Privacy Policy
How Cuddly Times Ltd (trading as KaYu Solutions) collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and the Malta Data Protection Act (Chapter 586).
Privacy Policy
Last updated: 27 April 2026
This Privacy Policy explains how Cuddly Times Ltd, trading as KaYu Solutions (“we”, “us”, “our”), collects, uses, stores, and protects personal data in connection with our website at kayusolutions.com and our consulting services (together, the “Services”). It is written in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Act (Chapter 586 of the Laws of Malta).
We are committed to handling your personal data transparently and lawfully. Please read this policy carefully.
1. Data Controller
The data controller responsible for your personal data is:
Cuddly Times Ltd (trading as KaYu Solutions)
Ta Paris Court
Triq Censu Costa
Birkirkara, Malta
Email: privacy@kayusolutions.com
Website: https://kayusolutions.com/
If you have any questions about how we process your personal data, please contact us at the address above.
2. What Data We Collect and How
We collect personal data in the following ways:
a) Contact and enquiry forms
When you contact us via the website contact form or by email, we collect your name, email address, organisation name (if provided), and the content of your message. This data is used to respond to your enquiry and to assess whether our services are a good fit.
b) Consulting engagements
When you engage KaYu Solutions for consulting services, we collect the personal and business data necessary to deliver those services. This may include your name, job title, contact details, and professional background. In the course of an engagement, we may also process personal data belonging to your employees, customers, or other third parties on your behalf — in which case we act as a data processor and you, as the client, remain the data controller for that data.
c) Discovery calls and meetings
When you book a discovery call or meeting with us, we collect your name, email address, and any information you share in the course of that conversation.
d) Server and access logs
Our web hosting provider automatically records technical data when you visit the Site, including your IP address, browser type and version, operating system, referring URL, pages visited, and the date and time of your request. This data is used for security, fraud prevention, and diagnosing technical issues.
e) Cookies and similar technologies
We use cookies and similar tracking technologies on our Site. Please see Section 7 (Cookies) for full details.
f) Marketing communications
If you subscribe to our mailing list or opt in to receive updates, we will collect your email address and, where provided, your name and organisation. You may unsubscribe at any time using the link included in every communication.
We do not knowingly collect personal data from children under the age of 16.
3. Lawful Basis for Processing
Under Article 6 of the GDPR, we rely on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Responding to enquiries and contact messages | Legitimate interests (Art. 6(1)(f)) — to respond to communications addressed to us |
| Delivering consulting services under contract | Contract (Art. 6(1)(b)) — necessary to perform a contract with you or to take pre-contractual steps |
| Processing third-party data during an engagement | Contract + Legitimate interests, governed by a separate data processing agreement with the client |
| Server and security logs | Legitimate interests (Art. 6(1)(f)) — to maintain the security and integrity of the Site |
| Sending marketing communications | Consent (Art. 6(1)(a)) — only where you have explicitly opted in |
| Compliance with legal obligations (e.g. tax, accounting) | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms.
4. How We Use Your Data
We use your personal data for the following purposes:
- To respond to enquiries and assess fit for our services
- To deliver consulting, advisory, and engineering services under contract
- To communicate with you about ongoing engagements
- To operate and improve the Site
- To ensure the security and proper functioning of our systems
- To send you insights or updates, where you have consented
- To comply with applicable law and legal obligations, including tax and accounting requirements
- To defend or exercise legal claims where necessary
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
5. Data Sharing and Third Parties
We may share your personal data with:
a) Hosting and infrastructure providers
Our Site is hosted on third-party infrastructure. Hosting providers process access log data on our behalf under appropriate data processing agreements.
b) Communication and productivity tools
We use professional communication and project management tools to deliver our services. These tools may process your name and contact details on our behalf under data processing agreements.
c) Accounting and invoicing services
Where required for billing and tax purposes, we may share your name, organisation, and contact details with our accounting software or advisors.
d) Analytics providers
If analytics software is in use on the Site, it may process anonymised or pseudonymised data about Site usage. Where personal data is involved, it is processed under a data processing agreement.
e) Legal and regulatory authorities
We may disclose your data to law enforcement, courts, or regulatory authorities where required by law or to protect our legal rights.
All third-party processors are required to handle your data in compliance with the GDPR and are bound by contractual obligations to maintain appropriate security measures.
6. Client Data Processing
Where KaYu Solutions processes personal data on your behalf during a consulting engagement (for example, reviewing your customer data, employee records, or system logs), we do so as a data processor acting on your instructions as the data controller.
In such cases, we will agree to a Data Processing Agreement (“DPA”) with you before processing begins. The DPA sets out the scope, nature, and purpose of the processing, the type of data involved, and the obligations of each party. We will not use client data for any purpose other than delivering the agreed services, and we will delete or return it upon completion of the engagement.
7. Cookies
We use cookies — small text files stored on your device — to help the Site function and, where applicable, to understand how it is used.
Types of cookies we use:
| Cookie Type | Purpose | Retention |
|---|---|---|
| Strictly necessary | Required for core Site functionality (e.g., contact form session management) | Session or up to 12 months |
| Analytics / performance | Helps us understand how visitors interact with the Site. Data is anonymised or pseudonymised where possible. | Up to 13 months |
| Preference | Remembers choices you make on the Site | Up to 12 months |
Your choices:
When you first visit the Site, you will be informed about our use of cookies. You may accept or decline non-essential cookies. You can also manage or delete cookies at any time through your browser settings.
For more information on managing cookies, visit www.aboutcookies.org.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Enquiry and contact messages | Up to 3 years from last contact |
| Consulting engagement records | Up to 7 years after engagement close (professional liability and tax compliance) |
| Invoices and financial records | Up to 10 years (Maltese tax and accounting obligations) |
| Server and access logs | Up to 12 months |
| Marketing email list | Until you unsubscribe or withdraw consent |
When data is no longer needed, we securely delete or anonymise it.
9. International Data Transfers
Where personal data is transferred to countries outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards may include Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other appropriate transfer mechanisms.
Given the international nature of consulting work, data may be processed or accessed from multiple jurisdictions. We will always ensure that transfers comply with applicable data protection law.
10. Your Rights
Under the GDPR and the Malta Data Protection Act (Chapter 586), you have the following rights in relation to your personal data:
- Right of access (Art. 15 GDPR): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You may request that we correct inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): You may request that we delete your personal data in certain circumstances. Note that erasure may not be possible where we are required to retain records by law (e.g. financial and tax records).
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict how we use your data in certain circumstances.
- Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract, you may request your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
- Right to withdraw consent: Where we rely on consent as the lawful basis, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at privacy@kayusolutions.com. We will respond within one calendar month of receiving your request, as required by Article 12 of the GDPR.
11. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the supervisory authority in Malta:
Office of the Information and Data Protection Commissioner (IDPC)
Level 2, Airways House
High Street, Sliema SLM 1549, Malta
Tel: +356 2328 7100
Email: idpc.info@idpc.org.mt
Website: https://idpc.org.mt
You may also lodge a complaint with the supervisory authority in the EU member state where you live or work, if different from Malta.
We encourage you to contact us first at privacy@kayusolutions.com so we can try to resolve any concerns directly.
12. Security
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted communications (HTTPS/TLS), access controls, and regular security reviews of our tools and processes.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the IDPC within 72 hours in accordance with Article 33 of the GDPR, and will inform affected individuals where required under Article 34.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the services we offer. The “Last updated” date at the top of this page will reflect the most recent revision. Where changes are material, we will take steps to bring them to your attention.
14. Contact Us
For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact:
Cuddly Times Ltd (trading as KaYu Solutions)
Ta Paris Court, Triq Censu Costa, Birkirkara, Malta
Privacy enquiries: privacy@kayusolutions.com
General enquiries: hello@kayusolutions.com
Contact form: kayusolutions.com/contact/