Dream Destinations by Heather & Joe
Effective date: September 2, 2025

Dream Destinations by Heather & Joe (“we,” “us,” “our”) is a U.S.-based travel agency. This Privacy Policy explains how we collect, use, disclose, and protect your information when you visit our website, contact us, or book travel through us. We aim to keep this notice clear, accurate, and easy to find, consistent with U.S. consumer privacy guidance. Federal Trade Commission

Contact: heatherandjoetravel@gmail.com • +1 (989) 906-2652 • Bridgeport, MI, USA

We collect information that you provide directly or that is created during planning/booking:

• Identity & contact: name, email, phone, postal address, date of birth, emergency contacts.
   
• Travel documents & details: passport info, Known Traveler/Redress numbers, loyalty numbers, travel preferences, mobility or accessibility needs, dietary needs relevant to your trip.
   
• Booking & payment: itinerary choices, cabin/room preferences, insurance selections, limited payment details. We route payments to processors and do not store full credit card numbers.
   
• Website/app data: pages viewed, IP address, device/browser data, and cookies or similar tech for basic site operation and, if enabled, analytics. (You can control cookies in your browser settings.)
   

• Directly from you (forms, emails, phone calls, messages).
   
• From people booking on your behalf (e.g., a family member in your party).
   
• From travel partners/suppliers (e.g., airlines, cruise lines, hotels, tour operators, insurance providers) when necessary to arrange or service your trip.
   
• From payment processors to confirm payment status.
   

• Provide quotes, plan trips, make bookings, and service your travel.
   
• Communicate with you about requests, itineraries, policy updates, and support.
   
• Process payments and prevent fraud.
   
• Operate and improve our website and services.
   
• Comply with law, respond to legal requests, and protect our rights and customers.
   

We use only the information reasonably necessary for these purposes and apply security appropriate to the sensitivity of the data, in line with FTC expectations for reasonable privacy and data-security practices. Federal Trade Commission

We share your information as needed to deliver your travel and for lawful purposes:

• Travel suppliers: airlines, cruise lines, hotels/resorts, tour operators, transfer vendors, car rentals, ticketing/GDS partners, and travel insurance providers.
   
• Payments & operations: payment processors, fraud-prevention and IT providers, customer support tools, and our CRM.
   
• Legal/compliance: if required by law, regulation, or valid legal process.
   

We do not sell your personal information and do not share it for cross-context behavioral advertising. If that ever changes, we will update this Policy and provide the specific notices and opt-out mechanisms required by law (for example, California’s “Do Not Sell or Share My Personal Information” link). JustiaCalifornia Privacy Protection Agency

We use cookies and similar technologies to run our site (e.g., load pages, keep forms working) and, if implemented, to understand traffic (analytics). You can control cookies via your browser settings. Where required by law, we will honor browser-based opt-out signals (such as Global Privacy Control) for relevant activities. California Privacy Protection AgencyInsightPlus

Our services are not directed to children under 13, and we do not knowingly collect their personal information. If you believe a child under 13 has provided us information, contact us to delete it. If a service is ever directed to children, we will follow COPPA’s notice and parental-consent requirements. eCFRFederal Trade Commission

We keep personal information only as long as needed for the purposes above, to meet legal/contractual obligations (e.g., tax, accounting, travel recordkeeping), or as otherwise permitted by law. When no longer needed, we delete or de-identify it.

We implement reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, disclosure, alteration, and destruction, consistent with FTC guidance on reasonable data security. No system is 100% secure. Federal Trade Commission

Depending on where you live, you may have rights over your personal information. These generally include the right to access, correct, delete, and obtain a portable copy of your data, as well as to opt out of certain processing (e.g., sales, sharing for targeted ads, or certain profiling). You may also have the right to limit the use of sensitive personal information (e.g., in California) and to appeal a decision if we decline your request (e.g., in Virginia/Colorado).

• California (CPRA/CCPA): we provide a reasonably accessible privacy notice that discloses categories of personal information, purposes, categories of recipients, retention, and your rights (access, delete, correct, opt-out of sale/share, limit sensitive PI). If a business sells/shares PI, it must offer a “Do Not Sell or Share My Personal Information” link (or process opt-out signals) and a “Limit the Use of My Sensitive Personal Information” link where applicable. We currently do not sell/share PI. Justia+1California Privacy Protection Agency
   
• Colorado (CPA): privacy notices must give consumers a meaningful understanding of processing and how to exercise rights; controllers must inform consumers about their rights and how to use them. We follow these principles for CO residents. Legal Information Institute
   
• Virginia (VCDPA): consumers have rights to access, correct, delete, obtain data portability, and opt out of targeted advertising, sale, and certain profiling; controllers must provide a clear, accessible privacy notice and respond to requests (generally within 45 days) with an appeal process. Virginia Attorney General
   
• Connecticut (CTDPA) & Utah (UCPA): similar rights and notice obligations apply; Utah also requires a clear, reasonably accessible privacy notice describing categories, purposes, and how to exercise rights. We honor these rights where applicable. le.utah.gov
   

Email heatherandjoetravel@gmail.com with the subject “Privacy Request” and tell us what you’d like to do (access, correct, delete, portability, opt-out, limit sensitive PI, or appeal). We’ll verify your identity and respond within the timelines required by applicable law. If we decline, you may appeal by replying “Appeal” to our decision; you may also contact your state Attorney General. Virginia Attorney General

If you are in the EEA or UK, our lawful bases for processing include: contract (to provide requested travel services), legal obligation (e.g., recordkeeping), legitimate interests (e.g., site security, service improvement), and consent where required (e.g., certain marketing/cookies). You have rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with a supervisory authority. We provide controller identity, purposes, legal bases, retention, recipients, and your rights as required by GDPR Articles 13/14. GDPR

International transfers from the EEA/UK may occur to fulfill your bookings (e.g., U.S.-based suppliers). When we transfer data, we use appropriate safeguards permitted by law.

Our website may link to third-party sites or services (e.g., airlines, cruise lines, insurance providers). Their privacy practices are governed by their own policies.

We will update this Policy when our practices change or when laws require. If we make material changes, we will post a prominent notice on our site and indicate the effective date, consistent with applicable rules. Legal Information Institute