Privacy Policy

PRIVACY POLICY FOR THE MALTA HERITAGE HUNT
Last updated: [11th April 2025]

1. Introduction
1.1 The Malta Heritage Hunt (hereinafter “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard your personal information in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Maltese Data Protection Act (Chapter 586 of the Laws of Malta), and other applicable data protection legislation.
1.2 By using our services or by accessing our website, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree to this policy, please do not use our Services.

2. Data Controller
2.1 For the purposes of this Privacy Policy and applicable data protection laws, The Malta Heritage Hunt is the “Data Controller” responsible for deciding how we hold and use your personal data.

3. Information We Collect
3.1 Personal Data You Provide

  • Contact Details: When you book a tour, contact us, or otherwise interact with our Services, we may collect your name, email address, phone number, and other relevant contact details.

  • Booking Details: We may collect information relating to your bookings or purchases (e.g., chosen date, number of participants, payment information).

  • Tour Participation: We may gather information on your participation, including any feedback you provide or images taken with your consent during the tours.

3.2 Data Collected Automatically

  • Technical Information: When you visit our website, we may automatically collect technical information such as your IP address, browser type, device information, and pages visited.

  • Cookies and Similar Technologies: We use cookies and other tracking technologies to enhance your online experience, analyse site traffic, and administer our website. You can adjust your browser settings to refuse all or some browser cookies or to alert you when cookies are being sent.

3.3 Special Categories of Personal Data
We do not intentionally collect special categories of personal data (e.g., race, religion, health information) unless it is directly relevant for health and safety reasons during our tours and you have provided your explicit consent.

4. Lawful Bases for Processing
4.1 We process your personal data only when permitted by law and in line with the GDPR and Maltese data protection legislation. Our lawful bases for processing include one or more of the following:

  • Performance of a Contract: We process your data to provide you with the Services you have requested or booked, including managing bookings and communicating about your participation.

  • Legal Obligations: We may process personal data to comply with our legal obligations under Maltese and EU law (e.g., accounting, tax, public authorities’ requests).

  • Legitimate Interests: We may use your data for our legitimate interests in improving our Services, enhancing security, and conducting internal analytics, provided that these interests do not override your fundamental rights and freedoms.

  • Consent: Where required by law, we will rely on your consent (e.g., for sending marketing communications). You have the right to withdraw consent at any time by contacting us using the details in Section 11.

5. How We Use Your Information
5.1 Providing and Managing Bookings

  • To process your reservations, communicate with you about your chosen activity, and provide customer support.

5.2 Operational and Administrative Purposes

  • To maintain and improve our Services, develop new services, and ensure the security of our website and related systems.

5.3 Marketing Communications

  • Where you have given consent or otherwise permitted by law, we may send you email newsletters, promotional offers, and updates about our tours. You can opt out of receiving these marketing communications at any time by clicking the unsubscribe link provided in the email or by contacting us directly.

5.4 Analytics and Performance

  • To measure usage of, and interactions with, our website and Services, and to analyse trends and improve user experience.

5.5 Legal Compliance

  • To comply with relevant laws, regulations, or legal processes, and where necessary to establish, exercise, or defend legal claims.

6. Information Sharing
6.1 We do not sell or rent your personal data to third parties.
6.2 We may share your personal data with:

  • Service Providers: Third-party vendors who assist in delivering our Services (e.g., payment processors, IT service providers), but only to the extent necessary for them to perform their functions and in compliance with data protection laws.

  • Legal and Regulatory Authorities: If required to do so by law, court order, or if necessary to protect our rights or the rights of others.

  • Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, we may disclose your personal data to the buyer or prospective buyer, subject to confidentiality obligations.

7. Data Retention
7.1 We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements.
7.2 Once the retention period has expired, we will securely destroy or anonymise your personal data in accordance with applicable laws and regulations.

8. Your Rights
8.1 You have several rights under GDPR and Maltese data protection legislation:

  • Right of Access: Request a copy of the personal data we hold about you.

  • Right to Rectification: Request that we correct any personal data that is inaccurate or incomplete.

  • Right to Erasure (“Right to be Forgotten”): Request the deletion of your personal data where there is no lawful basis for us to continue processing it.

  • Right to Restrict Processing: Request the restriction of the processing of your personal data in certain circumstances.

  • Right to Data Portability: Obtain a copy of your personal data in a structured, commonly used, and machine-readable format and transfer it to another controller.

  • Right to Object: Object to the processing of your personal data where we rely on legitimate interests or where processing is for direct marketing purposes.

  • Right to Withdraw Consent: Where our processing is based on your consent, you may withdraw it at any time.

8.2 To exercise any of these rights, please contact us using the details provided in Section 11. We will respond to your request without undue delay and at the latest within one month, subject to extensions permitted by law.

9. Security Measures
9.1 We implement appropriate technical and organisational measures designed to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
9.2 While we strive to protect your personal data, no transmission over the internet is completely secure. We cannot guarantee the absolute security of your information, but we will continue to review and enhance our security measures where necessary.

10. International Data Transfers
10.1 If we transfer your personal data outside the European Economic Area (EEA), we will ensure that it is protected in a manner consistent with how it is protected within the EEA. This may be achieved by implementing one of the following safeguards:

  • Transferring personal data to countries recognised by the European Commission as providing an adequate level of data protection;

  • Using standard contractual clauses approved by the European Commission;

  • Relying on other valid transfer mechanisms or derogations as set out in the GDPR.

11. Contact Us
11.1 If you have any questions or concerns about this Privacy Policy or our data processing practices, or if you wish to exercise any of your rights, please contact us at:

  • Email: [Insert Email Address]

  • Phone: [Insert Phone Number]

  • Postal Address: [Insert Postal Address]

11.2 We will endeavour to resolve any queries or concerns you have regarding our processing of your personal data. You also have the right to lodge a complaint with the Maltese Information and Data Protection Commissioner (“IDPC”) or another relevant supervisory authority within the EU/EEA if you believe we have infringed your data protection rights.

12. Changes to this Privacy Policy
12.1 We may update this Privacy Policy from time to time to reflect changes in our practices or for legal or regulatory reasons. When we do so, we will revise the “Last updated” date at the top of this page and, where appropriate, notify you by email or by posting a prominent notice on our website.
12.2 We encourage you to periodically review this page for the latest information on our privacy practices.

By continuing to use our Services, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree, please discontinue using our Services. If you have any questions, please do not hesitate to contact us at the details above.