Our Privacy Policy

This Privacy Policy explains how Gozo Harbour Reviews (referred to as “we”, “us” or “our”) collects, uses and protects personal data when you visit our website, make a booking enquiry, or rent one of our holiday apartments. We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Chapter 586 of the Laws of Malta).

Our website is not intended for minors. We do not knowingly collect personal data relating to children. If you have reason to believe that a minor has provided us with personal data, please contact us immediately at dpo@saw.com.mt and we will take steps to address this.

Please note that this Privacy Policy applies to bookings and enquiries made directly through our website. Where you book through a third-party platform such as Airbnb or Booking.com, that platform’s own privacy policy will apply to the data they collect from you.

If you have any questions regarding this policy or how we handle your data, please contact us at: dpo@saw.com.mt.

1. Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The latest version will always be available on this website. Where changes are material, we will notify you by email or by a prominent notice on the website and, where required, seek your re-acceptance of the updated policy. For all other changes, your continued use of the website after the revised date constitutes your acceptance of those changes. We encourage you to review this page periodically. This policy was last reviewed in April 2026.

2. What Amounts to Personal Data?

Personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

We collect personal data when you submit a booking enquiry through our website, complete a booking and payment, or otherwise communicate with us directly.

3. How Do We Collect Personal Data?

We collect personal data through the following methods:

Direct interactions: when you complete our booking enquiry or contact form, you provide us with your name, email address, preferred dates and any message you include.
Booking and payment processing: when you proceed with a booking, we collect your name, email address, billing address and payment details. Payment card data is processed directly by Stripe and is not stored on our systems.
Booking management: guest profiles are created within Tokeet, our booking management platform, to manage reservations, communications and availability.
Availability synchronisation: we use iCal integration to synchronise availability with third-party platforms such as Airbnb and Booking.com. This sync shares availability data but does not transfer guest personal data to us from those platforms.
Automated technologies: when you visit our website, certain technical data is automatically collected via Google Analytics and Cloudflare. See Section 4 below for further detail.

4. What Personal Data Do We Process?

We process the following categories of personal data:

Identity data: first name and last name.
Contact data: email address.
Booking data: preferred or confirmed dates, property details, booking history and reservation records held within Tokeet.
Financial and transaction data: billing name, billing address, and transaction records. Payment card details are processed by Stripe and are not retained by us.
Communications data: the content of any messages you send through our enquiry form or direct email correspondence.
Technical data: IP address (anonymised), browser type and version, device type, operating system, pages visited and time on page, collected via Google Analytics and Cloudflare.

We do not process special categories of personal data (such as health, biometric, religious or ethnic data), nor do we process data relating to criminal convictions or offences.

5. How Do We Use Your Personal Data?

We use your personal data for the following purposes:

To respond to booking enquiries: to review and respond to enquiries submitted through our contact form.
To process and manage bookings: to confirm reservations, process payments via Stripe, manage your booking within Tokeet, and send you booking confirmations, pre-arrival information and post-stay follow-up communications.
To manage availability across platforms: to synchronise availability data with third-party booking platforms via iCal integration, preventing double bookings.
To comply with legal obligations: to maintain financial and transaction records as required by Maltese tax and accounting law.
To understand website usage: to analyse anonymised traffic data via Google Analytics in order to improve our website.

We do not use your personal data for advertising, behavioural tracking, or any purpose not listed above.

6. Legal Bases of Processing Personal Data

We rely on the following legal bases for processing your personal data:

Performance of a contract (Article 6(1)(b) GDPR): processing your booking enquiry, confirming your reservation, processing payment, and sending booking-related communications are all necessary to perform the contract for the rental of our holiday apartment.
Legal obligation (Article 6(1)(c) GDPR): we are required by Maltese tax law to retain financial and transaction records for a period of seven years.
Legitimate interests (Article 6(1)(f) GDPR): we have a legitimate interest in understanding how our website is used (via anonymised Google Analytics data) in order to improve our website and services. We have assessed that this interest does not override your fundamental rights and freedoms given that the data is anonymised and aggregated.

7. Recipients

We share your personal data with the following third-party recipients:

Tokeet: our booking and property management platform. Tokeet processes guest booking data, manages reservations and sends booking-related communications on our behalf. Tokeet is based in the United States.
Stripe, Inc.: our payment processing provider. Stripe processes payment transactions securely and is responsible for the handling of payment card data. We do not store card data on our systems. Stripe is based in the United States and also acts as an independent data controller in respect of its own fraud prevention and financial compliance obligations.
iCal-integrated platforms (e.g. Airbnb, Booking.com): we use iCal to synchronise availability data with third-party booking platforms. This sync shares availability information only and does not transfer guest personal data. These platforms act as independent data controllers and their own privacy policies apply to any data they collect from you directly.
Google LLC: provider of Google Analytics. Google receives anonymised analytics data about visits to our website. Google is based in the United States.
Cloudflare, Inc.: provider of content delivery network and security services. Cloudflare processes connection data to route traffic and protect our website. Cloudflare is based in the United States.

We do not sell, rent or share your personal data with any other third parties for their own purposes. We do not permit our data processors to use your personal data other than for the purposes we specify. In the event of a corporate merger, acquisition or sale of assets, your personal data may be transferred to any successor entity, which will be required to honour the commitments made in this Privacy Policy.

8. Automated Decision-Making and Profiling

We do not carry out any automated decision-making or profiling that produces legal or similarly significant effects on you.

Please note that Stripe, our payment processor, may carry out automated fraud screening as part of its payment processing services. This is carried out by Stripe acting as an independent data controller in fulfilment of its own legal and regulatory obligations. For further information, please refer to Stripe’s Privacy Policy at stripe.com/privacy.

9. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected. When personal data is no longer required, it is securely deleted or anonymised. The appropriate retention period is determined by the nature of the data, the purpose of processing, and any applicable legal obligations.

Financial and transaction records: retained for seven years from the date of the transaction in accordance with Maltese tax and accounting obligations.
Booking and guest records: retained for a maximum of two years from the date of the stay, unless a longer period is required by law or necessary for the resolution of a dispute.
Enquiry and contact form data: retained for a maximum of two years from the date of the enquiry, or for such longer period as may be necessary if a booking results from the enquiry.
Website analytics data: retained in accordance with Google Analytics data retention settings, which default to 14 months for user-level data.

10. Your Rights

Under the GDPR, you have the following rights in relation to your personal data:

Right of access: you may request a copy of the personal data we hold about you.
Right to rectification: you may request that we correct any inaccurate or incomplete data we hold about you.
Right to erasure: you may request that we delete your personal data where there is no longer a legitimate reason for us to retain it. Please note that this right is not absolute and may be limited where we are required to retain data to comply with a legal obligation or to establish, exercise or defend legal claims.
Right to restriction of processing: you may request that we restrict the processing of your data in certain circumstances, for example while the accuracy of your data is being verified.
Right to data portability: you may request that we transfer your personal data to you or to another organisation in a structured, commonly used and machine-readable format, where processing is based on contract or consent and carried out by automated means.
Right to object: you may object to our processing of your personal data where we rely on legitimate interests as our legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent: where we rely on consent as a legal basis, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Right to human intervention: where any decision is made by solely automated means and produces legal or similarly significant effects on you, you have the right to request human review of that decision.

To exercise any of the above rights, please contact us at dpo@saw.com.mt. We will respond to all legitimate requests without undue delay and in any event within one month of receipt. We may need to verify your identity before processing your request. Where a request is made on your behalf by a third party, we may also ask for proof of authorisation.

You also have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. See Section 12 for details of our Lead Supervisory Authority.

11. Keeping Your Data Secure

We take appropriate technical and organisational measures to protect your personal data from accidental loss, unauthorised access, use, alteration or disclosure. Payment card data is handled exclusively by Stripe and is not stored on our systems. Access to booking and guest data is restricted to authorised personnel only.

Please note that the transmission of information over the internet is never completely secure. While we take all reasonable steps to protect your data, we cannot guarantee the security of data transmitted to our website.

We have adopted procedures to deal with any actual or suspected personal data breach. Where a breach is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

12. Complaints

If you have a concern about the way we handle your personal data, we encourage you to contact us in the first instance at dpo@saw.com.mt so that we may address your concern directly.

You also have the right to lodge a complaint with our Lead Supervisory Authority, the Information and Data Protection Commissioner (IDPC), which is the Maltese authority responsible for data protection matters:

Address: Level 2, Airways House, High Street, Sliema, Malta

Email: idpc.info@idpc.org.mt

Website: https://idpc.org.mt

Telephone: +356 2328 7100

13. Provision of Personal Data Relating to Third Party Data Subjects

If you provide us with personal data relating to another individual (for example, a fellow guest staying in the apartment), you confirm that you are authorised to share that data on their behalf and that you have informed them of how their data will be used in accordance with this Privacy Policy. We will process such data only for the purposes of managing the booking.

14. International Transfers

Several of our third-party service providers are based in the United States, which has not been the subject of a general adequacy decision by the European Commission. The transfer of personal data to these organisations is carried out on the basis of Standard Contractual Clauses approved by the European Commission, which provide appropriate safeguards for the protection of your personal data. For further information on countries recognised by the European Commission as providing an adequate level of data protection, please refer to the European Commission’s list of adequate countries.

The relevant providers and their privacy policies are as follows:

Tokeet: tokeet.com/privacy-policy
Stripe: stripe.com/privacy
Google Analytics: policies.google.com/privacy
Cloudflare: cloudflare.com/privacypolicy

Our Cookie Policy

Last updated: April 2026

1. What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work correctly, remember your preferences, and provide information to the website owner about how the site is being used.

This Cookie Policy explains what cookies we use on this website, why we use them, and how you can control them.

2. How We Use Cookies

We use cookies for two purposes: to ensure our website functions correctly, and to understand how visitors use our site so that we can improve it. We do not use cookies for advertising, remarketing or for tracking you across other websites.

When you first visit our website, a cookie consent banner will appear. Necessary cookies are set automatically as they are essential to the operation of the site. Analytics cookies will only be set if you choose to accept them.

You can change your preferences at any time using the cookie settings option on our website.

3. Necessary Cookies

These cookies are essential for the website to function correctly and cannot be switched off. They do not require your consent, but we are required to inform you of their use.

| Cookie Name | Provider | Type | Purpose | Expiry |
|---|---|---|---|---|
| __cky_uuid | CookieYes | Necessary | Assigns a unique ID to the visitor to remember their cookie consent preferences. | 1 year |
| cookieyes-consent | CookieYes | Necessary | Stores the visitor’s cookie consent state for the current domain. | 1 year |
| __cky_opt_out | CookieYes | Necessary | Records whether the visitor has opted out of non-essential cookies. | 1 year |
| __cf_bm | Cloudflare | Necessary | Distinguishes between humans and automated bots to protect the website from malicious traffic. | 30 minutes |
| _cfuvid | Cloudflare | Necessary | Used for rate limiting; helps distinguish individual users sharing the same IP address to prevent abuse. | Session |
| wordpress_test_cookie | WordPress | Necessary | Checks whether the browser accepts cookies. Required for core WordPress functionality. | Session |
| wp_lang | WordPress | Necessary | Stores the WordPress language preference (en_US) to display the site in the correct language. | Session |

4. Analytics Cookies

These cookies help us understand how visitors interact with our website. All data collected is anonymised and aggregated. These cookies are only set with your prior consent.

| Cookie Name | Provider | Type | Purpose | Expiry |
|---|---|---|---|---|
| _ga | Google Analytics | Analytics | Registers a unique ID used to generate statistical data on how you use the website. | 2 years |
| _ga_* | Google Analytics | Analytics | Used by Google Analytics 4 to persist session state and measure site engagement. | 2 years |
| _gid | Google Analytics | Analytics | Registers a unique ID used to generate statistical data on how you use the website. | 24 hours |
| _gat | Google Analytics | Analytics | Used to throttle the rate of requests to Google Analytics servers. | 1 minute |

5. Managing Your Cookie Preferences

You can manage or withdraw your consent to analytics cookies at any time by clicking the cookie settings option on our website. Withdrawing consent will not affect the lawfulness of any processing that took place before you withdrew it.

You can also control cookies directly through your browser settings. Most browsers allow you to refuse, delete or be notified when a cookie is set. Please note that disabling certain cookies may affect how the website functions. For guidance on managing cookies in your browser, visit www.aboutcookies.org.

6. Third-Party Privacy Policies

Some cookies on this website are set by third-party providers. Their data practices are governed by their own privacy policies:

Google Analytics: policies.google.com/privacy
Cloudflare: cloudflare.com/privacypolicy
CookieYes: cookieyes.com/privacy-policy

7. Updates to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in the cookies we use or for legal or regulatory reasons. The latest version will always be available on this website. We encourage you to review this page periodically.

8. Contact Us

If you have any questions about our use of cookies, please contact us at dpo@saw.com.mt.