Logo← Back

One Eden — Privacy Policy

Effective date: 03 September 2025

Controller: Eden Entertainment Limited (Malta)
Address: Eden Place, St. Augustine's Street, St. Julian's, Malta, STJ3310
Email: support@oneeden.mt

We operate from Malta and serve users, including tourists, from many countries. This notice explains how we handle your personal data when you use the One Eden mobile app, buy or receive gift vouchers, or otherwise interact with our services.

1) Personal data we collect

1.1 Data you provide

  • Account and profile: first name, last name, email, phone number, date of birth, gender.
  • Onboarding and preferences: residency (tourist or local), stay dates and hotel if shared, travel party, and the areas of interest you select.
  • Marketing preferences: push, email and SMS opt-ins and notification settings.
  • Voucher flows: purchase for yourself or as a gift. For gifts, we collect recipient email and may collect recipient name and phone.

1.2 Data collected automatically

  • Device and app: device model, operating system, app version, language or region, push token, diagnostics and crash logs, approximate location if you grant permission.
  • Usage and events: screens viewed, taps, claim attempts, redemption outcomes and similar analytics.

1.3 From transactions and partners (as needed to deliver the service)

  • Payments: processed by Stripe. We receive payment status and identifiers. We do not receive full card numbers.
  • Vouchers: lifecycle, including creation, balance, expiry and redemptions, managed via Voucherify.
  • Push and deep links: delivered via Google Firebase, including FCM or APNs and Dynamic Links.
  • Analytics and marketing automation: via CleverTap.
  • Email delivery: via Brevo.
  • Hosting: on DigitalOcean, Germany, Frankfurt, EU.
  • Redemptions at venues: when a voucher is redeemed, we record venue, time and amount for your balance history.

We do not deliberately collect special category data. Please do not include sensitive information in free-text fields.

2) Purposes and legal bases

We process personal data to:

  • Provide the app and core features such as account, wallet, voucher purchase, gift delivery and claim links, and redemption history.
    Legal basis: contract (Article 6(1)(b) GDPR).
  • Personalise content and offers based on your selected interests and in-app behaviour using non-intrusive segmentation.
    Legal basis: legitimate interests (Article 6(1)(f)) to make the app more relevant. You can object at any time. See Section 7.
  • Send marketing communications by push, email or SMS where you opt in. You can opt out in settings or via unsubscribe links.
    Legal basis: consent (Article 6(1)(a)). You may withdraw consent at any time.
  • Send service communications such as receipts, gift delivery emails and security notices.
    Legal basis: contract and legitimate interests.
  • Process payments, prevent fraud and handle disputes.
    Legal basis: contract and legitimate interests.
  • Maintain security and prevent misuse including anti-abuse controls, rate limiting and logs.
    Legal basis: legitimate interests.
  • Comply with legal obligations such as accounting or tax retention and handling rights requests.
    Legal basis: legal obligation (Article 6(1)(c)).

Where we rely on consent, refusal or withdrawal will not affect features that do not require consent.

3) How vouchers and gifts work

  • Buying for yourself: we issue a voucher via Voucherify and show it in your Wallet. You also receive a PDF voucher by email.
  • Gifting: you must provide the recipient's email so we can send a one-time claim link and the PDF voucher. The recipient may add the voucher to their One Eden wallet via the link or use the attached PDF at participating venues.
  • Redemption: venues scan the QR code or voucher code to deduct amounts. We update the balance and record venue, time and amount.
  • Claim links: one-time and time-limited. Adding a voucher to a wallet does not invalidate the PDF unless stated in the voucher terms.

4) Who we share data with

We share personal data only as necessary to run the service:

  • Processors acting on our instructions: Voucherify for voucher lifecycle, Stripe for payments, CleverTap for analytics and marketing automation, Google Firebase for push and deep links, Brevo for email delivery, DigitalOcean for EU hosting.
  • Venues: at redemption we share only what is needed to process the voucher, such as voucher identifier or validity, amount or balance and the redemption outcome. We do not share your email or phone with venues for their marketing without your consent.
  • Legal and safety: where required by law or to protect rights, property and safety.

We do not sell your personal data.

5) International transfers

Some providers may be outside Malta or the EEA, for example in the United States. Where we transfer data internationally, we use appropriate safeguards such as the EU or UK Standard Contractual Clauses and the UK Addendum where relevant, together with technical and organisational measures.

6) Retention

We keep personal data only as long as needed:

  • Account and profile: for the life of your account. If you delete your account, we schedule deletion or anonymisation as described in Section 9.
  • Transactions and vouchers: retained to meet legal or accounting duties, typically 5-10 years depending on applicable law.
  • Marketing data: retained while you remain opted in and engaged. Stale records are periodically minimised or removed.
  • Logs and diagnostics: kept for short operational periods unless needed longer for security or legal reasons.

7) Your rights (GDPR and UK GDPR)

You have the rights to access, rectify, erase, restrict processing, object, including to personalisation based on legitimate interests, and data portability. Where we rely on consent, you may withdraw consent at any time.

To exercise your rights, email support@oneeden.mt. You can also complain to your local supervisory authority. In Malta, this is the Office of the Information and Data Protection Commissioner, IDPC.

8) Personalisation and your choices

We use basic segmentation, for example your selected interests and in-app activity, to prioritise relevant offers. This does not produce legal or similarly significant effects. You can object to this personalisation via in-app settings or by contacting us. The app remains usable but may be less tailored.

9) Deleting your account

In-app deletion (primary method). You can permanently delete your One Eden account in the app: My Profile -> Delete my account. Deletion is immediate and irreversible. Your profile, preferences and wallet are deleted from active systems and active sessions are revoked. We may retain minimal records that we are legally required to keep, for example Stripe transaction identifiers, amounts and accounting entries, and fraud prevention logs. These are held separately and are not used for marketing. Any unclaimed PDF vouchers remain subject to their own terms and may still be redeemable offline, but they will no longer appear in the app.

Deletion via support. If you cannot access the app, email support@oneeden.mt from the address linked to your account. We place the account into a pending deletion state for up to 30 days to prevent mistakes and allow fraud or security review. After that period we delete or irreversibly anonymise the account data, subject to legally required records as described above. We may ask for additional information to verify your identity.

10) Young people and content gating

One Eden may be used by individuals aged 13 and over. If you are under the age of digital consent in your country, typically 16 in Malta and the EEA, you should use the app with parental or guardian consent. We restrict alcohol related and other adult offers to users aged 18+. If you believe a child has provided data without appropriate consent, contact us and we will delete it.

11) Security

We implement appropriate technical and organisational measures, for example TLS encryption in transit, access controls, environment separation and monitoring. No system is 100 percent secure. If you have concerns, contact support@oneeden.mt.

12) Push notifications and emails

You can control push notifications in the app settings or your device operating system. Even if you opt out of marketing, we may still send service messages such as receipts, gift delivery notices, security updates and essential app notices. For marketing emails, use the unsubscribe link or adjust settings in the app.

13) Third party links

The app may link to third party booking sites or venue pages. Those services have their own privacy policies which we do not control. Review them before sharing your data.

14) Changes to this policy

We will update this notice when our practices change. We will post the new version here and, where appropriate, notify you in the app. If changes are material, we will seek consent again where required by law.

15) Contact

Eden Entertainment Limited
Eden Place, St. Augustine's Street, St. Julian's, Malta, STJ3310
support@oneeden.mt

Supervisory authority in Malta: Office of the Information and Data Protection Commissioner (IDPC)

Key processors (transparency)

  • Stripe - payment processing
  • Voucherify - voucher lifecycle management
  • CleverTap - analytics and marketing automation
  • Google Firebase - push notifications and dynamic links
  • Brevo - email delivery
  • DigitalOcean (Germany, Frankfurt, EU) - hosting
  • Infobip - SMS delivery

We choose providers with appropriate data protection measures and enter into data processing agreements with them.