PRIVACY POLICY

Version: September 8, 2025 (download)

WHO WE ARE

Website: https://www.caricoos.org/
© All rights reserved — Caribbean Coastal Ocean Observing System Inc. (CARICOOS), Puerto Rico

CARICOOS, the Caribbean Coastal Ocean Observing System, commits to providing open and timely access to all non-confidential environmental and oceanographic datasets for Puerto Rico and the U.S. Virgin Islands collected or managed under the IOOS Act, in accordance with NOAA/IOOS open data policies. CARICOOS respects the privacy of all visitors to our website (the “Website”). This Privacy Policy (the “Policy”) describes how we collect, store, use, share, protect, and disclose your personal information when you interact with our online resources, services, networks, and platforms, including access to real-time data, educational materials, and other services, through the Website, and with our Business WhatsApp Cloud.

This Policy does not apply to products, services, websites, and mobile applications not provided by CARICOOS. We recommend that you read the privacy policies of such third parties. CARICOOS is not responsible for the privacy practices or content of any such third parties’ websites, products, or services.

We may update this Policy from time to time. Any updates will be posted on CARICOOS’ Website at https://www.caricoos.org and are effective as of the date first published. If at any time you find this Policy unacceptable, you should cease using the Website.

SCOPE OF THE PRIVACY POLICY

This Policy applies to information collected through the Website operated by CARICOOS and through our official WhatsApp phone number, powered by the Meta WhatsApp Business Cloud API. The Policy explains our practices regarding the collection, storage, use, sharing, protection, and disclosure of personal data voluntarily provided by users in connection with our services.

Our primary mission is to deliver ocean observation information and educational resources to the public. In providing these services, we may collect limited personal data to support functionality and improve user experience on the Website.

WHAT DATA DO WE COLLECT AND WHY DO WE COLLECT IT

1.    Personal information

We may collect information about you that directly identifies you, such as your name, email address, and telephone number, to assist in providing our services through the Website and WhatsApp.

We may obtain this information from you directly, automatically through your navigation of the Website, or from third parties.

We may also collect information that does not directly identify you but that can be associated with you and your use of devices, such as IP address and device numbers. In certain jurisdictions, some of the information that we collect from you could be considered biometric data.

We may collect information about you in the following ways, among others:

  • Information you give us directly, such as when you complete any of our services forms, subscribe to updates, or send us e-mails.
  • Automatically collected from your device (e.g., IP address, browser type, operating system, and/or phone number) when you interact with the Website.
  • From third parties, such as service providers who deliver operational support or process data on our behalf.

1.1. How We Use Your Information

We use the information we collect about you and your interactions with the Website for purposes including:

  • Improving the Website and related services.
  • Providing materials or datasets you request.
  • Verifying user access to specific features or datasets.
  • Improving content delivery and user experience.

We will obtain your consent before using your personal information for any additional purposes not described in this Policy. 

1.2. How We Share Your Information

CARICOOS does not sell or rent your personal data to any third parties. We may share personal data only as described in this Policy, such as with trusted service providers who process data on our behalf or as required by law.

This commitment applies solely to personal data. Environmental and oceanographic datasets collected or managed under the Integrated Coastal and Ocean Observation System (IOOS) Act may be shared publicly in accordance with NOAA/IOOS open data policies and legal obligations.

2.    Comments and Media

We do not allow public comments or media uploads on the Website. All Website content is created, published, and managed by CARICOOS and its collaborators.

3.    Cookies

This website does not offer user accounts to the public. Any cookies used are strictly for operational purposes by contributors or partners. General users will not receive persistent cookies for login or personalization. Where optional cookies (such as analytic cookies) are used, they are activated only with the user’s prior consent, in compliance with applicable data protection and privacy laws.

4.    Embedded content from other websites

Some pages may include embedded content (e.g., videos, charts, or articles) from external websites. Such content behaves as if you visited the external site directly. These third-party sites may collect personal data about you, use cookies, embedded additional third-party tracking, and monitor your interaction with the embedded content, including tracking your activity if you have an account and are logged into that website. We encourage you to review the privacy policies of any such external sites before interacting with their content.

5.    Third-Party Links

Our site may link to external websites. CARICOOS is not responsible for the privacy practices or content of these sites. We strongly encourage users to review the privacy policies and terms of use of any linked websites before providing personal information or engaging with their content.

6.    Analytics

We use Google Analytics to understand how visitors interact with our Website. Google Analytics may collect:

  • Browser type and version
  • Geographic location (general, not precise geolocation)
  • Interaction patterns (e.g., downloads, page visits, or navigation flows)
  • Download statistics to evaluate the usage of our educational toolkit package to assess public interest

CARICOOS may also maintain internal download logs to evaluate demand and improve service delivery.

6.1. Who we share your data with

Only aggregated statistics are shared with collaborators and funders. We do not share personal data or any information that could identify individual users from specific sessions.

6.2. How long do we retain your data

  • Site visit logs: Retained for one (1)  year for security and operational purposes
  • Google Analytics summaries: Stored indefinitely to analyze long-term trends in accordance with applicable data protection regulations.

Where required by law, CARICOOS will be anonymized or deleted once is no longer necessary for the purposes described.

7.    Use of AI Applications

We use artificial intelligence (AI) applications to improve the delivery of real-time ocean data to users. These AI systems process and analyze environmental datasets to provide timely updates. Communication with users can occur through various channels, including, but not limited to, text messaging, email, and mobile notifications.

By opting in to receive such communications, users acknowledge and consent to the processing of their contact information and any related request parameters for the purpose of delivering real-time data updates. Where required by law, such processing will be based on explicit consent, which may be withdrawn at any time without affecting the lawfulness of processing prior withdrawal.

We are committed to protecting your personal information and ensuring that all AI-driven communications comply with applicable data protection regulations. Users may opt out of these communications at any time by contacting our support team.

8.    Messaging Via WhatsApp Cloud API

The following subsections explain how CARICOOS collects, uses, and protects your personal information when you interact with our official WhatsApp number, powered by the WhatsApp Cloud API. We are committed to safeguarding your privacy and ensuring transparency in our data practices. By using our WhatsApp services, you acknowledge and consent to the collection and use of our personal information as described in this Policy, in accordance with applicable data protection laws.

When you message our official WhatsApp number:

  • Your message is end-to-end encrypted between your device and Meta’s servers. Meta temporarily stores the content for up to 30 days solely to deliver our response.
  • CARICOOS retrieves the content through the WhatsApp Business Cloud API and processes it on our self-hosted n8n server located in DigitalOcean NYC3 (USA).
  • Parts of your text (never your phone number) may be pseudonymized and sent to OpenAI LLC (USA) to generate a natural-language reply.
  • Messages are stored in plain text on our server for 30 days, after which they are deleted or anonymized. Encrypted backups are retained for an additional 30 days for disaster recovery purposes.
  • To stop receiving automated responses, simply send STOP at any time. We will honor the request immediately and cease processing your messages.

We comply with the WhatsApp Business Terms of Service and the WhatsApp Business Data Processing Terms of Service. Meta acts as an independent controller for message transmission; CARICOOS acts as a separate controller for the content once delivered.

8.1. Automated Decision and AI

The chatbot automatically selects the nearest buoy to your specified location to provide conditions. This decision has no legal or similarly significant effect. You have the right to request human intervention, to express your point of view, and to contest any AI-generated response.

8.2. Children’s Privacy

Our services are not intended for children under 13 years of age. In compliance with the Children’s Online Privacy Protection Act (COPPA), if we discover that we have inadvertently collected personal information from a child under 13, we will promptly delete it. While COPPA sets 13 as the minimum age for online services, this service is designed for individuals aged 18 and older. Minors aged 13 to 17 may only use the service with the explicit consent and supervision of a parent or legal guardian.

8.3. Third-Party Service Providers

PROVIDERSERVICELOCATIONSAFEGUARDS
Meta Platforms IrelandWhatsApp Cloud API, authenticationEU (Ireland) / USAStandard Contractual Clauses 2021/914
Amazon Web Services LLCBack-up storage (S3, us-east-1)USASCC + AES-256 at rest
OpenAI LLCLarge-language model responsesUSA / EUSCC + text is pseudonymized
Google LLCGoogle Analytics (website only)USAIP anonymization, consent banner
CARICOOS/IOOSClimate research (aggregated)USAPublic-interest data sharing

Note: We do not sell or rent your personal data to any third parties.

8.4. Device and Usage Information

We automatically collect information such as your IP address and device identifiers when you visit the website or interact with embedded content. This data is used for security purposes and to improve analytics.

8.5. User-Generated Content

Chat messages sent to our WhatsApp bot or feedback forms are used to provide answers and improve our AI models.

8.6. Ocean Data Queries

Buoy identifiers, model parameters, and filters contained in your request are used solely to answer your query and maintain aggregated statistics.

8.7. Legal Basis for Processing Personal Data under General Data Protection Regulation (GDPR)

PURPOSELEGAL BASIS
Deliver requested forecasts or educational materialsContract (Article 6(1)(b)) – Processing is necessary to fulfill a service you have requested.
Send first reply on WhatsApp after you initiate the conversationConsent (Article 6(1)(a)) – Provided when you voluntarily message us on WhatsApp.
Analytics, fraud prevention, AI optimizationLegitimate Interests (Article 6(1)(f)) – A balancing test has been conducted and is available upon request.
Compliance with NOAA/IOOS open-data mandates and legal obligationsLegal Obligation (Article 6(1)(c)) – Required to comply with statutory or regulatory duties.

Note: Under GDPR Article 6, every personal data processing activity must be based on a valid legal basis, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests. The use of legitimate interests requires a careful balancing test and proper documentation to ensure it does not override the rights and freedoms of the data subject.

9.    Data Retention

Personal information is retained only as long as necessary to fulfill the purposes outlined in this Policy or comply with legal obligations. You may request deletion of your personal information at any time, subject to the exclusions noted below. Environmental and oceanographic observational data collected, processed, or managed by CARICOOS under the IOOS Act will be retained and archived in accordance with NOAA/IOOS and National Centers for Environmental Information (NCEI) standards to ensure long-term public access scientific reproducibility.

DATA CATEGORYRETENTION PERIOD
Website access logs12 months
Google Analytics aggregated statisticsIndefinite (aggregated)
WhatsApp chat content30 days
Encrypted back-ups+30 days
Email correspondence7 years (legal & fiscal)
AI training text (pseudonymized)≤ 24 months

10. Your Rights

Depending on your jurisdiction, you may have rights to:

  • Access or request a copy of your personal data
  • Request correction or deletion of your data
  • Withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.
  • Object to certain processing activities based on legitimate interests, or request restriction of processing.
  • Lodge a complaint with the corresponding authority, where applicable.

To exercise these rights, contact us at: dmac@caricoos.org.

11. Security

CARICOOS takes the protection of your personal data seriously and employs a combination of technical and organizational safeguards to prevent unauthorized access, misuse, or disclosure. Our security measures include:

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for data at rest
  • Role-Based Access Control (RBAC) to limit data access to authorized personnel only
  • Annual penetration testing and a formally audited incident response plan
  • Breach notification procedures, including informing affected users and Meta within 72 hours when legally required

12. Other Disclosures

CARICOOS will share personal identifiable information with third parties only if we have a good-faith belief that disclosure is reasonably necessary to:

  • Comply with applicable laws or legal requests
  • Enforce our policies or terms of use
  • Detect or address security or fraud issues
  • Protect the rights, safety, or property of CARICOOS, its partners, or the public

13. Contact Us

If you have any questions about this Policy or how your data is handled, please contact:

Caribbean Coastal Ocean Observing System Inc.
Email: d@caricoos.org

14. Changes to This Policy

This Policy may be updated periodically. We will post changes on this page and update the effective date. When required by law, we will provide prior notice of material changes and, if necessary, seek your consent before such changes take effect. Your continued use of our website after changes have been posted indicates your agreement to the revised Policy.

TERMS OF SERVICE FOR CARICOOS OFFICIAL WHATSAPP NUMBER

These Terms of Service (“ToS”) govern the use of the official CARICOOS WhatsApp phone number, operated through the Meta WhatsApp Business Cloud API. By initiating communication with this number, you acknowledge that you have read, understood, and agree to be bound by these ToS, including provisions on acceptable use, data handling, and service limitations.

1.    Service Description

CARICOOS provides wind, wave, tide, current, oceanographic, and numerical forecast data through APIs, web applications, and a WhatsApp chatbot based on Meta’s Cloud API.

2.    Eligibility

This service is intended for individuals aged 18 and older. Minors aged 13 to 17 may only use the service with the explicit consent and active supervision of a parent or legal guardian. Corporate or organizational users must have the authority to accept these ToS on behalf of their entity.

3.    Acceptable Use

  • Permitted Uses:
    • This service may be used for general informational purposes, including personal inquiries and support for scientific or academic research.

Please note that CARICOOS is not an official government weather authority and does not replace services provided by agencies such as the National Weather Service (NWS). While we strive to provide accurate and timely information, all data is provided “as is” without any express or implied warranties, and should be used at your own risk. Users should consult official sources for decision-making.

  • Prohibited Uses:
    • You may not use this service for:
      • Resale or redistribution of content without adherence to the Creative Commons BY 4.0 license
      • Attempting to interfere with, disrupt, or gain unauthorized access to system operations
      • Sharing or promoting illegal, violent, discriminatory, or harmful content

4.    Intellectual Property

Processed data is provided under a Creative Commons BY 4.0 license. All software code, AI models, datasets, and trademarks are and remain the exclusive property of CARICOOS, unless otherwise expressly stated.

5.    Fees

All services and data are offered completely free of charge to users.

6.    Limitation of Liability

Data is provided “as is.” CARICOOS makes no guarantees regarding the accuracy, completeness, or uninterrupted availability of the information. To the maximum extent permitted by law, CARICOOS disclaims all liability for any damages, direct or indirect, arising from the use of the service.

7.    Indemnification

You agree to indemnify, defend, and hold harmless CARICOOS for any claims, liabilities, damages, or expenses (including reasonable attorneys’  fees) arising from your misuse of the service or violation of these ToS.

8.    Termination

CARICOOS reserves the right to suspend or terminate access for any violations of these ToS. Users may discontinue use of the service at any time without incurring any penalties.

9.    Governing Law

These Terms of Service are governed by the laws of the Commonwealth of Puerto Rico and applicable federal laws of the United States. Any disputes arising under these terms shall be resolved exclusively in the U.S. District Court for the District of Puerto Rico.

10. Modifications

CARICOPOS reserves the right to modify these ToS. Any material changes will be communicated at least 30 days in advance. Where required by law, we will also seek your consent before implementing changes that materially affect your rights. Continued use of the service after the notice period constitutes your acceptance of the updated ToS.

DATA DELETION POLICY

1.    Data Collection and Retention

  • No user account is required to access or use our Website or WhatsApp chatbot.
  • We do not request or collect names, phone numbers, or any personally identifiable information (PII) unless it is voluntarily provided by the user in the course of communication.
  • Chat conversations may be stored solely for quality assurance and service improvement purposes. They are not used for profiling, advertising, or marketing.
  • Any data that is retained is anonymized and managed securely, in full compliance with applicable data protection regulations.

2.    Right to Erasure

You have the right to request deletion of your data under the following conditions:

  • The data is no longer necessary for the purposes for which it was collected.
  • You withdraw your consent (where processing was based on consent).
  • Deletion is required to comply with a legal obligation.

How to Request Deletion:

  • To request the deletion of your personal data, please email us at dmac@caricoos.org with the subject line: “Delete My Data.”
  • Your request will be reviewed and processed in accordance with applicable data protection laws. You may be asked to provide additional information to verify your identity.

3.    Deletion Workflow

Once a request is received, we follow this process:

  1. Acknowledge request within 24 hours
  2. Verify identity
  3. Erase or anonymize data in production systems
  4. Purge data from backups – within 30 days
  5. Issue a confirmation code

4.    Exclusions

Some data are excluded from deletion requests:

  • Aggregated NOAA/IOOS research data, including all original and quality-controlled observational datasets and associated metadata required under NOAA/NCEI retention schedules.

5.    Cookies Notice

We use the following types of cookies on our website:

  • Essential cookies: Required for basic functionality and security.
  • Optional cookies: Google Analytics cookies used for site analytics, activated only with your consent.

6.    Legitimate Interest Assessment (LIA) Summary

  • Device-level data is processed to:
    • Prevent fraud
    • Optimize infrastructure performance
  • User impact is minimal and outweighed by benefits such as improved marine safety
  • No less-intrusive alternative exists
  • Data are retained for a maximum of 90 days
  • Data is never sold

7.    Data Protection Officer (Interim)

Email: dmac@caricoos.org

Cookies Policy

This website utilizes cookies solely for the purpose of improving user experience and facilitating site functionality. A “cookie” is a small text file placed on a user’s device by a web server, which may be either temporary in nature (“session cookies”) or stored for a longer duration (“persistent cookies”).

1. Use of Cookies by This Website

This website does not employ persistent cookies or other persistent tracking technologies for any internal operations. No personally identifiable information is collected or retained through the use of persistent cookies.

2. Use of Third-Party Services

This website makes use of Google Analytics, a third-party web analytics service provided by Google LLC. Google Analytics collects non-personally identifiable information about website usage, including but not limited to pages visited, duration of visit, and browser type. In order to perform these functions, Google Analytics may place a persistent cookie on the user’s device to recognize repeat visits. The data collected by Google Analytics is subject to Google’s Privacy Policy.

3. Use of Session Cookies

Certain pages or components of this website may employ session cookies to facilitate navigation or enhance functionality during an active browsing session. Session cookies are temporary and are automatically deleted from the user’s device when the browser is closed. No personal information is collected, stored, or retained through the use of session cookies.

4. Consent and Control

By continuing to use this website, users consent to the placement of cookies as described herein, unless the user disables cookies through their browser settings. Users have the right to manage, restrict, or delete cookies at any time through their browser preferences.

5. Contact Information

For any questions or concerns regarding this Cookies Policy or the data practices of this website, please contact us at dmac@caricoos.org.