Gatekick Labs / solutions Talk to us
Privacy

Privacy policy

Version 1.0. Effective 8 April 2027.

1. Who we are

Gatekick Labs Limited is the data controller responsible for your personal data. We are a company registered in Malta (a Member State of the European Union) under company number C 115354, with registered address at Tigne Towers 90/1, Tigne Street, Sliema, Malta. This privacy policy explains how we collect, use, store, and protect personal data when you visit gatekick.com or interact with us.

When this policy refers to "Gatekick Labs," "we," "us," or "our," it means Gatekick Labs Limited.

Our supervisory authority for data protection matters is the Office of the Information and Data Protection Commissioner (IDPC) in Malta.

2. What data we collect

We collect a limited amount of personal data. The specific categories depend on how you interact with our website.

Contact form submissions

When you use the contact form on our website, we collect the following information that you voluntarily provide.

  • Your name
  • Your email address
  • Your company name
  • Your message

Career inquiries

If you contact us about career opportunities by emailing [email protected], we may collect your email address and any background information you choose to include in your message.

Analytics data

We use Google Analytics 4 (property ID G-MT4FY4HL0C) to understand how visitors use our website, but only after you grant consent through our Cookiebot banner. Until you give consent, all analytics tags are blocked by Google Consent Mode v2 with all signals defaulted to "denied". If you accept statistics cookies, Google Analytics collects the following data:

  • Your IP address, which GA4 uses transiently for geolocation and then discards without storing it on Google's servers (IP truncation)
  • A persistent GA4 client identifier stored in the first-party _ga cookie — this remains personal data under Article 4(1) GDPR
  • Browser type and version
  • Operating system
  • Referring website
  • Pages visited, time spent on pages, and navigation paths
  • Device type and screen resolution
  • Approximate geographic location (derived from the IP before it is discarded)

The data is pseudonymous rather than anonymous: we do not combine analytics data with contact-form submissions or other identifiers to single out individual visitors, but the GA4 client identifier alone is sufficient to make the data personal data under Article 4(1) GDPR.

Security and bot protection data

We use Cloudflare Turnstile on our contact form to protect against automated abuse. Cloudflare Turnstile may collect the following data.

  • IP address
  • Browser metadata and interaction signals
  • Challenge completion tokens

Cloudflare processes this data to determine whether a visitor is a real person. No CAPTCHAs or visual puzzles are shown in most cases. You can read more in Cloudflare's privacy policy.

Cookie consent data

We use Cookiebot (provided by Usercentrics A/S) to manage cookie consent. When you make a consent choice, Cookiebot records the following data so we can demonstrate compliance with the GDPR and the ePrivacy Directive.

  • Anonymized IP address
  • Browser user agent
  • The date and time consent was given or withdrawn
  • The website domain (gatekick.com)
  • The version of the consent banner shown to you
  • Your specific consent state (which cookie categories you accepted or refused)

Cookiebot keeps consent records for 12 months. You can read more in Cookiebot's privacy policy.

Data we do not collect

We do not operate user accounts on this website. We do not collect payment or financial information through this website. We do not run a newsletter or mailing list at this time.

3. How we use your data

We use the personal data we collect for the following purposes.

  • Responding to inquiries. When you submit the contact form, we use your name, email, company, and message to respond to your inquiry and discuss potential projects.
  • Evaluating career interest. When you email us about career opportunities, we use the information you provide to assess whether there may be a fit.
  • Website analytics. We use Google Analytics to understand traffic patterns, identify popular content, and improve the website experience. We do not use analytics data to identify individual visitors.
  • Security and abuse prevention. We use Cloudflare Turnstile to prevent automated spam and abuse through our contact form.
  • Consent management. We use Cookiebot to record your cookie consent choices so we can respect them on subsequent visits and demonstrate compliance with the GDPR and ePrivacy Directive.

Under the General Data Protection Regulation (GDPR), we must have a valid legal basis for processing your personal data. The legal bases we rely on depend on the type of processing.

Processing activity Legal basis (GDPR Article 6(1))
Responding to contact form submissions Taking steps before entering into a contract at your request (Article 6(1)(b)), and our legitimate interest in communicating with prospective clients (Article 6(1)(f))
Processing career inquiries Our legitimate interest in evaluating potential candidates (Article 6(1)(f)), and your consent by voluntarily sending us your information (Article 6(1)(a))
Google Analytics Your consent, provided through our cookie consent mechanism (Article 6(1)(a))
Cloudflare Turnstile Our legitimate interest in protecting the website from automated abuse (Article 6(1)(f))
Cookiebot consent records Compliance with our legal obligation to obtain and demonstrate valid consent under Article 5(3) of the ePrivacy Directive and Article 7 of the GDPR (Article 6(1)(c))

Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time.

5. Cookies and tracking

Our website uses cookies and similar technologies. Google Analytics 4 sets cookies to distinguish unique visitors and track session information. Cloudflare may set cookies related to security and bot detection.

We do not use cookies for advertising, retargeting, or user profiling. We do not use cookies for login or authentication because this website does not have user accounts.

To collect and demonstrate consent for non-essential cookies, we use Cookiebot by Usercentrics A/S as our consent management platform. The Cookiebot banner appears on your first visit and lets you accept, refuse, or selectively allow cookie categories. You can change or withdraw your consent at any time by clicking the cookie icon at the bottom-left of any page on gatekick.com. Until consent is given, all non-essential cookies (including Google Analytics) are blocked.

For full details on the cookies used, their purpose, and how to manage them, please see our cookie policy.

6. Data sharing

We do not sell, rent, or trade your personal data. We share data only with the following third party service providers, who process data on our behalf.

Provider Purpose Data shared
Google LLC (Google Analytics 4) Website analytics Anonymized IP address, browser and device information, pages visited, session data
Cloudflare, Inc. (Turnstile) Bot protection on contact form IP address, browser metadata, interaction signals
Usercentrics A/S (Cookiebot) — Copenhagen, Denmark (EU) Cookie consent management and consent record-keeping Truncated IP address, consent state, timestamp, browser user agent, website domain, banner version

These providers act as data processors under agreements that comply with GDPR Article 28. They are contractually obligated to process your data only for the purposes we specify and in accordance with applicable data protection law. Usercentrics A/S is established in the European Union and processes consent records within the EU; no third-country transfer occurs for those records.

We may also disclose personal data if required to do so by law or in response to a valid legal request from a competent authority.

7. International transfers

Google LLC and Cloudflare, Inc. are companies headquartered in the United States. When your data is processed by these providers, it may be transferred outside the European Economic Area (EEA).

These transfers are safeguarded by the European Commission's adequacy decision of 10 July 2023 establishing the EU-US Data Privacy Framework (Decision C(2023) 4745), under which both Google LLC and Cloudflare, Inc. are certified. Where the EU-US Data Privacy Framework does not apply to a specific data flow, transfers also rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) supplemented by appropriate technical and organisational measures (IP truncation, encryption in transit, contractual access restrictions) as required by Chapter V of the GDPR.

You can request a copy of the relevant transfer safeguard, or find more information in each provider's documentation.

Consent records handled by Usercentrics A/S (Cookiebot) are processed within the European Union (Denmark) and are not transferred to a third country.

8. Data retention

We retain personal data only for as long as necessary to fulfill the purpose for which it was collected, or as required by law.

  • Contact form submissions. We retain your name, email, company, and message for up to 24 months after your inquiry, unless an ongoing business relationship requires longer retention.
  • Career inquiries. We retain candidate information for up to 12 months after your last communication with us, unless you ask us to delete it sooner.
  • Google Analytics data. Analytics data is retained in Google Analytics for 14 months, after which it is automatically deleted. Anonymized, aggregated data may be retained longer.
  • Cloudflare Turnstile data. Cloudflare retains security logs in accordance with its own data retention policies, typically for a limited period necessary for security purposes.

When the retention period expires, we securely delete or anonymize the data so that it can no longer be associated with you.

9. Your rights under the GDPR

Under the General Data Protection Regulation and the Malta Data Protection Act (Cap. 586), you have the following rights regarding your personal data.

  • Right of access (Article 15). You can request a copy of the personal data we hold about you.
  • Right to rectification (Article 16). You can ask us to correct any personal data that is inaccurate or incomplete.
  • Right to erasure (Article 17). You can ask us to delete your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected.
  • Right to restriction of processing (Article 18). You can ask us to temporarily stop processing your data in certain circumstances, such as while we verify its accuracy.
  • Right to data portability (Article 20). You can request that we provide your personal data in a structured, commonly used, and machine readable format so that you can transfer it to another controller.
  • Right to object (Article 21). You can object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Article 7(3)). Where we process data based on your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before you withdrew consent.

To exercise any of these rights, contact us at the email address listed in section 10 below. We will respond to your request within one month of receipt, as required by Article 12(3) of the GDPR. Where necessary, taking into account the complexity and number of the requests, that period may be extended by two further months, and we will inform you of any such extension within one month of receipt of the request, together with the reasons.

There is no fee for exercising your rights in most cases. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request, as permitted by Article 12(5) of the GDPR.

Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is the Office of the Information and Data Protection Commissioner (IDPC) in Malta, but you may also complain to the supervisory authority of your EU or EEA Member State of habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR).

Office of the Information and Data Protection Commissioner (IDPC)
Level 2, Airways House, High Street
Sliema SLM 1549, Malta
Telephone: +356 2328 7100
Email: [email protected]
Website: idpc.org.mt

We encourage you to contact us first so that we can try to resolve your concern directly.

10. How to contact us

If you have any questions about this privacy policy, want to exercise your data protection rights, or have a concern about how we handle personal data, you can reach us at the following address.

Gatekick Labs Limited
A limited liability company incorporated in Malta under company number C 115354
Registered address: Tigne Towers 90/1, Tigne Street, Sliema, Malta
Email: [email protected]

We have not appointed a Data Protection Officer because our processing activities do not meet the criteria in Article 37(1) GDPR. For all data-protection matters, contact us at the email above. Because Gatekick Labs Limited is established in the EU (Malta), the Article 27 GDPR requirement to appoint an EU representative does not apply.

We aim to respond to all data protection inquiries within one month of receipt, in line with Article 12(3) GDPR.

11. Security of your data

We implement appropriate technical and organisational measures as required by Article 32 GDPR, including TLS encryption for all data in transit, access controls and least-privilege for any systems that hold contact-form submissions, logging and monitoring, periodic review of processor agreements, and restricted administrative access to back-end systems. No security measure is absolute, but we take reasonable steps proportionate to the risk of the processing.

12. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Information and Data Protection Commissioner without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33 GDPR). Where a breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Article 34 GDPR).

13. Automated decision-making

We do not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. Cloudflare Turnstile performs an automated bot-versus-human assessment for the sole purpose of protecting our contact form; this does not produce legal or similarly significant effects on you.

14. Children's data

Our website is a business-to-business service directed at companies and professionals. It is not intended for, and we do not knowingly collect personal data from, children under the age of 16. If you believe a child has provided us with personal data, please contact us and we will erase it in accordance with Article 17 GDPR.

15. Whether provision of data is required

Providing personal data through our contact form or by emailing us is entirely voluntary. It is not a statutory or contractual requirement and you are under no obligation to provide data. However, if you do not provide at least an email address and a message, we cannot respond to your inquiry.

We also maintain an internal record of processing activities in accordance with Article 30 GDPR. All personal data we process about you is collected directly from you; we do not acquire contact lists, do not enrich submissions using third-party data brokers, and do not process personal data obtained from LinkedIn or other sources beyond what you have publicly shared with us directly. Our LinkedIn presence is limited to publishing content; our website does not load the LinkedIn Insight Tag or any LinkedIn tracking pixel.

16. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We use major.minor version notation: minor revisions (wording, clarifications) increment the minor number (1.1, 1.2…); material changes increment the major number (2.0). When we make changes, we will update the version number and "Effective" date at the top of this page.

If we make material changes that significantly affect how we process your personal data, we will make reasonable efforts to notify you, such as by posting a prominent notice on our website.

We encourage you to review this page periodically to stay informed about how we protect your data.