Privacy Statement
Last Updated: 1-1-2024
Please read the following statement to learn about our privacy practices. By visiting this website, legal.expediagroup.com (the “Site”), you are accepting the practices described herein.
Lawful bases for processing
In the tables below, you will find the lawful basis we rely on to collect and use your personal information.
In summary, we will collect personal information from you only when one of the following lawful bases applies:
- Consent: this means that we will process your personal information where you have given your consent to do.
- Legal obligation: this means that we will process your personal information where we have a legal obligation to collect personal information from.
- Legitimate interest: this means that we will process your personal information where the processing is in our legitimate interests and not overridden by your rights (as explained below),
- Certain countries and regions allow us to process personal information on the basis of legitimate interests. If we collect and use your personal information in reliance on our legitimate interests (or the legitimate interests of any third-party), this interest will typically be to operate or improve our platform and communicate with you as necessary to provide our services to you, to respond to your queries, or for the purposes of potentially detecting or preventing illegal activities. While the concept of legitimate interest only exists in certain countries and regions, we balance our usage of your personal information against your rights globally.
CATEGORIES OF PERSONAL INFORMATION WE COLLECT AND USE
- Platform Usage Purposes – including to:
- Help display information better and more quickly.
- Communications Purposes – including to:
- Respond to your questions, requests for information, and process information choices.
- Security and Compliance Purposes – including to:
- Promote security, verify identity of our partners, travelers, and other users, prevent and investigate fraud and unauthorized activities, defend against claims and other liabilities, and manage other risks.
- Comply with applicable laws, protect our and our users’ rights and interest, defend ourselves, and respond to law enforcement, other legal authorities, and requests that are part of a legal process.
- Comply with applicable security and anti-terrorism, anti-bribery, customs and immigration, and other such due diligence laws and requirements.
We collect the following categories of personal information for the following purposes:
| Personal Information Category | Purposes for collection | Sources of Personal Information | Lawful basis |
|---|---|---|---|
Identification data – including name, email address, telephone number |
|
|
|
Geolocation data – including inferred location from IP address or country selected Communications with us – including emails |
|
|
|
Communications with us – including emails |
|
|
|
Site interaction data - including interactions with you on our platform and online services and apps |
|
|
|
Device data – including device type, unique device identification numbers , operating system, mobile carrier, and how your device has interacted with our online services, including the pages accessed, links clicked, and features used, along with associated dates and times |
|
|
|
SHARING OF PERSONAL INFORMATION
| Recipient of Personal Information | Purpose Category |
|---|---|
| Expedia Group Companies. We share your personal information within the Expedia Group companies, listed at expediagroup.com. Expedia Group companies (either autonomously or as joint data controllers, where applicable) share access and use your personal information as described in this Privacy Statement. |
|
| Third-party service providers. We share personal information with third-parties in connection with the operation of our business. These third-party service providers are required to protect personal information we share with them and may not use any directly identifying personal information other than to provide services we contracted them for. They are not allowed to use the personal information we share for purposes of their own direct marketing (unless you have separately consented with the third-party under the terms provided by the third-party). |
|
| Recipients in relation to our legal rights and obligations. We may disclose your personal information and associated records to enforce our policies; or where we are permitted (or believe in good faith that we are required) to do so by applicable law, such as in response to a subpoena or other legal request, in connection with actual or proposed litigation, or to protect and defend our property, people and other rights or interests. |
|
| Recipients in relations to corporate transactions. We may share your personal information in connection with a corporate transaction, such as a divestiture, merger, consolidation, assignments or asset sale, or in the unlikely event of bankruptcy. In the case of any acquisition, we will inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Statement. |
|
You have certain rights and choices with respect to your personal information, as described below:
- If you have an account with one of the Expedia Group brands, you can update the accuracy of your information or change your communication preferences by either logging in and updating the information in your account (not available for all Expedia Group companies) or contacting us through the customer service portal of the relevant brand.
- You can control our use of certain cookies by following the guidance in our Cookie Statement.
- If you no longer wish to receive marketing and promotional emails from one of the Expedia Group brands, you may unsubscribe by clicking the ‘unsubscribe’ link in the email. You can also log into your account to change communication settings (not available for all Expedia Group companies or via this Expedia Group Legal Center) or contacting us through the customer service portal of the relevant brand. Please note that if you choose to unsubscribe from or opt out of marketing emails, The Expedia Group brand(s) may still send you important transactional and account-related messages from which you will not be able to unsubscribe
- For Expedia Group mobile apps, you can view and manage notifications and preferences in the settings menus of the app and of your operating system
- If we are processing your personal information on the basis of consent, you may withdraw that consent at any time by contacting us. Withdrawing your consent will not affect the lawfulness of any processing that occurred before you withdrew consent and it will not affect our processing of your personal information that is conducted in reliance on a legal basis other than consent.
Certain countries and regions provide their residents with additional rights relating to personal information. These additional rights vary by country and region and may include the ability to:
- Request a copy of your personal information
- Request information about the purpose of the processing activities
- Delete your personal information
- Object to our use or disclosure of your personal information
- Restrict the processing of your personal information
- Opt-out of the sale of your personal information
- Port your personal information
- Request information about the logic involved in our automated decision-making, the result of such decisions
- Object to the use of fully automated decision making, including profiling, with significant legal effect, and request a manual decision-making process instead
- Contest a decision based solely on automated processing
For more information on what data subject rights may be available to you, please click here.
For questions about privacy, your rights and choices, and in order for you, or (where applicable) your authorized agent to make a request to amend or update your information, or to inquire about deletion of your information, please contact us.
In addition to the above rights, you may have the right to complain to a data protection authority about our collection and use of your personal information. However, we encourage you to contact us first so we can do our best to resolve your concern. You may submit your request to us using the information in the Contact Us section below.
We respond to all requests we receive from individuals wanting to exercise their personal data protection rights in accordance with applicable data protection laws. Should you have the right to appeal a decision to not take action on a request under applicable law, instructions on how to make that appeal will be included in our response to you.
INTERNATIONAL DATA TRANSFER
The personal information that we process may be accessed from, processed, or transferred to countries other than the country in which you reside. Those countries may have data protection laws that are different from the laws of your country. Such cross-border transfer of your personal information is necessary for us to service your transaction with us, and for the purposes outlined in this Privacy Statement.
The servers for our platform are located in the United States, and the Expedia Group companies and third-party service providers operate in many countries around the world. When we collect your personal information, we may process it in any of those countries. Our employees may access your personal information from various countries around the world. The transferees of your personal data may also be located in countries other than the country in which you reside.
We have taken appropriate steps and put safeguards in place to help ensure that any access, processing, and/or transfer of your personal information remains protected in accordance with this Privacy Statement and in compliance with applicable data protection law. Such measures provide your personal information with a standard of protection that is at least comparable to that under the equivalent local law in your country, no matter where your data is accessed from, processed and/or transferred to.
We will comply with obligations regarding personal information cross-border transfer in accordance with applicable data protection laws, regulations, and conditions set by the competent authorities. This may include fulfilling obligations such as security assessments and/or certifications and signing agreements with overseas recipients in accordance with the standard contract established by the competent authorities.
Some measures that we have in place include the following:
- Adequacy decisions of the European Commission confirming an adequate level of data protection in respective non-EEA countries. Please see the latest list of such countries published by the European Commission here.
- Transferee countries’ participation in the APEC-CBPR forum. Please see the latest list of participant countries here. Expedia Group holds the APEC-CBPR certification, and we have accordingly established measures across all Expedia Group companies to ensure that data is shared only in accordance with the CBPR requirements. Further detail on Expedia Group’s participation in such forum may be found in the “APEC Cross Border Privacy Rules System Participation” section below.
- Ensuring that the third-party partners, vendors and service providers to whom data transfers are made have appropriate mechanisms in place to protect your personal information. For instance, our agreements signed with our third-party partners, vendors and service providers incorporate strict data transfer terms (including, where applicable, the European Commission's Standard Contractual Clauses issued by the European Commission and/or United Kingdom, for transfers from the EEA/UK), and require all contracting parties to protect the personal information they process in accordance with applicable data protection law. Our agreements with our third-party partners, vendors and service providers may also include, where applicable, their certification under the EU-U.S. DPF and the UK extension to EU-U.S. DPF and/or Swiss-U.S. DPF certification (and any other country specific extension to the DPF adopted from time to time), or reliance on the service provider's Binding Corporate Rules, as defined by the European Commission. In regard to the onward principle of the DPF Frameworks, if Expedia, Inc. learns that a third party is using or disclosing your Personal Information in a manner that is contrary to this Policy, we will take reasonable steps to prevent or stop such use or disclosure. Expedia, Inc. may be liable for onward transfers of Personal Information to third parties in violation of this Policy and the DPF Frameworks.
- Intra-group agreements in place for our Group companies which incorporate strict data transfer terms (including, where applicable, Standard Contractual Clauses issued by the European Commission and/or United Kingdom, for transfers from the EEA/UK) and require all group companies to protect the personal information they process in accordance with applicable data protection law.
- Carrying out periodic risk assessments and implement various technological and organization measures to ensure compliance with relevant laws on data transfer.
Data Privacy Framework
All wholly owned U.S. affiliates of Expedia, Inc. (part of the Expedia Group of brands) have certified to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (“the DPF Frameworks”) and that we adhere to the DPF Framework Principles of Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability for personal information from the EU, Switzerland, and the United Kingdom. The Federal Trade Commission has jurisdiction over such Expedia Group U.S. affiliates’ compliance with the DPF Frameworks. In addition, Expedia Group maintains intra-group Standard Contractual Clauses where applicable to cover the transfer of EU personal information to the U.S. Our certifications can be found here. For more information about the DPF Frameworks principles, please visit: https://www.dataprivacyframework.gov.
In compliance with the DPF Frameworks, Expedia, Inc. U.S. affiliates (part of the Expedia Group of brands) commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the DPF Frameworks. Under certain circumstances, you may have the possibility to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. Please visit this link for more information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.
Expedia, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPF Frameworks should first contact us via our Contact Us below.
APEC Cross Border Privacy Rules System Participation
The privacy practices of Expedia, described in this Privacy Statement, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC framework can be found here.
SECURITY
We want you to feel confident about using our platform and all associated tools and services, and we are committed to taking appropriate steps to protect the information we collect. While no company can guarantee absolute security, we do take reasonable steps to implement appropriate physical, technical, and organizational measures to protect the personal information that we collect and process.
Our cybersecurity team develops and deploys technical security controls and measures to ensure responsible data collection, storage, and sharing that is proportionate to the data’s level of confidentiality or sensitivity. We take efforts to continuously implement and update security measures to protect your information from unauthorized access, loss, destruction, or alteration. We hold our data-handling partners to equally high standards.
We have established an information security protection system based on industry best practices and perform regular assessment and certifications. We have also implemented appropriate security measures throughout the entire lifecycle of data collection, storage, processing, use, transmission, and sharing, and have taken certain technical and management measures including but not limited to verification and access controls, VPN, SSL encrypted transmission, and multi factor authentication mechanisms, based on our information classification and processing standards, to ensure the security of systems and services.
We have management and approval mechanisms for employees who may have access to your information and provide regular information security training for employees.
In the event of a personal data security incident that may affect your rights and interests, you will be notified in accordance with applicable data protection laws and regulations. We will also report the relevant incident to the competent regulatory authorities, if required by applicable laws and regulations.
MINORS
Our website is not directed at minors (as defined in applicable data protection laws) and we cannot distinguish the age of persons who access and use it. If a minor has provided us with personal information without parental or guardian consent, the parent or guardian should contact us through the relevant Expedia Group brand.
If you have any questions or concerns regarding our protection of minors’ personal information, or if you (in your capacity as the parent or guardian of the minor) wish to delete or correct the personal information of minors, please contact the relevant Expedia Group brand.
RECORD RETENTION
We will retain your personal information in accordance with all applicable laws, for as long as it may be relevant to fulfill the purposes set forth in this Privacy Statement, unless a longer retention period is required or permitted by law. We will deidentify, aggregate, or otherwise anonymize your personal information if we intend to use it for analytical purposes or trend analysis over longer periods of time.
When we delete your personal information, we use industry standard methods to ensure that any recovery or retrieval of your information is impossible. We may keep residual copies of your personal information in backup systems to protect our systems from malicious loss. This personal information is inaccessible unless restored, and all unnecessary information will be deleted upon restoration.
The criteria we use to determine our retention periods include:
- Whether we have a legal obligation related to your personal information
- Whether there are any current and relevant legal obligations affecting how long we will keep your personal information, including contractual obligations, litigation holds, statutes of limitations, and regulatory investigations
- Whether your information is needed for secure backups of our systems
CHANGES TO THIS PRIVACY STATEMENT
We may update this Privacy Statement in response to changing laws or technical or business developments. If we propose to make any material changes, we will notify you by means of notice on this page. You can see when this Privacy Statement was last updated by checking the “last updated” date displayed at the top of this Statement.
For more information on prior updates please Contact Us as mentioned below.
CONTACT US
For more information on how Expedia Group processes your personal information, please visit the applicable Expedia Group company’s website and view the privacy statement.
If you have questions about this Privacy Statement, please contact us using our using our customer service.