This Privacy Policy explains how American Airlines, Inc. ("we," "us," "our," "American") collects, uses, shares, and protects information both in connection with American’s online and offline services, systems, websites, and apps that refer or link to this Privacy Policy (our "Services"), and as explained below, including without limitation, the collection and processing of personal information in connection with bookings and travel on American Airlines or flights operated by our regional carriers (for example, Envoy Air, Piedmont Airlines and PSA Airlines), as well as loyalty data collected and processed in connection with the AAdvantage® program. This Privacy Policy applies regardless of the way you interact with our Services or the type of device or other means you use to access our Services.
American reserves the right to change this Privacy Policy at any time by posting the updated Policy here along with the date on which the Policy was changed. If we make material changes to this Privacy Policy that affect the way we collect, use and/or share your personal information, we will notify you by including a "NEWLY UPDATED" label with the "PRIVACY POLICY" link on aa.com for 30 days after material changes are made. This Privacy Policy is not a contract and does not create any contractual rights or obligations.
When we use the term ‘personal information,’ we are referring to information that identifies, relates to, describes, or can be associated with you, including the categories and specific types of information described in this Privacy Policy.
We collect and maintain personal information about you from many sources to understand and meet your needs, facilitate your travel, manage our business, and for other purposes disclosed to you. For example, we collect personal information about you from:
If the information is to be collected directly from you, you may in some cases have the option to decline providing that information. However, your choice to not provide information may impact your use of certain features or services.
The personal information we collect about you through these various sources may include, but is not limited to:
To the extent that the personal information we collect constitutes sensitive personal information under applicable law, American will collect and process this sensitive personal information within the limits provided by applicable law. Where required by law, and where no other lawful bases exist for processing such data (such as to fulfill laws promoting a substantial public interest), American will seek your specific consent before processing sensitive personal information.
You may submit a request for services (such as a meal preference, or a request for wheelchair assistance) which is not sensitive personal information. American does not consider such data to reliably imply or suggest sensitive personal information.
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel information, which may include personal information, about children when it is required to comply with the law, including federal aviation or security regulations, as otherwise required to provide transportation needs and services, or for safety or security reasons. We may retain personal information when required to provide transportation and related services to a child, or in connection with services purchased or enrolled by the parent or guardian on the child’s behalf (such as a parent or guardian’s enrollment of their child in the AAdvantage® program).
If you are a parent or guardian of a child who has provided personal information without your knowledge and consent, you may request we remove this child’s information by emailing privacy@aa.com.
When you use our Services, we may receive technical information such as your browser type, the type of operating system you use, your geolocation, the name of your internet service provider, mobile advertising identifiers, and pages visited on our Services. American gets this information by using technologies, including cookies, web beacons, and mobile device geolocation to provide and improve our Services and advertising, including across browsers and devices (also known as cross-device linking). We also use this information to verify that visitors meet the criteria required to process their requests and for reporting activity on our Services. For example, we may want to know how long the average user spends on our Services or which pages or features get the most attention. This technical information may be combined with information that is personally identifiable in order to personalize our Services and advertising to your interests, including across browsers and devices. For example, if you spend time reviewing a particular flight or destination but do not complete a travel reservation, we may use this information to show you targeted advertising about similar flights or destinations on our Services or on third-party websites. Some of this information may be shared with third parties, as described in the section titled “Information collected by third parties on our Services.”
Additionally, and with your specific consent where required by law, American may combine the information we receive from you with information collected from other sources. This information may be used to provide offers and / or services specifically tailored to your interests in accordance with applicable laws.
Some of the content, advertising, and functionality on our Services may be provided by third parties, including third parties that are not affiliated with us. As noted above, these third parties may collect or receive technical information about your use of our Services, including through the use of Cookies, and this information may be collected over time and combined with information collected on different websites and online services. Also, some third parties collect information about users of our Services in order to provide interest-based advertising (on our Services and elsewhere, including across browsers and devices, also known as cross-device linking).
For example, we may use third parties to collect, and share with us, usage information about how you interact with our Services, including personal information that you provide, website or app visits and interactions, and user inputs such as mouse clicks or keystrokes.
We use personal information to complete transactions and fulfill requests for our products and services. For example, we require you to provide personal information when making a reservation to purchase airline tickets or related products and services such as renting cars or booking hotel rooms through an American Airlines Reservations Agent, travel agent, the aa.com website or other travel-related website, or enrolling in the AAdvantage® and Business Extra programs. We may also use personal information to verify your identity, including for security purposes.
In the event of a flight delay, cancellation, or other service disruption, we may use the contact information provided in your booking to notify you, and the individuals traveling on the same booking, about the disruption.
In addition to processing, confirming and fulfilling the travel or other services or products you request, American may use personal information for administrative, analytical, and marketing purposes such as employee training, information systems management, accounting, billing and audits, credit card processing and verification, customer-relations correspondence, and/or operation of the AAdvantage® and Business Extra programs. American also uses personal information to identify, develop and market products and services that we believe you will value, including across browsers and devices, in accordance with applicable laws. Where we are required by applicable law, we will seek your consent prior to sending you communications for marketing purposes. More specifically, we may use your personal information for the following purposes:
There are Closed Circuit Television (CCTV) cameras in operation within and around our stations and other premises, which are used for these purposes:
We take reasonable measures to protect the personal information you provide to us.
American uses reasonable technical, administrative, and physical measures to protect your personal information from loss, interference, misuse, unauthorized access, disclosure, alteration or destruction, both during transmission and once we receive it. We also maintain reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete and current. When your personal information is shared, American will take a reasonable approach to prevent the unauthorized use of personal information.
Please note, however, that while American attempts to safeguard your personal information, no method of transmitting or storing electronic information is ever completely secure, and thus we make no warranty, express, implied, or otherwise, that your information will never be accessed, used or released in a manner that is inconsistent with this Privacy Policy.
Here are some things you can do to keep your information secure.
When you make a booking, you will be given a 6-character confirmation code. This will appear on the email confirmation or ticket of each person in your booking. You should keep your record locator confidential, as giving it to others may allow them to access your booking details through our systems. If you are traveling with others and do not want them to have access to your booking details, you should have each person make their own bookings.
To make sure your access to our Services is secure; you should not share your log in details with anyone else. You should always log out of the Services after each use if others have access to your computer or device, especially if you are using a publicly accessible computer such as at a library or internet café.
Your personal information will be retained only for so long as reasonably necessary for the purposes set out above and consistent with our retention policies, considering criteria such as applicable rules on statute of limitations, legal requirements and the duration of your use of our website and receipt of our Services. In general, this retention will be at least for the duration of your customer relationship with us and a longer period as necessary for legal defense purposes or as required by tax, aviation, and other applicable laws and regulations.
To the extent it is required to do so by law, American will permanently destroy any biometric data or identifiers in our possession once the initial purpose for collecting or obtaining them has been satisfied, or within three years of your last interaction with American, whichever comes first. This applies to any biometric identifiers or information received by American from any source, even if that source does not refer or link to this Privacy Policy.
We may disclose or share information about you to provide the products and services you have requested or for administrative, analytical, and marketing purposes, including to:
In addition, from time to time, we may share information with certain third party companies with which we have a business relationship, including AAdvantage® and Business Extra participants. These companies may send you offers based on the information you have provided us. Where we are required by applicable law, we will seek your consent prior to sharing your personal information with such third parties for marketing purposes. Also, as described in the section titled “Opting out of marketing communications and sharing your information with third parties”, you can opt out of having your information shared with third parties for those parties' direct marketing purposes by emailing us at privacy@aa.com.
If your booking includes emergency contact information, we may share personal information with your emergency contact or attempt to collect information about you from your emergency contact, as appropriate based on the nature of the emergency.
Please note that the laws and regulations of several countries, including without limitation, the requirements imposed under the Transportation Security Administration Secure Flight program, require us to provide foreign and domestic government agencies with access to the personal information you disclose to us and data that we have about you and your travel plans, history, or status, including both before and after a flight arrives. For example, American and other airlines comply with legal obligations in the United States (U.S.), United Kingdom (UK), member states of the European Union, Uruguay, Brazil (BR), and other countries to provide border control agencies and customs authorities with access to booking and travel data when you fly to and from such countries, including stopover or layover destinations or countries that you may overfly en route to your destination. American does not have control or knowledge of the storage and use of that data after it has been delivered to the respective government entity. Further, to the extent required by law, we may disclose personal information to government or law enforcement agencies, such as customs and immigration authorities, or to third parties pursuant to a subpoena or other legal process, and we may also use or disclose your information to law firms and courts, as permitted by law, to enforce or apply a contract with you or protect the rights or property of American, our customers, our employees, our Services, or its users, including, without limitations, sharing personal data with public health authorities for purposes of combating infectious disease.
We'd also like to remind you that we provide additional links to resources we think you'll find useful. These links will lead you to sites that are not affiliated with American and may operate under different privacy practices. Our visitors are responsible for reviewing the privacy policies for such other websites, as we have no control over information that is submitted to these companies.
We provide you with options to stop receiving marketing messages from us. Regardless of your opt-out preferences, we reserve the right to send you certain communications and share your information with third parties for administrative, transactional, and analytical purposes.
If you’re an AAdvantage® member and you want to opt out of receiving marketing emails, log in to your AAdvantage® profile and update your preferences, or contact AAdvantage® Customer Service. Please note, you’ll continue to receive AAdvantage® program updates and email products for which you’ve subscribed. If you’re a Business Extra member and you want to opt out of marketing emails, log in to the Business Extra website and update your preferences.
If you’re not an AAdvantage® program member and you want to opt out of marketing emails, you can click the opt-out or unsubscribe link in the marketing email you receive to manage your marketing preferences. You can also send an email from the email address you wish to unsubscribe with the word “unsubscribe” in the subject line to privacy@aa.com. When you do this, we will unsubscribe all users with the same email address, even if they are registered AAdvantage® members or Business Extra members with registered preferences.
If you want to opt out of receiving forms of communication from American other than marketing emails, please email privacy@aa.com with your request.
Email privacy@aa.com Link opens another site that may not meet accessibility guidelines
If you want American to stop sharing your personal information with third parties for those parties' direct marketing purposes, please opt out of third-party data sharing.
Opt out of third-party data sharing
When you use our Services, you may receive Cookies from us and the third parties that collect information on our Services. Please see the “Cookies and online advertising” section above for additional details.
Other companies or programs of American partners (such as AAdvantage® program participating companies) may require different steps to change your preferences for participation. Please consult the privacy policies of the relevant companies or programs for further information.
Where required by local law, you may have the right to access, request a copy of, update, transfer or port, restrict the processing of, or request that we delete your personal information. You may also have the right to object to our processing of your personal information. To exercise these rights please email us at privacy@aa.com. When we receive a request to exercise one of these rights, we will indicate what personal information we require from you to validate your identity. We will also provide information on the action we intend to take on the request without undue delay and no later than 30 days from receipt of the request, or within a shorter period of time where required by local law. This time may be extended by an additional two months in certain circumstances, for example, where requests are complex or onerous. Please note, these requests are subject to applicable legal, ethical reporting, or document retention obligations imposed on us.
When you provide us with your information, you acknowledge that this information may be stored, transferred, and processed on servers located anywhere in the World, including either inside or outside of the U.S., the European Union, the U.K., Switzerland, Uruguay, or Brazil.
This section of the Privacy Policy applies only if you use our website or Services covered by this Privacy Policy in Brazil, and supplements the information in this Privacy Policy.
To the extent that American Airlines, Inc. is subject to the laws of Brazil when processing personal data (“Personal Data”), it shall be the “data controller” under such laws.
According to the Brazilian General Data Protection Law (the “LGPD”), data that concerns racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person, will be deemed as sensitive personal data. American only collects and uses sensitive personal data for purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections of this Privacy Policy and will adopt strict security measures when processing sensitive personal data.
Due to the nature of our Services, we may collect Personal Data of children under the age of 12. Please see the “Minors” section above for more information.
American processes Personal Data for the purposes set out in this Privacy Policy, as described above. Our lawful basis to process Personal Data includes processing that is:
American is a global company, which owns entities in the United States. These entities include Envoy Air, Piedmont Airlines, and PSA Airlines. In order to achieve the purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections above, we may transfer your Personal Data to our global entities or other third parties outside of Brazil.
We will adopt all necessary measures to ensure the overseas recipients can provide the same level of protection as required under applicable Brazilian laws and also use lawful cross-border transfer mechanisms, whenever required by such laws, to transfer your Personal Data overseas.
Whenever Brazilian law is applicable to the processing of your Personal Data, you have the right to request from American:
When we receive a request to exercise one of these rights, we will indicate what Personal Data we require from you to validate your identity. We will also provide information on the action we intend to take on the request.
To exercise these rights please email us at privacy@aa.com and we will respond to your request as within the timeframe provided by the applicable laws and regulations.
You may always contact our Data Protection Officer, at privacy@aa.com. If you consider that our processing of your Personal Data infringes applicable law, you may submit a complaint to the Brazilian Data Protection Authority (ANPD).
This section of the Privacy Policy applies only if you use our website or Services covered by this Privacy Policy in China, and supplements the information in this Privacy Policy.
Credit or debit card payment information, biometric information, and medical information that we collect from you may be considered sensitive personal information under applicable Chinese laws. American only collects and uses sensitive personal information for purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections of this Privacy Policy and will adopt strict security measures when processing sensitive personal information.
Due to the nature of our Services, we may collect personal information of children under the age of 14. Please see the “Minors” section above for more information.
Please see the “With whom your information will be shared” section above for details about how your personal information may be shared with third parties. American will strictly follow the requirements of applicable Chinese laws when sharing your personal information with third parties.
If it is necessary for American to transfer personal information in case of a merger, division, dissolution, declaration of bankruptcy, or other reasons, American will provide notice of the name and contact information of the recipient. The recipient shall comply with this Privacy Policy when processing such personal information.
American is a global company, which owns entities in the United States. These entities include Envoy Air, Piedmont Airlines, and PSA Airlines. In order to achieve the purposes described in the “Information we collect and how we collect it” and “How your information will be used” sections above, we may transfer your personal information to our global entities or other third parties outside of China.
We will use lawful cross-border transfer mechanisms to transfer your personal information overseas and adopt necessary measures to ensure the overseas recipients can provide the same level of protection as required under applicable Chinese laws.
You have the right to access, correct or supplement, restrict or object to processing, and withdraw your consent with respect to your personal information that American collects and processes. You also have the following rights subject to restrictions provided by applicable Chinese laws:
To exercise your rights, please submit your request as described above.
This section of the Privacy Policy applies only if you use our website or Services covered by this Privacy Policy in Colombia, and supplements the information in this Privacy Policy.
American has mechanisms so that you can submit claims regarding your personal data. If American identifies that the claim or additional documentation is incomplete, American may require the claimant to remedy the faults or provide additional information. If the claimant does not submit the documentation and information required within two (2) months following the date of the initial claim, the claimant shall be deemed to have waived the claim.
American may need to collect and process sensitive personal information (e.g., health related data, biometric information) to provide its services in compliance with National laws and sectoral regulations, and consent to this effect is optional.
You have the right to file complaints before the Colombian data protection authority, the Superintendencia de Industria y Comercio, and to withdraw consent save when there is a legal or contractual obligation for the personal data to remain in the respective database.
To the extent that American Airlines, Inc. is subject to the laws of Ecuador when processing personal data (“Personal Data”), it shall be the “data controller” under such laws.
The information of the data controller, and the Data Protection Officer of the data controller, is the following:
American Airlines
c/o Data Protection Officer
1 Skyview Drive, MD 8B503
Fort Worth, TX 76155 USA
We can process your personal data when:
You may address the Ecuadorian Data Protection Authority (Superintendencia de Protección de Datos) and submit a claim, especially in cases where you deem that we have not satisfied your individual rights regarding how we process your personal information.
You may be entitled to exercise the right to:
To exercise these rights please email us at privacy@aa.com.
When we receive a request to exercise one of these rights, we will indicate what Personal Data we require from you to validate your identity. We will also provide information on the action we intend to take on the request. We will respond as soon as possible and in accordance with applicable law.
You may always contact our Data Protection Officer, at privacy@aa.com. If you consider that our processing of your Personal Data infringes applicable law, you may submit a complaint with a supervisory authority.
This section of the Privacy Policy applies only if you use our Services from a country that is a Member State of the European Union, the United Kingdom, Switzerland, or Uruguay, and supplements the information in this Privacy Policy.
To the extent that American Airlines, Inc. is subject to the laws of the European Union, the United Kingdom, Switzerland, or Uruguay when processing personal data (“Personal Data”), it shall be the “data controller” under such laws.
If you have made a flight booking with us but one or more flights or services (including, for example, access to travel lounges operated by our partner airlines) are to be provided by other airline(s), then that other airline will also separately be considered a “data controller”. Your Personal Data will be processed in accordance with the applicable airline’s privacy policy and, if your booking is made via a reservation system provider (“GDS”), with its privacy policy. These are available at http://www.iatatravelcentre.com/privacy or from the airline or GDS directly. You should read this documentation, which applies to your booking and specifics (for example, how your personal data is collected, stored, used, disclosed and transferred).
Any travel services provider (such as a hotel or car rental company) or AAdvantage® participating partner (such as an AAdvantage® co-branded credit card issuer) will also separately be a “data controller”. For information on how those parties collect, use, and protect your information, you may obtain copies of their privacy policies by contacting them directly or visiting their websites.
We process Personal Data for the purposes set out in this Privacy Policy, as described above. Our legal basis to process Personal Data includes processing that is:
In some instances, you may be required to provide us with Personal Data for processing as described above, in order for us to be able to provide you all of our Services, and for you to use all the features of our website.
The nature of American’s business means that the Personal Data collected through our Services will be transferred to the United States. Also, the American personnel and some of the third parties to whom we disclose Personal Data (as set out above) may be located in the United States and other countries outside of the European Union, the United Kingdom, Switzerland, or Uruguay, including in countries to which you fly and that may not provide the same level of data protection as your home country. We take appropriate steps to ensure that recipients of your Personal Data are bound to duties of confidentiality and we implement measures such as standard data protection contractual clauses to ensure that any transferred Personal Data remains protected and secure. More information and a copy of these clauses can be requested by emailing privacy@aa.com.
As described above in the “Application of local laws” section, under data protection laws in the European Union, the United Kingdom, Switzerland, or Uruguay, you have certain rights related to your Personal Data.
You may be entitled to exercise the right to:
To exercise these rights please email us at privacy@aa.com.
When we receive a request to exercise one of these rights, we will indicate what Personal Data we require from you to validate your identity. We will also provide information on the action we intend to take on the request in accordance with applicable law.
We will respond to your request as soon as possible and no later than 30 days from receipt of the request. In certain circumstances this time may be extended by an additional two months, for example, where requests are complex or onerous. You may always contact our Data Protection Officer, at privacy@aa.com. If you consider that our processing of your Personal Data infringes applicable law, you may submit a complaint with a supervisory authority.
As the owner of your personal data, you have the right to access your data held by American, know the characteristics of its treatment, rectify it if it is inaccurate or incomplete; request that they be deleted or canceled as they are considered unnecessary for the previously stated purposes or oppose their treatment for specific purposes. You may, at any time, revoke the expressly granted consent, as well as limit the use or disclosure of your personal data.
You may direct your request to exercise the aforementioned rights to the following address: privacy@aa.com.
When we receive a request to exercise any of these rights, you must submit the respective request in the terms established by the Regulation of Law No. 29733 (including: name of the owner of the personal data and address or other means to receive a response; documents that prove your identity or legal representation, if applicable; clear and precise description of the personal data with respect to which you seek to exercise your rights and other documents that facilitate the location of the data).
We will also provide information about the actions we intend to take on the request without undue delay and no later than 30 days after receiving the request. In some cases, this period could be extended for an additional two months, for example, when the requests are complex or onerous. Please note that these requests are subject to applicable law, ethical reporting standards, or document retention obligations imposed on us.
If you consider that you have not been assisted in the exercise of your rights, you can file a claim with the National Authority for the Protection of Personal Data, by contacting the Filing Desk of the Ministry of Justice and Human Rights. Calle Scipión Llona N° 350, Miraflores, Lima, Perú.
When you provide us with your information, you are agreeing that this information may be stored, transferred and processed on servers located in the United States of America.
This section of the Privacy Policy applies only if you use our Services from South Korea, and supplements the information in this Privacy Policy.
Your personal information will be processed for the purposes described in this Privacy Policy. Depending on what services you request from us, this may include the following purposes:
We may additionally use or provide your personal information after considering the below issues:
Your personal information will be retained only for so long as reasonably necessary for the purposes set out above, considering criteria such as applicable rules on statute of limitations, legal requirements and the duration of your use of our website and receipt of our Services.
Except where preservation of personal information is required by applicable laws and regulations, your personal information will be kept until the above-mentioned purposes of collection and use has been achieved.
The personal information collected for travel purposes is mandatory. You have the right to refuse to consent to the collection and use of personal information, but upon such refusal, you may be prevented from reserving or purchasing a ticket.
How we delegate the processing of personal information
We take the following measures to ensure the security of personal information.
If you have any questions or comments about the Privacy Policy, need to report a problem, or if you would like us to update, amend, or request deletion of information we have about you, please contact our Chief Privacy Officer or the American Airlines Privacy Office as provided in the section of our Privacy Policy titled “Contact Us”.
You have the right to file an application for resolution of disputes and to consult with the Personal Information Dispute Mediation Committee, the Personal Information Infringement Reporting Center of the Korea Internet Security Agency and other agencies so as to seek remedy. For reports on any other personal information infringement and consultation therefor, please contact the following agencies.
If you believe that your privacy rights and interests have been infringed due to the act or omission of act of the head of a public agency, you may file an administrative appeal in accordance with the Administrative Appeals Act, and please contact the following agency.
Central Administrative Appeals Commission: 110 (no regional code required; www.simpan.go.kr)
We endeavor to protect your privacy rights and to provide counseling and/or remedies for personal information infringement. If you wish to receive consultation on or report any personal information infringement, please contact our Chief Privacy Officer (CPO) (or American’s Privacy Office) using the contact information listed in the “Contact us” section.
If you have other questions, comments or concerns about our privacy practices, or if you wish to issue a request to exercise your rights where applicable by law, please contact our Privacy Office at privacy@aa.com. Requests intended for American’s Chief Privacy Officer may also be submitted to our Privacy Office at the same address. Please provide your name and contact information along with the request. Alternatively, inquiries may be mailed to the following address:
American Airlines
c/o Privacy Office
1 Skyview Drive, MD 8B503
Fort Worth, TX 76155 USA