Privacy Policy
1. Introduction
Hidden Gems Malta (“we,” “our,” or “us”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website and services at hiddengemsmalta.com.
This policy complies with the General Data Protection Regulation (GDPR) and Maltese data protection laws.
Platform Notice: Our marketplace operates on the Sharetribe platform, provided by Sharetribe Oy (Finland). This policy covers data processing by both Hidden Gems Malta and our platform provider.
2. Data Controller Information
Data Controller: Hidden Gems Malta
Business Type: Sole Trader (Self-Employed)
VAT Number: MT 3221-1303
Address: Triq il-Flotta 130, Gzira GZR1074, Malta
Email: contact@hiddengemsmalta.com
Phone: +356 99766306
3. Information We Collect
3.1 Personal Information You Provide
When you use our platform, we may collect:
Account Information:
• Full name
• Email address
• Phone number
• Date of birth (for age verification)
• Country of residence
Booking Information:
• Billing address
• Number of participants
• Special requirements or preferences
• Emergency contact information
Payment Information:
• Credit/debit card details (processed securely by third-party payment processors)
• Billing address
• Transaction history
Communication Data:
• Messages sent through our platform
• Customer service inquiries
• Reviews and ratings you submit
3.2 Information We Collect Automatically
Technical Data:
• IP address
• Browser type and version
• Device information
• Operating system
• Referring website
• Pages visited and time spent
• Click-through data
Cookies and Tracking:
• Session cookies (essential for platform functionality)
• Analytics cookies (to understand user behavior)
• Marketing cookies (with your consent)
3.3 Information from Third Parties
• Payment processing information from our payment providers
• Social media information if you choose to connect social accounts
• Reviews and ratings from experience providers about your participation
4. How We Use Your Information
4.1 Primary Purposes
We use your personal data to:
Provide Our Services:
• Process and manage your bookings
• Facilitate communication between you and experience providers
• Send booking confirmations and important updates
• Provide customer support
Platform Operations:
• Maintain and improve our website functionality
• Ensure platform security and prevent fraud
• Analyze usage patterns to enhance user experience
• Manage user accounts and preferences
Legal Compliance:
• Comply with applicable laws and regulations
• Respond to legal requests and prevent illegal activities
• Maintain records as required by law
4.2 Marketing Communications (With Consent)
With your explicit consent, we may use your information to:
• Send promotional emails about new experiences
• Provide personalized recommendations
• Share special offers and discounts
• Send newsletters about Malta tourism
You can withdraw consent at any time by unsubscribing or contacting us.
5. Legal Basis for Processing
Under GDPR, we process your personal data based on:
• Contract Performance: Processing necessary to fulfill our services and booking agreements
• Legitimate Interests: Improving our platform, preventing fraud, and business operations
• Legal Obligation: Complying with tax, accounting, and other legal requirements
• Consent: Marketing communications and non-essential cookies (you can withdraw anytime)
6. Information Sharing and Disclosure
6.1 Experience Providers
We share necessary booking information with experience providers, including:
• Your name and contact details
• Number of participants
• Special requirements
• Booking details and preferences
Important: Experience providers are independent third parties with their own privacy policies. We encourage you to review their policies as well.
6.2 Platform Provider (Sharetribe)
Sharetribe as Data Processor:
• Sharetribe Oy (Finland) acts as our data processor for platform infrastructure
• They process personal data solely on our instructions and for our purposes
• Data processing is governed by a Data Processing Agreement with adequate safeguards
• Sharetribe does not access or use your personal data for their own purposes
• Data may be processed and stored in Finland (EU/EEA) with appropriate security measures
What Sharetribe Processes:
• Technical data necessary for platform operation
• User account information for authentication
• Transaction data for booking functionality
• Communication data sent through the platform
6.3 Service Providers
We may share data with trusted third-party service providers who help us operate our platform:
Payment Processors:
• Secure processing of payment transactions
• Fraud prevention and security monitoring
Analytics Providers:
• Plausible Analytics (GDPR-compliant, privacy-focused analytics)
• Website performance monitoring
Customer Support:
• Help desk and communication tools
• Booking management systems
6.4 Legal Requirements
We may disclose your information when required by law or to:
• Comply with legal processes or government requests
• Protect our rights, property, or safety
• Prevent fraud or illegal activities
• Enforce our Terms and Conditions
6.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity, subject to the same privacy protections.
7. International Data Transfers
7.1 Data Processing Locations
Your data may be processed in:
• Malta (primary location)
• Finland (Sharetribe platform infrastructure)
• Other EU/EEA countries
• Third countries with adequate protection (as determined by the European Commission)
7.2 Safeguards for Data Transfers
Within EU/EEA:
• Finland (Sharetribe) is within the EU/EEA, ensuring adequate data protection
• All transfers within EU/EEA are subject to GDPR protections
Outside EU/EEA:
When we transfer data outside the EU/EEA, we ensure appropriate safeguards through:
• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Certification schemes and codes of conduct
8. Data Security
8.1 Security Measures
We implement appropriate technical and organizational measures to protect your data:
Technical Safeguards:
• SSL encryption for data transmission
• Secure servers and databases hosted by Sharetribe
• Regular security updates and patches
• Access controls and authentication
Organizational Measures:
• Staff training on data protection
• Limited access to personal data on a need-to-know basis
• Regular security assessments
• Incident response procedures
8.2 Platform Security
• Sharetribe maintains SOC 2 Type II compliance
• Data is encrypted in transit and at rest
• Regular security audits and penetration testing
• 24/7 monitoring and incident response
8.3 Payment Security
• We do not store credit card information on our servers
• Payment data is processed by PCI DSS compliant payment processors
• All financial transactions are encrypted and secure
9. Data Retention
9.1 Retention Periods
We retain your personal data only as long as necessary:
• Account Data: Until you delete your account or request deletion
• Booking Data: 7 years for tax and accounting purposes
• Marketing Data: Until you unsubscribe or withdraw consent
• Technical Data: Typically 2 years for analytics purposes
• Platform Data: Subject to Sharetribe’s retention policies for technical infrastructure
9.2 Deletion Process
When retention periods expire, we securely delete or anonymize your data unless we have a legal obligation to retain it longer. Data stored by Sharetribe is deleted according to their data retention policies.
10. Your Rights Under GDPR
As a data subject, you have the following rights:
10.1 Access Right
You can request a copy of all personal data we hold about you.
10.2 Rectification Right
You can request correction of inaccurate or incomplete personal data.
10.3 Erasure Right (“Right to be Forgotten”)
You can request deletion of your personal data in certain circumstances.
10.4 Restriction Right
You can request that we limit how we use your personal data.
10.5 Portability Right
You can request a copy of your data in a structured, machine-readable format.
10.6 Objection Right
You can object to processing based on legitimate interests or for marketing purposes.
10.7 Withdrawal of Consent
You can withdraw consent for marketing communications or non-essential cookies at any time.
10.8 How to Exercise Your Rights
To exercise any of these rights, contact us at:
• Email: contact@hiddengemsmalta.com
• Phone: +356 99766306
• Mail: Triq il-Flotta 130, Gzira GZR1074, Malta
We will respond to your request within 30 days.
Note: For data processed by Sharetribe on our behalf, we will coordinate with them to fulfill your rights requests.
11. Cookies Policy
11.1 What Are Cookies
Cookies are small text files stored on your device when you visit our website. They help us provide a better user experience.
11.2 Types of Cookies We Use
Essential Cookies (Always Active):
• Session management and login functionality
• Shopping cart and booking process
• Security and fraud prevention
• Basic website functionality
Analytics Cookies (With Consent):
• Plausible Analytics (GDPR-compliant, privacy-focused)
• No personal data collection or cross-site tracking
• Aggregated usage statistics only
Marketing Cookies (With Consent):
• Personalized advertising (if enabled)
• Social media integration
• Remarketing campaigns
11.3 Managing Cookies
You can control cookies through:
• Our cookie consent banner
• Your browser settings
• Third-party opt-out tools
Note: Disabling essential cookies may affect website functionality.
12. Children’s Privacy
Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will:
• Post the updated policy on our website
• Update the “Last updated” date
• Notify you of significant changes via email or website notice
• Obtain new consent if required by law
14. Supervisory Authority
You have the right to lodge a complaint with the Malta Information and Data Protection Commissioner if you believe we have not handled your personal data in accordance with data protection laws.
Malta Information and Data Protection Commissioner
Website: idpc.org.mt
Email: idpc.info@gov.mt
Phone: +356 2328 7100
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Hidden Gems Malta
Email: contact@hiddengemsmalta.com
Phone: +356 99766306
Address: Triq il-Flotta 130, Gzira GZR1074, Malta
We are committed to resolving any privacy concerns you may have.
By using Hidden Gems Malta, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and use of your information as described.