Integritetspolicy

Published June 29, 2026 (Version 6)
Last Updated: December 14, 2025

• Introduction
• Applicable Data Protection Laws
• Information We Collect
• Data Belonging to Minors
• How We Collect Your Information
• Purpose and Legal Basis of Data Processing
• Data Retention
• Security of Personal Data
• Sharing Your Personal Data
• International Transfer of Personal Data
• Sale of Your Personal Information
• Rights in Relation to Personal Data
• Third Party Websites
• Cookies and Similar Technologies
• How to Contact Us
• Annex I: Overview of Cookies on the Site
• Annex II: Overview of Third Parties and Recipients of Data
• Regional Annex A – European Union and European Economic Area
• Regional Annex B – United Kingdom
• Regional Annex C – Brazil
• Regional Annex D – Canada
• Regional Annex E Part I – United States (Federal)
• Regional Annex E Part II – California
• Regional Annex F – Switzerland
• Regional Annex G – Latin America

1. Introduction

This Global Privacy Policy (the “Policy”) provides information on the processing of personal data by the Aruba Tourism Authority (hereinafter referred to as “ATA” “we”, “us”, or “our”)

This Policy applies to Aruba.com, the associated localized domains, subdomains, translated versions, booking interfaces, campaign microsites, mobile sites, apps, conversations tools such as the MyAruba Assistant, and other digital experiences owned or operated by or for the ATA (collectively referred to herein as the “Site”), as well as all digital and offline services operated by or on behalf of the ATA (the “Services”). We respect the privacy of every person who visits our Site or uses our Services, and we are committed to ensuring a safe online experience for all.

This Policy explains what personal information we collect from and about you when you engage with the Site or access the Services. By using the Site or the Services, you acknowledge that we may collect information about you and use or disclose such information as described herein. Your use of the Site and/or the Services constitutes your acceptance of the terms of this Policy. If you do not agree with this Policy, please do not use our Site or the Services.

This Policy may change from time to time. The date listed above indicates when this Policy was last reviewed or updated. Your continued use of the Site or Services after we make such changes is deemed to be acceptance of those changes. We encourage you to review this Policy periodically for updates. If you no longer consent to our collection, processing, or storage of your Personal Data (as defined herein), you may contact us via the process referred to in Section 15.

This Policy is incorporated into the Global Terms and Conditions for Consumer Use (the “Terms”). All capitalized terms used but not otherwise defined in this Policy are defined in the Terms.

2. Applicable Data Protection Laws

We will handle your Personal Data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any other privacy or data protection laws that apply in the jurisdictions where ATA offers its Services or where users are located (collectively, “Applicable Data Protection Laws”). Additional jurisdiction-specific requirements are addressed in the annexes to this Policy (the “Regional Annexes”), including requirements under the UK General Data Protection Regulation and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), applicable U.S. state privacy laws, Brazil’s Lei Geral de Proteção de Dados (“LGPD”), Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), and any other privacy or data protection laws that apply in the jurisdictions where ATA offers its Services or where users are located. ATA reserves the right to review and alter the Policy periodically in order to comply with Applicable Data Protection Laws, reflect changes in our data processing practices or technological developments, and for any other purpose deemed reasonable or necessary by ATA.

The term “Personal Data” as used this Policy means any information relating to a living individual who is identified or identifiable, directly or indirectly, from that information alone or in combination with other information, including the categories of personal data described in Applicable Data Protection Laws.

This Policy applies only to the processing of Personal Data for which ATA acts as a data controller. In limited contexts, ATA may process Personal Data on behalf of another entity and therefore act as a data processor within the meaning of Applicable Data Protection Laws. For example, certain processing activities relating to the online ED Card are carried out by ATA on behalf of the Immigration Authority of Aruba (IASA), which acts as the data controller for ED Card data. In such cases, ATA processes Personal Data in its capacity as a data processor. Processing carried out by ATA in a processor capacity is governed by the applicable controller’s privacy notice and, where applicable, the relevant contractual arrangements between the parties, and falls outside the scope of this Policy.

3. Information We Collect

ATA collects different categories of Personal Data depending on how you interact with the Site, the MyAruba App, our marketing programs, events, business communications, or other Services. ATA may collect and process the following categories of Personal Data:

• Identity Data: your first name, last name, nationality or country of residence, MyAruba username or similar identifier, and other identity-related information that you voluntarily provide through forms, surveys, campaigns, account registration, or other interactions with ATA. dentity Data may also include your role (e.g., travel agent, tour operator, tourism partner, or media contact) where provided to ATA for professional purposes.

• Contact Data: your email address, telephone or mobile number, mailing address, ZIP or postal code, and, where applicable, business contact details if you interact with ATA in the course of a business or professional relationship.

• Travel & Visit Data: travel dates, place and duration of stay in Aruba, main purpose of visit, flight number (where voluntarily submitted), and itinerary or preference information that you choose to save, submit, or share through the MyAruba App or other Services.

• Technical Data: internet protocol (IP) address, device identifiers, login history, browser type and version, time zone setting and approximate location, operating system and platform, and information collected through cookies, pixels, tag managers, software development kits (SDKs), analytics tools, and similar technologies regarding how you access and use the Site, emails, and apps.

• Inquiry Data: information you provide when you contact ATA through email, customer support tools, web forms, telephone, or social media, as well as records of communications and information shared when participating in surveys, sweepstakes, contests, webinars, conferences, trade shows, or other events.

• Usage Data: information about how you use the Site and the Services, including frequency and patterns of use, navigation paths, feature interactions, interactions with marketing content (such as email opens and clicks), and activity recorded by analytics tools such as Google Analytics, Bloomreach, Salesforce Marketing Cloud, or similar technologies.

• Marketing and Communications Data: your preferences regarding receiving newsletters or marketing communications, your opt-in and opt-out choices, segmentation or interest categories, and engagement data relating to marketing or promotional campaigns.

• Financial Data: billing or payment-related information collected only in limited circumstances, such as event registrations or other administrative matters related to ATA’s business operations. ATA does not otherwise collect or process consumer payment card information in connection with tourism bookings or travel services. ATA does not process payments for third-party travel bookings or accommodations and does not act as a payment processor for tourism services.

• Profile Data: your MyAruba username, saved preferences, selected interests, saved itineraries, favorite locations, trip planning information, and other profile settings you configure within your MyAruba account.

ATA also processes non-identifiable information, including information that has been aggregated, anonymized, or otherwise processed so that it cannot reasonably be used to identify an individual. Non-identifiable information may be derived from Personal Data; however, where such information cannot be linked back to an identifiable person, it is not considered Personal Data under Applicable Data Protection Laws.

If non-identifiable information is combined with Personal Data in a manner that could identify an individual, ATA will treat the combined information as Personal Data and process it in accordance with this Policy.

4. Data Belonging to Minors

Our Services are not intended for individuals under the age of eighteen (18). ATA does not knowingly or intentionally collect Personal Data relating to individuals below that age (collectively, “Minors”), except where such Personal Data is provided by, and with the consent of, a parent or legal guardian.

The limited circumstances in which ATA may receive Personal Data relating to Minors include situations where a Minor submits a question through our Site and voluntarily identifies their age. In such cases, ATA may use the provided email address solely to respond once to the inquiry.

ATA does not knowingly use Minor’s email address to re-contact them and deletes such information after responding. If ATA becomes aware that Personal Data relating to a Minor has been collected without the required parental or guardian consent, ATA will take reasonable steps to delete such Personal Data in accordance with Applicable Data Protection Laws.

5. How We Collect Your Information

ATA uses a variety of methods to collect Personal Data from and about you, including through the following sources:

5.1. Direct Interactions

ATA collects Personal Data that you voluntarily provide when you:

• create a MyAruba profile;

• subscribe to newsletters or marketing communications;

• complete forms, surveys, sweepstakes, or similar promotions;

• register for events, webinars, or conferences;

• communicate with ATA by email, telephone, or through social media platforms; or

• participate in campaigns, contests, or travel-planning tools made available through the Site or the Services.

5.2. Automated technologies and interactions

As you interact with the Site, the MyAruba App, or ATA’s marketing communications, ATA may automatically collect technical data and usage data about your device, browsing actions, and interaction patterns. This information is collected through cookies, pixels, tag managers, server logs, software development kits (SDKs), and similar technologies. These tools may include analytics and marketing technologies such as Google Analytics, Google Tag Manager, Bloomreach, Salesforce Marketing Cloud, and similar providers.

Automatically collected information may include, without limitation:

• IP address, device identifiers, and browser information;

• time zone and approximate location;

• browsing behavior, page interactions, clicks, scrolls, or app usage;

• email engagement data (including opens, clicks, and preference settings); and

• MyAruba App activity, saved content, and selected interests.

5.3. Data from Third Parties or Public Sources

Where ATA receives Personal Data from third parties, ATA processes such data in accordance with this Policy and the purposes for which it was originally collected. ATA may receive Personal Data about you from the following categories of third parties and sources:

• Marketing and Analytics Partners: Marketing and analytics partners, including Meta (Custom Audiences), Google Customer Match, LinkedIn, TikTok, Pinterest, Sojern, and other advertising or audience measurement partners. These third-party partners process Personal Data in accordance with their own privacy policies and applicable data protection agreements. When you interact with ATA through these platforms, both ATA's Policy and the third party's privacy policy may apply.

• Service Providers: Service providers acting on ATA’s behalf, including: (a) email marketing and customer relationship management platforms (such as Salesforce Marketing Cloud and Bloomreach Engagement); (b) customer support tools (such as Zoho Desk); (c) event registration, survey, or form-building tools (such as JotForm, Typeform, Google Forms, and Monday.com forms); or (d) travel-planning or destination tools (such as VisitWidget).

• Social Media Platforms: Social media platforms, when you: (a) interact with ATA social media pages or accounts; (b) respond to campaigns, promotions, or user-generated content requests; or (c) voluntarily provide your social media handle, content, or other information to ATA.

• Business Partners and Tourism Industry Contacts: Business partners and tourism industry contacts, including: (a) travel agents, tour operators, or trade partners who submit business inquiries or collaborate with ATA; and (b) media representatives, influencers, or partners who provide contact details in the course of cooperation or collaboration.

• Public Sources: Public sources that you voluntarily make accessible to ATA, such as when you publicly tag, mention, or interact with ATA on social media or other public platforms. ATA does not collect Personal Data from public sources through scraping or automated harvesting.

6. Purpose and Legal Basis of Data Processing

ATA processes Personal Data only for specified, explicit, and legitimate purposes, and does so in accordance with Applicable Data Protection Laws. ATA may use Personal Data you provide to us, or that we otherwise collect, for the purposes described below.

ATA relies on one or more of the following legal bases when processing Personal Data, as permitted under Applicable Data Protection Laws:

• Contract: where processing is necessary to enter into or perform a contract with you.

• Legitimate Interests: where processing is necessary for ATA’s legitimate interests in operating, maintaining, improving, and promoting the Site and the Services, provided such interests are not overridden by your rights and freedoms.

• Consent: where you have provided your consent.

• Legal Obligation: where processing is necessary to comply with applicable laws.

ATA may rely on more than one legal basis for the same processing activity, depending on the context. You may contact ATA using the details provided in this Policy for further information about the legal basis applicable to a particular processing activity. The table below describes the primary purposes for which ATA processes Personal Data, the categories of Personal Data involved, and the legal bases relied upon for each purpose, including, where applicable, a description of ATA’s legitimate interests. Additional country-or region-specific legal bases or limitations may apply as set out in the Regional Annexes.

Purpose / Activity	Categories of Data	Legal Basis
MyAruba profile creation and itinerary planning	Identity Data Profile Data Travel and Visit Data	Contract; Legitimate Interests (platform operation and improvement); Consent
Forums or bulletin boards (user posts)	Identity Data Profile Data Usage Data	Consent
Newsletters and marketing communications	Identity Data Contact Data Marketing/Communications Data	Consent (where required); Legitimate Interests (where soft opt-in is permitted)
Surveys, sweepstakes, contests, and focus groups	Identity Data Contact Data	Consent
Customer support	Identity Data Contact Data Inquiry Data	Legitimate Interests (responding to user-initiated requests)
On-island visitor support	Identity Data Contact Data Inquiry Data	Legitimate Interests (visitor safety and tourism support)
Business and trade communications	Identity Data Contact Data	Contract (where applicable); Legitimate Interests (professional relationship management)
Analytics and Site/App improvement	Technical Data Usage Data	Legitimate Interests (understanding usage and improving functionality)
Marketing audience creation	Contact Data Marketing/Communications Data Usage Data	Consent
Event and webinar administration	Identity Data Contact Data Financial Data	Contract; Legitimate Interests (event administration)
Security, fraud prevention, and system integrity	Technical Data Usage Data	Legitimate Interests; Legal Obligation (where applicable)

 

6.1 How to Withdraw Consent

Where ATA processes Personal Data based on your consent, you may withdraw that consent at any time using the following methods:

Marketing emails: Click "unsubscribe" at the bottom of any marketing email or update preferences in your MyAruba account

Cookies and tracking: Use the cookie preference center accessible via the banner or footer link, or configure your browser settings as described in Section 14.7

MyAruba account: Delete your account via account settings or contact DPO@aruba.com

General consent withdrawal: Contact ATA using the details in Section 15

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

7. Data Retention

ATA retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as otherwise permitted or required under Applicable Data Protection Laws.

Subject to this section, ATA generally retains Personal Data for a maximum period of thirty-six (36) months from the date of the individual’s last interaction with the Site or the Services, unless the Personal Data is updated, deleted, or consent is withdrawn earlier, where applicable. Certain categories of Personal Data may be retained for shorter or longer periods where required by law or justified by the purpose of processing. Where specific retention periods cannot be determined in advance, ATA determines the appropriate retention period by reference to the purpose of processing, the nature and sensitivity of the Personal Data, the necessity of continued retention, and applicable legal or regulatory requirements. ATA may retain Personal Data beyond the standard retention period where necessary to comply with legal obligations, respond to lawful requests from authorities, or to establish, exercise, or defend legal claims.

For information on the retention of cookies, pixels, and other online identifiers, please refer to Annex I (Overview of Cookies on the Site).

8. Security of Personal Data

ATA handles Personal Data with care and confidentiality and implements appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, loss, misuse, alteration, or disclosure. ATA maintains procedures to assess and respond to personal data security incidents in accordance with Applicable Data Protection Laws.

ATA uses industry-standard security practices and works with reputable service providers, such as cloud hosting, customer relationship management, and analytics platforms that apply safeguards including, where appropriate, encryption in transit, access controls, authentication measures, and audit logging. Access to Personal Data is limited to personnel and service providers who require such access for legitimate business purposes and who are subject to confidentiality obligations.

While ATA takes reasonable steps to protect Personal Data, no method of transmission over the internet or method of electronic storage is completely secure. Accordingly, ATA cannot guarantee absolute security of Personal Data.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, ATA will notify affected individuals without undue delay as required by Applicable Data Protection Laws, unless the personal data has been rendered unintelligible through encryption or other protective measures. Where required by law, ATA will also notify competent supervisory authorities.

9. Sharing Your Personal Data

ATA may prepare anonymous, aggregated, or de-identified information (including generic statistics) for the purposes described in this Policy. Because individuals cannot reasonably be identified from such information, ATA may share it with third parties, such as industry stakeholders, advertisers, media organizations, or the general public, for reporting, research, statistical, or promotional purposes. No Personal Data is shared in these circumstances.

ATA uses third-party service providers to support the operation of the Site and the Services, including email delivery platforms, analytics tools, customer support systems, cloud hosting providers, and other IT or operational service providers. These service providers process Personal Data solely on ATA’s behalf, in accordance with ATA’s instructions, and are subject to contractual obligations designed to meet the requirements of Applicable Data Protection Laws. A current list of ATA’s authorized service providers and other third-party recipients is provided in Annex II and may be updated from time to time as ATA engages new providers or discontinues existing relationships.

ATA may disclose Personal Data where required to comply with applicable laws, regulations, or legal processes, or in response to valid and lawful requests from public authorities (such as law enforcement agencies), and only to the extent permitted under Applicable Data Protection Laws.

10. International Transfer of Personal Data

Because ATA uses global service providers and digital platforms to operate the Site, the MyAruba App, and related marketing and operational technologies, ATA may transfer Personal Data (including through storage, hosting, transmission, or remote access) to countries outside the European Economic Area (“EEA”) or the United Kingdom (“UK”). These countries may have data protection laws that differ from those in the EEA or the UK and, in some cases, may not provide the same level of protection.

10.1. Categories of International Transfers

ATA may transfer Personal Data to recipients located outside the EEA or the UK, including:

• technology, analytics, and marketing service providers (such as email delivery, analytics, and customer support tools);

• cloud hosting and IT infrastructure providers; and

• regional tourism partners or representatives supporting ATA’s marketing and promotional activities, where relevant.

10.2. Transfers Subject to the GDPR

Where the GDPR applies, ATA will transfer Personal Data outside the EEA only where an appropriate level of protection is ensured in accordance with Chapter V of the GDPR, including where one or more of the following conditions are met:

• the recipient is located in a country or territory subject to an adequacy decision adopted by the European Commission under Article 45 GDPR (for example, transfers to the United States under the EU–U.S. Data Privacy Framework, where applicable);

• ATA has implemented Standard Contractual Clauses approved under Article 46 GDPR, together with any supplementary measures required to ensure an essentially equivalent level of protection;

• other appropriate safeguards recognized under Chapter V GDPR are in place, ensuring enforceable rights and effective legal remedies for data subjects; or

• a specific derogation under Article 49 GDPR applies, such as where the transfer is necessary for the performance of a contract or based on explicit consent.

10.3. Transfers Subject to the UK GDPR

Where the UK GDPR applies, ATA will transfer Personal Data outside the UK only where:

• an adequacy regulation has been issued by the UK Government under Article 45 UK GDPR;

• appropriate safeguards under Article 46 UK GDPR are in place, including the UK Addendum to the EU Standard Contractual Clauses or the International Data Transfer Agreement (IDTA); or

• a permitted derogation under Article 49 UK GDPR applies.

10.4. Other Jurisdictions

Additional information regarding international transfers and safeguards applicable to other jurisdictions, including countries outside the EEA and the UK, is set out in the Regional Annexes to this Policy.

10.5. Transfer Risk Assessments

Where required by Applicable Data Protection Laws, ATA conducts transfer risk assessments or transfer impact assessments and implements additional technical or organizational measures to ensure that Personal Data remains protected when stored or accessed outside the EEA or the UK.

10.5.1. Primary Transfer Mechanisms by Service Provider Category

The following table indicates the primary transfer mechanisms relied upon for key service provider categories:

Service Provider	Location	Transfer Mechanism
Google Analytics, Google Tag Manager	United States	EU-U.S. Data Privacy Framework + SCCs
Meta (Facebook) Custom Audiences*	United States	EU-U.S. Data Privacy Framework + SCCs
Salesforce Marketing Cloud	United States	EU-U.S. Data Privacy Framework + SCCs
Bloomreach Engagement	United States	SCCs + Supplementary Measures
Zoho Desk	United States/India	SCCs + Supplementary Measures

* Meta Custom Audiences and potentially lookalike audiences use email and web activity to help group with consumers that have similar interests.

A complete list of service providers and applicable safeguards is available upon request by contacting DPO@aruba.com.

11. Sale of Your Personal Information

ATA does not sell Personal Information for monetary consideration.

However, where applicable, certain activities described in this Policy may be considered a “sale” or “sharing” of Personal Data (or “Personal Information”) under certain U.S. state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), even where no money is exchanged. This is because ATA may disclose Personal Information to third parties for advertising, analytics, or audience measurement purposes and receive non-monetary benefits in return, such as discounted services, enhanced functionality, or access to analytics or advertising tools (for example, analytics services provided by Google or audience creation tools provided by Meta).

Where such activities are considered a “sale” or “sharing” of Personal Data under applicable state privacy laws, individuals may have the right to opt out of those activities.

Please refer to the applicable State-Specific privacy notices for additional information about your rights under state privacy laws, including when those laws apply and how to exercise any rights to opt out of the sale or sharing of Personal Data.

12. Rights in Relation to Personal Data

Subject to Applicable Data Protection Laws, you have certain rights in relation to your Personal Data. ATA acts as a data controller in respect of such Personal Data and will comply with applicable rights as required by law. If you have any questions, concerns, or complaints regarding ATA’s use of your Personal Data, please contact us using the details set out in Section 15.

ATA will respond to requests to exercise your rights without undue delay and, in any event, within one month of receipt of the request. This period may be extended by up to two additional months where necessary, taking into account the complexity and number of requests. If an extension is required, ATA will inform you within one month of receipt of the request and explain the reasons for the delay.

Certain rights described in this section may vary depending on your jurisdiction. Additional jurisdiction-specific rights, disclosures, and limitations are set out in the Regional Annexes (Annexes A through G),, which form an integral part of this Policy.

Your principal rights under Applicable Data Protection Laws may include the following:

• Right to be informed: You have the right to receive clear, transparent, and easily understandable information about how ATA collects and uses your Personal Data and about your rights. This Policy is intended to provide such information.

• Right of access: You have the right to request confirmation of whether ATA processes your Personal Data and, where it does, to access that data and receive information about how it is used. Where the rights and freedoms of others are not adversely affected, ATA will provide a copy of your Personal Data. The first copy will be provided free of charge; reasonable fees may apply for additional copies.

• Right to rectification: You have the right to request correction of inaccurate Personal Data or completion of incomplete Personal Data that ATA holds about you.

• Right to erasure: You have the right to request deletion of your Personal Data in certain circumstances, including where the Personal Data is no longer necessary for the purposes for which it was collected, where you withdraw consent (where processing is based on consent), or where the Personal Data has been unlawfully processed. ATA may retain Personal Data where required by law or where necessary to establish, exercise, or defend legal claims.

• Right to restriction of processing: You have the right to request restriction of processing of your Personal Data in specific circumstances, such as where you contest the accuracy of the data or where processing is unlawful but you oppose deletion. Where processing is restricted, ATA may continue to store the Personal Data but will process it only with your consent or as otherwise permitted by law.

• Right to object: You have the right to object at any time to processing of your Personal Data that is based on ATA’s legitimate interests. ATA will cease such processing unless it can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defense of legal claims.

• Right to data portability: Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to request that ATA transmit that data to another controller, where technically feasible.

• Right to lodge a complaint with a supervisory authority: If you believe that ATA has not processed your Personal Data in accordance with Applicable Data Protection Laws, you may contact ATA in the first instance using the details set out in Section 15. You also have the right to lodge a complaint with a competent supervisory authority in your place of residence, work, or where the alleged infringement occurred. For individuals located in the EEA, the competent supervisory authority is typically the authority in the country of residence or habitual place of work.

• Right to withdraw consent: Where ATA relies on your consent to process Personal Data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

13. Third Party Websites

The Site may contain links to third-party websites, plug-ins, or applications. Clicking on those links or enabling such connections may allow third parties to collect or share information about you. ATA does not control, and is not responsible for, the privacy practices or content of those third-party websites, plug-ins, or applications.

When you leave the Site or access a third-party website, plug-in, or application, ATA encourages you to review the applicable privacy notice or policy of that third party before providing any Personal Data.

14. Cookies and Similar Technologies

ATA uses cookies and similar technologies to operate, secure, and improve the Site and Services, to understand how visitors interact with our digital properties, and, where permitted by law, to personalize content and marketing. Additional details regarding specific cookies and similar technologies used on the Site are provided in Annex I.

14.1. What Are Cookies?

A cookie is a small text file that is placed on your device when you visit a website. Cookies are commonly used to ensure websites function properly, to improve efficiency, and to provide information to website operators.

Where required by law, ATA will request your consent before placing certain cookies on your device. You may also manage or delete cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Site.

14.2. How Do Cookies Work?

When you visit the Site, certain information may be automatically recorded in log files, including IP addresses, browser type, operating system, referring URLs, pages visited, and the dates and times of visits. This information is used on an aggregated or anonymized basis for statistical purposes, security, and to improve the performance and functionality of the Site.

Cookies allow ATA to recognize your browser and remember certain information, such as your preferences or settings. This helps avoid the need to repeatedly enter information and enables ATA to improve the usability and performance of the Site.

Where permitted by law and subject to your preferences, cookies and similar technologies may also be used to understand visitor behavior, measure the effectiveness of content and campaigns, and display more relevant advertising across websites.

If you log into your MyAruba account or access the Site via a link in an ATA email, ATA may associate your activity on the Site with your account, in accordance with this Policy and your consent preferences.

14.3. Who Places Cookies?

Cookies on the Site may be placed by:

• First-party cookies, which are set directly by ATA; and

• Third-party cookies, which are set by service providers or partners through the Site (for example, analytics, advertising, or social media providers).

In certain regions, including the European Union and the UK, ATA provides cookie management tools that allow you to control which categories of cookies are placed on your device.

14.4. Personal Data Collected Through Cookies

ATA does not store Personal Data directly in cookies. However, some cookies may collect information that may be considered Personal Data when combined with other information (such as an IP address or unique identifier).

For example, cookies used for personalization may be associated with your account information after you register or log in. This information may be used to personalize content, improve the Site in real time, or conduct limited data analysis, in accordance with applicable data protection laws and your consent choices.

14.5. Types of Cookies

• Functional Cookies: Functional cookies are necessary for the Site to operate correctly. They enable core features such as page navigation, secure access, and remembering your preferences. These cookies do not require consent under applicable law, but you may disable them through your browser settings. Please note that doing so may affect Site functionality.

• Analytical Cookies: Analytical cookies help ATA understand how visitors interact with the Site, such as which pages are visited most often, how long users remain on pages, and how visitors arrive at the Site. This information allows ATA to improve website experience. Where analytical cookies involve third-party tools or may impact privacy (for example, Google Analytics), ATA will request your consent where required by law.

• Tracking and Advertising Cookies: Tracking or advertising cookies collect information about your browsing behavior to help display personalized advertisements and content that may be relevant to you. These cookies may be placed by ATA or third-party advertising partners. ATA will request your consent before placing tracking or advertising cookies where required by applicable law.

• Social Media Plug-in Cookies: Social media plug-ins (for example, Meta or Pinterest) may place cookies when their content is embedded on the Site or when you interact with such content. These cookies may allow social media platforms to track your interactions in accordance with their own privacy policies. ATA will request your consent for these cookies where required by law.

14.6. Retention of Cookies

Cookies remain on your device for the duration specified for each cookie. Details regarding cookie retention periods are provided in Annex I, which lists the cookies and similar technologies used on the Site, their purposes, and their expiration periods.

14.7. Managing Cookies and Withdrawing Consent

Where available, ATA provides cookie preference controls that allow you to manage or withdraw your consent for non-essential cookies. These controls may be displayed based on your geographic location.

You may also manage cookies through your browser settings, including deleting existing cookies or blocking future cookies. Please note that restricting cookies may affect certain features of the Site, including access to your MyAruba account. If you are logged out as a result, you may reset your password using the MyAruba login page.

14.8. Profiles and Personalization

ATA may combine information collected through cookies, log files, clear gifs, or third-party sources to better understand user preferences and improve the content and functionality of the Site. Where permitted by law and subject to your consent, this information may be used to deliver tailored content, promotions, or marketing communications.

 ATA may use automated tools to analyze your interactions with the Site and Services to understand your preferences and deliver more relevant content and marketing communications (for example, showing destination content that matches your expressed interests). This processing does not produce legal effects concerning you or similarly significantly affect you within the meaning of GDPR Article 22 or equivalent provisions. You may object to this processing or opt out of marketing communications at any time using the methods described in Section 6.1. In jurisdictions where such activities may be considered "profiling in furtherance of decisions that produce legal or similarly significant effects" (such as certain U.S. states), ATA will honor opt-out requests as described in the applicable Regional Annex.

15. How to Contact Us

If you have any questions, concerns, or requests in connection with this Policy or ATA’s processing of Personal Data, you may contact ATA using the details below.

Aruba Tourism Authority
L.G. Smith Boulevard 8
P.O. Box 1019
Oranjestad, Aruba

Telephone: (+297) 582-3777
Email (General Inquiries / Customer Support): support@aruba.com 
Data Protection Officer (DPO): DPO@aruba.com

 

Annex I: Overview of Cookies on the Site

Vendor / Domain	Language	Pixel/Cookie name	Purpose	Expiration Date
www.aruba.com	ALL	ATA.gdpr.analytics	Remember Consent for Analytics	180 days
www.aruba.com	ALL	ATA.gdpr.location	Remember your country	During session
www.aruba.com	ALL	ATA.gdpr.personalization	Remember Personalization Consent	180 days
www.aruba.com	ALL	ATA.gdpr.popup	Determine Cookie Banner Visibility	180 days
www.aruba.com	ALL	ATA.gdpr.tracking	Remember Advertisement Consent	180 days
www.aruba.com	ALL	ATA.lang	Remember Last Language Site You Visited	5 years
Google / .aruba.com	ALL	_dc_gtm_UA-....	Remember Associated Google Analytics Property ID and DoubleClick	1 day
Google / .aruba.com	ALL	_ga	ID number of Google Analytics on aruba.com	2 years
Google / .aruba.com	ALL	_gid	Unique ID for every page visit	2 days
Bloomreach / www.aruba.com	ALL	_visitor	ID number for Personalization	2 years
Bloomreach / .aruba.com	ALL	__exponea_etc__	Customer’s Bloomreach Engagement generated client-side cookie	7 days - 3 years
Bloomreach / api.us1.exponea.com	ALL	xnpe_[project-token]	Customer’s Bloomreach Engagement generated server-side cookie	3 years
Bloomreach / .aruba.com	ALL	__exponea_time2__	Timestamp offset between browser and server time	60 minutes
Bloomreach / .aruba.com	ALL	__exponea_ab_[ABTestName]__	Variant name returned for an A/B test	7 days - 3 years
Taboola	US	USIM - Taboola - Video - All Bookings and Downloads	Track Booking Intent and Downloads	During session
Taboola	US	USIM - Taboola - Retargeting	Retargeting Advertisement	During session
Taboola	US	USIM - Taboola - Outbound Links	Track Outbound Link Clicks	During session
Taboola	US	USIM - Taboola - Downloads	Track Downloads	During session
Taboola	US	USIM - Taboola - All Bookings	Track Booking Intent	During session
Quantum11	US	USIM - Quantum11 - Retargeting - Hyperfocus	Retargeting Advertisement	During session
Quantum11	US	USIM - Quantum11 - Outbound Links	Track Outbound Link Clicks	During session
Quantum11	US	USIM - Quantum11 - Downloads	Track Downloads	During session
Quantum11	US	USIM - Quantum11 - All Bookings	Track Booking Intent	During session
Quantcast	US	USIM - Quantcast - All Pages	Audience Measurement	During session
Pixability	US	USIM - Pixability 2018 - Retargeting - All Pages	Retargeting Advertisement	During session
Pixability	US	USIM - Pixability 2018 - Outbound Links	Track Outbound Link Clicks	During session
Pixability	US	USIM - Pixability 2018 - Downloads	Track Downloads	During session
Pixability	US	USIM - Pixability 2018 - All Bookings	Track Booking Intent	During session
Liquid Audience	US	USIM - Liquid Audience - Outbound Links	Track Outbound Link Clicks	During session
Liquid Audience	US	USIM - Liquid Audience - Facebook - All Pages	Retargeting Advertisement	During session
Liquid Audience	US	USIM - Liquid Audience - Downloads	Track Downloads	During session
Liquid Audience	US	USIM - Liquid Audience - All Bookings	Track Booking Intent	During session
Adara	US	USIM - Adara Impact - All Pages	Audience Measurement	During session

 

Annex II: Overview of Third Parties and Recipients of Data

Type of data	Party	Category	Opt-out Mechanism
Personal	Immigration Department Aruba, Government of Aruba	Government or law enforcement	Not applicable
Personal	fame creative lab (Germany), NBTC Holland Marketing (Sweden), BeauVue Marketing (United Kingdom), Global Tourist Consulting (Italy).	ATA representation offices	dpo@aruba.com
Personal	Ansira Partners LLC, Sigma International Consulting Ltd.	Email processors	dpo@aruba.com
Personal	LogMeIn, Inc.	Customer support	dpo@aruba.com
Non-identifiable	USIM, MullenLowe Profero, Dept	Media agencies and advertising partners	Aruba.com cookie policy controls (not available in all countries) http://optout.aboutads.info/ http://optout.networkadvertising.org/ http://www.adsrvr.org/
Personal	Meta Platforms, Inc., Twitter Inc., Pinterest Inc.	Social media	Aruba.com cookie policy controls (not available in all countries)
Non-identifiable	Google Inc., Adara	Data analytics	Aruba.com cookie policy controls (not available in all countries) https://adara.com/opt-out/ https://tools.google.com/dlpage/gaoptout

 

Regional Annexes to Privacy Policy

1. Regional Annex A – European Union and European Economic Area

2. Regional Annex B – United Kingdom

3. Regional Annex C – Brazil

4. Regional Annex D – Canada

5. Regional Annex E Part I – United States (Federal)

6. Regional Annex E Part II – California

7. Regional Annex F – Switzerland

8. Regional Annex G – Latin America

 

The Regional Annexes form a part of the Aruba Tourism Authority Global Privacy Policy and should be read in conjunction with the main policy. All capitalized words used but not defined in the Regional Annexes shall have the definitions set forth in the main policy.

Annex A - Supplementary Privacy Notice for Residents of the European Union and the European Economic Area

This Annex supplements and forms part of the Privacy Policy (the "Policy") and applies only to the extent required by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and, where applicable, national or equivalent data protection laws in the European Union (“EU”) or the European Economic Area (“EEA”). For clarity, this Annex covers ATA’s European operations, including (without limitation) the Netherlands, Belgium, Italy, Germany, and the Nordic EU Member States. This Annex applies to both individual users (tourists and website visitors) and business users (travel agents, tour operators, and business partners) where ATA processes their Personal Data as a data controller. ATA may update this Annex from time to time. When updates are made, the “Last Updated” date listed below will be revised and, where appropriate, additional notice will be provided.

1. Scope

Where the GDPR already applies directly to ATA’s processing of Personal Data under the Policy, this Annex does not replace or restate those provisions. Instead, it provides EU, EEA- and country-specific clarifications required by local law, supervisory authority practice, or transparency expectations. Where there is any conflict between this Annex and the Policy, the GDPR or applicable local law prevails. This Annex applies where ATA acts as a data controller and such processing is subject to the GDPR or equivalent local law, regardless of whether the data subject is a consumer or a business representative.

In addition to the GDPR, the following country-specific laws may apply, where relevant:

• Germany: Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG)

• Italy: Legislative Decree No. 196/2003 (Italian Data Protection Code), as amended

• Belgium: Act of 30 July 2018 on the protection of natural persons with regard to processing of personal data

• Netherlands: GDPR Implementation Act (Uitvoeringswet AVG)

• Nordic countries: National data protection acts implementing the GDPR (or, for Norway, the Personal Data Act)

This Annex does not apply to processing carried out by ATA in a data processor capacity, which is governed by the applicable controller’s privacy notice and contractual arrangements, as described in Section 2 of the Policy.

2. Categories, Purposes, Sources, and Sharing of Personal Data

2.1. Categories of Personal Data

The categories of Personal Data processed by ATA, the purposes of processing, the sources of such data, and the categories of recipients are described in Sections 3, 5, 6, and 9 of the Policy, together with Annex II. No additional categories of Personal Data are collected solely as a result of this Annex.

Certain European supervisory authorities, including those in Germany, the Netherlands, Italy, and the Nordic countries, place particular emphasis on transparency, data minimization, and proportionality, especially in relation to analytics, personalization, marketing technologies, and cross-border data transfers. ATA has taken these expectations into account in structuring the disclosures in the Policy.

2.2. Legal Bases for Processing Personal Data

ATA processes Personal Data of individuals located in the EU and EEA on the legal bases described in Section 6 of the Policy, including:

• performance of a contract or steps taken at the request of the individual prior to entering into a contract;

• ATA’s legitimate interests, provided such interests are not overridden by the rights and freedoms of the individual;

• consent, where required under applicable law; and

• compliance with legal obligations.

Where processing is based on legitimate interests, ATA has assessed whether such interests are balanced against the rights and freedoms of affected individuals, in accordance with the GDPR and applicable national law.

3. Your Rights

Individuals located in the EU and EEA have the rights described in Section 12 of the Policy, including rights of access, rectification, erasure, restriction, objection, data portability, and the right to withdraw consent, subject to applicable limitations and exceptions under law.

Certain national laws may permit restrictions on these rights in limited circumstances, such as where disclosure would adversely affect the rights of others, reveal confidential business information, or interfere with legal obligations, as permitted under the GDPR or applicable national law.

ATA does not engage in automated decision-making, including profiling, that produces legal or similarly significant effects within the meaning of Article 22 GDPR.

4. How to Exercise Your Rights and Opt-Out Choices

Requests to exercise data subject rights may be submitted using the contact details set out in Section 15 of the Policy.

Individuals located in the EU or EEA may also lodge a complaint with a competent supervisory authority, typically the authority in the Member State of their habitual residence, place of work, or place of the alleged infringement.

ATA encourages individuals to contact it first so that concerns may be addressed directly where possible.

5. International Transfers

Information regarding international transfers of Personal Data, including transfers outside the EU or EEA, is set out in Section 10 of the Policy.

Where required, ATA relies on appropriate safeguards, such as adequacy decisions, Standard Contractual Clauses, and supplementary technical or organizational measures, to ensure an essentially equivalent level of protection.

6. Country-Specific Regulatory Considerations

Without limiting the general application of the GDPR or applicable European law:

• Germany applies heightened scrutiny to cookies, tracking technologies, and marketing consent.

• Italy emphasizes transparency and safeguards in marketing and profiling activities.

• Belgium places particular focus on accountability and documentation.

• Netherlands expects clear justification where processing relies on legitimate interests.

• Nordic authorities emphasize fairness, proportionality, and timely handling of rights requests.

7. Data Protection Officer

ATA has designated a Data Protection Officer (“DPO”). Contact details are provided in Section 15 of the Policy.

Last updated: December 14, 2025

 

Annex B - Supplementary Privacy Notice for Residents of the United Kingdom

This Annex supplements and forms part of the Privacy Policy (the "Policy") and applies only to the extent required by the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. This Annex applies to both individual users (tourists and website visitors) and business users (travel agents, tour operators, and business partners) where ATA processes their Personal Data as a data controller. ATA may update this Annex from time to time. When updates are made, the “Last Updated” date listed below will be revised and, where appropriate, additional notice will be provided.

1. Scope

Where the UK GDPR already applies directly to ATA’s processing of Personal Data under the Policy, this Annex does not replace or restate those provisions. Instead, it provides UK-specific clarifications required by applicable law, regulatory guidance, or transparency expectations. In the event of any conflict between this Annex and the Policy, the UK GDPR or applicable UK law prevails.

This Annex applies to the processing of Personal Data of individuals located in the United Kingdom where ATA acts as a data controller and such processing is subject to the UK GDPR, regardless of whether the data subject is an individual consumer or a business representative (B2B).

This Annex does not apply to processing carried out by ATA in a data processor capacity, which is governed by the applicable controller’s privacy notice and contractual arrangements, as described in Section 2 of the Policy.

2. Categories, Purposes, Sources, and Sharing of Personal Data

2.1. Categories of Personal Data

The categories of Personal Data processed by ATA, the purposes of processing, the sources of such data, and the categories of recipients are described in Sections 3, 5, 6, and 9 of the Policy, together with Annex II. No additional categories of Personal Data are collected solely as a result of this Annex.

UK regulatory guidance places particular emphasis on transparency around analytics, marketing technologies, cookie use, and cross-border data transfers, which ATA has taken into account in structuring the disclosures in the Policy.

2.2. Legal Bases for Processing Personal Data

ATA processes Personal Data of individuals located in the UK on the legal bases described in Section 6 of the Policy, including:

• performance of a contract or steps taken at the request of the individual prior to entering into a contract;

• ATA’s legitimate interests, provided such interests are not overridden by the rights and freedoms of the individual;

• consent, where required under UK law; and

• compliance with legal obligations.

Where processing is based on legitimate interests, ATA has assessed whether such interests are balanced against the rights and freedoms of affected individuals, in accordance with the UK GDPR.

3. Your Rights

Individuals located in the UK have the rights described in Section 12 of the Policy, including rights of access, rectification, erasure, restriction, objection, data portability, and the right to withdraw consent, subject to applicable limitations and exceptions under law.

ATA does not engage in automated decision-making, including profiling, that produces legal or similarly significant effects within the meaning of Article 22 UK GDPR.

4. How to Exercise Your Rights and Opt-Out Choices

Requests to exercise data subject rights may be submitted using the contact details set out in Section 15 of the Policy.

Individuals located in the UK also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

ATA encourages individuals to contact it first so that concerns may be addressed directly where possible.

5. International Transfers

Information regarding international transfers of Personal Data, including transfers outside the United Kingdom, is set out in Section 10 of the Policy.

Where required, ATA relies on appropriate safeguards under UK law, such as UK adequacy regulations, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with supplementary technical or organizational measures where appropriate.

6. Data Protection Officer

ATA has designated a Data Protection Officer (“DPO”). Contact details are provided in Section 15 of the Policy.

Last updated: December 14, 2025

 

Annex C - Supplementary Privacy Notice for Residents of Brazil

This Annex supplements and forms part of the Privacy Policy (the "Policy") and applies only to the extent required by Brazil’s Lei Geral de Proteção de Dados (Law No. 13,709/2018 – “LGPD”). This Annex applies to both individual users (tourists and website visitors) and business users (travel agents, tour operators, and business partners) where ATA processes their Personal Data as a data controller. ATA may update this Annex from time to time. When updates are made, the “Last Updated” date listed below will be revised and, where appropriate, additional notice will be provided.

1. Scope

Where the LGPD already applies directly to ATA’s processing of Personal Data under the Policy, this Annex does not replace or restate those provisions. Instead, it provides Brazil-specific clarifications required by the LGPD, guidance issued by the Brazilian National Data Protection Authority (“ANPD”), or transparency expectations under Brazilian law. In the event of any conflict between this Annex and the Policy, the LGPD or applicable Brazilian law prevails.

This Annex applies to the processing of Personal Data of individuals located in Brazil, where ATA acts as a data controller and such processing, regardless of whether the data subject is a consumer or a business representative:

• occurs in Brazil;

• relates to the offering or provision of goods or services to individuals located in Brazil; or

• involves the processing of Personal Data collected in Brazil,

in each case within the meaning of the LGPD.

This Annex does not apply to processing carried out by ATA in a data processor (operador) capacity on behalf of another controller, which is governed by the applicable controller’s privacy notice and contractual arrangements, as described in Section 2 of the Policy.

2. Categories, Purposes, Sources, and Sharing of Personal Data

2.1. Categories of Personal Data

The categories of Personal Data processed by ATA, the purposes of processing, the sources of such data, and the categories of recipients are described in Sections 3, 5, 6, and 9 of the Policy, together with Annex II. No additional categories of Personal Data are collected solely as a result of this Annex.

Brazilian data protection authorities place particular emphasis on purpose limitation, transparency, necessity, and proportionality, especially in relation to marketing activities, analytics technologies, and international data transfers. ATA has taken these principles into account in structuring the disclosures in the Policy.

2.2. Legal Bases for Processing Personal Data

ATA processes Personal Data of individuals located in Brazil on one or more of the legal bases described in Section 6 of the Policy, as recognized under the LGPD, including:

• the consent of the data subject;

• compliance with a legal or regulatory obligation;

• performance of a contract or preliminary procedures related to a contract requested by the data subject;

• the legitimate interests of ATA or a third party, provided such interests do not override the fundamental rights and freedoms of the data subject; and

• other legal bases permitted under Article 7 of the LGPD.

Where processing is based on legitimate interests, ATA has assessed the necessity of such processing and its impact on the rights of data subjects, as required under Brazilian law.

3. Your Rights

Individuals located in Brazil have the rights described in Section 12 of the Policy, as supplemented by the LGPD, including the right to:

• confirmation of the existence of processing;

• access to Personal Data;

• correction of incomplete, inaccurate, or outdated data;

• anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in violation of the LGPD;

• portability of data, subject to regulation by the ANPD;

• deletion of Personal Data processed on the basis of consent, subject to legal exceptions;

• information about public and private entities with which ATA has shared data;

• information about the possibility of denying consent and the consequences of such denial; and

• revocation of consent, where applicable.

ATA does not engage in automated decision-making that produces legal or similarly significant effects within the meaning of the LGPD.

4. How to Exercise Your Rights and Opt-Out Choices

Requests to exercise data subject rights may be submitted using the contact details set out in Section 15 of the Policy. ATA may request reasonable information to verify the identity of the individual submitting a request and will respond within the timeframes required by applicable Brazilian law.

Individuals located in Brazil may also submit complaints to the Autoridade Nacional de Proteção de Dados (ANPD).

ATA encourages individuals to contact it first so that concerns may be addressed directly where possible. If your concern is not resolved, you may have the right to submit a complaint to the ANPD (Autoridade Nacional de Proteção de Dados), in accordance with applicable Brazilian law.

5. International Transfers

Information regarding international transfers of Personal Data, including transfers outside Brazil, is set out in Section 10 of the Policy. ATA transfers Personal Data internationally only where appropriate safeguards are in place as described below.

Where required under the LGPD, ATA relies on appropriate safeguards to ensure an adequate level of protection for Personal Data transferred internationally, such as: (i) adequacy decisions issued by the ANPD; (ii) standard contractual clauses or other mechanisms approved by the ANPD; and (iii) other transfer mechanisms permitted under Brazilian law.

6. Data Protection Officer

ATA has designated a Data Protection Officer (Encarregado pelo Tratamento de Dados Pessoais). Contact details are provided in Section 15 of the Policy.

Last updated: December 14, 2025

 

Annex D - Supplementary Privacy Notice for Residents of Canada

This Annex supplements and forms part of the Policy and applies, where required by applicable Canadian privacy law, to individuals located in Canada. ATA may update this Annex from time to time. When updates are made, the “Last Updated” date listed below will be revised and, where appropriate, additional notice will be provided.

1. Scope

This Annex applies where ATA processes personal information subject to the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”) and, where applicable, substantially similar provincial privacy laws, such as Quebec's Law 25 (An Act respecting the protection of personal information in the private sector).

ATA is responsible for personal information under its control and is accountable for compliance with applicable Canadian privacy laws. If you have questions about this Annex, wish to exercise your rights, or wish to make a privacy-related complaint, you may contact ATA using the details set out in Section 15 of the Policy.

For the purposes of this Annex, “personal information” means information about an identifiable individual, as defined under PIPEDA. Personal information does not include information that has been anonymized or aggregated such that it can no longer be associated with an identifiable individual.

2. Categories, Purposes, Sources, and Sharing of Personal Data

ATA collects, uses, and discloses personal information only for purposes that a reasonable person would consider appropriate in the circumstances and that are identified at or before the time of collection.

These purposes include those described in Section 6 of the Policy, and may include, for example:

• Operating and administering the Site, the MyAruba App, and related Services;

• Providing travel-related information, content, and services;

• Responding to enquiries and providing customer support;

• Conducting analytics, improving Services, and ensuring security and integrity;

• Sending marketing or promotional communications where permitted by law and consistent with your preferences; and

• Complying with applicable legal, regulatory, and contractual obligations.

Further details regarding the categories of personal information collected and the purposes of processing are set out in the Policy.

3. Your Rights

3.1. Consent

Under Canadian privacy law, ATA generally collects, uses, and discloses personal information with an individual’s knowledge and consent, except where otherwise permitted or required by law. Consent may be express or implied, depending on the sensitivity of the information and the reasonable expectations of the individual. You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice, by contacting ATA using the details set out in Section 15 of the Policy. Withdrawal of consent may affect ATA’s ability to provide certain Services.

3.2. Limiting Use, Disclosure, and Retention

In accordance with PIPEDA, ATA:

• Limits the collection of personal information to what is necessary for identified purposes;

• Uses and discloses personal information only for those purposes, unless additional consent is obtained or disclosure is permitted or required by law; and

• Retains personal information only for as long as necessary to fulfil the purposes for which it was collected, or as otherwise required or permitted by law.

Additional information regarding retention periods and criteria is provided in Section 7 of the Policy.

3.3. Safeguards

ATA implements reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the personal information to protect against loss, theft, and unauthorized access, disclosure, copying, use, or modification. Further information regarding ATA’s security measures is described in Section 8 of the Policy.

Subject to applicable legal exceptions, individuals located in Canada have the right to:

• Request access to the personal information ATA holds about them; and

• Request correction of inaccurate or incomplete personal information.

ATA may require reasonable verification of identity before responding to an access or correction request.

Requests may be submitted using the contact details set out in Section 15 of the Policy.

4. How to Exercise Your Rights

If you have concerns about ATA’s handling of your personal information, ATA encourages you to contact it first using the details set out in Section 15 of the Policy.

If your concern is not resolved, you may have the right to submit a complaint to the Office of the Privacy Commissioner of Canada, in accordance with applicable law.

5. International Transfers

Personal information may be processed or stored outside Canada, including in jurisdictions where ATA or its service providers operate. When personal information is transferred outside Canada, it may be subject to the laws of the receiving jurisdiction, and may be accessible to law enforcement and national security authorities in those jurisdictions. ATA takes reasonable steps to ensure that personal information processed outside Canada is protected by appropriate safeguards consistent with Canadian privacy requirements. Further information regarding international data transfers is provided in Section 10 of the Policy.

Last updated: December 14, 2025

 

Annex E - Part I - Supplementary Privacy Notice for Residents of the United States

This Annex supplements and forms part of the Policy and applies, where required by applicable U.S. federal and state-specific privacy laws, to individuals who reside in the U.S. ATA may update this Annex from time to time. When updates are made, the “Last Updated” date listed below will be revised and, where appropriate, additional notice will be provided.

SECTION 1: U.S. FEDERAL PRIVACY LAWS

1. Scope

This section addresses ATA’s compliance with U.S. federal privacy laws applicable to ATA’s operations in addition to the state-specific requirements set forth in Section 2 of this Annex, and, to the extent applicable Annex E - Part II, which sets forth laws specific to residents of California.

2. COPPA Compliance (Interactions with Minors)

As described in Section 4 of the Policy, ATA’s Services are not directed to children under the age of thirteen (13) years, and ATA does not knowingly collect Personal Information from children under thirteen (13) without verifiable parental consent as required by the Children’s Online Privacy Protection Act (16 C.F.R. Part 312) (“COPPA”). More broadly, ATA’s Services are not intended for individuals under the age of eighteen (18), and ATA does not knowingly collect Personal Data from Minors except in the limited circumstances described in Section 4 of the Policy.

2.1. Parental Rights Under COPPA

If ATA becomes aware that it has collected Personal Information from a child under thirteen (13) without verifiable parental consent, ATA will take steps to delete such information as promptly as reasonably practicable.

Parents or legal guardians who believe that ATA may have collected Personal Information from a child under thirteen (13) may contact ATA using the details in Section 15 of the Policy. Upon verification of parental status, parents have the right to:

• Review the Personal Information collected from their child;

• Request deletion of their child’s Personal Information;

• Refuse to permit further collection or use of their child’s Personal Information; and

• Request that ATA not disclose their child’s Personal Information to third parties (except to the extent necessary to provide the Services or as otherwise permitted under COPPA).

2.2. Limited Collection from Minors

In the limited circumstances where ATA receives an inquiry or question submitted by a Minor who voluntarily identifies their age, ATA may use the provided email address solely to respond once to the inquiry, as described in Section 4 of the Policy. ATA does not use such email addresses to re-contact the Minor, does not share such information with third parties, and deletes the information after responding in accordance with COPPA’s one-time response exception.

3. FTC Act Section 5 Compliance (Fair Commercial Practices)

ATA complies with Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) (the “FTC Act”), which prohibits unfair or deceptive acts or practices in or affecting commerce. ATA’s privacy practices are designed to ensure that:

• All statements made in this Policy and related privacy notices are truthful and not misleading;

• ATA honors the commitments made in this Policy regarding collection, use, disclosure, and protection of Personal Data;

• ATA implements reasonable data security measures as described in Section 8 of the Policy; and

• ATA provides clear and conspicuous notice of material privacy practices, particularly those that may be unexpected or involve heightened privacy risks.

Where ATA makes material changes to the Policy or its privacy practices that affect Personal Data previously collected, ATA will provide appropriate notice as described in Section 1 of the Policy. ATA will not apply material changes retroactively in a manner inconsistent with promises made at the time of collection, except with affirmative consent or as otherwise permitted by law.

4. CAN-SPAM Act Compliance (Email Regulations)

4.1. Commercial Email Requirements

ATA complies with the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (15 U.S.C. § 7701 et seq.) (“CAN-SPAM”) for all commercial electronic mail messages sent to U.S. recipients. ATA’s email marketing practices include:

• Clear Identification: All marketing emails clearly identify ATA as the sender and include accurate “From,” “To,” and “Reply-To” information, as well as the email’s originating domain name and email address.

• Accurate Subject Lines: Subject lines accurately reflect the content of the message and are not deceptive.

• Advertisement Disclosure: Where required, marketing emails clearly and conspicuously disclose that the message is an advertisement or solicitation.

• Physical Address: All commercial emails include ATA’s valid physical postal address as stated in Section 15 of the Policy.

• Opt-Out Mechanism: All marketing emails include a clear and conspicuous explanation of how recipients can opt out of receiving future emails from ATA, typically through an “Unsubscribe” link at the bottom of the email.

• Opt-Out Honoring: ATA honors opt-out requests within ten (10) business days of receipt and does not charge a fee, require additional information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single opt-out webpage.

• No Transfer After Opt-Out: Once a recipient opts out, ATA will not sell, transfer, or otherwise share that recipient’s email address for marketing purposes, except as necessary to comply with CAN-SPAM or other applicable laws.

4.2. Transactional and Relationship Messages

Certain emails are excluded from CAN-SPAM’s opt-out requirements because they facilitate transactions or provide account-related information. These may include:

• Responses to direct customer service inquiries;

• Confirmation of account creation, updates, or changes;

• Information about changes to terms or policies affecting the recipient’s account or relationship with ATA;

• Safety, security, or privacy-related notifications; and

• Other transactional or relationship content as defined by CAN-SPAM.

Such messages do not require an opt-out mechanism but will still include accurate sender identification and ATA’s physical address.

5. TCPA Compliance (Telephone Regulations)

To the extent ATA engages in any telephone marketing, text messaging, or autodialed calls to U.S. numbers, ATA complies with the Telephone Consumer Protection Act (47 U.S.C. § 227) (TCPA) and related Federal Communications Commission (FCC) regulations, including:

• Obtaining prior express written consent before making autodialed or prerecorded telemarketing calls or sending marketing text messages to mobile phones;

• Maintaining internal Do Not Call lists and honoring opt-out requests;

• Respecting the National Do Not Call Registry; and

• Including required disclosures and opt-out mechanisms in text messages.

ATA does not currently engage in significant telephone or SMS marketing activities. Should such activities commence, ATA will update this Annex and implement appropriate consent and opt-out mechanisms.

6. Federal Data Security Standards

6.1. FTC Safeguards and Reasonable Security

Consistent with Federal Trade Commission (“FTC”) guidance and enforcement actions under Section 5 of the FTC Act, ATA implements reasonable administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized access, disclosure, alteration, and destruction, as described in Section 8 of the Policy.

ATA’s security program is designed to be appropriate to:

• The size and complexity of ATA’s operations;

• The nature and scope of ATA’s activities;

• The sensitivity of the Personal Data processed; and

• The reasonably foreseeable risks to the security, confidentiality, and integrity of Personal Data.

6.2. Data Breach Notification

In the event of a data breach affecting Personal Data, ATA will assess the incident and provide notification to affected individuals and, where required, to federal authorities (such as the FTC) in accordance with applicable federal and state breach notification laws, industry standards, and ATA’s internal incident response procedures.

As stated in Section 8 of the Policy, in the event of a personal data breach that is likely to result in a high risk to individual rights and freedoms, ATA will notify affected individuals without undue delay as required by Applicable Data Protection Laws.

7. Federal Sector-Specific Laws

7.1. Health Information

ATA is not a covered entity or business associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). ATA does not collect, use, or disclose protected health information as defined under HIPAA.

While ATA may collect general travel-related information (such as travel dates or accessibility preferences), such information does not constitute protected health information subject to HIPAA. If this changes in the future, ATA will update this Policy and implement HIPAA-compliant safeguards.

7.2. Financial Information

ATA is not a financial institution subject to the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) (GLBA). While ATA may collect limited financial information in certain administrative contexts (such as event registration), as described in Section 3 of the Policy, ATA does not provide financial products or services and does not act as a payment processor for tourism services.

7.3. Consumer Reporting

ATA does not collect, maintain, or furnish consumer reports as defined under the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) (FCRA) and is not a consumer reporting agency.

ATA does not use Personal Data to make credit, employment, insurance, or similar eligibility determinations.

7.4. Other Federal Laws

ATA complies with other applicable U.S. federal laws governing privacy, data security, consumer protection, and electronic communications, including:

• The Electronic Communications Privacy Act (18 U.S.C. §§ 2510–2523);

• The Computer Fraud and Abuse Act (18 U.S.C. § 1030);

• The Video Privacy Protection Act (18 U.S.C. § 2710), to the extent applicable;

• Federal laws prohibiting discrimination and protecting civil rights; and

• Export control and sanctions laws administered by the U.S. Department of Commerce and Office of Foreign Assets Control (OFAC).

8. Accessibility and Digital Inclusion

Consistent with federal accessibility requirements, including Section 508 of the Rehabilitation Act (29 U.S.C. § 794d) where applicable, and voluntary best practices under the Americans with Disabilities Act (42 U.S.C. § 12101 et seq.), ATA strives to ensure that its digital Services are accessible to individuals with disabilities.

If you encounter accessibility barriers or require assistance accessing this Policy or ATA’s Services, please contact ATA using the details in Section 15 of the Policy.

9. Contact Information for Federal Privacy Matters

For questions, concerns, or complaints regarding ATA’s compliance with U.S. federal privacy laws, please contact ATA using the details set out in Section 15 of the Policy.

U.S. residents also have the right to file complaints with federal regulatory agencies, including:

• Federal Trade Commission (FTC) Consumer Response Center 600 Pennsylvania Avenue, NW Washington, DC 20580

• Department of Commerce (for COPPA matters) Via the FTC (primary enforcement authority)

SECTION 2: U.S. STATE PRIVACY LAWS

This Section describes additional rights and disclosures required under certain U.S. state privacy laws, including, where applicable, the Virginia Consumer Data Protection Act ("VCDPA"), Colorado Privacy Act ("CPA"), Connecticut Data Privacy Act ("CTDPA"), Texas Data Privacy and Security Act ("TDPSA"), Utah Consumer Privacy Act ("UCPA"), Montana Consumer Data Privacy Act ("MCDPA"), Oregon Consumer Privacy Act ("OCPA"), Delaware Personal Data Privacy Act ("DPDPA"), and similar state laws (collectively, “U.S. State Privacy Laws”).

The applicable law depends on your state of residence and is subject to applicable limitations and exceptions under U.S. law.

For purposes of this Annex:

• “Personal Data” has the meaning given in the Policy and corresponds to “personal data” or “personal information” under applicable U.S. State Privacy Laws.

• “Sale” means the exchange of Personal Data for monetary or other valuable consideration, as defined in applicable U.S. State Privacy Laws. As explained in Sections 11 and 14 of the Policy, certain uses of cookies and similar technologies may be considered a “sale” or similar disclosure under the definitions applied by some U.S. State Privacy Laws, even where no monetary consideration is exchanged.

• “Targeted Advertising” means displaying advertisements selected for you based on Personal Data obtained from your activities over time and across websites, applications, or online services.

• “Profiling” means any form of automated processing of Personal Data to evaluate, analyze, or predict aspects concerning an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

10. Categories, Purposes, Sources, and Sharing of Personal Data

Certain U.S. State Privacy Laws require that residents be informed, within a state-specific notice, of the categories of Personal Data collected, the purposes for which such data is processed, the sources from which the data is obtained, and the categories of third parties with whom the data is shared.

Accordingly, and to satisfy these requirements, ATA provides the following disclosures by reference:

• Categories of Personal Data processed by ATA: Identity Data, Contact Data, Travel & Visit Data, Technical Data, Usage Data, Marketing and Communications Data, and Financial Data, as described in Section 3 of the Policy.

• Purposes for processing Personal Data: operating and improving the Site and the MyAruba App, personalizing content, performing analytics, providing customer support, conducting marketing campaigns and events, and complying with legal obligations, as described in Section 6 of the Policy.

• Sources of Personal Data: information collected directly from you, through cookies and similar technologies, from marketing and analytics partners, social media platforms, business partners, and publicly available sources you make accessible to ATA, as described in Sections 5 and 14 of the Policy.

• Categories of third parties with whom Personal Data is shared: service providers, marketing and analytics partners, and government authorities, as described in Sections 9 and 11 of the Policy and Annex II.

These disclosures are incorporated into and form part of this U.S. State Notice and are intended to satisfy ATA’s transparency obligations under applicable U.S. State Privacy Laws.

11. Your Rights

Subject to applicable limitations and exceptions, residents of certain U.S. states may have one or more of the following rights in relation to their Personal Data under applicable U.S. State Privacy Laws:

• Right to Access / Know: You may request confirmation of whether ATA processes your Personal Data and request access to such Personal Data.

• Right to Deletion: You may request deletion of Personal Data ATA maintains about you, subject to applicable exceptions, such as where ATA is required to retain the data to comply with legal obligations or to establish, exercise, or defend legal claims.

• Right to Correction: You may request correction of inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes for which ATA processes it.

• Right to Data Portability: You may request a copy of Personal Data you have provided to ATA in a portable and, where technically feasible, readily usable format that allows you to transmit the data to another controller, where the processing is carried out by automated means.

• Right to Opt-Out: You may have the right to opt out of the processing of your Personal Data for: (1) Targeted Advertising; (2) Sale of Personal Data (as defined by applicable U.S. State Privacy Laws); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

• Right to Appeal: Where applicable, you may appeal ATA’s decision to decline to act on a request to exercise any of the rights described above.

12. How to Exercise Your Rights and Opt-Out Choices

You may exercise your rights under applicable U.S. State Privacy Laws, including applicable opt-out rights, by:

• using ATA’s cookie and tracking controls (where available) to manage your preferences for analytics, personalization, and advertising technologies;

• configuring your browser or device settings to limit or block cookies and similar technologies used for Targeted Advertising; and/or

• contacting ATA using the details set out in Section 15 of the Policy and indicating that your request relates to rights under U.S. State Privacy Laws.

ATA may take reasonable steps to verify your identity before responding to your request, including by requesting additional information necessary to confirm your identity. ATA will respond to requests within the timeframes required by applicable U.S. State Privacy Laws.

While ATA does not sell Personal Data for monetary consideration in the traditional sense, certain data sharing practices (such as the use of advertising cookies and analytics technologies) may be considered a "sale" or "sharing" under the broad definitions used by some U.S. State Privacy Laws. ATA will honor valid opt-out requests submitted using the methods described above.

13. Sensitive Personal Data

Certain U.S. State Privacy Laws provide enhanced protections for sensitive personal data, such as specific health information or precise geolocation data.

ATA processes sensitive Personal Data, if and to the extent applicable, only for purposes permitted by law, including providing requested Services, ensuring the security and integrity of ATA’s systems, performing services reasonably expected by an average consumer, and complying with legal obligations. Where required by applicable law, ATA will obtain consent or provide notice and an opportunity to limit the use of sensitive Personal Data before processing it.

ATA does not process sensitive Personal Data for Targeted Advertising without appropriate consent or user controls where such consent or controls are required by law.

14. Appeals Process

If ATA declines to act on your request and you are entitled to an appeal under applicable U.S. State Privacy Laws, you may submit an appeal by contacting ATA using the details set out in Section 15 of the Policy and indicating that your communication is an appeal of a privacy-rights decision.

ATA will review and respond to your appeal within the timeframe required by applicable U.S. State Privacy Laws and will inform you of any further options available to you, such as the possibility of contacting your State Attorney General or other competent authority.

15. Non-Discrimination

ATA will not discriminate against you for exercising any rights available to you under applicable U.S. State Privacy Laws. This means that ATA will not deny Services, charge different prices or rates, provide a different level or quality of Services, or suggest that you will receive a different price, rate, or quality of Services, solely because you exercised such rights, except where permitted by law or where any difference is reasonably related to the value of the Personal Data at issue.

Last updated: December 12, 2025

 

Annex E - Part II - Supplementary Privacy Notice for Residents of California

This Annex supplements and forms part of the Policy and applies, where required by applicable California privacy law, to individuals who are residents of the State of California. ATA may update this Annex from time to time. When updates are made, the “Last Updated” date listed below will be revised and, where appropriate, additional notice will be provided.

1. Scope

This Annex is provided pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”).

For purposes of this Annex:

• “Personal Information” has the meaning given in the CCPA and includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.

• “Sensitive Personal Information” has the meaning given in the CCPA and includes, for example, precise geolocation data and certain government-issued identifiers.

• “Sell,” “Sale,” or “Sold” mean selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating. Personal Information to a third party for monetary or other valuable consideration, as defined under the CCPA.

• “Share” or “Sharing” mean disclosing Personal Information to a third party for cross-context behavioral advertising, whether or not for monetary consideration, as defined under the CCPA.

• “Targeted Advertising” means displaying advertisements selected for you based on Personal Data obtained from your activities over time and across websites, applications, or online services.

This Annex covers Personal Information collected online (including via the Site, the MyAruba App, and related digital services) and offline (such as at events, trade shows, or through customer service interactions) where ATA acts as a business under the CCPA.

2. Categories, Purposes, Sources, and Sharing of Personal Data

2.1. Categories of Personal Information We Collect

The categories of Personal Information collected from California residents, including during the preceding twelve (12) months, correspond to the categories described in Section 3 of the Policy. For ease of reference under the CCPA, these categories may include:

• Identifiers (e.g., name, email address, IP address, cookie identifiers, device identifiers);

• Personal Information Categories Listed in the California Customer Records Statute (Cal. Civ. Code § 1798.80(e));

• Commercial Information (e.g., travel-related preferences, participation in sweepstakes or events, marketing subscription status, interactions with ATA campaigns);

• Internet or Other Electronic Network Activity Information (e.g., browsing history, views and clicks, navigation paths, referral URLs, interactions with emails and marketing content);

• Geolocation Data (primarily approximate; more precise location only where enabled by you);

• Audio, Electronic, or Visual Information (e.g., customer support communications);

• Professional or Employment-Related Information (for business contacts; e.g., job title, organization, sector, nature of business relationship);

• Inferences drawn from interactions with ATA’s Services;

• Sensitive Personal Information (limited), where applicable.

ATA also processes aggregated or de-identified information that cannot reasonably be used to identify an individual. Such information is not considered Personal Information under the CCPA.

2.2. Sources of Personal Information

ATA collects Personal Information from the same categories of sources described in Section 5 of the Policy, including:

• Directly from you;

• Automatically through cookies and similar technologies (see Section 14 of the Policy and Annex I); and

• From third parties, including service providers, marketing and analytics partners (e.g., Google, Meta, Bloomreach, Sojern, USIM, and similar providers), email and CRM platforms (e.g., Salesforce Marketing Cloud, Bloomreach Engagement), customer support tools (e.g., Zoho Desk), event, form, or travel-planning providers (e.g., JotForm, Typeform, VisitWidget), social media platforms, and business partners in connection with ATA’s tourism-related activities.

2.3. Purposes for Which We Use Personal Information

ATA uses Personal Information for the purposes described in Section 6 of the Policy, including:

• Operating and improving the Site, the MyAruba App, and related Services;

• Creating and managing MyAruba profiles and itineraries;

• Providing customer support and responding to inquiries;

• Sending newsletters and other marketing communications (with your consent where required);

• Conducting analytics, audience measurement, and personalization of content;

• Organizing and administering events, webinars, and campaigns;

• Carrying out business communications and relationships with industry partners;

• Ensuring the security and integrity of our systems and Services; and

• Complying with applicable laws, regulations, and legal processes.

ATA uses Sensitive Personal Information only for limited purposes permitted by the CCPA, such as enabling requested features, maintaining security, managing business relationships, and complying with legal requirements. ATA does not use or disclose Sensitive Personal Information for purposes of profiling or Targeted Advertising in a manner that would require a “Right to Limit” notice beyond what is set out here, and we do not use Sensitive Personal Information to infer characteristics about you beyond those permitted by law.

2.4. Disclosure, “Sale,” and “Sharing” of Personal Information

Disclosure for Business or Commercial Purposes. In the preceding twelve (12) months, ATA may have disclosed Personal Information to the categories of recipients described in Section 9 of the Policy and Annex II, including service providers, marketing and analytics partners, tourism partners, and government authorities where required by law. ATA does not permit third parties to use Personal Information for their own independent marketing purposes except as permitted under the CCPA or with your consent where required.

“Sale” and “Sharing” for Cross-Context Behavioral Advertising. ATA does not sell Personal Information for monetary consideration. However, under the CCPA, certain uses of cookies, pixels, and similar technologies for analytics and cross-context behavioral advertising may be considered a “sale” or “sharing.” In the preceding twelve (12) months, ATA may have sold or shared (as defined by the CCPA) the following categories of Personal Information with the following categories of third parties: (1) identifiers shared with advertising technology providers, analytics partners, and social media platforms; (2) internet or other electronic network activity information shared with advertising technology providers, analytics partners, and social media platforms; and (3) inferences regarding interests or preferences shared with advertising technology providers and analytics partners. These activities are carried out primarily through the technologies described in Section 14 of the Policy and Annex I.

2.5. Retention of Personal Information

ATA retains Personal Information for the periods described in Section 7 of the Policy. In general, Personal Information is retained for up to thirty-six (36) months from the date of last interaction unless a shorter or longer period is required by law, justified by a legitimate business purpose, or necessary to fulfill the purposes for which it was collected. ATA may retain Personal Information for a longer period where necessary to comply with legal obligations or to establish, exercise, or defend legal claims. Retention periods for cookies and similar technologies are described in Annex I.

3. Your Rights

Subject to applicable limitations and exceptions, California residents may have one or more of the following rights in relation to their Personal Information under the CCPA:

• Right to Access / Know: You may request that ATA disclose: (i) the categories of Personal Information collected about you; (ii) the categories of sources from which it is collected; (iii) the business or commercial purposes for collecting, selling, or sharing Personal Information; (iv) the categories of third parties to whom ATA discloses Personal Information; (v) the categories of Personal Information sold or shared and the categories of third parties to whom it was sold or shared; (vi) the categories of Personal Information disclosed for a business purpose and the categories of recipients; (vii) the specific pieces of Personal Information collected about you; and (viii) the length of time ATA intends to retain each category of Personal Information.

• Right to Deletion: You may request that we delete Personal Information we have collected from you, subject to certain statutory exceptions (for example, where we must retain data to comply with legal obligations, complete transactions you requested, ensure security and integrity, or for other lawful purposes).

• Right to Correction: You may request correction of inaccuracies in your Personal Information we maintain about you, taking into account the nature of the Personal Information and the purposes of processing.

• Right to Data Portability: You may request a copy or, in certain circumstances, the specific pieces of Personal Information we have collected about you in a portable and (where technically feasible) readily usable format that allows you to transmit the information to another entity without hindrance.

• Right to Opt-Out: You may direct us not to sell or share your Personal Information, including with respect to cross-context behavioral advertising activities that may occur via third-party cookies and similar technologies.

• Right to Limit Use and Disclosure of Sensitive Personal Information: Where applicable, you may limit our use and disclosure of your Sensitive Personal Information to certain purposes permitted by the CCPA.

• Right to Non-Discrimination. You have the right to not receive discriminatory treatment for exercising any of your rights under the CCPA.

Separately from the CCPA, California residents may request information once per calendar year regarding our disclosure of certain categories of Personal Information to third parties for their direct marketing purposes. (Cal. Civ. Code § 1798.83)

4. How to Exercise Your Rights and Opt-Out Choices

You may exercise your California privacy rights by contacting ATA using the details set out in Section 15 of the Policy and indicating that your request relates to California privacy rights. ATA will verify requests as required by law and respond within the timeframes specified by the CCPA. In your request, please state which right(s) you wish to exercise, provide enough information for ATA to reasonably verify that you are the person about whom ATA collected Personal Information, and describe your request with sufficient detail for ATA to understand, evaluate, and respond.

ATA may request additional information solely for the purpose of verifying your identity or authority, or for security and fraud-prevention reasons. Where you submit a request to know/access, delete, or correct, ATA will respond within the timeframes required by the CCPA (generally within forty-five (45) days, with a possible one-time extension of up to an additional forty-five (45) days when reasonably necessary, provided ATA notifies you of the extension within the initial 45-day period) and will explain any reasons if ATA cannot comply with your request in whole or in part.

You may opt out of the Sale or Sharing of Personal Information by:

• Using ATA’s cookie and tracking controls to disable advertising and tracking cookies; and/or

• Submitting a request using the contact details in Section 15 of the Policy.

In addition, where your browser or extension supports an opt-out preference signal such as the Global Privacy Control (GPC), ATA’s Site is designed to recognize and honor such signals in accordance with California requirements, which will be treated as a request to opt out of Sale and Sharing for that browser.

5. Authorized Agents

California residents may designate an authorized agent to submit requests on their behalf, subject to verification requirements permitted under the CCPA.

6. Minors

ATA does not knowingly sell or share the Personal Information of consumers under sixteen (16) years of age without affirmative authorization as required by the CCPA. ATA’s Services are not directed to individuals under eighteen (18), as described in Section 4 of the Policy. If ATA becomes aware that it has collected Personal Information from a consumer under sixteen (16) years of age without the required authorization, or from a consumer under thirteen (13) years of age without parental consent, ATA will take reasonable steps to delete such information.

7. Non-Discrimination

ATA will not discriminate against California residents for exercising their rights under the CCPA, except as permitted by law. ATA will not, solely because you exercised a privacy right: (i) deny you Services; (ii) charge you different prices or rates for Services; (iii) provide you with a different level or quality of Services; or (iv) suggest that you may receive a different price, rate, level, or quality of Services. Where the CCPA permits differential treatment that is reasonably related to the value of Personal Information, ATA will ensure that any such practices comply with applicable law.

Last updated: December 12, 2025

 

Annex F - Supplementary Privacy Notice for Residents of Switzerland

This Annex supplements and forms part of the Policy and covers ATA’s processing of Personal Data relating to individuals located in Switzerland where such processing is subject to Swiss data protection law. ATA may update this Annex from time to time. When updates are made, the “Last Updated” date listed below will be revised and, where appropriate, additional notice will be provided.

1. Scope

This Annex applies only to the extent required by the Swiss Federal Act on Data Protection of 25 September 2020, as revised and effective 1 September 2023 (nFADP), together with its implementing ordinances (collectively, the “Swiss FADP”). Where the Swiss FADP already applies directly to ATA’s processing of Personal Data under the Policy, this Annex does not replace or restate those provisions. Instead, it provides Switzerland-specific clarifications required by Swiss law, regulatory practice, or transparency expectations.

This Annex applies where:

• ATA acts as a data controller (responsible entity) under Swiss law; and

• the processing of Personal Data has a sufficient connection to Switzerland within the meaning of the Swiss FADP.

This Annex does not apply to processing carried out by ATA solely in a data processor capacity on behalf of another controller, which is governed by the applicable controller’s privacy notice and contractual arrangements, as described in Section 2 of the Policy.

Nothing in this Annex is intended to imply that the GDPR applies to processing governed exclusively by Swiss law. Where ATA’s processing activities are subject to both Swiss law and another data protection regime (for example, due to cross-border operations), ATA will comply with each applicable legal framework as required.

2. Categories, Purposes, Sources, and Sharing of Personal Data

2.1. Categories of Personal Data

The categories of Personal Data processed by ATA, the purposes of processing, the sources of such data, and the categories of recipients are described in Sections 3, 5, 6, and 9 of the Policy, together with Annex II. No additional categories of Personal Data are collected solely as a result of this Annex.

Under the Swiss FADP, particular emphasis is placed on transparency, proportionality, data minimization, and purpose limitation. ATA has taken these principles into account in structuring the disclosures and safeguards described in the Policy.

2.2. Legal Bases for Processing Personal Data

ATA processes Personal Data of individuals located in Switzerland in accordance with the principles and legal grounds recognized under the Swiss FADP, including:

• the consent of the data subject, where required;

• performance of a contract or pre-contractual measures requested by the data subject;

• compliance with legal obligations; and

• legitimate private interests of ATA or third parties, provided such interests are preponderant and do not unlawfully override the personality rights or fundamental rights and freedoms of the data subject

Where processing is based on legitimate interests, ATA has assessed the proportionality and necessity of such processing in accordance with Swiss law.

3. Your Rights

Individuals located in Switzerland have the rights provided under the Swiss FADP, subject to applicable limitations and exceptions. These rights may include:

• the right to request confirmation as to whether ATA processes Personal Data relating to you;

• the right to access Personal Data held about you;

• the right to request correction of inaccurate or incomplete Personal Data;

• the right to request deletion or restriction of processing in certain circumstances;

• the right to object to specific processing activities, where permitted by law; and

• the right to withdraw consent, where processing is based on consent.

Certain rights may be restricted where permitted under Swiss law, including where disclosure would adversely affect the rights of others, conflict with legal obligations, or reveal protected business information.

ATA does not engage in automated individual decision-making, including profiling, that produces legal effects concerning an individual or similarly significantly affects them within the meaning of Article 21 of the Swiss FADP. Should ATA engage in such processing in the future, affected individuals will be informed and provided with appropriate safeguards, including the right to obtain human intervention.

4. How to Exercise Your Rights and Opt-Out Choices

Requests to exercise data subject rights may be submitted using the contact details set out in Section 15 of the Policy. ATA may request reasonable information to verify the identity of the individual submitting a request and will respond within the timeframes required under Swiss law.

Individuals located in Switzerland also have the right to lodge a complaint with the competent supervisory authority: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Berne, Switzerland, www.edoeb.admin.ch

ATA encourages individuals to contact it first so that concerns may be addressed directly where possible.

5. International Transfers

Information regarding international transfers of Personal Data is set out in Section 10 of the Policy.

 

Where Personal Data is transferred outside Switzerland, ATA ensures that such transfers comply with the Swiss FADP, including by relying on: (i) countries recognized by Switzerland as providing an adequate level of data protection; (ii) contractual safeguards, such as Swiss-recognized standard contractual clauses; and (iii) supplementary technical or organizational measures where required to ensure appropriate protection.

6. Data Protection Officer

ATA has designated a Data Protection Officer (“DPO”) or privacy contact point. Contact details are provided in Section 15 of the Policy.

 

Last updated: December 12, 2025

Annex G - Supplementary Privacy Notice for Residents of Latin America (Argentina, Colombia, Ecuador, Paraguay, Peru, Uruguay)

This Annex supplements and forms part of the Policy and applies only to the extent required by applicable data protection laws in certain Latin American jurisdictions. For clarity, this Annex addresses ATA’s processing activities involving individuals located in Latin America, including (without limitation) Argentina, Colombia, Ecuador, Paraguay, Peru, and Uruguay, where such processing is subject to applicable local data protection laws. ATA may update this Annex from time to time. When updates are made, the “Last Updated” date listed below will be revised and, where appropriate, additional notice will be provided.

1. Scope

Where the Policy already satisfies applicable legal requirements, this Annex does not restate or replace those provisions. Instead, it provides country-specific clarifications required under local law or regulatory practice in the jurisdictions listed below. In the event of any conflict between this Annex and the Policy, the applicable local law prevails.

This Annex applies to ATA’s processing of Personal Data where ATA acts as a data controller and such processing is subject to applicable Latin American data protection laws.

This Annex applies to individuals located in the following countries, to the extent ATA’s processing activities are subject to local data protection law:

• Argentina: Law No. 25,326 on the Protection of Personal Data and its regulatory decrees

• Colombia: Law No. 1581 of 2012 and Decree No. 1074 of 2015

• Ecuador: Organic Law on the Protection of Personal Data (Ley Orgánica de Protección de Datos Personales – LOPDP)

• Paraguay: Law No. 6534/2020 (personal credit data), and other applicable privacy, consumer, or telecommunications provisions, where relevant

• Peru: Law No. 29733 (Personal Data Protection Law) and Supreme Decree No. 003-2013-JUS

• Uruguay: Law No. 18,331 on the Protection of Personal Data and Habeas Data

This Annex does not apply to processing carried out by ATA solely in a data processor capacity, which is governed by the applicable controller’s privacy notice and contractual arrangements, as described in Section 2 of the Policy.

2. Categories, Purposes, Sources, and Sharing of Personal Data

2.1. Categories of Personal Data

The categories of Personal Data processed by ATA, the purposes of processing, the sources of such data, and the categories of recipients are described in Sections 3, 5, 6, and 9 of the Policy, together with Annex II. No additional categories of Personal Data are collected solely as a result of this Annex.

Latin American data protection authorities generally emphasize lawful purpose, proportionality, transparency, and data minimization, particularly in connection with marketing activities, analytics technologies, and cross-border data transfers. The Aruba Tourism Authority ("ATA") has taken these principles into account in structuring its global disclosures and safeguards for Aruba.com.

2.2. Legal Bases for Processing Personal Data

ATA processes Personal Data of both individual consumers and business contacts located in the above jurisdictions on the legal bases described in Section 6 of the Policy, as permitted under applicable local law, including:

• the consent of the data subject, where required;

• performance of a contract or steps taken at the request of the data subject prior to entering into a contract;

• compliance with legal or regulatory obligations;

• legitimate interests of ATA or a third party (such as tourism promotion, website functionality, security, and service improvement), where recognized under local law and balanced against the rights of the data subject; and

• other legal bases permitted under applicable national legislation.

Consent requirements, formality standards, and withdrawal mechanisms may vary by jurisdiction. Where local law requires express or written consent (including for marketing communications, cookies, and analytics), ATA implements appropriate consent mechanisms through Aruba.com's interface and communication channels.

3. Your Rights

Both consumers and business contacts located in the jurisdictions covered by this Annex generally have rights similar to those described in Section 12 of the Policy, subject to applicable limitations and exceptions under local law. These rights may include:

• the right to access Personal Data;

• the right to rectify or update inaccurate or incomplete data;

• the right to request deletion, anonymization, or blocking of data processed unlawfully or excessively (noting that certain data may be retained for legal compliance, fraud prevention, or legitimate business purposes);

• the right to withdraw consent, where processing is based on consent; and

• the right to object to certain processing activities, where permitted by law.

The scope, terminology, and procedures for exercising these rights may vary by country. ATA will assess and respond to requests in accordance with the requirements of the applicable jurisdiction.

ATA does not engage in automated decision-making that produces legal or similarly significant effects on individuals, where restricted under applicable law. Any automated processing (such as website personalization or analytics) does not result in legal or similarly significant effects.

4. How to Exercise Your Rights and Opt-Out Choices

Requests to exercise data subject rights may be submitted using the contact details set out in Section 15 of the Policy. ATA may request reasonable information to verify the identity of the individual submitting a request and will respond within the timeframes required by applicable local law.

Depending on the jurisdiction, both consumers and business contacts may also have the right to lodge a complaint with the relevant data protection authority, including:

• Argentina: Agencia de Acceso a la Información Pública (AAIP)

• Colombia: Superintendencia de Industria y Comercio (SIC)

• Ecuador: Superintendence of Personal Data Protection

• Peru: Autoridad Nacional de Protección de Datos Personales

• Uruguay: Unidad Reguladora y de Control de Datos Personales (URCDP)

• Paraguay: The competent authority or complaint mechanism will depend on the applicable legal basis and context; ATA will provide additional information upon request

ATA encourages individuals to contact it first so that concerns may be addressed directly where possible.

5. International Transfers

Information regarding international transfers of Personal Data is set out in Section 10 of the Policy. As a global tourism website operating across multiple jurisdictions, ATA may transfer Personal Data internationally to service providers, partners, and affiliates. Where required under applicable Latin American law, ATA implements appropriate safeguards for cross-border data transfers, which may include: (i) transfers to jurisdictions deemed to provide an adequate level of protection; (ii) standard contractual clauses or equivalent contractual safeguards; and (iii) other mechanisms permitted under applicable local law.

ATA may also rely on derogations for specific situations where permitted by law, such as transfers necessary for the performance of a contract with the data subject (e.g., booking confirmations, travel arrangements) or with the explicit consent of the individual.

6. Country-Specific Regulatory Considerations

Without limiting the general application of the Policy, ATA recognizes the following country-specific requirements in Latin America:

• Argentina and Uruguay: maintain adequacy-based frameworks aligned with European standards for international transfers.

• Colombia and Peru: impose specific registration and accountability obligations for databases and controllers.

• Ecuador: places heightened emphasis on transparency, consent management, and risk-based safeguards.

• Paraguay: applies sector-specific protections, particularly in relation to credit and financial data.

5. Data Protection Officer

Where required by applicable law, ATA has designated a Data Protection Officer (“DPO”) or privacy contact point to oversee data protection matters related to Aruba.com and ATA's tourism promotion activities. Contact details are provided in Section 15 of the Policy.

Last updated: December 14, 2025

This Annex forms part of the Aruba Tourism Authority Privacy Policy and should be read in conjunction with the main Policy and any other applicable jurisdiction-specific annexes.