Club Travel Privacy Notice for Corporate Clients
(with particular reference to the use and operation of the Atriis Platform)
Introduction
Club Travel Limited, and its Associated Companies, respect your privacy, and this Privacy Notice explains our privacy practices for our services (“Services”) and describes the ways your personal information and data are collected, used and shared and the rights and options available to our Corporate Clients with respect to your information.
We are Data Processors on behalf of our Corporate Clients (Data Controllers), as described below in this notice. We may work with a number of sub processors, including Atriis, and other controllers, whom we have instructed to process personal information for the purposes of providing our services.
We may change this Notice from time to time. Updated versions will be made available in an electronic or equivalent manner.
Last Reviewed: 13/01/2026
Next Scheduled Review: 13/01/2027
Amex GBT travelers: If you are an employee or traveler of a corporate client of American Express Global Business Travel (GBT), we act as a data processor on behalf of GBT with respect to our collection and processing of your personal information. The remainder of this Privacy Statement does not apply to you; your information is governed by the GBT Privacy Statement. For questions about your personal information, you may contact GBT as directed in its Privacy Statement or contact us here: [email protected]
Contact Us
Club Travel,
29 - 30 Lower Abbey Street,
Dublin 1.
Telephone 01 241 2337
Email: [email protected]
1) Personal information that our Corporate Clients provide
Our Corporate Clients are requested to submit a registration form for each Individual User (or otherwise provide personal information about our Corporate Client user in an equivalent form or manner) to become a registered (or logged in) member of our Service. The registration form includes personal details of Individual Users such as name, DOB (required by airlines), phone number and email.
We will use this information to verify the Individual User identification (including enabling Third-Party Services) and to attribute purchases or actions (made online or offline) to our Corporate Clients for redemption purposes.
Some Corporate Clients have previously provided data to Club Travel through other systems. In agreement with our Corporate Clients, this data may be merged or migrated into the Atriis platform.
2) Other data collected
Club Travel, through Atriis, processes details of purchases made online or offline using the Service (e.g., time and date of your purchase, place where purchase was made, the amount paid and information about the items purchased). Club Travel will attribute the information regarding Individual Users’ purchases to our Corporate Clients. This is to fulfil our contractual agreements with our Corporate Clients.
We also collect data about the device from which the booking is made, such as mobile device identifier and/or account identifier (Android UDID, iOS UUID; Advertising ID: IDFA for iOS devices and AAID for Android devices, or their equivalent), the Internet Protocol (IP) address of the device used to access the Internet, device type and its operating system version.
Data is also processed regarding the features, content, services or websites accessed, clicked or interacted with through the Service as well as information regarding the interactions made with the Service’s interface and features such as logging info, the Service’s tabs, banners, or pages that are clicked on or accessed through the Service.
This data is processed for secure login reasons, and to be able to provide support and improve the services.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on Individual Users.
3) Storage of Personal Data
Personal data is stored within the EEA and may be accessed in countries deemed adequate or under Standard Contractual Clauses.
We implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including encryption, access controls, secure data transfer protocols, and regular security audits. Details of our TOMs are available upon request.
4) Anonymisation of data
To get better value for money deals for Corporate Clients, we may anonymise some data sets for negotiation purposes (e.g. the number of flights a Corporate Client may make to the USA). A separate schedule can be drafted to formalise this activity.
Once data is anonymised, such anonymised data may be used to improve services, update, or upgrade existing services.
5) Processing by Third Parties
A list of all Third Parties that Club Travel uses is available upon request.
Our Corporate Clients may provide information through certain areas, features, frames or sections of the Service that are operated by or for third parties. Those third parties may include airlines, hotels, car rental companies, e-commerce platforms, scheduling partners, payment services providers, and payment processors. Some of those third parties are Data Controllers (e.g. airlines) and are responsible for their own data processing practices.
Third parties may provide services to us, which are embedded in or integrated with the Service, such as ordering, payment, e-commerce, or scheduling services. These third parties will share data with Club Travel regarding the Individual User interactions with their systems, so that we can complete our contractual agreements.
6) Sharing and transferring collected information
The information outlined in the preceding sections may be shared with or transferred to third parties for the purposes of providing our Corporate Clients with services, features or content in connection with the Service, such as online ordering, e-commerce services, payments, communications, agencies, APIs, or companies that host the Service.
Information regarding transfers: we store your personal information in connection with the Service in the European Economic Area. Your data will be accessible in the countries where we or our service providers are located, in countries deemed as providing an adequate level of data protection or where there is another appropriate legal basis such as Standard Contractual Clauses.
In addition to the above, we may share the information to comply with any applicable law and assist law enforcement agencies when we have a good faith belief that our cooperation with them meets the applicable legal standards.
7) Processing of Special Categories of Data
We do not require Individual Users to provide special categories of data and do not intentionally collect or process otherwise sensitive information. There are limited circumstances where our Corporate Clients may wish to relay special categories of data to us, for example if an Individual User has a disability this may require additional assistance at an airport.
8) Children’s Privacy
Personal information about those who are under 18 years is not knowingly or intentionally collected. If our Corporate Clients have an Individual User under this age, our Corporate Clients are not permitted to use any aspect of the Service.
9) Direct Marketing to Individual Users
Notifications sent to Individual Users through the Service are only for flight confirmations (i.e. cancellations, time changes, etc) and are not used for direct marketing purposes.
10) Legal basis of processing
The legal basis for the following processing includes:
| Processing | Legal Basis |
| --- | --- |
| To provide our Corporate Clients with the Service’s functionalities, features, and services (including, without limitation, personalised content, location-based services, etc) | Contractual Obligation – Processing is necessary for the performance of the contract with our Corporate Clients. |
| Notifications sent to Individual Users through the Service, which are only for flight confirmations (i.e. cancellations, time changes, etc) | Contractual Obligation – Required to fulfil travel booking and management services agreed with Corporate Clients. |
| Anonymising data for better value deals for Corporate Clients | Legitimate Interests – To negotiate improved pricing and service offerings. |
| To manage the administrative and operational aspects of the Service | Legitimate Interests – Ensuring smooth operation and support of the platform. |
| Using anonymised data to improve services, update or upgrade existing services | Only using previously anonymised data – No personal data involved. |
| To comply with any applicable law and assist law enforcement agencies when we have a good faith belief that our cooperation meets the applicable legal standards | Legal Obligation – Compliance with statutory requirements. |
| Supply PAX Data required for travel by European law | Legal Obligation – Mandatory under EU aviation and security regulations. |
11) Individual User Data Rights
Individual Users should direct all Data Right Requests to the Data Controller (our Corporate Client). Club Travel shall fully cooperate with and assist our Corporate Clients without delay in respect of obligations regarding requests in respect of access, rectification, erasure, restriction, blocking or deletion of relevant data.
If Club Travel receives such a request, we will pass it on to the Corporate Client without delay.
In the event of a personal data breach, Club Travel will notify the Data Controller without undue delay after becoming aware of the breach and will provide all necessary information and assistance to meet regulatory obligations.
12) Data Retention
Within thirty (30) days after the termination of a Corporate Client’s Agreement with Club Travel, we will destroy or, if requested by our Corporate Clients in writing within ten (10) business days of the date of expiration or termination of the Agreement, return all Individual Users’ personal data. These timelines can be modified in agreement with the Corporate Client.