Last updated: 8 April 2026

This Privacy Policy explains how MaltaCode (“we”, “us”, “our”) collects, uses, stores and protects your personal data when you visit maltacode.eu, contact us, or use our web hosting, web design or FileMaker development services.

We comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the Maltese Data Protection Act (Chapter 586 of the Laws of Malta), and the ePrivacy Directive (2002/58/EC) as transposed into Maltese law.

1. Who we are (data controller)

The data controller responsible for your personal data is:

MaltaCode
Dick Impens
Victoria, Gozo — Malta
Email: maltacode@gmail.com
Phone: (+356) 99 66 98 71

2. What personal data we collect

We collect different categories of personal data depending on how you interact with us:

2.1 Information you give us directly

Contact form / quote requests: name, email address, phone number, company name, and any details you choose to include in your message.
Hosting and web design clients: billing name, business name, billing address, VAT number, payment details (processed by our payment providers, not stored by us), domain registration details, website content you upload.
FileMaker development clients: any data you share with us during a project, including database content, screen captures and access credentials, all handled under a separate confidentiality agreement.
.mt domain registrations: the personal and company information required by NIC (Malta) Limited to register a domain on your behalf (ID-card number, address, contact details, certificate of incorporation).
Reviews and testimonials: name, optional photo, star rating and review text you choose to submit through our reviews form.

2.2 Information collected automatically

Server logs: IP address, browser user-agent, referring page, requested URL, date and time of request, HTTP status code, and bytes transferred. These are kept by our web server for security and troubleshooting.
Analytics (only with your consent): if you accept analytics cookies, we use Google Analytics 4 to measure aggregated, pseudonymised visitor behaviour (pages viewed, session duration, device type, country). IP addresses are anonymised before storage.
Cookies and similar technologies: see Section 8 below.
Spam protection: our contact and reviews forms use Google reCAPTCHA Enterprise, which collects device and behavioural signals to distinguish humans from bots. See Google’s privacy policy.

3. Legal bases for processing

Under Article 6(1) GDPR we process your personal data on one or more of the following legal bases:

Performance of a contract (Art. 6(1)(b)) — when you order hosting, commission a website or engage us for FileMaker work, we need to process your data to deliver the service.
Compliance with a legal obligation (Art. 6(1)(c)) — for example, retaining accounting records for the period required by Maltese tax law.
Legitimate interests (Art. 6(1)(f)) — for example, keeping server logs to protect our infrastructure, or replying to a contact-form enquiry. Where we rely on legitimate interests, we have balanced our interest against your rights and freedoms.
Consent (Art. 6(1)(a)) — for analytics cookies and any optional marketing communications. You can withdraw consent at any time, with no effect on the lawfulness of processing carried out before withdrawal.

4. How we use your data

To respond to enquiries you submit through our contact form, by email, by phone or via WhatsApp.
To provide and operate our hosting, web design and FileMaker services and to communicate with you about them.
To send invoices, payment reminders and service-related notices.
To register and renew .mt domains on your behalf with NIC (Malta) Limited.
To improve and secure our website and infrastructure.
To comply with our legal, tax and accounting obligations under Maltese law.
To publish reviews and testimonials you have explicitly submitted for that purpose.
If you have given consent, to measure aggregated website usage with Google Analytics 4.

5. Who we share your data with

We share personal data only with carefully selected processors who provide essential services on our behalf, and only to the extent strictly necessary. All processors are bound by data-processing agreements (DPAs) compliant with Article 28 GDPR.

Hetzner Online GmbH (Germany / Finland) — our hosting infrastructure provider. EU-based, GDPR-compliant.
NIC (Malta) Limited — for .mt domain registrations. Malta-based.
Google Ireland Limited — Google Analytics 4 (only with your consent) and reCAPTCHA Enterprise (legitimate interest, spam protection).
FreshBooks (Canada) — invoicing and accounting. Canada has an EU adequacy decision.
Bunq B.V. (Netherlands) — payment processing for hosting subscriptions.
Bank of Valletta (Malta) — bank-transfer payment processing (planned).

We do not sell, rent or trade your personal data to third parties for marketing purposes.

We may disclose personal data when required by law, by court order, or to protect our rights, property or safety, or that of others.

6. International transfers

Most of our processors are based in the EU/EEA. Where personal data is transferred outside the EEA (for example, to FreshBooks in Canada, or to Google services), the transfer is protected by:

An adequacy decision of the European Commission (e.g. Canada, United Kingdom);
The EU–US Data Privacy Framework, where applicable;
Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where necessary by additional technical and organisational safeguards.

7. How long we keep your data

Contact-form enquiries: up to 24 months from last contact, then deleted.
Active client records: for the duration of the service contract and for as long as you remain a client.
Closed client records: retained for the period necessary to comply with Maltese tax and accounting law (currently up to 9 years after the end of the relevant tax year).
Invoices and accounting records: retained for the minimum period required by the Income Tax Management Act and VAT Act of Malta (currently 9 years from the end of the year to which they relate).
Server logs: 30 days, then automatically deleted.
Backups: rolling 30-day window. Personal data may persist in encrypted backups for up to 30 days after deletion from live systems.
Analytics data: 14 months, as configured in Google Analytics 4.
Reviews and testimonials: until you ask us to remove them.

8. Cookies and similar technologies

Our website uses a small number of cookies, grouped into two categories:

Strictly necessary cookies — required for the website to function (e.g. remembering your cookie-consent choice, keeping you logged in to the WordPress admin). These are set without consent on the basis of Article 5(3) of the ePrivacy Directive.
Analytics cookies (Google Analytics 4) — only set after you click “Accept” on our cookie banner. Used to count visitors and measure aggregated usage. You can withdraw consent at any time by clicking the “Cookie settings” link in the footer.

We do not use any advertising, tracking or social-media cookies.

9. Your rights under GDPR

As a data subject under the GDPR, you have the following rights, which you can exercise free of charge by contacting us:

Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
Right to rectification (Art. 16) — correct inaccurate or incomplete data.
Right to erasure / “right to be forgotten” (Art. 17) — ask us to delete your data, subject to legal retention obligations.
Right to restriction of processing (Art. 18).
Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21) — object to processing based on legitimate interests.
Right to withdraw consent (Art. 7(3)) — where processing is based on consent.
Right not to be subject to automated decision-making (Art. 22).

To exercise any of these rights, email maltacode@gmail.com. We will respond within 30 days, as required by Article 12(3) GDPR. We may ask you to verify your identity before disclosing personal data.

10. Right to lodge a complaint

If you believe we have breached your data-protection rights, you have the right to lodge a complaint with the Maltese supervisory authority:

Information and Data Protection Commissioner (IDPC)
Floor 2, Airways House
High Street, Sliema SLM 1549, Malta
Tel: (+356) 2328 7100
Email: idpc.info@idpc.org.mt
Website: https://idpc.org.mt

You may also complain to the supervisory authority of your country of residence within the EU/EEA.

11. Security measures

We take appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, including:

HTTPS (TLS 1.3) on all websites and APIs.
Encrypted backups with restricted access.
SSH key-based access only to all servers.
Regular security updates of our operating systems, web server and CMS software.
Web Application Firewall and brute-force protection.
Strong password and two-factor authentication on administrative accounts.
Server-side malware scanning.

In the unlikely event of a personal-data breach affecting your rights and freedoms, we will notify the IDPC within 72 hours and, where required by Article 34 GDPR, inform affected data subjects without undue delay.

12. Children

Our services are aimed at businesses and adults. We do not knowingly collect personal data from children under 16 years of age. If you believe we have inadvertently collected data from a child, please contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. The “Last updated” date at the top of this page indicates when the policy was last revised. Material changes will be communicated to active clients by email.

14. Contact us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

MaltaCode — Dick Impens
Victoria, Gozo — Malta
Email: maltacode@gmail.com
Phone: (+356) 99 66 98 71