Effective 05/27/2026

Card Data Handling Policy

How we collect, protect, and use the credit card information you share with Cupcake Castles Travel Company so your advisor can pay your travel supplier on your behalf.

Authorization only

CCTC does not charge your card. Your travel supplier is the merchant of record.

Encrypted in the browser

Card numbers are encrypted in your browser with your advisor's public key before they ever leave your device.

Every reveal logged

Advisor, timestamp, IP, and device are recorded each time card details are decrypted for use.

Important: CCTC is not a PCI-DSS certified service provider or merchant. We are an authorization-capture tool that allows you to securely pass your card details to your CCTC advisor so they can key your card directly into your travel supplier's booking system. The supplier (Disney, the cruise line, the resort, etc.) is the merchant that actually charges your card and is responsible for PCI compliance for that charge.

1. Scope

This policy describes how CCTC Travel Group, LLC d/b/a Cupcake Castles Travel Company ("CCTC") handles payment card data submitted through our card authorization form at /pay/<advisor> and viewed by our advisors. It supplements our Privacy Policy and Terms of Service.

2. How card data is collected and protected

When you enter your card details into our authorization form, your card number, expiration, security code, and billing address are encrypted in your browser using your advisor's individual public encryption key (RSA-OAEP, 2048-bit) before the form is submitted. Only the encrypted ciphertext is transmitted to and stored in our database. The private key needed to decrypt the data is held by your advisor and is not stored on CCTC application servers in any form that we can read on our own.

In addition to the encrypted card data, our database stores: the card brand (e.g., Visa), the last four digits, the expiration month and year, the cardholder name, the billing address you entered, and the metadata associated with your signed authorization (typed name, signature image, IP, user agent, timestamp).

3. What we are and are not

  • We are not a PCI-DSS certified vault or service provider. CCTC has not undergone a PCI-DSS Level 1, Level 2, or service provider audit. We do not represent ourselves as PCI compliant.
  • We are not a merchant. CCTC does not charge your card on a CCTC-owned merchant account. The applicable travel supplier (Disney, cruise line, resort, tour operator, etc.) is the merchant of record.
  • We are an authorization-capture and secure-transmission tool that allows you to encrypt your card details directly to a named advisor so the advisor can then key them into the supplier's own PCI-compliant booking system.

4. Who can reveal card details and when

  • Only the advisor whose public key was used to encrypt the submission can decrypt and view the full card number. CCTC staff and administrators cannot independently decrypt the card on their own.
  • Reveals happen one card at a time, on demand, when an advisor is preparing to key the card into the applicable travel supplier's booking system. Bulk export is not supported.
  • Card details are displayed on screen only for a limited reveal window; they are not emailed, exported as a file, or automatically copied to clipboard by the system.
  • For the same booking and authorization, an advisor may re-reveal the card as needed for additional installments (e.g., milestone payments or final balance) until the authorization or token is deleted.

5. Audit logging

Every reveal generates an immutable log entry containing:

  • Advisor user ID and email
  • Submission ID and client name
  • Timestamp (UTC)
  • IP address and browser user-agent

Logs are retained for a minimum of 24 months and are reviewable by CCTC administrators in the event of a cardholder dispute or fraud investigation.

6. Use of card data

CCTC does not charge your card. We are not a merchant processor for client travel payments and we do not hold a merchant account for that purpose. Your card data is used solely so that the authorized CCTC advisor you contracted with can enter it into the applicable travel supplier's booking system to fulfill the authorization you signed, including:

  • The deposit, milestone payments, and final balance for the booking described in your authorization
  • Supplier-approved add-ons (dining, photo packages, spa, tee times, room category upgrades) that you authorize in writing afterward
  • Late-cancellation or no-show fees imposed by the supplier per the booking's terms

Card data is never:

  • Charged by CCTC on a CCTC-owned merchant account
  • Sold, rented, or shared with marketers
  • Used for any booking other than the one described in the signed authorization without your written consent
  • Stored in plain text in our application database, in email, in chat, or in any document

6a. Group bookings paid by check

For group bookings (typically group cruise or resort blocks), CCTC may accept a paper check from the lead traveler for the group's deposit or balance and then pay the supplier from CCTC's own funds. Paper checks are not stored in this system; they are processed through standard bank deposit. This is the only circumstance in which CCTC receives client funds directly, and it does not involve credit card data.

7. Signed authorization document

Each card authorization includes your typed name, billing address, the authorized amount, the supplier and booking reference, your hand-drawn signature, the date and time, and the IP address from which it was submitted. We retain a PDF copy of every signed authorization for chargeback defense and audit purposes. The PDF intentionally contains only the card brand and last four digits — never the full card number.

8. Retention and deletion

  • Encrypted card submissions are retained for the lifetime of the booking plus 90 days for refund and chargeback windows, then deleted.
  • Signed authorization PDFs are retained for 7 years for accounting and regulatory purposes.
  • Reveal audit logs are retained for a minimum of 24 months.
  • You may request earlier deletion of your encrypted card submission by emailing privacy@cupcakecastlestravelcompany.com, subject to any outstanding booking obligations.

9. Incident response

In the event of a confirmed or suspected security incident involving payment data, CCTC will: (i) work to contain the incident, (ii) preserve forensic evidence, (iii) notify affected clients within 72 hours of confirmation, (iv) notify affected travel suppliers and state regulators as required by applicable law, and (v) offer remediation as appropriate.

10. Subprocessors

Our infrastructure subprocessor for storing the encrypted card payload and associated metadata is:

  • Lovable Cloud (Supabase, Inc.) — application hosting and database; stores encrypted card ciphertext, non-sensitive metadata, signed authorization PDFs, and audit logs.

11. Your rights

You may at any time:

  • Request a copy of your signed authorization
  • Request deletion of your encrypted card submission (post-booking)
  • Revoke authorization for future charges in writing
  • Dispute a charge directly with your card issuer

12. Contact

Questions about this policy: privacy@cupcakecastlestravelcompany.com

Ready to Start Planning?

Let us handle the details so you can focus on making memories. Reach out today for a complimentary vacation quote.

Trusted & Accredited

EarMarked by Disney - Gold Level Authorized Travel AgencyDisney Imagination Campus - Select Recognized Youth Travel PlannerALG Vacations - Elite DiamondUniversal Parks & Resorts Vacations - Preferred Travel AgencySandals - Executive Preferred AgencyCarnival Funnel Up Network - Platinum PartnerCupcake Castles Travel Company - Pinnacle Partner 2025CLIA - Cruise Lines International AssociationAccredited by IATANASTA - American Society of Travel AdvisorsTravel Leaders Network - President's CircleShop Small - Thank You For Your SupportCupcake Castles Travel Company BBB Business ReviewEarMarked by Disney - Gold Level Authorized Travel AgencyDisney Imagination Campus - Select Recognized Youth Travel PlannerALG Vacations - Elite DiamondUniversal Parks & Resorts Vacations - Preferred Travel AgencySandals - Executive Preferred AgencyCarnival Funnel Up Network - Platinum PartnerCupcake Castles Travel Company - Pinnacle Partner 2025CLIA - Cruise Lines International AssociationAccredited by IATANASTA - American Society of Travel AdvisorsTravel Leaders Network - President's CircleShop Small - Thank You For Your SupportCupcake Castles Travel Company BBB Business Review
Cupcake Castles Travel Company

Boutique family travel planning, crafted with heart.

Follow Us on Instagram

@CupcakeCastlesTravelCo

#TravelWithHeart

© 2013 - 2026 CCTC Travel Group, LLC. All rights reserved.

CCTC Travel Group, LLC is registered with the following state licenses: Florida Seller of Travel Registration No. ST42417, California Seller of Travel Registration No. 2143399-40, Washington Seller of Travel Unified Business ID (UBI) # 604 562 798. All Disney artwork, logos and properties © Disney. Ships Registry: The Bahamas.