CastaliaLux
Select French sizes
View the Complete Catalogue →
CASTALIALUX

Privacy Policy

CastaliaLux respects the privacy of every visitor, collector and client. This Privacy Policy explains what personal information we collect, why we use it, how it may be shared and the choices available to you.

Last updated: 16 July 2026

1. Scope of This Policy

This Privacy Policy applies to personal information collected through:

  • castalialux.com;
  • the CastaliaLux Cabinet;
  • Assemblage and Acquisition functions;
  • checkout;
  • private requests;
  • contact forms;
  • email;
  • WhatsApp and other direct communications;
  • authenticity and object-documentation services.

It does not govern independent websites or services operated by third parties.

2. Data Controller

The data controller responsible for the processing of personal information through castalialux.com is:

CastaliaLux LLC, FZ
Meydan Hotel, Ground Floor
Nad Al Sheba
Dubai
United Arab Emirates

Headquartered in Dubai, CastaliaLux maintains an international presence in Hong Kong, London and the United States, serving collectors worldwide.

Privacy enquiries may be submitted through the Contact page available on the CastaliaLux website.

3. The Information We Collect

Depending on how you interact with CastaliaLux, we may collect:

Identity and contact information

  • full name;
  • email address;
  • telephone number;
  • country;
  • delivery and billing addresses.

Account information

  • account identifier;
  • authentication status;
  • saved objects;
  • Cabinet preferences;
  • account activity relevant to security and operation.

Acquisition information

  • objects acquired or requested;
  • order reference;
  • transaction amount and currency;
  • fulfilment and delivery status;
  • returns or service communications;
  • certificates and documentation associated with an object.

Payment-related information

Payments are processed through independent payment providers. We may receive transaction identifiers, payment status, billing details, fraud-screening results and limited payment-method information.

We do not ordinarily receive or store complete payment-card numbers or card security codes.

Communications

We may retain messages, enquiries, private requests, appointment requests, authenticity questions and other correspondence sent to us.

Technical and usage information

We may collect:

  • IP address;
  • device and browser type;
  • operating system;
  • approximate location derived from IP address;
  • referring page;
  • pages viewed;
  • date and time of access;
  • security and diagnostic information;
  • cookie and consent preferences.

4. How We Collect Information

We collect personal information:

  • directly from you;
  • automatically when you use the website;
  • from authentication and payment providers;
  • from delivery and fulfilment partners;
  • from fraud-prevention and security services;
  • from public sources where reasonably necessary for object research, compliance or the protection of legitimate interests.

5. Why We Use Personal Information

We use personal information to:

  • provide and operate the website;
  • create and administer client accounts;
  • maintain the Cabinet and Assemblage;
  • process and fulfil acquisitions;
  • arrange payment, delivery and returns;
  • communicate with clients;
  • respond to private requests and enquiries;
  • provide authenticity certificates and associated records;
  • prevent fraud and unauthorised activity;
  • protect the website, clients and business;
  • meet accounting, tax, customs and legal obligations;
  • improve website performance and client experience;
  • establish, exercise or defend legal claims;
  • send marketing communications where permitted.

6. Legal Bases for Processing

Where applicable data-protection law requires a legal basis, we may process personal information on one or more of the following grounds:

Contract

Processing is necessary to take requested steps before an acquisition or to perform an agreement with you.

Legitimate interests

Processing is necessary for legitimate business interests, including operating the gallery, securing transactions, preventing fraud, answering enquiries, protecting legal rights and improving services, provided those interests are not overridden by your rights.

Legal obligation

Processing is necessary to comply with tax, accounting, customs, sanctions, regulatory or other legal requirements.

Consent

Where required, we rely on consent for particular cookies, marketing communications or other optional processing. Consent may be withdrawn at any time without affecting processing already undertaken lawfully.

7. Payments

Payment information is handled primarily by the payment provider shown during checkout.

The payment provider may independently collect and process:

  • card or account details;
  • billing information;
  • identity-verification data;
  • device information;
  • fraud-prevention information.

Its handling of information is governed by its own privacy terms.

CastaliaLux receives only the information reasonably necessary to confirm, administer and protect the transaction.

8. Authentication and Account Access

Authentication may be provided through secure sign-in links or external authentication providers.

The provider may supply basic account information such as your email address, name and authentication identifier.

You are responsible for maintaining the security of the email account and device used to access CastaliaLux.

9. Delivery and Fulfilment

To fulfil an acquisition, we may share relevant information with:

  • delivery carriers;
  • fulfilment partners;
  • customs brokers;
  • insurers;
  • regional service providers;
  • customs and governmental authorities where required.

The information shared may include the recipient’s name, address, telephone number, email address, order value and customs description.

10. Authenticity Certificates and Object Records

Where an object includes a CastaliaLux Certificate of Authenticity, we may retain a secure record linking:

  • the object;
  • its identifying characteristics;
  • the certificate number or digital identifier;
  • the date of issue;
  • the relevant acquisition or holder record where appropriate.

This record is used to preserve the integrity of the certificate, prevent fraudulent duplication and support future verification requests.

Certificate records may be retained for an extended period because their purpose may continue beyond the original acquisition.

Public certificate verification, where available, should not display unnecessary private client information.

11. Marketing Communications

We may send editorial updates, collection announcements or private-offer communications where:

  • you have requested them;
  • you have consented where consent is required;
  • another lawful basis permits the communication.

Every electronic marketing message should provide a practical means of unsubscribing.

Service messages concerning an account, acquisition, security matter or requested communication are not marketing messages.

12. Cookies and Similar Technologies

We use cookies and similar technologies to:

  • operate essential website functions;
  • maintain secure sessions;
  • remember relevant preferences;
  • understand website performance;
  • detect abuse and technical problems;
  • measure engagement where permitted.

Non-essential cookies should not be activated before valid consent where applicable law requires such consent.

More information is available in the Cookie Policy.

13. How We Share Information

We may share personal information with carefully selected service providers that assist with:

  • website hosting and infrastructure;
  • database and account services;
  • authentication;
  • payment processing;
  • fraud prevention;
  • delivery and fulfilment;
  • communications;
  • analytics;
  • professional advice;
  • legal and regulatory compliance.

Service providers should receive only the information reasonably required for their role and may not use it for unrelated purposes where they act on our behalf.

We may also disclose information:

  • where required by law or lawful authority;
  • to prevent fraud or protect safety and legal rights;
  • in connection with a merger, restructuring, investment, sale or transfer of all or part of the business;
  • with your direction or consent.

CastaliaLux does not sell personal information in the ordinary meaning of selling client data for monetary consideration.

14. International Transfers

CastaliaLux operates internationally, and service providers or fulfilment partners may process information in countries other than the country in which you are located.

Where required, we use appropriate legal and organisational measures for international transfers, which may include contractual safeguards, adequacy mechanisms or another permitted transfer basis.

No internet-based system or international transfer can be guaranteed to be entirely risk-free.

15. Data Retention

We retain personal information only for as long as reasonably necessary for the purpose for which it was collected, including to:

  • maintain an active account;
  • complete and document acquisitions;
  • provide certificates and verification;
  • meet legal, tax and accounting obligations;
  • resolve disputes;
  • prevent fraud;
  • enforce agreements.

Retention periods differ according to the type of information.

Transaction, accounting, customs, fraud-prevention and certificate records may be retained longer than general enquiries or optional marketing information.

When information is no longer required, it may be deleted, anonymised or securely archived as appropriate.

16. Data Security

We use reasonable technical and organisational measures designed to protect personal information against:

  • unauthorised access;
  • accidental loss;
  • unlawful use;
  • alteration;
  • disclosure;
  • destruction.

These measures may include access controls, secure authentication, encrypted transmission, restricted database permissions, logging, monitoring and service-provider review.

No system can guarantee absolute security. You should contact us promptly if you believe your account or personal information has been compromised.

17. Your Rights

Depending on your location and applicable law, you may have the right to:

  • request access to personal information held about you;
  • request correction of inaccurate or incomplete information;
  • request deletion of information;
  • object to certain processing;
  • request restriction of processing;
  • withdraw consent;
  • request a portable copy of eligible information;
  • complain to an appropriate data-protection authority.

Some rights are subject to legal limitations. For example, we may need to retain certain transaction, certificate, fraud-prevention or legal records even after an account-deletion request.

To make a privacy request, contact CastaliaLux through the Contact page and clearly identify the nature of the request.

We may request reasonable information to verify identity before acting on a request.

18. Account Deletion

A request to close or delete an account does not necessarily require deletion of every related record.

We may retain information where reasonably necessary to:

  • comply with law;
  • preserve transaction history;
  • protect certificate integrity;
  • prevent fraud;
  • resolve disputes;
  • establish or defend legal claims.

Information no longer required may be deleted or de-identified.

19. Children’s Privacy

CastaliaLux is not directed to children, and the website is intended for adults capable of entering into binding transactions.

We do not knowingly seek to collect personal information from children.

If you believe that a child has provided personal information without appropriate authorisation, please contact us so that the matter can be reviewed.

20. Third-Party Websites

The website may contain links to external platforms, social networks, payment services or other third-party websites.

Their privacy practices are governed by their own policies. CastaliaLux is not responsible for the independent privacy or security practices of third parties.

21. Automated Security Decisions

Fraud-prevention or payment systems may use automated signals to identify unusual or potentially unauthorised activity.

A transaction may be delayed, declined or referred for additional verification on the basis of these signals.

Where applicable law provides a right to challenge a qualifying automated decision, you may contact us to request further review.

22. Changes to This Policy

We may update this Privacy Policy to reflect changes in the website, services, technology, legal requirements or business operations.

The latest version will be published on this page with a revised “Last updated” date.

23. Contact

For privacy questions or requests concerning personal information, please contact CastaliaLux through the Contact page.

For questions regarding this policy, please contact CastaliaLux through the Contact page.