Contact Us

Privacy Policy

Privacy Policy

Last updated: May 26, 2026
Version: 2.0

GoSouth Adventures (“we”, “us”, “our”) operates the website gosouthcr.com. This Privacy Policy explains how we collect, use, store, and protect your personal data when you visit our website, make a booking, or communicate with us. This policy complies with the General Data Protection Regulation (GDPR) (EU) 2016/679, the UK GDPR, and applicable international data protection standards.

1. Who we are

The data controller responsible for your personal information is:

GoSouth Adventures
Playas del Coco, Guanacaste, Costa Rica
Website: gosouthcr.com
Email: info@gosouthcr.com
Privacy inquiries:  info@gosouthcr.com
WhatsApp: +506 8387-1441

As a company based outside the European Economic Area that offers services to EU/EEA residents, we have assessed our obligations under Article 27 GDPR. Our processing of EU resident data is occasional and limited to booking transactions and inquiries. If you are an EU/EEA resident and wish to contact us regarding your data, please email  info@gosouthcr.com

2.We collect the following categories of personal data:

  • Identity data — First name and last name. Collected through booking forms and contact forms.
  • Contact data — Email, phone, and WhatsApp number. Collected through booking forms and contact forms.
  • Booking data — Tour selection, group size, dates, hotel, special requests, and dietary preferences. Collected through WooCommerce checkout.
  • Payment data — Transaction confirmation and order ID only. We do NOT store card numbers. Handled through WooCommerce + BAC gateway.
  • Technical data — IP address, browser, device, and pages visited. Collected through cookies and Google Analytics.
  • Communication data — Email and WhatsApp message content. Collected through direct communication.

We do not collect sensitive personal data (special categories under Article 9 GDPR) unless you voluntarily share it in connection with a special request (for example, a medical condition or dietary restriction relevant to the tour). In such cases, your explicit consent serves as our legal basis.

Children’s data: Our services are not directed at children under 16. We do not knowingly collect data from children under 16 without parental consent. Bookings that include minors are made by a parent or guardian who provides any necessary information on their behalf.

3.Why we collect your data (legal basis)

We process your personal data on the following legal bases under Article 6 GDPR:

  • Performance of a contract — To process and confirm your booking, process payment securely, coordinate hotel pickup and logistics, and send booking confirmations.
  • Legitimate interests — To respond to inquiries and improve our website.
  • Consent — To send marketing communications.
  • Legal obligation — To comply with legal and tax obligations.

Legitimate interests assessment: Where we rely on legitimate interests, our interest is to operate, maintain, and improve our tour booking service and to respond promptly to potential customers. We have assessed that this processing is necessary, proportionate, and does not override your fundamental rights and freedoms. You have the right to object to this processing at any time (see Section 9).

4. Cookies and tracking technologies

Our website uses cookies to improve your experience and analyze how our site is used. We use the following categories:

  • Strictly necessary cookies — Required for the website and WooCommerce cart to function. You cannot opt out of these.
  • Functional cookies — Remember your preferences. You can opt out.
  • Analytics cookies — Google Analytics with anonymized traffic data and IP anonymization enabled. You can opt out.
  • Marketing cookies — Meta Pixel and Google Ads. Only active with your prior consent. You can opt out.

You can manage or withdraw cookie consent at any time through our cookie banner or by adjusting your browser settings. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

5. WooCommerce and payment processing

Our booking system is powered by WooCommerce (Automattic Inc.). Payments are processed through BAC Credomatic’s secure encrypted gateway. GoSouth Adventures does not store, access, or process your credit card details. Payment data is handled exclusively by the payment processor under PCI-DSS compliance. For WooCommerce’s privacy policy, see automattic.com/privacy.

6. Who we share your data with

We do not sell your personal data. We share it only with the following categories of recipients:

  • BAC Credomatic (Costa Rica) — Payment processing.
  • WooCommerce / Automattic (USA) — Booking platform. Protected by Standard Contractual Clauses (SCCs) and supplementary measures.
  • Google Analytics / Google Ads (USA) — Website analytics and advertising. Protected by SCCs, IP anonymization, and supplementary measures.
  • Meta (WhatsApp, Meta Pixel) (USA) — Communication and advertising. Protected by SCCs.
  • Hotel partners (Costa Rica) — Pickup coordination.
  • Legal authorities — Only as required by law for compliance with legal obligations.

International transfers: Some of our processors are located outside the European Economic Area. Where this is the case, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and apply supplementary technical and organizational measures (such as encryption and pseudonymization) to ensure your data receives an essentially equivalent level of protection. You may request a copy of these safeguards by contacting privacy@gosouthcr.com.

7. How long we keep your data

We retain your personal data for different periods depending on the type of data:

  • Booking and transaction records — 7 years, in line with tax and accounting obligations.
  • Customer communications — 3 years after the last interaction.
  • Marketing consent records — Until withdrawal of consent, plus 1 additional year.
  • Analytics data — 26 months.
  • Cookie data — Session cookies are deleted when you close your browser. Persistent cookies last up to 2 years.

When the retention period ends, your data is securely deleted or anonymized.

8. Data security


We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR. These measures include:

  • HTTPS / TLS encryption across the entire website
  • Encrypted payment processing via PCI-DSS compliant gateway
  • Restricted access to personal data on a need-to-know basis
  • Strong password policies and two-factor authentication on administrative accounts
  • Regular software updates and security patches
  • Periodic backups stored securely

Data breach notification: In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, and we will inform affected individuals without undue delay when required by Articles 33 and 34 GDPR.

9. Your rights under GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — Obtain confirmation of whether we process your data and receive a copy of it.
  • Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — Request deletion of your data (“right to be forgotten”) where legally applicable.
  • Right to restriction (Art. 18) — Request that we limit the processing of your data in specific circumstances.
  • Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object (Art. 21) — Object to processing based on legitimate interests or direct marketing.
  • Rights related to automated decision-making (Art. 22) — We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.
  • Right to withdraw consent (Art. 7.3) — Withdraw your consent at any time, without affecting the lawfulness of prior processing.
  • Right to lodge a complaint (Art. 77) — File a complaint with your national data protection supervisory authority.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The “Last updated” date at the top of this page indicates when the policy was most recently revised. We encourage you to review this policy periodically.

Contact

For any questions about this Privacy Policy or how we handle your personal data, please contact us:

GoSouth Adventures
Playas del Coco, Guanacaste, Costa Rica
General: info@gosouthcr.com
WhatsApp: +506 8387-1441

Scroll to Top