1. Introduction & Scope
GDPR Compliant — Regulation (EU) 2016/679
Aftermath Ltd ("we", "us", "our") is the data controller for personal data collected and processed through the Insuq platform, including the mobile application and web services. This document explains how we collect, use, store and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and the Maltese Data Protection Act (Chapter 586 of the Laws of Malta).
This notice applies to all users of the Insuq platform — driving instructors, students, and visitors — who interact with our application, website, or communication channels.
2. Data We Collect
We collect the following categories of personal data:
Identity Data: full name, username, date of birth, profile photo
Contact Data: email address, phone number, postal address
Account Data: login credentials (hashed), account preferences, language settings
Learning Data: quiz scores, module progress, lesson history, skill assessments, flashcard performance
Instructor Data: ADI licence number, vehicle registration, student reviews, lesson plans, earnings records
Usage Data: app interaction logs, pages visited, features used, session duration, device type, IP address
Payment Data: subscription status, payment method type (we do not store full card details — processed by PCI-DSS compliant providers)
Communication Data: messages sent within the platform, support queries, feedback forms
Location Data: only when explicitly enabled and only for lesson map features — never tracked in background
3. How We Use Your Data
We process your personal data for the following purposes and under the corresponding lawful bases:
Service Delivery (Contract): to provide the Insuq platform, manage accounts, deliver lessons, track progress and generate lesson plans
Platform Improvement (Legitimate Interest): to analyse usage patterns, identify bugs, improve features, and personalise the learning experience. We use aggregated and anonymised data for this purpose.
Safety & Compliance (Legal Obligation): to verify instructor ADI licences, maintain audit logs, and comply with Maltese and EU law
Marketing & Promotions (Consent): to send promotional emails, push notifications and SMS about new features, offers and updates — only when you have explicitly opted in
Customer Support (Contract / Legitimate Interest): to respond to your queries and resolve issues
We do not sell, rent, or trade your personal data with any third party for their own marketing purposes. Your data is yours.
4. Data Sharing & Third Parties
We share data only where strictly necessary and with appropriate safeguards in place:
Cloud Infrastructure: hosting and storage providers operating within the EU/EEA under GDPR-compliant data processing agreements
Payment Processors: PCI-DSS compliant payment gateways to process subscription fees — they receive only what is necessary to complete transactions
Analytics Tools: privacy-first analytics providers under data processing agreements — no personal identifiers are shared
Communication Providers: email and SMS delivery services under GDPR-compliant agreements
Legal Authorities: only when required by law, court order or to protect the rights, property or safety of Aftermath Ltd or our users
All third-party processors are bound by contractual obligations under Article 28 GDPR. We do not transfer personal data outside the EU/EEA except where adequate safeguards (Standard Contractual Clauses) are in place.
5. Data Retention
Active accounts: data retained for the duration of the account plus 3 years after closure
Learning & progress records: retained for 5 years to support reference checks and exam appeals
Payment records: retained for 7 years to comply with Maltese tax legislation
Support communications: retained for 2 years from resolution
Marketing consent records: retained until consent is withdrawn plus 3 years for legal evidence
Usage logs: anonymised after 12 months and retained in aggregate form indefinitely for improvement purposes
6. Security Measures
Aftermath Ltd implements appropriate technical and organisational measures to protect your personal data against accidental loss, destruction, alteration, disclosure, or unauthorised access:
All data transmitted over the network is encrypted using TLS 1.3
Passwords are stored using bcrypt hashing — never in plain text
Access to personal data is restricted to authorised personnel only, on a need-to-know basis
Regular security audits and penetration testing are conducted
Two-factor authentication is available and encouraged for all accounts
Data breach notification procedures are in place as required by Article 33 GDPR
7. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights, which you can exercise at any time by contacting dpo@insuq.com:
Right of Access (Art. 15): request a copy of all personal data we hold about you
Right to Rectification (Art. 16): correct inaccurate or incomplete personal data
Right to Erasure (Art. 17): request deletion of your data where there is no legitimate reason for continued processing
Right to Restriction (Art. 18): ask us to suspend processing of your data in certain circumstances
Right to Portability (Art. 20): receive your data in a structured, machine-readable format (JSON/CSV)
Right to Object (Art. 21): object to processing based on legitimate interests or for direct marketing at any time
Right to Withdraw Consent: withdraw consent for marketing communications at any time through the app settings or by clicking "unsubscribe" in any email
We will respond to all verified requests within 30 days. You also have the right to lodge a complaint with the IDPC Malta (idpc.org.mt) at any time.
8. Marketing & Promotional Communications
We will only send you promotional content — including emails, push notifications and SMS — if you have explicitly given your consent by opting in within the Insuq app or during registration.
You may withdraw your consent at any time through Settings → Notifications → Marketing Preferences
You may also unsubscribe from any marketing email using the unsubscribe link at the bottom of each email
Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal
Transactional communications (account alerts, booking confirmations, lesson reminders) are not marketing and may still be sent as part of service delivery
We do not share your contact details with third parties for their own marketing purposes under any circumstances.
9. Cookies & Tracking
The Insuq app and website use cookies and similar technologies. These fall into the following categories:
Essential Cookies: required for login sessions and security — cannot be disabled
Functional Cookies: remember your preferences such as language and theme settings
Analytics Cookies: help us understand usage patterns — only with your consent, using anonymised data
Marketing Cookies: used to measure the effectiveness of campaigns — only with your explicit consent
You can manage your cookie preferences at any time via the Cookie Settings option in the app or website footer.
10. Changes to This Notice
We may update this GDPR notice from time to time to reflect changes in law, technology, or our practices. We will notify you of any material changes via email or prominent in-app notification at least 30 days before they take effect.
Continued use of the Insuq platform after the effective date of any update constitutes acceptance of the revised notice. The latest version is always available in the app under Settings → Legal.
Contact & Queries
For any questions, data requests or complaints regarding this document, please contact our Data Protection Officer directly.
Company
Aftermath Ltd
Registered in Malta · EU VAT Registered
Data Protection Officer
dpo@insuq.com
Supervisory Authority
Office of the Information and Data Protection Commissioner (IDPC) — Malta
idpc.org.mt
© 2025 Aftermath Ltd — All rights reserved
Insuq® is a product of Aftermath Ltd, Malta