Privacy Policy

This Privacy Policy explains how DEF (referred to as “we”, “us” or “our”) collects, uses and protects personal data when you visit our website, create an account, make a purchase, sign up to our newsletter, or otherwise interact with us. We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Chapter 586 of the Laws of Malta).

Our website is not intended for minors. We do not knowingly collect personal data relating to children. If you have reason to believe that a minor has provided us with personal data, please contact us immediately at dpo@saw.com.mt and we will take steps to address this.

If you have any questions regarding this policy or how we handle your data, please contact us at: Dpo@saw.com.mt.

1. Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The latest version will always be available on this website. Where changes are material, we will notify you by email or by a prominent notice on the website and, where required, seek your re-acceptance of the updated policy. For all other changes, your continued use of the website after the revised date constitutes your acceptance of those changes. We encourage you to review this page periodically. This policy was last reviewed in April 2026.

2. What Amounts to Personal Data?

Personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

We collect personal data when you browse our website, create a customer account, place an order, contact us, or sign up to receive our newsletter. Details of each collection method are set out in Section 3 below.

3. How Do We Collect Personal Data?

We collect personal data through the following methods:

• Account registration: when you create a WooCommerce customer account, you provide your name, email address, billing address, shipping address and a password.

• Checkout and purchases: when you place an order (whether as a registered customer or as a guest), you provide your name, email address, billing address, shipping address, phone number and payment details. Payment card data is processed directly by Stripe and is not stored on our systems.

• Contact and enquiry form: when you submit our contact form, you provide your name, email address and the content of your message.

• Newsletter sign-up: when you subscribe to our newsletter via Mailchimp, you provide your name and email address.

• Job applications: when you submit a job application through our website, you provide personal data including your name, email address, contact details and any information contained in your CV or covering letter.

• Automated technologies: when you visit our website, certain data is collected automatically via cookies and similar tracking technologies, including Google Analytics, Hotjar, Google Ads, Meta Pixel, LinkedIn Pixel and Cloudflare. Please refer to our Cookie Policy for full details.

• Email marketing interactions: when you open or click links in our marketing emails sent via Mailchimp, standard tracking data (open rates and click activity) is recorded via web beacons embedded in those emails.

4. What Personal Data Do We Process?

We process the following categories of personal data:

• Identity data: first name and last name.

• Contact data: email address, phone number, billing address and shipping address.

• Account data: WooCommerce customer account credentials, order history, saved addresses and wishlist.

• Transaction and financial data: order details, payment confirmation records and transaction history. Payment card details are processed by Stripe and are not retained by us.

• Communications data: the content of messages submitted through our contact form and any correspondence with us by email.

• Marketing and communications preferences: your subscription status, email preferences, and engagement data (open rates and click activity) recorded via Mailchimp.

• Technical and usage data: IP address, browser type and version, device type, operating system, pages visited, session behaviour, heatmap data and click recordings collected via Google Analytics, Hotjar and Cloudflare.

• Advertising interaction data: data collected via Google Ads remarketing pixel, Meta (Facebook) Pixel and LinkedIn Pixel relating to your interactions with our website for the purposes of targeted advertising on those platforms.

We do not process special categories of personal data (such as health, biometric, religious or ethnic data), nor do we process data relating to criminal convictions or offences.

5. How Do We Use Your Personal Data?

We use your personal data for the following purposes:

• To process and fulfil orders: to confirm purchases, process payments via Stripe, arrange delivery, issue invoices and handle returns or complaints.

• To manage customer accounts: to create and maintain your WooCommerce account, including your order history, saved addresses and wishlist.

• To respond to enquiries: to review and respond to messages submitted through our contact form.

• To send transactional communications: to send order confirmations, dispatch notifications, and other service-related emails necessary for the performance of your purchase.

• To send marketing communications: to send promotional emails and newsletters to opted-in subscribers via Mailchimp, including information about new products, offers and promotions. You may unsubscribe at any time.

• To display targeted advertising: to show you relevant advertisements on Google, Meta (Facebook/Instagram) and LinkedIn based on your interactions with our website, using remarketing pixels. This processing only occurs where you have given your consent via our cookie banner.

• To analyse and improve our website: to use anonymised analytics data from Google Analytics and behavioural data from Hotjar (including heatmaps and session recordings) to understand how visitors use our website and to improve its content and performance.

• To comply with legal obligations: to maintain financial and transaction records as required by Maltese tax and accounting law.

• To process job applications: to review and assess applications submitted through our careers form, and to contact applicants regarding their application. Application data will be retained for a maximum of two years.

6. Legal Bases of Processing Personal Data

We rely on the following legal bases for processing your personal data:

• Performance of a contract (Article 6(1)(b) GDPR): processing your order, managing your customer account, processing payment, arranging delivery and sending transactional communications are all necessary to perform the contract for the sale of our products.

• Legal obligation (Article 6(1)(c) GDPR): we are required by Maltese tax law to retain financial and transaction records for a period of seven years.

• Legitimate interests (Article 6(1)(f) GDPR): we have a legitimate interest in responding to enquiries submitted through our contact form, understanding how our website is used via anonymised analytics, and sending marketing emails to existing customers (soft opt-in). We have assessed that these interests do not override your fundamental rights and freedoms.

• Consent (Article 6(1)(a) GDPR): where you have actively opted in, we rely on consent for: newsletter subscriptions via Mailchimp; the placement of analytics cookies (Google Analytics, Hotjar); advertising and remarketing cookies (Google Ads, Meta Pixel, LinkedIn Pixel); and email open/click tracking via Mailchimp web beacons. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

7. Recipients

We share your personal data with the following third-party recipients:

• Stripe, Inc.: payment processing provider. Stripe processes payment transactions and handles all payment card data. We do not store card data on our systems. Stripe is based in the United States and also acts as an independent data controller for its own fraud prevention and financial compliance obligations.

• Mailchimp (Intuit Inc.): email marketing platform. Mailchimp processes subscriber names and email addresses and delivers our marketing campaigns and newsletters. Mailchimp also records email open and click activity via web beacons. Mailchimp is based in the United States.

• Google LLC: provider of Google Analytics, Google Search Console and Google Ads remarketing. Google receives anonymised analytics data about visits to our website and advertising interaction data via the Google Ads pixel. Google is based in the United States.

• Meta Platforms, Inc.: provider of the Meta (Facebook) Pixel, which collects data about your interactions with our website for the purposes of targeted advertising on Facebook and Instagram. Meta is based in the United States and acts as an independent data controller in respect of data collected through its pixel.

• LinkedIn Ireland Unlimited Company: provider of the LinkedIn Insight Tag (advertising pixel), which collects data about your interactions with our website for the purposes of targeted advertising on LinkedIn. LinkedIn operates under the governance of LinkedIn Ireland and transfers data to the United States.

• Hotjar Ltd: provider of heatmapping and session recording services. Hotjar records anonymised visitor behaviour on our website, including mouse movements, clicks and scrolling. Hotjar is based in Malta but processes data on servers in the European Union and the United States.

• Cloudflare, Inc.: provider of content delivery network and security services. Cloudflare processes connection data to route traffic and protect our website. Cloudflare is based in the United States.

We do not sell, rent or share your personal data with any other third parties for their own purposes. We do not permit our data processors to use your personal data other than for the purposes we specify. In the event of a corporate merger, acquisition or sale of assets, your personal data may be transferred to any successor entity, which will be required to honour the commitments made in this Privacy Policy.

8. Automated Decision-Making and Profiling

We do not carry out any automated decision-making or profiling that produces legal or similarly significant effects on you.

Please note that Stripe, our payment processor, may carry out automated fraud screening as part of its payment processing services. This is carried out by Stripe acting as an independent data controller in fulfilment of its own legal and regulatory obligations. For further information, please refer to Stripe’s Privacy Policy at stripe.com/privacy.

Meta, Google and LinkedIn may use data collected via their respective advertising pixels to create audience profiles and determine which advertisements to show you on their platforms. This processing is carried out by those platforms acting as independent data controllers and is governed by their respective privacy policies.

9. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected. When personal data is no longer required, it is securely deleted or anonymised. The appropriate retention period is determined by the nature of the data, the purpose of processing, and any applicable legal obligations.

• Financial and transaction records: retained for seven years from the date of the transaction in accordance with Maltese tax and accounting obligations.

• Customer account data: retained for as long as your account remains active. If your account is closed or inactive for an extended period, we will delete or anonymise your data unless retention is required for legal or dispute resolution purposes.

• Order and purchase records: retained for seven years in line with financial record-keeping obligations, or for such longer period as may be required for the resolution of a dispute or warranty claim.

• Enquiry and contact form data: retained for a maximum of two years from the date of the enquiry.

• Marketing and newsletter data: retained for as long as you remain subscribed. Marketing data is reviewed annually and deleted upon unsubscription or withdrawal of consent.

• Website analytics and behavioural data: Google Analytics user-level data is retained for 14 months by default. Hotjar session recordings are retained in accordance with Hotjar’s own data retention settings.

• Job application data: retained for a maximum of two years from the date of application, unless the applicant is appointed, in which case the data will be retained as part of their employment record.

10. Your Rights

Under the GDPR, you have the following rights in relation to your personal data:

• Right of access: you may request a copy of the personal data we hold about you.

• Right to rectification: you may request that we correct any inaccurate or incomplete data we hold about you.

• Right to erasure: you may request that we delete your personal data where there is no longer a legitimate reason for us to retain it. Please note that this right is not absolute and may be limited where we are required to retain data to comply with a legal obligation or to establish, exercise or defend legal claims.

• Right to restriction of processing: you may request that we restrict the processing of your data in certain circumstances, for example while the accuracy of your data is being verified.

• Right to data portability: you may request that we transfer your personal data to you or to another organisation in a structured, commonly used and machine-readable format, where processing is based on contract or consent and carried out by automated means.

• Right to object: you may object to our processing of your personal data where we rely on legitimate interests as our legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to processing for direct marketing purposes.

• Right to withdraw consent: where we rely on consent as a legal basis (for example, for newsletter subscriptions or advertising cookies), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

• Right to human intervention: where any decision is made by solely automated means and produces legal or similarly significant effects on you, you have the right to request human review of that decision.

To exercise any of the above rights, please contact us at dpo@saw.com.mt. We will respond to all legitimate requests without undue delay and in any event within one month of receipt. We may need to verify your identity before processing your request. Where a request is made on your behalf by a third party, we may also ask for proof of authorisation.

You also have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. See Section 12 for details of our Lead Supervisory Authority.

11. Keeping Your Data Secure

We take appropriate technical and organisational measures to protect your personal data from accidental loss, unauthorised access, use, alteration or disclosure. Payment card data is handled exclusively by Stripe and is not stored on our systems. Access to customer and order data is restricted to authorised personnel only. Our website is protected by Cloudflare’s security and content delivery services.

Please note that the transmission of information over the internet is never completely secure. While we take all reasonable steps to protect your data, we cannot guarantee the security of data transmitted to our website.

We have adopted procedures to deal with any actual or suspected personal data breach. Where a breach is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

12. Complaints

If you have a concern about the way we handle your personal data, we encourage you to contact us in the first instance at Dpo@saw.com.mt so that we may address your concern directly.

You also have the right to lodge a complaint with our Lead Supervisory Authority, the Information and Data Protection Commissioner (IDPC), which is the Maltese authority responsible for data protection matters:

Address: Level 2, Airways House, High Street, Sliema, Malta

Email: idpc.info@idpc.org.mt

Website: https://idpc.org.mt

Telephone: +356 2328 7100

13. Provision of Personal Data Relating to Third Party Data Subjects

If you provide us with personal data relating to another individual: for example, a different delivery address or the details of a gift recipient: you confirm that you are authorised to share that data on their behalf and that you have informed them of how their data will be used in accordance with this Privacy Policy. We will process such data only for the purposes of fulfilling your order.

International Transfers

Several of our third-party service providers are based in the United States, which has not been the subject of a general adequacy decision by the European Commission. The transfer of personal data to these organisations is carried out on the basis of Standard Contractual Clauses approved by the European Commission, which provide appropriate safeguards for the protection of your personal data. For further information on countries recognised by the European Commission as providing an adequate level of data protection, please refer to the European Commission’s list of adequate countries.

The relevant providers and their privacy policies are as follows:

• Stripe: stripe.com/privacy

• Mailchimp: mailchimp.com/legal/privacy

• Google: policies.google.com/privacy

• Meta: facebook.com/privacy/policy

• LinkedIn: linkedin.com/legal/privacy-policy

• Hotjar: hotjar.com/legal/privacy

• Cloudflare: cloudflare.com/privacypolicy

Cookie Policy

Last updated: April 2026

1. What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work correctly, remember your preferences, and provide information to the website owner about how the site is being used.

This Cookie Policy explains what cookies we use on this website, why we use them, and how you can control them. It should be read alongside our Privacy Policy, which sets out how we handle your personal data more broadly.

2. How We Use Cookies

We use cookies across five categories: to ensure our website and shop function correctly; to understand how visitors use our site; to display relevant advertising on third-party platforms; to remember your preferences and shopping activity; and to track engagement with our marketing emails.

When you first visit our website, a cookie consent banner will appear. Necessary cookies are set automatically as they are essential to the operation of the site. All other cookies are only set with your prior consent.

You can change your cookie preferences at any time by clicking the cookie settings option on our website.

3. Necessary Cookies

These cookies are essential for the website and shop to function correctly. They cannot be switched off and do not require your consent. Without them, core features such as the shopping cart, checkout and account login would not work. We are required to inform you of their use.

Cookie Name	Provider	Type	Purpose	Expiry
__cky_uuid	CookieYes	Necessary	Assigns a unique ID to the visitor to remember their cookie consent preferences.	1 year
cookieyes-consent	CookieYes	Necessary	Stores the visitor’s cookie consent state for the current domain.	1 year
__cky_opt_out	CookieYes	Necessary	Records whether the visitor has opted out of non-essential cookies.	1 year
__cf_bm	Cloudflare	Necessary	Distinguishes between humans and automated bots to protect the website from malicious traffic.	30 minutes
_cfuvid	Cloudflare	Necessary	Used for rate limiting helps distinguish individual users sharing the same IP address to prevent abuse.	Session
woocommerce_cart_hash	WooCommerce	Necessary	Helps WooCommerce determine when the cart contents have changed and need to be refreshed.	Session
woocommerce_items_in_cart	WooCommerce	Necessary	Tracks whether the visitor has items in their cart to display the correct cart icon.	Session
wp_woocommerce_session_*	WooCommerce	Necessary	Maintains the visitor’s shopping session, including cart contents and checkout progress.	2 days
woocommerce_recently_viewed	WooCommerce	Necessary	Tracks recently viewed products to enable the recently viewed products feature.	Session
wordpress_logged_in_*	WordPress	Necessary	Confirms that the user is logged in to their customer account and who they are.	Session
wordpress_test_cookie	WordPress	Necessary	Checks whether the browser accepts cookies required for login functionality.	Session
wp-settings-*	WordPress	Necessary	Stores user interface preferences for the WordPress admin area.	1 year

4. Analytics Cookies

These cookies help us understand how visitors interact with our website. The data collected is used to improve the website’s content, structure and performance. These cookies are only set with your prior consent.

Cookie Name	Provider	Type	Purpose	Expiry
_ga	Google Analytics	Analytics	Registers a unique ID used to generate statistical data on how you use the website.	2 years
_ga_*	Google Analytics	Analytics	Used by Google Analytics 4 to persist session state and measure site engagement.	2 years
_gid	Google Analytics	Analytics	Registers a unique ID used to generate statistical data on how you use the website.	24 hours
_gat	Google Analytics	Analytics	Used to throttle the rate of requests to Google Analytics servers.	1 minute
_hjSessionUser_*	Hotjar	Analytics	Assigns a unique Hotjar user ID to the visitor for the duration of the session. Used for heatmapping and session recording.	1 year
_hjSession_*	Hotjar	Analytics	Holds current session data. Ensures subsequent requests in the session window are attributed to the same session.	30 minutes
_hjFirstSeen	Hotjar	Analytics	Identifies whether this is the visitor’s first session used for Hotjar analytics reporting.	Session
_hjIncludedInSessionSample_*	Hotjar	Analytics	Determines whether the visitor’s session is included in the session recording sample for the site.	2 minutes
_hjAbsoluteSessionInProgress	Hotjar	Analytics	Detects the first pageview session of the visitor used to limit data collection frequency.	30 minutes

5. Marketing and Advertising Cookies

These cookies are used to show you relevant advertisements on third-party platforms such as Google, Facebook, Instagram and LinkedIn based on your interactions with our website. They track your browsing activity across sites to build a profile of your interests. These cookies are only set with your prior consent.

Cookie Name	Provider	Type	Purpose	Expiry
_gcl_au	Google Ads	Marketing	Used by Google Ads to store and track conversions from ads. Helps measure the effectiveness of advertising campaigns.	3 months
_fbp	Meta (Facebook)	Marketing	Used by Meta to deliver, measure and improve the relevance of advertisements on Facebook and Instagram.	3 months
_fbc	Meta (Facebook)	Marketing	Stores the last Facebook click ID used to attribute conversions to specific ad clicks.	3 months
_li_fat_id	LinkedIn	Marketing	Used by LinkedIn’s Insight Tag for cross-site conversion tracking, retargeting and analytics.	30 days
lidc	LinkedIn	Marketing	Used by LinkedIn for routing and to facilitate data centre selection.	1 day
AnalyticsSyncHistory	LinkedIn	Marketing	Stores information about the time a sync with the lms analytics cookie took place.	30 days
UserMatchHistory	LinkedIn	Marketing	LinkedIn Insight Tag used for audience matching.	30 days

6. Preference Cookies

These cookies allow the website to remember choices you have made and provide a more personalised experience. They are not strictly necessary to browse the website but enhance its functionality. These cookies are only set with your prior consent.

Cookie Name	Provider	Type	Purpose	Expiry
woocommerce_wishlist_*	WooCommerce	Preference	Stores the items you have added to your wishlist so they are remembered between visits.	1 year
wc_fragments_*	WooCommerce	Preference	Stores cart data in the session storage to avoid repeated server requests when browsing.	Session

7. Email Tracking

In addition to cookies on our website, we use standard tracking technologies in our marketing emails sent via Mailchimp. These include web beacons, small invisible images embedded in emails which allow us to see whether an email has been opened, and which links have been clicked.

This tracking only takes place within our marketing emails, not on our website. It applies only to subscribers who have opted in to receive our newsletter. You may opt out of email tracking by unsubscribing from our mailing list at any time using the unsubscribe link in any of our emails, or by contacting us directly.

8. Managing Your Cookie Preferences

You can manage or withdraw your consent to non-essential cookies at any time by clicking the cookie settings option on our website. Withdrawing consent will not affect the lawfulness of any processing that took place before you withdrew it.

You can also control cookies directly through your browser settings. Most browsers allow you to refuse, delete or be notified when a cookie is set. Please note that disabling certain cookies, particularly necessary cookies, will affect the functionality of our website and shop. For guidance on managing cookies in your browser, visit www.aboutcookies.org.

For advertising cookies set by third-party platforms, you can also manage your preferences directly through those platforms:

• Google Ads: adssettings.google.com

• Meta (Facebook/Instagram): facebook.com/ads/preferences

• LinkedIn: linkedin.com/psettings/guest-controls/retargeting-opt-out

9. Third-Party Privacy Policies

Some cookies on this website are set by third-party providers. Their data practices are governed by their own privacy policies:

• Google Analytics / Google Ads: policies.google.com/privacy

• Hotjar: hotjar.com/legal/privacy

• Meta (Facebook): facebook.com/privacy/policy

• LinkedIn: linkedin.com/legal/privacy-policy

• Mailchimp: mailchimp.com/legal/privacy

• Cloudflare: cloudflare.com/privacypolicy

• CookieYes: cookieyes.com/privacy-policy

10. Updates to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in the cookies we use or for legal or regulatory reasons. The latest version will always be available on this website. We encourage you to review this page periodically.

11. Contact Us

If you have any questions about our use of cookies, please contact us at Dpo@saw.com.mt.