• The mountains in Garden of the Gods park

PRIVACY POLICY

Effective Date: 08/23/2023

Privacy Policy PDF Download

Introduction

The Broadmoor Manitou and Pikes Peak Railway Company (“Cog Railway,” “us,” “our,” or “we”) is committed to respecting your privacy. This Privacy Policy (“Privacy Policy”) describes how we collect, process, and share your Personal Data (defined below). We also describe your Rights & Choices with respect to your Personal Data and other important information. Please read this Privacy Policy carefully.

Scope of this Policy

This Privacy Policy applies to Personal Data collected through our “Services”, which include:

– Our “Offline Services”- Services we provide when you visit us in person;

– Our “Digital Services” including:

– websites that link to/post this Privacy Policy, including any subdomains or mobile versions; and

– on-premise or web-enabled technologies, such as on-premise WiFi or Bluetooth beacons.

Note that certain third parties may be able to identify you across sites and services using the information they process, however, any such processing not done at the direction of Cog Railway is outside the scope of this Privacy Policy.

Contact Us/Controller

The controller of your Personal Data under this Policy is The Broadmoor Manitou and Pikes Peak Cog Railway. You may contact our Data Privacy Team as follows:

Physical Address: The Broadmoor Manitou and Pikes Peak Cog Railway, Attn: Privacy, 515 Ruxton Ave, Manitou Springs, CO 80829, United States

Data Requests: (where available under applicable law): Visit our Privacy Rights Portal, or call (866) 702-0816.

Opt-Out of Data Sales or Sharing: Visit our Privacy Choices Portal, or call (866) 702-0816.

General Inquiries, Marketing Choices, Direct Marketing Disclosure Requests, and Data Updates: [email protected]

Categories and Sources of Personal Data

The following describes how we process data relating to identified or identifiable individuals and households (“Personal Data”).

Categories of Personal Data we process

The categories of Personal Data we process may include:

Identity Data: Personal Data about your identity, such as your name, gender, date of birth, age and/or age range, public profile, and similar information from social networks

Contact Data: Personal Data that relates to how we can communicate with you, such as email address, physical address, phone number, or social media or communications platform username, as well as a name or other salutation.

General Location Data: Non-precise location data such as location data obtained from your IP address, social media tags/posts, dates and times of your visit and which properties or locations you visited.

Device/Network Data: Browsing history, search history, and information regarding your interaction with a web site, application, or advertisement (e.g. IP Address, MAC Address, SSIDs or other device identifiers or persistent identifiers), online user ID, device characteristics (such as browser/OS version), web server logs, application logs, browsing data, first party cookies, third party cookies, web beacons, clear gifs and pixel tags.

Transaction Data: Information about the Services we provide to you and about transactions you make with us or other companies operating on our behalf, information relating to events and services at our properties and locations, information about purchases, what has been provided to you, when and where and, if applicable, how much you paid, and similar information.

Inference Data: Personal Data used to create a profile about you reflecting your preferences, characteristics, behavior, market segments, likes, favorites and other data or analytics provided about you or your account by social media companies or data aggregators, including household data, and your interests.

Audio/Visual Data: Recordings and images collected from our surveillance cameras when you visit our properties and locations and areas adjacent to them, as well as audio files and records, such as voicemails, call recordings, and the like.

User Content: Unstructured/free-form data that may include any category of Personal Data, e.g. data that you give us in free text fields such as comment boxes, answers you provide when you participate in sweepstakes, contests, and surveys, including any other Personal Data which you may provide through or in connection with our Services.

Sensitive Personal Data: Personal Data deemed “sensitive” under California or other laws, such as social security, driver’s license, state identification card, or passport number; account log-in and password, financial account, debit card, or credit card number; precise location data; racial or ethnic origin, etc. We collect the following categories of Sensitive Personal Data:

– Account Login Data, including your username and password, or other account-related information.
– Government ID Data: Information relating to official government identification, such as driver’s license or passport numbers.
– Payment Data: Information such as bank account details or payment card information.
– Health Data: Information about your health (for example when we are responding to an accident or other health-related incident).

Sources of Personal Data

We collect Personal Data from various sources, which include:

Data you provide us: We will receive Personal Data you provide to us, such as when you book tickets, purchase our products, complete another transaction via our Services, or when you otherwise use our Services.

Data we collect automatically: We collect Personal Data about or generated by any device you have used to access our Services, or when you use Wi-Fi at our properties.

Data we receive from service providers & Agents: We may receive Personal Data from on-line booking sites who transfer Personal Data to us when you book our Services through them, and other service providers performing services on our behalf.

Data we receive from aggregators and advertisers: We receive Personal Data from ad networks, behavioral advertising vendors, market research, and social media companies or similar companies that provide us with additional Personal Data such as Inference Data.

Data we receive from social media companies: We receive Personal Data from social media companies who may transfer Personal Data to us when you interact with that social media company in connection with our Services.

Data we create and infer: We, certain partners, social media companies, and third parties operating on our behalf create and infer Personal Data such as Inference Data or Aggregate Data based on our observations or analysis of other Personal Data processed under this Policy, and we may correlate this data with other data we process about you. We may combine any Personal Data about you that we receive from you, from other companies within our family of companies, and from third parties.

Data Processing Contexts / Notice at Collection

Note: please click the following links to view information on Data Retention or Regional Data Rights for any of the processing contexts listed below.

Purchase, or other Transaction

We generally process Identity Data, Transaction Data, Payment Data, and Contact Data when you make a reservation or engage in a purchase and sale transaction, whether through our Digital Services, over the phone, or in person. In addition, we may also collect or create Device/Network Data and Inference Data. Our online ticket purchase functionality is managed by a third party service provider, which shares your Identity Data, Contact Data and Transaction Data with us so that we can reserve your scheduled time.  We process this Personal Data as necessary to perform or initiate a transaction with you, process your order, to carry out fulfillment-related processing, and for our Business Purposes. We may process Identity Data, Transaction Data, Contact Data, and Device/Network Data for Commercial Purposes (which may include data sales/sharing). We do not sell or “share” Payment Data or use it for Business Purposes not permitted under applicable law.  We will use your mobile phone number (if you provide it to us) or your email address if you do not provide a mobile number, to provide you with important updates about your reservation, such as if your train will be delayed due to weather, if the parking lot is full, or other information we believe you will need to know related to your trip.

Visiting our Properties

General

We generally process Identity Data, Transaction Data, Payment Data, and Contact Data when you interact with us Offline. Additionally, when you use on-premise Digital Services, we will collect Device/Network Data (see below for additional information regarding our Digital Services). In addition, we may process this data in combination with Inference Data and General Location Data that we collect and/or create as necessary in connection with verifying your identity for authentication and security purposes, preventing fraud, returning lost property to its owner, and our Business Purposes. We may also use Identity Data, Transaction Data, and Contact Data collected in this context for Commercial Purposes Commercial Purposes (which may include data sales/sharing).  We do not sell or “share” Payment Data or Health Data.

We may sometimes collect Health Data, which is generally used so that we can tailor our Services to you (for example, ensuring wheelchair access or allowing you to bring a service animal on board) or in connection with our response to health-related incidents at our properties. We will process this information only with appropriate consent where required by law.

Webcams and Closed Circuit Television (CCTV)

We may operate webcams on our properties, and we may display images from those webcams on our Digital Services in order to provide potential visitors with information about weather conditions, and the experience they will have when they visit us.  We also operate CCTV or security cameras on and adjacent to our properties. In connection with these systems, we may collect and/or create Audio/Visual Data as necessary in connection with certain legitimate business interests, such as:

– preventing and detecting crime and to keep people who visit and work at our locations safe and secure;

– recording and investigating health and safety and other incidents which have happened or may have happened at our properties;

– counting the numbers of people who visit our properties and to analyze flows of people around the properties for safety and commercial purposes using software which analyzes CCTV camera images;

– creating aggregate data; and

– other Business Purposes.

Digital Services

General

We may collect and process Device/Network Data, Contact Data, Identity Data, General Location Data, and Inference Data when you use our Digital Services. We use this data as necessary in connection with our Business Purposes, and our other legitimate interests, such as:

– fulfilling your requests for certain features or functions through our Services, such as keeping you logged in, delivering pages, etc.;

– ensuring the security of our websites and other technology systems; and

– analyzing the use of our Services, including navigation patterns, clicks, etc. to help understand and make improvements to the Services.

We may also process Identity Data, Contact Data, and User Content if you interact with or identify us on social media platforms.

We may process Identity Data, Device/Network Data, General Location Data, Inference Data, and Contact Data collected in this context for Commercial Purposes (which may include data sales/sharing).

Cookies and other tracking technologies

We use cookies and similar technologies on our Digital Services. These technologies can be used to process Identity Data, Device/Network Data, Contact Data, or Inference Data. Third parties may be allowed to view, edit, or set their own cookies or place web beacons on our website. Cookies and web beacons allow us and third parties to distinguish you from other users of our website, and some of these technologies can be used by us and/or our third party partners to identify you across platforms, devices, sites, and services. Third parties may engage in targeted advertising using this data.

We and authorized third parties may use cookies and similar technologies for the following purposes:

– for “essential” or “functional” purposes, such as to enable certain features of our Digital Services (for example, to allow a customer to maintain a “shopping cart” when they are making a purchase at an online store);

– for “analytics” purposes, such as to analyze the traffic to and usage of our Digital Services (for example, how many people have looked at a page, how visitors move around our website, what website they visited prior to visiting our website, and use this information to understand user behaviors and improve the design and functionality of the website);

– for “retargeting” or similar advertising or commercial purposes, such as:

– for social media integration e.g. via third-party social media cookies, or when you share information using a social media sharing button or “like” button on our Services or you link your account or engage with our content on or through a social networking website such as Facebook or Twitter;

– to collect information about your preferences and demographics to help target advertisements which are more likely to be of interest to you using behavioral advertising; and

– to allow us to carry out retargeting (this includes, for example, when advertisements are presented to you for products or services which you have previously looked at on a website but have not purchased).

The use of these technologies by third parties may be subject to their own privacy policies and is not covered by this Privacy Policy, except as required by law.

We may also use your Identity Data, Device/Network Data, Inference Data, and Contact Data collected in this context for Business Purposes and Commercial Purposes (which may include data sales/sharing). See your Rights & Choices for information regarding opt-out rights for cookies and similar technologies.

Service or Marketing Communications

We process Device/Network Data, Contact Data, Identity Data, and Inference Data in connection with emails or SMS communications regarding your upcoming visit (e.g. weather issues), marketing emails, telemarketing, or similar communications, and when you open or interact with those communications. You may receive service communications when you make a reservation with us, and you may receive marketing communications if you consent and, in some jurisdictions, as a result of account registration or a purchase.

We process this Personal Data to contact you about relevant products or services and for our Business Purposes. We may also use this data for our Commercial Purposes (which may include data sales/sharing). Marketing communications may also be personalized as permitted by applicable law. See your Rights & Choices to limit or opt out of this processing.

Contests and Promotions

We may collect and process Identity Data, Preference Data, certain Contact Data, and User Content when you enter a contest/sweepstakes or take part in a promotion.

We process this Personal Data as necessary to provide the contest/promotion, notify you if you have won, or to process delivery of a prize, for our Business Purposes, and other legitimate interests, such as:

– verifying your identity for authentication, anti-fraud, and security purposes (in which case we may process Government ID Data to complete verification);

– to improve our Services and to create a personalized user experience; and

– to contact you about relevant products or services, and in connection with marketing communications and Targeted Advertising.

We may process Identity Data, Contact Data, and User Content information for our Commercial Purposes (which may include data sales/sharing).

Some programs and offers are operated/controlled by our third-party partners or their affiliates or partners. We may receive this data from third parties to the extent allowed by the applicable partner; otherwise, this Privacy Policy will not apply to data processed by third parties.

Your Personal Data may be public. If you win a contest/sweepstakes, we may publicly post some of your data. We do not post Personal Information without consent where required by law. See any program agreement(s) for additional details and terms.

Contact Us; Support

We collect and process Identity Data, Contact Data, and User Content when you contact us, e.g., through a contact us form, or for support. If you call us via phone, we may collect Audio/Visual data from the call recording.

We process this Personal Data to respond to your request, and communicate with you, as appropriate, and for our Business Purposes. If you consent or if permitted by law, we may use Identity Data and Contact Data to send you marketing communications and for our Commercial Purposes (which may include data sales/sharing). We may also share Personal Data collected in connection with a support request with our Service Providers.

Feedback and Surveys

We process Identity Data, Contact Data, Inference Data, Preference Data, and User Content collected in connection with feedback you provide to us, surveys or questionnaires. We process this Personal Data as necessary to respond to your requests/concerns, for our Business Purposes, and other legitimate interests, such as analyzing customer satisfaction. We may process this Personal Data for our Commercial Purposes (which may include data sales/sharing). We may share Feedback/Survey data relating to third party partners with those partners, who may use it for their own purposes.

Processing Purposes

Business Purposes:

We and our Service Providers process Personal Data we hold for numerous business purposes, depending on the context of collection, your Rights & Choices, and our legitimate interests. We generally process Personal Data for the following “Business Purposes.”

Service Delivery

We process any Personal Data as is necessary to provide our Service, to provide you with the products and services you purchase or request, to authenticate users and their rights to access the Service, or various data, features, or functionality, and as otherwise necessary to fulfill our contractual obligations to you, and provide you with the information, features, and services you request. Additionally, we use information to authenticate your right to access our properties and locations, deliver products and services, and for other related matters. Similarly, we may use Personal Data as necessary to audit compliance, and log or measure aspects of service delivery.

Internal Processing and Service Improvement

We may use any Personal Data we process through our Services as necessary in connection with our legitimate business interests in improving the design of our Service, understanding how our Services are used or function, for customer service purposes, in connection with logs and metadata relating to service use, and for debugging and similar purposes relating to our identification of errors and improving the stability of the Service. Additionally, we may use Personal Data to understand what parts of our Service are most relevant to Users, how Users interact with various aspects of our Service, how our Service performs or fails to perform, etc., or we may analyze use of the Service to determine if there are specific activities that might indicate an information security risk to the Service or our Users.

Security and Incident Detection

Whether online or off, we work to ensure that our Services are secure. We may process any Personal Data we collect in connection with our legitimate business interest in ensuring that our properties and locations are secure, identify and prevent crime, prevent fraud, and ensure the safety of our guests. Similarly, we process Personal Data on our Digital Services as necessary to detect security incidents, protect against, and respond to malicious, deceptive, fraudulent, or illegal activity. We may analyze network traffic, device patterns and characteristics, maintain and analyze logs and process similar Personal Data in connection with our information security activities.

Compliance, health, safety, public interest

We may also process any Personal Data as necessary to comply with our legal obligations, such as where you exercise your rights under data protection law and make requests, for the establishment and defense of legal claims, or where we must comply with our legal obligations, lawful requests from government or law enforcement officials, and as may be required to meet national security or law enforcement requirements or prevent illegal activity. We may also process data to protect the vital interests of individuals, or on certain public interest grounds, each to the extent allowed under applicable law. Please see the data sharing section for more information about how we disclose Personal Data in extraordinary circumstances.

Aggregated Data

We process Personal Data about our customers and users in order to identify trends (to create aggregated and anonymized data about our customers/users, buying and spending habits, use of our Services, and other similar information (“Aggregated Data”). We may pass Aggregated Data to certain third parties to give them a better understanding of our business and to improve our Services. Aggregated Data will not contain information from which you may be personally identified.

Personalization

We process certain Personal Data in connection with our legitimate business interest in personalizing our Services. For example, aspects of the Digital Services may be customized to you based on your interactions with our Digital Services and other content. This processing may involve the creation and use of Inference Data relating to your preferences.

Other Business Purposes

If we process Personal Data in connection with our Service in a way not described in this Privacy Policy, this Privacy Policy will still apply generally (e.g. with respect to your Rights & Choices) unless otherwise stated at collection. We will process such information in accordance with the notice provided at the time of collection or in a manner that is necessary and proportionate to achieve the purpose for which the Personal Data was collected, or for another purpose that is compatible with the context in which the Personal Data was collected.

Commercial Purposes

We and certain third parties process Personal Data we hold for certain commercial purposes, depending on the context of collection and your Rights & Choices, including:

Profiles

In order to understand our customers’ preferences, and better recommend products and services to our prior customers, we may create a “Profile” by linking together and analyzing Personal Data collected in the following contexts:

– Reservations, Purchases or other Transactions

– Visiting our Properties

– Using Digital Services

– Contests and Promotions

– Contact Us; Support

– Feedback and Surveys

We may also augment Profiles with Personal Data that we create (such as Inference Data) or that we receive from our affiliates or third parties, and may include Personal Data such as Services you have used or purchased, information about when you have visited our properties and what activities you participated in, and demographic data.

We use Profiles for our legitimate interests in market research and statistical analysis in connection with the improvement of our Services. For example, we may analyze the Personal Data of people who have made a reservation for a particular Service in the past and compare them with other people in our database. If we identify people in the database who have similar Personal Data to the previous guests, we may then target marketing via emails to the new people. We may conduct the profiling and send these emails automatically. We may also use this information for other Commercial Purposes.

Personalized Marketing Communications

We may personalize Marketing Communications based on your Profile. If consent to Consumer Profiling or Targeted Advertising is required by law, we will seek your consent.

Targeted Advertising

We, and certain third parties operating on or through our Services, may engage in targeted advertising. This form of advertising includes various parties and services providers, including third party data controllers, engaged in the processing of Personal Data in connection with advertising. These parties may be able to identify you across sites, devices, and over time.

The parties that control the processing of Personal Data for Targeted Advertising purposes may create or leverage information derived from Personalization, Profiles, and Marketing Communications. In some cases, these parties may also develop and assess aspects of a Profile about you to determine whether you are a type of person a company wants to advertise to, and determine whether and how ads you see are effective. These third parties may augment your profile with demographic and other Preference Data, and may track whether you view, interact with, or how often you have seen an ad, or whether you purchased advertised goods or services.

We generally use Targeted Advertising for the purpose of marketing our Services and third-party goods and services, and to send marketing communications, including by creating custom marketing audiences on third-party websites or social media platforms.

Data Sales and “Sharing”

We may engage in “sales” or “sharing” of data as defined by applicable law. For example, we may “sell” certain Personal Data when we engage in marketing campaigns with or on behalf of sponsors, conduct Targeted Advertising, or we may sell, “share” for behavioral advertising purposes, or grant access to Personal Data to our marketing partners, and other advertisers in relation to Targeted Advertising as described below, joint promotions, and other marketing initiatives. See the California Rights & Disclosures section for a list of categories of Personal Data sold or shared.

Disclosure/Sharing of Personal Data

Affiliates

We may disclose your Personal Data to any of our current or future affiliated entities, subsidiaries, and parent companies in order to streamline certain business operations, and in support of our Business Purposes, and Commercial Purposes.

Service Providers

We may exchange your Personal Data with service providers who provide certain services or process data on our behalf in connection with our general business operations, product/service fulfillment and improvements, to enable certain features, and in connection with our (or our Service Providers’) Business Purposes.

Successors

Your Personal Data may be shared if we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.

Lawful Recipients

In limited circumstances, we may, without notice or your consent, access and disclose your Personal Data, any communications sent or received by you, and any other information that we may have about you to the extent we believe such disclosure is legally required, to prevent or respond to a crime, to investigate violations of our Terms of Use, or in the vital interests of us or any person. Note, these disclosures may be made to governments that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties.

Sponsors, Advertisers, and Social Media Platforms

We may exchange certain Personal Data with social media platforms, advertisers, ad exchanges, data management platforms, or sponsors in support of our Business Purposes and Commercial Purposes. We may allow these third parties to operate through our Services.

Data Aggregators

We may exchange Personal Data with data aggregators in support of our Commercial Purposes and in connection with Data Sales. These disclosures/sales can help better personalize our Services, the services of third parties, enrich Profiles, and help ensure that you see advertisements that are more relevant to your interests.

Your Rights & Choices

You may have certain rights and choices regarding the Personal Data we process. Please note, these rights may vary based on the country or state where you reside, and our obligations under applicable law. See the following sections for more information regarding your rights/choices in specific regions:

– US States – California, Colorado and Others

– EEA/UK/Switzerland and certain other countries

Your Rights

You may have certain rights and choices regarding the Personal Data we process. See the “Regional Supplement” section below for rights available to you in your jurisdiction. To submit a request, contact our Data Privacy Team. We verify your identity in connection with most requests, as described below.

Verification of Rights Requests

If you submit a request, we typically must verify your identity to ensure that you have the right to make that request, reduce fraud, and to ensure the security of Personal Data. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.

We may require that you match personal information we have on file in order to adequately verify your identity. If you have an account, we may require that you log into the account to submit the request as part of the verification process. We may not grant access to certain Personal Data to you if prohibited by law.

Your Choices

Reservation Alerts

We will send you important alerts related to your reservation and other details to help make your visit more enjoyable.  For example, we will send updates related to the availability of parking, information on weather conditions impacting our Services, or other details you may need to know in order to ensure you arrive on time or if your reservation must be rescheduled or cancelled. You have a choice regarding whether to receive these communications by text message or email when you make a reservation on our Service.  If you need to change your method of communication, please email [email protected].

Marketing Communications

You can withdraw your consent to receive marketing communications by clicking on the unsubscribe link in an email. You can also withdraw your consent to receive marketing communications or any other consent you have previously provided to us by contacting us. To opt-out of the collection of information relating to email opens, configure your email so that it does not load images in our emails.

Withdrawing Your Consent/Opt-Out

Where we are processing your Personal Data based on your consent, you may change your mind and withdraw your consent at any time. The consequence of you withdrawing consent might be that we cannot perform certain services for you, such as personalization or providing certain types of advertising, or other services conditioned on your consent or choice not to opt-out.

Location Data

You may control or limit Location Data that we collect through our Services by changing your preferences in your device’s location services preferences menu, or through your choices regarding the use of Bluetooth, WiFi, and other network interfaces you may use to interact with our Services.

Cookies, Similar Technologies, and Targeted Advertising

General – If you do not want information collected through the use of cookies, you can manage/deny cookies (and certain technologies) using your browser’s settings menu. You may need to opt out of third -party services directly via the third party. For example, to opt-out of Google’s analytic and marketing services, visit Google Analytics Terms of Use, the Google Policy, or Google Analytics Opt-out.

Targeted Advertising – You may opt out or withdraw your consent to Targeted Advertising (including “sharing” for cross-context behavioral advertising) by visiting Your Privacy Choices. In some cases, you may be able to opt-out by submitting requests to third party partners, including for the vendors listed below:

– Google Ads

– Facebook Custom Audience Pixel

– Twitter Audience Pixel

– Digital Advertising Alliance’s opt-out

– Network Advertising Initiative opt-out

Do-Not-Track – Our Services do not respond to your browser’s do-not-track request.

Data Security

We implement and maintain commercially reasonable security measures to secure your Personal Data from unauthorized processing. While we endeavor to protect our Services and your Personal Data from unauthorized access, use, modification and disclosure, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others.

Data Retention

We retain Personal Data for so long as it is reasonably necessary to achieve the relevant processing purposes described in this Privacy Policy, or for so long as is required by law. What is necessary may vary depending on the context and purpose of processing. We generally consider the following factors when we determine how long to retain data (without limitation):

– Retention periods established under applicable law;

– Industry best practices;

– Whether the purpose of processing is reasonably likely to justify further processing;

– Risks to individual privacy in continued processing;

– Applicable data protection impact assessments;

– IT systems design considerations/limitations; and

– The costs associated with continued processing, retention, and deletion.

We will review retention periods periodically and may pseudonymize or anonymize data held for longer periods.

Minors

Our Services are neither directed at nor intended for use by persons under the age of majority.  It is our intent that any data regarding minors is provided to us by the parent or guardian of the minor (for example, a child’s parent or guardian would purchase a Ticket for a child).  If you have reason to believe that your child has provided information to us directly, please inform us of this, and we will promptly delete such Personal Data if requested by you, or if required by law. Do not access or use the Digital Services if you are not of the age of majority in your jurisdiction unless you have the consent of your parent or guardian.

Changes to Our Privacy Policy

We may change this Privacy Policy from time to time. Changes will be posted on this page with the effective date. Please visit this page regularly so that you are aware of our latest updates. Your use of the Digital Service following notice of any changes indicates acceptance of any changes.

Regional Supplement

US States (California, Colorado, others with comprehensive privacy laws)

Privacy Rights & Choices

Under the California Consumer Privacy Act (“CCPA”), the Colorado Privacy Act, and other state privacy laws, residents of certain US states may have the following rights, subject to regional requirements, exceptions, and limitations.

Confirm – Right to confirm whether we process your Personal Data.

Access/Know – Right to request any of following: (1) the categories of Personal Data we have collected, sold/shared, or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the purposes for which we collected or sold/shared your Personal Data; (4) the categories of third parties to whom we have sold/shared your Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.

Portability – Right to request that we provide certain Personal Data in a common, portable format.

Deletion – Right to delete certain Personal Data that we hold about you.

Correction – Right to correct certain Personal Data that we hold about you.

Opt-Out (Sales, Sharing, Targeted Advertising, Profiling) – Right to opt-out of the following:

– If we engage in sales of data (as defined by applicable law), you may direct us to stop selling Personal Data.

– If we engage in Targeted Advertising (aka “sharing” of Personal Data or cross-context behavioral advertising) you may opt-out of such processing.

– If we engage in certain forms of “profiling” (e.g. profiling that has legal or similarly significant effects), you may opt-out of such processing. Please note: we do not currently engage in this type of profiling.

Non-Discrimination – You have the right to not to receive discriminatory treatment as a result of your exercise of rights conferred by the CCPA and certain other state laws.

List of Direct Marketers – California residents may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year.

Submission of Requests

You may submit requests as follows. If you have any questions or wish to appeal any refusal to take action in response to a rights request, contact us at [email protected]. We will respond to any request to appeal within the period required by law.

Access/Know, Confirm Processing, Portability, Deletion, and Correction

– Visit our Privacy Rights Portal, or call (866) 702-0816. You will be directed to leave a voicemail where you will provide your email address, phone number and address we have on file, along with your request.

– You may send mail to our Contact Us address above with your email address, phone number and address we have on file, along with your request.

Opt-Out of Sales, Sharing, Targeted Advertising or Profiling

– Visit our Privacy Choices Portal, or call (866) 702-0816. You will be directed to leave a voicemail where you will provide your email address, phone number or address, along with your request.

– You may send mail to our Contact Us address above with your email address, phone number or address on file, along with your request.

List of Direct Marketers; Revoke Consent Previously Granted; Other Requests or Inquiries

– Contact us via email to our privacy team at [email protected].

Categories of Personal Data Disclosed for Business Purposes

For purposes of the CCPA, we have disclosed to Service Providers for “business purposes” in the preceding 12 months the following categories of Personal Data, to the following categories of recipients:

We have disclosed the categories of Identity Data, Contact Data, General Location Data, Device/Network Data, Transaction Data, Inference Data, and User Content to the following categories of recipients:  Service Providers; Affiliates; Sponsors, Advertisers, and Social Media Platforms; Data Aggregators; Successors; and Lawful Recipients.

We have disclosed the categories of Payment Data and Audio/Visual Data to the following categories of recipients:  Service Providers; Affiliates; Successors; and Lawful Recipients.

Categories of Personal Data Sold, Shared, or Disclosed for Commercial Purposes

For purposes of the CCPA, we have “sold” or “shared” in the preceding 12 months the following categories of Personal Data in the, to the following categories of recipients:

– We have disclosed the categories of Identity Data, Contact Data, General Location Data, Device/Network Data, Transaction Data, Inference Data, and User Content to the following categories of recipients: Affiliates; Partners; Sponsors, Advertisers, and Social Media Platforms; Data Aggregators.

Categories of Sensitive Personal Data Used or Disclosed

For purposes of CCPA, we may use or disclose the following categories of Sensitive Personal Data: Account Log-in Data; Government ID Data; Payment Data; and Health Data. However, we do not sell or share Sensitive Personal Data, or use it for purposes other than those listed in CCPA section 7027(m).

EEA/UK/Switzerland (and certain other countries)

Controller

The controller of Personal Data is: The Broadmoor Manitou and Pikes Peak Railway Company.

Rights & Choices

Residents of the EEA, UK, Switzerland, and certain other countries have the following rights. Please our review verification requirements. Applicable law may provide exceptions and limitations to all rights.

Access – You may have a right to access the Personal Data we process.

Rectification – You may correct any Personal Data that you believe is inaccurate.

Deletion – You may request that we delete your Personal Data. We may delete your data entirely, or we may anonymize or aggregate your information such that it no longer reasonably identifies you.

Data Export – You may request that we send you a copy of your Personal Data in a common portable format of our choice.

Restriction – You may request that we restrict the processing of personal data to what is necessary for a lawful basis.

Objection – You may have the right under applicable law to object to any processing of Personal Data based on our legitimate interests. We may not cease, or limit processing based solely on that objection, and we may continue processing where our interests in processing are appropriately balanced against individuals’ privacy interests. In addition to the general objection right, you may have the right to object to processing:

– for Profiling purposes.

– for direct marketing purposes (we will cease processing upon your objection); and

– involving automated decision-making with legal or similarly significant effects (if any).

Regulator Contact – You have the right to file a complaint with regulators about our processing of Personal Data. To do so, please contact your local data protection or consumer protection authority.

Submission of Requests: Please send all international data requests and privacy questions to [email protected].

Lawful Basis for Processing

We process Personal Data pursuant to the following legal bases:

Performance of a contract: The processing of your Personal Data is strictly necessary in the context in which it was provided, e.g., to perform an agreement you have with us, to provide products and services to you, to open and maintain your user accounts, or to process requests.

– This legal basis is applicable in the following contexts and for the following purposes, as described above (excluding Sensitive Personal Data): Purchases or other Transactions, Visiting our Properties, Digital Services (including Cookies and other tracking technologies – strictly necessary, and Service Delivery.

– Disclosures under this legal basis include: Public Disclosure, Service Providers.

Legitimate interests: This processing is based on our legitimate interests. For example, we rely on our legitimate interests to administer, analyze and improve our Services, to operate our business including through the use of service providers and subcontractors, to send you notifications about our Services, for archiving, recordkeeping, statistical and analytical purposes, and to use your Personal Data for administrative, fraud detection, audit, training, security, or legal purposes.

– This legal basis is applicable in the following contexts and for the following purposes, as described above (excluding Sensitive Personal Data): Internal Processing and Service Improvement, Security and Incident Detection, Contextual Advertising, Personalization, Aggregated Data, Profiles, Personalized Marketing Communications.

– Disclosures under this legal basis include: Affiliates, Service Providers, Sponsors, Advertisers, and Social Media Platforms, Data Aggregators, Successors.

Consent: This processing is based on your consent. You are free to withdraw any consent you may have provided, at any time, subject to your rights/choices, and any right to continue processing on alternative or additional legal bases. Withdrawal of consent does not affect the lawfulness of processing undertaken prior to withdrawal.

– This legal basis is applicable in the following contexts and for the following purposes, as described above: Cookies and other tracking technologies (except strictly necessary), Processing of Sensitive Personal Data, Marketing Communications, Targeted Advertising, Data Sales.

– Disclosures under this legal basis include: Sponsors, Advertisers, and Social Media Platforms.

Compliance with legal obligations: This processing is based on our need to comply with legal obligations. We may use your Personal Data to comply with legal obligations to which we are subject, including to comply with legal process.

– This legal basis is applicable in the following contexts and for the following purposes, as described above: Compliance, Health, Safety, Public Interest.

– Disclosures under this legal basis include: Lawful Recipients

Performance of a task carried out in the public interest: This processing is based on our need to protect recognized public interests. We may use your Personal Data to perform a task in the public interest or that is in the vital interests of an individual.

– This legal basis is applicable in the following contexts and for the following purposes, as described above: Compliance, Health, Safety, Public Interest.

– Disclosures under this legal basis include: Lawful Recipients.

International Transfers

We process data in the United States, and other countries where our sub processors are located. In cases where we transfer Personal Data to jurisdiction that have not been determined to provide “adequate” protections by your home jurisdiction, we will put in place appropriate safeguards to ensure that your Personal Data are properly protected and processed only in accordance with applicable law. Those safeguards may include the use of EU standard contractual clauses, reliance on the recipient’s Binding Corporate Rules program, or requiring the recipient to certify to a recognized adequacy framework. You can obtain more information about transfer measures we use for specific transfers by contacting us using the information above.