Updated January 27, 2025
Academic Travel Abroad (“ATA,” “we,” “our,” or “us”) respects your privacy and protects the personal information we receive from you. We have created this Privacy Notice to identify: (i) how we collect personal information from you; (ii) the types of personal information we collect from you; (iii) how we handle the personal information of children; (iv) who we share that personal information with; (v) how we secure your personal information; (vi) our legal bases for processing your information; (vii) how European data protection law may apply in some limited cases; (viii) your choices about your personal information; and (ix) how to contact us with questions or requests. This Notice applies to all of ATA’s divisions and brands, including CET Academic Programs and Professionals Abroad.
I. How We Collect Personal Information
ATA collects personal information that: (a) you provide to us in connection with the services that we provide to you; (b) we record when you visit any of our websites, interact with promotional emails, or visit online account management systems; and (c) we obtain from third parties, such as social media platforms.
A. Data You Provide
You may directly provide us with personal information when you:
- Submit any form—either hardcopy or electronic;
- Send us, or ask a third party to send us, any personal information; or
- Provide personal information to us through our websites or online account management system.
B. Data Automatically Collected Upon Visiting Our Websites
We may automatically collect or record your personal information when you visit an ATA webpage or interact with a promotional email. This may include data about your hardware devices, geographic location based on IP address, browser type, website use, and referrals to third party websites. To gather this information, we use cookies, web beacons, and flash cookies:
- Cookies. A cookie is a small file placed on the hard drive of your computer. Cookies can collect data regarding your operating system, browser type, device type, mobile device ID, screen resolution, IP address, and other technical information.
- Web Beacons. Our websites, account management systems, and emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs).
- Flash Cookies. Certain features of our websites may use locally stored objects (or flash cookies) to collect and store information about your preferences and navigation to, from, and on our websites.
ATA does not engage in targeted advertising and does not track your online activity over time and across third party websites. Therefore, we do not respond to Do Not Track signals.
Although we do not engage in targeted advertising, some third-party sites may track your browsing activities when they serve you content, which enables them to tailor what they present to you. Third parties may embed content, pixels, or plugins on websites and in emails using tools such as Google Analytics. Facebook “Like” buttons or apps also may allow their operators to use cookie IDs, device IDs, IP addresses, and other technology to learn that you visited our websites or interacted with us. Third parties may use this information to create inferences about you, and they may combine this information with other personal information that they have collected about your visits to other websites or online services. Such third parties handle the personal information that they collect (through their own websites, content, pixels, and plugins) pursuant to their own privacy policies. We are not responsible for the privacy practices of these third parties.
To remove yourself from targeted advertising from third parties, you may consider the following options:
- You can set your browser to refuse all or some browser cookies or to alert you when cookies are being sent. To learn how you can manage your flash cookies settings, visit the flash player settings page on Adobe’s website. If you disable or refuse cookies, some parts of our websites may be inaccessible or not function properly.
- For third parties who are members of the Network Advertising Initiative (“NAI”), you can opt out of receiving targeted ads from them on the NAI’s website.
- You may have additional personal information rights and choices vis-à-vis these third parties based on where you live and the applicable local laws.
C. Data Provided by Social Media
If you contact us on a social media platform for customer support or for other reasons, we may communicate with you via the social media’s direct message tools. Those communications to and from us are governed by this Privacy Notice. However, your use of a social media platform is also subject to the policies and terms of the relevant social media platform. Certain social media platforms may automatically provide us with your personal information, and the information we receive will depend on the terms that govern your use of the social media platform(s) and any privacy settings you may have set.
II. Categories of Personal Information We Collect and Purposes for Processing
The following chart identifies the categories of personal information that we collect and the purposes for collecting and processing.
| Category | Examples | Purpose | Source |
|---|---|---|---|
| Identifiers | Real name, email, phone number, postal address, IP address |
| Customer, user, third parties, vendors |
| Geolocation data | Location based on electronic devices you use to access our services |
| Customer, user, third parties |
| Audio, electric, visual, thermal, olfactory, or similar information | Messages and media (e.g., photographs or video) containing your image or pertaining to your locations and your surrounding environments |
| Customer, user, ATA |
| Inferences drawn from other personal information to create consumer profiles | Marketing data, social media data, preferences; characteristics; psychological trends; predispositions; behavior; attitudes; abilities; or aptitudes |
| Third party services, customer, user |
| Commercial information | Records of personal property and purchasing habits, travel data, flight, hotel, vehicle reservation, and e-tickets |
| Vendors and their employees, customers, and third party providers |
| Professional or employment-related information | Name, address, phone number, email, social and financial account information, tax data, performance data, health data, criminal background, military history, educational information, resumé, credit history, and employment history |
| Applicants, third party services |
| Internet or other similar network activity | Browsing history, search history, IP address, social media data, user profile, cookies, and contact information |
| Customers, users, the social media platform, third party providers |
| Non-publicly available educational information as defined under the Family Educational Rights and Privacy Act (FERPA) and related regulations | Educational background, performance, and goals |
| Customer, user, educational institutions |
| Sensitive personal information | Passports, gender, Transportation Security Administration Redress Number, other government identifiers, medical history, payment information (e.g., credit card number, expiration date), financial information (e.g., FASFA data, and other student financial information) |
| Customer, third party providers |
We retain collected personal data for a reasonable period of time to fulfill the processing purposes identified in this Notice. We then archive it for time periods required or necessitated by law or legal considerations. When archiving is no longer required, we delete personal data from our records.
We do not use your data for automated decision making.
III. Personal Information of Children
Our websites are not intended for use by children under the age of 13. We also do not knowingly collect personal information from children under the age of 18 without parental or guardian consent (“Unauthorized Children”). If we learn we have collected or received personal information from an Unauthorized Child without verification of parental consent, we will delete that information and never knowingly sell it. No Unauthorized Child should provide any information to our websites or online account management systems. If you believe we might have any information from or about an Unauthorized Child, please contact our data privacy office using the information at the end of this Notice.
IV. Sharing Your Personal Information
We protect the personal information that we receive from you and will not share, sell, or use it for a business purpose with third parties, except for the following reasons:
- With your consent.
- To fulfill the purposes for which you provide it to us (for example, for the purpose of processing a transcript through a partner educational institution to award you with credit).
- To promote ATA products in print, online, or in person, by posting information about you, including but not limited to your name, your home educational institution, photos, videos, blogs, posts, or films that include or reference you. Please consult the Terms and Conditions for your program or tour for details on opting out of the use of your information and image in promotional materials.
- If we believe disclosure is necessary or appropriate to protect the rights, property, health, or safety of ATA, our employees, you, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
- To identify, contact, or bring legal action against someone who may be violating our Privacy Notice or Terms of Use or may be causing injury to or interference with (either intentionally or unintentionally) ATA’s rights or property, other ATA users, or anyone else that could be harmed by such activities,
- For any other purpose disclosed by us when you provide the information.
We may, however, share your personal information with our subsidiaries and affiliates for a business purpose to provide you with our services.
We only share, sell, or provide your information for a business purposes with the following categories of third parties:
| Third Party | Type of Disclosure | Information Category | Notes |
|---|---|---|---|
| Travel, transportation, and hospitality companies | Business Purpose | Identifiers, commercial information, sensitive personal information | They support the services we provide to you and are bound by contractual obligations to keep your personal information confidential and may use it only for the purposes for which we disclose it to them and in accordance with our directions (“Third Party Obligations”). |
| Tour providers; host and partner organizations | Business Purpose | Identifiers, commercial information, sensitive personal information | We require them to follow Third Party Obligations. |
| Insurance providers | Business Purpose | Identifiers, commercial information, sensitive personal information | We require them to follow Third Party Obligations. |
| Government authorities, embassies, consulates, law enforcement | Business Purpose | Identifiers, commercial information, sensitive personal information | To comply with any court order, law, or legal process, including to respond to any government or regulatory request |
| High schools, colleges, universities, and other educational institutions | Business Purpose and Sharing | Identifiers, non-publicly available educational information as defined under the Family Educational Rights and Privacy Act (FERPA) | To facilitate the credit-granting process, we share the personal information of high school, pre-college, and college program participants. We generally do not share your personal information with third parties for their direct marketing purposes, except that, with your permission, some of our partner colleges or universities may use this information to market to students. |
We only share sensitive personal information with third parties for permitted purposes under the California Consumer Privacy Act, referred to as “Permitted SPI Purposes.”
In the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of ATA’s assets, your data may be sold to a buyer or other successor, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by ATA is among the assets transferred.
We also may disclose aggregated information about our users or other information that does not identify any individual, without restriction.
V. How We Secure Your Personal Information
We use technical and organizational measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure and to protect its confidentiality. All personal information that you provide to us is stored on secure servers behind firewalls.
We use encryption to protect any sensitive personal information that is transmitted online. You can verify that information transmitted to us electronically is secured by looking for a closed lock icon at the top of your web browser, or by looking for “https” at the beginning of the address of the web page. Any payment transactions and other transfer of data will be encrypted in transit.
Offline, the computers/servers on which we store personal information are kept in a secure environment, and only employees who need the information to perform a specific task are granted access to personal information.
We regularly review our security measures and consider appropriate new security technologies and methods.
As effective as these measures are, no security system is impenetrable. We cannot guarantee the security of your data, nor can we guarantee that the information you provide to us will not be intercepted while being transmitted over the Internet.
The safety and security of your personal information also depends on you. Where we have given you (or where you have chosen) a password to access to certain parts of our services and websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
VI. Legal Bases for Processing your Personal Information
To the extent applicable, our legal grounds for collecting and processing your personal information are as follows:
- To honor our contractual commitments to you: Much of our processing of personal information is to meet our contractual obligations to customers or to take steps at your request in anticipation of entering into a contract with you. For example, we collect and handle personal information on this basis in connection with our tour travel, tour, education, reservation, and ticketing operations.
- Consent:When required by applicable law, and in other cases, we handle personal information on the basis of your consent. You may withdraw your consent at any time.
- Legitimate interests: In many cases, we handle personal information on the ground that it furthers our legitimate interests in providing commercial services to you in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals. For example, we may collect and process personal information to:
- Provide a safe and enjoyable travel and educational experience;
- Provide you with services;
- Engage in marketing;
- Protect you, personnel, or property;
- Analyze and improve our business; or
- Manage legal issues.
We also may process personal information in accordance with the legitimate interests of our service providers and business partners.
- Legal compliance: Under certain circumstances, we may need to use and disclose personal information to comply with legal obligations. We may share data pursuant to a request from law enforcement, a subpoena, or a court order, or when otherwise may be required by law. For example, we may share personal information with the Transportation Security Administration or with law enforcement agencies to legally provide travel services and to safeguard our travelers, students, employees, and partners.
- To protect the vital interests of the individual or others: In some instances, we may collect or share personal information to resolve an urgent medical need or to protect you, travelers, students, employees, or partners.
By using our services, including our websites and online account management systems, and by otherwise providing us with your personal information, you are consenting to our collection, transfer, storage, and processing of that personal information in the United States, which consent you may withdraw at any time.
VII. European Data Protection Law
The General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), is a privacy regulation that imposes obligations on organizations that control or process the personal information of individuals located in the European Economic Area (“EEA”) and provides rights and protections to such data subjects. Similar rights are available to residents of Switzerland through the Swiss Federal Data Protection Act (“Swiss Act”) and to residents of the United Kingdom through the General Data Protection Regulation of the United Kingdom (“UK GDPR”). We are committed to ensuring that the privacy of all data subjects whose data we process is protected as required by law.
Your personal information may be transferred to and processed by recipients that are located inside or outside the European Economic Area (“EEA”), including the United States, where ATA is headquartered. For recipients located outside of the EEA, some recipients may be located in countries with adequacy decisions and, in each such case, the cross-border transfer is recognized as providing an adequate level of data protection from a European data protection law perspective. Other recipients of data might be located in countries that do not provide an adequate level of protection from a European data protection law perspective. In such cases, we will base the transfer on appropriate safeguards, such as standard data contractual clauses adopted by the European Commission or by a supervisory authority, approved codes of conduct together with binding and enforceable commitments of the recipient, or approved certification mechanisms together with binding and enforceable commitments of the recipient.
ATA generally uses approved standard contractual clauses to ensure that personal information is adequately protected when it is transferred out of the EEA, the UK, or Switzerland to the United States. We also may make transfers out of other jurisdictions on the basis of a data transfer agreement, with your permission, or as otherwise permitted by applicable law. ATA will ensure that any transfer of your personal information from the EEA, Switzerland, the UK, or other countries continues to be safeguarded as described in this section and in accordance with applicable law. Please contact us using the contact information at the end of this Notice if you would like to learn more about cross-border transfers of your personal information.
By using our services and providing us with your personal information, you consent to the transfer of your personal information to the United States or to other countries with and without adequacy decisions.
VIII. Your Choices About Your Personal Information
This section identifies some of the rights that you may enjoy regarding your personal information, which may vary depending on the jurisdiction. These rights include:
- Access — You may request that we confirm whether we are processing your personal information. If we are, you may request a copy of your personal information, which we will provide free of charge, together with personal information about the processing, such as the purposes of the processing and the categories of personal information concerned. However, this is not an absolute right and the interests of other individuals may restrict your right of access. We may decline or charge a reasonable administrative cost for requests which are excessive, particularly if they are repetitive.
- Correction — You may edit your personal information when you have access to do so. You may also ask us to change, update, or correct your personal information in certain cases, particularly if it is inaccurate. We may not accommodate a request to change personal information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.
- Deletion — You may request the erasure of your personal information that we store. However, if you have shared your personal information with others or online, we may not be able to delete that data. In some cases, ATA is required to retain information about accidents or other incidents to protect our company, you, and our partners or to comply with a legal obligation. Asking to have your data deleted also may prevent you from participating in an ATA program.
- Restrict Processing — You may ask us to restrict the processing of your personal information under certain circumstances, such as if your personal information is inaccurate or unlawfully held.
- Data portability — You may ask for a copy of the personal information you provided to us in a structured, commonly-used, and machine-readable format, and you may have the right to transmit this data to another entity.
- Object — Under certain circumstances, you may object to the processing of your personal information on grounds relating to your particular situation. If you have a right to object and you exercise this right, your personal information will no longer be processed for such purposes by us, unless there are overriding compelling legitimate grounds for the processing or as otherwise provided or required under applicable law.
- Opt-Out — You may opt out of allowing us to share or sell your personal information for cross-context behavioral advertising. You can opt out by clicking the “Your Privacy Choices” link below or by using the contact information listed in Section IX Contact Us.
You have a right not to receive discriminatory treatment from ATA for the exercise of your privacy rights conferred by law. You may also have the right to lodge a complaint with a supervisory authority, depending on where you reside (e.g., if you are a resident of the European Economic Area). To exercise your rights, please follow the instructions provided in Section IX “Contact Us” below.
If you would like to exercise your right to opt out of cross-context behavioral advertising, please follow the Section IX instructions or click the button below:
Do Not Sell or Share My Personal Information
Any marketing communications that you receive from ATA will include an unsubscribe feature. You can choose to no longer receive marketing emails without affecting your ability to participate in an ATA program. However, opting out of all ATA communications will prevent your participation in an ATA program in most cases, and, in some cases, you may forfeit payments already made to ATA according to the terms of your program.
IX. Contact Us
Any request you make to our Data Privacy Office should include your name, email address, phone number, mailing address, and any other information that may identify you, such as the booking reference (e.g., confirmation number or record locator number), the dates on which the travel took place (or will take place), and any other relevant information that will help us identify you. For certain requests, you must also provide a photocopy of your passport or driver’s license so we can verify your identity.
To exercise your rights under applicable privacy law, to raise a privacy concern, or to make a data-related request, please submit your request to our Data Privacy Office at [email protected], by calling 800.556.7896, or writing to the following mailing address:
Data Privacy Office
Academic Travel Abroad, Inc.
1155 Connecticut Avenue NW, Suite 300
Washington, DC 20036
For basic requests (like a change of address), you can also reach our customer care representatives at 800.556.7896.
You also may use an authorized agent to submit a request to know or a request to delete personal information. If you use an authorized agent to submit a request, ATA may require that you provide the authorized agent with written permission to do so and that the authorized agent verify their identity. ATA may deny a request from an agent that does not submit proof that they have been authorized by the consumer to act on their behalf.
For California residents, if you want an authorized agent to submit a “Delete My Personal Information,” “Access My Personal Information,” or “Do Not Sell My Personal Information” request on your behalf, the authorized agent must provide proof of their registration with the California Secretary of State, as well as proof that you gave the authorized agent written permission to submit the request(s) on your behalf. We also may require you to verify your identity with us.
For residents of all locations outside of California, to act on a data subject request made by an authorized agent, ATA requires a notarized power of attorney for information about adults, or for requests about the information of minors, a notarized birth certificate or other official document proving the requester’s relationship to the minor. Additional proof of identity and relationship to the data subject may also be required.
X. Effective Date and Amendments
Any changes to this Privacy Notice will be posted on our websites. This Notice was last revised and is effective as of the data identified above at the beginning of this Notice. Any personal information that we collect will be used in accordance with the Privacy Notice in effect at the time that the information was collected. If we make material changes to how we treat your personal information, we will notify you by email to the email address specified in your account or through a notice on our websites’ home or landing pages. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our websites and this Notice to check for any changes.
