Privacy Policy

  1. WHO ARE YOU AND WHAT IS ID90T, Inc?


    1. We are ID90T, Inc., a company registered in Delaware, USA, with trading address at 925, S. Kimball Avenue, Suite 140 Southlake, TX 76092 (we, us, our).

    2. In order to accommodate our Clients based in the EEA, or which employ individuals within the EEA and also any Users to whom we target services, we have self-certified with the Department of Commerce that we adhere to the Privacy Shield Principles. To review our Privacy Shield Policy (Policy), please click here. Our Policy is intended to supplement the rights and information set out in this document and provide additional rights and such information as may be required under the Privacy Shield Principles in respect of EEA Personal Data (as defined therein).

    3. Our software tool (ID90T) offers 2 distinct services (together, our Services):

      1. Ticketing Solution Services: It provides Contracted Airlines with a ticketing system for “non-rev” employee travel; and

      2. Complementary Travel Services: It provides Users of ID90T with Complementary travel services from Third Party Affiliates.

  2. WHAT IS THIS NOTICE?


    1. From time to time we may need to process Personal Data (that is information which can be used to identify someone) in connection with our Services. This Personal Data may be about you or other people. This notice explains how we will use any Personal Data we hold.

    2. We hold Personal Data about the following groups of people (Data Subjects):

      1. Clients: that is Personal Data about our Contracted Airlines and Third Party Affiliates (in each case including key contact data);

      2. Prospective Clients: that is Personal Data about key contacts in businesses we think may be in our Services, but which are not contracted with us;

      3. Partner Employees: that is Personal Data provided to us by a Contracted Airline about their employees or collected by us on behalf of the Contracted Airline for the purposes of providing the Ticketing Solution Services; and

      4. Users: that is Personal Data provided to us by any User of ID90T (whether or not a Partner Employee) or Third Party Affiliate, or collected by us, in each case in connection with the Complementary Travel Services or otherwise outside the scope of Ticketing Solutions Services.

    3. As part of our Services, we may need to transfer Personal Data about Users of ID90T to third parties (for more details on this have a look at paragraph 8 below). This notice only deals with our use of Personal Data. Recipients are not bound by this privacy notice. This notice should make it clear exactly when and to whom data may be transferred – but if you have any questions feel free to send us an email at privacy@id90travel.com .

    4. We might need to change this privacy notice from time to time. We will publish our privacy notice on our website (available at www.id90travel.com) and do our best to update you directly if we think the changes might affect you. Please do keep an eye on our notice before us any Personal Data or uploading it on to ID90T.

  3. ARE YOU A CONTROLLER OR A PROCESSOR?


    1. It depends on who the data is about and where it came from:

      1. We are a Controller in respect of any Client Data which we hold. This means that we make decisions about what types of Personal Data we think we need to collect about our Clients and how to use it to make our business work.

      2. We are a Controller in respect of any Prospective Client Data which we hold. This means that we make decisions about what types of Personal Data we think we need to collect about businesses we have identified as prospective clients (and their key contacts) and how to use it for our business purposes.

      3. We are a Processor in respect of any Partner Employee Data which we hold. This means we use the data in accordance with the relevant Contracted Airline’s instructions and not for our own purposes. The only decisions we make in respect of this data is procedural. The relevant Contracted Airline is the Controller.

      4. We are a Controller in respect of any User Data which we hold. This is because we have a direct relationship with users who sign up to use our software. We use the data for our own purposes rather than in accordance with someone else’s instructions. We make decisions about what data we would like to collect from you and how to use it to make our business work.

  4. WHAT PERSONAL DATA DO YOU COLLECT AND WHERE DO YOU GET IT FROM?

    1. Clients

    2. We may collect and store the following data about our Clients:

      1. Information a Client provides us with directly. This might include:
        • Identity data of key contacts of the Client;
        • Information about the Client’s business, workforce and needs;
        • Information about requests, disputes or responses to surveys; and
        • Information about a Client’s marketing preferences.
        • Transaction data about services purchased by our Client.
        • We use a third party service provider to manage financial data on our behalf. Save for authorisation tokens, we do not have access to our Client’s financial data

      2. Information which we collect automatically. This might include:
        • Usage data: which might include information about how a Client uses our website or ID90T service;
        • Traffic data: which might include information about websites, ads or links clicked on by our Client before, during or after visiting our website or ID90T service;
        • Technical data: which might include information about the device used by our Client to access our website or ID90T service.

        For more information about what cookies we use, please see our Cookies Policy, which can be accessed here.

      Prospective Client Data


    3. We may collect and store the following data about Prospective Clients:

      1. Information a Prospective Client provides us with directly. This might include:
        • Identity data of key contacts of a Prospective Client;
        • Information about a Prospective Client’s business, workforce and needs;
        • Information about a Prospective Client’s marketing preferences;
        • Information about requests, disputes or responses to surveys.

      2. Information which we collect automatically. This might include:
        • Usage data: which might include information about how a Client uses our website or ID90 Travel service;
        • Traffic data: which might include information about websites, ads or links clicked on by our Client before, during or after visiting our website or ID90 Travel service;
        • Technical data: which might include information about the device used by our Client to access our website or ID90T service.

        For more information about what cookies we use, please see our Cookies Policy, which can be accessed here.

      Airline Employees


    4. We may collect and store the following data about Airline  Employees:

      1. If you are or have been an employee of one of our Contracted Airlines, we may receive information about you which is given to us by our Contracted Airlines. This might include:
        • Identity data (including identification number)
        • Information about job benefits
        • Information about your job status (such as whether you have retired)

      2. Information which an Airline Employee or ID90T User provides us with directly. This might include:
        • Identity and contact data
        • Login details
        • Information about your job (or previous job)
        • Itinerary details
        • Information about your preferences
        • Information about your interests and hobbies
        • Transaction data about services you’ve purchased on ID90T
        • We use a third party service provider to manage financial data on our behalf. Save for authorisation tokens, we do not have access to an Airline Employee or ID90T User’s financial data
        • Information about requests, disputes or responses to surveys

      3. If you have used ID90T to benefit from our Discount Travel Services, we may receive information about you which a Third Party Supplier provides us with. This might include:
        • Identity data
        • Itinerary ID
        • Transaction data (including amount paid for certain third party services advertised on ID90T)

      4. Information which we collect automatically. This might include:
        • Usage data: which might include information about how a Client uses our website or ID90T service;
        • Traffic data: which might include information about websites, ads or links clicked on by our Client before, during or after visiting our website or ID90T service;
        • Technical data: which might include information about the device used by our Client to access our website or ID90T service.

        For more information about what cookies we use, please see our Cookies Policy, which can be accessed here.


  5. HOW WILL YOU USE THE PERSONAL DATA YOU HOLD AND WHAT IS YOUR LAWFUL BASIS FOR DOING SO?

    1. Client Data

    2. We hold and process Client Contact Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Client Contact Data along with our lawful basis in the table below.

    3. Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use goes no further than a Client would reasonable expect; is likely to align with the Client’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of our Client.

    4. We may collect aggregate data about our Clients’ use of ID90T. Any such data will be anonymized and used for business and market research purposes.

    PURPOSE/

    ACTIVITY

    DESCRIPTION

    TYPES OF DATA

    LAWFUL BASIS

    To provide our services


    To provide our Services which may include support and maintenance of your account on ID90T and facilitating the set-up and managing payment

    Identity Data

    Contact Data

    Transaction Data

    Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract.

    To manage our relationship with you

    To notify you of updates to our services or software or updates to our privacy notice


    Identity Data

    Contact Data

    Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract.


    Legitimate Interest

    Administration and Dispute Resolution

    We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution. 

    Identity Data

    Contact Data

    Transaction Data

    Legitimate Interest

    Marketing

    From time to time we might contact you by telephone or email about updates to our services, new features or functions or new products we are bringing out. We will always include the right to opt out in any such correspondence.


    We may also use third party services which enable us to promote services to you on third party websites or platforms (such as Facebook or Linkedin).


    Our marketing may be tailored on the basis of what we think your interests are (from looking at traffic and usage data collected using cookies and other similar technologies as well as past transactions and interactions). 


    Identity Data

    Contact Data

    Transaction Data

    Profile Data

    Traffic Data

    Legitimate Interest



      Prospective Client Data

    1. We hold and process Prospective Client Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Prospective Client Data along with our lawful basis in the table below.

    2. Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use goes no further than a Prospective Client would reasonable expect; is likely to align with the Prospective Client’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of our Prospective Client.

    3. We may collect aggregate data about our Prospective Clients’ use of ID90T.  Any such data will be anonymized and used for business and market research purposes.

    PURPOSE/

    ACTIVITY

    DESCRIPTION

    TYPES OF DATA

    LAWFUL BASIS

    Marketing

    From time to time we might contact you by telephone or email about updates to our services, new features or functions or new products we are bringing out. We will always include the right to opt out in any such correspondence.


    We may also use third party services which enable us to promote services to you on third party websites or platforms (such as Facebook or Linkedin).


    Our marketing may be tailored on the basis of what we think your interests are (from looking at traffic and usage data collected using cookies and other similar technologies as well as past transactions and interactions). 


    Identity Data

    Contact Data

    Transaction Data

    Profile Data

    Traffic Data

    Legitimate Interest


    Consent


    Responding to your requests for information (solicited marketing)

    This may involve sending you information about our services if you have asked us to do so or contacting you whether by telephone or email to discuss our services


    Identity Data

    Contact Data

    Consent


    Necessary steps to enter into a contract


      Partner Employee Data

    1. Since we are acting as a Processor in respect of any Partner Employee Data, we will only use it in accordance with the relevant Contracted Airline’s instructions (for the purpose of providing the Ticketing Solution Services). This may include running a check to validate that the Airline Employee is employed by the relevant Contracted Airline.

    2. We may collect aggregate data about how Airline Employees use our software in connection with the Ticketing Solution Services. This data will be anonymized and will not identify a Airline Employee.

      User Data

    1. Since User Data relates to individuals who sign up to receive our Complementary Travel Services or usage data of users who have agreed to our terms of use, we hold and process User Data as a Controller. This means we must have a ‘lawful basis’ for doing so. We have set out how we use User Data along with our lawful basis in the table below.

    2. Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use goes no further than a User would reasonable expect; is likely to align with the User’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of our User.

    3. It is unlikely that much of the Personal Data which we collect and store will include Special Categories of Personal Data. Special Categories of Personal Data includes details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data. However, it may be the case  if, for example, your travel requirements included any information relating to health matters. To the extent that is the case, we will only process such data on the basis of your consent.


    4. We may collect aggregate data about our User’s use of ID90T. Any such data will be anonymized and used for business and market research purposes.

    PURPOSE/

    ACTIVITY

    DESCRIPTION

    TYPES OF DATA

    LAWFUL BASIS

    To provide you with our Services

    To provide our Services which may include support and maintenance of your account on ID90T and facilitating the set-up and managing payment. This may also include sending you an email (and/or push notification) to confirm any transaction on our site.

    Identity Data

    Contact Data

    Transaction Data

    Necessary for the performance of the contract for the provision of our services

    To manage our relationship with you

    To notify you of updates to our services or software or updates to our privacy notice. We may also send you a reminder email (or push notification) about services which you expressed an interest in when using ID90T.


    Identity Data

    Contact Data

    Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract.

    Legitimate Interest

    Monitoring account usage

    We may record usage patterns or other data we collect from your use of ID90T in order to make sure such use is in accordance with our terms of use.

    Identity Data

    Contact Data

    Transaction Data

    Usage Data

    Legitimate Interests

    Administration And dispute Resolution

    We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution. 

    Identity Data

    Contact Data

    Transaction Data

    Legitimate Interest

    Marketing (profiling and direct mail)

    From time to time we might contact you by telephone or email or via push notification about updates to our services, new features or functions or new products we are bringing out. We will always include the right to opt out in any such correspondence.

    We may also use third party services which enable us to promote services to you on third party websites or platforms (such as Facebook or Linkedin).

    Our marketing may be tailored on the basis of what we think your interests are (from looking at traffic and usage data collected using cookies and other similar technologies as well as past transactions and interactions). 

    Identity Data

    Contact Data

    Transaction Data

    Profile Data

    Traffic Data

    Legitimate Interest


    Consent




  6. DO YOU DISCLOSE PERSONAL DATA TO ANYONE ELSE?


  7. DATA SUBJECT GROUP

    TYPES OF DATA TRANSFERRED

    RECIPIENT

    REASON FOR TRANSFER

    RECIPIENT LOCATION

    Clients

    Prospective Clients

    Airline Employees

    ID90T Users

    All types held

    Staff and employees

    Strictly to the extent necessary to provide our Services


    US - Texas


    All types held


    Host Service Provider

    Store data

    US - Virginia


    All types held

    Back up Service provider

    Store data as backup

    US- Oregan


    All types held


    If we are under a duty to disclose or share Personal Data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements or to protect the operation of our website, or the rights, property, or safety of us, our customers, or others.

    Currently unknown


    All types held

    Buyer


    if we sell, transfer or merge parts of our business or our assets. If a change happens to our business, then the new owners will only be entitled to use Personal Data in accordance with the provisions set out in this privacy notice.

    Currently unknown


    All types held


    Email marketing platform

    Manage marketing emails

    US


    All types held


    Push notification platform

    Manage in app push notifications

    US

    Clients

    Airline Employees

    ID90T Users

    Identity and Contact

    Financial

    Transactions

    Payment provider

    To facilitate payments on our behalf

    US

    Airline Employees

    Identity and Contact

    Transactions

    Contracted Airline


    If such transactions are carried out in connection with our Ticketing Solution Services. This transfer will be undertaken in our role as a processor acting on behalf of the Airline Employee (which will be the controller).


    This will vary on a case-by-case basis depending on the location of the Contracted Airline.

    ID90T Users

    Identity and Contact

    Transactions

    Third Party Affiliates


    In order to facilitate bookings or other transactions made on our ID90T platform. Any such transfer will be to a Third Party Affiliate acting as a controller.

    This will vary on a case-by-case basis depending on the location of the booking agent and/or services booked.


    If you have any questions about who your data might be transferred to please send us an email at privacy@id90travel.com .



  8. WHAT SECURITY PROCEDURES DO YOU HAVE IN PLACE?


    1. We implement robust security procedures to safeguard the data we hold. We are PCI compliant and we use encryption techniques to encrypt any data we store and transfer.
    2. There are some steps you can take to help make sure that your data is protected. For example:
      1. if you are contacting us with a query or complaint, only ever give us your work details rather than your personal contact details;
      2. if you are sending any financial details or sensitive information, consider sending it in separate emails or encrypted, password protected documents; and
      3. make sure that you keep any passwords associated with your ID90T account secure.

  9. WHERE DO YOU STORE THE PERSONAL DATA YOU COLLECT?


    1. Our servers are currently based in the states of Virginia and Oregon in the USA, though we will access and process Personal Data in the state of Texas in the USA. We have self-certified under the privacy shield. For details of our privacy shield notification, please click here.
    2. If you would like further information about where we store your data, please contact us at privacy@id90travel.com.

  10. FOR HOW LONG DO YOU STORE PERSONAL DATA?

    1. Client Data

    2. Our retention policy for Client Data is follows:
      1. we may store data related to transactions for up to 7 years to ensure that we have sufficient records from an accounting and tax perspective. Any such data retained for a longer period will be anonymized so that an individual cannot be identified;
      2. we may archive data relating to negotiations, contracts agreed, payments made, disputes raised and your use of our software for up to 6 years to protect ourselves in the event of a dispute arising between you and us. Any such data retained for a longer period will be anonymized so that an individual cannot be identified;
      3. we may retain data which is held for marketing purposes until the Data Subject opts out. We will always include an opt-out in every marketing communication we send out.
      4. we may store aggregate data without limitation (on the basis that no individual can be identified from the data).

      Prospective Client Data

    3. Our retention policy for Prospective Client Data is follows:
      1. we may archive data relating to negotiations, contracts agreed, payments made, disputes raised and your use of our software for up to 6 years to protect ourselves in the event of a dispute arising between you and us. Any such data retained for a longer period will be anonymized so that an individual cannot be identified;
      2. we may retain data which is held for marketing purposes until the Data Subject opts out. We will always include an opt-out in every marketing communication we send out.
      3. we may store aggregate data without limitation (on the basis that no individual can be identified from the data).

      Partner Employee Data

    4. Since we hold Partner Employee Data as a Processor, we will only retain it for as long as the relevant Contracted Airline has an account with us. Once that contract terminates, we will securely delete such data within 30 days.

    5. User Data

    6. Our retention policy for User Data is as follows:
      1. we may store data related to transactions for up to 7 years to ensure that we have sufficient records from an accounting and tax perspective. Any such data retained for a longer period will be anonymized so that an individual cannot be identified;
      2. we may archive data relating to negotiations, contracts agreed, payments made, disputes raised and your use of our software for up to 6 years to protect ourselves in the event of a dispute arising between you and us. Any such data retained for a longer period will be anonymized so that an individual cannot be identified;
      3. we may retain data which is held for marketing purposes until the Data Subject opts out. We will always include an opt-out in every marketing communication we send out.
      4. we may store aggregate data without limitation (on the basis that no individual can be identified from the data).


  11. WHAT RIGHTS DO I HAVE IN RESPECT OF ANY PERSONAL DATA YOU HOLD ABOUT ME?


    1. Data Subjects have the following rights in respect of Personal Data relating to them which can be enforced against whoever is the Controller. This will be us in respect of Client Data, Prospective Client Data and User Data, and the relevant Contracted Airline in respect of Partner Employee Data:
      1. Right to be informed: the right to be informed about what Personal Data the Controller collects and stores about you and it’s used.
      2. Right of access: the right to request a copy of the Personal Data held, as well as confirmation of:
        1. the purposes of the processing;
        2. the categories of personal data concerned;
        3. the recipients to whom the personal data has/will be disclosed;
        4. for how long it will be stored; and
        5. if data wasn’t collected directly from you, information about the source.
      3. Right of rectification: the right to require the Controller to correct any Personal Data held about you which is inaccurate or incomplete.
      4. Right to be forgotten: in certain circumstances, the right to have the Personal Data held about you erased from the Controller’s records.
      5. Right to restriction of processing: the right to request the Controller to restrict the processing carried out in respect of Personal Data relating to you. You might want to do this, for instance, if you think the data held by the Controller is inaccurate and you would like to restrict processing the data has been reviewed and updated if necessary.
      6. Right of portability: the right to have the Personal Data held by the Controller about you transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format.
      7. Right to object to direct marketing: the right to object where processing is carried out for direct marketing purposes (including profiling in connection with that purpose.
      8. Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on you.

    2. If you want to avail of any of these rights, you should contact us immediately at privacy@id90travel.com. If we are not the Controller, we will need to transfer your request to the Controller – but we will only do so with your consent. If you do contact us with a request, we will also need evidence that you are who you say you are to ensure compliance with data protection legislation.


  12. WHAT HAPPENS IF I NO LONGER WANT YOU TO PROCESS PERSONAL DATA ABOUT ME?


    1. You may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever. This may have an impact on the services you receive from us. For example, if you ask us to stop processing Personal Data about you, you will no longer be able to access ID90T since we will not be able to identify you.

    2. A request to stop receiving direct marketing communications will not impact your access to ID90T.

    3. If we hold your Personal Data as a Processor, to facilitate your request we may need to pass it to the Controller. We will only do so with your consent.

  13. WHO DO I COMPLAIN TO IF I’M NOT HAPPY WITH HOW YOU PROCESS PERSONAL DATA ABOUT ME?


    1. If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Protection Officer immediately at our registered address (see paragraph 1.1 above) or by email to privacy@id90travel.com. If we are processing Personal Data about you on behalf of our Client, we will need to pass your complaint to our Client – we will only do so with your consent.

    2. If you wish to make a complaint about how we have handled Personal Data about you, you may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns/ or you may contact the independent dispute resolution body set out in our Privacy Shield Notification (which can be accessed here).

  14. WHAT DO ALL OF THE DEFINED TERMS IN THIS PRIVACY NOTICE MEAN?


    1. Throughout this notice you’ll see a lot of defined terms (which you can recognise because they’re capitalised). Where possible, we’ve tried to define them as we go, but we thought it might be useful to have a glossary at the end for you. Anywhere in this notice you see the following terms, they’ll have the following meanings:

    2. Airline Employees means individuals employed by airlines or who were employed by airlines but have since retired;

      Client Data means Personal Data about our Contracted Airlines and Third Party Affiliates (in each case including key contact data);

      Complementary Travel Services means the discount travel services which we provide to Airline Employees and ID90T Users;

      Contracted Airlines means airlines which have contracted with us to provide Ticketing Solution Services to their Airline Employees;

      Controller is a legal term set out in the General Data Protection Regulation (GDPR), it means the party responsible for deciding what Personal Data to collect and how to use it;

      Data Subject means the individual who can be identified from the Personal Data;

      ID90T means our cloud-based software tool which we use to provide our Services;

      ID90T Users means any user, whether Airline Employee or not, whom has access to our cloud-based software tool;

      Our Services means either or both of our Complementary Travel Services and our Ticketing Solution Services;

      Partner Employee Data: that is Personal Data provided to us by a Contracted Airline about their employees or collected by us on behalf of the Contracted Airline for the purposes of providing the Ticketing Solution Services;

      Personal Data means data which can be used to identify a living individual. This could be a name and address or it could be a number of details which when taken together make it possible to work out who the information is about. It also includes information about the identifiable individual;

      Processor is another legal term set out in the GDPR, it means the party who has agreed to process Personal Data on behalf of the Controller.

      Third Party Affiliates means third parties which we have agreed may advertise and sell Complementary services relating to travel (such as hotels, cruises, rental cars etc) on ID90T

      Ticketing Solution Services means the ticketing system solution which we provide to Contracted Airlines for “non-rev” employee travel;

      User Data: that is Personal Data uploaded provided to us by an ID90T User or Third Party Affiliate or collected by us, in each case in connection with the Complementary Travel Services

      we, us, our means ID90T, Inc., a company registered in Delaware, USA, with trading address at 925, S. Kimball Avenue, Suite 140 Southlake, TX 76092


    If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

    Last updated: February 5th, 2019.