Privacy Policy
We, AirPM FZE (collectively, “AirPM”, “we”, “us”, “our”, or “we”) are committed, as data processor, to partnering with customers and users to help them understand and comply with data protection regulations (GDPR, ePrivacy, CCPA, LGPD ...).
AirPM provides an aviation industry platform for scheduling, pricing strategies, market intelligence, forecasting, and network planning tools, and based on instructions of the data controller, owners, and publishers of digital platforms. We collect, process and store personal data and other information through our products – AirPM Xchange (“Platform”), or when providing our service to Publishers (“Service”).
Personal Data Management on the Platform
To provide the Platform and/or perform the Service, AirPM collect, process and store data on behalf of the Publisher. The answers to the following questions allow us to explain how we manage personal data on the Platform.
What kind of personal data do we collect?
▪ Raw ID-type information: for instance, the user-terminal ID (cookie or mobile ID), that is transformed in a hashed visitor ID, or the IP address, that can be anonymized, to perform geolocation for instance
▪ All standard business information provided by the products of the Platform: for instance, navigation data (browser and device type, type of events or content, …), behavior information (sources, navigation path, time spent on contents, …), information related to registered or subscribed users (first name, last name, email, …)
▪ Additional and specific information that the Publisher can collect: based on the technology used to collect data (see following “How do we collect personal data?”), the Publisher can measure, collect, and analyze any business relevant information for him via our Platform
We consider by default all data collected, processed, and stored via our Platform as personal data according to GDPR art. 4.1.
What do we do with personal data?
We process the collected data to provide the information requested by the Publisher on the Platform: audience measurement data, content orchestration, account management, subscription processes, …
What are we not doing with personal data?
As data processor, and respecting the terms of contracts and the data processing agreement (DPA) signed with the Publisher acting as data controller, we do not:
▪ Sell personal data to anyone;
▪ Monetize personal data by other means;
▪ Claim ownership over personal data;
▪ Barter personal data for other services or products.
We do not knowingly process personal data relating to children less than 13 years of age (or 16 if the age of consent is higher in a particular country) or permit Publishers to provide us with such data. If we become aware that a Publisher has provided us with any personal data of children, we delete such data from our databases.
We do not knowingly process sensitive or special categories of personal data as defined in article 9 of the GDPR.
How do we collect personal data?
Personal data is collected via so called tagging libraries (mainly JavaScript on the web and SDK for native application) implemented by the Publisher on its online platforms. See Cookies and Similar Technologies below for further details on complementary data collection methods.
When a user/data subject visit a Publisher platform, and according to the legal basis chosen by the Publisher (see Purpose of Processing and Legal Basis below), https requests are sent to AirPM servers to perform the service requested by the Publisher.
How long do we store personal data?
Depending on the product of the Platform, or regarding specific legal obligation to perform, the data retention period can be different and always agreed in the contract with the Publisher acting as data controller. Analytics, for instance, has a predefined data retention period of 25 months with the opportunity for the Publisher to customize it.
For all products, all data is deleted at the end of the contract relationship with the Publisher.
Where do we store personal data?
Depending on the product used by the Publisher, the data collected from the end-user can be stored in different places.
Do we share personal data?
We, by default, do not share any data to anyone without the Publisher prior approval.
We, however, may share personal data, with all the adequate technical and organizational measures to protect it, in the following cases:
Intragroup: Only if necessary and for specific purposes, we may share personal data within affiliated companies belonging to AirPM. Our employees might have access to personal data on a strictly need-to-know basis typically governed and limited by function, role, and department of the particular employee. All affiliated companies belonging to AirPM concluded an intra-group data processing agreement (DPA) with EU Standard Contractual Clauses.
Legal disclosures: We may have to release personal data and other information we possess when necessary or appropriate to comply with the law; cooperate with law enforcement or national security requirements; respond to lawful requests; protect the rights of AirPM or a Publisher, other AirPM customers, and users, and third parties; or to enforce our terms of use. However, in doing so, we may:
- ▪ Dispute demands for release to the extent we believe, in our sole discretion, are unwarranted, illegitimate, or overbroad.
- ▪ Will notify Publishers of any requests unless we have some contradictory orders.
AirPM never had to disclose any personal data for legal purposes so far.
Cookies and Similar Technologies
To provide the products of the Platform, AirPM is using trackers, especially cookies on standard websites, or mobile IDs on native applications. Local storage, server-to-server request, clear gifs, pixel tags, web beacons or other similar technologies may also be used in some cases.
Users can control the use of trackers on their devices via the following means:
▪ Use the opt-out mechanism on the dedicated online platform provided by the Publisher
▪ Use the device appropriate configuration (browser or cellphone Operating System – Apple or Android mainly – settings)
Purpose of Processing and Legal Basis
Publishers can use the AirPM Platform and the associated Services for the following main purposes:
▪ Understand the audience
▪ Optimize content
▪ Engage the audience
▪ Monetize the online platform
Based on the main purposes observed in the digital marketing world, the following table synthesized for each purpose, what AirPM product is by default aimed for, and what is the by default legal basis for seen on our side for this purpose:
Purpose | Legal Basis |
---|---|
Audience and Analytics | Consent under GPDR or Exemption under ePrivacy |
Content Personalization or Performance | Consent under GDPR |
Advertising (personalized or not) | Consent under GDPR |
“One to one relationship” (account management, subscription, newsletter, …) | Consent or Contract under GDPR |
IMPORTANT: as a data controller, the Publisher can decide to use one or several products of the Platform for other purposes that the one foreseen originally, as well as to choose whatever legal basis he interprets to be the best in his specific case.
Each Publisher signs a data processing agreement (DPA) with AirPM to formalize these purposes and associated responsibilities.
International Data Transfers
Depending on the products of the Platform used by the Publisher, as well as the potential additional services requested by him, data may be transferred outside of original country where the data has been collected.
To meet with European requirements under the GDPR in terms of data transfers, AirPM uses the following mechanisms:
▪ EU Standard Contractual Clauses (SCC) through the data processing agreement (DPA) signed with the Publisher as well as with sub-processors;
▪ Binding Corporate Rules (BCRs) approved for both controller and processors transfers;
▪ Additional technical measures as encryption, pseudonymization or anonymization of the data.
To meet the guidelines of the PIPEDA in the applicable Canadian provincial legislation, AirPM recognizes and has controls in place to ensure that the privacy of personal information about an “identifiable individual” used in the course of “commercial activity” is protected and managed in the appropriate way.
Check the adequacy decisions under the GDPR, as well as the data protection around the world here.
Data Subject’s Rights
The GDPR, as many privacy laws around the word, empower data subject rights on its personal data.AirPM’s Platform enable Publishers to apply these rights to what is applicable regarding the data collected for their purposes (see Purpose of Processing and Legal Basis above).
The following table list all the main applicable rights regarding online data that and end-user can request to Publishers, and where AirPM provide standard solutions to these Publishers.
Data Subject Right | Mean |
---|---|
Information | Via Publishers’ information (CMP, Privacy Policy, …) |
Access | Via a request to the Publisher’s DPO |
Rectification | Via a request to the Publisher’s DPO |
Erasure | Via a request to the Publisher’s DPO |
Portability | Via a request to the Publisher’s DPO |
Object | Via opt-out mechanism provided by the Publisher |
AirPM’s data protection team is able to support the process of applying a data subject right.
Please contact support@airpmx.com, or any other communication channel listed in Data Protection Officer and Point of Contact below, for any further information.
Data Breaches and Security Measures
Data Breaches
AirPM maintains an incident response plan which governs the communication and process in the case of a data breach. Contractually this is covered between AirPM and all Publishers, in the Master Service Agreement.
Security Measures
AirPM security measures by pseudonymization and encryption of personal data; maintaining a detailed DRP to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services which in turn allows AirPM to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. AirPM maintains a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
AirPM affiliates don’t have automatic access to all Platform data. The access of Platform data is managed and strictly limited to what is necessary.
Data Protection Officer and Point of Contact
For all questions related to our privacy policy and how AirPM collects, processes and stores personal data, please feel free to contact the appointed Data Protection Officer (“DPO”):
Email: support@airpmx.com