Legal

Privacy Policy

Last updated: 2026-05-30

Coastal Travel Company ("we," "us," or "our") operates the website at coastaltravelcompany.com and related services. This policy explains what information we collect, why we collect it, who we share it with, and your rights under the California Consumer Privacy Act (CCPA).

1. What We Collect and Why

Contact form submissions

When you submit the contact form we collect your name, email address, and message. This information is forwarded directly to our inbox via Resend (our email delivery provider) and is not stored on our servers. It is retained only within the recipient's email client.

User accounts

If you create an account we collect your email address and either a bcrypt-hashed password or a Google OAuth token (we never see or store your Google password). We also store your account role (client or admin). This data is stored in a Cloudflare D1 database indefinitely until you request deletion.

Gallery sessions

When you access a client gallery we issue a short-lived session token (a random UUID) stored in Cloudflare KV with a 4-hour expiry. No IP address, browser fingerprint, or personally identifiable information is associated with gallery sessions. Photos are fetched from our NAS through the Cloudflare Worker and are not cached server-side.

Invoices and contracts

As part of our booking process we collect your name, email address, and invoice and contract data. This information is stored in a Cloudflare D1 database. Payment is processed by Stripe — we receive a confirmation token from Stripe but never see or store your card number or full payment details. Stripe's handling of payment data is governed by their own privacy policy.

Real estate analytics (when live)

Our planned real estate property pages will collect anonymized room engagement events and hotspot interactions for property owners. A session identifier (a random UUID) is generated in your browser and stored in sessionStorage only — it is cleared when you close the tab and is never linked to your identity. No personally identifiable information is collected. Analytics events are only sent if you grant consent via the on-page consent banner.

Real estate lead capture (when live)

If you voluntarily submit your email address through a lead capture form on a property page, that email is shared only with the listing agent and is not sold or shared with any other third party.

2. Third-Party Services

We use the following third-party services. Each processes data according to their own privacy policy, linked below.

  • Cloudflare — provides our website hosting (Pages), serverless compute (Workers), database (D1), key-value storage (KV), and secure NAS tunnel. Cloudflare Privacy Policy
  • Resend — delivers transactional emails including contact form forwards and booking notifications. Resend Privacy Policy
  • Google — provides optional OAuth login ("Sign in with Google"). If you use this option, Google shares your email address and profile identifier with us. We do not receive your password. Google Privacy Policy
  • Stripe — processes all payments. Stripe receives your payment card details directly; we receive only a confirmation token. Stripe Privacy Policy
  • Synology NAS — client photos are stored on a self-hosted Synology NAS accessed through a Cloudflare Tunnel. Photos are not transmitted to any external cloud storage provider.

3. Cookies and Local Storage

We do not set any cookies on this site.

We use browser storage as follows:

  • sessionStorage — used for gallery session tokens and, when live, real estate analytics session IDs. All sessionStorage data is cleared automatically when you close the browser tab.
  • localStorage — used in the client portal to store your authentication token and in the admin panel to store saved settings. This data persists across sessions until you sign out or clear your browser data.

No tracking pixels, advertising cookies, or cross-site tracking technologies are used on this site.

4. Your Rights (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know — you may request a summary of the personal information we have collected about you, the purposes for which it was collected, and the categories of third parties with whom it has been shared.
  • Right to delete — you may request deletion of personal information we hold about you. To delete your account and associated data, email us at the address below.
  • Right to opt out of sale or sharing — we do not sell or share your personal information with third parties for advertising or cross-context behavioral advertising purposes. There is nothing to opt out of, but you may contact us to confirm this at any time.
  • Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

To exercise any of these rights, contact us at the address in Section 5 below. We will respond within 30 days.

5. How to Contact Us

For privacy questions, data deletion requests, or to exercise any CCPA rights, please email us at:

[email protected]

We aim to respond to all privacy requests within 30 days.

6. Changes to This Policy

We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Material changes will be communicated to registered users by email.