← BackOne Eden Ops — Privacy Policy
Effective date: 05 September 2025
Controller: Eden Entertainment Limited
Address: Eden Place, St. Augustine's Street, St. Julian's, Malta, STJ3310
Email: support@oneeden.mt
This Privacy Policy explains how we handle personal data in the One Eden Ops mobile application used by staff at Eden venues and participating partners. The app can be downloaded publicly, but sign-in is restricted to users provisioned as Venue Employees in our admin panel. There is no in-app self-registration.
1) What data we collect
1.1 Employee and access data
- Name, work email, role and venue assignment created by your employer or our admins in the back office.
- Account identifiers such as internal user ID and role permissions.
- Authentication data such as hashed credentials. We do not store plain text passwords.
1.2 Device and app data
- Device model, operating system, app version, language or region, IP address.
- Push token if your organisation enables system notifications.
- Diagnostics and crash logs to maintain reliability.
1.3 Operational events and audit
- Time-stamped logs of sign-in and sign-out, permission checks, and key actions in the app.
- Scan and redemption events: voucher identifier or QR payload, venue ID, employee ID, terminal details and amount deducted or outcome.
- We do not record audio, photos or media through the app. Camera access is used only to scan QR codes.
1.4 No marketing profiles
- The One Eden Ops app does not build marketing profiles. We do not use One Eden Ops data for advertising.
We do not deliberately collect special category data. Do not enter sensitive data into free text fields.
2) Purposes and legal bases
We process data to:
- Provide and secure the One Eden Ops app for venue operations such as scanning and redeeming vouchers, with audit trails.
Legal basis: contract with the venue and legitimate interests in providing and protecting the service. - Prevent fraud and misuse, investigate anomalies and protect customers and venues.
Legal basis: legitimate interests. - Comply with legal obligations, for example accounting and anti-fraud record keeping.
Legal basis: legal obligation.
We do not rely on consent for core One Eden Ops features. Where a specific consent is required by law, we will request it clearly.
3) How the One Eden Ops app works with vouchers
- Staff scan a QR or enter a voucher code to redeem part or all of a voucher at the venue.
- The app displays only the data needed to complete the redemption such as balance and expiry. Customer contact details are not shown to employees.
- Redemption results are recorded for audit and settlement between Eden and venues.
4) Sharing and recipients
We share data only as needed:
- Processors acting on our instructions
- Voucherify for voucher lifecycle and redemption validation.
- Google Firebase for push notifications and deep links where enabled.
- DigitalOcean in the EU for hosting and storage.
- Email service provider for operational emails related to access or security if required.
- Venues and partner operators
Your employer receives operational and audit information related to its venue such as who redeemed a voucher, when and for what amount. Employers may act as independent controllers for their own HR records and should provide their own privacy notices. - Legal and safety
Where required by law or to protect rights, property and safety.
We do not sell personal data.
5) International transfers
Our primary hosting is in the EU. Some providers may be located outside the EEA. Where data is transferred internationally we use appropriate safeguards such as the EU Standard Contractual Clauses together with technical and organisational measures.
6) Retention
- Employee account and access records: retained while the account is active plus a short buffer after deprovisioning for security and audit.
- Redemption and operational logs: retained for fraud prevention, audit and accounting in line with legal and business requirements, typically 5 to 10 years depending on applicable law.
- Diagnostics logs: kept for short operational periods unless required longer for security.
When an employer removes an employee in the admin panel the account is disabled and scheduled for deletion of personal data from active systems, subject to the retention above.
7) Your rights
Depending on the law that applies, you have rights to access, rectify, erase, restrict processing, object and to data portability. To exercise your rights contact support@oneeden.mt. You can also contact your employer about HR records they control. You may complain to your local authority. In Malta this is the Office of the Information and Data Protection Commissioner (IDPC).
We will respond within one month, extendable by up to two months for complex requests.
8) Security
We apply appropriate technical and organisational measures such as TLS encryption in transit, access controls, role based permissions, environment separation, monitoring and regular review of audit logs. No system is 100 percent secure. Report security concerns to support@oneeden.mt.
9) App permissions
- Camera: used to scan QR codes for redemption. Images are not stored by the app.
- Notifications: optional, for operational notices if enabled by your organisation.
- The app does not request precise location.
10) Children
The One Eden Ops app is a business tool for venue staff and is not intended for children. User accounts are provisioned by employers.
11) Changes to this policy
We will update this notice when our practices change. We will post the new version here and, where appropriate, notify administrators. Material changes will be highlighted.
12) Contact
Eden Entertainment Limited
Eden Place, St. Augustine's Street, St. Julian's, Malta, STJ3310
support@oneeden.mt
Key processors for One Eden Ops
- Voucherify - voucher lifecycle and redemption
- Google Firebase - push notifications and deep links where enabled
- DigitalOcean (EU) - hosting and storage
- Email service provider - operational email delivery where used
We choose providers with appropriate data protection measures and enter into data processing agreements with them.