Information about Privacy and Cookies
Be A Local Tourist is run by Victoria Attractions Association, our website address is: beatourist.ca . Attractions Victoria (organizer of Be a Local Tourist ) needs personal data in order to perform services for our clients and their employees. For certain services personal data is needed to perform activities, like the Contest. The purpose of this policy is to outline the approach Attractions Victoria takes towards personal data and ensuring the protection thereof. This policy describes how personal data must be collected, handled, and stored to meet Attraction Victoria’s data protection standards and any legal requirements. In the event a data protection breach should occur, part B of this policy outlines our approach and steps that will be taken to resolve the breach and prevent a breach from happening again. This policy will be reviewed annually in January of each year. The policy is written for all Attraction Victoria employees, management, service providers, contractors and third parties that have access to information of Attractions Victoria’s corporate and individual clients.
What personal data we collect and why we collect it
Upon entering into the Contest [link to terms and conditions], you are giving us permission to store your personal data such as email address, name, wristband number. We collect this data in order to allow businesses to record the number of participants, ensure validity, and to contact winners. Personal data may be shared with the business the participant has visited for marketing purposes.
We may share personal data (email address, etc) with the Be a Tourist Participating businesses or authorized third parties who may process this data for marketing and research purposes described in this Policy.
We will obtain participant consent to collect, use or disclose personal information (except where, as noted below, we are authorized to do so without consent).
Consent can be provided by entering to our contest or it can be implied where the purpose for collecting, using, or disclosing the personal information would be considered obvious and the participant voluntarily provides personal information for that purpose.
Subject to certain exceptions (for example, the personal information is necessary to provide the service or product, or the withdrawal of consent would frustrate the performance of a legal obligation), participants can withhold or withdraw their consent for Be a Local Tourist to use their personal information in certain ways. A participant’s decision to withhold or withdraw their consent to certain uses of personal information may restrict our ability to provide a particular service or product (for example, participation in the Contest). If so, we will explain the situation to assist the participant in making the decision.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and remove them, visit About Cookies.org or All About Cookies.org.
Like many site operators, we collect information that your browser sends whenever you visit our Site. This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our site that you visit, the time and date of your visit, the time spent on those pages and other statistics.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
When someone visits this website, we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone.
To opt out of being tracked by Google Analytics across all websites visit Google Tools.
We use Google Ads Remarketing to advertise our services across the Internet. AdWords remarketing will display relevant ads tailored to you based on what parts of this website you have viewed by placing a cookie on your computer. Google Ads Remarketing allows us to tailor our marketing to better suit your needs and only display ads that are relevant to you.
You may opt out of Facebook’s Custom Audience ads by visiting WebChoices: Digital Advertising Alliance’s Consumer Choice Tool for Web.
We collect personally identifiable information through forms on our website, but only if you choose to fill in your information and submit it to us. Common uses of this information include: to allow our staff to contact you to respond to your questions, to allow you to subscribe to an email newsletter, or to allow you to complete an order. The intent of each web form will be clearly labelled.
The data submitted through these web forms is stored on our web server for up to 30 days. It is also sent to our corporate email address where it may be stored indefinitely. This information will be used for customer services purposes and will not be used for marketing unless you opt-in (eg. by subscribing to a newsletter).
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
What We Collect and Store
While you visit our site, we track:
- Products you’ve viewed: we’ll use this to, for example, show you products you’ve recently viewed
- Location, IP address and browser type: we’ll use this for purposes like estimating taxes and shipping
When you purchase from us, we’ll ask you to provide information including your name, billing address, email address, phone number, credit card/payment details and optional account information like username and password. We’ll use this information for purposes, such as, to:
- Send you information about your account and order
- Respond to your requests, including refunds and complaints
- Process payments and prevent fraud
- Set up your account for our store
- Comply with any legal obligations we have, such as calculating taxes
- Improve our store offerings
- Send you marketing messages, if you choose to receive them
If you create an account, we will store your name, address, email and phone number, which will be used to populate the checkout for future orders.
We store your information only as long as we need it for the purpose it was collected, and we are no longer legally required to continue to keep it. For example, we will store order information for up to 7 years for tax and accounting purposes. This may include your name, email address and billing and shipping addresses.
We will also store comments or reviews, if you choose to leave them.
Who Has Access
Members of our team have access to the information you provide us. For example, both Administrators and Shop Managers can access:
- Order information like what was purchased, when it was purchased and where it should be sent, and
- Customer information like your name, email address, and billing and shipping information.
Our team members have access to this information to help fulfill orders, process refunds and support you.
What We Share with Others
We may share your personal data (email address, etc) with the Be a Tourist Participating businesses or authorized third parties who may process this data for marketing and research purposes described in this Policy. This may include for example, managing and analyzing consumer data, conducting research and managing marketing, and other such campaigns.
We may conduct joint marketing and other communications with our partners, for example, communicate follow-up offers or upcoming events at our participating businesses. To avoid duplicate or unnecessary communications and to tailor the message to you, we may need to match information that Be a Tourist Participating businesses have collected with information that the partner has collected where this is permitted by law. These authorized third parties are not permitted to use your personal data for any other purposes. We bind them contractually, require them to act consistently with this Policy and to use appropriate security measures to protect your personal data.
What Third Parties We Receive Data From
We will receive data from the onsite tracking software used to count attendance at each of the Be A Tourist participating members. For privacy the information will only track the anonymous unique QRcode ID number.
Payments & Billing Information
We collect your personal information during the checkout process when you make a purchase. We accept payments through Bambora. When processing payments, some of your data will be passed to Bambora, including information required to process or support the payment, such as the purchase total and billing information.
We use an email newsletter provider called MailChimp. If you opt-in to receive our newsletter, your name and email address will be shared with Mailchimp. You may unsubscribe at any time by clicking the unsubscribe link in the footer of any email newsletter we send you.
Links to External Websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
International Information Transfer and Storage
Your personal information may be transmitted and/or stored outside of Canada.
What rights you have over your data
If you have an account on this site, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. Please note that if you choose to have your personal data erased, you will not be eligible for the Contest. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where We Send/Store Your Data
All account information of members who sign up online and or purchase tickets online will be securely stored in the website database, in Google Docs and sent to MailChimp.
Embedded Content from Other Websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
How We Protect Your Information
We limit the number of people who have access to your personal information to those having a “need to know,” and ensure these people are obliged to respect your confidentiality.
We safeguard access to your digital information using strong passwords and/or encryption technology. We choose server infrastructure from providers that maintain secure, locked premises.
Upon request, we will attempt to delete all information we hold about you. In some cases, copies of deleted information may continue to exist on backup media, but will not be used unless permitted by law.
Using the Internet to collect and process personal data may involve the transmission of data internationally, and across networks not owned or operated by us. Therefore, by accessing our information and services, and/or electronically communicating with us, you acknowledge that we are not responsible for any personal information which is lost, altered, intercepted or stored by a third party without authorization.
Accounts on the beatourist.ca website will automatically be deleted after 36 months of inactivity.
Part B – Data Breach
- Data privacy breach – general
A data breach generally refers to the unauthorised access and retrieval of information that may include corporate and personal data. Managing data breaches is important to protect the personal data of our clients and their employees when a data breach occurs.
- How data breaches could occur
Data breaches can occur for different reasons. They may be caused by employees, parties external to the organisation or computer system errors. Possible ways in which a data breach may occur, and Boxx employees should be thoroughly aware of, are:
- Loss of laptop, phone, data storage devices or paper records containing client and/or personal data;
- Sending client and/or personal data to a wrong e-mail or physical address, or disclosing data to a wrong recipient;
- Unauthorised access or disclosure of client and/or personal data by employees;
- Improper disposal of client and/or personal data (e.g. hard disk, storage media or paper documents containing client and/or personal data sold or discarded before data is properly deleted);
- Hacking incidents / illegal access to databases containing client and/or personal data;
- Theft of laptop, phone, data storage devices or paper records containing client and/or personal data;
- Scams that trick organisations into releasing client and/or personal data; Computer system error:
- Errors or bugs in the programming code of websites, databases and other software which may be exploited to gain access to personal data stored on computer systems.
- Identification and classification
- Containment and recovery
III. Risk assessment
- Reporting of breach
- Evaluation of the response & recovery to prevent future breaches
I. Identification and classification
When a data breach occurs, this should be immediately reported by sending a Data Breach Incident Report to: firstname.lastname@example.org
The report should include: Details of the breach, such as: Date, Time, Who/what reported the breach; Description of the breach; Details of any systems involved: Corroborating material such as error messages, log files, etc. An account of immediate actions taken; An account of the Breach Management steps (II – V) to be taken.
II. Containment and recovery
As part of the Breach Management steps to be taken, the following measures have to be considered immediately, where applicable: Shut down the compromised system that led to the data breach; Prevent further unauthorised access to the system; Reset passwords if accounts and passwords have been compromised; Establish whether steps can be taken to recover lost data and limit any damage caused by the breach (e.g. remotely disabling a lost laptop containing personal data of clients and/or individuals); Isolate the causes of the data breach in the system, and where applicable, change the access rights to the compromised system and remove external connections to the system; Data Privacy & Breach Policy – Notify the police if criminal activity is suspected and preserve evidence for investigation (e.g. hacking, theft or unauthorised system access); Put a stop to practices that led to the data breach; Address lapses in processes that led to the data breach.
III. Risk assessment
Knowing the risks and impact of the data breach will help to determine the consequences to affected organisations and individuals, as well as the steps necessary to notify the organisations and individuals affected. For each data breach it has to be assessed: How many people were affected? Whose personal data has been breached? To whom does the personal data belong? (e.g. clients, their employees, Attractions Victoria employees, contractors, vendors or other third parties) What types of personal data were involved? Is there a risk to reputation, identity theft, safety and/or financial loss of affected organisations/individuals? How sensitive is the information? Do any additional measures have to be put in place to minimise the impact of the data breach? What caused the data breach? When and how often did the breach occur? Who might gain access to the compromised personal data? Will compromised data affect transactions with any other third parties? Who needs to be notified?
IV. Reporting of breach
Clients and/or individuals affected by the data breach should be notified.
Who to notify – We will notify organisations and/or individuals whose personal data have been compromised; We will notify other third parties such as banks, credit card companies or the police, where relevant; When to Notify – We notify affected individuals immediately if a data breach involves sensitive personal data. This allows them to take necessary actions early to avoid potential abuse of the compromised data;
Data Privacy & Breach Policy We notify affected organisations and/or individuals when the data breach is resolved;
How to Notify – We will reach out to affected organisations and/or individuals in the most effective way, taking into consideration the urgency of the situation and number of individuals affected (e.g. e-mails, telephone calls, letters); Notifications will be simple to understand, specific and provide clear instructions on what individuals can do to protect themselves;
What to Notify – How and when the data breach occurred, types of personal data involved in the data breach; What Attractions Victoria has done or will be doing in response to the risks brought about by the data breach; Specific facts on the data breach where applicable, and actions individuals can take to prevent that data from being misused or abused; Contact details and how affected individuals can reach Attractions Victoria for further information or assistance.
V. Evaluation of the response & recovery to prevent future breaches
After these steps have been taken to resolve the data breach, the cause of the breach has to be reviewed and it has to be evaluated whether existing protection and prevention measures are sufficient to prevent similar breaches from occurring. We will assess whether: Audits were regularly conducted on both physical and IT-related security measures; There are processes that can be streamlined or introduced to limit the damage if future breaches happen or to prevent a relapse; There were weaknesses in existing security measures and protection measures, or weaknesses in the use of portable storage devices or connectivity to the Internet; The methods for accessing and transmitting personal data were sufficiently secure; Support services from external parties should be enhanced, such as vendors and partners; The responsibilities of vendors and partners is clearly defined in relation to the handling of personal data; There is a need to develop new data-breach scenarios; There were enough resources to manage the data breach; Key personnel were given sufficient resources to manage the incident; Employees were aware of security related issues; Training was provided on personal data protection matters and incident management skills; Employees were informed of the data breach and the learning points from the incident; Management was involved in the management of the data breach; There was a clear line of responsibility and communication during the management of the data breach.
Questions and Complaints: The Role of the Privacy Officer or designated individual
The Privacy Officer or designated individual is responsible for ensuring Attraction’s Victoria’s compliance with this policy and the Personal Information Protection Act.
Participants should direct any complaints, concerns or questions regarding Attraction Victoria’s compliance in writing to the Privacy Officer. If the Privacy Officer is unable to resolve the concern, the participant may also write to the Information and Privacy Commissioner of British Columbia.
Contact information for Attractions Victoria’s Privacy Officer or designated individual:
Mailing address: Po BOX 39047 James Bay Postal Outlet V8V 2G0