Version 1.0
Who are we; What do we do?
This policy has been prepared by Ecliptio Ltd incorporated and registered in Malta, bearing company registration number C 111698, with its registered office situated at Northlink Business Centre, Level 2, Triq Burmarrad, Naxxar, NXR 6345, Malta (“Ecliptio”, “we” or “us”).
We manage and operate a portal, currently accessible online at ludocards.com (“the Portal”), which allows registered users to request quotes and place orders for custom cards and games. For further information about the Portal and our respective rights and obligations, please refer to our Terms of Use (“TOU”).
What does this policy cover?
This policy provides an overview of the personal data we process when acting as data controllers in connection with your use of our Portal. This includes the processing of orders, the management of registered user accounts, and the provision of related services. It covers any activities, interactions, or services provided to you as a registered user.
This policy also outlines how we collect or otherwise procure this personal data, what we do with such personal data and generally how we comply with the provisions of laws relating to the protection of personal data as applicable to us, in particular Regulation (EU) 2016/679 (“GDPR”).
Definitions
Throughout this document, we will be using certain specific terms. Since our intention is that this document is easily understood, we would like to clarify what these terms are intended to refer to. Naturally, if anything is unclear, please do not hesitate to get in touch with us.
- Personal Data: In terms of the provisions of the GDPR, the term “personal data” is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’)’.
- Processing: The term “processing” is also given a wide meaning and is defined as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.’ This includes collection, recording, storage, adaptation, and use of personal data.
What types of personal data will we be processing as data controller? How do we get such personal data?
We have grouped the personal data that we receive, use or otherwise process in the following categories:
| Title | Description | Source |
|---|---|---|
| Profile Information | This relates to (a) the details that you provide to us when opening an account, including your name, surname, email address and contact details; and (b) generally all other information that we require to manage and operate your account. | Directly from you when you create and manage your account. |
| Interaction Information | This comprises any information, data or material that is exchanged with us and is not covered in any of the other categories set out in this table. | Directly from your interactions and communications with us. |
| Financial Information | This includes details concerning the necessary details to process your orders, the fees owed to us, banking / credit card details and other data relative to the aforementioned. | Directly from your financial transactions with us, including payment details and banking information. |
| Usage Information | When you access our Portal, request a quote or submit an order, we also receive certain types of personal data automatically, such as the sections you have visited, the content you have accessed and the frequency and duration of your visits. In addition to the above, please note that we will also collect certain data about your device or browser automatically via log files, such as your Media Access Control (MAC) address, device ID, operating system name and version, browser type, and device manufacturer and model. We may also collect your IP address. We use data about your device to ensure our solutions function properly, diagnose server problems, and administer our software solutions and the services we provide. | Automatically as described in the second column. |
How do we use personal data? What is the legal basis for processing personal data?
Our primary objective in processing personal data is to manage your account and handle your orders. We also do so to ensure compliance with our duties and obligations, whether legal or contractual (including discharging our obligations pursuant to the TOU). We will process personal data when we have a proper reason for doing so. In particular, the legal basis we rely upon to process personal data is further set out in the table hereunder:
| Purpose | Type | Lawful basis |
|---|---|---|
| To complete our onboarding process. This includes setting up your account and verifying your identity. | Profile Information; Interaction Information | Legal obligation (GDPR Article 6(1)(c)); Necessary for our legitimate interests (GDPR, Article 6(1)(f)) - to administer the account opening process; to safeguard our reputation |
| To provide access to and operate the Portal. Allowing registered users to log in, request quotes, and place orders for custom cards and games. | Profile Information; Learning Information; Interaction Information | Contractual necessity (GDPR Article 6(1)(b)). Legitimate interests (GDPR Art. 6(1)(f)): ensure platform integrity and usability |
| To deliver and fulfil product orders. Processing specifications, printing, shipment, and updates related to the order. | Profile Information; Financial Information | Contractual necessity (GDPR Art. 6(1)(b)) |
| To manage our relationship with you, including the provision of customer service. This encompasses ongoing customer support, handling inquiries, and ensuring satisfactory communication throughout the time that you hold an account with us. | Profile Information; Interaction Information; Financial Information | Legal obligation (GDPR Article 6(1)(c)); Contractual necessity (GDPR Article 6(1)(b)); Necessary for our legitimate interests (GDPR, Article 6(1)(f)) - to keep our records updated; Consent (GDPR, Article 6(1)(a)). |
| To manage payments and fees. We process fees associated with your orders, which may include processing of refunds where applicable. | Profile Information; Financial Information; Interaction Information | Contractual necessity (GDPR Article 6(1)(b)); Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to collect the payment due to us. |
| To maintain our contact database for marketing. We manage and update our list of contacts to send you information about new products, special offers, and upcoming events through various communication channels. | Profile Information; Service Information; Interaction Information | Consent (GDPR, Article 6(1)(a)); Necessary for our legitimate interests (GDPR, Article 6(1)(f)) - to keep our records updated; to enhance our business and client-base. |
| Business Intelligence & Analytics. To collect and anonymize data for statistical and benchmarking purposes. | Profile Information; Service Information; Interaction Information | Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to improve user experience and offerings. |
| To safeguard our interests. This includes keeping our infrastructure secure, through security monitoring to detect, prevent and respond to suspicious activity, fraud, intellectual property infringement, violations of our terms or law and for other similar purposes; to establish, exercise or defend legal claims. | Profile Information; Interaction Information; Financial Information; Usage Information. | Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to safeguard our interests and infrastructure; Legal obligation (GDPR Article 6(1)(c)) |
| To facilitate business transactions. To make certain information available to third parties that may be interested in acquiring our business (either prior to or as part of the transaction). This includes, amongst others, any merger, sale, restructure, acquisition, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock. | Profile Information; Interaction Information; Financial Information; Usage Information | Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to ensure that we are able to sell our business, should we decide to do so. |
Change of purpose
We will use and process personal information solely for the purposes for which it was initially collected, unless we reasonably believe there is a need to use it for a different yet compatible reason. In the event we intend to use personal information for an unrelated purpose, we will inform the relevant data subjects and provide an explanation of the legal basis that permits us to do so.
Is the provision of personal data mandatory?
The provision of certain personal data is necessary for us to provide our services and to fulfil our contractual or legal obligations. While you are not legally obliged to share your personal data with us, please note that choosing not to do so may limit your ability to use certain features of the Portal. In particular, access to features reserved for registered users—such as requesting quotes, placing orders, tracking submissions, and managing your account—requires the provision of specific personal information. If such information is not provided, we may be unable to create or maintain your account, process your orders, or respond to certain requests. We respect your decisions regarding the sharing of personal data, but we may not be able to accommodate all preferences without impacting service functionality.
What about data concerning third parties? Are there any additional obligations or duties?
To safeguard privacy and ensure that we comply with our legal obligations, we require that you only provide personal data that pertains directly to yourself.
Do we collect special categories of data?
Under the GDPR, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is deemed to be “special categories of personal data” and requires a higher level of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place appropriate safeguards which we are required by law to maintain when processing such data.
We do not collect any such special category of personal data.
Do we collect data related to criminal convictions and offences?
No.
Do we share or make personal data available with third parties?
We will share personal data with third parties where required by law, where it is necessary to administer the relationship with our clients, and as otherwise provided hereunder. We will only share and disclose personal data:
- [a] When required by law: We may also process your personal data to comply with our regulatory requirements or in the course of dialogue with our regulators as applicable, which may include disclosing your personal data to government, regulatory or law enforcement agencies in connection with enquiries, proceedings or investigations by such parties anywhere in the world or where compelled to do so. Where permitted, or unless to do so would prejudice the prevention or detection of a crime, we will direct any such request to you or notify you before responding.
- [b] Where necessary to administer our relationship with users and to supply certain functionalities. In this respect, we will share and disclose personal data as follows:
| Recipient Category | Purpose & Activity carried out |
|---|---|
| Data Storage and Hosting (e.g., AWS, DigitalOcean) | Stores website data and ensures the site is hosted on reliable, scalable servers to maintain uptime and performance. |
| Online Forms and Surveys (e.g., Typeform, Google Forms) | Allows for easy creation of online forms, surveys, and questionnaires to collect user feedback and data. |
| Live Chat Support (e.g., Tawk.to, LiveChat) | Provides real-time support to users through live chat on the website, improving customer service and engagement. |
| Payment Gateway (e.g., PayPal, Stripe) | Processes customer payments securely and handles transactions, including credit card processing and fraud detection. |
| Analytics Provider (e.g., Google Analytics, Plausible) | Tracks user behavior, collects traffic data, monitors website performance, and provides insights for improving user experience. |
| CRM (e.g., NetHunt) | Manages the database of our clients, leads and contacts. |
| Email Marketing Service (e.g., Mailchimp, SendinBlue) | Manages email lists, automates marketing campaigns, sends newsletters, and tracks email engagement and conversions. |
| Security Service (e.g., Cloudflare, Sucuri) | Provides protection from security threats such as DDoS attacks, malware, and enhances website security and load performance. |
| Customer Support Tools (e.g., Zendesk, Intercom) | Offers customer service through live chat, ticketing systems, and helps manage customer inquiries efficiently. |
| Content Delivery Network (CDN) (e.g., AWS CloudFront, Akamai) | Accelerates content delivery by distributing website assets globally to ensure faster loading times for users. |
| Social Media Integration (e.g., Facebook Pixel, Twitter Cards) | Allows for social sharing, tracks user engagement from social platforms, and helps with targeted advertising and retargeting. |
| Advertising and Remarketing (e.g., Google Ads, Facebook Ads) | Supports advertising efforts, enables user retargeting, and helps optimize ad performance and conversions. |
| User Authentication (e.g., Auth0, Firebase Authentication) | Manages user authentication, allowing users to sign in with credentials or third-party login options like Google or Facebook. |
| Review and Rating Tools (e.g., Trustpilot, Yotpo) | Enables customers to leave reviews, ratings, and feedback on products or services. |
| Compliance and Cookie Consent (e.g., OneTrust, Cookiebot) | Ensures compliance with GDPR, CCPA, and other data privacy laws by managing cookie consent and data collection practices. |
| SEO Tools (e.g., Yoast SEO, SEMrush) | Provides recommendations and tools to optimize the website for search engines and improve ranking in search results. |
| Payment Fraud Detection (e.g., Riskified, Signifyd) | Provides fraud prevention services by analyzing transactions for potential fraudulent activities. |
| Backup and Recovery (e.g., BackupBuddy, CodeGuard) | Automatically backs up website data and provides recovery options in case of data loss or website failure. |
| A/B Testing Tools (e.g., Optimizely, Google Optimize) | Enables A/B testing of website elements to determine the most effective versions for user experience and conversions. |
- [c] To protect our legitimate interests: We disclose personal data to safeguard the security and integrity of the Portal and its underlying systems; prevent, detect, or investigate misuse, fraud, or security incidents; enforce our Terms of Use and other applicable policies; manage disputes or exercise or defend our legal rights; share relevant personal data with our insurance providers where necessary for securing cover, assessing risk exposure, or managing or defending claims and generally take all such measures as we reasonably consider necessary to protect our legitimate business interest.
- [d] Authorised sharing: We will share personal data with any other person or entity but solely when we are expressly authorised to do so, such as when you provide us with your consent.
- [e] Corporate transactions: We are also permitted to share personal data with a prospective buyer or any of its advisors, where relevant, in the course of a due diligence exercise or as part of a corporate transaction. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes.
Prior to sharing data with a third-party service provider, we require them to commit to implementing appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
Is the information transferred outside of the EEA?
We do not currently transfer personal data outside of the European Economic Area (EEA). All processing activities, including hosting and service provision, are carried out within the EEA. If we do transfer personal data outside of the EEA, we will take adequate measures to ensure that personal data is safeguarded to the same standards as it would have been if processed in the EU, by relying on one of the following:
- We will ensure that personal information is sent to a country that is considered to provide an adequate level of data protection, in terms of any adequacy decision adopted by the European Commission, in accordance with the provisions of article 45 of the GDPR;
- We will enter into agreements that impose a legal obligation on the recipient to protect personal data in accordance with the provisions of the GDPR.
Data Subject Rights
The GDPR grants data subjects a number of rights that can be exercised in certain circumstances, including:
- Right of access (subject access request): This right allows data subjects to request and obtain confirmation on whether we are processing their personal data. Data subjects can also access details about the processing and receive a copy of the data being held.
- Right of rectification: Data subjects have the right to request that we correct any inaccuracies or incomplete personal data held about them.
- Right of erasure: In terms of this right, commonly known as the "Right to be Forgotten," data subjects can request the deletion of their personal data under certain circumstances, particularly when the data is no longer necessary for the purpose for which it was collected.
- Right of restriction: Data subjects can request the limitation of the processing of their personal data in specific situations. This right is relevant, for instance, when the data subject is contesting the accuracy of the data, or the processing is deemed unlawful.
- Right to object: This right enables the data subjects to object to the processing of their personal data, including profiling, for reasons related to their particular situation.
- Right of data portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.
We do not carry out any fully automated decision-making or profiling.
On those occasions where we have indicated that we are basing our processing on our legitimate interest, please note that in terms of Article 21 GDPR, data subjects have the right to object to that processing. Where the legal basis of processing is based solely on the data subject’s consent, the data subjects may withdraw such consent at any time by notifying us accordingly. This shall be without prejudice to the lawfulness of processing based on consent before such withdrawal.
For more information about these rights and how to exercise them (when we are acting in our capacity as data controllers), kindly contact us on the contact details set out hereunder.
For how long do we retain personal data?
The length of time for which we hold personal data depends on a number of factors, such as regulatory rules and any legal requirements. We also consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process personal data and whether we can achieve those purposes through other means. For further information about our data retention policies, please get in touch with our data privacy manager on the contact details set out hereunder.
Do you need more information about our data handling policies?
If you need more information about this privacy notice or how we handle personal information, please contact our data privacy manager at mail@ludocards.com.
Our registered address is situated at:
Northlink Business Centre, Level 2, Triq Burmarrad, Naxxar, NXR 6345, Malta
What responsibilities do clients and data subjects have regarding the processing of personal data?
Privacy and data protection is a two-way street, and while we strive to uphold it diligently, the active participation of everyone is crucial. This means that along with enjoying privacy rights, data subjects also have certain responsibilities. As part of these obligations, we anticipate that data subjects take reasonable measures to assist us in effectively safeguarding and managing their privacy. For instance, to ensure that we maintain accurate, complete, and up-to-date personal information, we kindly ask you to promptly notify us if personal details previously submitted to us become inaccurate, incomplete, or outdated.
Is it possible to file a complaint?
We go to great lengths to ensure that we handle personal data responsibly. If there are any concerns or issues with anything related to these matters, please do not hesitate to get in touch with us and we assure you that we will do our utmost to address your concerns. In any case, if you are not satisfied with the way we manage personal data, you have the right to file a complaint with any relevant data protection authority (particularly the one situated where you habitually reside).
Contact details of the competent authority in Malta are as follows:
Address - Information and Data Protection Commissioner, Floor 2, Airways House, High Street, Sliema, SLM 1549, Malta.
Telephone - (+356) 2328 7100
Email - idpc.info@idpc.org.mt
Changes to Privacy Policy
We may alter these terms at any time, but in any case we will inform you accordingly, by means we deem reasonable in the circumstances. In the event of any conflict between the current version of these terms and any previous version(s), the provisions current and in effect shall prevail unless it is expressly stated otherwise.