Privacy Policy
How VisitMalta.co.uk collects, uses and protects your personal data under UK GDPR and the Data Protection Act 2018.
Last updated: 11 May 2026
1. Who we are
VisitMalta.co.uk is an independently managed travel and destination platform operated by Visit Travel Group ("VTG", "we", "our", "us").
This website operates with the endorsement of KM Malta Airlines Ltd and the Malta Tourism Authority ("MTA"). However, VisitMalta.co.uk is not the official website of the Malta Tourism Authority or KM Malta Airlines Ltd.
Package holidays and travel products featured on this website are organised and fulfilled by TripX Ltd, an ATOL-registered travel company.
2. What personal data we collect
We only collect data that is strictly necessary to run a useful editorial travel website and to handle the enquiries you choose to send us. Specifically:
- Contact form submissions — name, email address, telephone (optional), and the content of your message.
- Newsletter sign-ups (if you opt in) — email address and consent record.
- Cookie preferences — a small record of which cookie categories you have accepted or declined.
- Analytics — aggregated, IP-truncated visitor analytics via our hosting provider (Vercel). We do not run Google Analytics, Facebook Pixel or any cross-site tracking by default.
- Ask Malta AI — the text of the question you ask, a temporary session ID and basic technical metadata (user agent, timestamp) so we can answer reliably and prevent abuse. We do not link AI conversations to your identity.
- Affiliate-referred bookings — when you click a “Book Your Holiday” link, you leave our site and book directly with our package partner TripX Ltd or with KM Malta Airlines. They become the data controller from that point and apply their own privacy notices.
3. Why we process your data (lawful basis)
- Performance of contract — when you submit an enquiry, we use your details to reply to it.
- Legitimate interests — to run secure infrastructure, prevent abuse, improve our editorial coverage, and maintain aggregated analytics. We have balanced these interests against your rights and consider them proportionate.
- Consent — non-essential cookies, marketing emails and any optional analytics extensions. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation — where we are required to retain records for accounting, fraud prevention or to respond to lawful authority requests.
4. Who we share your data with
We share data only with the small number of processors we need to deliver the site:
- Vercel — web hosting and server logs.
- TripX Ltd — only if you click through to book a holiday package; they receive only the booking data you provide on their site, not data from ours.
- KM Malta Airlines — only if you click through to their booking flow.
- Email service provider — used to deliver replies and newsletters where applicable.
We do not sell, rent or trade personal data. We do not use behavioural advertising networks. We will never share your data with third parties for their own marketing without explicit consent.
5. International transfers
Where any processor operates servers outside the United Kingdom, transfers are governed by the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision. We perform a transfer risk assessment for each processor.
6. How long we keep your data
- Enquiry messages: 24 months, then permanently deleted.
- Marketing consent records: until withdrawn + 2 years for audit.
- Aggregated analytics: 14 months.
- Cookie preferences: 12 months, then re-prompted.
- Ask Malta AI logs: 30 days, retained only for abuse-prevention; anonymised.
- Accounting / tax records: 7 years as required by HMRC.
7. Your rights as a UK data subject
Under UK GDPR you have the right to:
- access the personal data we hold about you,
- correct inaccurate data,
- request erasure where there is no overriding lawful basis to keep it,
- restrict or object to processing,
- data portability,
- withdraw consent at any time, and
- complain to the Information Commissioner’s Office (ico.org.uk).
To exercise any of these rights, email privacy@visitmalta.co.uk. We will respond within one calendar month.
8. Cookies
We use a minimal cookie set. See our Cookie Policy for the full breakdown by category, purpose and retention.
9. Security
Data is encrypted in transit (TLS 1.2+) and at rest with our processors. Administrative access is two-factor protected. We review access logs and run vulnerability monitoring on our hosting infrastructure.
10. Changes to this notice
We will update this notice when our processing changes. The “Last updated” date at the top reflects the latest version. Material changes will be communicated by a site-wide notice.
11. Contact
Data protection enquiries: privacy@visitmalta.co.uk
Visit Travel Group Limited — United Kingdom.