Legal
Privacy Policy
Contents
- Introduction / Who We Are
- Information We Collect
- How We Use Your Information
- How We Share Your Information
- Sensitive Personal Information
- International Data Transfers
- Data Retention
- Your Rights and Choices
- Cookies and Tracking
- Children’s Privacy
- Data Security
- Links to Third-Party Sites
- Changes to This Policy
- Florida Seller of Travel Disclosure
- Contact Us
1. Introduction / Who We Are
Conway Travel Collective LLC (“CTC,” “we,” “us,” or “our”) is a travel booking agency organized under the laws of the State of Florida. We are registered with the State of Florida as a Seller of Travel (Registration No. ST46413) as required by Florida Statutes §§ 559.927–559.9355.
What we do. CTC acts solely as a booking agent. We do not own, operate, or control airlines, hotels, cruise lines, tour operators, car rental companies, or other travel suppliers. When you ask us to arrange travel on your behalf, we transmit your information to the relevant suppliers so they can provide the services you have requested. The suppliers operate under their own terms of service and privacy policies, and CTC is not responsible for their independent data practices.
What this policy covers. This Privacy Policy describes:
- The personal information we collect about you when you visit our website, contact us, or use our booking services;
- How we use, share, and protect that information;
- How long we keep it;
- Your rights under applicable federal and state law; and
- How to contact us with questions or privacy requests.
This policy applies to all personal information collected through our website at www.conwaytravelcollective.com (the “Site”), by email, by phone, and through any other interaction with CTC. By using our Site or services, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
2.1 Information You Provide to Us
When you inquire about travel, request a quote, make a booking, or otherwise communicate with us, you may provide us with:
Identity and Travel Document Information
- Full legal name, date of birth, and gender (as required for airline tickets)
- Passport number, expiration date, and country of issue
- Visa information (when applicable)
- Known Traveler Number / TSA PreCheck / Global Entry number
Contact Information
- Email address, phone number(s), and mailing or billing address
Payment Information
- Credit or debit card number, expiration date, and security code
Important: CTC transmits your payment card information directly and securely to travel suppliers and payment processors. We do not store your full card number or security code on our own systems. Payment processing is handled consistent with PCI-DSS standards.
Travel Preferences and Loyalty Programs
- Airline, hotel, or cruise loyalty program numbers
- Seat, meal, and cabin preferences
- Destination and activity preferences
Health and Disability Accommodation Requests
- Medical conditions, disabilities, or special assistance needs shared with us for the purpose of arranging accommodations with suppliers
This information is treated as sensitive personal information. See Section 5.
Emergency Contact Information
- Name, relationship, and phone number of an emergency contact
2.2 Information Collected Automatically
When you visit our Site, our systems and third-party service providers automatically collect certain technical information, including:
- IP address and approximate geographic location
- Browser type and version
- Device type and operating system
- Pages visited, time spent on pages, referring URLs, and click paths
- Cookies and similar tracking technologies (see Section 9)
2.3 Information We Receive from Third Parties
In limited circumstances, we may receive information about you from travel suppliers (such as booking confirmation numbers or itinerary change notifications), Global Distribution Systems (GDS), and other agents acting on your behalf. We do not purchase data from data brokers.
3. How We Use Your Information
We use the personal information we collect for the following purposes:
Booking and Service Fulfillment
- To process and confirm travel reservations on your behalf
- To transmit required traveler details to suppliers
- To communicate changes, cancellations, and updates to your itinerary
Identity Verification and Legal Compliance
- To verify your identity and the identity of travelers in your group
- To comply with TSA Secure Flight requirements and similar government mandates
- To comply with applicable federal, state, and international laws, including the Florida Seller of Travel Act
Communications
- To respond to your inquiries and requests
- To send booking confirmations, receipts, and trip-related notifications
- To send marketing communications about travel offers and services — only to the extent you have not opted out (see Section 8)
Payment and Fraud Prevention
- To process payments and handle refunds
- To detect, investigate, and prevent fraudulent transactions and other illegal activity
Website Operation and Improvement
- To operate, maintain, and improve our Site
- To analyze usage trends and enhance the user experience
Legal Defense and Dispute Resolution
- To establish, exercise, or defend legal claims
- To comply with court orders, subpoenas, or other lawful process
We rely on the following legal bases for processing (particularly relevant to EU/UK residents):
- Performance of a contract: Processing necessary to fulfill your booking request.
- Legal obligation: Processing required to comply with applicable law.
- Legitimate interests: Fraud prevention, IT security, and service improvement.
- Consent: Processing of health/disability information and, where required, marketing communications.
5. Sensitive Personal Information
5.1 Health and Disability Information
If you share medical information, disability status, or special assistance needs with us for the purpose of arranging travel accommodations, we treat this information as sensitive personal information. We:
- Use it only to arrange the specific accommodations you requested;
- Share it only with suppliers who need it to fulfill those accommodations;
- Do not use it for marketing or profiling; and
- Retain it only as long as necessary for your trip and our legal obligations.
You are never required to disclose health or disability information to us. However, if you choose not to share information necessary for a specific accommodation, we may not be able to arrange that accommodation on your behalf.
5.2 Passport and Government-Issued Identification Data
Passport numbers and other government-issued identification numbers are sensitive personal information. We collect this information only when required for international travel bookings, transmit it securely to the relevant airlines and government authorities, and do not store passport numbers beyond the period necessary for the booking and any applicable legal retention requirement.
5.3 Payment Card Data
Although we collect payment card information in the course of processing bookings, we do not retain full card numbers or CVV/security codes in our own systems following transmission to the payment processor. See Section 11 for details on our PCI-DSS approach.
6. International Data Transfers
Because we book travel worldwide, we necessarily share your personal information with travel suppliers and service providers located outside the United States, including in the European Union, the United Kingdom, and other countries. These countries may have different data protection laws than the United States or your home country.
When we transfer your data internationally in connection with a travel booking, such transfers are necessary for the performance of a contract between you and the relevant travel supplier, or made with your explicit consent (for certain sensitive data transfers).
EU and UK Residents
If you are located in the European Union or the United Kingdom:
- We process your personal data in accordance with the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR.
- Where we transfer personal data outside the EEA or UK to a country that has not received an adequacy decision, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK International Data Transfer Addendum.
- You have the right to obtain a copy of the relevant safeguards governing such transfers by contacting us at the address in Section 15.
7. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, to comply with legal obligations, and to resolve disputes or enforce agreements.
| Category of Information | Retention Period |
|---|---|
| Booking records and itineraries | 7 years from the date of travel (Florida Seller of Travel & federal tax requirements) |
| Payment records (transaction details, not card numbers) | 7 years from the date of transaction |
| Passport and government ID data | Duration of booking process, plus 2 years (or longer if required by law) |
| Health and disability accommodation data | Duration of the relevant trip, plus 2 years for dispute resolution |
| Website analytics and log data | 13 months from collection |
| Marketing communications (opt-in records) | Duration of consent plus 3 years after opt-out |
| General correspondence and email | 5 years from the date of the communication |
| Emergency contact information | Duration of the relevant trip; deleted promptly thereafter unless otherwise requested |
When we no longer have a lawful basis to retain your data, we securely delete or de-identify it. We may retain certain information for longer periods when required to do so by a litigation hold, government investigation, regulatory directive, or applicable law.
8. Your Rights and Choices
Depending on where you live, you may have specific legal rights regarding your personal information. We will respond to verifiable requests as described in Section 15.
8.1 Florida Residents — Florida Digital Bill of Rights (FDBR)
Effective July 1, 2024, Florida residents have the following rights under the Florida Digital Bill of Rights, Fla. Stat. Ch. 501, Part II:
- Right to Access: Request confirmation of whether we process your personal data and obtain a copy.
- Right to Correction: Request that we correct inaccurate personal data we hold about you.
- Right to Deletion: Request that we delete personal data we hold about you, subject to certain exceptions.
- Right to Data Portability: Request your personal data in a portable, readily usable format.
- Right to Opt Out of Targeted Advertising: Opt out of the processing of your personal data for targeted advertising.
- Right to Opt Out of Profiling: Opt out of profiling that produces legal or similarly significant effects.
Note: Because CTC does not sell personal data, there is no right to opt out of sale that applies.
8.2 California Residents — CCPA / CPRA
California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of categories and specific pieces of personal information we have collected about you.
- Right to Delete: Request deletion of personal information we hold about you, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information we hold about you.
- Right to Opt Out of Sale or Sharing: CTC does not sell or share your personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: Request that we limit our use of sensitive personal information to uses necessary to provide the services you requested.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
California residents may exercise these rights by contacting us as described in Section 15. We will acknowledge your request within 10 business days and respond substantively within 45 calendar days.
8.3 EU and UK Residents — GDPR / UK GDPR
If you are located in the EEA or the United Kingdom, the following rights apply:
- Right of Access (Art. 15): Obtain confirmation of whether we process your personal data and receive a copy.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data where there is no longer a lawful basis for processing.
- Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format where processing is based on consent or contract.
- Right to Object (Art. 21): Object to processing based on legitimate interests, with an absolute right to object to direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
- Right to Lodge a Complaint: Contact your national supervisory authority. In the UK, you may contact the Information Commissioner’s Office (ICO).
We will respond to GDPR/UK GDPR requests within 30 days, with a possible 60-day extension for complex requests.
8.4 All Users — Marketing and Communications Choices
Regardless of your location, you may opt out of marketing emails at any time by clicking the “unsubscribe” link in any marketing email we send you, or by contacting us at concierge@conwaytravelcollective.com. Even if you opt out of marketing communications, we will still send you transactional messages related to active bookings.
9. Cookies and Tracking Technologies
9.1 What We Use
Our Site uses cookies and similar technologies, including:
- Essential cookies: Required for the Site to function. These cannot be disabled without impairing Site functionality.
- Analytics cookies: Used to understand how visitors interact with our Site (e.g., Google Analytics).
- Functional cookies: Used to remember your preferences (e.g., saved search criteria).
- Advertising and targeting cookies: May be used by third-party services to display relevant advertising on other websites.
9.2 Third-Party Analytics
Our Site may use Google Analytics or similar services to collect anonymized usage data. You can learn about Google’s data practices at policies.google.com/privacy.
9.3 Your Cookie Choices
- Browser controls: Most web browsers allow you to manage or disable cookies through your browser settings.
- Opt-out tools: You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
- Do Not Track: Our Site currently does not respond to “Do Not Track” signals, as there is no industry-wide standard for such signals.
- Florida FDBR opt-out: Florida residents may opt out of targeted advertising that relies on cookies by contacting us at concierge@conwaytravelcollective.com.
10. Children’s Privacy
Our services are intended for adults (18 years of age and older) or minors booking travel under the supervision of a parent or legal guardian. Conway Travel Collective LLC does not knowingly collect personal information directly from children under the age of 13 without verifiable parental consent, in compliance with the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq.
When a booking includes a minor traveler, we collect the minor’s name, date of birth, gender, and passport information as required by the airline or other supplier. This information is provided by the parent or guardian making the booking, not collected directly from the minor.
If you believe we have inadvertently collected personal information from a child under 13 without appropriate consent, please contact us immediately at concierge@conwaytravelcollective.com so that we can take appropriate steps to delete such information.
11. Data Security
We implement technical, physical, and organizational measures designed to protect your personal information against unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encrypted transmission of data (TLS/HTTPS) on our Site and in communications with suppliers and payment processors;
- Access controls that limit employee access to personal information to those with a business need;
- Secure, password-protected systems with multi-factor authentication requirements for internal access;
- Regular review of our information collection, storage, and processing practices.
PCI-DSS Compliance
CTC handles payment card transactions in a manner designed to be consistent with the Payment Card Industry Data Security Standard (PCI-DSS). We do not store your full card number, security code (CVV), or magnetic stripe data on our own systems. Payment information is transmitted directly to PCI-DSS-compliant payment processors and travel suppliers.
Data Breach Notification
Despite our security measures, no system is 100% secure. In the event of a data breach that triggers notification requirements under the Florida Information Protection Act (FIPA), Fla. Stat. § 501.171, we will notify affected Florida residents within 30 days of determining that a breach occurred. If the breach affects more than 500 Florida residents, we will also notify the Florida Department of Legal Affairs.
We will also comply with applicable breach notification requirements under federal law and the laws of other states and jurisdictions, including GDPR Article 33 (72-hour notification to the supervisory authority) and Article 34 (notification to affected individuals without undue delay).
12. Links to Third-Party Sites and Supplier Websites
Our Site may contain links to the websites of airlines, hotels, cruise lines, tour operators, and other travel suppliers, as well as links to general third-party websites. These linked sites operate independently of CTC and are not covered by this Privacy Policy. We have no control over the content or data practices of third-party websites and are not responsible for their privacy policies or practices.
We encourage you to review the privacy policy of every website you visit, particularly any travel supplier website through which you may transact directly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or the services we provide. When we make material changes, we will:
- Post the revised policy on our Site with a new “Effective Date” at the top of the document; and
- Send an email notification to clients with active booking relationships where we have a valid email address on file.
We encourage you to review this Privacy Policy periodically. Your continued use of our Site or services after the effective date of any revised policy constitutes your acknowledgment of the updated terms.
14. Florida Seller of Travel Disclosure
Conway Travel Collective LLC is registered as a Seller of Travel with the State of Florida. Registration No.: ST46413.
Conway Travel Collective LLC is registered with the State of Florida as a Seller of Travel pursuant to Florida Statutes §§ 559.927–559.9355. Registration as a seller of travel does not constitute approval by the State of Florida.
As a booking agent only, Conway Travel Collective LLC arranges travel services provided by independent travel suppliers. We do not own, operate, or control the suppliers whose services we book, and we are not responsible for the acts or omissions of those suppliers. Travel suppliers may have their own financial and insolvency risks. We strongly recommend that travelers purchase travel insurance, including trip cancellation and interruption coverage, to protect against unforeseen events.
- Airline tickets purchased through us are non-refundable once issued unless the airline’s own fare rules provide otherwise.
- Additional restrictions may apply depending on the specific travel products booked. Please review all terms and conditions provided at the time of booking.
15. Contact Us / How to Exercise Your Rights
If you have questions about this Privacy Policy, wish to exercise any of your privacy rights, or need to report a privacy concern, please contact us:
Conway Travel Collective LLC
Attn: Privacy Request
411 Walnut Street #23894
Green Cove Springs, FL 32043-3443
Email: concierge@conwaytravelcollective.com
Website: www.conwaytravelcollective.com
How to Submit a Verifiable Consumer Request
To protect your personal information, we must verify your identity before processing a privacy rights request. We will ask you to provide information sufficient to identify you as the person whose data is in our records (e.g., name, email address, and details of a prior booking).
- Authorized agents: If you are submitting a request on behalf of another person, you must provide written authorization signed by the data subject, or proof of legal guardianship.
- Third-party verification: We will not fulfill a request that we cannot reasonably verify. We will let you know if we are unable to verify your identity and what additional steps may resolve the issue.
Response Timeframes
| Jurisdiction | Initial Acknowledgment | Substantive Response | Extension Available |
|---|---|---|---|
| Florida (FDBR) | As soon as practicable | 45 days | +45 days (with notice) |
| California (CCPA/CPRA) | 10 business days | 45 calendar days | +45 calendar days (with notice) |
| EU / UK (GDPR / UK GDPR) | Without undue delay | 30 calendar days | +60 calendar days (with notice) |
| All other users | As soon as practicable | 45 days | +45 days if necessary |
We will never charge a fee for a first verifiable request in any 12-month period. We may charge a reasonable fee or decline to act on requests that are manifestly unfounded, excessive, or repetitive.
This Privacy Policy is effective as of June 6, 2026.
© 2026 Conway Travel Collective LLC · Fla. Seller of Travel Reg. No. ST46413
411 Walnut Street #23894, Green Cove Springs, FL 32043-3443