TRAVEL INCORPORATED PRIVACY POLICY
AND
EU-U.S. DATA PRIVACY FRAMEWORK STATEMENT

This Privacy Policy and EU-U.S. Data Privacy Framework Statement was last updated on, and is effective as of, June 7, 2024.

UNLESS YOU ARE A RESIDENT OF THE EUROPEAN UNION OR OTHER DATA SUBJECT UNDER THE GDPR (AS DEFINED BELOW), WHEN YOU ACCESS THE PLATFORM OR USE OUR SERVICES YOU AGREE TO THIS PRIVACY POLICY. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, OR TO ANY CHANGES WE MAY SUBSEQUENTLY MAKE, YOU SHOULD STOP ACCESSING THIS PLATFORM OR USING THE SERVICES.

1.        Overview

  1. Purpose. Travel Incorporated (which also uses the trade names Group Travel Partners, DTI, and Travel Technology Solutions) ( “Travel Incorporated,” “Company,” “we,” “us,” or “our”), operates this web site or application, as applicable (collectively, the “Platform”), and the services and other offerings available through the Platform (collectively, the “Services”). For purposes of this Privacy Policy, “you” or “your” means our customers and other persons who are authorized to use and access the Platform or Services or who otherwise provide personal information to us (including, but not limited to, employees or contractors of our customers). Your privacy is important to us, which is why we have developed this Privacy Policy to explain our practices regarding the use, disclosure of, and access to personally identifiable information and other information that we obtain online from users of the Platform and Services.

  1. Changes to Privacy Policy. We reserve the right to modify this Privacy Policy at any time, and any modifications made will be effective immediately upon posting, so you should check this page for any changes. We will post at the top of this Privacy Policy the date that modifications were last made, which will alert you to any changes since your last visit to the Platform. Your continued use of the Platform is your agreement to the revised Privacy Policy.

2.        The personal information we collect. We collect and process the following personal information about you.

  1. Information that you give us. This includes information you give us so we can provide you with access to the Platform or Services.  When using the Platform or Services, you provide us with personal information about you and your employees so we can provide you with the Services. The information collected is not limited to and includes your name, address, e-mail address, and phone number.

  1. Information that we collect automatically. We automatically collect the following information from your use of the Platform:
  1. technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information (if applicable), browser type and version, browser plug-in types and versions, operating system and platform; and
  2. information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from the Platform (including date and time); products you viewed or searched for; page response times, length of visits to certain pages, and methods used to browse away from the page and any phone number used to call our customer service number.
  3. Information that we receive from third parties.  We work closely with certain third parties to help us provide our Services to you, receive information from them, and to otherwise conduct our business (including, for example, business partners, resellers, sub-contractors in technical and payment services, advertising networks, analytics providers, and search information providers).

3.        Why we collect personal information and what we do with it. When you provide your personal information to us, or we receive your personal information through a contractual relationship with your employer, we will make reasonable efforts to ensure that the purpose for which you are providing your personal information is clear and honored. Depending on who you are and your relationship with us, we will process your personal information as follows:

  1. to carry out our obligations to you from your use of our Platform, the Services, or under another agreement with you;

  1. to administer your account with us;

  1. to provide you with information about our products, the Platform, the Services and any other services we provide;

  1. to administer the Platform and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;

  1. to allow you to participate in interactive features of the Platform or Service, when you choose to do so;

  1. internally, to inform decisions about our business operations and strategy; and

  1. to contact you from time to time to market any other services we provide and we think to be of interest to you.

4.        Who we share your personal information with. In the course of normal business, we may disclose, or allow access to, your personal information to the following entities or persons:

  1. to business partners, suppliers and sub-contractors for the performance of any contract we or you enter into with them or to fulfill our Services to you;

  1. to employer organizations that are our customers in order to allow them and their covered employees and contractors to use our Service, and in some cases upon request from an employer organization, to the covered employees and contractors of such employer organization;

  1. in the event that we sell or transfer any part of our business or assets (whether by merger, asset sale or otherwise), in which case we reserve the right to disclose and transfer your personal information to the prospective buyer of such business or assets;

  1. in the event we are under a duty to disclose or share your personal information in order to comply with any legal or regulatory obligation or request; and

  1. to third parties to enforce agreements between us and such party or to investigate suspected breaches of those agreements or to protect the rights, property or safety of our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

5.        Security Measures for the Platform. We implement a variety of technical, administrative and organizational security measures for the Platform and Services that we believe are commercially reasonable to help us maintain the safety of your personal information when you place an order, or enter, submit, or access your personal information. These security measures include using one or more servers for the Platform and Services that are secured by commercially reasonable measures. You are responsible for keeping confidential your access credentials for the Platform, including password(s) and you should not share your password(s) with anyone.

Notwithstanding the above, you should be aware that the transmission of information via the Internet is not completely secure. Although we will use commercially reasonable measures to protect your personal information, we cannot guarantee the security of your information transmitted using the Services or the Platform, and as a result, any transmission of personal information is at your own risk.

6.        Cookies. The Platform uses cookies to distinguish you from other users of the Platform. This helps us provide you with a good experience when you browse the Platform and enables you to use the Service. The use of cookies also allows us to improve the Platform and the Services.

A cookie is a small file that a site or its service provider transfers to the hard drive of your computer or other device through your Web browser and enables the site or the service provider’s systems to recognize your browser and capture information for use during your visit to our Platform and for future visits to our Platform.

We use the following types of cookies:

  1. Strictly necessary cookies. These are cookies that are required for the operation of the Platform. They include, for example, cookies that enable you to log into secure areas of the Platform, use a shopping cart or session tracking.

  1. Analytical/performance cookies. They allow us to recognize and count the number of visitors and to see how visitors move around the Platform when they are using it. This helps us to improve the way the Platform works, for example, by ensuring that users are finding what they are looking for easily.

  1. Functionality cookies. These are used to recognize you when you return to the Platform. This enables us to personalize our content for you, greet you by name and remember your preferences.

  1. Targeting cookies. These cookies record your visit to the Platform, the pages you have visited, and the links you have followed. We also share this information with third parties that assist us with our Platform and fulfilling our Services for you.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you will not be able to access all or parts of the Platform and use the Services. In addition, if you delete any Platform cookies on a given visit, you would need to block them again in subsequent visits to our Platform.

7.        Children’s Privacy and Age Limitations for the Platform. The Platform is intended for use by persons aged 18 or older.  We do not knowingly collect personally identifiable information from persons under the age of 18. If we discover or are made aware that we have received personally identifiable information from an individual who indicates that he or she is, or whom we otherwise have reason to believe is, under the age of 18, we will delete such information from our systems. If you are a parent or guardian of a child under the age of 18 and believe he or she has disclosed personally identifiable information to us, please contact us as provided below in Section 11.h. In any such event, a parent or guardian of a child under the age of 18 may review and request deletion of such child’s personally identifiable information as well as prohibit the use thereof.

8.        Links to Other Websites. The Platform contains links to other websites, applications, products and services provided or maintained by us, our affiliates and/or by third parties that may not follow the same privacy policies as applicable to the Platform. These other websites, applications, products and services may use cookies, collect data and use the data in ways that are different from the way in which we use the information collected through the Platform. When linking to another website, you should read that website’s privacy policy. Our Privacy Policy only governs information collected on or through the Platform.

9.        Assignment. We reserve the right to assign our rights and duties under this Privacy Policy, including, without limitation, our rights in information collected through the Platform, to any third party at any time without notice to you in connection with any sale, merger, acquisition, divestiture, or liquidation of all or part of our business or assets related to the Platform, all or substantially all of our business or assets, or as part of any reorganization or restructuring of our business.

10.        General Information to Contact Us. Questions, comments and requests regarding our Privacy Policy are welcomed and should be addressed to us at Travel Incorporated, 4355 River Green Parkway, Duluth, Georgia 30096 or at security@travelinc.com.

11.        Additional Privacy Notices for California Residents. The following additional privacy notices for California residents (the “California Notice”) supplement the information contained in the other portions of the Company’s Privacy Policy and apply solely to individuals who reside in the State of California (“California consumer” or “you”). The Company adopts this California Notice to comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and their related regulations (collectively, the “California Privacy Law” or “CPL”) and other applicable California laws.

  1. Overview of Consumer Rights Under the CPL. Under the CPL, California consumers have certain rights regarding their personal information (as defined below in subsection 11.b), including:
  1. The right to know the categories of personal information that the Company has collected and the categories of sources from which we obtained such information.
  2. The right to know the Company’s business purposes for sharing personal information.
  3. The right to know the categories of third parties with whom the Company shared personal information.
  4. The right to know if we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  5. sales, identifying the personal information categories that each category of recipient purchased; and
  6. disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
  7. The right to access the specific pieces of personal information that the Company has collected.
  8. The right to correct personal information that the Company has collected.
  9. The right to delete your personal information.
  10. The right not to be discriminated against if a California consumer exercise their rights under the CPL.

The provisions below of this California Notice provide further details about these and other rights and certain details about the exercise of such rights.

  1.  Information We Collect. We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer, household or device (collectively, “personal information”).

We have collected the following categories of personal information from California consumers within the last twelve (12) months:

Category of Personal Information        Examples

A.  Identifiers.  An individual’s name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number or other similar identifiers

B.  Personal information categories described in Cal. Civ. Code § 1798.80(e)        A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information

C.  Protected classification characteristics under California or federal law Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information)

D.  Commercial information.  Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendency

F.   Internet or other similar network activity.  Browsing history, search history, information on a California consumer’s interaction with a website, application, or advertisement

G.  Geolocation data.  Physical location or movements. (Note: Certain precise geolocation data may be considered to be sensitive personal information under the CPL, and to the extent such data is considered to be sensitive personal information you have the right to limit the use and disclosure of such data).

K. Inferences drawn from other personal information.  Examples include a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

C.  Sources of Personal Information.  In addition to sources of personal information addressed elsewhere in this Privacy Policy, we obtain the categories of personal information listed above from the following categories of sources:

  1. Directly From You. For example, from forms you complete in order to receive the Services you purchase, or from communications with you such as when you contact the Company (whether in person, by mail, by phone, online, via electronic communication or by other means) including our customer support service.
  2. Indirectly From You. For example, from observing your actions on our Platform or from the Services that you have purchased from the Company, if you have enabled such functionality, such as telemetry services.
  3. From Others.
  1. FROM THIRD PARTY SERVICE PROVIDERS. For example, if you choose to make an electronic payment directly to the Company, or through a linked website or app, or through an affiliate of ours, the Company may receive personal information about you from third parties such as payment services providers, for the purposes of that payment.
  2. FROM AFFILIATES. We may collect personal information about you from our affiliates or others acting on their behalf.
  3. FROM PUBLIC SOURCES. For example, we may collect information from public records.

  1. Uses of Personal Information. In addition to uses of personal information addressed elsewhere in this Privacy Policy, we may use, disclose, or allow access to the personal information we collect for one or more of the following business purposes:
  1. To fulfill the reason that you provided the information. For example, if you share your name and contact information to request a price quote, request to be contacted by an affiliate, or ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to purchase a product or service, we may use that information to process your payment and facilitate delivery. We may also save your information to facilitate new product or service orders or to process returns.
  2. To perform services such as customer service, order fulfillment, payment processing, financing and advertising, marketing or analytic services.
  3. To advance our commercial or economic interests, such as by helping you to buy, rent, lease, join, subscribe to, provide, or exchange products, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
  4. To verify or maintain quality or safety standards or improve or upgrade a product or service provided or controlled by or for us.
  5. To provide, support, personalize and develop our Platform, products and services such as to perform warranty related services or other post-sale activities such as product or service monitoring or repairs.
  6. To create, maintain, customize and secure your account with us.
  7. To process your requests, purchases, transactions and payments and prevent transactional fraud.
  8. To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  9. To personalize your Platform experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Platform, third-party sites and via mail, email or text message (with your consent, where required by law).
  10. To help maintain the safety, security and integrity of our Platform, products and services, databases and other assets and business.
  11. For testing, research and analysis purposes, including to develop and improve our Platform, products and services.
  12. To respond to law enforcement requests and as required by applicable law, court order or governmental regulations.
  13. As described to you when collecting your personal information or as otherwise set forth in the CPL or applicable law.
  14. To send you information relevant to your past purchases and interests, subject to compliance with applicable laws regarding direct marketing.
  15. To otherwise use as reasonably necessary and proportionate to achieve our operational or notified purpose for collecting personal information and as compatible with the context in which we collected the information.
  16. To perform services on behalf of a CPL-covered business or its service provider, such as customer service, order fulfillment, payment processing, financing and advertising, marketing, or analytic services.
  17. To review and audit our business interactions with you.
  18. To detect or prevent security incidents or other illegal activity.
  19. To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of a bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Platform users, including California consumers, is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

  1.  Disclosing Personal Information. We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract. In the preceding twelve (12) months, the Company has disclosed the following categories of personal information for a business purpose and to the following categories of third parties:

Category of Personal Information                                                                Category of Third Parties

Category A: Identifiers                                                                         Service Providers/Third Party, etc.

Category B: Personal information categories described in Cal. Civ. Code § 1798.80(e)        Service Providers/Third Party, etc.

Category C: Protected classification characteristics under California or federal law                Service Providers/Third Party, etc.

Category D: Commercial information                                                                Service Providers/Third Party, etc.

Category F: Internet or other similar network activity                                        Service Providers/Third Party, etc.

Category G: Geolocation data                                                                        Service Providers/Third Party, etc.

Category K: Inferences drawn from other personal information                                Service Providers/Third Party, etc.

F. Sales of Personal Information. The Company does not sell personal information to third parties.

G. Exercising Your CPL Rights and Choices. The sections below describe how you may exercise your rights under the CPL.

a. Access to Specific Information and Data Portability Rights. You have the right to request that we disclose certain information to you about our collection and use of your personal information. Once we receive and confirm your verifiable consumer request (see “Exercising Access, Data Portability and Deletion Rights” below), we will disclose to you:

i. The categories of personal information we collected about you.
ii. The categories of sources for the personal information we collected about you.
iii. Our business or commercial purpose for collecting that personal information.
iv. The categories of third parties with whom we share that personal information.
v. The specific pieces of personal information we collected about you (also called a data portability request).
vi. If we disclosed your personal information for a business purpose, a list disclosing the personal information categories that each category of recipient obtained.

As allowed by the CPL, we do not provide these access and data portability rights (i) for business-to-business personal information or (ii) as to personal information collected from the Company’s California-based employees, job applicants or contractors when provided or collected in such employee, job applicant or contractor capacities.

  1. Deletion and Correction Request Rights. You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see “Exercising Access, Data Portability and Deletion Rights” below), we will delete (and direct our service providers to delete) your personal information from our (and service provider) records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
  1. Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. Debug products or services to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another California consumer to exercise their free speech rights, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with California consumer expectations based on your relationship with us, such as future field campaigns or product safety issues.
  8. Comply with a legal obligation.
  9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

As allowed by the CPL, we do not provide these deletion rights (i) for business-to-business personal information or (ii) as to personal information collected from the Company’s California-based employees, job applicants or contractors when provided or collected in such employee, job applicant or contractor capacities.

In addition, if you provide us with a verifiable consumer request to correct inaccurate personal information that we maintain about you, we will use commercially reasonable efforts to correct such information in accordance with your instructions.

  1.  Submitting a Verifiable Consumer Request for Access, Data Portability, Deletion and Correction Rights. To exercise the access, data portability, deletion, and correction rights described above, you should submit a verifiable consumer request to us by one of the following methods:
  1. Calling us toll free at: (855) 874-6603

  2. Emailing us at: security@travelinc.com

  3. Visiting the following page on our Platform: www.travelinc.com

  4. By postal mail at: Travel Incorporated, 4355 River Green Parkway, Duluth, Georgia 30096

  5. Accessing an online account that you maintain with us.
  1.  Making a Verifiable Consumer Request. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of a minor child for whom you are a parent or legal guardian. You may only make a verifiable consumer request for access or data portability twice within a twelve (12) month period. The verifiable consumer request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected personal information or an authorized representative, which may include: your name, your address, additional information depending upon the type of request and the sensitivity of the information involved with such request. The request should also have sufficient detail to enable us to properly understand, evaluate and respond to such request. We cannot respond to your request or provide you with personal information if we cannot verify your identity or your authority to make the request and confirm that the personal information involved with the request relates to you. Making a verifiable consumer request does not require you to create an account with us. However, we will consider requests made through a password-protected online account that you maintain with us to be sufficiently verified when the request relates to personal information associated with that online account, provided such online account functionality is then made available by us on the Platform. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
  1. Response Timing and Format to Verifiable Consumer Request. We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing. If you have an online account with us, we may deliver our written response to that online account, provided that such online account functionality is then made available by us on the Platform. If you do not have an online account with us, or such functionality is not available for your online account we will deliver our written response by mail or electronically, at your option.

If we are unable to comply with your request, the response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

  1. Non-Discrimination. We will not discriminate against you for exercising any of your CPL rights. Unless permitted by the CPL or other applicable law, we will not as a result of you exercising any of your rights under the CPL:
  1. Deny you goods or services;
  2. Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  3. Provide you a different level or quality of goods or services; or
  4. Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the CPL that can result in different prices, rates, or quality levels. Any CPL-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time.

  1.  Retention of Personal Information. Our policy is to retain personal information only for as long as is necessary to fulfill the reason for which the personal information was collected and as necessary to process such personal information. In addition to the above, we will retain your personal information for the purposes of satisfying any professional, legal, accounting or reporting requirements to which we are subject. To determine the appropriate retention period for personal information, we consider the scope, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of the personal information, the purposes for which we collected and processed your personal information and whether we can reasonably achieve those purposes through other means, as well as any applicable legal and professional requirements

  1.  Other California Privacy-Related Disclosures.
  1. California Do-Not-Track Disclosure. At this time, the Platform is not set up to honor web browser do-not-track settings.
  2. Sharing Personal Information for Direct Marketing Purposes. Before sharing personal information of California consumers with third parties for direct marketing purposes we will obtain opt-in consent from the applicable California consumers or provide such California consumers with a cost-free method to opt out.
  3. Information on Marketing Disclosures. California Civil Code Section 1798.83 permits our users who are California residents to request and obtain from us once a year, free of charge, information about the personal information (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of personal information that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us at Travel Incorporated, 4355 River Green Parkway, Duluth, Georgia 30096.
  4. Content Removal Requests for Users Under 18 Years Old.  If you are a user under 18 years of age and reside in California, you may request and obtain removal of, content or information that you have posted on the Platform.   You may send us any such requests by one of the following methods: (A) by email (writing “Privacy Policy – Removal Request” in the subject line) at security@travelinc.com; or (B) by writing to us at Travel Incorporated, 4355 River Green Parkway, Duluth, Georgia 30096. We will review the request and respond promptly.  You should be aware that a request to remove content or information posted by you on the Platform does not ensure or require complete or comprehensive removal of such content or information from our databases.

  1.  Complaints. If you have any complaint about use of the Platform, you may contact us by email at security@travelinc.com, or by postal mail at Travel Incorporated, 4355 River Green Parkway, Duluth, Georgia 30096. In accordance with California Civil Code Section 1789.3, California residents may also file complaints with the Complaint Assistance Unit, Division of Consumer Services, California Department of Consumer Affairs by postal mail at 1625 North Market Road, Suite N112, Sacramento, CA 95834 or by telephone at 800-952-5210.

  1.  Changes to Our California Notice. We reserve the right to amend this California Notice at our discretion and at any time. When we make changes to this California Notice, we will post the updated California Notice on the Platform and update the California Notice’s effective date. Your continued use of our Platform following the posting of changes constitutes your acceptance of such changes.

12.        Additional Notices to European Union Citizens. Persons who are residents of the member countries of the European Union (“EU”) or other data subjects covered by the EU’s General Data Protection Regulation, (EU) 2016/679 (the “GDPR”), have certain additional privacy rights under applicable law. The following provisions of this Section 13 provide an overview of these additional rights.

  1. Legal Bases for Processing Personal Information of European Union Citizens. When processing your personal information, Travel Incorporated relies on one or more of the following legal bases (or other available legal grounds), depending on the circumstances:
  1. Legitimate Interests. Travel Incorporated processes your personal information where Travel Incorporated has a (legal reason to process) in such processing for managing, operating or promoting our business, and that legitimate interest is not overridden by your interests, fundamental rights or freedoms.
  2. Consent. Travel Incorporated processes your personal information where Travel Incorporated has obtained your consent to the processing.
  3. Contractual Necessity. Travel Incorporated processes your personal information where such processing is necessary in connection with any contract that Travel Incorporated has with you.
  4. Legal Requirements. Travel Incorporated processes your personal information where such processing is required by applicable law.

  1. Disclosures to Third Parties. Your personal information will not be disclosed to, or accessed by, third parties except: (i) for where it is necessary for fulfillment of Travel Incorporated’s obligations to you; (ii) to an employer organization that is a customer of Travel Incorporated, and only upon request from such employer organization; (iii) where Travel Incorporated is obliged or permitted to do so by law (including, without limitation, through the terms of any agreement Travel Incorporated may have with you); or (iv) where Travel Incorporated makes disclosures or allows access otherwise consistent with the disclosures, access, and uses described elsewhere in this Privacy Policy.

Travel Incorporated will also disclose any information (including personal information) relating to you to law enforcement authorities or any regulatory or government authority in response to any request including requests in connection with the investigation of any suspected illegal activities.

Travel Incorporated reserves the right to transfer any personal information Travel Incorporated has about you in the event Travel Incorporated sells or transfers all or a portion of our business or assets, or merges with another organization. Should such a sale, transfer or merger occur, Travel Incorporated will use reasonable efforts seeking to require that the transferee uses personal information you have provided to Travel Incorporated in a manner that is consistent with this Privacy Policy and the GDPR.

Travel Incorporated will not sell, resell or lease your personal information to any third parties but Travel Incorporated may, if required for the purpose(s) for which your personal information was collected and processed, share it with Travel Incorporated partners and/or service providers to enable them to provide their services to Travel Incorporated or to you, as applicable. The foregoing is in addition to the other uses described elsewhere in this Privacy Policy.

  1. Security of Personal Information of European Citizens. Travel Incorporated has policies and technical and organizational measures in place which are intended to safeguard and protect your personal information against unauthorized access, accidental loss, improper use and disclosure. However, you should be aware that information transmitted over the internet is not inherently secure because of the nature of the internet and that systems and measures used to secure information are not flawless. For these reasons, although Travel Incorporated will use reasonable efforts to protect your personal information, Travel Incorporated does not warrant the security of personal information transmitted to Travel Incorporated or stored by Travel Incorporated, and personal information that is transmitted to Travel Incorporated by you electronically is done at your own risk.

  1. Retention of Personal Information of European Citizens. Travel Incorporated’s policy is to retain your personal information only for as long as is necessary to fulfill the legal reason to process the personal information. In addition to the above, Travel Incorporated will obtain your personal information for the purposes of satisfying any professional, legal, accounting or reporting requirements to which Travel Incorporated is subject. To determine the appropriate retention period for personal information, Travel Incorporated considers the scope, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of the personal information, the purposes for which Travel Incorporated collected and processed your personal information and whether Travel Incorporated can achieve those purposes through other means, and any applicable legal and professional requirements.

  1. Location of Data Processing. All personal information that we process is processed in the United States.

  1. Your Rights as a European Citizen. You have several rights concerning your personal information that Travel Incorporated holds and uses, including the following:

I.  Right of Access. You have the right to be informed about what personal information Travel Incorporated holds about you and to a copy of this personal information.

Ii.  Right to Rectification. You have the right to have any inaccurate or incomplete personal information which Travel Incorporated holds about you updated or corrected.

Iii. Right to Erasure. In certain circumstances you have the right to request that Travel Incorporated delete the personal information that Travel Incorporated holds about you.

Iv.  Right to Complain. You have the right to lodge a complaint regarding the processing of your personal information to an applicable governmental or supervisory authority in your country.

V.  Right to Withdraw Consent. Where processing of personal information is based on your consent, you have the right to withdraw such consent at any time.

Vi. Right to Object. Where Travel Incorporated relies on our legitimate interests to process your personal information, you have the right to object to such use and Travel Incorporated is required to discontinue such processing unless Travel Incorporated can demonstrate an overriding legitimate interest in such processing.

Vii. Right to Restriction. You have the right to request that Travel Incorporated stop using your personal information in certain circumstances including if you believe that the personal information Travel Incorporated holds about you is inaccurate or that Travel Incorporated’s use of your personal information is unlawful. If you validly exercise this right, Travel Incorporated will store your personal information and will not carry out any other processing until the issue is resolved.

Viii. Right to Data Portability. You have the right to receive your personal information, which you have provided to Travel Incorporated, in a structured, commonly used and machine-readable format and have the right, where technically feasible, to transmit that data to another data processor without hindrance.

Ix. Automated Decision Making, Including Profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you unless such processing is necessary for the performance of contractual obligations between you and Travel Incorporated.

Please submit any User Access Right’s requests, in writing, to Travel Incorporated’s Data Protection Officer (DPO) at the contact information below.

  1. Processors and Controllers. Depending upon the engagement and purposes Travel Incorporated and its Affiliates are either the Controllers, Data Processors or in some cases, Sub-Processors with respect to your Personal Data.  

  1.  Contact Information. Our DPO can be reached at Travel Incorporated, 4355 River Green Parkway, Duluth, Georgia 30096 or at security@travelinc.com.

13.        EU-U.S. Data Privacy Framework Statement. Travel Incorporated complies with the EU-U.S. Data Privacy Framework (the “EU-U.S. DPF”) as set forth by the U.S. Department of Commerce.  Travel Incorporated has

certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (the “EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Policy (including the Statement) and the EU-U.S. DPF Principles, the EU-U.S. DPF Principles shall govern.  To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit the Data Privacy Framework at website.

In support of its adherence to the EU-U.S. DPF, Travel Incorporated affirms the following:

  1. Scope. This EU-U.S. Data Privacy Framework Statement (the “Statement”) sets forth the privacy principles that Travel Incorporated follows with respect to transfers of personal data, including personal information/sensitive personal information (collectively “Personal Data”), from the member states of the European Union (“EU”) to the United States (and which Personal Data may include human resources data as well as personal data other than human resources data). This Statement applies to all Personal Data received by Travel Incorporated in any format including electronic, paper or verbal, from the EU concerning individual residents of the EU or other individuals (collectively “Covered Persons”) covered by data privacy laws applicable in the EU. As an integral part of its business, Travel Incorporated collects and processes Personal Data from Covered Persons in a variety of ways, including manually, via telephonic means (including facsimiles), electronic mail or its platform and services. Travel Incorporated will not sell or share this information with third parties in ways different than what are disclosed in this Statement or in its related Privacy Policy. Personal Data collected by Travel Incorporated from Covered Persons may be maintained at its data centers in Suwanee, Georgia and Irving, Texas.

  1. Enforcement.  The Federal Trade Commission has jurisdiction over Travel Incorporated’s compliance with the EU-U.S. DPF.

  1. Notice About Collection and Uses of Personal Data. Travel Incorporated collects Personal Data for, among other things, legitimate business reasons such as customer service, travel related reporting and records requirements, maintenance of accurate accounts payable and receivable records, performance management, certain human resources purposes, financial and sales data, and contact information. All Personal Data collected by Travel Incorporated will be used for legitimate business purposes consistent with this Statement.  

Where Travel Incorporated collects Personal Data directly from Covered Persons, it will inform them about the purposes for which it collects and uses that information about them, the types of non-agent third parties to which Travel Incorporated discloses that information, and the choices and means, if any, Travel Incorporated offers Covered Persons the ability to limit the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when Covered Persons are first asked to provide Personal Data to Travel Incorporated, or as soon as practicable thereafter, and in any event before Travel Incorporated uses the information for a purpose other than that for which it was originally collected. At present, Travel Incorporated’s Privacy Policy addresses the above matters.  

  1.  Choice Concerning Disclosures. Section 4 of the Privacy Policy provides information about third parties to whom Travel Incorporated may disclose Personal Data.  Travel Incorporated will offer Covered Persons the opportunity to choose (opt-out) whether their Personal Data is (i) to be disclosed to a non-agent third party, or (ii) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Covered Persons. For sensitive personal identifiable information, Travel Incorporated will give Covered Persons the opportunity to affirmatively and explicitly (opt-in) consent to the disclosure of the information to a non-agent third party or to the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Covered Person. Travel Incorporated will Covered Persons with reasonable mechanisms to exercise their choices should requisite circumstances arise.

There are circumstances under which Travel Incorporated is legally compelled to disclose a Covered Person’s Personal Data, including where disclosure is required by law, as necessary to comply with an order of a court or governmental agency, for export control, where necessary for matters of safety, national security or other security concerns, and to protect Travel Incorporated’s rights. In such cases of a third party request for disclosure, Travel Incorporated will only provide the minimum amount of Personal Data permissible when responding to such a request.

  1.  Onward Transfers. Travel Incorporated may transfer Personal Data to our third-party agents or service providers who perform functions on our behalf as described in the previous sections of this Privacy Policy. Where required by the EU-U.S. DPF, Travel Incorporated enters into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the EU-U.S. DPF requires and limiting their use of the data to the specified services provided on our behalf. Travel Incorporated takes reasonable and appropriate steps to ensure that third-party agents and service providers process Personal Data in accordance with our EU-U.S. DPF obligations and to stop and remediate any unauthorized processing. Travel Incorporated shall remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their processing of Personal Data that we transfer to them if they process such Personal Data in a manner that is inconsistent with the EU-U.S. DPF Principles.

  1.  Rights of Access, Correction, Updates and Deletions. Upon request, Travel Incorporated will grant Covered Persons access to Personal Data that it holds about them. In addition, Travel Incorporated will take reasonable steps to permit Covered Persons to correct, update or delete information that is demonstrated to be inaccurate or incomplete or for other legitimate reasons. Any Covered Person covered by this Statement who desires to review, correct, update or delete their information can do so by contacting Travel Incorporated, Account Management, 4355 River Green Parkway, Duluth, GA 30096 or security@travelinc.com.  

  1.  Dispute Resolution. In compliance with the EU-U.S. DPF Principles, Travel Incorporated commits to resolve complaints about our collection or use of the Personal Data of Covered Persons.  EU  individuals and other Covered Persons with inquiries or complaints regarding our EU-U.S. DPF policy or the use or disclosure of Personal Data should contact Travel Incorporated by email at Security@travelinc.com or by postal mail at Travel Incorporated, Chief Privacy Officer, 4355 River Green Parkway, Duluth, GA 30096. Travel Incorporated will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Statement and shall be governed by, and construed in accordance with laws of the State of Georgia, USA. For complaints that cannot be resolved between Travel Incorporated and the complainant, Travel Incorporated has agreed to participate in the dispute resolution procedures of the panel established by the relevant European data protection authorities to resolve disputes pursuant to the EU-U.S. DPF Principles. In addition, Covered Persons may, under certain conditions, invoke binding arbitration to address complaints regarding EU-U.S. DPF compliance that are not otherwise resolved by other mechanisms. More information about such binding arbitration may be found by accessing the following links on the Department of Commerce’s official EU-U.S. DPF website:  Data Privacy Framework .

  1.  Other Privacy Rights and Notices. Sections 1 through 10 and Section 12 of the Travel Incorporated Privacy Policy also address additional notices and rights that are applicable to Covered Persons in relation to Travel Incorporated’s processing of Personal Data and that reinforce the EU-U.S. DPF Principles.    

  1.  Contact Information. Covered Persons may contact Travel Incorporated about complaints, inquiries and other matters concerning the company’s processing of Personal Data by one of the following means:  by mail at Travel Incorporated, 4355 River Green Parkway, Duluth, Georgia 30096 or by email at security@travelinc.com .  Covered Persons are also entitled to contact their local data protection authorities and for which more information can be found at this link: Our Members | European Data Protection Board (europa.eu) .