Colombia Luxury Group S.A.S. ("CLG", "we", "us" or "our") is a company duly incorporated under the laws of the Republic of Colombia, with tax ID 901169061-4 and registered address at Calle 32 #3-96, Cartagena de Indias. We act as the Data Controller of the personal data collected through our website, our WhatsApp Business number, email correspondence, booking forms and during the provision of our nautical charter, villa rental and concierge services.
This Privacy Policy describes what data we collect about you, why we process it, who we share it with, how long we keep it, and what rights you have under Colombian Law 1581 of 2012 (Habeas Data) and, where applicable, under the EU General Data Protection Regulation (GDPR). It complements — and does not replace — our Reservation and Cancellation Policy, which governs the commercial and contractual aspects of your booking.
Who we are (Data Controller)
Colombia Luxury Group S.A.S., a company incorporated in the Republic of Colombia with tax ID 901169061-4 and registered address at Calle 32 #3-96, Cartagena de Indias. We are the Data Controller (Responsable del Tratamiento) of the personal data processed through our services.
Data protection contact: [email protected]
Phone: +57 304 209 1627
What this Policy covers
This Policy describes what personal data we collect, how and why we process it, who we share it with, how long we keep it, your rights under applicable law, and how to exercise those rights.
It is issued in compliance with Colombian Law 1581 of 2012, Decree 1377 of 2013, and other applicable regulations. It complements our Reservation and Cancellation Policy, which governs commercial and contractual aspects of bookings.
What personal data we collect
3.1 Identity & contact data
Full name, email address, telephone number, country of residence, nationality, passport or national ID number, date of birth when required.
3.2 Booking & guest data
Names of all passengers in your group, guest identification when required by maritime authorities, emergency contact, dietary restrictions, service preferences.
3.3 Payment data
Billing name and address, invoice details, payment method, partial card data (last four digits only), transaction ID, proof of payment. We do not store full credit card numbers — these are handled exclusively by our payment processor (Bold) and invoicing system (Alegra).
3.4 Communication data
The content of messages exchanged through WhatsApp, email, chat widgets, forms or any other written channel. This includes conversations handled by our AI-assisted agent Melanie V (see Section 7).
3.5 Service delivery data
Boarding photos and videos, on-board photos and videos, check-in records, itinerary records, captain's operational log, GPS/geolocation data of the chartered vessel during the service.
3.6 Website and analytics data
IP address, browser type, device type, operating system, pages visited, referral source, approximate location, interaction events (collected via Google Analytics 4 and similar tools). See our separate Cookie Policy.
3.7 Marketing preferences
Subscription to newsletters, whether you consent to receive promotional materials, testimonial authorizations.
Why we process your personal data
4.1 To provide our services
Processing bookings, issuing quotations and invoices, coordinating crew and logistics, complying with DIMAR requirements, producing the charter manifest, verifying identity for marina access.
4.2 To process payments
Generating payment links, confirming transfers, issuing receipts, reconciling accounts, and defending against improper chargebacks or payment disputes — consistent with Sections 10 and 11 of our Reservation and Cancellation Policy.
4.3 To communicate with you
Responding to inquiries, sending booking confirmations, providing pre-charter instructions, notifying weather restrictions or itinerary changes, requesting post-service feedback and reviews.
4.4 To comply with legal obligations
Tax reporting, accounting records, DIMAR reporting, response to competent authorities, anti-money laundering compliance.
4.5 To defend our legal rights
Documenting the service provided, responding to customer disputes, defending against chargebacks or legal claims — as permitted by Sections 10 and 11 of our Reservation and Cancellation Policy.
4.6 For marketing (only with your consent)
Sending newsletters, special offers, using selected photos or videos for marketing. You may withdraw consent at any time without affecting the services you have booked.
4.7 To improve our operations
Analyzing aggregated usage data, improving website performance, training our human team (not AI models) on conversation best practices, measuring conversion metrics.
Legal basis for processing
Depending on the purpose, we rely on one or more of the following legal bases:
- Contract execution — to perform the charter or service you requested
- Your consent — for marketing, photo/video marketing use, non-essential cookies
- Legal obligation — for tax, maritime, and accounting records
- Legitimate interest — for fraud prevention, chargeback defense, security, aggregate analytics
- Vital interest — in medical emergencies during a service
Under Colombian Law 1581 of 2012, our primary legal basis is your authorization, which you provide when booking, signing our Reservation Policy, sending us a WhatsApp message, or submitting a form on our website.
Who we share your personal data with
We share personal data only with the following categories of recipients, and only to the extent necessary.
6.1 Service providers and operators
Vessel owners, captains and crew (for coordinating your charter); villa owners and property managers (for accommodation); marinas and ports (for access authorization); DIMAR — the Maritime Authority of Colombia (for passenger manifest as legally required); catering providers, photographers, DJs and other third-party vendors if engaged for your service.
6.2 Technology and business providers
| Provider | Purpose | Country |
|---|---|---|
| Meta Platforms, Inc. | WhatsApp Business messaging | USA |
| Anthropic, PBC | Claude API for AI-assisted responses | USA |
| Google LLC | Analytics 4, Workspace (Gmail) | USA |
| Alegra S.A.S. | Invoicing and accounting | Colombia |
| Bold Payments S.A.S. | Payment processing | Colombia |
| DocuSign, Inc. | Electronic signature for contracts | USA |
| Website hosting provider | Website delivery | USA (Bluehost) |
6.3 Legal and regulatory authorities
When legally required — DIAN (tax), DIMAR (maritime), courts, police, the SIC, or other competent authorities.
6.4 Our legal and financial advisors
On a need-to-know basis, when necessary to defend our rights or comply with legal obligations.
We do not sell your personal data to third parties.
AI-assisted concierge ("Melanie V")
We operate an AI-assisted concierge system named Melanie V to handle inbound WhatsApp conversations efficiently. You have the right to know how it works.
- Incoming messages are processed by the Anthropic Claude API to generate context-appropriate responses about our services.
- A human member of our team (Melanie Viana or authorized staff) monitors all conversations and can take over at any moment without interruption.
- We do not use your conversations to train any AI model. The Anthropic Claude API operates under a standard commercial agreement that prohibits training on customer inputs.
- Conversations are retained in our records as part of the commercial relationship (see Section 9).
- You may, at any time, request that your conversation be handled exclusively by a human. Simply write "I want to speak with a person" or similar, and a human team member will take over.
International data transfers
Some of our providers (Meta, Anthropic, Google, DocuSign) are based in the United States or other jurisdictions outside Colombia. When we transfer your personal data internationally, we ensure the level of protection is adequate, relying on:
- Standard contractual clauses offered by each provider
- Providers certified under recognized international standards (SOC 2, ISO 27001)
- Where applicable, adherence to the EU-US Data Privacy Framework
You authorize these international transfers when you accept this Policy.
How long we keep your personal data
| Category of data | Retention period |
|---|---|
| Booking and service records | 10 years (Colombian commercial code) |
| Invoices and accounting records | 10 years (tax obligation) |
| WhatsApp and email conversations | 5 years after last interaction |
| Passport/ID copies for marina manifests | 2 years, then deleted |
| Boarding and on-board photos/videos for chargeback defense | 18 months after the service (unless a dispute is active) |
| Marketing database | Until you withdraw consent |
| Website analytics (GA4) | 14 months (GA4 default) |
| Data provided to DIMAR | As required by maritime authority regulations |
After the retention period, data is either deleted or anonymized so it can no longer be linked to you.
Your rights
Under Colombian Law 1581 of 2012, you have the right to:
- Know what data we have about you
- Update or rectify inaccurate or incomplete data
- Request proof of the authorization you granted
- Receive information about the use we have given your data
- File complaints before the Superintendence of Industry and Commerce (SIC)
- Revoke your authorization and/or request deletion of your data, when legally possible
Under GDPR (if you are an EU resident), you additionally have the right to:
- Data portability — receive your data in a structured, commonly used format
- Object to processing based on legitimate interest
- Restrict processing temporarily
- Not be subject to automated decisions producing legal effects
- File complaints before your national data protection authority
How to exercise your rights
To exercise any of your rights, write to us at:
Email: [email protected]
Postal address: Calle 32 #3-96, Cartagena de Indias, Colombia
Subject line: "Habeas Data request" or "GDPR request"
Please include your full name, ID or passport number, a copy of your ID for identity verification, a clear description of the right you want to exercise, and an email address for our response.
Our response times: access or consultation — 10 business days (extendable by 5); rectification, deletion or revocation — 15 business days (extendable by 8); GDPR requests — 30 days. If we cannot satisfy your request, we will provide a reasoned response.
Security measures
We apply reasonable technical and organizational measures to protect your data, including:
- Encrypted data storage
- Role-based access controls
- Periodic security reviews
- Written confidentiality agreements with providers and staff
- Incident response procedures for security breaches
- HTTPS encryption on our website and portals
We report any security incident to you and to the SIC within 15 business days, as required by Colombian law.
Minors
Our services are intended for adults (18+). We do not knowingly collect personal data from minors without explicit authorization from their parents or legal guardians. When minors are part of a chartered group, we process their data exclusively for safety, manifest, and service delivery purposes, under the authorization of the adult booking holder.
Photos and videos of the service
During charters, villa stays and experiences, photos and videos may be taken for:
- Operational record — proof of boarding, itinerary and service delivery (legitimate interest, chargeback defense)
- Marketing purposes — only with your specific authorization
When you book, we will ask whether you authorize us to use photos or videos in which you appear for marketing. You may withdraw this authorization at any time by writing to [email protected]. We will stop using the images going forward (we cannot recover printed or already-distributed materials).
Changes to this Privacy Policy
We may update this Policy to reflect changes in our services or applicable law. The version date at the top shows the latest revision. Material changes will be notified via email to active customers and through a visible notice on our website.
Governing law and supervisory authority
This Privacy Policy is governed by the laws of the Republic of Colombia. The competent supervisory authority is the Superintendencia de Industria y Comercio (SIC), Carrera 13 No. 27-00, Bogotá, Colombia — sic.gov.co — [email protected].
If you are an EU resident, you may also file complaints before the data protection authority in your country of residence.
