Site Privacy Policy

Site Privacy Policy

Airlines Reporting Corporation ("ARC") is committed to providing excellent service to all of our customers and visitors to the ARC Website, including respecting your concerns about privacy. This privacy policy applies to information ARC collects, receives and holds relating to individuals, including information provided by visitors to our website. This Privacy Policy applies to ARC's corporate website (www.arccorp.com) and all websites controlled by ARC.

This Policy should answer your questions about:

  • The types of information we collect;
  • How information is used by ARC and shared with others;
  • What security measures we take to safeguard information;

Types Of Information We Collect

In order to facilitate interactions with ARC and manage the business operations of ARC and its related entities, ARC may collect and maintain information about individuals from different sources, including, for example:

  • When you voluntarily provide us with information;
  • From your browser, when you visit our Web sites and your browser interacts with our site;
  • Your transactions with ARC, including the use of ARC's products and services; and
  • Other sources, in connection with the processing of travel related transactions.

"Personally Identifiable Information" (also referred to as "personal Data" or “personal information”) is any information that identifies you personally, either alone or in combination with other information available from ARC. Personally Identifiable Information ("PII") does not include information that does not identify an individual. On some ARC sites, you may be able to register for and/or order ARC products or services, participate in surveys, request information, or apply for a position, which may require that you provide PII.

"Non-personally identifiable information" includes data that does not identify a specific individual. For example, when you use ARC's web sites, we may collect non-personally identifiable information such as your browser type, the type of operating system you use, the name of your Internet Service provider and pages visited on our site. This information is collected for site administration purposes such as to monitor and evaluate how visitors use the sites, analyze usage trends and statistics, and enhance the functionality and usability of the site to better tailor the site, products and services to visitors' needs. ARC may use a third party tracking service that uses cookies and other technologies to track such non-personally identifiable information about visitors to the site. Non-personally identifiable information may be aggregated for reporting about ARC websites' usability and effectiveness. We may also use information collected at this site to personalize the content, improve the content, and/or to provide product or service offers.

Back to Top

Cookies

Cookies are identifiers which a web site can send to your browser to keep on your computer to facilitate your next visit to that websites. You can set your browser to notify you when you are sent a cookie, giving you the option to decide whether or not to accept it. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited, but the only PII a cookie can contain is information you supply yourself. A cookie cannot read hard disk or read cookie files placed by others. ARC uses cookies on its websites and may place ads on other websites that may use cookies. We do not link the information we store in cookies to any PII you submit on our site. The information collected by cookies helps us develop customized content for the site, and also allows us to statistically monitor how many people are using our site and for what purpose.

Back to Top

Advertising

Airlines Reporting Corporation (ARC) occasionally uses third-party advertising networks, such as AdRoll, to collect visitor information on our site then serve targeted display ads to you on other sites. AdRoll uses technology such as pixel tags and cookies to collect this information. For more information or to opt-out of this type of advertising, please visit the AdRoll Service Privacy Notice.

Back to Top

Social Media

Airlines Reporting Corporation (ARC) occasionally uses third-party advertising networks on social media platforms—such as LinkedIn, Twitter, Facebook and Instagram—to collect visitor information on social media platforms to then pass over visitor information to ARC. Visitor information is used for ARC communications; including but not limited to email, further advertising and direct mail. For more information or to opt-out of this type of advertising, please visit the various social media platforms.

Back to Top

Individuals Under 13

ARC does not knowingly collect PII from children under the age of 13 and ARC does not target its Web sites to children under 13.

Back to Top

How Information May Be Used

Personally Identifiable Information (PII) received or collected by ARC is used primarily to complete transactions, fulfill requests, and also to facilitate performance of contracts between ARC and participants in ARC's programs and services (e.g., ARC-accredited travel agents, CTDs, participating Carriers and other ARC participants (collectively "Participants")) or as otherwise required by ARC's business practices or needs. PII is made available to ARC employees in the customary exercise of their duties. Additionally, ARC may contract with third party service providers, contractors and suppliers to conduct surveys or provide products, services, event registration, or other customer solutions to you based upon and using the information ARC gathers and receives. ARC contractors may have access to PII in the course of assisting in ARC's business operations and providing services to you (e.g., ARC Marketplace). ARC endeavors to limit access to Personally Identifiable Information by such third parties to that which is necessary for the contractor to perform its designated functions. ARC uses all reasonable means to ensure that the information you provide is not used by such third parties for purposes other than described in this policy.

ARC compiles a list (the ARC List aka Agency List) of ARC participants and other travel professionals which includes, but is not limited to company name, address, email address, phone number and type of entity, etc., that may be shared with or marketed to suppliers or other entities for product information, promotions or other messages.

ARC processes information related to airline carrier transactions (airline tickets, refunds, exchanges, etc.) and retains such information for a period deemed reasonable to facilitate the processing and settlement of the transactions and during which disputes between the parties to the transactions (e.g., the passenger, the travel professional who issued the transaction and the carrier) are likely to arise and with respect to which PII associated with the transaction will continue to be relevant. ARC also prepares and publishes aggregated or consolidated transactional data.

Back to Top

Keeping Information Secure

To reduce the likelihood of unauthorized access, disclosure, alteration or destruction of information, to maintain data accuracy, to safeguard and secure the information in the database, ARC has put in place physical, electronic, and managerial procedures that ARC believes to be reasonable. ARC currently uses the Secure Socket Layers (SSL) protocol to help protect information in transit over the Internet. ARC employs firewalls to reduce the likelihood of unauthorized access via the Internet.

You can also help to keep information secure. Create secure passwords (i.e., difficult for someone else to figure out). Use a combination of special characters, number and upper and lower case letters. Change passwords frequently and do not share usernames and passwords or give your password to anyone.

Back to Top

Disclosure Of PII for Legal Reasons

We may disclose personally identifiable information in response to legal process such as a court order or a subpoena. We also may disclose such information in situations such as the following: response to law enforcement agency's requests, compliance with government order, or matters relating to national security and/or where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our terms of use, to comply with legal requirements, or as otherwise required by law.

Back to Top

Additional Notice to CA Residents

Applicability

This notice applies to the following types of individuals who are considered “consumers” under the California Privacy Rights Act of 2020 (“CPRA”):

  • Actual and prospective employees of ARC residing in California ("Employees")
  • Owners and/or officers of ARC-accredited travel agencies (“Agencies”) residing in California
  • Individuals residing in California who may have purchased airline tickets from any ARC-accredited travel agencies (“Passengers”)

Please note that ARC does not control the collection of personal information (as defined in the CPRA) from Passengers, since that is controlled primarily by airlines, as well as by Agencies. Additionally, ARC does not sell any personal information, including, sensitive personal information, which the CPRA defines as follows:

  • Personal information that reveals:
    • A consumer’s social security, driver’s license, state identification card, or passport number.
    • A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
    • A consumer’s precise geolocation.
    • A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
    • The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.
    • A consumer’s genetic data.
  • The processing of biometric information for the purpose of uniquely identifying a consumer.
  • Personal information collected and analyzed concerning a consumer’s health.
  • Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

Note: information that is “publicly available” as defined in paragraph (2) of subdivision (v) of the CPRA is not considered sensitive personal information or personal information.

As detailed further below, ARC’s collection, use, retention, and sharing of any consumer’s personal information is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.

Categories and Purposes of Personal Information we Collect about Employees and Agencies

  • Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
    • Usage
      • Employees: to make employment-related decisions such as hiring, termination, pay, benefits, leave, etc.
      • Agencies: for accreditation by ARC and to provide services to ARC-accredited entities, namely transaction reporting, settlement, and ancillary products or services such as data intelligence subscriptions and ticket resolution services (“Agent Services”)
      • Sharing
        • Employees: with vendors providing services to support this function, such as criminal background and employment checks
        • Agencies: same as above re: Employees
      • Retention:
        • Employees: through the course of an individual’s employment, and extending beyond such period only as required to comply with employment, tax, and other applicable laws, regulations, or government directives (collectively, “Laws”). Background check data is stored for twenty-four (24) months after which it is automatically purged. Records in paper are generally retained for seven (7) years, with the exception of pension-required documents for eligible employees.
        • Agencies: through the course of an individual’s accreditation, and extending beyond such period only as required to comply with any Laws, excluding employment-related laws.
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement
    • Usage:
      • Employees: to administer and enforce employment and corporate security policies
      • Agencies: to provide Agent Services and track analytics to improve customer experience, operational efficiency, etc.
      • Sharing: none
      • Retention
        • Employees: through the course of an individual’s employment, and extending beyond such period for no greater than twelve (12) months, and otherwise only as required to comply with Laws
        • Agencies: through the course of an individual’s accreditation, and extending beyond such period only as required to comply with any Laws, excluding employment-related laws.
  • Professional or employment-related information
    • Usage
      • Employees: to make employment-related decisions such as hiring, termination, pay, benefits, leave, etc.
      • Agencies: solely for accreditation by ARC
      • Sharing
        • Employees: with vendors providing services to support this function, such as criminal background and employment checks
        • Agencies: same as above re: Employees
      • Retention:
        • Employees: through the course of an individual’s employment, and extending beyond such period only as required to comply with Laws
        • Agencies: through the course of an individual’s accreditation, and extending beyond such period only as required to comply with any Laws, excluding employment-related laws.
  • The following sensitive personal information:
    • Your social security, driver’s license, state identification card, or passport number:
      • Usage: solely for accreditation or employment decisions by ARC
      • Sharing: with vendors providing services to support the above functions, such as criminal background and employment checks
      • Retention: only until the initial accreditation or hiring process is complete
      • Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
        • Usage
          • Employees: enabling access to services such as benefit and pay management in ARC’s systems
          • Agencies: enabling access to services provided as benefits of ARC-accreditation, namely transaction reporting, settlement, and ancillary products or services such as data intelligence subscriptions and ticket resolution services
          • Sharing
            • Employees: with vendors providing services to support this function, such as payroll administrators, retirement and 401(k) advisors, and financial institutions such as an employee’s designated financial institution for direct deposit
            • Agencies: with vendors providing services to support this function, such as database management, IT application developers, and technical support providers
            • Retention
              • Employees: through the course of an individual’s employment, and extending beyond such period only as required to comply with Laws
              • Agencies: through the course of an individual’s accreditation, and extending beyond such period only as required to comply with any Laws, excluding employment-related laws.

Subject Access Requests

Pursuant to the CPRA, you may submit to ARC a request for disclosure of any of the following (“Subject Access Request,” or “SAR”):

  • The categories of personal information we have collected about you, and/or that we have sold or shared for a business purpose;
  • We will provide disclosures about personal information sold in a list separately from disclosures about personal information disclosed for a business purpose.
  • The categories of sources from which the personal information is collected;
  • The business or commercial purpose for collecting, selling, or sharing personal information;
  • The categories of third parties to whom we disclose personal information; and
  • Specific pieces of personal information we collect about you;

You may also submit a SAR for any of the following purposes:

  • Deletion of personal information we have collected about you, if we receive a verifiable consumer request from you (as defined in the CPRA);
  • We may be unable to delete certain personal information if it is necessary for us to maintain the personal information in order to:
  • Complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between ARC and you;
  • Help to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes. Debug to identify and repair errors that impair existing intended functionality;
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
  • Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code;
  • Engage in public or peer-reviewed scientific, historical, or statistical research that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if you have provided informed consent;
  • To enable solely internal uses that are reasonably aligned with your expectations based on your relationship with the business;
  • Comply with a legal obligation; or
  • Correction of inaccurate personal information
  • Opting out of any sales or sharing of your personal information to third parties by clicking “Do Not Sell or Share My Personal Information,” which is also located on our website homepage;
    • You may authorize another person to opt-out of the sale of your personal information on your behalf.
  • Opting out of sales or sharing of personal information about a minor
  • Limiting use and disclosure of sensitive personal information by clicking “Limit the Use of My Sensitive Personal Information,” which is also located on our website homepage
    • As described above, ARC only uses sensitive personal information in a manner reasonably necessary and proportional to accomplish certain operational purposes, namely accreditation and employment decisions.
    • If we collect your sensitive personal information, you have the right, at any time, to direct us to limit our use of your sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by you who requested such goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140 of the CPRA, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (19) of subdivision (a) of Section 1798.185 of the CPRA.

How to Submit

Please submit any SAR using this form, by email to privacy@arccorp.com, or by postal mail to 3000 Wilson Blvd., Ste. 300, Arlington, VA 22201. You may also submit an SAR by contacting the following toll-free number: (855) 933-4272. If not submitted using the web form, each SAR must include the following information pertaining to the request:

  1. Name;
  2. Address of residence in CA
  3. Preferred contact information, such as telephone number or email address;
  4. The basis of the SAR, which may include any of the reasons described above;
  5. Any other information you deem relevant to the SAR and/or ARC’s ability to respond appropriately.

We will attempt to verify your identity using any of your personal information that is already in our possession, such as information pertaining to a password-protected account you have created with us. However, we may need to request additional personal information in order to verify your identity. Though not required, you may wish to provide the last four digits of the credit card that you used to purchase air travel through a travel agency, in order to assist us in verifying your identity. We will not use additional personal information you provide for verification for any other purposes, and we will promptly delete any such information once the verification process is complete. You acknowledge and agree that by providing any such verification information, you explicitly consent to ARC’s collection and use of such information solely for the purpose of verifying your identity in order to respond to your SAR submission.

Any SAR submitted without the above information may result in a delay of ARC’s response.

ARC’s Response

In responding to the SAR, ARC will adhere to the following guidelines:

  1. Responding without delay, and in any event no later than 45 days from the date we receive the SAR. We may need to extend the response period by up to 45 days where requests are complex, numerous, and/or incomplete. In such circumstance, ARC will inform you within the initial 45-day period and explain why an extension is necessary.
  2. Providing you a response at no cost
  3. Providing information that will cover the 12-month period preceding our receipt of the SAR. For any personal information collected on or after January 1, 2022, you may request disclosure of the required information covering a longer period than the 12-month period preceding our receipt of your verifiable consumer request, and we shall be required to provide such information unless doing so proves impossible or would involve a disproportionate effort.
  4. Providing written information in a portable and, to the extent technically feasible, in a readily useable format that allows you to transmit this information to another entity without hindrance
  5. Delivering the response through your account with us, if you maintain an account with the business, or by mail or electronically at your option if you do not maintain an account with us (however, we will not require you to create an account with us to make an SAR)
  6. Although not required, making best efforts to provide personal information requested more than twice in a 12-month period
  7. Withholding certain information as required by applicable law. For example, we may withhold information that could identify someone else, meaning it would not be reasonable to disclose that information to you. As another example, we may withhold information if you are being investigated for a crime or other legal violation, and the investigation would be prejudiced if you had access to the information

Notice of Non-Discrimination

ARC will not discriminate against you because you exercised any of your rights under the CPRA, including, but not limited to, by the following activities:

  1. Denying you goods or services;
  2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  3. Providing you a different level or quality of goods or services;
  4. Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services; or
  5. If you are an employee, applicant for employment, or independent contractor, as defined in subparagraph (A) of paragraph (2) of subdivision (m) of Section 1798.145 of the CPRA, retaliating against you for exercising your rights under the CPRA

Note: we may charge a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.

We may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. We may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data. If we offer any financial incentives, we will provide prior notice on our website to consumers. We will only enter you into a financial incentive program if you provide prior opt-in consent which clearly describes the material terms of the financial incentive program, and which may be revoked by you at any time. We will not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

Additional Notice to VA Residents

Applicability

This notice applies to you if you are considered a “consumer” under the Virginia Consumer Data Protection Act (“CDPA”), meaning a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context. To the extent that ARC is considered a controller with respect to the personal data of any Virginia consumer, ARC provides the below notice to any and all such Virginia consumers.

Categories and Purpose of Personal Data Processed

ARC processes personal data, primarily individual name and credit card number, associated with airline tickets sold to passengers, whom may be Virginia consumers, through travel agencies accredited by ARC. ARC provides a critical service in the air travel industry by providing financial settlement of such transactions, including any refunds or exchanges, between participating Carriers and such agencies.

Sharing with Third Parties

ARC does not share any passenger personal data of Virginia consumers with any third party. Furthermore, ARC neither sells personal data to third parties nor processes personal data for targeted advertising.

Invoking Your Rights

If you are a Virginia consumer, you may submit to us a request (a “subject access request” or “SAR”), pursuant § to 59.1-577 of the CDPA, to invoke any of the following rights, either on your own behalf or on behalf of a known child, if you are the parent or legal guardian of such child:

1. To confirm whether or not ARC is processing your personal data and to access such personal data;

2. To correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of the processing of your personal data;

3. To delete personal data provided by or obtained about you;

4. To obtain a copy of your personal data that you previously provided to ARC in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and

5. To opt out of the processing of your personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit

Please submit any SAR using this form , by email to privacy@arccorp.com, or by postal mail to 3000 Wilson Blvd., Ste. 300, Arlington, VA 22201. You may also submit an SAR by contacting the following toll-free number: (855) 933-4272. If not submitted using the web form, each SAR must include the following information pertaining to the request:

  1. Name;
  2. Address of residence in VA
  3. Preferred contact information, such as telephone number or email address;
  4. The basis of the SAR, which may include any of the reasons described above;
  5. Any other information you deem relevant to the SAR and/or ARC’s ability to respond appropriately.

We will attempt to verify your identity using any of your personal information that is already in our possession, such as information pertaining to a password-protected account you have created with us. We will not require you to create a new account in order to exercise your rights. However, we may need to request additional personal information in order to verify your identity. Though not required, you may wish to provide the last four digits of the credit card that you used to purchase air travel through a travel agency, in order to assist us in verifying your identity. We will not use additional personal information you provide for verification for any other purposes, and we will promptly delete any such information once the verification process is complete. You acknowledge and agree that by providing any such verification information, you explicitly consent to ARC’s collection and use of such information solely for the purpose of verifying your identity in order to respond to your SAR submission.

Any SAR submitted without the above information may result in a delay of ARC’s response.

ARC’s Response

In response to your request, the following guidelines will apply:

1. ARC will respond without undue delay, but in all cases within 45 days of receipt of the request. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the requests, so long as we inform you of any such extension within the initial 45-day response period, together with the reason for the extension.

2. If ARC declines to take action regarding your request, we shall inform you without undue delay, but in all cases and at the latest within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision, as detailed further below.

3. Information provided in response to a consumer request shall be provided by ARC free of charge, up to twice annually per consumer. If ARC is able to demonstrate that requests from a consumer are manifestly unfounded, excessive, or repetitive, we may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.

4. If ARC is unable to authenticate the request using commercially reasonable efforts, we shall not be required to comply with it and may request that you provide additional information reasonably necessary to authenticate yourself as the consumer as well as your request.

5. If we have obtained personal data about you from a source other than yourself, we shall be deemed in compliance with any request by you to delete such data by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the your personal data remains deleted from our records and not using such retained data for any other purpose pursuant to the provisions of the CDPA or (ii) opting you out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of the CDPA.

Your Right to Appeal

If ARC declines to take action on your request within 45 days of receipt, or within a valid 45-day extension period as described above, you may appeal this decision by submitting a request for appeal using the same process as described above in the section titled “How to Submit,” except that you must include the word “APPEAL” in capitalized letters in any of the data fields provided. Any request for appeal submitted without following these guidelines may result in a delay of ARC’s response.

Within 60 days of receipt of an appeal, we shall inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may contact the Attorney General of Virginia to submit a complaint.

Back to Top

Additional Notice to CO Residents

Applicability

This notice applies to you if you are considered a “consumer” under the Colorado Privacy Act (“CPA”), meaning an individual who is a Colorado resident acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context. To the extent that ARC is considered a controller with respect to the personal data of any Colorado consumer, ARC provides the below notice to any and all such Colorado consumers.

Categories and Purpose of Personal Data Processed

ARC processes personal data, primarily individual name and credit card number, associated with airline tickets sold to passengers, whom may be Colorado consumers, through travel agencies accredited by ARC. ARC provides a critical service in the air travel industry by providing financial settlement of such transactions, including any refunds or exchanges, between participating Carriers and such agencies.

Sharing with Third Parties

ARC does not share any passenger personal data of Colorado consumers with any third party. Furthermore, ARC neither sells personal data to third parties nor processes personal data for targeted advertising.

Invoking Your Rights

If you are a Colorado consumer, you may submit to us a request (a “subject access request” or “SAR”), pursuant to the CPA, to invoke any of the following rights, either on your own behalf or on behalf of a known child, if you are the parent or legal guardian of such child:

1. To confirm whether or not ARC is processing your personal data and to access such personal data;

2. To correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of the processing of your personal data;

3. To delete personal data provided by or obtained about you;

4. To obtain a copy of your personal data that you previously provided to ARC in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and

5. To opt out of the processing of your personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit

Please submit any SAR using this form , by email to privacy@arccorp.com, or by postal mail to 3000 Wilson Blvd., Ste. 300, Arlington, VA 22201. You may also submit an SAR by contacting the following toll-free number: (855) 933-4272. If not submitted using the web form, each SAR must include the following information pertaining to the request:

  1. Name;
  2. Address of residence in CO
  3. Preferred contact information, such as telephone number or email address;
  4. The basis of the SAR, which may include any of the reasons described above;
  5. Any other information you deem relevant to the SAR and/or ARC’s ability to respond appropriately.

We will attempt to verify your identity using any of your personal information that is already in our possession, such as information pertaining to a password-protected account you have created with us. We will not require you to create a new account in order to exercise your rights. However, we may need to request additional personal information in order to verify your identity. Though not required, you may wish to provide the last four digits of the credit card that you used to purchase air travel through a travel agency, in order to assist us in verifying your identity. We will not use additional personal information you provide for verification for any other purposes, and we will promptly delete any such information once the verification process is complete. You acknowledge and agree that by providing any such verification information, you explicitly consent to ARC’s collection and use of such information solely for the purpose of verifying your identity in order to respond to your SAR submission.

Any SAR submitted without the above information may result in a delay of ARC’s response.

ARC’s Response

In response to your request, the following guidelines will apply:

1. ARC will respond without undue delay, but in all cases within 45 days of receipt of the request. The response period may be extended by 45 additional days when reasonably necessary, taking into account the complexity and number of the requests, so long as we inform you of any such extension within the initial 45-day response period, together with the reason for the extension.

2. If ARC declines to take action regarding your request, we shall inform you without undue delay, but in all cases and at the latest within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision, as detailed further below.

3. Information provided in response to a consumer request shall be provided by ARC free of charge, up to twice annually per consumer. If ARC is able to demonstrate that requests from a consumer are manifestly unfounded, excessive, or repetitive, we may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.

4. If ARC is unable to authenticate the request using commercially reasonable efforts, we shall not be required to comply with it and may request that you provide additional information reasonably necessary to authenticate yourself as the consumer as well as your request.

5. If we have obtained personal data about you from a source other than yourself, we shall be deemed in compliance with any request by you to delete such data by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the your personal data remains deleted from our records and not using such retained data for any other purpose pursuant to the provisions of the CPA or (ii) opting you out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of the CPA.

Your Right to Appeal

If ARC declines to take action on your request within 45 days of receipt, or within a valid 45-day extension period as described above, you may appeal this decision by submitting a request for appeal using the same process as described above in the section titled “How to Submit,” except that you must include the word “APPEAL” in capitalized letters in any of the data fields provided. Any request for appeal submitted without following these guidelines may result in a delay of ARC’s response.

Within 60 days of receipt of an appeal, we shall inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may contact the Attorney General of Colorado to submit a complaint.

Back to Top

Additional Notice to CT Residents

Applicability

This notice applies to you if you are considered a “consumer” under the Connecticut Data Privacy Act (“CTDPA”), meaning an individual who is a Connecticut resident acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context. To the extent that ARC is considered a controller with respect to the personal data of any Connecticut consumer, ARC provides the below notice to any and all such Connecticut consumers.

Categories and Purpose of Personal Data Processed

ARC processes personal data, primarily individual name and credit card number, associated with airline tickets sold to passengers, whom may be Connecticut consumers, through travel agencies accredited by ARC. ARC provides a critical service in the air travel industry by providing financial settlement of such transactions, including any refunds or exchanges, between participating Carriers and such agencies.

Sharing with Third Parties

ARC does not share any passenger personal data of Connecticut consumers with any third party. Furthermore, ARC neither sells personal data to third parties nor processes personal data for targeted advertising.

Invoking Your Rights

If you are a Connecticut consumer, you may submit to us a request (a “subject access request” or “SAR”), pursuant to the CTDPA, to invoke any of the following rights, either on your own behalf or on behalf of a known child, if you are the parent or legal guardian of such child:

1. To confirm whether or not ARC is processing your personal data and to access such personal data;

2. To correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of the processing of your personal data;

3. To delete personal data provided by or obtained about you;

4. To obtain a copy of your personal data that you previously provided to ARC in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and

5. To opt out of the processing of your personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit

Please submit any SAR using this form , by email to privacy@arccorp.com, or by postal mail to 3000 Wilson Blvd., Ste. 300, Arlington, VA 22201. You may also submit an SAR by contacting the following toll-free number: (855) 933-4272. If not submitted using the web form, each SAR must include the following information pertaining to the request:

  1. Name;
  2. Address of residence in CT
  3. Preferred contact information, such as telephone number or email address;
  4. The basis of the SAR, which may include any of the reasons described above;
  5. Any other information you deem relevant to the SAR and/or ARC’s ability to respond appropriately.

We will attempt to verify your identity using any of your personal information that is already in our possession, such as information pertaining to a password-protected account you have created with us. We will not require you to create a new account in order to exercise your rights. However, we may need to request additional personal information in order to verify your identity. Though not required, you may wish to provide the last four digits of the credit card that you used to purchase air travel through a travel agency, in order to assist us in verifying your identity. We will not use additional personal information you provide for verification for any other purposes, and we will promptly delete any such information once the verification process is complete. You acknowledge and agree that by providing any such verification information, you explicitly consent to ARC’s collection and use of such information solely for the purpose of verifying your identity in order to respond to your SAR submission.

Any SAR submitted without the above information may result in a delay of ARC’s response.

ARC’s Response

In response to your request, the following guidelines will apply:

1. ARC will respond without undue delay, but in all cases within 45 days of receipt of the request. The response period may be extended by 45 additional days when reasonably necessary, taking into account the complexity and number of the requests, so long as we inform you of any such extension within the initial 45-day response period, together with the reason for the extension.

2. If ARC declines to take action regarding your request, we shall inform you without undue delay, but in all cases and at the latest within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision, as detailed further below.

3. Information provided in response to a consumer request shall be provided by ARC free of charge, up to twice annually per consumer. If ARC is able to demonstrate that requests from a consumer are manifestly unfounded, excessive, or repetitive, we may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.

4. If ARC is unable to authenticate the request using commercially reasonable efforts, we shall not be required to comply with it and may request that you provide additional information reasonably necessary to authenticate yourself as the consumer as well as your request.

5. If we have obtained personal data about you from a source other than yourself, we shall be deemed in compliance with any request by you to delete such data by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the your personal data remains deleted from our records and not using such retained data for any other purpose pursuant to the provisions of the CTDPA or (ii) opting you out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of the CTDPA.

Your Right to Appeal

If ARC declines to take action on your request within 45 days of receipt, or within a valid 45-day extension period as described above, you may appeal this decision by submitting a request for appeal using the same process as described above in the section titled “How to Submit,” except that you must include the word “APPEAL” in capitalized letters in any of the data fields provided. Any request for appeal submitted without following these guidelines may result in a delay of ARC’s response.

Within 60 days of receipt of an appeal, we shall inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may contact the Attorney General of Connecticut to submit a complaint.

Payment Card Industry (PCI) Data Security Standards

The PCI Data Security Standards are a set of best practices developed by the credit card payment industry and used to protect card holder data. There are 12 core data security requirements.

ARC was very pleased to be the first level 1 entity in the travel industry to be certified as PCI Compliant, and we actively participate in the PCI Security Standards Council. Level 1 merchants and processors with more than 6 million transactions must go through a yearly on-site audit by a qualified security assessor and perform quarterly scans to maintain compliance with PCI standards.

We all share a common interest to keep credit card information secure. Please click on the link for information about PCI and protection of credit card information.

Back to Top

Links To Non-ARC Web sites

ARC websites may provide links to third party companies' websites for your convenience and information. If you access such links, you leave ARC's website. ARC does not control such sites or their privacy policies or practices.

Back to Top

Changes

ARC reserves the right to change this policy at any time and will notify users of any material changes by updating the policy here. Visitors to the site are responsible for consulting this posting for any changes. The effective date will be noted to indicate the last time modifications were made. You may review the policy at any time by clicking on Privacy Policy at the bottom of all ARC Web site pages.

Back to Top

Consent

Your use of the ARC site and its services indicates you understand this policy and agree to the collection and use of the information discussed herein.

Back to Top

EU-U.S. Data Privacy Framework Notice

Pursuant to the EU-U.S. Data Privacy Framework (“DPF”), ARC provides notice to individuals of the following regarding any of their personal data which may be transferred from the European Union to ARC, located in the United States:

  1. its participation in the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and provide a link to, or the web address for, the Data Privacy Framework List.

    ARC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  ARC has self-certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  ARC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data privacy framework website.

  2. the types of personal data collected and, where applicable, the U.S. entities or U.S. subsidiaries of the organization also adhering to the DPF Principles.

    ARC provides a critical service in the air travel industry by providing financial settlement of such transactions, including any refunds or exchanges, between participating Carriers and such agencies. As part of its transaction settlement processing services, ARC receives personal data, primarily individual passenger name and credit card number, as well as passenger name record (PNR), ticket number, frequent flyer number, date of birth, and other identifiers associated with airline tickets sold to passengers through U.S.-based travel agencies accredited by ARC. While ARC’s settlement function only applies to the U.S. point-of-sale (POS), participating Carriers of ARC may be located anywhere internationally, including the European Union, and/or passengers may be EU residents despite purchasing through a U.S. POS, thus implicating GDPR and the DPF.

    As a result of the aforementioned settlement function, ARC receives a robust set of data, beyond only personal data, pertaining to ticket transactions and the associated travel journeys, and processes this data to provide business intelligence products and services to travel industry customers. Such products and services do not disclose personal data unless the personal data was collected by that customer or that customer has pre-existing access or a valid legal right to access, such as a government or court order. ARC’s inclusion of any personal data in any business intelligence products or services would be pursuant to a written contract containing the terms, conditions, and restrictions required under the DPF and other applicable data privacy laws.

    ARC has no U.S. affiliates or sub-entities to which the DPF Principles would apply.

  3. its commitment to subject to the DPF Principles all personal data received from the European Union and, as applicable the United Kingdom (and Gibraltar), and/or Switzerland in reliance on the relevant part(s) of the DPF program.

    By providing this notice under the DPF, along with the information stated in ARC’s broader privacy policy, of which the DPF is a component, ARC commits to subject all personal data received from the European Union, United Kingdom (and Gibraltar), and/or Switzerland to the DPF Principles.

  4. the purposes for which it collects and uses personal data about them.

    See item (ii) above in this section.

  5. how to contact the organization with any inquiries or complaints, including any relevant establishment in the European Union and, as applicable, the United Kingdom, and/or Switzerland that can respond to such inquiries or complaints, In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Airlines Reporting Corporation commits to resolve DPF Principles-related complaints about our collection and use of your personal data.  EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Airlines Reporting Corporation as follows: 

    Please submit any inquiries or complaints using this form , by email to privacy@arccorp.com, or by postal mail to 3000 Wilson Blvd., Ste. 300, Arlington, VA 22201. You may also submit by contacting the following toll-free number: (855) 933-4272. If not submitted using the web form, each inquiry/complaint must include the following information pertaining to the inquiry/complaint:

    1. Name;

    2. Preferred contact information, such as telephone number, email address, and/or postal address;

    3. A description of the basis and relevant information regarding such inquiry/complaint;

    4. Any other information you deem relevant to ARC’s ability to respond appropriately.

    We will attempt to verify your identity using any of your personal data that is already in our possession, such as information pertaining to a password-protected account you have created with us. We will not require you to create a new account in order to exercise your rights. However, we may need to request additional personal data in order to verify your identity. Though not required, you may wish to provide the last four digits of the credit card that you used to purchase air travel through a travel agency, in order to assist us in verifying your identity. We will not use additional personal data you provide for verification for any other purposes, and we will promptly delete any such information once the verification process is complete. Any SAR submitted without the above information may result in a delay of ARC’s response. We will investigate and attempt to resolve complaints within 45 days. 

    In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Airlines Reporting Corporation commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to the International Centre for Dispute Resolution of the American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the ICDR-AAA are provided at no cost to you.

  6. the type or identity of third parties to which it discloses personal data, and the purposes for which it does so.

    ARC only discloses personal data to third parties acting as contractors, vendors, or service providers under an agency relationship with ARC (each, a “Vendor”), pursuant to a written contract. Such contracts specify the limited purpose of processing by the third party, requiring confidentiality of the Vendor and its personnel and at least the same level of privacy protection as is required by the Principles. Such contracts also require ARC to take reasonable and appropriate steps to ensure that the Vendor effectively processes the personal information transferred in a manner consistent with ARC’s obligations under the Principles, as well as requiring the Vendor to notify ARC if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles. In the event we receive any such notice, we will take reasonable and appropriate steps to stop and remediate unauthorized processing.

    The types of Vendors to whom ARC may disclose personal data generally fall into the following categories of products or services which in turn enable ARC to provide its products and services as detailed in section (ii) above: cloud and on-premises database infrastructure and maintenance; customer relationship management; and disaster recovery. ARC is responsible for the processing of personal information it receives under the EU-U.S. DPF and subsequently transfers to a Vendor.  ARC shall remain liable under the Principles if any of our Vendors processes such personal information in a manner inconsistent with the Principles, unless ARC proves that we are not responsible for the event giving rise to the damage.

  7. the right of individuals to access their personal data, Individuals have the following rights of access concerning their data, which may be submitted through this  form:

    1. The right to be informed
      1. ARC’s purpose for collecting or using their Personal Information
      2. How/where/when ARC uses or collects their Personal Information
    2. The right of access
      1. Providing individuals with copies of any of their Personal Information that we collect or use.
    3. The right to rectification
      1. Correction of any inaccuracies or omissions
    4. The right to erasure/deletion
      1. We may do so upon request and if there is no legally valid reason to retain the data.
    5. The right to data portability
      1. The right to receive information concerning his or her personal data, in a structured, commonly used and machine-readable format.
    6. The right to restrict or object to processing
      1. Although generally inapplicable to ARC, GDPR permits the right to object to processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.
    7. Rights in relation to automated decision making and profiling
      1. Although generally inapplicable to ARC, individuals shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, subject to certain specific exceptions under GDPR.

  8. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data

    ARC acts as a processor for our customers and therefore we are a third party that is acting as an agent to perform the processing on behalf of and under the instructions of our customers. We have contracts with all customers.

  9. the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by the EU DPAs and, as applicable, the UK Information Commissioner’s Office (ICO) (and the Gibraltar Regulatory Authority (GRA)), and/or the Swiss Federal Data Protection and Information Commissioner (FDPIC), (2) an alternative dispute resolution provider based in the European Union and, as applicable, the United Kingdom, and/or Switzerland, or (3) an alternative dispute resolution provider based in the United States,

    As stated above, the ICDR-AAA based in the United States.

  10. being subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the U.S. Department of Transportation or any other U.S. authorized statutory body,

    ARC is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), pursuant to Section 5 of the FTC Act, 15 U.S.C. § 45.

  11. the possibility, under certain conditions, for the individual to invoke binding arbitration,

    Binding arbitration is available pursuant to the EU-U.S. DPF Annex I Arbitration Rules; see detailed requirements at https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction

  12. the requirement to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and

    We may disclose personal information as required in response to lawful requests by public authorities, such as court orders or subpoenas, including, but not limited to, in response to a law enforcement agency's requests, to comply with a government order, or to meet any requirements relating to national security.

Back to Top

Data Processing Addendum

When processing personal information on behalf of a customer, ARC may be required to enter into a data processing agreement or data processing addendum (“DPA”) under applicable laws, including, but not limited to, the General Data Protection Regulation (“GDPR”), with such customer. To the extent that we have executed a DPA with applicable customers under such laws, the terms of those DPA’s shall apply.

To the extent that we have not entered into a DPA with an applicable customer subject to GDPR, these terms of this DPA shall apply, only upon written notice to such customer providing such customer a reasonable opportunity to object.

Contact Information

Pursuant to GDPR (and other similar applicable privacy laws), ARC has appointed a data protection officer (“DPO”). If you would like to submit a SAR per above or have any questions or concerns related to this privacy policy or other aspects of data protection pertaining to ARC, you may reach out to the DPO as follows:

Airlines Reporting Corporation

3000 Wilson Blvd., Suite 300, Arlington, VA 22201

attention:  Data Protection Officer

email:      privacy@arccorp.com

Phone (to submit a SAR): (855) 933-4272

Phone (general):       (703)-816-8000

If you believe that we have not been, or will not be, able to assist with your complaint or concern, and you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have the right to lodge a complaint with the competent supervisory authority. If you work or reside in a country that is a member of the European Union or that is in the EEA, you may find the contact details for your appropriate data protection authority on the following website: https://edpb.europa.eu/about-edpb/about-edpb/members_en.