Privacy Policy – AZ Invest

Cookies and Tracking Technologies

Our websites use cookies and similar tracking technologies (such as pixels and local storage) to enhance your user experience and to collect information about how our services are used. A cookie is a small text file stored on your device. Cookies do not harm your device and do not contain viruses. We use both necessary (essential) cookies, which are indispensable for operating the website, and optional cookies for analytics and advertising purposes. In detail:

Essential cookies: These cookies are required for our websites and services to function properly. Without them, you would not be able to stay logged in or use shopping cart and checkout functions. Essential cookies store information such as your session ID, language settings, and other preferences, ensuring you are recognized when navigating the site. Since they are necessary for operation, these cookies are set automatically when you visit our site. You can block essential cookies in your browser settings, but some features may then not work as intended.

Analytics and statistics cookies: These optional cookies help us understand how visitors use our websites. They track which pages are visited most often or if certain error messages occur. This allows us to improve our content and functionality over time. For this purpose, we sometimes use third-party services – particularly Google Analytics. Usage information (including IP anonymization) is transmitted to Google and evaluated statistically. These cookies are only set with your express consent.

Advertising and marketing cookies: We also use cookies from selected partners to display relevant ads – e.g., via banners on our pages. These cookies collect information about your usage to serve personalized content. Important: These cookies are only set if you have expressly agreed, for example, via our cookie banner. Without your consent, these cookies remain inactive.

Cookie consent and objection: Upon your first visit (if optional cookies are active), we ask for your consent via a cookie banner. There you can choose which categories of cookies you wish to allow. You may withdraw or change your preferences at any time – either via the cookie banner (if available) or by contacting us directly.

Browser settings & “Do Not Track”: You can delete or block cookies at any time via your browser. Some browsers also offer a “Do Not Track” (DNT) feature. Our website currently does not respond specifically to DNT signals, as there is no binding standard. Regardless, we treat all users in accordance with this privacy policy.

Disclosure to Third Parties and External Providers

We treat your data confidentially and do not sell it to third parties. Disclosure to external recipients only occurs if legally permitted and one of the following reasons applies:

Commissioned service providers (processors): We work with external service providers who perform services on our behalf (e.g., IT and hosting providers, email services, analytics providers). These service providers may access personal data as part of their tasks but act strictly under our instructions. We have concluded data protection agreements with all processors to ensure your data remains protected. Examples: Our websites may be hosted on a third-party server that processes technical data (e.g., log files, database contents) strictly according to our instructions. Similarly, analytics tools like Google Analytics (see Section 5) operate as our processors.

Partner companies involved in service delivery: When necessary for providing our services, we share data with partners or agents. For example, when booking a tour or trip, it may be necessary to transmit your data (name, possibly date of birth, booking details) to local providers, hotels, airlines, or other service companies. Likewise, when using our fitness services, we may manage your membership data in an internal system or share it with on-site trainers as needed. In all such cases, data is shared only as required and in compliance with applicable data protection laws.

Payment service providers: For online payments, we integrate external providers like Stripe or PayPal to ensure secure processing. If you make a payment, the necessary data (e.g., credit card number, transaction amount, name) is sent directly to the respective provider. These third parties act as independent controllers and process your payment data in accordance with their own security policies. We usually only receive confirmation of payment and basic data (e.g., name, email, success status) for accounting purposes. Note: We do not store full credit card or bank account information in our systems, except what is needed for accounting (e.g., transaction ID).

Legally required or justified disclosure: In certain cases, we may be obligated to disclose data to third parties if required by law or official orders. This includes sharing with authorities (e.g., police, regulatory bodies, courts) as part of legal proceedings. Disclosure may also occur to enforce our rights – for instance, to pursue claims (e.g., sharing data with a debt collection agency or our lawyers) or defend ourselves in legal disputes. In the event of a business transaction (e.g., merger, acquisition, or sale of business units), disclosure of data to third parties (buyers, due diligence advisors) may be necessary. In all such cases, we ensure that data protection standards are upheld and that sharing complies with legal requirements.

Third-party liability disclaimer: External recipients of data are either contractually bound as processors or act as independent controllers with defined purposes. We carefully select our partners but cannot accept liability for their data practices if they operate beyond our control. We ensure appropriate agreements are in place at the time of data transfer. For more information, please consult the privacy policies of the respective providers (e.g., Google, Stripe, PayPal, etc.). Aside from the mentioned cases, we do not disclose your personal data to third parties unless you have expressly consented.

Data Transfer to Third Countries

AZ Invest S.R.L. is based in the Dominican Republic and uses services from companies located in other countries (e.g., the USA). Therefore, your personal data may be transferred to and processed in countries outside your home country.

EU/EEA users: If you access our services from the European Union or the EEA, please note that personal data may be transferred to countries outside the EEA that do not provide a level of data protection equivalent to EU law. Specifically, your data may be processed in the Dominican Republic (outside the EU) due to our company location and may be transmitted to providers in the USA (e.g., Google, payment providers). To ensure adequate protection, we take appropriate safeguards under Art. 44 et seq. GDPR, particularly by concluding EU Standard Contractual Clauses (SCCs) with third-country recipients who thereby commit to upholding European data protection standards. For example, we have SCCs in place with U.S. providers where possible. Additionally, some U.S. providers are certified under the EU-U.S. Data Privacy Framework, which the EU recognizes as offering adequate protection. Where this applies (e.g., Google is certified), we rely on such certification. In some cases, we rely on exceptions under Art. 49 GDPR – for example, if a transfer is necessary for contract fulfillment.

Dominican users: We also comply with the Dominican Data Protection Law 172-13 regarding international data transfers. This generally requires that personal data may only be transferred to another country if adequate data protection guarantees are in place or the data subject has given consent. Accordingly, when we transfer data from the Dominican Republic to providers abroad (e.g., in the USA or Europe), we ensure contractual guarantees similar to those mentioned above or obtain your consent if required.

USA/Canada and other countries: Users from the USA, Canada, or other countries outside the EU/DR: Your data may be processed in the Dominican Republic or other countries (e.g., the USA). We ensure recognized safeguards in these cases as well. For example, our U.S. providers are contractually bound as service providers under CCPA to process your data only for specified purposes and to maintain appropriate security levels. Regardless of your country of origin, the safeguards outlined in this privacy policy apply. Your data will not be transferred to third countries without appropriate protection. If you have questions about specific safeguards or wish to review contractual clauses, feel free to contact us.

Data Retention Duration

We store personal data only as long as necessary for the respective purposes. After that, we delete or anonymize the data unless legal retention obligations require otherwise. The specific retention periods depend on the type of data and the purpose of processing:

Account and profile data: We retain data associated with your user account or profile for as long as the account is actively used. If you delete your account (or it is deleted by us) or stop using our services, we typically remove this data from our active systems shortly thereafter. If certain data must be retained for legal reasons (see below), it will be blocked (i.e., no longer actively used) until deletion.

Contract and transaction data: Personal data collected in the context of bookings, orders, or other transactions (e.g., contract data, invoice and payment data) is retained as long as necessary to fulfill the contract and comply with any post-contractual obligations. Once the contract is fully processed, we restrict further use and delete the data after any applicable legal retention period has expired. For example, under Dominican and international commercial and tax law, we are required to retain certain business records (invoices, payment receipts, etc.) for a defined period (often 5–10 years depending on the legal regulation). Such data is not used for other purposes and is routinely deleted after the retention period ends.

Communication data: If you contact us (e.g., via e-mail or contact form), we store your details and the communication for as long as needed to handle your inquiry and any follow-up questions. Once your inquiry is fully resolved and there is no longer any reason to retain the data, the communication is deleted. If a contractual relationship arises from the inquiry or there is a legal reason to retain the data, the corresponding retention periods apply.

Newsletter and marketing data: If you have subscribed to a newsletter or similar information, we retain the necessary data (e.g., your e-mail address) until you unsubscribe or request deletion. Upon unsubscribing or revoking your consent, your contact data is immediately removed from the distribution list. We may retain a minimal dataset about your unsubscription (e.g., e-mail address and time of unsubscription) to document your opt-out and ensure you no longer receive messages from us.

Log and protocol data: Server logs and similar records (e.g., access logs) are only retained for a limited time. Typically, such log data is stored for only a few weeks (usually 4–8 weeks) to monitor system security and detect errors. In case of security-related incidents (e.g., a cyberattack), we may retain affected log files longer, until the incident is fully investigated and resolved. Afterwards, the data will also be deleted or anonymized.

Data backups: To protect against data loss, we regularly create backups of our databases and systems. These backup copies are also retained only as long as needed for recovery purposes. Older backups are overwritten at defined intervals and thus deleted. Access to backups occurs only when necessary (e.g., in the event of data loss) and always in accordance with the data protection principles set out in this policy.

As soon as the purpose for data processing no longer applies and no legal retention obligation remains, the corresponding personal data will be routinely deleted. In individual cases, data is initially blocked if legal or contractual retention obligations prevent immediate deletion. Instead of deletion, anonymization may be applied, provided the data can no longer be linked to an individual.

Rights of Data Subjects

As a data subject, you have – depending on the applicable data protection law – various rights regarding your personal data processed by us. These rights are granted under the GDPR, the Dominican Data Protection Law, and (with some variations) the CCPA. We respect your rights and support you in exercising them. Specifically, you have the following rights:

Right of access: You have the right to obtain confirmation as to whether or not we process personal data concerning you. If we do, you are entitled to access this data. Your right includes information about the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom the data has been disclosed, (if possible) the planned retention period or the criteria used to determine it, as well as your other rights in relation to this data. You also have the right to obtain a copy of the personal data undergoing processing. (Art. 15 GDPR; under Dominican law, a comparable right of access exists; under the CCPA, California consumers have the right to request disclosure of the categories and specific personal data collected by a business within the past 12 months.)

Right to rectification: If we process incorrect or incomplete personal data concerning you, you have the right to request rectification. We will correct inaccurate information and complete incomplete data as required. (Art. 16 GDPR; a corresponding right to update/rectify also exists under Dominican data protection law.)

Right to erasure ("right to be forgotten"): Under certain circumstances, you may request the deletion of your personal data. This applies, for example, if the processing purpose no longer exists, if you have withdrawn your consent and there is no other legal basis, or if we process your data unlawfully. In such cases, we will delete your personal data without delay. Please note that there are exceptions to this right. We are not required to delete data if we are legally obligated to retain it (e.g., tax records), if we need the data to assert, exercise, or defend legal claims, or in other cases provided for by law. (Art. 17 GDPR; Dominican law also grants the right to delete unlawful or outdated data; under the CCPA, consumers have the right to request deletion of personal data collected by a business, subject to certain statutory exceptions.)

Right to restriction of processing: In certain situations, you may request that we temporarily restrict the processing of your data. This means that the data will only be processed – aside from storage – with your consent or for narrowly defined purposes. This right applies, for example, if you contest the accuracy of the data (for the duration of verification), or if you have objected to the processing (pending the outcome of the assessment of whether our legitimate grounds override yours). If the processing is unlawful but you prefer restriction over deletion, you may also exercise this right. (Art. 18 GDPR.) In such cases, we will flag the data accordingly and ensure it is not further processed.

Right to data portability: You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format. You may also request – where technically feasible – that we transmit this data directly to another company of your choice. This right applies where the processing is based on your consent or a contract and carried out by automated means. (Art. 20 GDPR.)

Right to object: You have the right to object to the processing of your personal data on grounds relating to your particular situation, where the processing is based on legitimate interests (Art. 21(1) GDPR). If you object, we will no longer process your data for these purposes unless we can demonstrate compelling legitimate grounds. Objection to direct marketing: You may object at any time to the processing of your personal data for marketing purposes (Art. 21(2) GDPR).

Right to withdraw consent: Where we process your data based on your consent, you have the right to withdraw this consent at any time. The withdrawal applies to future processing; processing based on consent before its withdrawal remains lawful.

Right to opt-out (Non-sale of data, CCPA): California residents have the right to opt out of the sale of their personal data to third parties. Note: We currently do not sell personal data to third parties. Should this change, we will inform you in advance.

Right to non-discrimination (CCPA): If you exercise any of your rights under the CCPA as a California consumer, you will not be subject to any form of discrimination. All users receive the same quality of service from us.

Right to lodge a complaint / legal remedy: If you believe that we are unlawfully processing your data or not adequately respecting your data protection rights, you have the right to lodge a complaint with the competent data protection authorities – in the EU, the Dominican Republic, or the United States.

Exercising your rights: To exercise any of the above rights, you may contact us informally at any time. The best way is to use the contact details provided in Section 2. We will respond within the legal deadlines: usually within one month in the EU, within 10 days in the DR, and within 45 days in California.

Security of Data Processing

We implement extensive technical and organizational security measures to protect your personal data against risks such as loss, misuse, unauthorized access, unauthorized disclosure, or alteration. These measures are continuously adapted in line with technological advancements. Examples of our security precautions include:

• The transmission of sensitive data is always encrypted (e.g., using SSL/TLS encryption, recognizable by the “https://” in the URL).
• Our systems are protected against unauthorized access by firewalls and other security mechanisms.
• Access to personal data within our company is limited to employees who need such access to perform their tasks (“need-to-know” principle). These employees are bound to confidentiality and regularly trained in data protection.
• We apply appropriate access controls and authentication procedures to ensure that only authorized individuals can access data.
• Regular backups, security audits, and, if necessary, penetration tests are carried out to ensure data integrity and availability.

Please note that despite all efforts, no electronic communication or storage can be 100% secure. However, we continuously strive to maintain our security standards at a high level. If a data breach occurs that is likely to result in a high risk to your rights and freedoms, we will inform you and – if applicable – the competent supervisory authority without delay, as required by law (e.g., Art. 33/34 GDPR).

User responsibility: We also encourage you to contribute to security yourself. For example, keep your login credentials confidential, use secure passwords, and do not disclose sensitive information carelessly to third parties. If you suspect that your account or data with us has been compromised, please inform us immediately so that we can take appropriate protective measures.

Changes to This Privacy Policy

We reserve the right to adapt or update this Privacy Policy as needed. Reasons may include changes to our services (e.g., introduction of new features requiring data usage) or changes in legal requirements (e.g., new data protection laws or regulatory decisions).

In the event of significant changes to the Privacy Policy, we will inform you appropriately. This may include a clearly visible notice on our websites and – if we have your email address – possibly also a direct notification.

The current version of the Privacy Policy will always be published on our websites, including the effective date.

Please review this Privacy Policy from time to time, especially before submitting any personal data to us. In case of doubt, the version available online shall apply.

If any changes involve data processing for which we require your consent, we will of course ask for your permission in advance.

Effective date of this Privacy Policy: July 2025.