Privacy Policy

Last Updated: January 2025

🔒 Your Security is Our Priority

Discover Gozo uses enterprise-grade security measures to protect your data. Your passwords, personal information, and account data are protected with industry-standard encryption and security practices. We continuously monitor and update our security measures to ensure your information remains safe.

At Discover Gozo, we are committed to protecting your privacy and being transparent about how we collect, use, and protect your information. This Privacy Policy explains our practices regarding location data and analytics collection.

1. Information We Collect

Location Data (With Your Consent)

When you enable location features in our app and consent to location analytics, we collect:

Approximate location coordinates: We collect your location data (latitude and longitude) with reduced precision (rounded to approximately 100 meters) to protect your privacy.
Location accuracy: Information about the accuracy of the location data provided by your device.
Timestamp: When the location data was collected.

Device and Usage Information

We automatically collect certain information about your device and how you use our app:

Device type (mobile, tablet, desktop)
Browser and operating system information
Screen resolution and viewport size
Language preferences
Time zone
Pages visited and features used
Search queries (anonymized)

2. How We Use Your Information

Our primary purpose: We use location and usage data solely to improve tourism services, infrastructure planning, and visitor experiences in Gozo.

Specifically, we use the collected data to:

Improve tourism services: Understand how visitors explore Gozo to enhance recommendations and services.
Infrastructure planning: Identify popular areas and routes to help plan transportation, facilities, and services.
Enhance user experience: Improve app functionality, features, and content based on usage patterns.
Analytics and insights: Generate aggregated, anonymized reports about tourism patterns and trends.

3. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your location data based on your explicit consent. You have the right to:

Give or withdraw consent at any time
Access your personal data
Request deletion of your data
Object to processing of your data
Data portability (receive your data in a structured format)

4. Data Protection and Privacy Measures

Anonymization and Privacy

Precision reduction: Location coordinates are rounded to approximately 100 meters to prevent precise identification.
Anonymous identifiers: We use anonymous browser-based identifiers that cannot be linked to your personal identity.
Aggregation: Data is aggregated and analyzed in groups to prevent individual identification.

Data Security

All data is transmitted using secure, encrypted connections (HTTPS)
Data is stored on secure servers with appropriate access controls
We implement industry-standard security measures to protect against unauthorized access

5. Our Security Measures

We take the security of your information seriously. Discover Gozo employs enterprise-grade security measures to protect your data and ensure your privacy.

Password Protection

Advanced encryption: All user passwords are encrypted using bcrypt, the industry gold standard for password security
Unbreakable security: Even if someone gains access to our database, passwords remain secure and cannot be reverse-engineered
Zero breach risk: Passwords are hashed with military-grade encryption that makes them virtually impossible to crack

Account Protection

Brute force prevention: Our system automatically limits login attempts to prevent unauthorized access attempts
Rate limiting: Only 5 login attempts are allowed per IP address every 15 minutes, protecting your account from automated attacks
Session security: Every login is tracked and validated through secure session management
Multi-layered authentication: Multiple security checks ensure only authorized users can access accounts

File Upload Security

Smart validation: Only safe, approved file types can be uploaded to our servers
Malware protection: All uploads are automatically scanned and validated to prevent harmful files
Path traversal prevention: Advanced security measures block attempts to access unauthorized server directories
Automatic sanitization: All uploaded files are automatically cleaned and secured before processing

Network Security

HTTPS encryption: All data transmitted between your device and our servers is encrypted using TLS/SSL
CORS protection: Strict origin controls ensure only authorized websites can communicate with our API
CSRF protection: Cross-site request forgery protection prevents unauthorized commands from other websites
Security headers: Multiple security headers protect against common web attacks including XSS and clickjacking

Data Access Controls

Strict authentication: All administrative access requires multi-factor authentication
Role-based access: Data access is restricted based on user roles and permissions
Activity logging: All administrative actions are logged for security auditing
Regular security audits: We regularly review and update our security measures

Protection Against Common Attacks

SQL injection prevention: All database queries use parameterized statements to prevent SQL injection attacks
XSS protection: Cross-site scripting attacks are prevented through input sanitization and output encoding
DDoS mitigation: Rate limiting and request throttling protect our servers from denial-of-service attacks
Error message protection: Error messages never reveal sensitive system information to potential attackers

Security Standards Compliance: Our security measures address the OWASP Top 10 security risks and follow industry best practices used by major technology companies. We continuously update our security measures to protect against emerging threats.

Security Monitoring

Real-time monitoring: We continuously monitor our systems for suspicious activity
Automated alerts: Unusual patterns or potential security threats trigger immediate alerts
Incident response: We have procedures in place to quickly respond to any security incidents
Regular updates: Security patches and updates are applied promptly to maintain the highest level of protection

Your Role in Security

While we implement comprehensive security measures, you can also help protect your account:

Choose a strong, unique password for your account
Never share your login credentials with others
Log out from shared or public devices
Keep your device and browser updated
Report any suspicious activity immediately

6. Data Retention

We retain location analytics data for a maximum of 12 months, after which it is automatically deleted. Aggregated, anonymized reports may be retained longer for historical analysis, but these cannot be linked to individual users.

7. Data Sharing

We do not sell, rent, or share your personal location data with third parties.

We may share aggregated, anonymized statistics with:

Tourism authorities and government agencies for infrastructure planning
Research institutions for tourism studies (only in anonymized, aggregated form)

Any shared data is completely anonymized and cannot be used to identify individual users.

8. Your Rights and Choices

Consent Management

You can manage your consent preferences at any time:

Opt-in: Accept location analytics tracking when prompted
Opt-out: Withdraw consent at any time through app settings
Location features: You can use location features (GPS, map navigation) without consenting to analytics tracking

Your GDPR Rights

If you are located in the European Economic Area (EEA), you have the following rights:

Right to access: Request a copy of your personal data
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of your data ("right to be forgotten")
Right to restrict processing: Request limitation of how we process your data
Right to data portability: Receive your data in a structured, machine-readable format
Right to object: Object to processing of your data
Right to withdraw consent: Withdraw consent at any time

9. Children's Privacy

Our app is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will:

Update the "Last Updated" date at the top of this policy
Notify you of significant changes through the app
Request new consent if the changes affect how we process your data

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: [email protected]
Subject: Privacy Policy Inquiry

We will respond to your inquiry within 30 days as required by GDPR.

12. Governing Law

This Privacy Policy is governed by the laws of Malta and the European Union's General Data Protection Regulation (GDPR). If you are located outside the EEA, your use of this app constitutes consent to the processing of your data as described in this policy.

← Back to App