Privacy policy

Surf Creative Solutions Ltd. (“Surf,” “we,” or “our”) is committed to respecting and protecting your privacy. This Privacy Policy describes how we collect, use, store, and protect personal data when you interact with our platform, whether as a customer, seller, or visitor.

We process your data in compliance with the General Data Protection Regulation (GDPR), Malta’s Data Protection Act (Chapter 586), and other applicable Maltese data protection laws, including any specific requirements related to law enforcement data handling and exemptions outlined in the Restriction of Data Protection (Obligations and Rights) Regulations. Our goal is to ensure all data processing activities are conducted fairly, transparently,and securely.

1. Who we are

Surf Creative Solutions Ltd. operates as the data controller, responsible for determining the purpose and means of processing your personal data. We are committed to upholding the highest standards of data protection.

2. Contact Information

If you have questions, concerns, or requests regarding your personal data, please contact us at:

• Email: info@surf.mt/gdpr@surf.mt
• Phone: +356 77215267
• Address: EOffice 9, Level 3B, Centris Business Gateway II, Triq is-Salib tal-Imriehel, Zone 3, Central Business District, Birkirkara CBD 3020, Malta.

3. Types of Data Collected

Surf collects various types of personal data to provide its services, comply with legal obligations, and improve user experience. This section outlines the categories of data collected based on user interactions with our platform,covering customers, sellers, visitors, influencer applicants, and employees.

a. Data Collected from Sellers

Surf collects certain data from sellers to facilitate onboarding, product listings, financial transactions, and legal compliance:

• Identity and Business Information:
  • Business Registration Name: Used to verify the seller’s business entity and for regulatory purposes.
  • VAT Number: Required for tax compliance and regulatory reporting. 
  • Registered Business Address: For official communication and identity verification.

• Contact Information:
  • Full Name and Role of Representative: Identifies the individual managing the seller account.
  • Email Address and WhatsApp Number: Used for account-related communication, support, and notifications.          
• Banking and Financial Details:
  • Bank Account Information: Required for secure payment processing and payouts.
• Product Listings and Details:
  • Product Information: Product descriptions, prices, stock levels, and metadata necessary for managing listings on Surf’s platform.
• Usage and Access Information: Login Activity and Session Details:Tracks login times, IP addresses, and session duration for security,
  platform stability, and usage insights.

b. Data Collected from Customers

Customer data is essential for managing orders, providing support,and personalizing the experience on Surf’s platform:

• Personal Information:
  • Full Name: Used for personalized interactions and identifying customers.
  • Email Address and Phone Number: Necessary for order updates, customer service inquiries, and transactional communication.  

• Shipping and Billing Details:
  • Shipping Address: Needed for order fulfillment, tracking, and delivery.
  • Billing Address: Required for verifying payment details and legal compliance with invoicing. 

• Order and Transaction Data:
  • Order History and Purchase DetailsTracks product purchases, order status, and payment methods (processed securely by third parties, such as Stripe).
  • Refund and Return Information: Necessary for managing returns and refunds in accordance with customer rights and Surf’s policies.  

• Geolocation Data:
  • Location Information: Collected with consent and used for marketing purposes, such as targeted ads on platforms like Facebook and Google.

c. Data Collected from All Users (Customers, Sellers, and Visitors)

Surf collects technical and browsing data from everyone who visits or interacts with the website. This data helps us optimize services, maintain security, and enhance the user experience.

• Browsing and Interaction Data:
  • Session Information: Tracks pages visited, time spent on each page, and interactions to improve website structure and usability.
  • Clickstream Data: Collects anonymous data on popular pages and user interactions. 

• Device and Technical Information:
  • IP Address, Browser Type, and Device Information: Used for security, troubleshooting, and ensuring the website’s compatibility across different devices.

• Cookies and Tracking Technologies:
  • Strictly Necessary Cookies:Essential for site functionality (e.g., remembering login sessions and cart items).
  • Functional Cookies: Enable additional services such as social media sharing. 
  • Marketing Cookies: Used for targeted advertising and analytics, including Facebook Pixel. 
  • Performance Cookies: Collect anonymous data to help analyze website performance and improve user experience. (See our Cookie Policy for details on managing cookies.) 

d. Data Collected from Influencer Applicants and Employees

Surf occasionally collects data from individuals interested in joining the platform as influencers or employees. This data is used strictly for reviewing applications, managing employment records, and ensuring compliance with employment regulations.

• For Influencer Applicants:
  • Application Information: Includes Curriculum Vitae (CV) and personal details such as full name, contact information, educational background, professional experience, and social media links.
  • Communication Details: Used for discussing collaboration opportunities. 
  • Collection Method: Collected via email as noted on Surf’s website. 

• For Employees:
  • Employment Records: Includes full name, contact information, national ID, work history, references, and emergency contacts.
  • Payroll and Benefits Information: Bank account details, tax information, and other financial data necessary for payroll and benefits.
  • Performance and Evaluation Data: Tracks performance evaluations, role responsibilities, and work-related feedback.
  • Health and Safety Information: Data related to workplace safety and any required health information, as per legal employment requirements.
  • Collection Method: Typically collected during recruitment, onboarding, and as needed throughout employment.

Surf handles influencer and employee data confidentiality and in accordance with GDPR and Maltese Employment and Industrial Relations Act (EIRA, Chapter 452), and other relevant labor  regulations to ensure compliance with local laws.

4. Additional Data Sources

In certain cases, we may collect data from third-party sources to enhance our services and verify seller information.

• Third-Party Service Providers:We may receive aggregated data from advertising and analytics partners like Google Analytics to understand user demographics, interests, and improve our marketing strategies.

• Publicly Available Sources:To verify seller information and ensure accuracy, Surf consults publicly accessible resources such as:
  • VATify.eu: Used to verify VAT numbers and ensure compliance with EU VAT regulations.
  • Malta Business Registry (MBR): For verification of registered businesses in Malta.
  • Other publicly available databases and resources, consulted as necessary, to support data accuracy and compliance.

5. Purpose, Legal Basis, and Duration of Processing

Surf processes personal data for specific purposes, each with a clear legal basis under GDPR and defined retention periods. Personal data is retained only as long as necessary to fulfill the purposes described below, after which it is securely deleted or anonymized.

• Contractual Necessity: Processing is required to fulfill a contract with the user or seller. For example, Surf needs user details to complete orders and facilitate payment processing.
• Legitimate Interest: Processing supports Surf’s business interests, including WhatsApp as a preferred communication channel with users and sellers for updates, support, and inquiries, without overriding data subject rights.
• Legal Obligation: Surf retains certain data to comply with legal requirements, such as tax documentation.
• Consent: Certain processing, such as marketing communications or influencer applications, requires explicit user consent. Users can withdraw this consent at any time, ending the processing for that purpose.

6. Disclosure of Personal Data

We may disclose your personal data in the following circumstances:

• To comply with legal obligations or respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
• To protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others.
• In connection with a sale, merger, or other business reorganization, your data may be disclosed to potential buyers or joint venture partners under appropriate confidentiality measures.

a. Third-Party Sharing and Compliance Measures

Surf shares personal data with third parties only to the extent necessary to operate and enhance our services. We have strict agreements in place with third parties to ensure your data is processed in compliance with GDPR and other applicable regulations. These partners include:

• Service providers for payment processing, marketing, and analytics.
• Logistics and fulfillment providers to manage order deliveries.
• Advertising platforms to reach our audience with relevant content and offers.

b. Data Processing Agreements

All third parties handling your data on our behalf are subject to Data Processing Agreements (DPAs) that enforce compliance with GDPR standards. These agreements include provisions to:

• Limit data processing to only necessary and approved activities.
• Require appropriate technical and organizational security measures.
• Ensure data is processed confidentially and securely.

7. International Data Transfers

When Surf transfers data outside the European Economic Area (EEA), we adhere to GDPR requirements for data protection. Transfers are only made when necessary and with adequate protection measures in place.

a. Safeguards for Cross-Border Data Transfers

For cross-border data transfers, Surf implements the following safeguards:

• Standard Contractual Clauses: When transferring data outside the EEA, we employ Standard Contractual Clauses approved by the European Commission to ensure the security and legality of the transfer.
• Binding Corporate Rules: For transfers within our organization, we follow strict internal policies that align with GDPR principles.

b. Standard Contractual Clauses 

Our agreements with third-party service providers outside the EEA incorporate Standard Contractual Clauses (SCCs) where required. These clauses provide specific guarantees around data security, privacy, and compliance with GDPR requirements.

8. Cookies and Tracking Technologies

Surf uses cookies and similar tracking technologies to enhance your experience on our platform. Cookies help us understand user preferences, optimize site performance, and deliver targeted advertisements.

a. Types of Cookies Used

• Strictly Necessary Cookies: Essential for site functionality, like maintaining your login session.
• Functional Cookies: Enable extra features, such as saving your preferences.
• Performance Cookies: Collect anonymous data to analyze website performance and improve user experience.
• Marketing Cookies: Used to personalize advertising and measure ad effectiveness.

b. Managing Cookie Preferences

You can manage or disable cookies through your browser settings or via our cookie preference tool on the site. For more details, please refer to our Cookie Policy.

c. Link to Detailed Cookie Policy

For a more detailed overview of the cookies we use and their purposes, please review our Cookie Policy.

9. Changes to the Privacy Policy

We may update our Privacy Policy to reflect changes in our practices or relevant laws. We encourage you to review this page periodically for any updates.

a. Notification of Policy Updates

When we make significant changes to our Privacy Policy, we will notify you via email or through prominent notices on our website to keep you informed.

b. Effective Date of Last Update

This Privacy Policy was last updated on 07/11/2024.

10. Contact Information for GDPR Queries

If you have any questions, concerns, or requests regarding the processing of your personal data, or if you would like to exercise your rights under the General Data Protection Regulation (GDPR), please contact our data protection team.

• Data Protection Officer (DPO): Ashwini Kumar
• Email: gdpr@surf.mt
• Phone: +356 77215267
• Postal Address:
  Surf Creative Solutions Ltd.
  Attn: Ashwini Kumar - Data Protection Officer
  Office 9, Level 3B, Centris Business Gateway II, Triq is-Salib tal-Imriehel, Zone 3,
  Central Business District, Birkirkara CBD 3020, Malta.

Our team is committed to addressing your queries promptly and transparently. We aim to respond to GDPR-related inquiries within one month, as required under GDPR regulations.

11. Definition of main terms