Last Updated: February 10, 2020
We at Yapta, Inc. (“Yapta”) are committed to protecting privacy.
Our corporate and consumer services help save our customers money on travel by alerting or automatically reticketing to lower fares for both flights and hotels.
We may have to collect personal data to provide enough detail to find and track airfare and hotel pricing for a match. The information added either by site visitors providing their contact information, by a consumer adding information, or through the integration of our services to Global Distribution Systems, is stored and managed on Yapta’s servers. This information is then either used to contact visitors about their interest in the company’s goods or services, to interact with the company, or to track and alert users to lower fares.
You want to review each of these sections on this page:
- Our Policy Aims
- Your Rights
- Disclosing Your Personal Data to Third Parties
- International Transfers of Your Personal Data
- Sharing of Information among Yapta Entities
- Storage, Retention, and Deletion of Your Personal Data
- Data Security
- Other Jurisdictions
- Policy Changes
- Contacting Us
- Data Protection Officer
1.4 Personal data refers to any information relating to an identified or identifiable natural person (“data subject”), where this identification can be made directly or indirectly, by means of identifiers such as your name, your travel itineraries, passenger name records (“PNRs”), ticketing information, email address, phone number, online identifiers such as cookies in some circumstances, your location, your genetic, economic, cultural or social identity or other information that is specific to you.
1.5 We do not mean information that only refers to a business corporation or organization. We also do not mean information that has been “anonymized,” either by removing or de-identifying all specific identifiers. Anonymous data is not personal data when the anonymization is irreversible. When we refer to anonymous data, we mean data that cannot be reversed into personal data.
1.6 As a data controller, we commit ourselves to protecting the privacy of our website visitors and users of our products and services with respect to the processing of your personal data.
1.7 Certain Yapta Services require users to upload or otherwise submit travel related information, including information about individual travel itineraries, passenger name records (“PNRs“), ticketing information, booked fares, service fees, and related travel data (collectively, “Your Data“). As between you and us, you agree that you are solely responsible for Your Data. Without limitation, you are responsible for the accuracy, relevance and timeliness of Your Data. You are also responsible for securing all rights and/or permissions needed for Yapta to use Your Data.
1.8 Where we collect and process your personal data, we will limit the collection and retention to what is adequate, relevant and necessary for our purposes and it will be kept in a form which allows for your identification no longer than necessary for the purpose for which we process your personal data. We refer to this as data minimisation.
1.9 Where we store your personal data for longer periods for statistical purposes, as permitted, we will use appropriate safeguards. Applicable law defines ‘statistical purpose’ as any collection of personal data, where the result of processing is for aggregate data, so the personal data we collect from you is anonymized or pseudonymized.
1.10 Our policy provides you with the legal bases for the collection of your personal data, lets you know how long personal data is stored and the reasons why, and how in some circumstances, they are necessary to retain. The length of this retention and how you may choose to request that we delete some or all your personal data and the consequences of the deletion are explained in this policy.
1.11 Some of the legal bases we rely on are contractual and service necessity, consent, legitimate interests and compliance with legal obligations.
1.13 We strive to keep the policy easy to understand and transparent, and so we refrain from overuse of technical information. If you wish to have further details on how we process your personal data, please contact us.
2.1 We try to ensure that the users of our products and services always have an open line of communication with us. You can contact us at any time if you have any questions, queries or requests about your personal data and, if European law applies to the processing of your data, about your right to request access to, modify, remove or export your data, or object to our processing of your data.
2.2 If you contact us to obtain the necessary information and action changes, corrections or deletions of your personal data, we will action your request within one month of receiving a request from you concerning any one of your rights as a data subject. Should we be inundated with requests or particularly complicated requests, the time limit may be extended to a maximum of another two months.
- Online activities
- Any personal data collected from you when you visit our websites or use our products or services.
- Phone contacts
- Any personal data collected from you when you call us for sales or customer support.
- Any personal data collected from you at a “live” or in-person event such as a trade show.
- Other circumstances
- Any personal data collected from you when you contact us by email.
5.1 We are required to disclose your personal data to unrelated third parties in limited circumstances:
- where necessary to satisfy a legitimate government request or order;
- in compliance with a legal requirement by a court of law or in the public interest;
- in response to a third-party subpoena, if we believe on the advice of our attorneys that we are required to respond;
- if we obtain your permission; or
- if necessary to defend ourselves or our users (for example, in a lawsuit).
6.1 We are an international business that provides its products and services all around the world. In order to reach all of our users and provide all of them with our services, we operate on an infrastructure that spans the globe. The servers that are part of this infrastructure may therefore be located in a country different than the one where you live. In some instances, these may be countries outside of the European Economic Area (“EEA”), where the level of protection provided by the laws of these countries may be different than the high standard enshrined in the GDPR. Regardless, we provide the same GDPR-level of protection to all personal data it processes.
At the same time, when we transfer personal data outside of the EEA, we always make sure to put in place appropriate and suitable safeguards, such as standardized contracts approved by the European Commission, which legally bind the receiving party to adhere to a high level of protection, and to ensure that your data remains safe and secure at all times and that your rights are protected.
Situations where we transfer personal data outside of the EEA include provision of our products and services, processing of transactions and your payment details, and the provision of support services.
7.1 Our data collection and management practices do not vary by location. We follow the same “data minimisation” procedure with respect to all personal data in our possession, regardless of the jurisdiction from which it was collected, and regardless of whether the data is transferred from one member of the Yapta Group to another.
7.2 We reserve the right to store and use the information collected by our software and to share such information among the Yapta Group to improve our current and future products and services, to help us develop new products and services, and to better understand the behaviour of our users.
7.3 Any reference in this policy to “Yapta Group” means its, direct and indirect, parent companies and any company that is, directly or indirectly, controlled by or under common control by Yapta, Inc.
8.1 Storage of Information
We store information that we collect on our servers or on the servers of our subsidiaries, affiliates, or contractors who are working on our behalf.
The data on our servers can only be accessed from our physical premises, or via an encrypted virtual private network (“VPN”). Access is limited to authorised personnel only, and company networks are protected, and subject to additional policies and procedures for security.
8.2 Access by our contractors
We or our subsidiaries, affiliates, or contractors who are working on our behalf undertake regular maintenance of your personal data. All third parties must agree to observe the privacy of our users, and to protect the confidentiality of their personal information. This means your personal data cannot be shared with others, and there must be no direct marketing by the third parties.
8.3 Retention and Deletion of Your Personal Data
For each type of data, we set retention timeframes based on the reason for its collection and processing. Some data you can delete whenever you like, and some data is deleted automatically as soon as we do not need it for our legitimate business or legal purposes. We do not delete data that we need for our legitimate or legal purposes, even upon request, until the purposes expire. We also take steps to anonymize certain data within set time periods. We may also amend the personal data we keep in such a way that you cannot be identified, for example, by hashing. We may retain a “key” to the hashing, but we will securely store it separately from the hashed data.
When the data is deleted, we remove it from our servers or retain it only in anonymized form.
8.4 The following describes why we hold onto different types of data for different periods of time:
- We keep your data for the life of your account, if it’s necessary for the service (such as support or communication) or if it helps us understand how users interact with our features and how we can improve Yapta Services.
- If you registered an account with us, we will keep data in your account until you choose to delete the account.
- If you subscribe to a recurring newsletter, we will keep your information to continue to fulfil your subscription request.
We have business and legal requirements that require we retain certain personal data, for specific purposes, for an extended period of time.
8.5 Reasons we might retain some data for longer periods of time include:
- Security, fraud & abuse prevention
- Financial record-keeping
- Complying with legal or regulatory obligations, including for investigations, enforcement, or when legally actionable
- Ensuring the continuity of Yapta Services
- Direct communication with you for support and marketing.
What are cookies?
A cookie is a file containing an identifier, a string of letters and numbers, that is sent by a web server to the web browser you are using to access this site and is stored by that browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date (e.g. 30 days), unless deleted by the user before the expiry date; a session cookie will expire at the end of the user session, when the web browser is closed.
- recognize a computer when a user visits the website
- track users as they navigate the website
- improve the website’s usability
- analyze the use of the website
- administer the website
- improve the security of the website
- personalize the website for our users
Can a User refuse to accept cookies?
Yes. Even if you refuse to accept cookies from Yapta, you can still access the website and use Yapta services. Certain functionality, such as automatically logging in the user and preferred user settings may need to be redone at the start of each visit.
Managing Cookies by Browser
Browsers have functionality that allows users to block, allow and delete cookies. If you want to know more about how to remove or block cookies, please access the Help guide for the browser you are using. Searching their Help menu for key words or phrases such as “delete cookie” will result in details on how to manage cookies on your device.
9.1 Safeguards for protection of personal information
We maintain administrative, technical, and physical safeguards for the protection of your personal data.
9.2 Administrative safeguards
Access to the personal data of our users is limited to authorized personnel who have a legitimate need to know based on their job descriptions, for example, employees who provide support to end users, or who service user accounts. In the case of third-party contractors who process personal information on our behalf, similar requirements are imposed. These third parties are contractually bound by confidentiality clauses, even when they leave. Where an individual employee no longer requires access, that individual’s credentials are revoked.
9.3 Technical safeguards
We store your personal information in our database using the protections described above. In addition, we utilize up-to-date firewall protection for an additional layer of security. We use high-quality antivirus and anti-malware software, and regularly update our virus definitions. Third parties who we hire to provide services and who have access to our users’ data are required to implement privacy and security practices that we deem adequate.
9.4 Physical safeguards
Access to user information in our database by Internet is not permitted except using an encrypted virtual private network (VPN). Otherwise, access is limited to our physical premises. Unencrypted removal of personal data from our location is forbidden. Third-party contractors who process personal data on our behalf agree to provide reasonable physical safeguards.
We strive to collect no more personal data from you than is required by the purpose for which we collect it. This, in turn, helps reduce the total risk of harm should data loss or a breach in security occur. The less data we collect, the smaller the overall risk.
9.6 Notification in the event of breach
In the unlikely event of a breach in the security of personal data, we will notify all users who are actually or potentially affected.
We may tailor the method of notice depending on the circumstances. Where the only contact information that we have for you is an email address, then the notification will necessarily be by email. Where we believe there are affected users for which we have no contact information on file, we may give notice via publication on our company website.
We reserve the right to delay notification if we are asked to do so by law enforcement or other authorities, or if we believe that giving notice immediately will increase the risk of harm to our user body overall.
10.1 Your California Privacy Rights
11.3 Where the changes are major, we will notify you through posts on our website and by email notification.
12.1 We are registered as Yapta, Inc. and our registered address is 401 2nd Ave S, Suite 101, Seattle WA 98104 United States.
12.2 Dispute Resolution
If you do not receive timely acknowledgment of your complaint, or if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
12.3 Contact Detail
You can reach us by email at email@example.com. Please type “PRIVACY REQUEST” in the message line of your email so we can have the appropriate member of the Yapta team respond.
You can send postal mail to Yapta, Inc., 401 2nd Ave S, Suite 101, Seattle WA 98104 United States. Be sure to write “Attention: PRIVACY” in the address so we know where to direct your correspondence.
13.1 As required under the GDPR, we have a data protection officer (DPO) to monitor our compliance with the GDPR, provide advice where requested and cooperate with supervisory authorities. You can contact our data protection officer via firstname.lastname@example.org.