Privacy Policy

Last updated: March 20, 2026

Exuma Secrets ("we," "our," or "us") operates the Exuma Secrets mobile application (the "App"), available on the Apple App Store and Google Play Store. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App. This policy applies to all users worldwide, including those in the United States, Canada, the European Economic Area (EEA), the United Kingdom, and the Asia-Pacific region.

1. Information We Collect

Account Information: When you create an account, we collect your first name, last name, email address, username, and password. You may optionally provide a telephone number and profile photo.

Location Data: With your explicit permission, we collect your device's precise GPS location. This data is used to enable check-ins at points of interest and show nearby places. Location data may be retained and used in aggregated, anonymized form for analytics. You can revoke location permission at any time in your device settings.

Photos and Media: When you upload photos to community posts, reviews, business listings, or menu pages, we collect and store those images on our servers. We access your device's photo library or camera only when you choose to upload, and only the selected media is transmitted.

User-Generated Content: We collect content you voluntarily submit, including community posts, comments, reviews, ratings, trip itineraries, direct messages, and business listing submissions. Trip itineraries, community content, and direct messages are stored on our servers. Packing list data and certain trip data may be stored locally on your device. All user-generated content (posts, comments, reviews, and direct messages) is processed by our AI-powered content moderation system before publication to detect and prevent objectionable content.

Trip Sharing Data: When you share a trip with another user, we store the sharing relationship, including the sender, recipient, trip details, and sharing status (pending, accepted, or declined).

Usage Data: We collect information about how you interact with the App, including features used, points of interest viewed, interactions with business listings (calls, emails, website visits, WhatsApp messages, bookings), and the dates and times of your activity. This data is used to provide analytics to business owners and to improve the App.

Device Information: We may collect information about your device, including device type, operating system version, unique device identifiers, and push notification tokens.

Purchase Information: If you make in-app purchases or subscribe to Premium features, payment processing is handled entirely by Apple (App Store) or Google (Play Store). We receive confirmation of your purchase status but do not collect or store your payment card details or financial information.

2. Legal Basis for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR) and equivalent UK legislation:

• Consent: For location data collection, push notifications, tracking (ATT), and marketing communications. You may withdraw consent at any time.
• Performance of a Contract: To provide the App's core features, maintain your account, process check-ins, manage your trip itineraries, facilitate direct messaging, and process subscriptions.
• Legitimate Interests: To improve the App, detect fraud, ensure security, provide business analytics, and conduct usage analysis — provided these interests are not overridden by your rights.
• Legal Obligation: To comply with applicable laws, regulations, and legal processes.

3. Tracking and Advertising

The App uses Apple's App Tracking Transparency (ATT) framework to request your permission before tracking your activity across other companies' apps and websites. If you grant permission, we may:

• Use advertising identifiers (IDFA) to measure the effectiveness of advertising campaigns.
• Share anonymized or aggregated data with advertising and analytics partners.

You can change your tracking preferences at any time in your device's Settings under Privacy & Security > Tracking. If you decline tracking, we will not use your IDFA or link your data with third-party data for advertising purposes.

Cookies: The App uses session cookies solely to maintain your login state. These are not used for cross-site tracking.

4. How We Use Your Information

• To provide and maintain the App's features, including the explore directory, community feed, trip planner, trip sharing, direct messaging, gamification system, business listings, and weather information.
• To verify GPS check-ins and award points, badges, and leaderboard rankings.
• To display your profile, posts, and activity within the community.
• To facilitate communication between users and business owners via direct messaging.
• To provide business owners with anonymized analytics about their listing performance (views, interactions, click-through rates).
• To improve and personalize your experience.
• To analyze usage trends for internal analytics and service improvement.
• To communicate with you about your account, security alerts, or service updates.
• To process and manage in-app purchases and subscriptions.
• To enforce our Terms of Use, detect abuse, and maintain the safety of our community through AI-powered content moderation.

5. Sharing of Information

We may share your information in the following situations:

• Public Content: Community posts, reviews, and your explorer profile (username, level, badges) are visible to other users of the App.
• Business Owners: When you interact with a business listing (view, call, message, etc.), aggregated and anonymized interaction data may be visible to the listing owner through their analytics dashboard. Your personal information is not shared unless you initiate direct contact.
• Trip Sharing: When you share a trip with another user, your display name and the trip details are visible to the recipient.
• Tourism and Business Partners: We may share aggregated, anonymized usage data and travel analytics with tourism boards and hospitality partners in the Exuma region. This data cannot be used to identify you individually.
• Advertising Partners: With your consent (via ATT), we may share data with advertising networks to deliver personalized ads and measure ad effectiveness.
• Service Providers: We may share data with third-party services that help us operate the App (e.g., hosting, analytics, push notification services, payment processing via RevenueCat). These providers are contractually bound to protect your data and use it only for the services they provide to us.
• Legal Requirements: We may disclose information if required by law, court order, or government request, or to protect the rights, safety, or property of our users or the public.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

We do not sell your personal information to data brokers. Anonymized, aggregated analytics data that cannot identify any individual may be shared with business partners for research and tourism development purposes.

6. International Data Transfers

Your personal data may be transferred to, stored, and processed in countries other than your country of residence, including the United States and The Bahamas. These countries may have data protection laws that differ from those in your jurisdiction.

If you are located in the EEA, UK, or Switzerland, we ensure that any transfer of your personal data to countries outside the EEA/UK is protected by appropriate safeguards, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Transfers to countries recognized by the European Commission as providing an adequate level of data protection.
• Other legally recognized transfer mechanisms under GDPR Article 46.

If you are located in Canada, transfers are conducted in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation, ensuring a comparable level of protection.

7. Data Retention

We retain your account information and user-generated content for as long as your account is active or as needed to provide you services. After account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, legal obligations). Anonymized, aggregated data that cannot identify you may be retained indefinitely for analytics and research.

8. Data Security

We use industry-standard security measures to protect your information, including encrypted connections (HTTPS), secure session management, JWT-based authentication, and access controls. However, no method of electronic transmission or storage is completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law.

9. Children's Privacy

The App is not directed to children under the age of 13 (or under 16 in the EEA/UK, or under 14 in South Korea). We do not knowingly collect personal information from children below these age thresholds. In the EEA and UK, where processing of children's data requires parental or guardian consent under GDPR Article 8, we will not process such data without verifiable consent. In Canada, we comply with PIPEDA's requirements for meaningful consent for minors. If we become aware that we have collected personal information from a child below the applicable age threshold, we will take prompt steps to delete it. If you believe we have inadvertently collected information from a child, please contact us immediately.

10. Your Privacy Rights

10.1 United States

California (CCPA/CPRA): If you are a California resident, you have the right to:

• Know what personal information is collected, used, shared, or sold.
• Delete your personal information, subject to certain exceptions.
• Opt out of the sale or sharing of your personal information.
• Correct inaccurate personal information.
• Limit the use and disclosure of sensitive personal information.
• Not be discriminated against for exercising your privacy rights.

Other U.S. States: Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with consumer privacy laws have similar rights to access, correct, delete, and opt out of the processing of personal data. To exercise these rights, contact us at the email address below.

10.2 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data when it is no longer necessary for the purposes for which it was collected.
• Right to Restriction of Processing: Request that we limit how we use your data in certain circumstances.
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Object: Object to processing based on legitimate interests, including direct marketing.
• Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: File a complaint with your local data protection authority (e.g., the ICO in the UK, CNIL in France, BfDI in Germany).

We will respond to your request within 30 days, as required by law.

Data Protection Contact: If you have questions about how we process your data or wish to exercise your GDPR rights, please contact our data protection team at support@exumasecrets.com. As Exuma Secrets is based in The Bahamas (a non-EEA/UK country), we are committed to responding to your inquiries promptly and in accordance with GDPR requirements. If we are required to appoint a representative in the EEA or UK under GDPR Article 27, we will update this policy with their contact details.

10.3 Canada (PIPEDA and Provincial Laws)

If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (such as Quebec's Law 25, Alberta's PIPA, and British Columbia's PIPA) grant you the following rights:

• Access to and correction of your personal information held by us.
• Knowledge of how your personal information is collected, used, and disclosed.
• The ability to withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
• The right to file a complaint with the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner.

We will only collect, use, or disclose your personal information with your knowledge and consent, except where permitted or required by law.

10.4 Asia-Pacific

Japan (APPI): If you are a resident of Japan, the Act on the Protection of Personal Information (APPI) provides you with the right to request disclosure, correction, cessation of use, or deletion of your personal information. We will handle your personal data in accordance with APPI requirements, including obtaining your consent before providing personal data to third parties or transferring it internationally.

South Korea (PIPA): If you are a resident of South Korea, the Personal Information Protection Act (PIPA) grants you rights to access, correct, delete, and suspend processing of your personal data. We process personal data in accordance with PIPA, and you may contact us or the Personal Information Protection Commission (PIPC) with any concerns.

Australia (Privacy Act 1988): If you are an Australian resident, the Privacy Act 1988 and the Australian Privacy Principles (APPs) grant you the right to access and correct your personal information. You may file a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been violated.

Singapore (PDPA): If you are a resident of Singapore, the Personal Data Protection Act (PDPA) provides you with rights to access and correct your personal data, and to withdraw consent for data collection and use. You may contact the Personal Data Protection Commission (PDPC) with any complaints.

Other Jurisdictions: If you reside in a country with data protection laws not specifically listed above, we will honor your rights under your local law to the extent applicable. Please contact us to exercise any applicable rights.

11. Your Choices

• Tracking: You can opt out of tracking at any time through your device's Settings (Privacy & Security > Tracking).
• Location: You can disable location access at any time through your device's Settings.
• Notifications: You can manage push notification preferences in your device's Settings.
• Direct Messages: Business owners can enable or disable direct messaging from their profile settings.
• Account Deletion: You can delete your account directly within the App from your Profile settings. You may also request deletion by contacting us at the email address below.
• Data Export: You may request a copy of your personal data in a portable format by contacting us.

12. Third-Party Services

The App may integrate with or contain links to the following types of third-party services, each governed by their own privacy policies:

• Booking platforms (VRBO, Airbnb, Expedia, OpenTable)
• Weather and marine data providers
• Payment processors (RevenueCat for subscription management, Apple In-App Purchase, Google Play Billing)
• Push notification services (Expo Push Notifications)
• AI content moderation (OpenAI)
• Map services (OpenStreetMap)

We encourage you to review their privacy policies before interacting with them.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the "Last updated" date, and where appropriate, sending you a notification through the App. Your continued use of the App after changes are posted constitutes your acceptance of the revised policy. Where required by law (e.g., GDPR), we will obtain your consent before making material changes to how we process your data.

14. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have a complaint about how we handle your data, please contact us at:

Exuma Secrets
Email: support@exumasecrets.com
Website: https://exumasecretsapp.com

If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.