VegasMatt × Virgin Voyages

Privacy Policy

Effective: 2026-05-16

This policy describes how the VegasMatt cruise-booking intake site (cruise.vegasmatt.com) collects, uses, and shares personal information when you submit a casino offer for a Virgin Voyages group sailing.

It applies to anyone who uses this site, wherever you live. If you are in the European Economic Area, the United Kingdom, or California, additional rights are described below.

Who we are

The site is operated by Matt Davis (“VegasMatt”). Contact: cruise@vegasmatt.com. For privacy questions specifically, use the same address with “Privacy” in the subject.

What we collect

When you submit the intake form we ask for:

  • Name, date of birth, citizenship, email address, phone number.
  • Mailing address (street, city, state/region, postal code, country).
  • The same details for a second sailor (your “+1”) if you bring one.
  • The casino offer you’re submitting — usually as a photo or PDF. The image is processed by an automated classifier (see “How we use it” below) and stored alongside your submission.
  • Your selected sailing, the source casino, and free-text notes you choose to add.

After your booking is confirmed and we send you a sailor-info form, we may also collect a t-shirt size, badge name, Discord handle (optional), waiver acknowledgement, and excursion sign-ups for the trip.

We do not collect payment-card information. Virgin Voyages handles payment directly.

How we use it

  • Booking your cruise. The information you submit is forwarded to Virgin Voyages’ group-bookings team so they can secure your cabin under the casino offer.
  • Classifying your offer. Offer images are analysed by an automated system (Anthropic’s Claude Vision API) to extract the casino, free-play amount, and date range. The result is reviewed by a human before any decision is sent to you.
  • Verifying your address. US addresses are checked against the USPS database via Lob to catch typos before we forward the booking. We do not store the raw address with Lob beyond the verification call.
  • Communicating with you. We email you the booking confirmation, the post-booking sailor-info form, itinerary updates, and reminders. Replies you send come back into a thread we can see in our admin tool.
  • Operating the trip. Booked-sailor names, cabins, t-shirt sizes, and badge details feed the meet-greet check-in, on-board badges, and excursion rosters.
  • Detecting duplicate / fraudulent offers. We compare submitted offer images to prior submissions to flag duplicates.

Under GDPR, our legal bases are: contract (we need this information to book the cruise you asked for), legitimate interests (preventing fraud, operating the trip), and consent (optional fields like Discord handle and marketing opt-ins).

Who we share it with

We share information only with parties that need it to operate the booking:

  • Virgin Voyages — the cruise line. They become an independent controller of your booking data once it’s with them; their privacy policy applies. Virgin Voyages privacy notice.
  • Anthropic — processes your offer image to extract structured fields. Anthropic does not use submitted data to train models.
  • Lob — verifies US mailing addresses against USPS records.
  • Postmark — sends our outbound email and receives your replies.
  • Tigris — stores uploaded offer images and PDFs (S3-compatible object storage, US region).
  • Sentry — error monitoring; may incidentally see IP address and user-agent if a request errors.
  • Shopify — if you buy an excursion through the Vegas Matt shop, that purchase happens on Shopify under their privacy notice.
  • Hetzner — the hosting provider for the application servers (US data center).

We do not sell or rent your personal information. We do not share it with advertisers or data brokers.

International transfers

Our servers and most of our processors are based in the United States. If you submit from outside the US, your information is transferred to and processed in the US. Where required, our processors rely on the EU Standard Contractual Clauses (or equivalent UK/Swiss safeguards) for these transfers.

How long we keep it

  • Submission, sailor, and booking records: kept for the duration of your booking and for up to seven years after the sail date for tax and dispute resolution.
  • Offer images and PDFs: same retention as the submission they belong to.
  • Email correspondence: kept while it’s relevant to the booking, typically up to two years.
  • Server access logs: rotated within 30 days unless retained for security investigation.

You can request earlier deletion (see “Your rights” below) and we will honour it unless we are legally required to keep the record.

Security

The site runs over HTTPS. Sensitive identity fields (email, name, date of birth, phone, address) are encrypted at rest in our database. Offer image storage is private and accessed only through signed URLs. Access to the admin tool is limited to authorised staff with individual accounts.

No system is perfectly secure. If you believe your information has been compromised, email us at cruise@vegasmatt.com.

Your rights

Wherever you live you can ask us to:

  • Tell you what we have on file about you.
  • Correct it if it’s wrong.
  • Delete it.
  • Stop using it for a particular purpose.

European Economic Area / United Kingdom (GDPR / UK GDPR). In addition to the above, you have the right to data portability, the right to object to processing based on legitimate interests, and the right to lodge a complaint with your national data protection authority. There are no automated decisions that have a legal or similarly significant effect on you — the offer classifier’s output is always reviewed by a human before action.

California (CCPA / CPRA). You have the right to know what personal information we collect, to delete it, to correct it, and to opt out of any sale or sharing of personal information for cross-context behavioural advertising. We do not sell or share personal information for that purpose. We do not knowingly process the personal information of California residents under 16.

To exercise any of these rights, email cruise@vegasmatt.com with “Privacy request” in the subject. We respond within 30 days (or 45 days for CCPA, with notice).

Cookies and tracking

We use a small number of strictly necessary cookies: a session cookie that keeps you signed in to the admin tool, a CSRF token for form security, and a theme preference cookie that remembers whether you chose light or dark mode. We do not use advertising cookies, analytics cookies, or cross-site trackers.

Marketing email

The booking-related emails we send are transactional — you can’t opt out of them while you have an active booking. Any broadcast / promotional email includes a one-click unsubscribe link. You can also email us to be removed from all non-essential lists.

Children

The site is not directed at children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has submitted information to us, email cruise@vegasmatt.com and we will delete it.

Changes to this policy

We’ll update this page if our practices change. The “Effective” date at the top reflects the most recent revision. Material changes will be communicated by email to people with active bookings.