U.S. State Privacy Law Rights

Effective Date: July 1, 2024

This U.S. state law privacy notice (this “State Privacy Law Notice”) is included in our Privacy Policy and applies to Fareportal’s processing of personal information of California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia consumers under the State Privacy Laws (collectively, “Consumers,” “you,” or “your”). Any capitalized terms or other terms not defined herein shall have the meaning ascribed to them in the Privacy Policy or, if not defined herein or in the Privacy Policy, the State Privacy Laws. Where the State Privacy Laws use a similar term, such as “personal data” instead of “personal information, or “data subjects” instead of “consumers,” the term used herein shall also have the meaning defined under those laws. To the extent of any conflict between this State Privacy Law Notice and the rest of our Privacy Policy, this State Privacy Law Notice shall control only with respect to Consumers and their personal information. If you are located elsewhere, please see our Privacy Policy here.

GENERAL

This State Privacy Law Notice provides additional disclosures regarding use of personal information, and details about your rights, under the California Consumer Privacy Act (the “CCPA”) (including as amended by the California Privacy Rights Act), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Montana Consumer Data Protection Act, the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act, to the extent such laws are in effect (collectively, the “State Privacy Laws”).

Personal Information We May Collect

We collect the categories of personal information listed below.

General Personal Information

Categories of Personal Information	Sources of Personal Information	Business/Commercial Purposes for Collection and Disclosure
Identifiers, such as name, alias, postal address, online identifier, Internet Protocol address, e-mail address, account name, driver’s license number, passport number, or other similar identifiers, and unique personal identifiers (i.e. – persistent identifier such as device identifier).	Websites, Apps, or Services (information collected directly from user) Other Sources (e.g., public databases, marketing and analytics partners, social media platforms, booking suppliers and intermediaries, fraud management and security vendors)	To complete and fulfill your booking or purchase To respond to your inquiries and fulfill your requests To send administrative information to you To send you marketing communications that we believe may be of interest to you and present products/offers tailored to you To personalize your experience across our Services To allow you to participate in sweepstakes, contests, and similar promotions and to administer these activities To facilitate social sharing functionality To allow you to send messages to another person through the Services For business purposes such as data analysis, crash remediation and prevention, audits, fraud monitoring and prevention, developing and enhancing products and Services, analytics, and measuring effectiveness of our promotional campaigns (e.g., ads on our or third-party platforms, marketing emails, and measurement/attribution in relation thereto) As we believe to be necessary or appropriate to protect our rights or meet our legal obligations Aggregation such that it is no longer personal information As otherwise disclosed to you upon notice or with your consent
Commercial Information, such as products or services purchased, obtained, considered, such as booking details (e.g., name, origination/destination, date of birth, gender, co-traveler details), and other purchasing or consuming histories or tendencies.	Websites, Apps, or Services (information collected directly from user) Other Sources (e.g., public databases, marketing and analytics partners, social media platforms, booking suppliers and intermediaries, fraud management and security vendors)
Internet or Network Activity, such as booking search history, e-mail clickthroughs, sign-ups/registrations, and interaction with an advertisement.	Websites, Apps, or Services (information collected directly from user) Other Sources (e.g., marketing and analytics partners, social media platforms, fraud management and security vendors)
Geolocation, such as physical location of desktop or mobile device.	Websites, Apps, or Services (information collected directly from user) Other Sources (e.g., marketing and analytics partners, social media platforms, fraud management and security vendors)
Audio, electronic, visual, thermal, olfactory, or similar information, such as contact center calls	Websites, Apps, or Services (information collected directly from user) Other Sources (outsourced contact center locations)
Inferences drawn from any of these personal information categories, such as travel preferences, potential fraudulent behavior or activity, search history (e.g., bookings searched), web behavior, characteristics, and propensity.	Websites, Apps, or Services (information derived from user interaction) Other Sources (e.g., marketing and analytics partners, social media platforms, fraud management and security vendors)
Financial Information (information described in CA Code §1798.80), such as bank account number, credit card number, and debit card number.	Websites, Apps, or Services (information collected directly from user) Other Sources (e.g., payment vendors, fraud management, booking suppliers and intermediaries)	For business purposes relating to completing your transactions, fraud management and security, accounting/auditing, and compliance with applicable law

For more information regarding the categories of entities we may share with for such purposes set forth above, please see here. Note, however, that financial information is disclosed to our payment processors, financial institutions, travel-related suppliers (e.g., airlines, hotels), accounting/auditing firms, and other entities relating thereto.

Sensitive Personal Information

Under State Privacy Laws, we may be deemed to be collecting “sensitive personal information” when you voluntarily choose to submit meal requests or travel accommodations. For example, meal requests could theoretically imply racial/ethnic origin or philosophical beliefs (e.g., “kosher” meals), and travel accommodations may include requests for wheelchair access or other support based on a disability. The information is used to help accommodate your explicit request. Please note that meal requests or travel accommodation requests are optional and directly submitted by you through the prompts in the relevant booking flow. We may also use “precise geolocation” pursuant to the permissions set in our app.

For purposes of the CCPA, we do not use or disclose “sensitive personal information” for any purpose that requires a corresponding opt-out right.

Deidentified Data

Where we process “deidentified information” (as such term or similar term, such as “de-identified data,” is defined under the State Privacy Laws) and are required to keep such information as “deidentified,” we commit to maintain and use the information in such deidentified form and will not attempt to reidentify the information, except in instances where necessary for determining whether the deidentification process we used satisfies the requirements under applicable law.

Your State Privacy Law Rights

Access
You have the right to request confirmation regarding whether we are processing your personal information and to access that personal information (including the specific pieces of information that we have collected about you). Where the request for personal information is granted, that information will be provided in a portable format unless not technically feasible to provide in such a format.

Specifically, with respect to the CCPA’s right to access, you have the right to request the following: (a) the specific pieces of personal information the business has collected about you and (b) the categories of personal information collected, the sources of collection, the business/commercial purpose for collecting or "selling/sharing" personal information, and the categories of third party to whom the business discloses personal information.

Deletion
You have the right to request that Fareportal delete personal information collected and maintained about you, subject to certain exceptions. Once your request is verified and we have determined that we are required to delete that information in accordance with applicable law, we will delete your personal information accordingly.

Correction
You have the right to request that any inaccuracies in your personal data be corrected, taking into account the nature of the personal information and the purposes of the processing of the Consumer’s personal information.

Opt-Out of Sales, Sharing, and Targeted Advertising
You have the right to opt-out of:

The “sale” and “sharing” of personal information; and
The processing of personal information for purposes of “targeted advertising.”

Note that we “sell” or “share” (and process for “targeted advertising” more generally) your personal information in connection with our advertising-related activities. Specifically, we consider disclosures of identifiers, commercial information, and internet or other network information described in this Privacy Policy to our advertising/marketing and analytics partners (such as ad agencies, social media networks, adtech partners) via pixels or similar tracking technologies (e.g., cookies) as “sales,” “shares,” and processing for “targeted advertising” that users can opt-out of via our toggle in the “Your Privacy Choices” link or via GPC(learn more about GPC at www.globalprivacycontrol.org.). These opt-outs (whether by toggle or GPC) is on a per-website basis and applies at the browser level for the device you use to opt out.

In limited cases, we may also upload your email address to an advertising/marketing (e.g., social media networks, adtech partners) or analytics partner for advertising/marketing and analytics purposes, in which case you can use this email-based form linked below to opt-out of those “sales”/ “shares”/processing for “targeted advertising” in relation to your email address: Email Opt-Out Form. Note that this email-based opt-out is not an opt-out of marketing emails.

Note that our Your Privacy Choices link is set to appear in the footer of our website to residents of those states that provide such opt-out right, such as California, based on geolocation detected via a third-party service (such geolocation is derived from IP address).

The above opt-out rights may not apply where we have appropriately limited such advertising/marketing and analytics partners to only process such information on our behalf.

We do not have actual knowledge of “selling” or “sharing” personal information of those under sixteen (16) years of age.

Exercising Your Rights

To exercise the access, deletion, and correction rights described above, please submit a request to us by either:

Completing and submitting the following request form: https://www.cheapoair.com/support/datasubjectright/.
Emailing privacy@fareportal.com and following any steps in our auto-response email.
Calling us at 1-800-566-2345.

To opt-out of “sales”, “shares,” and processing of personal information for “targeted advertising”: Use the Your Privacy Choices link/GPC and this email form, as each are further discussed above.

Verifying Your Request

Only you, or a person that you authorize to act on your behalf, may make a request related to your personal information. In the case of access, deletion, correction (and opt-out requests if we believe such request is fraudulent or reasonably requires more information, such as in the case of use of authorized agents), your request must be verified before we can fulfill such request.

Verifying your request will require you to provide sufficient information for us to reasonably verify that you are the person about whom we collected personal information or a person authorized to act on your behalf (e.g., previous booking number of person to whom request relates, confirmatory details that the “authorized agent” is indeed able to act on your behalf, submission from an email address that you control).

We will only use the personal information that you have provided in a verifiable request in order to verify your request. As stated above, we cannot respond to your request or provide you with personal information if we cannot verify your identity or authority.

Please note that we may retain a record of your request. Further, we may charge a reasonable fee or refuse to act on a request if such request is excessive, repetitive, or manifestly unfounded.

Appeals and Non-Discrimination

In the event that we decline to take action on a request exercising one of your rights set forth above, Colorado, Connecticut, Montana, Oregon, Texas, and Virginia residents have the right to appeal our decision under their respective State Privacy Laws.

More broadly, note that you have the right not to receive discriminatory treatment for exercising the rights set forth above. However, if the exercise of these rights limits our ability to process personal information (such as in the case of a deletion request) in certain contexts, we may no longer be able to provide you certain related products and services or engage with you in the same manner.

Retention Period

We retain your personal data based on our relationship with you, the types of personal data collected, and as we otherwise believe is reasonably necessary and proportional for enabling and providing our Services. The criteria that we use to determine our retention periods may include:

Whether you are a loyalty account holder or not and how frequently you make transactions our Services, log in to your account, or whether you have active loyalty points or gift cards.
What is reasonably needed to analyze historical travel and booking trends within our customer base to try to provide the most relevant deals and price points.
Whether or not you’ve signed up for marketing communications and how frequently you interact with those communications (e.g., email open rates).
What is reasonably needed to protect our Services, such as from a cybersecurity and fraud detection perspective.
Personal data reasonably needed for purposes of fulfilling your transactions and related events such as actual or potential refunds, chargebacks, cancellations, customer service inquiries, or disputes (and keeping records relating thereto).
Our relevant legal obligations related to personal data, including records requirements and statutes of limitation.
What is reasonably needed for the exercise, defense, or exercise of potential legal claims, regulatory inquiries, and similar proceedings.

Financial Incentives/Loyalty Program

Financial Incentives (CCPA): Upon creating an account, you can earn points through the Rewards program brought to you by Club Miles LLC (an entity within the Fareportal group), which you can redeem for certain benefits, as discussed further in its program terms. In exchange, as it relates to personal information, we will primarily receive identifiers and commercial information (see categories of PI in the chart above). You may opt-out of such program by ceasing participation in the program and foregoing the ongoing incentives, as otherwise set forth in the program terms referenced above, or by deleting your account.

Where there is a price or service difference related to the collection and use of personal information, such price or service difference is based upon our reasonable, good-faith determination of the estimated value of such information to our business, such as by calculating the expense related to the offer, provision, or imposition of the financial incentive or price or service difference or revenue generated or expense related to the sale, collection, or retention of consumers’ personal information.

Colorado Loyalty Program Disclosure: We primarily collect your email address and demographic information as part of signing up for the Rewards program. We may work with loyalty partners, such as airlines or other services (e.g., hotel chains, airports), for purposes of honoring your rewards, as needed. Your email address and demographic information may be used for “targeted advertising” purposes and disclosed to our advertising/marketing partners in relation thereto. If you choose to delete your account with us, you will not be eligible for future rewards unless you sign up with a new account, as your rewards points are tied to your account. Note that this loyalty program disclosure does not apply to information that may be collected outside of signing up for the Rewards program (e.g., email address or other data received when making a booking).

CONTACTING US

If you have any questions regarding our privacy practices as it relates to this State Privacy Law Notice, please contact us via email at privacy@fareportal.com with the subject line, “U.S. State Privacy Law Notice.”

Because email communications are not always secure, please do not include credit card or other sensitive information in your emails to us.