Privacy policy
Surf Creative Solutions Ltd. (“Surf,” “we,” or “our”) is committed to respecting and protecting your privacy. This Privacy Policy describes how we collect, use, store, and protect personal data when you interact with our platform, whether as a customer, seller, or visitor.
We process your data in compliance with the General Data Protection Regulation (GDPR), Malta’s Data Protection Act (Chapter 586), and other applicable Maltese data protection laws, including any specific requirements related to law enforcement data handling and exemptions outlined in the Restriction of Data Protection (Obligations and Rights) Regulations. Our goal is to ensure all data processing activities are conducted fairly, transparently, and securely.
1. Who we are
Surf Creative Solutions Ltd. operates as the data controller, responsible for determining the purpose and means of processing your personal data. We are committed to upholding the highest standards of data protection.
2. Contact Information
If you have questions, concerns, or requests regarding your personal data, please contact us at:
- Email: info@surf.mt / gdpr@surf.mt
- Phone: +356 77215267
- Address: Office 9, Level 3B, Centris Business Gateway II, Triq is-Salib tal-Imriehel, Zone 3, Central Business District, Birkirkara CBD 3020, Malta.
3. Types of Data Collected
Surf collects various types of personal data to provide its services, comply with legal obligations, and improve user experience. This section outlines the categories of data collected based on user interactions with our platform, covering customers, sellers, visitors, influencer applicants, and employees.
a. Data Collected from Sellers
Surf collects certain data from sellers to facilitate onboarding, product listings, financial transactions, and legal compliance:
- Identity and Business Information:
  - Business Registration Name: Used to verify the seller’s business entity and for regulatory purposes.
  - VAT Number: Required for tax compliance and regulatory reporting.
  - Registered Business Address: For official communication and identity verification.
- Contact Information:
  - Full Name and Role of Representative: Identifies the individual managing the seller account.
  - Email Address and WhatsApp Number: Used for account-related communication, support, and notifications.
- Banking and Financial Details:
  - Bank Account Information: Required for secure payment processing and payouts.
- Product Listings and Details:
  - Product Information: Product descriptions, prices, stock levels, and metadata necessary for managing listings on Surf’s platform.
- Usage and Access Information:
  - Login Activity and Session Details: Tracks login times, IP addresses, and session duration for security, platform stability, and usage insights.
b. Data Collected from Customers
Customer data is essential for managing orders, providing support, and personalizing the experience on Surf’s platform:
- Personal Information:
  - Full Name: Used for personalized interactions and identifying customers.
  - Email Address and Phone Number: Necessary for order updates, customer service inquiries, and transactional communication.
- Shipping and Billing Details:
  - Shipping Address: Needed for order fulfillment, tracking, and delivery.
  - Billing Address: Required for verifying payment details and legal compliance with invoicing.
- Order and Transaction Data:
  - Order History and Purchase Details: Tracks product purchases, order status, and payment methods (processed securely by third parties, such as Stripe).
  - Refund and Return Information: Necessary for managing returns and refunds in accordance with customer rights and Surf’s policies.
- Geolocation Data:
  - Location Information: Collected with consent and used for marketing purposes, such as targeted ads on platforms like Facebook and Google.
c. Data Collected from All Users (Customers, Sellers, and Visitors)
Surf collects technical and browsing data from everyone who visits or interacts with the website. This data helps us optimize services, maintain security, and enhance the user experience.
- Browsing and Interaction Data:
  - Session Information: Tracks pages visited, time spent on each page, and interactions to improve website structure and usability.
  - Clickstream Data: Collects anonymous data on popular pages and user interactions.
- Device and Technical Information:
  - IP Address, Browser Type, and Device Information: Used for security, troubleshooting, and ensuring the website’s compatibility across different devices.
- Cookies and Tracking Technologies:
  - Strictly Necessary Cookies: Essential for site functionality (e.g., remembering login sessions and cart items).
  - Functional Cookies: Enable additional services such as social media sharing.
  - Marketing Cookies: Used for targeted advertising and analytics, including Facebook Pixel.
  - Performance Cookies: Collect anonymous data to help analyze website performance and improve user experience.

(See our Cookie Policy for details on managing cookies.)
d. Data Collected from Influencer Applicants and Employees
Surf occasionally collects data from individuals interested in joining the platform as influencers or employees. This data is used strictly for reviewing applications, managing employment records, and ensuring compliance with employment regulations.
- For Influencer Applicants:
  - Application Information: Includes Curriculum Vitae (CV) and personal details such as full name, contact information, educational background, professional experience, and social media links.
  - Communication Details: Used for discussing collaboration opportunities.
  - Collection Method: Collected via email as noted on Surf’s website.
- For Employees:
  - Employment Records: Includes full name, contact information, national ID, work history, references, and emergency contacts.
  - Payroll and Benefits Information: Bank account details, tax information, and other financial data necessary for payroll and benefits.
  - Performance and Evaluation Data: Tracks performance evaluations, role responsibilities, and work-related feedback.
  - Health and Safety Information: Data related to workplace safety and any required health information, as per legal employment requirements.
  - Collection Method: Typically collected during recruitment, onboarding, and as needed throughout employment.
Surf handles influencer and employee data confidentially and in accordance with the GDPR, the Maltese Employment and Industrial Relations Act (EIRA, Chapter 452), and other relevant labor regulations to ensure compliance with local laws.
4. Additional Data Sources
In certain cases, we may collect data from third-party sources to enhance our services and verify seller information.
- Third-Party Service Providers: We may receive aggregated data from advertising and analytics partners like Google Analytics to understand user demographics, interests, and improve our marketing strategies.
- Publicly Available Sources: To verify seller information and ensure accuracy, Surf consults publicly accessible resources such as:
  - VATify.eu: Used to verify VAT numbers and ensure compliance with EU VAT regulations.
  - Malta Business Registry (MBR): For verification of registered businesses in Malta.
  - Other publicly available databases and resources, consulted as necessary, to support data accuracy and compliance.
5. Purpose, Legal Basis, and Duration of Processing
Surf processes personal data for specific purposes, each with a clear legal basis under GDPR and defined retention periods. Personal data is retained only as long as necessary to fulfill the purposes described below, after which it is securely deleted or anonymized.
| Purpose of Processing | Legal Basis | Examples of Data Usage | Data Retention Period |
| --- | --- | --- | --- |
| Account Creation and Management | Contractual necessity | Used to create and manage user and seller accounts | Retained while account remains active; deleted upon closure |
| Order Processing and Fulfillment | Contractual necessity | Processes shipping and billing information for orders | 7 years (to comply with tax and legal requirements) |
| Marketing and Personalized Advertising | Consent | Sends promotional offers and personalized ads | Until user withdraws consent or as allowed by GDPR |
| Customer Support and Service Improvements | Legitimate interest | Assists in resolving user queries, includes WhatsApp communication | Retained until support issues are fully resolved |
| Fraud Detection and Security | Legitimate interest | Monitors suspicious activity to protect user accounts | Retained throughout the business relationship |
| Regulatory Compliance and Reporting | Legal obligation | Maintains records for tax compliance and regulatory audits | As mandated by Maltese law and GDPR |
| Employee and Payroll Management | Contractual necessity and legal obligation | Manages payroll, benefits, and performance tracking | Duration of employment plus additional statutory requirements |
| Influencer Applications | Consent | Reviews applications from prospective influencers | Retained for 6 years post-application if not engaged |
| Analytics and Website Performance | Legitimate interest | Tracks browsing behavior to improve user experience | Retained for 2 years in aggregated, anonymized format |

- Contractual Necessity: Processing is required to fulfill a contract with the user or seller. For example, Surf needs user details to complete orders and facilitate payment processing.
- Legitimate Interest: Processing supports Surf’s business interests, including WhatsApp as a preferred communication channel with users and sellers for updates, support, and inquiries, without overriding data subject rights.
- Legal Obligation: Surf retains certain data to comply with legal requirements, such as tax documentation.
- Consent: Certain processing, such as marketing communications or influencer applications, requires explicit user consent. Users can withdraw this consent at any time, ending the processing for that purpose.
6. Disclosure of Personal Data
We may disclose your personal data in the following circumstances:
- To comply with legal obligations or respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- To protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others.
- In connection with a sale, merger, or other business reorganization, your data may be disclosed to potential buyers or joint venture partners under appropriate confidentiality measures.
a. Third-Party Sharing and Compliance Measures
Surf shares personal data with third parties only to the extent necessary to operate and enhance our services. We have strict agreements in place with third parties to ensure your data is processed in compliance with GDPR and other applicable regulations. These partners include:
- Service providers for payment processing, marketing, and analytics.
- Logistics and fulfillment providers to manage order deliveries.
- Advertising platforms to reach our audience with relevant content and offers.
b. Data Processing Agreements
All third parties handling your data on our behalf are subject to Data Processing Agreements (DPAs) that enforce compliance with GDPR standards. These agreements include provisions to:
- Limit data processing to only necessary and approved activities.
- Require appropriate technical and organizational security measures.
- Ensure data is processed confidentially and securely.
7. International Data Transfers
When Surf transfers data outside the European Economic Area (EEA), we adhere to GDPR requirements for data protection. Transfers are only made when necessary and with adequate protection measures in place.
a. Safeguards for Cross-Border Data Transfers
For cross-border data transfers, Surf implements the following safeguards:
- Standard Contractual Clauses: When transferring data outside the EEA, we employ Standard Contractual Clauses approved by the European Commission to ensure the security and legality of the transfer.
- Binding Corporate Rules: For transfers within our organization, we follow strict internal policies that align with GDPR principles.
b. Standard Contractual Clauses
Our agreements with third-party service providers outside the EEA incorporate Standard Contractual Clauses (SCCs) where required. These clauses provide specific guarantees around data security, privacy, and compliance with GDPR requirements.
8. Cookies and Tracking Technologies
Surf uses cookies and similar tracking technologies to enhance your experience on our platform. Cookies help us understand user preferences, optimize site performance, and deliver targeted advertisements.
a. Types of Cookies Used
- Strictly Necessary Cookies: Essential for site functionality, like maintaining your login session.
- Functional Cookies: Enable extra features, such as saving your preferences.
- Performance Cookies: Collect anonymous data to analyze website performance and improve user experience.
- Marketing Cookies: Used to personalize advertising and measure ad effectiveness.
b. Managing Cookie Preferences
You can manage or disable cookies through your browser settings or via our cookie preference tool on the site. For more details, please refer to our Cookie Policy.
c. Link to Detailed Cookie Policy
For a more detailed overview of the cookies we use and their purposes, please review our Cookie Policy.
9. Changes to the Privacy Policy
We may update our Privacy Policy to reflect changes in our practices or relevant laws. We encourage you to review this page periodically for any updates.
a. Notification of Policy Updates
When we make significant changes to our Privacy Policy, we will notify you via email or through prominent notices on our website to keep you informed.
b. Effective Date of Last Update
This Privacy Policy was last updated on 07/11/2024.
10. Contact Information for GDPR Queries
If you have any questions, concerns, or requests regarding the processing of your personal data, or if you would like to exercise your rights under the General Data Protection Regulation (GDPR), please contact our data protection team.
- Data Protection Officer (DPO): Ashwini Kumar
- Email: gdpr@surf.mt
- Phone: +356 77215267
- Postal Address:
Surf Creative Solutions Ltd.
Attn: Ashwini Kumar - Data Protection Officer
Office 9, Level 3B, Centris Business Gateway II, Triq is-Salib tal-Imriehel, Zone 3,
Central Business District, Birkirkara CBD 3020, Malta.
Our team is committed to addressing your queries promptly and transparently. We aim to respond to GDPR-related inquiries within one month, as required under GDPR regulations.
11. Definition of main terms
| Glossary | |
| --- | --- |
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EEC (General Data Protection Regulation) |
| Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction |
| Controller | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data |
| Data Protection Officer – DPO | For the purposes of this privacy policy, the Controller (Surf Creative Solutions LTD) appointed a DPO to carry out the following tasks: to review compliance with GDPR and other applicable EU or national legislation in relation to the protection of personal data; to advise Surf Creative Solutions LTD about legislative developments and methods of compliance with its obligations under GDPR and other applicable law; to cooperate with the supervisory authority. |
| Personal data | Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |