Privacy policy

Last updated: set this when you publish

This privacy policy explains how Tour Operator ("we", "us") collects, uses, and protects personal data under the Cayman Islands Data Protection Act, 2017 (DPA).

1. Who we are

Cayman Ocean Adventures and Stingray City Cayman Tours are tour operators based at Safe Haven Marina, Seven Mile Beach, Grand Cayman. We are the data controller for personal information we collect through our website and during your booking and tour.

2. What we collect

• Account & profile: name, email, phone, password (stored as a one-way hash), billing address.
• Bookings: passenger names, departure selection, special requests, pickup details (cruise ship / hotel).
• Payments: handled by CyberSource. We store non-sensitive metadata (card brand, last four digits, expiry, transaction reference, 3-D Secure attestation) and never see or store full card numbers or CVV.
• Waivers: typed legal name, captured signature image, IP address, user agent, and timestamps for the signed liability waiver.
• Communications: contact-form submissions and email correspondence.
• Technical: IP address, browser/user agent, cookies and session data for security, abuse prevention, and analytics if you opt in.

3. How we use your data

• To create and confirm your bookings, process payments, and deliver the services you've purchased.
• To communicate with you about your booking (confirmations, reminders, waivers, cancellations).
• To meet legal, accounting, and tax obligations.
• To improve our website and services, prevent fraud, and protect security.
• For marketing communications only with your consent (you may opt out at any time via any email's unsubscribe link).

4. Legal basis (DPA)

We process personal data on the basis of (a) contract — to deliver the service you booked; (b) legal obligation — record-keeping and AML/tax requirements; (c) legitimate interest — fraud prevention, service improvement; or (d) consent — for optional marketing and analytics cookies.

5. Sharing your data

We share data only where necessary:

• CyberSource (payment processor) — for card authorisation and 3-D Secure.
• SMTP2Go (email delivery) — to send transactional emails.
• Google reCAPTCHA — to protect forms from abuse.
• Cayman Islands authorities — where legally required (tax, AML, court orders).

We never sell or rent personal data.

6. Cookies

We use strictly-necessary cookies for session, authentication, and anti-forgery protection — these run automatically. Optional cookies (analytics) run only with your consent via the cookie banner shown on first visit.

7. Retention

• Booking and payment records: 7 years (Cayman tax / AML).
• Signed waivers: 7 years from tour date.
• Account profile data: lifetime of the account; deleted on verified request.
• Contact-form messages: 90 days.
• Audit logs: 1 year.

8. Your rights under the DPA

You have the right to access, rectify, or erase your personal data; to object to processing; to data portability; and to withdraw consent. Submit a request at /my-account/privacy when signed in. We respond to verified requests within 30 days.

You also have the right to lodge a complaint with the Cayman Islands Office of the Ombudsman.

9. Security

We use TLS/HTTPS for all traffic, ASP.NET Core Data Protection for encrypting sensitive credentials at rest, hashed passwords, rate limiting, and 3-D Secure on all card payments. No system is perfectly secure, and we cannot guarantee absolute security of data transmitted over the internet.

10. International transfers

Some of our service providers (CyberSource, SMTP2Go, Google) process data outside the Cayman Islands. We rely on contractual safeguards and provider compliance (PCI-DSS, ISO 27001 where applicable) to protect personal data during these transfers.

11. Children

Our services are not directed to children under 13. We collect minor passenger information only as part of an adult-led booking and only for trip-safety purposes. The lead booker is responsible for any data they supply about minor passengers.

12. Changes to this policy

We may update this policy. The version in effect at the date of your booking applies. Material changes will be highlighted on this page; the "Last updated" date at the top reflects the most recent revision.