Privacy at Expedia Group

Last Updated: September 7, 2023

Introduction

Expedia Group is committed to the privacy, confidentiality, and security of personal information entrusted to us.

Expedia Group approaches privacy by focusing on the following key privacy principles, which underlie Expedia Group’s practices for collecting, using, disclosing, storing, securing, accessing, transferring or otherwise, personal information entrusted to us:

Transparency, Purpose Limitation, Proportionality and Fairness
Expedia Group brands collect and use personal information as described in the Privacy Statement of each Expedia Group brand. Each Expedia Group Brand collects personal information for a specific, and legitimate purpose(s), and processes personal information in a lawful and transparent manner, which is not excessive for the purpose(s) for which it is collected. Any subsequent processing should be compatible with such purpose(s), unless the brand has obtained the individual’s consent, or the processing is otherwise permitted by law.

Security
Personal information we collect and use about you will have reasonable technical and organizational safeguards in place.

Compliance
We hold ourselves to privacy laws that apply to personal information we collect and use.

Data Quality, Integrity, and Relevance
You can always take steps to correct or update personal information we hold about you. We make reasonable efforts to keep your personal information accurate, complete and up-to-date as is reasonably necessary for the purpose(s) for which it is processed.

Accountability
We implement appropriate governance, policies, processes, controls, and other measures necessary to enable us to demonstrate that our processing of personal information is in accordance with the foregoing principles and applicable data protection laws.

International data transfer

The personal information that we process may be transmitted or transferred to countries other than the country in which you reside. Those countries may have data protection laws that are different from the laws of your country.

The servers for our platform are located in the United States, and the Expedia Group companies and third-party service providers operate in many countries around the world. When we collect your personal information, we may process it in any of those countries.

We have taken appropriate steps and put safeguards in place to help ensure that your personal information remains protected in accordance with this Privacy Statement. For example, any data transfers between our group companies are governed by our intragroup agreements which incorporate strict data transfer terms (including the European Commission's Standard Contractual Clauses, for transfers from the EEA) and require all group companies to protect the personal information that they process in accordance with applicable data protection law.

We also require that third-party service providers to whom data transfers are made have appropriate safeguards in place to protect your personal information, in compliance with applicable data protection law. The particular measures used will depend on the service provider, and our agreements with them may include Standard Contractual Clauses approved by the European Commission, the service provider's certification under the EU-US and/or Swiss-US Privacy Shield or reliance on the service provider's binding corporate rules, as defined by the European Commission.

Data Protection Framework

All wholly owned U.S. affiliates of Expedia, Inc. (part of the Expedia Group of brands) have certified to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (“the DPF Frameworks”) and that we adhere to the DPF Framework Principles of Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability for personal information from the EU, Switzerland, and the United Kingdom. The Federal Trade Commission has jurisdiction over such Expedia Group U.S. affiliates’ compliance with the DPF Frameworks. In addition, Expedia Group maintains intra-group Standard Contractual Clauses where applicable to cover the transfer of EU personal information to the U.S. Our certifications can be found here. For more information about the DPF Frameworks principles, please visit: https://www.dataprivacyframework.gov.

In compliance with the DPF Frameworks, Expedia, Inc. U.S. affiliates (part of the Expedia Group of brands) commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the DPF Frameworks. Under certain circumstances, you may have the possibility to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. Please visit this link for more information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

Expedia, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPF Frameworks should first contact us via our contact information in our DPF certification above.”

Data Protection Officer, Data Controller and/or EU Representative:

For more information about the Data Protection Officer, data controller, and/or EU Representative for personal information we process, please click here.

Data Subject Rights

Certain countries and regions provide their residents with additional rights relating to personal information. For more information on what data subject rights may be available to you, please click here.