Data Protection & Data Processing (Privacy Policy)

PRIVACY POLICY

Last Updated: 08/10/2025

1. INTRODUCTION

This Privacy Policy governs the manner in which Stella Advisory Malta Ltd (hereinafter “the Company”, “we”, “us”, or “our”), a company duly registered and incorporated under the laws of Malta, collects, uses, maintains, and discloses information collected from users (hereinafter “User”, “you”, or “your”) of the stellaradvisorymalta.com website and any related services, features, or content offered by the Company (collectively, the “Service”).

This Privacy Policy applies to the Service and all products and services offered by Stella Advisory Malta Ltd. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy.

This Privacy Policy is issued in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – “GDPR”), the Data Protection Act (Chapter 586 of the Laws of Malta), and all other applicable data protection legislation in the European Union and Malta.

2. DEFINITIONS

For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below:

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing” means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this Privacy Policy, the Company is the Data Controller of your Personal Data.

“Data Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller.

“Data Subject” means any living individual who is the subject of Personal Data and who is using our Service.

“Service” means the stellaradvisorymalta.com website and any related services, applications, features, or content provided by the Company.

“Usage Data” means data collected automatically, either generated by the use of the Service or from the Service infrastructure itself, including but not limited to Internet Protocol addresses, browser types, browser versions, pages visited, time and date of visits, time spent on pages, unique device identifiers, and other diagnostic data.

“Cookies” means small data files stored on your device (computer, tablet, or mobile device) that contain information about your browsing activity.

“Third Party” means any natural or legal person other than the Data Subject, the Data Controller, the Data Processor, and persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process Personal Data.

“Consent” means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the Processing of Personal Data relating to them.

“Supervisory Authority” means an independent public authority established by an EU Member State to monitor the application of the GDPR and protect data protection rights. In Malta, this is the Office of the Information and Data Protection Commissioner.

3. DATA CONTROLLER INFORMATION

Stella Advisory Malta Ltd

86A, Triq Leli Falzon
NXR2609, Naxxar
Malta

Email: hello@stellaradvisorymalta.com

Telephone: 00356 79657076

4. TYPES OF DATA COLLECTED

4.1 Personal Data

While using our Service, we may request that you provide certain personally identifiable information that can be used to contact or identify you. This Personal Data may include, but is not limited to:

  • Full name (first name and surname)
  • Email address
  • Telephone number
  • Postal address (including street address, city, state/province, postal/ZIP code, and country)
  • Company name and position (where applicable)
  • Financial information (for payment processing purposes)
  • Tax identification number or VAT number (where applicable for business transactions)
  • National identification number or passport number (where required for regulatory compliance)
  • Any other information you voluntarily provide to us

4.2 Usage Data

We automatically collect certain information when you access and use our Service (“Usage Data”). This Usage Data may include:

  • Internet Protocol (IP) address
  • Browser type and version
  • Operating system
  • Device type and unique device identifiers
  • Pages of our Service that you visit
  • Date and time of your visit
  • Time spent on pages
  • Referring/exit pages
  • Clickstream data
  • Geographic location data
  • Other diagnostic and analytical data

4.3 Tracking and Cookies Data

We employ cookies and similar tracking technologies to monitor activity on our Service and store certain information. Technologies used may include:

  • Session Cookies: Temporary cookies used to operate our Service and maintain your session
  • Persistent Cookies: Cookies that remain on your device for a specified period
  • Preference Cookies: Cookies used to remember your preferences and settings
  • Security Cookies: Cookies used for security and authentication purposes
  • Analytical Cookies: Cookies used to analyze how users interact with our Service
  • Advertising Cookies: Cookies used to deliver relevant advertisements

You may instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to access or use certain portions of our Service. You can manage your cookie preferences through your browser settings.

For detailed information about the cookies we use and their purposes, please refer to our separate Cookie Policy.

4.4 Information from Third-Party Sources

We may receive information about you from third-party sources, including:

  • Business partners and affiliates
  • Service providers
  • Publicly available sources
  • Professional networks and databases
  • Marketing and analytics providers
  • Credit reference agencies (where applicable for business transactions)

5. PURPOSES AND LEGAL BASIS FOR PROCESSING PERSONAL DATA

5.1 Purposes of Processing

Stella Advisory Malta Ltd processes your Personal Data for the following purposes:

  1. Service Provision: To provide, maintain, and improve our Service
  2. Communication: To communicate with you regarding our Service, including notifications about changes, updates, and security alerts
  3. Customer Support: To provide customer care and technical support
  4. Personalization: To allow you to participate in interactive features and personalize your experience
  5. Analysis and Improvement: To analyze usage patterns and gather statistical information to improve our Service
  6. Marketing: To provide you with newsletters, marketing materials, promotional content, and information about services that may be of interest to you (subject to your consent where required)
  7. Security: To monitor usage, detect and prevent fraud, security breaches, and technical issues
  8. Legal Compliance: To comply with applicable EU and Maltese laws, regulations, and legal processes
  9. Contract Performance: To perform our contractual obligations
  10. Business Operations: To manage our business operations, including billing, accounting, and administrative purposes
  11. Due Diligence: To conduct know-your-customer (KYC) and anti-money laundering (AML) checks where required

5.2 Legal Basis for Processing under GDPR

In accordance with Article 6 of the GDPR, our legal basis for collecting and processing your Personal Data depends on the specific data collected and the context in which we collect it. We process your Personal Data only when we have a valid legal basis to do so:

a) Contractual Necessity (Article 6(1)(b) GDPR)

Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This includes:

  • Providing the services you have requested
  • Processing payments and transactions
  • Managing your account
  • Delivering products or services

b) Consent (Article 6(1)(a) GDPR)

You have provided explicit, freely given, specific, informed, and unambiguous consent for us to process your Personal Data for one or more specific purposes, such as:

  • Receiving marketing communications
  • Using non-essential cookies
  • Participating in surveys or promotional activities
  • Subscribing to newsletters

You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

c) Legitimate Interests (Article 6(1)(f) GDPR)

Processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your fundamental rights and freedoms. Our legitimate interests include:

  • Improving and developing our Service
  • Ensuring network and information security
  • Preventing fraud and misuse of our Service
  • Understanding how our Service is used
  • Internal administration and management
  • Marketing and business development (where not requiring consent)

We have conducted a legitimate interest assessment to ensure that our processing does not override your rights and interests.

d) Legal Obligation (Article 6(1)(c) GDPR)

Processing is necessary to comply with legal obligations to which we are subject under EU or Member State law, including:

  • Tax and accounting obligations
  • Anti-money laundering and counter-terrorism financing regulations
  • Financial services regulations
  • Court orders or regulatory requirements
  • Health and safety obligations

e) Vital Interests (Article 6(1)(d) GDPR)

Processing is necessary to protect your vital interests or those of another natural person, particularly in emergency situations.

f) Public Interest (Article 6(1)(e) GDPR)

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (where applicable).

5.3 Special Categories of Personal Data

We do not generally process special categories of Personal Data as defined in Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation) unless:

  • You have given explicit consent
  • Processing is necessary for specific legal purposes as defined in Article 9(2) GDPR
  • We are required or permitted to do so by law

6. DATA SHARING AND DISCLOSURE

6.1 Service Providers and Data Processors

We may share your Personal Data with third-party service providers who perform services on our behalf. These Data Processors act on our instructions and are contractually bound under Data Processing Agreements compliant with Article 28 GDPR. Categories of processors include:

  • Web hosting and infrastructure providers
  • Cloud storage providers
  • Payment processors and financial institutions
  • Email service providers and communication platforms
  • Analytics and data analysis providers
  • Marketing and advertising partners
  • Customer relationship management (CRM) providers
  • Professional advisors (legal, accounting, auditing, consulting)
  • IT service providers and cybersecurity firms
  • Document management and archiving services

All Data Processors are required to:

  • Process Personal Data only in accordance with our documented instructions
  • Maintain appropriate technical and organizational security measures
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Assist us in responding to Data Subject requests
  • Notify us of any data breaches without undue delay
  • Delete or return Personal Data upon termination of services
  • Comply with all applicable provisions of the GDPR

6.2 Business Transfers

In the event that Stella Advisory Malta Ltd is involved in a merger, acquisition, reorganization, asset sale, bankruptcy, insolvency, or similar business transaction, your Personal Data may be transferred as part of that transaction. We will:

  • Provide advance notice of the transfer via email and/or prominent notice on our Service
  • Ensure the acquiring entity continues to protect your Personal Data in accordance with this Privacy Policy
  • Provide you with information about your rights regarding the transfer
  • Obtain your consent where required by law

6.3 Legal Requirements and Protection of Rights

We may disclose your Personal Data if required to do so by EU or Member State law, or in response to valid requests by public authorities or regulatory bodies, including:

  • Compliance with legal obligations under Maltese or EU law
  • Responding to court orders, subpoenas, or judicial proceedings
  • Cooperation with law enforcement, regulatory authorities, or tax authorities
  • Protection and defense of our legal rights, property, or safety
  • Prevention, detection, or investigation of criminal offences, fraud, or security issues
  • Protection of the rights, property, or safety of our users or the public
  • Enforcement of our terms of service or other agreements
  • Defense against legal claims or protection against legal liability

Any such disclosure will be limited to what is necessary and proportionate to fulfill the specific purpose.

6.4 Group Companies

We may share your Personal Data with companies within our corporate group for:

  • Internal administrative purposes
  • Consolidated business operations
  • Service delivery and support
  • Group-wide compliance and risk management

Such sharing is governed by intra-group data sharing agreements and appropriate safeguards.

6.5 With Your Consent

We may disclose your Personal Data for any other purpose with your explicit and informed consent.

6.6 Anonymized and Aggregated Data

We may share anonymized or aggregated data that does not constitute Personal Data and cannot be used to identify you. Such data is not subject to this Privacy Policy.

7. INTERNATIONAL DATA TRANSFERS

7.1 Transfers Outside the EEA

Your Personal Data may be transferred to, processed, and stored in countries outside the European Economic Area (EEA), including countries that may not provide an equivalent level of data protection as recognized under EU law.

7.2 Transfer Safeguards

When we transfer Personal Data outside the EEA, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

a) Adequacy Decisions (Article 45 GDPR)

  • Transfers to countries recognized by the European Commission as providing adequate protection

b) Standard Contractual Clauses (Article 46(2)(c) GDPR)

  • Use of Standard Contractual Clauses approved by the European Commission
  • Implementation of supplementary measures where necessary to ensure adequate protection

c) Binding Corporate Rules (Article 47 GDPR)

  • Internal data protection policies approved by supervisory authorities (where applicable within corporate groups)

d) Approved Codes of Conduct and Certification Mechanisms (Article 46(2)(e) and (f) GDPR)

  • Adherence to approved codes of conduct or certification mechanisms with binding commitments

e) Derogations for Specific Situations (Article 49 GDPR)

  • In limited circumstances, relying on specific derogations such as explicit consent or necessity for contract performance

7.3 Right to Information

You have the right to obtain information about the safeguards we have put in place for international transfers. You may request a copy of the relevant safeguards by contacting us.

7.4 Transfer Impact Assessment

We conduct transfer impact assessments to evaluate whether the safeguards we rely upon ensure an adequate level of protection for your Personal Data, taking into account the laws and practices of the destination country.

8. DATA RETENTION

8.1 Retention Principles

Stella Advisory Malta Ltd will retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with Article 5(1)(e) GDPR (storage limitation principle). We determine retention periods based on:

  • The nature and sensitivity of the Personal Data
  • The purposes for which we process the data
  • Legal, regulatory, tax, accounting, or reporting requirements
  • Our legitimate interests (e.g., statute of limitations for legal claims)
  • Industry best practices

8.2 Specific Retention Periods

a) Account and Customer Data

  • Active account data: Retained for the duration of the contractual relationship
  • Closed account data: Retained for 7 years after account closure (to comply with financial and tax obligations)

b) Transaction and Financial Records

  • Payment records: Retained for 7 years from the end of the financial year in which the transaction occurred (as required by Maltese tax law)
  • Invoices and accounting documents: Retained for 10 years (as required under the Maltese Companies Act)

c) Marketing and Communication Data

  • Marketing consent records: Retained until consent is withdrawn, plus 3 years for evidential purposes
  • Email communications: Retained for 2 years or until you request deletion
  • Newsletter data: Retained until you unsubscribe, plus 1 year for suppression purposes

d) Usage and Analytics Data

  • Website analytics: Retained for 26 months
  • Log files and technical data: Retained for 12 months unless required longer for security purposes

e) Legal and Compliance Records

  • KYC/AML documentation: Retained for 5 years after the end of the business relationship (as required by the Prevention of Money Laundering Act)
  • Records related to legal proceedings: Retained for the duration of proceedings plus 6 years

f) Contract-Related Data

  • Active contracts: Retained for the duration of the contract
  • Expired contracts: Retained for 6 years after contract termination (statute of limitations for contractual claims in Malta)

g) Correspondence and Support Records

  • Customer support inquiries: Retained for 3 years from the date of last contact

8.3 Deletion and Anonymization

Upon expiration of the retention period, we will:

  • Securely delete Personal Data using industry-standard deletion methods
  • Anonymize data so that it can no longer be associated with you
  • Archive data in accordance with legal requirements where deletion is not permitted

8.4 Exceptions

We may retain Personal Data for longer periods if:

  • Required or permitted by applicable law
  • Necessary for the establishment, exercise, or defense of legal claims
  • You have specifically consented to longer retention
  • We have a legitimate interest that overrides the need for deletion (subject to balancing test)

9. DATA SECURITY

9.1 Security Obligations

In accordance with Article 32 GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account:

  • The state of the art
  • The costs of implementation
  • The nature, scope, context, and purposes of processing
  • The risks to the rights and freedoms of individuals

9.2 Technical Security Measures

Our technical security measures include:

a) Encryption

  • Encryption of Personal Data in transit using TLS/SSL protocols (minimum TLS 1.2)
  • Encryption of Personal Data at rest using industry-standard encryption algorithms
  • Encrypted backups of all Personal Data

b) Access Controls

  • Multi-factor authentication for system access
  • Role-based access control (RBAC) enforcing the principle of least privilege
  • Regular access rights reviews and removal of unnecessary privileges
  • Strong password policies and regular password changes
  • Automatic session timeouts

c) Network Security

  • Firewalls and intrusion detection/prevention systems (IDS/IPS)
  • Network segmentation and isolation of sensitive systems
  • Virtual private networks (VPNs) for remote access
  • Regular vulnerability scanning and penetration testing
  • DDoS protection and mitigation

d) System Security

  • Regular security patches and updates
  • Anti-malware and anti-virus protection
  • Secure software development practices
  • Regular security assessments and audits
  • Logging and monitoring of system activities

e) Data Protection

  • Regular automated backups with off-site storage
  • Disaster recovery and business continuity plans
  • Pseudonymization and anonymization where appropriate
  • Data minimization practices

9.3 Organizational Security Measures

Our organizational security measures include:

a) Policies and Procedures

  • Comprehensive information security policy
  • Data breach response and incident management procedures
  • Data protection impact assessment (DPIA) procedures
  • Vendor management and third-party risk assessment procedures
  • Clear desk and clear screen policies

b) Personnel Security

  • Background checks for employees with access to Personal Data
  • Confidentiality and non-disclosure agreements
  • Regular mandatory data protection and security training
  • Defined roles and responsibilities for data protection
  • Disciplinary procedures for security violations

c) Physical Security

  • Restricted physical access to data processing facilities
  • Surveillance systems and access logs
  • Secure disposal of physical documents containing Personal Data
  • Visitor management procedures

d) Governance

  • Executive management oversight of data protection
  • Regular security risk assessments
  • Incident response team and escalation procedures
  • Continuous improvement of security measures

9.4 Data Breach Response

In the event of a Personal Data breach, we will:

a) Internal Response (within 24 hours)

  • Activate our incident response team
  • Contain and assess the breach
  • Document all actions taken
  • Investigate the cause and impact

b) Notification to Supervisory Authority (within 72 hours)

  • Notify the Office of the Information and Data Protection Commissioner of Malta within 72 hours of becoming aware of a breach that poses a risk to individuals’ rights and freedoms (Article 33 GDPR)
  • Provide the required information, including the nature of the breach, the categories and numbers of affected individuals, the likely consequences, and the mitigation measures

c) Notification to Data Subjects (without undue delay)

  • Notify affected individuals directly if the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR)
  • Provide clear and plain language information about the breach and recommended protective actions

d) Remediation and Prevention

  • Implement measures to prevent recurrence
  • Review and update security measures
  • Maintain comprehensive breach records

9.5 Limitations and User Responsibilities

While we implement robust security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.

Your Responsibilities:

  • Maintain confidentiality of account credentials
  • Use strong, unique passwords
  • Enable multi-factor authentication where available
  • Keep your contact information up to date
  • Report any suspected unauthorized access immediately
  • Ensure security of your own devices and networks
  • Log out of your account when finished

9.6 Security Audits

We conduct regular security audits and assessments, including:

  • Internal security reviews (quarterly)
  • External penetration testing (annually)
  • Third-party security audits (as required)
  • Compliance assessments against ISO 27001 and other standards

10. YOUR DATA PROTECTION RIGHTS UNDER GDPR

10.1 Overview of Rights

As a Data Subject under the GDPR, you have the following rights regarding your Personal Data. These rights are not absolute and may be subject to limitations and conditions as specified in the GDPR.

10.2 Right of Access (Article 15 GDPR)

You have the right to obtain from us:

a) Confirmation of whether we process your Personal Data

b) Access to your Personal Data including:

  • The purposes of processing
  • The categories of Personal Data concerned
  • The recipients or categories of recipients to whom Personal Data has been or will be disclosed
  • The envisaged period for which Personal Data will be stored
  • Information about your other rights under GDPR
  • Information about the source of data (if not collected directly from you)
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved

c) A copy of your Personal Data (the first copy is provided free of charge; additional copies may incur a reasonable administrative fee)

10.3 Right to Rectification (Article 16 GDPR)

You have the right to obtain correction of inaccurate Personal Data concerning you without undue delay. You also have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

10.4 Right to Erasure / Right to be Forgotten (Article 17 GDPR)

You have the right to obtain erasure of your Personal Data without undue delay where one of the following grounds applies:

a) The Personal Data is no longer necessary in relation to the purposes for which it was collected

b) You withdraw consent on which processing is based and there is no other legal ground for processing

c) You object to processing under Article 21(1) and there are no overriding legitimate grounds for processing

d) You object to processing for direct marketing purposes under Article 21(2)

e) The Personal Data has been unlawfully processed

f) The Personal Data must be erased to comply with a legal obligation under EU or Member State law

g) The Personal Data was collected in relation to the offer of information society services to a child

Exceptions: This right does not apply where processing is necessary for:

  • Exercising the right of freedom of expression and information
  • Compliance with a legal obligation under EU or Member State law
  • Performance of a task carried out in the public interest
  • Archiving purposes in the public interest, scientific or historical research, or statistical purposes
  • Establishment, exercise, or defense of legal claims

10.5 Right to Restriction of Processing (Article 18 GDPR)

You have the right to obtain restriction of processing where one of the following applies:

a) You contest the accuracy of Personal Data (for a period enabling us to verify accuracy)

b) The processing is unlawful and you oppose erasure and request restriction instead

c) We no longer need the Personal Data for processing purposes, but you require it for legal claims

d) You have objected to processing pending verification of whether our legitimate grounds override yours

When processing is restricted, Personal Data may only be processed (except for storage) with your consent or for legal claims, protection of rights of another person, or important public interest reasons.

10.6 Right to Data Portability (Article 20 GDPR)

You have the right to:

a) Receive Personal Data concerning you in a structured, commonly used, and machine-readable format (e.g., CSV, JSON, XML)

b) Transmit that data to another controller without hindrance from us

c) Have Personal Data transmitted directly from us to another controller, where technically feasible

This right applies only where:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

This right does not adversely affect the rights and freedoms of others.

10.7 Right to Object (Article 21 GDPR)

a) General Right to Object

You have the right to object, on grounds relating to your particular situation, to processing of Personal Data concerning you based on:

  • Article 6(1)(e) GDPR (public interest or official authority)
  • Article 6(1)(f) GDPR (legitimate interests)

We shall no longer process Personal Data unless we demonstrate compelling legitimate grounds for processing which override your interests, rights, and freedoms, or for establishment, exercise, or defense of legal claims.

b) Direct Marketing Objection

You have the absolute right to object to processing of your Personal Data for direct marketing purposes at any time, including profiling related to direct marketing. When you object to direct marketing, we will cease processing for such purposes.

c) Scientific/Historical Research and Statistics

You have the right to object, on grounds relating to your particular situation, to processing for scientific or historical research purposes or statistical purposes under Article 89(1) GDPR, unless processing is necessary for a task carried out for reasons of public interest.

10.8 Right Not to be Subject to Automated Decision-Making (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless such decision:

a) Is necessary for entering into or performance of a contract

b) Is authorized by EU or Member State law with suitable safeguards

c) Is based on your explicit consent

Where automated decision-making is permitted, you have the right to:

  • Obtain human intervention
  • Express your point of view
  • Contest the decision
  • Obtain an explanation of the decision

10.9 Right to Withdraw Consent (Article 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent:

  • Does not affect the lawfulness of processing based on consent before withdrawal
  • Will be as easy as giving consent
  • Will result in cessation of processing unless another legal basis applies

10.10 Right to Lodge a Complaint (Article 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, in particular:

  • In the Member State of your habitual residence
  • In the Member State of your place of work
  • In the Member State where an alleged infringement occurred

Malta Supervisory Authority:

Office of the Information and Data Protection Commissioner
Level 2, Airways House
High Street, Sliema SLM 1549
Malta

Telephone: +356 2328 7100
Email: idpc.info@idpc.org.mt
Website: https://idpc.org.mt

EU Data Protection Authorities:

A list of supervisory authorities across the EU can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

This right is without prejudice to any other administrative or judicial remedy.

10.11 Exercising Your Rights

How to Exercise Your Rights:

To exercise any of your data protection rights, please contact us using the information provided in Section 3 or Section 20.

Your Request Should Include:

  • Clear identification of the right(s) you wish to exercise
  • Sufficient information to enable us to verify your identity
  • Specific details about your request (where applicable)
  • Preferred method of response

Verification of Identity:

To protect your privacy and security, we may require verification of your identity before processing requests. This may include:

  • Providing identification documents
  • Answering security questions
  • Confirming information associated with your account

Response Timeframe:

We will respond to your request:

  • Without undue delay
  • Within one month of receipt of your request
  • This period may be extended by two additional months where necessary, taking into account the complexity and number of requests

If we extend the response period, we will inform you within one month of receiving your request and explain the reasons for the delay.

Free of Charge:

Exercising your rights is generally free of charge. However, we may charge a reasonable administrative fee or refuse to act on a request if it is:

  • Manifestly unfounded
  • Excessive (particularly due to repetitive nature)

If we refuse your request, we will explain the reasons and inform you of your right to complain to a supervisory authority.

Limitations:

There may be legal reasons why we cannot fulfill certain requests (e.g., legal obligations to retain data, establishment of legal claims). We will explain any such limitations in our response.

11. THIRD-PARTY SERVICES

11.1 Use of Third-Party Services

We use carefully selected third-party service providers to enhance our Service. These providers are located within the EEA or have appropriate safeguards in place for international data transfers.

11.2 Analytics Services

Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Purpose: To analyze how users interact with our Service and improve user experience

Data Collected:

  • Pages visited and navigation paths
  • Time spent on pages
  • Device and browser information
  • Geographic location (city-level)
  • Referral sources
  • User interactions and events

Legal Basis: Contractual necessity (Article 6(1)(b) GDPR) for processing payments

Payment Processors Used:

  • [Insert name of payment processor, e.g., Stripe, PayPal]
  • Location: [Insert location]
  • Privacy Policy: [Insert link to processor’s privacy policy]

Data Processing Agreement: We maintain Data Processing Agreements with all payment processors in accordance with Article 28 GDPR

11.5 Communication Services

We may use third-party email and communication platforms to send you service-related communications, newsletters, and marketing materials.

Services Used:

  • Email service providers (e.g., [Insert provider name])
  • Customer support platforms
  • SMS/messaging services (where applicable)

Legal Basis:

  • Contractual necessity (Article 6(1)(b) GDPR) for service communications
  • Consent (Article 6(1)(a) GDPR) for marketing communications
  • Legitimate interests (Article 6(1)(f) GDPR) for business communications

Your Rights: You can unsubscribe from marketing communications at any time using the unsubscribe link in emails or by contacting us directly.

11.6 Customer Relationship Management (CRM)

We use CRM systems to manage customer relationships, track interactions, and improve our services.

Purpose: To maintain customer records, track service history, and provide better support

Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) in managing customer relationships and contractual necessity (Article 6(1)(b) GDPR)

11.7 Social Media Plugins

Our Service may include social media features and plugins (e.g., Facebook, LinkedIn, Twitter buttons) that enable you to share content or interact with social media platforms.

Data Collection: These features may collect your IP address, pages visited, and set cookies. Social media features are either hosted by the respective third party or hosted directly on our Service.

Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) in enabling social sharing and engagement

Your Rights: Your interactions with social media plugins are governed by the privacy policies of the respective social media platforms. We encourage you to review their privacy policies.

11.8 Third-Party Service Provider Obligations

All third-party service providers:

  • Are selected based on their ability to provide adequate data protection guarantees
  • Process data only in accordance with our instructions
  • Are bound by Data Processing Agreements compliant with Article 28 GDPR
  • Maintain appropriate technical and organizational security measures
  • Are located within the EEA or have appropriate safeguards for international transfers
  • Are regularly assessed for compliance with data protection requirements

11.9 Changes to Third-Party Services

We may change or add third-party service providers from time to time. We will update this Privacy Policy to reflect any significant changes and ensure all providers meet our data protection standards.

12. COOKIES POLICY

12.1 What Are Cookies

Cookies are small text files placed on your device when you visit our Service. They help us provide you with a better experience by remembering your preferences and understanding how you use our Service.

12.2 Types of Cookies We Use

a) Strictly Necessary Cookies

These cookies are essential for the operation of our Service. They enable core functionality such as security, network management, and accessibility.

  • Legal Basis: Legitimate interests (Article 6(1)(f) GDPR)
  • Duration: Session or up to 1 year
  • Purpose: Security, authentication, load balancing, session management
  • Opt-out: These cookies cannot be disabled as they are necessary for the Service to function

b) Analytical/Performance Cookies

These cookies allow us to analyze how visitors use our Service, enabling us to improve functionality and performance.

  • Legal Basis: Consent (Article 6(1)(a) GDPR) where required, or legitimate interests (Article 6(1)(f) GDPR)
  • Duration: Up to 26 months
  • Purpose: Website analytics, performance monitoring, user behavior analysis
  • Provider: Google Analytics
  • Opt-out: You can opt out via cookie consent banner or browser settings

c) Functional Cookies

These cookies enable enhanced functionality and personalization, such as remembering your preferences and settings.

  • Legal Basis: Consent (Article 6(1)(a) GDPR) or legitimate interests (Article 6(1)(f) GDPR)
  • Duration: Up to 1 year
  • Purpose: Language preferences, display settings, remembered choices
  • Opt-out: You can opt out via cookie consent banner or browser settings

d) Targeting/Advertising Cookies

These cookies are used to deliver relevant advertisements and track advertising campaign effectiveness.

  • Legal Basis: Consent (Article 6(1)(a) GDPR)
  • Duration: Up to 90 days
  • Purpose: Remarketing, personalized advertising, ad performance measurement
  • Provider: Google Ads
  • Opt-out: You can opt out via cookie consent banner, Google Ads Settings, or browser settings

12.3 Cookie Consent

In accordance with the ePrivacy Directive (Directive 2002/58/EC) and Maltese law, we obtain your consent before placing non-essential cookies on your device.

Cookie Consent Banner:

  • Appears on your first visit to our Service
  • Allows you to accept or reject different categories of cookies
  • Can be accessed at any time to change your preferences
  • Records your consent choices

Granular Control: You can accept or reject cookies by category (analytical, functional, advertising) through our cookie consent banner.

12.4 Managing Cookies

Browser Settings:

You can control and manage cookies through your browser settings. Most browsers allow you to:

  • Block all cookies
  • Block third-party cookies
  • Delete cookies after closing the browser
  • Accept cookies from specific websites only

Browser-Specific Instructions:

  • Chrome: https://support.google.com/chrome/answer/95647
  • Firefox: https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop
  • Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac
  • Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
  • Opera: https://help.opera.com/en/latest/web-preferences/#cookies

Opt-Out Tools:

  • Google Analytics: https://tools.google.com/dlpage/gaoptout
  • Google Ads: http://www.google.com/settings/ads
  • Network Advertising Initiative: http://www.networkadvertising.org/choices/
  • Your Online Choices (EU): http://www.youronlinechoices.eu/

12.5 Impact of Disabling Cookies

If you disable or reject cookies, some features of our Service may not function properly. Strictly necessary cookies cannot be disabled without severely affecting the functionality of the Service.

12.6 Third-Party Cookies

Third-party service providers (such as Google Analytics and Google Ads) may place cookies on your device when you use our Service. We do not control these cookies, and they are subject to the third party’s privacy policy.

12.7 Do Not Track Signals

Some browsers include a “Do Not Track” (DNT) feature. Currently, there is no industry-wide standard for responding to DNT signals. Our Service does not currently respond to DNT signals, but we respect your cookie preferences set through our cookie consent banner.

13. CHILDREN’S PRIVACY

13.1 Age Restriction

Our Service is not intended for, and we do not knowingly collect Personal Data from, children under the age of 16 years (“Children” or “Minors”), in accordance with Article 8 GDPR.

13.2 Parental Consent

If we become aware that we have collected Personal Data from a child under 16 without verification of parental consent, or if a parent or guardian becomes aware that their child has provided us with Personal Data without consent, we will:

  • Take immediate steps to delete that information from our servers
  • Cease processing the child’s Personal Data
  • Notify the parent or guardian (where contact information is available)

13.3 Verification Measures

We implement age verification measures where appropriate to prevent children from providing Personal Data without parental consent.

13.4 Reporting

If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us immediately using the contact information in Section 20. Please provide:

  • The child’s name and age
  • Your relationship to the child
  • Details of the Personal Data provided
  • Proof of your parental responsibility (where necessary)

13.5 Educational Settings

If we offer services in educational or school settings that may involve children under 16, we will:

  • Obtain appropriate consent from parents or those with parental responsibility
  • Implement additional safeguards appropriate for children
  • Ensure compliance with applicable laws regarding children’s data

14. DATA PROTECTION IMPACT ASSESSMENTS (DPIA)

In accordance with Article 35 GDPR, we conduct Data Protection Impact Assessments when we introduce new processing operations that are likely to result in a high risk to the rights and freedoms of individuals.

14.1 When We Conduct DPIAs

We conduct DPIAs for processing operations that involve:

  • Systematic and extensive evaluation or scoring based on automated processing
  • Large-scale processing of special categories of Personal Data
  • Systematic monitoring of publicly accessible areas on a large scale
  • Use of new technologies that may pose high risks
  • Processing that may prevent Data Subjects from exercising their rights
  • Processing that involves vulnerable individuals (e.g., children, employees)

14.2 DPIA Process

Our DPIA process includes:

  • Description of the processing operations and purposes
  • Assessment of the necessity and proportionality of processing
  • Assessment of risks to Data Subjects’ rights and freedoms
  • Identification of measures to address risks and demonstrate compliance
  • Consultation with our Data Protection Officer (where appointed)
  • Consultation with the supervisory authority (where required for high-risk processing)

14.3 Consultation

Where a DPIA indicates that processing would result in high risk in the absence of measures to mitigate the risk, we consult with the Office of the Information and Data Protection Commissioner before commencing processing.

15. AUTOMATED DECISION-MAKING AND PROFILING

15.1 Automated Processing

We may use automated processing and profiling techniques to:

  • Personalize content and service offerings
  • Improve user experience and Service functionality
  • Analyze usage patterns and preferences
  • Detect fraud and security threats
  • Optimize marketing campaigns and communications

15.2 Profiling Activities

Profiling involves automated processing of Personal Data to evaluate certain personal aspects, such as:

  • Preferences and interests
  • Behavior patterns on our Service
  • Predicted responses to marketing communications
  • Risk assessment for fraud prevention

15.3 Legal Basis

Our automated decision-making and profiling activities are based on:

  • Consent (Article 6(1)(a) GDPR) where required
  • Contractual necessity (Article 6(1)(b) GDPR) for service provision
  • Legitimate interests (Article 6(1)(f) GDPR) where appropriate and proportionate

15.4 Solely Automated Decisions with Legal or Similar Significant Effects

We do not currently engage in solely automated decision-making that produces legal effects or similarly significantly affects you, as contemplated by Article 22 GDPR. If we introduce such processing in the future, we will:

  • Notify you in an updated Privacy Policy
  • Obtain your explicit consent (where required)
  • Implement suitable measures to safeguard your rights
  • Provide you with the right to obtain human intervention, express your point of view, and contest the decision

15.5 Your Rights

You have the right to:

  • Be informed about the existence of automated decision-making and profiling
  • Receive meaningful information about the logic involved
  • Understand the significance and envisaged consequences
  • Object to profiling based on legitimate interests
  • Withdraw consent where processing is based on consent

16. MARKETING COMMUNICATIONS

16.1 Types of Marketing

We may send you marketing communications about our services, special offers, news, and other information we believe may interest you, including:

  • Email newsletters
  • Promotional emails
  • Service updates and announcements
  • Invitations to events or webinars
  • Surveys and feedback requests

16.2 Legal Basis

Existing Customers (Soft Opt-In):

If you are an existing customer, we may send you marketing communications about similar products or services based on legitimate interests (Article 6(1)(f) GDPR), provided you have not opted out. This is known as the “soft opt-in” under the ePrivacy Directive.

New Customers and Newsletter Subscribers:

For individuals who are not existing customers, we will only send marketing communications based on your explicit consent (Article 6(1)(a) GDPR).

16.3 Consent

When we obtain your consent for marketing communications, we ensure it is:

  • Freely given: You have a genuine choice
  • Specific: You know exactly what you’re consenting to
  • Informed: We provide clear information about how we’ll use your data
  • Unambiguous: You take a clear affirmative action (e.g., ticking an unchecked box)

16.4 Opt-Out and Unsubscribe

You have the absolute right to opt out of marketing communications at any time:

Unsubscribe Methods:

  • Click the “unsubscribe” link in any marketing email
  • Update your communication preferences in your account settings
  • Contact us directly using the information in Section 20
  • Reply to any marketing email with “UNSUBSCRIBE”

Processing Time: We will process your opt-out request within 5 business days.

Service Communications: Please note that opting out of marketing does not affect essential service communications (e.g., account notifications, transaction confirmations, security alerts), which we send based on contractual necessity.

16.5 Suppression List

When you opt out, we retain your contact information on a suppression list to ensure we don’t inadvertently send you marketing communications in the future. This retention is based on our legitimate interests in complying with your preferences.

16.6 Third-Party Marketing

We do not sell, rent, or share your Personal Data with third parties for their own direct marketing purposes without your explicit consent.

17. LINKS TO THIRD-PARTY WEBSITES

17.1 External Links

Our Service may contain links to third-party websites, applications, services, or resources that are not owned, operated, or controlled by Stella Advisory Malta Ltd.

17.2 No Responsibility

We have no control over, and assume no responsibility for:

  • The content of third-party websites
  • Privacy policies or practices of third parties
  • Terms of service of third-party sites
  • Any damages or losses arising from your use of third-party websites

17.3 Third-Party Privacy Policies

When you click on a third-party link and leave our Service, you are subject to the privacy policy and terms of service of that third party. We strongly advise you to:

  • Review the privacy policy of every website you visit
  • Understand how third parties collect and use your information
  • Make informed decisions about sharing your Personal Data

17.4 Disclaimer

The inclusion of any link does not imply:

  • Endorsement of the third-party website
  • Association with the third party
  • Sponsorship or approval of their content or practices

17.5 Liability

We are not liable for:

  • Privacy practices of third-party websites
  • Security of information you provide to third parties
  • Consequences of your interactions with third-party websites

18. BUSINESS CONTINUITY AND DATA PORTABILITY

18.1 Backup and Recovery

We maintain regular backups of Personal Data to ensure business continuity and disaster recovery. Backups are:

  • Encrypted and stored securely
  • Subject to the same security measures as live data
  • Retained in accordance with our data retention policy
  • Tested regularly to ensure recoverability

18.2 Data Portability Procedures

To facilitate your right to data portability under Article 20 GDPR, we can provide your Personal Data in the following machine-readable formats:

  • CSV (Comma-Separated Values)
  • JSON (JavaScript Object Notation)
  • XML (Extensible Markup Language)
  • PDF (for documents)

18.3 Service Continuity

We have implemented business continuity plans to ensure continued protection of your Personal Data in the event of:

  • Technical failures or system outages
  • Natural disasters
  • Cybersecurity incidents
  • Business disruptions

19. CHANGES TO THIS PRIVACY POLICY

19.1 Right to Modify

We reserve the right to modify, update, or replace this Privacy Policy at any time to reflect:

  • Changes in our data processing practices
  • New legal or regulatory requirements
  • Changes in technology or industry standards
  • Feedback from Data Subjects or supervisory authorities
  • Changes to our Service or business operations

19.2 Notification of Changes

Material Changes:

For material changes that significantly affect your rights or how we process your Personal Data, we will notify you by:

  • Sending an email notification to the email address associated with your account (at least 30 days before the changes take effect)
  • Posting a prominent notice on our Service homepage
  • Displaying a pop-up or banner when you next access the Service
  • Obtaining your renewed consent where required by law

Non-Material Changes:

For minor or administrative changes, we will:

  • Update the “Last Updated” date at the top of this Privacy Policy
  • Post the updated Privacy Policy on our Service
  • Make the updated policy available for review

19.3 Review and Acceptance

Your Responsibilities:

  • Review this Privacy Policy periodically for any changes
  • Check the “Last Updated” date to identify recent modifications
  • Contact us if you have questions about changes

Continued Use:

Your continued use of the Service after any modifications to this Privacy Policy constitutes your acknowledgment and acceptance of the changes, unless the changes require your explicit consent under applicable law.

19.4 Withdrawal Following Changes

If you do not agree with any changes to this Privacy Policy, you have the right to:

  • Cease using the Service
  • Request deletion of your Personal Data (subject to legal retention requirements)
  • Withdraw any consent previously given

19.5 Version History

We maintain a version history of this Privacy Policy. Previous versions are available upon request for transparency and accountability purposes.

20. CONTACT INFORMATION AND COMPLAINTS

20.1 Contact Us

If you have any questions, concerns, requests, or complaints regarding this Privacy Policy or our data processing practices, please contact us:

Stella Advisory Malta Ltd
86A, Triq Leli Falzon
NXR2609, Naxxar
Malta

Email: hello@stellaradvisorymalta.com

Telephone: 00356 79657076

Office Hours:
Monday to Friday: 8:00 am to 5:00 pm
We respond to emails within 2 business days

20.2 Response Timeframes

We are committed to addressing your inquiries promptly:

  • Acknowledgment: Within 2 business days of receiving your communication
  • Substantive Response: Within 30 days of receiving your request
  • Complex Requests: We may extend the response period by an additional 60 days where necessary, and will inform you of any extension and the reasons for it

20.3 Complaints and Disputes

If you are dissatisfied with how we have handled your Personal Data or responded to your requests, you may:

Step 1: Contact Us Directly

Raise your concern with us first using the contact information above. We will:

  • Investigate your complaint thoroughly
  • Provide a detailed response
  • Take corrective action where appropriate
  • Work with you to resolve the issue amicably

Step 2: Escalate to Data Protection Officer

If your concern is not resolved to your satisfaction, you may escalate to our Data Protection Officer (if appointed).

Step 3: Lodge a Complaint with Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority at any time, without exhausting internal complaint procedures first.

20.4 Supervisory Authority Contact Information

Malta – Office of the Information and Data Protection Commissioner (IDPC)

Address:

Office of the Information and Data Protection Commissioner
Level 2, Airways House
High Street
Sliema SLM 1549
Malta

Contact:
Telephone: +356 2328 7100
Fax: +356 2328 7198
Email: idpc.info@idpc.org.mt
Website: https://idpc.org.mt

Office Hours:
Monday to Friday: 08:00 – 16:30

How to Lodge a Complaint with IDPC:

  • Complete the online complaint form on the IDPC website
  • Send a written complaint by post or email
  • Telephone to discuss your concern and receive guidance

Other EU Supervisory Authorities:

If you reside in another EU Member State, you may lodge a complaint with the supervisory authority in:

  • Your country of habitual residence
  • Your place of work
  • The place where you believe an infringement occurred

A complete list of EU data protection authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en

20.5 Alternative Dispute Resolution

We are committed to resolving disputes fairly and efficiently. If you are not satisfied with our response or the supervisory authority’s handling of your complaint, you may have access to alternative dispute resolution mechanisms or judicial remedies under applicable law.

20.6 Language

This Privacy Policy is drafted in English. In the event of any discrepancy between the English version and any translation, the English version shall prevail, except where prohibited by local law.

21. LEGAL FRAMEWORK AND GOVERNING LAW

21.1 Applicable Data Protection Laws

This Privacy Policy and our data processing practices comply with:

  • Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR)
  • Data Protection Act (Chapter 586 of the Laws of Malta)
  • Directive 2002/58/EC – ePrivacy Directive (as implemented in Maltese law)
  • Processing of Personal Data (Electronic Communications Sector) Regulations (S.L. 440.01)
  • Other applicable EU and Maltese data protection legislation

21.2 Territorial Scope

This Privacy Policy applies to processing of Personal Data:

  • In the context of our establishment in Malta
  • By our Service offered to Data Subjects in the European Union
  • Regardless of whether the processing takes place within the EU

21.3 Governing Law

This Privacy Policy and any disputes arising from or related to it shall be governed by and construed in accordance with the laws of Malta and the European Union, without regard to conflict of law provisions.

21.4 Jurisdiction

Any disputes arising under this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Malta, without prejudice to your right to lodge a complaint with a supervisory authority or pursue judicial remedies under Article 79 GDPR in any EU Member State.

21.5 Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be severed, and the remaining provisions shall continue in full force and effect.

APPENDIX: DEFINITIONS AND ABBREVIATIONS

AML – Anti-Money Laundering

CRM – Customer Relationship Management

DPIA – Data Protection Impact Assessment

DPO – Data Protection Officer

EEA – European Economic Area (EU Member States plus Iceland, Liechtenstein, and Norway)

GDPR – General Data Protection Regulation (Regulation (EU) 2016/679)

IDPC – Information and Data Protection Commissioner (Malta)

IP Address – Internet Protocol Address

KYC – Know Your Customer

PCI-DSS – Payment Card Industry Data Security Standard

TLS/SSL – Transport Layer Security / Secure Sockets Layer

EFFECTIVE DATE: 08/10/2025

VERSION: 2.0

DOCUMENT OWNER: Stella Advisory Malta Ltd

LAST REVIEWED: 08/10/2025

ACKNOWLEDGMENT

This Privacy Policy has been prepared in accordance with the General Data Protection Regulation (GDPR) and applicable Maltese data protection laws. It represents our commitment to protecting your Personal Data and respecting your privacy rights.

By using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

For questions or concerns about this Privacy Policy, please contact us using the information provided in Section 20.

END OF PRIVACY POLICY

Legitimate interests (Article 6(1)(f) GDPR) in understanding and improving our Service

Data Retention: Google Analytics data is retained for 26 months

IP Anonymization: We have enabled IP anonymization (anonymizeIP) so that IP addresses are truncated within EU Member States

Data Processing Agreement: We have a Data Processing Agreement with Google in accordance with Article 28 GDPR

Your Rights:

  • Opt-Out: You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
  • Cookie Controls: You can control analytics cookies through our cookie consent banner and browser settings

Google’s Privacy Policy: https://policies.google.com/privacy

11.3 Advertising and Remarketing

Google Ads (formerly Google AdWords)

We use Google Ads remarketing services provided by Google Ireland Limited to advertise to you on third-party websites after you have visited our Service.

Purpose: To show relevant advertisements to users who have previously visited our Service

Data Collected:

  • Cookie identifiers
  • Pages visited on our Service
  • Interactions with advertisements
  • Device and browser information

Legal Basis:

  • Consent (Article 6(1)(a) GDPR) for placing advertising cookies
  • Legitimate interests (Article 6(1)(f) GDPR) in marketing our services

Data Retention: Google Ads cookies typically expire after 90 days

Your Rights:

  • Opt-Out of Personalized Ads: Visit Google Ads Settings: http://www.google.com/settings/ads 
  • Opt-Out of Third-Party Cookies: Visit Network Advertising Initiative: http://www.networkadvertising.org/choices/ or European Interactive Digital Advertising Alliance: http://www.youronlinechoices.eu/
  • Cookie Controls: Manage your cookie preferences through our cookie consent banner

Google’s Privacy Policy: https://policies.google.com/privacy 

11.4 Payment Processing

We use third-party payment processors to handle payment transactions securely. Our payment processors are PCI-DSS compliant and certified.

Important Information:

  • We do not store, collect, or have access to your complete payment card details
  • Payment card information is provided directly to our payment processors
  • Payment processors process data in accordance with PCI-DSS standards
  • We may receive limited transaction information (e.g., transaction ID, payment status, last four digits of card for reference)
  • We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.