Effective April 2, 2021
SCOPE OF THIS POLICY
– Our “Offline Services”- Services you use when you visit us in person;
– Our “Digital Services” including:
– on-premise or web-enabled technologies, such as on-premise WiFi or Bluetooth beacons.
HOW TO CONTACT US
The Cog Railway
515 Ruxton Ave.
Manitou Springs, CO 80829
Email (general inquiries, data rights, etc.): [email protected]
CATEGORIES AND SOURCES OF PERSONAL DATA
The following describes how we process data relating to identified or identifiable individuals (“Personal Data”), including the categories of Personal Data, its sources, and the purposes for which we process that data.
The categories of Personal Data we process
The categories of Personal Data we collect and use include (these are examples may be subject to change):
Information such as your name; address; email address; telephone number; age and/or age range; information you provide in connection with your application to be an employee, vendor, or otherwise join or support our team; and your identity, public profile, and similar information from social networks such as Facebook.
Identity Data that relates to information about how we can communicate with you, such as email, phone numbers, physical addresses, social media handles, and information you provide to us when you contact us by email or when you communicate with us via social media.
Information about your location, including “precise location data” (data from GPS, Wi-Fi triangulation, and similar) and “general location” (social media tags/posts, dates and times of your visit).
Browsing history, search history, and information regarding your interaction with a web site or advertisement (e.g. IP Address, MAC Address, SSIDs or other device identifiers or persistent identifiers), online user ID, device characteristics (such as browser/OS version), web server logs, application logs, browsing data, first party cookies, third party cookies, web beacons, clear gifs and pixel tags.
Information about the Services we provide to you and about reservations and transactions you make with us or other companies operating through us or on our behalf (including travel agents), information about your reservation and other purchases, what has been provided to you, how much you paid, and similar information.
Personal Data used to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes, market segments, likes, favorites and other data or analytics provided about you or your account by social media companies or data aggregators, including household data, the products and services you use or intend to use or purchase, and your interests.
Information such as payment card information, including similar data.
Recordings and images collected from our webcams or surveillance cameras when you visit our properties and areas adjacent to them, as well as audio files and records, such as voice mails, call recordings, and the like.
Information about your health (for example when you make a reservation requiring wheelchair access, when you request accommodation for a service animal, or when we are responding to an accident or other health-related incident). We may also collect information about vaccinations, temperatures, or similar public health information that may reveal information about your health.
Unstructured/free-form data that may include any category of Personal Data, e.g. data that you give us in free text fields such as comment boxes, answers you provide when you participate in sweepstakes, contests, and surveys, including any other Personal Data which you may provide through or in connection with our Services.
Sources of Personal Data
We collect Personal Data from various sources, which vary depending on the context in which we process that Personal Data:
Data you provide us
We will receive Personal Data you provide to us, such as when you make a reservation with us, purchase our products or services, complete a transaction via our Services, or when you otherwise use our Services.
Data we collect automatically
We collect Personal Data about or generated by any device you have used to access our Services, or when you use Wi-Fi at our properties, and via cameras at our properties.
Data we receive from service providers & agents
We receive Personal Data from travel agents or others who transfer Personal Data to us when you book reservations for our Services through them, and other service providers performing services on our behalf.
Data we receive from aggregators and advertisers
We receive Personal Data from ad networks, behavioral advertising vendors, market research, and social media companies or similar companies that provide us with additional Personal Data such as Inference Data.
Data we receive from social media companies
We receive Personal Data from Facebook and other social media companies who may transfer Personal Data to us when you interact with that social media company in connection with our Services.
Data we create and infer
We, certain partners, social media companies, and third parties operating on our behalf create and infer Personal Data such as Inference Data or Aggregate Data based on our observations or analysis of other Personal Data processed under this Policy, and we may correlate this data with other data we process about you. We may combine any Personal Data about you that we receive from you, from other companies within our family of companies, and from third parties.
HOW WE PROCESS PERSONAL DATA
When you use our Services, we process your Personal Data in specific contexts and for certain specified purposes, as well as for our general Business Purposes and, in some cases, for Commercial Purposes, both as described below.
How we Collect and Use Personal Data
We collect and process Personal Data in several contexts when you use our Services, including:
When you make a reservation, purchase or other transaction
We generally process Identity Data, Financial Data, Commercial Data and Contact Data when you make a reservation or engage in a purchase and sale transaction, whether through our Digital Services, over the phone, or in person. We process this Personal Data as necessary to perform or initiate a contract with you, process your order, and carry out fulfillment-related processing. In addition, we may also collect or create Device/Network Data and Inference Data. This data, together with other data we collect in this context is used in connection with legitimate business interests, such as ensuring the security of our Services, preventing fraud, providing information about our Services, contacting you about administrative matters, and responding to queries, complaints, or correspondence you send us. We may also use this Identity Data, Commercial Data, Contact Data, and Device/Network Data collected in this context for our Commercial Purposes. We will use your mobile phone number (if you provide it to us) or your email address if you do not provide a mobile number, to provide you with important updates about your reservation, such as if your train will be delayed due to weather, if the parking lot is full, or other information we believe you will need to know related to your trip.
When you visit our properties or participate in activities we provide
We generally process Identity Data, Commercial Data, Financial Data, and Contact Data when you interact with us Offline. Additionally, when you use on-premise Digital Services, we will collect Device/Network Data (see below for additional information regarding our Digital Services). In addition, we may process this data in combination with Inference Data and Location Data that we collect and/or create as necessary in connection with certain legitimate business interests in verifying your identity for authentication and security purposes, preventing fraud, and returning lost property to its owner. We may also use Identity Data, Commercial Data, and Contact Data collected in this context for Commercial Purposes.
We may sometimes collect Health Data, which is generally used so that we can tailor our Services to you (for example, ensuring wheelchair access or allowing you to bring a service animal on board) or in connection with our response to health-related incidents at our properties. We will process this information only with appropriate consent where required by law. We may also collect Health Data as we may deem necessary in the public interest, e.g. in the event of a pandemic.
Webcams and Closed Circuit Television (CCTV)
We may operate webcams on our properties, and we display images from those webcams on our Site in order to provide potential visitors with information about weather conditions at the Pikes Peak summit, and the experience they will have when they visit us. We also operate CCTV or security cameras on and adjacent to our properties. In connection with these systems, we may collect and/or create Audio/Visual Data as necessary in connection with certain legitimate business interests, such as:
– preventing and detecting crime and to keep people who visit and work at our locations safe and secure;
– recording and investigating health and safety and other incidents which have happened or may have happened at our properties;
– counting the numbers of people who visit our properties and to analyze flows of people around the properties for safety and commercial purposes using software which analyzes CCTV camera images; and
– creating aggregate data.
When you access or use our Digital Services
Some Digital Services may, with your consent, process Location Data. We use this data, together with Inference Data, and Device/Network Data in order to provide directions and contextual information to you, and other features that require the use of location. We may also use this information in connection with our legitimate business interests, such as, creating aggregate information about users’ location and patterns, which we use to help improve our Services. We may also process Identity Data, Contact Data, and User Content if you interact with or identify us on social media platforms.
We may also use Identity Data, Device/Network Data, Location Data, Inference Data and Contact Data collected in this context for Commercial Purposes.
Cookies and other tracking technologies
– for “essential” or “functional” purposes, such as to enable certain features of our Digital Services (for example, to allow a customer to maintain a “shopping cart” when they are making a purchase at an online store);
– for “analytics” purposes, such as to analyze the traffic to and usage of our Digital Services (for example, how many people have looked at a page, how visitors move around our website, what website they visited prior to visiting our website, and use this information to understand user behaviors and improve the design and functionality of the website);
– for “retargeting” or similar advertising or commercial purposes;
– for social media integration e.g. via third-party social media cookies, or when you share information using a social media sharing button or “like” button on our Services or you link your account or engage with our content on or through a social networking website such as Facebook or Twitter;
– to collect information about your preferences and demographics to help target advertisements which are more likely to be of interest to you using behavioral advertising; and
– to allow us to carry out retargeting (this includes, for example, when advertisements are presented to you for products or services which you have previously looked at on a website but have not purchased).
We may also use your Identity Data, Device/Network Data, Inference Data and Contact Data collected in this context for Business Purposes and Commercial Purposes.
When you enter a contest or other promotion
We collect and process Identity Data, Contact Data, and User Content as necessary to process your request to enter the contest, or take part in a promotion, notify you if you have won or to process delivery of a prize or for other related purposes. In addition, we may process this information in connection with our legitimate business interests, such as verifying your identity for authentication and security purposes, and helping us to prevent fraud. Note, if you win a contest/sweepstakes, we may publicly post some of your data on our website (such as on a winners’ page). Where required by law, your information will not be posted without your consent. Unless prohibited by law, we may use this Identity Data, Contact Data, and User Content information for Commercial Purposes.
When you contact us or submit information to us
We collect and process Identity Data, Contact Data, and any Audio/Visual data or User Content you provide as necessary to address your request, fulfill the business purpose for which that information was provided, or for other related purposes. Additionally where you consent, if relevant to your request (such as an inquiry regarding a product, service, etc.) or if otherwise permitted by law, we may send you marketing communications as described further below, and use this information for Commercial Purposes.
Feedback and Surveys
We may process Identity Data, Contact Data, Inference Data, and User Content collected in connection with guest surveys or questionnaires. We generally process this Personal Data as necessary to respond to guest requests/concerns, and create aggregate analytics regarding guest satisfaction. We may store and analyze feedback for our purposes, for example, to personalize the Services, and help recommend relevant offers or services. We may also use the Identity Data, Contact Data, Inference Data, and User Content collected in this context for Business Purposes and Commercial Purposes.
Employment & Service Provider Applications
We may process Personal Data in connection with your application to be a vendor, employee, or otherwise join or support our team. We process this Personal Data primarily in connection with the personnel relationship. Details regarding our collection and processing of Personal Data for these purposes may be subject to the privacy policies of our service providers who manage our career portal, and this data is also subject to our internal policies.
Public Health and Vaccinations
We may collect Personal Data, including Health Data, in the event we determine that it is necessary for us to require guests to provide such information in order to protect the health or other vital interests of our guests or the public, or we are required to collect or process such Personal Data by a public health or other governmental authority. For example, in extraordinary times (such as a pandemic) we may require proof of vaccinations against certain illnesses (such as Covid-19) in order for guests to ride our trains. Where we collect this Personal Data, we will use it only as reasonably necessary to protect the health, safety, and vital interests of our personnel, guests and the public, and as otherwise necessary for applicable legal or compliance purposes. Where we process Health Data, we will limit access to such information, and minimize the information that reveals any condition or information about your health as much as reasonably possible to fulfill the purpose of collection. Personal Data will be stored only for so long as is necessary to fulfill those purposes, or as may otherwise be required for our legal compliance obligations. Please note, in cases where public health authorities or governmental agencies require proof of vaccination or request other Health Data, we may disclose Health Data or other Personal Data to that party where required by law, if the third party requests such information, or if you authorize its disclosure.
How we Process Personal Data for Business Purposes
We and our service providers process Personal Data we hold for numerous business purposes, depending on the context of collection, your rights and choices, and our legitimate business interests. For example, we generally process Personal Data in connection with:
Service Provision and Contractual Obligations
We process any Personal Data as is necessary to provide our Services, to provide you with the products and services you purchase or request, to provide you with updates about your reservation and your visit to our properties, to authenticate users and their rights to access the Services, or various data, features, or functionality, and as otherwise necessary to fulfill our contractual obligations to you, and provide you with the information, features, and services you request. Additionally, we use information to authenticate your right to board our trains, access our properties, deliver products and services, and for other related matters. Similarly, we may use Personal Data as necessary to audit compliance, and log or measure aspects of service delivery (e.g. to document ad impressions).
Internal Processing and Service Improvement
We may use any Personal Data we process through our Services as necessary in connection with our legitimate business interests in improving the design of our Services, understanding how our Services are used or function, for customer service purposes, in connection with logs and metadata relating to Service use, and for debugging and similar purposes relating our identification of errors and improving the stability of the Services. Additionally, we may use Personal Data to understand what parts of our Services are most relevant to Users, how Users interact with various aspects of our Services, how our Services perform, etc., or we may analyze use of the Services to determine if there are specific activities that might indicate an information security risk to the Services or our users.
Security and Incident Detection
Whether online or off, we work to ensure that our Services are secure. We may process any Personal Data we collect in connection with our legitimate business interest in ensuring that our properties are secure, identify and prevent crime, prevent fraud, and ensure the safety of our guests. Similarly, we process Personal Data on our Digital Services as necessary to detect security incidents, protect against, and respond to malicious, deceptive, fraudulent, or illegal activity. We may analyze network traffic, device patterns and characteristics, maintain and analyze logs and process similar Personal Data in connection with our information security activities.
Compliance, health, safety, public interest
We may also process any Personal Data as necessary to comply with our legal obligations, such as where you exercise your rights under data protection law and make requests, for the establishment and defense of legal claims, or where we must comply with our legal obligations, lawful requests from government or law enforcement officials, and as may be required to meet national security or law enforcement requirements or prevent illegal activity. We may also process data to protect the vital interests of individuals, or on certain public interest grounds, each to the extent allowed under applicable law. Please see the data sharing section for more information about how we disclose Personal Data in extraordinary circumstances
We process Personal Data about our customers and users in order to identify trends (to create aggregated and anonymized data about our customers/users, buying and spending habits, use of our Services, and other similar information (“Aggregated Data”). We may pass Aggregated Data to certain third parties to give them a better understanding of our business and to improve our Services. Aggregated Data will not contain information from which you may be personally identified.
We process certain Personal Data in connection with our legitimate business interest in personalizing our Services. For example, aspects of the Digital Services may be customized to you based on your interactions with our Digital Services and other content. This processing may involve the creation and use of Inference Data relating to your preferences.
Other Business Purposes
How we Process Personal Data for Commercial Purposes
We and certain third parties process Personal Data we hold for certain commercial purposes, depending on the context of collection and your rights and choices, including:
Personalization & Consumer Profiles
In order to understand our customers’ preferences, and better recommend products and services to our prior customers, we may create a “Consumer Profile” by linking together and analyzing Personal Data collected in the following contexts:
– When you make a reservation, purchase or other transaction through our Service
– When you ride our train or visit our properties
– When you access or use our Digital Services
– Cookies and other tracking technologies
– When you enter a contest or other promotion
– When you contact us or submit information to us
– Feedback and Surveys
We may also augment Consumer Profiles with Personal Data that we create (such as Inference Data) or that we receive from our affiliates or third parties, and may include Personal Data such as Services you have used or purchased, information about when you have visited our properties and what activities you participated in, and demographic data.
We use Consumer Profiles for our legitimate interests in market research and statistical analysis in connection with the improvement of our Services. For example, we may analyze the Personal Data of people who have made a reservation in the past and compare them with other people in our database. If we identify people in the database who have similar Personal Data to the previous guests, we may then target marketing via emails to the new people. We may conduct the profiling and send these emails automatically. We may also use this information for other Commercial Purposes.
Consistent with our legitimate business interests, we (or if appropriate, our third-party partners) may send you marketing and promotional communications if you sign up for such communications or purchase products or services from us. Where allowed, we may also send you these communications if you make a reservation with us, register for a promotion, or in connection with your communications with or submission of User Content to us. These communications may be personalized or customized based on your user profile. We may also collect Device/Network Data and Contact Data so that we can determine whether you have opened an email or interacted with our communications, and we may generate Inference Data based on these interactions. We may also process this Personal Data for targeted advertising. However, where consent to processing is required by law, we will link and process this information for targeted advertising with appropriate consent.
We and certain third parties operating on or through our Services, may engage in targeted advertising on our Site or elsewhere. This form of advertising includes various parties and services providers, including third party data controllers, engaged in the processing of Personal Data in connection with advertising. These parties may be able to identify you across sites, devices, and over time.
The parties that control the processing of Personal Data for behavioral advertising may create or leverage information derived from personalization and profiling. In some cases, these parties may also develop and assess aspects of a profile about you to determine whether you are a type of person a company wants to advertise to and determine whether and how ads you see are effective. These third parties may augment your profile with demographic and other Inference Data derived from these observations, and may also track whether you view, interact with, or how often you have seen an ad, or whether you complete a purchase for something you saw in an advertisement.
We generally use targeted advertising for the purpose of marketing our Services and third-party goods and services, to send marketing communications, including by creating custom marketing audiences on third-party websites (such as Facebook) or targeting users with advertisements on other websites.
HOW WE SHARE PERSONAL DATA
In order to streamline certain business operations, improve Service personalization and behavioral marketing, develop products and services that better meet the interests and needs of our customers, and promote information we believe will be of interest to you, we may share your Personal Data internally within our family of companies, as well as our current and future affiliated entities.
Service Providers & Agents
In connection with our general business operations, product/service improvements, to enable certain features, and in connection with our other legitimate business interests and business purposes, we may share your Personal Data with service providers who provide certain services or process data on our behalf. For example, we use a third party service provider to process reservations and payments on our website, we use cloud-based hosting providers to host our website, and we may disclose information as part of our own internal operations or other business purposes (which may include the legitimate interests and business purposes of the Service Provider themselves). We may disclose the following categories of Personal Data to our service providers: Identity Data, Contact Data, Location Data, Device/Network Data, Commercial Data, Inference Data, Financial Data, Audio/Visual Data, Health Data, and User Content
Your Personal Data may be shared if we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.
INTERNATIONAL TRANSFERS OF PERSONAL DATA
If you are located outside the US, your Personal Data may be transferred to and/or processed in a location outside of the European Economic Area (EEA).
Your Personal Data may also be processed by staff operating in the United States or outside the EEA working for us, other members of our family of companies or third-party data processors. Such staff may be engaged in, among other things, the provision of our Services to you, the processing of transactions and/or the provision of support services.
HOW WE RETAIN YOUR PERSONAL DATA
We retain Personal Data for so long as it, in our discretion, remains relevant to its purpose, and in any event, for so long as is required by law. We will review retention periods periodically and may sometimes pseudonymize or anonymize data held for longer periods, if appropriate.
YOUR RIGHTS & CHOICES
You may have certain rights and choices regarding the Personal Data we process. Please note, these rights may vary based on the country or state where you reside, and our obligations under applicable law.
We will send you important alerts related to your reservation and other details to help make your visit more enjoyable. For example, we will send updates related to the availability of parking, information on weather conditions impacting our trains, or other details you may need to know in order to ensure you arrive on time or if your reservation must be rescheduled or cancelled. You have a choice regarding whether to receive these communications by text message or email when you make a reservation on our Service. If you need to change your method of communication, please email [email protected]om.
You can opt-out of receiving marketing communications by clicking on the unsubscribe link in an email. You can also withdraw your consent to receive marketing communications or any other consent you have previously provided to us by emailing [email protected] To opt-out of the collection of information relating to email opens, configure your email so that it does not load images in our emails.
Withdrawing Your Consent/Opt-Out
Where we are processing your Personal Data based on your consent, you may change your mind and withdraw your consent at any time. The consequence of you withdrawing consent might be that we cannot perform certain Services for you, such as providing you with important updates related to your reservation, or providing certain types of advertising, or other services conditioned on your consent or choice not to opt-out.
You may control or limit location data that we collect through our Services by changing your preferences in your device’s location services preferences menu, or through your choices regarding the use of Bluetooth, WiFi, and other network interfaces you may use to interact with our Services. However, please note that use of RFID technologies may be necessary for the functioning of hardware required for certain processing of Personal Data. Note, general location data may still be collected if you opt out of specific location services.
Residents of California (and others if mandated by the laws of your state) may request a list of direct marketing disclosures we have made within the prior 12 months, by emailing [email protected].
HOW WE PROTECT YOUR PERSONAL DATA
We use industry standard technical and organizational security measures to protect your Personal Data. We cannot guarantee the security of your Personal Data when you transmit it to us, and any such transmission is at your own risk.
THIRD PARTY WEBSITES AND MOBILE APPLICATIONS
We are not responsible for the privacy policies, content or security of any linked third party websites or mobile applications. We recommend that you check the privacy and security policies of each and every website and mobile application that you visit.
Our Services are neither directed at nor intended for use by children under the age of 13 in the US, or under the age of 13 to 16 in the EU, depending on the local jurisdiction. We do not knowingly collect Personal Data from such individuals. If we learn that we have inadvertently done so, we will promptly delete it. Do not access or use the Services if you are not of the age of majority in your jurisdiction unless you have the consent of your parent or guardian.