Privacy Policy
This Privacy Policy explains how ARP Group Ltd collects, uses, stores and protects your personal data when you interact with GestWave products and websites, in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the Maltese Data Protection Act (Chapter 586 of the Laws of Malta).
Last updated: 4 July 2026
1. Data Controller
The Data Controller responsible for the processing of your personal data is:
ARP Group Ltd
227, Triq Salvu Psaila, Birkirkara, BKR 9078, Malta
Phone: +356 27780814
For any question relating to this Privacy Policy or to the processing of your personal data, please contact us using the details above.
2. Scope of this Policy
This Privacy Policy applies to personal data collected through our websites, applications and services (collectively, the "Services"), including GestWave, GestWave Edupro and GestWave VLE, as well as through our commercial relationships, communications and events. It does not apply to third-party websites or services that we do not operate.
3. Categories of personal data we process
Depending on how you interact with us, we may process the following categories of personal data:
- Identification and contact data: full name, job title, organisation, email address, telephone number, postal address.
- Account data: username, password (hashed), user role, authentication metadata.
- Usage and technical data: IP address, device and browser information, log files, pages viewed, date and time of access, referring URLs.
- Content data: information you upload, submit or generate while using the Services (e.g. learning content, documents, messages).
- Commercial and contractual data: purchase history, billing information, correspondence relating to your contract with us.
- Marketing data: preferences regarding communications, consents given or withdrawn.
We do not intentionally collect special categories of personal data (Article 9 GDPR) unless strictly necessary and supported by an appropriate legal basis.
4. Purposes and legal bases of processing
We process your personal data for the purposes listed below, each of which is supported by a legal basis under Article 6 GDPR:
| Purpose | Legal basis |
|---|---|
| Providing, operating and maintaining the Services and your account. | Performance of a contract (Art. 6(1)(b)). |
| Handling requests, enquiries and customer support. | Performance of a contract / pre-contractual steps (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)). |
| Complying with legal, accounting and tax obligations. | Legal obligation (Art. 6(1)(c)). |
| Ensuring security, preventing fraud and abuse, monitoring integrity of the Services. | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)). |
| Analytics and improvement of the Services. | Consent (Art. 6(1)(a)) where required; otherwise legitimate interests (Art. 6(1)(f)). |
| Sending marketing communications and newsletters. | Consent (Art. 6(1)(a)); legitimate interests for existing customers (soft opt-in). |
| Establishing, exercising or defending legal claims. | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)). |
5. Data retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, including satisfying any legal, accounting or reporting requirements. Typical retention periods are:
- Account and contract data: for the duration of the contractual relationship and up to 10 years after termination, in line with Maltese accounting and civil law.
- Support and correspondence: up to 3 years from last contact.
- Marketing data: until consent is withdrawn or the contact is deemed inactive (max. 24 months).
- Technical logs: up to 12 months, unless a longer retention is required for security incidents.
When personal data is no longer necessary, it is securely deleted or anonymised.
6. Recipients and international transfers
We may share your personal data with the following categories of recipients, always under appropriate contractual and technical safeguards:
- Authorised employees and collaborators of ARP Group Ltd.
- Trusted service providers acting as processors (Art. 28 GDPR), such as hosting and cloud infrastructure providers, email delivery services, analytics providers and IT support.
- Professional advisors (lawyers, accountants, auditors) bound by confidentiality.
- Public authorities and law enforcement, where required by law.
Where personal data is transferred outside the European Economic Area (EEA), we ensure an adequate level of protection through mechanisms recognised by the GDPR, such as European Commission adequacy decisions or the Standard Contractual Clauses (Art. 46 GDPR), together with supplementary measures where necessary.
7. Security of processing
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage, in line with Article 32 GDPR. These include encryption in transit and at rest, access controls, multi-factor authentication, network segmentation, regular backups, logging and monitoring, staff training and periodic security reviews. Further details are available on our Security page.
8. Your rights
Subject to the conditions set out in the GDPR, you have the following rights in relation to your personal data:
- Right of access (Art. 15) — to obtain confirmation of whether we process your data and a copy of it.
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — to request deletion of your data, subject to legal exceptions.
- Right to restriction (Art. 18) — to limit processing in specific circumstances.
- Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — to object to processing based on legitimate interests or for direct marketing at any time.
- Rights related to automated decision-making (Art. 22) — not to be subject to decisions based solely on automated processing producing legal or similarly significant effects.
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.
To exercise your rights, please contact us at secretary@maltaquality.education. We will respond within one month of receipt of your request, in accordance with Article 12 GDPR.
9. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR. In Malta, the competent authority is the Office of the Information and Data Protection Commissioner (IDPC), Airways House, Second Floor, High Street, Sliema SLM 1549, Malta — email: idpc.info@idpc.org.mt. You may also contact the supervisory authority of your EU country of residence or place of the alleged infringement.
10. Cookies and similar technologies
For information on how we use cookies and similar technologies, and how to manage your preferences, please refer to our Cookie Policy.
11. Children's data
Our Services are not directed at children under the age of 16. Where our Services are used in an educational context, processing of minors' data is carried out on behalf of, and under the responsibility of, the educational institution acting as Data Controller, with ARP Group Ltd acting as Data Processor pursuant to a Data Processing Agreement.
12. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated version will be published on this page with a revised "Last updated" date. We encourage you to review this page periodically.
13. Contact
For any question, request or complaint regarding this Privacy Policy or the processing of your personal data, please contact ARP Group Ltd at the address set out in Section 1, or write to secretary@maltaquality.education.
