Privacy Policy
This policy explains what data GemID Labs collects, why we collect it, how long we keep it, and your rights regarding that data. We keep things straightforward.
Company: Compton Consulting (DBA GemID Labs)
State of registration: Ohio, United States
1. Data We Collect
We collect only what is needed to provide the service:
- Gem measurement data — refractive index, specific gravity, fluorescence, color, clarity, and other optical properties you enter during an identification session.
- Account information — email address and display name when you create an account via Firebase Authentication. If you sign in with Apple or Google, we receive only what those providers share (typically email and a display name).
- Saved sessions — identification sessions you explicitly save, stored in your Firestore account and synced across your devices.
- Usage analytics — anonymized event data (e.g., which screens you visit, features you use) collected via Firebase Analytics. This is subject to your consent where required by law (EEA users are shown a consent prompt before any analytics are recorded).
- Crash reports — error reports collected via Sentry when the app crashes or encounters an unexpected error. Gem measurement values are stripped from these reports before transmission.
- Subscription and billing data — processed by Stripe (web) or Apple/Google in-app purchase systems (mobile). GemID Labs does not store full payment card details.
- IP addresses — logged transiently by Firebase Hosting and Cloud Functions for security and rate-limiting purposes. IP addresses used for rate limiting are stored as SHA-256 hashes and deleted after 7 days.
- Photos — images you attach to identification sessions using your device camera or photo library (via the image picker). Photos are stored in Firebase Cloud Storage and associated with your account.
- Location data — approximate device location collected via the system location service when you save an identification session. Location is used to record where an identification was performed. You can deny or revoke location permission at any time in your device settings.
2. How We Use Your Data
- To provide identification results — gem measurement data is processed by the decision engine to produce candidate gem lists and test recommendations. This processing happens on-device and in our Cloud Functions.
- To sync your sessions across devices — saved sessions are stored in Firestore and associated with your account so you can access them on any device.
- To manage your subscription — we use your account data and subscription status to grant access to paid features (Hobbyist and Pro tiers).
- To improve the service — aggregate, anonymized analytics help us understand which features are most useful and where the app can be improved. We do not use your individual gem data to train models or algorithms without explicit consent.
- To communicate with you — we may send transactional emails (e.g., subscription receipts, account security notices) to the email address on your account. We do not send marketing emails without your explicit opt-in.
- For security and abuse prevention — IP rate limiting and API key usage monitoring help us protect the service from abuse.
3. Data Retention
- Identification sessions — retained indefinitely in your account until you delete them manually or delete your account.
- Account data — deleted within 30 days of account deletion. You can delete your account from the Settings screen in the app.
- Analytics events — retained per Firebase Analytics default retention settings (up to 14 months).
- Crash reports — retained in Sentry for 90 days.
- IP rate limit records — deleted after 7 days via a scheduled cleanup process.
- Billing records — retained as required by applicable financial regulations (typically 7 years).
4. Third-Party Services
We use the following third-party services, each with its own privacy policy:
- Firebase (Google LLC) — authentication, Firestore database, hosting, and analytics. Google Privacy Policy.
- Sentry — crash reporting and error monitoring. Gem measurement data is stripped before reports are sent. Sentry Privacy Policy.
- Stripe — payment processing for web subscriptions. GemID Labs does not store card numbers. Stripe Privacy Policy.
- Apple In-App Purchase — payment processing for subscriptions purchased on iOS. Subject to Apple's privacy policy.
- Google Play Billing — payment processing for subscriptions purchased on Android. Subject to Google's privacy policy.
We do not sell your personal information to any third party.
5. Your Rights (GDPR — EEA and UK Users)
If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of access — you may request a copy of the personal data we hold about you.
- Right to rectification — you may request correction of inaccurate data.
- Right to erasure — you may request deletion of your personal data. You can delete your account directly in the app (Settings › Account › Delete Account), which triggers deletion of your Firestore data within 30 days.
- Right to data portability — you may request a copy of your identification session data in a machine-readable format by contacting privacy@gemid-labs.com.
- Right to object — you may object to processing based on legitimate interests, including analytics.
- Right to withdraw consent — where processing is based on consent (e.g., analytics), you may withdraw consent at any time via Settings › Privacy & Data in the app.
To exercise any of these rights, contact privacy@gemid-labs.com. We will respond within 30 days.
The legal bases for our processing are: performance of a contract (providing the app service), legitimate interests (security, crash monitoring), consent (analytics), and legal obligation (billing record retention).
6. Do Not Sell My Personal Information (CCPA)
GemID Labs does not sell personal information to third parties, as defined under the California Consumer Privacy Act (CCPA). We do not share personal information with third parties for cross-context behavioral advertising.
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used.
- Request deletion of your personal information (subject to certain exceptions).
- Opt out of the sale of personal information — which does not apply here, as we do not sell data.
- Non-discrimination for exercising your CCPA rights.
To submit a request, contact privacy@gemid-labs.com or use the in-app Privacy & Data screen.
7. Children's Privacy
GemID is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact privacy@gemid-labs.com and we will delete it.
8. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date below and, where appropriate, notify you via the app or by email. Continued use of the service after changes are posted constitutes acceptance of the updated policy.
9. Contact
For privacy questions, data requests, or concerns, contact us at privacy@gemid-labs.com.
Compton Consulting (DBA GemID Labs), Ohio, United States.
Last updated: March 2026