Terms of Service

This Data Sharing & Processing Annex ("Annex") forms part of the Terms of Service between Tek a Hike Limited ("Tek a Hike" / "Controller") and the partner identified in the partner registration form ("Partner" / "Recipient"). It governs how Partner receives, handles, and (where applicable) processes participant personal data made available through the Platform.

DSA.1 Definitions

DSA.2 Scope and purpose

Tek a Hike shares Participant Personal Data with Partner for the sole purpose of letting Partner deliver the experience the participant has booked. Permitted uses include:

• Roll-call, head-count, and safety briefings on the day of the experience.
• Replying to participant questions through the in-platform inbox.
• Issuing safety updates, weather alerts, and meeting-point changes through Tek a Hike's notification tooling.
• Recording attendance, no-shows, incidents, and refund-relevant outcomes back to the Platform.
• Honouring the participant's signed waiver and any special requirements they disclosed.

Any use outside these purposes — for example, exporting contact details for independent marketing, resale, profiling, or sharing with third parties not engaged by Tek a Hike — is a material breach of this Annex.

DSA.3 Tek a Hike's obligations as Controller

Tek a Hike will:

• a Maintain a lawful basis under the JDPA for each category of processing and disclose it in the Privacy Policy.
• b Provide participants with the information required by JDPA Articles 13–14 at the point of collection.
• c Operate the data-subject rights surface (access, rectification, erasure, portability, objection, withdrawal of consent) and respond within 30 days.
• d Implement and maintain appropriate technical and organisational security measures (TLS in transit, encryption-at-rest for sensitive fields, RBAC, MFA on admin accounts, audit logging, vulnerability management).
• e Notify the Office of the Information Commissioner and affected participants of any reportable personal data breach within 72 hours of becoming aware, in line with JDPA Articles 33–34.
• f Maintain records of processing activities and a sub-processor register, available to Partner on reasonable written request.
• g Honour retention schedules published in the Privacy Policy and delete or anonymise data when those schedules expire.

DSA.4 Partner's obligations as Recipient and Limited Processor

Partner agrees to:

• a Use Participant Personal Data only for the purposes set out in DSA.2 and only on Tek a Hike's documented instructions through the Platform.
• b Restrict access to staff and guides who need it to deliver the booking, and ensure they are bound by appropriate confidentiality.
• c Not export, copy, scrape, sync, or otherwise extract participant contact details for any external CRM, mailing list, marketing platform, or third party not authorised by Tek a Hike.
• d Forward to Tek a Hike, without undue delay, any participant rights request, complaint, or correction received offline so we can fulfil it from the system of record.
• e Notify Tek a Hike's Data Protection Office at dpo@tekahike.com within 24 hours of becoming aware of any incident affecting participant data (lost device, misdirected message, unauthorised access, etc.) so we can meet our 72-hour regulatory clock.
• f Apply reasonable technical and organisational safeguards to any participant data on Partner-controlled devices (lock screens, encrypted storage, no shared accounts, prompt deletion of obsolete copies).
• g Delete or destroy any local copies of Participant Personal Data within 30 days of the experience completing, unless retention is required by law (for example, an incident report needed for an insurance claim).
• h Recognise that if Partner re-collects participant data outside the Platform (in-person sign-up sheets, off-platform marketing consent, follow-up questionnaires) Partner becomes a separate Data Controller for that re-collected data and is independently responsible under the JDPA — Tek a Hike's consent base does not extend to it.

DSA.5 Sub-processors engaged by Tek a Hike

Tek a Hike engages the following categories of sub-processor to operate the Platform. Partner is informed of, and by accepting these Terms authorises, these engagements:

Tek a Hike will give at least 30 days' notice before adding or replacing a sub-processor that handles participant data, via the partner dashboard. Partner may object on reasonable data-protection grounds, in which case the parties will work in good faith to find a solution; failing that Partner may terminate the affected service.

DSA.6 Security measures

Tek a Hike implements appropriate technical and organisational measures, including:

• TLS 1.2+ encryption in transit
• Encryption at rest for sensitive fields (waiver, contact, special-requirement notes)
• Argon2id / Bcrypt password hashing
• Role-based access control and MFA on admin accounts
• Audit logging of administrative actions
• Regular backups, vulnerability scans, and timely patching

DSA.7 Breach notification

Partner must notify Tek a Hike's Data Protection Office at dpo@tekahike.com within 24 hours of becoming aware of any incident affecting participant data in Partner's possession or control. Partner's notification must include: the nature of the incident, the categories and approximate number of participants affected, the likely consequences, and the containment / remediation steps already taken.

DSA.8 Retention & deletion of Partner-held copies

• Active bookings: Partner may hold Participant Personal Data for as long as the booking is active.
• Completed experiences: Partner deletes local copies (printed roll-calls, exported lists, in-message attachments) within 30 days of the experience date, unless a longer retention is required by law (e.g., insurance/incident files).
• Termination of the Partner Agreement: Partner deletes or destroys all Participant Personal Data in its possession within 30 days, except where retention is required by law, and confirms deletion in writing on Tek a Hike's request.
• Tek a Hike-held records follow the retention schedule published in the Privacy Policy.

DSA.9 International transfers

Where Tek a Hike transfers personal data outside Jamaica through a sub-processor, we ensure an adequate level of protection in line with the JDPA, using approved transfer mechanisms (such as standard contractual clauses) where required.

DSA.10 Audit and assurance

On reasonable written request, and not more than once per year unless required by a regulator or following a confirmed breach, Tek a Hike will make available information necessary to demonstrate compliance with this Annex, and where appropriate allow audits by Partner or an independent auditor mandated by Partner, at Partner's cost, subject to reasonable confidentiality and security restrictions.

DSA.11 Order of precedence

If anything in this Annex conflicts with the rest of the Terms of Service or the Partner Agreement, the terms of this Annex prevail in respect of personal data.