Legal

Privacy Policy

Last updated: 2026-06-07

Coastal Travel Company ("we," "us," or "our") operates the website at coastaltravelcompany.com and related services. This policy explains what information we collect, why we collect it, who we share it with, and your rights under the California Consumer Privacy Act (CCPA).

1. What We Collect and Why

Contact form submissions

When you submit the contact form we collect your name, email address, and message. This information is forwarded directly to our inbox via Resend (our email delivery provider) and is not stored on our servers. It is retained only within the recipient's email client.

User accounts

If you create an account we collect your email address and either a bcrypt-hashed password or a Google OAuth token (we never see or store your Google password). We also store your account role (client or admin). This data is stored in a Cloudflare D1 database indefinitely until you request deletion.

Gallery sessions

When you access a client gallery we issue a short-lived session token (a random UUID) stored in Cloudflare KV with a 4-hour expiry. No IP address, browser fingerprint, or personally identifiable information is associated with gallery sessions. Photos are fetched from our NAS through the Cloudflare Worker and are not cached server-side.

Invoices and contracts

As part of our booking process we collect your name, email address, and invoice and contract data. This information is stored in a Cloudflare D1 database. Payment is processed by Stripe — we receive a confirmation token from Stripe but never see or store your card number or full payment details. Stripe's handling of payment data is governed by their own privacy policy.

Website & clickstream analytics

With your consent (see "Cookies and Local Storage" below), we collect anonymized analytics about how visitors use this site — pages viewed, navigation paths, referrers, device/browser type, and approximate location derived from IP address. This is gathered through:

  • Our first-party analytics pipeline — page views and clickstream events are sent to our own Cloudflare Worker and stored in our Cloudflare D1 database. A randomly generated session identifier (not linked to your account or identity) is used to group events from the same visit.
  • Google Analytics (GA4) — a third-party analytics service from Google that helps us understand site traffic and usage trends. IP addresses are anonymized before being processed.
  • Microsoft Clarity — a third-party service that provides aggregated heatmaps and session recordings so we can understand how visitors interact with the site.

None of these tools load, and no associated cookies or identifiers are set, until you actively opt in to "Analytics" via the cookie-consent banner. You may withdraw consent at any time through "Manage Preferences" in the banner, which stops these tools from running on future page loads.

We also use the following privacy-friendly tools that do not require consent because they do not use cookies or collect personal information:

  • Cloudflare Web Analytics — provides aggregate traffic and Core Web Vitals metrics (visits, page views, load performance) without setting cookies or tracking individuals.
  • Google Search Console — provides aggregate data about how our site appears in Google Search results (search queries, rankings, click-through rates, indexing status). Google Search Console does not track individual visitors to our site.

Real estate analytics (when live)

Our planned real estate property pages will collect anonymized room engagement events and hotspot interactions for property owners. A session identifier (a random UUID) is generated in your browser and stored in sessionStorage only — it is cleared when you close the tab and is never linked to your identity. No personally identifiable information is collected. Analytics events are only sent if you grant consent via the on-page consent banner.

Real estate lead capture (when live)

If you voluntarily submit your email address through a lead capture form on a property page, that email is shared only with the listing agent and is not sold or shared with any other third party.

2. Third-Party Services

We use the following third-party services. Each processes data according to their own privacy policy, linked below.

  • Cloudflare — provides our website hosting (Pages), serverless compute (Workers), database (D1), key-value storage (KV), secure NAS tunnel, and (cookie-free) Web Analytics. Cloudflare Privacy Policy
  • Resend — delivers transactional emails including contact form forwards and booking notifications. Resend Privacy Policy
  • Google — provides optional OAuth login ("Sign in with Google"); Google Analytics (GA4), used only with your analytics consent; and Google Search Console, which provides aggregate, cookie-free search-performance data and does not track individual visitors. If you sign in with Google, Google shares your email address and profile identifier with us — we do not receive your password. Google Privacy Policy
  • Microsoft Clarity — provides aggregated heatmaps and session-recording analytics, used only with your analytics consent. Microsoft Privacy Statement
  • Stripe — processes all payments. Stripe receives your payment card details directly; we receive only a confirmation token. Stripe Privacy Policy
  • Synology NAS — client photos are stored on a self-hosted Synology NAS accessed through a Cloudflare Tunnel. Photos are not transmitted to any external cloud storage provider.

3. Cookies and Local Storage

We use a cookie-consent banner to let you choose whether we may set analytics cookies and identifiers. Until you actively accept "Analytics" (or "Accept All"), no analytics cookies, scripts, or tracking identifiers are loaded — only strictly necessary items run, such as your authentication session.

Depending on your choice, the following may be set:

  • Essential cookies — used to keep you securely signed in to the client portal and admin panel (e.g. auth_token). These are always active and cannot be disabled, as the site cannot function securely without them.
  • Analytics cookies/identifiers — set only if you opt in via the consent banner. These come from our first-party analytics pipeline, Google Analytics (GA4), and Microsoft Clarity, and are used solely to understand how visitors use the site (see "Website & clickstream analytics" above). Your choice is remembered for up to 12 months and can be changed at any time via "Manage Preferences" in the banner.

We use browser storage as follows:

  • localStorage — stores your cookie-consent preference (ctc_cookie_consent), and is used in the client portal to store your authentication token and in the admin panel to store saved settings. This data persists across sessions until you sign out, withdraw consent, or clear your browser data.
  • sessionStorage — used for gallery session tokens and, when live, real estate analytics session IDs. All sessionStorage data is cleared automatically when you close the browser tab.

We do not use advertising cookies or cross-site tracking technologies, and we do not sell or share your data with advertisers.

4. Your Rights (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know — you may request a summary of the personal information we have collected about you, the purposes for which it was collected, and the categories of third parties with whom it has been shared.
  • Right to delete — you may request deletion of personal information we hold about you. To delete your account and associated data, email us at the address below.
  • Right to opt out of sale or sharing — we do not sell or share your personal information with third parties for advertising or cross-context behavioral advertising purposes. There is nothing to opt out of, but you may contact us to confirm this at any time.
  • Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

To exercise any of these rights, contact us at the address in Section 5 below. We will respond within 30 days.

5. How to Contact Us

For privacy questions, data deletion requests, or to exercise any CCPA rights, please email us at:

[email protected]

We aim to respond to all privacy requests within 30 days.

6. Changes to This Policy

We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Material changes will be communicated to registered users by email.