General GDPR Notice – European Individuals

Effective Date: September 28, 2023

GDPR Privacy Notice

The GDPR privacy notice (this “Notice”), which encompasses both this “General GDPR Notice” and the “Sales GDPR Notice,” is included in our Privacy Policy and applies to the ‘personal data,’ as defined in the General Data Protection Regulation (the “GDPR”), of natural persons located in the European Economic Area or UK processed by Fareportal (collectively, for simplicity, “EEA Individuals,” “you,” or “your”). Any capitalized terms or other terms not defined herein shall have the meaning ascribed to them in the Privacy Policy or, if not defined herein or in the Privacy Policy, the GDPR. To the extent of any conflict between this Notice and the rest of our Privacy Policy, this Notice shall control only with respect to EEA Individuals and their personal data. If you are located elsewhere, please see our Privacy Policy here.

Controller Details

Personal Information We May Collect

Fareportal is the controller of personal data collected regarding EEA Individuals through the Websites, Apps, contact centers, or the Services. This Notice describes our general privacy and security practices in connection with your personal data.

Controller’s EU Representative

Fareportal’s representative in the European Union is Duke’s Court Travel, located at Mill House, 216-218 Chiswick High Rd., Chiswick, London W4 1PD, UK.

Data Storage

Fareportal stores EEA Individuals’ personal data within its U.S. data centers.

Data Transfer

We are self-certified under the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US Data Privacy Framework and; you may have specific rights in relation thereto (see Data Privacy Framework section below). However, in the event of the Data Privacy Framework’s invalidation as a valid data transfer mechanism, we will rely instead on Standard Contractual Clauses for the purpose of providing appropriate transfer safeguards for data transfers to the United States.).

Transfers of personal data to non-EEA based travel suppliers for the purpose of fulfilling your various bookings or purchases (such as flight, hotel, or car accommodations) may also be based on the following derogations in GDPR Article 49, as applicable: (i) for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request (Article 49)(1)(b)); and/or (ii) for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (Article 49)(1)(c)).

Sales and Marketing

More information regarding our sales and marketing activities can be found in our ‘Sales GDPR Notice’ here.

Retention

We retain your personal data based on our relationship with you, the types of personal data collected, and as we otherwise believe is reasonably necessary and proportional for enabling and providing our Services. The criteria that we use to determine our retention periods includes:

• Whether you are a loyalty account holder or not and how frequently you make transactions our Services, log in to your account, or whether you have active loyalty points or gift cards.
• What is reasonably needed to analyze historical travel and booking trends within our customer base to try to provide the most relevant deals and price points.
• Whether or not you’ve signed up for marketing communications and how frequently you interact with those communications (e.g., email open rates).
• What is reasonably needed to protect our Services, such as from a cybersecurity and fraud detection perspective.
• Personal data reasonably needed for purposes of fulfilling your transactions and related events such as actual or potential refunds, chargebacks, cancellations, customer service inquiries, or disputes (and keeping records relating thereto)
• Our relevant legal obligations related to personal data, including records requirements and statutes of limitation.
• What is reasonably needed for the exercise, defense, or exercise of potential legal claims, regulatory inquiries, and similar proceedings.

Information Security

Fareportal has a legitimate interest in ensuring cyber security and detecting possible criminal acts or threats to public security (including to prevent unauthorized access to networks and stopping damage to computers and systems) and employs a variety of technical and organizational measures that require processing certain data to fulfill such purposes.

We follow all PCI-DSS requirements and implement additional generally accepted industry standards (e.g., ISO 27001). For example, your credit card information is encrypted using Secure Sockets Layer technology (SSL).

Our web servers will also log your requesting IP address, the page requested, request time, referrer information, what URL you came from, browser information, and the status of the request (for example, if a page does not exist, a 404 error code will be returned). Such information is used to assist in maintaining the Websites and Apps, ensuring that our Services are available, and preventing malicious or otherwise harmful attacks to our back-end systems.

Governmental Access Requests

Fareportal may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

Corporate Restructuring

In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal data as set forth in our Privacy Policy.

Your GDPR Rights

Natural persons have a right to: (i) request access to, correction and/or erasure of their personal data; (ii) object to processing of their personal data; (iii) restrict processing of their personal data; and (iv) request a copy of their personal data, or have a copy thereof sent to another controller, in a structured, commonly used, and machine readable format under the right of data portability. These rights may be exercised by contacting privacy@fareportal.com with the subject line, “GDPR Notice.”

Objecting to Legitimate Interest/Direct Marketing

Natural persons may object to personal data processed pursuant to Fareportal’s legitimate interest. In such case, Fareportal will no longer process their personal data unless Fareportal demonstrates appropriate overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. Natural persons also may object at any time to processing of their personal data for direct marketing purposes. In such case, their personal data shall no longer be used for that purpose. In cases of email marketing (or similar channels, such as push notifications), natural persons will be able to fulfill such rights directly via an ‘Unsubscribe’ link or similar mechanism (e.g., device settings for push notifications), but may always reach out to privacy@fareportal.com with the subject line, “GDPR Notice.”

Please note that if you opt-out of receiving direct marketing from us, we may still send you important administrative messages via email from which you cannot opt out (e.g., booking confirmations).

Right to Lodge a GDPR Complaint

In accordance with GDPR Article 77, natural persons also have the right to lodge a complaint about Fareportal’s processing of their personal data with a competent supervisory authority, in particular in the member state of their habitual residence or place of work, or where an alleged GDPR infringement took place, as applicable.

Further, as applicable, natural persons may exercise their third-party beneficiary rights under Fareportal’s Standard Contractual Clauses.

Contact details for the EU data protection authorities can be found at:
http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

Use of Our Services by Minors

Fareportal’s services are not directed to individuals under the age of eighteen (18), and we request that they not provide personal data to Fareportal through any means.

Updates to this Notice

If, in the future, we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately (either within this Privacy Policy or elsewhere), and the “Effective Date” at the top of this page will be updated accordingly.

Data Privacy Framework

Note: This Data Privacy Framework section applies only to personal data processed pursuant to the EU-US Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) (collectively the “DPF”).

Important Notice for Individuals of the European Economic Area and Switzerland
Fareportal complies with the DPF requirements, as set forth by the US Department of Commerce. Fareportal has certified to the Department of Commerce that it adheres to the EU-U.S. DPF Principles with respect to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Fareportal has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the policies in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the DPF program, and to view our certification page, please visit https://www.dataprivacyframework.gov/.

Fareportal is subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”).

EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Complaints
In compliance with the DPF Principles, Fareportal commits to resolve complaints about your privacy and our collection or use of your personal data transferred to the United States pursuant to the DPF Principles. European Union, United Kingdom, or Swiss individuals with inquiries or complaints regarding this Privacy Policy should first contact Fareportal at privacy@fareportal.com with the subject line, “Data Privacy Framework.”

Fareportal has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, the BBB National Programs Data Privacy Framework Services , a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Data Privacy Framework Annex 1 at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

Onward Transfer to Third Parties
Like many businesses, we hire other companies to perform certain business-related services. We may disclose personal data to certain types of third-party companies but only to the extent needed to enable them to provide such certain business-related services on our behalf as our “agents” (as such term is utilized under the DPF). The types of companies that may receive personal data and their functions are: hosting services, technical assistance, database management/back-up services, information security and fraud detection services, analytics and marketing providers, and contact centers. All such third parties function as our agents, performing services at our instruction and on our behalf pursuant to contracts which require they provide at least the same level of privacy protection as is required by this Privacy Policy and implemented by Fareportal and notify us if they are no longer able to provide such protections, at which point we will take reasonable remedial steps. We may also disclose personal data to our affiliates in order to support marketing, sale and delivery of any services, or other business operations as disclosed in this Privacy Policy.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Fareportal’s accountability for personal data that it receives under the DPF and subsequently transfers to a third party is described in the DPF Principles. In particular, Fareportal remains responsible and liable under the DPF Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Fareportal proves that it is not responsible for the event giving rise to the damage.

Opt-In and Opt-Out to Certain Onward Transfers
Individuals have the opportunity to opt-out of sharing of their personal data with third parties other than our agents or before we use it for a purpose other than which it was originally collected or subsequently authorized. To limit the use and disclosure of your personal data, please submit a written request to privacy@fareportal.com, with the subject line “Data Privacy Framework.”

We will not disclose your sensitive personal data to any third party without first obtaining your opt-in consent. You may provide your consent by sending us an email at privacy@fareportal.com.

In each instance, please allow us a reasonable time to process your response.

Your DPF Rights
Upon request to privacy@fareportal.com with the subject line, “Data Privacy Framework,” we will provide you with confirmation as to whether we are processing your personal data pursuant to the DPF, and have such data communicated to you within a reasonable time. You have the right to access, correct, amend, or delete the personal data processed pursuant to the DPF where it is inaccurate or has been processed in violation of our privacy disclosures to you, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. We may require payment of a non-excessive fee to defray our expenses in this regard. Please allow us a reasonable time to respond to your inquiries and requests.

Retention of Personal Data
We will retain the personal data processed pursuant to the DPF in a form that identifies you pursuant to our retention policy above. We may continue processing such personal data for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of our privacy disclosures. After such time periods have expired, we may either delete your personal data or retain it in a form such that it does not identify you personally.

How We Protect Your Data
Fareportal takes very seriously the security and privacy of the personal data that it collects pursuant to the DPF. Accordingly, we will implement reasonable and appropriate security measures to protect your personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of such data, and to comply with applicable laws and regulations.

For the privacy policies of our other websites, please click here:

www.cheapoair.co.uk/privacy/, www.cheapoair.ca/privacy/, www.onetravel.com/info/privacy-policy/

Contacting Us

If you have any questions regarding our privacy practices, please contact us via email at privacy@fareportal.com with the subject line, “GDPR Notice,” or write to us at:

CheapOair.com c/o Fareportal Inc.
135 West 50th Street,
Suite 500 New York, NY 10020
Attn: Customer Service/Privacy

Because email communications are not always secure, please do not include credit card or other sensitive information in your emails to us.