Last reviewed: 20 May 2026
Privacy Policy
This notice explains how BookItMalta, a trading name of TrueNorthDigital ("BookItMalta", "we", "us"), collects and handles personal data when you browse this website, submit an enquiry, or pay a booking fee for a charter offered by one of our partner operators. We are established in Malta. You can contact our data protection lead at true-northdigital@outlook.com.
What we do — and what we do not do
BookItMalta operates a booking platform. When you enquire about a charter and the operator confirms availability, you pay a €300 booking fee to BookItMalta to secure your date. The charter itself is supplied directly by your chosen partner operator and is a separate contractual and commercial relationship between you and that operator. BookItMalta is the data controller for information you give us during the enquiry-and-booking-fee stage; the operator is the data controller for information you exchange with them about the charter itself.
Personal data we collect
- Enquiry details you submit on a tenant's charter page: name, email, phone, preferred date, alternative dates, party size, tour option, and any free-text message you include.
- Payment information when you pay a booking fee: handled directly by Stripe. We never see or store your card number, CVV, or full bank account details. We receive only a payment confirmation, the amount, the last four digits of your card, and a Stripe customer reference.
- Email correspondence if you reply to any automated booking email — replies go to the operator, with BookItMalta as a fall-back recipient if the operator's mailbox bounces.
- Website interactions: standard server logs (IP address, user agent, request timestamps) retained for up to 30 days for security and debugging.
- Usage analytics via Microsoft Clarity: anonymised session recordings and heatmaps showing how visitors navigate the site — page views, clicks, scrolls, and general device and browser information. Clarity automatically masks text entered into forms and other sensitive content. Clarity loads only after you accept analytics cookies via our consent banner; if you decline, it never runs and sets no cookies. You can change your choice at any time using the "Cookie settings" link in the footer. We use this only to understand and improve how the site works.
- Advertising measurement via the Meta pixel: when you accept cookies, a small Meta (Facebook) script measures actions you take after arriving from our ads — such as page views and submitting an enquiry — so we can see which ads work and show relevant ads to people like you (retargeting). It shares limited interaction data with Meta. The Meta pixel loads only after you accept via our consent banner; if you decline, it never runs and sets no advertising cookies. You can change your choice any time via "Cookie settings" in the footer.
Why we use your data
- To deliver the booking service (contractual necessity): pass your enquiry to the operator, send you confirmation and payment-link emails, process your €300 booking fee, and issue your booking-fee receipt.
- Legal compliance: maintain accounting and VAT records (Malta CFR), and respond to lawful requests from authorities.
- Security and fraud prevention: detect spam enquiries, prevent abuse, and verify Stripe payment signatures.
Who receives your data
We use the following processors, each engaged under a Data Processing Agreement that complies with GDPR:
- Supabase (EU data centre): stores enquiry records, booking records, and operator notes in a database isolated per operator (tenant).
- Stripe (Ireland/EU): processes the €300 booking-fee payment and issues the payment confirmation. Stripe's privacy policy applies to your card data.
- Resend (Delaware/USA): sends transactional emails (enquiry acknowledgement, payment link, booking confirmation). Email content is transmitted via Resend's SMTP infrastructure under EU Standard Contractual Clauses.
- Vercel (Frankfurt/EU primary): hosts the website and serverless functions that handle enquiry submission and webhooks.
- Microsoft Clarity (Microsoft Corporation, USA): provides website analytics — session recordings and heatmaps — so we can see how visitors use the site. Clarity collects usage and device data and masks form inputs by default. Microsoft's privacy statement governs the data it processes.
- Meta Platforms (Meta Platforms Ireland / USA): provides the Meta pixel for advertising measurement and retargeting. When you consent, it receives limited data about your interactions on the site (such as page views and enquiry submissions) associated with Meta cookies. Meta's Data Policy governs how it processes this data, and it runs only with your consent.
- The charter operator you are booking with: receives your name, email, phone, charter date, party size, and message so they can confirm availability and contact you about the charter itself.
We do not sell your data. With your consent, we use the Meta pixel for advertising measurement and retargeting, which shares limited site-interaction data with Meta (an advertising platform); if you decline cookies, no data is shared for advertising. We do not share your data with any other marketing or advertising networks.
International transfers
When data leaves the EU/EEA (Stripe and Resend operate partly from the US, and Microsoft Clarity and the Meta pixel are provided from the US), we rely on the European Commission's Standard Contractual Clauses and the recipient's supplementary safeguards. Copies of the relevant clauses are available on request.
How long we keep your data
- Enquiry records (no booking placed): up to 24 months from the enquiry date.
- Booking records and booking-fee receipts: at least 10 years to meet Malta tax and accounting obligations (Article 50, Income Tax Management Act).
- Server logs: up to 30 days.
- Email delivery logs (Resend): up to 90 days.
- Clarity analytics (session recordings and heatmaps): retained by Microsoft Clarity for up to 30 days.
- Meta pixel advertising data: retained by Meta in line with its data-retention policy (custom-audience data generally up to 24 months); you can manage this via your Meta ad preferences.
Your privacy rights
If you are in the EU/EEA or UK you have the right to:
- Access the personal data we hold about you.
- Request corrections of inaccurate or incomplete information.
- Request deletion or restriction of your data in certain circumstances (note that bookkeeping obligations may prevent full deletion of booking-fee receipts for 10 years).
- Object to processing carried out under legitimate interests.
- Request a copy of your data in a portable format.
- Lodge a complaint with the Office of the Information and Data Protection Commissioner (IDPC) in Malta.
Send requests to true-northdigital@outlook.com. We respond within one month and may ask for proof of identity before sharing information.
How we protect your data
- HTTPS encryption across the entire site, with forced redirects to secure pages.
- Per-operator data isolation: each tenant's enquiries and bookings live in a separate Supabase project with row-level security enabled.
- Role-based access to booking records, restricted to BookItMalta's operational team.
- Routine patching of dependencies and monitoring for unusual traffic.
Updates to this policy
We update this policy when we add new processors, change suppliers, or need to comply with law. Significant changes will be communicated by email to confirmed booking-fee payers and via the website footer.
Questions? Email true-northdigital@outlook.com. See also our Terms & Conditions.