maintain, and improve the services offered through the Website. Legal basis: contract performance (Section 28(1)(b)(i)) or legitimate interests (Section 28(1)(b)(vii)).
6.3 Website Functionality and Improvement: To analyze user interactions with the Website through server logs, identify areas for improvement, optimize user experience, and ensure content relevance. Legal basis: legitimate interests (Section 28(1)(b)(vii)).
6.4 Security: To detect, prevent, and respond to potential security threats, protect the Website and users from unauthorized access, and maintain the integrity of our systems. Legal basis: legitimate interests (Section 28(1)(b)(vii)) and legal obligation (Section 28(1)(b)(ii)).
6.5 Legal Compliance: To comply with applicable legal and regulatory requirements, respond to lawful requests from authorities, and establish, exercise, or defend legal claims. Legal basis: legal obligation (Section 28(1)(b)(ii)).
6.6 Marketing Communications: With your explicit consent only, to send marketing communications about our products and services. You may opt out of such communications at any time by using the unsubscribe link included in each marketing email or by contacting us at support@gem.team. Legal basis: consent (Section 28(1)(a)).
The Company will not process personal data for purposes incompatible with those for which the data was originally collected, unless we have obtained your consent or have another lawful basis for such processing.
7. DATA RETENTION
In accordance with the storage limitation principle under Section 21 of the DPA 2017, the Company retains personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:
Contact and Communication Data: Personal data collected through the Website's contact form (name, email address, company name, inquiry content) is retained for up to two (2) years from the date of the last interaction or until you request deletion, whichever occurs first.
Technical and Usage Data: Automatically collected data (IP addresses, device information, server logs) is retained for up to one (1) year for security and analytics purposes.
Legal and Regulatory Retention: Where required by Mauritian law or other applicable legislation, certain data may be retained for longer periods. If applicable, extended retention periods (up to seven (7) years) may apply only where the Company provides regulated services subject to anti-money laundering, financial reporting, tax, or accounting obligations, and only to data collected in connection with such regulated services — not to general Website contact form data or technical logs. Such extended retention may also apply where data is required for ongoing legal proceedings or potential disputes.
Data Deletion and Anonymization: Upon expiration of the applicable retention period, or upon valid request for deletion, personal data will be securely deleted or irreversibly anonymized in accordance with Section 27 of the DPA 2017 (Duty to destroy personal data).
8. DATA SHARING AND DISCLOSURE
The Company does not sell, rent, or trade personal data to third parties. We may share personal data only in the following circumstances:
8.1 Service Providers
We may engage trusted third-party service providers to perform functions on our behalf. Categories of recipients include: hosting and infrastructure providers; CDN and WAF (web application firewall) providers; email service providers; and customer support vendors (if any). Such providers are contractually bound to process personal data only on our instructions and in accordance with this Privacy Policy and applicable data protection laws.
8.2 Legal Requirements
We may disclose personal data where required by law, regulation, or legal process, including: in response to lawful requests from law enforcement, regulatory authorities, or courts; to comply with legal obligations under Mauritian law; to protect the rights, property, or safety of the Company, our users, or the public; and to prevent or investigate possible wrongdoing.
8.3 Corporate Transactions
In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred as part of such transaction. Where feasible and permitted by law, we will notify affected users of any change in data controller and provide the opportunity to object to the transfer or request deletion of data in accordance with applicable law.
8.4 With Consent
We may share personal data with third parties where you have provided explicit consent for such sharing.
9. CROSS-BORDER DATA TRANSFERS
In accordance with Section 36 of the DPA 2017 (Transfer of personal data outside Mauritius), the Company may transfer personal data outside of Mauritius only where appropriate safeguards are in place. Such transfers may occur when:
(a) The recipient country has been determined to provide an adequate level of data protection;
(b) The transfer is subject to appropriate safeguards, such as standard contractual clauses, binding corporate rules, or other approved mechanisms;
(c) The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
(d) You have explicitly consented to the transfer after being informed of the potential risks; or
(e) The transfer is otherwise permitted under the DPA 2017.
Where personal data is transferred outside Mauritius, we implement additional technical and organizational measures to ensure the continued protection of your data.
10. YOUR RIGHTS AS A DATA SUBJECT
Under Part VII of the DPA 2017 (Rights of Data Subjects), you have the following rights with respect to your personal data:
Right of Access (Section 37 DPA 2017): You have the right to obtain confirmation as to whether your personal data is being processed, access to such data, and information about the purposes of processing, categories of data, recipients, and retention periods.
Right Not to Be Subject to Automated Decision-Making (Section 38 DPA 2017): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you, except where such decision is necessary for a contract, authorized by law, or based on your explicit consent. The Company does not engage in automated decision-making or profiling that produces legal effects concerning Website users.
Right to Rectification, Erasure or Restriction of Processing (Section 39 DPA 2017): You have the right to request: (a) correction of inaccurate personal data and completion of incomplete data; (b) deletion of your personal data where the data is no longer necessary for the purposes for which it was collected, you withdraw consent (where consent is the basis for processing), you object to processing and there are no overriding legitimate grounds, the data has been unlawfully processed, or deletion is required for compliance with a legal obligation; (c) restriction of processing where you contest the accuracy of the data, the processing is unlawful but you oppose deletion, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of legitimate grounds.
Right to Object (Section 40 DPA 2017): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing. Where you object on other grounds, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent: Where processing is based on consent (such as for marketing communications), you may withdraw your consent at any time in accordance with Section 24 of the DPA 2017. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
To exercise any of these rights, please contact us using the details provided in Section 16 (Contact Information) of this Privacy Policy. In accordance with Section 41 of the DPA 2017 (Exercise of rights), we will respond to your request within thirty (30) days. We may extend this period where permitted by applicable law (for example, in case of complex or numerous requests), and we will inform you of any extension and the reasons for it. We may request verification of your identity before processing your request.
Note: Certain additional rights, including the right to data portability, may apply under the GDPR where applicable. Please refer to Section 15 (Additional Terms for European Union Citizens) for details.
11. CHILDREN'S PRIVACY
The Website and our services are not intended for children. For the purposes of this Privacy Policy:
(a) As a matter of internal policy, we do not target or intentionally collect personal data from individuals under the age of eighteen (18) years. If you are under 18, please do not submit personal data via the Website.
(b) Under applicable data protection laws, including Section 30 of the DPA 2017 (Personal data of child), where the processing of personal data is based on consent and relates to a child under the age of sixteen (16) years, such processing is lawful only if consent is given or authorized by the holder of parental responsibility over the child.
If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete such data as soon as practicable. If you believe that a child has provided personal data to us, please contact us immediately using the details provided in Section 16 (Contact Information).
12. USE OF COOKIES AND SIMILAR TECHNOLOGIES
We do not use marketing, advertising, or analytics cookies on the Website. As of the Effective Date of this Privacy Policy, we do not intentionally deploy any first-party cookies or similar client-side tracking technologies that are not strictly necessary for the operation of the Website.
The Website operates using the following technical mechanisms:
Server-side logging: Our servers automatically record certain information (as described in Section 4.2) when you access the Website. This logging occurs entirely on our servers and does not place any cookies or tracking identifiers on your device.
Infrastructure and security providers: Our hosting, content delivery network (CDN), and web application firewall (WAF) providers may set strictly necessary technical cookies solely for security and performance purposes (such as anti-bot protection, DDoS mitigation, or load balancing). These are not used for tracking, analytics, or marketing. Any data collected by these providers is processed in accordance with their privacy policies and our data processing agreements.
If we decide to implement additional cookies or similar technologies in the future, we will: update this Privacy Policy to provide detailed information about the types of cookies used and their purposes; implement appropriate consent mechanisms where required by law; and provide you with the ability to manage your cookie preferences.
13. DATA SECURITY
In accordance with Section 31 of the DPA 2017 (Security of processing), the Company implements appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Our security measures include:
Encryption: Personal data is encrypted during transmission using TLS/SSL protocols. Where appropriate and technically feasible, data at rest is protected using industry-standard encryption or equivalent security measures provided by our infrastructure providers.
Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. All personnel with access to personal data are subject to confidentiality obligations.
Network Security: We employ firewalls, intrusion detection and prevention systems, and secure network architecture to protect our systems from unauthorized access.
Regular Assessments: We conduct regular security assessments, vulnerability scans, and audits to identify and address potential security risks.
Backup and Recovery: We maintain regular data backups and disaster recovery procedures to ensure data availability and integrity.
Staff Training: Our personnel receive regular training on data protection and security practices.
While we strive to implement and maintain robust security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of personal data.
14. DATA BREACH NOTIFICATION
In accordance with Sections 25 and 26 of the DPA 2017, in the event of a personal data breach, the Company will take the following actions:
Notification to the Data Protection Commissioner (Section 25 DPA 2017): Where a personal data breach has occurred, we will notify the Data Protection Commissioner without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Where notification is not made within 72 hours, we will provide reasons for the delay.
Communication to Data Subjects (Section 26 DPA 2017): Where the breach is likely to result in a high risk to your rights and freedoms, we will communicate the personal data breach to you without undue delay, unless: appropriate technical and organizational protection measures were applied to the affected data (such as encryption); subsequent measures have been taken to ensure the high risk is no longer likely to materialize; or notification would involve disproportionate effort, in which case a public communication or similar measure will be used.
Documentation: We will document all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken.
15. ADDITIONAL TERMS FOR EUROPEAN UNION (EU) CITIZENS
The Company recognizes the importance of protecting the personal data of European Union citizens and is committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") where GDPR applies pursuant to Article 3 GDPR (territorial scope). GDPR may apply where we offer services to individuals in the EU/EEA or monitor their behavior within the EU/EEA. This section provides additional information for EU users whose personal data is subject to GDPR.
Legal Bases Under GDPR: We process personal data of EU residents on the following legal bases: consent (Article 6(1)(a) GDPR) — for marketing communications only; performance of a contract or pre-contractual steps (Article 6(1)(b) GDPR) — for responding to inquiries and providing services; legal obligation (Article 6(1)(c) GDPR); and legitimate interests (Article 6(1)(f) GDPR) — for Website security, server log analytics, and general business communications.
Your Rights Under GDPR: EU residents have the rights specified under Articles 15-22 of the GDPR, including: the right of access (Article 15); right to rectification (Article 16); right to erasure / right to be forgotten (Article 17); right to restriction of processing (Article 18); right to data portability (Article 20); right to object (Article 21); and rights related to automated decision-making and profiling (Article 22).
Right to Data Portability: Under Article 20 of the GDPR, where processing is based on consent or contract and carried out by automated means, EU residents have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. Note: This right is provided under GDPR and is not separately available under the Mauritius DPA 2017.
International Data Transfers: Where your personal data is transferred outside the European Economic Area, we ensure adequate protection through: transfers to countries with an adequacy decision from the European Commission; use of Standard Contractual Clauses (SCCs) adopted by the European Commission; or other appropriate safeguards as required by the GDPR.
Children's Data Under GDPR: For EU residents, where consent is required for data processing in relation to information society services, we do not knowingly process personal data of children under the age of 16, or such lower age (not below 13) as may be permitted by applicable EU Member State law pursuant to Article 8 GDPR.
Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
Data Protection Officer: The Company has not appointed a Data Protection Officer as it is not required to do so under Article 37 GDPR. All data protection inquiries and requests are handled via the contact details provided in Section 16 (Contact Information).
16. CONTACT INFORMATION
If you have any questions or concerns regarding this Privacy Policy, the processing of your personal data, or wish to exercise your rights as a data subject, please contact us at:
Gem4me Development Ltd
Premier Financial Services Limited
Premier Business Centre, 10th Floor
Sterling Tower, 14 Poudriere Street
Port Louis, Mauritius
Email: support@gem.team
Website: https://gem.team/
We are committed to responding to all inquiries and requests within thirty (30) days. We may extend this period where permitted by applicable law (for example, in case of complex or numerous requests), and we will inform you of any extension and the reasons for it.
Complaints to the Data Protection Commissioner: If you believe that your data protection rights have been violated, you have the right to file a complaint with the Data Protection Office of Mauritius:
Data Protection Office
5th Floor, SICOM Tower
Wall Street, Ebene
Republic of Mauritius
Email: dpo@govmu.org
Website: https://dataprotection.govmu.org/
17. GOVERNING LAW AND JURISDICTION
This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of Mauritius, including the Data Protection Act 2017 and any regulations, guidelines, or directives issued thereunder.
Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Mauritius, without prejudice to your right to lodge a complaint with the Data Protection Commissioner or, where applicable, a supervisory authority in your country of residence.
18. UPDATES TO THIS PRIVACY POLICY
The Company reserves the right to modify or update this Privacy Policy at any time to reflect changes in our practices, legal requirements, or operational needs. Any updates will be posted on the Website with a revised "Effective Date."
For material changes that significantly affect how we process personal data, we will provide prominent notice on the Website and, where feasible and appropriate, notify you by email prior to the changes taking effect.
Your continued use of the Website after the posting of changes constitutes your acknowledgment and acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically to stay informed about our data protection practices.
19. LANGUAGE
This Privacy Policy is drafted in English. If this Privacy Policy is translated into any other language for convenience, the English version shall prevail in the event of any inconsistency or conflict.
Effective Date: January 14, 2026
Last Updated: January 14, 2026