New York Wonderland Tour

Security Policy

Last updated: June 15, 2026

We take reasonable technical and organizational measures to protect your personal information and payment data.

1. Data Protection

  • Passwords are stored using salted one-way hashing — we never store plain-text passwords.
  • Admin access requires a separate authenticated token; customer sessions use expiring tokens.
  • API responses omit sensitive fields (e.g. payment secret keys are never exposed publicly).

2. Payment Security

When Stripe (or similar) is configured, card data is collected and processed on the provider’s PCI-compliant infrastructure. Our servers receive payment status and booking references, not full card numbers.

Stripe secret keys must be stored only in server environment variables or secure admin settings — never in client-side code or public repositories.

3. Transport & Hosting

Production deployments should enforce HTTPS (TLS) for all pages and API endpoints. Security headers such as X-Content-Type-Options are applied on API responses.

4. Access Control

Agency staff use the admin panel with role-based access. Customer accounts can only access their own booking history when authenticated.

5. Incident Response

If we discover a security incident affecting your data, we will investigate promptly and notify affected users when required by law.

6. Your Responsibilities

Use a strong unique password, do not share login details, and sign out on shared devices. Report suspicious account activity to hello@newyorkwonderlandtours.com.

7. Related Policies

Privacy Policy · Cookie Policy