Privacy Notice
1. Background and scope
This Privacy Notice (“Notice”) sets out how Umapped Inc. (“Umapped” or “we”) processes and protects the privacy of your personal information when you use Umapped’s website (www.umapped.com) or through Umapped’s mobile and web applications (the website and such mobile and web applications being collectively referred to as the “Applications”).
We need to collect, use and disclose personal information in order to perform our business functions and activities, including making and managing travel bookings on behalf of our customers. We are firmly committed to protecting the privacy and confidentiality of personal information and to maintaining various physical, electronic and procedural safeguards to protect personal information in our care.
For the purposes of the General Data Protection Regulation 2016/679 (“GDPR”) and other similarly situated legislation we are a “data processor” (or equivalent) for the processing of personal information you provide to us in connection with the Applications.
There may be instances where your local data protection laws impose more restrictive information handling practices than the practices set out in this Notice. Where this occurs, we will adjust our information handling practices in your jurisdiction to comply with these local data protection laws.
2. What personal information do we collect?
Personal information has the meaning given under your local data protection law, and, where the GDPR applies, the meaning of personal data given under the GDPR. Personal information generally means information which relates to a living individual who can be identified from that information, or from that information and other information in a person’s possession, including any expression of opinion, whether true or not, and whether recorded in material form or not, about an identified or reasonably identifiable individual, and any indication of intention in respect of an individual.
Generally, the type of personal information we collect about you is the information that is needed to facilitate your travel arrangements and bookings and to arrange travel related services and/or products on your behalf.
We therefore typically process the following types of personal information about you:
contact information (such as name, residential/mailing address, telephone number, email address);
payment account information (credit/debit card details, including card type, card number, security number and expiry date);
passport details;
loyalty program / frequent flyer details;
health information such as your dietary requirements and health issues (if any);
other details relevant to your travel arrangements or required by the relevant travel service provider(s) (e.g., airlines and accommodation or tour providers); and
geolocation data.
We also collect online identifiers such as your IP address and data regarding your device and the network you are using to connect with us.
When you contact us for other purposes, we may also collect personal information about you in relation to those purposes. For example, we may collect your personal information so we can contact you about a competition you have entered (e.g., if you win) or to respond to an enquiry or feedback you have sent to us.
In some circumstances, we may collect or derive personal information from you which may be regarded as sensitive information under your local data protection laws. Sensitive information may include (without limitation) your racial or ethnic origin, philosophical or religious beliefs or affiliations, sexual preferences or practices, membership of political, professional or trade associations (for use in booking special rates), passwords and financial information and health information Please note that, when necessary for travel arrangements, we may collect from a responsible adult personal information relating to a child of any age, but we do not knowingly collect any such information directly from children.
We will only collect sensitive information in compliance with your local data protection laws, with your explicit consent and where it is reasonably necessary for, or directly related to, one or more of our functions or activities (e.g. to make travel arrangements), unless we are otherwise required or authorised to do so by law. To the extent permitted or required under your local data protection laws, you consent to us using and disclosing your sensitive information for the purpose for which it was collected. We will not use or disclose sensitive information for purposes other than those for which it was collected, unless we subsequently receive your consent to use it for another purpose.
3. How do we collect personal information?
We will only collect personal information in compliance with your local data protection laws. We collect your personal information directly from you through our Applications or from your travel agent or travel service provider.
Unless you choose to do so under a pseudonym or anonymously, we may also collect your personal information (other than sensitive information) when you complete surveys or provide us with feedback.
You should let us know immediately if you become aware that your personal information has been provided to us by another person without your consent or if you did not obtain consent before providing another person's personal information to us.
We make every effort to maintain the accuracy and completeness of your personal information which we store and to ensure all of your personal information is up to date. However, you can assist us with this considerably by promptly contacting us if there are any changes to your personal information or if you become aware that we have inaccurate personal information relating to you (see section 14 below). We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal information that you, or a person acting on your behalf, provide to us.
4. How do we use your personal information?
We will only process your information, where:
you have given your consent to such processing (which you may withdraw at any time, as detailed at section 8 below);
the processing is necessary to provide our services to you;
the processing is necessary for compliance with our legal obligations; and/or
the processing is necessary for our legitimate interests or those of any third party recipients that receive your personal information (as detailed in sections 5 and 6 below).
We may share your information with our travel service providers such as travel agencies, hotel, airline, car rental, or other providers, who fulfill your travel bookings. Please note that these travel service providers also may use your personal information as described in their respective privacy policy and may contact you as necessary to obtain additional information about you, facilitate your travel reservation, or provide you with your requested services. We encourage you to review the privacy policies of any third-party travel service providers whose products you purchase through us.
If you have any concerns regarding the transfer of your personal information to a travel service provider, or you wish to contact us for further information, please refer to the “Feedback / Complaints / Contact” section below (section 14).
Further purposes for which we process personal information include:
providing you with services and tools you choose to use;
identification of errors;
developing and improving our products and services and those of our related entities;
servicing our relationship with you by, among other things, creating and maintaining a customer profile;
involving you in market research, gauging customer satisfaction and seeking feedback regarding our relationship with you and/or the service we have provided;
for research and analysis in relation to our business and services, including but not limited to trends and preferences in sales and travel destinations and use of our websites;
internal accounting and administration;
to comply with our legal obligations, including complying with law enforcement or government authority requests, and any applicable customs/immigration requirements relating to your travel; and
other purposes as authorised or required by law (e.g. to prevent a threat to life, health or safety, or to enforce our legal rights).
Where permitted by local data protection laws, we may use your personal information collected through the website only to send you targeted marketing activities relating to our products and services (and those of third parties) that we think may interest you, unless you have requested not to receive such information. These may include, but are not limited to, mail outs, electronic marketing and notifications as described below, and telephone calls). We will only use your personal information to send electronic marketing materials to you (including e-newsletters, email, SMS, MMS and iM) if you have opted-in to receive them or not opt-ed out of receiving them, depending upon the applicable law. You can subscribe to receive e-newsletters and other electronic promotional/marketing materials by following the relevant links on our website or requesting one of our consultants to do so for you.
Should you no longer wish to receive promotional/marketing material from us, participate in market research or receive other types of communication from us, please refer to the “Feedback / Complaints / Contact” section below (section14). You can unsubscribe from receiving electronic marketing materials by following the unsubscribe prompt in your email, SMS, MMS, iM or other form of electronic marketing. Please also see the “Your rights” section of this Notice to learn about your ability, at any time, to opt out or limit the use of your browsing behaviour for online behavioural advertising purposes (section 8 below).
5. Is personal information disclosed to third parties?
We do not and will not sell, rent out or trade your personal information. We will only disclose your personal information to third parties in the ways set out in this Notice and, in particular, as set out below, and in accordance with your local data protection laws. Note that, in this Notice, where we say “disclose”, this includes to transfer, share (including verbally and in writing), send, or otherwise make available or accessible your personal information to another person or entity.
Your personal information may be disclosed to the following types of third parties:
our independent contractors, suppliers and service providers, including without limitation:
in each of the circumstances set out in section 4 (“How do we use your personal information?”);
suppliers of IT based solutions that assist us in providing products and services to you (such as any external data hosting providers we may use);
publishers, printers and distributors of marketing material;
event and expo organisers;
marketing, market research, research and analysis and communications agencies;
mailing houses, freight services, courier services; and
external business advisers (such as lawyers, accountants, auditors and recruitment consultants);
our related entities and brands;
travel service providers such as travel wholesalers, tour operators, airlines, hotels, car rental companies, transfer handlers and other related service providers;
any third party to whom we assign or novate any of our rights or obligations;
financial institutions such as banks, when processing financial transactions;
a person making your travel booking on your behalf, where you are travelling on a booking made on your behalf by another person (for example, a family member, friend or work colleague);
your employer;
as required or authorised by applicable law, and to comply with our legal obligations;
government agencies and public authorities to comply with a valid and authorised request, including a court order or other valid legal process;
various regulatory bodies and law enforcement officials and agencies, including to protect against fraud and for related security purposes; and
enforcement agencies where we suspect that unlawful activity has been or may be engaged in and the personal information is a necessary part of our investigation or reporting of the matter; and
social media websites if you allow information to be shared through the Applications.
Other than the above, we will not disclose your personal information without your consent unless we reasonably believe that disclosure is necessary to lessen or prevent a threat to life, health or safety of an individual or to public health or safety or for certain action to be undertaken by an enforcement body (e.g. prevention, detection, investigation, prosecution or punishment of criminal offences), or where such disclosure is authorised or required by law (including applicable privacy / data protection laws).
6. Is personal information transferred overseas?
We may disclose your personal information to certain overseas recipients, as set out below. We will ensure that any such international transfers are either necessary for the performance of a contract between you and the overseas recipient or are made subject to appropriate or suitable safeguards as required by your local data protection laws (e.g. GDPR, China cybersecurity law, etc.).
It is possible that information will be transferred to an overseas recipient (other than any of our overseas related entities) located in a jurisdiction where you will not be able to seek redress under your local data protection laws and that does not have an equivalent level of data protection as in your jurisdiction. To the extent permitted by your local data protection laws, we will not be liable for how these overseas recipients handle, store and process your personal information.
a. Travel service providers located overseas
In providing our services to you, it may be necessary for us to disclose personal information to relevant overseas travel service providers. We deal with many different travel service providers all over the world, so the location of a travel service provider relevant to your personal information will depend on the travel services being provided. The relevant travel service providers will in most cases receive your personal information in the country in which they will provide the services to you or in which their business or management is based.
b. China cyber security law requirements
Personal information which is collected and generated within the territory of the People's Republic of China is stored within China's territory except for the following situations:
Where the international transfer is required or authorized by the traveler
We may transfer your personal information overseas when you are using our platform to book overseas hotels, airlines, and travel related services or products.
We will ensure that any such international transfers are either necessary for the performance of a contract between you and the overseas recipient, or are made subject to appropriate or suitable safeguards as required by your local laws.
If you have any specific questions about where or to whom your personal information will be sent, please refer to the “Feedback / Complaints / Contact” section below (section14).
7. Security of information
We are committed to safeguarding and protecting personal information and will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to protect any personal information provided to us from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal information transmitted, stored or otherwise processed. Flight Centre has implemented various physical, electronic and organisational security procedures in order to protect the personal information it holds from loss and misuse, and from unauthorised access, modification, disclosure and interference. Flight Centre regularly reviews security technologies and will strive to protect your personal information as fully as we protect our own confidential information. Flight Centre is not responsible for any third party’s actions or their security controls with respect to information that third parties may collect or process via their websites, services or otherwise.
We will destroy or de-identify personal information once we no longer require it for our business purposes, or as required by law.
8. Your rights in relation to the personal information we collect
If you wish to make a Subject Access Request to:
access, update, modify, rectify, erase, object to, or obtain a copy of the personal information that we hold on you; or
restrict or stop us from using any of the personal information which we hold on you, including by withdrawing any consent you have previously given to the processing of such information; or
where any personal information has been processed on the basis of your consent or as necessary to perform a contract to which you are a party, request a copy of such personal information in a suitable machine-readable format or have that personal information transmitted by us to another controller
you can request this by contacting us as set out in section 14 below. You will receive acknowledgement of your request.
We endeavour to respond to such requests within a month or less, although we reserve the right to extend this period for complex requests or as otherwise permitted by applicable law.
We reserve the right to deny you access for any reason permitted under applicable laws. Such exemptions may include national security, corporate finance and confidential references. If we deny access or correction, we will provide you with written reasons for such denial unless it is unreasonable to do so and, where required by local data protection laws, will note your request and the denial of same in our records.
You have the right to lodge a complaint with a relevant supervisory authority.
Further correspondence regarding your request should only be made in writing as set out in section 13 below.
Please note that, if you request that we restrict or stop using personal information we hold on you, or withdraw a consent you have previously given to the processing of such information, this may affect our ability to provide services to you or negatively impact the services we can provide to you.
You must always provide accurate information and you agree to update it whenever necessary. You also agree that, in the absence of any update, we can assume that the information submitted to us is correct, unless we subsequently become aware that it is not correct.
You can at any time tell us not to send you marketing communications by email by clicking on the unsubscribe link within the marketing emails you receive from us or by contacting us as indicated below (section14).
In any of the situations listed above, we may request that you prove your identity by providing us with a copy of a valid means of identification in order for us to comply with our security obligations and to prevent unauthorised disclosure of personal information.
To the extent permissible by law, we reserve the right to charge you a reasonable administrative fee for any manifestly unfounded or excessive requests concerning your access to your personal information, and for any additional copies of the personal information you request from us.
9. California Privacy Notice and Rights
This section applies only to personal information of California individuals as governed by California law including the California Consumer Privacy Act (“CCPA”).
We are required by the CCPA to disclose that in the preceding 12 months to facilitate certain advertising activities commonly deployed by online companies, we “sold” (as the term “sale” is defined in the CCPA) through the use of social media integrations described in more detail in section 10.
Under the CCPA, a California consumer has the following rights: to request additional information about our data collection, use, disclosure, and sales practices in connection with the consumer’s personal information; to request the specific personal information collected about the consumer during the previous 12 months; and to request the deletion of the personal information we have about the consumer. A California consumer may not be discriminated against for exercising the consumer’s California privacy rights.
To make a request, you may email us at privacy@umapped.com or through our phone number at 877-867-2907. In most cases, you will be required to provide your name and email address or phone number so that we can verify your request, and in some cases additional information may be required. Where possible, we will attempt to match the information that you provide in your request to information we already have on file to verify your identity. If we are able to verify your request, we will process it. If we cannot verify your request, we may ask you for additional information to help us do so. We will respond to your request within the 45-day time period required by applicable law. However, we may not always be able to fully comply with your request, and we will notify you in that event.
Under the CCPA, California consumers may use an authorized agent to make privacy rights requests. We require the authorized agent to provide us with proof of the California consumer’s written permission (for example, a power of attorney) that demonstrates authorization to submit a request for the California consumer. An authorized agent must follow the process described above to make a request, and we will also (a) require the authorized agent to verify the agent’s own identity and (b) confirm the agent’s authority with the California consumer about whom the request was made.
10. IP addresses
When you access our Applications, our servers may record data regarding your device and the network you are using to connect with us, including your IP address. An IP address is a series of numbers which identify your computer, and which are generally assigned when you access the internet.
We may use IP addresses for system administration, investigation of security issues and compiling anonymised data regarding usage of our website and/or mobile applications. We may also link IP addresses to other personal information we hold about you and use it for the purposes described above (e.g. to better tailor our marketing and advertising materials, provided you have opted in to receive electronic marketing).
11. Tracking Technologies / Cookies
We may use third-party web analytics services on our Applications. The analytics providers that administer these services use technologies such as cookies and web beacons to help us analyse how visitors use our Applications.
12. Linked Sites
Our websites may contain links to third party websites over which we have no control. We are not responsible for the privacy practices or the content of such websites. We encourage you to read the privacy policies of any linked third party websites you visit as their privacy policy and practices may differ from ours.
13. Feedback / Complaints / Subject Access Requests / Contact
If you wish to make a Subject Access Request to inform us of a change or correction to your personal information, request a copy of the information we collect on you, request deletion of your information or would like to restrict the further processing of your data, please contact us at Privacy@umapped.com. We will respond to these requests within the time period required by the applicable jurisdiction. Please note that as data processor, we will need to work with the data controller of your personal information for the purpose of fulfilling most Subject Access Requests.
Similarly, if you have any enquiries, comments or complaints about this Notice or our handling of your personal information, please contact Privacy@umapped.com and we will respond as soon as practicable.
14. Changes to our Notice
We may amend this Notice from time to time. If we make a change to the Notice, the revised version will be posted on our website. We will post a prominent notice on our website to notify you of any significant changes to our Notice and indicate at the end of the Notice when it was most recently updated. It is your responsibility, and we encourage you, to check the website from time to time in order to determine whether there have been any changes.
This Privacy Notice was last updated on 1 August 2022.