As a data controller, the International Air Transport Association (“IATA”, “we”, “us”), an association incorporated by a Special Act of the Parliament of Canada with registered headquarters at SS135-800 rue du Square Victoria, Montreal, H3C 0B4, Quebec, Canada, is fully committed to protecting the privacy rights of individuals who provide us with personal data about themselves and to ensuring compliance with applicable data protection and privacy laws, notably the Canada Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Quebec Act Respecting the Protection of Personal Information in the private sector, the Swiss Federal Act of Data Protection (“FADP”), the China Personal Information Protection Law (“PIPL”) and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“EU General Data Protection Regulation” or “EU GDPR”).
Your privacy is important to us and we take the necessary measures to ensure that your personal data (i.e. any information relating to an identified or identifiable natural person) collected, processed and used in connection with your use of the IATA AUTH Application (“IATA AUTH” or “the app”) is protected from unauthorized access, misuse, loss and destruction.
We have created this Privacy Notice to explain how and why specific categories of personal data are collected when you use IATA AUTH. This app is designed to support secure authentication and transaction authorisation (e.g. multi-factor authentication and payment approval) and is not intended for general consumer use.
What data do we process?
We may process the following categories of data:
- Authentication data
Authentication data includes cryptographic keys and one-time passcodes generated by the app. Authentication secrets are stored locally on your device and are not accessible to IATA or its service providers.
- Transaction data
When you use the app to approve transactions (e.g. payments), we may process limited transaction-related data such as transaction identifiers, beneficiary identifiers and transaction amounts to allow you to review and securely approve transactions.
- Device and technical data
We may process limited logs necessary to operate and secure the service, including authentication and security event logs and error and crash logs.
- Data we do NOT collect
- We do not process payment card details through the app
- We do not use your data for marketing
- We do not track you across apps or services
How and why we use your data:
We process data strictly for the following purposes:
- Authentication: To generate one-time passcodes and verify authentication requests.
- Transaction authorisation: To enable you to securely review and approve transactions.
- Security and fraud prevention: To protect user accounts and transactions against unauthorised access or misuse.
- Service operation and reliability: To ensure the app functions correctly and securely.
Depending on the context, we rely on the following legal bases for processing:
- Performance of a contract – to provide authentication and transaction approval services
- Legitimate interests – to ensure security and prevent fraud
Where is the data stored?
Data is stored within the European Union, including Germany and Ireland.
Retention
Authentication data is stored on your device until you remove it. Technical and operational logs are retained for a limited period (e.g. 30 days) for security and troubleshooting purposes. Certain data may be retained for longer periods where required to comply with financial and regulatory obligations (for example audit requirements).
Who do we share your personal data with?
We limit the sharing of personal data to what is strictly necessary to operate the app.
We may share limited personal data with service providers who support the operation of the app, such as authentication service providers (e.g. OneSpan) and cloud hosting providers (e.g. AWS). This may include technical and authentication-related data necessary to enable secure authentication and transaction approval.
These service providers act on our behalf and under our instructions, and do not use personal data for their own purposes.
We may also disclose personal data where required to comply with applicable laws or regulatory obligations.
We do not sell or share personal data for advertising purposes.
Security
IATA implements appropriate technical and organizational measures to protect personal data, including encryption of data in transit, secure storage on device and access controls.
Your rights as a user
Subject to applicable law, you may have the right to:
- Request access to your personal data;
- Request correction of inaccurate personal data;
- Request deletion of your personal data, once it is no longer required for the above-mentioned purposes;
- Object to or restrict processing of your personal data.
Please contact us via the IATA Customer Portal at https://portal.iata.org if you have any questions or comments regarding this Privacy Notice or to exercise your aforementioned rights.