Privacy Policy

Last Updated: October 2, 2025

Who we are. Cozumel Excursions MX is operated by Inovex International CORP (EIN: 99-1760402) (“Cozumel Excursions MX”, “we”, “us”, “our”).
Website: https://cozumelexcursionsmx.com
Email: info@cozumelexcursionsmx.com | Phone: +52 1 998 491 7588
US Address: 4855 W HILLSBORO BLVD, B3, Coconut Creek, FL 33073, USA
MX Address: Av. Rafael E. Melgar, Cozumel, Quintana Roo, Mexico

This Policy explains how we collect, use, share, and protect personal information when you use our website and services (together, the “Services”). By using the Services, you consent to this Policy.

1) What We Collect

a) Information you provide

Contact & booking data: name, email, phone/WhatsApp, country, party size, participant names/ages, preferred dates/times, meeting/pickup details.
Preferences & notes: dietary needs, accessibility requests, language preference, equipment sizes (e.g., fins/vests).
Payment details: processed by our payment providers (we do not store full card numbers).
Communications: messages, emails, support requests, reviews, photos you submit.

b) Automatically collected (cookies & similar)

Device, browser, IP address, general geolocation, referring/exit pages, pages viewed, time on page, clicks, purchase events, error logs.
We use cookies, pixels, and local storage for authentication, analytics, and advertising.

c) Inferences

Non-sensitive interest segments for marketing (e.g., “snorkeling enthusiasts”, “cruise passengers”) based on your site interactions.

d) Sensitive data (limited)

Only if you choose to provide: relevant medical information (e.g., pregnancy, mobility concerns) needed to assess tour suitability and safety. We do not use this for advertising.

2) How We Use Information

Provide and manage bookings, issue vouchers, send confirmations and reminders.
Customer support and operational messages (meeting points, weather updates).
Personalize content and offers, run promotions (if you opt in).
Prevent fraud and abuse, secure our Services, debug and improve performance.
Comply with legal, tax, and accounting obligations.

Legal bases (EU/UK): contract performance, legitimate interests (fraud prevention, analytics, basic marketing), legal obligations, and consent (for certain marketing/cookies).

3) Payments & Providers

Payments: processed by Stripe and PayPal (both PCI-DSS compliant). We do not store full card details on our servers.
Hosting/CDN & security: Cloudflare (WAF/CDN) and AWS (infrastructure).
Analytics/ads: Google Analytics 4, Google Ads, Meta (Facebook/Instagram) Pixel.
User feedback/behavioral analytics: Hotjar (screening sensitive fields).
Email/SMS/WhatsApp: Mailchimp (email), Twilio (SMS/WhatsApp).
Maps/Geocoding: Google Maps (voucher directions/meeting points).

We may change providers over time; we require contractual safeguards and confidentiality.

4) Sharing of Information

We share only what’s necessary to deliver your tour and run the business:

Local operators/suppliers: participant names, date/time, contact info, preferences/restrictions needed to provide the activity.
Service providers: IT, hosting, email/SMS, analytics, payment processors, anti-fraud, and customer support tools under confidentiality agreements.
Legal & safety: to comply with law or protect rights, property, and safety.
Business transfers: in a merger, acquisition, or asset sale, data may transfer with appropriate protections.

We do not sell personal information for money. For California, we may “share” identifiers and internet activity with advertising partners for cross-context behavioral advertising unless you opt out (see §10).

5) International Transfers

We’re US-based and facilitate services in Mexico; providers may process data in the US, Mexico, the EU, or other countries. Where required, we use mechanisms like Standard Contractual Clauses to protect data transferred internationally.

6) Data Retention

Bookings & receipts: 7 years (tax/accounting).
Support and voucher correspondence: 3 years after last interaction.
Marketing subscribers: until you unsubscribe or after 24 months of inactivity.
Device/analytics events: typically 26 months (tool default or shorter).

We delete or anonymize data when no longer needed.

7) Your Choices

Marketing: unsubscribe anytime via email footer or contact us.
Cookies: manage in your browser and via our cookie banner (first visit). You can adjust Necessary / Functional / Analytics / Advertising categories. Some features may break if you disable certain cookies.
SMS/WhatsApp: reply STOP to opt out of texts.

8) Your Rights (by region)

California (CPRA)

Residents have the right to know/access, correct, delete, portability, and to opt out of sale/sharing and limit the use/disclosure of sensitive personal information. We do not use sensitive personal information for purposes requiring a “Limit Use” link.
To exercise: email info@cozumelexcursionsmx.com with “California Request,” your name, booking number (if any), and the request type. We’ll verify identity (email confirmation or reasonable match). Opt-out of sale/sharing: use the “Do Not Sell or Share My Personal Information” link in our footer or email us.

EU/UK (GDPR)

You may request access, correction, erasure, restriction, objection (including to profiling for direct marketing), and data portability, and you can withdraw consent at any time without affecting prior processing.
To exercise: email info@cozumelexcursionsmx.com with “GDPR Request.” You also have the right to lodge a complaint with your local supervisory authority.

Mexico (LFPDPPP – ARCO Rights)

You may exercise ARCO rights: Acceso, Rectificación, Cancelación y Oposición, and revoke consent where applicable.
To exercise: email info@cozumelexcursionsmx.com with subject “Solicitud ARCO”, include your full name, a copy of an ID (INE/passport; you may redact ID number), contact info, and a clear description of your request. We will respond within 20 business days and, if applicable, implement within 15 business days after our response, per applicable law.

9) Security

We use TLS/SSL encryption in transit, network segmentation, least-privilege access, MFA for admin systems, and regular monitoring. No system is perfect; in case of a data incident, we’ll notify affected users and authorities as required by law.

10) Ads, Cookies & “Do Not Sell or Share”

We use analytics and advertising cookies (e.g., GA4, Meta, Google Ads) to measure performance and show relevant offers. This may be considered “sharing” under California law.

Manage preferences: use our cookie banner or email us.
Opt-out of sale/sharing (California): use the “Do Not Sell or Share My Personal Information” link in the site footer or email us.
Do Not Track: we currently do not respond to browser DNT signals due to inconsistent standards.

11) Children

The Services are not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect data from children. If you believe a child provided data, contact us to delete it.

12) Third-Party Links

Our site may link to third-party sites (e.g., operators, social networks). Their privacy practices are governed by their own policies.

13) Changes to This Policy

We may update this Policy from time to time. Changes take effect when posted with a new “Last Updated” date. Material changes will be highlighted on the site.

14) Contact Us

For privacy questions or to exercise rights:
Email: info@cozumelexcursionsmx.com
Phone/WhatsApp: +52 1 998 491 7588
Postal (US): Inovex International CORP, 4855 W HILLSBORO BLVD, B3, Coconut Creek, FL 33073, USA
Postal (MX): Av. Rafael E. Melgar, Cozumel, Quintana Roo, Mexico