Privacy Policy

Xalata - xalata.com

Effective Date: 2026-05-12 | Version: 1.0

Table of Contents

1. Who We Are
2. Legal Framework
3. Legal Bases for Processing
4. Personal Data We Collect
5. How We Use Your Data
6. Owner Contact Details and Lead Data
7. Cookies and Browser Storage
8. Data Sharing
9. International Transfers
10. Data Retention
11. Your Rights
12. Security
13. Children
14. Automated Decision-Making
15. Phone Numbers and Communications Privacy
16. Changes to this Policy
17. Contact

1. Who We Are

Data Controller: Xalata, established in Malta.

Contact: Available via the Contact Us page at xalata.com.

We operate a digital property platform focused on Malta and Gozo, including listing, search, membership contact access, and estate-agent onboarding and lead-sharing features. Where intermediation features are provided, they are provided only to the extent lawfully permitted and, where required, through duly licensed or authorised persons.

This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our website, messaging services, and related features (the "Platform"). It should be read together with our Terms of Service and Cookie Policy.

2. Legal Framework

We process personal data in accordance with:

• the General Data Protection Regulation (EU) 2016/679 ("GDPR");
• the Data Protection Act (Chapter 586 of the Laws of Malta); and
• applicable subsidiary legislation and guidance issued by the Information and Data Protection Commissioner ("IDPC").

3. Legal Bases for Processing

Depending on the activity, we rely on the following legal bases under Article 6(1) of the GDPR:

• Contract (Article 6(1)(b)): account creation, authentication, profile management, subscription administration, service delivery, and communications necessary to perform our agreement with you.
• Legitimate interests (Article 6(1)(f)): fraud prevention, security, abuse detection, platform moderation, service improvement, audit logging, and protection of our rights and the rights of other users.
• Consent (Article 6(1)(a)): for specific processing activities where consent is required, including certain messaging interactions and optional data sharing (such as sharing search preferences with estate agents). You may withdraw consent at any time.
• Legal obligation (Article 6(1)(c)): where processing is necessary to comply with Maltese or EU law, including responding to lawful requests from authorities.

4. Personal Data We Collect

We collect personal data in the following categories:

4.1 Account and Identity Data

• Mobile telephone number (used as your primary identifier and for login verification);
• Name (first name and last name, where provided);
• Email address;
• Date of birth and gender (where provided);
• Account creation date, last access date, and related timestamps.

4.2 Estate Agent Onboarding Data

If you apply for estate agent access, we additionally collect:

• Licence number (issued under the Property Market Agency Act, Chapter 644);
• Identity document number (ID card or passport);
• Corporate profile URL (optional); and
• Compliance confirmation and submission timestamps.

4.3 Property Search Preferences

• Search criteria (property type, locality, price range, financing status);
• Whether you have opted to share preferences with estate agents.

4.4 Subscription and Billing Data

• Subscription status, plan, and billing cycle;
• Third-party payment processor customer and subscription identifiers;
• Billing event timestamps.

We do not store your full payment card details. These are held by our third-party payment processor.

4.5 Technical and Security Data

• IP address (full and truncated);
• Browser type, version, and operating system;
• Device type (desktop, mobile, tablet);
• User agent string, referrer, and language headers;
• Approximate geographic location derived from your IP address (country, region, and city) obtained via third-party geolocation services during login;
• Session identifiers, CSRF tokens, and device-security cookie tokens.

4.6 Audit and Moderation Data

• Login attempt records (including device, browser, and geolocation metadata);
• Owner contact reveal records (including the listing referenced, timestamp, IP address, and user agent);
• Contact form and abuse report submissions (including name, email, phone, message content, IP address, user agent, and timestamp);
• Content moderation flags and enforcement records; and
• Webhook and billing event records.

4.7 Communications Data

• Messages sent and received through our WhatsApp-based service flows;
• Email verification records and status; and
• Service notifications and administrative messages.

4.8 Property Listing and Sales-Confirmation Data

Where a property is prepared, submitted, or managed through our listing workflow, we may process:

• Owner or company name;
• Listing contact name, mobile number(s), and email address;
• Preferred communication channels;
• Authority basis and authority notes;
• Viewing contact details;
• Listing-source metadata; and
• Confirmation and compliance fields (including lawful-owner or authorised confirmations and related notes).

This may include free-text notes provided by users or staff in connection with listing preparation and publication controls.

5. How We Use Your Data

We use your personal data for the following purposes:

• To create, authenticate, and manage your Account;
• To verify your identity and mobile number through one-time code login;
• To administer your subscription and process billing events;
• To provide membership-gated features, including access to owner contact details;
• To operate the estate agent onboarding, approval, and lead-sharing workflows;
• To collect, verify, and manage listing-contact and authority/compliance information required to prepare, publish, moderate, and administer property listings;
• To send you service communications, including verification codes, account notifications, and status updates;
• To verify your email address;
• To moderate content, detect prohibited material, and enforce our Terms of Service;
• To prevent and detect fraud, abuse, spam, and unauthorised access;
• To maintain security and audit logs;
• To respond to your contact form submissions and abuse reports;
• To comply with legal obligations; and
• To protect our rights, property, and the safety of our users.

6. Owner Contact Details and Lead Data

When a Paying Member accesses owner contact details through the Platform, this constitutes a disclosure of personal data (the property owner's telephone number). We log each disclosure event for audit and compliance purposes.

Recipients as data controllers: When you access owner contact details or lead data through the Platform, you receive personal data for which you become a data controller under the GDPR. You are responsible for handling that data lawfully, including in compliance with the GDPR principles of purpose limitation, data minimisation, and storage limitation.

Lead data (derived from user search preferences shared voluntarily by users who opted in) may be disclosed to approved estate agents. Users may withdraw from lead sharing at any time by editing their search preferences.

7. Cookies and Browser Storage

We use strictly necessary cookies only:

• Session cookie: used for secure login sessions and CSRF protection. This cookie expires when the browser is closed.
• Persistent device-security cookie: a random device token used for security controls such as device registration, device-session continuity checks, and forced logout when a device is removed or no longer authorised. This cookie is long-lived (up to approximately one year unless cleared earlier).

These cookies are not used for analytics, advertising, profiling, or behavioural tracking, and are not used to track browsing activity across unrelated websites.

We may use temporary browser-side storage for limited operational purposes during a single session. This data does not persist across sessions or devices.

If we introduce additional non-essential cookies in the future, we will update this Policy and our Cookie Policy and, where required, obtain your consent.

8. Data Sharing

We do not sell or rent your personal data.

We may share personal data in the following circumstances:

8.1 Service Providers

We use trusted third-party service providers to operate the Platform. These providers process personal data on our behalf, under our instructions, and are bound by data processing agreements in accordance with Article 28 of the GDPR. Categories of providers include:

• Payment processing;
• Messaging and communication delivery;
• Email delivery;
• Cloud hosting and content delivery;
• Geolocation services (for approximate location lookup based on IP address during login); and
• Frontend asset delivery.

8.2 Estate Agents

Where you opt to share your search preferences with estate agents, your search criteria and mobile number may be shared with approved estate agents who have active access. This sharing is based on your consent and may be withdrawn at any time.

8.3 Owner Contact Details

Property owner telephone numbers are disclosed to Paying Members through membership features. Owners' contact details are stored in our systems and shared only in this context.

8.4 Legal and Regulatory

We may disclose personal data where required by law, regulation, court order, or lawful request from a competent authority, including law enforcement, the IDPC, or the Malta Communications Authority.

9. International Transfers

Some of our service providers may process personal data outside the European Economic Area ("EEA"). Where this occurs, we ensure that appropriate safeguards are in place in accordance with Articles 44-49 of the GDPR, which may include:

• EU adequacy decisions;
• Standard Contractual Clauses approved by the European Commission; or
• Other appropriate safeguards recognised under the GDPR.

10. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law. Our general retention periods are:

Data Category	Retention Period
Account data	Lifetime of your account plus up to 24 months after closure or last activity
Estate agent onboarding data	Lifetime of your account plus up to 24 months; identity document numbers deleted earlier where no longer needed
Subscription and billing records	Duration of the subscription plus the period required for financial and tax record-keeping under Maltese law
Property listings and images	While active, plus up to 12 months after removal or deletion
Property listing-contact and sales-confirmation metadata	While the related listing or account remains active, plus up to 24 months after removal or closure, unless longer retention is required for legal, regulatory, or dispute purposes
Owner contact reveal logs	Up to 24 months
Login attempt and security logs	Up to 12 months
Contact form and abuse report records	Up to 12 months
Moderation and enforcement records	Up to 12 months
Technical logs	Up to 180 days
Backups	Rolling basis, typically no longer than 35 days
Webhook and billing event records	Up to 24 months

Where data is subject to a legal hold, investigation, or dispute, we may retain it beyond the periods above as necessary.

11. Your Rights

Under the GDPR, you have the following rights in relation to your personal data:

• Access (Article 15): the right to obtain confirmation of whether your data is being processed and to receive a copy of it.
• Rectification (Article 16): the right to have inaccurate data corrected or incomplete data completed.
• Erasure (Article 17): the right to request deletion of your data where it is no longer necessary, where consent is withdrawn, or where processing is unlawful.
• Restriction (Article 18): the right to request that we limit the processing of your data in certain circumstances.
• Data portability (Article 20): the right to receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.
• Objection (Article 21): the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
• Withdrawal of consent (Article 7(3)): where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

How to exercise your rights: Please contact us via the Contact Us page on the Platform. We may need to verify your identity before processing your request. We will respond within one month, or inform you if an extension is necessary.

Right to lodge a complaint: You may lodge a complaint with the Information and Data Protection Commissioner (IDPC), 2, Airways House, High Street, Sliema SLM 1549, Malta, or with the supervisory authority in your Member State of habitual residence.

12. Security

We apply technical and organisational measures to protect your personal data, including access controls, encryption in transit, secure session management, and monitoring. However, no system is completely secure, and we cannot guarantee absolute security.

You are responsible for protecting your own devices, mobile number, and account credentials, and for reporting any suspected unauthorised access to us promptly.

13. Children

The Platform is intended for persons aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe that a person under 18 has used the Platform, please contact us so that we can delete the relevant data.

14. Automated Decision-Making

We may use automated tools for content moderation, including detection of prohibited images and non-compliant content. These tools may result in the automatic removal of content. Such moderation is carried out on the basis of our legitimate interests in maintaining a safe and lawful platform.

We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you, except where permitted by law.

15. Phone Numbers and Communications Privacy

We do not publicly display your phone number on property listings. Your mobile number is used as your account identifier and for login verification. Communication with users is facilitated through our messaging infrastructure.

Owner telephone numbers are disclosed only to Paying Members through the contact reveal feature and are not publicly visible on the Platform.

16. Changes to this Policy

We may update this Privacy Policy from time to time. Updates will be posted on the Platform with a revised effective date. Where a change is material, we will use reasonable efforts to bring it to your attention. Your continued use of the Platform after the effective date of a revised Policy constitutes acknowledgement of the updated terms.

17. Contact

For questions, data-protection requests, or complaints regarding this Privacy Policy, please contact us via the Contact Us page at xalata.com.

Last updated: 2026-05-12. Version: 1.0.