Privacy Policy
How Cuddly Times Ltd (trading as Paper Hugs by Cuddly Times) collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and the Malta Data Protection Act (Chapter 586).
Privacy Policy
Last updated: 27 April 2026
This Privacy Policy explains how Cuddly Times Ltd, trading as Paper Hugs by Cuddly Times (“we”, “us”, “our”), collects, uses, stores, and protects personal data in connection with our website at paperhugsmalta.com (the “Site”). It is written in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Act (Chapter 586 of the Laws of Malta).
We are committed to handling your personal data transparently and lawfully. Please read this policy carefully.
1. Data Controller
The data controller responsible for your personal data is:
Cuddly Times Ltd (trading as Paper Hugs by Cuddly Times)
Ta Paris Court
Triq Censu Costa
Birkirkara, Malta
Email: privacy@paperhugsmalta.com
Website: https://paperhugsmalta.com/
If you have any questions about how we process your personal data, please contact us at the address above.
2. What Data We Collect and How
We collect personal data in the following ways:
a) Orders and purchases
When you place an order through our Site or enquire about a product, we collect your name, email address, delivery address, phone number, and payment details. Payment card data is processed securely by our payment provider and is not stored by us.
b) Custom and personalised orders
For bespoke products such as wedding stationery or personalised cards, we collect the content details you supply (names, dates, messages, images). This information is used solely to fulfil your order and is deleted once the order is complete unless you ask us to retain it.
c) Wedding and event enquiries
When you submit a wedding or event enquiry, we collect your name, email address, event date, and any other details you choose to share. This data is used to respond to your enquiry and, if you proceed, to manage your order.
d) Contact enquiries
When you submit a message via our contact form or send us an email, we collect your name, email address, and the content of your message.
e) Server and access logs
Our web hosting provider automatically records technical data when you visit the Site, including your IP address, browser type and version, operating system, referring URL, pages visited, and the date and time of your request. This data is used for security, fraud prevention, and diagnosing technical issues.
f) Cookies and similar technologies
We use cookies and similar tracking technologies on our Site. Please see Section 7 (Cookies) for full details.
g) Marketing communications
If you subscribe to our mailing list or opt in to receive updates, we will collect your email address and, where provided, your name. You may unsubscribe at any time using the link included in every communication.
We do not knowingly collect personal data from children under the age of 16. If you believe we have inadvertently collected such data, please contact us immediately so we can delete it.
3. Lawful Basis for Processing
Under Article 6 of the GDPR, we rely on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Processing orders and fulfilling purchases | Contract (Art. 6(1)(b)) — necessary to perform a contract with you |
| Managing custom and personalised order content | Contract (Art. 6(1)(b)) |
| Responding to enquiries and contact messages | Legitimate interests (Art. 6(1)(f)) — to respond to communications addressed to us |
| Server and security logs | Legitimate interests (Art. 6(1)(f)) — to maintain the security and integrity of the Site |
| Sending marketing communications | Consent (Art. 6(1)(a)) — only where you have explicitly opted in |
| Compliance with legal obligations (e.g. tax records) | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms.
4. How We Use Your Data
We use your personal data for the following purposes:
- To process and fulfil orders, including custom and personalised items
- To respond to enquiries and provide customer support
- To communicate with you about your order, delivery, or event
- To operate and improve the Site
- To ensure the security and proper functioning of our systems
- To send you marketing or product updates, where you have consented
- To comply with applicable law and legal obligations, including tax and accounting requirements
- To defend or exercise legal claims where necessary
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
5. Data Sharing and Third Parties
We may share your personal data with:
a) Hosting and infrastructure providers
Our Site is hosted on third-party infrastructure. Hosting providers process access log data on our behalf as data processors under appropriate data processing agreements.
b) Payment processors
Payment transactions are handled by a third-party payment provider. We do not store full card details. The payment provider processes your data under their own privacy policy and applicable PCI-DSS standards.
c) Delivery and courier services
Where physical goods are shipped, we may share your name and delivery address with a courier or postal service to fulfil your order.
d) Email and communication services
If we use a third-party platform to manage email communications or our mailing list, that provider processes your email address on our behalf under a data processing agreement.
e) Analytics providers
If analytics software is in use on the Site, it may process anonymised or pseudonymised data about Site usage. Where personal data is involved, it is processed under a data processing agreement.
f) Legal and regulatory authorities
We may disclose your data to law enforcement, courts, or regulatory authorities where required by law or to protect our legal rights.
All third-party processors are required to handle your data in compliance with the GDPR and are bound by contractual obligations to maintain appropriate security measures.
6. International Data Transfers
Where personal data is transferred to countries outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards may include Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other appropriate transfer mechanisms.
7. Cookies
We use cookies — small text files stored on your device — to help the Site function and, where applicable, to understand how it is used.
Types of cookies we use:
| Cookie Type | Purpose | Retention |
|---|---|---|
| Strictly necessary | Required for core Site functionality (e.g., shopping basket, session management) | Session or up to 12 months |
| Analytics / performance | Helps us understand how visitors interact with the Site (e.g., pages viewed, referral source). Data is anonymised or pseudonymised where possible. | Up to 13 months |
| Preference | Remembers choices you make (e.g., language or display settings) | Up to 12 months |
Your choices:
When you first visit the Site, you will be informed about our use of cookies. You may accept or decline non-essential cookies. You can also manage or delete cookies at any time through your browser settings. Note that disabling certain cookies may affect the functionality of the Site, including the shopping basket.
For more information on managing cookies, visit www.aboutcookies.org.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Order and purchase records | Up to 10 years (VAT and tax compliance obligations under Maltese law) |
| Custom order content (names, messages, images) | Deleted upon order completion unless you request otherwise |
| Contact and enquiry messages | Up to 3 years from last contact |
| Server and access logs | Up to 12 months |
| Marketing email list | Until you unsubscribe or withdraw consent |
When data is no longer needed, we securely delete or anonymise it.
9. Your Rights
Under the GDPR and the Malta Data Protection Act (Chapter 586), you have the following rights in relation to your personal data:
- Right of access (Art. 15 GDPR): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You may request that we correct inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): You may request that we delete your personal data in certain circumstances (“right to be forgotten”). Note that erasure may not be possible where we are required to retain records by law (e.g. tax records).
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict how we use your data in certain circumstances.
- Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract, you may request your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
- Right to withdraw consent: Where we rely on consent as the lawful basis, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at privacy@paperhugsmalta.com. We will respond within one calendar month of receiving your request, as required by Article 12 of the GDPR. In complex or multiple requests, this period may be extended by a further two months; we will notify you if this is the case.
We will not charge a fee for reasonable requests but reserve the right to charge a reasonable administrative fee, or to refuse, manifestly unfounded or excessive requests.
10. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the supervisory authority in Malta:
Office of the Information and Data Protection Commissioner (IDPC)
Level 2, Airways House
High Street, Sliema SLM 1549, Malta
Tel: +356 2328 7100
Email: idpc.info@idpc.org.mt
Website: https://idpc.org.mt
You may also lodge a complaint with the supervisory authority in the EU member state where you live or work, if different from Malta.
We encourage you to contact us first at privacy@paperhugsmalta.com so we can try to resolve any concerns directly.
11. Security
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include encrypted communications (HTTPS/TLS), access controls, and regular security reviews.
However, no method of transmission over the internet is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the IDPC within 72 hours in accordance with Article 33 of the GDPR, and will inform affected individuals where required under Article 34.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the services we offer. The “Last updated” date at the top of this page will reflect the most recent revision. Where changes are material, we will take steps to bring them to your attention.
We encourage you to review this policy periodically.
13. Contact Us
For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact:
Cuddly Times Ltd (trading as Paper Hugs by Cuddly Times)
Ta Paris Court, Triq Censu Costa, Birkirkara, Malta
Email: privacy@paperhugsmalta.com
Contact form: paperhugsmalta.com/contact/