ATTG Global Privacy Policy – 01/05/22

Last updated: 01/05/2022

1. Introduction

Atlas Travel & Technology Group, Inc., a travel management and technology company, with headquarters in Marlborough, MA, including its brands, related corporate businesses, or affiliates; Atlas Travel, Atlas Travel Home, Atlas Travel & Technology, Ltd. and Prime Numbers Technology, LLC., (collectively, “ATTG”, “we”, “our”, or “us”), respects your privacy and is committed to honoring the confidence our clients, business partners and our workforce place in us.

Your privacy is extremely important to us. We have created this Privacy Policy (“Policy”) to demonstrate our firm commitment to data protection and compliance with global privacy laws. This Policy describes what personal data we collect about you, how we collect it, how we use it, with whom we may share it, and what choices you have regarding our use of your personal data. We also describe the measures we take to protect the security of your personal data and how to contact us.

This Policy applies to ATTG’s business managed travel and related services where we provide travel related services to corporations, individual travelers, and independent travel consultants as well as leisure services and meetings and events services that may be provided to you, including related services on ATTG websites and applications that display or link to this Policy (hereinafter collectively, the “Services”)

We encourage you to read this Policy carefully and in its entirety as it relates to your rights regarding the processing of your personal data. As a user of our Services, you understand and agree that we collect, use, store, and disclose your personal data in accordance with this Policy.

Our privacy practices vary amongst countries in which we operate to reflect local legal requirements. ATTG complies with applicable data protection laws in the jurisdictions in which it operates in its handling of personal data.

ATTG serves as both a controller and processor of personal data. When you engage our services as a technology company, ATTG is a data processor for personal data. For all other services where we collect personal data, ATTG is a controller.

2. What personal data does ATTG collect?

In the course of providing its Services, ATTG may collect, use, store, and disclose personal data. Personal data is any information that can be used to identify you or that we can link to you. You, as traveler or user of the Services, may be asked to provide certain personal data when you use our Services, such as:

• Names and contact information (work and home/mobile phone, fax, email, address);
• Traveler arranger/event booker and emergency contact names and information;
• Traveler/Attendee preferences and trip/meeting details (e.g. routings, class of service, seat preferences, frequent flyer data, meal preferences, hotel/rail/car and other ground transportation membership data and preferences, special accommodation requests, other personal data voluntarily supplied by you via your profiles, surveys, or other requests);
• Travel documentation (e.g. passport/visa/national id/driver’s license number, TSA number, citizenship, date of birth, gender);
• Payment data (corporate/personal credit cards) and bank information; and
• Login credentials, user IDs, employee IDs, IP addresses, and browsing information.

Other examples of personal data that we may collect include:

• From employment applicants, we or our service provider will collect contact and identification information, such as name, address, telephone number, e-mail address, date and place of birth, driver’s license number and employment history information;
• From business customers, customer relationship information, such as business contact information.
• If you use the ATTG mobile app, the app collects location data to display the real-time risk alerts and personalized assistance notification features, even when the app is closed and not in use. This option can be changed later by going to the device settings.

In some circumstances, we may collect personal information from you which may be regarded as sensitive information under your local data protection laws. Sensitive information may include (without limitation) your racial or ethnic origin, philosophical or religious beliefs or affiliations, sexual preferences or practices, criminal record and the alleged commission of an offence, membership of political, professional or trade associations, biometric and genetic information, passwords and financial information and health information. Please note that, when necessary for travel arrangements, we may collect from a responsible adult personal information relating to a child of any age, but we do not knowingly collect any such information directly from children.

We will only collect sensitive information in compliance with your local data protection laws, with your consent and where it is reasonably necessary for, or directly related to, one or more of our Services. (e.g. to make travel arrangements), unless we are otherwise required or authorized to do so by law. To the extent permitted or required under your local data protection laws, you consent to us using and disclosing your sensitive information for the purpose for which it was collected, unless we subsequently receive your consent to use it for another purpose. For example, if you provide health information to us in connection with a travel insurance application you would like to make, you consent to us using and disclosing that health information in connection with arranging that travel insurance on your behalf. A further example is if you disclose your religious beliefs to us because you are interested in, for example, certain holiday packages, in which case you consent to us using and disclosing that information in connection with facilitating your request. We will not use sensitive information for purposes other than those for which it was collected, unless we subsequently receive your consent to use it for another purpose.

If you submit any personal data relating to other people in connection with the Services (e.g. if you make a reservation for another individual, or provide an emergency contact), you represent that you have the authority to do so and that you have informed them we will collect, use, store, and disclose such personal data in accordance with this Policy.

3. How does ATTG collect personal data?

ATTG collects personal data:

• Directly from you when you access various parts of our Services, including when you communicate with us via email, contact form, job application or other channels;
• From other sources, for instance, including the company you are employed by or are otherwise traveling or attending a meeting on behalf of and your company’s third parties who may send us your personal data on your or your company’s behalf; and

From the network of websites and applications accessible through or utilized by our Services and our company, including third party suppliers (e.g. airlines, hotels, payment card providers) and our ATTG related companies, affiliates, subsidiaries, joint ventures, partners, subcontractors, and agents. This includes personal data we collect automatically through our websites and applications, for instance by using cookies and similar technologies.

4. How does ATTG use personal data and on which legal bases?

ATTG collects and uses your personal data for specified, explicit, and legitimate purposes as described in this Policy and does not process your personal data further in a manner that is incompatible with those purposes.

ATTG uses personal data to:

1. Provide its Services and fulfill its obligations to companies, groups and individuals (e.g. complete and administer travel reservations, meeting and event management, assist in managing the travel as well as the meeting, provide reporting and analytics based on the Services, provide notices about your account and the Services, inform you of updates to our websites and applications and other changes to our products or Services).
2. Communicate with you via various multi-media channels (for instance, by email, post, phone, or ATTG’s websites or applications) and to provide you with customer service.
3. Understand how our websites and applications are used and provide a customized experience as you use our Services, such as by providing interactive or personalized elements on our Services and providing you with content based on your interests (for more information, see the Section below titled “How does ATTG handle “do not track” requests and use “Cookies” and other similar technologies?”).
4. Fulfill a request made by you or your company (e.g. travel/meeting based reporting, questions, booking requests, or other requests about your personal data). Automated decision-making may be used to process some requests to assist in delivering faster and more reliable Services to you and/or your company (e.g. rerouting your request to the appropriate department, sending automatic replies). Important decisions will always be reviewed by an ATTG employee.
5. Send you newsletters, marketing emails, and other information or materials that may interest you or showing personalized advertisements. Where required, we will obtain your consent before sending such marketing messages or showing personalized advertisements.
6. Conduct surveys (e.g. traveler/attendee, client satisfaction) and review the quality and performance of our services for customer satisfaction purposes.
7. Carry out our obligations and enforce your, our, or other’s rights as we believe reasonably necessary (e.g. billing and collection, fraud prevention, comply with legal obligations, and respond to legal proceedings or requests from legal authorities and law enforcement or other third parties).

To process your personal data as described above, ATTG relies on the following legal bases. In view of purpose A, we process your personal data where necessary for the performance of the contract we have with your company and/or you, which allows us to deliver our Services to you. In view of purpose B to F, we rely on our legitimate business interest to provide and improve our Services. For purpose G, ATTG relies where applicable on compliance with legal obligations. We rely on our legitimate business interest to prevent fraud and to protect our rights. When using personal data to serve ATTG’s or a third party’s legitimate interest, ATTG will always balance your rights and interests in the protection of your personal data against ATTG’s rights and interests or those of the third party.

5. Who does ATTG disclose personal data to and why?

We do not and will not sell, rent out or trade your personal information. We will only disclose your personal information to third parties in the ways set out in this Policy and, in particular, as set out below, and in accordance with your local data protection laws. Note that, in this Policy, where we say “disclosed”, this includes to transfer, share (including verbally and in writing), send, or otherwise make available or accessible your personal information to another person or entity.

Personal data may be collected and shared with or disclosed as required for the provision of Services to:

• ATTG and its related companies, affiliates, subsidiaries, joint ventures, partners, subcontractors, and agents as necessary to fulfill and support the Services, including emergency bookings and assistance, ticket issuance, responding to requests, and assessing or offering promotions.
• Other companies ATTG uses to support its business who provide ancillary services (e.g. fulfillment, surveys, storage, statistical analysis, technology, development, credit checks (as applicable)).
• Your company for travel based and meeting and event based reporting, auditing, tracking and other purposes as necessary with your company, including those of its personnel they request we send or make personal data available to.
• Third party service providers you or your company request we send personal data to (e.g. providers who secure compensation for delayed, canceled, or overbooked flights on behalf of travelers; safety and tracking information providers; companies providing weather information, travel alerts, and destination content through solutions and tools; entities who collect travel information on behalf of airline carriers for the purpose of such entities forwarding it on to certain airlines for tracking of negotiated fares between airlines and your company; successor organizations; transfer/ground transportation companies; convention bureaus; companies that provide an event mobile app; congress registration providers and other travel management companies or event agencies).
• Third party service providers to complete travel and meeting arrangements and reservations and fulfill the Services (e.g. Global Distribution Systems (GDSs); airlines, trains, rental car and other ground transportation companies, hotels, cruise lines, destination management companies, and other related meeting and travel suppliers for booking/ticketing purposes; industry reporting authorities; equipment and technology vendors, including, without limitation, online booking tool providers, meeting registration software providers (including onsite and mobile event management solution providers), and audio visual companies; visa and passport providers; credit card companies and payment collection and processing companies).
• Other third parties as we believe is reasonably necessary in accordance with applicable laws, including laws outside your country of residence to: (i) satisfy laws, regulations, or governmental or legal requests and processes; (ii) identify, contact, or bring legal action against someone who may be violating our terms of use or policies or otherwise enforce our terms and policies; (iii) operate the Services properly; or (iv) protect ATTG and those it serves, including pursuing available remedies or to limit damages that may be sustained (e.g. exchanging information with other companies and organizations for the purposes of fraud protection and risk reduction).

Data consolidation companies may also be used by ATTG or your company for the purpose of creating reports and related statistics for benchmarking or other related purposes, including, without limitation, utilizing cumulative statistical data, which may incorporate data acquired from your company for ordinary business purposes customary in our industry and the Services we provide, but without identifying, directly or indirectly, you or your company.

ATTG may be acquired, merge with another business, sell, or liquidate its assets, acquire, or buy other businesses or assets. In such transactions, personal data is generally one of the transferred business assets. In the event of an acquisition, sale, liquidation, or merger, your personal data and non-personal identifying information may be automatically assigned by us in our sole discretion to a third party, in accordance with applicable laws.

6. Does ATTG disclose personal data across borders?

ATTG is a global company that provides travel and event management related services and therefore, transferring your personal data internationally is necessary for the provision of our Services. When sharing with or disclosing personal data to other parties, including to ATTG’s related companies, affiliates, subsidiaries, joint ventures, partners, subcontractors, and agents who provide Services and maintain facilities, your personal data may be transferred to countries with data protection laws providing a lower standard of protection for your personal data than your country.

We will transfer your personal data in compliance with applicable data protection laws, including having adequate mechanisms in place to protect your personal data when it is transferred internationally (e.g. Standard Contractual Clauses, data protection agreements). If you have questions or wish to obtain more information about the international transfer of your personal data or the implemented safeguards, please contact us as provided in this Policy.

7. How does ATTG store and protect personal data?

Typically, ATTG stores personal data on its servers managed internally in the United States and with third party storage providers.

ATTG uses appropriate technical and organizational security measures to protect the personal data ATTG holds on its network and systems from unauthorized access, disclosure, destruction, and alteration. We conduct periodic reviews of our data collection, storage, processing, and security measures to verify we are only collecting, storing, and processing personal data that is required for our Services and to fulfill our contractual obligations. While we make every effort to protect the integrity and security of our network and systems, we cannot guarantee, ensure, or warrant that our security measures will prevent illegal or unauthorized activity related to your personal data. When using our Services, you should be aware that no data transmission over the Internet can be guaranteed as totally secure. Although we strive to protect your personal data, we do not warrant the security of any data and information that you transmit to us over the Internet and you do so at your own risk.

In order to protect your personal data, we kindly ask you to not send us credit card information or other similar sensitive personal data, including special categories of personal data, to us via email. We also encourage you to keep your password confidential and not disclose it to any other person. If you are sharing a computer with anyone you should log out before leaving a website or service to protect access to your password and personal data from subsequent users. Please alert us immediately if you believe your password or any of your personal data has been misused while using ATTG Services and applications. Please note, we will never ask you to disclose your password or credit card information in an unsolicited phone call or email.

8. How long does ATTG keep my personal data?

ATTG retains personal data for the period necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by applicable law. When determining how long to retain personal data, we take into account the necessity of the personal data for the provision of our Services, applicable laws and regulations, including data protection laws, and our legal obligations. We may retain records to investigate or defend against potential legal claims. When retention of the personal data is no longer necessary, the data will be deleted or aggregated for analytic purposes.

9. What about ATTG applications?

ATTG makes available its online applications (mobile and web based) for download from various application marketplaces. ATTG collects usage information for us to improve the application and to deliver a better and more personalized experience. ATTG may follow information on your use of our applications (e.g. anonymized statistics on the daily number of visitors, the daily requests for specific usage elements, tracking interest, who has posted content, the countries from which applications and Services are accessed). We use these statistics exclusively for measuring activities and for improvement or adaptation of Services for your benefit. We may also use Google Analytics or other analytics tools and methods to develop anonymized user statistics as described in our Cookie Policy (https://atlastravelandtechnology.com/attg-cookie-policy/). ATTG uses such statistics for the analysis of activities, the improvement of Services, communicating findings, and product improvements to your company and other ATTG clients and prospective clients. Such statistics do not contain personal data and cannot be used for the collection of personal data. In accordance with the applications’ terms of use, certain information about you (which may include your email address, itinerary data, and other information you provide voluntarily) may be shared with third parties as stated in this Policy. Please note that once you leave ATTG websites and applications for others, including, but not limited to, virtual assistants or other applications, the privacy policies of the other websites or applications shall apply.

10. What about links to third party websites and services?

Our Services may contain links to third party websites. Some of these websites may allow you to purchase products and services, register to receive materials, or receive new product and service updates. In many cases, you may be asked to provide contact information such as your name, address, email address, phone number, and credit/debit card information. If you use these third-party websites and/or provide your personal data and information, the privacy policy and terms of service on those websites are applicable. We encourage you to carefully read such policies on third party websites before submitting your personal data. ATTG is not responsible for and expressly disclaims any and all liability related to the actions of such websites, their privacy policies, or the terms and content of such websites.

11. How does ATTG handle “do not track” requests and use “Cookies” and other similar technologies?

We do not currently commit to responding to browsers “do not track” signals with respect to ATTG websites and applications. We process your personal data through our websites and applications in accordance with this Policy, irrespective of your tracking settings.

We may automatically collect information using “cookies”. You may choose to refuse cookies in your browser (please refer to the “Cookies” link below) however, that may limit your ability to receive some or all of our Services and/or some features may not be available to you or may not function properly as a result. Where required under applicable law, ATTG will obtain your consent prior to collecting information by using cookies. Additional information on “Cookies” and how the ATTG website uses them can be found here https://atlastravelandtechnology.com/attg-cookie-policy/.

12. Does ATTG collect personal data of children?

ATTG does not knowingly collect personal data directly from children under 18. Individuals under 18 years of age should not use our Services to submit any personal data about themselves.

We may collect information about children provided with the express consent of their parent or guardian (for example in the case of a family travel booking). If we become aware that a child under 18 has provided us with personal information without such consent, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact our support services.

13. What are my rights with respect to my personal data?

You may choose what personal data (if any) you wish to provide to us. However, if you choose not to provide certain details, your experience with some or all of our Services may be affected.

To the extent required by applicable law, you have the ability to exercise various rights with regard to your personal data (i.e. access, correction, erasure, restriction, objection, portability, etc.). ATTG will handle such requests in accordance with applicable law, including in the time specified by applicable law, and where permitted by applicable law, may charge a reasonable administrative fee to cover the costs of responding to any such request. Where processing is based on consent, you have the right to withdraw consent at any time if required by applicable law, without affecting the lawfulness of processing based on your consent before your withdrawal.

In some jurisdictions, in addition to you agreeing to this Policy, data privacy or protection laws may require us to obtain a separate express consent for processing of your personal data. Your consent may also be implied in some circumstances, as permitted by applicable law, such as when communications are required to fulfill your requests.

14. How can I exercise my rights or make complaints?

If you wish to exercise any of your rights as described in this Policy, or have any questions about this Policy, you (or, in accordance with applicable law, someone on your behalf), can contact us as follows:

Email: SecurityAndCompliance@atlastravel.com

Postal Mail:

Atlas Travel & Technology Group, Inc.

Attn: Security and Compliance

200 Donald Lynch Boulevard – Suite 103

Marlborough, MA 01752

In the United Kingdom, you may contact us at:

Email: EU-SecurityAndCompliance@atlastravel.com

Postal Mail:

Atlas Travel and Technology, LTD

New Broad Street House – Suite 216

35 New Broad Street

London EC2M 1NH

ATTG will respond to your request via the email address you use to exercise your request, the phone number that you have registered with us or we otherwise have on file for you, or any other suitable method. Depending on your request, we may review the request with you and/or your company to assist in resolving and responding to the request.

We are committed to working with you to obtain a fair resolution of any complaint or concern you may have about our use of your personal data. If, however, you believe that we have not been able to assist with your complaint or concern, you may have the right to make a complaint to the data protection authority in your country (if one exists in your country).

15. EU Representative

If you are based in the EU, ATTG has appointed DataRep as its Data Protection Representative for the purposes of GDPR, so that you can contact them directly in your home country. DataRep has locations in each of the 27 countries and Norway & Iceland in the European Economic Area (EEA). If you want to pose a question regarding our processing of your personal information or otherwise exercise your rights (explained above) in respect of such processing, you can contact DataRep by:

• Sending an email to DataRep at datarequest@datarep.com, quoting Atlas Travel & Technology Group in the subject line.
• Using the online webform available at datarep.com/data-request
• Sending a letter to one of the addresses listed here

When sending letters, it is essential to address them to “DataRep”, and not to “Atlas Travel & Technology, Group” or your inquiry may not reach us.

On receiving your communication, DataRep may request evidence of your identity, to ensure your personal information is not provided to anyone other than you.

If you have any concerns over how DataRep will handle the personal data they will require to undertake their services, please refer to their privacy policy at www.datarep.com/privacy-policy.

16. How are changes to this Policy handled?

ATTG reviews the policy annually, at a minimum, and reserves the right to revise, amend, or modify this Policy at any time and in any manner. When we post changes to this Policy, we will update the “last updated” date at the top of this Policy and we encourage you to regularly check this Policy for changes.

17. Privacy Shield Notice

ATTG participates in and complies with the EU–U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively, “Privacy Shield Frameworks”) as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data of individuals in the European Union (“EU”), the United Kingdom (“UK”) and Switzerland. ATTG has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. ATTG is committed to subjecting all Personal Data received from the EU member countries, Switzerland and the UK in accordance with the Privacy Shield Principles. Please note that we do not rely on the EU-U.S. Privacy Shield as a data transfer mechanism. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

ATTG remains accountable for onward transfers of EU, UK and Swiss personal data to third party agents acting on ATTG’s behalf, where those parties have processed personal data in a manner inconsistent with the Privacy Shield Principles, unless ATTG proves it is not responsible for the event.

ATTG’s commitments under the EU-U.S. Privacy Shield are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), or any other U.S. authorized statutory body in relation to the Privacy Shield, and the requirement to disclose personal data in response to a lawful request by any public authority, or to meet national security or law enforcement requirement in the U.S. ATTG commits to making public any order from the FTC or a court relating to any non-conformance to the principles of the Privacy Shield.

You may direct any inquiries or complaints related to our Privacy Shield compliance to the contact information above. If you have any unresolved privacy or data use concern that we have not addressed satisfactorily with regard to our participation in the Privacy Shield Frameworks, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request or http://go.adr.org/privacyshield.html.

In the EU/EEA and Switzerland you have the right to lodge a complaint with the data protection authority of your country where you believe that your rights have been violated at https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm or https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/task.html, respectively.

Finally, as a last resort and under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. For more information on binding arbitration, see U.S. Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration), available at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

ATTG has further committed to cooperate with the EU data protection authorities (DPAs) for EU employees, and the Swiss Federal Data Protection and Information Commissioner for Swiss employees, with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU or Switzerland, respectively, in the context of the employment relationship.

18. Employee Information

In the course of employment at ATTG, we may process personal information as described above for the purposes of your ATTG business travel and meetings & events. For other purposes and processing that relate to your employment, please refer to relevant company policies and notices.