PRIVACY POLICY
Aloha!
Aloha! BlueRez LLC, doing business as BlueRez Software (“BlueRez”, “we”, “us”, or “our”), is a Hawai’i limited liability company with its principal place of business in Maui, Hawai’i. We value your trust and make it a priority to protect the personal information entrusted to us.
This Privacy Policy describes how we collect, use, disclose, retain, transfer, and protect personal information in connection with our websites, cloud-based reservation management platform, booking widgets, guest portals, communications tools, payment-facilitation and payment-processor integrations, operational controls, reporting and configuration tools, Booker checkout terms and acceptance flows, optional or beta/experimental AI-supported features if made available, and related services (collectively, the “Services”).
This Policy is intended to explain BlueRez’s own privacy practices and to supplement, not replace, the privacy notices of the tour, activity, rental, marine, and experience operators that use BlueRez. Those operators remain responsible for their own customer-facing privacy notices, disclosures, and legal compliance.
If a Client has entered into a Master Service Agreement or Data Processing Addendum with BlueRez, that agreement governs BlueRez’s processing of Customer Personal Data on the Client’s behalf as between BlueRez and the Client. This Policy provides general public notice and does not override any applicable written agreement, Schedule 2 Data Processing Addendum, Standard Contractual Clauses, or other mandatory transfer terms.
Mahalo!
Who This Policy Covers
This Policy applies to:
(a) Business clients, prospective business clients, and their authorized users, staff, agents, and representatives who access or interact with the BlueRez platform (“Clients” or “Client Users”);
(b) End customers and guests of Clients who interact with booking flows, guest portals, waivers, intake forms, communications, Booker checkout terms, payment authorizations, or other experiences powered by BlueRez (“Bookers”);
(c) Website visitors, demo requesters, newsletter subscribers, support contacts, and other individuals who interact with BlueRez outside a Client booking flow; and
(d) Individuals whose information is included in reservations, waivers, intake forms, manifests, support requests, communications, payment records, checkout acceptance records, version identifiers, transaction metadata, or other records processed through the Services.
This Policy does not apply to the privacy practices of our Clients, third-party payment processors, online travel agencies, channel partners, or other third parties. When BlueRez processes Customer Personal Data, Booker data, or guest information on behalf of a Client, the Client is generally the business, controller, merchant/operator, seller of the underlying activity, and party to the reservation contract with the Booker, and BlueRez acts as the Client’s service provider, contractor, processor, or equivalent role. The Client is responsible for its own Booker-facing privacy notices, fee disclosures, checkout terms, waiver disclosures, communication consents, and legal compliance, including disclosures for information collected through the Client’s website, booking widget, waivers, intake forms, communications, or integrations.
BlueRez may independently determine the purposes and means of processing for limited business purposes such as account administration, billing, payment-risk management, security, fraud prevention, PSP and legal compliance, service analytics, service improvement, product improvement using de-identified or aggregated data, and enforcing our agreements. This Policy also does not apply to BlueRez job applicants, employees, or contractors, except to the extent a separate notice expressly refers to this Policy.sures to its customers. This Policy also does not apply to job applicants or BlueRez employees.
Terms Used in This Policy
“Personal information” or “personal data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or can reasonably be linked to an identified or identifiable natural person or household. It does not include aggregated, de-identified, or anonymized information where it cannot reasonably be used to identify an individual.
“Business Partners” or “Clients” refers to businesses and individuals who have entered into a service agreement with BlueRez to use the platform, including tour operators, activity providers, marine operators, rental operators, and other experience-based businesses.
“Bookers” refers to end customers, guests, participants, purchasers, or other individuals whose information is processed through a BlueRez-powered booking, guest, waiver, communication, payment, or operational workflow.
“Customer Data” means data submitted to, generated by, or processed through the Services by or on behalf of a Client, including Booker data, Client business data, reservation data, communications, and operational records.
“Customer Personal Data” means Customer Data that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with an individual or household, including Booker personal data, where BlueRez processes it on behalf of a Client under an applicable agreement or data processing addendum.
“Sensitive personal information” means information treated as sensitive under applicable law, which may include login credentials, government identification numbers, financial account information, precise geolocation, health or accessibility information, information about minors, racial or ethnic origin, biometric information, or similar categories.
1. Information We Collect
1.1 Information You Give Us
When you use our Services, request a demo, fill out a form, subscribe to updates, create or administer an account, complete payment or verification steps, or interact with us, we may collect:
(a) Account and contact information: full name, business name, role or title, email address, phone number, account username, business address, notice address, and contact preferences;
(b) Business, financial, and tax information: bank account details for payouts, billing information, tax ID or EIN, Form W-9 information, invoice records, payment history, settlement information, payout records, chargeback and refund records, and other information needed for accounting, risk, tax, or payment-facilitation purposes;
(c) Contract, onboarding, and verification information: agreement details, services purchased, configuration information, implementation materials, business licenses, company registration documents, ownership or authorized-representative information, and related correspondence;
(d) Platform content and configuration data: listings, pricing, schedules, availability, staff roles, waivers, intake forms, email/SMS templates, policies, guest instructions, logos, photos, and other content or settings submitted by Clients or authorized users;
(e) Credentials and security information: login credentials, authentication factors, role permissions, account activity, audit logs, password reset information, and security-event information; and
(f) Communications: content of messages, emails, chats, calls, support tickets, feedback, surveys, demo requests, and other communications with BlueRez.
1.2 Information We Collect About Bookers (On Behalf of Clients)
When a Booker makes a reservation, communicates with a Client, completes a waiver or intake form, uses a guest portal, accepts Booker checkout terms, authorizes payment, receives automated communications, or otherwise interacts with a BlueRez-powered workflow, we may process the following information on behalf of the applicable Client:
(a) Contact and identity information: name, email address, phone number, billing address, guest or participant names, age range or date of birth where configured by the Client, and similar contact or identity details;
(b) Booking, checkout, and operational information: reservation date and time, activity or service type, vessel/resource assignment, party size, purchase details, add-ons, tips, gratuities, discounts, coupon codes, check-in status, waiver status, no-show information, rescheduling, cancellation, refund information, special requests, fee-disclosure and payment-authorization records, checkout terms acceptance status, timestamps, version identifiers, transaction identifiers, and related metadata;
(c) Payment information: payment method details and payment metadata processed through third-party payment processors, such as Stripe Connect where enabled, tokens, processor customer IDs, connected account or merchant identifiers, transaction IDs, last four digits, card brand, authorization status, refund status, dispute or chargeback status, and platform-fee/application-fee metadata. BlueRez does not store full payment card numbers or full card security codes;
(d) Communications and customer-service records: booking confirmations, reminders, transactional messages, chat or AI-assisted interactions, call notes, support requests, responses, feedback, NPS or survey responses, message consent or opt-out metadata where applicable, and related metadata;
(e) Waiver, intake, and guest-submitted information: information a Client asks Bookers or participants to provide, which may include emergency contact details, dietary or accessibility needs, medical or safety-related information, certifications, signed waivers, acknowledgments, preferences, photos, or similar information depending on how the Client configures the Services; and
(f) Device and usage information: IP address, device information, browser information, approximate location, timestamps, interaction data, and other technical information associated with use of a BlueRez-powered booking or guest experience.
1.3 Information from Third-Party Sources
We may receive information about you, Clients, Client Users, Bookers, or transactions from third-party sources, including:
(a) Clients, authorized users, staff, agents, channel partners, online travel agencies, accounting tools, POS systems, waiver providers, communication tools, and other integrations used or enabled by a Client;
(b) Payment processors, banks, card networks, fraud-prevention services, know-your-customer or business-verification providers, sanctions-screening providers, and payout or tax-reporting partners;
(c) Publicly available sources, business directories, referrals, marketing partners, and data-enrichment providers used to verify, update, or correct business contact information;
(d) Law enforcement, regulators, tax authorities, courts, or other parties involved in legal, safety, fraud, chargeback, or compliance matters; and
(e) Cookies, analytics, monitoring, and security providers that help us operate, secure, troubleshoot, and improve the Services.
1.4 Information Collected Automatically
When you visit our website or use our platform, booking widgets, guest portals, or related Services, we and our service providers may automatically collect:
(a) IP address, approximate location based on IP address, browser type, operating system, device type, user-agent information, device identifiers, and mobile app identifiers;
(b) Pages or screens viewed, features accessed, referring URL, time and date of visit, language settings, session duration, click activity, search or navigation activity, and other usage data;
(c) Log files, security telemetry, crash reports, diagnostics, authentication events, API activity, and performance data;
(d) Cookie identifiers and similar tracking technologies, as described in Section 8; and
(e) Recognized privacy preference signals, such as Global Privacy Control (GPC), where our systems detect them and applicable law requires us to honor them.
If a Client enables mobile, crew, location-based, check-in, or operational features, we may process device location, push notification tokens, shift activity, schedule activity, or similar operational data from authorized users or devices, subject to device permissions and Client configuration where required.es, certain information is required as part of your contractual obligations. When using our website, some technical data collection is unavoidable.
1.5 Information You Provide About Others
If you share personal information about other individuals, such as staff members, guests, participants, emergency contacts, or other Bookers, you represent that you have the authority to do so and, where required, that those individuals have received appropriate notice and any required consent.
1.6 Sensitive Information
BlueRez does not require sensitive personal information for routine account creation other than limited information needed for account security, payments, tax, fraud prevention, and legal compliance. However, the Services may process sensitive information when a Client configures a waiver, intake form, accessibility request, safety workflow, crew feature, payment workflow, or other supported feature to collect it. Clients should not submit health, biometric, government identification, children’s, payment-card, or other sensitive data to the Services unless the data is necessary for the requested or supported functionality or BlueRez has approved that processing in writing where required by the applicable agreement. Please do not submit sensitive information unless it is necessary for the requested service or requested by the applicable Client. Where required by law, BlueRez or the applicable Client will rely on consent or another legally permitted basis for processing sensitive information.
2. How We Use Personal Information
We use personal information for the following purposes:
(A) Contractual relationship and service delivery: to enter into, administer, and perform agreements with Clients; provide, operate, configure, support, maintain, and improve the Services; process reservations; manage accounts; provide customer service; and implement Booker checkout terms, payment authorizations, privacy notices, cancellation/refund-policy links, waiver links, and related booking-flow disclosures as configured or authorized by Clients.
(B) Booking, payment, and Client operations: to process bookings, guest communications, payment authorizations, refunds, chargebacks, settlements, payouts, taxes, invoices, reports, waivers, check-ins, scheduling, manifests, Client Fees or fee-disclosure records, checkout acceptance logs, and other operational workflows as configured or instructed by Clients.
(C) Account management: to create, authenticate, administer, secure, and maintain Client accounts and user permissions; provide platform access; support onboarding; and enable data export and account-management functionality.
(D) Communications: to contact Clients, Client Users, Bookers, and other individuals by email, SMS, phone, chat, push notification, or similar channels about accounts, bookings, reservations, service updates, support, security, payments, compliance, or inquiries. For Client-directed communications, BlueRez sends communications based on Client instructions and data, and the Client remains responsible for legally required communication consents, unsubscribe or opt-out handling, message content, and sender disclosures.
(E) Security, fraud prevention, and platform integrity: to detect, investigate, prevent, and respond to fraud, chargebacks, illegal activity, misuse, spam, malware, security incidents, unauthorized access, and threats to the Services, Clients, Bookers, BlueRez, or third parties.
(F) Platform improvement, analytics, and optional AI-supported features: to analyze usage patterns, monitor performance, troubleshoot issues, improve features, develop new capabilities, train staff, produce analytics, and, if made available or enabled, provide AI-supported booking, support, communication, scheduling, inventory, reporting, and recommendation features.
(G) Marketing and relationship management: to send relevant communications about BlueRez products, services, events, and updates to Clients, prospective Clients, and business contacts. You may opt out of marketing communications at any time by contacting us at info@bluerez.com or using the unsubscribe mechanism in a marketing email.
(H) Legal and compliance: to comply with applicable laws, tax obligations, payment rules, card-network rules, court orders, subpoenas, regulator or law-enforcement requests, sanctions/export obligations, IRS Form 1099-K or similar reporting obligations, and security-breach notification requirements.
(I) Business transfers and corporate transactions: to evaluate, negotiate, or complete a merger, acquisition, financing, reorganization, bankruptcy, sale of equity, sale of assets, or transfer of all or part of BlueRez or the Services.
(J) Enforcing rights and agreements: to enforce agreements, collect amounts owed, resolve disputes, protect legal rights, and defend or bring claims.
Legal Bases for Processing
Where the GDPR, UK GDPR, or similar law requires a legal basis, BlueRez relies on the following legal bases for its own controller processing. For Customer Personal Data and Booker data processed on behalf of a Client, the Client generally determines the applicable legal basis and BlueRez processes the data under the Client’s documented instructions, including any applicable MSA, Order Form, Terms of Service, Operational Policies, Data Processing Addendum, Client platform configuration, and lawful written instructions.
| Purpose | Typical legal basis |
|---|---|
| Providing and administering Client accounts and the Services | Performance of a contract; legitimate interests in operating the Services |
| Processing bookings, payments, communications, checkout terms acceptance records, and operational workflows as instructed by a Client | For Client-controlled Customer Personal Data and Booker data, the Client determines the legal basis and BlueRez processes under Client instructions; for BlueRez controller activities, contract, legitimate interests, and legal obligations may apply |
| Security, fraud prevention, abuse prevention, chargeback management, and platform integrity | Legitimate interests; legal obligations where applicable |
| Tax, accounting, KYC, sanctions, regulatory, and legal compliance | Compliance with legal obligations; legitimate interests |
| Marketing to Clients, prospective Clients, and business contacts | Legitimate interests or consent where required; consent can be withdrawn at any time |
| Cookies, analytics, and similar technologies | Legitimate interests for necessary and basic analytics cookies; consent where required for non-essential cookies |
| AI-supported features, if made available, product improvement, de-identified analytics, and service development | Legitimate interests in improving and securing the Services; Client instructions for Customer Personal Data and Booker data; consent where required |
| Sensitive personal information | Explicit consent, Client instructions, legal obligation, or another legally permitted basis where applicable |
AI-Supported Features and Automated Processing
BlueRez does not represent or commit that any artificial intelligence, machine learning, automated decision-support, or similar functionality (“AI Features”) is currently available, included in the Services, or part of any product roadmap or delivery commitment. If BlueRez makes AI Features available, they may include tools such as chat or booking assistance, message suggestions, summaries, upsell or recommendation features, scheduling support, inventory insights, reporting, and other decision-support functionality. These tools may process Client content, Booker communications, booking data, usage data, and operational information to generate outputs or recommendations.
BlueRez does not use identifiable Customer Personal Data, Customer Data, or Booker personal data to train or fine-tune third-party foundation models without the applicable Client’s prior written authorization. BlueRez may use de-identified, aggregated, or anonymized data, system telemetry, and non-identifiable usage information to operate, secure, improve, benchmark, and develop the Services and AI-supported features, subject to applicable law and applicable agreements.
AI Features, if made available, are optional, assistive, and may be provided as beta, preview, pilot, or experimental functionality. AI outputs may be inaccurate, incomplete, delayed, biased, or unsuitable for a particular purpose and do not constitute legal, tax, accounting, safety, compliance, insurance, or professional advice. BlueRez does not use personal information to make automated decisions about individuals that produce legal or similarly significant effects. Clients remain responsible for required notices, consents, legal bases, human review, approval, and lawful use of AI-supported features in their own operations.
3. How We Share Personal Information
3.1 Service Providers
We share personal information with third-party service providers, contractors, and subprocessors that help us operate the Services, subject to contractual restrictions appropriate to the nature of the information and applicable law. For Customer Personal Data processed under an applicable MSA or Data Processing Addendum, BlueRez’s use of Subprocessors is governed by that agreement, including any material Subprocessor notice mechanisms that apply. These providers may include:
(a) Payment processors, banks, card-network or payment-method partners, payout providers, tax-reporting providers, and fraud-prevention vendors;
(b) Cloud infrastructure, hosting, storage, database, backup, security, monitoring, logging, and incident-response providers;
(c) Email, SMS, phone, chat, push notification, and other communication providers;
(d) Analytics, product-monitoring, debugging, customer-support, CRM, demo, and relationship-management tools;
(e) Business verification, KYC, sanctions-screening, identity-verification, and risk vendors;
(f) AI, automation, and workflow providers that help us deliver or improve AI-supported features, subject to the AI commitments in this Policy and applicable agreements; and
(g) Professional advisers, insurers, auditors, accountants, and legal counsel.
Service providers and subprocessors are authorized to use personal information only as necessary to provide services to BlueRez or the applicable Client, comply with law, protect security, or as otherwise permitted by applicable contracts and law. Where required by an applicable agreement or privacy law, BlueRez requires Subprocessors to comply with written obligations materially protective of Customer Personal Data and consistent with BlueRez’s obligations.
3.2 Clients
Booker and guest information collected through a Client’s BlueRez-powered booking flow, guest portal, waiver, intake form, communication, payment, checkout-acceptance, or operational workflow is made available to the applicable Client for purposes of fulfilling reservations, operating its business, providing customer service, complying with law, and using the Services. Clients are responsible for their own use and disclosure of Booker and guest information and for the underlying activity, accuracy of listings, customer service, safety rules, waivers, cancellation/refund policy, fulfillment, privacy notices, and other Booker-facing terms and disclosures.
3.3 Payment Processors and Financial Partners
Payments are processed by third-party payment processors and financial partners, including Stripe Connect where enabled. Those providers may process payment information, PSP account data, connected-account information, and transaction information under their own terms and privacy notices. For direct online bookings configured through Stripe Connect, payments may be processed as direct charges to the Client’s connected Stripe account, with BlueRez receiving its platform fee/application fee and related metadata. BlueRez receives payment metadata and transaction information needed to provide the Services, facilitate payouts, manage refunds and chargebacks, comply with tax and payment obligations, and prevent fraud.
3.4 Client-Directed Integrations and Third Parties
If a Client enables or requests an integration, export, channel connection, online travel agency connection, accounting export, POS integration, communication integration, waiver tool, map/location service, Booker checkout flow, or other third-party feature, BlueRez may share or receive information as needed to provide the integration or comply with the Client’s instructions. BlueRez is not responsible for the privacy practices of third parties that are not acting as BlueRez service providers.
3.5 Legal, Regulatory, Safety, and Enforcement
We may disclose information as required or permitted by law, court order, subpoena, regulator or government request, tax authority request, law-enforcement request, card-network or payment-rule request, or similar process. We may also disclose information where we believe disclosure is reasonably necessary to protect rights, safety, security, property, the Services, Clients, Bookers, BlueRez, or others; investigate fraud or misuse; resolve disputes; enforce agreements; or respond to legal claims.
3.6 Business Transfers
In the event of a merger, acquisition, financing, reorganization, bankruptcy, sale of equity, sale of assets, or transfer of all or part of BlueRez or the Services, information may be transferred to the acquiring or successor entity, subject to appropriate confidentiality and privacy protections.
3.7 Aggregated, De-Identified, or Anonymized Information
We may create, use, and disclose aggregated, de-identified, or anonymized information, usage telemetry, product analytics, and statistical data for analytics, benchmarking, reporting, research, security, service improvement, product development, and business purposes, provided the information does not reasonably identify a Client, Booker, individual, or Client-specific confidential information. We will not use Client identifiable data, Booker data, booking data, pricing, availability, or operational data to provide another client or operator with Client-specific competitive intelligence or to benefit a competing operator, except for de-identified or aggregated data permitted by applicable agreements and law. We will maintain and use de-identified information in de-identified form and will not attempt to re-identify it except as permitted by law, such as to test or validate de-identification safeguards.
3.8 No Sale or Sharing for Targeted Advertising
BlueRez does not sell personal information for money, rent personal information, or trade personal information to third parties for their own marketing purposes. BlueRez also does not currently share personal information or Customer Personal Data for cross-context behavioral advertising or process personal information for targeted advertising as those terms are used in applicable U.S. state privacy laws. If our practices change, we will update this Policy and provide any legally required opt-out mechanisms. BlueRez does not knowingly sell or share the personal information of minors under 16.
4. Data Retention
We retain personal information for as long as reasonably necessary to fulfill the purposes described in this Policy, provide the Services, comply with legal, tax, accounting, payment, security, and regulatory obligations, resolve disputes, enforce agreements, maintain business records, comply with Client instructions and applicable contracts, and honor any applicable post-termination export, deletion, backup, and retention provisions.
Specifically:
(a) Client account, contract, billing, support, and administrative data is generally retained for the duration of the Client relationship and for five (5) years following termination, or longer where required for legal, tax, accounting, fraud-prevention, dispute, or payment purposes;
(b) Booker reservation, transaction, communication, waiver, checkout-acceptance, and operational data is retained according to the applicable Client’s configuration, instructions, and agreement with BlueRez, and may be retained for at least five (5) years following the relevant transaction or reservation where reasonably necessary for chargeback resolution, refunds, tax, accounting, legal compliance, fraud prevention, audit, or dispute purposes. After any applicable post-termination export period, BlueRez may delete Customer Personal Data from active systems in accordance with its retention practices, subject to backups, logs, archives, audit records, fraud/risk records, tax records, legal/compliance records, and dispute records;
(c) Payment, payout, tax, risk, chargeback, fraud, and compliance records may be retained for the periods required or permitted by law, payment rules, card-network rules, tax requirements, audit obligations, and legitimate business needs;
(d) Security logs, audit logs, backups, diagnostic records, and technical data are retained for periods consistent with BlueRez’s standard data-management, security, backup, and disaster-recovery practices. Backups are not generally searchable or editable and may be overwritten on BlueRez’s normal backup cycle, unless a longer period is needed for security, legal, compliance, or dispute purposes;
(e) Marketing records are retained until you unsubscribe or opt out, and thereafter as needed to maintain suppression lists and comply with law; and
(f) Aggregated, de-identified, or anonymized information may be retained for longer periods where permitted by law.
Deletion requests may be subject to legal, contractual, backup, fraud-prevention, tax, accounting, payment, security, and recordkeeping exceptions. When we no longer need personal information, we will delete, de-identify, anonymize, or retain it in accordance with applicable law, our contracts, and our data-management practices.
5. Data Security
We maintain a commercially reasonable written information-security program and implement administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, loss, misuse, or destruction, taking into account the nature of the Services, the personal information processed, BlueRez’s size and maturity, and the risks presented by the processing. Our measures may include:
(a) Encryption of data in transit and encryption at rest where supported by our hosting environment and appropriate to the data;
(b) Role-based access controls, least-privilege access, user permissions, authentication controls, and two-factor authentication where available;
(c) Security monitoring, logging, vulnerability management, backup procedures, and incident-response procedures;
(d) Vendor-risk review and contractual controls for material service providers and subprocessors;
(e) Training and policies for personnel with access to personal information; and
(f) Payment card data processed through PCI-DSS compliant payment processors. BlueRez does not store full card numbers or full card security codes.
No method of data transmission or storage is completely secure. Clients and authorized users are responsible for maintaining the security of their accounts, credentials, devices, personnel access, role permissions, and Client-controlled integrations. Clients should promptly remove former personnel, use strong passwords, enable two-factor authentication where available, and notify BlueRez of suspected unauthorized access or credential compromise.
In the event of a security incident affecting personal information, we will provide notices as required by applicable law and our contracts, including, where applicable, Hawai’i’s security breach notification statute (Haw. Rev. Stat. Chapter 487N). Where BlueRez acts as a processor or service provider for Client-controlled Customer Personal Data, we will notify the affected Client as required by the applicable agreement and law, including Schedule 2 to the applicable MSA where it applies.7N).
6. Your Rights and Choices
6.1 All Users
Depending on where you live and how you interact with the Services, you may have rights to access, correct, delete, restrict, object to, or obtain a copy of certain personal information; to opt out of certain processing; to withdraw consent; and to appeal a denial of certain requests. These rights may be limited by law, by our role as a processor or service provider for a Client, and by exceptions for security, fraud prevention, legal compliance, tax, accounting, payment, contract, and business-record purposes.
You may at any time:
(a) Access and update certain account information through the BlueRez platform;
(b) Request export of Customer Data through the available platform tools or as described in the applicable agreement;
(c) Request deletion of your BlueRez account or certain account information by contacting us at info@bluerez.com or using the account deletion request page at www.bluerez.com/deletion-request/;
(d) Opt out of BlueRez marketing emails by clicking “unsubscribe” or contacting info@bluerez.com; and
(e) Manage cookies through your browser settings or any cookie preference tools we provide.
6.2 Booker Requests
If you are a Booker or guest whose information was processed through a Client’s booking, waiver, intake, communication, payment, checkout, or guest workflow, the applicable Client is generally the business or controller responsible for receiving, verifying, and responding to your privacy request. Please contact the operator or business with which you booked. You may also contact BlueRez at info@bluerez.com, and we may refer your request to the Client, process the request in accordance with the Client’s instructions, or otherwise support the request as appropriate and as required by law or contract.
6.3 California Residents (CCPA / CPRA)
This section supplements this Privacy Policy and applies to California residents to the extent the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), applies to BlueRez’s processing of personal information. California residents may have the following rights:
(a) Right to know/access: request the categories and specific pieces of personal information we collect, use, disclose, sell, or share;
(b) Right to delete: request deletion of personal information we collected from or about you, subject to exceptions;
(c) Right to correct: request correction of inaccurate personal information;
(d) Right to opt out: opt out of the sale or sharing of personal information. BlueRez does not currently sell personal information or share it for cross-context behavioral advertising;
(e) Right to limit: limit use and disclosure of sensitive personal information where required by law. BlueRez uses sensitive personal information only for permitted business purposes, as directed by Clients, with consent where required, or as otherwise permitted by law;
(f) Right to non-discrimination: we will not discriminate against you for exercising CCPA rights; and
(g) Authorized agent rights: you may use an authorized agent where permitted by law, subject to verification and proof of authority.
To submit a California rights request, contact us at info@bluerez.com with the subject line: “California Resident Privacy Rights – Request”. If you are an authorized agent, please include proof of authority and information sufficient for us to verify the request. If the request relates to Customer Personal Data or Booker data controlled by a Client, we may direct you to the Client, refer the request to the Client, or work with the Client to respond.
The following table describes the categories of personal information we may have collected in the last twelve (12) months. The sources, purposes, categories of recipients, and retention criteria are described in Sections 1 through 7 of this Policy.
| Category | Examples collected by BlueRez |
|---|---|
| A. Identifiers | Name, email address, phone number, account name, username, business contact information, billing address, IP address, device identifiers, transaction identifiers, booking identifiers, and similar identifiers. |
| B. Personal information under Cal. Civ. Code Section 1798.80 | Name, address, phone number, payment account metadata, bank account information for payouts, tax ID or EIN for business verification or tax reporting, signature information in waivers, and similar records. |
| C. Protected classifications | Generally not collected by BlueRez as a controller. Client-configured waivers or intake forms may collect age, accessibility, or similar information as directed by the Client and provided by the Booker or participant. |
| D. Commercial information | Booking history, products or services purchased or considered, activity selections, add-ons, Client Fees or fee disclosures, discounts, refunds, chargebacks, payment status, checkout terms acceptance records, Client relationship records, and transaction history. |
| E. Internet or network activity | Browsing or platform usage data, pages/screens viewed, feature usage, click activity, session data, logs, device/browser data, cookie IDs, and security telemetry. |
| F. Geolocation data | Approximate location derived from IP address; device location only if a Client-enabled feature or user/device permission provides it. |
| G. Audio, electronic, visual, or similar information | Support communications, chat messages, call notes or recordings where enabled and disclosed, uploaded logos or photos, waiver attachments, and electronic signatures. |
| H. Professional or employment-related information | Business name, role, title, employer, staff scheduling or operational information for Client Users where configured by the Client. |
| I. Education information | Not intentionally collected by BlueRez as a controller. |
| J. Inferences | Usage patterns, account preferences, risk signals, analytics, operational insights, AI-supported suggestions or recommendations where enabled, and product or support preferences derived from activity. |
| K. Sensitive personal information | Account login credentials, financial account information, tax identifiers for business reporting, precise geolocation if enabled, government identification information if submitted, waiver/intake information such as health, accessibility, dietary, emergency contact, or minor participant information where configured by a Client, and similar information. |
BlueRez does not sell or share the categories listed above for cross-context behavioral advertising. We disclose these categories to the categories of recipients described in Section 3, including service providers, payment processors, Clients, Client-directed integrations, legal recipients, and business-transfer recipients. We retain these categories according to Section 4.
6.4 Other U.S. State Residents
Residents of states with comprehensive privacy laws, such as Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Delaware, Iowa, Montana, New Hampshire, New Jersey, Tennessee, Indiana, Kentucky, Rhode Island, Minnesota, Maryland, and other states as their laws become effective, may have rights similar to those described above, including rights to access, correct, delete, obtain a portable copy of personal information, opt out of sale, targeted advertising, or certain profiling, and appeal a denied request.
BlueRez does not currently sell personal information, process personal information for targeted advertising, or use profiling to make decisions that produce legal or similarly significant effects concerning individuals. Where applicable law requires us to honor recognized universal opt-out mechanisms or opt-out preference signals, such as Global Privacy Control, we will do so to the extent the signal applies to our processing and can be honored in a commercially reasonable and legally required manner.
To submit a U.S. state privacy request, contact us at info@bluerez.com with the subject line: “US Resident Privacy Rights – Request”. To appeal a denied request where applicable law provides an appeal right, reply to our decision email or contact info@bluerez.com with the subject line: “Privacy Appeal”.
6.5 EEA, UK, and Swiss Residents (GDPR)
If the GDPR, UK GDPR, Swiss Federal Act on Data Protection, or similar law applies to BlueRez’s processing of your personal data, you may have the following rights, subject to legal limitations and our role as controller or processor:
(a) Right of access to personal data we hold about you;
(b) Right to rectification of inaccurate or incomplete data;
(c) Right to erasure, also known as the “right to be forgotten”;
(d) Right to restrict processing;
(e) Right to data portability;
(f) Right to object to processing based on legitimate interests or direct marketing;
(g) Right to withdraw consent where processing is based on consent;
(h) Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, where applicable; and
(i) Right to lodge a complaint with a competent data protection supervisory authority.
For Booker data processed on behalf of a Client, please contact the applicable Client first because the Client generally determines the purposes and legal basis for processing and is responsible for receiving, verifying, and responding to data subject requests. You may also contact BlueRez at info@bluerez.com, and we will route, refer, process under Client instructions, or support the request as appropriate.
BlueRez has not appointed a Data Protection Officer as of the Last Modified date. GDPR, UK GDPR, or Swiss privacy inquiries may be sent to info@bluerez.com. If BlueRez is legally required to appoint an EEA, UK, or Swiss representative, BlueRez will identify that representative in this Policy or another legally sufficient notice.
6.6 Verification, Timing, and Limitations
We may need to verify your identity and authority before responding to a privacy request. We will respond within the time required by applicable law, generally within forty-five (45) days for U.S. state privacy requests and within one (1) month for GDPR-related requests, unless an extension is permitted. We may deny or limit requests where permitted by law, including where we cannot verify the request, where the request relates to Client-controlled data, or where retention is required for security, fraud prevention, legal compliance, payment, tax, accounting, contractual, or dispute purposes.ds, including Standard Contractual Clauses as approved by the European Commission, where required.
7. Children’s Privacy
The BlueRez platform is a business-to-business service and is not directed to children under 13. We do not knowingly collect personal information directly from children under 13 as a controller. Some Clients may use the Services to process information about minor guests or participants, such as names, ages, waiver signatures, or safety information, in connection with bookings made by adults or guardians. In those circumstances, BlueRez processes the information on behalf of the Client, and the Client is responsible for obtaining any required parental or guardian consent and providing legally required notices.
If we become aware that we collected personal information from a child under 13 as a controller without legally required consent, we will take reasonable steps to delete it. We do not knowingly sell or share personal information of minors under 16.
8. Cookies and Tracking Technologies
8.1 What Are Cookies
When you use our website, platform, booking widgets, or guest experiences, we use cookies and similar online tracking technologies. A cookie is a small text file placed on your device that stores information about your visit, session, preferences, or interactions. Similar technologies may include pixels, web beacons, local storage, SDKs, scripts, tags, and tracking URLs.
8.2 How We Use Cookies
We may use the following categories of cookies and similar technologies:
(a) Functional / Necessary cookies: required for the website or platform to operate correctly. These enable login, authentication, session management, security, fraud prevention, load balancing, language or currency preferences, and checkout functionality. Disabling these may affect functionality;
(b) Analytical / Performance cookies: used to understand how users interact with the website or platform, identify areas for improvement, troubleshoot errors, measure feature performance, and improve the Services. We use analytics data in aggregated or de-identified form where practicable;
(c) Preference cookies: used to remember choices, settings, or preferences; and
(d) Advertising or targeting cookies: BlueRez does not currently use cookies on the platform for interest-based advertising, retargeting, cross-context behavioral advertising, or behavioral profiling. If we deploy these technologies in the future, we will update this Policy and provide any legally required consent or opt-out controls.
8.3 Cookie Choices
You can manage cookie preferences through your browser settings, device settings, and any cookie preference tools we provide. Most browsers allow you to block or delete cookies. Blocking cookies may affect website, booking, checkout, or platform functionality.
Some browsers or extensions transmit privacy preference signals, such as Global Privacy Control. Where applicable law requires us to honor a recognized signal and the signal applies to our processing, we will treat it as an opt-out request to the extent required by law. “Do Not Track” signals are not uniformly recognized by law or technology standards, and our response may differ from our response to legally recognized opt-out preference signals.
9. International Data Transfers
BlueRez is based in Maui, Hawai’i, USA, and the Services are primarily operated from the United States. If you are located outside the United States, your personal information may be transferred to, stored in, accessed from, or processed in the United States or other jurisdictions that may not provide the same level of data protection as your home jurisdiction.
Where required for transfers of personal data from the EEA, UK, or Switzerland to the United States or other countries that do not have an applicable adequacy decision, we will implement appropriate safeguards, such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum or International Data Transfer Agreement, Swiss transfer safeguards, transfer impact assessments, an applicable adequacy decision, recognized certification framework, or other legally permitted mechanism. For Customer Personal Data controlled by a Client, the Client is responsible for implementing transfer mechanisms required for its controller-to-processor relationship with BlueRez, and BlueRez will provide reasonable cooperation as required by applicable agreements, Schedule 2, Standard Contractual Clauses, and law.
10. Third-Party Links and Integrations
The BlueRez website and platform may contain links to third-party websites or integrate with third-party tools, including payment processors, Stripe Connect, online travel agencies, channel managers, waiver providers, communication platforms, analytics providers, accounting tools, POS systems, map/location services, app stores, and Client-selected integrations. BlueRez is not responsible for the privacy practices, security, or content of third parties that are not acting as BlueRez service providers. We encourage Clients and Bookers to review the privacy policies and terms of any third-party services used in connection with the Services.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will post the updated Policy at www.bluerez.com/privacy with a revised effective date or last modified date. For material changes, we will provide notice to Clients by email, in-product notice, posting, or another reasonable method before or when the change becomes effective, as required by applicable law or contract. No Privacy Policy update is intended to override or materially reduce BlueRez’s express obligations under an applicable signed agreement, Data Processing Addendum, or mandatory transfer terms. Your continued use of the Services after the effective date of an updated Policy is subject to the updated Policy and any applicable agreements.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
BlueRez LLC dba BlueRez Software
Maui, Hawai’i, USA
Email: info@bluerez.com
Website: www.bluerez.com
Account deletion request page: www.bluerez.com/deletion-request/
We will respond to inquiries and privacy requests within the time required by applicable law.