Privacy Policy

General Scope

This Privacy Policy applies to all online offerings of Corporacion Lutz S.R.L. (hereinafter referred to as "Corporacion Lutz," "we," or "us"). It specifically covers our websites xuloo.org, corporacionlutz.com, tour.corporacionlutz.com, juandoliogym.com, pics.xuloo.org, as well as any future domains and online services operated by us. With this unified statement, we cover all our platforms, eliminating the need for separate privacy policies per domain.

We place great importance on the protection of your personal data and comply with all applicable data protection laws. This Privacy Policy is designed to meet the requirements of Dominican Law No. 172-13, the EU General Data Protection Regulation (GDPR), relevant U.S. privacy regulations (notably the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA)), and the guidelines of the U.S. Federal Trade Commission (FTC).

Below, we clearly and fully explain what types of data we collect, for what purposes we process them, on what legal basis, and what rights you have regarding your data.

Data Controller

The data controller (within the meaning of the GDPR and other data protection laws) for the processing of data on these websites is Corporacion Lutz S.R.L., based in Santo Domingo, Dominican Republic.

For any questions or concerns regarding data protection, you can contact us at any time at privacy@corporacionlutz.com.

(In this Privacy Policy, the terms "we" or "us" refer to the aforementioned company.)

Types of Data Collected and Purposes of Processing

We generally process personal data only to the extent necessary to provide our services. In particular, we collect and use the following categories of data for the respective purposes:

Data you actively provide: This includes, for example, your name, contact information (email address, address, phone number), registration details (username, password), payment information for orders/bookings, and any communication content you send us. Depending on the service, additional data may be required (e.g., health information for fitness offerings or ID and travel information for tourism bookings). We use this data to fulfill contractual obligations (such as conducting a tour you booked or managing your membership), respond to inquiries, communicate with you, and generally provide the service you requested.

Automatically collected usage data: Certain data is automatically collected for technical reasons when you use our websites. This includes your device’s IP address, device and browser information (browser type, version, operating system), date and time of access, visited pages, and possibly the referring website. We also use cookies and similar technologies to analyze usage behavior (see Section 5 – Cookies and Tracking). We process this automatically collected data to ensure the functionality and security of our online offerings (e.g., defense against attacks, error diagnosis), to improve our offerings (through anonymous usage statistics), and, where applicable, to personalize content. This usage data is typically processed without direct association with your person unless necessary for the aforementioned purposes (e.g., in case of security incidents or technical troubleshooting).

As a general rule, we do not pursue purposes beyond those mentioned above. Should we intend to use data for a new purpose, we will obtain your consent or ensure that there is a legal basis.

Legal Bases for Processing

We process personal data only on a permitted legal basis. Depending on the type of processing, the following legal bases in particular apply:

Consent: If you have given us your consent, we process your data for the purposes specified therein. (Legal basis, e.g., Art. 6(1)(a) GDPR.) This applies, for example, to the use of certain cookies (see Section 5) or the sending of newsletters to which you have expressly consented. Under Dominican Law 172-13, prior consent is also often required, and we obtain it accordingly. Note: You can revoke your consent at any time with future effect (see Section 9 on Data Subject Rights).

Contract Fulfillment / Pre-contractual Measures: We process your data when necessary to fulfill a contract with you or to carry out pre-contractual measures. (Legal basis, e.g., Art. 6(1)(b) GDPR.) This is the case when you use one of our services – such as booking a tour, purchasing a product, or creating a user account. Such processing is permitted under the GDPR and Dominican law. In U.S. law, this falls under "business purposes" that allow necessary data processing within service provision.

Legal Obligation: If we are subject to a legal obligation, we may process your data to comply with it. (Legal basis, e.g., Art. 6(1)(c) GDPR.) This includes legal retention obligations (e.g., storing business and payment data for tax purposes) or information obligations to authorities. Dominican Law 172-13 likewise allows or mandates data retention or transfer when legally required. Similar provisions exist under U.S. law for law enforcement and regulatory requests.

Legitimate Interests: We may process data to safeguard legitimate interests of our own or third parties. (Legal basis under the EU: Art. 6(1)(f) GDPR, provided your overriding rights do not prevail.) Examples: ensuring IT security, fraud prevention, direct marketing to existing customers, or improving our offerings (e.g., analyzing usage data to optimize the website). We ensure that your rights and freedoms are not disproportionately affected — a balancing of interests ensures that our legitimate interest aligns with your data protection. Where similar principles exist under Dominican or U.S. law, we rely on them accordingly (under U.S. practice, these are "legitimate business interests" that allow necessary data processing).

Note: In individual cases, other legal bases may apply (e.g., vital interests under Art. 6(1)(d) GDPR or public interest under Art. 6(1)(e) GDPR), which will be explicitly stated if applicable. Usually, these circumstances do not apply to our offerings.

Cookies and Tracking Technologies

Our websites use cookies and similar tracking technologies (such as pixels and local storage) to make your use more convenient and to gain insights into the usage of our offerings. A cookie is a small text file stored on your device. Cookies do not harm your device and do not contain viruses. We use both necessary (essential) cookies, which are indispensable for the operation of the site, and optional cookies for analytics and advertising purposes. Specifically:

Essential Cookies: These cookies are required for our websites and services to function properly. Without them, you would not be able to stay logged in or use shopping cart and checkout functions. Essential cookies store, for example, your session ID, language preferences, or other settings, and ensure that you are recognized during navigation. Because they are necessary for operation, these cookies are set without consent as soon as you access our site. You can block essential cookies via your browser settings, but doing so may impair certain website functionalities.

Analytics and Statistics Cookies: These optional cookies help us understand how visitors use our websites. They record, for example, which pages are frequently visited or whether error messages occur. This information allows us to improve our content and functionality over time. We sometimes use third-party services for this purpose — especially Google Analytics. Usage information (including anonymized IP addresses) is transmitted to Google and evaluated statistically. These cookies are set only with your explicit consent.

Advertising and Marketing Cookies: We also use cookies from selected partners to show you relevant advertisements — e.g., banners on our pages. These cookies collect information about your usage to deliver personalized content. Important: These cookies are only set if you have expressly consented, e.g., via our cookie banner. Without your consent, these cookies remain disabled.

Cookie Consent and Revocation: When you first visit our pages (if optional cookies are active), we ask for your consent via a cookie banner. There you can decide which categories of cookies you want to allow. You can withdraw or change your settings at any time — either via the cookie banner (if available) or by contacting us.

Browser Settings & “Do Not Track”: You can delete or block cookies at any time through your browser settings. Some browsers also offer a "Do Not Track" (DNT) function. Our sites currently do not specifically respond to DNT signals as no binding standard exists. Nonetheless, we treat all users in accordance with this Privacy Policy.

Disclosure to Third Parties and Service Providers

We treat your data confidentially and do not sell it to third parties. Disclosure to external recipients only occurs if it is legally permitted and one of the following reasons applies:

Commissioned Service Providers (Processors): We work with external service providers who perform services on our behalf (e.g., IT and hosting providers, email service providers, analytics services). These service providers may access personal data as part of their tasks but act strictly according to our instructions. We have entered into data protection agreements with all processors to ensure that your data remains protected. Examples: Our websites may be operated on the servers of a hosting company; such a company processes technical data (e.g., log files, database content) only according to our instructions. Similarly, analytics services like Google Analytics (see Section 5) act as our processors.

Partner Companies in Service Delivery: If necessary for the provision of our services, we disclose data to partners or auxiliary agents. For example, when booking a tour or trip, it may be necessary to transmit your information (name, possibly date of birth, booking details) to local providers, hotels, airlines, or other service providers. Similarly, if you use our fitness offerings, we may manage your membership data through an internal system or share it with local trainers, if necessary for service provision. In all cases, disclosure occurs only to the extent required and in compliance with applicable data protection regulations.

Payment Service Providers: For online payments, we integrate external payment services, such as Stripe or PayPal, to ensure secure transaction processing. When you make a payment, the required payment information is transmitted directly to the respective payment provider (e.g., credit card number, invoice amount, name). These third parties process your payment data as independent controllers in accordance with their own privacy policies. We typically only receive confirmation of payment and basic information (such as name, email, successful payment) for accounting purposes. Note: We do not store full credit card or account information in our systems, except what is necessary for bookkeeping (e.g., transaction ID).

Legally Required or Legitimate Disclosure: In certain situations, we may be obliged to disclose data to third parties if required by law or official order. This includes disclosure to authorities (police, supervisory authorities, courts) as part of laws or ongoing proceedings. Disclosure may also occur if necessary to enforce our rights — such as asserting claims (transfer to collection agencies or lawyers) or defending against legal claims. In the case of a corporate transaction (e.g., merger, acquisition, or sale of business parts), it may also be necessary to transfer personal data to third parties (buyers, audit advisors). In all cases, we ensure adequate data protection and compliance with legal requirements.

Disclaimer for Third Parties: External recipients to whom we transfer data based on the above reasons are either contractually bound as our processors or act as independent controllers for defined purposes. We carefully select our partners but cannot accept liability for their data protection practices beyond our control. We ensure that appropriate agreements are in place at the time of data transfer. For more information, we recommend reviewing the respective third-party privacy policies (e.g., Google, Stripe, PayPal, etc.). No other transfer of your personal data to third parties occurs unless you have expressly consented.

Data Transfers to Third Countries

Corporacion Lutz S.R.L. is based in the Dominican Republic; we also use services from companies located in other countries (e.g., the USA). Therefore, your personal data may be transferred to and processed in countries outside your home country.

EU/EEA Users: If you access our services from the European Union or the EEA, please note that your personal data may be transferred to countries outside the EEA that do not provide a level of data protection equivalent to that of EU law. Specifically, your data may be processed in the Dominican Republic (outside the EU) due to our business location and may be transferred to services in the USA (e.g., Google or payment providers). To ensure an adequate level of data protection, we implement appropriate safeguards according to Art. 44 et seq. GDPR. This includes, in particular, the conclusion of EU Standard Contractual Clauses (SCCs) with recipients in third countries, obligating them to comply with European data protection standards. Some U.S. providers may also be certified under the EU-U.S. Data Privacy Framework, which is recognized by the EU. Where applicable (e.g., Google is certified), we rely on such certification. In some cases, we also rely on exceptions under Art. 49 GDPR, e.g., when the transfer is necessary to perform a contract with you.

Dominican Users: We also comply with the requirements of Dominican Law 172-13 regarding international data transfers. Generally, this law requires that personal data may only be transferred to another country if sufficient safeguards exist or with the consent of the data subject. When we transfer data from the Dominican Republic to foreign service providers (e.g., in the USA or Europe), we ensure appropriate contractual safeguards (comparable to the standard clauses mentioned above) or obtain your consent if necessary.

USA/Canada and Other Countries: If you are a user from the USA, Canada, or another non-EU/DR country, your data may be processed in the Dominican Republic and possibly in other countries (such as the USA). We ensure that recognized safeguards are in place. For example, our U.S. service providers are contractually bound as "Service Providers" under the CCPA, ensuring that they use your data only for specified purposes and maintain an appropriate security level. Regardless of your country of origin, the protections of this Privacy Policy apply. Your data will not be transferred to third countries without adequate safeguards. If you have questions about specific measures or would like copies of contractual clauses, you may contact us.

Data Retention Periods

We only store personal data as long as necessary for the respective purposes. After that, we delete or anonymize the data unless legal retention obligations prevent this. The specific storage periods depend on the type of data and the purpose of processing:

Account and Profile Data: Data linked to your user account or profile is generally retained for the duration of active use. If you delete your account (or it is deleted by us) or no longer use our services, this data is usually removed from our active systems shortly thereafter. If certain information must be retained for legal reasons, it will be blocked and no longer actively used.

Contract and Transaction Data: Personal data collected in connection with a booking, order, or other transaction (e.g., contract data, invoice, and payment data) is retained as long as necessary for contract performance and fulfillment of subsequent obligations. After full performance, we restrict processing and delete the data after the expiration of any applicable legal retention periods. For example, under Dominican and international commercial and tax laws, we are obligated to retain certain business records (e.g., invoices, payment receipts) for 5–10 years, depending on the regulation. These data are not used for other purposes during the retention period and are routinely deleted afterward.

Communication Data: If you contact us (e.g., by email or via a contact form), we store your information and communications as long as necessary to handle your inquiry and any follow-up questions. Once the matter is resolved, we delete the relevant communication data unless legal obligations require otherwise.

Newsletter and Marketing Data: If you subscribed to a newsletter or similar communications, we store the necessary data (e.g., your email address) until you unsubscribe or request deletion. Upon unsubscribing, your contact information will be immediately removed from the distribution list. A minimal data set (e.g., email address and timestamp of unsubscription) may be retained to prove your unsubscription and prevent further mailings.

Log and Protocol Data: Server logs and similar data (e.g., access logs) are usually retained for only a few weeks (typically 4–8 weeks) to monitor system security and diagnose errors. In the event of security incidents (e.g., cyberattacks), affected log files may be retained longer until the incident is fully resolved.

Data Backups: To protect against data loss, we create regular backups of our databases and systems. These backups are retained only as long as necessary for restoration purposes. Older backups are overwritten at defined intervals. Access to backups occurs only when necessary (e.g., data loss) and always under the data protection principles outlined in this policy.

Once the purpose for processing data ceases and no legal retention obligations exist, the respective personal data is routinely deleted. In individual cases, data is initially blocked if deletion is prohibited by legal or contractual obligations. Alternatively, anonymization may occur if no personal reference can be established thereafter.

Rights of Data Subjects

As a data subject, you have various rights regarding your personal data processed by us, depending on applicable data protection law. These rights are available under the GDPR, the Dominican Data Protection Law, and, with some differences, under the CCPA. We respect your rights and support you in exercising them. Specifically, you have the following rights:

Right of Access: You have the right to request confirmation as to whether we are processing personal data about you. If this is the case, you may request access to this data. Your right of access includes information about the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom the data has been disclosed, (if possible) the intended storage period or the criteria for determining it, and your other rights regarding this data. You also have the right to obtain a copy of the personal data undergoing processing. (Art. 15 GDPR; under Dominican law there is a comparable right of access; under the CCPA, California consumers have the right to know the categories and specific pieces of personal information collected about them over the past 12 months.)

Right to Rectification: If we process inaccurate or incomplete personal data about you, you have the right to request correction of this data. We will correct incorrect information and complete incomplete data as appropriate. (Art. 16 GDPR; a corresponding right to update/correct data also exists under Dominican data protection law.)

Right to Erasure ("Right to be Forgotten"): You can request the deletion of your personal data under certain conditions. Your right to deletion exists, for example, if the purpose of processing no longer applies, if you have withdrawn your consent and there is no other legal basis, or if we are processing your data unlawfully. In such cases, we will delete your personal data without delay. Please note that the right to erasure has exceptions. We are not required to delete data if we are legally obligated to retain it (e.g., for tax records), if the data is needed to assert, exercise, or defend legal claims, or in other legally prescribed cases. (Art. 17 GDPR; Dominican law also grants the right to delete unlawful or outdated data; under the CCPA, consumers have the right to request the deletion of personal information collected by a business, subject to certain statutory exceptions.)

Right to Restriction of Processing: Under certain circumstances, you can request that we temporarily restrict the processing of your data. This means that the relevant data – aside from storage – will only be processed with your consent or for narrowly defined purposes. Such a right exists, for example, if you dispute the accuracy of your data (for the duration of the verification) or if you have objected to the processing (pending the verification of whether our legitimate interests override yours). If the processing is unlawful but you oppose erasure and instead request restriction, you may exercise this right. (Art. 18 GDPR.) In the event of restriction, we will mark the affected data and ensure it is not further processed.

Right to Data Portability: You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format. You also have the right to request that we transmit this data directly to another company, where technically feasible. This right applies where processing is based on your consent or a contract and carried out by automated means. (Art. 20 GDPR.)

Right to Object: You have the right to object to the processing of your personal data for reasons arising from your particular situation, where the processing is based on legitimate interests (Art. 21(1) GDPR). If you object, we will no longer process your data for those purposes unless we can demonstrate compelling legitimate grounds. Objection to Direct Marketing: You can object to the processing of your personal data for marketing purposes at any time (Art. 21(2) GDPR).

Right to Withdraw Consent: If we process your data based on your consent, you have the right to withdraw this consent at any time. A withdrawal applies to the future; processing carried out based on consent before withdrawal remains lawful.

Right to Opt-Out (Do Not Sell My Personal Information, CCPA): Consumers residing in California have the right to opt-out of the sale of their personal information to third parties. Note: We currently do not sell personal information to third parties. Should this change, we will inform you in advance.

Right to Non-Discrimination (CCPA): If you exercise your rights under the CCPA as a California consumer, you must not be subjected to discriminatory treatment. All users receive the same quality of service from us.

Right to Complain / Legal Remedy: If you believe that we are unlawfully processing your data or are not adequately protecting your rights, you have the right to lodge a complaint with the relevant supervisory authorities — in the EU, in the Dominican Republic, or in the USA.

Exercising Your Rights: To exercise any of the above rights, you may contact us informally at any time. Please use the contact options mentioned in Section 2. We will respond within the statutory timeframes: usually within one month in the EU, within 10 days in the Dominican Republic, and within 45 days in California.

Security of Data Processing

We implement extensive technical and organizational security measures to protect your personal data from the risks of loss, misuse, unauthorized access, unauthorized disclosure, or alteration. These measures are continuously adapted in line with technological progress. Examples of our security measures include:

  • The transmission of sensitive data is always encrypted (e.g., using SSL/TLS encryption, recognizable by "https://" in the URL).
  • Our systems are secured against unauthorized access by firewalls and other protective mechanisms.
  • Access to personal data within our company is restricted to those employees who need it to perform their duties ("need-to-know" principle). These employees are bound by confidentiality obligations and receive regular data protection training.
  • We implement appropriate access controls and authentication procedures to ensure that only authorized persons have access to data.
  • Regular backups, security reviews, and, if necessary, penetration tests are conducted to ensure the integrity and availability of the data.

Please note that despite all efforts, no electronic communication or storage can ever be 100% secure. However, we continuously strive to maintain a high level of security. Should a data breach occur that is likely to result in a high risk to your rights and freedoms, we will promptly inform you and – if applicable – the competent supervisory authority about the incident, as required by law (e.g., Art. 33/34 GDPR).

User Responsibility: We encourage you to contribute to security yourself. For example, keep your login credentials confidential, use secure passwords, and do not disclose sensitive information lightly to third parties. If you suspect that your account or your data with us has been compromised, please inform us immediately so that we can take appropriate protective measures.

Changes to This Privacy Policy

We reserve the right to adapt or update this Privacy Policy as needed. Reasons for changes may include adjustments to our services (e.g., introduction of new features requiring data usage) or changes in legal requirements (e.g., new data protection laws or regulatory decisions).

In the event of significant changes to the Privacy Policy, we will inform you appropriately. This may be done by means of a clearly visible notice on our websites and – if we have your email address – possibly also by direct notification.

The current version of the Privacy Policy will always be published on our websites, including the date of entry into force.

Please review this Privacy Policy from time to time, especially before submitting personal data to us. In case of doubt, the current online version shall apply.

If a change affects a use of data for which your consent is required, we will of course ask for your prior consent.

Version of this Privacy Policy: April 2025.