Site Privacy Policy

Effective June 9, 2025

Types of Information We Collect
Cookies
Advertising
Social Media
Individuals Under 13
How Information May Be Used
Keeping Information Secure
Record Retention
Disclosure of PII for Legal Reasons
Links to Non-ARC Websites
Changes
Lawful Bases for Processing
EU-U.S. Data Privacy Framework Notice
Global Cross Border Privacy Rules System Participation (Global-CBPR)
International Data Transfer
Contact Information
Your Rights and Choices
Additional Notices to Certain State Residents

Airlines Reporting Corporation ("ARC," “us,” or “we”) provides a critical service in the air travel industry by providing financial settlement of transactions, including refunds and/or exchanges, between participating airlines and travel agencies (collectively, “Customers”). As part of its transaction settlement processing services, ARC may receive personal data, primarily individual passenger name and credit card number, as well as passenger name record (“PNR”), ticket number, frequent flyer number, date of birth, and other identifiers associated with airline tickets sold to passengers through U.S.-based travel agencies accredited by ARC.

ARC is committed to providing excellent service to all of our Customers and visitors to the ARC website, including respecting your concerns about privacy. This privacy policy (this “Policy” or “Privacy Policy”) applies to information ARC collects, uses, and shares relating to individuals, including information provided by visitors to our website. This Privacy Policy applies to ARC's corporate website (www.arccorp.com) and all websites controlled by ARC, including myarc.arccorp.com. However, this Privacy Policy does not apply to information that we collect from job applicants at careers-arccorp.icims.com.

This Policy covers:

The types of information we collect;
How information is used by ARC and shared with others;
What security measures we take to safeguard information;
How to contact us.

Types Of Information We Collect

In order to facilitate interactions with ARC and manage the business operations of ARC and its related entities, ARC may collect both Personally Identifiable Information and non-personally identifiable information (both defined below) from different sources, including, for example:

When you voluntarily provide us with information;
From your browser, when you visit our websites and your browser interacts with our site;
Your transactions with ARC, including the use of ARC's products and services;
From your transactions with ARC’s Customers, including airlines and travel agencies, in connection with processing their travel-related transactions; and
Other sources.

"Personally Identifiable Information" (also referred to as "personal Data" or “personal information”) is any information that identifies you personally, either alone or in combination with other information available from ARC. Personally Identifiable Information ("PII") does not include information that does not identify an individual. On some ARC sites, you may be able to register for and/or order ARC products or services, participate in surveys, or request information, which may also require that you provide PII.

"Non-personally identifiable information" includes data that does not identify a specific individual. For example, when you use ARC's websites, we may collect non-personally identifiable information such as your browser type, the type of operating system you use, the name of your Internet Service Provider, and pages visited on our site. This information is collected for site administration purposes such as monitoring and evaluating how visitors use the sites, analyzing usage trends and statistics, and enhancing the functionality and usability of the site to better tailor the site, products, and services to visitors' needs. ARC uses Google Analytics and Siteimprove to track such non-personally identifiable information about visitors to the site. Google Analytics’ policies may be viewed here. Siteimprove’s policies may be viewed here. Non-personally identifiable information may be aggregated for reporting about ARC websites' usability and effectiveness. We may also use information collected at this site to personalize the content, improve the content, and/or to provide product or service offers.

Cookies

Cookies are identifiers which a website can send to your browser to keep on your computer to facilitate your next visit to that website. You can set your browser to notify you when you are sent a cookie, giving you the option to decide whether or not to accept it. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited, but the only PII a cookie can contain is information you supply yourself. A cookie cannot read hard disk or read cookie files placed by others. ARC uses cookies on its websites and may place ads on other websites that may use cookies. We do not link the information we store in cookies to any PII you submit on our site. The information collected by cookies helps us develop customized content for the site and also allows us to statistically monitor how many people are using our site and for what purpose. You can discover how to disable cookies on your browser here.

Advertising

ARC occasionally uses third-party advertising networks, such as NextRoll, Inc. (formerly AdRoll, Inc.), to collect visitor information on our site and serve targeted display ads to you on other sites. NextRoll, Inc. uses technology such as pixel tags and cookies to collect this information. For more information or to opt-out of this type of advertising, please visit the NextRoll, Inc. Service Privacy Notice.

Social Media

ARC occasionally uses third-party advertising networks on social media platforms—such as LinkedIn, Facebook, and Instagram—to collect visitor information on social media platforms to then pass over visitor information to ARC. Visitor information is used for ARC communications including, but not limited to, email, further advertising and direct mail. For more information or to opt-out of this type of advertising, please visit the various social media platforms.

Individuals Under 13

ARC does not knowingly collect PII from children under the age of 13 and ARC does not target its websites to children under 13. If you are a parent or guardian of a child who has provided personal information without your knowledge and consent, you may request we remove this child’s information by contacting us at privacy@arccorp.com.

How Information May Be Used

Personally Identifiable Information (PII) received or collected by ARC is used primarily to complete transactions, fulfill requests, and facilitate performance of contracts between ARC and participants in ARC's programs and services (e.g., ARC-accredited travel agents, CTDs, participating airlines and other ARC participants (collectively "Participants")) or as otherwise required by ARC's business practices or needs. PII is made available to ARC employees when necessary for the customary exercise of their duties. Additionally, ARC may contract with third party service providers, contractors and suppliers to conduct surveys or provide products, services, event registration, or other customer solutions to you based upon and using the information ARC gathers and receives. ARC contractors may have access to PII in the course of assisting in ARC's business operations ARC endeavors to limit access to Personally Identifiable Information by such third parties to that which is necessary for the contractor to perform its legally and contractually required functions. ARC uses reasonable means to ensure that the information you provide is not used by such third parties for purposes other than described in this policy.

ARC processes information related to airline carrier transactions (airline tickets, refunds, exchanges, etc.) and retains such information for a period deemed necessary to meet ARC’s legal obligations and business requirements to facilitate the processing and settlement of transactions and during which disputes between the parties to the transactions are likely to arise. ARC also prepares and publishes anonymized aggregated or consolidated transactional data.

Keeping Information Secure

To protect against unauthorized access, disclosure, alteration or destruction of information, to maintain data accuracy, to safeguard and secure the information in the database, ARC has put in place physical, electronic, and managerial technical security controls that are proportionate to the personal data’s level of confidentiality or sensitivity.

We have established an information security program based on industry standard practices including policies and procedures for employees who may have access to your information. We also provide regular information security training for employees.

Record Retention

We will retain your personal data in accordance with applicable laws, and for as long as necessary for the underlying purposes for which the information was collected and as set forth in this Privacy Policy, unless a longer retention period is required or permitted by law.

When we delete your personal data, we use industry standard methods to ensure that any recovery or retrieval of your information is impossible. We may keep residual copies of your personal data in backup systems to protect our systems from malicious loss. This personal data is inaccessible unless restored, and all unnecessary personal data will be deleted upon restoration.

Disclosure Of PII for Legal Reasons

We may disclose personally identifiable information in response to a legal process such as a court order or a subpoena. We also may disclose such information in situations such as the following: response to a law enforcement agency's request, compliance with government order, or matters relating to national security and/or where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our terms of use, to comply with legal requirements, or as otherwise required by law.

Links To Non-ARC Websites

ARC websites may provide links to third party companies' websites for your convenience and information. If you access such links, you leave ARC's website. ARC does not control such sites or their privacy policies or practices.

Changes

ARC reserves the right to change this policy at any time. Visitors to the site are responsible for consulting this page for any changes. The effective date will be noted to indicate the last time modifications were made. You may review the policy at any time by clicking on “Privacy” at the bottom of all ARC website pages.

Lawful Bases for Processing

Whenever we collect or use your personal data, that collection or use is be based on at least one of the one the established bases for processing, including, consent, legal obligation, and legitimate interest.

EU-U.S. Data Privacy Framework Notice

Pursuant to the EU-U.S. Data Privacy Framework (“DPF”), ARC provides notice to individuals of the following regarding any of their personal data which may be transferred from the European Union to ARC, located in the United States:

ARC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  ARC has self-certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  ARC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data privacy framework website.
As part of its transaction settlement processing services, ARC receives personal data, primarily individual passenger name and credit card number, as well as passenger name record (PNR), ticket number, frequent flyer number, date of birth, and other identifiers associated with airline tickets sold to passengers through U.S.-based travel agencies accredited by ARC. While ARC’s settlement function only applies to the U.S. point-of-sale (POS), participating airlines may be located anywhere internationally, including the European Union, and/or passengers may be EU residents, despite purchasing through a U.S. POS, thus potentially implicating the General Data Protection Regulation (“GDPR”) and the DPF.
By providing this notice under the DPF, along with the information stated in ARC’s broader privacy policy, of which the DPF is a component, ARC commits to subject any personal data received from the European Union, United Kingdom (and Gibraltar), and/or Switzerland to the DPF Principles.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Airlines Reporting Corporation commits to resolve DPF Principles-related inquiries or complaints about our collection and use of your personal data.  EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Airlines Reporting Corporation as follows: 

Please submit A Subject Access Request (“SAR) by email to privacy@arccorp.com. You may also submit by contacting the following toll-free number: 1-855-816-8003. Each SAR must include the following information pertaining to the inquiry/complaint:

Name (including middle initial)

Preferred contact information, such as telephone number, email address, and/or postal address;
Last four digits of the credit card you used to purchase air travel;
A description of your request

Any other information you deem relevant to ARC’s ability to respond appropriately.

We will attempt to verify your identity using any of your personal data that is already in our possession. We may need to request additional personal data in order to verify your identity. We will not use additional personal data you provide for verification for any other purposes, and we will promptly delete any such information once the verification process is complete. By providing any such verification information, you explicitly consent to, authorize and request ARC’s collection and use of such information solely for the purpose of verifying your identity in order to respond to your SAR submission. Any SAR submitted without the above information may result in a delay of ARC’s response. We will investigate and attempt to resolve complaints within 45 days. 

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, ARC commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to the International Centre for Dispute Resolution of the American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the ICDR-AAA are provided at no cost to you.
The types of third parties to whom ARC may disclose personal data, in some cases for a fee, generally fall into the following categories: parties with whom we have a contractual relationship; law enforcement; and cloud and on-premises database infrastructure and maintenance providers. Such contracts specify the limited purpose of processing by the third party, require confidentiality of the third party, and its personnel and at least the same level of privacy protection as is required by the Principles.
Individuals have the right to request to exercise the following rights access concerning their data, which may be submitted by emailing ARC at privacy@arccorp.com:
1. The right to be informed
  1. ARC’s purpose for collecting or using their Personal Information
  2. How/where/when ARC uses or collects their Personal Information
2. The right of access
  1. Providing individuals with copies of any of their Personal Information that we collect or use.
3. The right to rectification
  1. Correction of any inaccuracies or omissions
4. The right to erasure/deletion
  1. We may do so upon request and if there is no legally valid reason to retain the data.
5. The right to data portability
  1. The right to receive information concerning his or her personal data, in a structured, commonly used and machine-readable format.
6. The right to restrict or object to processing
  1. Although generally inapplicable to ARC, GDPR permits the right to object to processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.
7. Rights in relation to automated decision making and profiling
  1. Although generally inapplicable to ARC, individuals shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, subject to certain specific exceptions under GDPR.
ARC acts as a processor for our Customers and therefore we are a third party that is acting as an agent to perform the processing on behalf of and under the instructions of our Customers. We have contracts with all Customers.
ARC is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), pursuant to Section 5 of the FTC Act, 15 U.S.C. § 45.
Binding arbitration is available pursuant to the EU-U.S. DPF Annex I Arbitration Rules; see detailed requirements at https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction
We may disclose personal information as required in response to lawful requests by public authorities including, but not limited to, in response to a law enforcement agency's requests, to comply with a government order, or to meet any requirements relating to national security.

Global Cross Border Privacy Rules System Participation (Global-CBPR)

The privacy practices described in this Privacy Policy comply with the Global Cross Border Privacy Rules System. The Global CBPR system provides a framework for organizations to ensure protection of personal data transferred among participating economies. More information about the Global CBPR framework can be found here.

International Data Transfer

The personal data we process may be accessed from, processed or transferred to countries other than the country in which you reside. Those countries may have data protection laws that are different from the laws of your country. Such cross-border transfer of your personal data is necessary for us to service your transaction with us, and for the other purposes outlined in this Privacy Policy.

The servers for our platform are located in the United States, where it is processed. The transferees of your personal data may also be located in countries other than the country in which you reside.

We have taken appropriate steps and put safeguards in place to help ensure that any access, processing and/or transfer of your personal data remains protected in accordance with this Privacy Policy and in compliance with applicable data protection law. Such measures provide your personal data with a standard of protection that is at least comparable to that under the equivalent local law in your country, no matter where your data is accessed from, processed and/or transferred to. We will comply with obligations regarding personal data cross-border transfer in accordance with application data protection laws, regulations, and conditions set by the competent authorities. This may include fulfilling obligations such as security assessments and/or certifications and signing agreements with overseas recipients in accordance with the standard contract established by the competent authorities.

Contact Information

Pursuant to GDPR (and other similar applicable privacy laws), ARC has appointed a data protection officer (“DPO”). If you would like to submit a SAR per above or have any questions or concerns related to this privacy policy or other aspects of data protection pertaining to ARC, you may reach out to the DPO as follows:

Airlines Reporting Corporation

3000 Wilson Blvd., Suite 300, Arlington, VA 22201

Attention: Data Protection Officer

Email: privacy@arccorp.com

Phone (to submit a SAR): 1-855-816-8003 (toll free)

If you believe that we have not been, or will not be, able to assist with your complaint or concern, and you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have the right to lodge a complaint with the competent supervisory authority. If you work or reside in a country that is a member of the European Union or that is in the EEA, you may find the contact details for your appropriate data protection authority on the following website: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Your Rights and Choices

You have certain rights and choices with respect to your personal data, as described below:

You can control our use of non-essential cookies by following the guidance here.
You can access, amend, inquire about deletion of, or update the accuracy of, your personal data at any time by contacting us at privacy@arccorp.com.
If you no longer wish to receive marketing and promotional emails, you may unsubscribe by clicking the ‘unsubscribe’ link in the email. Please note that if you choose to unsubscribe from or opt out of marketing emails, we may still send you important transactional and account-related messages from which you will not be able to unsubscribe.
If we are processing your personal data on the basis of consent, you may withdraw that consent at any time by contacting us via privacy@arccorp.com. Withdrawing your consent will not affect the lawfulness of any processing that occurred before you withdrew consent, and it will not affect our processing of your personal data that is conducted in reliance on a legal basis other than consent.

Additional Notices to Certain State Residents

Certain states provide their state residents with rights to:

Confirm whether we process their personal information.
Access and delete certain personal information.
Correct inaccuracies in their personal information, taking into account the information's nature processing purpose.
Data portability.
Opt-out of personal data processing for targeted advertising; sales; or profiling in furtherance of decisions that produce legal or similarly significant effects.
Either limit (opt-out of) or require consent to process sensitive personal data.

The exact scope of these rights may vary by state or other jurisdiction. To exercise any of these rights by submitting a Subject Access Request (“SAR”), please email us at privacy@arccorp.com with your name (including middle initial) and last four digits of the credit card you used to purchase air travel. We will attempt to verify your identity using any of your personal information that is already in our possession. However, we may need to request additional personal information in order to verify your identity. We will not use additional information you provide for verification for any other purposes, and we will promptly delete any such information once the verification process is complete. You consent to, acknowledge and agree that by providing any such verification information, you explicitly consent to ARC’s collection and use of such information solely for the purpose of verifying your identity in order to respond to your SAR submission.

Any SAR submitted without the above required information may result in a delay of ARC’s response. We respond to all verified requests we receive from individuals wanting to exercise their personal data protection rights in accordance with applicable data protection laws. Should you have the right under applicable law to appeal a decision we have made to not take action on your request, another email address to which you can submit your appeal will be included in our response to you.