Privacy Policy

Last updated: 5 April 2026

1. Who we are (data controller)

pronto.mt is a marketplace that connects clients in Malta with local home-service providers. For the personal data covered by this policy, the data controller under Regulation (EU) 2016/679 (the "GDPR") is the operator of the pronto.mt service. You can reach us, including our data protection contact, at privacy@pronto.mt or through the contact page.

2. What we collect

We only collect what the service needs to function:

  • Account data: name, email address, hashed password, the role(s) you sign up as (client, provider).
  • Profile data: avatar, bio (providers), service categories and the areas of Malta you operate in or request services from.
  • Service data: addresses you save, requests you create or receive, scheduled dates, agreed prices, status changes.
  • Communication: messages exchanged through the platform about a specific request, and any contact form submissions.
  • Payment data: card and bank details are collected and processed by Stripe, not by us. We store only Stripe references (payment intent and transfer IDs), never card numbers or banking credentials.
  • Reviews and reputation: ratings and written feedback you publish after a completed service.
  • Technical data: session cookies required to keep you logged in; minimal server logs for abuse prevention and incident response (IP, timestamp, path).

3. Why we process it and on what legal basis

The legal bases from Article 6 GDPR that we rely on, per processing purpose:

  • Providing the service (creating your account, matching clients and providers, delivering requests, holding and releasing payments, displaying reviews) — Art. 6(1)(b), performance of a contract.
  • Keeping the service safe (rate limiting, fraud detection, abuse investigations, audit logs of sensitive mutations) — Art. 6(1)(f), legitimate interests.
  • Complying with legal obligations (tax, accounting, payment regulation, responding to lawful requests from authorities) — Art. 6(1)(c), legal obligation.
  • Transactional email (confirmations, reminders, security alerts) — Art. 6(1)(b). We do not send marketing email.

4. Who we share data with

We do not sell your personal data. We share it with the processors we need to run the service, each bound by a data processing agreement:

  • Supabase — managed Postgres, authentication, storage. Hosted inside the EU.
  • Stripe (including Stripe Connect) — payment processing, KYC/onboarding of providers, holding funds in escrow until the service is completed. Stripe is the independent controller for card and banking data.
  • Vercel — hosting of the Next.js application and edge infrastructure.

We also disclose data when required to do so by law, court order or to protect the vital interests of a user.

5. International transfers

Our primary infrastructure is in the European Union. Where a processor (for example Stripe) transfers data outside the EEA, the transfer is covered by the European Commission's Standard Contractual Clauses and supplementary safeguards documented in that processor's DPA.

6. How long we keep it

  • Account and profile data: for as long as your account is active, plus 30 days after you request deletion (to close in-flight requests and disputes).
  • Service requests and messages: 2 years after completion, to cover the statutory limitation window for contract disputes in Malta.
  • Payment and invoicing records: 10 years, because that is the retention period required by Maltese accounting and tax law.
  • Audit log of sensitive mutations: 2 years, then anonymised.
  • Server and security logs: 90 days.

7. Your rights under the GDPR

Articles 15–22 of the GDPR give you the following rights over your personal data:

  • Access (Art. 15) — obtain a copy of the data we hold about you.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure (Art. 17) — ask us to delete your account and personal data.
  • Restriction (Art. 18) — ask us to stop processing your data in specific cases.
  • Portability (Art. 20) — receive the data you provided to us in a structured, machine-readable format and, where technically feasible, have it transmitted directly to another controller.
  • Objection (Art. 21) — object to processing based on our legitimate interests (the "keeping the service safe" purposes in section 3).
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal. None of the purposes listed in section 3 currently relies on consent.

You can exercise your access, portability and erasure rights directly from your privacy settings without writing to us. For the other rights, or if something is not working, email privacy@pronto.mt. We respond within one month of receiving your request (Art. 12(3)); for complex or numerous requests that period may be extended by up to two further months, in which case we tell you within the first month.

If you believe we have mishandled your data, you have the right to lodge a complaint with the Maltese data protection authority, the Information and Data Protection Commissioner (IDPC).

8. How we protect your data

We implement the technical and organisational measures required by Art. 32 GDPR, including:

  • TLS for all traffic between your browser, our application and our processors.
  • Row-level security in our database, so that every query is scoped to the records the signed-in user is entitled to see.
  • Passwords stored only as hashes produced by a modern password-hashing algorithm, never in plain text.
  • A check of new passwords against the Have I Been Pwned breach corpus on sign-up, so known-breached passwords are rejected.
  • Rate limiting on authentication and contact endpoints.
  • An append-only audit log of sensitive mutations (see section 6 for its retention).
  • A strict Content Security Policy on every page.

9. Cookies

We use only strictly necessary cookies: the Supabase authentication cookies (to keep you logged in) and a small session identifier used for CSRF protection. We do not use advertising, analytics or cross-site tracking cookies, so no consent banner is required under the ePrivacy Directive.

10. Children

pronto.mt is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a minor has signed up, please let us know and we will delete the account.

11. Changes to this policy

When we make material changes to this policy we publish the new version here and, where the change affects how we process your data, notify you by email before it takes effect.

12. Contact

For any privacy question or to exercise a right you cannot action from the privacy settings, email privacy@pronto.mt or use the contact page.