1. Introduction
Toucan Discovery attaches fundamental importance to protecting your privacy and your personal data. This Privacy Policy describes how we collect, use, store and protect the information you entrust to us when you visit our website www.toucandiscovery.com
or use our services.
This policy applies in compliance with:
- do General Data Protection Regulation (GDPR, EU 2016/679) for visitors and clients residing in the European Union;
- of the Costa Rican law No. 8968 on the protection of personal data;
- the international best practices regarding privacy.
2. Data controller
Toucan Discovery S.R.L. — Destination Management Company
Legal ID: 3-102-862013
Headquarters San Jose, Costa Rica
Legal Representative Tristan Martin, founder
Contact: admin@toucandiscovery.com
Phone / 24/7 Support: +506 8777-7166
3. Personal data collected
We only collect the data strictly necessary to provide our services or improve your experience. Depending on how you interact with us, this may include:
Identification and contact data
- First and last name
- Email address
- Phone number
- Country / city of residence
- Preferred language
Travel-related data
- Desired destination, dates, number of travelers
- Travel preferences (type of accommodation, activities, dietary requirements)
- Passport information (only if necessary to book a service)
- Specific requests (accessibility, medical needs if shared)
Browsing data
- IP address (anonymized)
- Browser type, device, operating system
- Pages viewed, time spent, traffic source
- Cookies (see dedicated section)
Professional data (B2B partners)
- Company, position, business contact details
- History of exchanges and quotes
Important: we do not collect any sensitive data (health, political or religious opinions, sexual orientation) without your explicit consent and only if strictly necessary for your trip.
4. Purposes of processing
Your data is processed for the following purposes:
- Handling your quote request and designing your tailor-made travel program
- Booking services (hotels, transport, guides, activities) with our local partners
- Sales follow-up and reminders if your request did not go through
- Invoicing and accounting
- Support during your trip (24/7 assistance in Costa Rica)
- Marketing communication (newsletter, news) — only with your consent
- Website improvement and user experience
- Compliance with our legal and tax obligations
5. Legal bases for processing
In accordance with Article 6 of the GDPR, our processing is based on:
- The performance of a contract — for the management of your trip
- Your consent — for the newsletter and non-essential cookies
- Our legitimate interest — for anonymized audience measurement and fraud prevention
- Compliance with legal obligations — for accounting and the retention of tax documents
6. Data recipients
Your data is never sold. It may be shared, strictly to the extent necessary to perform our services, with:
- Our local partners in Costa Rica, Panama, Nicaragua: hotels, transport companies, guides, activity providers (only the information necessary for your service)
- Our technical service providers : hosting provider Hostinger, invoicing tools (Ezus), communication tools, professional email platform
- The competent authorities where legally required (customs, tax administration)
All our partners and service providers are contractually committed to respecting the confidentiality and security of your data.
7. International data transfers
As Toucan Discovery is established in Costa Rica, some of your data may be processed outside the European Union. In that case, we ensure:
- That the destination country provides an adequate level of protection, or
- That appropriate safeguards are in place (European Commission standard contractual clauses, binding corporate rules)
Costa Rica has data protection legislation comparable to European standards (law No. 8968).
8. Retention period
We keep your data only for as long as necessary for the purposes for which it was collected:
- Quote requests that did not go through: 3 years from the last contact
- Clients who have traveled: 5 years after the end of the trip (for commercial and legal follow-up)
- Accounting documents and invoices: 10 years (legal obligation)
- Newsletter: until you unsubscribe
- Cookies: for the duration indicated in the cookies section
Beyond these periods, your data is deleted or anonymized.
9. Your rights
In accordance with the GDPR and Costa Rican law No. 8968, you have the following rights:
- Right of access — obtain a copy of the data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — delete your data, unless a legal obligation requires otherwise
- Right to restriction of processing — temporarily suspend the use of your data
- Right to portability — receive your data in a structured, reusable format
- Right to object — object to processing for commercial prospecting purposes
- Right to withdraw your consent at any time, without affecting the lawfulness of prior processing
- Right to lodge a complaint with the competent supervisory authority (CNIL for France, PRODHAB for Costa Rica)
10. Cookies
Our site uses cookies to ensure it works properly, measure its audience and improve your experience. You can manage your preferences at any time.
Types of cookies used
| Cookie | Purpose | Duration | Consent |
|---|
| Technical cookies | Site operation (session, security) | Session | Not required |
| Google Analytics | Anonymized audience measurement | 13 months max | Required |
| Marketing cookies | Remarketing (Google Ads, Meta) | 6 months | Required |
| User preferences | Language, cookie consent | 12 months | Not required |
You can change your cookie preferences at any time via the management banner displayed on the site, or directly in your browser settings.
11. Data security
We implement all the technical and organizational measures necessary to protect your data against loss, destruction, alteration or unauthorized access:
- Encrypted HTTPS connection (SSL/TLS) across the entire site
- Secure hosting (Hostinger, servers with firewall)
- Restricted access to data (strong authentication, least privilege principle)
- Regular backups
- Training our team in security best practices
12. Changes to this policy
We may update this Privacy Policy to reflect legal, technical or commercial developments. The date of the last update is shown at the top of this page. In the event of a substantial change, we will inform you by email or by a visible notification on the site.
For any question regarding this Privacy Policy or the use of your data: