Privacy Policy

We collect information only when you actively provide it. We do not use tracking pixels, ad networks, or behavioral profiling.

We use the information you provide only for the following purposes:

• Booking management - to confirm, coordinate, and communicate about your tour reservation.
• Payment processing - your name and email are passed to Stripe to associate with your payment session.
• Tour logistics - arrival date, flight number, and special requests help our guides prepare for your group.
• Customer support - to respond to inquiries submitted through our contact form or by email.
• Legal compliance - to meet any obligations required under Canadian or El Salvadoran law.

We do not sell your data. We do not use your information for advertising, remarketing, or any automated decision-making.

We use a small number of third-party services to operate the site. Each has its own privacy policy.

Links to third-party privacy policies: Stripe, Supabase, Netlify, Google.

We use a minimal set of cookies required to operate the site. We do not use advertising cookies, social media tracking pixels, or third-party analytics.

• Booking records - retained as long as necessary for tour operations and legal record-keeping, typically up to 2 years after the tour date.
• Contact form submissions - retained for up to 12 months, then deleted unless ongoing correspondence requires otherwise.
• Booking completion tokens - expire 30 days after they are issued.
• Server logs - retained by Netlify per their standard retention policy (typically 30 days).

Depending on where you are located, you may have certain rights over your personal data.

• Access - you can request a copy of the personal information we hold about you.
• Correction - you can ask us to correct inaccurate information.
• Deletion - you can request that we delete your data, subject to any legal obligations we may have to retain certain records.
• Portability - you can request your data in a structured, machine-readable format.

Residents of Canada have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. Residents of the European Economic Area or the United Kingdom have rights under the GDPR and UK GDPR. El Salvadoran residents have rights under Decree No. 929 (Ley de Proteccion de Datos Personales).

To exercise any of these rights, contact us at hello@bluehorizontravel.co. We will respond within 30 days.

We take reasonable technical and organizational precautions to protect your data:

• All data is transmitted over HTTPS.
• Our database (Supabase) enforces row-level security policies so that customer records are accessible only through authenticated server-side processes.
• Payment card data never passes through our servers. Stripe is PCI DSS compliant.
• Access to booking data is restricted to authorized Blue Horizon staff through a password-protected admin dashboard.

No method of transmission or storage is 100% secure. If you believe your information has been compromised, please contact us immediately.

Our website is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has submitted information to us, please contact us and we will delete it promptly.

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of our website after changes are posted constitutes your acceptance of the revised policy.

For significant changes, we will make a reasonable effort to provide notice, such as a notice on the website homepage.

If you have questions or requests about this privacy policy or your personal data, reach us at: