Privacy Policy

Your privacy is our priority - transparent data practices and strong protection measures

Quick Summary

We collect information necessary to provide cruise services, protect it with industry-leading security, never sell personal data, comply with Canadian privacy laws (PIPEDA), and give you control over your information. You can request access, corrections, or deletion at any time.

Effective Date: July 5, 2025

Last Updated: July 10, 2025

1. Introduction and Scope

Who We Are

Echo Voyages Inc. ("we," "our," "us," or "Echo Voyages") is a Canadian corporation providing premium cruise tours and maritime experiences. We are committed to protecting your privacy and handling your personal information responsibly and transparently.

Legal Framework

This Privacy Policy complies with:

  • Personal Information Protection and Electronic Documents Act (PIPEDA) - Federal privacy law
  • Personal Information Protection Act (PIPA) - British Columbia provincial privacy law
  • Canada's Anti-Spam Legislation (CASL) - Electronic communications
  • General Data Protection Regulation (GDPR) - For European visitors
  • California Consumer Privacy Act (CCPA) - For California residents

Scope of Application

This policy applies to all personal information we collect through:

  • Our website (echovoyages.com)
  • Mobile applications
  • Booking and reservation systems
  • Customer service interactions
  • Onboard cruise services
  • Marketing and promotional activities
  • Third-party integrations and partnerships

2. Information We Collect

Personal Information You Provide Directly

Identity and Contact Information

  • Full name, date of birth, gender
  • Email address, phone numbers
  • Mailing address and billing address
  • Emergency contact information
  • Government-issued ID numbers (passport, driver's license)

Financial Information

  • Credit card details (processed securely by certified payment processors)
  • Billing information and payment history
  • Bank account information (if providing alternative payment methods)
  • Tax identification numbers (when required)

Travel and Booking Information

  • Cruise preferences and special requirements
  • Dietary restrictions and accessibility needs
  • Travel companion information
  • Previous booking history and preferences
  • Travel insurance information

Health and Safety Information

  • Medical conditions affecting travel safety
  • Mobility requirements and accessibility needs
  • Medication information (when relevant to cruise safety)
  • Emergency medical contact information
  • COVID-19 vaccination status (when required)

Information Collected Automatically

Website and Digital Interactions

  • IP address and approximate location
  • Browser type, operating system, device information
  • Pages visited, time spent, click patterns
  • Referral sources and search terms
  • Session recordings for user experience improvement

Cookies and Tracking Technologies

  • Essential cookies for website functionality
  • Performance cookies for analytics
  • Marketing cookies for advertising
  • Preference cookies for personalization

See our Cookie Policy for detailed information.

Information from Third Parties

  • Travel Agents: Booking information and passenger details
  • Payment Processors: Transaction verification and fraud prevention data
  • Social Media: Profile information when you interact with our social content
  • Data Brokers: Marketing and demographic information (with consent)
  • Government Agencies: Security screening and regulatory compliance information

3. How We Use Your Information

Primary Purposes (No Additional Consent Required)

Service Delivery and Operations

  • Processing and managing cruise bookings and reservations
  • Providing customer service and support
  • Coordinating travel logistics and itineraries
  • Ensuring passenger safety and security
  • Meeting dietary and accessibility requirements
  • Emergency response and medical assistance

Legal and Regulatory Compliance

  • Meeting Transport Canada and maritime safety requirements
  • Customs and immigration reporting
  • Tax reporting and financial record keeping
  • Insurance claims processing
  • Legal dispute resolution
  • Regulatory audits and inspections

Financial Management

  • Payment processing and verification
  • Fraud prevention and detection
  • Refund and chargeback processing
  • Financial reporting and accounting
  • Credit checks (when necessary)

Secondary Purposes (With Your Consent)

Marketing and Communications

  • Sending newsletters and promotional offers
  • Personalized cruise recommendations
  • Market research and surveys
  • Social media engagement and advertising
  • Event invitations and special announcements

Analytics and Improvement

  • Website performance optimization
  • Service quality improvement
  • Customer satisfaction analysis
  • Business intelligence and reporting
  • Predictive modeling for service enhancement

4. Legal Basis for Processing (GDPR Compliance)

Processing Activity Legal Basis Purpose
Cruise booking and service delivery Contract Performance Fulfilling our contractual obligations
Safety and emergency procedures Vital Interests Protecting life and safety
Regulatory compliance Legal Obligation Meeting legal requirements
Marketing communications Consent Promotional activities with permission
Website analytics Legitimate Interest Improving user experience
Fraud prevention Legitimate Interest Protecting business and customers

5. Information Sharing and Disclosure

Service Providers and Business Partners

We share information with trusted third parties who assist in our operations:

Government and Regulatory Authorities

We may disclose information when legally required:

  • Transport Canada: Maritime safety and passenger manifests
  • Canada Border Services Agency: Immigration and customs clearance
  • Revenue agencies: Tax reporting and compliance
  • Law enforcement: Criminal investigations and court orders
  • Public health authorities: Health emergencies and contact tracing

Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you and ensure continued protection under this privacy policy.

6. Data Security and Protection

Technical Safeguards

Encryption and Access Controls

  • SSL/TLS encryption for all data transmission
  • AES-256 encryption for data at rest
  • Multi-factor authentication for system access
  • Role-based access controls and principle of least privilege
  • Regular security audits and penetration testing

Infrastructure Security

  • Secure cloud hosting with certified providers
  • Regular security patches and updates
  • Firewall protection and intrusion detection
  • Data backup and disaster recovery procedures
  • Network monitoring and threat detection

Organizational Safeguards

  • Staff Training: Regular privacy and security awareness training
  • Background Checks: Security screening for employees with data access
  • Confidentiality Agreements: Binding privacy commitments for all staff
  • Incident Response: Procedures for data breach notification and response
  • Privacy by Design: Privacy considerations in all system development

Data Breach Notification

In the event of a data security incident, we will:

  1. Assess and contain the breach within 24 hours
  2. Notify the Privacy Commissioner within 72 hours (if required)
  3. Inform affected individuals without undue delay
  4. Provide clear information about the incident and protective measures
  5. Offer credit monitoring or identity protection services when appropriate

7. Data Retention and Deletion

Retention Periods

Information Type Retention Period Reason
Booking and travel records 7 years Legal and tax requirements
Financial transaction records 7 years Accounting and audit requirements
Marketing communications Until consent withdrawn Ongoing marketing relationship
Website analytics data 26 months Google Analytics standard retention
Customer service records 3 years Service quality and dispute resolution
Emergency contact information 2 years Safety follow-up and incident reporting

Secure Deletion

When information is no longer needed, we securely delete it using:

  • Cryptographic erasure for encrypted data
  • Multi-pass overwriting for physical storage devices
  • Certificate of destruction for physical documents
  • Verified deletion from backup systems

8. Your Privacy Rights

Under Canadian Privacy Law (PIPEDA)

Right to Access

You can request a copy of the personal information we hold about you, including:

  • What information we have collected
  • How we use your information
  • Who we share it with
  • How long we keep it

Right to Correction

You can ask us to correct inaccurate or incomplete personal information. We will investigate and make necessary corrections promptly.

Right to Withdraw Consent

For activities requiring consent (like marketing), you can withdraw permission at any time. This won't affect the lawfulness of processing before withdrawal.

Additional Rights for EU Residents (GDPR)

  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
  • Right to Portability: Receive your data in a machine-readable format
  • Right to Restrict Processing: Limit how we use your information
  • Right to Object: Object to processing based on legitimate interests
  • Right to Complain: File complaints with EU data protection authorities

Additional Rights for California Residents (CCPA)

  • Right to Know: Detailed information about data collection and use
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the sale of personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices

How to Exercise Your Rights

Email Requests

Privacy Officer: [email protected]

Include your full name, email address, and specific request details

Phone Requests

Privacy Hotline: +1 613-448-1038

Monday-Friday, 9 AM - 5 PM PST

Written Requests

Echo Voyages Privacy Officer
1250 West Hastings Street, Suite 1400
Vancouver, BC V6E 4T5, Canada

Response Time

Standard: 30 days
Complex requests: Up to 90 days
Urgent matters: 48-72 hours

9. International Data Transfers

Transfer Safeguards

When we transfer personal information outside Canada, we ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries deemed adequate by Canadian authorities
  • Standard Contractual Clauses: EU-approved data transfer agreements
  • Binding Corporate Rules: Internal privacy standards for multinational partners
  • Certification Schemes: Privacy Shield successors and similar frameworks

Current Transfer Destinations

Service Provider Location Purpose Safeguards
Google Analytics Canada Website analytics Standard Contractual Clauses
Stripe Payments Canada Payment processing Adequacy decision + certification
Mailchimp Canada Email marketing Standard Contractual Clauses
Cloud hosting European Union Data storage Adequacy decision

10. Google Ads and Digital Marketing Compliance

Google Ads Usage

We use Google Ads services for marketing and advertising, which involves:

  • Google Ads Conversion Tracking: Measuring advertising effectiveness
  • Google Analytics: Understanding website traffic and user behavior
  • Google Tag Manager: Managing tracking codes and pixels
  • YouTube advertising: Video marketing campaigns
  • Display advertising: Banner ads on Google's network

Data Sharing with Google

Information shared with Google includes:

  • Website visitor behavior and conversion events
  • Hashed email addresses for customer match advertising