VAX VacationAccess Privacy Policy

Effective March 10th, 2020

  1. Introduction

    VAX is an award winning travel platform specifically designed for Travel Agencies and Travel Agents. VAX VacationAccess Worldwide, LLC. works with contractors to provide you with access to a variety of benefits described herein as “VAX Content” which includes but is not limited to VAX applications, products and services. VAX VacationAccess is powered by Trisept, an Apple Leisure Group (“ALG”) company.

    Except as otherwise noted in this Privacy Policy, VAX VacationAccess is a data processor and a member of the ALG companies, which means that we manage how and why the information you provide to us is processed. This Privacy Notice may be amended or updated from time to time to reflect changes in our practices with respect to the Processing of your information, or changes in applicable law.

    We want you to know VAX VacationAccess will never sell, lease or rent your Personal Information to ensure your privacy is protected. We will always endeavor to take steps to assure that any personal information you provide to us will remain private and secure.

    We encourage you to read this Privacy Notice carefully, and to regularly check this page to review any changes we might make

  2. Part of Trisept Solutions

    The VAX family of platforms and services is managed by Trisept Solutions which is part of Apple Leisure Group (“ALG”) and operates under the policies of ALG. Trisept processes customer travel data from its data centers in the USA. Trisept is not responsible for the content of the information it processes or responsible for the way its clients treat personal information they collect or control.

    Accordingly, neither VAX VacationAccess nor Trisept directly interfaces with the traveling public (with the exception of “VAX Web” which allows travelers to interact with the platform services directly) and does not collect Personally Identifiable Information (“PII” under the General Data Protection Regulation (GDPR) of the European Union) or Personal Information (“PI” under the California Consumer Protection Act (CCPA)) from consumers. However, limited PII/PI is collected from representatives of its clients such as Travel Agents or Travel Merchandisers. This policy describes what information is collected directly as well as protections that are incorporated in the products and services Trisept/VAX VacationAccess provides to its clients that protect the information of their customers.

    In no case is PII/PI sold by Trisept or VAX VacationAccess. However, either may disclose your personal information as required by law, such as to comply with a subpoena, or similar legal process, when it believes in good faith that disclosure is necessary to protect their rights, protect individuals safety or the safety of others, investigate fraud, or respond to a government request.

    Trisept is an approved organization under the US – EU and Switzerland Privacy Shield administered by the International Trade Association of the US Dept. of Commerce (see: https://www.privacyshield.gov/list.)

  3. Definitions

    “Client” – means any Travel Agency or Travel Agent that contracts for or agrees to use the VAX VacationAccess platform(s).

    “Contractor” – means an independent provider of goods or services on behalf of VAX VacationAccess Worldwide, LLC.

    “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

    “Customer” – means an individual for whom the Travel Agency undertakes researching, shopping, booking, or purchasing of products and services on the VAX VacationAccess web sites.

    “Personal Information” means information from which any individual is directly or indirectly identifiable.

    “Process”, “Processing” or “Processed” means anything that is done with any Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

    “Third Party” – means a company other than VAX VacationAccess Worldwide, LLC or a domain name other than www.vaxvacationaccess.com.

    “Trisept” – means the company that is part of Apple Leisure Group that provides solutions and services to travel agents and agencies and in some cases to the traveling public directly.

    "VAX" – means the VAX VacationAccess technology owned by VAX that enables the Travel Agency to access the VAX Content, various customer’s inventories (all of which are maintained separately and are not owned or controlled by VAX) and make purchases on behalf of their agency and/or customers.

  4. What information is collected and how we collect it.

    We may Process the following categories of Personal Information about you:

    • Personal details: your name; username or log in details; password;
    • Contact details: postal address; telephone and/or mobile number; email address;
    • Consent records: records of any consents you may have given, together with the date and time, means of consent and any related information (e.g., the subject matter of the consent).
    • Purchase and payment details of your customers: records of purchases and prices; invoice records; payment records; billing address; payment method; cardholder or accountholder name; payment amount; and payment date.

    We may also collect:

    • Information about your use of the services, such as usage data and statistical information, which may be aggregated.
    • Searches for and interactions with e-commerce opportunities, such as merchants and offers contained in the services.
    • Non-precise information about the approximate physical location (for example, at the city or postal code level) of a user’s computer or device derived from the IP address of such computer or device (“GeoIP Data”).
    • Device identification (“ID”), which is a distinctive number associated with a smartphone or similar handheld device but is different than a hardware serial number.
    • Advertising ID, which is a unique, user-resettable identification number for advertising associated with a device (e.g., iOS uses the Identifier for Advertising (or “IDFA”) and Android uses Google Advertising ID).
    • Internet Protocol (“IP”) address, which is a unique string of numbers automatically assigned to your device whenever you access the Internet.
    • Internet connection means, such as internet service provider (“ISP”), mobile operator, WiFi connection, service set identifier (“SSID”), International Mobile Subscriber Identity (“IMSI”) and International Mobile Equipment Identity (“IMEI”).
    • Information collected through the use of cookies, eTags, Javascript, pixel tags, device ID tracking, anonymous identifiers and other technologies, including information collected using such methods and technologies about (i) your visits to, and interaction and engagement with, the services, content and ads on third party websites, applications, platforms and other media channels (“Channels”), and (ii) your interaction with emails including the content and ads therein (collectively, “Online Data”).
    • Device type, settings and software used.
    • Log files, which may include IP addresses, browser type, ISP referring/exit pages, operating system, date/time stamps and/or clickstream data, including any clicks on customized links.
    • Web Beacons, which are electronic files that allow a website to count users who have visited that page or to access certain cookies.
    • Pixel Tags, also known as clear GIFs, beacons, spotlight tags or web bugs, which are a method for passing information from the user’s computer to a third-party website.
    • Local Shared Objects, such as Flash cookies, and Local Storage, such as HTML5.
    • Mobile analytics to understand the functionality of our mobile applications and software on your phone.

    Children. The services are not intended for use by children, especially those under 13. No one under the age of 13 should provide any Personal Information or use our public discussion areas, forums or chats. Minors under the age of 18 are not permitted to make purchases through the services or to obtain coupons or codes from the services to purchase goods or services on third party websites. If, notwithstanding these prohibitions, your children or your customer’s children disclose information about themselves in our public discussion areas, consequences may occur that are not intended for children (for example, they may receive unsolicited messages from other parties). If it is discovered that we have collected Personal Information from someone under 13, we will delete that information immediately.

  5. Uses of information

    The PII/PI is collected and used for processing transactions through the platform to provide services to your customers. The agreement between VAX VacationAccess and our clients ensures the information will be used for the purpose it was intended.

    • Accounts and Personalization: providing personalization for services from VAX VacationAccess or its partners including (i) management of your account, (ii) posting of your personal reviews, testimonials or comments, (iii) offering of contests, as well as chat areas, forums and communities, and (iv) customer support and relationship management.
    • Offering and Improving the services: operating and managing the services for you; providing personalized content to you; communicating and interacting with you via the services; identifying issues with the services and planning improvements to or creating new services; and notifying you of changes to any of our services.
    • Surveys: engaging with you for the purposes of obtaining your views on our services.
    • Communications: communicating with you via any means (including via email, telephone, text message, social media, post or in person) regarding news items and other information in which you may be interested, subject to ensuring that such communications are provided to you in compliance with applicable law; maintaining and updating your contact information where appropriate; and obtaining your prior, opt-in consent where required. We may provide direct marketing to you.
    • Advertising: providing advertising based on your interests and interactions with the services and channels, including using Personal Information to serve you advertisements on the services and Channels.
    • User Engagement and Purchases: tracking purchase traffic and activity across the Service and on Channels, including review of your browsing history (if available); provision of analytics and measurement of cost of traffic against money being made.
    • Commerce Offerings: using cookies to track your browsing history and the amount of money spent at a particular third-party merchant’s site to offer coupons and other offers that are relevant to your shopping experience; offering of coupons via SMS messages if a mobile phone number is provided.
    • IT Administration: compliance audits in relation to internal policies; identification and mitigation of fraudulent activity; and compliance with legal requirements.
    • Security: Cyber-security measures (including monitoring of login records and access details) to help mitigate the risk of and provide the ability to identify and rectify a security incident.
    • Legal Compliance: Subject to applicable law, we reserve the right to release information concerning any user of services when we have grounds to believe that the user is in violation of our Terms and Conditions or other published guidelines or has engaged in (or we have grounds to believe is engaging in) any illegal activity, and to release information in response to court and governmental orders, other requests from government entities, civil subpoenas, discovery requests and otherwise as required by law or regulatory obligations. We also may release information about users when we believe in good faith that such release is in the interest of protecting the rights, property, safety or security {company’s name}, any of our users or the public, or to respond to an emergency.
  6. Uses of Data (Third Parties)

    We may have to share your personal data with the parties set out below for the purposes set out above.

    • Service Providers:
      • Suppliers of accommodation and travel services acting as processors or controllers who provide the services that you booked with us.
      • Marketing companies to send information and offers on our behalf.
      • Other companies that provide IT and System administration services.
    • Third Parties:
      • Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
      • Regulatory and governmental bodies and other authorities acting as processors or joint controllers who require reporting of processing activities in certain circumstances.
      • Third parties to whom we may choose to transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
      • Businesses who we have a partnership with to provide related services to our customers.

    We require all service providers and third parties to respect the security of your personal data and to treat it in accordance with the law.

    We do not allow our third parties and service providers to use your personal data for their own purposes without your consent and only permit them to process your personal data for specified purposes and in accordance with our instructions.

  7. Principles Applicable to Privacy Shield

    Certain parts of the platform (specifically VAX Pro (UK) although parts of other transactions may also be covered) provide transactions that are between providers in the EU and UK and entities in the US. These processing transactions are frequently subject to the Principles of the Privacy Shield between the EU and the US.

    As part of the Trisept Solutions platforms, the VAX platforms and services are, in some cases, used for covered transactions between parties in the EU and the US. To that extent, the transactions are covered by the certification attained by Trisept Solutions as a certified organization under the voluntary Privacy Shield guidelines. The following principles apply to Trisept and to certain of the VAX VacationAccess transactions:

    Notice:
    The privacy policy enumerated here is published on our websites (www.vacationaccess.com or www.triseptsolutions.com may also be consulted relative to the Privacy Shield) and is applicable to individuals that register with Trisept and any member of the traveling public that may inquire about our approach to privacy. This policy is reviewed at least annually, and updates will be published to the websites. Notice of any material changes will be provided to the email address provided in registered accounts as well as a NOTICE on the website. Interested parties should visit the website regularly to ensure updates are received.

    Choice:
    This principle states that any person for whom PII/PI is collected must be able to choose whether to continue receiving information from Trisept/VAX VacationAccess once the initial selection has been made. Subscribers to newsletters or mailings regarding travel specials or similar marketing materials may choose to stop receiving these emailed notices at any time by using the “unsubscribe” tab on the website. Alternatively, send an email to privacycontact@triseptsolutions.com with the request to be unsubscribed.

    Subscribers to any of VAX VacationAccess’s clients marketing messages must go to those websites directly and request to unsubscribe or follow the instructions provided on the website in order to choose to change status regarding receiving marketing emails.

    On rare occasions, VAX VacationAccess may need to communicate service related announcements via email, in which case, such communication will be made to the registered email address on the client account.

    Accountability for Onward Transfer:
    In some cases VAX VacationAccess uses third parties to assist in the provisison of its services. Third parties may be service providers such as banks that process payments, firms that provide analytics of aggregated information that report on types of services and purchases made to assist in making the platforms more efficient or effective in supplying services and the like. Any third party is required by contract or similar written agreement to have in place a firm commitment to the security and privacy of any data it handles under the direction of VAX VacationAccess. Further it must have, and provide evidence upon request, suitable security solutions in place to ensure the safety and security of any PII/PI it processes or manages on behalf of VAX VacationAccess. In the event a third party determines it is no longer able to meet the requirements or Trisept or VAX VacationAccess determines a third party is not meeting the requirements for protecting the PII/PI per the contract, Trisept or VAX VacationAccess will notify its impacted clients of this fact and the steps taken to remediate the situation.

    Security:
    Trisept and VAX VacationAccess take reasonable precautions to ensure the security and safety of data including loss, misuse, unauthorized access, disclosure, alteration and destruction of any PII/PI it collects directly or processes on behalf of a controller or other responsible party. Please note that transmitting any information involves the inherent risk of theft and unauthorized use. No method of transmission over the Internet, or method of electronic storage, is 100% secure, therefore, Trisept and VAX VacationAccess cannot guarantee its absolute security. Using the Hosting Platform for the transmission of customer information is encrypted using secure socket layer technology (SSL).

    Data Integrity and Purpose Limitation:
    The Privacy Policy requires that data collected by VAX VacationAccess is limited to only that which is necessary to perform the service for which it was collected. In most cases, this is limited to the PII/PI of authorized agents or representatives that use the platforms provided by VAX VacationAccess (backed by Trisept) in order to satisfy a customer’s request to book a vacation. Trisept and VAX VacationAccess take all reasonable steps to ensure that the data provided is accurate, current and sufficient to provide the intended service.

    It is critical to note that Trisept and/or VAX VacationAccess are NOT responsible for data collected and onward submitted for processing by clients and their customers that are the actual purchasers of the travel services. Trisept and/or VAX VacationAccess take reasonable steps to ensure services are provided with the proper and sufficient protections to meet the Privacy Shield principles for processing PII/PI.

    Access:
    Persons from whom VAX VacationAccess collects PII/PI have the right to access that information and may submit a request to see or have that data to privacycontact@trisept.com at any time. A request may be made to review the information in order to make a correction or a change to the information held. Requests will be responded to within 30 business days of receipt of the request.

    Please note, information will be maintained for as long as an account is active or as needed to provide the services and per the ALG information retention policy. Data must be maintained and used to comply with legal obligations, resolve disputes and enforce agreements. A request to delete an account and/or any information held is subject to these circumstances.

    In the unlikely event of a dispute or an unresolved privacy issue, please contact the U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request with the details of the issue.

    Recourse, Enforcement and Liability
    The last of the seven (7) principles required to comply with the agreements of the US-EU Privacy Shield requires notification of the individual’s rights regarding recourse, enforcement and liability. With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Trisept is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Trisept may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

    Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, a requestor may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

  8. Other

    Several other items are relevant in this Privacy Policy. These are:

    • Cookies and Other Tracking Technologies

      VAX VacationAccess uses cookies or similar tracking technologies. These technologies are used in analyzing trends, administering the site, tracking users’ movements around the site and to gather demographic information about the user base as a whole. Reports based on the use of these technologies may be produced, generally on an aggregate basis.

      Cookies are used to identify a return visitor or used as a way to measure activity and traffic patterns on the site. Users can control the use of cookies at the individual browser level. If the use of cookies is rejected, you may still use the sites, but your ability to use some features or areas of the sites may be limited.

    • Behavioral Targeting / Re-Targeting

      VAX VacationAccess partners with a third party to either display advertising on the website or to manage advertising on other sites. The third party partner may use technologies such as cookies to gather information about your activities on this site and other sites in order to provide advertising based upon your browsing activities and interests. If you wish to opt out of interest-based advertising click here [or if located in the European Union click here]. Please note this does not opt you out of being served ads. You will continue to receive generic ads.

    • Log Files

      As is true of most web sites, VAX VacationAccess gathers certain information automatically and stores it in log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. This automatically collected data is not linked to other information we collect about you.

    • Access to Data Controlled by our Clients

      VAX VacationAccess acknowledges that persons have the right to access their personal information. For the most part, VAX VacationAccess has no direct relationship with the individuals whose personal data is processed (the only persons for whom we have access are our employees and the PII/PI of travel agents or authorized representatives of our clients). An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct his/her query to the specific client (the data controller) that collected it. If the client requests us to remove the data, we will respond to that request within 30 business days.

    • Contact Information

      Questions, comments or complaints regarding the company’s policy or data collection and processing practices can be emailed to: VAXdatarequest@triseptsolutions.com