PRIVACY POLICY
Last updated: 12/02/2026
1. Who we are (Controller)
This Privacy Policy explains how Ekselera Ventures Ltd processes personal data when you interact with our Websites and, where relevant, our business operations.
Controller contact details
- Legal name: Ekselera Ltd
- Address: Fl 4, Palm Crt Blk A, Triq it-Torri, Munxar, Gozo, Malta
- Email: [email protected]
Data Protection Officer (DPO): We will appoint a DPO if required. If we have not appointed a DPO, you may contact us using the details above.
2. When we act as Processor
If you are a Customer using any of our software, Ekselera Ventures generally processes Customer Data (including personal data contained in uploaded documents) as a Processor on the Customer’s instructions. In that context:
- the Customer is typically the Controller;
- our processing is governed by a Data Processing Addendum (DPA);
- if you are an end-client of a Customer, you should direct rights requests to the Customer first (we will assist them where required).
This Privacy Policy mainly covers processing where Ekselera Ventures is the Controller.
3. Personal data we collect (as Controller)
We may collect the following categories:
- Contact and identity data: name, surname, business name, job title, email, phone.
- Enquiry and form data: information you submit in demo requests, contact forms, or messages.
- Marketing preferences: newsletter subscriptions, opt-in/opt-out status.
- Business relationship data: contract details, billing contact details, invoices, payment status.
- Communications: emails, support enquiries (where we act as Controller), call notes.
- Technical and usage data: IP address, device/browser info, log files, approximate location, page interactions.
- Cookie and tracking data: where enabled via consent (see Cookie Policy).
4. Purposes and legal bases
We process personal data for these purposes and legal bases:
- Responding to enquiries / demo requests — legitimate interests (Article 6(1)(f)) and/or steps prior to entering a contract (Article 6(1)(b)).
- Providing services to Customers (account admin, billing, service communications) — contract (Article 6(1)(b)) and legal obligation (Article 6(1)(c)) for accounting/tax.
- Website operation and security (fraud prevention, abuse detection, performance) — legitimate interests (Article 6(1)(f)).
- Marketing communications — consent where required (Article 6(1)(a)) and/or legitimate interests for B2B relationship marketing where permitted (Article 6(1)(f)), with opt-out.
- Analytics and improvement — consent where required for cookies/trackers (Article 6(1)(a)) or legitimate interests where strictly necessary and permitted.
5. Recipients of personal data
We may share personal data with:
- hosting and infrastructure providers;
- email and communications providers;
- analytics providers (only with your consent, where required);
- CRM and sales tools;
- customer support tools;
- payment providers and banks;
- professional advisers (legal/accounting);
- authorities where required by law.
We limit sharing to what is necessary and require appropriate contractual protections.
6. International transfers
We may transfer personal data outside the EEA where a supplier or support operation is located outside the EEA. Where this happens, we rely on appropriate safeguards such as:
- adequacy decisions (where applicable); and/or
- Standard Contractual Clauses (SCCs) and supplementary measures, as appropriate.
7. Data retention
We keep personal data only as long as necessary:
- Enquiries/leads: typically up to 24 months from last interaction (unless you become a Customer).
- Customer records and billing: typically 7–10 years to comply with legal obligations.
- Security logs: typically 6–12 months (unless needed to investigate incidents).
- Marketing lists: until you unsubscribe/opt out, plus a suppression record to respect your preferences.
Exact retention may vary depending on legal requirements and operational needs.
8. Your rights
You may have the right to:
- access your personal data;
- rectify inaccurate data;
- erase data (in certain cases);
- restrict processing;
- object to processing (including direct marketing);
- data portability (where applicable);
- withdraw consent at any time (where processing is based on consent).
To exercise rights, contact [[email protected]]. We may need to verify your identity.
9. Complaints
You have the right to lodge a complaint with Malta’s supervisory authority, the Information and Data Protection Commissioner (IDPC).
10. Security
We implement appropriate technical and organisational measures designed to protect personal data, such as access controls, encryption in transit where applicable, logging/monitoring, backups, and least-privilege practices. No system is perfectly secure; if you suspect an issue, contact us promptly.
11. Children
Our Websites and Services are not intended for children, and we do not knowingly collect children’s personal data.
12. Automated decision-making
We do not typically carry out automated decision-making producing legal or similarly significant effects. If we introduce this, we will update this Policy.
13. Updates
We may update this Privacy Policy from time to time. The “Last updated” date will change, and material changes may be notified via the Websites or email where appropriate.
DATA PROCESSING ADDENDUM (DPA)
Last updated: 12/02/2026
This DPA forms part of the agreement between:
- Customer (Controller), and
- Ekselera Ventures Ltd. (Processor)
where Ekselera processes personal data on behalf of Customers through the Ziffa Service.
1. Definitions
The terms “personal data”, “processing”, “controller”, “processor” and “supervisory authority” have the meanings given in the GDPR.
2. Scope of processing
2.1 Subject-matter: provision of the Ziffa Service (document collection, file organisation, integrations, storage, access controls, and related support).
2.2 Duration: for the Subscription Term plus any agreed export/retention period, then deletion/return per Clause 10.
2.3 Nature and purpose: hosting, accessing, organising, transmitting, and otherwise processing Customer Data to provide the Service and prevent/resolve service and security issues.
2.4 Types of personal data: may include names, contact details, identification numbers, financial documents, correspondence, and other personal data contained in documents uploaded by Customer.
2.5 Categories of data subjects: Customer’s clients, prospects, employees, contractors, and other individuals whose data is included in Customer Data.
Annex 1 (Processing Details) may be used to specify Customer’s exact data categories and instructions.
3. Processor obligations
Ekselera Ventures will:
a) process personal data only on documented instructions from Customer (including as set out in the agreement and this DPA);
b) ensure persons authorised to process personal data are bound by confidentiality;
c) implement appropriate technical and organisational measures consistent with GDPR Article 32;
d) respect conditions for engaging Sub-processors (Clause 5);
e) assist Customer with data subject requests (Clause 7);
f) assist Customer with security, breach notifications, DPIAs, and consultations where required (Clause 8);
g) maintain records of processing as required;
h) delete or return personal data at end of services (Clause 10);
i) make available information necessary to demonstrate compliance and allow for audits under Clause 9.
4. Customer obligations
Customer warrants that:
a) it has a lawful basis to process and provide personal data to Ekselera;
b) its instructions comply with GDPR and other applicable laws;
c) it will not instruct Ekselera to process personal data in a way that violates law;
d) it will manage authorisations and access responsibly (users, roles, credentials).
5. Security measures
Ekselera will implement appropriate technical and organisational measures, which may include (as appropriate):
- access control and least privilege;
- encryption in transit and, where appropriate, at rest;
- logging and monitoring;
- backup and recovery;
- vulnerability management;
- segregation of environments;
- incident response procedures.
Details may be listed in Annex 2 (Security Measures).
6. Assistance with data subject rights
Taking into account the nature of processing, Ekselera will assist Customer by appropriate technical and organisational measures to respond to requests for access, rectification, erasure, restriction, objection, and portability, to the extent Customer cannot do so independently.
7. Personal data breaches
8.1 Ekselera will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data.
8.2 The notification will include available information reasonably required for Customer to meet its obligations (nature of breach, likely consequences, measures taken/proposed), as information becomes available.
8.3 Ekselera will cooperate with Customer’s reasonable breach-response steps.
8. Audits and compliance information
Customer may audit Ekselera’s compliance:
- no more than once per year unless there is a substantiated incident;
- with reasonable notice;
- during normal business hours;
- subject to confidentiality and security constraints.
Ekselera may satisfy audit requests by providing relevant third-party reports/certifications where available, and will not be required to disclose information that would compromise security or reveal other customers’ confidential data.
9. Return and deletion
At termination/expiry and upon Customer request, Ekselera will:
- provide a reasonable export of Customer Data; and
- delete Customer Data after [30–90] days, unless retention is required by law or agreed for backup/recovery purposes for a limited period.
10. Cross-border transfers
If processing involves transfers outside the EEA, Ekselera will implement an appropriate transfer mechanism (e.g., SCCs) and supplementary measures where necessary.
11. Liability
Liability under this DPA follows the liability provisions in the main agreement/SaaS Terms, except where prohibited by law.
COOKIE POLICY
Last updated: 12/02/2026
1. What cookies are
Cookies are small text files placed on your device when you visit a website. Similar technologies (like pixels and local storage) may be used for similar purposes; we refer to these together as “cookies”.
2. Types of cookies we use
We use the following categories:
- Strictly necessary cookies
These are required to operate the Websites securely and reliably (e.g., security, load balancing, consent settings). These do not require consent.
- Analytics cookies (optional)
These help us understand how visitors use the Websites (e.g., pages visited, time on site) so we can improve performance and content. These are only set with your consent where required.
- Marketing cookies (optional)
These may be used to measure ad effectiveness or personalise marketing. These are only set with your consent where required.
3. Legal basis and consent
- Strictly necessary cookies are used based on our legitimate interests in operating a secure, functional website.
- Analytics and marketing cookies are used only where you provide consent, and you can withdraw consent at any time.
Malta’s IDPC has published specific cookie consent expectations; your implementation should follow an opt-in model for non-essential cookies.
4. Managing cookies
You can manage cookie preferences at any time via “Cookie Settings” on the Website. You can also control cookies through your browser settings, although blocking strictly necessary cookies may impact functionality.
5. Cookie list
We maintain a cookie list describing cookies, providers, purposes, and lifetimes. This list is presented through our cookie consent tool and may change over time.
Cookie list location: [Google Analytics]