Privacy Policy

Privacy Policy

Effective January 1, 2026

At Airlines Reporting Corporation, we value your privacy and are committed to protecting and processing your personal data responsibly.

Airlines Reporting Corporation ("ARC," “us,” or “we”) provides a critical service in the air travel industry by providing financial settlement of transactions, including refunds and/or exchanges, between participating airlines and travel agencies (collectively, “Customers” or “Travel Providers”). ARC also sells data products, which are used by ARC’s Customers and third parties, to settle and report transactions, process credit card transactions, audit and reconcile sales data, and understand travel and demand patterns.

This Privacy Policy applies to:

  • information ARC collects, uses, and shares relating to individuals
  • information ARC collects, uses, and shares at www.arccorp.com, myarc.arcorp.com, or other ARC-controlled websites, unless a different privacy policy is made explicitly applicable; and
  • visitors to the ARC website.

This Privacy Policy does not:

  • Apply to how airlines, travel agencies, or other travel providers (“Travel Providers”) use or processes Personal Data. It also does not apply to how a global distribution system or other travel technology company uses or processes Personal Data. Travelers should also carefully review the privacy policies of Travel Providers and global distribution systems;
  • apply to information that ARC collects from job applicants or from ARC employees (which is covered by a separate policy); or
  • cover Personal Data processed by the systems formally operated by nuTravel Technology Solutions, Inc. d/ba/ Traverse Technologies.

Personal Data We Collect

In order to facilitate interactions with ARC and manage the business operations of ARC and its related entities, ARC may collect both Personal Data and non-personally identifiable information from different sources. These sources include:

  • When you voluntarily provide us with the personal information;
  • From your transactions with ARC’s Customers, including airlines, travel agencies, global data systems, or their affiliated businesses in connection with processing their travel-related transactions; and
  • Other sources.

"Personally Identifiable Information" (also referred to as "Personal Data" or “personal information”) is any information that identifies you personally, either alone or in combination with other information available from ARC. Personally Identifiable Information ("PII") does not include information that does not identify an individual. The types of Personal Data that ARC processes is a subset of the typical information that a customer provides when they travel. This subset of information includes individual passenger name and credit card number and in certain limited circumstances, frequent flyer number, date of birth, and other identifiers associated with airline tickets sold to passengers through U.S.-based travel agencies accredited by ARC. This subset of information also includes non-personal information, including passenger name record (“PNR”) and ticket number. We do not collect or process sensitive personal data.

"Non-personally identifiable information" includes data that does not identify a specific individual. For example, when you use ARC's websites, we may collect non-personally identifiable information such as your browser type, the type of operating system you use, the name of your Internet Service Provider, and pages visited on our site. This information is collected for site administration purposes such as monitoring and evaluating how visitors use the sites, analyzing usage trends and statistics, and enhancing the functionality and usability of the site to better tailor the site, products, and services to visitors' needs. ARC uses Google Analytics and Siteimprove to track such non-personally identifiable information about visitors to the site. Google Analytics’ policies may be viewed here. Siteimprove’s policies may be viewed here. Non-personally identifiable information may be aggregated for reporting about ARC websites' usability and effectiveness. We may also use information collected at this site to personalize the content, improve the content, and/or to provide product or service offers.

Back to Top

Cookies

Cookies are identifiers that a website can send to your browser to keep on your computer to facilitate your next visit to that website. You can set your browser to notify you when you are sent a cookie, giving you the option to decide whether or not to accept it. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited, but the only PII a cookie can contain is information you supply yourself. A cookie cannot read hard disk or read cookie files placed by others. ARC uses cookies on its websites and may place ads on other websites that may use cookies. We do not link the information we store in cookies to any Personal Data you submit on our site. The information collected by cookies helps us develop customized content for the site and also allows us to statistically monitor how many people are using our site and for what purpose. You can discover how to disable cookies on your browser.

Back to Top

Social Media

ARC occasionally uses third-party advertising networks on social media platforms — such as LinkedIn, Facebook and Instagram — to collect visitor information on social media platforms to then pass over visitor information to ARC. Visitor information is used for ARC communications including, but not limited to, email, further advertising and direct mail. For more information or to opt out of this type of advertising, please visit the various social media platforms.

Back to Top

Individuals Under 13

ARC does not knowingly collect Personal Data from children under the age of 13 and A RC does not target its websites to children under 13. If you are a parent or guardian of a child who has provided personal information without your knowledge and consent, you may request we remove this child’s information by contacting us at privacy@arccorp.com.

Back to Top

How Personal Data May Be Used

How we use the information we collect depends in part on which services are being used. We use Personal Data to:

  • Complete travel transactions, process credit card payments, fulfill requests related to refunds and exchanges, and facilitate performance of contracts between ARC and participants in ARC's programs and services (e.g., ARC-accredited travel agents, corporate travel departments, participating airlines and other ARC participants);
  • Perform billing and accounting functions;
  • Perform internal business processes (such as testing quality assurance, and product development and enhancement);
  • Conduct loss prevention and anti-fraud activities;
  • Meet legal requirements; and
  • Support essential business operations.

How We Share Personal Data

We share Personal Data only when necessary to operate our business, deliver the services, or comply with legal obligations. This may include sharing Personal Data with employees, service providers, business partners, affiliates, or legal authorities, where necessary and appropriate.

  • Service Providers: ARC contractors may have access to Personal Data in the course of assisting in ARC's business operations. ARC limit access to Personal Data by such third parties to that which is necessary for the contractor to perform its legally and contractually required functions. ARC uses reasonable means to ensure that Personal Data is not used by such third parties for purposes other than described in this policy.
  • Customers and Travel Providers: We process Personal Data to help perform the services requested in underlying contracts between travelers and Travel Providers. We may process your Personal Data shared with us by that customer and any authorized representatives, including travel agents, corporate travel departments, and airlines, as well as processors that act on their behalf.
  • Legal and Security Purposes: We may disclose Personal Data in response to legal process such as a court order or a subpoena. Historically, we may have disclosed such information in situations such as the following: response to a national security or law enforcement agency's verified request, investigation, or inquiry, compliance with court order, or matters relating to national security and/or where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our terms of use, to comply with legal requirements, or as otherwise required by law.

Lawful Bases for Processing

We process Personal Data only where we have a legal basis for doing so under applicable law or regulations. The legal bases depend on the services and how they are used, and may include:

  • To Provide and Manage our Services. We process Personal Data as necessary to deliver products and services to customers, operate our business, fulfill contractual and legal obligations, and protect the security, privacy and safety of our systems and customers.
  • Reliance on Legitimate Interests. Where we process Personal Data based on our other legitimate interests, we consider and balance those interests against your rights and freedoms.
  • Compliance with Legal Obligations. We may process your Personal Data where required to meet applicable laws, regulations, or legal processes.
  • With Consent. In cases where we rely on consent, it may withdrawn in writing at any time. This will not affect processing that has already occurred based on your prior consent.

Back to Top

Keeping Information Secure

To protect against unauthorized access, disclosure, alteration or destruction of information, to maintain data accuracy, to safeguard and secure the information in the database, ARC has put in place physical, electronic, and managerial technical security controls that are proportionate to the Personal Data’s level of confidentiality or sensitivity.

We have established an information security program based on industry standard practices including policies and procedures for employees who may have access to your information. We also provide regular information security training for employees.

Back to Top

Record Retention

We will retain your Personal Data in accordance with applicable laws, and for as long as necessary for the underlying purposes for which the information was collected, unless a longer retention period is required or permitted by law. When we delete your Personal Data, we use industry standard methods to ensure that any recovery or retrieval of your information is impossible. We may keep residual copies of your personal data in backup systems to protect our systems from malicious loss. This personal data is inaccessible unless restored, and all unnecessary personal data will be deleted upon restoration.

Back to Top

Links To Non-ARC Websites

ARC websites may provide links to third-party websites. If you access such links, you leave ARC's website. ARC does not control such sites or their privacy policies or practices.

Back to Top

EU-U.S. Data Privacy Framework Notice

Pursuant to the EU-U.S. Data Privacy Framework (“DPF”), ARC provides notice to individuals of the following regarding any of their personal data which may be transferred from the European Union to ARC, located in the United States:

  1. ARC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. ARC has self-certified to the U.S. Department of Commerce that it adheres to the applicable DPF Principles. If there is any conflict between the terms in this privacy policy and the DPF Principles, the Principles shall govern. To learn more about the DPF program and view our certification, please visit the Data Privacy Framework website.
  2. As part of its transaction settlement processing services, ARC knowingly receives individual passenger name and credit card number (or partial credit card number), passenger name record (PNR), and ticket number. In limited circumstances, ARC may receive additional personal information such as frequent flyer number or date of birth, potentially implicating GDPR and the DPF.
  3. By providing this notice under the DPF, ARC commits to subject any personal data received from the European Union, United Kingdom (and Gibraltar), and/or Switzerland to the DPF Principles.
  4. In compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF, ARC commits to resolve inquiries or complaints regarding the handling of personal data. Individuals should first contact ARC as described below.

Please submit a Subject Access Request (“SAR”) by email to privacy@arccorp.com or by calling 1-855-816-8003. Each SAR must include:

Name (including middle initial)
Preferred contact information
Last four digits of the credit card used for air travel
A description of the request
Any other relevant information

ARC will verify identity using existing personal data or additional verification if required. Any additional data provided will be used solely for verification and promptly deleted.

ARC will investigate and attempt to resolve complaints within 45 days.

Unresolved complaints may be referred to the International Centre for Dispute Resolution of the American Arbitration Association (ICDR-AAA). Services are provided at no cost to you. For more information, visit https://go.adr.org/dpf_irm.html.

  1. The categories of Personal Data collected and the third parties to whom ARC may disclose Personal Data are described above under “How We Share Personal Data.”
  2. Individuals may request to exercise the following rights by emailing privacy@arccorp.com:
    • The right to be informed
      • ARC’s purpose for collecting or using personal information
      • How, where, and when ARC collects or uses personal information
    • The right of access
      • Providing copies of personal information ARC collects or uses
    • The right to rectification
      • Correction of inaccuracies or omissions
    • The right to erasure/deletion
      • Deletion upon request unless retention is legally required
    • The right to data portability
      • Receiving data in a structured, commonly used, machine-readable format
    • The right to restrict or object to processing
      • Including objections to profiling or direct marketing where applicable
    • Rights relating to automated decision-making and profiling
      • Right not to be subject to solely automated decisions producing legal or similarly significant effects, subject to GDPR exceptions
  3. ARC may act as a controller and/or processor for its Customers and operates under contractual obligations addressing both roles.
  4. ARC is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) under Section 5 of the FTC Act.
  5. Binding arbitration is available pursuant to the EU-U.S. DPF Annex I Arbitration Rules. Details are available at the DPF Arbitration Rules page .
  6. The purposes for which ARC may disclose Personal Data are set forth above under “How We Share Personal Data.”

Back to Top

Global Cross Border Privacy Rules System Participation (Global-CBPR)

The privacy practices described in this Privacy Policy comply with the Global Cross Border Privacy Rules System. The Global CBPR system provides a framework for organizations to ensure protection of personal data transferred among participating economies. More information about the Global CBPR framework can be found here.

Back to Top

International Data Transfer

The Personal Data we process may be accessed from, processed or transferred to countries other than the country in which you reside. Those countries may have data protection laws that are different from the laws of your country. Such cross-border transfer of your Personal Data is necessary for us to provide the services required by your transaction with our Customers, and for the other purposes outlined in this Privacy Policy.

The servers for our platform are located in the United States, where it is processed. The transferees of your personal data may also be located in countries other than the country in which you reside.

We have taken appropriate steps and put safeguards in place to help ensure that any access, processing and/or transfer of your personal data remains protected in accordance with this Privacy Policy and in compliance with applicable data protection law, including the EU-US DPF. Such measures provide your personal data with a standard of protection that is at least comparable to that under the equivalent local law in your country, no matter where your data is accessed from, processed and/or transferred to. We will comply with obligations regarding personal data cross-border transfer in accordance with applicable data protection laws, regulations, and conditions set by the competent authorities. This may include fulfilling obligations such as security assessments and/or certifications and signing agreements with overseas recipients in accordance with the standard contract established by the competent authorities.

Back to Top

Contact Information

Pursuant to GDPR (and other similar applicable privacy laws), ARC has appointed a data protection officer (“DPO”). If you would like to submit a SAR per above or have any questions or concerns related to this privacy policy or other aspects of data protection pertaining to ARC, you may reach out to the DPO as follows:

Airlines Reporting Corporation

3000 Wilson Blvd., Suite 300, Arlington, VA 22201

Attention: Data Protection Officer

Email: privacy@arccorp.com

Phone (to submit a SAR): 1-855-816-8003 (toll free)

If you believe that we have not been, or will not be, able to assist with your complaint or concern, and you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have the right to lodge a complaint with the competent supervisory authority. If you work or reside in a country that is a member of the European Union or that is in the EEA, you may find the contact details for your appropriate data protection authority on the following website: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Back to Top

Your Rights and Choices and Additional Notices to Certain State Residents

You have certain rights and choices with respect to your personal data, as described below:

  • You can control our use of non-essential cookies by following the guidance here.
  • If we are processing your personal data on the basis of consent, you may withdraw that consent at any time by contacting us via privacy@arccorp.com. Withdrawing your consent will not affect the lawfulness of any processing that occurred before you withdrew consent, and it will not affect our processing of your personal data that is conducted in reliance on a legal basis other than consent.

Certain states provide their state residents with rights to:

  • Confirm whether we process their personal information.
  • Access and delete certain personal information.
  • Correct inaccuracies in their personal information, taking into account the information's nature processing purpose.
  • Data portability.
  • Opt-out of personal data processing for targeted advertising; sales; or profiling in furtherance of decisions that produce legal or similarly significant effects.

The exact scope of these rights may vary by state or other jurisdiction. To exercise any of these rights by submitting a Subject Access Request (“SAR”), please fill out this form: https://my.datasubject.com/Uw03R7mCGS/60313. If you would like to limit you sensitive data, please click here. https://my.datasubject.com/Uw03R7mCGS/60313. We will attempt to verify your identity using any of your personal information that is already in our possession. However, we may need to request additional personal information to verify your identity. We will not use additional information you provide for verification for any other purposes, and we will promptly delete any such information once the verification process is complete. You consent to, acknowledge and agree that by providing any such verification information, you explicitly consent to ARC’s collection and use of such information solely for the purpose of verifying your identity to respond to your SAR submission.

We respond to all verified requests we receive from individuals wanting to exercise their personal data protection rights in accordance with applicable data protection laws. Should you have the right under applicable law to appeal a decision we have made to not take action on your request, another email address to which you can submit your appeal will be included in our response to you.

In fiscal years 2023 and 2024, ARC received no requests to delete personal information, no requests to know or access what personal information we were collecting, no requests to what information we sold or shared and to whom, and no requests to opt out of the sale or sharing of personal information.

Back to Top

Changes

ARC reserves the right to change this policy at any time. Visitors to the site are responsible for consulting this page for any changes. The effective date will be noted to indicate the last time modifications were made. You may review the policy at any time by clicking on “Privacy” at the bottom of all ARC website pages.

California Privacy Policy Additional Terms