Privacy Policy

Last Updated: January 2025

🔒 Your Security is Our Priority

Discover Gozo implements reasonable technical and organisational measures to protect your data. We take the protection of personal information seriously and regularly review our security practices.

At Discover Gozo, we are committed to protecting your privacy and being transparent about how we collect, use, and protect your information. This Privacy Policy explains our practices regarding location data and analytics collection.

1. Information We Collect

Location Data (With Your Consent)

When you enable location features in our app and consent to location analytics, we collect:

Approximate location coordinates: We collect your location data (latitude and longitude) and use a 100-meter radius for visit analytics to protect your privacy.
Location accuracy: Information about the accuracy of the location data provided by your device.
Timestamp: When the location data was collected.

Device and Usage Information

We automatically collect certain information about your device and how you use our app:

Device type (mobile, tablet, desktop)
Browser and operating system information
Screen resolution and viewport size
Language preferences
Time zone
Pages visited and features used
Search queries (anonymized)

2. How We Use Your Information

Our primary purpose: We use location and usage data solely to improve tourism services, infrastructure planning, and visitor experiences in Gozo.

Specifically, we use the collected data to:

Improve tourism services: Understand how visitors explore Gozo to enhance recommendations and services.
Infrastructure planning: Identify popular areas and routes to help plan transportation, facilities, and services.
Enhance user experience: Improve app functionality, features, and content based on usage patterns.
Analytics and insights: Generate aggregated, anonymized reports about tourism patterns and trends.

3. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your location data based on your explicit consent. You have the right to:

Give or withdraw consent at any time
Access your personal data
Request deletion of your data
Object to processing of your data
Data portability (receive your data in a structured format)

4. Data Protection and Privacy Measures

Anonymization and Privacy

Visit calculation limits: Visits are counted only when a user stays within a 100-meter radius for at least 10 minutes, allowing gaps up to 5 minutes.
Anonymous identifiers: We use anonymous browser-based identifiers that cannot be linked to your personal identity.
Aggregation: Data is aggregated and analyzed in groups to prevent individual identification.

Data Security

All data is transmitted using secure, encrypted connections (HTTPS)
Data is stored on secure servers with appropriate access controls
We implement industry-standard security measures to protect against unauthorized access

5. Security of Your Information

We take the protection of personal information seriously and implement reasonable technical and organisational measures designed to safeguard the information processed through the service.

These measures include:

Secure password storage

User passwords are never stored in plain text. Passwords are securely hashed using bcrypt before being stored in the database.

Encrypted connections

Data transmitted between users and the service is protected using HTTPS encryption when accessing the platform through a secure connection.

Protection against automated abuse

Login endpoints are protected by rate-limiting mechanisms that help prevent automated login attempts and reduce the risk of brute-force attacks.

Secure file uploads

Uploaded files are restricted to approved image formats and validated to prevent unsafe file types. File names are sanitised to prevent path traversal or other file-system attacks.

Database security practices

Database queries use prepared statements and parameterized queries to reduce the risk of SQL injection attacks.

Access control

Administrative access to the system is restricted and requires authenticated login credentials.

Activity logging

Administrative actions within the system are logged to support accountability and help identify unusual or unauthorized activity.

Security maintenance

We regularly review and update our security measures and apply software updates when appropriate to help maintain the security of the platform.

Limitation of security: While we take reasonable steps to protect information, no method of transmission over the Internet or method of electronic storage is completely secure. As a result, we cannot guarantee absolute security.

Your Role in Security

You can also help protect your account by:

Choosing a strong, unique password
Not sharing your login credentials with others
Logging out from shared or public devices
Keeping your device and browser updated
Reporting any suspicious activity immediately

6. Data Retention

We retain location analytics data for a maximum of 12 months, after which it is automatically deleted. Aggregated, anonymized reports may be retained longer for historical analysis, but these cannot be linked to individual users.

7. Data Sharing

We do not sell, rent, or share your personal location data with third parties.

We may share aggregated, anonymized statistics with:

Tourism authorities and government agencies for infrastructure planning
Research institutions for tourism studies (only in anonymized, aggregated form)

Any shared data is completely anonymized and cannot be used to identify individual users.

8. Your Rights and Choices

Consent Management

You can manage your consent preferences at any time:

Opt-in: Accept location analytics tracking when prompted
Opt-out: Withdraw consent at any time through app settings
Location features: You can use location features (GPS, map navigation) without consenting to analytics tracking

Your GDPR Rights

If you are located in the European Economic Area (EEA), you have the following rights:

Right to access: Request a copy of your personal data
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of your data ("right to be forgotten")
Right to restrict processing: Request limitation of how we process your data
Right to data portability: Receive your data in a structured, machine-readable format
Right to object: Object to processing of your data
Right to withdraw consent: Withdraw consent at any time

9. Children's Privacy

Our app is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will:

Update the "Last Updated" date at the top of this policy
Notify you of significant changes through the app
Request new consent if the changes affect how we process your data

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: [email protected]
Subject: Privacy Policy Inquiry

We will respond to your inquiry within 30 days as required by GDPR.

12. Governing Law

This Privacy Policy is governed by the laws of Malta and the European Union's General Data Protection Regulation (GDPR). If you are located outside the EEA, your use of this app constitutes consent to the processing of your data as described in this policy.