Privacy policy
Updated October 13, 2022
Protecting your privacy
This Privacy Policy explains how American Airlines, Inc. ("we," "us," "our," "American") collects, uses, shares, and protects information in connection with American’s online and offline services, systems, websites, and apps that refer or link to this Privacy Policy (our "Services"), including without limitation, the collection and processing of personal information in connection with bookings and travel on American Airlines or flights operated by our regional carriers (for example, Envoy Air, Piedmont Airlines and PSA Airlines), as well as loyalty data collected and processed in connection with the AAdvantage® program. This Privacy Policy applies regardless of the way you interact with our Services or the type of device or other means you use to access our Services.
American reserves the right to change this Privacy Policy at any time by posting the updated Policy here along with the date on which the Policy was changed. If we make material changes to this Privacy Policy that affect the way we collect, use and/or share your personal information, we will notify you by including a "NEWLY UPDATED" label with the "PRIVACY POLICY" link on aa.com for 30 days after material changes are made. This Privacy Policy is not a contract and does not create any contractual rights or obligations.
When we use the term ‘personal information,’ we are referring to information that identifies, relates to, describes, or can be associated with you, including the categories and specific types of information described in this Privacy Policy.
We collect and maintain personal information about you from many sources to understand and meet your needs, facilitate your travel, manage our business, and for other purposes disclosed to you. For example, we collect personal information about you from:
- You, when you voluntarily provide us with information
- Your transactions with American
- Other third-party sources, such as travel agents, law enforcement agencies, other airlines (e.g., code share and alliance partners) and travel and hospitality service providers (e.g., transportation or tour operators).
If the information is to be collected directly from you, you may in some cases have the option to decline providing that information. However, your choice to not provide information may impact your use of certain features or services.
The personal information we collect about you through these various sources may include, but is not limited to:
- General information about you, including name, title, gender, date of birth, AAdvantage® account number, driver's license number, passport number, nationality, and country of residence
- Contact information, including addresses and telephone numbers, email addresses, fax numbers, pager numbers, and social media handles
- Travel information, including:
- booking and itinerary information:
- American creates a record for each booking that involves travel on American Airlines, even if the ticket is sold under another airline’s booking code, including whether you booked your flight on aa.com or through another sales channel (such as a travel agency)
- American will also collect information about changes to your booking, including a cancellation or failure to complete your travel, upgrades, your baggage requirements, airport disruption, and lost baggage
- If you book travel for someone else, American may collect your billing information but may communicate with the passenger directly about their flight
- other information required to facilitate travel services, such as requests for assistance, dietary restrictions, interactions with staff and cabin crew, travel companion name(s), emergency contacts, photographs, information about your prior flights and travel-related issues
- booking and itinerary information:
- Payment information, including credit or debit card number(s), associated billing address(es), and expiration date(s)
- Sensitive information, Some examples of this type of information include:
- You have sought clearance from us to fly with a medical condition or device
- Biometric information, including a scan of your face, fingerprint, or other biometric identifiers, as disclosed to you when you participate in one of our biometric authentication programs
- You have otherwise chosen to provide such information to us or it has been passed onto us by a third party, such as the travel agent through which you made your booking or other entity, including information about whether you have symptoms of a communicable disease or virus (such as COVID-19), an appropriate vaccination, or a negative test result
- Digital identity credentials, including credentials linked to vaccination status or negative test results that you provide for specific purposes, such as compliance with customs and immigration requirements during international travel or services in which you choose to participate
- • Technical information, including browser type, IP address, type of operating system, geolocation, the name of your internet service provider, mobile advertising identifiers, and pages visited on our Services (as further described in the section titled “Automatically collected information (including cookies and geolocation)”)
- The content of correspondence you send to us, including information provided via survey, focus group or other marketing research efforts, the content of emails or online customer service requests you send to us, the content of chat, text message, social media, or other communications with us, and our responses to you
- Business information, including corporate-contract, employer name, corporate affiliation, and Business Extra® account information when you conduct business on behalf of your employer or when you travel or use our Services that are funded by your employer
To the extent that the personal information we collect constitutes sensitive personal information under applicable law, American will collect and process this sensitive personal information within the limits provided by applicable law. Where required by law, and where no other lawful bases exist for processing such data (such as to fulfill laws promoting a substantial public interest), American will seek your specific consent before processing sensitive personal information.
You may submit a request for services (such as a meal preference, or a request for wheelchair assistance) which is not sensitive personal information. American does not consider such data to reliably imply or suggest sensitive personal information.
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel information, which may include personal information, about children when it is required to comply with the law, including federal aviation or security regulations, as otherwise required to provide transportation needs and services, or for safety or security reasons. We may retain personal information when required to provide transportation and related services to a child, or in connection with services purchased or enrolled by the parent or guardian on the child’s behalf (such as a parent or guardian’s enrollment of their child in the AAdvantage® program).
If you are a parent or guardian of a child who has provided personal information without your knowledge and consent, you may request we remove this child’s information by emailing [email protected].
When you use our Services, we may receive technical information such as your browser type, the type of operating system you use, your geolocation, the name of your internet service provider, mobile advertising identifiers, and pages visited on our Services. American gets this information by using technologies, including cookies, web beacons, and mobile device geolocation to provide and improve our Services and advertising, including across browsers and devices (also known as cross-device linking). We also use this information to verify that visitors meet the criteria required to process their requests and for reporting activity on our Services. For example, we may want to know how long the average user spends on our Services or which pages or features get the most attention. This technical information may be combined with information that is personally identifiable in order to personalize our Services and advertising to your interests, including across browsers and devices. For example, if you spend time reviewing a particular flight or destination but do not complete a travel reservation, we may use this information to show you targeted advertising about similar flights or destinations on our Services or on third-party websites. Some of this information may be shared with third parties, as described in the section titled “Information collected by third parties on our Services.”
Additionally, and with your specific consent where required by law, American may combine the information we receive from you with information collected from other sources. This information may be used to provide offers and / or services specifically tailored to your interests in accordance with applicable laws.
Some of the content, advertising, and functionality on our Services may be provided by third parties, including third parties that are not affiliated with us. As noted above, these third parties may collect or receive technical information about your use of our Services, including through the use of Cookies, and this information may be collected over time and combined with information collected on different websites and online services. Also, some third parties collect information about users of our Services in order to provide interest-based advertising (on our Services and elsewhere, including across browsers and devices, also known as cross-device linking).
For example, we may use third parties to collect, and share with us, usage information about how you interact with our Services, including personal information that you provide, website or app visits and interactions, and user inputs such as mouse clicks or keystrokes.
Our Services
We use personal information to complete transactions and fulfill requests for our products and services. For example, we require you to provide personal information when making a reservation to purchase airline tickets or related products and services such as renting cars or booking hotel rooms through an American Airlines Reservations Agent, travel agent, the aa.com website or other travel-related website, or enrolling in the AAdvantage® and Business Extra programs. We may also use personal information to verify your identity, including for security purposes.
In the event of a flight delay, cancellation, or other service disruption, we may use the contact information provided in your booking to notify you, and the individuals traveling on the same booking, about the disruption.
Administrative, marketing, analytical purposes
In addition to processing, confirming and fulfilling the travel or other services or products you request, American may use personal information for administrative, analytical, and marketing purposes such as employee training, information systems management, accounting, billing and audits, credit card processing and verification, customer-relations correspondence, and/or operation of the AAdvantage® and Business Extra programs. American also uses personal information to identify, develop and market products and services that we believe you will value, including across browsers and devices, in accordance with applicable laws. Where we are required by applicable law, we will seek your consent prior to sending you communications for marketing purposes. More specifically, we may use your personal information for the following purposes:
- Business purposes and communication: To provide flight services or information you requested, to communicate with you for business or customer service reasons (such as sending messages related to flight tracking or delays), or for other such reasons such as changes to our policies or in response to your inquiry
- Personalized airport service: To provide personalized service, such as wheelchair assistance or access to our lounges; to check whether you have passed through airport security, whether you are on a connecting flight, and to contact you about boarding a flight, if you have not arrived at the gate; and to monitor where you are in the airport to assist you with flight connections and boarding our aircraft
- Financials transaction management: To facilitate payment for services or provide refunds
- Legal and regulatory obligations: To comply with legal, regulatory, or fiscal obligations, or in connection with litigation or an internal investigation or audit
- Tailored web experience: To personalize your advertising experience when visiting our sites, and to manage details about your accounts (such as an AAdvantage®, Business Extra, or AirPass℠ account), including when security updates are available, or when an action is required to keep the account active
- Improve our operations: To improve our route and service offerings as an airline operator, including reviewing our travel destinations, fare classes, loyalty program offerings, and operations more generally, as well as compiling statistics on international air traffic and statistics to improve products and services
- Marketing and analytics: To perform data analyses and other processing for marketing purposes, including to offer you specific services, applications, events, sweepstakes and special campaigns
- Site maintenance: To improve content, functionality, and usability of our sites and to offer opportunities to participate in surveys and provide feedback to us
- Security management: To secure American’s premises, assets, and information, and to test and evaluate the effectiveness of American’s security
- Third party requests: To respond to and comply with outside requests initiated by you, as well as in response to legal requests
- Audit and controls: To evaluate internal controls and audits for compliance (including those conducted by American’s internal and external audit service providers)
There are Closed Circuit Television (CCTV) cameras in operation within and around our stations and other premises, which are used for these purposes:
- to prevent and detect criminal, malicious, or fraudulent activity;
- to protect the health and safety of American’s customers and employees;
- to manage and protect American’s property and the property of American’s guests and other visitors; and
- for quality assurance purposes
We take reasonable measures to protect the personal information you provide to us.
American uses reasonable technical, administrative, and physical measures to protect your personal information from loss, interference, misuse, unauthorized access, disclosure, alteration or destruction, both during transmission and once we receive it. We also maintain reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete and current. When your personal information is shared, American will take a reasonable approach to prevent the unauthorized use of personal information.
Please note, however, that while American attempts to safeguard your personal information, no method of transmitting or storing electronic information is ever completely secure, and thus we make no warranty, express, implied, or otherwise, that your information will never be accessed, used or released in a manner that is inconsistent with this Privacy Policy.
Here are some things you can do to keep your information secure.
Keep your record locator confidential:
When you make a booking, you will be given a 6-character record locator, also known as a Passenger Name Record (PNR). This will appear on the email confirmation or ticket of each person in your booking. You should keep your record locator confidential, as giving it to others may allow them to access your booking details through our systems. If you are traveling with others and do not want them to have access to your booking details, you should have each person make their own bookings.
Keep your AAdvantage® account number and login information confidential:
To make sure your access to our Services is secure; you should not share your log in details with anyone else. You should always log out of the Services after each use if others have access to your computer or device, especially if you are using a publicly accessible computer such as at a library or internet café.
Your personal information will be retained only for so long as reasonably necessary for the purposes set out above and consistent with our retention policies, considering criteria such as applicable rules on statute of limitations, legal requirements and the duration of your use of our website and receipt of our Services. In general, this retention will be at least for the duration of your customer relationship with us and a longer period as necessary for legal defense purposes or as required by tax, aviation, and other applicable laws and regulations.
General
We may disclose or share information about you to provide the products and services you have requested or for administrative, analytical, and marketing purposes, including to:
- third parties to distribute promotions, sweepstakes, marketing surveys and messages, focus groups, interviews and other opportunities offered by American;
- third parties who have arranged for discounts, and pre-paid travel or other services on your behalf, such as your employer if your employer purchased your ticket, or a travel agent if you book through a travel agency;
- American's group companies (including any entity that directly or indirectly controls, or is controlled by, or is under common control with, American), for uses in accordance with this Privacy Policy;
- other airlines in order to fulfill your booking requests relating to your flights, or in connection with your use of alliance or partner benefits such as airport lounge access, or with codeshare partners, so that you can earn and redeem miles with our partner airlines (you may have an independent relationship with the partner airline, and the partner airline is separately responsible for how they obtain and process your personal information);
- hotels, car rental companies, or other travel industry partners in order to fulfill your booking requests relating to vacation packages or other travel services booked using our Services;
- our co-branded credit card partners, in connection with a co-branded credit or debit card that is linked to your AAdvantage® account;
- third parties such as government and law enforcement agencies when required by law (as further described in the section titled “Legal requirements”);
- third-party vendors that assist American with respect to providing our Services and managing our AAdvantage® program enrollments and AAdvantage® travel partnerships; and
- another entity in the event of a bankruptcy, or as part of the due diligence or business integration process, in the event we undergo a business transition involving another company, such as a merger, corporate reorganization, acquisition, or lease or sale of all or a portion of our assets
In addition, from time to time, we may share information with certain third party companies with which we have a business relationship, including AAdvantage® and Business Extra participants. These companies may send you offers based on the information you have provided us. Where we are required by applicable law, we will seek your consent prior to sharing your personal information with such third parties for marketing purposes. Also, as described in the section titled “Opting out of marketing communications and sharing your information with third parties”, you can opt out of having your information shared with third parties for those parties' direct marketing purposes by emailing us at [email protected].
If your booking includes emergency contact information, we may share personal information with your emergency contact or attempt to collect information about you from your emergency contact, as appropriate based on the nature of the emergency.
Legal requirements
Please note that the laws and regulations of several countries, including without limitation, the requirements imposed under the Transportation Security Administration Secure Flight program, require us to provide foreign and domestic government agencies with access to the personal information you disclose to us and data that we have about you and your travel plans, history, or status, including both before and after a flight arrives. For example, American and other airlines comply with legal obligations in the United States (U.S.), United Kingdom (UK), member states of the European Union, Uruguay, Brazil (BR), and other countries to provide border control agencies and customs authorities with access to booking and travel data when you fly to and from such countries, including stopover or layover destinations or countries that you may overfly en route to your destination. American does not have control or knowledge of the storage and use of that data after it has been delivered to the respective government entity. Further, to the extent required by law, we may disclose personal information to government or law enforcement agencies, such as customs and immigration authorities, or to third parties pursuant to a subpoena or other legal process, and we may also use or disclose your information to law firms and courts, as permitted by law, to enforce or apply a contract with you or protect the rights or property of American, our customers, our employees, our Services, or its users, including, without limitations, sharing personal data with public health authorities for purposes of combating infectious disease.
We'd also like to remind you that we provide additional links to resources we think you'll find useful. These links will lead you to sites that are not affiliated with American and may operate under different privacy practices. Our visitors are responsible for reviewing the privacy policies for such other websites, as we have no control over information that is submitted to these companies.
We provide you with options to stop receiving marketing messages from us. Regardless of your opt-out preferences, we reserve the right to send you certain communications and share your information with third parties for administrative, transactional, and analytical purposes.
If you’re an AAdvantage® member and you want to opt out of receiving marketing emails, log in to your AAdvantage® profile and update your preferences, or contact AAdvantage® Customer Service. Please note, you’ll continue to receive AAdvantage® program updates and email products for which you’ve subscribed. If you’re a Business Extra member and you want to opt out of marketing emails, log in to the Business Extra website and update your preferences.
- Log in to your AAdvantage® profile and manage your email preferences Opens another site in a new window that may not meet accessibility guidelines
- Contact AAdvantage® Customer Service Opens another site in a new window that may not meet accessibility guidelines
- Update your Business Extra preferences Opens another site in a new window that may not meet accessibility guidelines.
If you’re not an AAdvantage® program member and you want to opt out of marketing emails, you can click the opt-out or unsubscribe link in the marketing email you receive to manage your marketing preferences. You can also send an email from the email address you wish to unsubscribe with the word “unsubscribe” in the subject line to [email protected]. When you do this, we will unsubscribe all users with the same email address, even if they are registered AAdvantage® members or Business Extra members with registered preferences.
If you want to opt out of receiving forms of communication from American other than marketing emails, please email [email protected] with your request.
Email [email protected] Link opens another site that may not meet accessibility guidelines
If you want American to stop sharing your personal information with third parties for those parties' direct marketing purposes, please opt out of third-party data sharing.
Opt out of third-party data sharing
When you use our Services, you may receive Cookies from us and the third parties that collect information on our Services. Please see the “Cookies and online advertising” section above for additional details.
Other companies or programs of American partners (such as AAdvantage® program participating companies) may require different steps to change your preferences for participation. Please consult the privacy policies of the relevant companies or programs for further information.
Application of local laws
Where required by local law, you may have the right to access, request a copy of, update, transfer or port, restrict the processing of, or request that we delete your personal information. You may also have the right to object to our processing of your personal information. To exercise these rights please email us at [email protected]. When we receive a request to exercise one of these rights, we will indicate what personal information we require from you to validate your identity. We will also provide information on the action we intend to take on the request without undue delay and no later than 30 days from receipt of the request, or within a shorter period of time where required by local law. This time may be extended by an additional two months in certain circumstances, for example, where requests are complex or onerous. Please note, these requests are subject to applicable legal, ethical reporting, or document retention obligations imposed on us.
When you provide us with your information, you acknowledge that this information may be stored, transferred, and processed on servers located anywhere in the World, including either inside or outside of the U.S., the European Union, the U.K., Switzerland, Uruguay, or Brazil.
This section of the Privacy Policy applies only if you use our website or Services covered by this Privacy Policy in Brazil, and supplements the information in this Privacy Policy.
Controller of personal data
To the extent that American Airlines, Inc. is subject to the laws of Brazil when processing personal data (“Personal Data”), it shall be the “data controller” under such laws.
Sensitive personal data
According to the Brazilian General Data Protection Law (the “LGPD”), data that concerns racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person, will be deemed as sensitive personal data. American only collects and uses sensitive personal data for purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections of this Privacy Policy and will adopt strict security measures when processing sensitive personal data.
Personal information of children
Due to the nature of our Services, we may collect Personal Data of children under the age of 12. Please see the “Minors” section above for more information.
Lawful basis for data processing
American processes Personal Data for the purposes set out in this Privacy Policy, as described above. Our lawful basis to process Personal Data includes processing that is:
- necessary for the performance of the contract between you and American (for example, to facilitate your travel on American under our conditions of carriage, to manage your membership in our loyalty programs, to provide you with other Services that you request, or for resolving billing or customer service inquiries related to your use of our Services);
- necessary to comply with legal or regulatory requirements (for example, to comply with applicable tax and consumer rules, to comply with National Civil Aviation Agency (“ANAC”) and/or with any other administrative body rules etc.);
- necessary for our legitimate interests to:
- manage our relationship with you, including to provide you with relevant information about your booked flight and travel destination;
- improve the website and our Services, including by performing statistical studies or implementing analytics solutions (e.g., analytics cookies);
- provide marketing communications to you, some of which are personalized based on your interests. Depending on the nature of your relationship with American (i.e., whether you are an existing or prospect customer) the communications we send you and the applicable direct marketing rules, we process your Personal Data either based on your consent or based on our legitimate interest to promote our Services to you or those of our partners. You have the right to object to the use of your Personal Data for direct marketing purposes at any time (see section “Data Subject Rights” below);
- ensure safety management, including to ensure the safety of our flights (to the extent not already mandated by legal requirements);
- provide disabled persons and persons with reduced mobility opportunity for air travel comparable to those of other persons
- manage our disputes, prevent cases of fraud or comply with our legal obligations.
- to protect the vital interests of you or another person (for example, if we collect and process medical information in the event of a medical emergency and you are incapable of giving your consent);
- where legally required and we have no other valid legal basis to process Personal Data, we will use consent by our customers (for example, to provide you with marketing information or share information with third parties), which may subsequently be withdrawn at any time (by emailing [email protected]) without affecting the lawfulness of processing based on consent before its withdrawal.
International transfers of personal data
American is a global company, which owns entities in the United States. These entities include Envoy Air, Piedmont Airlines, and PSA Airlines. In order to achieve the purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections above, we may transfer your Personal Data to our global entities or other third parties outside of Brazil.
We will adopt all necessary measures to ensure the overseas recipients can provide the same level of protection as required under applicable Brazilian laws and also use lawful cross-border transfer mechanisms, whenever required by such laws, to transfer your Personal Data overseas.
Data subject rights
Whenever Brazilian law is applicable to the processing of your Personal Data, you have the right to request from American:
- the confirmation of the existence of the processing;
- access to the processed data;
- correction of incomplete, inaccurate or out-of-date data;
- anonymization, blocking or deletion of unnecessary or excessive data or data processed in breach of the provisions of the Brazilian Data Protection Law (LGPD);
- portability of the data to another service provider or product provider, by the means of an express request, pursuant with the regulations of the national authority (ANPD), and subject to commercial and industrial secrets;
- deletion of personal data processed with your consent;
- information about public and private entities with which American has shared data;
- information about the possibility of denying consent and the consequences of such denial; revocation of consent;
- opposition to the processing carried out based on one of the situations of waiver of consent, if there is a breach of the provisions of the LGPD; and
- revision of decisions made solely based on automated processing of personal data affecting your interests, including decisions intended to define your personal, professional, consumer and credit profile, or aspects of your personality.
When we receive a request to exercise one of these rights, we will indicate what Personal Data we require from you to validate your identity. We will also provide information on the action we intend to take on the request.
To exercise these rights please email us at [email protected] and we will respond to your request as within the timeframe provided by the applicable laws and regulations.
You may always contact our Data Protection Officer, at [email protected]. If you consider that our processing of your Personal Data infringes applicable law, you may submit a complaint to the Brazilian Data Protection Authority (ANPD).
This section of the Privacy Policy applies only if you use our website or Services covered by this Privacy Policy in China, and supplements the information in this Privacy Policy.
Sensitive personal information
Credit or debit card payment information, biometric information, and medical information that we collect from you may be considered sensitive personal information under applicable Chinese laws. American only collects and uses sensitive personal information for purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections of this Privacy Policy and will adopt strict security measures when processing sensitive personal information.
Personal information of children
Due to the nature of our Services, we may collect personal information of children under the age of 14. Please see the “Minors” section above for more information.
Sharing of your personal information with third parties
Please see the “With whom your information will be shared” section above for details about how your personal information may be shared with third parties. American will strictly follow the requirements of applicable Chinese laws when sharing your personal information with third parties.
If it is necessary for American to transfer personal information in case of a merger, division, dissolution, declaration of bankruptcy, or other reasons, American will provide notice of the name and contact information of the recipient. The recipient shall comply with this Privacy Policy when processing such personal information.
Cross-border transfer of your personal information
American is a global company, which owns entities in the United States. These entities include Envoy Air, Piedmont Airlines, and PSA Airlines. In order to achieve the purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections above, we may transfer your personal information to our global entities or other third parties outside of China.
We will use lawful cross-border transfer mechanisms to transfer your personal information overseas and adopt necessary measures to ensure the overseas recipients can provide the same level of protection as required under applicable Chinese laws.
Data subject rights
You have the right to access, correct or supplement, restrict or object to processing, and withdraw your consent with respect to your personal information that American collects and processes. You also have the following rights subject to restrictions provided by applicable Chinese laws:
- Under the following circumstances, if American has not deleted your personal information, you have the right to request to delete your personal information:
- The purpose of processing has been achieved, is impossible to be achieved, or it is no longer necessary to achieve the purpose of processing;
- American ceases the provision of products or services to you or the retention period for the personal information ends;
- You have withdrawn your consent; or
- American processes your personal information in violation of applicable Chinese laws or an agreement with you.
- You may also have the right to request that we provide you with means to transfer your personal information to a specific entity designated by you, to the extent that your request is allowed under applicable Chinese laws.
To exercise your rights, please submit your request as described above.
This section of the Privacy Policy applies only if you use our website or Services covered by this Privacy Policy in Colombia, and supplements the information in this Privacy Policy.
Claims process
American has mechanisms so that you can submit claims regarding your personal data. If American identifies that the claim or additional documentation is incomplete, American may require the claimant to remedy the faults or provide additional information. If the claimant does not submit the documentation and information required within two (2) months following the date of the initial claim, the claimant shall be deemed to have waived the claim.
Sensitive personal information
American may need to collect and process sensitive personal information (e.g., health related data, biometric information) to provide its services in compliance with National laws and sectoral regulations, and consent to this effect is optional.
Additional data subject rights
You have the right to file complaints before the Colombian data protection authority, the Superintendencia de Industria y Comercio, and to withdraw consent save when there is a legal or contractual obligation for the personal data to remain in the respective database.
Controller of personal information
To the extent that American Airlines, Inc. is subject to the laws of Ecuador when processing personal data (“Personal Data”), it shall be the “data controller” under such laws.
The information of the data controller, and the Data Protection Officer of the data controller, is the following:
American Airlines
c/o Data Protection Officer
1 Skyview Drive, MD 8B503
Fort Worth, TX 76155 USA
Lawfulness of processing
We can process your personal data when:
- you have given consent to the processing of your personal data for one or more specific purposes;
- it is necessary for the performance of a contract to which you are party, or in order to take steps at the request of you prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which we are subject; or
- the processing is necessary for the legitimate interests pursued by American Airlines or a third party, except when such interests are overridden by interests or fundamental rights and freedoms of our customers that require protection of personal data.
Claims to the data protection authority of Ecuador
You may address the Ecuadorian Data Protection Authority (Superintendencia de Protección de Datos) and submit a claim, especially in cases where you deem that we have not satisfied your individual rights regarding how we process your personal information.
Your rights
You may be entitled to exercise the right to:
- object to the processing of Personal Data (for instance, where the basis of our processing is our legitimate interests, see section above “Lawfulness of processing”), and we will stop processing your data. We will not resume processing unless we can establish compelling legitimate grounds that override your rights.
- request the restriction of processing of your Personal Data (for instance, this can be done if the Personal Data is not accurate and needs to be updated). This can also be done in relation to data where the purposes of processing no longer apply, but you still need the data and do not want us to erase it.
- request updating of your Personal Data (if you believe the information we have about you is not accurate or incomplete). You may ask us to update your Personal Data but we cannot modify it for previously flown bookings because that is the official record of the transaction. For bookings made by a travel agent or through another airline, you must contact that other agency or airline directly to update or manage your Personal Data in the booking.
- request access to your Personal Data (for instance, if you wish to receive a copy of your information, confirmation as to whether we are processing your information, and information as to how we use your information). You may request access to your Personal Data but that may not include information relating to others that you either did not provide to us or who have not consented to the disclosure of their information to you.
- request erasure of your Personal Data (for instance, if we have no legal basis to process the information and you have not given us your consent to do so, if the purposes of processing no longer apply, or if you have objected to the processing and we cannot establish compelling legitimate grounds to override your rights). Certain data may not be erased if we have a requirement to retain it for legal purposes, or if we have a contract with you as a member of AAdvantage® or Business Extra (as we need to be able to perform contractual obligations owed to you). You may ask us to delete your Personal Data, but we cannot do so if you have a pending flight booked with us.
- request portability of your own Personal Data (the transfer of information you have provided to us, to another controller, in a structured, commonly used and machine-readable format), if such a request is technically possible to complete.
To exercise these rights please email us at [email protected].
When we receive a request to exercise one of these rights, we will indicate what Personal Data we require from you to validate your identity. We will also provide information on the action we intend to take on the request. We will respond as soon as possible and in accordance with applicable law.
You may always contact our Data Protection Officer, at [email protected]. If you consider that our processing of your Personal Data infringes applicable law, you may submit a complaint with a supervisory authority.
This section of the Privacy Policy applies only if you use our Services from a country that is a Member State of the European Union, the United Kingdom, Switzerland, or Uruguay, and supplements the information in this Privacy Policy.
Controller of Personal Information
To the extent that American Airlines, Inc. is subject to the laws of the European Union, the United Kingdom, Switzerland, or Uruguay when processing personal data (“Personal Data”), it shall be the “data controller” under such laws.
If you have made a flight booking with us but one or more flights or services (including, for example, access to travel lounges operated by our partner airlines) are to be provided by other airline(s), then that other airline will also separately be considered a “data controller”. Your Personal Data will be processed in accordance with the applicable airline’s privacy policy and, if your booking is made via a reservation system provider (“GDS”), with its privacy policy. These are available at http://www.iatatravelcentre.com/privacy or from the airline or GDS directly. You should read this documentation, which applies to your booking and specifics (for example, how your personal data is collected, stored, used, disclosed and transferred).
Any travel services provider (such as a hotel or car rental company) or AAdvantage® participating partner (such as an AAdvantage® co-branded credit card issuer) will also separately be a “data controller”. For information on how those parties collect, use, and protect your information, you may obtain copies of their privacy policies by contacting them directly or visiting their websites.
Legal basis for data processing
We process Personal Data for the purposes set out in this Privacy Policy, as described above. Our legal basis to process Personal Data includes processing that is:
- necessary for the performance of the contract between you and American (for example, to facilitate your travel on American under our conditions of carriage, to manage your membership in our loyalty programs, to provide you with other Services that you request, or for resolving billing or customer service inquiries related to your use of our Services);
- necessary to comply with legal requirements (for example, to comply with applicable accounting rules, to make mandatory disclosures to law enforcement or to ensure the safety of our Services);
- necessary for our legitimate interests to:
- manage our relationship with you, including to provide you with relevant information about your booked flight and travel destination;
- improve the website and our Services, including by performing statistical studies or implementing analytics solutions (e.g., analytics cookies);
- provide marketing communications to you, some of which are personalized based on your interests. Depending on the nature of your relationship with American (i.e., whether you are an existing or prospect customer) the communications we send you and the applicable direct marketing rules, we process your Personal Data either based on your consent or based on our legitimate interest to promote our Services to you or those of our partners. You have the right to object to the use of your Personal Data for direct marketing purposes at any time (see section “Your Rights” below);
- ensure safety management, including to ensure the safety of our flights (to the extent not already mandated by legal requirements); and
- manage our disputes, prevent cases of fraud or comply with our legal obligations.
- to protect the vital interests of you or another person (for example, if we collect and process medical information in the event of a medical emergency and you are incapable of giving your consent);
- to perform a task carried out in the public or substantial public interest (for example, to provide disabled persons and persons with reduced mobility opportunity for air travel comparable to those of other persons); and
- where legally required and we have no other valid legal basis to process Personal Data, we will use consent by our customers (for example, to provide you with marketing information or share information with third parties), which may subsequently be withdrawn at any time (by emailing [email protected]) without affecting the lawfulness of processing based on consent before its withdrawal.
In some instances, you may be required to provide us with Personal Data for processing as described above, in order for us to be able to provide you all of our Services, and for you to use all the features of our website.
International transfers of personal data
The nature of American’s business means that the Personal Data collected through our Services will be transferred to the United States. Also, the American personnel and some of the third parties to whom we disclose Personal Data (as set out above) may be located in the United States and other countries outside of the European Union, the United Kingdom, Switzerland, or Uruguay, including in countries to which you fly and that may not provide the same level of data protection as your home country. We take appropriate steps to ensure that recipients of your Personal Data are bound to duties of confidentiality and we implement measures such as standard data protection contractual clauses to ensure that any transferred Personal Data remains protected and secure. More information and a copy of these clauses can be requested by emailing [email protected].
Your rights
As described above in the “Application of local laws” section, under data protection laws in the European Union, the United Kingdom, Switzerland, or Uruguay, you have certain rights related to your Personal Data.
You may be entitled to exercise the right to:
- object to the processing of Personal Data (for instance, where the basis of our processing is our legitimate interests, see section above “Legal Basis for Data Processing”), and we will stop processing your data. We will not resume processing unless we can establish compelling legitimate grounds that override your rights.
- request the restriction of processing of your Personal Data (for instance, this can be done if the Personal Data is not accurate and needs to be updated). This can also be done in relation to data where the purposes of processing no longer apply, but you still need the data and do not want us to erase it.
- request updating of your Personal Data (if you believe the information we have about you is not accurate or incomplete). You may ask us to update your Personal Data but we cannot modify it for previously flown bookings because that is the official record of the transaction. For bookings made by a travel agent or through another airline, you must contact that other agency or airline directly to update or manage your Personal Data in the booking.
- request access to your Personal Data (for instance, if you wish to receive a copy of your information, confirmation as to whether we are processing your information, and information as to how we use your information). You may request access to your Personal Data but that may not include information relating to others that you either did not provide to us or who have not consented to the disclosure of their information to you.
- request erasure of your Personal Data (for instance, if we have no legal basis to process the information and you have not given us your consent to do so, if the purposes of processing no longer apply, or if you have objected to the processing and we cannot establish compelling legitimate grounds to override your rights). Certain data may not be erased if we have a requirement to retain it for legal purposes, or if we have a contract with you as a member of AAdvantage® or Business Extra (as we need to be able to perform contractual obligations owed to you). You may ask us to delete your Personal Data, but we cannot do so if you have a pending flight booked with us.
- request portability of your own Personal Data (the transfer of information you have provided to us, to another controller, in a structured, commonly used and machine-readable format), if such a request is technically possible to complete.
To exercise these rights please email us at [email protected].
When we receive a request to exercise one of these rights, we will indicate what Personal Data we require from you to validate your identity. We will also provide information on the action we intend to take on the request in accordance with applicable law.
We will respond to your request as soon as possible and no later than 30 days from receipt of the request. In certain circumstances this time may be extended by an additional two months, for example, where requests are complex or onerous. You may always contact our Data Protection Officer, at [email protected]. If you consider that our processing of your Personal Data infringes applicable law, you may submit a complaint with a supervisory authority.
Exercise of the rights of information, access, rectification, cancellation and opposition of the data
As the owner of your personal data, you have the right to access your data held by American, know the characteristics of its treatment, rectify it if it is inaccurate or incomplete; request that they be deleted or canceled as they are considered unnecessary for the previously stated purposes or oppose their treatment for specific purposes. You may, at any time, revoke the expressly granted consent, as well as limit the use or disclosure of your personal data.
You may direct your request to exercise the aforementioned rights to the following address: [email protected].
When we receive a request to exercise any of these rights, you must submit the respective request in the terms established by the Regulation of Law No. 29733 (including: name of the owner of the personal data and address or other means to receive a response; documents that prove your identity or legal representation, if applicable; clear and precise description of the personal data with respect to which you seek to exercise your rights and other documents that facilitate the location of the data).
We will also provide information about the actions we intend to take on the request without undue delay and no later than 30 days after receiving the request. In some cases, this period could be extended for an additional two months, for example, when the requests are complex or onerous. Please note that these requests are subject to applicable law, ethical reporting standards, or document retention obligations imposed on us.
If you consider that you have not been assisted in the exercise of your rights, you can file a claim with the National Authority for the Protection of Personal Data, by contacting the Filing Desk of the Ministry of Justice and Human Rights. Calle Scipión Llona N° 350, Miraflores, Lima, Perú.
When you provide us with your information, you are agreeing that this information may be stored, transferred and processed on servers located in the United States of America.
This section of the Privacy Policy applies only if you use our Services from South Korea, and supplements the information in this Privacy Policy.
Purpose of personal information processing
Your personal information will be processed for the purposes described in this Privacy Policy. Depending on what services you request from us, this may include the following purposes:
- To provide the BeNotified service
- Search of flight reservation and purchase
- Purchase and issuance of ticket
- Notification related to reservation and purchase of ticket
- Mileage accumulation and use for ticket reservation
- ID verification
- To obtain feedback from customers and address any complaints or requests that customers may have
- For general communication with customers
- To verify whether you are already an AAdvantage® member and whether you have applied multiple times
- To verify whether you are an American Airlines, Inc. employee or an immediate family member
- To notify you of important information about the AAdvantage® program
- To provide you with mileage and other services pursuant to the AAdvantage® program
- Ticketing and preorders of duty-free goods
- To provide benefits available with a Promo code
- To provide services related to a redress number or known traveler number
- To provide services pursuant to member preferences
We may additionally use or provide your personal information after considering the below issues:
- Whether the additional use or provision of personal information is related to the original purpose of collection;
- Whether the additional use or provision of personal information is foreseeable in light of the circumstances in which personal information is collected or practices of processing personal information;
- Whether the additional use or provision of personal information unduly infringes on the interests of users; and
- Whether necessary measures have been taken to ensure security, such as pseudonymization or encryption.
Period of retention and use
Your personal information will be retained only for so long as reasonably necessary for the purposes set out above, considering criteria such as applicable rules on statute of limitations, legal requirements and the duration of your use of our website and receipt of our Services.
Except where preservation of personal information is required by applicable laws and regulations, your personal information will be kept until the above-mentioned purposes of collection and use has been achieved.
Right to refusal and adverse consequences
The personal information collected for travel purposes is mandatory. You have the right to refuse to consent to the collection and use of personal information, but upon such refusal, you may be prevented from reserving or purchasing a ticket.
Provision of personal information to third parties
- We provide personal information to third parties within the scope of consent obtained from users,
- In case of emergencies, such as disasters, infectious diseases, incidents or accidents that cause imminent risk to life or body, and imminent property loss, the Company may provide personal information to relevant agencies without the consent of data subjects, in accordance with the “Rules on Processing and Protection of Personal Information in Emergency Situations” jointly announced by government agencies.
Destruction of Personal Information
- We will destroy personal information without delay when personal information becomes unnecessary, such as when the retention period has lapsed or the purpose of processing personal information has been achieved.
- We are required by other laws and regulations to continue to retain personal information even though the personal information retention period consented by data subjects has expired or the purpose of processing such personal information has been achieved. In such cases, we will transfer the relevant personal information to a separate database (DB) or retain such information at a different location.
- We will destroy personal information as follows:
- We will erase or overwrite personal information recorded and stored in electronic files in an irrevocable manner, and shred or incinerate personal information recorded and stored in paper documents.
Rights and obligations of data subjects and legal representatives and method of exercise thereof
- You have your right to request American to allow you to access, correct, delete or suspend processing of your personal information at any time. This includes:
- Right to request access to your personal information
- Right to request correction in case of error
- Right to request deletion of your personal information; and
- Right to request suspension of personal information processing.
- You may exercise the above rights in writing or via email, and we will take necessary measures without delay.
- You may exercise your rights through your legitimate representative or agent authorized by you, in which case, the appropriate power of attorney must be submitted to us.
- We will verify the identity of a person submitting a request, to protect your privacy.
Measures to ensure security of personal information
We take the following measures to ensure the security of personal information.
- Administrative measures: Establishment and operation of internal management plan, operation of dedicated organization, regular training of employees.
- Technical measures: Management of access rights to the personal information processing system, installation of access control systems, use of encryption where appropriate, and installation and renewal of security programs.
- Physical measures: Control of access to computer room and data storage rooms.
Contact
If you have any questions or comments about the Privacy Policy, need to report a problem, or if you would like us to update, amend, or request deletion of information we have about you, please contact our Chief Privacy Officer or the American Airlines Privacy Office as provided in the section of our Privacy Policy titled “Contact Us”.
Remedy for infringement on rights
You have the right to file an application for resolution of disputes and to consult with the Personal Information Dispute Mediation Committee, the Personal Information Infringement Reporting Center of the Korea Internet Security Agency and other agencies so as to seek remedy. For reports on any other personal information infringement and consultation therefor, please contact the following agencies.
- Personal Information Dispute Mediation Committee: 1833-6972 (no regional code required; www.kopico.go.kr)
- Personal Information Infringement Reporting Center: 118 (no regional code required; privacy.kisa.or.kr)
- Supreme Prosecutors’ Office: 1301 (no regional code required; www.spo.go.kr)
- National Police Agency: 182 (no regional code required; ecrm.cyber.go.kr)
If you believe that your privacy rights and interests have been infringed due to the act or omission of act of the head of a public agency, you may file an administrative appeal in accordance with the Administrative Appeals Act, and please contact the following agency.
Central Administrative Appeals Commission: 110 (no regional code required; www.simpan.go.kr)
We endeavor to protect your privacy rights and to provide counseling and/or remedies for personal information infringement. If you wish to receive consultation on or report any personal information infringement, please contact our Chief Privacy Officer (CPO) (or American’s Privacy Office) using the contact information listed in the “Contact us” section.
Contact us
If you have other questions, comments or concerns about our privacy practices, or if you wish to issue a request to exercise your rights where applicable by law, please contact our Privacy Office at [email protected]. Requests intended for American’s Chief Privacy Officer may also be submitted to our Privacy Office at the same address. Please provide your name and contact information along with the request. Alternatively, inquiries may be mailed to the following address:
American Airlines
c/o Privacy Office
1 Skyview Drive, MD 8B503
Fort Worth, TX 76155 USA