Privacy Policy

Willingness Malta Version 1.1 — 6 April 2026

1. Who we are

This Privacy Policy explains how Willingness Malta (“Willingness”, “we”, “us”, “our”) collects, uses, stores, and protects your personal data when you interact with us through our websites, services, programmes, or facilities.

Registered details:

  • Name: Willingness Malta
  • Registration number: P1900
  • VAT number: MT26805030
  • Registered address: Willingness Hub, Qolla Street, Żebbuġ ZBG 1511, Malta
  • General email: [email protected]
  • Phone: +356 79291817

Websites covered by this policy:

  • willingness.com.mt
  • sexclinicmalta.com
  • Any subdomains or associated campaign landing pages operated by Willingness

Data Protection Contact: For any privacy-related enquiry, to exercise your rights, or to raise a concern, please contact:

  • Email: [email protected] (please mark your message “Data Protection Request” so we can prioritise it)
  • Post: Data Protection Contact, Willingness Hub, Qolla Street, Żebbuġ ZBG 1511, Malta

2. Who this policy applies to

We process personal data about several categories of people, and the specific data, purposes, and retention periods differ for each group. This policy covers:

  • Therapy and clinical service clients (adults receiving mental health, couples, family, or sexual health services through Willingness or Sex Clinic Malta)
  • Participants in Camp Willingness programmes (children ages 4–12) and their parents / legal guardians
  • Website visitors (including people browsing, submitting contact or enquiry forms, or uploading documents)
  • Customers of our online shop (purchasers of books, merchandise, and related products via WooCommerce)
  • Newsletter and marketing subscribers
  • Job applicants (people submitting applications through our careers page)
  • Suppliers, contractors, and professional contacts

Where a section applies to only one group, it is clearly labelled.

Under the EU General Data Protection Regulation (GDPR) and the Maltese Data Protection Act (Chapter 586 of the Laws of Malta), we must have a lawful basis for every use of your personal data. The bases we rely on are:

Article 6 — all personal data

  • Contract (Art. 6(1)(b)) — to deliver the services you have booked or purchased
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, health, safeguarding, and regulatory law in Malta and the EU
  • Legitimate interests (Art. 6(1)(f)) — to run our business, secure our systems, prevent fraud, and communicate with enquirers
  • Consent (Art. 6(1)(a)) — for marketing emails, non-essential cookies, optional photography, and any other use where we ask you to opt in

Article 9 — special category (health) data

For therapy, clinical, and sexual health services, we also process special category data (health and, where relevant, sexual health information). We rely on:

  • Art. 9(2)(h) — processing is necessary for the provision of health or social care, by or under the responsibility of a health professional subject to a duty of professional secrecy
  • Art. 9(2)(a) — explicit consent, where you voluntarily share health information through our contact or intake forms before a professional relationship is established

Children’s data (Camp Willingness)

For participants under 16, we rely on parental / guardian consent in line with Article 8 GDPR and Maltese law. Consent is obtained from the parent or legal guardian through our camp registration form.

4. What personal data we collect, and why

4.1 Therapy, clinical, and sexual health service clients

Important: Clinical appointment booking, session notes, and clinical records are managed through a separate practice management system operated by Willingness, not through the willingness.com.mt or sexclinicmalta.com websites. This section covers only the data you share with us through the websites (for example, initial enquiries or intake forms) and any clinical data that may flow from the website into our clinical systems.

Data collected through the websites:

  • Name, email address, phone number
  • Reason for contacting us / nature of enquiry
  • Any health, mental health, or sexual health information you choose to include in a contact or intake form
  • Files or documents you upload through secure forms (e.g. referral letters, prior assessments)

Purposes:

  • To respond to your enquiry and arrange an initial appointment
  • To triage your request to the appropriate professional
  • To provide the clinical service you request
  • To meet our professional, regulatory, and safeguarding obligations

Legal basis: Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)); health care delivery (Art. 9(2)(h)); explicit consent for any health information you voluntarily share at enquiry stage (Art. 9(2)(a)).

4.2 Camp Willingness participants and their parents / guardians

Data collected about the child:

  • Full name, date of birth, age
  • Gender (if voluntarily provided)
  • Dietary requirements, allergies, medical conditions, behavioural considerations
  • Emergency medical information
  • Any special needs or accommodations requested
  • Photographs and video, where consent is given
  • Attendance records

Data collected about the parent / guardian:

  • Full name, relationship to child
  • Email address, phone number, home address
  • Emergency contact details (may include a second parent or designated adult)
  • Payment information (processed via our payment provider, not stored by us)
  • Consent records (photo/video, both-parents consent, terms acceptance)

Purposes:

  • To register and manage your child’s participation in the camp
  • To ensure safety, welfare, and appropriate supervision
  • To respond to medical emergencies
  • To communicate about the camp, logistics, and follow-up
  • For clearly-labelled promotional use of photos/videos, only where explicit consent has been given
  • To comply with safeguarding, health, and regulatory obligations

Legal basis: Contract (Art. 6(1)(b)); parental consent (Art. 6(1)(a) and Art. 8); vital interests in emergencies (Art. 6(1)(d)); legal and safeguarding obligations (Art. 6(1)(c)); health data processed under Art. 9(2)(a) explicit consent and Art. 9(2)(c) vital interests where applicable.

4.3 Website visitors and form submissions

Data collected:

  • Name, email address, phone number (if you submit a form)
  • Message content and any files you upload
  • IP address, browser type, device information, approximate location
  • Pages visited, time spent, referring source
  • Cookie identifiers (subject to consent — see Section 8)

Purposes:

  • To respond to enquiries
  • To monitor and secure our website
  • To analyse website usage and improve our services
  • To measure the effectiveness of our advertising (only with consent)

Legal basis: Legitimate interests (Art. 6(1)(f)) for site operation and security; consent (Art. 6(1)(a)) for analytics and advertising cookies.

4.4 Online shop customers (WooCommerce)

Data collected:

  • Name, billing and delivery address, email, phone
  • Order history and product preferences
  • Payment information (processed directly by Revolut Merchant — Willingness does not store full card details)
  • Delivery and collection records

Purposes:

  • To process and deliver your order
  • To issue invoices and meet tax obligations
  • To handle returns, refunds, and customer service
  • To detect and prevent fraud

Legal basis: Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax and accounting; legitimate interests (Art. 6(1)(f)) for fraud prevention.

4.5 Newsletter and marketing subscribers

Data collected:

  • Name (optional)
  • Email address
  • Subscription date and consent record
  • Engagement data (opens, clicks) provided by our email service

Purposes:

  • To send you newsletters, updates, offers, and information about Willingness services

Legal basis: Consent (Art. 6(1)(a)). You can withdraw consent at any time by clicking “unsubscribe” in any marketing email or by contacting us directly.

4.6 Job applicants

Data collected through our careers page (https://willingness.com.mt/willingness-job-openings/):

  • Name, email, phone, address
  • CV / résumé and cover letter
  • Qualifications, employment history, references
  • Any additional information you choose to provide in your application

Purposes:

  • To assess your suitability for the role
  • To contact you about your application
  • To comply with employment and equal-opportunity law
  • To retain unsuccessful applications for a limited period in case another suitable role arises

Legal basis: Taking steps to enter into a contract at your request (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) for recruitment administration; consent (Art. 6(1)(a)) for retaining your application beyond the active recruitment round.

Retention: We retain unsuccessful applications for 12 months, after which they are securely deleted unless you have explicitly consented to a longer period.

5. How long we keep your data

We only keep personal data for as long as we need it for the purposes described above, or as required by law. Specific retention periods:

Data categoryRetention period
Clinical records (therapy, sex clinic)In line with Maltese professional regulatory requirements — typically 10 years from the date of last contact for adults, and until the patient reaches age 25 for minors (whichever is longer)
Camp Willingness registrationsCurrent camp + 3 years after the end of the programme year
Online shop orders and invoices10 years (Maltese VAT and accounting law)
Website contact form enquiries (no services booked)12 months
Uploaded files via contact forms12 months unless retained as part of a clinical or camp record
Newsletter subscribersUntil you unsubscribe, plus a short record of withdrawal for compliance purposes
Job applications (unsuccessful)12 months
Website server logs30 days
Website analytics (aggregated)14 months maximum

After the relevant retention period, personal data is securely deleted or anonymised.

6. Who we share your data with

We do not sell your personal data. We share it only where necessary to deliver our services, comply with law, or operate our business. Our recipients fall into these categories:

6.1 Service providers (processors)

These providers process personal data on our behalf, under contracts that require them to protect it and use it only for the purposes we specify:

  • DigitalOcean (cloud hosting — EU/US, governed by Standard Contractual Clauses)
  • Cloudflare (content delivery, security, DDoS protection — global network)
  • Google (Google Workspace for email; Google Analytics and Google Ads, if consented; Google Sheets for camp registration data; Google Apps Script automation)
  • WordPress and its plugins (including Kadence forms, transactional email delivery, and related functionality)
  • Mailchimp (newsletter and marketing email delivery)
  • Revolut Merchant (payment processing for our online shop, integrated via WooCommerce — card details are handled directly by Revolut and never stored on our servers)
  • Our practice management system (for clinical appointment scheduling and records — separate from the website)

6.2 Professional recipients

  • Our clinical team — therapists, counsellors, and clinicians directly involved in your care, all bound by professional confidentiality
  • Supervisors and professional consultation — in anonymised form, as part of clinical supervision required by professional standards
  • Regulators and professional bodies — where legally required or in response to a formal request

We may disclose personal data without your consent where:

  • We are required by law, court order, or a lawful request from a competent authority
  • There is a serious and imminent risk to life or safety (yours or another person’s)
  • There is a safeguarding concern involving a child or vulnerable adult — in which case we will report to Appoġġ, the police, or other appropriate authority as required by Maltese law
  • We need to establish, exercise, or defend a legal claim

6.4 Business transfers

In the unlikely event that Willingness is sold, merged, or reorganised, personal data may be transferred to the new owner as part of that process. You will be informed and your rights will be preserved.

7. International data transfers

Some of our service providers are based outside the European Economic Area (EEA), most commonly in the United States (for example, certain Google services, Mailchimp, and Cloudflare’s global infrastructure). Where this happens, we rely on one of the following safeguards required by GDPR:

  • EU–US Data Privacy Framework adequacy decision, where the provider is certified
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary technical measures such as encryption in transit and at rest

You can request details of the safeguards applied to any specific transfer by contacting [email protected].

8. Cookies and tracking technologies

Our websites use cookies and similar technologies. A cookie is a small text file stored on your device that helps websites function and collect information about your visit.

8.1 Categories of cookies we use

  • Strictly necessary cookies — required for the site to function (e.g. shopping cart, login, security). These do not require consent.
  • Preference cookies — remember your language, region, or display settings.
  • Analytics cookies — help us understand how visitors use the site (e.g. Google Analytics). These require your consent.
  • Advertising / marketing cookies — used to measure and target advertising (e.g. Google Ads conversion tracking and remarketing). These require your consent.

8.2 Your choices

When you first visit our websites, you will be shown a consent banner that lets you accept, reject, or customise which cookie categories are used. You can change your choices at any time by clicking the cookie settings link in the website footer.

A full list of the specific cookies used on our sites is available in our Cookie Policy (to be published alongside the consent banner rollout).

9. Your rights under GDPR

Under EU and Maltese data protection law, you have the following rights in relation to your personal data. Most rights are exercised free of charge and we will respond within one month of receiving your request.

  • Right of access — ask us for a copy of the personal data we hold about you
  • Right to rectification — ask us to correct inaccurate or incomplete data
  • Right to erasure (“right to be forgotten”) — ask us to delete your data, subject to limits where we are legally required to keep it (e.g. clinical records)
  • Right to restriction of processing — ask us to limit how we use your data in certain circumstances
  • Right to data portability — ask us to provide your data in a structured, machine-readable format, or to transfer it to another service
  • Right to object — object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing
  • Right not to be subject to automated decision-making — we do not make decisions about you based solely on automated processing

How to exercise your rights: Email [email protected] with a clear description of your request and the subject line “Data Protection Request”. We may need to verify your identity before responding, particularly for access or deletion requests.

Right to complain: If you believe we have mishandled your personal data, you can lodge a complaint with the Maltese supervisory authority:

Information and Data Protection Commissioner (IDPC) Level 2, Airways House, High Street, Sliema SLM 1549, Malta Phone: +356 2328 7100 Email: [email protected] Website: https://idpc.org.mt

We would appreciate the chance to resolve your concern directly first — please contact us before escalating to the IDPC.

10. How we protect your data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure. These include:

  • Encrypted connections (HTTPS / TLS) across all our websites
  • Access controls and authentication for staff systems
  • Password protection on sensitive file areas and clinical systems
  • Regular backups and disaster recovery procedures
  • Staff training on confidentiality and data protection
  • Contractual obligations on all service providers who process data on our behalf
  • A defined breach-response procedure, including notification to the IDPC within 72 hours where required

No system is completely secure, but we take our responsibility to protect your data seriously and continuously review our safeguards.

11. Children’s privacy

We provide services specifically designed for children (Camp Willingness). We do not knowingly collect data from children under 16 through our websites without parental consent. For camp registrations, all personal data about a child is provided by a parent or legal guardian, who acknowledges and consents to this policy on behalf of the child.

If you believe your child has provided us with personal data without your consent, please contact [email protected] and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or best practice. The “Version” and date at the top of this document indicate when it was last updated. For significant changes, we will notify you by email (where we have your address) or by prominent notice on our website before the change takes effect.

We encourage you to review this policy periodically.

13. Contact

If you have questions about this Privacy Policy or how we handle your personal data:

  • Privacy and data protection enquiries: [email protected] (mark subject line “Data Protection Request”)
  • General enquiries: [email protected]
  • Phone: +356 79291817
  • Post: Willingness Hub, Qolla Street, Żebbuġ ZBG 1511, Malta

This Privacy Policy should be read alongside our Terms & Conditions, Cookie Policy, and service-specific terms (including Camp Willingness Terms and Therapy Services Terms).