Privacy Policy
Orderista is committed to protecting your privacy and the security of your personal data.
This Privacy Policy explains why and how your personal information is collected through the use of our website/app and our Services. By accessing our website/app and using our Services, you agree to be bound by our Terms, including this Privacy Policy.
“Services” means, without limitation, our website/app, and our Ordering Platform (the “Platform”). This Privacy Policy applies to all users of our Services. Some provisions apply specifically to Orderista Merchants (“Merchant/s”) and to Merchant customers who place orders (“End User/s”); where provisions apply to a specific category, this will be explicitly stated.
This Policy only applies to personal data we obtain (from you or third parties) in connection with our Services. It does not apply to personal data collected by third parties during your communications with them or your use of their products or services.
Updates. We may update this Privacy Policy from time to time to reflect changes in our practices or in law. We will update the effective date accordingly. Please review this Policy periodically.
Who we are
We are Orderista, a commercial partnership registered in Malta (“we”, “us”, the “website/app”).
You can contact our Data Protection Officer at [email protected].
Personal data we use
We gather and use different types of personal data you provide when using our website/app, or that is generated through your use of our Services, including:
User information
Such as name, date of birth, email address, phone number, and any other details requested for registration and/or continued use of our Services.
Payment information
Information related to your chosen payment method (e.g., credit/debit card details). All such information is processed in accordance with the Payment Card Industry Data Security Standard.
Transactional information
Records of orders placed with our Merchants, including date/time, payment method, and the amount and nature of the order. We also record details for failed, attempted, rejected, and aborted/unsuccessful transactions.
Device, tracking, and other online information
Details such as IP address, browser type, geolocation, unique device identifier, IDFA, hardware model, OS and version, software, preferred language, serial numbers, device motion, mobile network information, and location data. Information on dates/times of access, elements viewed/used, crashes, other system activity, and the third-party site or service used immediately before accessing our website/app.
Cookies and similar technologies
We may collect information from your devices through cookies and similar technologies (e.g., preferences, pages viewed, links clicked, URLs visited before/after using our Services). See our Cookies Policy below for details.
Profiling and analytical information
We may conduct profiling and analysis based on your name, location data, age, transactions, account activity, and other relevant data points.
Other information we may collect
Information about how you contribute to or communicate with/through our Services (e.g., social media comments, customer support interactions), as well as responses to surveys, feedback forms, or other market research.
How we process your personal data on behalf of the Merchants
We primarily process your personal data when you place orders for services from our Merchants using our Platform. When we process personal data in this way, we act at the direction of the Merchant, and the Merchant’s terms of service and privacy policy apply to the collection, processing, and use of your personal data (including any processing by us). For details, review the relevant Merchant’s terms and privacy policy.
How we use your personal data
| Purpose / Activity | Lawful basis for processing |
|---|---|
| Provision, improvement, and personalization of our Services and your experience on our website/app and Platform, including showing order history, offering payment options, recommending products/Merchants/Establishments, customizing highlights, and improving our Services based on usage. | Contractual necessity (performance of the user agreement). If not applicable, our legitimate interests in providing a good service. |
| Product research and development: develop, test, and improve our services; troubleshoot; develop or improve the User Services; analyze use and interactions. | Necessary for our legitimate interests to develop our business and improve the customer journey. |
| Advertise, market, and promote Orderista, including personalized communications or advertisements about our services. | Consent or necessary for our legitimate interests to develop our business and improve the customer journey. |
| Communicate with you about the User Services (product updates, account, policy/terms changes) and respond to your queries. | Consent or necessary for our legitimate interests to develop our business and improve the customer journey. |
| Authentication, integrity, security, and safety: authenticate your account; provide secure payment and user experience; detect, investigate, and prevent malicious conduct, fraudulent activity, or unsafe experiences; address security threats; protect public safety; secure the User Services. | Necessary for our legitimate interests to detect or prevent fraudulent activities. |
| Legal reasons: comply with law or respond to valid legal process (including from law enforcement/government), and enforce or investigate potential violations of our terms or policies. | Necessary for us to comply with legal obligations. |
Failing to provide your personal data
If you fail to provide personal data when requested, we may be unable to provide products/services or to process an application to register an account. Information we need is usually identified by asterisks.
How long we keep your personal data
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting, or reporting requirements, to establish or defend legal claims, or for compliance purposes.
To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes of processing and whether they can be achieved by other means, and applicable legal requirements.
Your rights over your personal data
Subject to applicable law, you may ask us to take the following actions regarding the personal data we hold about you:
Right of access
Request information about our processing of your personal data and access to your personal data. We will respond within thirty (30) days, extendable for complex requests (we will notify you if extended).
Right of correction
Request that we update or correct inaccuracies. We will rectify within thirty (30) days or explain why no change was made. You may complain to the relevant authority if you disagree.
Right of deletion
Request erasure where there are no compelling reasons for continued storage/processing, including where processing is unlawful; the original purpose has been fulfilled; or you withdraw consent / successfully object and no overriding legitimate grounds apply. We will respond within thirty (30) days. We may refuse where retention is necessary for legitimate interests (e.g., legal/regulatory compliance, defence of legal claims, tax calculations). We will explain if we refuse; you may complain to the authority.
Right of transfer (data portability)
Request that we transfer a machine-readable copy of your personal data to you or to a third party of your choice.
Right to restrict processing
You may request that we suspend processing where: the accuracy of data is contested (pending verification); processing is unlawful and you prefer restriction to erasure; data is no longer needed for processing but is required for legal claims; or you have objected based on our legitimate interests and verification is pending. We will respond within thirty (30) days. During restriction, storage is permitted but further processing requires consent (subject to exemptions). We will inform you before lifting a restriction. We may refuse if the request is manifestly unfounded or excessive; if so, we will explain and you may complain to the authority.
Right to object
Object to processing where we rely on legitimate interests, and to processing for direct marketing. We will respond within thirty (30) days and explain if we do not agree; you may complain to the authority.
Right to withdraw consent
When we rely on your consent, you can withdraw it at any time.
Right relating to automated decision-making
You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects. This does not apply where you provided explicit consent, where necessary to enter into or perform a contract, or to meet legal/regulatory obligations. Where applicable, you may request human involvement, express your view, or contest the decision.
Exercising these rights
Submit requests via email to [email protected]. We may need specific information to confirm your identity.
If you disagree with any aspect of our processing or our decisions, you may file a complaint with the Office of the Maltese Information and Data Protection Commissioner (IDPC): https://idpc.org.mt/file-a-complaint/.
Contact
Data Protection Officer: [email protected]