PRIVACY POLICY

Aqua Watersports Ltd is committed to safeguarding and preserving the privacy of our visitors. We understand that customers care about the use and storage of their personal information and data and we value your trust in allowing us to do this in a careful and sensible manner.

This policy explains what happens to any personal data that you provide to us whilst you use our website, visit Aqua Watersports at our Reception Dock, or contact us by phone or e-mail. Whilst using our services and visiting our website you are consenting and agreeing to the practices outlined in this statement. Aqua Watersports will always handle information in compliance with the Cayman Data Protection Law (DPL) (2019).

We collect your data and personal information in the following ways:

Through our online services, when you visit our website, use the ‘Contact us’ form for an enquiry; book a tour online; subscribe to any newsletters; respond to any surveys or competitions.

Upon completion of the Waiver Form prior to the tour date or completion of the Waiver Form at check-in of your tour at our Reception Dock.

Every time you contact us with your details by telephone, e-mail, post or otherwise.

We work closely with third parties (including business partners (for example Hotels/Condos), third party booking agents and payment and delivery services and may receive information about you from them which we will add to the information which we may already hold about you in order to help us provide goods and services and to improve your experience with us. This will also ensure that the quality of personal data we have is maintained properly.

Personal identification information:

We will collect personal identification information from clients only if they voluntarily submit such information to us.

Clients and minors of clients’ of Aqua Watersports may be asked for, as appropriate, name, e-mail address, age, phone number, accommodation during their stay in Grand Cayman, emergency contact details, any medical conditions/allergy/disability and current medication. Details of an Emergency contact including, name, relationship, phone number and email.

Clients can always refuse to supply personal identification information, except when required by law.

Refusal of personal identification information may prevent clients from engaging in certain activities or services.

Special category data, such as allergies and health conditions, are only obtained voluntarily and are used only to provide services you request for example lunch on board the boat.

Non-personal identification information:

We may collect non-personal identification information about clients whenever they interact with our website.

Non-personal identification information may include the browser name, the type of computer and technical information about visitor’s means of connection to our website, such as the operating system, the Internet service provider’s utilised and other similar information.

How we collect and store your information:

We adopt strict procedures appropriate to data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction or unlawful processing of your personal data.

We collect your data through our ‘Contact Us’ Form on our web site. Our Web Platform is managed by Wix.com. Wix.com is a leading cloud-based development platform with millions of users worldwide. It has implemented security measures designed to protect the Personal Information you share with us, including physical, electronic and procedural measures. Among other things, via Wix.com, we offer HTTPS secure access to most areas on our Services; the transmission of sensitive payment information (such as a credit card number) through their designated purchase forms your data is protected by an industry standard SSL/TLS encrypted connection; and they regularly maintain a PCI DSS (Payment Card Industry Data Security Standards) certification. They also regularly monitor their systems for possible vulnerabilities and attacks, and regularly seek new ways and for further enhancing the security of their Services and protection of our Visitors’ and Users’ privacy. For further information about Wix Privacy Policy please see https://www.wix.com/about/privacy and https://www.wix.com/about/privacy-dpa-users.

We collect your data through direct emails and telephone calls and text messages sent directly by you to us (other than via our ‘Contact Us’ form on our website). We store your data as a separate client folder. These folders are further sub-divided into clients who have given ‘Consent’ or the ‘Right to be forgotten.’ as a result of our marketing communication activities via our unsubscribe button.

Data security/compliance questions:

1. Overall data security practices / PCI compliance / storing personally identifiable data

We are fully PCI compliant and employ comprehensive data security practices. Below is a general overview of the different security elements deployed:

· Network Connections: All communications between client and servers, as well as within the infrastructure, are encrypted using 256 bit SSL encryption as well as key-based authentication for each data request.

· Online Credit Card Information: Peek uses Braintree and Stripe as its payment processors. In both cases, the customer’s credit card information is encrypted and vaulted directly with the processor. Peek’s infrastructure cannot access any of the credit card information, encrypted or plain, as it only receives a token ID to process payments.

· Offline (walk-up) Credit Card Information: Peek’s native iOS app connects with credit card swipers that encrypt the credit card information before it is being transmitted to the app itself.

· Infrastructure Design: To maximize scalability, productivity, and security, Peek Professional is built as a Service Oriented Architecture (SOA) on state-of-the-art technology, hosted in the Amazon Web Services Cloud.

· Database Security: All databases are encrypted, secured, and segmented in private subnets, all completely inaccessible from the general internet. Databases are backed up in real-time allowing full recovery to any moment in time. The data itself is highly decentralized as part of the SOA and there is, therefore, no single point of failure.

· Change Control: All code developments are peer-reviewed, have automated regression tests, and are overseen by a dedicated IT and security team.

· System Monitoring: Peek leverages a range of health monitoring products, such as New Relic and Sentry as well as sophisticated internal tools.

· Advanced DDOS Protection: We are currently leveraging Fastly as a CDN cache and are looking to expand protective capabilities using CloudFlare in the near future.

· Role Management: With Peek Professional, individual users of the system can be assigned specific roles that restrict their access to sensitive data.

2) GDPR compliance

Peek has taken several measures to ensure our compliance with the GDPR, as well as helping our tour operator partners maintain compliance as well:

· Cookie Notifications: For all users with European IP addresses, our booking widget will display a consent notice informing them that their usage is being tracked. The notification will link to our privacy policy, which will have a link to the Data Request/Removal Form.

· Abandoned Bookings: We collect emails during the booking process for the purposes of reminding people to come back to the booking widget and book. This is known as Abandoned Bookings and is a popular Peek feature. All customers located in Europe will need to check an Opt-In box to receive these reminders. All other users will not see this Opt-In box, and the feature will function as normal.

3) Data ownership (who owns data generated)

· You own all individual Customer and sales information collected by you in connection with the Merchant Services sold through your Merchant Online Channels.

· You understand that Peek collects the foregoing information into a database through the Peek Professional Software.

· You hereby grant to Peek and its successors and assignees a non-exclusive, worldwide, fully paid, assignable, transferable, sublicensable and perpetual license during the Term to access, reproduce and otherwise use such database in connection with these Terms, and following the Term on an anonymized and aggregated basis.

· You also irrevocably agree that Peek and its successors and assignees own all Customer personal data collected through any part of the Peek Network, including all information relating to Peek and third-party registered users, and may reproduce and otherwise use, distribute and disclose such data as determined by Peek or such.

4) Reliability

· Use best practices: We are fully cloud-native and use Amazon Web Services (AWS) best practices to ensure top system reliability

· Multi-Zone diversification: Our underlying services and databases are spread across multiple availability zones allowing for processes to continue running in case of availability zone failure

· Self-healing: We use Kubernetes which allows us to both keep our services running by self-healing them in many cases automatically, as well as allows us to scale up quickly in response to high load on the system

· Infrastructure as a #1 priority: We have a dedicated team of engineers dedicated to managing and improving our infrastructure to allow for future business growth. We take proactive measures to upgrade and “future proof” our infrastructure to prepare ourselves for the growth anticipated in 5+ years. Such initiatives are #1 priority for the team and take precedence over feature improvements

How do we use your data?

To provide services and information you have requested such as to facilitate payments, bookings, send administrative correspondence, to assist you with any events or celebrations and provide you with other information about our products, services, the local area and our tours.

To contact you in the event of a change that affects your booking or any data or personal information you have provided us with, such as changes to terms and conditions of booking or this privacy policy.

To continually improve your customer experience, improve our offerings and update our records. We may also contact you to ask about your experience and invite you to share that experience via a third party link (Trip Advisor, Google Business, Facebook and Instagram) as part of a continual programme of customer service improvement.

To send you, with your permission, marketing communications, competitions, promotional offers, events, recommended products and services that might be of interest to you. If you do not agree to receive this information, you may opt out from receiving future information at any time; see “the opt out” section of this policy.

For our business purposes, such as data analysis, audits, security and fraud monitoring and prevention, developing new products, enhancing, improving or modifying our services, identifying usage trends, determining the effectiveness of our promotional campaigns and operating and expanding our business activities.

Non-disclosure to third parties

The information and data we collect are important to Aqua Watersports Ltd and we would not want to share this with anyone else. Unless we have your express consent, we will never disclose, rent, trade or sell your personal data to any third parties for their marketing or mailing purposes.

We may use third-party service providers to help us operate our business, the website and to administer activities on our behalf, such as sending out newsletters. We may share your personal data with them in order that we can carry out certain functions, such as communicating about an enquiry, processing your booking and to assist with the general running of our site. We may also share your personal data with third party website agencies where this is necessary for us to carry out our obligations to you. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

In the event that Aqua Watersports Ltd or any part of its business is sold to or integrated with another business, Aqua Watersports Ltd may disclose your personal information to the new owners (and their professional advisers on the transaction) to be used by the new owners and their group of companies in the same ways as set out in this Privacy Policy, including to continue providing you with the same services and marketing information services as are currently provided by Aqua Watersports Ltd.

Cookies

Our website may use “cookies” to enhance visitors experience. A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. On our website

To provide a great experience for our visitors and customers.

To identify our registered members (users who have registered to our site)

To monitor and analyze the performance, operation and effectiveness of Wix's platform.

To ensure our platform is secure and safe to use.

Our websites are scanned with our cookie scanning tool regularly to maintain a list as accurate as possible.

Whilst cookies may identify you as a user of the websites, your personal details are not stored or used to individually identify you and the cookie cannot access or store any personal information which you have not provided to the websites during your visit. They are also not able to put malicious software or viruses on your computer or change the operation of your equipment.

We will never share any personal information about you with these third parties and the cookies used to maintain your anonymity.

Visitors may choose to set their web browser to refuse cookies or to alert you when cookies are being sent. If they do so, please note that some parts of the website may not function properly. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org. Please be aware that you will need to manage each browser on each device that you access the internet with separately.

Most browsers automatically accept all cookies by default. You should be able to adjust your browser’s settings to reject new cookies, prompt you before accepting a cookie, or disable cookies. Check your browser’s help section for instructions on how to do this.

Obtaining Consent

We will always ask your permission before sending you e-mail marketing information. This ensures you only receive information that you have given us permission to send and are willing to receive.

We provide you with the ability to control whether or not to continue to receive marketing communications from us. On promotional e-mails, we always provide an ‘unsubscribe’ link at the bottom of the e-mail which will unsubscribe you from that service. If you wish to opt out with

respect to more than one e-mail address, you must complete a separate request for each e-mail address. To withdraw from any other marketing communications please contact info@aqua-watersports.com.

Please note it is not possible to ‘opt-out’ of receiving communications from us which relate to your bookings/transactions. This ensures we can always contact you in the event of a circumstance that affects your activity with us.

You can always choose not to give us your personally identifiable information, although this information is required if you want to take advantage of various features of the Service.

Data Retention

We will retain your information in line with our data retention policy:

Data you provide via direct email contact: We will hold your personal data on our systems in a separate client file for as long as you are on a tour with Aqua Watersports and for as long afterwards as it is in the Aqua Watersports’ legitimate interest to do so or for as long as is necessary to comply with our legal obligations. We will review your personal data every year to establish whether we are still entitled to process it. If we decide that we are not entitled to do so, we will stop processing your personal data except that we will retain your personal data in an archived form in order to be able to comply with future legal obligations e.g. compliance with tax requirements and exemptions, and the establishment, exercise or defence of legal claims.

Data that is collected on our ‘Contact Form’: A separate client file containing elements of your data is stored via Wix. This data will be held for no more than 12 months and will then be securely disposed of.

Data that is collected on our ‘Waiver Form’: is the electronic contract and will be kept until it is automatically purged thirty days after the date of account termination. (The electronic contract may be kept longer if required by law, including a subpoena or court order.) WaiverSign will retain the audit log for each for each electronic contract indefinitely. The audit log contains the following information: 1) IP address of the signatory, 2) a date and time stamp of when the electronic signature was created, 3) a unique document identification number, and 4) name of the signatory.

Data that is collected via our Payment Gateway provider: CX Pay stores your personal data for no longer than is strictly necessary to achieve the purposes for which your data is collected. For further information please see CXPay’s Privacy Policy https://cxpay.global/privacy-cookie-statement/.2

Right of customer to delete or request what information we hold on them

You may request that your personally identifiable information be removed from our database. If you wish to unsubscribe from any direct mail list or remove or amend your personally identifiable information from our database, contact us using the information provided in the “Contact Us” section of this Privacy Policy. You will be removed from our databases usually within 14 business days of our receipt of your request, except where we are required to maintain the personal information by law. You may do so by putting this in writing to:

Aqua Watersports Ltd:

C/O Foreshore Corporate Services Ltd

4th Floor,

Queensgate House,

113 South Church Street

Grand Cayman

Or email us at info@aqua-watersports.com

Further, we will not be able to

1) remove any personal information that was included on a document submitted through the WaiverSign service,

2) delete documents submitted through the WaiverSign service,

3) delete audit logs;

or 4) delete information that we are required to retain by law (for instance, tax purposes, notices, etc.).

Information Collected by Third Parties

If you disclose information to third parties through our site or services or follow links to other sites, that information will be subject to the policies and practices of those third parties, which may be different than ours. Those third parties may or may not have a privacy policy. We do not control and are not responsible for the privacy policies and/or practices of third parties.

Children

Our website is not directed to children under 18. If you are under 18, you may not provide us with any personally identifiable information and you may not use our website without the supervision of a parent or guardian. If a child under the age of 18 has provided us with personally identifiable information, this can only be done with the child’s parent or guardian permission via the Waiver Form. The child’s parent or guardian may contact us and request that such information be deleted from our records.

Changes to this privacy policy

Aqua Watersports Ltd has the discretion to update this privacy policy at any time. When we do, we will revise the updated date at the bottom of this page. We encourage visitors to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect. You acknowledge and agree that it is your responsibility to review this privacy policy periodically and become aware of modifications. Should we change our privacy policy, we will post the changes on this website so that you are always aware of what information we collect, how we use it and under what circumstances we disclose it.

Your acceptance of these terms

By using this website and our services, you signify your acceptance to the collection, storage and processing of your personal information by us in the manner set out in this privacy policy. If you do not agree to this policy, please do not use our website. Your continued use of the website following the posting of changes to this policy will be deemed your acceptance of those changes.

For the purposes of the Cayman Data Protection Law (DPL) (2019), the controller of all information collected on this website is:

Aqua Watersports Ltd

C/O Foreshore Corporate Services Ltd

4th Floor,

Queensgate House,

113 South Church Street

Grand Cayman

If you wish to make a subject access request or to exercise any other rights in relation to your personal information this can be done by contacting us in writing at the address provided above. Our security procedures do mean that we may request proof of identity before we are able to disclose personal data.

Aqua Watersports Ltd, 4th Floor, Queensgate House, 113 South Church Street, Grand Cayman, Business Licence No: 40738

This policy was last updated on April 2020.