Lightweight records-of-processing + vendor map. Review at least annually and after any vendor, credential, or personnel change. Pairs with the retention policy in README.md and incident steps in RUNBOOK.md.
Last reviewed: 2026-06-14. Owner: Jake.
| Data | Categories | Purpose | Stored in | Recipients / processors | Retention | Deletion |
|---|---|---|---|---|---|---|
| Bookings / itineraries | Traveler & guest names, loyalty #, ticket #, confirmation codes, dates, locations, costs, free-text notes | Deliver client itineraries via the portal | Cloudflare KV (booking: / trash:) + R2 snapshots |
Cloudflare (processor) | Live until deleted; trash 90d; snapshots ≤90d | Admin Delete (soft, 90d) / Erase permanently (live+trash) |
| Booking attachments | Client-supplied documents — e-tickets, vouchers, confirmations (PDF/image, ≤10 MB) | Deliver supporting documents via the portal | Cloudflare R2 (farholm-attachments, att/<REF>/…) — Worker-gated, never public |
Cloudflare (processor) | Live until the booking is permanently erased | Admin removes a file, or Erase permanently deletes all of a booking's files |
| Contact inquiries | Name, email, phone, state, trip type/party/budget/timing, free-text message | Respond to and plan inquiries | Web3Forms → email hello@farholm.com |
Web3Forms, email provider | Set in Web3Forms + mailbox (configure) | Delete in Web3Forms + mailbox |
| Website usage | Pageviews, device/approx-geo, Core Web Vitals | Measure traffic & performance | Google Analytics (consent-gated, cookieless config) + Cloudflare Web Analytics (cookieless) | Google, Cloudflare | GA account default; CF rolling | Via provider controls |
| Consent records | Consent choices | Demonstrate consent | Termly | Termly | Per Termly | Per Termly |
| Admin identity | Admin email / Access session | Authenticate the admin | Cloudflare Access | Cloudflare | Per Access session policy | Remove from Access policy |
Prohibited in booking notes/fields and in uploaded attachments (data minimization): passport/ID numbers, payment-card data, account passwords, and medical details. Keep only what's needed to deliver the itinerary. The admin Attachments panel restates this; uploads are capped at 10 MB and limited to PDF/image types.
| Vendor | Provides | Data handled | Criticality | Account owner | Recovery / notes |
|---|---|---|---|---|---|
| Cloudflare | Hosting, Worker, KV (bookings), R2 (backups + attachments), Access, DNS | Booking PII + backups + attachments | Critical | Jake | Account password + MFA + saved recovery codes; primary data and its backups live here — keep an off-Cloudflare export (backlog) |
| GitHub | Source + Workers Builds deploy | Source only (no client data) | Critical (deploy path) | Jake | MFA; protect main; deploy keys |
| Web3Forms | Contact-form processing | Inquiry PII | Medium (email fallback exists) | Jake | Access key is public by design; strict spam protection enabled (domain restriction is Pro-only); page honeypot + email fallback in place |
| Termly | Privacy/cookie policy + consent banner | Consent + site-use signals | Critical (legal disclosures render from it) | Jake | Keep a first-party policy copy as fallback (backlog) |
Email (hello@farholm.com) |
Inquiry delivery / correspondence | Inquiry PII | Medium | Jake | MFA; retention policy on mailbox |
| Google Analytics | Usage analytics | Usage data | Low | Jake | Consent-gated; data-retention setting in GA |
| Google Places | Admin place auto-fill | Search queries (no client PII) | Low | Jake | Server-side key (Worker secret) |
| AeroDataBox (RapidAPI) | Admin flight auto-fill | Flight numbers/dates | Low | Jake | Server-side key (Worker secret) |
| Frankfurter | FX rates | None | Low | Jake | No key; cached daily |
| Virgin Voyages (+ cruise lines) | Cruise referral links | None (outbound links) | Low | Jake | Referral relationship |
Review who/what can reach each system, and remove obsolete accounts/credentials, at least annually and after personnel/vendor changes:
GOOGLE_PLACES_KEY, AERODATABOX_KEY) — rotate on suspicion.Record completed reviews (date + result) below.