GDPR Compliance
Last updated: June 2026
Our Commitment to GDPR
cliff-echo is committed to protecting the personal data of all individuals, including those in the European Economic Area (EEA) and United Kingdom. We comply with the General Data Protection Regulation (GDPR) and ensure appropriate safeguards for international data transfers.
Data Controller
cliff-echo acts as the data controller for personal information collected through our website and services:
cliff-echo
1847 Mountain View Road
Banff, Alberta T1L 1B4
Canada
Email: [email protected]
Legal Bases for Processing
We process personal data under the following legal bases as defined by GDPR Article 6:
Consent (Article 6(1)(a))
When you explicitly agree to our processing of your data, such as:
- Submitting inquiry forms
- Accepting non-essential cookies
- Subscribing to communications
Contractual Necessity (Article 6(1)(b))
When processing is necessary to fulfill our contract with you:
- Processing bookings and payments
- Providing our guided experiences
- Communicating about your reservations
Legitimate Interests (Article 6(1)(f))
When we have a legitimate business interest that is not overridden by your rights:
- Improving our website and services
- Ensuring participant safety
- Preventing fraud
Legal Obligation (Article 6(1)(c))
When we must process data to comply with legal requirements:
- Tax and accounting records
- Safety incident reporting
Your Rights Under GDPR
If you are located in the EEA or UK, you have the following rights:
Right of Access (Article 15)
You may request a copy of the personal data we hold about you, along with information about how we use it.
Right to Rectification (Article 16)
You may request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure (Article 17)
You may request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for its original purpose.
Right to Restriction (Article 18)
You may request that we limit our processing of your data in specific situations, such as when you contest data accuracy.
Right to Data Portability (Article 20)
You may request your data in a structured, commonly used, machine-readable format for transfer to another controller.
Right to Object (Article 21)
You may object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing. We do not currently use automated decision-making that produces legal effects.
Exercising Your Rights
To exercise any of these rights, contact us at [email protected] with:
- Your full name
- The specific right you wish to exercise
- Any information to help us identify your data
We will respond within one month. Complex requests may require an extension of up to two additional months, in which case we will inform you.
We may need to verify your identity before processing your request to protect your data from unauthorized access.
International Data Transfers
Because we are a Canadian company, personal data may be transferred to and processed in Canada. Canada has been recognized by the European Commission as providing adequate data protection.
Where we use service providers in other jurisdictions, we ensure appropriate safeguards are in place through:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where applicable
- Other legally recognized transfer mechanisms
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected. Specific retention periods include:
- Inquiry data: 2 years from last contact
- Booking and transaction records: 7 years for legal compliance
- Health and safety information: 30 days after experience completion
- Marketing consent records: Until consent is withdrawn plus 1 year
Data Protection Measures
We implement appropriate technical and organizational measures including:
- Encryption of data in transit and at rest
- Access controls and authentication
- Regular security assessments
- Staff training on data protection
- Incident response procedures
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours where feasible
- Communicate directly with affected individuals when the breach is likely to result in high risk
- Document all breaches and our response measures
Complaints
If you believe we have not handled your data appropriately, you have the right to lodge a complaint with a supervisory authority. For EEA residents, this would be the data protection authority in your country of residence. For UK residents, this is the Information Commissioner's Office (ICO).
We encourage you to contact us first so we can address your concerns directly.
Updates to This Information
We may update this GDPR compliance information periodically. Significant changes will be communicated through our website.