Privacy Policy — Metal Hinges Manufacturing

Last updated: April 2026 · Compliant with GDPR (EU 2016/679) and Malta Data Protection Act (Chapter 586)

1. Data Controller

Metal Hinges Manufacturing (FARRCO)
Siġġiewi, Malta
Email: [email protected]
Website: cnclaserquote.com

We are the data controller responsible for the personal data collected through this platform.

2. What Data We Collect

Data	Purpose	Legal Basis
Name, email, phone	Account creation, order communication, login codes	Contract performance (Art. 6(1)(b))
Company name, VAT number	Invoicing, EU VAT zero-rating verification	Legal obligation (Art. 6(1)(c))
Address, city, postcode, country	Delivery, invoicing, VAT jurisdiction	Contract performance
DXF/DWG files	Manufacturing, quoting, order history	Contract performance
Order history, messages	Service delivery, customer support	Contract performance
IP address, login timestamps	Security, fraud prevention, rate limiting	Legitimate interest (Art. 6(1)(f))

3. How We Use Your Data

We use your personal data solely for:

Processing and fulfilling your CNC laser cutting orders
Communicating about your orders (status updates, pricing, collection)
Generating invoices and maintaining accounting records
Verifying EU VAT numbers for zero-rated transactions
Sending login codes for passwordless authentication
Protecting against fraud and abuse (rate limiting, audit logs)

We do not use your data for marketing, profiling, or automated decision-making. We do not sell, rent, or share your personal data with third parties for their marketing purposes.

4. Data Sharing

We may share your data with:

Email service providers — to send login codes and order notifications (transactional emails only)
EU VAT validation service (VIES) — to verify VAT numbers for zero-rated transactions
Maltese tax authorities — as required by law for accounting and VAT reporting

We do not transfer data outside the European Economic Area (EEA). All data is stored on servers located in Malta.

5. Data Retention

Data Type	Retention Period	Reason
Account details (name, email, phone)	Duration of account + 1 year	Service continuity
Order records, invoices	7 years from order date	Maltese tax law requirement
DXF/DWG files	2 years from last order	Re-ordering convenience
Messages	2 years	Dispute resolution
Login codes	15 minutes (auto-expire)	Authentication only
Audit logs	1 year	Security

6. Your Rights (GDPR Articles 15-22)

Under GDPR, you have the right to:

Access — request a copy of all personal data we hold about you
Rectification — correct any inaccurate data
Erasure ("right to be forgotten") — request deletion of your data, subject to legal retention requirements
Data portability — receive your data in a structured, machine-readable format
Restriction — request we limit how we process your data
Object — object to processing based on legitimate interests

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

7. Cookies & Authentication

We use only strictly necessary cookies for:

Session cookies — to keep you logged in during your visit
Cloudflare Access cookies — for secure authentication

We do not use analytics cookies, advertising cookies, or third-party tracking. No cookie consent banner is required for strictly necessary cookies under GDPR, but we inform you here for transparency.

8. Security

We protect your data through:

Passwordless authentication (login codes via email — no passwords stored)
HTTPS encryption on all connections
Rate limiting on login attempts and API access
Regular encrypted backups
Access restricted to authorised personnel only

9. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Malta Information and Data Protection Commissioner (IDPC) within 72 hours and notify affected individuals without undue delay, as required by GDPR Articles 33-34.

10. Children

Our services are intended for business use and are not directed at individuals under 18 years of age. We do not knowingly collect data from minors.

11. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

Information and Data Protection Commissioner (IDPC)
Level 2, Airways House, High Street
Sliema SLM 1549, Malta
Website: idpc.org.mt

12. Changes to This Policy

We may update this policy from time to time. The current version will always be available at this page. Material changes will be communicated via email to registered users.