Legal

Privacy policy.

What we collect, what we do with it, and your rights — written in plain English.

Updated May 2026

We never sell data. Not to advertisers, not to partners, not to anyone — ever.
No retargeting. No Meta Pixel by default, no behavioral profiling, no creepy ads following you around.
Minimum data. We collect what's needed to ship your stones. Nothing more.
GDPR & CCPA compliant. Request, correct, or delete your data anytime. 14-day response.

The Stone Atlas, LLC ("we," "our," "us") is a small US-based gemstone dealer. We collect the minimum information needed to ship stones and answer questions — and nothing else. This page explains exactly what we hold, why, and how you control it.

What we collect

Data | When | Purpose
Name, billing & shipping address, email, phone | At checkout | Fulfill your order, comply with customs paperwork
Order history | Auto | Customer service, returns, repeat purchases
Account credentials (email + hashed password) | If you create an account | Sign-in only — we never see your password
Payment details | At checkout | Processed by Shopify Payments / Shop Pay. We never see or store full card numbers.
Subscription billing | If you subscribe | Recurring charges via Shopify; tokenized — we never see card data
Newsletter email | If you opt in | Field reports + new-arrival announcements (unsubscribe anytime)
Analytics | Anonymized | Pages viewed, referrer source, device class. Aggregated only.
Customer-care emails | If you write to us | Answer questions. Stored 3 years then deleted.

What we do NOT do

  • We don't sell your data. Ever. To anyone.
  • We don't run third-party retargeting pixels by default. No Meta Pixel, no TikTok Pixel, no Pinterest Tag. We may add them later — if we do, you'll see them on this page with an opt-out option.
  • We don't share email lists. Subscriber lists never leave our Klaviyo / Shopify Email systems. Not with partners. Not with affiliates.
  • We don't use behavioral profiling. No "you might also like based on 47 data points" — our recommendations are based purely on the stone you're currently viewing (family + origin tags).
  • We don't use dark-pattern consent banners. If we ever need consent, it's a clear yes/no — equal-weight buttons, no manipulation.
  • We don't ship data outside required vendors. Shopify (US/EU), Klaviyo (US), shipping carriers (USPS/UPS/DHL). That's the full list.

Third-party services we use

We disclose every vendor that touches your data:

Service | Why | Their privacy policy
Shopify Inc. | Storefront, checkout, payments, hosting | shopify.com/legal/privacy
Shop Pay | Accelerated checkout (if you choose it) | shop.app/policies/privacy
Klaviyo | Newsletter, abandoned-cart emails (if opted in) | klaviyo.com/legal/privacy-policy
Google Analytics 4 | Anonymized site analytics (IP-anonymized, no personal IDs) | policies.google.com/privacy
USPS / UPS / DHL | Shipping (we share address + name only) | Their respective policies
GIA / AGL | Only if you request lab certification | Their respective policies

Cookies

We use the minimum cookies needed to make the site work:

  • Essential cookies — cart, login, security. Cannot be disabled (the site won't work).
  • Analytics cookies — anonymized GA4. You can disable them in your browser without breaking the site.
  • Shop Pay cookies — only set if you choose Shop Pay at checkout.

We do not currently use advertising cookies. If we add any (e.g. for paid retargeting campaigns), we'll deploy a clear cookie consent banner with a one-click reject option before any non-essential cookie loads.

Your rights

Under GDPR (EU/UK), CCPA/CPRA (California), PIPEDA (Canada), and equivalent regulations, you can:

  • Access — request a full export of every piece of data we hold about you.
  • Correct — fix anything inaccurate.
  • Delete — "right to be forgotten." We delete everything except records we're legally required to keep (order receipts for 7 years for US tax law).
  • Restrict — pause processing while a complaint is reviewed.
  • Port — get your data in a machine-readable format to take elsewhere.
  • Object — opt out of any specific use (e.g. marketing emails) without affecting essential service.
  • Withdraw consent — unsubscribe, opt out, or revoke at any time.
  • Sale opt-out (California) — we already don't sell, so this is automatic, but you can confirm in writing.
  • Lodge a complaint with your local data protection authority if you think we've mishandled anything.

To exercise any of these, email privacy@thestoneatlas.com with your request and the email address on file. We respond within 14 days, usually within 48 hours.

Data retention

Data type | How long we keep it
Order records (legal/tax requirement) | 7 years
Account data | Until you delete it, or 2 years of inactivity
Newsletter subscribers | Until you unsubscribe
Customer-care emails | 3 years then deleted
Anonymized analytics | 14 months (GA4 default)
Server logs (IP addresses) | 30 days then rotated

International transfers

Some vendors (Shopify, Klaviyo, Google) store data in the United States. EU/UK data transfers rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable. Shopify is certified under the Data Privacy Framework.

Security

All connections use TLS 1.3 encryption. Payment data is handled by Shopify Payments at PCI-DSS Level 1 (the highest tier). Passwords are bcrypt-hashed — we never see plaintext. Two-factor authentication is available on customer accounts.

If we discover a breach affecting your personal data, we notify you within 72 hours of detection (in line with GDPR Article 33 and California breach-notification law).

Children's data

The Stone Atlas is not intended for users under 16. We do not knowingly collect data from minors. If you believe a child has provided us with personal data, email privacy@thestoneatlas.com and we'll delete it immediately.

Updates to this policy

We update this policy whenever we add or remove a vendor, or change how we handle data. The "Updated" date at the top reflects the most recent change. We will announce material changes that affect your rights by email (if you have an account or subscription) at least 30 days before they take effect.

Contact

Privacy questions, requests, or concerns:

For California-specific requests, you can also call or use this form (currently email is the only channel — we will add a form when CCPA traffic justifies it).