ITA Group, Inc. – Privacy Policy

Last updated: June 11, 2024

ITA Group, Inc. (“ITA Group,” “we,” “our,” or “us”) and its domestic subsidiaries International Travel Associates, Inc., Chadwick Martin Bailey, Inc., and Hartmann Studios, Inc. have a strong commitment to respecting your concerns about privacy.

We understand you may have questions about whether and how we collect and use information. We have prepared this Privacy Policy to inform you of the privacy principles governing our website and our products and services. We encourage you to read this Privacy Policy carefully as it will help you make informed decisions about sharing your personal information with us.

If you are unable to access this policy due to a disability or any physical or mental impairment, please contact us using the contact details in the “How Do I Contact ITA Group” Section and we will arrange to supply you with the information you need in an alternative format that you can access.

The rights discussed in certain sections of this Privacy Policy may be subject to exemptions or other limitations under applicable law.  Please review this Privacy Policy carefully to understand what we do in regards to your personal information. If you are a California resident, please review the below Section 13, “Additional Disclosures for California Consumers” for additional disclosures, our Notice at Collection, and a description of your rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act, along with any implementing regulations and as may be amended, the “CCPA”).

1. What does ITA Group do?

ITA Group creates and manages events, incentives and recognition programs that help to align and motivate our clients and their people.  ITA Group is headquartered in West Des Moines, Iowa, United States, with clients all around the world.  For more details see https://www.itagroup.com/our-story

2. What information does ITA Group collect about me?

(a) Information collected through our products and services

In the course of using our products and services, you may need to provide ITA Group with certain personal information. For example, when we organize events or arrange travel on your behalf, details such as your name, address, contact details, company name, job title, date of birth and payment information may be required. We may also need information like your social security number, passport details and proof of citizenship in certain cases. However, we will only collect such information for the purposes of providing the services to you, and when we do so, we will act only in accordance with your instructions or those of our client (typically your employer or otherwise in line with this Privacy Policy).  Please note that some of this information may be considered sensitive personal information under applicable law.

You can always choose not to provide your personal information to ITA Group in this way, but it may mean that we are unable to provide our services to you or that some features of our products and services will be unavailable.

(b) Information collected through our website and other means

We may also collect personal information when you visit our website; for example, when you submit details about your name, title, company, address and other contact details through our website forms. We may also collect personal information by other means, such as when you correspond with us by post, email or telephone, or complete our surveys or attend ITA Group events.

In addition, when you visit our website, our servers will automatically log certain information such as your IP address, browser type, files requested and domain name. This information is collected primarily to improve our website through internal analytics, maintain security and to better meet our client's needs.

Some of this information will be collected through cookies and similar technologies. You can find out more about this in the Cookies section below.

3. Does ITA Group collect information about me from others?

There are limited circumstances in which we may receive information about you from others. For example, our clients may provide personal information about others (such as their employees, agents, suppliers or customers) in the course of using our products and services for the purposes of managing aspects of their business, or organizing events or incentive programs. In such cases, we are collecting the information purely on behalf of our client, on their instructions, and we rely on our clients to only provide your information where lawfully entitled to.  We do not have control over their privacy policies and practices and suggest you read them if you have any concerns.

4. How does ITA Group use my personal information?

We will use your personal information to deliver our products and services to you.  For example, to deliver the requested event, incentive or recognition program.  We also use your personal information to manage your client account, for general business administration, to respond to communications, and to provide technical or client support.  We provide information about ITA Group products and services you may find of interest in line with your consent preferences and measure the effectiveness of our advertising.

We will only process personal information in ways that are compatible with the purposes for which we have collected it, or for purposes that you later authorize.

We may also use aggregated anonymized data for internal business purposes – such as for analytical/statistical purposes and for business forecasting – and to help improve our products and services.

5. Does ITA Group disclose my personal information to third parties?

There are only a limited number of parties with whom we share your personal information – these may include disclosures:

• to our group companies (list available here) and other subsidiaries part-owned by ITA Group who will use your personal information only for the purposes that are disclosed in this Privacy Policy;

• to our clients on whose behalf we organise events or operate incentive and recognition programs (for example, we share your attendance at an event or participation in a reward program with the relevant client in line with your consent preferences);

• to our third party services providers and partners who provide data processing services to us or who otherwise support the operation of our business and services (for example, to venue providers, and travel and accommodation providers, in order to enable your participation in an event, or fulfilment partners who help us to deliver awards when you redeem points through the incentive and recognition programs for operate for clients), or who otherwise process personal information for purposes that are described in this policy or notified to you when we collect your personal information.  We only disclose to service providers the information necessary to perform the relevant service on our behalf and have put contractual controls in place as required by law;

• to any competent law enforcement body, regulatory, government agency, court or similar third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;

• to an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Policy; and

• to any other person with your consent to the disclosure.

Please note that for purposes of this Section 5 (“Does ITA Group disclose my personal information to third parties?”) “sharing” does not mean “sharing” as defined under the CCPA. For additional disclosures and information on our CCPA practices, please review  Section 13 “Additional Disclosures for California Consumers” below.

To the extent not required by law or contract, you have the opportunity to choose (opt out) whether your personal information is disclosed to third parties. Requests to opt out can be made by sending an email to privacy@itagroup.com or using the contact information in Section 15 below.

6. How does ITA Group keep my information secure?

We implement appropriate technical and organisational security measures to protect the personal information we collect and use about you.  When you are asked to provide personal information (as part of our products or services or on our corporate website), a "secure session" will first be established using SSL. This technology encodes information as it is being sent over the Internet between your computer and our secure servers. That helps ensure the information remains secure. You will know when a secure session is taking place and when it is not. Your browser uses a symbol – typically a key or padlock – as an indicator. When your session is secure, an unbroken key may appear; when your session is not secure, a broken key symbol may appear. Each time you visit our site, you should see an unbroken key.

PCI data and other more sensitive information – such as a credit/debit card number, Social Security Number, or Passport number – is only collected when necessary to fulfill the services requested. This type of information is stored securely on our servers. ITA Group, Inc. is compliant with the Payment Card Industry Data Security Standard (PCI DSS).  We contract with a PCI Approved Scanning Vendor (ASV) to provide regular security scanning of our cardholder data environment to maintain the integrity of our security measures. 

Please however keep in mind that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our site is at your own risk. You should only access our website and services within a secure environment.

7. Where does ITA Group store and process my information?

ITA Group's servers are located in the USA. If you are a non-US resident, this means that your personal information will be transferred to the USA.  We have taken the following appropriate safeguards to ensure that the personal information of residents of the EU/EEA, the United Kingdom, and Switzerland will be protected when transferred to the USA in accordance with this Privacy Policy.

Data Privacy Framework

ITA Group, Inc. and International Travel Associates Inc. participate and comply with the EU-US Data Privacy Framework ("EU-US DPF"), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework ("Swiss-US DPF"), as set forth by the US Department of Commerce. We have certified to the US Department of Commerce that we commit to comply with the EU-US DPF Principles with regards to the processing of personal information received from the European Union in reliance on the EU-US DPF, and from the United Kingdom in reliance on the UK Extension to the EU-US DPF. We have also certified to the US Department of Commerce that we commit to comply with the Swiss-US DPF Principles with regards to the processing of personal information received from Switzerland in reliance on the Swiss-US DPF (collectively, the "DPF Principles"). If there is any conflict between the terms in this privacy policy and the DPF Principles, the DPF Principles shall govern.

To learn more about the DPF, and to view our certification, please visit: https://www.dataprivacyframework.gov/.

Our compliance with the DPF Principles is subject to the investigatory and enforcement authority of the US Federal Trade Commission ("FTC").

If we receive your personal information in the US and subsequently transfer that information to a third party acting as our agent, and such third party agent processes your personal information in a manner inconsistent with the DPF Principles, then we will remain liable unless we can prove we are not responsible for the event giving rise to the damage.

If you have any questions or complaints about our DPF certification, you can contact us by using the contact details in Section 15 below.

We will investigate and attempt to resolve any DPF-related complaints or disputes within forty-five (45) days of receipt.

We have further committed to cooperate and comply with the panel of European Data Protection Authorities (EU DPAs), the UK Information Commissioner's Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (Swiss FDPIC) as our designated independent recourse mechanisms. As such, if you have a DPF-related complaint which you believe  we have not addressed or resolved to your satisfaction, please contact your local EU DPA, the UK ICO, or the Swiss FDPIC, as applicable. These services are provided free of charge to you. The contact details of the EU DPAs, the UK ICO, and the Swiss FDPIC can be found here respectively:
https://edpb.europa.eu/about-edpb/about-edpb/members_en;
https://ico.org.uk/global/contact-us/contact-us-public/; and https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt/kontaktformular_uebrige.html.

If neither ITA Group nor the EU DPAs, UK ICO or Swiss FDIC (as applicable) can resolve your complaint, you may also have the option to invoke binding arbitration for the resolution of your complaint under certain circumstances. To find out more about the DPF's binding arbitration scheme, please see https://www.dataprivacyframework.gov/s/article/How-to-Submit-a-Complaint-Relating-to-a-Participating-Organization-s-Compliance-with-the-DPF-Principles-dpf.  

Standard Contractual Clauses

In addition to our participation and compliance with the DPF Frameworks, we have implemented the European Commission Standard Contractual Clauses ("SCCs") as an additional data transfer mechanism for transfers between ITA Group companies, or from clients based in the European Economic Area ("EEA"), which require all group companies to protect personal information from the EEA in accordance with EU law.  More details are available on request.

8. Marketing emails

Where it is in accordance with your marketing preferences, the e-mail address you provide when requesting services or information from us may be used to communicate future information, including news and announcements, and information about our products and services. Any marketing related communications sent by ITA Group have an automatic opt-out link at the bottom of each communication. You may elect to remove yourself from further informational communications by selecting and confirming this link.

9. Legal basis (EEA and UK visitors only)

In most cases we are acting on the instructions of its clients, who determine the legal basis.

Where we collect personal information on our own behalf and where you are a visitor from the EEA or UK, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.

We will normally collect personal information from you only where we have your consent to do so, where we need the personal information to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, or for more details on our legitimate interests, please contact us using the contact details provided in the "How do I contact ITA Group" section below.

10. What rights do I have in relation to my personal information?

Depending on your location, your jurisdiction, and subject to applicable law, you may have certain rights with regard to the personal information we control about you. We will respond to your requests within the appropriate timeline under applicable law.

Where we process personal information on behalf of our clients as part of the services we provide, we are not responsible for their use of the data and cannot control their data collection and privacy practices. Any individual who seeks to exercise their rights should direct their query to the client in question. For example, if your employer has uploaded your personal information in the course of using our services, you should contact your employer directly.  We will respond to requests from clients in accordance with applicable law and our service agreement with the relevant client.

Where we collect personal information on our own behalf (and not on behalf of our clients), ITA Group will grant individuals their rights, where required under the DPF or applicable law. California consumers should see the section below "Additional Disclosures for California Consumers" for more detailed information.

If the processing of personal information about you is subject to EU, UK, or Swiss data protection law, you have certain rights with respect to that data. Depending on your location, your rights may include: the right to access, correction or deletion, the right to object or to portability.  You may also object to direct marketing as detailed in section 8 above, and withdraw your consent (although this will not affect the lawfulness of any processing prior to withdrawal). These requests can be made by sending an email to privacy@itagroup.com or by using the contact details in Section 15 below. Please note that requests to access your personal information may be subject to a fee specified by applicable law. If you are a visitor from Switzerland, the EEA or UK, and you believe that we have not processed your personal information in accordance with the applicable provisions of the EU General Data Protection Regulation, you may lodge a complaint with the respective DPA.

11. How long does ITA Group retain my data?

We will only keep your personal information for as long as we require it for the purposes set out in this policy. However, we may also keep some of your personal information for specified period of time under our data retention policy, and as required by certain laws – for example those relating to corporate governance, money laundering and financial reporting legislation – or, where your personal information is controlled by our clients, in accordance with our clients' instructions.

12. Does ITA Group use cookies? 

Yes, we do. Cookies are small data files that are placed on your computer or mobile device when you visit a website or use online services. Many websites – including this one – use cookie technology to help users navigate efficiently and simplify the browsing experience as well as provide analytics information to help us improve our website and services.

Cookies set by the website owner (in this case, ITA Group) are called "first party cookies".  Cookies set by parties other than the website owner are called "third party cookies".  Third party cookies enable third party features or functionality to be provided on or through the website (e.g. like advertising, interactive content and analytics). 

Controlling cookies

You can change your settings in our Cookie Consent Manager.  Alternatively, you can set or amend your web browser controls to accept or refuse cookies. If you choose to reject cookies, you may still use our Website and Services though your access to some functionality and areas of our sites may be restricted.   As the means by which you can refuse cookies through your web browser controls vary from browser-to-browser, you should visit your browser's help menu for more information. Here are the current relevant information pages for the main browsers:

• Microsoft Internet Explorer: http://www.microsoft.com/info/cookies.htm 
• Google Chrome: https://support.google.com/accounts/answer/61416
• MozillaFirefox: http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html  
• Apple Safari:  Blocks cookies by default and accepts cookies only from your current domain.  To change, click Safari, Preferences, Security, and choose your preference.

In addition, most advertising networks offer you a way to opt out of targeted advertising.  If you would like to find out more information, please visit http://www.aboutads.info/choices/, http://www.networkadvertising.org/choices/ or http://youronlinechoices.com/.

Do Not Track

“Do not track” refers to how Internet web browsers may request that a web application turn off tracking through the use of an HTTP header. ITA Group does not make use of this header. However, tracking that is done by cookies may be managed within your browser settings, as explained above.

13. Additional Disclosures for California Consumers

California law requires that we provide California residents with some additional information regarding how we collect, use, and disclose your "personal information" (as defined in the ("CCPA")). Throughout this Privacy Policy, we discuss in detail the specific pieces of information we collect from you or your device and discuss how we use and share such information. The rights described in this section are subject to exemptions and other limitations under applicable law.

Terms used in this section have the meaning ascribed to them in the CCPA.  We are a “business.” 

(a) Notice at Collection and Use of Personal Information

Information We Collect

As described in detail in Section 2 (“What information does ITA Group collect about me?”) above we may collect the following categories of information about you through the ITA products and services or when you visit our sites:

• Identifiers, such as name and contact information;
• Customer Records information;  
• Device identifiers, such as IP address;
• Internet or other network or device activity, such as browsing history or app usage;
• Geolocation information; and other information that identifies or can be reasonably associated with your device;
• Commercial information, such as transaction data;
• Professional or other employment related information, such as where you work and your title;
• Financial information, such as credit card and payment data; and
• Certain information that may qualify as “sensitive personal information” under the CCPA, including passport number, driver’s license, and state identification card.

Purpose for Collection and Use of Information

We also may collect and use personal information from California resident clients for the purposes described above in Section 4 (“How does ITA Group use my personal information?”).

Sale or Sharing of Personal Information

We do not sell or share your personal information (as such terms are defined under the CCPA).

How Long We Keep Information

We retain your personal information as described above in the Section 11 (“How long does ITA Group retain my data?”).

For more information about our privacy practices, please review our entire Privacy Policy, which is available here.

(b) Our Collection, Use, and Disclosure of Personal Information and Sensitive Personal Information

What Information We Have Collected and Our Purpose for Collecting the Information

In the preceding 12 months, depending on how you interact with us, we may have collected the categories of personal information listed above in the section, Section 2 ("What information does ITA Group Collect About Me"), We may collect all or a few of these categories of personal information for the business or commercial purposes identified in Section 4 (“How does ITA Group use my personal information?”).

Sources of Personal Information

The sources from which we collect personal information are described in Sections 2 ("What information does ITA Group Collect About Me"), and Section 3 (" Does ITA Group collect information about me from others?") of this Privacy Policy.

Our Disclosure of Personal Information

We do not sell or share your personal information (as those terms are defined under the CCPA).  We do not knowingly sell or share the personal information of California Residents under 16 years old. In the preceding 12 months, we may have disclosed for a business purpose the categories of personal information listed above in Section 13(a) under “Information We Collect” to the third parties listed in Section 5 (“5. Does ITA Group disclose my personal information to third parties?”). We may disclose personal information to all of the third parties listed above to comply with our legal obligations or for the business or commercial purposes identified above Section 4 (“How does ITA Group use my personal information?”).

In addition, we may disclose and in the preceding 12 months, may have disclosed for all of the categories of personal information identified in Section 2 ("What information does ITA Group Collect About Me"), to the following categories of third parties:  (i) judicial courts, regulators, or other government agents purporting to have jurisdiction over us, our subsidiaries or our affiliates, or opposing counsel and parties to litigation; and (ii) other third parties as may otherwise be permitted by law. We may disclose the categories of personal information identified in Section 2 ("What information does ITA Group Collect About Me") for the business or commercial purposes identified above in Section 4 (“How does ITA Group use my personal information?”). Additionally, we may disclose your personal information to third parties upon your request, at your direction, or with your consent.

We may also disclose your personal information or otherwise make it available to our service providers such as our CRM providers, other entities that have agreed to limitations on the use of your personal information, or entities that fit within other exemptions or exceptions in, or as otherwise permitted by, the CCPA.

As noted in Section 2 ("What information does ITA Group Collect About Me"), under the CCPA, certain personal information we collect and process may be considered “sensitive personal information.”  The CCPA requires that we provide you with a right to limit our use or disclosure of such sensitive personal information in certain circumstances.  Currently, we are not using or disclosing your sensitive personal information for purposes that would require that we provide you with a right to limit.                                                                                                     

(c) California Residents’ Rights under the CCPA

The CCPA, provides California residents with the following rights to their personal information, including the right to:

• Be informed, at or before the point of collection, of the categories of personal information to be collected, and the purposes for which the categories of personal information shall be used.
• Request access to, or for a copy of the personal information we have collected, used, disclosed, and sold about you over the past twelve (12) months (“Request to Know”).
• Request that we delete certain personal information we have collected from you (“Request to Delete”).
• Opt-out of the “sale” (as that term is defined in the CCPA) of your personal information if a business sells your personal information (we do not).
• Opt-out of the “sharing” (as that term is defined in the CCPA) of your personal information if a business shares your personal information with third parties (we do not).
• Limit the use and disclosure of sensitive personal information where required by the CCPA (“Right to Limit”) (please note that we are not using your sensitive personal information for purposes that would require that we provide you with a Right to Limit).
• Correct inaccurate personal information (“Request to Correct”).
• To not receive discriminatory treatment for the exercise of your CCPA privacy rights.

The CCPA does not restrict our ability to do certain things like comply with other laws or comply with regulatory investigations.  We also reserve the right to retain, and not to delete, certain personal information after receipt of a Request to Delete from you where permitted by the CCPA or another law or regulation.

(d) How to Submit a Request Under the CCPA

You may submit a Request to Know, Request to Correct or Request to Delete (“Consumer Rights Request”), as described above, through the following toll-free telephone number +1 (800) 257-1985  or by e-mailing us at privacy@itagroup.com or refer to our contact details in Section 15 of this Privacy Policy.

Please note that to protect your personal information, we will verify your identity by a method appropriate to the type of request you are making. Such information may include, at a minimum, depending on the sensitivity of the information you are requesting and the type of request you are making, your name and email address.  Any information gathered as part of the verification process will be used for verification purposes only. We may also request that your authorized agent have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent's identity to protect your personal information.

As mentioned above, ITA Group may provide third parties with certain personal information to provide or improve our products and services, for example to deliver products or services at your request. In such cases, we require those third parties to handle the information in accordance with applicable laws and regulations.

14. Amendments to this Policy

ITA Group, Inc. may amend this policy from time to time and will post the updated policy on this site. You can see when it was last updated at the top of this policy. Please try to check on this page from time to time so that you can keep up to date with any changes.

If we make any material changes, we will take appropriate measure to inform you, consistent with the significance of the change, for example, posting a prominent notice on the website, and/or notifying you via email or through our services.

You can choose to withdraw your permission for us to use your personal information if at any time it will be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you. You can withdraw your permission by sending an email to privacy@itagroup.com or by using the contact details in Section 15 below.

15. How do I contact ITA Group with questions or comments about this Policy?

If you have any questions about this policy or our privacy practices generally (including our DPF certification), please contact our Privacy team at privacy@itagroup.com or at our postal address:

ITA Group, Inc.
Privacy Team
Attention: General Counsel

7000 Vista Drive
West Des Moines, Iowa 50266

Tel: +1 (800) 257-1985

EEA or UK visitors: where we process information on behalf of our clients, the data controller is the relevant client (typically your employer or group leader); where we process information on our own behalf, the data controller is ITA Group Inc.