Jungle Joy

Privacy Policy

A. Who we are

The data controller is:
FGF STALL LTD
Company registration number: C 99162
VAT number: MT28283820
Registered office: 10/2 Triq Lapsi, San Ġiljan, STJ 1267, Malta
Email: jungle.joy.malta@gmail.com

B. What personal data we collect

  • Name
  • Email address
  • Phone number / WhatsApp number
  • Reservation details: date, time, outlet, match/event, number of guests, notes, reservation code, reservation status
  • Cancellation data: cancellation request, time and source
  • Email communication logs for transactional messages
  • Technical data: IP address, browser/device info, timestamps, basic security logs
  • Cookie and consent data
  • Optional notes submitted by the customer
  • Admin/internal user data for staff accounts

C. Why we process data and legal bases (GDPR)

  • Contract / pre-contractual steps: to process reservations, changes, confirmations, cancellations and customer requests.
  • Legitimate interests: manage venue capacity, prevent abuse/spam/fraud, website security, operational records, customer service.
  • Legal obligation: accounting, tax, business records, applicable laws.
  • Consent: non-essential cookies, analytics, marketing emails or promotional messages.

D. Reservation workflow

When a customer submits a reservation request, it may first be marked as pending. The customer may receive a pending confirmation by email and/or via a WhatsApp deep-link. Admins may receive an internal notification. After approval, the customer receives a confirmation. If the reservation is cancelled, the customer receives a cancellation notice and admins may receive an internal update.

E. WhatsApp

WhatsApp communication may be initiated through a manual browser deep-link. The website may open WhatsApp with a pre-filled message, but the customer must choose to send it. If the customer sends a WhatsApp message, WhatsApp/Meta may process data under its own terms and privacy policy.

F. Email provider

We may use Brevo or another email service provider to send transactional emails such as reservation confirmations, pending notices, cancellation notices and admin alerts. Brevo acts as a processor for these emails.

G. Payment providers

We may use third-party payment providers to process deposits or payments. We do not store full card details on our servers. Payment data is processed by the relevant payment provider according to its own terms and privacy policy. TODO: insert provider name (e.g. Revolut, SumUp, Stripe, PayPal).

H. Who receives the data

  • Internal authorised staff/admins
  • Email service provider
  • Hosting/database provider
  • Payment provider, if enabled
  • IT/security service providers
  • Professional advisors, accountants, lawyers, authorities where legally required
  • WhatsApp/Meta if customer chooses WhatsApp communication

I. International transfers

Some service providers may process data outside Malta or outside the EEA. Where this happens, we aim to use appropriate safeguards such as EU Standard Contractual Clauses or equivalent lawful transfer mechanisms. TODO: verify provider locations and transfer safeguards.

J. Retention periods

  • Reservation records: up to 24 months after the reservation date unless longer retention is required by law.
  • Payment/accounting records: as required by Maltese tax/accounting law.
  • Email communication: as long as needed to manage the reservation and customer relationship.
  • Consent records: as long as needed to prove consent and compliance.
  • Security logs: normally up to 12 months.
  • Marketing consent: until withdrawn or no longer required.

TODO: confirm final retention periods with accountant/lawyer.

K. Your rights

  • Access your personal data
  • Correct inaccurate data
  • Request deletion
  • Restrict processing
  • Object to processing
  • Request data portability
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with the Malta Information and Data Protection Commissioner (IDPC)

To exercise your rights, contact us at jungle.joy.malta@gmail.com.

L. Security

We use reasonable technical and organisational measures to protect personal data, including access controls, admin authentication, database security rules, logging and limited access for authorised staff only.

M. Children

The website is not intended for children under 16. Reservations should be made by adults. If children attend the venue, the booking must be made by a parent/guardian or responsible adult.

N. Marketing

Transactional emails are sent to manage reservations and do not require marketing consent. Promotional newsletters, offers or marketing messages require consent or another lawful basis. You can unsubscribe from marketing at any time.

O. Changes to this policy

Last updated: 09.06.2026