Our Privacy Pledge

Effective 12/27/2019 | Download

Introduction
Xanterra Leisure Holding, LLC, along with its subsidiary companies listed below (collectively “Xanterra,” “us,” “our,” or “we”), is committed to respecting your privacy. This Privacy Policy (“Privacy Policy”) describes how we collect, process, and share your Personal Data (defined below). We also describe your rights and choices with respect to your Personal Data and other important information. You arrived at this Privacy Policy by clicking on a link when you visited Rocky Mountain National Park website, however, this Privacy Policy applies to the activities across all Xanterra companies. Please read this Privacy Policy carefully.

Scope of this Policy
This Privacy Policy applies to Personal Data collected through our “Services”, which include:
• Our “Offline Services” - Services you use when you visit properties or travel with companies operated by Xanterra;
• Our “Digital Services” - Our websites and other online services, including data collected when you interact with or reference our products/services or advertisements online.
Note that certain third parties may be able to identify you across sites and services using the information they process, however, any such processing not done at the direction of Xanterra is outside the scope of this Privacy Policy.

Who we are
Xanterra Leisure Holding, LLC is a Colorado-based company with offices at 6312 S. Fiddlers Green Cir., Ste. 600 North, Greenwood Village, Colorado 80111. Xanterra’s subsidiary companies include, at the time of publication of this Privacy Policy: Xanterra Holding Corporation; Xanterra Resort Holding, LLC; Xanterra Leisure Resort Holding, LLC; Xanterra, Inc.; Xanterra Parks & Resorts, Inc.; Xanterra South Rim, L.L.C.; GCR Acquisitions, LLC; Grand Canyon Railway, LLC; Grand Canyon Railway Hotel, LLC; Xanterra Tusayan, LLC; Xanterra Cedar Creek, LLC; Xanterra Adventure Companies, LLC; Holiday Vacations, LLC; Windstar Cruises Marshall Islands, LLC; and Windstar Cruises, LLC.

How to Contact Us

If you have any comments or questions about this Privacy Policy or privacy practices, please contact our Data Privacy Team at:
Xanterra Leisure Holding, LLC
Attn: Privacy
6312 S. Fiddlers Green Cir. Ste. 600N
Greenwood Village, CO 80111

General Inquiries and Data Updates: preferences@xanterra.com
Marketing Choices: If you would like to make changes to your communications preferences, click the link in any email from Xanterra, or send us an email at preferences@xanterra.com.

Data Rights Inquiries: visit Rocky Mountain National Park Rights Portal here, or call 1-844-388-2813.
Direct Marketing Disclosure Requests: datarequests@xanterra.com
Opt-Out of Data Sales: click here or call 1-844-388-2813

Categories and Sources of Personal Data

The following describes how we process data relating to identified or identifiable individuals and households (“Personal Data”), including the categories of Personal Data, its sources, and the purposes for which we process that data.

The categories of Personal Data we process
The categories of Personal Data we collect and use include (these are examples may be subject to change):

Identity Data
Information such as your name; address; email address; telephone number; gender; date of birth, age and/or age range; account login details, including your user name and password, or other account-related information; information you provide in connection with your application to be a vendor, volunteer, employee, or otherwise join or support our team; your identity, public profile, and similar information from social networks such as Facebook; and information such as unique IDs and similar data collected or derived from the use of RFID enabled products such as keycards.

Contact Data
Identity Data that relates to information about how we can communicate with you, such as email, phone numbers, physical addresses, social media handles, and information you provide to us when you contact us by email or when you communicate with us via social media.
Location Data
Information about your location, including “precise location data” (data from GPS, Wi-Fi triangulation, and similar) and “general location” (social media tags/posts, dates and times of your visit and which properties or locations you visited).

Device/Network Data
Browsing history, search history, and information regarding your interaction with a web site, application, or advertisement (e.g. IP Address, MAC Address, SSIDs or other device identifiers or persistent identifiers), online user ID, device characteristics (such as browser/OS version), web server logs, application logs, browsing data, first party cookies, third party cookies, web beacons, clear gifs and pixel tags.

Commercial Data
Information about the Services we provide to you and about reservations and transactions you make with Xanterra or other companies operating through us or on our behalf (including travel agents), information relating to events and services at our properties and locations you attend/use, information about purchases, what has been provided to you, when and where and, if applicable, how much you paid, and similar information.

Inference Data
Personal Data used to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes, market segments, likes, favorites and other data or analytics provided about you or your account by social media companies or data aggregators, including household data such as income, number of children, occupation, social grade, home ownership status, the products and services you use or intend to use or purchase, and your interests.
Financial Data Information such as bank account details, payment card information, and information from credit reference agencies, including similar data defined in Cal Civ Code § 1798.80(e).

Audio/Visual Data
Recordings and images collected from our surveillance cameras when you visit our properties and locations and areas adjacent to them, as well as audio files and records, such as voice mails, call recordings, and the like.

Health Data
Information about your health (for example when you are buying accommodations or activities for wheelchair accessible spaces, when you request a sign language interpreter, or when we are responding to an accident or other health-related incident).

User Content
Unstructured/free-form data that may include any category of Personal Data, e.g. data that you give us in free text fields such as comment boxes, answers you provide when you participate in sweepstakes, contests, votes and surveys, including any other Personal Data which you may provide through or in connection with our Services.

Sources of Personal Data
We collect Personal Data from various sources, which vary depending on the context in which we process that Personal Data:
Data you provide us
We will receive your Personal Data when you provide them to us, when you purchase our products or services, or complete a transaction via our Services, or when you otherwise use our Services.

Data we collect automatically
We collect Personal Data about or generated by any device you have used to access our Services, the websites of subsidiary companies the websites of any service provider used to purchase accommodations at properties or travel with companies operated by Xanterra, or when you use Wi-Fi at any of our properties or while traveling with companies operated by us.

Data we receive from service providers & Agents
We receive Personal Data from on-line travel agents such as Expedia or booking.com or brick and mortar travel agents who transfer Personal Data to us when you purchase accommodations or services from them in connection with Services that we provide, and other service providers performing services on our behalf.

Data we receive from aggregators and advertisers
We receive Personal Data from ad networks, behavioral advertising vendors, market research, and social media companies or similar companies that provide us with additional Personal Data such as Inference Data.

Data we receive from social media companies
We receive Personal Data from Facebook and other social media companies who may transfer Personal Data to us when you register for one of our Services or interact with that social media company on or in connection with our services, properties or locations.

Data we create and infer
We, certain partners, social media companies, and third parties operating on our behalf create and infer Personal Data such as Inference Data or Aggregate Data based on our observations or analysis of other Personal Data processed under this Policy, and we may correlate this data with other data we process about you. We may combine any Personal Data about you that we receive from you, from other companies within our family of companies, and from third parties.

How We Process Personal Data

When you use our Services, we process your Personal Data in specific contexts and for certain specified purposes, as well as for our general business purposes and, in some cases, for commercial purposes.

How we Collect and Use Personal Data
We collect and process Personal Data in several contexts when you use our Services, including:
• When you make a purchase or other transaction through our Service
• When you visit properties or travel with companies operated by Xanterra
• Closed Circuit Television (CCTV)
• When you access or use our Digital Services
• Cookies and other tracking technologies
• When you enter a contest or other promotion
• When you contact us or submit information to us
• Feedback and Surveys
• Applications for employment or to provide services

See below for more information regarding the context in which we process Personal Data.

When you make a purchase or other transaction through our Service
We generally process Identity Data, Financial Data, Commercial Data and Contact Data when you engage in a purchase and sale transaction, whether through our Digital Services or in person. We process this Personal Data as necessary to perform or initiate a contract with you, process your order and payment, and carry out fulfillment and delivery. In addition, we may also collect or create Device/Network Data and Inference Data. This data, together with other data we collect in this context is used as necessary in connection with certain legitimate business interests, such as:
• ensuring the security of our Services and to prevent fraud;
• providing you with information about our Services, to contact you about administrative matters, to manage and respond to any queries or complaints you make or any correspondence you send us.

We may also use this Identity Data, Commercial Data, Contact Data, and Device/Network Data collected in this context for our Commercial Purposes.

When you visit properties or travel with companies operated by Xanterra
We generally process Identity Data, Commercial Data, Financial Data, and Contact Data when you interact with us Offline. Additionally, when you use electronic or RFID technologies, or use on-premise Digital Services, we will collect Device/Network Data (see below for additional information regarding our Digital Services). In addition, we may process this data in combination with Inference Data and Location Data that we collect and/or create as necessary in connection with certain legitimate business interests in:
• verifying your identity for authentication and security purposes;
• helping us to ensure our customers are genuine and to prevent fraud; and
• to help us to return lost property to its rightful owner

Note, in certain cases, we may collect Health Data. Health Data is generally used so that we can provide certain services to you such as to provide you with tailored services (for example, a wheelchair accessible space or a sign language interpreter) or in connection with our response to health-related incidents that may have taken place at properties or while traveling with companies operated by Xanterra. In each case, where consent is required by law, we will process this information only with appropriate consent.

We may also use this Identity Data, Commercial Data, and Contact Data collected in this context for Commercial Purposes.

Closed Circuit Television (CCTV)
We may operate CCTV or security cameras on and adjacent to properties and facilities managed by Xanterra. In connection with these systems, we may collect and/or create Audio/Visual Data as necessary in connection with certain legitimate business interests, such as:
• preventing and detecting crime and to keep people who visit and work at our company locations safe and secure;
• recording and investigating health and safety and other incidents which have happened or may have happened at properties or while traveling with companies operated by Xanterra;
• counting the numbers of people who visit our properties and to analyze flows of people around the properties and facilities for safety and commercial purposes using software which analyzes CCTV camera images; and
• creating aggregate data.

When you access or use our Digital Services
When you use our Digital Services, we automatically collect and process Device/Network Data. We use this data as necessary to initiate or fulfill your requests for certain features or functions through our Services, such as keeping you logged in, delivering pages, etc. In addition to Device/Network Data, we may also collect and process Contact Data, Identity Data and Inference Data that we collect, create, and/or receive (including through the use of cookies and similar technologies). We typically use this data as necessary in connection with certain legitimate business interests, such as:
• ensuring the security of our websites and other technology systems;
• analyzing the use of our Services, including navigation patterns, clicks, etc. to help understand and make improvements to the Services.

Some Digital Services may, with your consent, process Location Data. We use this data, together with Inference Data, and Device/Network Data in order to provide directions and contextual information to you, and other features that require the use of location. We may also use this information in connection with our legitimate business interests, such as, creating aggregate information about users’ location and patterns, which we use to help improve our Services. Note, Location Data may be required in order for you to use certain features of our Digital Services. We may also process Identity Data, Contact Data, and User Content if you interact with or identify us, relevant promoters, or other partners on social media platforms. Note, Personal Data processed when you submit information to us (such as when you make a reservation) may involve processing through Digital Services.
We may also use Identity Data, Device/Network Data, Location Data, Inference Data and Contact Data collected in this context for Commercial Purposes.

Cookies and other tracking technologies
We use cookies and similar technologies on our Digital Services. These technologies can be used to collect or create Identity Data, Device/Network Data, Contact Data, or Inference Data. Third parties may be allowed to view, edit, or set their own cookies or place web beacons on our websites. Cookies and web beacons allow us and third parties to distinguish you from other users of our websites, and some of these technologies can be used by us and/or our third party partners to identify you across platforms, devices, sites, and services. Third parties may engage in targeted advertising using this data.

We and authorized third parties may use cookies and similar technologies for the following purposes:
• for “essential” or “functional” purposes, such as to enable certain features of our Digital Services (for example, to allow a customer to maintain a basket when they are shopping at an online store);
• for “analytics” purposes, such as to analyze the traffic to and on our Digital Services (for example, we can count how many people have looked at a specific page, or see how visitors move around the website when they use it, what website they visited prior to visiting our website, and use this information to understand user behaviors and improve the design and functionality of the website);
• for “retargeting” or similar advertising or commercial purposes, such as:
• for social media integration e.g. via third-party social media cookies, or when you share information using a social media sharing button or “like” button on our Services or you link your account or engage with our content on or through a social networking website such as Facebook or Twitter;
• to collect information about your preferences and demographics to help target advertisements which are more likely to be of interest to you using behavioral advertising; and
• to allow us to carry out retargeting (this includes, for example, when advertisements are presented to you for products or services which you have previously looked at on a website but have not purchased).

The use of these technologies by third parties may be subject to their own privacy policies and is not covered by this Privacy Policy, except as required by law.
We may also use your Identity Data, Device/Network Data, Inference Data and Contact Data collected in this context for Business Purposes and Commercial Purposes.

When you enter a contest or other promotion
We collect and process Identity Data, Contact Data, and User Content as necessary to process your request to enter the contest, or take part in a promotion, notify you if you have won or to process delivery of a prize or for other related purposes.

In addition, we may process this information in connection with our legitimate business interests, such as:
• verifying your identity for authentication and security purposes (in which case we may process Government ID Data to complete verification); and
• helping us to ensure our customers are genuine and to prevent fraud.

Note, if you win a contest/sweepstakes, we may publicly post some of your data on our website (for example acceptance of a prize may also require you to allow us to post publicly some of your Personal Data such as on a winners’ page). Where required by law, your information will not be posted without your consent. Unless prohibited by law, we may use this Identity Data, Contact Data, and User Content information for Commercial Purposes.

When you contact us or submit information to us
We collect and process Identity Data, Contact Data, and any Audio/Visual data or User Content you provide as necessary to address your request, fulfill the business purpose for which that information was provided, or for other related purposes. Additionally where you consent, if relevant to your request (such as an inquiry regarding a product, service, etc.) or if otherwise permitted by law, we may send you marketing communications as described further below, and use this information for Commercial Purposes.

Feedback and Surveys
We generally process Identity Data, Contact Data, Inference Data, and User Content collected in connection with guest surveys or questionnaires. We generally process this Personal Data as necessary to respond to guest requests/concerns, and create aggregate analytics regarding guest satisfaction. We may store and analyze feedback for our purposes, for example, to personalize the services, and help recommend relevant offers or services. We may also use the Identity Data, Contact Data, Inference Data, and User Content collected in this context for Business Purposes and Commercial Purposes.

Employment & Service Provider Applications
We may process Personal Data in connection with your application to be a vendor, employee, or otherwise join or support our team. We process this Personal Data primarily in connection with the personnel relationship. Details regarding our collection and processing of Personal Data for these purposes is set forth in our supplemental HR Privacy Notice.

How we Process Personal Data for Business Purposes
We and our service providers process Personal Data we hold for numerous business purposes, depending on the context of collection, your rights and choices, and our legitimate business interests. For example, we generally process Personal Data:
• In connection with providing our services, and fulfilling our contractual obligations to you
• To maintain the quality and stability of, and generally improve, our Services
• To secure our properties and services, and prevent fraud
• To personalize the Services, and in connection with marketing and advertising, including behavioral advertising
• To compile aggregate statistics regarding the use of the services, and for research and market analysis
• To comply with the law, and for other purposes in the public interest

Service Provision and Contractual Obligations
We process any Personal Data as is necessary to provide our Service, to provide you with the products and services you purchase or request, to authenticate users and their rights to access the Service, or various data, features, or functionality, and as otherwise necessary to fulfill our contractual obligations to you, and provide you with the information, features, and services you request. Additionally, we use information to authenticate your right to access our properties and locations, deliver products and services, and for other related matters. Similarly, we may use Personal Data as necessary to audit compliance, and log or measure aspects of service delivery (e.g. to document ad impressions).

Internal Processing and Service Improvement
We may use any Personal Data we process through our Services as necessary in connection with our legitimate business interests in improving the design of our Service, understanding how are Services are used or function, for customer service purposes, in connection with logs and metadata relating to service use, and for debugging and similar purposes relating our identification of errors and improving the stability of the Service. Additionally, we may use Personal Data to understand what parts of our Service are most relevant to Users, how Users interact with various aspects of our Service, how our Service performs or fails to perform, etc., or we may analyze use of the Service to determine if there are specific activities that might indicate an information security risk to the Service or our Users.

Security and Incident Detection
Whether online or off, we work to ensure that our Services are secure. We may process any Personal Data we collect in connection with our legitimate business interest in ensuring that our properties and locations are secure, identify and prevent crime, prevent fraud, and ensure the safety of our guests. Similarly, we process Personal Data on our Digital Services as necessary to detect security incidents, protect against, and respond to malicious, deceptive, fraudulent, or illegal activity. We may analyze network traffic, device patterns and characteristics, maintain and analyze logs and process similar Personal Data in connection with our information security activities.

Compliance, health, safety, public interest
We may also process any Personal Data as necessary to comply with our legal obligations, such as where you exercise your rights under data protection law and make requests, for the establishment and defense of legal claims, or where we must comply with our legal obligations, lawful requests from government or law enforcement officials, and as may be required to meet national security or law enforcement requirements or prevent illegal activity. We may also process data to protect the vital interests of individuals, or on certain public interest grounds, each to the extent allowed under applicable law. Please see the data sharing section for more information about how we disclose Personal Data in extraordinary circumstances.

Aggregated data
We process Personal Data about our customers and users in order to identify trends (to create aggregated and anonymized data about our customers/users, buying and spending habits, use of our Services, and other similar information (“Aggregated Data”). We may pass Aggregated Data to the third parties referred to in the section below to give them a better understanding of our business and to bring you a better service. Aggregated Data will not contain information from which you may be personally identified.

Personalization
We process certain Personal Data as necessary in connection with our legitimate business interest in personalizing our Digital Services. For example, aspects of the Digital Services may be customized to you so that it displays your name and other appearance or display preferences, to display content that you have interacted with in the past, or to display content that we think may be of interest to you based on your interactions with our Digital Services and other content. This processing may involve the creation and use of Inference Data relating to your preferences.

Other Business Purposes
If we process Personal Data in connection with our Service in a way not described in this Privacy Notice, this Privacy Notice will still apply generally (e.g. with respect to your rights and choices) unless otherwise stated at collection. We will process such information in accordance with the notice provided at the time of collection or in a manner that is necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.

How we Process Personal Data for Commercial Purposes
We and certain third parties process Personal Data we hold for certain purposes, depending on the context of collection and your rights and choices:
• Marketing communications
• To create marketing profiles
• In connection with online advertising, including targeted advertising
• Data sales

Personalization & Consumer Profiles
In order to understand our customers’ preferences, and better recommend products and services that are personalized to our prior customers, we may create a “Consumer Profile” by linking together and analyzing Personal Data collected in the following contexts:
• When you make a purchase or other transaction through our Service
• When you stay at properties or travel with companies owned or operated by Xanterra.
• When you access or use our Digital Services
• Cookies and other tracking technologies
• When you enter a contest or other promotion
• When you contact us or submit information to us
• Feedback and Surveys

We may also augment Consumer Profiles with Personal Data that we create (such as Inference Data) or that we receive from our subsidiary companies, third parties, and may include Personal Data such as information about Services you have used or purchased previously, information about when you have visited our properties or locations in the past and what activities you participated in, and demographic data.

We use Consumer Profiles for our legitimate interests in market research and statistical analysis in connection with the improvement of our Services. For example, we may analyze the Personal Data of people who have made a reservation for a particular itinerary in the past and compare them with other people in our database. If we identify people in the database who have similar Personal Data to the previous guests, we may then target marketing about a future event to the new people we have identified in our database, for example by sending marketing emails. We may conduct the profiling and send the direct marketing emails automatically. We may also use this information for other Commercial Purposes.

Marketing Communications
Consistent with our legitimate business interests, we (or if appropriate, our third-party partners) may send you marketing and promotional communications if you sign up for such communications or purchase products or services from us. Where allowed, we may also send you these communications if you register for our Services or for a promotion, or in connection with your communications with or submission of User Content to us. These communications may be personalized or customized based on your user profile.

Similarly, we may also collect Device/Network Data and contact data so that we can determine whether you have opened an email or otherwise interacted with our communications, and we may generate Inference Data based on these interactions. We may also process this Personal Data for targeted advertising. However, where consent to processing is required by law, we will link and process this information for targeted advertising with appropriate consent.

Targeted advertising
Xanterra, and certain third parties operating on or through our Services, may engage in targeted advertising. This form of advertising includes various parties and services providers, including third party data controllers, engaged in the processing of Personal Data in connection with advertising. These parties may be able to identify you across sites, devices, and over time.

The parties that control the processing of Personal Data for behavioral advertising purposes may create or leverage information derived from personalization and profiling. In some cases, these parties may also develop and assess aspects of a profile about you to determine whether you are a type of person a company wants to advertise to, and determine whether and how ads you see are effective. These third parties may augment your profile with demographic and other Inference Data derived from these observations, and may also track whether you view, interact with, or how often you have seen an ad, or whether you complete a purchase for a good or services you were shown in an advertisement.

We generally use targeted advertising for the purpose of marketing our Services and third-party goods and services, to send marketing communications, including by creating custom marketing audiences on third-party websites (such as Facebook).

Data Sales
Certain Commercial Processing purposes involve “sales” of data as defined by applicable law. For example, we may “sell” (as defined by applicable law) certain Personal Data when we engage in marketing campaigns with or on behalf of sponsors, when we conduct targeted advertising, or we may sell or grant access to Personal Data to our marketing partners, promoters, and other advertisers.

See the California Rights & Disclosures section for a list of categories of Personal Data sold.

How we Share Personal Data

Xanterra
In order to streamline certain business operations, improve Service personalization and behavioral marketing, develop products and services that better meet the interests and needs of our customers, and promote information we believe will be of interest to you, we will share your Personal Data internally within our family of companies, as well as any other current or future affiliated entities, subsidiaries, and parent companies of Xanterra.

Service Providers & Agents
In connection with our general business operations, product/service improvements, to enable certain features, and in connection with our other legitimate business interests and business purposes, we may share your Personal Data with service providers who provide certain services or process data on our behalf. For example, we may use cloud-based hosting providers to host our Service or may disclose information as part of our own internal operations or other business purposes (which may include the legitimate interests and business purposes of the Service Provider themselves).

See the California Rights & Disclosures section for a list of categories of Personal Data disclosed for Business Purposes.

Social Media Platforms
In order to improve personalization, deliver more relevant advertisements, and develop better products and services, we may share certain Personal Data with current or future affiliated entities and trusted third parties for marketing, advertising, or other commercial purposes, and we may allow third parties (such as Facebook and social media advertisers, ad exchanges, data management platforms, or ad servers) to operate on our Services and process data for targeted advertising. These transfers may be made for Commercial Purposes and in connection with Data Sales.

Additionally, If you use any social media plugin, API, or other similar feature, use an event hashtag or similar link, or otherwise interact with us or our Services via social media, we may make your post available on our Services or to the general public. We may share, rebroadcast, or redisplay Personal Data or other information in the post to the extent permitted by the relevant social media service.

Data Aggregators
In connection with our marketing operations, and subject to Users’ rights and choices, we may share certain Personal Data with data aggregators for Commercial Purposes and in connection with Data Sales. These disclosures/sales can help better personalize our Services, the services of third parties, enrich Consumer Profiles and help ensure that you see advertisements that are more relevant to your interests.

Successors
Your Personal Data may be shared if we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.

Lawful Recipients
In limited circumstances, we may, without notice or your consent, access and disclose your Personal Data, any communications sent or received by you, and any other information that we may have about you to the extent we believe such disclosure is legally required (including in connection with international travel manifests, immigration, etc.), to prevent or respond to a crime, to investigate violations of our Terms of Use, in the vital interests of us or any person, or in such other circumstances as may be required or permitted by law. Note, these disclosures may be made to governments that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties.

International transfers of your Personal Data

If you are located outside the US, your Personal Data may be transferred to and/or processed in a location outside of the European Economic Area (EEA).

Your Personal Data may also be processed by staff operating in the United States or outside the EEA working for us, other members of our family of companies or third-party data processors. Such staff may be engaged in, among other things, the provision of our Services to you, the processing of transactions and/or the provision of support services.

Some countries outside the EEA do not have laws that protect your privacy rights as extensively as those in the EEA. However, if we do transfer your Personal Data to other territories, we will put in place appropriate safeguards to ensure that your Personal Data are properly protected and processed only in accordance with this Privacy Policy. We may transfer Personal Data from the EEA to the US using the EU standard contractual clauses, the EU-U.S. Privacy Shield Program, under Binding Corporate Rules, or other lawful mechanisms. You can obtain more information about the safeguards we put in place by contacting us.

EU-U.S. Privacy Shield

We comply with the EU-U.S. and U.S.-Swiss Privacy Shield Frameworks set forth by the U.S. Department of Commerce with respect to our collection, use, and retention of Personal Data from European Union member countries and Switzerland. We have certified that we adhere to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. Furthermore, we require third party recipients of EU/Swiss residents’ Personal Data to agree to respect these principles, and we accept liability for third parties’ processing of EU/Swiss residents’ data to the extent required by law.

If there is any conflict between the policies in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov. You may view the list of Privacy Shield companies here.

We encourage users to contact us if you have any concerns about our compliance with this Privacy Policy and the Privacy Shield Framework. In compliance with the EU-U.S./U.S.-Swiss Privacy Shield Principles, we commit to resolving complaints about your privacy and our collection or use of your Personal Data. EU/Swiss residents with inquiries or complaints regarding this Privacy Policy should first contact us at the address below. We will respond to complaints from EU/Swiss residents within 45 days.

If any complaints by EU/Swiss residents cannot be resolved informally, we have agreed to participate in the JAMS dispute resolution procedures pursuant to EU-U.S./U.S.-Swiss Privacy Shield principles. EU/Swiss residents with unresolved complaints may refer them to may refer them to JAMS here. Under certain circumstances, these dispute resolution processes may result in your ability to invoke binding arbitration. As a U.S. company, we are also subject to the investigatory and enforcement power of the FTC regarding our compliance with the Privacy Shield Framework and this Privacy Policy, and users may direct complaints to the FTC in the event the dispute resolution processes described above is unsatisfactory.

How we Retain Your Personal Data

We retain Personal Data for so long as it, in our discretion, remains relevant to its purpose, and in any event, for so long as is required by law. We will review retention periods periodically and may sometimes pseudonymize or anonymize data held for longer periods, if appropriate.

Your Rights & Choices

You may have certain rights and choices regarding the Personal Data we process. Please note, these rights may vary based on the country or state where you reside, and our obligations under applicable law.
• Additional information regarding individuals’ rights in California are available here.
• Additional information regarding individuals’ rights in the EU/EEA/Switzerland/Cayman Islands are available here.
Your Rights

To the extent applicable law grants you the right to do so, and subject to any necessary verification, you may have the right to:
• request that we provide you with a copy of the Personal Data which we hold about you;
• request that we update any of your Personal Data which are inaccurate or incomplete;
• request that we delete any of your Personal Data which we are holding; or
• request that we provide your Personal Data to you or a third-party provider of services in a structured, commonly-used and machine-readable format.

To submit a request, you may contact our Data Privacy Team. Your request must include your name, email address and postal address and we may require proof of your identity.

Your Choices
Marketing Communications.
You can withdraw your consent to receive marketing communications by clicking on the unsubscribe link in an email. You can also withdraw your consent to receive marketing communications or any other consent you have previously provided to us by contacting us. To opt-out of the collection of information relating to email opens, configure your email so that it does not load images in our emails.

Withdrawing Your Consent/Opt-Out
Where we are processing your Personal Data based on your consent, you may change your mind and withdraw your consent at any time. The consequence of you withdrawing consent might be that we cannot perform certain services for you, such as location-based services, personalization or providing certain types of advertising, or other services conditioned on your consent or choice not to opt-out.

Location Preferences
You may control or limit location data that we collect through our Services by changing your preferences in your device’s location services preferences menu, or through your choices regarding the use of Bluetooth, WiFi, and other network interfaces you may use to interact with our Services. However, please note that use of RFID technologies may be necessary for the functioning of hardware required for certain processing of Personal Data. Note, general location data may still be collected if you opt out of specific location services.

Do-not-Track
Our Services do not respond to your browser’s do-not-track request. If you do not want information collected through the use of cookies, you can manage/deny cookies (and certain technologies) using your browser’s settings menu. You must opt out of third party services directly via the third party. For example, to opt-out of Google’s analytic and marketing services, visit Google Analytics Terms of Use, the Google Privacy Policy, or Google Analytics Opt-out.

Advertising
You may opt out or withdraw your consent to behavioral advertising. In some cases, we may be able to process third party opt-out requests directly (e.g. when you click the “do not sell my personal information” link on our website), however in some cases, you must opt out of third party services directly via the third party. For example, to opt out of Google’s use of cookies, visit Google’s Ads Settings, here. If you wish to take steps to opt-out of tracking by certain online advertisers, you can visit the Digital Advertising Alliance’s opt-out page at http://www.aboutads.info/choices or the Network Advertising Initiative at www.networkadvertising.org/optout_nonppii.asp. You can limit or opt out of our processing for behavioral advertising by contacting us.

Data Sales
If you are a California Resident, or otherwise have the right to opt out of data sales, you may do so through Rocky Mountain National Park Rights Portal or by calling us at 1-844-388-2813. You may be required to validate your identity to ensure your request is not fraudulent.

Regional Rights
See the Your California Privacy Rights section for additional information regarding data sale opt-out, and other privacy rights under California law.

Residents and others in the EU, EEA and Cayman Islands may have rights under EU and other law. See the Your EU/Other Privacy Rights section for additional information.

How we protect your Personal Data

We use industry standard technical and organizational security measures to protect your Personal Data. We cannot guarantee the security of your Personal Data when you transmit it to us, and any such transmission is at your own risk.

Where we have given you (or where you have chosen) a password which enables you to access one of our Services, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Third Party Websites and Mobile Applications
We are not responsible for the privacy policies, content or security of any linked third party websites or mobile applications. We recommend that you check the privacy and security policies of each and every website and mobile application that you visit.

Minors

Our Services are neither directed at nor intended for use by children under the age of 13 in the US, or under the age of 13 to 16 in the EU, depending on the local jurisdiction. We do not knowingly collect Personal Data from such individuals. If we learn that we have inadvertently done so, we will promptly delete it. Do not access or use the Services if you are not of the age of majority in your jurisdiction unless you have the consent of your parent or guardian.

Changes to our Privacy Policy

We reserve the right to change our Privacy Policy from time to time. Any such changes will be posted on this page so that we can keep you informed about how we process your Personal Data. We recommend that you consult this page frequently so that you are aware of our latest Privacy Policy and can update your preferences if necessary. Your continued use of our Services shall constitute your acceptance of any revised Privacy Policy.

Additional Rights and Disclosures: EU/EEA, Switzerland, Cayman Islands, etc.

Your EU/Other Privacy Rights
Under the GDPR and analogous legislation, you may have the following rights notwithstanding those set forth in the Rights & Choices section above, subject to your submission of an appropriately verified request:
Access: You may have a right to know what information we collect, use, disclose, or sell, and you may have the right to receive a list of that Personal Data and a list of the third parties (or categories of third parties) with whom we have received or shared Personal Data, to the extent required and permitted by law. You may be able to access some of the Personal Data we hold about you directly through the account settings menu.

Rectification: You may correct any Personal Data that we hold about you to the extent required and permitted by law. You may be able to make changes to much of the information you provided to us using the account settings menu.
Delete: To the extent required by applicable law, you may request that we delete your Personal Data from our systems. We may delete your data entirely, or we may anonymize or aggregate your information such that it no longer reasonably identifies you. Contact us as part of your request to determine how your Personal Data will be erased in connection with your request.

Data Export: To the extent required by applicable law, we will send you a copy of your Personal Data in a common portable format of our choice.

Objection: You may have the right under applicable law to object to our processing of your Personal Data that we undertake without your consent as in connection with our legitimate business interests (including any processing specified as such, or processed under this Privacy Policy for a Business Purpose). You may do so by contacting us. Note that we may not be required to cease, or limit processing based solely on that objection, and we may continue processing cases where our interests in processing are balanced against individuals’ privacy interests.

You may also object to processing for direct marketing purposes. We will cease processing upon your objection to such processing.

Regulator Contact: You may have the right to contact or file a complaint with regulators or supervisory authorities about our processing of Personal Data. To do so, please contact your local data protection or consumer protection authority.

Additional Rights and Disclosures: California

Your California Privacy Rights
Under the California Consumer Privacy Act (“CCPA”) and other California laws, California residents may have the following rights in addition to those set forth in the Rights & Choices section above, subject to your submission of an appropriately verified request where required by applicable law (see below for verification requirements):

Right to Know
You may request any of following, for the 12 month period preceding your request: (1) the categories of Personal Data we have collected about you, or that we have sold, or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the business or commercial purpose for which we collected or sold your Personal Data; (4) the categories of third parties to whom we have sold your Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.

Right to Delete
You have the right to delete certain Personal Data that we hold about you, subject to exceptions under applicable law

Right to Non-Discrimination
You have the right to not to receive discriminatory treatment as a result of your exercise of rights conferred by the CCPA.

Direct Marketing
You may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year.

Opt-Out of Sale
If we engage in sales of data (as defined by applicable law), you may direct us to stop selling Personal Data to third parties for commercial purposes.

Minors’
To the extent we have actual knowledge that we collect or maintain personal information of a minor under age 16, those minors between the age of 13 and 16 must opt in to any sales of personal information (as defined under CCPA), and minors under the age of 13 must have a parent consent to sales of personal information (as defined under CCPA); all minors have the right to opt-out later at any time.

Minors under age 13 may have other rights under the Children’s Online Privacy Protection Act (“COPPA”).

Minors’ User Content
Individuals under the age of 18 in California can delete or remove posts using the same deletion or removal procedures described above, or otherwise made available through the Services. If you have questions about how to remove your posts or if you would like additional assistance with deletion you can contact us. We will work to delete your information, but we cannot guarantee comprehensive removal of that content or information posted through the Services.

Submission of Requests

You may submit requests, as follows (see below for summary of required verification information):
Opt-Out of Sale
You may visit Rocky Mountain National Park Rights Portal

You may call us at: 1-844-388-2813 and provide the requested information.

Right to Know
You may visit Rocky Mountain National Park Rights Portal
You may call us at: 1-844-388-2813 and provide the requested information.

Right to Delete
You may visit Rocky Mountain National Park Rights Portal
You may call us at: 1-844-388-2813 and provide the requested information.

Direct Marketing
You may request a list of any relevant direct marketing disclosures via email to our privacy team at datarequests@xanterra.com.

Verification of Requests

All rights requests must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of your Personal Data. We may require that you provide the email address we have on file for you (and verify that you can access that email account) as well as an address, phone number, or other data we have on file, in order to verify your identity. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.

Data Processing

Categories of Personal Data Disclosed for Business Purposes
For purposes of the CCPA, we may disclose to Service Providers for “business purposes” the following categories of Personal Data: Identity Data, Contact Data, Location Data, Device/Network Data, Commercial Data, Inference Data, Financial Data, Audio/Visual Data, Health Data, Government ID Data, and User Content.

Categories of Personal Data sold
For purposes of the CCPA, we may “sell” the following categories of Personal Data processed through our Services: Identity Data, Contact Data, Location Data, Device/Network Data, Commercial Data, Inference Data, and User Content.

Right to Know

Category of Data Context Category of Sources Business Purposes Commercial Purposes Category of Recipients
User Content
  • When you access or use our Digital Services
  • When you enter a contest or other promotion
  • Feedback and Surveys
  • When you contact us or submit information to us
From you; Service providers; Agents and partners; Social media companies Service Provision and Contractual Obligations; Internal Processing and Service Improvement; Security and Incident Detection; Compliance, health, safety, public interest; Aggregated data; Personalization; Other Business Purposes Personalization & Consumer Profiles; Marketing Communications; Targeted advertising; Data Sales Xanterra; Service Providers; Social Media Platforms; Agents; Data Aggregators; Successors; Lawful Recipients
Location Data
  • When you visit our properties or locations or travel with companies owned or operated by Xanterra
  • When you access or use our Digital Services
From you; Service Providers Service Provision and Contractual Obligations; Internal Processing and Service Improvement; Security and Incident Detection; Compliance, health, safety, public interest; Aggregated data; Personalization; Other Business Purposes Personalization & Consumer Profiles; Marketing Communications; Targeted advertising; Data Sales Xanterra; Service Providers; Agents; Data Aggregators; Successors; Lawful Recipients
Inference Data
  • When you make a purchase or other transaction through our Service
  • When you visit our properties or locations or travel with companies owned or operated by Xanterra
  • When you access or use our Digital Services
  • Cookies and other tracking technologies
  • Feedback and Surveys
From you; Automatic collection; Service providers; Agents and partners; Aggregators and advertisers; Social media companies; Data we create/infer Service Provision and Contractual Obligations; Internal Processing and Service Improvement; Security and Incident Detection; Compliance, health, safety, public interest; Aggregated data; Personalization; Other Business Purposes Personalization & Consumer Profiles; Marketing Communications; Targeted advertising; Data Sales Xanterra; Service Providers; Agents; Data Aggregators; Successors; Lawful Recipients
Identity Data
  • When you make a purchase or other transaction through our Service
  • When visit our properties or locations or travel with companies operated by Xanterra
  • When you access or use our Digital Services
  • Cookies and other tracking technologies
  • Feedback and Surveys
  • When you enter a contest or other promotion
  • When you contact us or submit information to us
From you; Automatic collection; Service providers; Agents and partners; Aggregators and advertisers; Social media companies; Data we create/infer Service Provision and Contractual Obligations; Internal Processing and Service Improvement; Security and Incident Detection; Compliance, health, safety, public interest; Aggregated data; Personalization; Other Business Purposes Personalization & Consumer Profiles; Marketing Communications; Targeted advertising; Data Sales Xanterra; Service Providers; Agents; Data Aggregators; Successors; Lawful Recipients
Health Data When you travel with certain Xanterra companies From you; Service Providers Service Provision and Contractual Obligations; Security and Incident Detection; Compliance, health, safety, public interest; Aggregated data; Other Business Purposes None Service Providers; Successors; Lawful Recipients
Government ID Data When you enter a contest or other promotion, or when you travel with certain Xanterra companies From you; Service Providers Service Provision and Contractual Obligations; Security and Incident Detection; Compliance, health, safety, public interest; Other Business Purposes None Service Providers; Successors; Lawful Recipients
Financial Data When you make a purchase or other transaction through our Service From you; Service Providers Service Provision and Contractual Obligations; Security and Incident Detection; Compliance, health, safety, public interest; Aggregated data; Other Business Purposes Personalization & Consumer Profiles; Targeted advertising Xanterra; Service Providers; Agents; Successors; Lawful Recipients
Device/ Network Data
  • When you make a purchase or other transaction through our Service
  • When you visit our properties or locations or travel with companies owned or operated by Xanterra
  • When you access or use our Digital Services
  • Cookies and other tracking technologies
From you; Automatic collection; Service providers; Agents and partners; Aggregators and advertisers; Social media companies; Data we create/infer Service Provision and Contractual Obligations; Internal Processing and Service Improvement; Security and Incident Detection; Compliance, health, safety, public interest; Aggregated data; Personalization; Other Business Purposes Personalization & Consumer Profiles; Marketing Communications; Targeted advertising; Data Sales Xanterra; Service Providers; Agents; Data Aggregators; Successors; Lawful Recipients
Contact Data
  • When you make a purchase or other transaction through our Service
  • When you visit our properties or locations or travel with companies owned or operated by Xanterra
  • When you access or use our Digital Services
  • Cookies and other tracking technologies
  • Feedback and Surveys
  • When you enter a contest or other promotion
  • When you contact us or submit information to us
  • When you enter a contest or other promotion
  • When you contact us or submit information to us
From you; Automatic collection; Service providers; Agents and partners; Aggregators and advertisers; Social media companies; Data we create/infer Service Provision and Contractual Obligations; Internal Processing and Service Improvement; Security and Incident Detection; Compliance, health, safety, public interest; Aggregated data; Personalization; Other Business Purposes Personalization & Consumer Profiles; Marketing Communications; Targeted advertising; Data Sales Xanterra; Service Providers; Agents; Data Aggregators; Successors; Lawful Recipients
Commercial Data
  • When you make a purchase or other transaction through our Service
  • When you visit our properties or locations or travel with companies owned or operated by Xanterra
From you; Automatic collection; Service providers; Agents and partners; Data we create/infer Service Provision and Contractual Obligations; Internal Processing and Service Improvement; Security and Incident Detection; Compliance, health, safety, public interest; Aggregated data; Personalization; Other Business Purposes Personalization & Consumer Profiles; Marketing Communications; Targeted advertising; Data Sales Xanterra; Service Providers; Agents; Data Aggregators; Successors; Lawful Recipients
Audio/Visual Data
  • When you visit our properties or locations or travel with companies owned or operated by Xanterra
  • Closed Circuit Television (CCTV)
From you; Automatic collection; Service Providers Service Provision and Contractual Obligations; Security and Incident Detection; Compliance, health, safety, public interest; Aggregated data; Other Business Purposes none Service Providers; Successors; Lawful Recipients