Privacy Notice

1. Who We Are

NYC Compass (nyccompass.com) is an informational website providing comprehensive guidance and resources for individuals planning to visit or explore New York City. Our content covers essential travel categories including Flights, Accommodations, Transportation, Experiences, and Guided Tours. This Privacy Notice outlines our approach to handling personal data in accordance with applicable data protection regulations, including the General Data Protection Regulation (GDPR) where applicable. We are dedicated to maintaining transparency concerning the collection, use, and protection of your personal information throughout your interaction with our Site.

2. Contact Information

For any inquiries regarding this Privacy Notice, your personal data, or our data protection practices, please contact us using the details provided below:

• General inquiries: contact@nyccompass.com
• Privacy-specific inquiries: privacy@nyccompass.com
• Feedback and suggestions: feedback@nyccompass.com

We strive to respond to all legitimate inquiries within a reasonable timeframe, typically within 30 days of receipt.

3. Personal Data We Collect

We collect personal data when you interact with our Site. This collection is necessary for the operation, improvement, and monetization of NYC Compass (primarily through affiliate marketing, as detailed in our Affiliate Disclosure). The categories of personal data we may collect include:

4. How We Use Your Personal Data

We process the personal data collected for specific, explicitly stated purposes based on one or more of the following legal bases: your consent, contractual necessity, compliance with legal obligations, or our legitimate interests. These purposes include:

• Operating and Maintaining the Site: Ensuring the technical functionality, security, availability, and performance optimization of NYC Compass, including troubleshooting technical issues and monitoring for security threats.
• Responding to User Inquiries: Processing and addressing questions, comments, and requests submitted via our contact channels, and maintaining records of such communications to enhance future interactions.
• Analyzing Site Usage: Understanding how users interact with our content and features to improve user experience, optimize website performance, and enhance content relevance (typically using aggregated or anonymized data whenever possible).
• Managing Affiliate Marketing Activities: Facilitating the tracking of affiliate referrals and commissions through Travelpayouts, which helps sustain the provision of free content on our Site, as explained in our Affiliate Disclosure.
• Developing and Improving Content: Using insights from user interactions and feedback to create more relevant, helpful travel information and resources for our audience.
• Communication: Responding to your feedback, suggestions, partnership inquiries, and other communications directed to our various contact channels.
• Compliance with Legal Obligations: Fulfilling any applicable legal or regulatory requirements as mandated by governing law (see Section 14 and our Terms of Service), including responding to legitimate requests from public authorities.

We will not use your personal data for purposes incompatible with those for which it was originally collected without notifying you and, where required, obtaining your consent.

5. Sharing Your Personal Data with Third Parties

We may share your personal data with the following categories of recipients under specific circumstances and for the purposes outlined in this Notice:

• Affiliate Network (Travelpayouts): Information necessary for tracking affiliate link clicks, conversions, and managing commission payments is shared with Travelpayouts according to their operational requirements, as detailed in our Affiliate Disclosure. This may include anonymized or pseudonymized identifiers, click data, and transaction information.
• Hosting Provider (Namecheap): As our website hosting provider, Namecheap processes server logs and other technical data necessary to provide hosting services and maintain server infrastructure security. They act as our data processor and handle information in accordance with our instructions. For more information on their data practices, please refer to Namecheap's Privacy Policy.
• Analytics Providers: Aggregated and/or anonymized website usage data may be processed by third-party analytics services (like Google Analytics, Snowplow, Yandex Metrica, Microsoft Clarity) to provide us with insights into site traffic and user behavior patterns. We implement appropriate safeguards, such as IP anonymization where required, to protect your privacy when using these services.
• Advertising Partners: We may share non-personally identifiable information or work with advertising partners (like Google, Microsoft/Bing, OpenX) who use cookies and similar technologies to collect data for personalized advertising purposes, as described in Section 3.1.
• Social Media Platforms: If you choose to interact with links to our social media profiles (like Instagram), you will be directed to their platforms, which operate under their own privacy policies. Data sharing occurs only upon your deliberate interaction with these links. We do not automatically share personal data with social media platforms.
• Legal Requirements: We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency), as potentially required under our Terms of Service. This may include responding to legal process or complying with national security or law enforcement requirements.

NYC Compass does not sell, rent, or lease your personal data to third parties for their own direct marketing purposes. Any third parties with whom we share personal data are contractually obligated to use it only for the specified purposes and in accordance with our instructions, except where otherwise required by law.

6. International Data Transfers

NYC Compass is primarily operated from Sweden, but our service providers and partners may be located in other countries. Consequently, your personal data may be transferred to, stored in, or processed in jurisdictions other than the one in which you reside. When we transfer personal data across borders, we take steps to ensure that appropriate safeguards are in place to protect your information and comply with applicable data protection laws:

• Standard Contractual Clauses: Where necessary, we implement Standard Contractual Clauses approved by the European Commission or other appropriate legal mechanisms to protect personal data transferred outside the European Economic Area (EEA).
• Data Processing Agreements: We establish written agreements with our service providers and partners that process personal data, requiring them to provide at least the same level of protection for your data as stipulated in this Privacy Notice.
• Adequacy Decisions: Where possible, we transfer data to countries or organizations that have been recognized by relevant authorities as providing adequate protection for personal data.

By using our Site, you acknowledge that your personal data may be transferred to and processed in countries outside your country of residence, including jurisdictions that may not have the same data protection laws as your home country. If you have questions about our data transfer mechanisms, please contact us at privacy@nyccompass.com.

7. Your Rights Regarding Your Personal Data

Depending on your jurisdiction and applicable data protection laws (such as the General Data Protection Regulation - GDPR), you may possess certain rights concerning your personal data. These rights may include:

• Right to Access: The right to request confirmation of whether we process your personal data and to receive a copy of that data in a structured, commonly used, and machine-readable format.
• Right to Rectification: The right to request correction of inaccurate or incomplete personal data we hold about you without undue delay.
• Right to Erasure ("Right to be Forgotten"): The right to request deletion of your personal data under specific conditions (e.g., the data is no longer necessary for the purposes collected, you withdraw consent, or we have processed the data unlawfully).
• Right to Object to Processing: The right to object, on grounds relating to your particular situation, to our processing of your personal data based on legitimate interests or for direct marketing purposes.
• Right to Restriction of Processing: The right to request the restriction of processing your personal data under specific circumstances (e.g., while the accuracy of data is contested, while we verify the legitimate grounds for processing, or if you need the data for legal claims).
• Right to Data Portability: The right to receive your personal data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller (primarily applies to data processed based on consent or contract).
• Right to Withdraw Consent: Where processing is based on consent (e.g., for certain cookies), you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• Right to Lodge a Complaint: The right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of an alleged infringement of applicable data protection laws.

To exercise any of these rights, please submit your request via email to privacy@nyccompass.com. We will assess and respond to your request in accordance with applicable data protection laws, typically within 30 days. We may need to verify your identity before fulfilling your request to protect your privacy and security. In certain circumstances, we may be unable to fully comply with your request, such as when it would impact the rights and freedoms of others or conflict with legal obligations. In such cases, we will explain the reasons for our decision.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Notice, or as required to comply with legal obligations, resolve disputes, and enforce our agreements (including our Terms of Service). Specific retention periods vary depending on the type of data and the context:

• Contact Form Submissions: Retained for up to 24 months to manage inquiries, follow-up communications, and maintain service quality.
• Server Logs: Typically retained for 90 days for security monitoring, threat detection, and technical troubleshooting, unless needed longer for security investigations or legal purposes.
• Analytics Data: Retained in an aggregated or anonymized form for up to 26 months to enable long-term trend analysis and service improvement.
• Feedback and Partnership Inquiries: Retained for up to 36 months to support ongoing communication and potential future collaborations.
• Cookie Data: Retention periods for data collected via cookies vary widely based on the cookie's purpose, ranging from session-only to several years, as detailed in our Cookie Policy.

When personal data is no longer necessary for these purposes, we will securely delete or anonymize it in accordance with our internal data retention protocols. If complete deletion is not possible (for technical reasons or due to backup systems), we will implement appropriate measures to prevent any further processing of your data.

9. Data Security

We implement and maintain appropriate technical, administrative, and organizational security measures designed to protect the personal data we process against unauthorized access, disclosure, alteration, loss, or destruction. These measures include:

• Secure Hosting Infrastructure: Our website hosting is provided by Namecheap, which employs industry-standard security protocols and maintains appropriate certifications for its infrastructure.
• Data Encryption: We utilize secure HTTPS connections (TLS/SSL encryption) to protect data transmitted between your browser and our servers.
• Access Controls: We implement strict access controls and authentication procedures to ensure that access to personal data is limited to authorized personnel with a legitimate need for such access.
• Regular Security Assessments: We conduct periodic reviews of our security practices and systems to identify and address potential vulnerabilities.
• Malware Protection: We employ security tools like MalwareGuardian to protect against malicious software and unauthorized access attempts.
• Security Plugin: We utilize Wordfence, a security plugin that helps protect our website from malicious activity. This tool may process visitor IP addresses and browser information to identify and block potential threats. Wordfence's data handling practices are governed by their own privacy policy.
• Security Updates: We maintain regular updates to our software, plugins, and security measures to address emerging threats and vulnerabilities.

While we strive to use commercially reasonable means to protect your personal data, please be aware that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we strive to protect your personal information, we cannot guarantee its absolute security. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us at privacy@nyccompass.com.

10. Children's Privacy

NYC Compass is designed for a general audience and is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If we become aware that we have inadvertently collected personal data from a child under the age of 16, we will take reasonable steps to delete such information from our records promptly.

If you are a parent or guardian and believe that we may have collected personal information from your child, please contact us immediately at privacy@nyccompass.com, and we will take steps to remove that information from our servers.

11. California Privacy Rights

If you are a California resident, you may have additional rights regarding your personal information under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These rights may include:

• Right to Know: You have the right to request information about the personal information we collect, use, disclose, and sell/share.
• Right to Delete: You have the right to request the deletion of your personal information, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out: You have the right to opt-out of the sale or sharing of your personal information for cross-context behavioral advertising.
• Right to Limit: You have the right to limit the use and disclosure of sensitive personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, please contact us using the contact information provided in Section 2 of this Privacy Notice. Please note that while NYC Compass does not "sell" personal information in the traditional sense, our use of third-party cookies for analytics and advertising, as well as our affiliate partnerships, might be considered "sharing" or potentially a "sale" under the broad definitions in California law. You can manage cookie preferences via browser settings or our consent tool. We do not use or disclose sensitive personal information for purposes requiring a specific right to limit under CPRA.

12. AI-Generated Content

As mentioned in our Terms of Service, certain content on NYC Compass may be generated or assisted by artificial intelligence (AI) tools. While we apply editorial oversight to ensure quality and accuracy, the use of AI in content creation has privacy implications you should be aware of:

• Training Data: The AI systems we use may have been trained on publicly available datasets. We do not provide these AI systems with your personal data for training purposes.
• AI Processing: When generating content, we may use AI services provided by third parties. Our interactions with these services typically do not involve sharing personal data about our users.
• Content Improvement: We may use aggregated, anonymized data about content engagement to guide AI content generation and improvement, but this process does not involve processing personal data in a way that identifies individual users.
• Transparency: We strive to be transparent about our use of AI-assisted content creation while maintaining high standards for accuracy and quality in all our travel guidance.

If you have questions or concerns about our use of AI in content generation, please contact us at feedback@nyccompass.com.

13. Changes to this Privacy Notice

We reserve the right to update or modify this Privacy Notice at any time to reflect changes in our practices, services, legal requirements, or other operational or commercial factors, consistent with our right to modify our Terms of Service. Any modifications will become effective immediately upon posting the revised Notice on this page, with material changes highlighted where appropriate.

The "Last Updated" date at the beginning of this Notice indicates when the most recent revisions were made. We encourage you to review this Privacy Notice periodically to stay informed about how we are protecting your information. Your continued use of our Site following the posting of any changes constitutes your acceptance of such changes. If we make material changes to how we treat your personal data, we will notify you through prominent notice on our Site or, where legally required, by email to the address associated with your account.

14. Governing Law

This Privacy Notice and any disputes arising out of or in relation to it shall be governed by and construed in accordance with the laws of Sweden, without regard to its conflict of law principles, as stipulated in our Terms of Service. This choice of law does not supersede any mandatory consumer protection provisions that would be applicable in your jurisdiction of residence. If a court of competent jurisdiction finds any provision of this Privacy Notice to be invalid or unenforceable, such provision shall be enforced to the maximum extent permissible, and the remaining provisions shall remain in full force and effect.