Policies & Compliance

By using our public site, portal, or admin dashboard you agree to:

• Use the tools solely for legitimate Malta Girl Guides activities and communications.
• Keep login details, passcodes, and session cookies secure. Sharing or re-posting portal/admin content on public channels is prohibited.
• Respect intellectual property rights related to MGG branding, photography, resources, and curricula.
• Report any suspected misuse, data exposure, or security issue immediately to the Unit Leader (contact below).

Leaders may suspend or revoke access if the terms are breached. Severe cases will be escalated to the Malta Girl Guides Association and, where appropriate, regulators.

For the purposes of the EU General Data Protection Regulation (GDPR), the Santa Venera Girl Guides unit (“SVGG”, “we”, “us”) is the data controller for personal data collected through this website, the member portal, and related digital forms.

The website, portal and leader/admin dashboard are hosted and technically operated by secure.mt, a Maltese cybersecurity and digital services provider, which acts as our data processor. secure.mt processes personal data only on our documented instructions, in order to provide hosting, security, and technical support.

This includes parent/guardian contact details, member registration data, activity preferences, medical/allergy notes shared with consent, newsletter subscriptions, and leader credentials.

Lawful bases for processing

• Legitimate interest: running the unit safely, keeping members and guardians informed, tracking attendance, and managing guiding activities.
• Consent: optional communications such as newsletters, photography/media permissions, or medical disclosures that are not strictly required. Consent can be withdrawn via email at any time.
• Legal obligation: safeguarding records, incident reporting, and financial reporting for events and membership.

Hosting, storage and access

All portal and site data is stored within secure.mt’s Cloudflare Pages environment, including Cloudflare D1/SQLite databases. Cloudflare primarily processes data within the European Union. Where data is routed outside the EU due to Cloudflare’s global network, such transfers are protected using EU Standard Contractual Clauses (SCCs) and additional technical safeguards.

Access to personal data is limited to:

• secure.mt (processor): for hosting, system administration, security monitoring, backups, and troubleshooting. secure.mt does not use the data for its own purposes.
• Authorised SVGG leaders (controller representatives): for registrations, event and attendance management, communications with guardians, and safeguarding.

Data sharing and processors

We do not sell personal data or publish membership lists. We share data only where necessary for guiding activities and in line with GDPR:

• Malta Girl Guides Association leadership, for coordination, safeguarding, and official reporting.
• Event partners (such as camp or activity providers) when needed for bookings and safety, subject to appropriate safeguards.
• Trusted service providers acting as data processors, including:
  • Cloudflare – hosting, CDN, firewall, access control, and serverless functions.
  • Cloudflare D1 / SQLite – secure data storage.
  • Resend – transactional email delivery (for example, portal access emails).

All processors are bound by written data processing agreements and must implement appropriate technical and organisational measures to protect personal data in line with EU GDPR.

Retention

Most membership records are retained for up to three guiding years after a member leaves, unless a longer period is required for safeguarding or legal obligations. Newsletter subscriber data is removed within 30 days of an unsubscribe request. Technical logs and backups retained by secure.mt are kept only for as long as necessary for security and operational purposes.

Our public site uses only essential cookies (Cloudflare security cookies). The portal and admin dashboard set signed session cookies to verify passcodes or Cloudflare Access tokens. We do not run advertising pixels or analytics that profile individuals.

• Session cookies: Required for logging into the member portal. These are httpOnly, SameSite, and expire automatically.
• Cloudflare Access cookies: Required for the admin dashboard. Managed by Cloudflare Access policies configured by MGGA.

You can block cookies at the browser level, but the portal/admin features will not function without the session cookies noted above.

Members, guardians, and leaders can exercise the following rights:

• Access and receive a copy of your personal data.
• Request corrections where data is inaccurate or incomplete.
• Request deletion when data is no longer required (subject to safeguarding/legal retention rules).
• Restrict or object to processing for specific purposes.
• Withdraw consent for newsletters, media use, or medical details at any time.
• Request data portability for information you provided electronically.

We aim to respond to verified requests within 30 days. Complex requests may take an additional 30 days; we will notify you if more time is required.

• Sensitive data (medical, safeguarding, incident records) is stored in restricted functions/endpoints and accessed only by vetted leaders.
• Members under 16 may only access the portal with guardian guidance; guardians manage registrations and data changes.
• Leaders follow MGGA safeguarding flowcharts for reporting concerns; urgent issues are escalated to the District Commissioner and, if needed, state authorities.
• Images or stories from events are published publicly only with guardian consent and in line with MGGA communications policies.

Offline safeguarding and behaviour policies continue to apply at meetings, camps, and events. This digital policy extends those expectations to all online interactions managed by SVGG.

Please email santavenera@maltagirlguides.com for any privacy, policy, or safeguarding query. Include:

• Your name and contact details.
• The member or volunteer you’re writing on behalf of (if applicable).
• Which right or policy the request refers to.
• Any supporting information that helps us verify and respond quickly.

You may also escalate unresolved privacy issues to the Office of the Information and Data Protection Commissioner (IDPC) in Malta or to the Data Protection Authority where you reside.