Privacy Policy
Once Upon a Wish Travel Website: ouawtravel.com
Effective date: 1 January 2026 Last updated: 1 January 2026
1. Introduction
Once Upon a Wish Travel (“Once Upon a Wish Travel,” “we,” “us,” or “our“) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit ouawtravel.com (the “Site“), communicate with us, or use our travel-planning and booking services (collectively, the “Services“).
Please read this policy carefully. By using the Site or our Services, you acknowledge that you have read and understood this Privacy Policy.
Note for travelers: As a travel agency, we act as an intermediary between you and travel suppliers (airlines, hotels, cruise lines, tour operators, transfer providers, insurers, and similar). Those suppliers are independent businesses with their own privacy practices. When we pass your information to a supplier so it can fulfill your booking, that supplier processes your information under its own privacy policy.
2. Who we are (Data Controller)
For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, the data controller is:
Once Upon a Wish Travel Once Upon a Wish Travel, LLC |9893 Georgetown Pike, Great Falls, VA 22066 | contact@ouawtravel.com] Phone: [INSERT PHONE]
3. Scope of this policy
This policy applies to personal information we process about:
- Visitors to the Site
- Clients who request quotes, plan trips, or make bookings
- Travelers included in a booking (who may be people other than the person making the booking)
- People who subscribe to our newsletter or marketing
- People who contact us by phone, email, web form, or social media
If you provide us with information about other travelers (for example, family members, a wedding party, or group members), you confirm that you have their permission to share their information with us and to receive communications on their behalf, and that you have made them aware of this Privacy Policy.
4. Personal information we collect
We collect the following categories of personal information. The specific data collected depends on the Service you use and the trip you are booking.
| Category | Examples |
|---|---|
| Identity & contact data | Full legal name, preferred name, postal address, email address, phone number |
| Traveler & booking details | Date of birth, gender, nationality, passport/visa details, frequent-flyer/loyalty numbers, travel dates, itineraries, room and seating preferences, group/party details |
| Special category / sensitive data (only when you provide it) | Health, mobility, or accessibility needs; dietary requirements; medical information relevant to travel; emergency contact details. (Some of this may reveal health information; see Section 6.) |
| Payment & financial data | Billing address and payment-card details (typically collected and processed by our payment processor and/or travel suppliers, not stored in full by us), records of transactions |
| Marketing & communication data | Newsletter subscription status, marketing preferences, communications you send us |
| Technical & usage data | IP address, device and browser type, operating system, referring URLs, pages viewed, and other information collected via cookies and similar technologies (see our Cookie Policy) |
| Insurance & documentation | Travel insurance details, copies of identity or travel documents you choose to share with us |
We do not intentionally collect personal information from children under 13. See “Children’s Privacy” below.
5. How we collect personal information
We collect personal information:
- Directly from you — when you request a quote, plan a trip, make a booking, complete forms, subscribe to marketing, or contact us.
- From the person who books on your behalf — when someone makes a booking that includes you as a traveler.
- Automatically — through cookies and similar technologies when you use the Site (see our Cookie Policy).
- From third parties — such as travel suppliers, payment processors, referral partners, and publicly available sources, where relevant to your booking.
6. How and why we use your information (and our legal bases)
Under GDPR/UK GDPR, we must have a lawful basis for each processing activity. The table below sets out our purposes and the legal basis we rely on.
| Purpose | Legal basis (GDPR / UK GDPR) |
|---|---|
| Respond to inquiries and provide quotes | Performance of a contract / taking steps at your request before entering a contract; legitimate interests |
| Arrange, confirm, and manage your travel bookings | Performance of a contract; legitimate interests |
| Share necessary details with travel suppliers to fulfill your trip | Performance of a contract |
| Process payments and prevent fraud | Performance of a contract; legal obligation; legitimate interests |
| Provide customer support and handle complaints | Performance of a contract; legitimate interests |
| Send service messages (booking confirmations, itinerary changes, travel alerts) | Performance of a contract; legitimate interests |
| Send marketing emails and newsletters | Consent (you may withdraw at any time) and/or legitimate interests where permitted |
| Process special category data (health, dietary, accessibility, etc.) | Your explicit consent, and/or where necessary to protect vital interests |
| Operate, secure, and improve the Site and Services | Legitimate interests |
| Comply with legal, tax, accounting, and regulatory obligations | Legal obligation |
| Establish, exercise, or defend legal claims | Legitimate interests; legal obligation |
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You may object to this processing (see Section 11).
Where we rely on consent (for example, marketing or special category data), you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
7. How we share your information
We share personal information only as needed to provide the Services and run our business. We do not sell your personal information for money. (See Section 12 for how “sale” and “sharing” are defined under California law.)
We may disclose personal information to:
- Travel suppliers — airlines, hotels, resorts, cruise lines, rail and transfer companies, tour and excursion operators, and travel insurers, so they can fulfill your booking. These suppliers may be located outside your country (see Section 8).
- Booking and reservation systems / GDS and tour-operator host agencies or consortia we work with.
- Payment processors — to take payment securely.
- Service providers — IT, hosting, email, CRM, analytics, marketing, and professional advisors (lawyers, accountants) who process information on our behalf under contract.
- Legal and regulatory bodies — where required by law, court order, or to protect our rights, your safety, or the safety of others.
- Successors — in connection with a merger, acquisition, or sale of business assets, subject to this policy.
Service providers acting on our behalf (“processors”) are bound by contracts requiring them to protect your information and use it only as instructed.
8. International data transfers
Travel is global, so your personal information will often be transferred to and processed in countries outside your home country — including countries that may not provide the same level of data protection as the EU/UK.
This is necessary to provide your travel arrangements (for example, sending your details to a hotel abroad). Where we transfer personal information out of the EEA or UK other than to fulfill your specific travel contract, we use appropriate safeguards such as:
- the European Commission’s Standard Contractual Clauses (and the UK Addendum/IDTA, where relevant); or
- transfers to countries covered by an adequacy decision.
You may request a copy of the relevant safeguards by contacting us at contact@ouawtravel.com.
9. How long we keep your information (Retention)
We keep personal information only as long as necessary for the purposes described in this policy, including to satisfy legal, accounting, tax, insurance, or reporting requirements, and to resolve disputes or defend claims.
Typical retention periods:
- Booking and transaction records: 1 year after the trip, to meet tax/accounting and liability obligations.
- Marketing data: until you unsubscribe or withdraw consent, then suppressed as needed to honor your opt-out.
- Inquiries that do not become bookings: 12 Months.
- Website/technical data: 12 Months.
When we no longer need personal information, we securely delete or anonymize it.
10. Children’s privacy
Our Services are directed to adults. We do not knowingly collect personal information directly from children under 13 without parental consent.
Bookings frequently include minors as travelers. Where a child’s information is provided, we rely on the adult making the booking to provide it and to have authority to do so. If you believe we have collected information from a child inappropriately, contact us at contact@ouawtravel.com and we will take appropriate steps to delete it.
11. Your rights under GDPR / UK GDPR
If you are in the EEA or UK, you have the following rights regarding your personal information:
- Access — request a copy of the personal information we hold about you.
- Rectification — ask us to correct inaccurate or incomplete information.
- Erasure — ask us to delete your information (“right to be forgotten”) in certain circumstances.
- Restriction — ask us to limit processing in certain circumstances.
- Portability — receive certain information in a structured, machine-readable format, or have it transferred to another controller.
- Object — object to processing based on legitimate interests, and object to direct marketing at any time.
- Withdraw consent — where we rely on consent, withdraw it at any time.
- Avoid automated decision-making — we do not make decisions producing legal or similarly significant effects based solely on automated processing.
To exercise any of these rights, contact us at contact@ouawtravel.com. We will respond within the timeframe required by law (generally one month). We may need to verify your identity first.
Right to complain: You may lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner’s Office (ico.org.uk). In the EU, you may contact the supervisory authority in your country of residence. We’d appreciate the chance to address your concerns first, so please consider contacting us before filing a complaint.
12. Your California privacy rights (CCPA / CPRA)
This section applies to California residents and describes your rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”).
Categories of personal information we collect
In the past 12 months, we have collected the categories of personal information described in Section 4, which map to the following statutory categories:
- Identifiers (name, address, email, IP address, passport/loyalty numbers)
- Personal records (contact details, payment information)
- Characteristics of protected classifications (age/date of birth, nationality)
- Commercial information (booking and transaction history)
- Internet/network activity (browsing and usage data via cookies)
- Geolocation data (general, from IP)
- Sensitive personal information (passport/government ID numbers, and any health, dietary, or accessibility information you provide for travel)
Sources, purposes, and recipients are described in Sections 4–7 above.
Sale or sharing of personal information
We do not “sell” your personal information for money, and we do not “share” it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not done so in the preceding 12 months.
We do not use or disclose your sensitive personal information for purposes beyond those permitted under the CCPA/CPRA. We do not knowingly sell or share the personal information of consumers under 16.
Your California rights
- Right to know — request the categories and specific pieces of personal information we have collected, the sources, purposes, and the categories of third parties to whom we disclose it.
- Right to delete — request deletion of your personal information, subject to legal exceptions (e.g., completing a transaction, complying with law).
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of the sale or sharing of personal information (see above).
- Right to limit the use and disclosure of sensitive personal information.
- Right to non-discrimination — we will not discriminate against you for exercising your rights.
How to exercise your California rights
Submit a request by email: contact@ouawtravel.com
We will verify your identity before responding. You may use an authorized agent to submit a request on your behalf; we may require proof of authorization and verification of your identity.
We will respond within the timeframes required by law (generally 45 days, extendable). We do not charge a fee for most requests.
13. Data security
We use appropriate technical and organizational measures to protect personal information against unauthorized access, loss, misuse, or alteration — including [INSERT, e.g., encryption in transit (TLS), access controls, and vetted service providers]. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. We ask that you protect your own account credentials and avoid sending sensitive information by unsecured channels.
14. Cookies and tracking technologies
The Site uses cookies and similar technologies. For full details on the cookies we use, their purposes, and how to manage your preferences, see our separate Cookie Policy below.
15. Third-party websites
The Site may contain links to third-party websites (for example, supplier or partner sites). We are not responsible for the privacy practices of those websites. We encourage you to read their privacy policies.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, where appropriate, notify you. Your continued use of the Services after an update constitutes acceptance of the revised policy.
17. Contact us
If you have questions, requests, or concerns about this Privacy Policy or how we handle your personal information, contact us:
Once Upon a Wish Travel, LLC | 9893 Georgetown Pike, Great Falls, VA 22066 | contact@ouawtravel.com
Cookie Policy
Once Upon a Wish Travel Website: ouawtravel.com
Effective date: 1 January 2026 Last updated: 1 January 2026
1. Introduction
This Cookie Policy explains how Once Upon a Wish Travel (“we,” “us,” or “our“) uses cookies and similar technologies on ouawtravel.com (the “Site“). It should be read together with our Privacy Policy.
By using the Site, and where required by law by accepting cookies through our consent banner, you agree to our use of cookies as described in this policy. You can change or withdraw your consent at any time (see Section 6).
2. What are cookies?
Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work, to make them more efficient, and to provide information to the site’s owners.
We also use similar technologies such as pixels, tags, local storage, and software development kits (SDKs), which we refer to collectively as “cookies” in this policy.
Cookies may be:
- Session cookies — deleted when you close your browser.
- Persistent cookies — remain on your device until they expire or you delete them.
- First-party cookies — set by us.
- Third-party cookies — set by other organizations whose services we use (for example, analytics or advertising providers).
3. Why we use cookies
We use cookies to:
- Make the Site function and keep it secure
- Remember your preferences and settings
- Understand how visitors use the Site so we can improve it
- Measure the effectiveness of our marketing
- Deliver and personalize advertising (only where applicable — see Section 4)
4. Categories of cookies we use
Our Site does not set its own advertising or tracking cookies. The cookies present on our Site are set by an embedded third-party tool — the Disney Travel Center booking and quote system — which we include so you can browse and request Disney vacation options. These cookies are placed and controlled by Disney, not by us (see Section 5). We do not use advertising, retargeting, or cross-context behavioral advertising cookies.
The cookies you may encounter fall into these categories:
a) Strictly necessary cookies (always active)
These are essential for the embedded booking tool to function and cannot be switched off without breaking it. No consent is required for these.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
__d | Disney Travel Center (third party) | Maintains a secure session for the booking tool | Session |
info | Disney Travel Center (third party) | Session identifier | Session |
b) Functional cookies
These remember your choices and preferences so the embedded tool works the way you expect.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
set-language | Disney Travel Center (third party) | Remembers your language preference (e.g., en-us) | Session |
WDPROView | Disney Travel Center (third party) | Remembers your device/display preference (e.g., desktop) | Session |
geolocation_aka_jar | Disney Travel Center / Akamai (third party) | Determines approximate location to show relevant content | Session |
c) Performance & analytics cookies
These help the third-party provider monitor the performance and reliability of the embedded tool.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
ADRUM_BT | Disney Travel Center / Cisco AppDynamics (third party) | Application performance monitoring | Session |
5. Third-party cookies
All of the cookies described above are placed by an embedded third-party service — the Disney Travel Center booking and quote tool — which appears on our Site so you can explore and request Disney vacation options. When you view a page containing this tool, Disney (and its service providers, such as Akamai and Cisco AppDynamics) may set the cookies listed in Section 4 directly on your device.
We do not control these cookies, and the information they collect is governed by Disney’s own privacy and cookie policies. For more information, please review the Disney Travel Center / The Walt Disney Company privacy and cookies notices on their website.
We do not set any first-party advertising or analytics cookies of our own.
6. How to manage your cookie preferences
Managing the embedded tool’s cookies
Because the cookies on our Site come from an embedded third-party tool rather than from cookies we set ourselves, the most effective ways to control them are:
- Browser controls (see below) to block or delete third-party cookies; and
- choosing not to interact with the embedded Disney Travel Center tool.
Note that blocking these cookies may prevent the embedded booking and quote tool from working properly.
Browser controls
Most browsers let you view, manage, and delete cookies through their settings. Note that blocking strictly necessary cookies may stop parts of the Site from working. For guidance, see your browser’s help pages:
- Google Chrome
- Mozilla Firefox
- Apple Safari
- Microsoft Edge
7. Do Not Track and Global Privacy Control (GPC)
Some browsers offer a “Do Not Track” (DNT) signal. Because there is no common industry standard for DNT, our Site does not respond to DNT signals.
We do not sell or share your personal information for cross-context behavioral advertising, so there is no sale or sharing for a Global Privacy Control (GPC) signal to opt out of. See our Privacy Policy for more on your California privacy rights.
8. Changes to this Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in technology, law, or our practices. When we do, we will update the “Last updated” date above.
9. Contact us
If you have questions about our use of cookies, contact us:
Once Upon a Wish Travel, LLC | 9893 Georgetown Pike, Great Falls, VA 22066 | contact@ouawtravel.com