1. Introduction

This Privacy Policy explains in detail the nature, scope, and purposes of the personal data (hereinafter also referred to as “data”) that we process. It applies to all instances of data processing carried out by our organization – including but not limited to the provision of our services, as well as the operation of our websites, mobile applications, and external digital platforms such as our social media profiles (collectively referred to as the “Online Service”). Unless stated otherwise, all terminology used in this Privacy Policy is intended to be gender-neutral.


2. Controller Information

GypsumWorks Malta
24 Konservatorju
Il-Furjana, Malta

Email: hello@gypsumworks-malta.com


3. Overview of Data Processing Activities

We process a variety of personal data in the course of our operations. These include core identification details (master data), payment and transaction-related information, geographical location data, and various contact details. Additionally, we may handle content provided by users, contract-related information, data concerning the usage of our services, technical metadata, communication logs, procedural records, and log file data generated during system access. The individuals affected by this processing are diverse and may include current and prospective clients, employees, communication partners, users of our services, business partners, and, in some cases, other third parties. Our data processing serves a wide range of purposes, including the fulfilment of contractual obligations, communication, and the implementation of appropriate security measures. It also supports activities such as direct marketing, reach and conversion tracking, audience segmentation, user profiling, administrative procedures, feedback and support processes, public relations, the promotion of our services, and the smooth running of internal business operations – particularly in areas like IT infrastructure and payment processing. All processing activities are carried out in accordance with applicable data protection regulations.

4. Legal Bases for Data Processing

Our processing of personal data is carried out in accordance with the legal provisions of the General Data Protection Regulation (GDPR). Depending on the specific circumstances of processing and the relationship with the data subject, we rely on one or more of the following legal bases:
– Where the data subject has given explicit consent for one or more specific purposes, processing is based on Article 6(1)(a) GDPR.
– If the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps prior to entering into a contract at the data subject’s request, we rely on Article 6(1)(b) GDPR.
– In cases where processing is required to comply with a legal obligation applicable to us, such as tax or commercial laws, Article 6(1)(c) GDPR serves as the legal basis.
– Finally, where processing is necessary for the purposes of our legitimate interests or those of a third party – provided such interests are not overridden by the data subject’s rights or freedoms – we process data pursuant to Article 6(1)(f) GDPR.

It is also important to note that, in addition to the GDPR, national data protection rules apply in Malta. These include the Data Protection Act (Chapter 586 of the Laws of Malta) and regulatory instruments issued by the Information and Data Protection Commissioner (IDPC). Such provisions may introduce additional requirements or safeguards, for instance regarding sensitive data, cross-border data transfers, or automated decision-making. Where specific legal bases differ from the general framework outlined here, we provide further clarification within the respective sections of this Privacy Policy.


5. Security Measures

To ensure the protection of personal data, we implement technical and organizational security measures that align with legal standards. These measures are carefully selected based on the current state of technology, the cost of implementation, the nature and scope of data processing, and the potential risks to the rights and freedoms of individuals. Our security framework includes both physical and digital safeguards to maintain the confidentiality, integrity, and availability of data. Access control procedures are in place for both physical premises and electronic systems. Data transmission and input access are protected, backups are performed regularly, and data environments are logically separated. In addition, we have implemented internal procedures to support the exercise of data subject rights, the lawful deletion of data, and effective responses to security threats. We also apply privacy by design and privacy by default principles, ensuring that data protection is embedded in the technical architecture of our systems from the outset. To secure data exchanged via our Online Service, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols that encrypt the transfer of data between browsers and our servers. This ensures that unauthorized parties cannot intercept or manipulate transmitted information. A URL beginning with “https://” in your browser bar indicates that the encrypted connection is active.


6. Transmission of Personal Data

As part of our processing operations, personal data may be disclosed to or shared with other companies, organizational units, or individuals, provided this is legally permissible and necessary for the intended purpose. Recipients may include service providers entrusted with tasks such as IT infrastructure, technical support, analytics, or marketing, as well as providers of integrated third-party services or content. In all such cases, we take care to comply with applicable data protection laws and enter into appropriate data processing agreements or contractual safeguards with the respective recipients, thereby ensuring that your personal data is handled in a secure and compliant manner.

7. International Data Transfers

In some instances, we transfer personal data to countries outside the European Union (EU) or the European Economic Area (EEA) – so-called third countries. Such transfers may occur when we engage service providers located in these jurisdictions or when data is otherwise disclosed or accessed across borders. All cross-border data transfers are carried out in compliance with applicable data protection regulations. Where no adequacy decision exists for a third country, we rely on legally approved safeguards such as Standard Contractual Clauses (SCCs) issued by the European Commission or obtain explicit consent from the data subject. For data transfers to the United States, we primarily rely on the EU-U.S. Data Privacy Framework (DPF), which was recognized by the European Commission as providing an adequate level of protection on 10 July 2023. Where applicable, we also conclude Standard Contractual Clauses with U.S.-based service providers to offer additional contractual safeguards. This layered approach ensures robust protection of your data, even in the event of changes to the DPF. For each service provider, we indicate in this Privacy Policy whether DPF certification or SCCs apply.

Further information about the DPF and a list of certified U.S. organizations can be found here:
https://www.dataprivacyframework.gov

Transfers to other third countries follow the same principles. Depending on the jurisdiction, we rely on adequacy decisions, contractual safeguards (such as SCCs), or – where appropriate – your explicit consent. An overview of the European Commission’s adequacy decisions and international transfer mechanisms is available at:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en


8. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected or to comply with legal obligations. Once this purpose no longer applies or the data subject withdraws consent, we delete the data – unless continued storage is legally required or justified by overriding legitimate interests. Typical examples include statutory retention obligations under commercial or tax law, which may require us to retain invoices or contract documents for several years. Additionally, we may store data for the defence of legal claims or to assert our own rights, or those of third parties. Unless otherwise specified, retention periods begin at the end of the calendar year in which the event triggering the obligation occurs – such as the termination of a contract. For ongoing relationships (e.g. customer accounts), data may be retained until the relationship ends and all obligations have been fulfilled. Further details about retention and deletion timelines can be found in the respective sections of this Privacy Policy.


9. Rights of Data Subjects

As a data subject under the GDPR, you have a number of rights regarding the processing of your personal data:
– You have the right to object at any time to processing based on legitimate interests or public tasks (Art. 6(1)(e) or (f) GDPR), particularly in the case of direct marketing.
– You may also withdraw your consent at any time with future effect, where processing is based on consent (Art. 7(3) GDPR).
– Additionally, you are entitled to obtain access to your data (Art. 15 GDPR), to request rectification of inaccurate or incomplete data (Art. 16 GDPR), and to demand the erasure of your personal data where permitted by law (Art. 17 GDPR).
– In certain circumstances, you may also request a restriction of processing (Art. 18 GDPR) or exercise your right to data portability (Art. 20 GDPR), allowing you to receive your data in a commonly used, machine-readable format or transmit it to another controller.
– If you believe that your rights have been violated, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). In Malta, the competent authority is the Information and Data Protection Commissioner (IDPC). You may also contact the supervisory authority in your place of residence or place of work.

10. Business Services

In the context of our contractual and commercial activities, we process personal data relating to our clients, interested parties, and business partners (collectively referred to as “contractual partners”). This includes any data necessary to establish, execute, or manage business relationships, as well as for related communication – including pre-contractual correspondence such as responding to enquiries. The data we process in this context typically includes identifying information (e.g. full name, residential address, customer ID), contact details (such as phone number, email, or mailing address), contract-related information (e.g. subject and duration of the contract), and payment data (such as bank details, invoice records, or transaction history). This information is used to fulfil our contractual obligations – including the delivery of agreed services, providing updates, or handling warranty claims and service disruptions. Furthermore, we process such data to ensure smooth and cost-effective business operations, maintain legal compliance, and safeguard the integrity and security of our IT systems and operations. This may require us to work with external partners such as transport companies, telecom providers, financial institutions, legal or tax advisors, and public authorities. Where permissible by law, we only disclose personal data to third parties when necessary for the purposes described above or where legally required. If we intend to use personal data for additional purposes, such as marketing, we inform the data subjects separately and request consent where necessary. Contractual partners are informed in advance – for instance, through online forms or direct contact – which data is necessary. Visual markers (such as asterisks or colour highlights) may be used to indicate required fields. 
Data is retained for the duration of the contractual relationship and typically deleted after the expiration of statutory warranty periods – usually four years – unless longer retention is legally mandated (e.g. by tax laws, which may require retention of up to ten years). If data is stored in a customer account, retention depends on the continuation of that relationship. Any data collected during the provision of services is deleted in accordance with contractual and statutory timelines.


11. Business Processes and Procedures

We also process personal data within the scope of general business activities that go beyond individual client relationships. This includes data relating to customers, clients, service recipients, and – in some cases – third parties such as patients, legal clients, or business contacts. Processing may occur as part of existing contractual relationships or during the initiation of such relationships. This data is used to support internal processes such as customer relationship management, project coordination, sales and marketing operations, accounting, invoicing, and financial administration. It helps us optimize business performance, manage workflows, improve service offerings, and comply with legal requirements. Moreover, such data processing enables reliable and secure communication with clients, partners, and employees. Data categories processed in this context include master data (e.g. name, address, contact information), payment details (e.g. bank information, invoice history), contractual records (e.g. service agreements or contract durations), and various forms of content data (e.g. messages or media provided by the user). We may also collect usage data from online interactions (e.g. website visits, device types), communication metadata (e.g. IP addresses, timestamps), and log data (e.g. system access records). The individuals concerned may include clients and prospective clients, communication partners, employees, business contacts, and other third parties, including users of our websites and platforms. We retain this data in accordance with the principles outlined in the section “Data Retention and Deletion” and process it based on legal grounds including the performance of contracts, compliance with legal obligations, and our legitimate interest in maintaining efficient and legally compliant operations.


12. Provision of the Online Service and Web Hosting

In order to make our Online Service available and ensure it operates reliably and securely, we process technical and usage-related data whenever users access or interact with our website, applications, or hosted content. This includes typical usage metrics such as pages visited, session durations, click paths, device types, and operating systems, as well as metadata like IP addresses, timestamps, user identifiers, and communication logs. Where applicable, content created or transmitted by users (such as messages or uploaded media) may also be processed. These processing activities are essential for delivering the Online Service, ensuring system functionality, and protecting the infrastructure from abuse or technical failures. They help us maintain server stability, perform diagnostics, and implement security measures.

To host our Online Service, we rely on external hosting providers who offer server space, processing capacity, and software infrastructure. This includes the handling of user requests, emails, and backups. Access to our Online Service is automatically logged in server log files, which may include file names, access times, data volumes, status codes, browser types, operating systems, referrer URLs, IP addresses, and the requesting provider. These logs are used exclusively for operational monitoring and abuse prevention and are stored for a maximum of 30 days unless longer retention is required for legal or security-related reasons.

Email traffic – including sending, receiving, and storing messages – is also managed by our hosting partners. While data transmission is generally secured, email content is not always end-to-end encrypted and may be accessible during routing via mail servers. We therefore recommend encrypting sensitive content where possible.

The hosting providers we use include:
– ALL-INKL.COM – Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany
Privacy Policy: https://all-inkl.com/datenschutzinformationen
– Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Privacy Policy: https://www.hetzner.com/legal/privacy-policy

All data processed in the context of hosting and service provision is handled based on our legitimate interest in delivering a secure, high-performance digital service (Art. 6(1)(f) GDPR).

13. Use of Cookies and Similar Technologies

Our Online Service uses cookies and comparable technologies such as web beacons, tracking pixels, and local storage to optimize the user experience and ensure technical functionality. Cookies are small text files that are placed on users’ devices via their browsers. These technologies allow us to identify users across sessions, store preferences, and analyse usage patterns. We differentiate between four types of cookies:
– Essential cookies are necessary for the basic operation of the website, including session control and security features.
– Functional cookies enhance the user experience by enabling personalized features, such as language selection.
– Performance cookies collect anonymized usage statistics to help us improve performance and identify errors.
– Marketing cookies track user behaviour across sites to deliver personalized advertising.

We use a cookie consent management tool (also referred to as a “cookie banner” or “consent manager”) to inform users of the cookies we use and to obtain their consent. Users can choose which categories of cookies they wish to accept. Consent can be withdrawn at any time through the same tool. Essential cookies are processed based on legitimate interest (Art. 6(1)(f) GDPR), while all other cookies require explicit consent (Art. 6(1)(a) GDPR). Cookies may be stored either temporarily, as session cookies that are deleted when the browser is closed, or for longer durations as persistent cookies, which remain stored on the device until manually deleted or expired. Users can manage cookie preferences through their browser settings, including disabling cookies entirely or selectively. Additionally, browser extensions or private browsing modes may limit data collection. Please note that disabling essential cookies may impair functionality.

14. Blogs and Publication Platforms

Within our Online Service, we may provide access to blogs or other content publication formats. In these areas, users may be able to submit posts, comments, or other contributions. Such content is typically published alongside the contributor’s username or author alias and a timestamp. We advise users to exercise caution when sharing personal information in public comments and recommend using pseudonyms. Contributions may be permanently visible unless otherwise stated, and may be removed or anonymised in accordance with our moderation policy and applicable laws. Users may also be offered the option to subscribe to comment threads. If this feature is available, subscribers receive a confirmation email to verify ownership of the submitted email address. Subscriptions can be cancelled at any time. The types of data processed in this context include contact details (such as email addresses), content data (e.g. blog entries and comments), and technical metadata (including IP addresses and time of submission). This processing supports the publication of user content, interaction within the community, security (e.g. spam prevention), and traceability in line with our accountability obligations. Legal bases include consent (Art. 6(1)(a) GDPR) where applicable, and our legitimate interest (Art. 6(1)(f) GDPR) in maintaining a moderated, interactive platform.


15. Contact and Request Management

When users contact us – whether via contact forms, email, phone, or social media – we process the data provided in order to respond to the enquiry and manage subsequent communication. Where applicable, requests may be stored in a ticketing or customer relationship management (CRM) system to ensure proper follow-up. The nature and extent of processed data depends on the information voluntarily submitted by the user, but typically includes name, contact information, message content, and technical metadata such as IP addresses and timestamps. Where applicable, we may also record the status and handling of the enquiry within a CRM system, along with internal follow-up notes. We recommend that users refrain from submitting sensitive personal information unless absolutely necessary. We process this data for the purposes of responding to user requests, providing support or information, maintaining customer relations, and documenting enquiries. Data is deleted as soon as it is no longer required and no statutory retention periods apply. Depending on the context, processing is based on the need to perform pre-contractual or contractual measures (Art. 6(1)(b) GDPR), consent (Art. 6(1)(a) GDPR), or our legitimate interest in maintaining effective communication and documentation (Art. 6(1)(f) GDPR).


16. Communication via Messenger Services

To facilitate direct communication, we may use messaging platforms such as WhatsApp, Signal, or Telegram, particularly for client support or quick-response communication. These services are operated by independent third-party providers, whose privacy policies and data practices apply in addition to this Privacy Policy. Users should be aware that messenger platforms may collect metadata (such as timestamps, device data, and user IDs), and – depending on the service – the message content itself. While some platforms offer end-to-end encryption, we cannot guarantee full security across all communication pathways. Using messenger services is voluntary and typically requires the user to initiate contact. If preferred, users may reach us via alternative channels such as email, telephone, or contact form. We process messenger communication data (including contact details, messages, images, attachments, and metadata) for the purposes of providing support, answering enquiries, and maintaining client relationships. The legal bases are consent (Art. 6(1)(a) GDPR) where applicable, performance of contract or pre-contractual communication (Art. 6(1)(b) GDPR), and our legitimate interests (Art. 6(1)(f) GDPR) in offering convenient communication channels.

Messenger platforms we may use include:

Users may opt out of messenger-based communication at any time by notifying us. Upon request, we will cease using that communication method.


17. Newsletters and Electronic Notifications

We may send newsletters and other electronic notifications (collectively referred to as “newsletters”) to inform users about our services, updates, offers, or relevant developments within our company or industry. Such communications are sent only with prior consent or where permitted by law (e.g. within the scope of an existing customer relationship). The subscription process uses a double opt-in method, whereby users confirm their subscription through a follow-up email. The subscription, confirmation, and delivery process is logged for compliance and legal documentation purposes. This includes storing the user’s IP address and timestamps. Our newsletters may include embedded tracking mechanisms such as web beacons or tracking links. These tools collect technical data (e.g. browser type, time of access, IP address) and behavioural insights (e.g. whether the email was opened, links clicked). This enables us to analyse engagement and optimize our communications accordingly. We process contact information (such as names and email addresses), usage data (such as open and click rates), and relevant metadata for these purposes. The legal basis is typically consent (Art. 6(1)(a) GDPR), or our legitimate interest (Art. 6(1)(f) GDPR) in client communication and direct marketing – particularly in B2B contexts. Subscribers may unsubscribe at any time via a link included in every message or by contacting us directly. Unsubscribing revokes consent for future communications. For accountability purposes, we may retain documentation of consent for up to three years after unsubscription.

18. Marketing Communication via Email, Mail, Fax or Phone

We may use various communication channels – including email, telephone, postal mail, or fax – to contact individuals for direct marketing purposes. This includes promotional content such as service updates, product information, special offers, or event invitations, as well as relationship management with existing or prospective clients. Such communications are carried out either based on prior consent (Art. 6(1)(a) GDPR) or a legitimate interest (Art. 6(1)(f) GDPR), for example when promoting our own services to existing clients or business partners in a B2B context. In some cases, call details (such as time, date, number dialled, or staff member involved) may be logged for documentation or quality assurance purposes. However, phone conversations are not recorded unless this is clearly communicated and explicitly agreed to by the parties involved. You may object to receiving marketing messages via any channel at any time. Once such an objection has been registered, we will no longer use your contact information for that purpose. We process contact data (e.g. name, phone number, email, postal address), communication content, technical metadata (e.g. time of contact, communication method), and – in the case of email – interaction data (such as open rates and clicks). This supports our marketing, client retention, and business development efforts. Contact details used for marketing purposes are stored until the data subject withdraws consent or objects to further communication. Where applicable, consent documentation (such as opt-in logs) may be retained for up to three years to fulfil legal accountability obligations.


19. Web Analytics, Monitoring and Optimization

To better understand how our Online Service is used and to continuously improve performance, usability, and security, we use web analytics tools and related technologies. These tools collect behavioural data such as visited pages, session durations, click paths, navigation patterns, and technical characteristics of the devices used. Where possible, we apply pseudonymization or anonymization techniques, such as truncating IP addresses or aggregating data into statistical reports. This helps us identify usage trends, technical errors, and user preferences while protecting individual privacy. The types of data processed in this context include general usage data, metadata (such as browser types and screen resolutions), device information (e.g. operating system, language settings), and tracking data (such as unique IDs or cookies). This data is used for audience measurement, performance monitoring, UX improvements, and technical troubleshooting. The legal basis is consent (Art. 6(1)(a) GDPR) where required – particularly in connection with cookies – or our legitimate interest (Art. 6(1)(f) GDPR) in system optimization and service delivery. Details of specific analytics providers (e.g. Google Analytics, Matomo) are provided in the section “Plugins and Embedded Features or Content”. Users can opt out of analytics via the cookie banner, browser settings, privacy plugins, or – where applicable – platform-specific opt-out links.


20. Online Marketing

We process personal data for online marketing purposes, including the display of interest-based advertising and campaign performance analysis. This may involve the use of cookies, pixels, and other technologies to track user behaviour across different websites and platforms. User interactions (such as visited pages, clicks, time spent, or purchase intent) may be used to build interest profiles, segment audiences, and display relevant advertising. This process is sometimes referred to as profiling, although it does not involve fully automated decision-making with legal effects unless explicitly stated and consented to. Data processed includes usage patterns, tracking identifiers, browser and device information, IP-based location data, and communication metadata. Online marketing serves several purposes, including personalized content delivery, retargeting, conversion tracking, audience segmentation, and campaign performance optimization. We rely on consent (Art. 6(1)(a) GDPR) where legally required – for example when using cookies or third-party platforms – or on legitimate interest (Art. 6(1)(f) GDPR), particularly in B2B or internal campaign contexts. Specific platforms and tools used (such as Google Ads, Meta/Facebook Ads, LinkedIn Campaign Manager) are listed in the relevant sections of this Privacy Policy. Opt-out options include cookie banner settings, in-platform preferences (e.g. Facebook or Google ad settings), or general opt-out portals such as:

https://optout.networkadvertising.org
https://www.youronlinechoices.com


21. Social Media Presences

We maintain official pages and profiles on various social media platforms (e.g. Facebook, Instagram, LinkedIn) to communicate with users, build our brand, and provide updates or support. When users visit our profiles, platform providers may process their personal data for their own purposes, including behavioural analysis and personalized advertising. We have no influence over these platform-controlled processes. We ourselves only process user data when they actively engage with our pages – for instance, by commenting, messaging, or reacting to posts. Such data is used solely to respond to interactions, evaluate engagement, or moderate content. Where applicable, we are jointly responsible with platform providers under Article 26 GDPR, particularly for insights and analytics features. In such cases, joint controller agreements define the scope and responsibilities of each party. We may process usernames, profile information, public posts, interaction data (likes, shares, messages), and technical metadata (IP address, browser information). These activities serve the purposes of external communication, community management, brand visibility, customer support, and engagement monitoring. Legal bases include consent (Art. 6(1)(a) GDPR) if granted to the platform, and legitimate interest (Art. 6(1)(f) GDPR) on our part.

Examples of platforms and policies:
– Facebook/Instagram – Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland
Privacy Policy: https://www.facebook.com/privacy/policy
Joint Controller Agreement: https://www.facebook.com/legal/terms/page_controller_addendum
– LinkedIn – LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Privacy Policy: https://www.linkedin.com/legal/privacy-policy
Joint Controller Agreement: https://legal.linkedin.com/pages-joint-controller-addendum

Since most platforms operate globally, personal data may be transferred outside the EU – particularly to the USA. These transfers are generally protected by Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.


22. Plugins and Embedded Features or Content

Our Online Service integrates external elements and features from third-party providers, such as graphics, fonts, maps, videos, social media buttons, or interactive tools. These are embedded in our website to enhance functionality and improve user experience. When such elements are loaded, user data – particularly IP addresses and browser information – may be transmitted to the respective providers, much like when visiting their websites directly. Some providers also use tracking technologies (e.g. cookies or pixels) for analytical or marketing purposes. We only load such content after obtaining user consent, unless a compelling legitimate interest exists. The external providers are responsible for their own data processing practices, as governed by their privacy policies. The types of data processed include usage and device information, technical metadata (such as timestamps and referrer URLs), and any embedded content (e.g. videos, map coordinates). In some cases, tracking technologies may be activated. This processing supports the integration of third-party services, improved interactivity, analytics, and, where applicable, marketing purposes. Legal bases include consent (Art. 6(1)(a) GDPR) and/or legitimate interest (Art. 6(1)(f) GDPR).

Examples include:
– Google Maps, provided by Google Ireland Ltd., for map display and location services
Privacy Policy: https://policies.google.com/privacy – Consent required
– YouTube, also provided by Google Ireland Ltd., for video content
Privacy Policy: https://policies.google.com/privacy – Consent required
– Google Fonts, served locally or via CDN, for web typography
Privacy Policy: https://policies.google.com/privacy – Legitimate interest if hosted locally; otherwise, consent

Users can manage the loading of such content through browser settings, script blockers, or by refusing consent in the cookie banner.


23. Amendments and Updates to This Privacy Policy

We reserve the right to update or modify this Privacy Policy to reflect changes in our practices, technologies, or legal obligations. Updates will be published on this page. We encourage users to review this Privacy Policy regularly. In cases where updates involve significant changes to how data is processed – particularly with regard to consent or the introduction of new technologies – we will inform users separately and request renewed consent if necessary. The current version of the Privacy Policy is always available via our Online Service.