Last Updated December 12, 2022
Personal Information We Collect About You and How We Use It
Information you provide us:
If you choose to use or access any of the Services, you must provide personal information, such as your name, email address, telephone number, other contact information, and travel itinerary data, in order to do so. This information is used to: (i) provide login information to the AirRetailer Platform and carry out processing functions and the Services AirRetailer has been contracted to provide by its Client, (ii) communicate with you by responding to your requests, comments, and questions, (iii) improve the Site, and (iv) perform various account functions provided by AirRetailer. The GDPR legal basis for processing this information is: (a) the legitimate interest in communicating with you and improving the Site and the AirRetailer Platform, and (b) the contractual obligation to perform the Services.
Email & Email Updates
When you contact us by email we collect your first name, last name and email address in order to respond to your request. When you sign up for email updates, we collect your email address in order to provide updates. When you opt-in to receive promotional emails, we will add you to our list to send you promotional, commercial, and informational emails. The GDPR legal basis for processing this information is the legitimate interest in communicating with you and answering your questions.
Tracking Technologies & Cookies
When you visit the Site, we collect your IP address and use session “cookies” (pieces of information stored on your computer) to allow us to uniquely identify your browser while you are logged in and to enable us to process your online transactions. Session cookies also help us confirm your identity and are required in order to log into your account. Users who disable their web browsers’ ability to accept cookies will be able to browse the Site but will not be able to access or take advantage of the Services. We also use web beacons to monitor your browsing behaviour if you link to another site, such as Expedia.com. The GDPR legal basis for processing this information is the contractual obligation to the Client to perform the Services.
Demonstrations and free trial analyses
When you schedule a demo or a free trial analysis, we collect your first and last name, work email address, telephone number, company name and the number of employees in your company. We use this information to provide the information requested and to enable us to follow up with you. If you would like us to delete this information, you may request that we do so by contacting us at Sales@Airretailer.com. The GDPR legal basis for processing this information is your consent.
Refer a Friend
When you refer us to a friend, we collect your friend’s first and last name, work email address, telephone number, and company name as well as your name, email address and company name. We use this information to send a one-time email to your friend inviting him or her to visit the site. We store this information for the sole purpose of sending the one-time email and tracking the success of your referral. Your friend may request that we delete this information by contacting us at Sales@Airretailer.com. The GDPR legal basis for processing this information is your consent.
You can log into the AirRetailer Platform using sign-in services made available to you by the applicable Client or other service providers. These sign-in services will authenticate your identity and provide you the option to share certain Personal Information with us such as your name and email address to log-in to the AirRetailer Platform. The GDPR legal basis for processing this information is the contractual obligation to the Client to perform the Services.
Information related to data collected for or received from our clients and used in providing the Services
If you have any questions about specific AirRetailer Platform settings, what information AirRetailer has been authorized by Client to process, or its privacy practices, you may contact the applicable Client administrator. If you no longer wish to have your Personal Information used by one of our Clients that use the AirRetailer Platform, please contact your Client administrator. The GDPR legal basis for processing this information is the contractual obligation to the Client to perform the Services.
Rights Related to Your Personal Information
In addition to the lawful transfer, processing and storage of your Personal Information, the GDPR gives certain European Union members additional rights over our use of your Personal Information. AirRetailer respects your control over your information and, in the event that you have provided Personal Information to us in your use of the site, we will provide you with information about whether we hold any of your personal information as detailed below. You may access, correct, or request deletion of your Personal Information by contacting us at Sales@Airretailer.com. We will respond to your request within a reasonable timeframe.
When acting as a service provider, AirRetailer may have no direct relationship with the individuals whose Personal Information is provided to AirRetailer for processing while providing the Services. An individual who is employed by one of our Clients and seeks access to, or who seeks to correct, amend, delete, or object to the processing of their Personal Data should direct the query to their employer’s AirRetailer administrator if they are unable to make the appropriate changes via access to the AirRetailer Platform. If the Client requests AirRetailer to delete the data, we will respond to their request within 30 business days. If a user contacts us directly with such a request, we will notify the proper AirRetailer Client.
If you are in the European Economic Area (“EEA”), you have the following rights regarding your Personal Information we control:
Access. You can request details of your Personal Information we hold. We will confirm whether we are processing your Personal Information and we will disclose additional information including the types of Personal Information, the sources it originated from, the purpose and legal basis for the processing, the expected retention period and the safeguards regarding data transfers to non-EEA countries, subject to the limitations set out in applicable laws and regulations. We will provide you free of charge with a copy of your Personal Information, but we may charge you a fee to cover our administrative costs if you request further copies of the same information.
Correction. At your request, we will correct incomplete or inaccurate parts of your Personal Information, although we may need to verify the accuracy of the new information provided to us.
Deletion. At your request, we will delete your Personal Information if: (i) it is no longer necessary for us to retain your Personal Information, (ii) you withdraw consent which formed the legal basis for the processing of your Personal Information, (iii) you object to the processing of your Personal Information and there are no overriding legitimate grounds for such processing, (iv) the Personal Information was processed illegally, (v) the Personal Information must be deleted for us to comply with our legal obligations. We will decline your request for deletion if processing of your Personal Information is necessary: (i) for us to comply with our legal obligations, (ii) for the establishment, exercise or defence of legal claims, or (iii) for the performance of a task in the public interest.
Restrict Processing. At your request, we will restrict the processing of your Personal Information if: (i) you dispute the accuracy of your Personal Information, (ii) your Personal Information was processed illegally and you request a limitation on processing rather than the deletion of your Personal Information, (iii) we no longer need to process your Personal Information, but you need your Personal Information in connection with the establishment, exercise or defence of a legal claim, or (iv) you object to the processing of your Personal Information pending verification as to whether an overriding legitimate ground for such processing exists. We may continue to store your Personal Information to the extent required to ensure your request to restrict processing is respected in the future.
Data Portability. At your request, we will provide you free of charge with your Personal Information in a structured, commonly used and machine-readable format, if: (i) you provide us with your Personal Information, (ii) the processing of your Personal Information is required for the performance of a contract, or (iii) the processing is carried out by automated means.
Object. Where we rely on our legitimate interests (or that of a third party) to process your Personal Information, you have the right to object to this processing on grounds related to your particular situation if you feel it impacts your fundamental rights and freedoms. We will comply with your request unless we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defence of legal claims. We will always comply with your objection to the processing of your Personal Information for direct marketing purposes.
Not to be subject to decisions based solely on automated processing. You will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of your Personal Information, unless you have given us your explicit consent or where they are necessary for the performance of a contract with us.
Withdraw consent. You have the right to withdraw consent you may have previously given us at any time. In order to exercise your right to withdraw consent we may ask you for certain identifying information to ensure the security of your Personal Information.
Please contact us at Sales@Airretailer.com to make a request to exercise any of the above rights. We will respond to your request within 30 days or otherwise provide you with reasons for the delay. If we refuse your request we will notify you of the relevant reasons. Typically, we will not charge any fees in connection with the exercise of your rights; however, if your request is manifestly unfounded or excessive (for example, because of its repetitive character) we may charge a reasonable fee, taking into account the administrative costs of dealing with your request.
Kindly note that if you decide to exercise some of your rights, we may be unable to perform the actions necessary to achieve the purposes set out above or you may not be able to use or take full advantage of the Services.
If you are not satisfied with our response, you have the right to complain or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction.
How, and With Whom, Your Information Is Shared
Email communications with us:
As part of the Services, we may send you promotional, commercial, and informational emails. You may opt out from receipt of these emails and unsubscribe by clicking “unsubscribe” at the bottom of the emails you receive from us. You have the right to object to the use of your Personal Information for direct marketing purposes, on a going forward basis, by emailing us at Sales@Airretailer.com.
Information shared with your employer:
For users of the AirRetailer Platform we disclose information to your employer such as your travel behaviour, redemption behaviour and year-end redemption reporting for tax purposes.
Information shared with our service providers and Sub-Processors:
Third Party Services
Information disclosed pursuant to business transfers:
If our assets are merged with or purchased by a third party, your Personal Information will be transferred to that third party.
Information disclosed for our protection and the protection of others:
We may also release your information when we believe release is appropriate to comply with the law, enforce our Privacy Policies, detect or prevent fraud, security or technical issues, or protect our or others’ rights, property, or safety. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention. Because our servers that store your information are located in the U.S.A., your information may be available to U.S. government entities or agencies under a lawful court order or other legal process in the U.S.
Information we share with your consent:
How long do we retain your information?
When acting as a service provider, we will retain your Personal Information, which we process on behalf of our clients, for as long as needed to provide services to our client, for as long as your account is active, or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We retain your Personal Information for up to sixty (60) days after your account is closed.
How do we protect your information?
We will take reasonable precautions to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once we receive it. For example, our Services sit on secure servers operated by Amazon Web Services (AWS EC2 & ECS). We use a method endorsed by the National Institute of Standards and Technology to protect your passwords. All data transfer takes place over secure HTTP (HTTPS), and we deploy TLS 1.2 for transport layer security. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security.
International transfer of your Personal Information
Given that the Internet operates in a global environment and that, if you operate outside of the United States, transfer of your data is necessary for you to use any of our Services or request information from us, using the Internet to collect and process Personal Information necessarily involves the transmission of data on an international, or cross-border, basis. By accessing any of the Services, and/or communicating with us by email, you acknowledge and voluntarily provide your express consent to our collection, processing, and disclosure of your Personal Information in this way, including our disclosure to Sub-Processors and third parties located in the US and other locations outside the EU.
UAE Data Policy
Personal Data Protection Law
The Personal Data Protection Law, Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data, constitutes an integrated framework to ensure the confidentiality of information and protect the privacy of individuals in the UAE. It provides a proper governance for data management and protection and defines the rights and duties of all parties concerned.
Provisions of the law
Here are some of the provisions of the law in brief:
- The provisions of the law apply to the processing of personal data, whether in full or part through electronic systems, inside or outside the country.
- The law defines the controls for the processing of personal data and the general obligations of companies that have personal data to secure it and maintain its confidentiality and privacy. It prohibits the processing of personal data without the consent of its owner, except for some cases in which the processing is necessary to protect a public interest or to carry out any of the legal procedures and rights.
- The law gives the owner of the data the right to request for corrections of inaccurate personal data and to restrict or stop the processing of his personal data.
- It sets out the requirements for the cross-border transfer and sharing of personal data for processing purposes.
The Personal Data Protection Law is the first federal law to be drafted in partnership with major technology companies in the private sector. It will come into force on 2 January 2022.
Read about Personal Data Protection Law on this private website.
Data and privacy protection
Other laws related to data protection and privacy include:
Consumer protection law
The Federal Law No. 15 of 2020 on Consumer Protection protects all consumer rights, including the data of the consumers and prohibits suppliers from using it for marketing.
Data Protection Law, DIFC Law No. 5 of 2020 – Dubai International Financial Centre
Protection of health data and information
Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology (ICT) in Health Fields (available in Arabic) regulates the use of information and communication technology (ICT) in the health care sector in the UAE, including its free zones. Read more about the law.
Protecting data and privacy online
- Law on combatting rumours and cybercrimes
Federal Decree Law No. 34 of 2021 on Combatting Rumours and Cybercrimes (available in Arabic only) provides a comprehensive legal framework to address the concerns relating to the misuse and abuse of online technologies. It aims to enhance the level of protection from online crimes committed through the use of information technology, networks and platforms.
- Internet Access Management (IAM) policy
Telecommunications and Digital Government Regulatory Authority (TDRA) implements the Internet Access Management (IAM) policy in the UAE, in coordination with National Media Council and Etisalat and Du, the licensed internet service providers in the UAE. Under this policy, online content that is used for impersonation, fraud and phishing and/or invades privacy can be reported to Etisalat and Du to be taken down.
Read more about UAE laws and resolutions concerning activities conducted online.
Electronic Transactions and Trust Services law
The law regulates the validity of electronic documents and boosts the legal value of digital signature and the level of its security. It provides provisions for eTransactions, the way eDocuments should be stored and saved, and sent and received to be valid. It also sets licensing requirements for trust services providers who are duly licensed to create, validate and preserve eSignatures, eSeals and digital certification.
The UAE’s Constitution
Article 31 of the UAE’s Constitution provides for the freedom of communication by means of post, telegraph or other means of communication and guarantees their confidentiality in accordance with the law.
Protection of copyrights, patents, and trademarks
Protection of credit information
Dubai Data law
The government of Dubai passed the Dubai Data law. One of its aims is data protection and privacy of the individual.
UAE Data Office
The UAE Data Office will act as the federal data regulator in the UAE. The office which is affiliated with the UAE Cabinet will be responsible for:
- preparing policies and legislations related to data protection
- proposing and approving the standards for monitoring Personal Data Protection Law
- preparing systems for complaints and grievances related to data
- issuing guidelines and instructions for the implementation of the law.
European Data Privacy
International Transfer of Personal Information: Privacy Shield, and Contractual Terms
Certain European Union residents have additional privacy rights as provided in the GDPR. For such residents, AirRetailer will collect, process, and store your personal information strictly in accordance with the GDPR. The GDPR further governs the transfer of subject personal information from certain European Area countries outside of the European Union. AirRetailer is based in the U.S., the Site and AirRetailer Platform servers are hosted in the U.S., and many of AirRetailer’s suppliers and Sub-Processors are also based in the U.S. or otherwise outside of the European Union. In providing your Personal Information to AirRetailer, your Personal Information will be sent to the U.S. (or otherwise outside of the European Union). In such cases, AirRetailer will transfer such data in accordance with the GDPR and the following transfer mechanisms:
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
AirRetailer is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. AirRetailer complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, AirRetailer is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the Privacy Shield Principles, AirRetailer commits to resolve complaints about our collection or use of your personal information. European Union and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact AirRetailer at: Sales@Airretailer.com. AirRetailer commits to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner, as applicable, and comply with the advice given by the panel or Commissioner, as applicable, with regard to data transferred from the EU and Switzerland, as applicable. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily and you are a European Union or Swiss individual, please contact the panel established by the EU data protection authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner, as applicable. For more information, see Privacy Shield’s informative website here.
Under certain conditions, more fully described on the Privacy Shield Website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
AirRetailer may also enter into European Union Model Contractual Clauses, also known as Standard Contractual Clauses, with its Clients to meet the adequacy, privacy, and security requirements for Our Clients that operate in the European Union, and other international transfers of Client data.
California Data Privacy
California residents have certain privacy rights as specified under California law, including the California Consumer Privacy Act of 2018 (“CCPA”). If you are a resident of California, you have the right to know what personal information has been collected about you, and to access that information. You have the right to request deletion of your personal information, though exceptions under the CCPA may allow AirRetailer to retain and use certain personal information notwithstanding your deletion request.
AirRetailer collects various categories of personal information when you or your employer use the AirRetailer Platform or Services, including travel itinerary location information and personal information related to your business travel bookings. A more detailed description of the information AirRetailer collects and how we use it is provided above in the sections entitled: Personal Information We Collect About You and How We Use It, Rights Related to Your Personal Information, and How, and With Whom, Your Information Is Shared.
In addition to Our collection of your Personal Information, AirRetailer may engage certain third parties to perform a function or provide services to you on behalf of AirRetailer including hosting and maintenance, error monitoring, debugging, performance monitoring, billing, customer and account relationship management, database storage and management, and direct marketing campaigns. AirRetailer may share your Personal Information with these third parties, but only to the extent necessary to perform these functions and provide such services. AirRetailer requires these third parties to maintain the privacy and security of the Personal Information they process on our behalf.
AirRetailer does not sell your Personal Information when you use the AirRetailer Platform or when you use a Service and will not do so in the future without providing you with notice and an opportunity to opt-out of such sale as required by law. AirRetailer does not offer financial incentives associated with the collection, use, or disclosure of your personal information.
AirRetailer will not discriminate against you for exercising any of your CCPA rights. To this end, unless permitted by the CCPA, AirRetailer will not:
- Deny you access to the AirRetailer Platform or Services;
- Charge you a different price or rate for the AirRetailer Platform or Services, including the granting of discounts or other incentives;
- Provide a different or downgraded AirRetailer Platform or Service; or
- Suggest that you may receive a different price or rate for the AirRetailer Platform or its Services or a different or downgraded AirRetailer Platform or Service.
In certain cases, AirRetailer collects and processes your personal information at the contractual obligation of your employer. In order to respond to a verified request, AirRetailer may be required to provide notice to your employer of your request, and to follow your employer’s instructions as they relate to carrying out your request. AirRetailer cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm that the personal information relates to you. Making a verifiable request does not require you to create an account, but we may ask you to verify your request by logging into your account if you have one. We will only use personal information provided by a verifiable consumer request to verify the requestor’s identity or authority to make the request.
To exercise your rights under the CCPA please submit a verifiable consumer request to AirRetailer by either filling out an online call back form here (we will call you back toll-free) or emailing us at Sales@Airretailer.com. Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf may make a verifiable consumer request related to your personal information. You may only make a verifiable consumer request for access to your data twice within a twelve (12) month period. Your verifiable consumer request must: (i) be made by a natural person, (ii) provide sufficient information to allow AirRetailer to reasonably verify your identity and that you are the person about whom we collected personal information, or you are an authorized representative, and (iii) describe your request with sufficient detail that allows AirRetailer to properly understand, evaluate, and respond to your request.
We do not knowingly collect any information from anyone under 13 years of age. The Services are directed to people who are 13 years of age or older. If you believe your child has provided Personal Information through the Services, please contact us as described below.
By post: AirRetailer, New Century City Tower, Office No. 808, Deira, Dubai, UAE. P.O. Box 117402
By email: Sales@Airretailer.com