Legal - Privacy Policy

Why Do We Collect Personal Data?

Jeppesen relies on a wide variety of information to run our business. In some instances, this information may include data that could be used to identify a particular individual, otherwise referred to as Personal Data (PD). So that we may provide you with our products and services, Jeppesen processes your PD to meet the requirements of our legitimate business interests, and legal, statutory and contractual obligations.

In this Privacy Policy, we provide multiple examples of how Personal Data we collect may be used and why it is important. For example, when a customer purchases one of our products or services we must collect, at a minimum, their name, address and payment information to complete the transaction.

What Personal Data Do We Collect?

Examples of Personal Data we collect, the specific kind of information collected will depend on your use of Jeppesen’s range of websites, mobile applications, products, and services:

• First and last names;

• Phone numbers;

• E-mail addresses;

• Mailing addresses;

• Passport or government identification information;

• Gender;

• Date of birth; and,

• Country of residence.

How Do We Collect Personal Data?

We collect information directly from you, as well as automatically through your use of our websites, mobile applications, products, and services and, in some cases, from third parties.

Information collected via email:

When you send an email to an email address displayed on one of our various websites, we collect your email address and any other information you provide in that email (such as your name, telephone number and the information contained in any signature block in your email).

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation)

Legitimate interest(s): Responding to inquiries and messages we receive and keeping records of correspondence.

Information collected via our contact form:

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation)

Legitimate interest(s): Responding to inquiries and messages we receive and keeping records of contact.

Information collected when contact us by phone:

When you contact us by phone, we collect your phone number and any information you provide to us during the call. At this time we do not record phone calls.

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation)

Legitimate interest(s): Responding to inquiries and messages we receive and keeping records of contact.

Information we collect when you place an order:

When you place an order for goods or services on our website, we collect the following mandatory information: name, email address, phone number, billing address, company name (if applicable), and, if you create an account, an account password

If you do not provide the pertinent information, you will not be able to purchase goods or services from us on our website or enter into a contract with us.

Legal basis for processing: Necessary to perform a contract (Article 6(1)(b) of the General Data Protection Regulation).

Legitimate interest(s): Reason why necessary to perform a contract: We need this information collected by our checkout form to establish who the contract is with and to contact you to fulfil our obligations under the contract, including sending you receipts and order confirmations. It is also necessary to issue you with an invoice for the goods and services you purchased from us.

Collection of Personal Data from Children

Jeppesen may collect, use or disclose Personal Data (PD) from children (as defined by local law) where it is necessary to do so. For example, a child member of a group using Jeppesen’s (International Trip Planning Services (ITPS). This information is necessary to fulfil travel arrangements, ensure safety, to meet legal and regulatory requirements, and to provide, or arrange for appropriate assistance or facilities where necessary.

This information will be collected with the consent of a responsible adult or guardian where possible. The Data will be appropriately designated for extra protections and review and removal at the earliest opportunity. PD from children will be flagged to avoid direct marketing

If you believe that we have collected PD about a child (defined as a natural person under the age of consent in the applicable country or jurisdiction that he/she resides in), please inform us by email at Privacy@Jeppesen.com., so that we can delete the collected information. Additionally, if the registered user was a child, please use Privacy@Jeppesen.com. to request removal of such content or PD.

Jeppesen’s Policy on Sensitive Personal Data

Jeppesen does not knowingly or intentionally collect sensitive Personal Data (PD) from individuals, and you must not submit sensitive PD to us. “Sensitive Personal Data” is information about an individual that reveals their racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic information, biometric information for the purpose of uniquely identifying an individual, information concerning health or information concerning a natural person’s sex life or sexual orientation.

Pursuant to Article 9(2)(a) of the European Union General Data Protection Regulation, if you inadvertently or intentionally transmit sensitive PD to us, you will be considered to have explicitly consented to us processing that sensitive PD. We will use and process your Sensitive Personal Data for the express purpose of deleting it.

How Do We Use Personal Data?

Jeppesen takes your privacy very seriously and we will strive to avoid collecting any unnecessary personal data from you and not process your information in a way other than as specified in this Privacy Policy. We will not purposefully disclose, share or sell your Personal Data (PD) without your consent, unless required to do so by law.

Uses of Personal Data includes:

• Uses within specific Jeppesen products and/or services

• Undertaking normal and reasonable business activities.

• Managing an individual's relationship with Jeppesen.

• Improving Jeppesen products, sites and services (by itself or in combination with data from other Jeppesen offerings or third parties.)

• Detection, prevention, investigation and prosecution of crime.

• Administration and management of PD related to Employees (i.e. benefits, use of company assets, salary planning, etc.)

• Allow you to download and purchase products and services.

• Investigating, responding to, and managing inquiries or events.

• Work with and respond to law enforcement and regulators.

• Research matters relating to our business such as security threats and vulnerabilities.

How Do We Retain Personal Data (PD)?

Jeppesen retains personal data for as long as necessary to provide its products and services and to fulfill requested transactions, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for different data types in the context of different products, actual retention periods can vary.

The criteria used to determine the retention periods include:

• How long is the PD needed to provide the products and operate our business? This includes such things as maintaining and improving the performance of those products, keeping our systems secure, and maintaining appropriate business and financial records. This is the general rule that establishes the baseline for most data retention periods.

• Has the user provided consent for a longer retention period? If so, we will retain data in accordance with your consent.

• Is Jeppesen subject to a legal, contractual, relevant agreed industry practices, or similar obligations to retain the data?

• The level of risk, cost and liability involved with Jeppesen continuing to hold the information

• How hard it is to ensure that the information can be kept up to date and accurate.

• Any relevant surrounding circumstances (such as the nature and status of our relationship with you).

What Security Measures Do We Have?

Although we work hard to protect Personal Data (PD) that we collect and store, no program is 100% secure and Jeppesen cannot guarantee that our safeguards will prevent every unauthorized attempt to access, use or disclose PD. We use administrative, organizational, technical, and physical safeguards to secure your PD and to protect it against unauthorized or unlawful use and accidental loss or destruction, including:

• Where appropriate, only sharing and providing access to your information to the minimum extent necessary, subject to confidentiality restrictions, and on an anonymized basis whenever possible.

• Using secure servers to store your information.

• Verifying the identity of any individual who requests access to information prior to granting them access to information.

• Using Secure Sockets Layer (SSL) software or other similar encryption technologies to encrypt any payment transactions you make on or via our website.

• Employees are trained on the importance of protecting privacy and on the proper access to, use and disclosure of customer information.

• Under our practices and policies, access to sensitive PD is authorized only for those who have a business need for such access.

• PD and other sensitive records are retained only as long as reasonably necessary for business, accounting, tax or legal purposes.

• Jeppesen maintains security and incident response plans to handle incidents involving unauthorized access to private information we collect or store.

• If you become aware of a security issue, please contact Jeppesen at Privacy@Jeppesen.com. . We will work with you to address any problems.

Cookies

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your web browser settings, we’ll assume that you are happy to receive all cookies on the Jeppesen website. However, if you would like to, you can change your cookie settings on your web browser at any time.

What is a Cookie?

Most websites you visit will use cookies in order to improve your user experience by enabling that website to ‘remember’ you, either for the duration of your visit (using a ‘session cookie’) or for repeat visits (using a ‘persistent cookie’).

Cookies do lots of different jobs, like letting you navigate between pages efficiently, storing your preferences, and generally improving your experience of a website. Cookies make the interaction between you and the website faster and easier. If a website doesn’t use cookies, it will think you are a new visitor every time you move to a new page on the site – for example, when you enter your login details and move to another page it won’t recognize you and it won’t be able to keep you logged in.

Some websites will also use cookies to enable them to target their advertising or marketing messages based for example, on your location and/or browsing habits. Cookies may be set by the website you are visiting (‘first party cookies’) or they may be set by other websites who run content on the page you are viewing (‘third party cookies’).

What is in a Cookie?

A cookie is a simple text file that is stored on your computer or mobile device by a website’s server and only that server will be able to retrieve or read the contents of that cookie. Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier and the site name and some digits and numbers. It allows a website to remember things like your preferences or what’s in your shopping basket.

What to do if you don’t want cookies to be set.

Some people find the idea of a website storing information on their computer or mobile device a bit intrusive, particularly when this information is stored and used by a third party without their knowledge. Although this is generally quite harmless you may not, for example, want to see advertising that has been targeted to your interests. If you prefer, it is possible to block some or all cookies, or even to delete cookies that have already been set; but you need to be aware that you might lose some website functionality. If you don’t want to receive cookies, you can modify your browser so that it notifies you when cookies are sent to it or you can refuse cookies altogether. You can also delete cookies that have already been set.

If you wish to restrict or block web browser cookies which are set on your device then you can do this through your browser settings. The Help function within your web browser should tell you how this is done. Alternatively, you may wish to visit www.aboutcookies.org, which contains comprehensive information on how to do this on a wide variety of desktop browsers.

Data Breaches

In accordance with Article 55 of the GDPR, If a Data Breach occurs that involves Personal Data (PD), then if Jeppesen is acting as the Controller of such Pd, it shall, without undue delay and where possible, provide appropriate notice no later than 72 hourse after having become aware of such data breach.

Jeppesen’s Data Breach Notification shall describe the nature of the PD data breach, the categories and approximate number of data subjects affected, as well as the approximate number of PII data records potentially impacted by such Data Breach. Jeppesen will also descrbe the likely consequences of the PII Data Breach, and notify affected parties of the measures that Jeppesen will take to address the PII Data Breach including but not limited to measures to mitigate its possible advese effects.

If it is not possible to fully disclose the details of a PD Data Breach at the same time, Jeppesen will provide disclosures concerning such PD Data Breach in phases without undue delay. Jeppesen will document any PD Data Breaches, its effects, and the remediation actions taken.

Consent to Transfer, Processing and Storage of Personal Data (PD) – Privacy Shields

As Jeppesen is a global organization, we may transfer your PD to Jeppesen in the United States of America (US), to any Jeppesen subsidiary worldwide, or to third parties and business partners as described above that are located in various countries around the world. By use of our websites and Solutions, or providing any PD to Jeppesen where applicable law permits, you consent to the transfer, processing, and storage of such information outside of your country of residence where data protection standards may be different.

Jeppesen safeguards and enables the global transfer of Personal Data by participation in the:

EU-US and Swiss-US Privacy Shields

Jeppesen participates in and has certified its compliance with the EU-U.S. and Swiss-US Privacy Shield Frameworks and Principles as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union (EU) and Switzerland, respectively. Jeppesen is committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, in reliance on the EU-US and Swiss-US Privacy Shield Frameworks, to the Frameworks’ applicable Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about these Privacy Shield Frameworks, visit the U.S. Department of Commerce's Privacy Shield site.

Jeppesen is responsible for the processing of Personal Data (PD) it receives, under these Privacy Shield Frameworks, and subsequently transfers to a third party acting as an agent on its behalf. Jeppesen complies with the Privacy Shield Principles for all onward transfers of PD from the EU and Switzerland, including the onward transfer liability provisions. In certain situations, Jeppesen may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

With respect to PD received or transferred pursuant to these Privacy Shield Frameworks, Jeppesen is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Physical Location of Data Processing and Personal Data (PD)

PD that Jeppesen processes is transferred to, stored and processed in the United States or any other country in which Jeppesen or its affiliates or subcontractors maintain facilities. The data protection laws in these countries are different from and may be less stringent than those in your country of residence. We take steps to ensure that the data we collect under this Statement is processed according to the provisions of this Privacy Policy and the requirements of applicable laws and regulations wherever the data is located.

What are Your Rights?

Subject to limitations on certain rights, you have the following rights in relation to your information:

• The right to be informed - Organizations must be completely transparent in how they are using personal data.

• The right of access - Individuals will have the right to know exactly what information is held about them and how it is processed.

• The right of rectification - Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete

• The right to erasure - Also known as 'the right to be forgotten', this refers to an individual's right to having their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue.

• The right to restrict processing - Refers to an individual's right to block or suppress processing of their personal data.

• The right to data portability - This allows individuals to retain and reuse their personal data for their own purpose.

• The right to object - In certain circumstances, individuals are entitled to object to their personal data being used. This includes, if a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.

• Rights of automated decision making and profiling - The General Data Protection Regulation (GDPR) has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.

In accordance with Article 77 of the GDPR, you also have the

right to lodge a complaint with a supervisory authority,

in particular in the Member State of your habitual residence, place of work or of an alleged infringement of the General Data Protection Regulation.

Customer California Privacy Rights:

Under California law, Individuals who are California residents are entitled to annually request and obtain information about the Personal Data (PD) shared, if any, with other businesses for their own direct marketing. If applicable, the information would include the categories of PD and the names and addresses of those businesses with which PD was shared for the prior calendar year. To make such a request, please send an email to Privacy@Jeppesen.com Written requests may be sent to Jeppesen, Attention: Data Privacy Office, 55 Inverness Drive East, Englewood, CO 80112-5498. Please note that not all information sharing is covered under the California law, and only information on covered sharing will be included in any response.

You can exercise your rights by writing to:

Jeppesen Sanderson, Inc.

Attention: Data Privacy Office

55 Inverness East

Englewood, CO 80112

Or sending an email to Privacy@Jeppesen.com

Dispute Resolution

Verification, correction or deletion of any Personal Data collected, or to communicate any questions or concerns regarding this Policy or Jeppesen's treatment of Personal Data, please e-mail Privacy@Jeppesen.com, or by writing to Jeppesen, Data Privacy Office, 55 Inverness Drive East, Englewood, CO 80112, USA. Certain information may also be corrected by using the "Account" and "Profile" section of Jeppesen’s websites. Please note that in certain circumstances, Personal Data may not be able to be removed or changed. Upon receipt of formal written complaints, it is Jeppesen's policy to contact the complainant regarding any concerns.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact JAMS, our U.S.-based third party dispute resolution provider, free of charge here.

Changes to this Policy

We reserve the right to make changes to this privacy policy, so please check back periodically for changes. You will be able to see that changes have been made by checking to see the effective date posted at the beginning of the policy. In addition, Jeppesen follows the notice provisions below relative to Minor and Major changes to our Privacy Policy:

Minor changes to our Privacy Policy:

Where we make minor changes to our Privacy Policy, we will update our Privacy Policy with a new effective date stated at the beginning of it. Our processing of your information will be governed by the practices set out in that new version of the Privacy Policy from its effective date onwards.

Major changes to our Privacy Policy:

Where we make major changes to our Privacy Policy or intend to use your information for a new purpose or a different purpose than the purposes for which we originally collected it, we will notify you by email (where possible) or by posting a notice on our website.

We will provide you with the information about the change in question and the purpose and any other relevant information before we use your information for that new purpose.

Wherever required, we will obtain your prior consent before using your information for a purpose that is different from the purposes for which we originally collected it.

How to Contact Us:

If you have access, correction, or deletion request or questions or comments about Jeppesen’s privacy practices, please contact us at Privacy@Jeppesen.com, or mail us at:

Jeppesen Sanderson, Inc.

Attention: Data Privacy Office

55 Inverness Drive East

Englewood, CO 80016

Telephone:

Toll-Free: 1-800-353-2107

Direct: 1-303-799-9090 (ask for Data Privacy Office)

Corporate Changes (Mergers, Acquisitions & Divestures)

In the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets or stock, Jeppesen is likely to disclose your Personal Data to the new owners, subject to a requirement that such information be used only in accordance with this Privacy Policy.

Statement Revision

From time to time, Jeppesen will revise this Statement at its discretion. We note the effective date of the Statement below, so you know when it was last updated. Jeppesen advises you to check back periodically to review the Statement because users of our Services will be prospectively bound by the then-current version of this Statement. Effective Date: May 24, 2018.

JEPPESEN PRIVACY POLICY

Date of Last Revision: June 1, 2018

Jeppesen Sanderson, Inc. and its family of companies (collectively “Jeppesen”) are sensitive to the issue of confidentiality, the protection of Personal Data (PD) and are committed to protecting individual privacy across our range of websites, mobile applications, products, and services. This notice provides information about data we collect, use and share.

This Privacy Policy documents how we at Jeppesen, collect, use, store and share your PD in compliance with applicable law and regulations in multiple jurisdictions. When you access or use our range of websites, mobile applications, products, and services, you acknowledge that you have read this Privacy Policy and understand its contents and any dispute related to such offerings over privacy is subject to this Privacy Policy and out Terms of Service.