Privacy Policy

1) Who we are (Data Controller)

We are ATG TRAVEL WORLDWIDE, doing business as ATG Travel (“ATG”, “we”, “us”, “our”). We are the primary data controller for the processing of personal data described in this Notice, unless stated otherwise in a service-specific addendum, master agreement, service level agreement, regional supplement, business contract, or other agreement.

ATG | Worldwide OFFICE
ATG Travel Worldwide B.V.
Reactorweg 47
Utrecht, AD 3542
Netherlands

Contact: privacy@atgtravel.com (or the contact methods listed in Section 15).

When you visit our website atgtravel.com (the “Website”), use our applications (the “Apps”), as the case may be, and, more generally, use any of our services (the “Services”, which include the Website and Apps), we appreciate that you are trusting us with your personal information. We take your privacy very seriously. In this privacy notice, we seek to explain to you in the clearest way possible what information we collect, how we use it and what rights you have in relation to it. We hope you take some time to read through it carefully, as it is important.

This privacy notice applies to all information collected through our Services (which, as described above, include our Website and Apps), as well as any related services, sales, marketing or events. If there are any terms in this privacy notice that you do not agree with, please let us know immediately. Contact the compliance officers at compliance@atgtravel.com or your contact at ATG.

2) Scope of this Policy

This Notice applies to ATG’s travel‑management, meetings & events, and related services provided to corporate clients and their travelers/attendees, as well as to visitors of our websites, portals, and mobile applications that link to this Notice. It explains what personal data we collect, how and why we use it, with whom we share it, the legal bases we rely on, how long we keep it, international transfers, and your rights.

3) Categories of personal data we process

Depending on the services you use and your company’s travel policy, we may process:

  • Identity & contact data (name, title, business contact details, employer, employee ID).
  • Travel documentation & identifiers (date/place of birth; passport or ID; visa details; ticket/PNR; loyalty numbers; frequent flyer data).
  • Itinerary & trip data (segments, fare details, changes/cancellations, disruption alerts).
  • Preferences (seat, room, loyalty, ancillary choices; meal preferences that could reveal religion; assistance needs that may reveal health data).
  • Emergency contact data (name, relationship, phone/email).
  • Payments & billing (corporate card references, billing accounts, invoicing, reconciliation).
  • Meetings & events data (registration details, badges, catering, A/V needs).
  • Support interactions & quality (communications, optional call recordings for QA/training).
  • Apps (Geo-Location Information).
  • Online data (log data, IP address, device/browser metadata, analytics cookies; see Section 11).

 

4) Where and how we obtain data

  • Your employer/corporate client (authorized traveler lists; policy rules; approved profiles).
  • You (profile forms, OBT entries, calls/chats/emails, event registrations).
  • Online Booking Tools (OBTs) and Global Distribution Systems (GDSs) integrated for inventory and booking.
  • Travel suppliers & service partners (airlines, hotels, rail, car/ground, security providers).
  • Public/third‑party sources for contact enrichment or compliance checks (e.g., sanctions screening).

Traveler Profiles and Data Received from Corporate Clients

Upon entering into a commercial agreement with a corporate client, ATG typically receives a list of employees authorized to travel. This list generally includes minimal personal information such as the traveler’s name, business email address, business address, employee identification number, and job title. ATG uses this information to create an online *self‑service Traveler Profile* within its proprietary Profile Management database.

Once the Traveler Profile is activated, additional personal information required for travel management services may be provided either directly by the traveler or by a designated travel arranger, in accordance with the corporate client’s travel policy and ATG’s applicable terms of use. Where fields involve *special categories of personal data* (such as information revealing health or religious preferences), ATG displays a consent notice alongside the relevant field and processes such information only after obtaining explicit consent, where required under applicable law.

Traveler Profile information may also be populated through data transmitted by an online booking tool (OBT) service provider, when such integration has been selected or requested by the corporate client as part of its travel program.

Meetings & Events Attendee Information

When organizing meetings or events on behalf of its corporate clients, ATG receives limited personal information about attendees. This typically includes the attendee’s name, surname, contact details, organization, job title, and country of residence. ATG may also receive attendee data through third‑party booking or registration platforms used by, or contracted on behalf of, the corporate client.

5) Purposes & our lawful bases for processing

We only process personal data where we have a valid legal basis under GDPR or equivalent applicable legislation, matched to a clear purpose. The table below provides a non‑exhaustive mapping.

 

| Purpose | Examples | Legal Basis |
| --- | --- | --- |
| Travel booking & trip management | searching inventory, reservations, ticketing, reissues, disruptions, traveler communications | Contract; Legitimate Interests |
| Meetings & events management | registration, badges, venue, catering, A/V, attendee logistics | Contract; Legitimate Interests |
| Visa & immigration support | documentation, appointments, status updates | Contract; Legal Obligation (where applicable) |
| Traveler safety & alerts | itinerary monitoring, incident notifications, risk alerts | Contract; Legitimate Interests; Vital Interests (emergencies) |
| Customer support & quality | call/chat/email support; QA recordings | Contract; Legitimate Interests |
| Spend, policy & reporting | policy compliance, spend analytics, budget/forecast reporting to your employer | Legitimate Interests |
| Fraud prevention & security | account integrity, misuse detection | Legitimate Interests; Legal Obligation (where applicable) |
| Sanctions screening | screenings required by law/contract | Legal Obligation |
| Invoicing & account administration | reconciliation, billing, collections | Contract; Legal Obligation (tax/finance) |
| Service improvement & analytics | service metrics, workflow optimization (non‑cookie analytics) | Legitimate Interests |
| Marketing (B2B) | product updates, event invitations to business contacts | Legitimate Interests (with opt‑out); Consent where required |
| Apps | this information is needed to maintain the security and operation of our Apps, for troubleshooting and for our internal analytics and reporting purposes | Legitimate Interests (with opt‑out); Consent where required. |

If you wish to change our access or permissions, you may do so in your device’s settings.

6) Special category data & sensitive information

Travel sometimes requires processing special category data (e.g., meal preferences revealing religion; health‑related assistance). Where required by GDPR or equivalent applicable legislation, we will ask for your explicit consent before processing such data and limit use to what is strictly necessary for your trip or event. In emergencies, we may process data to protect vital interests. We apply heightened safeguards and access controls for this category of data.

7) If you do not provide data

Where we need personal data to perform a contract (e.g., to book travel) and you do not provide it, we may be unable to deliver the requested services. We will tell you when data is mandatory.

8) Recipients — who we share data with

We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill business obligations.

We may process or share your data that we hold based on the following legal bases:

  • Consent: We may process your data if you have given us specific consent to use your personal information for a specific purpose.
  • Legitimate Interests: We may process your data when it is reasonably necessary to achieve our legitimate business interests.
  • Performance of a Contract: Where we have entered into a contract with you, we may process your personal information to fulfill the terms of our contract.
  • Legal Obligations: We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).
  • Vital Interests: We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.

We share data strictly on a need‑to‑know basis with:

  • Travel suppliers: airlines, hotels, rail, car/ground, travel insurance, lounges/ancillaries.
  • GDS platforms (Global Distribution Systems) & OBT providers (Online Booking Tools) to search inventory, issue tickets, and manage traveler profiles.
  • Event service providers: registration platforms, badge/printing, caterers, A/V.
  • Payment & billing partners: card networks, acquirers, invoicing and reconciliation providers.
  • Safety & security partners: incident alerting and traveler‑tracking providers as per client program.
  • Government authorities: where required by law (e.g., immigration, security, tax).
  • IT/sub‑processors: hosting, platform maintenance, support, backup, security, booking and managing travel related services, acting on our instructions under data‑processing terms.
  • Affiliates: We may share your information with our affiliates, in which case we will require those affiliates to honor this privacy notice. Affiliates include our parent company and any subsidiaries, joint venture partners or other companies that we control or that are under common control with us.

We require all recipients to implement appropriate confidentiality and security measures and, where they act as processors, to process data only per our written instructions.

Our corporate clients may request us to share traveler or attendee information with designated third-parties of their choice, in connection with the products and services we provide.

ATG uses third-party sub-contractors for the management of its information technology tools and platforms. Such subcontractors may access your personal data but only for, on behalf of, and under the instructions of ATG, and are required to adhere to ATG policies, procedures and processes and to comply with applicable data privacy laws.

ATG reserves the right to disclose your personal data if required to do so by law or in the good faith belief that such action is reasonably necessary to comply with applicable law.

In accordance with the California Consumer Privacy Act, ATG has not sold any personal information.

9) International data transfers

Because travel is inherently global, personal data may be transferred to countries outside the EEA/UK internally within the ATG group, its affiliates and joint-ventures, and externally to its global partners and third-party providers. Where such transfers occur, we implement appropriate safeguards such as European Commission Standard Contractual Clauses (SCCs) or UK IDTA/Addendum, adequacy decisions where available, and other lawful mechanisms recognized under GDPR.

Where a recipient participates in the EU‑U.S. Data Privacy Framework, we may rely on their certification where appropriate. We also assess transfers case‑by‑case and apply additional technical/organizational measures as needed.

10) How long we keep data (retention)

We keep personal data only as long as necessary for the purposes described, including: delivering services, responding to itinerary/history inquiries, complying with legal, tax, and accounting obligations, and establishing, exercising, or defending legal claims. Retention periods vary by data type, service, and legal requirements. Upon request, we will provide our retention criteria or applicable schedules and, where feasible, delete or anonymize data when it is no longer required.

11) Cookies & similar technologies

Our websites and apps use necessary cookies to function and, where you consent, analytics and marketing cookies to measure usage and improve services. You can manage preferences through our Cookie Banner (shown on first visit and available thereafter via ‘Cookie Settings’), where you can grant or withdraw consent at any time.

Detailed cookie table for GDPR compliance.

| Cookie Name | Provider | Category | Purpose | Retention |
| --- | --- | --- | --- | --- |
| _ga | Google Analytics | Analytics | Aggregated visitor metrics | 13 months |
| _gid | Google Analytics | Analytics | Session-level analytics | 24 hours |
| session_id | ATG | Strictly Necessary | Session management | Session |
| ad_id | Ad Network | Advertising | Targeted advertising | 90 days |

12) Security

We implement appropriate technical and organizational measures to protect personal data, including access controls, encryption in transit and at rest (where appropriate), network security, logging/monitoring, secure development practices, and regular testing. We maintain a data‑breach response plan and will notify authorities and affected individuals where required by law.

ATG Travel Worldwide B.V. is ISO/IEC 27001:2022 certified and complies with the latest PCI DSS standards and all applicable regulations and legislation.

13) Your rights

  • Access your personal data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase data (‘right to be forgotten’), subject to legal limits.
  • Restrict processing in certain circumstances.
  • Data portability (receive your data in a structured, commonly used, machine‑readable format and transmit it to another controller).
  • Object to processing based on legitimate interests (including an absolute right to object to direct marketing).
  • Withdraw consent at any time, where processing is based on consent.

We respond to requests within one month (extendable as permitted by law). To exercise rights, use the contacts in Section 15.

14) Children’s data

Our services are designed for adult business travelers and attendees. We do not knowingly collect personal data from children under the age required by local law without appropriate authorization/consent. If you believe a child has provided us data without authorization, contact us so we can take appropriate action.

15) How to contact us

Data Protection and Compliance: compliance@atgtravel.com

General privacy inquiries / rights requests: privacy@atgtravel.com

Postal:

ATG Travel (Attn: Privacy/DPO)
ATG TRAVEL WORLDWIDE B.V.
Reactorweg 47
Utrecht, AD 3542
Netherlands

You may also lodge a complaint with your local supervisory authority (e.g., your EEA member state authority or the UK ICO).

16) Additional notices for specific jurisdictions

United Kingdom

We process personal data in accordance with UK GDPR and the Data Protection Act 2018. References to GDPR in this Notice include UK GDPR where applicable. Transfers from the UK rely on the IDTA or UK Addendum to the SCCs or equivalent adequate safety measures.

United States (State Privacy Laws)

If you are a resident of the United States, certain state privacy laws may provide additional rights and disclosures regarding your personal information. The following summarizes key rights; our detailed U.S. Privacy Notice provides full information and controls.

California (CCPA/CPRA)

  • Right to Know the categories of personal information collected, sources, business purposes, and third‑party disclosures.
  • Right to Access specific pieces of personal information.
  • Right to Correct inaccurate personal information.
  • Right to Delete personal information, subject to legal exceptions.
  • Right to Opt Out of ‘sale’ or ‘sharing’ of personal information for cross‑context behavioral advertising.
  • Right to Limit the use and disclosure of Sensitive Personal Information (where applicable).
  • Authorized Agents & Verification: You may designate an authorized agent to submit requests on your behalf. We will verify your identity (and your agent’s authority) consistent with California regulations. We do not discriminate against you for exercising your rights.

Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), Utah (UCPA)

  • Confirm whether we process your personal data and access it.
  • Delete personal data, subject to exceptions.
  • Correct inaccuracies.
  • Portability (obtain a copy of your data in a portable format).
  • Opt out of targeted advertising, the sale of personal data, and certain profiling.
  • Appeal Process: If we decline your request, you may submit an appeal via privacy@atgtravel.com. We will inform you of the outcome and how to contact your state Attorney General if you remain unsatisfied.

How to Submit U.S. Privacy Requests: Email privacy@atgtravel.com. We will respond to verified consumer requests within the timelines required by applicable laws.

Controller/Processor Classification: ATG acts as a ‘controller’ of personal information for its corporate travel services and as a ‘processor’ when handling data solely on behalf of enterprise clients under contract.

Other regions

ATG is committed to complying with both this Global Privacy Policy and Notice and applicable data protection and privacy laws including but not limited to the LGPD in Brazil, PIPL, CSL and DSL in China, PDPA in Singapore, Privacy Act in Australia. If they impose additional requirements or rights, ATG complies with those laws where applicable. Regional supplements may apply and will be provided where relevant.

17) Automated decision‑making

We do not conduct decision‑making solely by automated means that produces legal or similarly significant effects about you. If this changes, we will provide meaningful information about the logic involved and your rights to obtain human review, express your point of view, and contest the decision.

18) Changes to this Notice

We may update this Notice from time to time. Material changes will be highlighted on our websites/apps with a revised ‘Last updated’ date and, where appropriate, we will notify you via email or in‑app message.

Last updated

19 February 2026