Effective April 17, 2026
At Airlines Reporting Corporation, we value your privacy and are committed to protecting and processing your personal data responsibly.
Airlines Reporting Corporation ("ARC," “us,” or “we”) provides a critical service in the air travel industry by providing financial settlement of transactions, including refunds and/or exchanges, between participating airlines and travel agencies (collectively, “Customers” or “Travel Providers”). ARC also provides data products, which are used by ARC’s Customers and third parties, to settle and report transactions, process credit card transactions, audit and reconcile sales data, and understand travel and demand patterns.
This Privacy Policy applies to:
This Privacy Policy does not:
In order to facilitate interactions with ARC and manage the business operations of ARC and its related entities, ARC may collect Personal Data and other information from different sources. These sources include:
"Personally Identifiable Information" (also referred to as "Personal Data" or “personal information”) is any information that identifies you personally, either alone or in combination with other information available from ARC. Personally Identifiable Information ("PII") does not include information that does not identify an individual.
The types of Personal Data that ARC processes are a subset of the typical information that a passenger provides when they travel. This subset of information includes, at times, individual passenger name and credit card number and in certain limited circumstances, frequent flyer number, date of birth, and other identifiers associated with airline tickets sold to passengers through U.S.-based travel agencies accredited by ARC. Unless otherwise described herein, ARC does not collect or process sensitive personal data.
ARC also collects technical information that does not directly identify a specific individual. For example, we may collect passenger name record (“PNR”) number and ticket number. As another example, when you use ARC's websites, we may collect information such as your IP address, browser type, the type of operating system you use, the name of your Internet Service Provider, and pages visited on our sites. When you use ARCs websites, this information is collected for site administration purposes such as monitoring and evaluating how visitors use the sites, analyzing usage trends and statistics, and enhancing the functionality and usability of the site to better tailor the sites, products, and services to visitors' needs. ARC uses Google Analytics and Siteimprove to track such information about visitors to the sites. Google Analytics’ policies may be viewed here. Siteimprove’s policies may be viewed here. This information may be aggregated for reporting about ARC websites' usability and effectiveness. We may also use technical information collected through the sites to personalize the content, improve the content, and/or to provide product or service offers.
In addition to the above data elements, ARC collects certain additional Personal Data solely related to Traverse Technologies technical solutions. This specific subset of information may include gender, passport number and information, IP address, location, user name and information, and e-mail address.
Cookies are identifiers that a website can send to your browser to keep on your computer to facilitate your next visit to that website. In some cases, you can set your browser to notify you when you are sent a cookie, giving you the option to decide whether or not to accept it. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited, but the only information that directly identifies you as an individual that a cookie can contain is information you supply yourself. A cookie cannot read hard disk or read cookie files placed by others. ARC uses cookies and similar technologies on its websites and may partner with third party cookie providers including to place ads on other websites. We do not link the information we store in cookies to any Personal Data you submit on our sites. The information collected by cookies helps us develop customized content for the sites and also allows us to statistically monitor how many people are using our sites and for what purpose. You can discover how to disable cookies on your browser.
ARC occasionally uses third-party advertising networks on social media platforms — such as LinkedIn, Facebook and Instagram — to collect visitor information on social media platforms to then pass over visitor information to ARC. Visitor information is used for ARC communications including, but not limited to, email, further advertising and direct mail. For more information or to opt out of this type of advertising, please visit the various social media platforms.
ARC does not knowingly collect Personal Data from children under the age of 13 and ARC does not target its websites to children under 13. If you are a parent or guardian of a child who has provided personal information without your knowledge and consent, you may request we remove this child’s information by contacting us at privacy@arccorp.com.
How we use the information we collect depends in part on which services are being used. We use Personal Data to:
We share Personal Data only when necessary to operate our business, deliver the services, or comply with legal obligations. This may include sharing Personal Data with employees, service providers, business partners like customers and travel providers affiliates, or legal authorities, where necessary and appropriate.
To the extent permitted by applicable law, we also may use and share deidentified information and aggregated information with third parties.
We process Personal Data only where we have a legal basis for doing so under applicable law or regulations. The legal bases depend on the services and how they are used, and may include:
To protect against unauthorized access, disclosure, alteration or destruction of information, to maintain data accuracy, and to safeguard and secure the information in the database, ARC has put in place physical, electronic, and managerial technical security controls that are proportionate to the Personal Data’s level of confidentiality or sensitivity.
We have established an information security program based on industry standard practices including policies and procedures for employees who may have access to your information. We also provide regular information security training for employees.
We will retain your Personal Data in accordance with applicable laws, and for as long as necessary for the underlying purposes for which the information was collected, unless a longer retention period is required or permitted by law. When we delete your Personal Data, we use industry standard methods designed to ensure that any recovery or retrieval of your information is impossible. We may keep residual copies of your personal data in backup systems to protect our systems from malicious loss. This Personal Data is inaccessible unless restored, and all unnecessary personal data will be deleted upon restoration.
ARC websites may provide links to third-party websites. If you access such links, you leave ARC's website. ARC does not control such sites or their privacy policies or practices.
Pursuant to the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) (collectively, the “DPF”), ARC provides notice to individuals of the following regarding any of their personal data which may be transferred from the United Kingdom, Switzerland, or the European Union to ARC, located in the United States:
ARC complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. ARC has self-certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. ARC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, the “DPF Principles”), the DPF Principles shall govern. To learn more about the program, and to view our certification, please visit the U.S. Department of Commerce Data privacy framework website at https://www.dataprivacyframework.gov.
Onward Transfers. ARC is accountable for the processing of Personal Data it receives under the DPF Principles and subsequently transfers to a third party. ARC complies with the DPF Principles for onward transfers of personal information from the EU, UK, and Switzerland, including the onward transfer liability provisions. ARC may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security and law enforcement requirements.
Personal Data Processing. As described in this Privacy Policy, ARC collects, uses, and discloses Personal Data to provide its services. For example, as part of its transaction settlement processing services, ARC receives individual passenger name and credit card number (or partial credit card number). ARC also receives passenger name record (PNR) number and ticket number. At times, ARC may receive other Personal Data as described in this Privacy Policy, including frequent flyer number, date of birth, and other identifiers associated with airline tickets sold to passengers through U.S.-based travel agencies accredited by ARC. The types of Personal Data collected and the types of third parties to whom ARC may disclose Personal Data are set forth above under the “Personal Data We Collect” and the “How we Share Personal Data” sections of this Privacy Policy. The purposes for which we may use and disclose Personal Data are set forth above in the “How Personal Data May Be Used” and the “How We Share Personal Data” sections of this Privacy Policy.
ARC commits to subject any Personal Data received in reliance on the DPF from the European Union, United Kingdom (and Gibraltar), and/or Switzerland to the DPF Principles.
Dispute Resolution and Enforcement. In compliance with the DPF Principles, ARC commits to resolve DPF Principles-related inquiries or complaints about our collection and use of your Personal Data. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the DPF should first contact ARC by emailing privacy@arccorp.com or by contacting us toll-free at 1-855-816-8003.
In compliance with the DPF, ARC commits to refer unresolved complaints concerning our handling of Personal Data received in reliance on the DPF to the International Centre for Dispute Resolution of the American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the ICDR-AAA are provided at no cost to you. Under certain conditions, more fully described on the DPF website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Jurisdiction. ARC is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), pursuant to Section 5 of the FTC Act, 15 U.S.C. § 45. The FTC has jurisdiction over ARC’s compliance with the DPF.
Rights and Choices. Residents of the EU, UK, and Switzerland have the right to access Personal Data that ARC maintains. In some cases, these residents may also have the right to limit the use and disclosure of Personal Data. Rights available to such residents are described more fully in the “International Visitors” section of this Privacy Policy below. To exercise these rights, please submit a Data Subject Request (“DSR”) by email to privacy@arccorp.com or by going to https://my.datasubject.com/Uw03R7mCGS/60313. You may also submit by contacting the following toll-free number: 1-855-816-8003. Please include the following information with your DSR:
If you reside in the United Kingdom (UK), the European Economic Area (EEA), or Switzerland, this section of the Privacy Policy describes rights that may be available to you. Subject to certain exceptions and limitations, such individuals have the right to request to exercise the following rights concerning Personal Data about them:
To exercise these rights, please submit a Data Subject Request (“DSR”) by email to privacy@arccorp.com or by going to https://my.datasubject.com/Uw03R7mCGS/60313. You may also submit by contacting the following toll-free number: 1-855-816-8003. Please include the following information with your DSR:
If you believe that we have not been, or will not be, able to assist with your complaint or concern, you may have the right to lodge a complaint with the competent supervisory authority. If you work or reside in a country that is a member of the European Union or that is in the EEA, you may find the contact details for your appropriate data protection authority on the following website: https://edpb.europa.eu/about-edpb/about-edpb/members_en. We encourage you to contact us first with any questions.
The privacy practices described in this Privacy Policy comply with the Global Cross Border Privacy Rules System. The Global CBPR system provides a framework for organizations to ensure protection of personal data transferred among participating economies. More information about the Global CBPR framework can be found here.
The Personal Data we process may be accessed from, processed or transferred to countries other than the country in which you reside. Those countries may have data protection laws that are different from the laws of your country. Such cross-border transfer of your Personal Data is necessary for us to provide the services required by your transaction with our Customers, and for the other purposes outlined in this Privacy Policy.
The servers for our platform are located in the United States, where it is processed. The transferees of your personal datawe process the data we collect. Entities to which we transfer Personal Data may also be located in countries other than the country in which you reside.
We have taken appropriate steps and put safeguards in place to help ensure that any access, processing and/or transfer of Personal Data remains protected in accordance with this Privacy Policy and in compliance with applicable data protection requirements, including the DPF. We will comply with obligations regarding Personal Data cross-border transfers in accordance with applicable data protection laws, regulations, and conditions set by the competent authorities. This may include fulfilling obligations such as security assessments and/or certifications and signing agreements with overseas recipients in accordance with the standard contract established by the competent authorities.
ARC has appointed a data protection officer (“DPO”). If you would like to submit a DSR per above or have any questions or concerns related to this Privacy Policy or other aspects of data protection pertaining to ARC, you may reach out to the DPO as follows:Airlines Reporting Corporation
Airlines Reporting Corporation
3000 Wilson Blvd., Suite 300
Arlington, VA 22201
Attention: Data Protection Officer
Email: privacy@arccorp.com
Phone (to submit a DSR): 1-855-816-8003 (toll free)
You have certain rights and choices with respect to your personal data, as described below:
Certain states provide their state residents with rights to:
The exact scope of these rights may vary by state or other jurisdiction. To exercise any of these rights by submitting a Subject Access Request (“SAR”), please fill out this form: https://my.datasubject.com/Uw03R7mCGS/60313. We will attempt to verify your identity using any of your personal information that is already in our possession. However, we may need to request additional personal information to verify your identity. We will not use additional information you provide for verification for any other purposes, and we will promptly delete any such information once the verification process is complete. You consent to, acknowledge and agree that by providing any such verification information, you explicitly consent to ARC’s collection and use of such information solely for the purpose of verifying your identity to respond to your SAR submission.
We respond to all verified requests we receive from individuals wanting to exercise their personal data protection rights in accordance with applicable data protection laws. Should you have the right under applicable law to appeal a decision we have made to not take action on your request, another email address to which you can submit your appeal will be included in our response to you.
In 2024, ARC received no requests to delete personal information, no requests to know or access what personal information we were collecting, no requests to what information we sold or shared and to whom, and no requests to opt out of the sale or sharing of personal information.
ARC reserves the right to change this policy at any time. Visitors to the site are responsible for consulting this page for any changes. The effective date will be noted to indicate the last time modifications were made. You may review the policy at any time by clicking on “Privacy” at the bottom of all ARC website pages.