Privacy Policy — PreBookmt
Last updated: 2026-05-14
This Privacy Policy explains how PreBookmt ("we", "us", "the Service") collects, uses, and protects your personal information when you use our mobile application and website. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and the Maltese Data Protection Act (Chapter 586 of the Laws of Malta).
1. Who we are (Data Controller)
PreBookmt is operated by:
- Legal name: Justin Azzopardi, trading as PreBookmt (sole trader)
- Registered address: Bellevue, Triq il-Merkanti, Ghajnsielem GSM 1951, Gozo
- Malta VAT number: MT32819405
- Contact email: privacy@prebookmt.com
- Country of establishment: Malta
For the purposes of GDPR, Justin Azzopardi (t/a PreBookmt) is the Data Controller for personal data processed through the PreBookmt mobile application and website (prebookmt.com).
If you are a business owner using PreBookmt to manage bookings with your own customers, PreBookmt acts as a Data Processor in respect of the personal data of your customers; you remain the Data Controller for that data.
2. Information we collect
2.1 Information you provide
- Account information — full name, email, password (stored hashed), phone number (optional, defaults to Malta +356)
- Profile information — preferred language, profile photo (optional)
- Business information (for business owners) — business name, registered address, opening hours, services, gallery photos, staff names and photos, location data for multi-location businesses
- Booking and order data — services booked, times, special requests, custom-question answers
- Messages — conversations between customers and businesses
- Reviews — ratings and written feedback you post about businesses, optionally tagged to a specific location
2.2 Information collected automatically
- Device information — device type, operating system, app version, time zone
- Usage data — screens viewed, features used, time spent (collected via PostHog, EU region)
- Crash reports and diagnostic data — error logs, stack traces (collected via Sentry, EU region)
- Push notification tokens — Expo Push token, used solely for sending notifications
- Location — only if you grant permission; used to surface nearby businesses in search results. Approximate location only; we do not track precise location continuously.
- IP address — used transiently for rate-limiting, fraud prevention, and to comply with security obligations
2.3 Information from third parties
- Stripe — for subscription payments by business owners, we receive transaction confirmations, the last 4 digits of the card, the card brand, and the billing country. We never receive or store full card numbers.
- Apple / Google — when you sign in via App Store or Play Store, we may receive the account identifier and email associated with your store account.
3. How we use your information
We process your data to:
- Provide and improve the booking, messaging, and discovery features
- Process subscription payments for business owners
- Send transactional notifications (booking confirmations, reminders, payment receipts)
- Send marketing communications (only if you opt in; opt-out is one click in every email)
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations including tax, accounting, and consumer-protection law in Malta and the EU
- Respond to legal requests and enforce our Terms of Service
4. Legal basis for processing (GDPR Article 6)
We rely on the following lawful bases:
| Activity | Lawful basis |
|---|---|
| Creating and operating your account; processing bookings; processing subscription payments | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (booking confirmation, payment receipts, password resets) | Performance of a contract (Art. 6(1)(b)) |
| Sending marketing emails or push notifications | Consent (Art. 6(1)(a)) — you can withdraw consent at any time |
| Fraud detection, security monitoring, product analytics | Legitimate interest (Art. 6(1)(f)) — to keep the platform safe and improve it |
| Retaining transaction records for 7 years | Legal obligation (Art. 6(1)(c)) — Maltese tax and accounting law |
| Cooperating with valid legal requests from law enforcement | Legal obligation (Art. 6(1)(c)) |
5. Who we share your data with (Sub-processors)
We share data only with the following sub-processors, each subject to a Data Processing Agreement and appropriate safeguards:
| Sub-processor | Purpose | Region | Privacy Policy |
|---|---|---|---|
| Supabase | Database hosting, authentication, file storage | EU | https://supabase.com/privacy |
| Stripe | Subscription payment processing | EU + global (SCCs in place) | https://stripe.com/privacy |
| Expo (Expo Push Service) | Delivery of push notifications | US (SCCs in place) | https://expo.dev/privacy |
| PostHog | Anonymised product analytics | EU (eu.i.posthog.com) | https://posthog.com/privacy |
| Sentry | Error and crash monitoring | EU | https://sentry.io/privacy |
| Resend | Transactional email delivery | EU + US (SCCs in place) | https://resend.com/legal/privacy-policy |
| Cloudflare | DNS, CDN, email routing for prebookmt.com | EU + global (SCCs in place) | https://www.cloudflare.com/privacypolicy |
| Vercel | Hosting for prebookmt.com marketing site | EU + global (SCCs in place) | https://vercel.com/legal/privacy-policy |
| Apple, Google | App Store / Play Store distribution and in-app updates | Global (SCCs in place where applicable) | https://www.apple.com/legal/privacy, https://policies.google.com/privacy |
We do not sell your data to advertisers or any third party. We may disclose data to third parties only:
- When required to comply with law, regulation, or valid legal process
- To protect the rights, property, or safety of PreBookmt, our users, or the public
- In connection with a merger, acquisition, or sale of business assets — in which case we will give you advance notice and the opportunity to delete your account
6. Data retention
| Data category | Retention period |
|---|---|
| Account profile data (name, email, phone) | While account is active. Deleted within 30 days of an account deletion request. |
| Business listings, services, gallery photos, staff records, locations | While the business account is active. Deleted within 30 days of account deletion or business deletion. |
| Bookings, payments, invoices, subscription records | 7 years after creation, for Maltese tax and accounting compliance (Income Tax Management Act, VAT Act) — retained in pseudonymised form after account deletion. |
| Messages between customers and businesses | Deleted within 30 days of either party's account deletion. |
| Reviews | Retained while the reviewed business exists. The original reviewer's identity is anonymised after the reviewer deletes their account. |
| Push notification tokens | Deleted on logout or token expiry. |
| Crash reports (Sentry) | 90 days |
| Product analytics (PostHog) | 13 months |
| Email logs (Resend) | 30 days |
| Rate-limit logs | 7 days |
After account deletion, certain records (subscription invoices, booking financial data) are retained in pseudonymised form for the 7-year period above. Identifiable personal data fields are nulled or hashed.
7. Your rights under GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectify — correct inaccurate or incomplete data (most fields are user-editable in the app)
- Erase ("right to be forgotten") — delete your account using the in-app "Delete account" option in Settings, or by emailing us. We will action your request within 30 days, subject to the legal retention obligations in Section 6.
- Restrict — restrict processing in certain circumstances
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interest or for direct marketing
- Withdraw consent — for any processing based on consent, at any time
- Lodge a complaint with the supervisory authority:
Information and Data Protection Commissioner
Level 2, Airways House, Triq Il-Kbira HMR 1100, Floriana, Malta
Tel: (+356) 2328 7100
https://idpc.org.mt
To exercise any of these rights, email us at privacy@prebookmt.com. We will respond within 30 days as required by GDPR.
8. International transfers
Some of our sub-processors (Stripe, Expo, Resend, Cloudflare, Vercel, Apple, Google) may process data outside the European Economic Area. Where they do, we rely on:
- The European Commission's Standard Contractual Clauses (SCCs), and/or
- Adequacy decisions where applicable, and/or
- Other safeguards as permitted under Chapter V of the GDPR.
You may request a copy of the relevant safeguards by emailing privacy@prebookmt.com.
9. Security
We use industry-standard technical and organisational measures:
- HTTPS in transit (TLS 1.2+)
- AES-256 encryption at rest (provided by Supabase)
- Row-Level Security (RLS) policies on every database table containing personal data
- Hashed and salted passwords (managed by Supabase Auth)
- Rate-limiting on authentication and sensitive endpoints
- Two-factor authentication (TOTP) available on every account; required for business owner accounts handling subscriptions
- Webhook signature verification on all Stripe events
- Principle-of-least-privilege access to production systems (currently sole-developer)
No system is 100% secure. Please use a strong, unique password and enable two-factor authentication.
10. Data breach notification
If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the Information and Data Protection Commissioner within 72 hours as required by GDPR Article 33. Where the risk is high, we will notify you directly without undue delay (GDPR Article 34).
11. Children's privacy
PreBookmt is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has registered, contact us at privacy@prebookmt.com and we will delete the account.
12. Cookies and similar technologies
Mobile application
The PreBookmt mobile app does not use HTTP cookies. It uses local device storage (AsyncStorage) to persist your session token, language preference, and other essential settings.
Website (prebookmt.com)
The PreBookmt website uses:
- Essential cookies — required for the website to function (session, security, language)
- Analytics cookies — provided by PostHog (EU region) to understand how visitors use the site. These are loaded only after you consent via the cookie banner displayed on first visit.
You can withdraw your consent at any time by clicking "Cookie preferences" in the website footer or clearing cookies in your browser.
For full details see our Cookie Policy.
13. Automated decision-making
We do not engage in automated decision-making that produces legal or similarly significant effects on you. Recommendations in the discovery feed (e.g. "businesses near you") are based on simple, transparent criteria (location, business type, ratings) and do not constitute automated decision-making under GDPR Article 22.
14. Changes to this Policy
We may update this Privacy Policy. Material changes will be notified:
- By email to the address registered on your account, and
- Via an in-app banner on next launch
The "Last updated" date at the top of this Policy reflects the most recent revision.
15. Contact
For any privacy-related questions, requests, or complaints:
Email: privacy@prebookmt.com
Postal: Justin Azzopardi t/a PreBookmt, Bellevue, Triq il-Merkanti, Ghajnsielem GSM 1951, Gozo, Malta
For data-protection complaints you may also contact the Information and Data Protection Commissioner of Malta (see Section 7 above).