Last Updated: December 9, 2019
We at Yapta, Inc. (“Yapta”) are committed to protecting privacy.
Our corporate and consumer services help save our customers money on travel by alerting or automatically reticketing to lower fares for both flights and hotels.
We may have to collect personal data to provide enough detail to find and track airfare and hotel pricing for a match. The information added either by site visitors providing their contact information, by a consumer adding information, or through the integration of our services to Global Distribution Systems, is stored and managed on Yapta’s servers. This information is then either used to contact visitors about their interest in the company’s goods or services, to interact with the company, or to track and alert users to lower fares.
You may want to review each of these sections on this page:
- Our Policy Aims
- Your Rights
- Disclosing Your Personal Data to Third Parties
- International Transfers of Your Personal Data
- Sharing of Information among Yapta Entities
- Storage, Retention, and Deletion of Your Personal Data
- Data Security
- Other Jurisdictions
- Policy Changes
- Contacting Us
- Data Protection Officer
1.4 Personal data refers to any information relating to an identified or identifiable natural person (“data subject”), where this identification can be made directly or indirectly, by means of identifiers such as your name, your travel itineraries, passenger name records (“PNRs”), ticketing information, email address, phone number, online identifiers such as cookies in some circumstances, your location, your genetic, economic, cultural or social identity or other information that is specific to you.
1.5 We do not mean information that only refers to a business corporation or organization. We also do not mean information that has been “anonymized,” either by removing or de-identifying all specific identifiers. Anonymous data is not personal data when the anonymization is irreversible. When we refer to anonymous data, we mean data that cannot be reversed into personal data.
1.6 As a data controller, we commit ourselves to protecting the privacy of our website visitors and users of our products and services with respect to the processing of your personal data.
1.7 Certain Yapta Services require users to upload or otherwise submit travel related information, including information about individual travel itineraries, passenger name records (“PNRs”), ticketing information, booked fares, service fees, and related travel data (collectively, “Your Data”). As between you and us, you agree that you are solely responsible for Your Data. Without limitation, you are responsible for the accuracy, relevance and timeliness of Your Data. You are also responsible for securing all rights and/or permissions needed for Yapta to use Your Data.
1.8 Where we collect and process your personal data, we will limit the collection and retention to what is adequate, relevant and necessary for our purposes and it will be kept in a form which allows for your identification no longer than necessary for the purpose for which we process your personal data. We refer to this as data minimisation.
1.9 Where we store your personal data for longer periods for statistical purposes, as permitted, we will use appropriate safeguards. Applicable law defines ‘statistical purpose’ as any collection of personal data, where the result of processing is for aggregate data, so the personal data we collect from you is anonymized or pseudonymized.
1.10 Our policy provides you with the legal bases for the collection of your personal data, and lets you know how long personal data is stored, the reasons why, and how in some circumstances it is necessary to retain it. The length of this retention, how you may choose to request that we delete some or all of your personal data, and the consequences of the deletion are explained in this policy.
1.11 Some of the legal bases we rely on are contractual and service necessity, consent, legitimate interests and compliance with legal obligations.
1.13 We strive to keep the policy easy to understand and transparent, and so we refrain from overuse of technical information. If you wish to have further details on how we process your personal data, please contact us.
2.1 We try to ensure that the users of our products and services always have an open line of communication with us. You can contact us at any time if you have any questions, queries or requests about your personal data and, if European law applies to the processing of your data, about your right to request access to, modify, remove or export your data, or object to our processing of your data.
2.2 If you contact us to obtain the necessary information and action changes, corrections or deletions of your personal data, we will action your request within one month of receiving a request from you concerning any one of your rights as a data subject. Should we be inundated with requests or particularly complicated requests, the time limit may be extended to a maximum of another two months.
- Online activities
- Any personal data collected from you when you visit our websites or use our products or services.
- Phone contacts
- Any personal data collected from you when you call us for sales or customer support.
- Any personal data collected from you at a “live” or in-person event such as a trade show.
- Other circumstances
- Any personal data collected from you when you contact us by email.
5.1 We are required to disclose your personal data to unrelated third parties in limited circumstances:
- where necessary to satisfy a legitimate government request or order;
- in compliance with a legal requirement by a court of law or in the public interest;
- in response to a third-party subpoena, if we believe on the advice of our attorneys that we are required to respond;
- if we obtain your permission; or
- if necessary to defend ourselves or our users (for example, in a lawsuit).
6.1 We are an international business that provides its products and services all around the world. In order to reach all of our users and provide all of them with our services, we operate on an infrastructure that spans the globe. The servers that are part of this infrastructure may therefore be located in a country different than the one where you live. In some instances, these may be countries outside of the European Economic Area (“EEA”), where the level of protection provided by the laws of these countries may be different than the high standard enshrined in the GDPR. Regardless, we provide the same GDPR level of protection to all personal data we process.
At the same time, when we transfer personal data outside of the EEA, we always make sure to put in place appropriate and suitable safeguards, such as standardized contracts approved by the European Commission, which legally bind the receiving party to adhere to a high level of protection, and to ensure that your data remains safe and secure at all times and that your rights are protected.
Situations where we transfer personal data outside of the EEA include provision of our products and services, processing of transactions and your payment details, and the provision of support services.
7.1 Our data collection and management practices do not vary by location. We follow the same “data minimisation” procedure with respect to all personal data in our possession, regardless of the jurisdiction from which it was collected, and regardless of whether the data is transferred from one member of the Yapta Group to another.
7.2 We reserve the right to store and use the information collected by our software and to share such information among the Yapta Group to improve our current and future products and services, to help us develop new products and services, and to better understand the behaviour of our users.
7.3 Any reference in this policy to “Yapta Group” means Yapta, Inc.’s direct and indirect parent companies and any company that is, directly or indirectly, controlled by or under common control with Yapta, Inc.
8.1 Storage of Information
We store information that we collect on our servers or on the servers of our subsidiaries, affiliates, or contractors who are working on our behalf.
The data on our servers can only be accessed from our physical premises, or via an encrypted virtual private network (“VPN”). Access is limited to authorised personnel only, and company networks are protected, and subject to additional policies and procedures for security.
8.2 Access by our contractors
We or our subsidiaries, affiliates, or contractors who are working on our behalf undertake regular maintenance of your personal data. All third parties must agree to observe the privacy of our users, and to protect the confidentiality of their personal information. This means your personal data cannot be shared with others, and there must be no direct marketing by the third parties.
8.3 Retention and Deletion of Your Personal Data
For each type of data, we set retention timeframes based on the reason for its collection and processing. Some data you can delete whenever you like, and some data is deleted automatically as soon as we do not need it for our legitimate business or legal purposes. We do not delete data that we need for our legitimate or legal purposes, even upon request, until the purposes expire. We also take steps to anonymize certain data within set time periods. We may also amend the personal data we keep in such a way that you cannot be identified, for example, by hashing. We may retain a “key” to the hashing, but we will securely store it separately from the hashed data.
When the data is deleted, we remove it from our servers or retain it only in anonymized form.
8.4 The following describes why we hold onto different types of data for different periods of time:
- We keep your data for the life of your account, if it’s necessary for the service (such as support or communication) or if it helps us understand how users interact with our features and how we can improve Yapta Services.
- If you registered an account with us, we will keep data in your account until you choose to delete the account.
- If you subscribe to a recurring newsletter, we will keep your information to continue to fulfil your subscription request.
We have business and legal requirements that require we retain certain personal data, for specific purposes, for an extended period of time.
8.5 Reasons we might retain some data for longer periods of time include:
- Security, fraud & abuse prevention
- Financial record-keeping
- Complying with legal or regulatory obligations, including for investigations, enforcement, or when legally actionable
- Ensuring the continuity of Yapta Services
- Direct communication with you for support and marketing.
What are cookies?
A cookie is a file containing an identifier, a string of letters and numbers, that is sent by a web server to the web browser you are using to access this site and is stored by that browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date (e.g. 30 days), unless deleted by the user before the expiry date; a session cookie will expire at the end of the user session, when the web browser is closed.
- recognize a computer when a user visits the website
- track users as they navigate the website
- improve the website’s usability
- analyze the use of the website
- administer the website
- improve the security of the website
- personalize the website for our users
Can a User refuse to accept cookies?
Yes. Even if you refuse to accept cookies from Yapta, you can still access the website and use Yapta services. Certain functionality, such as automatically logging in the user and preferred user settings, may need to be redone at the start of each visit.
Managing Cookies by Browser
Browsers have functionality that allows users to block, allow and delete cookies. If you want to know more about how to remove or block cookies, please access the Help guide for the browser you are using. Searching their Help menu for key words or phrases such as “delete cookie” will result in details on how to manage cookies on your device.
9.1 Safeguards for protection of personal information
We maintain administrative, technical, and physical safeguards for the protection of your personal data.
9.2 Administrative safeguards
Access to the personal data of our users is limited to authorized personnel who have a legitimate need to know based on their job descriptions, for example, employees who provide support to end users, or who service user accounts. In the case of third-party contractors who process personal information on our behalf, similar requirements are imposed. These third parties are contractually bound by confidentiality clauses, even when they leave. Where an individual employee no longer requires access, that individual’s credentials are revoked.
9.3 Technical safeguards
We store your personal information in our database using the protections described above. In addition, we utilize up-to-date firewall protection for an additional layer of security. We use high-quality antivirus and anti-malware software, and regularly update our virus definitions. Third parties who we hire to provide services and who have access to our users’ data are required to implement privacy and security practices that we deem adequate.
9.4 Physical safeguards
Access to user information in our database by Internet is not permitted except using an encrypted virtual private network (VPN). Otherwise, access is limited to our physical premises. Unencrypted removal of personal data from our location is forbidden. Third-party contractors who process personal data on our behalf agree to provide reasonable physical safeguards.
We strive to collect no more personal data from you than is required by the purpose for which we collect it. This, in turn, helps reduce the total risk of harm should data loss or a breach in security occur. The less data we collect, the smaller the overall risk.
9.6 Notification in the event of breach
In the unlikely event of a breach in the security of personal data, we will notify all users who are actually or potentially affected.
We may tailor the method of notice depending on the circumstances. Where the only contact information that we have for you is an email address, then the notification will necessarily be by email. Where we believe there are affected users for which we have no contact information on file, we may give notice via publication on our company website.
We reserve the right to delay notification if we are asked to do so by law enforcement or other authorities, or if we believe that giving notice immediately will increase the risk of harm to our user body overall.
10.1 Your California Privacy Rights
11.3 Where the changes are major, we will notify you through posts on our website and by email notification.
12.1 We are registered as Yapta, Inc. and our registered address is 401 2nd Ave S, Suite 101, Seattle WA 98104 United States.
12.2 Dispute Resolution
If you do not receive timely acknowledgment of your complaint, or if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
12.3 Contact Detail
You can reach us by email at email@example.com. Please type “PRIVACY REQUEST” in the message line of your email so we can have the appropriate member of the Yapta team respond.
You can send postal mail to Yapta, Inc., 401 2nd Ave S, Suite 101, Seattle WA 98104 United States. Be sure to write “Attention: PRIVACY” in the address so we know where to direct your correspondence.
13.1 As required under the GDPR, we have a data protection officer (DPO) to monitor our compliance with the GDPR, provide advice where requested and cooperate with supervisory authorities. You can contact our data protection officer via firstname.lastname@example.org.
Yapta, Inc. (Yapta) complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data (as defined below) from European Union member countries, the United Kingdom, and Switzerland. Yapta has certified that it adheres to the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability. If there is any conflict between the policies in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
1.1. “Data Subject” means the individual to whom any given Personal Data covered by this Privacy Shield Policy refers.
1.2. “Personal Data” means any information relating to an individual residing in the European Union, the United Kingdom, and Switzerland that can be used to identify that individual either on its own or in combination with other readily available data.
1.3. “Sensitive Personal Data” means Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life.
1. Scope and Responsibility
1.1. This Privacy Shield Policy applies to Personal Data transferred from European Union member countries, the United Kingdom, and Switzerland to Yapta’s operations in the U.S. in reliance on the respective Privacy Shield framework and does not apply to Personal Data transferred under Standard Contractual Clauses or any approved derogation from the EU Directive.
1.2. Some types of Personal Data may be subject to other privacy-related requirements and policies. For example:
- Yapta websites have their own privacy policies.
- Personal Data regarding and/or received from a customer is also subject to any specific agreement with, or notice to, the customer, as well as additional applicable laws.
- Employee Personal Information is subject to internal human resource policies found in the Employee Handbook.
All employees of Yapta who have access in the U.S. to Personal Data covered by this Privacy Shield Policy are responsible for conducting themselves in accordance with this Privacy Shield Policy. Adherence by Yapta to this Privacy Shield Policy may be limited to the extent required to meet legal, regulatory, governmental, or national security obligations, but Personal Data covered by this Privacy Shield Policy shall not be collected, used, or disclosed in a manner contrary to this policy without the prior written permission of Yapta’s Data Protection Officer.
Yapta employees responsible for engaging third parties to which Personal Data covered by this Privacy Shield Policy will be transferred are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of the Privacy Shield Principles, including any applicable contractual assurances required by Privacy Shield.
2. Privacy Shield Principles
Yapta commits to subject to the Privacy Shield Principles all Personal Data received by Yapta in the U.S. from European Union member countries, the United Kingdom, and Switzerland in reliance on the respective Privacy Shield framework.
Yapta notifies Data Subjects covered by this Privacy Shield Policy about its data practices regarding Personal Data received by Yapta in the U.S. from European Union member countries, the United Kingdom, and Switzerland in reliance on the respective Privacy Shield framework, including the types of Personal Data it collects about them, the purposes for which it collects and uses such Personal Data, the types of third parties to which it discloses such Personal Data and the purposes for which it does so, the rights of Data Subjects to access their Personal Data, the choices and means that Yapta offers for limiting its use and disclosure of such Personal Data, how Yapta’s obligations under the Privacy Shield are enforced, and how Data Subjects can contact Yapta with any inquiries or complaints.
If Personal Data covered by this Privacy Shield Policy is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party, Yapta will provide Data Subjects with an opportunity to choose whether to have their Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to: email@example.com.
If Sensitive Personal Data covered by this Privacy Shield Policy is to be used for a new purpose that is different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a third party, Yapta will obtain the Data Subject’s explicit consent prior to such use or disclosure.
- Accountability for Onward Transfer
In the event we transfer Personal Data covered by this Privacy Shield Policy to a third party acting as a controller, we will do so consistent with any notice provided to Data Subjects and any consent they have given, and only if the third party has given us contractual assurances that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the Privacy Shield Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Yapta has knowledge that a third party acting as a controller is processing Personal Data covered by this Privacy Shield Policy in a way that is contrary to the Privacy Shield Principles, Yapta will take reasonable steps to prevent or stop such processing.
With respect to our agents, we will transfer only the Personal Data covered by this Privacy Shield Policy needed for an agent to deliver to Yapta the requested product or service. Furthermore, we will (i) permit the agent to process such Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection as is required by the Privacy Shield Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Yapta’s obligations under the Privacy Shield Principles; and (iv) require the agent to notify Yapta if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles, we will take reasonable and appropriate steps to stop and remediate unauthorized processing.
Yapta remains liable under the Privacy Shield Principles if an agent processes Personal Data covered by this Privacy Shield Policy in a manner inconsistent with the Principles, except where Yapta is not responsible for the event giving rise to the damage.
Yapta takes reasonable and appropriate measures to protect Personal Data covered by this Privacy Shield Policy from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
- Data Integrity and Purpose Limitation
Yapta limits the collection of Personal Data covered by this Privacy Shield Policy to information that is relevant for the purposes of processing. Yapta does not process such Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject.
Yapta takes reasonable steps to ensure that such Personal Data is reliable for its intended use, accurate, complete, and current. Yapta takes reasonable and appropriate measures to comply with the requirement under the Privacy Shield to retain Personal Data in identifiable form only for as long as it serves a purpose of processing, which includes Yapta’s obligations to comply with professional standards, and Yapta’s business purposes, unless a longer retention period is permitted by law, and it adheres to the Privacy Shield Principles for as long as it retains such Personal Data.
Data Subjects whose Personal Data is covered by this Privacy Shield Policy have the right to access such Personal Data and to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the Privacy Shield Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated). Requests for access, correction, amendment, or deletion should be sent to: firstname.lastname@example.org.
- Recourse, Enforcement, and Liability
Yapta’s participation in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission.
In compliance with the Privacy Shield Principles, Yapta commits to resolve complaints about your privacy and our collection or use of your Personal Data. Data Subjects with inquiries or complaints regarding this Privacy Shield Policy should first contact Yapta at: email@example.com.
Yapta has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Principles to an independent dispute resolution mechanism which lets users report potential violations of posted privacy statements and specific privacy issues that pertain to Yapta. If you do not receive timely acknowledgment of your complaint, or if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions detailed in the Privacy Shield, Data Subjects may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.
Yapta agrees to periodically review and verify its compliance with the Privacy Shield Principles, and to remedy any issues arising out of failure to comply with the Privacy Shield Principles. Yapta acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Privacy Shield participants.
Changes to this Privacy Shield Policy
This Privacy Shield Policy may be amended from time to time consistent with the requirements of the Privacy Shield. Appropriate notice regarding such amendments will be given.