Effective as of October 2023.
This Privacy Notice describes how Airline Tariff Publishing Company, established at 45005 Aviation Drive, Dulles, VA 20166 (“ATPCO,” “we”, “us” or “our”) handles personal information when you visit our website: https://www.atpco.net/ or https://faremanager.atpco.net or associated sites or pages (the “Site"). This Privacy Notice applies to our Site’s users, whether or not our users have created an account on our Site. The purpose of this Privacy Notice is to provide you with clear explanation of what personal information we collect, when, why and how we collect, use and share your personal information and it explains your statutory rights.
ATPCO provides world-leading airline software for pricing and shopping data to airlines, GDSs, travel agencies, and tech companies. This Privacy Notice does not apply to information that we process on behalf of our business customers while providing the ATPCO services to them. Our use of this information is restricted by our agreements with those business customers. If you have concerns regarding personal information that we process on behalf of a business, please direct your concerns to that business. Please refer to our business customers’ privacy statements to understand how they collect, share and use your personal information.
Our Sites, products and services are designed for businesses and their representatives. We do not offer products or services for use by individuals for their personal, family or household purposes. Accordingly, we treat all personal information we collect as pertaining to individuals in their capacities as business representatives and not their individual capacities.
We strongly urge you read this notice and make sure you fully understand our practices in relation to personal information before you access or use our Site.
If you read and fully understand this Privacy Notice, but remain opposed to our practices, you must immediately leave our Site. Where you have read this notice but would like further clarification, please contact us at the details provided at the end of this document.
If you are located in the EEA or the UK, we will process your personal information as a controller, in compliance with the European General Data Protection Regulation (“GDPR”) and the UK GDPR. Please consult the section at the bottom of this Privacy Notice to understand the rights on your personal information under the GDPR and UK GDPR.
ATPCO complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. ATPCO has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. ATPCO has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
ATPCO is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). As set forth in Annex I of the DPF Principles, individuals, under certain conditions, may invoke binding arbitration. ATPCO is obligated to arbitrate claims and follow the terms and procedures as set forth in Annex I of the DPF Principles and is subject to those conditions.
In the context of an onward transfer, ATPCO is responsible for the processing of personal information it receives under the DPF and subsequently transfers to a third party acting as an agent on its behalf. ATPCO shall remain liable under the Principles, if its agent processes such personal information in a manner inconsistent with the Principles, except for situations in which ATPCO is found not to be responsible for the event giving rise to the damage.
- What Personal information do we collect and how do we collect it?
- How we use your personal information
- How we share your personal information
- Your Privacy rights
- Other sites and services
- International data transfer
- Changes to this Privacy Notice
- Additional information for users in California
- Additional information for users in the EEA/UK
What Personal information do we collect and how do we collect it?
Personal information is information that can be used to identify you directly or indirectly, such as your name, email address, phone number, etc.
Information you provide to us directly:
- When you contact us using our Contact form: we collect your first and last name, the name of your company, your email address, your job title, your department, your geographic area, whether you prefer to be contacted by email or phone, your phone number when you indicated that you want to be contacted by phone, as well as any information you decide to share with us.
- When you create an account on our Site, we collect your first and last name, your username, your email address, your phone number, the name of your company, and your business address. We may further process financial data.
- When you participate in Customer Satisfaction Survey, we collect your email address and any information you decide to share with us.
- When you sign up to receive our newsletter(s), we collect your first and last name and email address. We may also collect the name of your company.
- When you register to our events: we collect your first and last name, the name of your company, your email address, your job title, your department, your geographic area, whether you prefer to be contacted by email or phone, your phone number when you indicated that you want to be contacted by phone, as well as any information you decide to share with us.
- For international ATPCO sponsored events: we may collect information on the nationality of attendees which may be shared with local governments or jurisdictions as applicable to comply with local laws.
- For visitors to ATPCO office facilities: we collect identifying information such as name, address, telephone number, that you share with ATPCO before and during your visit to our office facilities. This information is collected as you engage with our visitor check-in process and helps us provide an efficient check-in process for you, protect the security and safety of our premises, and aid us in fulfilling our legal obligations.
- When you apply to one of our open positions published in our Career page, we collect your first and last name, your email address, your phone number, your place of residence, your resume, as well as any information you decide to share with us. We also collect information about your education, your professional experience, and your social media accounts (e.g. LinkedIn, Twitter).
Information we obtain from social media platforms:
- When you visit or interact with our pages on social media platforms, such as LinkedIn, Twitter, YouTube, and other third-party platforms, you are agreeing to the platform provider’s privacy notice. This may include sharing with us your name, profile, photos, reactions and comments to our posts, etc. The platform provider’s privacy notice applies to your interactions and their collection, use and processing of your personal information. You or the platforms may provide us with information through the platform, and we will treat such information in accordance with this Privacy Notice.
- Data from other accounts, if you use a third party, like LinkedIn, SmartrProfile or Indeed to apply to one of our open positions, then you authorize the third party to share your personal information with us, including your name, username, photo, email address, resume and any other information you agree to share. The platform provider’s privacy notice applies to your interactions and their collection, use and processing of your personal information.
Information collected by automated means from your browser and device through cookies and other tracking technologies:
- With your permission where it is required by applicable laws, we, our service providers, and/or our business partners may automatically log information about you, your browser, your computer or mobile device, and your activity on the Site, such as:
- Device data, such as your computer’s or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state or geographic area.
- Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the Site you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.
- Location data when you authorize the Service to access your device’s location.
Information we obtain from other third parties.
We may receive personal information about you from third-party sources. For example, we may obtain your personal information from other third parties, such as marketing partners, publicly available sources and data providers.
How we use your personal information?
We use your personal information for the following purposes or as otherwise described at the time of collection:
- Service delivery. We, our service providers and/or business partners may use your personal information to:
- provide, operate and improve our Site and our services.
- provide support for our services, and respond to your requests, questions and feedback.
- communicate with you about our services and provide you with the information and content you have requested, including providing you access to our trainings, event recordings, newsletters, sending announcements, updates, security alerts, and support and administrative messages, etc.
- establish and maintain your account on the Site.
- use our dashboard’s functionalities when you are logged on our Site.
- facilitate your payments and manage your invoices.
- register your attendance to events that we organize.
- understand your needs and interests, and personalize your experience with the Site and our services; and
- enable security features of the Site.
- To assess your job application: We and/or business partners process your personal information for human resources purposes, including to assess your application.
- For internal business purposes, such as:
- To ensure access to and maintenance of our Site, to ensure its proper functioning and to carry out statistical analyses on the use of the Site and the frequency of visits.
- to analyze and improve the Service and our services; and
- to track any fraudulent activities and other inappropriate activities and monitor content integrity on our Site.
- Marketing. With your consent where required by applicable laws, we may send you marketing communications. You will have the ability to opt-out of our marketing and promotional communications at any time as described in the opt-out of marketing section below.
- Compliance and protection. We may use your personal information to:
- comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.
- protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims).
- audit our internal processes for compliance with legal and contractual requirements or our internal policies.
- prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
As part of these activities, we may create aggregated, de-identified or other anonymous data from personal information we collect. We make personal information into anonymous data by removing information that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
How we share your personal information
We may share your personal information with third parties only where it is necessary, and for purposes described in this Privacy Notice. We may share your personal information with the following categories of third parties:
- Affiliates: We may share your personal information with our subsidiaries and affiliates.
- Business partners / Services providers: We may transfer your personal information to our business partners / service providers as necessary for them to provide services to us in connection with our fulfilment of the purpose set out above. For example, we may rely on service providers to host and maintain our Site, perform backup and storage services, and transmit communications.
- Our business partners / service providers include without limitation SmartRecruiters, ServiceNow, Microsoft Corp., etc.
- Government Agencies, Regulators and Professional Advisors: Where permitted or required by applicable law, we may also need to transfer your personal information to government agencies and regulators (e.g., tax authorities, courts, and government authorities) to comply with our legal obligations, and to external professional advisors as necessary to defend our legal interests.
- Organizations Involved in Business Transfers: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal information, will be transferred to the surviving entity in a merger or the acquiring entity. Such information will be transferred in accordance with applicable law.
ATPCO will comply with government or public authority requests for data stored at ATPCO in accordance with applicable law. ATPCO will attempt to ensure that the data requests comply with the data transfer or privacy laws that the Controller is subject to. If ATPCO cannot guarantee compliance with the laws governing the Controller, ATPCO will notify the Controller (if allowed by law) and abide by the Controller's instructions on the data currently or in future in ATPCO's custody.
ATPCO will also maintain an internal record of such data requests and will share information related to the request (as allowed by law) with affected parties.
ATPCO will not disclose, or share, any personal data in response to a request that is not legally binding, or if the request is outside the scope listed above.
Your Privacy Rights
- Access or update your information. If you have registered for an account with us through the Service, you may review and update certain account information by logging into the account.
- Opt-out of marketing communications. You may opt-out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us via the contact information provided at the end of this document. Please note that if you choose to opt-out of marketing-related emails, you may continue to receive service-related and other non-marketing emails.
- Cookies. For information about cookies employed by the Service and how to control them, see our Cookie Notice: [LINK](below).
- Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
- Declining to provide information. We need to collect personal information to provide certain services. If you do not provide the information we identify as required or mandatory, we may not be able to provide those services.
- Delete your content or close your account. You can choose to delete certain content through your account. If you wish to request to close your account, please contact us via the contact information provided at the end of this document.
Other sites and services
The Site may contain links to websites, mobile applications, and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy notices of the other websites, mobile applications and online services you use.
The security of your personal information is important to us. We employ a number of technical, organizational and physical safeguards designed to protect the personal information we collect from accidental loss and from unauthorized access, use, alteration, and disclosure. ATPCO encrypts all personal data in transit and at rest using NIST approved cryptographic standards.1 (National Institute of Standards and Technology). Your user profile, including personal information is protected by a password for your privacy and security.
Retention of personal information
We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide the ATPCO services requested or to comply with applicable legal, tax or accounting requirements). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, according to the specific legal requirements.
If you have an account on our Site, we will store your personal information for as long as your account is active. When you delete your account, we delete the personal information attached to your account including your username. Please note that some information may remain in our records after your account has been deleted, and that we may only be able to delete this information later when updating our backups. We may also store some of your personal information for as long as necessary to comply with our legal obligations or to exercise our legal rights.
International data transfer
We are headquartered in the United States and may use service providers that operate in other countries. Your personal information may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country. We will take appropriate steps to ensure that transfers of personal information are in accordance with applicable laws.
The Site is not intended for use by anyone under 16 years of age (a “minor”). If you are a parent or guardian of a minor from whom you believe we have collected personal information in a manner prohibited by law, please contact us via the contact information provided at the end of this document. If we learn that we have collected personal information through the Service from a minor without the consent of the minor’s parent or guardian as required by law, we will comply with applicable legal requirements to delete the information.
Changes to this Privacy Notice
We reserve the right to modify this Privacy Notice at any time. To ensure that you are always aware of how we use your personal information we will update this Privacy Notice from time to time to reflect any changes to our use of your personal information. We may also make changes as required to comply with changes in applicable law or regulatory requirements. Please regularly check this page for the latest version of this Privacy Notice
Additional information for users in the EEA/UK
If you are located in the European Economic Area or the United Kingdom, and access our Site, this EEA/UK GDPR supplemental notice applies to you. For the purpose of this Privacy Notice, personal information has the same meaning as “personal data” under the GDPR and UK GDPR and refers to any information that relates to identified or identifiable Site’s users.
Who is the Controller?
Airline Tariff Publishing Company, established at 45005 Aviation Drive, Dulles, VA 20166, is the controller of your personal information.
Airline Tariff Publishing Company ’s Data Protection Officer (DPO) can be contacted using the contact details at the end of this document.
Legal bases for processing
- Performance of a contract. We process your personal information as is necessary to provide the services that you requested from us. For example
- we use your personal information in order to create your account
- we use your personal information to register you to our events
- we share your information with services provider to provide you with the services you requested
- Your Consent. We and/or our business partners process certain information based on your consent, which you may revoke at any time. For example:
- To understand what may be of interest to you, deliver relevant Site content to you, to measure or understand the effectiveness of the content we serve to you, to use data analytics to improve our website
- we will send you marketing communications where you have consented to receiving such communications in accordance with applicable law
- Legitimate Interests: We process your information where it is necessary for the purposes of our legitimate interests or our partners’ legitimate interests. For example, we process your information in furtherance of the following legitimate interests
- Ensuring access to and maintenance of our Site and ensuring its proper functioning
- Providing, improving, and developing the Services: We and/or our services providers use your information to provide the Site as well our services, including any personalized services, and to understand and improve our business. We do so as it is necessary to pursue our legitimate interests of providing an innovative and tailored offering to our users on a sustained basis
- Disclosing your personal information to a prospective or actual purchaser or seller in the context of a merger, acquisition or other reorganization or sale of our business or assets for the purpose of business development
- Legal Obligation. We may process your information in order to comply with a legal obligation, a court order, or to exercise and defend legal claims. For example
- we may preserve and disclose your information if it is necessary to respond, based on applicable law, to a valid legal request (e.g., a subpoena, search warrant, court order, or other binding request from government or law enforcement); an
- we may retain and process your information where it is necessary for compliance with applicable laws
The lawful bases listed above apply to any disclosure to third party business partners / services providers necessary for the corresponding purpose.
You have the following rights in relation to the personal information we hold about you
- Right of access: you can ask us to provide you with information about our processing of your personal information and give you access to your personal information
- Right to rectification: If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified
- Right to erasure: You can ask us to delete or remove personal information where there is no lawful reason for us continuing to store or process it, where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons that will be notified to you, if applicable, at the time of your request
- Right to restrict processing: you can ask us to suspend the processing of your personal information if, (i) you want us to establish the data's accuracy; (ii) where our use of the data is unlawful but you do not want us to erase it; (iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (iv) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it
- Right to object: Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms
- Right to data portability: You have the right, in certain circumstances, to ask us to provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you
- Right to withdraw consent at any time: where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the personal information or where certain exemptions apply.
To exercise any of these rights, please contact us via the contact information provided at the end of this document.
In response to a Data Subject Access Request, ATPCO will provide the data requested as permitted under data protection laws as applicable within 30 days of the request.
Although we urge you to contact us first to find a solution for every concern you may have, you always have the right to lodge a complaint with your competent data protection authority.
How Do We Protect Personal information if we transfer it internationally?
We may transfer your personal information outside of the EEA and/or UK. Some of these recipients are located in countries in respect of which either the European Commission and/or UK Government (as and where applicable) has issued adequacy decisions, in which case, the recipient’s country is recognized as providing an adequate level of data protection under UK and/or European data protection laws (as applicable) and the transfer is therefore permitted under the GDPR.
Some recipients of your personal information may be located in countries outside the EEA and/or the UK for which the European Commission or UK Government (as and where applicable) has not issued adequacy decisions in respect of the level of data protection in such countries (“Restricted Countries”). For example, the United States is a Restricted Country. Where we transfer your personal information to a recipient in a Restricted Country, we will either
- enter into appropriate data transfer agreements based on so-called Standard Contractual Clauses approved from time-to-time by the European Commission, the UK Information Commissioner’s Office or UK Government (as and where applicable); or
- rely on other appropriate means permitted by the EU/UK GDPR, which establish that such recipients will provide an adequate level of data protection and that appropriate technical and organizational security measures are in place to protect personal information against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.
You may ask for a copy of such appropriate data transfer agreements by contacting us via the contact details provided at the end of this document.