Legal

Privacy Policy

Fan Travel World — operated by GAL & CO CORPORATE LIMITED

Last updated: 9 June 2026 · Effective: 10 June 2026 · Company No. C86760 · Malta

1. Introduction

This Privacy Policy explains how Fan Travel World, a brand operated by GAL & CO CORPORATE LIMITED, collects, uses, discloses, and protects your personal data when you access or use our website at fantravelworld.com and our ticket resale marketplace services (collectively, the "Services").

This Policy is designed to comply with:

  • EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
  • Maltese Data Protection Act (Chapter 586 of the Laws of Malta)
  • UK General Data Protection Regulation (UK GDPR)
  • California Consumer Privacy Act (CCPA) as amended by the CPRA — applicable to California residents
  • Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) — applicable to Mexican residents
  • UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection — applicable to data processing by our affiliated supplier entity
  • Meta Pixel, Advanced Matching, and Conversions API disclosure requirements
  • Google Analytics 4, Google Ads, Google Tag Manager (including server-side), and Enhanced Conversions disclosure requirements

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of our Services.

2. Data Controller and Affiliated Entities

2.1 Data Controller

For the purposes of the GDPR and applicable data protection laws, the data controller responsible for your personal data is:

Field | Details
Legal Name | GAL & CO CORPORATE LIMITED
Trading As | Fan Travel World
Registered Address | 36 St Dminka Street, Victoria, Gozo, VCT 9030, Malta
Company Registration | C86760
VAT Number | MT25325505
Privacy Contact | [email protected]
Website | https://fantravelworld.com/en

GAL & CO CORPORATE LIMITED is the contract counterparty for all transactions you conduct through the Services. You contract directly and solely with GAL & CO CORPORATE LIMITED.

2.2 Affiliated Supplier (Data Processor)

Single-Vendor Marketplace Structure

Fan Travel World operates as a single-vendor marketplace. Tickets offered on our platform are sourced exclusively through our affiliated supplier entity located in the United Arab Emirates. This entity acts as a data processor under the instructions of GAL & CO CORPORATE LIMITED (Malta) for the purpose of ticket fulfilment.

This supplier entity receives only the minimum personal data necessary for fulfilment: your name, email address, and ticket delivery details. This transfer is governed by Standard Contractual Clauses (SCCs) and supplementary contractual measures (see Section 6). The affiliated supplier entity does not use your data for any purpose other than ticket fulfilment.

3. Information We Collect

3.1 Information You Provide Directly

  • Account Data: name, email address, password (hashed), profile preferences.
  • Transaction Data: billing address, payment method details (processed by our payment provider — we do not store full card numbers), order history, tickets purchased.
  • Communications: messages to our support team, feedback, and survey responses.
  • Marketing Preferences: your consent to receive marketing communications and opt-out requests.

3.2 Information Collected Automatically

  • Device Information: IP address, browser type and version, operating system, device identifiers.
  • Usage Data: pages visited, time spent, links clicked, search queries, referring URLs.
  • Location Data: approximate geographic location inferred from your IP address.
  • Cookies and Tracking Technologies: see Section 9 for full details, including server-side tracking.
  • Hashed Identifiers: SHA-256 hashed versions of your email and phone number used for advertising measurement (see Section 5.3).
  • First-Party Identifiers: identifiers stored in our database used for server-side tracking purposes (see Section 9.4).

3.3 Information from Third Parties

  • Payment Processors: transaction confirmation and fraud signals.
  • Advertising Platforms: aggregated audience insights from Meta and Google (no raw personal data received back).
  • Affiliated Supplier: fulfilment status and inventory data.
  • Public Sources: publicly available information used for fraud prevention.

4. How We Use Your Data

Purpose | Examples | Legal Basis (GDPR Art. 6)
Contract Performance | Processing ticket orders, managing your account, delivering tickets, handling refunds. | Art. 6(1)(b) — Necessary for contract performance
Legitimate Interests | Fraud detection, security monitoring, analytics, advertising optimisation, direct marketing to existing customers (subject to opt-out). | Art. 6(1)(f) — Legitimate interests balanced against your rights
Consent | Marketing emails and newsletters, advertising cookies and pixels, sharing hashed identifiers with Meta/Google for Advanced Matching and Enhanced Conversions. | Art. 6(1)(a) — Consent (withdrawable at any time)
Legal Obligation | Tax compliance (VAT reporting), anti-money laundering, responding to regulatory authorities. | Art. 6(1)(c) — Legal obligation

Where we rely on legitimate interests, we have conducted a balancing test. Contact [email protected] to request a copy of our legitimate interests assessment.

5. How We Share Your Data

We do not sell your personal data, except as described in Section 8.2 regarding California residents' rights under CCPA.

5.1 Service Providers

  • Payment Processors: to process transactions securely.
  • Cloud Hosting Providers: to host our website and databases.
  • Email and Communications Providers: to send transactional and marketing emails (including Zoho).
  • Customer Support Tools: to manage support tickets.

5.2 Affiliated Supplier (Single-Vendor Marketplace)

As described in Section 2.2, tickets are sourced exclusively through our affiliated supplier entity in the UAE. To fulfil your order, we share: your name, email address, and ticket delivery details. This entity acts solely as a processor and does not use your data for independent purposes. The transfer is governed by Standard Contractual Clauses (see Section 6).

5.3 Advertising and Analytics Partners (Client-Side and Server-Side)

We use a dual tracking architecture: client-side (browser-based) and server-side (backend-based) technologies. Both are subject to the same consent requirements — server-side tracking does NOT bypass your consent choices. The same opt-in is required for both, and the same rights apply to both.

Meta (Facebook & Instagram)

  • Meta Pixel (client-side): JavaScript code that tracks user actions (page views, add-to-cart, purchases) and reports them to Meta.
  • Meta Conversions API — CAPI (server-side): events sent directly from our backend servers to Meta, especially when browser tracking is limited (ad blockers, iOS restrictions). Deduplicated with client-side events via a unique event_id.
  • Advanced Matching: we share SHA-256 hashed versions of your email and phone number with Meta. SHA-256 is one-way — Meta cannot reverse it to obtain your raw data. Applies to both client-side and server-side channels.

Meta Data Policy · Manage ad preferences

Google (Analytics, Ads, Tag Manager & Enhanced Conversions)

  • Google Analytics 4 (client-side via GTM): tracks anonymised user behaviour on our website.
  • Google Ads Conversion Tracking (client-side): measures the effectiveness of our Google Ads campaigns.
  • Google Tag Manager (client-side and potentially server-side — sGTM): manages all tracking tags. Events may be routed through our own server-side GTM container before being forwarded to Google.
  • Google Enhanced Conversions (server-side): we share SHA-256 hashed email addresses with Google to improve conversion measurement accuracy. Hashing prevents Google from accessing your raw email address.

Google Privacy Policy · Opt out of Analytics

User Control: your cookie consent banner controls both client-side and server-side tracking. Withdrawing consent stops both channels. You can also opt out at youronlinechoices.com (EU) or aboutads.info (US).

5.4 Marketplace Participants

To fulfil your order, we share the minimum necessary data with our affiliated supplier (see Section 5.2). No other marketplace participants receive your personal data.

5.5 Legal and Regulatory

We may disclose your data to law enforcement, regulators, courts, or public authorities where required by law or to protect our legal rights or prevent fraud.

5.6 Business Transfers

In the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

6. International Data Transfers

Fan Travel World is registered in Malta (EU) and processes data primarily within the EEA. The following transfers outside the EEA occur:

Transfer | Destination | Safeguard
Meta, Google, and other US-based providers | United States | EU–US Data Privacy Framework (DPF) for certified organisations + Standard Contractual Clauses (SCCs) as fallback
Affiliated Supplier — ticket fulfilment | United Arab Emirates | Standard Contractual Clauses (SCCs) + supplementary contractual measures. Note: UAE does not currently hold an EU adequacy decision.

You may request a copy of the applicable safeguards by contacting [email protected].

7. Data Retention

Data Category | Retention Period | Rationale
Account data | Until deletion + 24 months | Operational continuity and dispute resolution
Transaction data | 7 years from transaction date | Tax and accounting obligations (Malta VAT Act)
Marketing consent & preferences | 14 months from last interaction | Email marketing best practice; GDPR accountability
Marketing email subscriptions | Until unsubscribe + 30 days | Opt-out processing and proof of consent
Support communications | 36 months from resolution | Dispute resolution and service improvement
Server and access logs | 12 months | Security monitoring and fraud investigation
Hashed ad identifiers (Meta/Google) | 90–180 days per platform policies | Advertising measurement and lookalike audiences
Cookie consent records | 24 months | GDPR accountability and audit trail

8. Your Rights

8.1 Rights Under EEA and UK GDPR

Right | What It Means
Access (Art. 15) | Request a copy of the personal data we hold about you.
Rectification (Art. 16) | Request correction of inaccurate or incomplete data.
Erasure (Art. 17) | Request deletion of your data in certain circumstances ('right to be forgotten').
Restriction (Art. 18) | Request that we limit processing in certain circumstances.
Portability (Art. 20) | Receive your data in a machine-readable format.
Object (Art. 21) | Object to processing based on legitimate interests or for direct marketing.
Withdraw Consent (Art. 7) | Withdraw consent at any time without affecting prior lawful processing.
Lodge Complaint | Lodge a complaint with the IDPC Malta or your local supervisory authority (see Section 14).

Contact [email protected] to exercise these rights. We respond within 30 days (extendable to 90 days for complex requests).

8.2 California Residents (CCPA/CPRA)

Important — California Residents

Fan Travel World's Wave 1 advertising targets California residents. The CCPA/CPRA applies to our processing of California residents' personal information.

Data Sharing for Advertising: we share personal information with advertising partners (Meta, Google) for cross-context behavioural advertising. Under the CCPA's broad definition, this may qualify as "selling" or "sharing" personal information. You have the right to opt out at any time.

As a California resident, you have the following rights:

  • Right to Know: request disclosure of the categories and specific pieces of personal information collected, sold, or shared about you in the preceding 12 months.
  • Right to Delete: request deletion of personal information we have collected (subject to certain exceptions).
  • Right to Correct: request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: opt out of the sale or sharing of your personal information for cross-context behavioural advertising. Visit our Do Not Sell or Share My Personal Information page or email [email protected] with subject "California Privacy Request".
  • Right to Limit Use of Sensitive Personal Information (SPI): request that we limit the use of SPI to purposes authorised by the CPRA.
  • Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA/CPRA rights.
  • Global Privacy Control (GPC): we honour the GPC signal as a valid opt-out of sale/sharing. If your browser transmits a GPC signal, we treat this as a California opt-out request.
  • Authorised Agent: you may designate an authorised agent to submit requests on your behalf by providing written authorisation to [email protected].

Categories of Personal Information Collected (CCPA Categories):

CCPA Category | Examples | Sold/Shared for Advertising?
Identifiers | Name, email, IP address, device IDs | Shared (hashed) with Meta & Google
Commercial Information | Transaction history, tickets purchased | No
Internet/Network Activity | Browsing history on our site, interactions | Shared (aggregated) with Meta & Google
Geolocation Data | Approximate location from IP | No
Inferences | Preferences inferred from browsing | Shared with Meta & Google for ad targeting

8.3 Other Regions

Mexico (LFPDPPP): Mexican residents have the right to access, rectify, cancel, and oppose (ARCO rights) the processing of their personal data. Submit requests to [email protected].

Brazil (LGPD): Brazilian residents have equivalent rights under the Lei Geral de Proteção de Dados. Contact [email protected].

9. Cookies and Tracking Technologies

9.1 Categories of Cookies We Use

Category | Purpose | Examples | Consent Required?
Strictly Necessary | Essential for the website to function. Cannot be disabled. | Session cookies, cart cookies, CSRF tokens | No
Functional | Enable enhanced functionality and personalisation. | Language preferences, saved searches | Yes
Analytics | Understand how visitors use our site. | Google Analytics 4 | Yes
Advertising | Deliver relevant ads and measure campaigns. | Meta Pixel, Google Ads, Enhanced Conversions, CAPI | Yes

9.2 Consent Management Platform (CMP)

When you first visit our website, you will see a Cookie Consent Banner allowing you to accept, reject, or customise your preferences. Update preferences at any time via the Cookie Settings link in our website footer. Your CMP choices apply to both client-side and server-side tracking technologies.

9.3 Browser Controls

Most browsers allow you to control cookies via settings. For more information, visit allaboutcookies.org.

9.4 Server-Side Tracking and Cookieless Technologies

Server-Side Tracking Disclosure

In addition to browser-based tracking, we use server-side technologies including the Meta Conversions API, Google Enhanced Conversions, and potentially a server-side Google Tag Manager (sGTM) container. These send event data directly from our servers to Meta and Google.

Important: server-side tracking is subject to the same consent requirements as client-side tracking. We do not use server-side technologies to bypass your consent choices. If you withdraw consent or opt out via our Cookie Banner, both client-side AND server-side advertising tracking will cease.

We may store first-party identifiers (hashed email, event IDs) in our own database to enable server-side tracking. These are subject to the same data rights (access, deletion, opt-out) as all other personal data.

10. Children's Data

Our Services are not directed to children. Under GDPR, the age of consent is 16 years in Malta and most EEA states. Under COPPA (USA), the threshold is 13 years.

We do not knowingly collect personal data from individuals below the applicable age of consent. If you believe a child has provided us with personal data, contact [email protected] and we will delete such data promptly.

11. Security

  • Encryption in Transit: all data is encrypted using TLS 1.3.
  • Encryption at Rest: sensitive stored data is encrypted using AES-256.
  • Access Controls: role-based access controls and multi-factor authentication for administrative systems.
  • Regular Security Reviews: periodic security assessments of our systems and third-party providers.

In the event of a personal data breach posing risk to your rights and freedoms, we will notify the IDPC Malta within 72 hours (GDPR Art. 33) and affected individuals without undue delay where the risk is high (GDPR Art. 34).

12. Marketplace Disclosure

Important Notice — Ticket Resale Marketplace

Fan Travel World is an independent secondary ticket marketplace. We are NOT affiliated with, endorsed by, or officially connected to FIFA, UEFA, the Premier League, La Liga, the UEFA Champions League, any national football association, sports club, venue, or any other rights holder or primary ticket issuer.

Tickets offered on our platform are sourced through our affiliated supplier entity from authorised resale channels. Ticket prices may be above or below the original face value. All applicable fees, service charges, and taxes are disclosed to you before checkout is completed.

All trademarks, event names, and logos remain the property of their respective owners and are used for descriptive purposes only.

13. Changes to This Policy

When we make material changes, we will:

  • Update the "Last Updated" date at the top of this document.
  • Notify you by email to your registered address and/or display a prominent notice on our website.
  • Provide at least 30 days' advance notice before material changes take effect.

Your continued use of our Services after the effective date constitutes acceptance of the updated Policy.

14. Contact and Supervisory Authority

14.1 How to Contact Us

Contact Method | Details
Privacy & Legal | [email protected]
Postal Address | GAL & CO CORPORATE LIMITED, 36 St Dminka Street, Victoria, Gozo, VCT 9030, Malta

14.2 Supervisory Authority — Malta

Authority | Information and Data Protection Commissioner (IDPC)
Address | Level 2, Airways House, High Street, Sliema SLM 1549, Malta
Phone | +356 2328 7100
Email | [email protected]
Website | https://idpc.org.mt

14.3 California Privacy Rights Contact

California residents may submit privacy requests to [email protected] with subject line "California Privacy Request". To opt out of sale/sharing, visit our Do Not Sell or Share My Personal Information page. California residents may also contact the California Attorney General at oag.ca.gov.

14.4 Other EU Supervisory Authorities

If you are in another EU member state, you may lodge a complaint with your local supervisory authority. Full list available from the EDPB: edpb.europa.eu.


© 2026 GAL & CO CORPORATE LIMITED trading as Fan Travel World. All rights reserved.