Coralbound Privacy Policy
Effective Date: August 13, 2025
Last Updated: August 13, 2025
Introduction
Coralbound and its affiliated companies ("Coralbound," "we," "us," or "our") are committed to respecting the privacy of customers – including participants in our diving liveaboard experiences, hotel and resort guests, tour participants, persons making inquiries, and visitors to the Coralbound website at coralbound.com.
Coralbound understands that your privacy is important to you and is committed to respecting and protecting your personal data, which is any information that is capable of identifying you as an individual person. This Privacy Policy covers personal information that may be provided to or obtained by Coralbound during such interactions and describes how we will handle and protect your personal data in connection with your interactions with Coralbound, in our capacity as data controller.
With respect to its personal data privacy policies and security procedures, and as noted in specific portions of this Privacy Policy, Coralbound is compliant with the privacy requirements and regulations of the EU's General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), US state privacy laws including the California Consumer Privacy Act ("CCPA"), and various international frameworks, as they affect residents of the respective areas covered by those regulations.
Additionally, in relation to Coralbound's role as a data controller, our diving operator partners, accommodation providers, and destination management company (DMC) partners may act as co-data controllers, as well as data processors on behalf of Coralbound, especially within the booking and service delivery process. Coralbound itself also serves as a data processor when processing personal information on behalf of our partner operators and accommodation providers.
Please see also the Terms of Service associated with the Coralbound website and booking platform for more information about Coralbound's general terms and policies.
Coralbound may also automatically collect information about the devices you use to interact with Coralbound's website and booking platform. The information automatically collected may include IP address, device identifier, web browser and browsing information collected through cookies, web beacons, pixels, clear gifs and other similar technologies (collectively "Cookies and Other Tracking Technologies" and "Cookies") on Coralbound's sites. Coralbound may also automatically collect information about how you use the sites, such as what you have searched for and viewed. The information automatically collected will be associated with any personal data you have provided.
Geographic Restrictions: This platform is geo-blocked for Indonesian residents. We do not provide services to or collect personal data from individuals located in Indonesia, allowing us to focus our compliance efforts on EU GDPR, UK GDPR, US state privacy laws, and international frameworks.
Key Information:
- We collect only necessary information to provide our booking services
- Your data is protected with industry-standard security measures
- You have comprehensive rights to control your personal information
- We respond to data subject requests within 72 hours
- We do not sell your personal information to third parties
Summary Of Collection And Use of Information
The personal data Coralbound collects is used for Coralbound's commercial, legal and business purposes. Depending on applicable law in your area, that use may be limited to what your specific consent allows, or to cases where Coralbound has a legitimate interest or other legal basis for processing and using such information. In some situations, the collection of personal data may be required for the operation of the platform or to provide certain services or products.
Coralbound uses your personal data to fulfill your requests for information, process your bookings for liveaboard diving experiences, hotel accommodations, tours and activities, evaluate and improve Coralbound's services, distribute safety alerts, newsletters, and diving-related correspondence and materials to you, analyze the platform's performance and functionality, prevent fraud, enforce Coralbound's various terms of service, comply with all applicable laws and corporate reporting obligations, enforce Coralbound's agreements and accomplish other purposes you may initiate or request. Coralbound may keep any of your personal data on file and use it to contact you.
Coralbound may use first and third-party Cookies and Other Tracking Technologies to manage its platform and services, and to collect analytics about how you use them. The information provided throughout this Privacy Policy about Cookies also applies to these other tracking technologies. Please refer to the Cookie information herein for more details regarding Coralbound's use of Cookies.
As explained below, the information obtained by Coralbound during various types of interactions may be treated differently.
1. About This Policy
1.1 Who We Are
Coralbound is operated by PT Tur Tak Terkalahkan, a company incorporated in Indonesia with Business Identification Number (NIB): [NIB NUMBER]. We are headquartered at Jl. Sunset Road No 89, Pertokoan Sunset Indah II, Kav 3, No 3B, 80361 Kuta, Bali, Indonesia.
Data Controller Information:
- Primary Data Controller: PT Tur Tak Terkalahkan
- EU Representative: [EU Representative Details] pursuant to GDPR Article 27
- UK Representative: [UK Representative Details] pursuant to UK GDPR Article 27
- Contact: legal@coralbound.com
Technical Infrastructure:
- Server Location: European Union
- Data Processing: EU-based infrastructure
1.2 Services Covered
This policy applies to all Coralbound services including:
- Liveaboard diving cruise bookings
- Hotel and resort accommodation reservations
- Flight bookings through DMC partners
- Tour packages and activities through local DMC partners
- Mobile applications and website interactions
- Customer service and support communications
1.3 Legal Framework
We comply with:
- European Union: General Data Protection Regulation (GDPR)
- United Kingdom: UK General Data Protection Regulation (UK GDPR)
- United States: California CCPA/CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA
- International: Canada PIPEDA, Japan APPI, Singapore PDPA, Australia Privacy Act
2. Information We Collect
2.1 Personal Information You Provide
Booking and Account Information:
- Full name, email address, phone number
- Date of birth, nationality, passport information
- Emergency contact details
- Diving certification level and experience
- Medical fitness declarations (as required for diving activities)
- Dietary restrictions and accessibility needs
- Travel preferences and special requests
Payment Information:
- Billing address and payment method details
- Transaction history and booking records
- Note: Credit card details are processed directly by our PCI DSS compliant payment processors (Xendit, Stripe) and never stored on our servers
Communication Data:
- Customer service interactions and support tickets
- Review and feedback submissions
- Marketing communication preferences
- Social media interactions with our accounts
2.2 Information Collected Automatically
Technical Data:
- IP address, device identifiers, browser type and version
- Operating system, screen resolution, time zone settings
- Website navigation patterns and click-through data
- Cookie and tracking technology data (see Section 6)
Location Data:
- GPS coordinates (with your consent) for dive site recommendations
- General location derived from IP address for currency and language preferences
- Location-based service preferences
Usage Analytics:
- Pages visited, time spent on site, bounce rates
- Search queries and booking abandonment data
- Feature usage patterns and performance metrics
- Platform interaction data for service improvement
2.3 Third-Party Information
- Social media profile data (when you connect accounts)
- Partner-provided information (dive operators, hotels, DMCs)
- Public business directories and travel databases
- Identity verification services (where required by applicable law)
2.4 Special Considerations Regarding Children
Age Restrictions: You must be at least 13 years of age (16 years of age in the EU) to register for a Coralbound account. Children under 18 years of age require parental consent for certain diving activities and may need additional parental approval for booking services.
Parental Consent Requirements: In consideration for use of Coralbound's services, parents/guardians agree to provide true and accurate information in registration forms for their children and to update registration information as necessary to keep it accurate and current. If false, inaccurate, not current or incomplete information is provided, or if Coralbound, in its sole discretion, determines that such information may be false, inaccurate, not current or incomplete, Coralbound has the right to suspend or terminate the account and refuse present or future use of Coralbound's services.
Children's Privacy Protection: While Coralbound cannot prevent children younger than 13 years of age (16 years of age in the EU) from viewing the public portions of the Coralbound website, in a commitment to safeguard their online privacy, clear notice is given that children younger than 13 years of age (16 years of age in the EU) are not permitted to register accounts. The required birth date field will not allow registration to continue when a birth date indicating younger than the minimum age is entered.
Coralbound does not knowingly collect personal information from children younger than 13 years of age (16 years of age in the EU). If Coralbound becomes aware that a child younger than the minimum age has provided personal information, reasonable steps will be taken to remove such information and terminate the child's account. Coralbound strongly encourages parents and guardians to supervise the activity of all children younger than 18 years of age in their use of the internet.
Coralbound is compliant with the Children's Online Privacy Protection Act of 1998 (COPPA) and EU regulations regarding children's data protection.
3. Privacy by Design and Data Minimization
3.1 Privacy by Design Principles
Coralbound implements privacy by design principles in all aspects of our platform development and business operations:
Proactive Rather Than Reactive:
- Privacy impact assessments conducted before implementing new features or services
- Anticipatory privacy protection measures built into system architecture
- Regular privacy audits and risk assessments to identify potential issues before they occur
- Continuous monitoring of data processing activities for compliance
Privacy as the Default Setting:
- Most privacy-protective settings enabled by default for new accounts
- Explicit opt-in required for all marketing communications and non-essential processing
- Minimal data collection enabled by default, with options to provide additional information voluntarily
- Service access never conditional on marketing consent
Privacy Embedded into Design:
- Technical and organizational measures integrated from the system design phase
- Privacy considerations included in all business process development
- Regular staff training on privacy-first thinking and implementation
- Privacy requirements included in all vendor and partner agreements
Full Functionality - Positive-Sum:
- Privacy protection does not compromise platform functionality or user experience
- Multiple privacy-respecting options provided for achieving business objectives
- User control over privacy settings without service degradation
- Balancing privacy protection with service personalization through user choice
End-to-End Security:
- Comprehensive security measures from data collection through deletion
- Encryption protocols for data at rest and in transit
- Access controls and authentication measures throughout data lifecycle
- Secure deletion procedures when data retention periods expire
Visibility and Transparency:
- Clear communication about all data processing activities
- User-friendly privacy controls and account management tools
- Regular transparency reports about data processing activities
- Open communication about privacy practices and policy changes
Respect for User Privacy:
- User consent and choice prioritized in all data processing decisions
- Easy-to-use privacy controls and preference management
- Prompt response to user privacy requests and concerns
- Recognition that privacy is a fundamental right, not a luxury
3.2 Data Minimization Practices
Collection Limitation:
- We collect only personal data that is necessary for the specific purpose stated
- Optional data fields clearly marked and explained
- Regular review of data collection forms to eliminate unnecessary fields
- Just-in-time data collection - requesting information only when needed for specific services
Purpose Limitation:
- Personal data used only for the purposes for which it was collected
- Additional uses require explicit consent or clear legal basis
- Data not used for secondary purposes without user notification and consent
- Clear documentation of all processing purposes and legal bases
Storage Limitation:
- Automatic deletion of personal data when retention periods expire
- Regular data purging schedules for different categories of information
- Secure archival for data required for legal compliance
- User notification before data deletion where appropriate
Accuracy and Quality:
- Systems in place to maintain data accuracy and completeness
- User-friendly tools for updating and correcting personal information
- Regular data quality checks and cleanup procedures
- Prompt correction of inaccurate data when identified
3.3 Privacy-First Development
Feature Development:
- Privacy impact assessments required for all new features
- Privacy requirements included in technical specifications
- User privacy controls designed into new functionality from the start
- Regular privacy reviews during development cycles
Vendor Selection:
- Privacy protection capabilities evaluated during vendor selection
- Data processing agreements include comprehensive privacy protections
- Regular audits of vendor privacy and security practices
- Preference for vendors with strong privacy certifications and track records
Data Architecture:
- Systems designed to minimize data exposure and access
- Role-based access controls limit employee access to personal data
- Data segregation and compartmentalization where technically feasible
- Regular architecture reviews for privacy optimization opportunities
4. Emergency Data Sharing
4.1 Medical Emergencies
Immediate Medical Response: When you experience a medical emergency during a Coralbound-booked service, we may need to share your personal information immediately to protect your vital interests:
- Emergency Contact Notification: Immediate contact of your designated emergency contacts using information provided during booking
- Medical Information Sharing: Sharing relevant medical fitness declarations and health information with local medical facilities, dive emergency services (such as DAN - Divers Alert Network), and emergency responders
- Hospital Coordination: Providing identification, insurance information, and medical history to receiving medical facilities
- Evacuation Services: Coordinating with medical evacuation services and sharing necessary personal and medical information
Medical Information Shared:
- Full name, nationality, and identification information
- Emergency contact details and relationships
- Medical fitness declarations and known health conditions
- Diving certification level and experience (relevant for diving-related medical emergencies)
- Insurance information and policy details
- Medication allergies and current medications (if provided)
- Blood type and other critical medical information (if provided)
Legal Basis: Vital interests protection under GDPR Article 6(1)(d) and legitimate interests for emergency response
4.2 Safety and Security Incidents
Maritime and Diving Emergencies:
- Coast Guard and Maritime Authorities: Sharing passenger manifests, diving experience levels, and emergency contact information with Indonesian Coast Guard, harbor authorities, and international maritime rescue coordination centers
- Dive Emergency Services: Immediate sharing with DAN (Divers Alert Network), local dive emergency response teams, and hyperbaric chamber facilities
- Search and Rescue Operations: Providing location data, personal identification, and emergency contacts to search and rescue authorities
- Vessel Emergency Response: Coordinating with vessel operators and emergency services for evacuation or rescue operations
Natural Disasters and Crisis Situations:
- Government Authorities: Sharing guest information with local emergency management authorities during natural disasters (earthquakes, tsunamis, volcanic eruptions)
- Embassy and Consular Services: Providing citizen information to relevant embassies and consulates for citizen welfare and evacuation assistance
- Family Notification: Immediate notification of emergency contacts and family members about safety status and location
- Evacuation Coordination: Sharing travel documents and identification information with evacuation services and transportation authorities
4.3 Law Enforcement and Security
Legal Requirements:
- Criminal Investigations: Cooperation with law enforcement agencies when required by valid legal process or court orders
- Immigration and Border Control: Sharing passenger information with immigration authorities as required by law
- Anti-Terrorism and National Security: Compliance with security screening requirements and watch list checking
- Customs and Border Protection: Providing travel information to customs authorities when legally required
Fraud and Safety Protection:
- Financial Crime Prevention: Sharing transaction information with financial crime prevention agencies and payment processors
- Safety Threat Response: Immediate sharing with authorities when credible safety threats are identified
- Missing Persons: Cooperation with law enforcement in missing person investigations
- Child Protection: Mandatory reporting to appropriate authorities when child safety concerns are identified
4.4 Communication and Notification Procedures
Emergency Contact Protocol:
- Immediate Response (0-1 hour): Contact emergency services and medical facilities
- Family Notification (1-4 hours): Contact designated emergency contacts
- Insurance Coordination (4-24 hours): Notify travel insurance providers and assist with claims
- Ongoing Support (24+ hours): Continued coordination with family, medical facilities, and insurance providers
Information Sharing Safeguards:
- Minimum Necessary Standard: Only information essential for the emergency response is shared
- Purpose Limitation: Emergency data sharing limited to the specific emergency situation
- Retention Limits: Emergency-shared data subject to normal retention schedules unless ongoing medical or legal requirements exist
- Documentation: All emergency data sharing documented for audit and accountability purposes
Your Rights During Emergencies:
- Family Designation: You control who is contacted in emergencies through your emergency contact designations
- Medical Directives: Advance medical directives and DNR orders will be communicated to medical facilities when provided
- Religious/Cultural Considerations: Cultural and religious preferences will be communicated to emergency responders when provided
- Post-Emergency Control: You regain full control over your data once the emergency situation is resolved
5. How We Use Your Information
5.1 Primary Processing Purposes
Service Delivery (Legal Basis: Contract Performance):
- Processing and confirming your liveaboard, hotel, and tour bookings
- Coordinating with dive operators, hotels, and local DMC partners
- Facilitating payment transactions through Xendit, Stripe and other processors
- Providing customer support and trip assistance
- Sending booking confirmations, vouchers, and travel documentation
Legal Compliance (Legal Basis: Legal Obligation):
- Anti-money laundering and fraud prevention under applicable banking regulations
- Tax and accounting obligations per applicable international tax laws
- Safety and emergency response coordination with relevant authorities
- Compliance with travel and tourism regulations in service destinations
Legitimate Business Interests (Legal Basis: Article 6(1)(f) GDPR):
- Website functionality and security improvements
- Fraud detection and prevention systems
- Business analytics and performance optimization for service delivery
- Basic service personalization and safety-based recommendations
- Platform development and feature enhancement for user experience
- Customer service quality improvement and training
- Safety monitoring and emergency response capability
- Payment processing and transaction security
With Your Explicit Consent (Legal Basis: Article 6(1)(a) GDPR):
- Marketing communications and promotional offers (explicit opt-in required)
- Enhanced personalization features beyond basic service delivery
- Location-based marketing and targeted recommendations
- Social media integration and advertising features
- Optional data analytics and research participation
- Newsletter subscriptions and diving industry updates
- Partner promotions and third-party offers (separate consent required)
- SMS/WhatsApp marketing messages and promotional communications
5.2 Automated Decision-Making and Artificial Intelligence
We use automated systems and artificial intelligence for various aspects of our platform to enhance your experience and ensure safety:
Fraud Prevention and Security:
- Automatic transaction screening based on risk algorithms and machine learning models
- Payment verification systems that analyze transaction patterns
- Account security monitoring using behavioral analysis
- Suspicious activity detection across booking patterns
Dynamic Pricing and Availability:
- Commission-based pricing for liveaboard experiences using operator published rates
- Net pricing with markup for hotel, tour, and flight bookings
- Real-time availability checking and booking confirmation systems
- Future implementation of dynamic pricing algorithms based on demand, seasonality, and market conditions (not currently active)
Personalization and Recommendations:
- Customized diving experience recommendations based on certification level, experience history, and preferences
- Personalized accommodation suggestions using booking history and stated preferences
- Targeted content delivery based on browsing behavior and engagement patterns
- Smart search results ranking based on relevance algorithms
Customer Service Automation:
- AI-powered chatbots for initial customer inquiries and basic booking questions
- Automated email responses for common support requests
- Intelligent routing of support tickets to appropriate human agents
- Predictive support - identifying potential issues before they occur
Operational Efficiency:
- Automated booking confirmations and travel document generation
- Smart matching between divers and appropriate operators based on experience levels
- Predictive maintenance alerts for partner vessels and equipment
- Resource allocation optimization for customer service staffing
Transparency and Control:
- Algorithm Explainability: We can provide basic explanations of how automated decisions affect your bookings
- Human Review Right: You can request human review of any automated decision that significantly affects you by contacting legal@coralbound.com
- Opt-Out Options: Where possible, you may opt out of certain automated processing (though this may limit service functionality)
- Bias Monitoring: We regularly audit our algorithms for unfair bias and discrimination
- Performance Tracking: Automated systems are continuously monitored for accuracy and fairness
Data Used in Automated Processing:
- Booking history and preferences
- Diving certification and experience data
- Payment and transaction history
- Website interaction and browsing behavior
- Communication preferences and feedback
- Location data (when provided with consent)
Legal Basis for AI Processing:
- EU/UK: Legitimate interests for service improvement and fraud prevention; consent for marketing personalization
- US: Business operations with appropriate opt-out mechanisms
- Contract Performance: Essential automated processing for booking fulfillment
Your Rights: You can request human review of any automated decision that significantly affects you by contacting legal@coralbound.com.
6. Information Sharing and Disclosure
6.1 Service Providers and Partners
Travel Service Providers:
- Dive operators and liveaboard companies for booking fulfillment
- Hotels and resorts for accommodation arrangements
- Airlines and flight booking services through DMC partners
- Local DMC partners for tour, activity, and flight services
- Transportation providers for transfer services
- Travel insurance providers (with your consent)
Technology and Business Partners:
- Payment processors (Xendit, Stripe, PayPal) for transaction processing
- Cloud hosting providers (AWS, Google Cloud) for data storage
- Email service providers (Mailchimp, SendGrid) for communications
- Analytics providers (Google Analytics) for website optimization
- Customer service platforms for support ticket management
- Remarketing and advertising partners including but not limited to Google, Meta, X, and other third-party advertising platforms for personalized advertising and marketing campaigns
Legal and Compliance:
- Relevant authorities when required by valid legal process
- Regulatory authorities for compliance reporting under applicable laws
- Professional advisors (lawyers, auditors) under confidentiality obligations
- Emergency services and relevant coast guard authorities for safety coordination
6.2 Data Controller vs. Processor Relationships
Joint Controllers:
- Marketing partner networks for promotional campaigns
- Social media platforms for advertising and engagement
- Tourism industry associations for industry reporting
Data Processors:
- Technical infrastructure providers
- Customer service platform providers
- Data analytics and research services
- Document storage and management systems
6.3 No Data Sales
We do not sell your personal information to third parties for monetary consideration. Any data sharing serves legitimate business purposes or legal requirements as outlined above.
7. International Data Transfers
7.1 Transfer Mechanisms
Adequacy Decisions:
- EU-Japan mutual adequacy framework
- UK adequacy recognition (until December 2025)
- Other jurisdiction adequacy determinations as available
Appropriate Safeguards:
- Standard Contractual Clauses (EU SCC, UK IDTA)
- Corporate binding rules for intra-group transfers
- Certification schemes and codes of conduct
Consent-Based Transfers:
- Explicit consent for transfers to countries without adequacy decisions
- Clear notification of transfer purposes and risks
- Option to withdraw consent for future transfers
7.2 Cross-Border Processing Locations
Your data may be processed in:
- European Union: Primary server infrastructure and data storage
- United Kingdom: UK-specific compliance operations
- United States: Technology service providers (Google, AWS) under appropriate safeguards
- Other locations: As disclosed in service-specific notices
7.3 Cross-Border Transfer Compliance
In accordance with applicable international transfer regulations:
- Pre-transfer notifications to relevant authorities where required
- Post-transfer compliance reporting as mandated
- Documentation of transfer necessity and safeguards
- Regular review of international transfer arrangements
8. Cookies and Tracking Technologies
8.1 Cookie Categories
Strictly Necessary Cookies:
- Session management and user authentication
- Security and fraud prevention
- Basic website functionality and navigation
- Shopping cart and booking process management
Performance and Analytics Cookies:
- Google Analytics for website optimization
- Error tracking and performance monitoring
- A/B testing for feature improvements
- User experience research and heat mapping
Functionality Cookies:
- Language and currency preferences
- Personalized content delivery
- Location-based service enhancements
- Social media integration features
Marketing and Advertising Cookies:
- Retargeting and remarketing campaigns through various third-party advertising platforms
- Conversion tracking and attribution across advertising networks
- Interest-based advertising and audience segmentation
- Cross-platform marketing coordination and customer journey tracking
- Custom audience creation and lookalike audience development
8.2 Cookie Management
- Granular Controls: Manage cookie preferences in our Cookie Consent Center
- Browser Settings: Configure cookie acceptance in your browser settings
- Global Privacy Control: Automatic recognition of GPC signals
- Regular Review: Update your preferences anytime through account settings
8.3 Third-Party Cookies and Remarketing
We work with various third-party advertising partners for remarketing and personalized advertising campaigns. These may include but are not limited to Google, Meta, X, and other advertising networks and platforms.
Types of Remarketing Activities:
- Website visitor remarketing and conversion tracking
- Custom audience creation based on customer data
- Lookalike audience development for similar customer targeting
- Cross-platform advertising coordination and optimization
- Interest-based advertising based on user behavior and preferences
Legal Basis for Remarketing:
- EU/UK: Explicit consent required for all remarketing activities - no pre-checked boxes
- Existing customers: Legitimate interests for service-related remarketing only (safety, booking updates)
- Prospective customers: Explicit opt-in consent required for all advertising
- US: Opt-out model with clear mechanisms and Global Privacy Control compliance
- Data Protection: All partners maintain adequate data protection measures and use appropriate transfer safeguards
Your Controls:
- Manage advertising preferences through our Cookie Consent Center
- Opt out directly through advertising platform privacy settings
- Use browser settings to block advertising cookies
- Contact us to remove your data from remarketing activities
Refer to each platform's privacy policy for detailed information about their specific data practices and your rights.
9. Data Retention and Deletion
9.1 Retention Periods
Booking Records:
- Active bookings: Until trip completion plus 2 years for customer service
- Cancelled bookings: 3 years for dispute resolution
- Payment records: 7 years for tax and accounting requirements
- Customer service records: 5 years for quality improvement and training
Marketing and Communications:
- Email marketing lists: Until opt-out or account deletion
- Website analytics: 26 months (Google Analytics default retention)
- Chat logs and support tickets: 3 years for service improvement
- User-generated content: Until content removal request
Legal and Compliance:
- Fraud prevention data: 7 years or until threat resolution
- Legal dispute records: Duration of applicable limitation periods
- Regulatory reporting data: As required by applicable authorities
- Safety and emergency records: 10 years for insurance and liability purposes
9.2 Automated Deletion
- Inactive accounts: Reviewed annually with notification before deletion
- Expired promotional codes: Deleted 30 days after expiration
- Temporary files and logs: Automatically purged according to retention schedules
- Cache and backup data: Synchronized with primary retention periods
9.3 Deletion Procedures
When we delete your data:
- Secure deletion from all active systems within 30 days
- Backup system purging within 90 days
- Third-party processor deletion coordination
- Anonymization when deletion would compromise legitimate interests
10. Your Privacy Rights
10.1 Universal Rights
Right to Information:
- Clear explanation of our data processing activities
- Details about data sources and sharing practices
- Information about retention periods and deletion criteria
- Contact information for privacy-related inquiries
Right of Access:
- Request a copy of all personal data we hold about you
- Information about processing purposes and legal basis
- Details of data recipients and transfer arrangements
- Response within 30 days as required by applicable privacy laws
Right to Rectification:
- Correct inaccurate or incomplete personal data
- Update account information and preferences
- Modify communication settings and marketing consent
- Real-time correction through your account dashboard
10.2 Enhanced Rights (Where Applicable)
Right to Erasure ("Right to be Forgotten"):
- Delete account and associated personal data
- Remove specific data categories or processing activities
- Coordinate deletion with third-party processors
- Exceptions for legal compliance and legitimate interests
Right to Data Portability:
- Receive personal data in structured, machine-readable format
- Transfer data directly to another service provider
- Export booking history, preferences, and profile information
- JSON and CSV format options available
Right to Restrict Processing:
- Temporarily limit certain data processing activities
- Maintain data storage while restricting usage
- Apply during dispute resolution or objection periods
- Clear notification of restriction reasons and duration
Right to Object:
- Object to processing based on legitimate interests
- Opt out of direct marketing communications
- Refuse automated decision-making and profiling
- Stop processing for research and analytics purposes
10.3 Consent Management
Explicit Opt-In Requirements:
- Marketing Communications: Separate, unchecked boxes for email marketing, SMS promotions, and newsletter subscriptions
- Enhanced Personalization: Optional features beyond basic service delivery require specific consent
- Social Media Integration: Advertising and remarketing features require explicit consent
- Partner Promotions: Third-party offers and partner marketing require separate consent categories
- Location Marketing: Marketing use of location data (beyond safety/service delivery) requires consent
Consent Characteristics:
- Freely Given: Service access never conditional on marketing consent
- Specific: Separate consent for each marketing category and purpose
- Informed: Clear explanations of what each consent category includes
- Unambiguous: Positive action required (no pre-ticked boxes for marketing)
- Withdrawable: Easy withdrawal through account settings with immediate effect
Legitimate Interests vs. Consent:
- No Consent Required: Essential service delivery, safety communications, fraud prevention, customer service
- Consent Required: All marketing, enhanced personalization, social media advertising, partner promotions
- Clear Separation: Users can easily distinguish between essential and optional processing
Consent Management Tools:
- Granular Controls: Individual on/off switches for each consent category
- Easy Withdrawal: One-click unsubscribe and account-based preference management
- Consent History: Users can view their consent history and changes
- Regular Refresh: Annual consent confirmation requests for ongoing marketing processing
- Consent Receipts: Clear confirmation of consent choices provided to users
10.4 Exercise Your Rights
Multiple Contact Options:
- Email: legal@coralbound.com
- Account Settings: Manage privacy preferences in your account dashboard
- Mail: PT Tur Tak Terkalahkan, Jl. Sunset Road No 89, Pertokoan Sunset Indah II, Kav 3, No 3B, 80361 Kuta, Bali, Indonesia
Identity Verification:
- Account login verification for simple requests
- Additional verification for sensitive requests
- Alternative verification methods for account access issues
- Security measures to prevent unauthorized access
Response Timeframes:
- Acknowledgment: Within 72 hours (our enhanced service commitment)
- Simple requests: Within 30 days (GDPR/UK GDPR requirement)
- Standard requests: Within 30 days (GDPR/UK GDPR requirement)
- Complex requests: Within 45-90 days with extension notification (legal maximum)
- Emergency/security requests: Immediate response during business hours
11. Data Security
11.1 Technical Safeguards
Encryption:
- AES-256 encryption for data at rest
- TLS 1.3 for data in transit
- End-to-end encryption for sensitive communications
- Regular encryption key rotation and management
Access Controls:
- Role-based access permissions
- Multi-factor authentication for employee access
- Regular access review and deprovisioning
- Principle of least privilege implementation
Infrastructure Security:
- ISO 27001 certified data centers
- Regular security audits and penetration testing
- 24/7 security monitoring and incident response
- Redundant backup systems and disaster recovery
11.2 Organizational Measures
Employee Training:
- Regular privacy and security awareness training
- Role-specific data protection training
- Incident response procedure training
- Confidentiality agreements and background checks
Vendor Management:
- Due diligence on third-party processors
- Contractual data protection requirements
- Regular security assessments of partners
- Incident notification and response coordination
Governance Framework:
- Privacy by design implementation
- Data protection impact assessments
- Regular policy reviews and updates
- Executive oversight and accountability
11.3 Incident Response
Breach Detection:
- Automated monitoring and alerting systems
- Regular security scans and vulnerability assessments
- Employee reporting mechanisms
- Customer reporting channels
Notification Procedures:
- Relevant authorities notification within 72 hours as required by applicable laws
- Individual notification within 72 hours for high-risk breaches
- Coordination with international authorities as applicable
- Clear communication about breach impact and remediation
Remediation Actions:
- Immediate containment and assessment
- Forensic investigation and root cause analysis
- System hardening and vulnerability patching
- Additional monitoring and prevention measures
12. Regional Privacy Provisions
12.1 European Residents (GDPR Compliance)
Data Subject Rights Enhancement:
- Comprehensive data portability formats
- Detailed consent management options
- Advanced objection and restriction procedures
- Supervisory authority complaint mechanisms
Legal Basis Framework:
- Explicit consent for non-essential processing
- Legitimate interest balancing test documentation
- Clear demonstration of contractual necessity
- Specification of legal compliance requirements
EU Representative Services:
- [EU Representative Name and Contact Details]
- Local language support for privacy inquiries
- GDPR-specific complaint handling procedures
- Coordination with EU supervisory authorities
12.2 UK Residents (UK GDPR Compliance)
Post-Brexit Data Protection:
- UK GDPR applies separately from EU GDPR since Brexit
- Current adequacy arrangement with EU until December 2025
- UK Information Commissioner's Office (ICO) as supervisory authority
- Similar rights and obligations to EU GDPR with UK-specific variations
UK Representative Services:
- Company: [UK Representative Company Name]
- Address: [UK Representative Address]
- Email: coralbound@[uk-representative-domain].com
- Phone: +44-XXX-XXXX-XXXX
- Services: English language support for all privacy inquiries, UK GDPR-specific complaint handling procedures, coordination with ICO for investigations and compliance
Data Subject Rights (UK-Specific):
- Enhanced subject access request procedures
- UK-specific data portability formats and standards
- ICO complaint mechanisms and dispute resolution
- UK court system for legal remedies and enforcement
Transfer Mechanisms:
- UK Adequacy decisions (limited, primarily EU adequacy)
- UK International Data Transfer Agreements (IDTA)
- UK Addendum to EU Standard Contractual Clauses
- Explicit consent for transfers to non-adequate countries
12.3 California Residents (CCPA/CPRA Compliance)
Enhanced Consumer Rights:
- "Do Not Sell My Personal Information" mechanisms
- Global Privacy Control automatic recognition
- Comprehensive data category disclosures
- 15-day opt-out processing timeframes
Business Purpose Disclosures:
- Detailed third-party sharing categories
- Clear identification of commercial purposes
- Specific documentation of retention periods
- Comprehensive listing of source categories
Verification and Identity Management:
- Multi-tier verification procedures
- Alternative verification methods
- Authorized agent representation processes
- Identity protection against fraudulent requests
12.4 Other Jurisdictions
Canada (PIPEDA):
- Meaningful consent requirements
- Accountability for international transfers
- Privacy breach notification procedures
- Privacy Commissioner cooperation
Australia (Privacy Act):
- Australian Privacy Principles compliance
- Notifiable data breach scheme participation
- Overseas transfer accountability measures
- Privacy complaint resolution procedures
Singapore (PDPA):
- Consent and notification requirements
- Data breach notification obligations
- Do Not Call Registry compliance
- Personal Data Protection Commission cooperation
13. Service-Specific Data Collection and Use
13.1 Liveaboard Diving Experience Participants
What information does Coralbound obtain? For participants in liveaboard diving experiences, Coralbound may obtain participant name, email address, phone number, postal address, nationality, date of birth, passport information, diving certification level and number, dive experience history, medical fitness declarations, dietary restrictions, emergency contact information, and associated dive operator/liveaboard vessel information.
How is the information used? Coralbound uses participant information to coordinate with dive operators and liveaboard vessels for booking fulfillment, send booking confirmations and travel documentation, provide customer support throughout the diving experience, distribute diving safety alerts and important operational updates, and for quality management processes including post-trip evaluation forms and related correspondence.
Marketing and Promotional Use (Requires Explicit Consent): With your separate, explicit consent, participant information may be used by Coralbound to:
- Promote additional diving experiences and travel opportunities
- Send newsletters and diving industry updates
- Provide personalized recommendations based on your diving experience
- Share information with our trusted dive operator partners for marketing purposes (separate consent required)
- Include you in partner promotions for diving, training and dive-related products and services
Service Delivery (Legitimate Interests - No Consent Required):
- Booking coordination and confirmation
- Safety communications and emergency alerts
- Customer service and support
- Quality assurance and feedback collection
- Fraud prevention and payment security
13.2 Hotel and Resort Booking Participants
What information does Coralbound obtain? For hotel and resort bookings, Coralbound obtains guest name, contact information, booking preferences, special requests, payment information (processed securely through third-party processors), and accommodation history.
How is the information used? This information is used to coordinate reservations with accommodation providers, provide personalized service recommendations, send booking confirmations and check-in instructions, facilitate customer support, and enhance future booking experiences through personalized recommendations.
13.3 DMC Tour and Activity Participants
What information does Coralbound obtain? For tours and activities booked through our destination management company (DMC) partners, Coralbound obtains participant details, activity preferences, physical fitness requirements, dietary restrictions, and emergency contact information.
How is the information used? Information is shared with our trusted DMC partners to ensure proper tour coordination, safety compliance, and personalized experiences. We use this data to match participants with appropriate activities based on skill level and interests, provide safety briefings and equipment, and maintain quality standards across all tour offerings.
13.4 Website Visitors and Mobile App Users
What information does Coralbound obtain? When someone visits coralbound.com or uses Coralbound mobile applications, the following information may be obtained: email address, name, contact information, personal demographic information, browsing behavior, search preferences, device information, and location data (with consent).
What does Coralbound do with the information? Coralbound uses this information to identify visitor interests, aggregate demographic data, improve website and mobile app functionality, and enhance user experience for service delivery purposes.
Service Delivery and Functionality (Legitimate Interests):
- Website performance optimization and technical functionality
- Basic personalization for user experience (language, currency preferences)
- Security monitoring and fraud prevention
- Analytics for service improvement and platform development
- Error tracking and technical support
Marketing and Enhanced Personalization (Requires Explicit Consent): With your separate, explicit consent, visitor information may be used for:
- Personalized marketing recommendations and promotions
- Enhanced content personalization beyond basic service delivery
- Marketing analytics and audience development
- Targeted advertising and remarketing campaigns
- Newsletter subscriptions and promotional communications
Data Sharing Policy: Coralbound will not provide, market, trade or sell visitor information to third parties for marketing purposes without explicit consent. We may share aggregate, non-personally identifiable information as part of statistical reports that do not include personally identifying information.
Email addresses collected from website/app communications are used for customer service responses and, with your consent, marketing communications. Coralbound will not share any information with third parties unless they have agreed to maintain confidentiality, security and integrity of the personal information they obtain from Coralbound.
What does Coralbound use to track information from users? Coralbound uses various standard web-measuring tools to trace website visitor movements, such as Google Analytics, Facebook Analytics, and other performance monitoring tools. Google Analytics uses cookies to collect and record information about visitor behavior on coralbound.com. This data is not tied to personally identifiable information. Coralbound has enabled demographic and interest reporting to better understand user preferences. You can use the Google Analytics Opt-Out Browser Add-on to disable tracking by Google Analytics.
13.5 Customer Service and Support Interactions
What information does Coralbound obtain? Through customer service interactions, Coralbound obtains contact information, booking details, service inquiries, feedback, complaint details, and resolution preferences.
How is the information used? This information is used to provide timely and effective customer support, resolve booking issues, improve service quality, train customer service staff, and maintain records for quality assurance and dispute resolution purposes.
14. Global Privacy Control and Opt-Out Mechanisms
Global Privacy Control (GPC): Global Privacy Control (GPC) is a browser setting that notifies websites of a user's privacy preferences, such as not to share or sell personal data without their consent, by sending a signal to each website a user visits. Coralbound's website complies with the GPC requirements under the California Consumer Privacy Act (CCPA) and legislation in other jurisdictions.
Opt-Out Options: For marketing communications and optional features that require consent, you have full control:
Marketing Communications:
- Email Marketing: Unsubscribe links in every email, account settings, or contact legal@coralbound.com
- SMS/WhatsApp Marketing: Reply STOP to any message or manage in account settings
- Partner Promotions: Separate opt-out for each partner category in account settings
- Social Media Advertising: Opt-out through our Cookie Consent Center or directly with advertising platforms
Essential Service Communications (Cannot Opt-Out): Essential communications are sent based on legitimate interests and cannot be disabled as they are necessary for service delivery:
- Booking confirmations and travel documentation
- Safety alerts and emergency communications
- Payment receipts and billing notices
- Account security notifications
- Legal compliance and regulatory communications
- Customer service responses to your inquiries
How to Change Preferences:
- Account Settings: Manage all consent preferences in your account dashboard
- Cookie Settings: Manage cookie preferences through our Cookie Consent Center
- Email: Contact legal@coralbound.com with specific requests
- Immediate Effect: All opt-out requests processed immediately for future communications
Marketing Communications: You may choose to "unsubscribe" from receiving marketing communications at any time by following the unsubscribe links in our emails, updating your account preferences, or contacting us directly.
15. Social Networking and Third-Party Integration
Social Media Integration: The Coralbound website and platform may allow you to sign into and associate your social network accounts including, but not limited to, Instagram, Facebook, Twitter, and YouTube, with Coralbound. The platform may also allow you to log in to a Coralbound account using certain social network account credentials.
By associating your social network account with Coralbound or logging in to a Coralbound account using your social network account credentials, you give Coralbound permission to access information that you have made available in your public profile for that social network account. The information available in your public profile varies based on the social network and your settings, but may include your email address, real name, profile picture, gender, and location.
Social Media Advertising: Where legally permissible and with appropriate consent, Coralbound may use certain limited personal information about you, such as your email address, to create hashed versions and share with social media platforms, such as Facebook Custom Audiences and Google Customer Match, to generate leads, drive traffic to Coralbound's website or otherwise promote Coralbound's diving and travel services.
Consent Requirements:
- EU/UK Residents: Explicit opt-in consent required before any social media advertising
- US Residents: Opt-out model with clear mechanisms provided
- Existing Customers: Service-related remarketing may use legitimate interests (safety updates, booking reminders)
- Prospective Customers: All advertising requires explicit consent regardless of jurisdiction
Opt-Out of Social Media Advertising: You may, at any time, opt out of social media advertising by:
- Contacting us at legal@coralbound.com
- Adjusting your privacy settings on the respective social media platforms
- Using our Cookie Center to disable advertising cookies
- Enabling Global Privacy Control (GPC) in your browser
- Managing preferences in your account settings at coralbound.com/privacy-center
16. Limits on Coralbound's Abilities to Protect Personal Information
Your privacy is very important to Coralbound. However, due to the existing legal and technical environment, Coralbound cannot ensure that your personally identifiable information will not be disclosed to third parties in ways not described in this Privacy Policy. For example, Coralbound may be forced to disclose information to the government or third parties under certain circumstances, or third parties may unlawfully intercept or access transmissions or private communications.
Additionally, Coralbound can (and you authorize Coralbound to) disclose any information about you to private entities, law enforcement or other government officials as Coralbound, in its sole discretion, believes necessary or appropriate to address or resolve inquiries or problems, prevent fraud, or protect the safety of our customers and partners.
17. Links to Third-Party Sites
Coralbound's website may provide links to third-party websites or information as a service to users. If you use these links, you will leave the Coralbound website. Such links do not constitute or imply an endorsement, sponsorship or recommendation by Coralbound of the third party, the third-party website or the information contained therein, and Coralbound shall not be responsible or liable for your use thereof. Such use shall be subject to the terms of use and privacy policies applicable to those sites.
18. User Forums and Public Disclosure
You should be aware that whenever you publicly disclose information online through reviews, forums, or social media interactions with Coralbound, that information could be collected and used by others. Coralbound is not responsible for any action or policies of any third parties who collect information that users publicly disclose in any such forums or platforms.
19. Business Transfers and Corporate Changes
19.1 Merger, Acquisition, or Asset Sale
Data Transfer in Business Transactions: In the event that PT Tur Tak Terkalahkan undergoes a business transition such as a merger, acquisition by another company, or sale of all or a portion of its assets, your personal data may be transferred to the successor entity as part of the transaction.
Your Rights and Protections:
- Advance notification: Minimum 30 days' notice via email and prominent website notice
- Privacy policy continuity: The acquiring entity must honor this Privacy Policy for a minimum transition period of 90 days
- Enhanced protections: If the new entity's privacy practices are materially less protective, you will have the right to request deletion of your personal data before the transfer, opt out of the data transfer (where legally permissible), and receive detailed information about the new entity's privacy practices
Due Diligence Requirements: We commit to conducting appropriate due diligence to ensure the acquiring entity maintains adequate data protection standards comparable to ours, has proper legal basis for the data transfer under applicable privacy laws, implements appropriate technical and organizational security measures, and respects all existing user consent preferences and opt-out choices.
20. Contact Information and Complaints
20.1 Privacy Contact Details
Primary Contact:
- Email: legal@coralbound.com
- Address: PT Tur Tak Terkalahkan, Jl. Sunset Road No 89, Pertokoan Sunset Indah II, Kav 3, No 3B, 80361 Kuta, Bali, Indonesia
- Business Hours: Monday-Friday, 9:00 AM - 6:00 PM WITA
Regional Contacts:
- EU Representative: [EU Representative Company], [Address], Email: coralbound@[eu-representative-domain].com
- UK Representative: [UK Representative Company], [Address], Email: coralbound@[uk-representative-domain].com
20.2 Complaint Procedures
Internal Resolution:
- Submit complaint through any contact method above
- Acknowledgment within 72 hours
- Investigation and response within 30 days
- Appeal process for unsatisfactory resolutions
External Authorities:
- EU: Your local supervisory authority
- UK: UK Information Commissioner's Office (ICO)
- California: California Attorney General
- Canada: Privacy Commissioner of Canada
- Australia: Office of the Australian Information Commissioner
20.3 Language Support and Translation Disclaimer
- Official Language: English is the official language of this Privacy Policy
- AI Translations: This policy may be translated into other languages using artificial intelligence or automated translation services for user convenience
- Translation Accuracy: While we strive for accuracy, automated translations may contain errors or inaccuracies
- Legal Precedence: In the event of any conflict, discrepancy, or difference in interpretation between the English version and any translated version of this Privacy Policy, the English version shall prevail and be considered the authoritative and legally binding document
- Human Translation: For critical legal matters, we recommend consulting the English version or seeking professional human translation services
- Translation Updates: Translated versions may not be immediately updated when the English version is revised. Always refer to the English version for the most current and accurate information
21. Policy Updates and Changes
21.1 Change Notification and Consent
By using Coralbound's services and website, you consent to the collection, use, and storage of your personal data by Coralbound in the manner described in this Privacy Policy. Coralbound reserves the right to make changes to this Privacy Policy from time to time and will alert you to any such changes by updating this Privacy Policy.
If Coralbound makes material changes that increase its rights to use personal data that Coralbound has previously collected about you, Coralbound will obtain your consent either through an email to your registered email address or by prominently posting information about the changes on coralbound.com. Any changes will only apply to information collected after the posted date of any such change.
Change Types:
- Material changes: 30-day advance notice via email and website banner with explicit consent required
- Minor updates: Website posting with last updated date
- Legal requirement changes: Immediate implementation with prompt notification
- Annual review and potential updates to maintain compliance
21.2 Continued Use Agreement
- Continued service use after notification constitutes acceptance of non-material updates
- Explicit consent required for material changes that expand data use
- Opt-out mechanisms available for users disagreeing with material changes
- Grace period for withdrawal before new terms take effect for material changes
- Clear explanation of change implications provided to users
21.3 Version Control and Historical Access
- Previous versions of this Privacy Policy archived and available upon request
- Change log documentation maintained for transparency
- Effective date tracking for all modifications
- Legal requirement change attribution and documentation
- Users may request historical versions for their records
22. Non-Agency Disclosure and Acknowledgment
As a user of Coralbound's platform and services, you are informed, understand and agree that diving operators, liveaboard vessels, hotels, resorts, and DMC partners are independent businesses that are licensed to provide services booked through Coralbound, but are not agents, employees or franchisees of Coralbound.
You are further informed, understand and agree that the business activities of these service providers are independent, and are neither owned nor operated by Coralbound. While Coralbound establishes standards for service providers on our platform and facilitates bookings, we are not responsible for, nor do we have the right to control, the day-to-day operations of these independent businesses or their staff's conduct during service delivery.
Coralbound acts as a booking platform and facilitator, connecting travelers with qualified service providers, but the actual diving, accommodation, and tour services are provided by independent third parties who maintain their own insurance, certifications, and operational standards.
This privacy policy describes Coralbound's data processing practices and your privacy rights. We process personal data in accordance with applicable privacy laws and provide transparency about our data handling practices.
Document Version: 1.0
Policy Owner: PT Tur Tak Terkalahkan Legal and Privacy Team
Next Review Date: August 14, 2026
LANGUAGE DISCLAIMER: This Privacy Policy is published in English as the official and legally binding version. Any translations of this policy into other languages (whether provided by artificial intelligence, automated translation services, or other means) are provided solely for convenience and informational purposes. In the event of any conflict, discrepancy, or difference in interpretation between the English version and any translated version, the English version shall prevail and be considered the authoritative document. Users are advised to refer to the English version for the most accurate and legally binding terms.
Translation Services: The translation of this privacy policy may be generated by an AI language model. While we strive to deliver accurate and reliable translations of our content, no automated translation is perfect and we advise you to refer to the English version which is Coralbound's official version of our privacy policy.