Last updated: 14 October 2025
This Privacy Policy explains how Grana Malta (“Grana”, “we”, “us”, “our”) collects and uses your information when you visit granamalta.com (the “Site”). We are established in Malta and process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Maltese data protection law.
We review this notice regularly and will post updates here.
1) Who we are & contact details
- Controller: The Neu Collective, The Strand, Sliema GZR1027, Malta
- Email: info@granamalta.com
- Phone: (+356) 2016 5100
Supervisory authority (primary):
Office of the Information and Data Protection Commissioner (IDPC), Malta — idpc.org.m
2) What we collect (and what we don’t)
We do not store customer accounts, orders, or payment data on our WordPress server.
We may process:
- Usage & analytics data (via GA4): page views, events, device/browser, approximate geo (city/country). Processed only after consent via our cookie banner. IP masking/anonymisation enabled where supported.
- Newsletter data (via MailerLite): email address, name (if provided), subscription preferences, engagement (opens/clicks).
- Booking data (via ResOS): name, contact details, party size, date/time, special requests (if provided). Entered directly in ResOS; not stored on our WordPress server.
- Technical/security logs: IP address, timestamps, requested URLs, user-agent, strictly for security and troubleshooting.
- Contact enquiries (email/phone): the details you supply and our replies.
Please avoid sharing sensitive data (e.g., health) in free-text fields.
3) Sources of data
- Directly from you (newsletter sign-up, booking, enquiries).
- Automatically via cookies/analytics (after consent).
4) Purposes & legal bases
- Analytics & site improvement (GA4): Consent (ePrivacy/GDPR). Analytics scripts only load after you accept non-essential cookies.
- Email newsletters (MailerLite): Consent. You may withdraw at any time via the unsubscribe link.
- Reservations & customer service (ResOS / email): Contract (to manage your booking) and legitimate interests (to respond to enquiries).
- Security, fraud prevention, legal compliance: Legitimate interests and/or legal obligation.
We do not use automated decision-making that produces legal or similarly significant effects.
5) Processors & disclosures
We use vetted providers acting on our instructions:
- Google Analytics (GA4) — analytics.
- MailerLite — email marketing & subscriber management.
- ResOS — reservation management.
- Hosting/security providers — to run and protect the Site.
Transfers may occur outside the EEA. Where they do, we rely on appropriate safeguards (e.g., EU Standard Contractual Clauses or adequacy decisions). We do not sell your personal data.
6) Cookies & consent
We use cookies and similar technologies for essential site functions and (with your consent) analytics.
Your choices
On first visit you’ll see our banner. You can Accept all, Reject non-essential, or Manage preferences. You can change your choice anytime via the cookie settings link in the footer.
Categories we use
- Strictly necessary (always on, essential for the site).
- Analytics (GA4; load only after consent).
Illustrative cookie table (update to match your setup):
| Cookie/Tool | Purpose | Provider | Retention |
| --- | --- | --- | --- |
| _ga* (GA4) | Aggregate analytics | Google | 2–14 months (per GA settings) |
| cookie_consent_status | Stores your banner choice | [Your site] | 6–12 months |
You can also adjust your browser settings or use Google’s opt-out tools.
7) Retention
- Analytics: per GA settings (typically 2–14 months).
- Newsletter: until you unsubscribe or we remove inactive contacts (e.g., after 24 months of inactivity).
- Bookings (ResOS): retained in ResOS for operational needs and legal requirements (normally up to 24 months, longer if needed for disputes/legal obligations).
- Security logs: 30–180 days, unless required longer for investigation.
We delete or anonymise data when no longer needed.
8) Your rights (EU)
You may have the right to access, rectify or erase your personal data, to restrict or object to its processing, to data portability, and to withdraw consent at any time (for newsletters/analytics). You also have the right to lodge a complaint with the IDPC (Malta).
To exercise rights, email info@granamalta.com. We may request verification.
9) Children
Our Site is not intended for children under 16. We do not knowingly collect children’s data. If you believe a child has provided data, contact us for deletion.
10) Security
We use appropriate technical and organisational measures, including HTTPS, access controls, and vendor due diligence. No system is perfectly secure; we continually improve safeguards.
11) International transfers
If data is processed outside the EEA (e.g., by our processors), we implement EU Standard Contractual Clauses or rely on an adequacy decision and require equivalent protections.
12) Third-party links
Our Site may link to third-party sites (e.g., ResOS booking pages). Their privacy practices apply; please review their notices.
13) Contact
Questions or requests: info@granamalta.com
Postal: The Neu Collective, The Strand, Sliema GZR1027, Malta
Platform notes
WordPress
We do not run customer accounts or store bookings/payments on our WordPress server. Basic security logs may be generated.
Google Analytics (GA4)
Configured to load only after consent, with IP masking/anonymisation (where supported) and limited retention.
MailerLite
If you subscribe, MailerLite processes your email and engagement data to deliver newsletters. Unsubscribe anytime.
ResOS
Bookings are processed directly in ResOS so we can confirm/manage your reservation. ResOS acts as our processor.