privacy policy

Revised and effective December 13, 2023

Download | Regional Supplements | Prior Version

Xanterra Leisure Holding, LLC, along with its subsidiary companies listed below (collectively “Xanterra,” “us,” “our,” or “we”), is committed to respecting your privacy. This Privacy Policy (“Privacy Policy”) describes how we collect, process, and share your Personal Data (defined below). We also describe your rights and choices with respect to your Personal Data and other important information. Please read this Privacy Policy carefully.

Scope of This Policy

This Privacy Policy applies to Personal Data collected through our “Services”, which include:

  • Our “Offline Services” – Services you use when you visit properties or travel with companies operated by Xanterra;
  • Our “Digital Services” – Our websites, mobile applications, and other online services, including data collected when you interact with or reference our products/services or advertisements online.

Note that certain third parties may be able to identify you across sites and services using the information they process; however, any such processing not done at the direction of Xanterra is outside the scope of this Privacy Policy. This Privacy Policy does not apply to Personal Data collected in the employment context or for other HR purposes, all of which is covered by our HR Privacy Notice.

Who We Are

Xanterra Leisure Holding, LLC is a Colorado-based company with offices at 6312 S. Fiddlers Green Cir., Ste. 600 North, Greenwood Village, Colorado 80111. Its subsidiary companies include, at the time of publication of this Privacy Policy: Xanterra Holding Corporation; Xanterra Leisure Resort Holding, LLC; Xanterra Parks & Resorts, Inc.; Xanterra South Rim, L.L.C.; GCR Acquisitions, LLC; Grand Canyon Railway, LLC; Grand Canyon Railway Hotel, LLC; Xanterra Tusayan, LLC; Xanterra Cedar Creek, LLC; Xanterra Adventure Companies, LLC; Holiday Vacations, LLC; Xanterra Cruise, LLC; Otago France; Windstar Cruises Marshall Islands, LLC; and Windstar Cruises, LLC.

How to Contact Us/Controller

If you have any comments or questions about this Privacy Policy or privacy practices, please contact our Data Privacy Team at:

Xanterra Leisure Holding, LLC
Attn: Privacy
6312 S. Fiddlers Green Cir. Ste. 600N
Greenwood Village, CO 80111

The controller of your Personal Data under this Policy is Xanterra Leisure Holding, LLC. If you have any comments or questions about this Privacy Policy or privacy practices, please contact our Data Privacy Team at:

Xanterra Leisure Holding, LLC
Attn: Privacy
6312 S. Fiddlers Green Cir., Ste. 600 North
Greenwood Village, CO 80111

General Inquiries and Data Updates: preferences@xanterra.com

Marketing Choices: If you would like to make changes to your communications preferences with regard to any Xanterra entity, click the link in any email from the applicable Xanterra entity to change your preferences with regard to that entity, or send us an email at preferences@xanterra.com and let us know to which Xanterra entity your request is related.

Data Rights: to exercise your data rights (access, deletion, correction) with regard to a particular Xanterra entity, visit the Xanterra Rights Portal link on the privacy policy page accessed from that Xanterra entity’s website or call 1-844-388-2813.

Opt-Out of Data Sales and Sharing (for advertising purposes), Limit Sensitive Data Use/Processing: to opt out of data sales and sharing (as defined by applicable data privacy laws) with regard to a particular Xanterra entity, you may either visit our Privacy Choices Portal to opt-out for the Xanterra entity from which you have accessed this privacy policy, click the “Your Privacy Choices” link from that entity’s website, or in the US call 1-844-388-2813.

Direct Marketing Disclosure Requests: please email datarequests@xanterra.com.


Categories and Sources of Personal Data

The following describes how we process data relating to identified or identifiable individuals and households (“Personal Data”).

Categories of Personal Data We Process

The categories of Personal Data we process may include:

Audio/Visual Data - Recordings and images collected from our surveillance cameras when you visit our properties and locations and areas adjacent to them, as well as audio files and records, such as voice mails, call recordings, and the like.

Biographical Data - Data relating to professional and employment history, qualifications, and similar biographic information. Transaction Data-Information about the Services we provide to you and about reservations and transactions you make with Xanterra or other companies operating through us or on our behalf (including travel agents), information relating to operations or services at our properties and locations you visit, information about purchases and the method of payment you have used for purchases (including gift card purchase and use), what has been provided to you, when and where and, if applicable, how much you paid, and similar information.

Contact Data - Identity Data that relates to information about how we can communicate with you, such as email, phone numbers, physical addresses, social media handles, and information you provide to us when you contact us by email or when you communicate with us via social media.

Device / Network Data - Browsing history, search history, and information regarding your interaction with a web site, mobile application, or advertisement (e.g., IP Address, MAC Address, SSIDs or other device identifiers or persistent identifiers), online user ID, device characteristics (such as browser/OS version), web server logs, application logs, browsing data, first party cookies, third party cookies, web beacons, clear gifs and pixel tags, as well as similar information collected when you use Wi-Fi at our properties or on our ships.

Identity Data - Information such as your name; address; email address; telephone number; date of birth, account login details, including your user name and password, license plate number, or other account-related information; your identity, public profile, and similar information from social networks; and information such as unique IDs and similar data collected or derived from the use of RFID enabled products such as keycards.

Inference Data - Personal Data used to create a profile about you reflecting your preferences, characteristics, behavior, and market segments, likes, favorites and other data or analytics provided about you or your account by social media companies or data aggregators, including household data such as income, number of children, occupation, home ownership status, the products and services you use or intend to use or purchase, and your interests.

General Location Data - Non-precise location data, such as dates and times of your visit, which properties or locations you visited, and location specified by social media tags/posts.

Sensitive Personal Data - Personal Data deemed “sensitive” under various privacy laws, such as social security, driver’s license, state identification card, or passport number; account log-in and password, financial account, debit card, or credit card number; precise location data; racial or ethnic origin, religious or philosophical beliefs, etc. We may collect (either directly or through third parties who may provide the data to us) the following categories of Sensitive Personal Data:

  • “Government ID Data” relates to official government identification, such as driver’s license or passport numbers, including similar Identity Data protected as Sensitive Data under applicable law.
  • “Health Data” includes information about your health, temperature, or vaccinations, or other information health-related information you may provide in connection with your bookings.
  • “Payment Data” includes information such as bank account details, payment card information, and information from credit reference agencies, including similar data as defined in applicable law, and relevant information in connection with a financial transaction.
  • “Precise Location Data” relates to data from GPS, Wi-Fi triangulation, certain localized Bluetooth beacons, mobile devices, or technologies used to locate you at a precise location and time.

User Content - Unstructured/free-form data that may include any category of Personal Data, e.g., data that you give us in free text fields such as comment boxes, answers you provide when you participate in sweepstakes, contests, votes and surveys, including any other Personal Data which you may provide through or in connection with our Services.

Sources of Personal Data We Process

We collect Personal Data from various sources, which include:

Data you provide us - We receive your Personal Data when you provide them to us, when you purchase our products or services, or complete a transaction via our Services, when you purchase or use one of our gift cards, or when you otherwise use our Services.

Data we collect automatically - We collect Personal Data about or generated by any device you have used to access our Services, the websites of any service provider used to purchase accommodations at properties or travel with companies operated by Xanterra, or when you use Wi-Fi at any of our properties or while traveling with companies operated by us.

Service Providers & Agents - We receive Personal Data from on-line travel agents such as Expedia or booking.com or brick and mortar travel agents who transfer Personal Data to us when you purchase accommodations or services from them in connection with Services that we provide, and other service providers performing services on our behalf.

Aggregators and advertisers - We receive Personal Data from ad networks, behavioral advertising vendors, market research companies, data brokers, and social media companies or similar companies that provide us with additional Personal Data such as Inference Data.

Social media companies - We receive Personal Data from Meta (e.g. Facebook and Instagram) and other social media companies who may transfer Personal Data to us when you register for one of our Services or interact with that social media company on or in connection with our services, properties or locations.

Data we create or infer - We, certain partners, social media companies, and third parties operating on our behalf create and infer Personal Data such as Inference Data or Aggregate Data based on our observations or analysis of other Personal Data processed under this Policy, and we may correlate this data with other data we process about you. We may combine any Personal Data about you that we receive from you, from other companies within our family of companies, and from third parties.

Data Processing Contexts/Notice at Collection

Note: please click the following links to view information on Data Retention or Regional Data Rights for any of the processing contexts listed below.

Purchases and Transactions

We process Identity Data, Transaction Data, Payment Data, Inference Data, Device/Network Data, and Contact Data when you engage in a purchase and sale transaction, whether through our Digital Services or in person, and whether for our products, our services, our gift cards, or otherwise. If provided, we also process Health Data (such as your requests for health-related accommodations, or as otherwise necessary in connection with your visit – please see “Health Data” below) and Government ID Data.

We process this Personal Data as necessary to perform or initiate a contract with you, process your order and payment, carry out fulfillment and delivery, track the use and balance of gift cards, and for our Business Purposes. We may process Identity Data, Transaction Data, Preference Data, Contact Data, and Device/Network Data for Commercial Purposes (which may include data sales/sharing). We do not sell or “share” (for behavioral advertising purposes) Payment Data, Government ID Data, or Health Data or use it for Business Purposes not permitted under applicable law.

Third party businesses/controllers may receive your information. Third Party data controllers/businesses (such as service providers) provide many products and services you purchase through our Services. We may disclose Identity Data, Transaction Data, Contact Data, and Device/Network Data to those third parties. You may also direct us to disclose this data to or interact with these third parties as part of visiting our properties or making a purchase (which does not involve a data sale by us).

Marketing Communications

We process Device/Network Data, Contact Data, Identity Data, and Inference Data in connection with marketing communications, push notifications, telemarketing, or similar communications, and when you open or interact with those communications. You may receive marketing communications if you consent and, in some jurisdictions, as a result of account registration or a purchase.

We process this Personal Data to contact you about relevant products or services and for our Business Purposes. We may use this data for our Commercial Purposes (which may include data sales/sharing). Marketing communications may also be personalized as permitted by applicable law, but will not involve Targeted Advertising where users have opted out or not provided necessary consents. See your Rights & Choices to limit or opt out of this processing.

Visiting Our Properties or Traveling with Companies Operated by Xanterra

Generally

We process Identity Data, Transaction Data, and Contact Data when you visit our properties or travel with Xanterra. Additionally, if you use electronic or RFID technologies, or use on-premise Digital Services, we will collect Device/Network Data (see below for additional information regarding our Digital Services). In some cases, we will collect Health Data as may be needed in connection with your travel and activities (please also see “Health Data” below) and Government ID Data for identification purposes and in connection with regional requirements. In some situations, when you travel with a Xanterra entity, we may recommend that you use certain mobile applications. Certain mobile applications may feature the branding of a Xanterra entity but are operated for us by third parties, or in other cases the mobile applications may be entirely those of third parties.

We may process Identity Data, Transaction Data, Contact Data, Inference Data, and General Location Data as necessary to operate our properties and provide our services to you, for our Business Purposes, and our other legitimate interests, including:

  • verifying your identity for authentication and security purposes;
  • helping us to ensure our customers are genuine and to prevent fraud;
  • notifying you via email or SMS regarding changes in circumstances impacting your visit; and
  • to help us to return lost property to its rightful owner

We may also use Identity Data, Commercial Data, Contact Data, and Race or Ethnic Origin Data collected in this context for Commercial Purposes. We do not sell or “share” Payment Data, Government ID Data, Health Data, Race or Ethnic Origin Data, or use this data for Business Purposes not permitted under applicable law.

Third parties operating mobile applications on our behalf may collect or process Precise Location Data if you have permitted the collection of such data from your mobile device.

Health Data

In certain cases, we process Health Data. Health Data, such as your vaccinations, temperature, data on health screening questionnaires, and/or your COVID-19 testing status, may be required (by us or by various laws, regulations, or local authorities) in order to book or embark on some of our offerings, visit certain properties we manage, or visit certain locations at which our cruise ships or tours may stop. Health Data is also used so that we can provide certain services to you such as to provide you with tailored services (for example, a wheelchair accessible space or a sign language interpreter) or in connection with our response to health-related incidents that may have taken place at properties or while traveling with companies operated by Xanterra. Health Data may also be required in connection with certain activities.

Where we collect Health Data, we will use it only as necessary to fulfill or ensure compliance with relevant booking contracts, to protect the health, safety, and vital interests of our personnel, guests and the public, to provide healthcare services you may request (where available), and as otherwise necessary for authorized Business Purposes. In each case, where consent is required by law, we will process this information only with appropriate consent. We do not sell or “share” (for behavioral advertising purposes) Health Data or use it for Business Purposes not permitted under applicable law.

CCTV Data

We may process Audio/Visual Data in connection with CCTV or security cameras on and adjacent to properties and facilities managed by Xanterra. We process this data as necessary to operate our CCTV systems, for our Business Purposes, and our other legitimate business interests, such as:

  • preventing and detecting crime and to keep people who visit and work at our company locations safe and secure;
  • recording and investigating health and safety and other incidents which have happened or may have happened at properties or while traveling with companies operated by Xanterra;
  • counting the numbers of people who visit our properties and to analyze flows of people around the properties and facilities for safety and commercial purposes using software which analyzes CCTV camera images; and
  • creating aggregate data.

We do not sell or “share” Audio/Visual Data collected in this context.

Digital Services

Generally

We process Device/Network Data, Contact Data, Identity Data, General Location Data, and Inference Data when you use our Digital Services. You may also be able to complete purchases, sign up as a travel advisor, or enroll in marketing communications through our Digital Services. We may process Precise Location Data through certain Digital Services if you consent. Location Data may be required in order for you to use certain features of our Digital Services. Please note: in some situations, Precise Location Data may be collected by a third party mobile application recommended by Xanterra, and in some circumstances, the data may be owned and controlled by that third party rather than Xanterra.

We use this Personal Data as necessary to operate our Digital Services, such as keeping you logged in, delivering pages, etc., for our Business Purposes, and our other legitimate interests, such as:

  • enhancing the security of our websites, mobile applications and other technology systems;
  • analyzing the use of our Services, including navigation patterns, clicks, etc. to help understand and make improvements to the Services, to provide directions and contextual information to you, and other features that require the use of location. This may include the use of “session capture” or “session replay” software, which we use to understand how users are interacting with our websites, and to help us make decisions regarding design and functionality. Third party service providers operating this software may capture this data on our behalf.
  • creating aggregate information about users’ location and patterns, which we use to help improve our Services.

We may process this Personal Data for our Commercial Purposes (which may include data sales/sharing). You have the right to limit our use of Precise Location Data by withdrawing consent to or disabling the collection of Precise Location Data.

Cookies, Pixels, Similar Technologies, and Targeted Advertising

General

If you do not want information collected through the use of cookies or pixels, you can manage/deny cookies, pixels, and similar technologies using your browser’s settings menu or the Cookie Preferences page for the Xanterra entity website from which you have arrived at this Privacy Policy. You may need to opt out of third-party services directly via the third party. For example, to opt-out of Google’s analytic and marketing services, visit Google Analytics Terms of Use, the Google Policy, or Google Analytics Opt-out.

Targeted Advertising

You may opt out or withdraw your consent to Targeted Advertising by visiting our Privacy Choices Portal. In some cases, you may be able to opt-out by submitting requests to third party partners, including for the vendors listed below:


Global Privacy Control (GPC)

Our Digital Services may support certain automated opt-out controls, such as the Global Privacy Control (“GPC”). GPC is a specification designed to allow Internet users to notify businesses of their privacy preferences, such as opting-out of the sale/sharing of Personal Data. To activate GPC, users must enable a setting or use an extension in the user’s browser or mobile device. Please review your browser or device settings for more information regarding how to enable GPC.

Please note: We may not be able to link GPC requests to your Personal Data in our systems, and as a result, some sales/sharing of your Personal Data may occur even if GPC is active. See the “Regional Supplements” section below for more information regarding other opt-out rights.

Do-Not-Track - Our Services do not respond to your browser’s do-not-track request.

We and authorized third parties may use cookies and similar technologies for the following purposes:

  • for “essential” purposes necessary for our Digital Services to operate (such as maintaining user sessions, CDNs, and the like);
  • for “functional” purposes, such as to enable certain features of our Digital Services (for example, to allow a customer to maintain a basket when they are shopping at an online store);
  • for “analytics” purposes and to improve our Digital Services, such as to analyze the traffic to and on our Digital Services (for example, we can count how many people have looked at a specific page, or see how visitors move around the websites when they use them, to distinguish unique visits/visitors to our Digital Services, and what website they visited prior to visiting our websites, and use this information to understand user behaviors and improve the design and functionality of the websites);
  • for “retargeting,” Targeted Advertising, or other advertising and marketing purposes, including technologies that process Inference Data or other data so that we can deliver, buy, or target advertisements which are more likely to be of interest to you; and
  • for “social media” e.g. via third-party social media cookies, or when you share information using a social media sharing button or “like” button on our Services or you link your account or engage with our content on or through a social networking website such as Facebook or X (also known as "Twitter").

We may also process this Personal Data for our Business Purposes and Commercial Purposes (which may include data sales/sharing). See your Rights & Choices for information regarding opt-out rights for cookies and similar technologies. You may implement your preferences with regard to cookies and similar tracking technologies by visiting the Cookie Preferences Page for the Xanterra entity website from which you have arrived at this Privacy Policy.

Third parties may view, edit, or set their own cookies or place web beacons on our websites. We, or third-party providers, may be able to use these technologies to identify you across platforms, devices, sites, and services. Third parties may engage in Targeted Advertising using this data. Third parties have their own privacy policies and their processing is not subject to this Policy.

Data Security

We implement and maintain commercially reasonable security measures to secure your Personal Data from unauthorized processing. While we endeavor to protect our Services and your Personal Data unauthorized access, use, modification and disclosure, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others.

Children

Our Services are neither directed at nor intended for use by persons under the age of 13 in the US, or under the age of 13 to 16 in the EEA, UK, Switzerland, Cayman Islands, or 15/16 in Australia. Further, we do not knowingly collect Personal Data from minors. If we learn that we have inadvertently done so, we will promptly delete it. Do not access or use the Services if you are not of the age of majority in your jurisdiction unless you have the consent of your parent or guardian.

Data Retention

We retain Personal Data for so long as it is reasonably necessary to achieve the relevant processing purposes described in this Privacy Policy, or for so long as is required by law. What is necessary may vary depending on the context and purpose of processing. We generally consider the following factors when we determine how long to retain data (without limitation):

  • Retention periods established under applicable law;
  • Industry best practices;
  • Whether the purpose of processing is reasonably likely to justify further processing;
  • Risks to individual privacy in continued processing;
  • Applicable data protection impact assessments;
  • IT systems design considerations/limitations; and
  • The costs associated continued processing, retention, and deletion.

We typically retain Government ID Data and Health Data for so long as you are receiving relevant Services from us (e.g. the duration of your stay or travels). However, we may need to retain such data for longer periods based on legal requirements, other business needs related to your travel, or in connection with incidents during your travel.

We will review retention periods periodically and may pseudonymize or anonymize data held for longer periods.

Third Party Websites and Mobile Applications

Except for processing by our service providers (described below), this Privacy Policy does not apply to third party websites, products, or services. For example, we handle some purchases on our Services directly, and third party businesses manage others. Third parties may operate or develop some Xanterra websites and mobile apps, may operate or host a contest/sweepstakes on our Services. In these cases, the terms, conditions, and privacy practices of the third party, not those of the Xanterra, may govern your transactions, and we may have no control over the Personal Data collected.

Changes to Our Policy

We may change this Policy from time to time. We will post changes on this page. We will notify you of any material changes, if required, via email or notices on our Digital Services. Your continued use of our Services constitutes your acknowledgement of any revised Policy.

Regional Supplements

US States/California & Others

US State & California Privacy Rights & Choices

Under the California Consumer Privacy Act (“CCPA”) and other state privacy laws, residents of certain US states may have the following rights, subject to regional requirements, exceptions, and limitations.

Confirm-Right to confirm whether we process your Personal Data.

Access/Know-Right to request any of following: (1) the categories of Personal Data we have collected, sold/shared, or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the purposes for which we collected or sold/shared your Personal Data; (4) the categories of third parties to whom we have sold/shared your Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.

Portability-Right to request that we provide certain Personal Data in a common, portable format.

Deletion- Right to delete certain Personal Data that we hold about you.

Correction-Right to correct certain Personal Data that we hold about you.

Opt-Out (Sales, Sharing, Targeted Advertising, Profiling)- Right to opt-out of the following:

  • If we engage in sales of data (as defined by applicable law), you may direct us to stop selling Personal Data.
  • If we engage in Targeted Advertising (aka “sharing” of personal data or cross-context behavioral advertising,) you may opt-out of such processing.
  • If we engage in certain forms of “profiling” (e.g. profiling that has legal or similarly significant effects), you may opt-out of such processing.

Revoke Consent for Use of Sensitive Personal Data-If we are collecting, using or otherwise processing your Sensitive Personal Data solely based on consent you have provided, you may revoke that consent at any time. Please note that we only use Sensitive Personal Data where necessary and in accordance with the specific purposes authorized by applicable law, subject to your consent where required. For California residents, because we do not process Sensitive Personal Data for purposes other than those listed in CCPA section 7027(m), the right to limit use of Sensitive Personal Data is not applicable.

Opt-in/Opt-out of Sale/Sharing of Minors’ Personal Data-To the extent we have actual knowledge that we collect or maintain personal information of a minor under age 16 in California, those minors must opt in to any sales/sharing of personal information (as defined under CCPA), and minors under the age of 13 must have a parent consent to sales/sharing of personal information. All minors have the right to opt-out later at any time.

Non-Discrimination-California residents have the right to not to receive discriminatory treatment as a result of your exercise of rights conferred by the CCPA.

List of Direct Marketers-California residents may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year.

Remove Minors’ User Content-Residents of California under the age of 18 can delete or remove posts using the same deletion or removal procedures described above, or otherwise made available through the Services. If you have questions about how to remove your posts or if you would like additional assistance with deletion you can contact us. We will work to delete your information, but we cannot guarantee comprehensive removal of that content or information posted through the Services.

Submission of Requests

You may submit requests to a specific Xanterra entity, as follows (please our review verification requirements section). If you have any questions or wish to appeal any refusal to take action in response to a rights request, contact us at datarequests@xanterra.com. We will respond to any request to appeal within the period required by law.


Request Type
Action
Access/Know, Confirm Processing, Portability, Deletion, and Correction You may visit our Data Request Portal (applicable to the specific Xanterra entity listed on the portal page)

You may call us at: 1-844-388-2813. You will be directed to leave a voicemail where you will provide your email address, phone number and address we have on file, along with your request.

You may send mail to our Contact Us address above with your email address, phone number and address we have on file, along with your request.
Opt-Out or Opt-In: Sales, Sharing, Targeted Advertising or Profiling, Opt-in/Opt-out of Sale/Sharing of Minors’ Personal Data You may visit our Privacy Choices Portal (applicable to the specific Xanterra entity listed on the portal page)

You may call us at: 1-844-388-2813. You will be directed to leave a voicemail where you will provide your email address, phone number or address, along with your request.

You may send mail to our Contact Us address above with your email address, phone number or address on file, along with your request.

Note: Digital Services supporting GPC (or similar standards) will treat the request as a request to opt-out of Targeted Advertising/sharing on the device where the GPC setting is active.
Revoke Consent for Sensitive Personal Data; List of Direct Marketers; Remove Minors' User Consent Contact us via email to our privacy team at datarequests@xanterra.com

Categories of Personal Data Disclosed for Business Purposes

For purposes of the CCPA, we have disclosed to Service Providers for “business purposes” in the preceding 12 months the following categories of Personal Data, to the following categories of recipients:

Category of Personal Data
Category of Recipients
Audio Visual Data
Biographical Data
Transaction Data
General Location Data
Xanterra Companies; Service Providers; Partners, Excursions & Local Providers; Successors; Lawful Recipients
Inference Data
Device/Network Data
Xanterra Companies; Service Providers; Partners, Excursions & Local Providers; Data Aggregators; Successors; Lawful Recipients
Contact Data
Identity Data
Xanterra Companies; Service Providers; Partners, Excursions & Local Providers; Public Disclosure; Data Aggregators; Successors; Lawful Recipients
Gov. ID Data
Health Data
Xanterra Companies; Service Providers; Partners, Excursions & Local Providers; Successors; Lawful Recipients; Contact Us/Support
Sensitive Personal Data
Payment Data
Xanterra Companies; Service Providers; Successors; Lawful Recipients

Categories of Personal Data Sold, Shared, or Disclosed for Commercial Purposes

For purposes of the CCPA, we have “sold” or “shared” in the preceding 12 months the following categories of Personal Data to the following categories of recipients:

Category of Personal Data
Category of Recipients
Contact Data
Device/Network Data
Identity Data
Inference Data
General Location Data
Advertisers and Social Media Platforms; Data Aggregators

Categories of Sensitive Personal Data Used or Disclosed

For purposes of CCPA, we use, and may disclose as described above, the following categories of Sensitive Personal Data: Government ID Data; Health Data; Payment Data; Precise Location Data. However, we do not sell or “share” (for behavioral advertising purposes) Sensitive Personal Data. We do not use these categories of Sensitive Personal Data for purposes other than those listed in CCPA section 7027(m).


EEA/UK/Switzerland/Cayman Islands

Controller

The controller of Personal Data relating to residents of the UK/EEA/Switzerland/Cayman Islands is: Xanterra Leisure Holding, LLC, 6312 S. Fiddlers Green Cir., Ste. 600N, Greenwood Village, CO 80111.

Rights & Choices

Residents of the EEA, UK, Switzerland, and the Cayman Islands have the following rights. Please our review verification requirements. Applicable law may provide exceptions and limitations to all rights.

Access-You may have a right to access the Personal Data we process.

Rectification-You may correct any Personal Data that you believe is inaccurate.

Deletion-You may request that we delete your Personal Data. We may delete your data entirely, or we may anonymize or aggregate your information such that it no longer reasonably identifies you.

Data Export-You may request that we send you a copy of your Personal Data in a common portable format of our choice.

Restriction-You may request that we restrict the processing of personal data to what is necessary for a lawful basis.

Objection-You may have the right under applicable law to object to any processing of Personal Data based on our legitimate interests. We may not cease or limit processing based solely on that objection, and we may continue processing where our interests in processing are appropriately balanced against individuals’ privacy interests. In addition to the general objection right, you may have the right to object to processing:

  • for Profiling purposes;
  • for direct marketing purposes (we will cease processing upon your objection); and
  • involving automated decision-making with legal or similarly significant effects (if any).

Regulator Contact-You have the right to file a complaint with regulators about our processing of Personal Data. To do so, please contact your local data protection or consumer protection authority.

Submission of Requests

  • Access, Rectification, Data Export, Deletion, Restriction, or Correction: please visit our Data Request Portal (applicable to the specific Xanterra entity listed on the portal page).
  • Restriction; Do Not Sell:please visit our Privacy Choices Portal (applicable to the specific Xanterra entity listed on the portal page).
  • For other questions or requests, please contact us via email to our privacy team at datarequests@xanterra.com

Lawful Basis for Processing

Legal Basis
Description of Basis & Relevant Purposes
Relevant Contexts / Purposes / Disclosures
Performance of a contract The processing of your Personal Data is strictly necessary in the context in which it was provided, e.g. to perform the agreement you have with us, to provide products and services to you, to open and maintain your user accounts, to deliver ticket(s) you have purchased, or process requests. Contexts
Contexts where Personal Data (excluding Sensitive Personal Data) is processed for purposes listed below
Cookies and Other Tracking Technologies (strictly necessary)

Purposes
Service

Disclosures
Partners, Excursions & Local Providers;
Public Disclosure
Legitimate interests This processing is based on our legitimate interests. For example, we rely on our legitimate interest to administer, analyze and improve our Services and related content, to operate our business including through the use of service providers and subcontractors, to send you notifications about our Services or products you have purchased, for archiving, recordkeeping, statistical and analytical purposes, and to use your Personal Data for administrative, fraud detection, audit, training, security, or legal purposes. See the Business Purposes of Processing section above for more information regarding the nature of processing performed on the basis of our legitimate interests. Contexts
Contexts where Personal Data (excluding Sensitive Personal Data) is processed for specified legitimate interests or purposes listed below

Purposes
-We process Personal Data as necessary to provide our products and Service, to authenticate users and their rights to access the Service and as otherwise necessary to fulfill our contractual obligations to you, and provide you with the information, features, and services you request. Similarly, we may use Personal Data as necessary to audit compliance, and log or measure aspects of service delivery (e.g., to document ad impressions). Internal Processing and Service Improvement

-Security and Incident Detection

-Personalization

-Aggregated Data

-Consumer Profiles

-Personalized Marketing Communications

Disclosures
-Service Providers

-Partners, Excursions & Local Providers

-Advertisers, and Social Media Platforms

-Data Aggregators

-Successors

-Lawful Recipients
Consent This processing is based on your consent. You are free to withdraw any consent you may have provided, at any time, subject to your rights/choices, and any right to continue processing on alternative or additional legal bases. Withdrawal of consent does not affect the lawfulness of processing undertaken prior to withdrawal. Contexts
-Contexts where Personal Data is processed for purposes listed below

-Cookies and Other Tracking Technologies (except strictly necessary)

-Processing of Sensitive Personal Data

-Marketing communications

Purposes
-Targeted Advertising

-Data “Sales"

Disclosures
-Advertisers and Social Media Platforms
Compliance with legal obligations This processing is based on our need to comply with legal obligations. We may use your Personal Data to comply with legal obligations to which we are subject, including to comply with legal process. See the Business Purposes of Processing section above for more information regarding the nature of processing performed for compliance purposes. Business Purposes
- Compliance, Health, Safety, Public Interest

Disclosures
- Lawful Recipients
- Partners & Excursions
(e.g. for investigations)
Performance of a task carried out in the public interest This processing is based on our need to protect recognized public interests. We may use your Personal Data to perform a task in the public interest or that is in the vital interests of an individual. See the Business Purposes of Processing section above for more information regarding the nature of processing performed for such purposes. Business Purposes
- Compliance, Health, Safety, Public Interest

Disclosures
- Lawful Recipients
- Partners & Excursions
(e.g. for health and safety)

Australia

Rights and Choices

Residents of Australia have the right under the Privacy Act to request access or correct Personal Data we hold about you, the right to erasure, and the right to withdraw any consent you may have provided with regard to processing your Personal Data. If you make a request, we will require you to verify your identity before we provide you with any access, as described in the verification requirements section.

Submission of Australian Data Requests

  • Access, Deletion or Correction: please visit our Data Request Portal (applicable to the specific Xanterra entity listed on the portal page).
  • Withdraw Consent (including Restriction or Do Not Sell): please visit our Privacy Choices Portal (applicable to the specific Xanterra entity listed on the portal page).
  • For other questions or requests, please Contact us via email to our privacy team at datarequests@xanterra.com.

Purposes of Processing

In certain cases, we may not automatically process your Personal Data for certain purposes. We rely on your consent to process Personal Data as follows:

Contexts
  • Cookies and Other Tracking Technologies for Targeted Advertising
  • Any context where we process certain categories of Sensitive Personal Data (including Health Data, Government ID Data, Payment Data and Precise Location Data)
  • Marketing communications

Purposes
  • Targeted Advertising
  • Data Sales

Disclosures
  • Advertisers and Social Media Platforms

Regulatory Contact

You may contact the Office of the Australian Information Commissioner (OAIC) or you may contact us with any complaints regarding our privacy practices. We will respond to complaints we receive in a timely manner and process your data in accordance with your rights and our legal obligations.