PRIVACY POLICY

Points International Ltd., Points.com Inc., Points International (UK) Limited, Points International (U.S.) Ltd., Points Development US Ltd. and Points Travel Inc. (each a "Points Affiliate", and collectively, "Points", "we", "us" or "our") take your privacy seriously. This privacy policy describes how we collect, use and disclose your personal information in connection with your use of www.points.com ("Points.com"), pointshound.com ("PointsHound.com"), company.points.com (together with Points.com and PointsHound.com and our mobile applications, our "Sites").

By using our Sites, you consent to our collection, use and disclosure of your personal information as outlined in this policy. Your consent is the legal basis for our use of your personal information. You can withdraw your consent at any time. However, if you withdraw your consent to certain uses, we may no longer be able to provide our services to you.

This policy is divided into three general areas: (i) how we process your information; (ii) your rights with respect to your personal data; and (iii) information on cookies, third party sites, security measures and similar issues that may impact personal data. At the end of the policy, we provide you with information on how to contact our Data Privacy Officer and, for those individuals residing in the European Economic Area, our EU Representative.

Who We Collect Information From

We collect personal information from:

Children

Our Sites are not intended for children. If we become aware that we have inadvertently received or collected personal information pertaining to a child under the age of consent in the country where the child is located without valid consent, we will delete such information from our records.

What Personal Information We Collect

We may collect personal information which includes:

Apps

When you use our mobile applications, we collect and use information about you in the same way and for the same purposes as we do when you use our Sites. Our mobile applications also use the unique device identifier for the device on which you have installed our mobile application, as well as error reporting information if the application stops working properly.

Partners

We may also receive personal information about you from our loyalty program and redemption partners (collectively, our "Partners") to the extent that you have given consent to the Partner to provide us with such Personal Information.

Special Categories of Personal Data

We do not process special categories of data, namely, sensitive personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

How We Use Personal Information

We will only collect and use your personal information for the following purposes, except as permitted or required by applicable law:

Limited to Disclosed Purposes

We limit the collection, use, and disclosure of personal information to that which is needed to achieve the above noted purposes.

Special Note on Profiling

We may analyse your personal information (including through the use of automated processes) in order to create a profile of your interests and preferences so that we can contact you with information or to offer you services that are relevant to you. We may make use of additional information about you when it is available from our Partners and other external sources to help us do this effectively. We may also use and analyse your personal information to detect and reduce fraud and credit risk.

Who We Disclose Personal Information To

We will only disclose your personal information in the following circumstances, except as permitted or required by applicable law:

Service Providers

All Points service providers are contractually bound to keep your information secure. Our service providers can use, store and disclose your personal information solely for purposes for which it is disclosed to them (to provide us with services).

Business Transactions

We may use and disclose your personal information in connection with the proposed or actual financing, sale or other business transaction involving part or all of our business or assets. Such use and disclosure would be for the purpose of allowing third parties to determine whether to proceed with the proposed transaction, and if the transaction proceeds, for the purpose of completing the transaction. Assignees or successors to our business or assets may use and disclose your personal information for the purposes described in this policy. You will be notified via email and/or a prominent notice on our Sites of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.

Other Data Protection Laws and Privacy Policies Impacting Personal Data

Points, our Partners and our service providers are located in various jurisdictions including, among others, Canada, the United States and the European Union and, as a result, your personal information may be stored, processed or transferred into or out of these countries. The data protection laws in these countries may be different to those in your country and your information may be subject to access by the regulatory authorities in, and to the laws of, those other jurisdictions.

When you provide personal information to us, we may be required, in order to provide you with services, to provide that personal information to our Partners and other third parties, such as hotels and airlines who provide services accessed through our Sites. Those companies are not contractually bound to comply with the Points privacy policy. Our Partners and other third parties use and disclose your personal information according to their own policies and for their own purposes. We encourage you to read our Partners' privacy policies before obtaining their products or services through our Sites.

In addition, in some circumstances, Points is not collecting your personal information for Points use, but instead is acting as a service provider or data processor to one of our Partners. In those circumstances, your personal information is governed by the privacy policy of the Partner.

Data Retention

We will retain your personal information for as long as

If you wish to cancel your account or request that we no longer use your information to provide you services, contact us at dpo@points.com.

Accuracy of Your Personal Information

We will use commercially reasonable efforts to ensure that your personal information is correct, complete and up-to-date to the extent we are notified of any changes by you. You can review and update your personal information on our Sites. You can assist by keeping us informed of any changes, or informing us if you find any errors in our information about you. If we have disclosed inaccurate information about you to a third party that you are aware of, we would be pleased to contact the third party in order to correct the information upon your request.

Your Rights with Respect to Your Personal Information

If you wish to change any of your personal information we have on file in our records, other than that available to you and capable of being modified through the Services, you may contact our Privacy Officer as noted at the bottom of this page. To protect your privacy and security, we may take reasonable steps to verify your identity prior to making corrections.

You are entitled to be informed of and have access to any of your personal information in our custody or control. Upon written request to our Privacy Officer as noted at the bottom of this page, we will provide you with your personal information under our custody or control, as well as information regarding how your personal information is being used and the identity of any third party(s) to whom that information has been disclosed. Please note that we may not be able to provide access to personal information in certain circumstances, such as if the personal information was collected for the purposes of an investigation, if disclosure would reveal the personal information of a third party, or if prohibited by law. To protect your privacy and security, we may take reasonable steps to verify your identity prior to providing such access.

Rights of European Data Subjects

In addition to rights with respect to your personal data already noted elsewhere in this policy, for those individuals residing in the European Economic Area, you have certain additional rights under the General Data Protection Regulation (GDPR):

Restrictions on Further Processing

You have the right, where there is a dispute in relation to the accuracy or basis of processing of your personal data, to request a restriction on further processing by us.

Erasure

You have the right to erasure of your personal data (“right to be forgotten”) in certain circumstances.

Data Portability

You have the right to request that personal data that you have provided to us be returned to you, or be provided to another third party of your choice, in a structured, commonly used and machine-readable format.

Automated Decision-Making

You have the right not to be subject to a decision based solely on automated decision-making. In connection with such right, you may have the right to request human intervention with respect to such automated decision-making, as well as express your point of view or contest any such automated decision-making.

Opt-out of Direct Marketing / Profiling

You may elect to “opt out” of direct marketing activities, including any profiling we may conduct for direct marketing purposes. Accordingly, we may rely on your consent permitting us to process your information in accordance with this policy for direct marketing, including profiling for direct marketing, unless you take affirmative action to opt out of such processing. You may opt out at any time by contacting our Data Privacy Officer or EU Representative, as provided further below.

Lodge Complaints with Supervisory Authorities

You have the right to lodge a complaint with a data protection supervisory authority in your country.

Cookies and JSON Web Tokens

A cookie is a small text file that is stored on a user's computer for record-keeping purposes. JSON web tokens, or JWT tokens, are authentication confirmations that are used to authenticate a user. We use both session ID cookies and persistent cookies, as well as JWT tokens on our Sites. Session ID cookies expire when you close your browser. Persistent cookies remain on your hard drive for an extended period of time. You can remove persistent cookies by following directions provided in your Internet browser's "help" file. Cookies provide us with information on your use of our Sites, including the time and length of your visit, the pages you look at on our Sites, the website you visited just before coming to ours, and the name of your Internet service provider.

We use session cookies and tokens to make it easier for you to navigate our Sites. We use persistent cookies and tokens to store your username, so you don't have to enter it more than once, and to track and target your interests, to evaluate the performance of our Sites, and to tailor promotions and other marketing messages to you and enhance your experience on our Sites.

You can reject cookies by adjusting the preference settings in your browser. If you reject our cookies, you may not be able to take full advantage of certain features available on our Sites, such as contests and surveys. You can learn more about interest-based advertising by visiting http://www.networkadvertising.org/managing/opt_out.asp and http://www.aboutads.info/choices.

Clear Gifs

Clear gifs (also known as tracking pixels or web beacons) are tiny graphics with a unique identifier, similar in function to cookies. They are used to track the online movements of users. In contrast to cookies, which are stored on a user's computer hard drive, clear gifs are embedded invisibly on web pages and are about the size of the period at the end of this sentence.

We and our service providers use clear gifs to help us better manage content on our Sites, by informing us what content is effective, and to gauge the effectiveness of certain communications and marketing campaigns. For instance, we use clear gifs in our HTML-based emails to let us know which emails have been opened by recipients and to allow us to serve you related advertising on the Internet.

Links to Third Party Sites

We may provide links or references to third party sites whose privacy practices may differ from those of Points. You may navigate to a Points site through a link from a Partner or other third party site. Points assumes no responsibility for the content or the privacy policies of those Partner or third party websites. Please be aware that when you follow any links to another site not owned or operated by Points and submit personal information to any of those sites, you are subject to their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.

Social Media Features

Our Sites include social media features, such as the Facebook button and widgets, among other things. These features may collect your IP address, track which page you visit on our Sites, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our Sites. Your interactions with these features are governed by the privacy policy of the company providing it. We encourage you to carefully read the privacy policy of any company that provides the features you choose to interact with.

Security Measures

We take reasonable measures, including administrative, physical and technical safeguards, to protect your information from loss, theft, misuse, unauthorized access, disclosure, alteration and destruction. Personal information uploaded to our Sites is transmitted to us using industry standard encryption, which creates a private conversation between your computer and our Sites. We authenticate our Sites and enable TLS/SSL encryption to protect your sensitive data and transactions.

Nevertheless, Points cannot absolutely guarantee that unauthorized third parties will never be able to defeat our security measures or use your personal information for improper purposes. In the event that your personal information in our possession or under our control is compromised as a result of a security breach, we will take reasonable steps to investigate the situation and, where appropriate, notify you and take other steps in accordance with applicable laws or regulations.

Remember that email sent over the Internet is generally unencrypted and transmitted in clear text. We recommend that you use caution when forwarding free-format email messages to us and that you do not include confidential information (such as unique user IDs, passwords or personally identifiable information) in those messages. Confidential information should be transmitted to us through other secure methods such as by telephone.

Revision of Policy

This policy may be revised from time to time. We will notify you of material changes prior to such material change being effective, either by e-mail at the address you have provided to us in connection with your registration on our Sites or by a prominent notice on our Sites. Your continued use of our Sites or failure to cancel your account on our Sites following such notification shall constitute your acceptance of the revised policy. We encourage you to periodically review this page for the latest information on our privacy practices.

Disputes and Complaints

This policy is subject to our Terms of Use, including terms regarding the governing law and the resolution of any disputes between you and Points.

If you have a complaint with respect to our privacy policy, please contact us as provided below. For those individuals residing in the European Economic Area, you also have the right to lodge a complaint with a data protection supervisory authority in your country.

Contacting Us

The Data Privacy Officer is accountable for our compliance with this privacy policy and applicable privacy legislation.

If you have questions, comments or complaints with respect to our privacy policy or if you wish to request access to, or correction or deletion of your personal information under Points' care and control, please contact the Data Privacy Officer at:

Data Privacy Officer
dpo@points.com
Points.com Inc.
111 Richmond St. W., Suite 700
Toronto, ON, M5H 2G4
Canada
1-416-595-0000

In addition to contacting our Data Privacy Officer, individuals residing in the European Economic Area may contact our EU Representative at:

EU Representative
EURepresentative@points.com
Points International (UK) Limited
c/o
Points.com Inc.
111 Richmond St. W., Suite 700
Toronto, ON, M5H 2G4
Canada
1-416-595-0000

Points will respond to your request for access in accordance with applicable privacy legislation.

This Privacy Policy was last updated on May 9, 2018.