Effective Date: 15-Jan-2018
Last Revised: 23-May-2025
This Privacy Policy and Data Processing Notice ("Policy") constitutes a legally binding agreement between The Cottontail Inn, a California-based vacation rental company, and any individual accessing or utilizing our proprietary software application, digital platform, or associated services (collectively, the "Platform"). This Policy governs the collection, processing, retention, disclosure, and disposition of Personal Data (as hereinafter defined) in connection with your access to and use of the Platform.
BY ACCESSING OR USING THE PLATFORM, YOU EXPRESSLY ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY ALL TERMS OF THIS POLICY. IF YOU DO NOT AGREE TO THESE TERMS, YOU MUST IMMEDIATELY DISCONTINUE USE OF THE PLATFORM.
Definitions: For purposes of this Policy, the following terms shall have the meanings ascribed below:
"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to data elements that, alone or in combination with other information, can be used to identify, contact, or locate a specific individual.
"Processing" encompasses any operation or set of operations performed on Personal Data, whether or not by automated means.
"Data Subject" refers to the natural person to whom Personal Data relates.
"Controller" means the natural or legal person who determines the purposes and means of the Processing of Personal Data.
"Processor" means a natural or legal person who Processes Personal Data on behalf of the Controller.
"Force Majeure" means any act of God, natural disaster, pandemic, governmental action, cyberattack, infrastructure failure, or other circumstances beyond Company's reasonable control.
"Reasonable Efforts" means commercially reasonable efforts consistent with industry standards, but excludes any obligation to incur extraordinary costs or implement measures that would fundamentally alter Company's business model.
2. Legal Basis for Processing and Jurisdictional Framework
Where the General Data Protection Regulation (EU) 2016/679 ("GDPR") applies, our Processing activities are predicated upon the following lawful bases pursuant to Article 6(1):
(a) Consent - Where you have provided explicit, informed, and freely given consent to Processing for specific purposes;
(b) Performance of Contract - Processing necessary for the performance of our Terms of Service or to take steps at your request prior to entering into such contract;
(c) Legal Obligation - Processing necessary for compliance with legal obligations to which Company is subject;
(d) Vital Interests - Processing necessary to protect vital interests of Data Subjects or other natural persons;
(e) Public Task - Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
(f) Legitimate Interests - Processing necessary for purposes of legitimate interests pursued by Company or third parties, except where overridden by your fundamental rights and freedoms, particularly where the Data Subject is a child.
For Special Categories of Personal Data under Article 9 GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data concerning sex life or sexual orientation), Processing is generally prohibited except where one of the following conditions applies:
(a) Explicit Consent - You have given explicit consent to Processing for specified purposes;
(b) Employment and Social Security - Processing necessary for employment, social security, and social protection law obligations;
(c) Vital Interests - Processing necessary to protect vital interests where you are physically or legally incapable of giving consent;
(d) Legitimate Activities - Processing by foundations, associations, or not-for-profit bodies with appropriate safeguards;
(e) Manifestly Made Public - Processing relates to data manifestly made public by you;
(f) Legal Claims - Processing necessary for establishment, exercise, or defense of legal claims;
(g) Substantial Public Interest - Processing necessary for substantial public interest based on Union or Member State law;
(h) Medicine and Health - Processing necessary for medical diagnosis, healthcare provision, or public health purposes;
(i) Public Health - Processing necessary for public health in the public interest;
(j) Archiving and Research - Processing for archiving, scientific research, or statistical purposes with appropriate safeguards.
Registration and Account Data: Including but not limited to personally identifiable information ("PII") such as full legal name, electronic mail addresses, postal addresses, telephone numbers, authentication credentials, demographic information, and photographic likenesses.
Transactional Data: Financial information including payment card details, billing addresses, transaction histories, and associated metadata, processed through PCI DSS-compliant third-party payment processors operating under separate processor agreements.
User-Generated Content: All content, data, information, text, software, music, sound, photographs, graphics, video, messages, or other materials submitted, posted, or displayed by you through the Platform ("User Content").
Device and Usage Analytics: Technical identifiers including Internet Protocol ("IP") addresses, Media Access Control ("MAC") addresses, device fingerprints, browser characteristics, operating system specifications, referring URLs, clickstream data, session durations, and engagement metrics.
Geolocation Data: Precise or approximate geographic coordinates derived from GPS signals, cellular tower triangulation, Wi-Fi access points, or IP geolocation services, subject to your explicit opt-in consent where required by applicable law.
Tracking Technologies Data: Information collected through cookies, web beacons, pixel tags, local storage objects, and similar tracking technologies as detailed in our Cookie Policy, incorporated herein by reference.
Social Media Integration Data: Information received from third-party platforms including but not limited to Meta Platforms, Inc., Twitter, Inc., LinkedIn Corporation, and Pinterest, Inc., pursuant to their respective API terms and your privacy settings on such platforms.
Data Enrichment Services: Commercially available information from data aggregators and verification services used to supplement and validate information you provide.
We Process Personal Data for the following enumerated purposes, each supported by adequate legal justification:
Service Provisioning and Contract Performance: Account creation and management, authentication services, Platform functionality delivery, transaction processing, and performance of our contractual obligations under our Terms of Service.
Personalization and User Experience Enhancement: Algorithm-driven content curation, preference learning, recommendation engines, and user interface optimization based on behavioral analytics and machine learning models.
Communications and Customer Relations: Service notifications, transactional communications, customer support services, dispute resolution, and relationship management activities.
Business Intelligence and Analytics: Aggregated usage analytics, performance metrics, market research, product development insights, and strategic business planning, utilizing de-identification and anonymization techniques where feasible.
Marketing and Promotional Activities: Direct marketing communications, promotional campaigns, affiliate program management, and advertising optimization, subject to applicable consent requirements and opt-out mechanisms.
Legal Compliance and Risk Management: Regulatory compliance obligations, legal process responses, fraud prevention and detection, security threat mitigation, audit requirements, and law enforcement cooperation.
Personal Data may be disclosed to the following categories of recipients under appropriate contractual safeguards:
Service Providers and Processors: Third-party vendors operating under data processing agreements ("DPAs") compliant with Article 28 GDPR requirements, including cloud infrastructure providers, payment processors, analytics services, and customer support platforms.
Corporate Affiliates: Subsidiaries, parent companies, and affiliated entities within our corporate structure, subject to equivalent privacy protections and legitimate business purposes.
Professional Advisors: Legal counsel, accountants, consultants, and other professional service providers bound by confidentiality obligations and attorney-client privilege where applicable.
Legal Process and Regulatory Compliance: Disclosures required by court orders, subpoenas, search warrants, regulatory investigations, or other lawful governmental requests, subject to applicable procedural safeguards and notice requirements.
Corporate Transactions: In connection with actual or contemplated mergers, acquisitions, divestitures, or other business combinations, subject to successor entity assumption of privacy obligations and appropriate due diligence procedures.
Personal Data may be transferred to, processed in, and accessed from jurisdictions outside your country of residence, including jurisdictions that may not provide equivalent data protection standards.
For transfers outside the European Economic Area ("EEA"), we implement appropriate safeguards including:
Adequacy Decisions: Reliance on European Commission adequacy determinations under Article 45 GDPR where available.
Standard Contractual Clauses: Implementation of European Commission-approved Standard Contractual Clauses ("SCCs") under Article 46(2)(c) GDPR with supplementary measures as required by Schrems II jurisprudence.
Binding Corporate Rules: Where applicable, reliance on approved Binding Corporate Rules ("BCRs") for intra-group transfers.
Derogations: In limited circumstances, reliance on Article 49 GDPR derogations including explicit consent, contract performance necessity, or compelling legitimate interests with appropriate safeguards.
Where GDPR applies, you possess the following rights concerning your Personal Data:
Right of Access (Article 15): Right to obtain confirmation of Processing activities and access to Personal Data along with specified accompanying information.
Right to Rectification (Article 16): Right to correction of inaccurate Personal Data and completion of incomplete data.
Right to Erasure (Article 17): Right to deletion under specified circumstances, subject to applicable limitations and overriding legitimate grounds.
Right to Restriction (Article 18): Right to limit Processing under defined conditions pending resolution of disputes or verification procedures.
Right to Data Portability (Article 20): Right to receive Personal Data in structured, commonly used, machine-readable format and transmit to another controller where technically feasible.
Right to Object (Article 21): Right to object to Processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Article 7): Where Processing is based on consent, right to withdraw such consent without affecting lawfulness of prior Processing.
Rights requests must be submitted through our designated data protection portal or to our Data Protection Officer ("DPO"). We will acknowledge receipt within 72 hours and respond substantively within one month, with possible extension to three months for complex requests. Identity verification procedures may be required to prevent unauthorized access to Personal Data.
LIMITATIONS ON RIGHTS EXERCISE:
Requests may be denied where they are manifestly unfounded, excessive, or repetitive
We may charge a reasonable fee for additional copies or manifestly unfounded requests
Rights may be restricted where exercise would adversely affect the rights and freedoms of others
Technical impossibility of fulfillment may preclude certain data portability requests
Legal obligations may override certain deletion requests
We reserve the right to extend response timeframes during periods of high request volume
REQUEST VERIFICATION REQUIREMENTS: Identity verification procedures may include provision of government-issued identification, account verification through authenticated channels, or sworn attestations of identity. Failure to provide adequate verification may result in request denial to protect Personal Data security.
We maintain industry-standard technical and organizational measures ("TOMs") including:
Encryption Protocols: Advanced Encryption Standard (AES) 256-bit encryption for data at rest and Transport Layer Security (TLS) 1.3 for data in transit.
Access Controls: Role-based access controls ("RBAC"), multi-factor authentication ("MFA"), privileged access management ("PAM"), and principle of least privilege implementation.
Security Monitoring: Continuous security monitoring, intrusion detection systems ("IDS"), security information and event management ("SIEM"), and regular penetration testing by certified third parties.
Incident Response: Comprehensive incident response procedures including breach assessment, containment measures, forensic analysis, and regulatory notification protocols compliant with the requirements of Articles 33 and 34 GDPR.
SECURITY DISCLAIMER: WHILE COMPANY EMPLOYS REASONABLE SECURITY MEASURES CONSISTENT WITH INDUSTRY STANDARDS, NO SYSTEM IS COMPLETELY SECURE. COMPANY MAKES NO WARRANTIES REGARDING THE ABSOLUTE SECURITY OF PERSONAL DATA AND EXPRESSLY DISCLAIMS ANY LIABILITY FOR SECURITY BREACHES RESULTING FROM SOPHISTICATED ATTACKS, ZERO-DAY VULNERABILITIES, STATE-SPONSORED ACTIVITIES, OR OTHER EXTRAORDINARY CIRCUMSTANCES BEYOND REASONABLE CONTROL.
In the event of a Personal Data breach, we maintain comprehensive incident response procedures compliant with GDPR Articles 33 and 34:
Supervisory Authority Notification (Article 33): Where a Personal Data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. Where notification is not made within 72 hours, we will provide reasons for the delay.
Data Subject Notification (Article 34): Where a Personal Data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the breach to affected Data Subjects without undue delay. Such communication will describe in clear and plain language the nature of the breach and contain contact details of our Data Protection Officer, the likely consequences of the breach, and measures taken or proposed to address the breach and mitigate adverse effects.
Documentation Requirements: We maintain comprehensive documentation of all Personal Data breaches, comprising facts relating to the breach, its effects, and remedial action taken, in accordance with Article 33(5) GDPR.
Personal Data retention periods are determined based on:
Legal Obligation Requirements: Mandatory retention periods under tax, employment, consumer protection, or industry-specific regulations.
Limitation Periods: Applicable statutes of limitations for potential legal claims or disputes.
Business Purpose Necessity: Ongoing legitimate business needs including contract performance, customer service, and fraud prevention.
Data Minimization Principles: Regular assessment to ensure continued Processing necessity and proportionality.
Upon expiration of retention periods, Personal Data is securely destroyed using industry-standard data destruction methods including cryptographic erasure, physical destruction, or anonymization techniques that render re-identification practically impossible.
California residents possess specific rights under the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA"). We collect the following categories of Personal Information as defined in California Civil Code Section 1798.140:
Category A - Identifiers: Real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
Category B - Protected Classifications: Characteristics of protected classifications under California or federal law including race, religion, sexual orientation, gender identity, nationality, and similar characteristics.
Category C - Commercial Information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Category D - Biometric Information: Genetic, physiological, behavioral, and biological characteristics used for identification.
Category E - Internet Activity: Browsing history, search history, and information regarding interaction with websites, applications, or advertisements.
Category F - Geolocation Data: Physical location or movements.
Category G - Sensory Data: Audio, electronic, visual, thermal, olfactory, or similar information.
Category H - Professional Information: Current or past job history, performance evaluations, employment-related information.
Category I - Education Information: Information not publicly available as defined in the Family Educational Rights and Privacy Act.
Category J - Inferences: Inferences drawn from any of the above categories to create profiles reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Category K - Sensitive Personal Information: Social Security numbers, driver's license numbers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, union membership, mail/email/text content, genetic data, biometric data, health information, and sexual orientation data.
Business Purposes: We use Personal Information for operational purposes, service improvement, security, legal compliance, and short-term transient use as defined in CCPA Section 1798.140.
Third-Party Disclosures: We may disclose Personal Information to service providers, professional advisors, and affiliated entities for enumerated business purposes under written contracts restricting use and retention.
Sale and Opt-Out Rights: We do not "sell" Personal Information as defined under CCPA. Should our practices change, we will provide conspicuous opt-out mechanisms and update this Policy accordingly.
Virginia residents have rights to access, correct, delete, and obtain copies of Personal Data, along with rights to opt out of targeted advertising and profiling activities.
Colorado residents possess similar rights along with additional protections for sensitive Personal Data and algorithmic decision-making activities.
Connecticut residents have equivalent consumer rights with specific provisions for data controller responsibilities and consumer request processing.
The Platform is not directed to children under 13 years of age. We do not knowingly collect Personal Information from children under 13. Upon discovery of such collection, we will promptly delete the information and terminate associated accounts.
For users between 13-17 years of age, we implement enhanced privacy protections including parental notification procedures, restricted data sharing, and simplified privacy controls.
We employ automated processing techniques including machine learning algorithms, artificial intelligence systems, and profiling activities for personalization, fraud detection, and service optimization purposes.
Where automated decision-making produces legal effects or similarly significant consequences, you have rights to human intervention, explanation of decision logic, and challenge of automated decisions under Article 22 GDPR and equivalent state law provisions.
Data accessed through Meta platforms (Facebook, Instagram, WhatsApp) is governed by Meta's Platform Policy, Data Policy, and your privacy settings within Meta services. We process such data solely for Platform functionality and in accordance with Meta's developer terms.
Twitter/X data integration complies with Twitter Developer Agreement terms, API usage policies, and applicable rate limiting. Tweet data and user information are processed consistent with Twitter's privacy framework and user expectations.
LinkedIn data access operates under LinkedIn Developer Terms, API Guidelines, and Member Privacy Policy requirements. Professional networking data is handled with enhanced confidentiality protections.
Pinterest API integration follows Pinterest Developer Guidelines, Terms of Service, and Privacy Policy requirements with specific protections for user-generated content and behavioral data.
Material modifications to this Policy will be communicated through conspicuous notice on the Platform, direct communication to registered users, and posting of updated terms with highlighted changes. Continued use following the notice period constitutes acceptance of modifications.
MODIFICATION RIGHTS RESERVED: Company reserves the unilateral right to modify this Policy at any time as necessary for legal compliance, business operations, or Platform functionality. Material changes affecting data processing purposes will be communicated with at least 30 days' notice where required by applicable law.
DEEMED ACCEPTANCE: If you continue to use the Platform after the effective date of any modification, you will be deemed to have accepted such changes. If you do not agree to modifications, your sole remedy is to discontinue use of the Platform.
Previous Policy versions are maintained in our archives and available upon request for audit and compliance purposes.
Virginia residents have rights to access, correct, delete, and obtain copies of Personal Data, along with rights to opt out of targeted advertising and profiling activities that produce legal or similarly significant effects.
Colorado residents possess similar rights along with additional protections for sensitive Personal Data and algorithmic decision-making activities. Sensitive data includes government identifiers, financial information, precise geolocation, biometric data, genetic data, personal communications content, account access information, and data revealing racial/ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, or citizenship status.
Connecticut residents have equivalent consumer rights with specific provisions for data controller responsibilities and consumer request processing procedures.
Utah residents possess rights to access, delete, and obtain copies of Personal Data, with opt-out rights for targeted advertising and sale of Personal Data.
The Platform is not directed to children under 13 years of age. We do not knowingly collect Personal Information from children under 13. Upon discovery of such collection, we will promptly delete the information and terminate associated accounts.
For users between 13-17 years of age, we implement enhanced privacy protections including parental notification procedures where required by law, restricted data sharing, and simplified privacy controls.
We may implement age verification procedures including account registration requirements, parental consent mechanisms, and identity verification processes to ensure compliance with age-related privacy requirements.
TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, COMPANY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS POLICY, INCLUDING BUT NOT LIMITED TO DATA PROCESSING ACTIVITIES, SECURITY INCIDENTS, OR PRIVACY VIOLATIONS, SHALL NOT EXCEED THE LESSER OF: (A) THE TOTAL AMOUNTS PAID BY YOU TO COMPANY IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM, OR (B) ONE THOUSAND DOLLARS ($1,000 USD).
IN NO EVENT SHALL COMPANY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
WHILE COMPANY IMPLEMENTS REASONABLE SECURITY MEASURES, NO SYSTEM IS COMPLETELY SECURE. COMPANY MAKES NO WARRANTIES OR REPRESENTATIONS REGARDING THE ABSOLUTE SECURITY OF PERSONAL DATA AND EXPRESSLY DISCLAIMS ANY GUARANTEE OF PREVENTION OF UNAUTHORIZED ACCESS, DISCLOSURE, OR SECURITY BREACHES.
COMPANY SHALL NOT BE LIABLE FOR ANY ACTS, OMISSIONS, OR SECURITY FAILURES OF THIRD-PARTY SERVICE PROVIDERS, PROCESSORS, OR OTHER ENTITIES OUTSIDE COMPANY'S DIRECT CONTROL, EVEN WHERE SUCH THIRD PARTIES PROCESS PERSONAL DATA ON COMPANY'S BEHALF.
COMPANY SHALL NOT BE LIABLE FOR ANY FAILURE TO PERFORM OBLIGATIONS UNDER THIS POLICY DUE TO FORCE MAJEURE EVENTS, INCLUDING BUT NOT LIMITED TO CYBERATTACKS, INFRASTRUCTURE FAILURES, GOVERNMENTAL ACTIONS, OR OTHER CIRCUMSTANCES BEYOND COMPANY'S REASONABLE CONTROL.
TO THE FULLEST EXTENT PERMITTED BY LAW, YOU AGREE TO INDEMNIFY, DEFEND, AND HOLD HARMLESS COMPANY, ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, AND AFFILIATES FROM AND AGAINST ANY AND ALL CLAIMS, DAMAGES, LOSSES, COSTS, AND EXPENSES (INCLUDING REASONABLE ATTORNEYS' FEES) ARISING FROM OR RELATING TO: (A) YOUR USE OF THE PLATFORM; (B) YOUR VIOLATION OF THIS POLICY; (C) YOUR VIOLATION OF ANY RIGHTS OF THIRD PARTIES; (D) ANY CONTENT OR INFORMATION YOU SUBMIT; OR (E) ANY MISREPRESENTATION MADE BY YOU.
AS A CONDITION OF COMPANY'S OBLIGATIONS UNDER THIS SECTION, YOU MUST: (A) PROMPTLY NOTIFY COMPANY IN WRITING OF ANY CLAIM; (B) GRANT COMPANY SOLE CONTROL OF THE DEFENSE AND SETTLEMENT; AND (C) PROVIDE REASONABLE COOPERATION IN THE DEFENSE OF SUCH CLAIM.
COMPANY'S COMPLIANCE WITH THIS POLICY AND GOOD FAITH EFFORTS TO ADHERE TO APPLICABLE PRIVACY LAWS SHALL CONSTITUTE A COMPLETE DEFENSE TO ANY CLAIMS OF NON-COMPLIANCE, PROVIDED THAT ANY NON-COMPLIANCE WAS NOT WILLFUL OR GROSSLY NEGLIGENT.
GIVEN THE RAPIDLY EVOLVING NATURE OF PRIVACY LAWS AND REGULATIONS, COMPANY RESERVES THE RIGHT TO MODIFY DATA PROCESSING PRACTICES TO MAINTAIN COMPLIANCE. ANY SUCH MODIFICATIONS SHALL BE DEEMED REASONABLE AND NECESSARY FOR REGULATORY ADHERENCE.
WHERE THIS POLICY REQUIRES SPECIFIC ACTIONS OR MEASURES, COMPANY'S OBLIGATION SHALL BE LIMITED TO USING REASONABLE COMMERCIAL EFFORTS CONSISTENT WITH INDUSTRY STANDARDS AND AVAILABLE TECHNOLOGY.
This Policy is governed by California, USA law without regard to conflict of law principles. Any disputes arising under this Policy are subject to the exclusive jurisdiction of the state and federal courts located in San Francisco, California, except as provided for arbitration below.
ANY DISPUTE, CONTROVERSY, OR CLAIM ARISING OUT OF OR RELATING TO THIS POLICY OR THE PROCESSING OF PERSONAL DATA (COLLECTIVELY, "DISPUTES") SHALL BE RESOLVED THROUGH BINDING ARBITRATION ADMINISTERED BY NATIONAL ARBITRATION AND MEDIATION IN ACCORDANCE WITH ITS COMMERCIAL ARBITRATION RULES. THE ARBITRATION SHALL BE CONDUCTED BY A SINGLE ARBITRATOR IN SAN FRANCISCO, CALIFORNIA.
YOU EXPRESSLY WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS ACTION, REPRESENTATIVE ACTION, OR COLLECTIVE ARBITRATION. ALL DISPUTES MUST BE BROUGHT INDIVIDUALLY.
ANY CLAIMS UNDER THIS POLICY MUST BE BROUGHT WITHIN ONE (1) YEAR OF THE ACCRUAL OF THE CAUSE OF ACTION, AFTER WHICH TIME SUCH CLAIMS ARE PERMANENTLY BARRED.
The arbitration requirement does not apply to: (a) regulatory enforcement actions by governmental authorities; (b) claims for injunctive relief to protect intellectual property rights; or (c) small claims court actions within jurisdictional limits.
BY USING THE PLATFORM, YOU ACKNOWLEDGE AND ASSUME ALL RISKS ASSOCIATED WITH THE TRANSMISSION AND PROCESSING OF PERSONAL DATA OVER THE INTERNET AND THROUGH DIGITAL SYSTEMS, INCLUDING BUT NOT LIMITED TO RISKS OF INTERCEPTION, ALTERATION, OR UNAUTHORIZED ACCESS.
DATA SECURITY IS A SHARED RESPONSIBILITY. WHILE COMPANY IMPLEMENTS APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES, YOU REMAIN RESPONSIBLE FOR: (A) MAINTAINING THE CONFIDENTIALITY OF YOUR ACCOUNT CREDENTIALS; (B) PROMPTLY REPORTING SUSPECTED SECURITY INCIDENTS; (C) USING STRONG AUTHENTICATION PRACTICES; AND (D) KEEPING YOUR DEVICES AND SOFTWARE UPDATED.
YOU AGREE TO TAKE REASONABLE STEPS TO MITIGATE ANY DAMAGES ARISING FROM PRIVACY OR SECURITY INCIDENTS, INCLUDING PROMPTLY IMPLEMENTING RECOMMENDED SECURITY MEASURES AND COOPERATING WITH COMPANY'S INCIDENT RESPONSE PROCEDURES.
IN THE EVENT OF CONFLICTING LEGAL REQUIREMENTS ACROSS MULTIPLE JURISDICTIONS, COMPANY SHALL PRIORITIZE COMPLIANCE IN THE FOLLOWING ORDER: (A) MANDATORY COURT ORDERS AND SUBPOENAS; (B) EXPLICIT STATUTORY REQUIREMENTS; (C) REGULATORY GUIDANCE; (D) INDUSTRY BEST PRACTICES.
COMPANY RESERVES THE RIGHT TO MODIFY DATA PROCESSING PRACTICES AS NECESSARY TO MAINTAIN COMPLIANCE WITH CHANGING LEGAL REQUIREMENTS. SUCH MODIFICATIONS SHALL NOT CONSTITUTE A BREACH OF THIS POLICY IF MADE IN GOOD FAITH TO ENSURE REGULATORY ADHERENCE.
WHERE COMPLIANCE WITH ONE JURISDICTION'S LAWS WOULD VIOLATE ANOTHER'S, COMPANY SHALL MAKE REASONABLE EFFORTS TO RECONCILE SUCH CONFLICTS BUT SHALL NOT BE LIABLE FOR NON-COMPLIANCE RESULTING FROM IRRECONCILABLE LEGAL REQUIREMENTS.
Data Protection Inquiries:
Data Protection Officer
The Cottontail Inn
Post Box 6
Gualala, CA, 95445
Email: thecottontailinn@gmail.com
Telephone: +1 (201) 918-3197
This Policy constitutes the complete and exclusive statement of our privacy practices concerning Personal Data Processing. Any conflicts between this Policy and other Company communications shall be resolved in favor of this Policy's terms.