Privacy Policy — WaterParkUSA.org — CCPA/CPRA & State Privacy Laws

Privacy Policy

How waterparkusa.org/ Handles Personal Data — U.S. State Privacy Laws

This Privacy Policy sets out what personal data we collect, why, how long we keep it, who we share it with, and your rights under U.S. state privacy laws — CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TDPSA (Texas), OCPA (Oregon) and a growing list — plus the federal Children’s Online Privacy Protection Act (COPPA).

Effective date: January 1, 2026
Last reviewed: April 2026
Controller: waterparkusa.org/ Editorial
⚠ We do not hold any park booking information

waterparkusa.org/ is an editorial directory. We do not hold, process or store any ticket purchase, season-pass account, cabana reservation, locker rental, or other transactional record. Booking information is held by the park and its ticketing provider. For booking access, refunds or any account matter, contact the park directly.

What is in this notice

  1. Scope and controller
  2. Personal information we collect
  3. Why we collect it
  4. Who we share it with
  5. “Sale” / “share” disclosure
  6. Retention
  7. Your rights under state privacy laws
  8. Exercising rights
  9. Children — COPPA
  10. Security
  11. Changes
  12. Contact

1. Scope and Controller

This Privacy Policy applies to waterparkusa.org/. The "business" / "controller" is waterparkusa.org/ Editorial, contactable at info@waterparkusa.org. This notice does not apply to the CPSC, the CDC, any health department, the WWA, IAAPA, the PHTA, the NRPA, any park operator, or any parent company we link to. Each is its own controller with its own privacy policy.

2. Personal Information We Collect

CategoryExamplesSource
IdentifiersIP address, device ID, browser user agentAutomatic when you visit
Internet / network activityPages viewed, time on page, referrer, internal searchesAutomatic
Contact dataEmail address, name (if provided), message contentYou — only if you email us
Cookies / similar techSee Cookie PolicyAutomatic; managed by the cookie banner
Approximate locationCity and state inferred from IPAutomatic
What we do NOT collect

We do not collect your name, mailing address, Social Security number, payment-card data, bank-account data, ticket or season-pass number, biometric data, precise geolocation, or any park-account identifier. If you accidentally include any such data in an email to us, we delete it on receipt and ask you to take park-specific questions to the park itself.

3. Why We Collect It

  • To operate the site — serve pages, remember cookie preferences, protect against abuse
  • To understand which park guides are useful — aggregated, anonymous analytics
  • To respond to you when you email us a correction or inquiry
  • To display non-personalized or personalized advertising depending on your consent
  • To detect and prevent fraud, scraping and attacks
  • To comply with legal obligations — lawful subpoenas, court orders and government information requests

4. Who We Share It With

  • Service providers / processors — hosting, CDN/security (Cloudflare), analytics (Google Analytics 4), advertising (Google AdSense), email — under written agreements meeting the “service provider” / “processor” definitions under CCPA/CPRA, VCDPA, CTDPA, CPA, UCPA, TDPSA and OCPA
  • Authorities — when required by law, valid legal process (subpoena, court order, warrant), or to protect rights and safety
  • Successors — in a merger, acquisition or sale; we require the successor to honor this notice

5. “Sale” and “Sharing” Disclosure

We do not “sell” personal information for money

However, the broad definitions of “sale” under California’s CCPA/CPRA and “sharing” under the CPRA (for cross-context behavioral advertising) can cover the disclosure of cookie-based identifiers to third-party advertising partners (e.g., Google AdSense) when you have not opted out. To the extent any of our cookie-based advertising falls within those definitions, you can opt out via the Global Privacy Control (GPC) signal (which we honor as a “Do Not Sell or Share” request), the cookie banner, the “Do Not Sell or Share My Personal Information” footer link where displayed, or Google’s opt-out at adssettings.google.com.

6. How Long We Keep It

CategoryRetention period
Web server & security logs30 days
Aggregated GA4 analytics14 months
Email correspondence24 months from last interaction
Cookie consent records12 months from your choice
Rights-request audit trail3 years (state AG enforcement window)

7. Your Rights Under State Privacy Laws

StateLawKey rights
CaliforniaCCPA (Cal. Civ. Code §1798.100 et seq.) as amended by CPRAKnow, access, delete, correct, opt-out of sale/share, limit sensitive PI, non-discrimination
VirginiaVCDPAAccess, correct, delete, portability, opt-out of targeted advertising, sale and certain profiling
ColoradoCPAAccess, correct, delete, portability, opt-out; universal opt-out signal recognition
ConnecticutCTDPAAccess, correct, delete, portability, opt-out; GPC recognition
UtahUCPAAccess, delete, portability, opt-out of targeted advertising and sale
TexasTDPSAAccess, correct, delete, portability, opt-out
OregonOCPAAccess, correct, delete, portability, opt-out; third-party-list disclosure
Other statesIowa, Indiana, Tennessee, Montana, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Kentucky, Rhode Island, and a growing listSimilar core rights; effective dates and thresholds vary

If your state is not listed, you may still email us and we will give the same core rights as a matter of policy.

8. How to Exercise Your Rights

Email info@waterparkusa.org with the subject “Privacy rights request” and the right you are exercising. We respond within 45 days (extendable by 45 days when necessary, with notice) as required by most state laws. We may need to verify your identity using information already in our records. You can use an authorized agent; for California requests via an agent, we require written authorization.

9. Children — COPPA

The site is not directed at children under 13. Under the federal Children’s Online Privacy Protection Act (COPPA) and its implementing rule (16 CFR Part 312), we do not knowingly collect personal information from children under 13. Although our content (water parks) is family-oriented, the site is written for parents and guardians planning visits, not directed at children. If you believe a child under 13 has provided personal information to us, email us with the subject “COPPA / child data” and we will delete it. For minors aged 13–15, California’s CPRA requires opt-in consent before “selling” or “sharing” their personal information, which we do not do regardless.

10. Security

We use technical and organizational measures appropriate to the limited categories of personal information we process — TLS/HTTPS in transit, encryption at rest where applicable, access controls, vendor due diligence, and a breach-response procedure aligned with state breach-notification statutes (e.g., Cal. Civ. Code §1798.82) and FTC data-security guidance.

11. Changes to This Notice

We update this notice when our practices or U.S. law change. The “Last reviewed” date at the top reflects the current version. Material changes are flagged on the site for 30 days.

12. Contact

For any privacy question or rights request: info@waterparkusa.org

You may also complain to the Federal Trade Commission (FTC) at reportfraud.ftc.gov, your state Attorney General, or (in California) the California Privacy Protection Agency at cppa.ca.gov.

Exercise a Privacy Right

Email us with the subject “Privacy rights request”. We respond within 45 days.

📧 info@waterparkusa.org