Privacy Policy
CCTC Travel Group, LLC d/b/a Cupcake Castles Travel Company ("CCTC," "we," "us," "our").
1. Overview
This Privacy Policy explains how we collect, use, share, and protect personal information when you use cupcakecastlestravelcompany.com, request a quote, sign a card authorization, or otherwise interact with our travel-planning services. By using our services, you agree to the terms of this policy.
2. Information we collect
Information you provide
- Contact details (name, email, phone, mailing address)
- Travel preferences and traveler details (dates, party size, special needs, dietary restrictions, ages of minor travelers when relevant for pricing or room assignments)
- Payment authorization details (cardholder name, billing address, signed authorization) and the resulting browser-encrypted card payload
- Communications you send us (messages, photos, reviews, support requests)
Information collected automatically
- Device and browser data (IP address, user agent, referring page)
- Usage analytics (pages viewed, time on page, navigation paths)
- Cookies and similar technologies used for session management, analytics, and remarketing
Information from third parties
- Booking confirmations and supplier records from travel partners (Disney, cruise lines, resorts, tour operators)
- Reviews you submit through third-party platforms we monitor
3. How we use your information
- Plan, quote, book, and service your travel reservations
- Pass your card authorization to the applicable travel supplier so they can charge your deposits and balances directly
- Communicate with you about your trip, account, and customer-service matters
- Send marketing emails about deals and travel inspiration (with the ability to unsubscribe anytime)
- Improve our website, services, and advisor training
- Comply with legal obligations including state Seller of Travel registrations
4. Payment card data
CCTC does not process credit card payments from clients and is not a PCI-DSS certified merchant or service provider. Card numbers you provide on our authorization form are encrypted in your browser using your advisor's individual public encryption key (RSA-OAEP, 2048-bit) before submission. Only the encrypted ciphertext is transmitted to our application servers, where it is stored alongside non-sensitive metadata (card brand, last four digits, expiration, cardholder name, billing address). The advisor who received the submission can decrypt the card on demand solely to key it into the applicable travel supplier's booking system (Disney, cruise line, resort, tour operator, etc.), which is the merchant of record for the charge. Every decryption is logged with the advisor's identity, timestamp, IP address, and user-agent. See our Card Data Handling Policy for full detail.
Group booking exception. For group bookings, CCTC may accept a paper check from the lead traveler for the group's deposit or balance and then pay the supplier from CCTC's own funds. Checks are not stored in our vault and are processed through standard bank deposit. No client credit card data is captured for group bookings unless you separately submit a card authorization form for your individual portion.
5. How we share information
- Travel suppliers. We share traveler names, dates of birth where required, and contact information with airlines, cruise lines, resorts, tour operators, and other suppliers needed to fulfill your booking.
- Service providers. We use vetted providers for hosting (Lovable Cloud / Supabase), email delivery, analytics, signature capture, and payment vaulting. They process data only on our behalf under written agreements.
- Legal compliance. We may disclose information to comply with subpoenas, court orders, state Seller of Travel audits, fraud investigations, or to protect the rights, safety, or property of CCTC, our clients, or others.
- Business transfers. If CCTC is involved in a merger, acquisition, or sale of assets, personal information may be transferred subject to this policy.
We do not sell your personal information.
6. Data retention
We retain personal information for as long as needed to fulfill the purposes described above, comply with our legal obligations, resolve disputes, and enforce our agreements. Card tokens are retained for the lifetime of the booking plus 90 days for refund and chargeback windows, then deleted.
7. Your rights
Depending on your jurisdiction (including residents of California, Colorado, Connecticut, Virginia, Utah, and the EU/UK), you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Request deletion of your information (subject to legal retention requirements)
- Opt out of marketing communications
- Request a portable copy of your information
To exercise these rights, email privacy@cupcakecastlestravelcompany.com. We will respond within 45 days.
8. Children's privacy
Our services are intended for adults booking family travel. We collect minors' names and ages only when they are part of a travel party, and only from the booking adult. We do not knowingly collect personal information directly from children under 13.
9. Security
We use industry-standard administrative, technical, and physical safeguards including encryption in transit (TLS) and at rest, role-based access controls, audit logging, and browser-side public-key encryption of card data so that raw card numbers are not readable by CCTC application servers or staff on their own. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
10. International transfers
Our service providers may store and process information in the United States and other countries. By using our services, you consent to such transfers.
11. Cookies
We use cookies for essential site functionality, analytics, and marketing. You can control cookies through your browser settings. Disabling cookies may limit certain features.
12. Changes to this policy
We may update this policy from time to time. The "Effective" date at the top reflects the most recent revision. Material changes will be communicated by email or a notice on our website.
13. Contact us
CCTC Travel Group, LLC
Email: privacy@cupcakecastlestravelcompany.com
Florida Seller of Travel Reg. No. ST42417 · California Seller of Travel Reg. No. 2143399-40 · Washington UBI #604 562 798













