The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR), which will take effect from May 25, 2018. Simply put, EU residents will now have a greater say over what, how, why, where, and when their Personally Identifiable Information (PII) is used, processed, or disposed of. The regulation also clarifies how the EU personal data laws will apply beyond the borders of the EU. Any organisation that works with EU residents’ personal information in any manner, irrespective of their location in the world, has obligations to protect this data.
Definitions Used within the GDPR
The terms below follow the definitions given in Art. 4 of the Basic Data Protection Ordinance (DSGVO).
'PII' stands for Personally Identifiable Information and this refers to any information that relates to an identifiable person, whether that information is directly or indirectly related. In other words, it includes, but is not limited to, data such as names, an ID number, location data, an online identifier (e.g. cookies) or one or more special features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that person.
'Processing' means any operation carried out with or without the aid of automated procedures or any such series of operations in connection with personal data. The term goes a long way and covers practically every aspect of handling data.
In our case, for instance, assuming that we can show a legally legitimate reason for needing to collect information for a business purpose (e.g. when using agents, web hosts etc., or when sending automated follow-up emails through sites like Tripadvisor, requesting that clients share photos or leave feedback on third party feedback sites like Tripadvisor or Facebook), we still need to gain legal permission (consent) to collate the email contacts of our multiday clients for these purposes. The same also applies to the sharing of client information with companies like payment service providers (banks, PayPal etc., in accordance with Art. 6, Para. 1 lit. b DSGVO) in order to fulfil the contract between both parties.
'Responsible' means the natural or legal person, authority, institution or other body that alone, or together with others, decides on the purposes and means of processing personal data. In this case, this is CAPE Lapland Oy / Hetta Huskies and any third parties we cooperate with.
'Data Subjects' (aka the people identifiable through their PII), according to Art. 15 DSGVO, have the right to request information about what data we hold and how their data is being processed. They also have the right to request access to (which links to the right to data portability) or to correct data, to restrict its future processing (Art. 18 & 21 DSGVO) or even immediately delete it, even if this revokes previously granted consents (Art. 7 para. 3 DSGVO). They can also object to the future processing of the data concerning them in accordance with Art. 21 DSGVO at any time. This objection may be lodged, in particular, against processing for direct marketing purposes.
Hetta Huskies' Commitment
At Hetta Huskies we have always honoured our users’ right to data privacy and protection and, as a small business, we generally do not collect and process personal information beyond that which is required for the functioning of our products.
How Hetta Huskies prepared for GDPR
We carried out a mini data protection impact assessment (DPIA) around the Personally Identifiable Information (PII) that both we and our third-party partners collect for our products in accordance with GDPR guidelines. As part of this, we considered how it is processed - in other words the purpose for which it is collected, used and stored - and when and how it is disposed of.
Hetta Huskies' Data Protection Declaration
Our data protection declaration explains to you the type, scope and purpose of the processing of personal data within our physical company and our 'online offer'. Our online offer includes our associated websites, functions and contents as well as external online presences, e.g. our social media profile.
What PII do we currently process?
We understand that providing information online involves a great deal of trust on your part. We take this trust very seriously, and make it a high priority to ensure the security and confidentiality of the personal information you provide to us when you visit our Website or use our services. Before submitting your personal information to us, please read this Policy carefully to learn about our privacy practices. By visiting Hetta Huskies' website, www.hettahuskies.com, or using any of our linked sites or services, you are accepting the practices described herein.
We receive and process so-called Personally Identifiable Information (PII) from you when you approach us by phone or email and when you enter information on our website or social media channels. PII which is directly collected from clients, staff, interns and partners is stored in our (portable and transferable) internal Customer Relationship Management System ("CRM System") and processed in a number of ways and for a number of reasons: a) You supply your basic contact details and standard inventory data (for instance your first and last name, telephone number, postal and email addresses) when you contact us about our products and we respond, as solicited, to your questions and comments in order to facilitate your booking reservations to the point of sale (as per Art. 6 Para. 1 lit. b DSGVO).
Clients can opt in to it being permissible for us to retain a very basic level of PII information (standard inventory data and basic contact details) for simple marketing purposes. For instance, we occasionally send general follow-up emails to our clients which contain useful or interesting information about our farm, dogs, and current tour options or special offers. (Please note that you will have the opportunity to choose not to receive these email messages in any such email we send.)
However, in addition to these standard information exchanges, we also request, as mentioned in section (c) and (d), above, detailed information about the drugs prescribed to - or taken by - our forthcoming clients, and their relevant medical history. We do this in conjunction with an explicit explanation as to both the reason behind the request, and information about how long we will retain the information. Essentially, this is requested in order for us to highlight individuals 'at increased risk of' cold-related injuries or those who might struggle, in general, with the physical demands of their proposed tour. Article 6(1)(d) provides a lawful basis for processing this type of request, since it falls within the category of data in which “processing is necessary in order to protect the vital interests of the data subject or of another natural person”. Similarly, if the personal data is manifestly made public by the data subject, then processing is deemed permissible (Article 9(2)(e)), as it is under Article 9(2)(h) where processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Aspects of this request cover topics included within special category data, as determined by Category 9. This includes race, ethnic origin and health, since these are considered the type of data that could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination because of sexual preferences or ethnic origin.
FYI: The guide states that 'Your choice of lawful basis under Article 6 does not dictate which special category condition you must apply, and vice versa. For example, if you use consent as your lawful basis, you are not restricted to using explicit consent for special category processing under Article 9. You should choose whichever special category condition is the most appropriate in the circumstances – although in many cases there may well be an obvious link between the two. For example, if your lawful basis is vital interests, it is highly likely that the Article 9 condition for vital interests will also be appropriate.'
We also explain that internal access to the digital forms requested in advance and maintained in our internal databases (or to the physical forms completed in situ by those who failed to send them in advance) is restricted to specifically designated members of staff.
Of course, you can choose not to provide information to us, but some information about you is required in order for you to participate in our products. For example, only registered members of our social media pages may be able to post travel reviews or photos in them, access members-only newsletters, enter surveys or contests. Similarly, we have the right to refuse access to products if we know that you are choosing to withhold information about your medical history. However, we may not know that you have withheld data until after an incident has occurred. Therefore, withholding requested data has to always be at your own risk.
With whom we share your information
Hetta Huskies may share your information with the following entities:
. Third-party vendors who provide services or functions on our behalf, including business analytics, payment processing, distribution of surveys or sweepstakes programs, and fraud prevention.
. Business partners with whom we may offer products or services in conjunction. You can tell when a third party is involved in a product or service you have requested because their name will appear either with ours or separately. If you choose to access these optional services, we may share information about you, including your personal information, with those partners. Please note that we do not control the privacy practices of these third-party business partners.
. Referring Websites. If you were referred to TripAdvisor from another website, we may share your registration information, such as your name, email address, mailing address, telephone number and travel preferences, about you with that referring website. We have not placed limitations on the referring websites’ use of personal information and we encourage you to review the privacy policies of any website that referred you to Hetta Huskies.
. Social Media Services. You can choose to access certain third party social media websites and services through our site (such as Facebook). When you do so, you are sharing information with those sites, and the information you share will be governed by their privacy policies. You may also be able to modify your privacy settings with these third party social media websites.
. We also may share your information if we believe, in our sole discretion, that such disclosure is necessary to either comply with legitimate and enforceable subpoenas, court orders, or other legal process; to establish or exercise our legal rights; to defend against legal claims; or as otherwise required by law. In such cases we reserve the right to raise or waive any legal objection or right available to us.
. Finally, we also may share your information if we believe, in our sole discretion, that such disclosure is necessary in connection with a corporate transaction, such as a divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy.
Other than as set out above, you will be notified when personal information about you will be shared with third parties, and you will have an opportunity to choose not to have us share such information.
How we protect your information
We want you to feel confident when interacting with us, and we are committed to protecting the information we collect. While no website can guarantee security, we have implemented appropriate administrative, technical, and physical security procedures to help protect the personal information you provide to us. For example, only authorized employees are permitted to access personal information, and they only may do so for permitted business functions. We also employ firewalls and intrusion detection systems to help prevent unauthorized persons from gaining access to your information.
Deletion of data
Unless expressly stated in this data protection declaration, the data stored by us in our CRM systems will be deleted as soon as it is no longer required for its intended purpose and so long as the deletion does not either conflict with any statutory storage obligations or its storage is necessitated for other legally permissible purposes (e.g. data that must be retained for commercial or tax reasons). If there is a statutory storage requirement beyond the time when it is required for its intended purpose, its processing will be restricted in accordance with Articles 17 and 18 DSGVO.
Rights of data access, modification and portability / transferability
GDPR gives end users the right to not only access, modify or delete personal information but also to request that the controller be able to transfer it to another controller (depending on technical feasibility). To that end, an active and continuous GDPR implementation and privacy program needs to be in place for employees, in addition to a data breach notification protocol.
The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services.
We or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta- and communication data of customers, interested parties and visitors of this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer according to Art. 6 Para. 1 lit. f DSGVO in conjunction with Art. 28 DSGVO (conclusion of order processing contract).
Our hosting provider collects, on our behalf, data on each access to the server on which this service is located (so-called server log files) on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO.
Access data includes the name of the accessed website, file, date and time of access, transferred data volume and notification of successful access. Meta / communication data includes device and browser type and version, the user's operating system, referrer URL (the previously visited page) and the requesting provider (i.e., IP address). Usage data (e.g. interest in content, access times) is also available to us for analysis by default.
Log file information is stored, as standard, for a maximum of 7 days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data whose further storage is required for evidentiary purposes are excluded from deletion until the respective incident has been finally clarified.
Online presence in social media
We maintain online presences within social networks and platforms in order to communicate with active customers, interested parties and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.
Cookies, the Collection of access data and log files and Other Web Technologies
A cookie is a small piece of data that a website asks your browser to store on your computer or mobile device (if your Web browser permits). The cookie may be either permanent or temporary and allows the website to "remember" your actions or preferences over time. Most browsers support cookies, but users can set their browsers to decline them and can delete them whenever they like.
The cookies are stored on the user's devices for a number of purposes, including but not limited to security, the presentation of the website, to identify the user and save their user decisions and preferences (so that, for instance, they can complete tasks without having to re‑enter information when browsing from one page to another or when visiting the site later), to measure reach and for marketing purposes. Cookies can also be used for online behavioural target advertising and to show adverts relevant to something that the user searched for in the past.
The Help portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.
Integration of third-party services and content.
Within our online offer, on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO), we use content or service offerings of third parties in order to incorporate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content"). This always presupposes that the third party providers of this content perceive the IP address of the users, since without the IP address they could not send the content to their browser. The IP address is therefore required for the display of this content. We make every effort to use only those contents whose respective providers use the IP address only for the delivery of the contents.
In addition to using cookies to collect data about visitors visiting our pages on their sites, third-party providers like YouTube, Facebook, Tripadvisor etc., may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on and between the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring websites, visiting time and other information about the use of our online offer, and may be linked to such information from other sources.
The following presentation provides an overview of third-party providers and their contents, together with links to their data protection declarations, which contain further information on the processing of data and, in some cases already mentioned here, possibilities of objection (so-called opt-out):
According to GDPR, any organisation which uses Google Analytics, however infrequently (and this is something we would only look at very sporadically), is considered a Data Controller - since it controls which data is sent to Google Analytics - and Google Analytics, in turn, is considered to be one of that organisation's Data Processors.
Google, as a Data Processor, has obligations to conform to the EU GDPR. According to Google’s own Privacy Compliance website, they are “working hard to prepare for the EU’s General Data Protection Regulation.” You can see more details on this site and it is almost certain that Google Analytics will be fully compliant by May 25, 2018. As part of being a Data Processor, Google must provide a data processing agreement that you’ll need to accept.
Within our online offer we use the marketing functions (so-called "LinkedIn Insight Tag") of the network LinkedIn. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Every time you visit one of our pages that contains functions of LinkedIn, a connection to LinkedIn's servers is established. LinkedIn is informed that you have visited our website with your IP address. With the help of the LinkedIn Insight Tag we can analyse the success of our campaigns within LinkedIn or determine target groups for them based on the interaction of the users with our online offer. If you are registered with LinkedIn, it is possible for LinkedIn to associate your interaction with our online service with your user account. Even if you click on the "Recommend-Button" of LinkedIn and are logged into your LinkedIn account, LinkedIn is able to assign your visit to our website to you and your user account. LinkedIn is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law.
Functions of the service or the Twitter platform (hereinafter referred to as "Twitter") can be integrated within our online offer. Twitter is an offer of Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The functions include the presentation of our contributions within Twitter within our online offer, the link to our profile on Twitter as well as the possibility to interact with the contributions and the functions of Twitter and to measure whether users reach our online offer via the advertisements we place on Twitter (so-called conversion measurement).
Tripadvisor's policy statement on privacy settings can be found here.
Tripadvisor automatically collects some information from client computers or devices when people visit TripAdvisor. For example, they collect session data, including IP addresses, Web browser software, and referring website. They may also collect information about their client's online activity, such as content viewed, pages visited, and searches and/or reservations facilitated or made. One of their goals in collecting this automatic information was to help us understand the interests and preferences of their users and to customize their user experience.
When you use an Application on a Device, they collect and use information about you in generally similar ways and for similar purposes as when you use the TripAdvisor website. In addition, they may collect information about your location if you have instructed your Device to send such information to the Application via the privacy settings on that Device, or if you have uploaded photos tagged with location information. They may use the location information collected from your Device or photos to enhance your use of the Application by providing you with relevant content and contextual advertising. For example, they may use your location to show you reviews of hotels or restaurants near you when you are traveling. You can change the privacy settings of your Device at any time, in order to turn off the functionality to share location information with the Application and/or the functionality to tag your photos with location information. Please note that turning off location sharing may affect certain features of their App. If you have any queries about the privacy settings of your Device, we suggest you contact the manufacturer of your Device or your mobile service provider for help.
The ways in which TripAdvisor utilises cookies are also explained in this page. The Help portion of the toolbar on most browsers should tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable most types of cookies. Please note that if you refuse to accept cookies, you may not be able to access many of the travel tools offered on their sites.
Facebook Social Plugins
On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO), we use Social Plugins ("Plugins") of the social network facebook.com, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plugins can display interaction elements or content (e.g. videos, graphics or text contributions) and are identified by one of the Facebook logos (white "f" on blue tile, the term "like" or a "thumbs up" sign) or are marked with the addition "Facebook Social Plugin". The list and appearance of Facebook Social Plugins can be viewed here.
Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law.
When a user calls up a function of this online offer that contains such a plugin, his device establishes a direct connection to the Facebook servers. The content of the plugin is transmitted by Facebook directly to the user's device and integrated into the online offer. The processed data can be used to create user profiles. We therefore have no influence on the amount of data Facebook collects with the help of this plugin and therefore inform users according to our level of knowledge.
By integrating the plugins, Facebook receives information that a user has called up the corresponding page of the online offer. If the user is logged in to Facebook, Facebook can assign the visit to his Facebook account. When users interact with the plugins, such as pressing the Like button or posting a comment, the information is sent directly from your device to Facebook and stored there. If a user is not a member of Facebook, it is still possible for Facebook to obtain and store their IP address. According to Facebook, only an anonymized IP address is stored in Germany.
The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the relevant rights and setting options for the protection of users' privacy, can be found in Facebook's data protection information: .
If a user is a Facebook member and does not want Facebook to collect data about them via this online offer and link it to their membership data stored on Facebook, they must log out of Facebook before using our online offer and delete their cookies. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.
The copyright and all other rights to content, images, photos or other files portrayed on the website belong exclusively to Hetta Huskies / CAPE Lapland Oy or the specifically named owners. The written consent of the copyright holders must be obtained in advance for the reproduction of any elements.
How you can contact us
Without limiting the generality of the foregoing, if FareHarbor is collecting or furnishing Personal Data of individuals in the European Economic Area (“EEA”) to Provider or if FareHarbor is Processing, storing or transferring such Personal Data on behalf of Provider, then FareHarbor and Provider and/or their Affiliate(s), as applicable, will agree to be bound by the Data Processing Addendum (Addendum 1), and any applicable data transfer mechanisms (collectively, the “Privacy and Security Terms”). For the avoidance of doubt, no such Personal Data should be Processed or transferred without Privacy and Security Terms necessary for compliance with applicable law.
Addendum  General Data Protection Regulation Data Processing Addendum for FareHarbor Terms of Service (European Economic Area & Switzerland)
This Data Processing Addendum (this “Addendum”), is part of the [FareHarbor Terms of Service] (“Agreement”) between FareHarbor and Controller and governs FareHarbor’s Processing of Personal Data to the extent such Personal Data relates to natural persons in the European Economic Area or Switzerland in connection with FareHarbor’s provision of the services described in the Agreement (“Services”). Except as expressly stated otherwise, in the event of a conflict between the terms of the Agreement and the terms of this Addendum, the terms of this Addendum will take precedence. This Addendum applies to each agreement between Controller and FareHarbor under which FareHarbor Processes Personal Data as part of performing under that agreement. The Addendum will be effective on May 25, 2018. All capitalized terms used but not defined in this Addendum have the meanings given to them in the Agreement.
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, whether transmitted, stored, or otherwise Processed.
“Processing” means any operation or set of operations that is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Process” and “Processed” will have a corresponding meaning.
1. Instructions from the Controller. Notwithstanding anything in the Agreement to the contrary, FareHarbor will only Process Personal Data on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which FareHarbor is subject. FareHarbor will promptly inform Controller if following Controller instructions would result in a violation of applicable data protection law or where FareHarbor must disclose Personal Data in response to a legal obligation (unless the legal obligation prohibits FareHarbor from making such disclosure).
2. Confidentiality. FareHarbor will restrict access to Personal Data to those authorized persons who need such information to provide the Services. FareHarbor will ensure such authorized persons are obligated to maintain the confidentiality of any Personal Data.
3. Security. FareHarbor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the Personal Data provided by Controller and Processed by FareHarbor. Such security measures will be at least as protective as the security requirements set forth in the Agreement.
4. Sub-processors. Controller agrees that FareHarbor may engage other processors (“Sub-processors”) to assist in providing the Services consistent with the Agreement. FareHarbor will make a list of such Sub-processors available to Controller prior to transferring any Personal Data to such Sub-processors. FareHarbor will notify Controller of any changes to the list of Sub-processors in order to give Controller an opportunity to object to such changes. The list of Sub-processors can be found here.
5. Sub-processor Obligations. Where FareHarbor engages another processor for carrying out specific Processing activities on behalf of Controller, the same data protection obligations as set out in this Addendum will be imposed on that other processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the EU data protection law. Where that other processor fails to fulfil its data protection obligations, FareHarbor will remain fully liable to the Controller for the performance of that other processor’s obligations.
6. Access Requests. FareHarbor has implemented and will maintain appropriate technical and organizational measures needed to enable Controller to respond to requests from data subjects to access, correct, transmit, limit processing of, or delete any relevant Personal Data held by FareHarbor.
7. Recordkeeping. Upon a request issued by a supervisory authority for records regarding Personal Data, FareHarbor will cooperate to provide the supervisory authority with records related to Processing activities performed on Controller’s behalf, including information on the categories of Personal Data Processed and the purposes of the Processing, the use of service providers with respect to such Processing, any data disclosures or transfers to third parties and a general description of technical and organizational measures to protect the security of such data.
8. Cooperation. FareHarbor will cooperate to the extent reasonably necessary in connection with Controller’s requests related to data protection impact assessments and consultation with supervisory authorities and for the fulfillment of Controller’s obligation to respond to requests for exercising a data subject’s rights in Chapter III of Regulation (EU) 2016/679. FareHarbor reserves the right to charge Controller for its reasonable costs in collecting and preparing Personal Data for transfer and for any special arrangements for making the transfer.
9. Third Party Requests. If FareHarbor receives a request from a third party in connection with any government investigation or court proceeding that FareHarbor believes would require it to produce any Personal Data, FareHarbor will inform Controller in writing of such request and cooperate with Controller if Controller wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable law.
10. Transfer of Personal Data; Appointment. Controller authorizes FareHarbor to transfer, store or Process Personal Data in the United States or any other country in which FareHarbor or its Sub-processors maintain facilities. Controller appoints FareHarbor to perform any such transfer of Personal Data to any such country and to store and Process Personal Data in order to provide the Services. FareHarbor will conduct all such activity in compliance with the Agreement, this Addendum, applicable law and Controller instructions.
11. Retention. Personal Data received from Controller will be retained only for so long as may be reasonably required in connection with FareHarbor’s performance of the Agreement or as otherwise required under applicable law.
12. Deletion or Return. At the choice of the Controller, FareHarbor will delete or return all the Personal Data to the Controller after the end of the provision of services related to Processing, and delete existing copies unless European Union or Member State law requires storage of the Personal Data. FareHarbor will relay Controller’s instructions to all Sub-processors.
13. Breach Notification. After becoming aware of a Personal Data Breach, FareHarbor will notify Controller without undue delay of: (a) the nature of the data breach; (b) the number and categories of data subjects and data records affected; and (c) the name and contact details for the relevant contact person at FareHarbor.
14. Audits. Upon request, FareHarbor will make available to Controller all information necessary, and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, to demonstrate compliance with Article 28 of Regulation (EU) 2016/679. For clarity, such audits or inspections are limited to FareHarbor’s Processing of Personal Data only, not any other aspect of FareHarbor’s business or information systems. If Controller requires FareHarbor to contribute to audits or inspections that are necessary to demonstrate compliance, Controller will provide FareHarbor with written notice at least 60 days in advance of such audit or inspection. Such written notice will specify the things, people, places or documents to be made available. Such written notice, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered Confidential Information and, notwithstanding anything to the contrary in the Agreement, will remain Confidential Information in perpetuity or the longest time allowable by applicable law after termination of the Agreement. Such materials and derivative work product produced in response to Controller’s request will not be disclosed to anyone without the prior written permission of FareHarbor unless such disclosure is required by applicable law. If disclosure is required by applicable law, Controller will give FareHarbor prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency. Controller will make every effort to cooperate with FareHarbor to schedule audits or inspections at times that are convenient to FareHarbor. 
If, after reviewing FareHarbor’s response to Controller’s audit or inspection request, Controller requires additional audits or inspections, Controller acknowledges and agrees that it will be solely responsible for all costs incurred in relation to such additional audits or inspections.
WE RESERVE ANY RIGHTS NOT EXPRESSLY GRANTED OR STATED IN THIS AGREEMENT.
FareHarbor Holdings, Inc. | 1515 Cleveland Pl, Suite 400, Denver, CO 80202
Payment processing services for Providers on FareHarbor are provided by Stripe and are subject to the Stripe Connected Account Agreement, which includes the Stripe Terms of Service (collectively, the “Stripe Services Agreement”). By agreeing to these terms or continuing to operate as a Provider on FareHarbor, you agree to be bound by the Stripe Services Agreement, as the same may be modified by Stripe from time to time. As a condition of FareHarbor enabling payment processing services through Stripe, you agree to provide FareHarbor accurate and complete information about you and your business, and you authorize FareHarbor to share it and transaction information related to your use of the payment processing services provided by Stripe.
What information do we collect?
We collect personally identifiable information from you when you register on our site, place a reservation order, subscribe to our newsletter, respond to a survey, fill out a form or input data on our site in any way.
When booking reservations through or registering on our site, as appropriate, you may be asked to enter your: name, e-mail address, mailing address, phone number, credit card information, social security number, gender, certification level, experience level, height, weight, shoe or other clothing size, hotel information, or other information as requested by the companies that use our service. You may, however, visit and browse our sites and offerings and not enter any of your personally identifiable information.
How do we use your information?
Any of the information we collect from you may be used in one of the following ways:
* To personalize your experience (your information helps us to better respond to your individual needs)
* To improve our website (we continually strive to improve our website offerings based on the information and feedback we receive from you)
* To improve customer service (your information helps us to more effectively respond to your customer service requests and support needs)
* To process transactions (In addition to processing your bookings with the companies that use our services, the email address you provide during booking processing may be used to send you information and updates pertaining to your reservation, in addition to receiving occasional company news, updates, related product or service information,
* To provide services to the companies that use FareHarbor
* To administer a contest, promotion, survey or other site feature
* To send periodic emails
We also may collect and store information about you that we receive from other sources to, among other things, enable us to verify, update and correct the information contained in our databases, prevent fraud, provide services to our other clients, and to better customize your experience on our site.
Note: If at any time you would like to unsubscribe from receiving future marketing emails, please contact [email protected].
We implement a variety of security measures to help maintain the safety of your personal information when you reserve a booking or enter, submit, or access your personal information.
All supplied credit card information is transmitted via Secure Sockets Layer (SSL) technology. This information is then encrypted in our payment provider’s systems, may only be accessible by those authorized with special access rights to such systems, and they are required to keep the information confidential. Please understand that while we try our best to safeguard your personal information once we receive it, no transmission of data over the Internet can be guaranteed to be 100% secure.
After a transaction, your personal information may be kept on file in order to archive reservation data, help improve the customer experience, and for other business purposes.
Yes, cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow) that enable the site’s or service provider’s systems to recognize your browser and capture and remember certain information.
We also use third-party service providers who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site’s policies, or protect our or others’ rights, property, or safety in any way legally or most appropriate to the situation, at our sole discretion.
Occasionally, at our discretion, we may include or offer third party products or services on our website. These third party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.
California law permits California residents to request certain information regarding FareHarbor’s disclosure of their personally identifiable information to third parties for those third parties’ direct marketing purposes. To make such a request, please send an e-mail to [email protected] specifying that you seek your “California Customer Choice Notice.” Please allow up to thirty days for a response.
All users of our site may update their information at any time by logging into their control panel and going to the ‘Edit Profile’ page. We reserve the right to not accommodate a request to change your information if we believe doing so would violate any law or legal requirement, or cause the information to be incorrect.
FareHarbor’s sites are general audience websites and do not offer services directed to children. You must be 16 years of age or older to book using FareHarbor’s sites. Should a child whom we know to be under 13 send personal information to us, we will use that information only to respond directly to that child to inform him or her that we must have parental consent before receiving his or her personal information and will delete the information. Bookings made by underage individuals without consent will not be honored. If you believe that FareHarbor has been provided with the personal information of a child under 13 without parental consent, please notify us immediately at [email protected].
This policy was last modified on April 12, 2018.
FareHarbor Holdings, Inc.
P.O. Box 306 Wayzata, MN 55391 USA