Privacy Policy

Luxara International Inc.  ·  Last Updated: May 13, 2026  ·  Version 2026.05

At a glance

This summary is provided for convenience only; the full policy below governs.

  • Who we are: Luxara International Inc., a corporation under the laws of Alberta, Canada. Our website is www.luxara.ca. Contact: privacy@luxara.ca.
  • What we do: We offer co-ownership ("fractional ownership") interests in luxury real estate in Canada and Costa Rica, together with related booking, concierge, and member services.
  • What we collect: Identity and contact information, investor due-diligence information (KYC/AML, source of funds, accreditation, financial details), property usage and booking information, communications, and standard website analytics.
  • Why we collect it: To administer your investment, comply with securities and anti-money-laundering laws, manage property bookings, communicate with you, and operate our business.
  • Who we share it with: Property managers, payment processors, identity-verification and compliance providers, legal and accounting professionals, technology vendors, co-owners of the same property (limited information), and regulators where required by law.
  • We do not sell your personal information.
  • Your rights: Depending on where you live, you have rights to access, correct, delete, restrict, port, or object to processing of your personal information, and to withdraw consent. See Section 13.
  • How to reach us: Privacy Officer, privacy@luxara.ca, Luxara International Inc., 1600, 421 – 7th Avenue SW, Calgary, Alberta T2P 4K9.

1. Scope and acceptance

This Privacy Policy ("Policy") describes how Luxara International Inc. and its affiliates ("Luxara," "we," "us," or "our") collect, use, disclose, and otherwise process personal information in connection with:

  • the website at www.luxara.ca and any sub-domains (the "Site");
  • the Luxara investor portal, member areas, mobile applications, and any related services (collectively, the "Services"); and
  • offline interactions, including in-person events, telephone calls (which may be recorded for quality and compliance), correspondence, and visits to properties we manage or syndicate.

This Policy applies to prospective and current investors, co-owners and their authorized guests, website visitors, newsletter subscribers, event attendees, business partners, and individuals who otherwise interact with us. It does not apply to data we process about our employees or job applicants, which is governed by separate notices.

By accessing or using the Services, you confirm that you have read and understood this Policy. If you do not agree, do not use the Services. Where we rely on your consent to process your personal information, we will ask for it separately and you may withdraw it at any time (see Section 13).

This Policy should be read together with our Terms of Service, our cookie policy, and - for investors - any subscription agreement, limited partnership agreement, co-ownership agreement, or related disclosure document we provide to you. In the event of a conflict between this Policy and an investor-specific notice we deliver to you in connection with a transaction, the investor-specific notice governs that transaction.

2. Who we are and how to contact our Privacy Officer

Data controller: Luxara International Inc. is the controller of personal information processed under this Policy. Where required by law, our affiliates that hold or manage specific property assets may act as joint or independent controllers; we will identify them in transaction-specific notices.

Privacy Officer

Luxara International Inc.
Attn: Privacy Officer
1600, 421 – 7th Avenue SW
Calgary, Alberta T2P 4K9
Canada
Email: privacy@luxara.ca
Telephone: +1 (403) 969-3500

We maintain a list of the categories of subprocessors and named service providers that handle personal information on our behalf. You may request the current list from privacy@luxara.ca.

You may contact the Privacy Officer to ask questions about this Policy, to exercise your rights, or to raise concerns about how we handle your personal information.

3. Children

The Services are intended for adults. We do not knowingly collect personal information from individuals under the age of 18 (or the local age of majority, if higher). Co-ownership interests, financing, and related services are offered only to individuals who are at least the age of majority in their jurisdiction. If you believe a child has provided us with personal information, contact privacy@luxara.ca and we will delete it promptly. Where guest information includes minors travelling with a co-owner, the inviting co-owner is responsible for ensuring an appropriate adult has provided the information.

4. Categories of personal information we collect

The categories below describe the kinds of personal information we may collect about you. What we actually collect about a given individual depends on how you interact with us - a casual website visitor and a closed investor produce very different data sets.

| Category | Examples | Typical source |
|---|---|---|
| Identifiers and contact information | Full legal name, preferred name, postal address, current and prior residential addresses, email address, telephone numbers, date of birth, country of residence, language preference. | You; co-owners introducing guests. |
| Government identification | Passport, driver's licence, national identity card, immigration status documents, Social Insurance Number (Canada) or Social Security Number (US) where legally required for tax reporting. | You; identity-verification providers. |
| Financial and accreditation information | Investor accreditation status, net worth, annual income, investment experience, source of funds and source of wealth narratives, bank account and wire instructions, tax residency and tax identification numbers, credit history (where you authorize a credit check). | You; banks and payment processors; credit bureaus; financing partners. |
| Investment and ownership records | Subscription amount, ownership percentage, property and offering identifiers, capital calls and distributions, voting decisions, transfer requests. | Internal records; transfer agents. |
| Property usage and booking data | Booking dates, points balance and usage, named guests, special requests, on-property service requests, incident reports, feedback and reviews. | You; property managers; concierge providers. |
| Compliance and screening data | KYC/AML check results, sanctions and politically-exposed-person (PEP) screening outcomes, adverse-media findings, beneficial ownership information, FATCA / CRS classifications. | Identity-verification and AML screening providers; you. |
| Communications | Emails, messages, support tickets, recordings or transcripts of telephone calls (with notice), web-chat transcripts. | You; us. |
| Marketing and preference data | Newsletter and event sign-ups, opt-in/opt-out status, communication channel preferences, expressed interests in specific offerings. | You. |
| Public profile and user content | Reviews, photographs, testimonials, social-media handles you provide, video or audio content you upload. | You. |
| Device, technical, and online activity data | IP address, device identifier, browser type and version, operating system, mobile network information, language, referring URL, pages viewed, search terms, time stamps, approximate geographic location derived from IP. | Your browser or device; analytics providers; cookies and similar technologies. |
| Geolocation | Approximate location (city/region) derived from IP; precise location only if you affirmatively share it with a mobile application. | Your device. |
| Inferences | Investor segment, anticipated interests, suitability classifications drawn from the data above. | Generated by us. |

We will only collect what is reasonably necessary for the purposes set out in Section 6. If you choose not to provide information that is required (for example, KYC documentation), we may be unable to open or maintain your investor account.

5. Sources of personal information

We obtain personal information from the sources below. The combinations matter - for example, your identifiers come from you, but corroborating information for a KYC check comes from third-party data providers.

  • Directly from you, when you complete forms on the Site, register for an account, communicate with us, attend an event, book a stay, or submit investment documentation.
  • From third parties acting on your instructions or with your consent, including your financial advisors, lawyers, accountants, banks, financing providers, and the introducing co-owner who invites you as a guest.
  • From service providers acting for us, including identity-verification, AML/PEP/sanctions screening, accreditation-verification, payment, and analytics providers.
  • From public and commercial sources, including corporate registries, sanctions and PEP lists, court records, adverse-media databases, land titles registries, tax authorities, and licensed data brokers - used solely for compliance, fraud prevention, and risk management.
  • Automatically, through cookies, log files, mobile SDKs, and similar technologies when you visit the Site or use the Services.

7. Sensitive personal information

Some of the information we collect is "sensitive personal information" under laws such as the California Privacy Rights Act (CPRA), Quebec's Law 25, and the GDPR - for example, government identifiers, financial account information, and (in narrow cases) information that may reveal protected characteristics during enhanced due diligence.

We use sensitive personal information only for the purposes for which it was collected, including (i) verifying identity and combating fraud, (ii) complying with anti-money-laundering, securities, tax, and other legal obligations, (iii) processing payments, and (iv) any other use you have expressly authorized.

We do not use sensitive personal information to infer characteristics about you for marketing purposes, and we do not disclose it for cross-context behavioural advertising.

California residents have the right to limit our use of sensitive personal information; see Section 17.2.

8. Automated decision-making and profiling

We do not make decisions about whether to accept you as an investor, set the terms of your investment, or restrict your access to a property solely through automated means. Investor suitability and accreditation determinations are reviewed by qualified personnel before any binding decision is made.

We do use automated tools to assist human reviewers, including:

  • KYC, sanctions, and PEP screening services, which flag potential matches against watchlists for human verification;
  • analytics that profile aggregate website traffic and engagement to inform marketing and product decisions; and
  • recommendation logic that suggests properties or content you may find of interest.

The logic involved. Screening tools compare your name, date of birth, and identifiers against sanctions, PEP, and adverse-media lists, and apply rules to score potential matches and the quality of identity-document evidence. A trained reviewer evaluates every flag before it influences any decision about your account. We retain the reviewer's reasoning alongside the automated output. The principal consequence of a confirmed adverse finding is that we may decline or terminate the relationship to comply with our legal obligations; you have the right to contest the outcome by contacting privacy@luxara.ca.

If a future feature would result in legally significant or similarly significant decisions being made about you solely by automated means, we will notify you in advance, give you the option to request human review, and - where Quebec's Law 25 applies - provide the additional information that law requires before the decision is rendered.

9. Who we share your personal information with

We disclose personal information to the categories of recipients below. We require each recipient to handle personal information consistently with this Policy and applicable law, and to use it only for the purpose for which we disclosed it. We do not authorize service providers to use your personal information for their own marketing.

  • Property managers and on-property service providers, including Zindis Group (Costa Rica) and Vacations in Canmore (Alberta), to manage properties, coordinate bookings, deliver concierge services, and resolve incidents.
  • Identity, accreditation, and compliance providers, who perform KYC and AML screening, verify accredited-investor status, conduct sanctions and PEP screening, and assist with beneficial-ownership analysis.
  • Payment processors and financial institutions, to process subscriptions, distributions, wire transfers, and other payments.
  • Legal, tax, and accounting professionals, who advise us on structuring, regulatory reporting, audits, and disputes.
  • Financing partners, where you have authorized us to introduce you for financing, and only to the extent required to evaluate and arrange financing for you.
  • Technology and infrastructure providers, including hosting, database, customer support, analytics, marketing automation, e-signature, and cybersecurity vendors.
  • Insurers and brokers, to procure and maintain insurance for properties and operations.
  • Marketing and communications partners, to deliver newsletters, host events, and operate analytics campaigns.
  • Co-owners of the same property, on a limited basis described in Section 10.
  • Regulators, courts, and law-enforcement agencies, where required by applicable securities, AML/ATF, tax, sanctions, or other law, where we receive a valid legal demand, or where we believe in good faith that disclosure is necessary to protect rights, property, or safety, to investigate fraud, or to enforce our agreements.
  • Acquirers and counterparties in corporate transactions, in connection with a financing, merger, acquisition, reorganization, sale of assets, or bankruptcy proceeding. We will continue to handle personal information consistently with this Policy and will notify you where required by law.
  • Anyone you direct us to share with, with your consent.

Disclosure matrix

| Recipient category | Categories of personal information disclosed |
|---|---|
| Property managers and on-property providers | Identifiers and contact information; property usage and booking data; communications relating to a stay; limited guest information you provide. |
| Identity, accreditation, and compliance providers | Identifiers; government identification; financial and accreditation information; compliance and screening data. |
| Payment processors and financial institutions | Identifiers; financial and accreditation information (bank/wire instructions); investment and ownership records. |
| Legal, tax, and accounting professionals | All categories, as required by the engagement. |
| Financing partners | Identifiers; financial and accreditation information; compliance and screening data (only with your authorization). |
| Technology and infrastructure providers | All categories, limited to what the service requires (analytics typically receives only device, technical, and inferred data). |
| Insurers and brokers | Identifiers; relevant property usage data; incident reports. |
| Marketing and communications partners | Identifiers; marketing and preference data; device, technical, and online activity data. |
| Co-owners of the same property | Limited identifiers; investment and ownership records; selected property usage data; voting decisions. See Section 10. |
| Regulators, courts, law enforcement | The categories specifically requested or required by law. |
| Acquirers in a corporate transaction | All categories, subject to confidentiality and continued application of this Policy. |

We may also share aggregated or de-identified information that cannot reasonably be used to identify you. We will not attempt to re-identify de-identified data and will require recipients to commit to the same.

We do not sell your personal information as that term is defined in applicable privacy laws, and we do not share it for cross-context behavioural advertising.

10. Information shared among co-owners

Co-ownership necessarily involves some information sharing among the individuals or entities who hold interests in the same property. We limit this sharing to what is needed to operate the co-ownership.

Other co-owners of a property you invest in may see:

  • your name (or the name of your investing entity);
  • your ownership percentage and points allocation;
  • your booking dates and the property; and
  • your votes on matters submitted to the co-ownership group.

Other co-owners will not see:

  • your contact details, unless you choose to share them;
  • the names of guests you bring (except to the extent necessary for on-property logistics, handled by the property manager);
  • your financial information, tax identifiers, or accreditation status;
  • your KYC or compliance file; or
  • communications you have with Luxara.

We may publish co-owner names within an owner directory or on voting records limited to a single property. You may request a pseudonym for these purposes; we will accommodate the request to the extent compatible with our co-ownership and securities-law obligations.

11. International transfers

Luxara is based in Canada. We operate properties and engage service providers in other jurisdictions, including Costa Rica, the United States, the European Economic Area, and the United Kingdom. As a result, your personal information may be transferred to, stored in, or processed in countries other than the one in which you live.

The laws of those countries may differ from the laws of your country. Where we transfer personal information out of the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction that requires a transfer mechanism, we use one or more of the following safeguards:

  • standard contractual clauses approved by the European Commission, the UK Information Commissioner's Office, the Swiss Federal Data Protection and Information Commissioner, or another competent authority;
  • adequacy decisions adopted by the relevant authority (including the Commission's decision recognizing Canada's PIPEDA as providing adequate protection); and
  • other legally recognized transfer mechanisms, including derogations such as your explicit consent or transfers necessary for the performance of a contract with you.

Transfers to Costa Rica. Costa Rica is not the subject of an EU adequacy decision. Where we transfer personal information of EU, UK, or Swiss residents to property managers or other recipients in Costa Rica, we rely on standard contractual clauses with those recipients, supplemented by additional safeguards (encryption, access controls, contractual purpose limitation) where appropriate, or on derogations such as your explicit consent or the necessity of the transfer for the performance of your co-ownership contract. Costa Rica has its own data-protection law (Law No. 8968), and we require local recipients to handle personal information consistently with that law and with this Policy.

You may request a copy of the safeguards we apply to a particular transfer by contacting privacy@luxara.ca.

12. How long we keep your personal information

We retain personal information only for as long as needed for the purposes for which we collected it, including to satisfy legal, regulatory, accounting, and reporting obligations. The principal retention periods are:

  • Investor and account records: for the duration of your investment, then at least seven (7) years following the disposition of your interest, to satisfy securities, tax, and AML record-keeping requirements. Some records (for example, those subject to litigation hold) are retained longer.
  • AML and KYC documentation: at least five (5) years following the end of the customer relationship, in line with Canada's Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and FINTRAC requirements; longer where another applicable law requires.
  • Booking, on-property, and concierge records: typically seven (7) years from the date of the stay, to support tax, insurance, and dispute resolution.
  • Marketing data: until you withdraw consent, opt out, or are inactive for a period determined by our retention schedule, after which we delete or anonymize the data.
  • Website analytics and security logs: typically up to twenty-six (26) months for analytics, and up to two (2) years for security logs; longer for events under active investigation.
  • Records of privacy requests and breaches: at least twenty-four (24) months under PIPEDA, longer where another applicable law requires.

When we no longer need to retain personal information, we delete, anonymize, or securely destroy it.

13. Your rights

Subject to applicable law and certain exemptions, you have the following rights with respect to your personal information.

  • Access. Receive confirmation as to whether we hold personal information about you and, where applicable, a copy.
  • Correction. Ask us to correct information that is inaccurate, incomplete, or out of date.
  • Deletion. Ask us to delete personal information, subject to legal, regulatory, or contractual obligations that require us to keep it. We cannot delete records we are legally required to retain - including, in particular, KYC and AML documentation (minimum five (5) years under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act), investor records (minimum seven (7) years under securities and tax law), and booking and incident records for periods set by tax and insurance law. We can, however, restrict use of those records to legal-retention purposes once the underlying relationship ends. We will tell you what we are and are not able to delete when we respond to your request.
  • Restriction. Ask us to limit how we process your personal information in specific circumstances.
  • Portability. Receive a copy of personal information you have provided to us, in a structured, commonly used, and machine-readable format, and ask us to transmit it to another organization where technically feasible.
  • Objection. Object to processing of your personal information that is based on our legitimate interests or carried out for direct marketing.
  • Withdraw consent. Withdraw any consent you have given, without affecting the lawfulness of processing carried out before the withdrawal. Withdrawal does not apply to processing required by law - for example, KYC, AML, sanctions screening, tax reporting, and securities record-keeping - for which we will continue to retain and process the information for the periods set out in Section 12. Withdrawing consent to processing that is essential to maintaining your investor account may require us to terminate the relationship.
  • Automated decisions. Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 8).
  • Complaint. Lodge a complaint with the privacy regulator in your jurisdiction (see Section 17).

How to exercise your rights: Email privacy@luxara.ca or write to the Privacy Officer at the address in Section 2. We will acknowledge your request promptly and respond within the time limits set by applicable law: typically thirty (30) days under PIPEDA (extendable by an additional thirty (30) days where the request is voluminous or further inquiries are needed, in which case we will notify you of the extension and the reason); forty-five (45) days under CCPA/CPRA, extendable by another forty-five (45) days with notice; one (1) month under GDPR and UK GDPR, extendable by a further two (2) months for complex or numerous requests. Quebec residents will receive a response within thirty (30) days under Law 25.

Verification: Because the information we hold can be sensitive, we may need to verify your identity before acting on a request. Where you use an authorized agent, we will ask the agent for written authorization signed by you, and we may contact you directly to confirm.

No discrimination. We will not deny services, charge different prices, or provide a lower quality of service because you exercised your rights.

14. Marketing communications

We send marketing communications only where you have opted in or where CASL or other applicable law permits. Every commercial electronic message includes our identity, our contact information, and an unsubscribe mechanism that takes effect promptly. You may also adjust preferences by contacting privacy@luxara.ca or by updating settings in your account.

Even after you opt out of marketing, we will continue to send transactional and relationship messages - for example, capital-call notices, booking confirmations, tax statements, regulatory disclosures, and material changes to this Policy.

15. Cookies and similar technologies

Cookies and similar technologies (pixels, tags, SDKs, local storage) help the Site function, measure performance, remember preferences, and - where you consent - support marketing.

| Category | What it does | Examples we use | Typical retention |
|---|---|---|---|
| Strictly necessary | Site delivery, security, session management, fraud prevention. | Cloudflare bot management; session cookies. | Session to 12 months. |
| Performance and analytics | Aggregate usage measurement, error detection, A/B testing. | Google Analytics 4; server logs. | Up to 26 months. |
| Functionality | Remembering language, region, and other preferences. | Preference cookies. | Up to 12 months. |
| Marketing and advertising | Measuring campaign performance, retargeting on partner networks. | LinkedIn Insight Tag; Meta Pixel (only when enabled). | Up to 24 months. |

Non-essential cookies are off by default. We display a cookie banner the first time you visit the Site that lets you accept, reject, or customize categories. You can change your choice at any time through the cookie-preferences control linked in the Site footer.

You can also manage cookies through your browser settings - but disabling strictly necessary cookies will impair the Site. We do not currently respond to global "Do Not Track" signals because no consensus standard exists. We do honour the Global Privacy Control (GPC) signal: when our systems detect GPC from your browser, we treat it as a valid opt-out of "sale" and "sharing" for cross-context behavioural advertising for California residents, and as a withdrawal of consent for non-essential cookies for visitors whose jurisdiction requires consent.

16. Security and breach notification

We maintain administrative, technical, and physical safeguards designed to protect personal information against loss, theft, unauthorized access, disclosure, alteration, and destruction. Controls include:

  • encryption of personal information in transit and (for sensitive categories) at rest;
  • role-based access controls and multi-factor authentication for systems holding investor data;
  • network segmentation, logging, and intrusion-detection monitoring;
  • vendor due-diligence, contractual confidentiality and security obligations, and periodic reviews;
  • employee training on privacy and information security; and
  • an incident-response program, including documented playbooks and tabletop exercises.

No method of transmission or storage is perfectly secure. We cannot guarantee absolute security, but we work to reduce risk continuously.

Breach notification. If a breach of security safeguards creates a real risk of significant harm to you, we will:

  1. report the breach to the Office of the Privacy Commissioner of Canada (and any other competent regulator) without unreasonable delay;
  2. notify you directly as soon as feasible, with information about the breach, the personal information involved, the steps we are taking, and what you can do to reduce the risk; and
  3. maintain a record of the breach for at least twenty-four (24) months,

each consistent with PIPEDA, Quebec's Law 25, GDPR Articles 33 and 34, and any other applicable law. Where another organization could reduce the risk of harm to you, we will notify them as well.

17. Region-specific rights

The rights in Section 13 are available to everyone. This section adds rights and disclosures that apply to residents of specific jurisdictions.

17.1 Canadian residents (PIPEDA and provincial laws)

Canadian residents have rights under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws, including Alberta's Personal Information Protection Act (PIPA Alberta), British Columbia's Personal Information Protection Act (PIPA BC), and Quebec's Act respecting the protection of personal information in the private sector (commonly, "Law 25").

You may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or 1-800-282-1376, or with your provincial commissioner where applicable.

Quebec residents - additional disclosures under Law 25:

  • Our Privacy Officer (the "person in charge of the protection of personal information" under Law 25) is identified in Section 2.
  • We do not currently use biometric data. If we decide to do so, we will provide separate notice and obtain your express consent, and we will declare our use of biometrics to the Commission d'accès à l'information at least sixty (60) days in advance.
  • See Section 8 for our position on automated decision-making.
  • Quebec residents may exercise rights of access, correction, de-indexation and cessation of dissemination (in the circumstances set out in section 28.1 of Law 25), data portability, and the rights set out in Section 13, and may file a complaint with the Commission d'accès à l'information du Québec at www.cai.gouv.qc.ca.

17.2 California residents (CCPA / CPRA)

In addition to the rights in Section 13, California residents have the right to:

  • Know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose of collection, and the categories of third parties to whom we disclose personal information.
  • Delete personal information, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Opt out of sale or sharing of personal information for cross-context behavioural advertising. We do not sell or share personal information in this sense. If our practices change, we will provide a "Do Not Sell or Share My Personal Information" link.
  • Limit the use of sensitive personal information to purposes necessary to provide our Services, prevent fraud, and ensure security.
  • Non-discrimination for exercising your rights.

We respond to verifiable consumer requests within forty-five (45) days, extendable by another forty-five (45) days where reasonably necessary. We will tell you if we need an extension.

California Civil Code § 1798.83 ("Shine the Light") gives California residents the right to request information about our disclosure of personal information to third parties for direct-marketing purposes. We do not disclose personal information to third parties for their own direct-marketing purposes without your consent.

To exercise your California rights, email privacy@luxara.ca. You may also complain to the California Privacy Protection Agency at www.cppa.ca.gov or the California Attorney General at oag.ca.gov/privacy.

17.3 Nevada residents

Nevada residents have a right to opt out of the sale of certain "covered information" collected online. We do not sell covered information as defined under Nevada law. You may still submit an opt-out request to privacy@luxara.ca, which we will retain in case our practices change.

17.4 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR / FADP)

If you are in the EEA, the UK, or Switzerland, the controller of your personal information is Luxara International Inc., established in Canada. Canada has been recognized by the European Commission as providing an adequate level of protection for personal data transferred from the EU. For matters where you would prefer an EU contact, you may write to privacy@luxara.ca and we will route your request appropriately.

In addition to the rights in Section 13, you may:

  • Lodge a complaint with your local supervisory authority. You can find your authority via the European Data Protection Board at edpb.europa.eu, or, in the UK, at the Information Commissioner's Office, ico.org.uk.

We will identify the relevant legal basis for processing as required (see the table in Section 6).

17.5 Costa Rica residents

If you reside in Costa Rica, your personal information is subject to Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales (Law No. 8968) and overseen by PRODHAB (Agencia de Protección de Datos de los Habitantes). You may exercise rights of access, rectification, deletion, and revocation of consent by writing to privacy@luxara.ca, and you may lodge a complaint with PRODHAB at www.prodhab.go.cr.

We register applicable databases with PRODHAB as required by Law 8968, obtain informed consent prior to processing sensitive personal data, and maintain the security and confidentiality controls the law requires. We require our property managers and other recipients located in Costa Rica to do the same in respect of the data they process on our behalf.

17.6 Other jurisdictions

If your jurisdiction grants rights not listed above, you may exercise them by contacting privacy@luxara.ca. We will respond within the time limits set by applicable law.

19. Changes to this policy

We may update this Policy from time to time. When we do, we will:

  • update the "Last Updated" and version fields at the top of this Policy;
  • post the revised Policy on the Site;
  • where the change is material, notify you in advance, typically thirty (30) days where feasible, by email and through a notice on the Site; and
  • take any additional steps required by applicable law.

Prior versions of this Policy are available on request from privacy@luxara.ca.

If you continue to use the Services after a change to this Policy takes effect, you accept the revised Policy. Where applicable law requires fresh consent for a particular change, we will request it.

20. Definitions

  • AML/ATF - anti-money-laundering / anti-terrorist-financing.
  • CASL - Canada's Anti-Spam Legislation.
  • CCPA / CPRA - the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
  • Co-owner - an individual or entity holding a fractional ownership interest in a Luxara property.
  • FATCA / CRS - the US Foreign Account Tax Compliance Act and the OECD Common Reporting Standard.
  • FINTRAC - the Financial Transactions and Reports Analysis Centre of Canada.
  • GDPR / UK GDPR - the EU and UK General Data Protection Regulation.
  • KYC - know-your-client identity verification.
  • PEP - politically exposed person.
  • Personal information / personal data - information about an identifiable individual. The precise definition varies between PIPEDA, Quebec Law 25, GDPR, CCPA/CPRA, and Costa Rica Law 8968; in each case, the definition under the law that governs the individual's residence applies for purposes of that individual's rights.
  • PIPEDA - Canada's Personal Information Protection and Electronic Documents Act.
  • Quebec Law 25 - the Act respecting the protection of personal information in the private sector, R.S.Q., c. P-39.1, as amended.
  • Sensitive personal information - categories of personal information designated as sensitive under applicable law, including government identifiers, financial account details, and precise geolocation.
  • Services - collectively, the Site, the investor portal, member areas, mobile applications, and related offline services.
  • Site - www.luxara.ca and its sub-domains.

Luxara International Inc.  ·  1600, 421 – 7th Avenue SW, Calgary, Alberta T2P 4K9  ·  privacy@luxara.ca