PRIVACY POLICY

 

Service / Brand: Discover Roatan™ Excursions & Tours (“DRET”)

Operating Entity (Honduras): Poseidon Corporation S.A. d/b/a Discover Roatan™ Excursions & Tours

Contracting Entity (United States): Discover Roatan Excursions & Tours, LLC

Website: https://discoverroatan.net

Effective Date: March 31, 2013

Last Updated: January 1, 2025

 

1. INTRODUCTION

This Privacy Policy (“Policy”) explains how (i) Poseidon Corporation S.A., a corporation organized under the laws of the Republic of Honduras, doing business as Discover Roatan™ Excursions & Tours, and (ii) Discover Roatan Excursions & Tours, LLC, a limited liability company organized under the laws of the United States (collectively, “DRET,” “Company,” “we,” “us,” or “our”), collect, use, disclose, retain, share, and protect the personal information of visitors to https://discoverroatan.net (the “Site”) and customers, prospects, and participants in our tours, transportation, and excursion services (collectively, “Services”).

This Policy is incorporated into, and forms part of, our Terms and Conditions and Booking Policy. By using the Site or engaging any Service, you acknowledge that you have read this Policy and consent to the processing of your personal information as described herein. If you do not agree, please do not use the Site or book any Service.

This Policy is written to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), and the data-protection laws of the Republic of Honduras, as well as any other privacy laws applicable to your jurisdiction of residence.

2. WHO WE ARE — DATA CONTROLLERS

DRET operates under a dual-entity structure. The controller responsible for your personal information depends on the activity:

(a) Online bookings, payment processing, marketing communications, and U.S.-side customer service are controlled by Discover Roatan Excursions & Tours, LLC.

(b) Operational delivery of tours, transportation, in-country guest service, and on-the-ground photography or video is controlled by Poseidon Corporation S.A. d/b/a Discover Roatan™ Excursions & Tours.

For data-protection purposes, both entities are joint controllers with respect to the Services and have agreed that Discover Roatan Excursions & Tours, LLC serves as the primary point of contact for data-subject requests. You may exercise any right described in this Policy through either entity, and we will route your request internally as appropriate.

Contact details for both entities are provided in Section 23 if applicable.

3. SCOPE

This Policy applies to personal information we collect through:

• the Site at https://discoverroatan.net and any subdomain or related microsite;
• any Booking, reservation, or quote request, regardless of channel (web form, email, phone, WhatsApp, SMS, third-party booking platform, or in-person);
• in-person interactions during a Service, including check-in, identification verification, and the capture of photographs, video, and audio recordings;
• our marketing communications, surveys, and post-tour follow-ups; and
• any third-party platform on which we maintain a presence (e.g., social-media pages, review sites) where you interact with us directly.

This Policy does not apply to third-party websites, applications, or platforms even where we link to them. See Section 19 (Third-Party Links).

4. INFORMATION WE COLLECT

We collect the following categories of personal information:

(a) Identification & contact data. Full name, email address, telephone number, mailing address, country of residence, date of birth (where required for age-restricted Services), passport or government-ID details (where required for ferry, marine, or border-crossing Services), emergency contact, and traveling-companion names.

(b) Booking & transaction data. Service purchased, reservation date and time, group composition, special requests, dietary restrictions, accessibility requirements, cruise-ship name and itinerary, ports of call, voucher numbers, transaction amounts, and refund history.

(c) Payment & billing data. Card-network type, last four digits of card number, billing postal code, billing name, and Stripe-generated tokens. Full primary account numbers (PANs), CVV/CVC codes, and full expiration dates are not stored on our systems — they are tokenized and processed directly by our PCI-DSS Level 1–certified payment processor (see Section 6).

(d) Health & accessibility data. Where you voluntarily disclose them: medical conditions, mobility limitations, allergies, pregnancy, recent surgery, or other circumstances relevant to safe participation. We treat this category as special category / sensitive personal data under the GDPR and process it only on the basis of your explicit consent and our legitimate interest in your safety.

(e) Photographic, video, audio, and biometric-adjacent data. Photographs, video, and audio recordings captured by DRET staff, contractors, or licensed photographers during Services, including images in which you appear and your voice. Where such material is processed by image-recognition, face-grouping, or generative-AI training systems, we describe that processing in Section 15.

(f) Technical & usage data. Internet Protocol (IP) address, device type, operating system, browser type and version, referrer URL, pages visited, time spent on each page, click paths, search terms used on the Site, and any error reports. We log this through standard server logs and through analytics, marketing, and advertising technologies disclosed in Section 8.

(g) Communications data. Email correspondence, support tickets, WhatsApp / SMS messages, voice calls (which may be recorded for quality and dispute-defense purposes — we will inform you at the start of any recorded call), reviews, social-media interactions, and survey responses.

(h) Marketing-preference data. Subscription status to newsletters, segmentation tags, open and click history, and opt-out flags.

(i) Inferred data. Customer lifetime value, propensity-to-rebook scores, segment membership, and similar derived attributes used for marketing optimization.

5. HOW WE COLLECT INFORMATION

We collect personal information:

• Directly from you when you book, request a quote, sign a Waiver Form, sign up for our newsletter, contact us, fill out a survey, or otherwise interact with us;
• Automatically through cookies, pixels, and similar technologies on the Site (see Section 8);
• From third parties, including cruise lines, travel agents, online travel agencies (OTAs), affiliate or referral partners, payment processors, and identity-verification or fraud-prevention services;
• From publicly available sources, including review sites, social-media platforms, and search engines, where you have made information public; and
• In person during Services, including via photography, video, and audio recordings made by DRET staff or contractors.

6. HOW WE USE INFORMATION — PURPOSES & LAWFUL BASES (GDPR / UK GDPR)

We use personal information for the following purposes, on the lawful bases identified in parentheses:

(a) To process your Booking, deliver the Service, and provide customer support (performance of a contract).

(b) To process payments and prevent fraud (performance of a contract; legitimate interest in fraud prevention; legal obligation).

(c) To verify identity at the start of a Service (performance of a contract; legitimate interest in safety and regulatory compliance).

(d) To ensure your safety, manage medical disclosures, and respond to incidents (vital interests; legitimate interest in safety; explicit consent for special-category data).

(e) To send transactional communications — Booking confirmations, manifest updates, weather alerts, refund notifications (performance of a contract).

(f) To send marketing communications — newsletters, promotions, post-tour follow-ups, review requests, and offers — only where you have opted in or where applicable law permits “soft opt-in” for existing customers (consent; legitimate interest in marketing existing-customer relationships).

(g) To improve and personalize the Site, our Services, and our marketing through analytics, attribution, and audience-modeling (legitimate interest; consent where required for non-essential cookies).

(h) To capture, edit, and use photographs, video, and audio of you during Services for marketing, training, internal documentation, archival, and AI/ML training purposes, as authorized by Section 20 of our Terms and Conditions (performance of a contract; legitimate interest in marketing; explicit consent where required by local law).

(i) To comply with legal, tax, audit, regulatory, and licensing obligations in Honduras, the United States, and any jurisdiction where we operate (legal obligation).

(j) To establish, exercise, or defend legal claims, including responding to chargebacks and payment-network disputes (legitimate interest in defending the business; legal obligation).

(k) To engage in corporate transactions — mergers, acquisitions, restructurings, financings, or asset sales — including the transfer of customer data to a successor entity (legitimate interest).

7. SHARING & DISCLOSURE — THIRD-PARTY PROCESSORS AND RECIPIENTS

We do not sell your personal information for monetary consideration. We share personal information only as described in this Section.

(a) Between our entities. Personal information is shared between Poseidon Corporation S.A. and Discover Roatan Excursions & Tours, LLC under their joint-controller arrangement.

(b) Service providers and processors acting on our instructions. We engage the following categories of vendors, each bound by a written Data Processing Agreement (DPA) or equivalent contractual safeguards:

• Payment processing — Stripe, Inc. (United States), our PCI-DSS Level 1–certified payment processor. Stripe receives the cardholder data necessary to process the transaction and is itself a controller for fraud-prevention purposes. See Stripe’s privacy policy at https://stripe.com/privacy.
• Booking, e-commerce, and website infrastructure — our website hosting provider, content-delivery network, security/firewall provider, and our WordPress-based e-commerce platform, each of which processes transaction and account data on our behalf.
• Email-marketing platform — our email service provider (e.g., Mailchimp, Klaviyo, ActiveCampaign, or successor), which stores customer email addresses, names, segmentation tags, and engagement history for the purpose of sending newsletters and promotional emails.
• Email correspondence and document collaboration — Google Workspace (Google LLC) for our `@discoverroatan.net` email accounts and for shared internal documents.
• Customer-relationship management (CRM) — our CRM platform, used to maintain repeat-customer records, sales-pipeline data, and call notes.
• Analytics and advertising technology — providers used to measure Site performance, attribute paid-advertising spend, and build remarketing audiences. See Section 8 for the cookie-level detail.
• Identity-verification, fraud-prevention, and dispute-defense providers — used to validate identity at check-in, evaluate transactions for fraud, and defend chargebacks.

A current list of named sub-processors is available on request via the contact details in Section 23.

(c) Tour partners and Third-Party Suppliers. We share the minimum necessary information (typically name, group size, dietary or accessibility notes, and pickup details) with tour partners, transportation operators, host venues, restaurants, attractions, dive operators, and other Third-Party Suppliers who deliver portions of your Service.

(d) Cruise lines and travel-agency partners. Where your Booking originates from a cruise line, an OTA, a travel agent, or an affiliate, we exchange Booking and manifest data with that partner as necessary to fulfill your reservation.

(e) Professional advisors. Our auditors, accountants, lawyers, insurance brokers, and bankers, where reasonably necessary in the conduct of business and bound by professional confidentiality obligations.

(f) Government, regulatory, and law-enforcement bodies. Where required by Honduran, U.S., or other applicable law; pursuant to lawful court order or subpoena; or to investigate and prevent suspected fraud or wrongdoing.

(g) Successors. A successor entity in connection with any merger, acquisition, restructuring, financing, or sale of assets, subject to that successor’s continuing obligations under this Policy.

We do not share your personal information with any third party for that party’s own independent marketing purposes without your prior consent.

8. COOKIES, PIXELS, AND TRACKING TECHNOLOGIES

The Site uses cookies and similar tracking technologies in the following categories:

• Strictly necessary — cookies required to operate the Site, maintain your session, secure checkout, prevent fraud, and remember consent choices. These cannot be disabled.
• Functional — cookies that remember your preferences (language, currency, recently viewed Services, wishlist).
• Analytics — cookies used to measure Site performance, traffic sources, and user behavior in aggregate.
• Advertising / marketing — cookies and pixels used to deliver, measure, and attribute advertising on Google, Meta (Facebook / Instagram), and other paid-media platforms, including remarketing to past Site visitors.

Where required by GDPR, UK GDPR, or other applicable law, we obtain your prior consent for non-essential cookies through a cookie-banner consent-management mechanism. You may withdraw consent at any time through the cookie-preference link in the Site footer or by clearing cookies in your browser. Opting out of advertising cookies will not prevent you from seeing ads — it will only prevent us from personalizing those ads to you.

We honor the Global Privacy Control (GPC) signal as a valid opt-out of “sale” or “sharing” under CCPA/CPRA where transmitted by your browser.

9. INTERNATIONAL DATA TRANSFERS

DRET operates in Honduras and the United States, and our service providers are located in the United States, the European Economic Area, the United Kingdom, and other jurisdictions. As a result, your personal information may be transferred to, stored in, and processed in countries other than your own, including countries that may not provide the same level of data-protection rights as your home jurisdiction.

Where personal information is transferred from the European Economic Area, the United Kingdom, or Switzerland to a third country, we rely on one or more of the following safeguards:

• the European Commission’s Standard Contractual Clauses (and the UK Addendum or International Data Transfer Agreement, as applicable);
• adequacy decisions where issued by the European Commission, the UK government, or the Swiss Federal Council;
• your explicit, informed consent to the transfer where appropriate; or
• the necessity of the transfer to perform the contract you have entered into with us.

A copy of the relevant transfer mechanism is available on request via Section 23.

10. DATA RETENTION

We retain personal information only for as long as necessary for the purposes for which it was collected, taking into account legal, tax, audit, and dispute-defense obligations. Our default retention schedule is:

(a) Booking, transaction, and tax-relevant records — seven (7) years from the date of the Booking, consistent with U.S. and Honduran tax-record-retention requirements.

(b) Card-payment data — full PANs and CVVs are not retained; tokens, last-four digits, and billing-name records are retained for the period in (a) for refund and chargeback handling.

(c) Customer accounts — for the life of the account, plus seven (7) years following last activity, after which the account is deleted or permanently anonymized.

(d) Marketing and email-engagement data — until you opt out, after which we retain a minimal “do-not-contact” suppression list indefinitely to honor your opt-out.

(e) Communications (email, SMS, WhatsApp, recorded calls) — three (3) years from the date of the communication, longer where reasonably needed for an active dispute or legal matter.

(f) Photographs, video, and audio captured during Services — retained indefinitely for ongoing marketing, training, AI/ML training, and archival use, consistent with the broad media release granted under Section 20 of our Terms and Conditions. You may request removal from currently active marketing channels (see Section 15 and Section 11); we are not able to recall material that has already been published, redistributed, or used to train AI/ML models.

(g) Analytics and advertising data — twenty-six (26) months by default, or such longer period as required by the platform.

(h) Health and accessibility disclosures — purged from active systems within twelve (12) months following completion of the relevant Service, except where retention is necessary for an active claim or insurance matter.

Where a longer retention period is required by law, regulation, or active legal proceeding, those records will be retained for the longer period.

11. YOUR RIGHTS — GENERAL

Subject to the conditions and limitations of applicable law, you have the right to:

(a) Access the personal information we hold about you;

(b) Correct inaccurate or incomplete information;

(c) Delete your information (subject to our legitimate retention obligations);

(d) Restrict or object to certain processing;

(e) Receive a copy of your information in a portable format;

(f) Withdraw consent where processing is based on consent (without affecting the lawfulness of prior processing);

(g) Opt out of marketing communications at any time;

(h) Opt out of “sale” or “sharing” of personal information under CCPA/CPRA (we do not “sell” personal information for monetary consideration; “sharing” for cross-context behavioral advertising is addressed in Section 13);

(i) Lodge a complaint with a data-protection authority.

To exercise any right, contact us at the details in Section 23. We will respond within the timelines required by applicable law (typically thirty (30) days under GDPR/UK GDPR; forty-five (45) days under CCPA/CPRA, extendable once).

We may need to verify your identity before honoring a request — typically by confirming the email address on file and asking you to confirm a recent Booking detail. We will not require you to create an account in order to exercise your rights.

12. EU / UK GDPR RIGHTS

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights set out in Section 11, plus the right to:

(a) Lodge a complaint with your local Data Protection Authority (in the EU: the supervisory authority of the Member State of your habitual residence, place of work, or place of the alleged infringement; in the UK: the Information Commissioner’s Office at https://ico.org.uk).

(b) Object to processing based on legitimate interest, including profiling related to direct marketing.

(c) Object to automated decision-making that produces legal or similarly significant effects on you (we do not currently engage in such automated decision-making — see Section 18).

EU / UK Representative — Article 27(2) Exemption Position. DRET is established outside the European Economic Area and the United Kingdom and is aware of the requirement under Article 27(1) of the EU GDPR and Article 27(1) of the UK GDPR to designate a written representative within those territories.

We have assessed our processing activities against the exemption set out in Article 27(2) and have determined that, as of the Effective Date of this Policy, our processing of EU and UK personal data is occasional in nature in the context of our overall business; does not include processing of special categories of personal data on a large scale as defined in Article 9(1) GDPR or processing of data relating to criminal convictions or offences; and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing — namely, the routine fulfillment of pre-purchased tour bookings, transactional and operational communications, optional marketing communications, and customer-service inquiries. On that basis, DRET does not currently designate a written representative under Article 27.

EU and UK residents may exercise all rights described in this Policy, and direct any inquiry, complaint, or data-subject request, to DRET directly using the contact details in Section 23. We will respond within the timelines required by the GDPR and UK GDPR (typically thirty (30) days, extendable once by a further sixty (60) days where reasonably necessary, with notice to you) and will not require an EU/UK postal address as a condition of responding.

We review this Article 27(2) assessment periodically. If our processing of EU or UK personal data ceases to qualify for the exemption — for example, if we begin processing special-category data on a large scale, if our EU/UK booking volume becomes a non-occasional share of operations, or if a competent supervisory authority disagrees with our assessment — we will designate a representative within the relevant territory and update this Policy and Section 23 accordingly.

This position does not affect, limit, or condition any right you hold under the GDPR, the UK GDPR, or any other applicable law.

13. CALIFORNIA CONSUMER PRIVACY RIGHTS (CCPA / CPRA)

If you are a California resident, you have the rights set out in Section 11, plus the following rights under the CCPA, as amended by the CPRA:

(a) Right to know — the categories and specific pieces of personal information we have collected about you in the past twelve (12) months, the categories of sources, the purposes of collection, and the categories of third parties with whom we have shared the information.

(b) Right to delete — request deletion of personal information, subject to enumerated exceptions (e.g., to complete a transaction, detect fraud, comply with legal obligations).

(c) Right to correct — request correction of inaccurate personal information.

(d) Right to opt out of “sale” or “sharing” — although we do not “sell” personal information for monetary consideration, the CCPA’s broad definition of “sharing” can include the use of cross-context behavioral-advertising cookies (e.g., Meta Pixel, Google Ads). You may opt out by clicking the “Do Not Sell or Share My Personal Information” link in the Site footer, by transmitting a Global Privacy Control signal, or by contacting us at the details in Section 23.

(e) Right to limit use of sensitive personal information — limit our use of sensitive categories (e.g., precise geolocation, health data) to those purposes specified in the CCPA.

(f) Right to non-discrimination — we will not deny goods or services, charge different prices, or provide a different level of quality because you exercised any CCPA right.

(g) Authorized agent — you may designate an authorized agent, in writing and with proof of authorization, to make a request on your behalf.

(h) California “Shine the Light” Law — California Civil Code §1798.83 permits California residents to request information regarding our disclosure of personal information to third parties for the third party’s direct-marketing purposes. We do not disclose personal information to third parties for the third party’s direct-marketing purposes.

14. HONDURAN DATA-PROTECTION RIGHTS

If you are a resident of the Republic of Honduras, you have the rights of access, correction, cancellation, and objection (“ARCO rights”) with respect to personal data we process about you, as recognized under Honduran constitutional and statutory law. Requests may be submitted through the contact details in Section 23.

15. PHOTOGRAPHY, VIDEO, BIOMETRIC, AND AI / MACHINE-LEARNING PROCESSING

We capture photographs, video, and audio of Participants during Services for marketing, internal documentation, training, archival, and AI/machine-learning training purposes. Your participation in any Service constitutes your acknowledgement of, and (subject to applicable law) consent to, the broad media release granted in Section 20 of our Terms and Conditions.

(a) Categories of media-derived data we may process include: still photographs, video footage, audio recordings, voice samples, image-derived metadata (e.g., camera, time, location), face-grouping tags used to organize image libraries internally, and embeddings or feature vectors generated from images for image-search and AI-training purposes.

(b) Biometric considerations. We do not currently use facial-recognition technology for identification, verification, surveillance, or law-enforcement purposes. Where image-grouping or face-clustering is used to organize photo libraries internally, we treat the underlying embeddings as biometric-adjacent data and apply technical and organizational safeguards consistent with this Policy.

(c) AI / machine-learning training. Photographs, video, audio, and derived embeddings may be used to train, fine-tune, evaluate, or augment in-house or third-party machine-learning models supporting marketing, image search, content moderation, and Service personalization.

(d) Opt-out at point of capture. If you do not wish to be photographed or recorded, you must notify your guide in writing at the start of the Service. Your guide will use reasonable efforts to keep newly captured material clear of you. Once material has been published, distributed, or used to train an AI/ML model, we may not be able to recall it.

(e) Removal request from active channels. You may at any time submit a written request to remove specific images of you from our active marketing channels (Site, social media, email templates we control). We will use reasonable efforts to remove the material from those channels but make no warranty regarding third-party redistribution, archival copies, or material already incorporated into AI/ML training datasets.

(f) Children’s images. We require explicit parental or guardian consent (via the Waiver Form and on-tour consent) before publishing close-up identifying images of children. Where consent is not given or is later withdrawn, we will use reasonable efforts to blur, crop, or remove the child from active marketing channels.

16. CHILDREN’S PRIVACY

The Site and Services are not directed to children under the age of thirteen (13), and we do not knowingly collect personal information from children under thirteen (13) without verifiable parental consent, in accordance with the U.S. Children’s Online Privacy Protection Act (“COPPA”).

Bookings on behalf of minors must be made by a parent or legal guardian, who provides any required information about the minor and grants any required consents (including the photo / media consent referenced in Section 15) on the minor’s behalf. If you believe we have inadvertently collected personal information from a child under thirteen (13) without verifiable parental consent, please contact us at the details in Section 23 and we will delete the information promptly.

17. DATA SECURITY

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction, including:

• TLS / SSL encryption of data in transit between your browser, our Site, and our payment processor;
• PCI-DSS-compliant tokenization of card data via Stripe; we do not store full PANs or CVV codes;
• Access controls limiting personal-information access to personnel with a legitimate business need;
• Logging and monitoring of administrative access to customer-data systems;
• Vendor due diligence and Data Processing Agreements with material processors;
• Regular review of our security posture and policies.

No system can be made absolutely secure. By using the Site or our Services, you acknowledge the inherent risks of data transmission and storage on the Internet. In the event of a personal-data breach affecting you, we will notify you and the relevant supervisory authority within the timelines required by applicable law (under GDPR, generally within seventy-two (72) hours of becoming aware of the breach where it presents a risk to your rights and freedoms).

18. AUTOMATED DECISION-MAKING

We do not currently make decisions that produce legal or similarly significant effects on you based solely on automated processing (including profiling). We do use automated tools to support human decisions — for example, fraud-risk scoring on transactions and analytics-based audience modeling — but human review is involved in any decision that materially affects your access to a Service.

19. THIRD-PARTY LINKS

The Site may link to third-party websites, applications, social-media platforms, or services. This Policy does not apply to any such third party. We are not responsible for the privacy practices of third parties, and we encourage you to review the privacy policies of any third party before providing personal information.

20. MARKETING COMMUNICATIONS AND OPT-OUT

If you have provided your email address in connection with a Booking, an inquiry, a content download, or a newsletter sign-up, we may send you marketing communications about our Services consistent with applicable law. You may opt out at any time by:

• clicking the “unsubscribe” link in any marketing email;
• updating your preferences in your account profile (where applicable);
• contacting us at the details in Section 23; or
• where supported, transmitting a Global Privacy Control signal from your browser.

Transactional and operational communications (Booking confirmations, manifest updates, refund notifications, weather alerts, pickup-time changes) are not optional and will continue to be sent for as long as you have an active Booking.

21. CHANGES TO THIS POLICY

We may update this Policy from time to time to reflect changes in our practices, our services, applicable law, or industry standards. Material changes will be posted on the Site with an updated “Last Updated” date. Where required by applicable law, we will obtain your renewed consent or provide additional notice. Continued use of the Site or any Service after a change becomes effective constitutes acceptance of the updated Policy.

22. RELATIONSHIP TO OTHER DRET DOCUMENTS

This Policy is part of the contractual framework governing your relationship with DRET. The full order of precedence is set out in Section 32 of our Terms and Conditions and is summarized here for convenience: (1) the signed Waiver Form (for matters of personal injury, assumption of risk, and release); (2) the Terms and Conditions (for all other legal matters, including intellectual property, photo / media release, dispute resolution, force majeure, indemnification, and limitation of liability); (3) the Booking Policy (for booking, payment, refund, cancellation, weather, and operational mechanics); (4) this Privacy Policy (for data handling and electronic communications).

23. CONTACT — PRIVACY INQUIRIES

To exercise any right under this Policy, ask a question, or lodge a privacy-related concern, please contact us:

Discover Roatan Excursions & Tours, LLC (primary point of contact for data-subject requests)

5505 Eagle Court, Florence, MT 59833

Poseidon Corporation S.A. d/b/a Discover Roatan™ Excursions & Tours

Coxen Hole, Roatán, Bay Islands, Honduras

Phone: +504 9885-6554 / 1-844-576-2826

Email (privacy / data requests): privacy@discoverroatan.net

Email (general): admin@discoverroatan.net

Website: https://discoverroatan.net

EU and UK Residents. DRET does not currently designate a written representative under Article 27 of the EU GDPR or Article 27 of the UK GDPR; our reasoning is set out in Section 12. EU and UK residents may exercise all data-protection rights, and lodge any complaint or data-subject request, by contacting DRET directly through the email and postal addresses above. We respond to EU and UK requests within the statutory GDPR / UK GDPR timelines and do not require an EU or UK postal address as a condition of responding.

You also have the right to lodge a complaint with the data-protection authority of your country of residence (in the EU, the supervisory authority of your Member State; in the UK, the Information Commissioner’s Office at https://ico.org.uk; in California, the California Privacy Protection Agency at https://cppa.ca.gov; in Honduras, the competent national authority).

ACKNOWLEDGEMENT

By using the Site, making a Booking, signing the Waiver Form, or participating in any Service, you acknowledge that you have read this Privacy Policy and understand how DRET collects, uses, shares, retains, and protects your personal information.