Privacy Notice
Last updated and effective date: 6 May 2026
This Privacy Notice includes important information about your personal data, and we encourage you to read it carefully.
Welcome to the OAG Privacy Notice
The purpose of this OAG Privacy Notice ('Notice') is to inform you about how we collect, use, and protect your personal data. It also outlines your rights as a data subject, identifies the relevant data controllers, and provides contact details for any questions or concerns.
By understanding our practices, you can be assured that your data is handled with care and in compliance with applicable laws.
This Notice applies to you if you interact with OAG in any of the following ways:
- Visitors – people who visit or interact with our websites.
- Prospects – people engaging with us through sales, marketing, events, or webinars.
- Customers – customers or representatives of organisations with which we have a commercial relationship.
- Business Partners – individuals collaborating with us for business purposes.
- Suppliers – individuals or representatives of organisations providing services to us.
- Others – anyone who contacts us with questions, complaints, feedback, or other enquiries.
This Notice does not apply to job candidates. Please refer to our Candidate Privacy Notice.
Where required under local data protection or privacy laws, country-specific privacy information is provided in a separate notice, as applicable.
1. Who We Are
OAG is a leading data platform for the global travel industry.
This Notice covers the processing of personal data carried out by OAG Aviation Worldwide Limited, registered in England and Wales, No. 08434134, registered address at 1 Capability Green, Luton, Bedfordshire, LU1 3LU, United Kingdom, and its affiliated group companies, including:
- OAG Aviation Worldwide Limited – United Kingdom
- OAG Aviation Worldwide LLC – United States
- OAG Aviation Worldwide Pte Ltd – Singapore
- OAG Aviation Worldwide, UAB – Lithuania
- Infare Solutions A/S – Denmark
- Infare VNO, UAB – Lithuania
- Infare BER GmbH – Germany
- Air Cube SAS – France
The entity with which you have a direct relationship acts as your data controller. OAG Aviation Worldwide Limited is the data controller for personal data collected through our websites.
Further information about our group companies is available at oag.com/office-locations
2. How to Contact Us
If you have any questions about this Notice or how we handle your personal data, please get in touch:
| Address | OAG Aviation Worldwide Limited, 1 Capability Green, Luton, Bedfordshire LU1 3LU, United Kingdom (Attn: Legal Department / Privacy) |
| privacy@oag.com | |
| Phone | +44 (0)1582 695050 |
Our Data Protection Officer is Sonya Stephens, who can be contacted at privacy@oag.com
To submit a data rights request, please use our online privacy rights form.
3. What Personal Data We Collect
We collect the following types of personal data, depending on how you interact with us:
| Type of data | What it means |
| Identity Data | Name, username, user ID |
| Contact Data | Email, phone, company, job title |
| Account & Subscription Data | Account details, data products/services purchased, payment method type, billing address, transaction history |
| Technical Data | IP address, device, browser, login data, session data, time zone, general location, cookies / tracking identifiers |
| Usage & Analytics Data | How you use our websites, data products, applications, feature usage, clicks, navigation paths |
| Preferences & Marketing Data | Marketing preferences, feedback, survey responses |
| Communication Data | Emails, messages, call recordings, transcripts, meeting metadata |
| Other Data | Any other information you choose to share with us |
How we collect your data
OAG collects personal data directly from you, from the entity with which you are affiliated, and through your interactions with our websites or applications. You may provide your contact details by filling out online forms, contacting us by post, phone, or email, participating in online calls or meetings, subscribing to our publications, requesting marketing communications, providing feedback, or submitting a complaint or comment.
The type of personal data we collect depends on the products and services you use, the actions you take, and whether you submit a support request or seek further information. We collect this data either independently or through external third parties (e.g. analytics providers, CRM tools), including tracking technologies (further detail in Section 12 (Cookies & Web Analysis)).
In this Notice, 'personal data' refers to any information that can identify, relate to, describe, or reasonably be linked – directly or indirectly – to a specific individual. This does not include aggregated or de-identified data that cannot reasonably be connected to an individual.
We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data).
4. Why We Use Your Data and Our Legal Basis
We process your personal data only where we have a lawful basis. The bases we rely on are:
- Contractual necessity – to perform a contract with you or your organisation, or to take steps before entering into one.
- Legitimate interests – to improve and develop our data products, analyse usage, personalise your experience, conduct research, communicate with you, maintain security and network and platform integrity. We apply this basis only where our interests are not overridden by your rights.
- Legal compliance – to meet our legal and regulatory obligations.
- Consent – for analytics, marketing, improving customer interactions, and user surveys. You can withdraw your consent at any time, without affecting the lawfulness of any processing carried out prior to your withdrawal, by contacting us at privacy@oag.com
- Vital interests / public task – in rare cases where processing is necessary to protect someone's life or carry out a task in the public interest.
- Automated decision-making and profiling – we may analyse your personal data to build a profile of your interests and preferences in order to personalise your experience and tailor our communications. This profiling does not involve solely automated decision-making that produces legal or similarly significant effects. Where we use automated processes that do produce such effects, we will inform you separately and ensure appropriate safeguards are in place, including your right to request human review.
5. How We Use Your Data, and How Long We Keep It
The table below sets out our main processing activities, the data involved, our legal basis, and how long we retain it.
| Purpose | Data we use | Legal basis | How long we keep it |
| Making our websites available; managing security; personalising your browsing; supporting email campaigns, event sign-ups, and content downloads | Technical, usage and analytics, preferences and marketing, other data | Legitimate interests; contract performance; consent | Retained for as long as necessary for the relevant purpose, or until consent is withdrawn. Cookie data: see Section 12 (Cookies and web analytics) below. |
| Providing data products and services; processing transactions; developing our business; ensuring security; complying with legal obligations; establishing or defending legal rights | Identity, contact, technical, account and subscription, usage and analytics, preferences and marketing, communication, other data | Contract performance; legitimate interests; legal compliance | Core account and subscription data is retained for up to 6 years after the end of our engagement with your organisation (plus until 30 January of the following year), unless a longer period is required by applicable law. Other categories of data are retained for shorter periods proportionate to the purpose for which they were collected. |
| Setting up, administering, and supporting your account | Identity, contact, account and subscription, technical, usage and analytics data | Contract performance; legitimate interests | Core account and subscription data is retained for up to 6 years after the end of our engagement with your organisation (plus until 30 January of the following year), unless a longer period is required by applicable law. Other categories of data are retained for shorter periods proportionate to the purpose for which they were collected. |
| Managing your customer experience; personalising communications and recommendations | Identity, contact, account and subscription, technical, usage and analytics, preferences and marketing, communication, other data | Contract performance; legitimate interests (and consent where required for marketing or cookies) | Retained for as long as necessary for the relevant purpose, or until consent is withdrawn. Cookie data: see Section 12 (Cookies and web analytics) below. |
| Managing supplier and business partner relationships; performing contracts; ensuring security and compliance; establishing or defending legal rights | Contact data | Contract performance; legitimate interests; legal compliance | Up to 6 years after our engagement ends (plus until 30 January of the following year). The exact retention period may vary depending on the applicable laws in different jurisdictions within our group. |
| Direct marketing: newsletters, product updates, event highlights, promotions | Contact, preferences and marketing, communication, other data | Consent; legitimate interests | Deleted after 2 years of inactivity or on consent withdrawal (core opt-out details retained) |
| Organising events, webinars, or meetings | Contact, other data | Consent; legitimate interests | Deleted 1 year after the event if no further activity occurs |
| Responding to your queries, requests, complaints, or other communications | Contact, other data | Legitimate interests | Deleted 1 year after the communication if no further activity occurs |
| Other legitimate business purposes | Identity, contact, account and subscription, technical, usage and analytics, preferences and marketing, communication, other data | Legitimate interests | Retained for as long as necessary for the relevant purpose |
Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a compliance investigation or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, tax, accounting or other requirements.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Change of purpose
We will only use your personal data for the purposes for which it was collected. If we need to process it for an unrelated purpose, we will notify you and explain the lawful basis. In certain circumstances, we may process your data without your knowledge or consent where required or permitted by law.
6. Who We Share Your Data With
We may share your personal data with the following categories of recipients, as necessary for the purposes described in this Notice:
- OAG entities – other group companies in the UK, Europe, and worldwide, under an intra-group data sharing agreement.
- Authorised OAG representatives – individuals responsible for commercial activities and contractual performance.
- Third-party service providers – including professional advisers, auditors, IT and system administrators, hosting providers, analytics, marketing, security, and storage providers. All are bound by appropriate data processing agreements.
- Regulators, law enforcement, and government agencies – where required by law.
This list is non-exhaustive; there may be additional instances where we need to share personal data to provide services efficiently or comply with legal obligations.
When engaging third parties, we take all necessary steps to ensure they implement appropriate technical and organisational measures to protect your personal data.
7. International Transfers
To effectively deliver our data products and services, we may transfer your personal data beyond the jurisdiction where it was provided, including transfers within and outside the UK and EEA. When transferring data outside these regions, we implement appropriate safeguards to ensure its protection and security in compliance with applicable data protection laws.
Our agreements with third-party service providers processing data outside the UK and EEA include, as appropriate, EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), each supported by a data protection test to confirm that the standard of protection in the destination country is not materially lower than that provided under UK law, in accordance with the Data (Use and Access) Act 2025. Where personal data is transferred between the UK and EEA countries (or vice versa), we rely on applicable adequacy decisions (including the UK adequacy regulations for EEA transfers and the EU–UK adequacy decision for transfers from the EEA to the UK) as the lawful transfer mechanism.
If you would like more information about our international transfer arrangements, please contact us.
8. Data Security
We take the security of your personal data seriously and have implemented a range of technical and organisational measures, including:
- Employee training on privacy obligations and data handling
- Access controls on a need-to-know basis
- Technological safeguards including firewalls and anti-virus software
- Encryption of personal data in transit and at rest
- Physical security measures including access passes for our facilities
- Regular security audits and vulnerability assessments
- Authentication mechanisms for sensitive systems
- Incident response procedures, including breach notification to you and regulators where legally required
While we take appropriate security measures, no internet transmission (including email) is entirely risk-free. We will always strive to protect your data, but absolute security cannot be guaranteed.
9. Your Data Protection Rights
Depending on your location and applicable law, you have the following rights in relation to your personal data:
| Your right | What it means |
| Access | Request a copy of the personal data we hold about you |
| Correction | Ask us to correct inaccurate or incomplete data |
| Erasure | Ask us to delete your personal data in certain circumstances |
| Restriction | Ask us to limit how we use your data in certain circumstances |
| Objection | Object to processing based on legitimate interests or for direct marketing |
| Portability | Receive your data in a structured, machine-readable format and transfer it to another provider (where applicable) |
| Withdraw consent | Where we rely on consent, withdraw it at any time (without affecting prior processing) |
| Automated decision-making and profiling | Request human review of, or contest, any decision made solely by automated means (including profiling) that produces legal or similarly significant effects for you. This right applies where we engage in such processing. |
| Complaint | You have the right to lodge a complaint with us at privacy@oag.com or through our privacy rights request form. We will acknowledge and respond to your complaint within 30 days. If you are not satisfied with our response, you may escalate your complaint to a supervisory authority (e.g. the UK ICO or your local EU data protection authority). |
To exercise any of these rights, please use our privacy rights request form or contact us.
10. Direct Marketing
With your consent, or on the basis of our legitimate interest where you are an existing contact, we may send you marketing communications about our services, data products, events, and publications.
You can opt out of marketing messages at any time by:
- Clicking the 'unsubscribe' link in any marketing email
- Emailing us at privacy@oag.com
- Using our privacy rights request form
Once you opt out, we will update your profile to stop marketing messages. You will continue to receive communications directly related to services you use.
11. Social Media
OAG maintains accounts on the following social media platforms. Each platform has its own privacy policy, which we encourage you to review:
- LinkedIn – OAG | Privacy policy: linkedin.com/legal/privacy-policy
- X (Twitter) – @OAG_Aviation | Privacy policy: x.com/en/privacy
- Instagram – @OAG_Aviation | Privacy policy: help.instagram.com
- Facebook – OAG Aviation | Privacy policy: facebook.com/privacy/policy
12. Cookies and Web Analytics
Cookies are small text files stored on your device when you visit a website. We use cookies to improve your browsing experience, understand how our sites are used, and deliver relevant content.
Our websites use different types of cookies. Some cookies are placed by third party services that appear on our pages:
| Type | What it means |
| Necessary cookies | Essential for our websites to function correctly. These cookies cannot be switched off as they are required to deliver the service you have requested. |
| Preference cookies | Remember your settings and choices (e.g. language, region) to improve your browsing experience. |
| Statistics cookies | Help us understand how visitors interact with our websites by collecting aggregated information about usage patterns. This information is used solely to improve our website and services and does not identify individual visitors. |
| Marketing cookies | Used to track visitor behaviour across our website and, where you are a known contact of OAG, to link that behaviour to your profile for sales, marketing, and personalisation purposes. |
| Unclassified cookies | Cookies that we are in the process of classifying, together with the providers of individual cookies. |
You can manage your cookie preferences by:
- Using the cookie banner on our websites
- Adjusting your browser settings (Chrome, Firefox, Safari, etc.)
- Opting out of third-party tracking (e.g. Google Analytics) through their respective settings
- Clicking the Cookiebot consent icon at the bottom left of our websites to open your cookie preferences
Note: disabling certain cookies may affect website functionality.
13. Children's Privacy
Our websites, data products and services are not directed at children under the age of 13, and we do not knowingly collect personal data from children. If we discover that we have inadvertently collected data from a child without appropriate consent, we will delete it promptly.
14. Requesting this Notice in Another Language or Format
If you would like this Notice in another language (where available) or in an accessible format due to a disability, please contact us.
15. Changes to the Notice
We review this Notice regularly and may update it to reflect changes in law, regulatory guidance, or our practices. The latest version will always be available on our websites. Where practicable, we will notify you by email of significant changes. We encourage you to review this Notice periodically.