Privacy Policy

Privacy Policy

Effective January 1, 2026

At Airlines Reporting Corporation, we value your privacy and are committed to protecting and processing your personal data responsibly.

Airlines Reporting Corporation ("ARC," “us,” or “we”) provides a critical service in the air travel industry by providing financial settlement of transactions, including refunds and/or exchanges, between participating airlines and travel agencies (collectively, “Customers” or “Travel Providers”). ARC also sells data products, which are used by ARC’s Customers and third parties, to settle and report transactions, process credit card transactions, audit and reconcile sales data, and understand travel and demand patterns.

This Privacy Policy applies to:

  • information ARC collects, uses, and shares relating to individuals
  • information ARC collects, uses, and shares at www.arccorp.com, myarc.arcorp.com, or other ARC-controlled websites, unless a different privacy policy is made explicitly applicable; and
  • visitors to the ARC website.

This Privacy Policy does not:

  • Apply to how airlines, travel agencies, or other travel providers (“Travel Providers”) use or processes Personal Data. It also does not apply to how a global distribution system or other travel technology company uses or processes Personal Data. Travelers should also carefully review the privacy policies of Travel Providers and global distribution systems;
  • apply to information that ARC collects from job applicants or from ARC employees (which is covered by a separate policy); or
  • cover Personal Data processed by the systems formally operated by nuTravel Technology Solutions, Inc. d/ba/ Traverse Technologies.

Personal Data We Collect

In order to facilitate interactions with ARC and manage the business operations of ARC and its related entities, ARC may collect both Personal Data and non-personally identifiable information from different sources. These sources include:

  • When you voluntarily provide us with the personal information;
  • From your transactions with ARC’s Customers, including airlines, travel agencies, global data systems, or their affiliated businesses in connection with processing their travel-related transactions; and
  • Other sources.

"Personally Identifiable Information" (also referred to as "Personal Data" or “personal information”) is any information that identifies you personally, either alone or in combination with other information available from ARC. Personally Identifiable Information ("PII") does not include information that does not identify an individual. The types of Personal Data that ARC processes is a subset of the typical information that a customer provides when they travel. This subset of information includes individual passenger name and credit card number and in certain limited circumstances, frequent flyer number, date of birth, and other identifiers associated with airline tickets sold to passengers through U.S.-based travel agencies accredited by ARC. This subset of information also includes non-personal information, including passenger name record (“PNR”) and ticket number. We do not collect or process sensitive personal data.

"Non-personally identifiable information" includes data that does not identify a specific individual. For example, when you use ARC's websites, we may collect non-personally identifiable information such as your browser type, the type of operating system you use, the name of your Internet Service Provider, and pages visited on our site. This information is collected for site administration purposes such as monitoring and evaluating how visitors use the sites, analyzing usage trends and statistics, and enhancing the functionality and usability of the site to better tailor the site, products, and services to visitors' needs. ARC uses Google Analytics and Siteimprove to track such non-personally identifiable information about visitors to the site. Google Analytics’ policies may be viewed here. Siteimprove’s policies may be viewed here. Non-personally identifiable information may be aggregated for reporting about ARC websites' usability and effectiveness. We may also use information collected at this site to personalize the content, improve the content, and/or to provide product or service offers.

Back to Top

Cookies

Cookies are identifiers that a website can send to your browser to keep on your computer to facilitate your next visit to that website. You can set your browser to notify you when you are sent a cookie, giving you the option to decide whether or not to accept it. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited, but the only PII a cookie can contain is information you supply yourself. A cookie cannot read hard disk or read cookie files placed by others. ARC uses cookies on its websites and may place ads on other websites that may use cookies. We do not link the information we store in cookies to any Personal Data you submit on our site. The information collected by cookies helps us develop customized content for the site and also allows us to statistically monitor how many people are using our site and for what purpose. You can discover how to disable cookies on your browser.

Back to Top

Social Media

ARC occasionally uses third-party advertising networks on social media platforms — such as LinkedIn, Facebook and Instagram — to collect visitor information on social media platforms to then pass over visitor information to ARC. Visitor information is used for ARC communications including, but not limited to, email, further advertising and direct mail. For more information or to opt out of this type of advertising, please visit the various social media platforms.

Back to Top

Individuals Under 13

ARC does not knowingly collect Personal Data from children under the age of 13 and A RC does not target its websites to children under 13. If you are a parent or guardian of a child who has provided personal information without your knowledge and consent, you may request we remove this child’s information by contacting us at privacy@arccorp.com.

Back to Top

How Personal Data May Be Used

How we use the information we collect depends in part on which services are being used. We use Personal Data to:

  • Complete travel transactions, process credit card payments, fulfill requests related to refunds and exchanges, and facilitate performance of contracts between ARC and participants in ARC's programs and services (e.g., ARC-accredited travel agents, corporate travel departments, participating airlines and other ARC participants);
  • Perform billing and accounting functions;
  • Perform internal business processes (such as testing quality assurance, and product development and enhancement);
  • Conduct loss prevention and anti-fraud activities;
  • Meet legal requirements; and
  • Support essential business operations.

How We Share Personal Data

We share Personal Data only when necessary to operate our business, deliver the services, or comply with legal obligations. This may include sharing Personal Data with employees, service providers, business partners, affiliates, or legal authorities, where necessary and appropriate.

  • Service Providers: ARC contractors may have access to Personal Data in the course of assisting in ARC's business operations. ARC limit access to Personal Data by such third parties to that which is necessary for the contractor to perform its legally and contractually required functions. ARC uses reasonable means to ensure that Personal Data is not used by such third parties for purposes other than described in this policy.
  • Customers and Travel Providers: We process Personal Data to help perform the services requested in underlying contracts between travelers and Travel Providers. We may process your Personal Data shared with us by that customer and any authorized representatives, including travel agents, corporate travel departments, and airlines, as well as processors that act on their behalf.
  • Legal and Security Purposes: We may disclose Personal Data in response to legal process such as a court order or a subpoena. Historically, we may have disclosed such information in situations such as the following: response to a national security or law enforcement agency's verified request, investigation, or inquiry, compliance with court order, or matters relating to national security and/or where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our terms of use, to comply with legal requirements, or as otherwise required by law.

Lawful Bases for Processing

We process Personal Data only where we have a legal basis for doing so under applicable law or regulations. The legal bases depend on the services and how they are used, and may include:

  • To Provide and Manage our Services. We process Personal Data as necessary to deliver products and services to customers, operate our business, fulfill contractual and legal obligations, and protect the security, privacy and safety of our systems and customers.
  • Reliance on Legitimate Interests. Where we process Personal Data based on our other legitimate interests, we consider and balance those interests against your rights and freedoms.
  • Compliance with Legal Obligations. We may process your Personal Data where required to meet applicable laws, regulations, or legal processes.
  • With Consent. In cases where we rely on consent, it may withdrawn in writing at any time. This will not affect processing that has already occurred based on your prior consent.

Back to Top

Keeping Information Secure

To protect against unauthorized access, disclosure, alteration or destruction of information, to maintain data accuracy, to safeguard and secure the information in the database, ARC has put in place physical, electronic, and managerial technical security controls that are proportionate to the Personal Data’s level of confidentiality or sensitivity.

We have established an information security program based on industry standard practices including policies and procedures for employees who may have access to your information. We also provide regular information security training for employees.

Back to Top

Record Retention

We will retain your Personal Data in accordance with applicable laws, and for as long as necessary for the underlying purposes for which the information was collected, unless a longer retention period is required or permitted by law. When we delete your Personal Data, we use industry standard methods to ensure that any recovery or retrieval of your information is impossible. We may keep residual copies of your personal data in backup systems to protect our systems from malicious loss. This personal data is inaccessible unless restored, and all unnecessary personal data will be deleted upon restoration.

Back to Top

Links To Non-ARC Websites

ARC websites may provide links to third-party websites. If you access such links, you leave ARC's website. ARC does not control such sites or their privacy policies or practices.

Back to Top

EU-U.S. Data Privacy Framework Notice

Pursuant to the EU-U.S. Data Privacy Framework (“DPF”), ARC provides notice to individuals of the following regarding any of their personal data which may be transferred from the European Union to ARC, located in the United States:

  1. ARC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  ARC has self-certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  ARC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data Privacy Framework website.
  2. As part of its transaction settlement processing services, ARC knowingly receives individual passenger name and credit card number (or partial credit card number). ARC also receives passenger name record (PNR) and ticket number. At times, ARC may (but does require nor expect) receive other personal information, including frequent flyer number, date of birth, and other identifiers associated with airline tickets sold to passengers through U.S.-based travel agencies accredited by ARC. While ARC’s settlement function only applies to the U.S. point-of-sale (POS), participating airlines may be located anywhere internationally, including the European Union, and/or passengers may be EU residents, despite purchasing through a U.S. POS, thus potentially implicating the General Data Protection Regulation (“GDPR”) and the DPF.
  3. By providing this notice under the DPF, along with the information stated in ARC’s broader privacy policy, of which the DPF is a component, ARC commits to subject any personal data received from the European Union, United Kingdom (and Gibraltar), and/or Switzerland to the DPF Principles.

  4. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Airlines Reporting Corporation commits to resolve DPF Principles-related inquiries or complaints about our collection and use of your personal data.  EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Airlines Reporting Corporation as follows: 

    Please submit A Subject Access Request (“SAR) by email to privacy@arccorp.com or by . You may also submit by contacting the following toll-free number: 1-855-816-8003. Each SAR must include the following information pertaining to the inquiry/complaint:

    Name (including middle initial)
    Preferred contact information, such as telephone number, email address, and/or postal address;
    Last four digits of the credit card you used to purchase air travel;
    A description of your request
    Any other information you deem relevant to ARC’s ability to respond appropriately.

    We will attempt to verify your identity using any of your personal data that is already in our possession. We may need to request additional personal data in order to verify your identity. We will not use additional personal data you provide for verification for any other purposes, and we will promptly delete any such information once the verification process is complete. By providing any such verification information, you explicitly consent to, authorize and request ARC’s collection and use of such information solely for the purpose of verifying your identity in order to respond to your SAR submission. Any SAR submitted without the above information may result in a delay of ARC’s response. We will investigate and attempt to resolve complaints within 45 days. 

    In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, ARC commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to the International Centre for Dispute Resolution of the American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the ICDR-AAA are provided at no cost to you.

  5. The categories of Personal Data collected and the types of third parties to whom ARC may disclose Personal Data is set forth above under “How we Share Personal Data”
  6. Individuals have the right to request to exercise the following rights access concerning their data, which may be submitted by emailing ARC at privacy@arccorp.com:

    a. The right to be informed

      • ARC’s purpose for collecting or using their Personal Information
      • How/where/when ARC uses or collects their Personal Information

    b. The right of access

      • Providing individuals with copies of any of their Personal Information that we collect or use.

    c. The right to rectification

      • Correction of any inaccuracies or omissions

    d. The right to erasure/deletion

      • We may do so upon request and if there is no legally valid reason to retain the data.

    e. The right to data portability

      • The right to receive information concerning his or her personal data, in a structured, commonly used and machine-readable format.

    f. The right to restrict or object to processing

      • Although generally inapplicable to ARC, GDPR permits the right to object to processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.
  7. ARC acts as a controller and/or processor for our Customers and therefore, in some circumstances, we are a third party that is acting as an agent to perform the processing on behalf of and under the instructions of our Customers. We have contracts with all Customers that address both Controller and Processor obligations.
  8. ARC is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), pursuant to Section 5 of the FTC Act, 15 U.S.C. § 45.
  9. Binding arbitration is available pursuant to the EU-U.S. DPF Annex I Arbitration Rules; see detailed requirements at https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction
  10. The purposes for which we may disclose Personal Data are also set forth above in “How We Share Personal Data.”

Back to Top

Global Cross Border Privacy Rules System Participation (Global-CBPR)

The privacy practices described in this Privacy Policy comply with the Global Cross Border Privacy Rules System. The Global CBPR system provides a framework for organizations to ensure protection of personal data transferred among participating economies. More information about the Global CBPR framework can be found here.

Back to Top

International Data Transfer

The Personal Data we process may be accessed from, processed or transferred to countries other than the country in which you reside. Those countries may have data protection laws that are different from the laws of your country. Such cross-border transfer of your Personal Data is necessary for us to provide the services required by your transaction with our Customers, and for the other purposes outlined in this Privacy Policy.

The servers for our platform are located in the United States, where it is processed. The transferees of your personal data may also be located in countries other than the country in which you reside.

We have taken appropriate steps and put safeguards in place to help ensure that any access, processing and/or transfer of your personal data remains protected in accordance with this Privacy Policy and in compliance with applicable data protection law, including the EU-US DPF. Such measures provide your personal data with a standard of protection that is at least comparable to that under the equivalent local law in your country, no matter where your data is accessed from, processed and/or transferred to. We will comply with obligations regarding personal data cross-border transfer in accordance with applicable data protection laws, regulations, and conditions set by the competent authorities. This may include fulfilling obligations such as security assessments and/or certifications and signing agreements with overseas recipients in accordance with the standard contract established by the competent authorities.

Back to Top

Contact Information

Pursuant to GDPR (and other similar applicable privacy laws), ARC has appointed a data protection officer (“DPO”). If you would like to submit a SAR per above or have any questions or concerns related to this privacy policy or other aspects of data protection pertaining to ARC, you may reach out to the DPO as follows:

Airlines Reporting Corporation
3000 Wilson Blvd., Suite 300, Arlington, VA 22201
Attention: Data Protection Officer
Email: privacy@arccorp.com
Phone (to submit a SAR): 1-855-816-8003 (toll free)

If you believe that we have not been, or will not be, able to assist with your complaint or concern, and you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have the right to lodge a complaint with the competent supervisory authority. If you work or reside in a country that is a member of the European Union or that is in the EEA, you may find the contact details for your appropriate data protection authority on the following website: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Back to Top

Your Rights and Choices and Additional Notices to Certain State Residents

You have certain rights and choices with respect to your personal data, as described below:

  • You can control our use of non-essential cookies by following the guidance here.
  • If we are processing your personal data on the basis of consent, you may withdraw that consent at any time by contacting us via privacy@arccorp.com. Withdrawing your consent will not affect the lawfulness of any processing that occurred before you withdrew consent, and it will not affect our processing of your personal data that is conducted in reliance on a legal basis other than consent.

Certain states provide their state residents with rights to:

  • Confirm whether we process their personal information.
  • Access and delete certain personal information.
  • Correct inaccuracies in their personal information, taking into account the information's nature processing purpose.
  • Data portability.
  • Opt-out of personal data processing for targeted advertising; sales; or profiling in furtherance of decisions that produce legal or similarly significant effects.

The exact scope of these rights may vary by state or other jurisdiction. To exercise any of these rights by submitting a Subject Access Request (“SAR”), please fill out this form: https://my.datasubject.com/Uw03R7mCGS/60313. We will attempt to verify your identity using any of your personal information that is already in our possession. However, we may need to request additional personal information to verify your identity. We will not use additional information you provide for verification for any other purposes, and we will promptly delete any such information once the verification process is complete. You consent to, acknowledge and agree that by providing any such verification information, you explicitly consent to ARC’s collection and use of such information solely for the purpose of verifying your identity to respond to your SAR submission.

We respond to all verified requests we receive from individuals wanting to exercise their personal data protection rights in accordance with applicable data protection laws. Should you have the right under applicable law to appeal a decision we have made to not take action on your request, another email address to which you can submit your appeal will be included in our response to you.

In fiscal years 2023 and 2024, ARC received no requests to delete personal information, no requests to know or access what personal information we were collecting, no requests to what information we sold or shared and to whom, and no requests to opt out of the sale or sharing of personal information.

Back to Top

Changes

ARC reserves the right to change this policy at any time. Visitors to the site are responsible for consulting this page for any changes. The effective date will be noted to indicate the last time modifications were made. You may review the policy at any time by clicking on “Privacy” at the bottom of all ARC website pages.

California Privacy Policy Additional Terms