Privacy policy
Updated November 27, 2024
Protecting your privacy
This Privacy Policy explains how American Airlines, Inc. ("we," "us," "our," "American") collects, uses, shares, and protects information both in connection with American’s online and offline services, systems, websites, and apps that refer or link to this Privacy Policy (our "Services"), and as explained below, including without limitation, the collection and processing of personal information in connection with bookings and travel on American Airlines or flights operated by our regional carriers (for example, Envoy Air, Piedmont Airlines and PSA Airlines), as well as loyalty data collected and processed in connection with the AAdvantage® program. This Privacy Policy applies regardless of the way you interact with our Services or the type of device or other means you use to access our Services.
Generally, the “Services” covered by this Privacy Policy fall into one of three categories:
- Services related to your reservations and travel, for bookings that include travel on American or that are made through an American owned and operated service (“Travel Services”)
- Services related to memberships or programs that you enroll in or purchase benefits from, such as the AAdvantage® or AAdvantage Business™ loyalty programs, Admirals Club® memberships, or use of Buy, Gift, Transfer to purchase AAdvantage® miles (“Program Services”)
- Services operated by American to enable you to interact with American, including the websites, mobile apps, and telephone and text messaging systems that enable you to access American’s Travel Services or Program Services (“Interactive Services”)
Some services or programs offered by American (such as SimplyMiles® or AAdvantage eShopping®) may have additional privacy disclosures to help you understand the collection and use of your personal information under the terms of use of those programs. You will be provided notice of these additional privacy disclosures on the website or mobile app where you register for or use these services. Such disclosures should be read in addition to this Privacy Policy.
American reserves the right to change this Privacy Policy at any time by posting the updated Policy here along with the date on which the Policy was changed. If we make material changes to this Privacy Policy that affect the way we collect, use and/or share your personal information, we will notify you by including a "NEWLY UPDATED" label with the "PRIVACY POLICY" link on aa.com for 30 days after material changes are made. This Privacy Policy is not a contract and does not create any contractual rights or obligations.
When we use the term ‘personal information,’ we are referring to information that identifies, relates to, describes, or can be associated with you, including the categories and specific types of information described in this Privacy Policy.
We collect and maintain personal information about you from many sources to understand and meet your needs, facilitate your travel, manage our business, and for other purposes disclosed to you. For example, we collect or receive personal information about you from:
- You, when you voluntarily provide us with information, either directly or through third parties such as survey companies or social media networks
- Entities involved in processing or fulfilling your transactions with us, such as payment processors, payment card issuers and networks, fraud detection and prevention services, and in-flight Wi-Fi providers
- Our travel and loyalty business partners that you interact with as an American customer or loyalty member, such as travel agents, other airlines (e.g., codeshare and alliance partners) and travel and hospitality service providers (e.g., transportation or tour operators)
- Other third party sources, such as law enforcement agencies, based on their purposes for sharing personal information with us
If the information is to be collected directly from you, you may in some cases have the option to decline providing American that information. However, your choice to not provide information may impact your use of certain features or services. For example, if you decline to provide information required by law for us to transport you, you will not be able to board or travel on our aircraft.
Travel Services
The personal information we collect about you when you search for, purchase, use, or manage your use of our Travel Services may include:
- General information about you, including name, title, gender, date of birth, AAdvantage® account number, driver's license number, passport number, nationality, and country of residence
- Contact information, including addresses and telephone numbers, email addresses, fax numbers, pager numbers, and social media handles
- Booking and itinerary information:
- American creates a record for each booking that involves travel on American Airlines, even if the ticket is sold under another airline’s booking code, including whether you booked your flight on aa.com or through another sales channel (such as a travel agency)
- American will also collect information about changes to your booking, including a cancellation or failure to complete your travel, upgrades, your baggage requirements, airport disruption, and lost baggage
- If you book travel for someone else, American may collect your billing information but may communicate with the passenger directly about their flight
- Other information required to facilitate Travel Services, such as requests for assistance, dietary restrictions, interactions with staff and cabin crew, travel companion name(s), emergency contacts, photographs, information about your prior flights, and travel-related issues
- Payment information, including credit or debit card number(s), associated billing address(es), and expiration date(s)
- Health information, some examples of which include:
- You have sought clearance from us to fly with a medical condition or device
- You have otherwise chosen to provide such information to us or it has been passed onto us by a third party, such as the travel agent through which you made your booking or other entity, including information about whether you have symptoms of a communicable disease or virus (such as COVID-19), an appropriate vaccination, or a negative test result
- Health information related to a medical emergency that occurs while traveling
- Biometric information, such as a scan of your face, fingerprint, or other biometric identifiers, as disclosed to you when you participate in a biometric authentication program
- Digital identity credentials, including credentials linked to vaccination status or negative test results that you provide for specific purposes, such as compliance with customs and immigration requirements during international travel or services in which you choose to participate
- Business information, including corporate-contract, employer name, corporate affiliation, and AAdvantage Business™ account information when you use our Travel Services in connection with your employment or that are funded by your employer
Program Services
The personal information we collect about you when you enroll in, use, or manage your use of our Program Services may include:
- Information you provide while enrolling or that you add and save to your membership account, including name, title, gender, date of birth, AAdvantage® account number, passport number, nationality, country of residence, booking or travel preferences, and contact information
- Payment information, including credit or debit card number(s), associated billing address(es), and expiration date(s)
- Information about your transactions and interactions with American, such as the number of miles and Loyalty Points earned for using our Travel Services, or the number of times you have used your Admirals Club® membership to access our clubs and lounges
- Information about your transactions with our loyalty or business partners, such as another airline, hotel, or car rental company that you have provided your AAdvantage® account number for purposes of earning or redeeming miles or receiving loyalty benefits
- Business information, including corporate-contract, employer name, corporate affiliation, and AAdvantage Business™ account information when you join a corporate Program Service such as AAdvantage Business™
Interactive Services
The personal information we collect about you during your use of our Interactive Services may include:
- The information described above in “Travel Services” or “Program Services” when you use our Interactive Services to provide us this information
- Technical information, including browser type, IP address, type of operating system, geolocation, the name of your internet service provider, mobile advertising identifiers, and pages visited on our websites or other digital properties (as further described in the section titled “Automatically collected information (including cookies and geolocation)”)
- The content of correspondence you send to us, including information provided via survey, focus group or other marketing research efforts, the content of emails or online customer service requests you send to us, the content of chat, text message, social media, or other communications with us, recordings of calls to our automated or live representative phone services, and our responses to you
To the extent that the personal information we collect constitutes sensitive personal information under applicable law, American will collect and process this sensitive personal information within the limits provided by applicable law. Where required by law, and where no other lawful bases exist for processing such data (such as to fulfill laws promoting a substantial public interest), American will seek your specific consent before processing sensitive personal information.
You may submit a request for services (such as a meal preference, or a request for wheelchair assistance) which is not sensitive personal information. American does not consider such data to reliably imply or suggest sensitive personal information.
In some instances, mobile devices or online services may offer you the choice of biometric identification such as fingerprint or facial recognition for enhanced security and convenience. Where possible, these security measures rely on your personal device’s own internal biometric management and secure storage, in which case American does not have access to any biometric information. You may contact your device’s biometric management creator (such as Apple or Google) for more information about their biometric security technology.
You may be offered opportunities to participate in programs that collect biometric information, which are offered to you in connection with your travel, but are not operated by American Airlines. For example, you may be offered the opportunity to participate in U.S. Customs and Border Protection’s Biometric Exit program. When you choose to participate in these programs, your biometric information is not collected or stored by American, and we do not have access to or control of your biometric information. For information about these programs, please contact the agency or entity that operates the program.
Data collected from other customers
When you provide information to us about your travel companions or other individuals (for example, when you make a booking that includes additional travelers), you confirm to us that you are acting on behalf of such individuals, and you have their permission to provide us their information for use in accordance with this Privacy Policy. If you do not have their permission, you must not provide us with any personal information about these individuals.
If your travel companions or other individuals have questions about how their personal information will be processed by American, please refer them to this Privacy Policy.
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel information, which may include personal information, about children when it is required to comply with the law, including federal aviation or security regulations, as otherwise required to provide transportation needs and services, or for safety or security reasons. We may retain personal information when required to provide transportation and related services to a child, or in connection with services purchased or enrolled by the parent or guardian on the child’s behalf (such as a parent or guardian’s enrollment of their child in the AAdvantage® program).
If you are not the parent or guardian of the child, or otherwise authorized by the child’s parent or guardian, you must not provide us with any personal information of the child.
If you are a parent or guardian of a child who has provided personal information without your knowledge and consent, you may request we remove this child’s information by emailing us at privacy@aa.com.
When you use our Interactive Services, we may receive technical information such as your browser type, the type of operating system you use, your geolocation, the name of your internet service provider, mobile advertising identifiers, and pages visited. American gets this information by using technologies, including cookies, web beacons, and mobile device geolocation to provide and improve our Interactive Services and advertising, including across browsers and devices (also known as cross-device linking). We also use this information to verify that visitors meet the criteria required to process their requests and for reporting activity on our Interactive Services. For example, we may want to know how long the average user spends on our Interactive Services or which pages or features get the most attention. This technical information may be combined with information that is personally identifiable in order to personalize our Interactive Services and advertising to your interests, including across browsers and devices. For example, if you spend time reviewing a particular flight or destination but do not complete a travel reservation, we may use this information to show you targeted advertising about similar flights or destinations on our Interactive Services or on third-party websites. Some of this information may be shared with third parties, as described in the section titled “Information collected by third parties on our Services.”
Additionally, and with your specific consent where required by law, American may combine the information we receive from you with information collected from other sources. This information may be used to provide offers and / or services specifically tailored to your interests in accordance with applicable laws.
Some of the content, advertising, and functionality on our Interactive Services may be provided by third parties, including third parties that are not affiliated with us. As noted above, these third parties may collect or receive technical information about your use of our Interactive Services, including through the use of Cookies, and this information may be collected over time and combined with information collected on different websites and online services. Also, some third parties collect information about users of our Interactive Services in order to provide interest-based advertising (on our Interactive Services and elsewhere, including across browsers and devices, also known as cross-device linking).
For example, we may use third parties to collect, and share with us, usage information about how you interact with our Interactive Services, including personal information that you provide, website or app visits and interactions, and user inputs such as mouse clicks or keystrokes.
Our Services
We use personal information to complete transactions and fulfill requests for our products and services. For example, we require you to provide personal information when making a reservation to purchase airline tickets or related products and services such as renting cars or booking hotel rooms through an American Airlines Reservations Agent, travel agent, the aa.com website or other travel-related website, or enrolling in the AAdvantage® and AAdvantage Business™ programs. We may also use personal information to verify your identity, including for security purposes.
In the event of a flight delay, cancellation, or other service disruption, we may use the contact information provided in your booking to notify you, and the individuals traveling on the same booking, about the disruption.
Fulfillment of contracts
When you enter into a contract for Travel Services or Program Services with American, we will use your personal information for purposes related to operation of the relevant program and the provision of services or benefits related to that contract. For example, when you join or participate in a Program Service such as the AAdvantage® program, your personal information is collected and used to process, confirm and fulfill transactions and provide benefits as specified in the AAdvantage® terms and conditions, and as otherwise necessary for American to exercise its rights under those terms and conditions. Similarly, when you book or reserve travel on one of our Travel Services, your personal information is collected, used, and processed in connection with the applicable conditions of carriage for your travel.
Use of our Interactive Services may be subject to contractual terms, such as the AA.com site usage terms. Information about contractual terms that apply to use of an Interactive Service, are made available through the Interactive Service.
Administrative, marketing, analytical purposes
In addition to processing, confirming, and fulfilling the Travel Services or Program Services you request or use, and operating the Interactive Services that you choose to use, American may use personal information for administrative, analytical, and marketing purposes such as employee training, information systems management, accounting, billing and audits, credit card processing and verification, customer-relations correspondence, and/or operation and improvement of our Services. American also uses personal information to identify, develop and market products and services that we believe our customers will value, including across browsers and devices, in accordance with applicable laws. Where we are required by applicable law, we will seek your consent prior to sending you communications for marketing purposes. More specifically, we may use your personal information for the following purposes:
Travel and program services
- Safety and operations: To ensure the safety of our flights and the efficient and lawful transport of passengers and baggage
- Personalized airport service: To provide personalized service, such as wheelchair assistance or access to our lounges; to check whether you have passed through airport security, whether you are on a connecting flight, and to contact you about boarding a flight, if you have not arrived at the gate; and to monitor where you are in the airport to assist you with flight connections and boarding our aircraft
- Loyalty and program benefits: To validate your eligibility for loyalty or program benefits, such as priority boarding or lounge access; to offer or provide priority assistance or elite benefits based on your membership status or loyalty tier level; and to monitor your loyalty or program activity and customer satisfaction level
Interactive services
- Business purposes and communication: To interact with you regarding our Travel Services or Program Services or to provide you information you requested, to communicate with you for business or customer service reasons (such as sending messages related to flight tracking or delays), or for other such reasons such as changes to our policies or in response to your inquiry
- Tailored web experience: To personalize your advertising experience when visiting our sites, and to manage details about your Travel Service purchases (such as your American travel bookings and reservations) and Program Service accounts (such as an AAdvantage®, AAdvantage Business™, or AirPass℠ account), including when security updates are available, or when an action is required to keep an account active
- Site maintenance: To improve content, functionality, and usability of our websites and digital properties and to offer opportunities to participate in surveys and provide feedback to us
All services
- Financials transaction management: To facilitate payment for services or provide refunds
- Legal and regulatory obligations: To comply with legal, regulatory, or fiscal obligations, or in connection with litigation or an internal investigation or audit
- Improve and personalize our Services: To improve and personalize our Travel Services (such as route and service offerings as an airline operator, including reviewing our travel destinations, fare classes, and operations more generally), Program Services (such as loyalty program offerings, reward redemption rates, and benefits), and Interactive Services (such as website and mobile app use and reliability), as well as compiling statistics on international air traffic, loyalty activity, and revenue generation, and statistics to improve and personalize products and services
- Marketing and analytics: To perform data analyses and other processing for marketing purposes, including to determine what services, applications, events, sweepstakes and special campaigns to offer, and to make specific offers to you
- Security management: To secure American’s premises, assets, and information, and to test and evaluate the effectiveness of American’s security
- Third party requests: To respond to and comply with outside requests initiated by you, as well as in response to legal requests
- Audit and controls: To evaluate internal controls and audits for compliance (including those conducted by American’s internal and external audit service providers)
Video and audio recording
There are Closed Circuit Television (CCTV) cameras in operation within and around our stations and other premises, our reservations and customer service telephone systems may record calls in accordance with applicable legal requirements, and we also keep logs or records of customer interactions on our digital Interactive Services. Such devices may be used for purposes that include:
- to prevent and detect criminal, malicious, or fraudulent activity;
- to protect the health and safety of American’s customers and employees;
- to manage and protect American’s property and the property of American’s guests and other visitors; and
- for quality assurance purposes
Where required by law, you will be provided notice at the time of any such recording.
We take reasonable measures to protect the personal information you provide to us.
American uses reasonable technical, administrative, and physical measures to protect your personal information from loss, interference, misuse, unauthorized access, disclosure, alteration or destruction, both during transmission and once we receive it. We also maintain reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete and current. When your personal information is shared, American will take a reasonable approach to prevent the unauthorized use of personal information.
Please note, however, that while American attempts to safeguard your personal information, no method of transmitting or storing electronic information is ever completely secure, and thus we make no warranty, express, implied, or otherwise, that your information will never be accessed, used or released in a manner that is inconsistent with this Privacy Policy.
Here are some things you can do to keep your information secure.
Keep your confirmation code confidential:
When you make a booking, you will be given a 6-character confirmation code, also known as a Passenger Name Record (PNR). This will appear on the email confirmation or ticket of each person in your booking. You should keep your record locator confidential, as giving it to others may allow them to access your booking details through our systems. If you are traveling with others and do not want them to have access to your booking details, you should have each person make their own bookings.
Keep your AAdvantage® account number and login information confidential:
To make sure your access to our Services is secure; you should not share your log in details with anyone else. You should always log out of the Services after each use if others have access to your computer or device, especially if you are using a publicly accessible computer such as at a library or internet café. You should follow best practices for online security, such as using a different password for our Services than you do with other websites or services. American is not responsible if someone gains access to your accounts by obtaining your password.
Your personal information will be retained only for so long as reasonably necessary for the purposes set out above and consistent with our retention policies, considering criteria such as applicable rules on statute of limitations, legal requirements and the duration of your use of our website and receipt of our Services. This retention will be at least for the duration of your customer relationship with us, and a longer period as necessary for legal defense purposes or as required by tax, aviation, and other applicable laws and regulations.
We generally retain personal information related to your use of our Travel Services or Program Services for up to seven years after you complete your travel or terminate your membership with us. This includes information obtained from your use of our Interactive Services (for example, when you book, manage, or cancel travel through our websites or mobile apps).
To the extent it is required to do so by law, American will permanently destroy any biometric data or identifiers in our possession once the initial purpose for collecting or obtaining them has been satisfied, or within three years of your last interaction with American, whichever comes first. This applies to any biometric identifiers or information received by American from any source, even if that source does not refer or link to this Privacy Policy.
General
We may disclose or share information about you to provide the products and services you request or use, or for administrative, analytical, and marketing purposes, including to:
- third parties to distribute promotions, sweepstakes, marketing surveys and messages, focus groups, interviews and other opportunities offered by American;
- third parties who have arranged for discounts, and pre-paid travel or other services on your behalf, such as your employer if your employer purchased your ticket, or a travel agent if you book through a travel agency;
- American's group companies (including any entity that directly or indirectly controls, or is controlled by, or is under common control with, American), for uses in accordance with this Privacy Policy;
- other airlines and codeshare partners in order to fulfill your booking requests relating to your flights, or in order to offer or provide alliance or partner benefits such as airport lounge access, elite status benefits, or the ability to earn and redeem miles with our partner airlines (you may have an independent relationship with the partner airline, and the partner airline is separately responsible for how they obtain and process your personal information);
- hotels, car rental companies, or other travel industry partners in order to fulfill your booking requests relating to vacation packages or other travel services booked using our Services;
- our co-branded credit card partners, in connection with the operation or marketing of AAdvantage® program related offerings, such as a co-branded credit or debit card that is linked to your AAdvantage® account;
- third parties such as government and law enforcement agencies when required by law (as further described in the section titled “Legal requirements”);
- third-party vendors that assist American with respect to providing our Services and managing our AAdvantage® program enrollments and AAdvantage® travel and co-brand partnerships, such as vendors in the areas of technology, payment processing, sales and marketing, or fraud detection and prevention; and
- another entity in the event of a bankruptcy, or as part of the due diligence or business integration process, in the event we undergo a business transition involving another company, such as a merger, corporate reorganization, acquisition, or lease or sale of all or a portion of our assets
If you book travel using your employer's corporate account, or participate in a corporate travel program such as AAdvantage Business™, your employer will have access to certain details related to your corporate travel, including the ticket price, travel dates, and your flight information. Your employer is independently responsible for how it collects and uses your personal information and informs you about it.
In addition, we may share information with certain third party companies with which we have a business relationship, including AAdvantage® and AAdvantage Business™ participants. These companies may send you marketing based on the information you have provided us. Where we are required by applicable law, we will seek your consent prior to sharing your personal information with such third parties for marketing purposes. Also, as described in the section titled “Opting out of marketing communications and sharing your information with third parties”, you can opt out of having your information shared with third parties for those parties' direct marketing purposes by emailing us at privacy@aa.com.
If your booking includes emergency contact information, we may share personal information with your emergency contact or attempt to collect information about you from your emergency contact, as appropriate based on the nature of the emergency.
Legal requirements
Please note that the laws and regulations of several countries, including without limitation, the requirements imposed under the Transportation Security Administration Secure Flight program, require to provide foreign and domestic government agencies with access to the personal information you disclose to us and data that we have about you and your travel plans, history, or status, including both before and after a flight arrives. For example, American and other airlines comply with legal obligations in the United States (U.S.), United Kingdom (UK), member states of the European Union, Uruguay, Brazil (BR), and other countries to provide border control agencies and customs authorities with access to booking and travel data when you fly to and from such countries, including stopover or layover destinations or countries that you may overfly en route to your destination. American does not have control or knowledge of the storage and use of that data after it has been delivered to the respective government entity.
Further, to the extent required by law, we may disclose personal information to government or law enforcement agencies, such as customs and immigration authorities, or to third parties pursuant to a subpoena or other legal process, and we may also use or disclose your information to law firms and courts, as permitted by law or to enforce or apply a contract with you.
We may also disclose your personal information to protect the rights or property of American and providers and users of our Services, including our employees and customers. For example, we may disclose personal data to law enforcement or first responders in connection with a medical emergency or incident, or to public health authorities for purposes of combating infectious disease.
We'd also like to remind you that we provide additional links to resources we think you'll find useful. These links will lead you to sites that are not affiliated with American and may operate under different privacy practices. Our visitors are responsible for reviewing the privacy policies for such other websites, as we have no control over information that is submitted to these companies.
We provide you with options to stop receiving marketing messages from us. Regardless of your opt-out preferences, we reserve the right to send you certain communications for transaction fulfillment, notifications of changes to our Services, and other operational purposes.
If you’re an AAdvantage® member and you want to opt out of receiving marketing emails, log in to your AAdvantage® profile and update your preferences, or contact AAdvantage® Customer Service. Please note, you’ll continue to receive AAdvantage® program updates and email products for which you’ve subscribed. If you’re an AAdvantage Business™ member and you want to opt out of marketing emails, log in to the AAdvantage Business™ website and update your preferences.
- Log in to your AAdvantage® profile and manage your email preferences
- Contact AAdvantage® Customer Service
- Update your AAdvantage Business™ preferences Opens another site in a new window that may not meet accessibility guidelines.
If you’re not an AAdvantage® program member or you want to opt out of marketing emails, you can click the opt-out or unsubscribe link in the marketing email you receive to manage your marketing preferences. You can also send an email from the email address you wish to unsubscribe with the word “unsubscribe” in the subject line to privacy@aa.com. When you do this, we will unsubscribe all users with the same email address, even if they are registered AAdvantage® members or AAdvantage Business™ members with registered preferences.
We may send you marketing offers through other channels. For example, we may offer you the opportunity to receive push notifications of special offers through our mobile app. Where required by law or by mobile app store rules, we will obtain your consent prior to sending you such marketing. You can manage push notifications in our mobile app or in your device notification settings.
If you have any other questions about opting out of marketing communications, or managing your marketing preferences, please email privacy@aa.com with your request.
If you want American to stop sharing your personal information with third parties for those parties' direct marketing purposes, please opt out of third-party data sharing.
Opt out of third-party data sharing
If you are an AAdvantage® member and you want to opt out of data sharing, please log in to your AAdvantage® profile and update your data sharing preferences, or contact AAdvantage® Customer Service.
Log in to your AAdvantage® profile and manage your email preferences
Regardless of your opt-out preferences, we reserve the right to share your information with third parties for administrative, transactional, and analytical purposes. For example, we may share your personal information with companies or programs of American partners (such as other airlines, hotels, rental car companies, co-brand credit card partners, and other AAdvantage® program participating companies) when you request to earn or redeem AAdvantage® miles for their services. These other companies have their own business relationships with you, and may require different steps to change your preferences for participation. Please consult the privacy policies of the relevant companies or programs for further information.
When you use our Interactive Services, you may receive Cookies from us and the third parties that collect information on our Interactive Services. Please see the “Cookies and online advertising” section above for additional details, including information about how to manage Cookies on your browsers or devices.
Where required by local law, you may have the right to access, request a copy of, update, transfer or port, restrict the processing of, or request that we delete your personal information. You may also have the right to object to our processing of your personal information. To exercise these rights please email us at privacy@aa.com. When we receive a request to exercise one of these rights, we will indicate what personal information we require from you to validate your identity. We will also provide information on the action we intend to take on the request without undue delay and no later than 30 days from receipt of the request, or within a shorter period of time where required by local law. This time may be extended by an additional two months in certain circumstances, for example, where requests are complex or onerous. Please note, these requests are subject to applicable legal, ethical reporting, or document retention obligations imposed on us.
When you provide us with your information, you acknowledge that this information may be stored, transferred, and processed on servers located anywhere in the World, including either inside or outside of the U.S., the European Union, the U.K., Switzerland, Uruguay, or Brazil.
This section of the Privacy Policy applies only if you use our website or Services covered by this Privacy Policy in Brazil, and supplements the information in this Privacy Policy.
Controller of personal data
To the extent that American Airlines, Inc. is subject to the laws of Brazil when processing personal data (“Personal Data”), it shall be the “data controller” under such laws.
Sensitive personal data
According to the Brazilian General Data Protection Law (the “LGPD”), data that concerns racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person, will be deemed as sensitive personal data. American only collects and uses sensitive personal data for purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections of this Privacy Policy and will adopt strict security measures when processing sensitive personal data.
Personal information of children
Due to the nature of our Services, we may collect Personal Data of children under the age of 12. Please see the “Minors” section above for more information.
Lawful basis for data processing
American processes Personal Data for the purposes set out in this Privacy Policy, as described above. Our lawful basis to process Personal Data includes processing that is:
- necessary for the performance of the contract between you and American (for example, to facilitate your travel on American under our conditions of carriage, to manage your membership in our loyalty programs, to provide you with other Services that you request or use, or for resolving billing or customer service inquiries related to your use of our Services);
- necessary to comply with legal or regulatory requirements (for example, to comply with applicable tax and consumer rules, to comply with National Civil Aviation Agency (“ANAC”) and/or with any other administrative body rules etc.);
- necessary for our legitimate interests to:
- manage our relationship with you, including to provide you with relevant information about your booked flight and travel destination;
- improve the website and our Interactive Services, including by performing statistical studies or implementing analytics solutions (e.g., analytics cookies);
- provide marketing communications to you, some of which are personalized based on your interests. Depending on the nature of your relationship with American (i.e., whether you are an existing or prospective customer) the purpose of the communications we send you and the applicable direct marketing rules, where prior consent is not required. You have the right to object to the use of your Personal Data for direct marketing purposes at any time (see section “Data Subject Rights” below);
- ensure safety and operational management, including to ensure the safety of our flights and the efficient and lawful transport of passengers and baggage into or within the United States (to the extent not already mandated by legal requirements);
- provide disabled persons and persons with reduced mobility opportunity for air travel comparable to those of other persons
- manage our disputes, detect and prevent cases of fraud or comply with our contractual and legal obligations.
- to protect the vital interests of you or another person (for example, if we collect and process medical information in the event of a medical emergency and you are incapable of giving your consent);
- where legally required and we have no other valid legal basis to process Personal Data, we will use consent by our customers (for example, to provide you with marketing information or share information with third parties), which may subsequently be withdrawn at any time (by emailing privacy@aa.com) without affecting the lawfulness of processing based on consent before its withdrawal.
International transfers of personal data
American is a global company, which owns entities in the United States. These entities include Envoy Air, Piedmont Airlines, and PSA Airlines. In order to achieve the purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections above, we may transfer your Personal Data to our global entities or other third parties outside of Brazil.
We will adopt all necessary measures to ensure the overseas recipients can provide the same level of protection as required under applicable Brazilian laws and also use lawful cross-border transfer mechanisms, whenever required by such laws, to transfer your Personal Data overseas.
Data subject rights
Whenever Brazilian law is applicable to the processing of your Personal Data, you have the right to request from American:
- the confirmation of the existence of the processing;
- access to the processed data;
- correction of incomplete, inaccurate or out-of-date data;
- anonymization, blocking or deletion of unnecessary or excessive data or data processed in breach of the provisions of the Brazilian Data Protection Law (LGPD);
- portability of the data to another service provider or product provider, by the means of an express request, pursuant with the regulations of the national authority (ANPD), and subject to commercial and industrial secrets;
- deletion of personal data processed with your consent;
- information about public and private entities with which American has shared data;
- information about the possibility of denying consent and the consequences of such denial; revocation of consent;
- opposition to the processing carried out based on one of the situations of waiver of consent, if there is a breach of the provisions of the LGPD; and
- revision of decisions made solely based on automated processing of personal data affecting your interests, including decisions intended to define your personal, professional, consumer and credit profile, or aspects of your personality.
When we receive a request to exercise one of these rights, we will indicate what Personal Data we require from you to validate your identity. We will also provide information on the action we intend to take on the request.
To exercise these rights please email us at privacy@aa.com and we will respond to your request as within the timeframe provided by the applicable laws and regulations.
You may always contact our Data Protection Officer, Russell Hubbard, at privacy@aa.com. If you consider that our processing of your Personal Data infringes applicable law, you may submit a complaint to the Brazilian Data Protection Authority (ANPD).
This section of the Privacy Policy applies only if you use our website or Services covered by this Privacy Policy in China, and supplements the information in this Privacy Policy.
Sensitive personal information
Credit or debit card payment information, biometric information, and medical information that we collect from you may be considered sensitive personal information under applicable Chinese laws. American only collects and uses sensitive personal information for purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections of this Privacy Policy and will adopt strict security measures when processing sensitive personal information.
Personal information of children
Due to the nature of our Services, we may collect personal information of children under the age of 14. Please see the “Minors” section above for more information.
Sharing of your personal information with third parties
Please see the “With whom your information will be shared” section above for details about how your personal information may be shared with third parties. American will strictly follow the requirements of applicable Chinese laws when sharing your personal information with third parties.
If it is necessary for American to transfer personal information in case of a merger, division, dissolution, declaration of bankruptcy, or other reasons, American will provide notice of the name and contact information of the recipient. The recipient shall comply with this Privacy Policy when processing such personal information.
Cross-border transfer of your personal information
American is a global company, which owns entities in the United States. These entities include Envoy Air, Piedmont Airlines, and PSA Airlines. In order to achieve the purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections above, we may transfer your personal information to our global entities or other third parties outside of China.
We will use lawful cross-border transfer mechanisms to transfer your personal information overseas and adopt necessary measures to ensure the overseas recipients can provide the same level of protection as required under applicable Chinese laws.
Data subject rights
You have the right to access, correct or supplement, restrict or object to processing, and withdraw your consent with respect to your personal information that American collects and processes. You also have the following rights subject to restrictions provided by applicable Chinese laws:
- Under the following circumstances, if American has not deleted your personal information, you have the right to request to delete your personal information:
- The purpose of processing has been achieved, is impossible to be achieved, or it is no longer necessary to achieve the purpose of processing;
- American ceases the provision of products or services to you or the retention period for the personal information ends;
- You have withdrawn your consent; or
- American processes your personal information in violation of applicable Chinese laws or an agreement with you.
- You may also have the right to request that we provide you with means to transfer your personal information to a specific entity designated by you, to the extent that your request is allowed under applicable Chinese laws.
To exercise your rights, please submit your request as described above.
This section of the Privacy Policy applies only if you use our website or Services covered by this Privacy Policy in Colombia, and supplements the information in this Privacy Policy.
Claims process
American has mechanisms so that you can submit claims regarding your personal data. If American identifies that the claim or additional documentation is incomplete, American may require the claimant to remedy the faults or provide additional information. If the claimant does not submit the documentation and information required within two (2) months following the date of the initial claim, the claimant shall be deemed to have waived the claim.
Sensitive personal information
American may need to collect and process sensitive personal information (e.g., health related data, biometric information) to provide its services in compliance with National laws and sectoral regulations, and consent to this effect is optional.
Additional data subject rights
You have the right to file complaints before the Colombian data protection authority, the Superintendencia de Industria y Comercio, and to withdraw consent save when there is a legal or contractual obligation for the personal data to remain in the respective database.
Controller of personal information
To the extent that American Airlines, Inc. is subject to the laws of Ecuador when processing personal data (“Personal Data”), it shall be the “data controller” under such laws.
The information of the data controller, and the Data Protection Officer of the data controller, is the following:
American Airlines
c/o Data Protection Officer
1 Skyview Drive, MD 8B503
Fort Worth, TX 76155 USA
Lawfulness of processing
We can process your personal data when:
- you have given consent to the processing of your personal data for one or more specific purposes;
- it is necessary for the performance of a contract to which you are party, or in order to take steps at the request of you prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which we are subject; or
- the processing is necessary for the legitimate interests pursued by American Airlines or a third party, except when such interests are overridden by interests or fundamental rights and freedoms of our customers that require protection of personal data.
Claims to the data protection authority of Ecuador
You may address the Ecuadorian Data Protection Authority (Superintendencia de Protección de Datos) and submit a claim, especially in cases where you deem that we have not satisfied your individual rights regarding how we process your personal information.
Your rights
You may be entitled to exercise the right to:
- object to the processing of Personal Data (for instance, where the basis of our processing is our legitimate interests, see section above “Lawfulness of processing”), and we will stop processing your data. We will not resume processing unless we can establish compelling legitimate grounds that override your rights.
- request the restriction of processing of your Personal Data (for instance, this can be done if the Personal Data is not accurate and needs to be updated). This can also be done in relation to data where the purposes of processing no longer apply, but you still need the data and do not want us to erase it.
- request updating of your Personal Data (if you believe the information we have about you is not accurate or incomplete). You may ask us to update your Personal Data but we cannot modify it for previously flown bookings because that is the official record of the transaction. For bookings made by a travel agent or through another airline, you must contact that other agency or airline directly to update or manage your Personal Data in the booking.
- request access to your Personal Data (for instance, if you wish to receive a copy of your information, confirmation as to whether we are processing your information, and information as to how we use your information). You may request access to your Personal Data but that may not include information relating to others that you either did not provide to us or who have not consented to the disclosure of their information to you.
- request erasure of your Personal Data (for instance, if we have no legal basis to process the information and you have not given us your consent to do so, if the purposes of processing no longer apply, or if you have objected to the processing and we cannot establish compelling legitimate grounds to override your rights). Certain data may not be erased if we have a requirement to retain it for legal purposes, or if we have a contract with you as a member of AAdvantage® or AAdvantage Business™ (as we need to be able to perform contractual obligations owed to you). You may ask us to delete your Personal Data, but we cannot do so if you have a pending flight booked with us.
- request portability of your own Personal Data (the transfer of information you have provided to us, to another controller, in a structured, commonly used and machine-readable format), if such a request is technically possible to complete.
To exercise these rights please email us at privacy@aa.com.
When we receive a request to exercise one of these rights, we will indicate what Personal Data we require from you to validate your identity. We will also provide information on the action we intend to take on the request. We will respond as soon as possible and in accordance with applicable law.
You may always contact our Data Protection Officer, at privacy@aa.com. If you consider that our processing of your Personal Data infringes applicable law, you may submit a complaint with a supervisory authority.
This section of the Privacy Policy applies only if you use our Services from a country that is a Member State of the European Union, the United Kingdom, Switzerland, or Uruguay, and supplements the information in this Privacy Policy.
Controller of Personal Information
To the extent that American Airlines, Inc. is subject to the laws of the European Union, the United Kingdom, Switzerland, or Uruguay when processing personal data (“Personal Data”), it shall be the “data controller” under such laws.
If you have made a flight booking with us but one or more flights or services (including, for example, access to travel lounges operated by our partner airlines) are to be provided by other airline(s), then that other airline will also separately be considered a “data controller”. Your Personal Data will be processed in accordance with the applicable airline’s privacy policy and, if your booking is made via a reservation system provider (“GDS”), with its privacy policy. These are available at http://www.iatatravelcentre.com/privacy or from the airline or GDS directly. You should read this documentation, which applies to your booking and specifics (for example, how your personal data is collected, stored, used, disclosed and transferred).
Any travel services provider (such as a hotel or car rental company) or AAdvantage® participating partner (such as an AAdvantage® co-branded credit card issuer) will also separately be a “data controller”. For information on how those parties collect, use, and protect your information, you may obtain copies of their privacy policies by contacting them directly or visiting their websites.
Legal basis for data processing
We process Personal Data for the purposes set out in this Privacy Policy, as described above. For example, our legal basis to process Personal Data includes processing that is:
Legal basis | Use cases |
---|---|
Necessary for the performance of the contract between you and American |
|
Necessary to comply with legal requirements |
|
Necessary for our legitimate interests |
|
Protect the vital interests of you or another person |
|
Perform a task carried out in the public or substantial public interest |
|
Consent |
|
In some instances, you may be required to provide us with Personal Data for processing as described above, in order for us to be able to provide you all of our Services, and for you to use all the features of our website.
International transfers of personal data
The nature of American’s business means that the Personal Data collected through our Services will be transferred to the United States. Also, the American personnel and some of the third parties to whom we disclose Personal Data (as set out above) may be located in the United States and other countries outside of the European Union, the United Kingdom, Switzerland, or Uruguay, including in countries to which you fly and that may not provide the same level of data protection as your home country. We take appropriate steps to ensure that recipients of your Personal Data are bound to duties of confidentiality and we implement measures such as standard data protection contractual clauses to ensure that any transferred Personal Data remains protected and secure. More information and a copy of these clauses can be requested by emailing privacy@aa.com.
Your rights
As described above in the “Application of local laws” section, under data protection laws in the European Union, the United Kingdom, Switzerland, or Uruguay, you have certain rights related to your Personal Data.
You may be entitled to exercise the right to:
- object to the processing of Personal Data (for instance, where the basis of our processing is our legitimate interests, see section above “Legal Basis for Data Processing”), and we will stop processing your data. We will not resume processing unless we can establish compelling legitimate grounds that override your rights.
- request the restriction of processing of your Personal Data (for instance, this can be done if the Personal Data is not accurate and needs to be updated). This can also be done in relation to data where the purposes of processing no longer apply, but you still need the data and do not want us to erase it.
- request updating of your Personal Data (if you believe the information we have about you is not accurate or incomplete). You may ask us to update your Personal Data but we cannot modify it for previously flown bookings because that is the official record of the transaction. For bookings made by a travel agent or through another airline, you must contact that other agency or airline directly to update or manage your Personal Data in the booking.
- request access to your Personal Data (for instance, if you wish to receive a copy of your information, confirmation as to whether we are processing your information, and information as to how we use your information). You may request access to your Personal Data but that may not include information relating to others that you either did not provide to us or who have not consented to the disclosure of their information to you.
- request erasure of your Personal Data (for instance, if we have no legal basis to process the information and you have not given us your consent to do so, if the purposes of processing no longer apply, or if you have objected to the processing and we cannot establish compelling legitimate grounds to override your rights). Certain data may not be erased if we have a requirement to retain it for legal purposes, or if we have a contract with you as a member of AAdvantage® or AAdvantage Business™ (as we need to be able to perform contractual obligations owed to you). You may ask us to delete your Personal Data, but we cannot do so if you have a pending flight booked with us.
- request portability of your own Personal Data (the transfer of information you have provided to us, to another controller, in a structured, commonly used and machine-readable format), if such a request is technically possible to complete.
To exercise these rights please email us at privacy@aa.com.
When we receive a request to exercise one of these rights, we will indicate what Personal Data we require from you to validate your identity. We will also provide information on the action we intend to take on the request in accordance with applicable law.
We will respond to your request as soon as possible and no later than 30 days from receipt of the request. In certain circumstances this time may be extended by an additional two months, for example, where requests are complex or onerous. You may always contact our Data Protection Officer, at privacy@aa.com. If you consider that our processing of your Personal Data infringes applicable law, you may submit a complaint with a supervisory authority.
Exercise of the rights of information, access, rectification, cancellation and opposition of the data
As the owner of your personal data, you have the right to access your data held by American, know the characteristics of its treatment, rectify it if it is inaccurate or incomplete; request that they be deleted or canceled as they are considered unnecessary for the previously stated purposes or oppose their treatment for specific purposes. You may, at any time, revoke the expressly granted consent, as well as limit the use or disclosure of your personal data.
You may direct your request to exercise the aforementioned rights to the following address: privacy@aa.com.
When we receive a request to exercise any of these rights, you must submit the respective request in the terms established by the Regulation of Law No. 29733 (including: name of the owner of the personal data and address or other means to receive a response; documents that prove your identity or legal representation, if applicable; clear and precise description of the personal data with respect to which you seek to exercise your rights and other documents that facilitate the location of the data).
We will also provide information about the actions we intend to take on the request without undue delay and no later than 30 days after receiving the request. In some cases, this period could be extended for an additional two months, for example, when the requests are complex or onerous. Please note that these requests are subject to applicable law, ethical reporting standards, or document retention obligations imposed on us.
If you consider that you have not been assisted in the exercise of your rights, you can file a claim with the National Authority for the Protection of Personal Data, by contacting the Filing Desk of the Ministry of Justice and Human Rights. Calle Scipión Llona N° 350, Miraflores, Lima, Perú.
When you provide us with your information, you are agreeing that this information may be stored, transferred and processed on servers located in the United States of America.
Purpose of personal information processing
Your personal information will be processed for the purposes described in this Privacy Policy. Depending on what services you request or use, this may include the following purposes:
- To provide the BeNotified service
- Search of flight reservation and purchase
- Purchase and issuance of ticket
- Notification related to reservation and purchase of ticket
- Mileage accumulation and use for ticket reservation
- ID verification
- To obtain feedback from customers and address any complaints or requests that customers may have
- For general communication with customers
- To verify whether you are already an AAdvantage® member and whether you have applied multiple times
- To verify whether you are an American Airlines, Inc. employee or an immediate family member
- To notify you of important information about the AAdvantage® program
- To provide you with mileage and other services pursuant to the AAdvantage® program
- Ticketing and preorders of duty-free goods
- To provide benefits available with a Promo code
- To provide services related to a redress number or known traveler number
- To provide services pursuant to member preferences
We may additionally use or provide your personal information after considering the below issues:
- Whether the additional use or provision of personal information is related to the original purpose of collection;
- Whether the additional use or provision of personal information is foreseeable in light of the circumstances in which personal information is collected or practices of processing personal information;
- Whether the additional use or provision of personal information unduly infringes on the interests of users; and
- Whether necessary measures have been taken to ensure security, such as pseudonymization or encryption.
Period of retention and use
Your personal information will be retained only for so long as reasonably necessary for the purposes set out above, considering criteria such as applicable rules on statute of limitations, legal requirements and the duration of your use of our website and receipt of our Services.
Except where preservation of personal information is required by applicable laws and regulations, your personal information will be kept until the above-mentioned purposes of collection and use has been achieved.
Right to refusal and adverse consequences
The personal information collected for travel purposes is mandatory. You have the right to refuse to consent to the collection and use of personal information, but upon such refusal, you may be prevented from reserving or purchasing a ticket.
Provision of personal information to third parties
- We provide personal information to third parties within the scope of consent obtained from users,
- In case of emergencies, such as disasters, infectious diseases, incidents or accidents that cause imminent risk to life or body, and imminent property loss, the Company may provide personal information to relevant agencies without the consent of data subjects, in accordance with the “Rules on Processing and Protection of Personal Information in Emergency Situations” jointly announced by government agencies.
Destruction of personal information
- We will destroy personal information without delay when personal information becomes unnecessary, such as when the retention period has lapsed or the purpose of processing personal information has been achieved.
- We are required by other laws and regulations to continue to retain personal information even though the personal information retention period consented by data subjects has expired or the purpose of processing such personal information has been achieved. In such cases, we will transfer the relevant personal information to a separate database (DB) or retain such information at a different location.
- We will destroy personal information as follows:
- We will erase or overwrite personal information recorded and stored in electronic files in an irrevocable manner, and shred or incinerate personal information recorded and stored in paper documents.
Rights and obligations of data subjects and legal representatives and method of exercise thereof
- You have your right to request American to allow you to access, correct, delete or suspend processing of your personal information at any time. This includes:
- Right to request access to your personal information
- Right to request correction in case of error
- Right to request deletion of your personal information; and
- Right to request suspension of personal information processing.
- You may exercise the above rights in writing or via email, and we will take necessary measures without delay.
- You may exercise your rights through your legitimate representative or agent authorized by you, in which case, the appropriate power of attorney must be submitted to us.
- We will verify the identity of a person submitting a request, to protect your privacy.
Measures to ensure security of personal information
We take the following measures to ensure the security of personal information:
- Administrative measures: Establishment and operation of internal management plan, operation of dedicated organization, regular training of employees.
- Technical measures: Management of access rights to the personal information processing system, installation of access control systems, use of encryption where appropriate, and installation and renewal of security programs.
- Physical measures: Control of access to computer room and data storage rooms.
Contact
If you have any questions or comments about the Privacy Policy, need to report a problem, or if you would like to update, amend, or request deletion of information we have about you, please contact our Chief Privacy Officer or the American Airlines Privacy Office as provided in the section of our Privacy Policy titled “Contact Us”:
Remedy for infringement on rights
You have the right to file an application for resolution of disputes and to consult with the Personal Information Dispute Mediation Committee, the Personal Information Infringement Reporting Center of the Korea Internet Security Agency and other agencies so as to seek remedy. For reports on any other personal information infringement and consultation therefor, please contact the following agencies.
- Personal Information Dispute Mediation Committee: 1833-6972 (no regional code required; www.kopico.go.kr)
- Personal Information Infringement Reporting Center: 118 (no regional code required; privacy.kisa.or.kr)
- Supreme Prosecutors’ Office: 1301 (no regional code required; www.spo.go.kr)
- National Police Agency: 182 (no regional code required; ecrm.cyber.go.kr)
If you believe that your privacy rights and interests have been infringed due to the act or omission of act of the head of a public agency, you may file an administrative appeal in accordance with the Administrative Appeals Act, and please contact the following agency.
Central Administrative Appeals Commission: 110 (no regional code required; www.simpan.go.kr)
We endeavor to protect your privacy rights and to provide counseling and/or remedies for personal information infringement. If you wish to receive consultation on or report any personal information infringement, please contact our Chief Privacy Officer (CPO) (or American’s Privacy Office) using the contact information listed in the “Contact us” section.
Contact us
If you have other questions, comments or concerns about our privacy practices, or if you wish to issue a request to exercise your rights where applicable by law, please contact our Privacy Office at privacy@aa.com. Requests intended for American’s Chief Privacy Officer may also be submitted to our Privacy Office at the same address. Please provide your name and contact information along with the request. Alternatively, inquiries may be mailed to the following address:
American Airlines
c/o Privacy Office
1 Skyview Drive, MD 8B503
Fort Worth, TX 76155 USA