Privacy Policy
Last updated: February 2026
Malta's Garage ("we", "us", "our") is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and Maltese law. This policy explains what data we collect, why, and your rights.
Data controller: Malta's Garage, Malta. For privacy enquiries contact us via the Contact page.
1. What Data We Collect
When you register: name, email address, and password (stored as a secure hash).
When you set up your profile: display name, phone number, location (city), and optional profile photo.
When you sell: pickup address (shown only to the buyer after purchase) and Stripe account details for receiving payments.
When you buy: delivery address, payment information (processed directly by Stripe - we never see or store your card details).
Automatically: IP address, browser type, pages visited, and timestamps - used for security and to improve the service.
2. How We Use Your Data
- To create and manage your account
- To facilitate transactions between buyers and sellers
- To process payments securely via Stripe
- To send order confirmations and status updates
- To resolve disputes and enforce our Terms of Service
- To detect and prevent fraud and abuse
- To comply with legal obligations
3. Legal Basis for Processing
- Contract: processing necessary to fulfil your orders and manage your account
- Legal obligation: tax records, anti-money-laundering checks
- Legitimate interest: fraud prevention, platform security, service improvement
- Consent: marketing emails (you can unsubscribe at any time)
4. Who We Share Data With
We do not sell or rent your personal data to third parties. We share data only where necessary:
- Other users: your display name and city are visible to other users. Your full address is shared only with your buyer/seller after a completed transaction.
- Stripe: payment processing. Stripe is PCI-DSS compliant. See Stripe's Privacy Policy.
- Authorities: if required by Maltese or EU law.
5. Data Retention
We retain your account data for as long as your account is active. Transaction records (orders, payments) are kept for 7 years to comply with Maltese tax law. After account deletion, these records are anonymised and still retained for legal compliance.
When you delete your account, we permanently remove your personal data: email address, password, display name, profile photo, bio, phone number, location, conversations, and notification preferences.
6. Your Rights (GDPR)
As an EU resident you have the right to:
- Access - request a copy of the data we hold about you
- Rectification - correct inaccurate or incomplete data via your Profile
- Erasure - delete your account and personal data via Account Settings ("right to be forgotten")
- Restriction - ask us to limit how we process your data
- Portability - receive your data in a machine-readable format
- Object - opt out of processing based on legitimate interest or direct marketing
To exercise any of these rights, use our Contact page or your Account Settings. You also have the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC) of Malta.
7. Security
We use HTTPS encryption, hashed passwords, and role-based access controls. Payment data is handled entirely by Stripe and never touches our servers. Despite our efforts, no system is 100% secure - please use a strong, unique password for your account.
8. Cookies
We use essential cookies to keep you logged in and protect against cross-site request forgery. See our Cookie Policy for details.
9. Changes to This Policy
We may update this policy from time to time. Significant changes will be communicated by email. The date at the top of this page always reflects the latest version.