Legal

Privacy policy

Last updated: 13 May 2026

Baseline policy. This policy is written to meet the standard requirements of the EU General Data Protection Regulation (GDPR) and the Maltese Data Protection Act, 2018. If you have any questions, email hello@kowdja.com.

1. Who we are

This privacy policy applies to Kowdja, a partnership established in Malta, with its place of business at Flat 2, 50, Triq il-Ħarifa, Mosta MST 4043, Malta and Maltese VAT number MT3270-4603 ("Kowdja", "we", "us", "our"). For matters relating to this policy or your personal data, please contact us at hello@kowdja.com.

Kowdja is the data controller in respect of the personal data described in this policy. We have not designated a Data Protection Officer because we are not required to do so under Article 37 of the GDPR; the partners handle data protection matters directly.

2. The personal data we collect

We only collect personal data that we need to run our website, our products, and our business.

2.1 When you visit our website

  • Technical data — IP address, browser type and version, operating system, the pages you request, the date and time of each request, and the referring URL. This is recorded automatically in server logs.
  • Cookies — see our Cookie policy for a full list.

2.2 When you book a demo or contact us

  • Your name, email address, and (optionally) your phone number;
  • The name and type of your business, and any free-text notes you give us about your venue;
  • Your chosen demo date and time;
  • The contents of any message you send to us by email or through the contact form.

2.3 When you use our products (live merchants)

If your business uses Kowdja POS or our other products, we also process operational data about your account, your venues, your staff, and your transactions. The detailed handling of that data is set out in our separate [Data Processing Agreement], which forms part of the service agreement between Kowdja and your business. In that relationship, Kowdja generally acts as a data processor on your behalf.

3. Why we use it and our legal basis

Under Article 6 of the GDPR, we may only process your personal data if we have a lawful basis to do so. Below is each purpose for which we use your data, together with the lawful basis we rely on.

  • To respond to your demo booking or enquiry — basis: performance of a contract or steps prior to entering one (Art. 6(1)(b)).
  • To send you a confirmation email, calendar invite, and reminders for a booked demo — basis: performance of a contract (Art. 6(1)(b)).
  • To run, secure, and improve our website and products (server logs, anti-abuse, debugging) — basis: our legitimate interest in operating a safe, reliable service (Art. 6(1)(f)). We have weighed this against your rights and consider the impact minimal.
  • To send you product updates we reasonably think you'd want as a prospect or customer — basis: where required, your consent (Art. 6(1)(a)), which you can withdraw at any time; otherwise our legitimate interest (Art. 6(1)(f)) in keeping interested parties informed, subject to your right to object.
  • To comply with legal obligations — for example, retaining accounting and tax records as required under Maltese law — basis: compliance with a legal obligation (Art. 6(1)(c)).

4. Who we share your data with

We do not sell your personal data. We share it only with the following categories of recipient:

  • Service providers we use to run the platform, including our hosting, email-sending, and (if and when introduced) analytics providers. These providers act as our processors and only handle your data on documented instructions, under a written data-processing agreement.
  • Professional advisors (accountants, lawyers, auditors) where strictly necessary.
  • Authorities, regulators, or courts when we are required to disclose data by law.
  • In a corporate transaction, such as a sale, merger, or restructuring, to the acquirer and their advisors, under appropriate confidentiality protections.

Our current key sub-processors are:

  • Vercel Inc. (United States, with EU edge regions) — hosting and delivery of our public website (kowdja.com).
  • Contabo GmbH (Germany) — hosting of our backend application servers.
  • Hetzner Online GmbH (Germany) — hosting of our backend application servers.
  • Resend (Resend Inc.) (United States, with EU sending region) — delivery of transactional emails such as booking confirmations, calendar invites, reschedule and cancellation notices. We do not use Resend or any other platform for marketing emails.

We'll keep this list up to date as our infrastructure evolves; you can ask us for the current list at any time at hello@kowdja.com.

5. International transfers

Most of our processing takes place within the European Economic Area (EEA), on infrastructure based in Germany. Where personal data is transferred outside the EEA — for example, when our website is served through Vercel's global edge network — we rely on appropriate safeguards recognised under the GDPR, including the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. You can ask us for a copy of those safeguards at any time.

6. How long we keep it

  • Demo bookings and enquiries: kept for up to 24 months from the most recent contact, unless you become a customer or you ask us to delete the record sooner.
  • Customer (merchant) account data: kept for as long as your account is active, and for up to 10 years after termination to meet Maltese statutory record-keeping requirements (in particular under the VAT Act and the Income Tax Management Act).
  • Server logs: kept for up to 30 days for security and debugging.
  • Email outbox records (calendar invites, reschedule and cancellation notices): kept for up to 12 months for audit purposes.

When the period above ends, we either delete the data or anonymise it so that it can no longer be linked to you.

7. Your rights

Subject to the conditions in the GDPR, you have the right to:

  • Access the personal data we hold about you, and get a copy;
  • Rectify inaccurate or incomplete data;
  • Erase your personal data (the "right to be forgotten");
  • Restrict our processing while a dispute is resolved;
  • Receive your data in a portable format and have it transmitted to another controller;
  • Object to processing based on our legitimate interests, including direct marketing;
  • Withdraw consent at any time where we rely on it (this does not affect the lawfulness of processing before withdrawal);
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not currently do this).

To exercise any of these rights, email hello@kowdja.com. We will respond within one month, as required by the GDPR. There is no charge unless your request is manifestly unfounded or excessive.

8. Right to lodge a complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Maltese supervisory authority:

Office of the Information and Data Protection Commissioner (IDPC)
Floor 2, Airways House, Triq il-Kbira, Sliema SLM 1549, Malta
Email: idpc.info@idpc.org.mt · Web: idpc.org.mt

9. Security

We take reasonable technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These include encrypted connections (HTTPS) for everything on this site, access controls for our internal tools, and the principle of least privilege for staff. No system is perfectly secure, so if you spot a vulnerability, please tell us at hello@kowdja.com.

10. Children

Our products and website are aimed at businesses, not children. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently done so, please contact us so we can delete it.

11. Automated decisions and profiling

We do not make decisions about you that have legal or similarly significant effects based solely on automated processing.

12. Changes to this policy

If we make material changes to this policy we will update the "Last updated" date above and, where appropriate, notify you by email. The current version is always available at this URL.

13. Legal information

For the purposes of the Maltese E-Commerce Regulations (S.L. 426.02):

  • Name: Kowdja
  • Legal form: Partnership established in Malta
  • Place of business: Flat 2, 50, Triq il-Ħarifa, Mosta MST 4043, Malta
  • VAT number: MT3270-4603
  • Email: hello@kowdja.com