Privacy Policy
Your privacy matters to us. This policy explains what personal data we collect, why we collect it, and how we protect it — in plain language, in full compliance with GDPR and Belgian law.
Last updated: May 2026
Table of Contents
- 1. Who We Are
- 2. What Data We Collect
- 3. How We Use Your Data & Legal Basis
- 4. How Long We Keep Your Data
- 5. Who We Share Your Data With
- 6. International Data Transfers
- 7. Cookies & Tracking
- 8. Your Rights
- 9. Data Security
- 10. Children
- 11. Changes to This Policy
- 12. Contact & Complaints
This Privacy Policy applies to all personal data processed by Diamantwerp (V&V Diamonds BV) in connection with the use of diamantwerp.be and the purchase of products. It is drafted in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the Belgian Data Protection Act of 30 July 2018. Our Cookie Policy forms part of this Privacy Policy.
1. Who We Are
Diamantwerp is the data controller responsible for the personal data collected through diamantwerp.be. We determine the purposes and means of data processing and are accountable under GDPR.
Data Controller: Diamantwerp (trading name of V&V Diamonds BV)
Legal form: Private Limited Company (BV / Besloten Vennootschap)
Registered address: Pelikaanstraat 62, 2018 Antwerp, Belgium
VAT number: BE 0455.839.919
Email: questions@diamantwerp.be
Phone: +32 471 01 79 97
We do not have a formally designated Data Protection Officer (DPO), as we do not meet the thresholds under Article 37 GDPR that require mandatory DPO appointment. For all data protection enquiries, please contact us directly at the address above.
2. What Data We Collect
We collect only the personal data that is necessary for the purposes described in this policy. We never collect more data than we need.
Data you provide directly
- Identity data: First name, last name, company name (if applicable).
- Contact data: Email address, telephone number, billing and delivery address.
- Transaction data: Details of products purchased, order history, invoice data, certificate numbers of diamonds purchased.
- Payment data: Payment method, transaction reference. We do not store credit card numbers — card payments are processed exclusively by our third-party payment provider (Stripe/Mollie).
- Communication data: Messages sent via our contact form, email, or live chat; enquiries about specific diamonds.
- Marketing preferences: Newsletter subscription status, email communication preferences (collected via MailerLite).
- Identity verification data: For transactions exceeding €10,000, we may collect a copy of a government-issued identity document, in compliance with Belgian anti-money laundering legislation (AML/CFT — Belgian Act of 18 September 2017).
Data collected automatically
- Technical data: IP address (anonymised), browser type and version, operating system, device type.
- Usage data: Pages visited, time and date of visit, session duration, referring URL, language preference.
- Cookie data: See our Cookie Policy for full details.
Special category data: We do not intentionally collect sensitive personal data (health data, biometric data, racial or ethnic origin, political opinions, etc.). If you voluntarily provide such information in a message, we process it only to respond to your enquiry and do not store it beyond what is necessary.
3. How We Use Your Data & Legal Basis
Under GDPR, every processing activity must have a lawful basis. We process your personal data on the following grounds:
Order fulfilment & contract performance — Art. 6(1)(b) GDPR
Processing your order, arranging payment and delivery, issuing invoices, managing returns, and communicating with you about your purchase. This is necessary to perform the contract with you.
Legal obligations — Art. 6(1)(c) GDPR
Retaining invoices and accounting records (Belgian Companies and Associations Code — 7 years). Identity verification for transactions above €10,000 (Belgian AML Act of 18 September 2017). Responding to lawful requests from regulatory authorities or courts.
Legitimate interests — Art. 6(1)(f) GDPR
Fraud prevention and website security. Improving our website through anonymised analytics (Google Analytics 4 with IP anonymisation). Managing customer enquiries and post-sale communication. Detecting and preventing misuse of our services. Our legitimate interests do not override your fundamental rights and freedoms.
Consent — Art. 6(1)(a) GDPR
Sending marketing emails and newsletters (MailerLite) — only to subscribers who have explicitly opted in. Placing non-essential cookies (analytical, functional, marketing) — only after you accept via our cookie banner. You may withdraw consent at any time without affecting the lawfulness of prior processing.
4. How Long We Keep Your Data
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.
| Data type | Retention period | Reason |
|---|---|---|
| Order & invoice data | 7 years | Belgian accounting law |
| Customer account data | Duration of account + 2 years | Legal guarantee period |
| Identity verification (AML) | 5 years after transaction | Belgian AML Act |
| Newsletter subscribers | Until unsubscribe + 1 year | Consent-based |
| Contact form / enquiries | 2 years | Legitimate interest |
| Analytics data (GA4) | 14 months (GA4 default) | Anonymised, aggregated |
| Website log files | 90 days | Security / fraud prevention |
After the applicable retention period expires, data is securely deleted or anonymised in a way that makes re-identification impossible.
5. Who We Share Your Data With
We do not sell, rent, or trade your personal data. We share data only where necessary, with carefully selected processors and partners who are contractually bound to protect your data.
Payment processing — Mollie / Stripe
Processes card payments, Bancontact, and Apple Pay transactions. Receives name, billing address, email, and transaction amount. Does not store full card details on our behalf.
Delivery / insured courier
Receives name, delivery address, and phone number for the purpose of delivering your order. Specific courier selected per shipment based on destination and insurance requirements.
Website hosting — Combell NV
Our website is hosted on Combell shared hosting infrastructure (Belgium). Combell processes technical data (IP addresses, log files) as a data processor under a Data Processing Agreement.
Email marketing — MailerLite UAB
Processes name and email address for newsletter subscribers. Used only for subscribers who have given explicit consent. MailerLite is GDPR-compliant and processes data within the EU/EEA.
Website analytics — Google Ireland Ltd (GA4)
Processes anonymised usage data (IP anonymisation enabled). Data is used solely to understand aggregate website behaviour. Subject to Google's data processing terms.
Live chat — Chatbase
Processes chat conversation content for the purpose of providing customer support. Conversations may be stored by Chatbase in accordance with their privacy policy.
Diamond sourcing — Rapnet / Rapaport Group
Our diamond inventory is sourced via Rapnet, the international diamond trading network. Order-related data (stone specifications, certificate numbers) may be shared with wholesale suppliers for fulfilment purposes. No personal customer data is shared with Rapnet suppliers beyond what is strictly necessary.
Legal & regulatory authorities
We may share personal data with law enforcement, regulatory authorities, or courts where required by law — including in connection with our AML/CFT obligations under the Belgian Act of 18 September 2017.
Data Processing Agreements: Where required by GDPR Article 28, we have entered into Data Processing Agreements (DPAs) with our processors. These agreements ensure that processors apply appropriate security measures and process data only on our documented instructions.
6. International Data Transfers
Some of our third-party processors may transfer or store personal data outside the European Economic Area (EEA). Where such transfers occur, we ensure they are protected by appropriate safeguards:
- Adequacy decisions: Transfers to countries recognised by the European Commission as providing an adequate level of data protection.
- Standard Contractual Clauses (SCCs): EU-approved contractual clauses that impose GDPR-equivalent obligations on the recipient.
- EU-US Data Privacy Framework: For processors established in the United States who are certified under the EU-US Data Privacy Framework (DPF).
Google (GA4) and Meta (Pixel) may transfer data to the United States under Standard Contractual Clauses and/or the EU-US DPF. You may request information about the specific safeguards in place for any transfer by contacting us at questions@diamantwerp.be.
7. Cookies & Tracking
Our website uses cookies and similar tracking technologies. A detailed overview of which cookies we use, their purpose, duration, and how to manage them is provided in our dedicated Cookie Policy.
In summary, we use:
- Essential cookies — required for the website and webshop to function (no consent required)
- Analytical cookies — Google Analytics 4 (anonymised, consent required)
- Functional cookies — Chatbase live chat (consent required)
- Marketing cookies — Meta Pixel, MailerLite (consent required)
You can manage your cookie preferences at any time via the cookie settings link in the footer of our website.
8. Your Rights
Under GDPR, you have the following rights in relation to your personal data. We will respond to all verified requests within one month (extendable by two months for complex requests, with prior notice).
Right of access (Art. 15 GDPR)
You may request a copy of the personal data we hold about you, along with information about how it is used, where it comes from, and with whom it is shared.
Right to rectification (Art. 16 GDPR)
You may request correction of inaccurate or incomplete personal data we hold about you.
Right to erasure — "right to be forgotten" (Art. 17 GDPR)
You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where processing is unlawful. This right is subject to legal retention obligations (e.g. invoices must be kept for 7 years).
Right to restriction of processing (Art. 18 GDPR)
You may request that we limit the processing of your data in certain circumstances — for example, while a dispute about accuracy is being resolved.
Right to data portability (Art. 20 GDPR)
Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format for transfer to another controller.
Right to object (Art. 21 GDPR)
You may object at any time to processing based on legitimate interests, including profiling. You have an absolute right to object to direct marketing — including the withdrawal of newsletter consent.
Right to withdraw consent (Art. 7(3) GDPR)
Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. To unsubscribe from our newsletter, use the unsubscribe link in any email or contact us directly.
How to exercise your rights: Send a written request to questions@diamantwerp.be. We may ask you to verify your identity before processing the request. We will not charge a fee for reasonable requests. If we cannot fulfil a request (e.g. due to a legal retention obligation), we will explain why.
9. Data Security
We take the security of your personal data seriously. Diamantwerp implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- SSL/TLS encryption for all data transmitted between your browser and our website (HTTPS)
- Secure hosting on Combell infrastructure with access controls and regular backups
- Access to personal data limited to staff who need it to perform their duties
- Payment data handled exclusively by PCI-DSS-compliant third-party payment processors — we never store card details
- Regular review of security practices and third-party processor compliance
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours and, where required, inform affected individuals without undue delay.
10. Children
Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from minors. If you believe that a child under 16 has provided us with personal data without parental consent, please contact us at questions@diamantwerp.be and we will delete the data promptly.
↑ back to contents
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The date of the most recent revision is always displayed at the top of this page.
For material changes that significantly affect how we process your data, we will notify you by email (where we hold your email address) or via a prominent notice on our website. We encourage you to review this policy periodically.
12. Contact & Complaints
Contact us
For any questions, requests, or concerns about this Privacy Policy or the way we process your personal data, please contact us directly:
Diamantwerp (trading name of V&V Diamonds BV)
Email: questions@diamantwerp.be
Phone / WhatsApp: +32 471 01 79 97
Address: Pelikaanstraat 62, 2018 Antwerp, Belgium
Lodge a complaint
If you believe your data protection rights have been violated and we have not been able to resolve the issue to your satisfaction, you have the right to lodge a complaint with the Belgian supervisory authority:
Gegevensbeschermingsautoriteit (GBA) — Belgian Data Protection Authority
Drukpersstraat 35, 1000 Brussels, Belgium
Website: gegevensbeschermingsautoriteit.be
Email: contact@apd-gba.be
You may also contact the supervisory authority in your country of habitual residence or place of work.
