Privacy Policy
How Mediterra Ltd collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and the Malta Data Protection Act (Chapter 586).
Privacy Policy
Last updated: 27 April 2026
This Privacy Policy explains how Mediterra Ltd (“we”, “us”, “our”) collects, uses, stores, and protects personal data in connection with our website at mediterra.ltd (the “Site”). It is written in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Act (Chapter 586 of the Laws of Malta).
We are committed to handling your personal data transparently and lawfully. Please read this policy carefully.
1. Data Controller
The data controller responsible for your personal data is:
Cuddly Times Ltd (trading as Mediterra)
Ta Paris Court
Triq Censu Costa
Birkirkara, Malta
Email: privacy@mediterra.ltd
Website: https://mediterra.ltd/
If you have any questions about how we process your personal data, please contact us at the address above.
2. What Data We Collect and How
We collect personal data in the following ways:
a) Contact enquiries
When you submit a message via our contact form or send us an email, we collect your name, email address, and any information you include in your message. This data is used solely to respond to your enquiry.
b) Server and access logs
Our web hosting provider automatically records technical data when you visit the Site, including your IP address, browser type and version, operating system, referring URL, pages visited, and the date and time of your request. This data is used for security, fraud prevention, and diagnosing technical issues.
c) Cookies and similar technologies
We use cookies and similar tracking technologies on our Site. Please see Section 7 (Cookies) for full details.
d) Marketing communications (if applicable)
If you subscribe to our newsletter or opt in to receive updates from us, we will collect your email address and, where provided, your name. You may unsubscribe at any time using the link included in every communication.
We do not knowingly collect personal data from children under the age of 16. If you believe we have inadvertently collected such data, please contact us immediately so we can delete it.
3. Lawful Basis for Processing
Under Article 6 of the GDPR, we rely on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Responding to contact enquiries | Legitimate interests (Art. 6(1)(f)) — to respond to communications addressed to us |
| Server and security logs | Legitimate interests (Art. 6(1)(f)) — to maintain the security and integrity of the Site |
| Sending marketing communications | Consent (Art. 6(1)(a)) — only where you have explicitly opted in |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms.
4. How We Use Your Data
We use your personal data for the following purposes:
- To respond to your enquiries and provide customer support
- To operate and improve the Site
- To ensure the security and proper functioning of our systems
- To send you marketing or product updates, where you have consented
- To comply with applicable law and legal obligations
- To defend or exercise legal claims where necessary
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
5. Data Sharing and Third Parties
We may share your personal data with:
a) Hosting and infrastructure providers
Our Site is hosted on third-party infrastructure. Hosting providers process access log data on our behalf as data processors under appropriate data processing agreements.
b) Email and communication services
If we use a third-party platform to manage email communications, that provider processes your email address on our behalf.
c) Analytics providers
If analytics software is in use on the Site, it may process anonymised or pseudonymised data about Site usage. Where personal data is involved, it is processed under a data processing agreement.
d) Legal and regulatory authorities
We may disclose your data to law enforcement, courts, or regulatory authorities where required by law or to protect our legal rights.
All third-party processors are required to handle your data in compliance with the GDPR and are bound by contractual obligations to maintain appropriate security measures.
6. International Data Transfers
Where personal data is transferred to countries outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards may include Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other appropriate transfer mechanisms.
7. Cookies
We use cookies — small text files stored on your device — to help the Site function and, where applicable, to understand how it is used.
Types of cookies we use:
| Cookie Type | Purpose | Retention |
|---|---|---|
| Strictly necessary | Required for core Site functionality (e.g., session management) | Session or up to 12 months |
| Analytics / performance | Helps us understand how visitors interact with the Site (e.g., pages viewed, referral source). Data is anonymised or pseudonymised where possible. | Up to 13 months |
| Preference | Remembers choices you make (e.g., language or display settings) | Up to 12 months |
Your choices:
When you first visit the Site, you will be informed about our use of cookies. You may accept or decline non-essential cookies. You can also manage or delete cookies at any time through your browser settings. Note that disabling certain cookies may affect the functionality of the Site.
For more information on managing cookies, visit www.aboutcookies.org.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Contact enquiries (email / form) | Up to 3 years from last contact |
| Server and access logs | Up to 12 months |
| Marketing email list | Until you unsubscribe or withdraw consent |
| Legal / compliance records | As required by applicable law (up to 10 years where legally required) |
When data is no longer needed, we securely delete or anonymise it.
9. Your Rights
Under the GDPR and the Malta Data Protection Act (Chapter 586), you have the following rights in relation to your personal data:
- Right of access (Art. 15 GDPR): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You may request that we correct inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): You may request that we delete your personal data in certain circumstances (“right to be forgotten”).
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict how we use your data in certain circumstances.
- Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract, you may request your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
- Right to withdraw consent: Where we rely on consent as the lawful basis, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at privacy@mediterra.ltd. We will respond within one calendar month of receiving your request, as required by Article 12 of the GDPR. In complex or multiple requests, this period may be extended by a further two months; we will notify you if this is the case.
We will not charge a fee for reasonable requests but reserve the right to charge a reasonable administrative fee, or to refuse, manifestly unfounded or excessive requests.
10. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the supervisory authority in Malta:
Office of the Information and Data Protection Commissioner (IDPC)
Level 2, Airways House
High Street, Sliema SLM 1549, Malta
Tel: +356 2328 7100
Email: idpc.info@idpc.org.mt
Website: https://idpc.org.mt
You may also lodge a complaint with the supervisory authority in the EU member state where you live or work, if different from Malta.
We encourage you to contact us first at privacy@mediterra.ltd so we can try to resolve any concerns directly.
11. Security
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include encrypted communications (HTTPS/TLS), access controls, and regular security reviews.
However, no method of transmission over the internet is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the IDPC within 72 hours in accordance with Article 33 of the GDPR, and will inform affected individuals where required under Article 34.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the services we offer. The “Last updated” date at the top of this page will reflect the most recent revision. Where changes are material, we will take steps to bring them to your attention.
We encourage you to review this policy periodically.
13. Contact Us
For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact:
Cuddly Times Ltd (trading as Mediterra)
Ta Paris Court, Triq Censu Costa, Birkirkara, Malta
Email: privacy@mediterra.ltd
Contact form: mediterra.ltd/contact/