Privacy Policy

Points International Ltd., Points.com Inc., Points International (UK) Limited, Points International (U.S.) Ltd., Points Development US Ltd. and Points Travel Inc. (each a "Points Affiliate", and collectively, "Points", "we", "us" or "our") take your privacy seriously.

This Privacy Policy (“Privacy Policy”) sets out our practices with respect to the collection, use, disclosure of the personal information of individuals ("you", “your”) who interact with us, including when you visit or view one of our websites at www.points.com ("Points.com"), pointshound.com ("PointsHound.com"), company.points.com (together with Points.com and PointsHound.com and our mobile applications, our "Sites"), establish a relationship with us, sign up to receive communications or sign up for or use any Points services, subject to certain exclusions as more fully explained in the “Scope of this Privacy Policy” section below. This Privacy Policy also sets out the rights you may have with respect to your personal information.

At the end of the Privacy Policy, we provide you with information on how to contact our Data Privacy Officer and, for those individuals residing in the European Economic Area, our EU Representative.

Please read this Privacy Policy carefully to understand our policies and practices for collecting, processing, and storing your personal information. By accessing or using our Sites or our services, or otherwise interacting with us, you consent to our collection, use and disclosure of your personal information as outlined in this Privacy Policy. Your consent is the legal basis for our use of your personal information. You can withdraw your consent at any time. However, if you withdraw your consent to certain uses, we may no longer be able to provide our services to you.

What is “Personal Information”?

In this Privacy Policy, the term “personal information” means any information that relates to you as an identified or identifiable individual (i.e., a natural person). It includes “personal information” “personally identifiable information” and “personal data” as each of those terms are defined in applicable privacy and data protection laws. It may also include other types of more technical information, but only when this information can be used to identify an individual. Information that is aggregated and/or anonymized, or otherwise cannot be associated with an identifiable individual is not considered to be personal information.

Scope of this Privacy Policy

We collect personal information from:

• visitors to our Sites;
• individuals who establish a relationship with us by telephone, sign up to receive communications or who sign up for or use any Points services; and
• customers of those of our third-party our loyalty program and redemption partners who have engaged us to deliver services on their behalf (collectively, our "Partners"), to the extent that you have given consent to the Partner to provide us with such personal Information.

This Privacy Policy sets out our practices with respect to the collection, use, disclosure of the personal information of individuals who fall into the first two categories. This Privacy Policy does not address our processing of personal information of customers of our Partners.

Some laws distinguish between a “controller” on the one hand, and a “processor” or “service provider” on the other (or similar terms). With respect to personal information that we collect, use, disclose or otherwise process on behalf of our Partners, we are service providers or processors for the purposes of such laws. When Points processes personal information in this way, we are acting at the direction of the Partner, and the Partner's terms of service and privacy policy apply—not ours.

For more information about how a Partner collects, uses and discloses your personal information as a customer of that Partner, please review that Partner's terms of service and privacy policy.

Children

Our Sites are not intended for children. If we become aware that we have inadvertently received or collected personal information pertaining to a child under the age of consent in the country where the child is located without valid consent, we will delete such information from our records.

What Personal Information We Collect

We may collect personal information which includes:

• user account information that you upload on our Sites, such as your picture, name, home address, email address and phone number;
• loyalty program account information for the third party loyalty programs you register with our Sites, including your program account numbers, passwords and balances, and details of buy, sell, trade and redemption transactions involving those loyalty programs;
• information for travel bookings through our Sites, including personal information of people you make reservations or bookings for using our Sites. It is your responsibility to obtain the consent of other individuals prior to providing us with their personal information;
• information about any other services booked or purchases made through our Sites;
• purchase and sale transaction information such as your credit card information and the details of your transaction;
• information contained in any email messages, questions, comments, complaints or requests you send us;
• your current geographic location;
• your IP address;
• information related to your use of our Sites or services, including the hardware, software or internet browser you used, and information about your computer’s operating system, such as application versions and your language settings, as well as device identifiers and error reporting information from devices on which you use our apps;
• information about which pages have been shown to you, site navigation details and links on our Sites that you follow;
• information you submit to our Sites in connection with sweepstakes, contests, surveys and other promotions offered by us; and
• information, including images, contained in posts you make about Points and its services on publicly accessible websites, blogs, mobile applications and/or community forums.
Special Categories of Personal Information

Certain jurisdictions have laws that define special categories of personal information. For the purposes of those laws, we do not process special categories of personal information, namely, personal information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

How We Collect Personal Information

We collect personal information in a variety of ways, including:

• Directly from you, such as when you visit our Sites or interact with us by mail, email, over the telephone, or in any other direct manner.
• Through technologies we use online, such as when you interact with our websites, marketing emails, social media accounts, online advertising, or through the use of our or a third party’s technologies, which include cookies, web beacons or single pixel gifs or analytics engines. The technologies we use include
  • Cookies and JSON Web Tokens (please see the section entitled “Cookies and JSON Web Tokens” below).
  • Clear GIFs (please see the section entitled “Clear GIFs” below).
  • Web analytics tools such as Google Analytics, which uses cookies to analyze your use of our website, to create reports about visitor and user activities for us and to provide further services associated with the use of our website.

Please note that third parties involved in providing these technologies may use tracking methods such as but not limited to cookies to achieve their own business goals and purposes by relating and combining information about your usage of our website to any other personal data they may have collected on you. We encourage you to review the privacy policies of third parties as well.

How We Use Personal Information

We may use your personal information for the following purposes, except as otherwise permitted or required by applicable law:

• allowing you to track, manage and access your loyalty points and miles on our Sites;
• allowing you to gather and view your travel information on our Sites;
• processing transactions that you have submitted to us and displaying your account history to you;
• providing customer service;
• for improved service, when you make calls to our Customer Service Team, relating your telephone number to your existing reservations using an automated telephone number detection system;
• communicating with you by email, mail and phone to handle any requests you or your booked accommodations have made; and
• acknowledging your comments and/or replying to your questions, complaints and requests
managing our operations, including:
• deploying and managing our information technology applications and systems, including managing our Sites;
• operating and maintaining, and improving the performance and utility of, our services;
• generally managing and administering our business;
• notifying you of changes to our services, terms, conditions or policies and to provide you administrative messages, updates, legal notices, technical notices or security alerts;
• meeting our contractual and legal obligations (including accounting, taxes and other legal or regulatory compliance obligations);
• maintaining the security of the public, our users and our employees; and
• preventing and protecting ourselves and third parties from errors, fraud and credit risk;
marketing, including
• providing you with information on and direct marketing of special offers or promotions (including sweepstakes and contests) that we believe may be of interest to you;
• serving advertisements to you in various marketing channels, including but not limited to social media, search engines, mobile apps, and various websites including our own Sites; and
• notifying you of offers of Points products and services that may be of interest to you;
research and analytics, including:
• market research: we sometimes ask our customers to take part in market research. Any additional personal details that you give us as part of the market research will be used only with your consent;
• profiling and analytical purposes, including marketing and website analytics, in order to optimize and customize our online platform to your needs, as well as the products and services marketed to you, and to make the Sites easier to use; and

any other purpose to which you may consent in the future.

Limited to Disclosed Purposes

We limit the collection, use, and disclosure of personal information to that which is needed to achieve the above noted purposes, except as otherwise permitted or required by applicable law.

Special Note on Profiling and Automated Processing

We may analyse your personal information (including through the use of automated processes) in order to create a profile of your interests and preferences so that we can contact you with information or to offer you services that are relevant to you. We may make use of additional information about you when it is available from our Partners and other external sources to help us do this effectively. We may also use and analyse your personal information to detect and reduce fraud and credit risk. For more information, please contact us using the coordinates provided in the section entitled “Contact Us”, below.

How We Share Your Personal Information

We will only share your personal information in the following circumstances, except as otherwise permitted or required by applicable law:

• with affiliates: We may share your personal information between Points affiliates, to allow Points affiliates to offer their products and services to you;
• with Partners and other third party service fulfilment partners: We may share personal information with third parties as necessary to provide you with services that you have requested or to fulfill the transactions you have submitted, such as hotels and airlines who provide services accessed through our Sites. Please also see the section “Third Parties” below;
• with our service providers: to third party companies and contractors that provide us with services in the conduct of our business ("service providers"), such as payment processing services, information technology services for our software applications, advertising, marketing and survey services and other essential similar services, but only as necessary for those service providers to provide services to us. All Points service providers are contractually bound to keep your information secure. Our service providers can use, store and disclose your personal information solely for purposes for which it is disclosed to them (to provide us with services);
• for business transactions: We may use and disclose your personal information in connection with the proposed or actual financing, sale or other business transaction involving part or all of our business or assets. Such use and disclosure would be for the purpose of allowing third parties to determine whether to proceed with the proposed transaction, and if the transaction proceeds, for the purpose of completing the transaction. Assignees or successors to our business or assets may use and disclose your personal information for the purposes described in this policy. You will be notified via email and/or a prominent notice on our Sites of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information;
• as permitted or required by law: applicable laws may permit or require the use, sharing, or disclosure of personal information without consent in specific circumstances. These circumstances include situations where it is necessary to disclose information in response to subpoenas, warrants, or court orders, or in connection with any legal process, or to comply with relevant laws. We may also share your information in order to establish or exercise our rights, to defend against a legal claim, to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property, or a violation of our policies. If this happens, we will not share more personal information than is reasonably required to fulfill that particular purpose; and
• any other circumstance in which you provide your consent to disclose, or a consent exception applies, in accordance with applicable laws

Cross-Border Transfers

Points, our Partners and our service providers are located in various jurisdictions including, among others, Canada, the United States and the European Union and, as a result, your personal information may be stored, processed or transferred into or out of the jurisdiction in which you are located or where you reside (e.g., your country, state or province). The privacy and data protection laws in these jurisdictions may be different to those in your jurisdiction and your information may be subject to the laws of, and to access by the regulatory, governmental or law enforcement authorities in, those other jurisdictions.

Third Parties

Third Party Services Accessed Through Our Sites

When you provide personal information to us, we may be required, in order to provide you with services, to provide that personal information to our Partners and other third parties, such as hotels and airlines who provide services accessed through our Sites. Those companies are not contractually bound to comply with this Privacy Policy. Our Partners and other third parties use and disclose your personal information according to their own policies and for their own purposes. We encourage you to read our Partners' and other third parties’ privacy policies before obtaining their products or services through our Sites.

We may provide links or references to third party sites whose privacy practices may differ from those of Points. You may navigate to a Points site through a link from a Partner or other third party site. Points assumes no responsibility for the content or the privacy policies of those Partner or third party websites. Please be aware that when you follow any links to another site not owned or operated by Points and submit personal information to any of those sites, you are subject to their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.

Our Sites include social media features, such as the Facebook button and widgets, among other things. These features may collect your IP address, track which page you visit on our Sites, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our Sites. Your interactions with these features are governed by the privacy policy of the company providing it. We encourage you to carefully read the privacy policy of any company that provides the features you choose to interact with.

Data Retention

We will retain your personal information for as long as

• your account is active;
• your personal information is needed to provide you services; or
• it is necessary to meet legal, regulatory, insurance and audit requirements.

If you wish to cancel your account or request that we no longer use your information to provide you services, contact us at dpo@points.com.

Accuracy of Your Personal Information

We will use commercially reasonable efforts to ensure that your personal information is correct, complete and up-to-date to the extent we are notified of any changes by you. You can review and update your personal information on our Sites. You can assist by keeping us informed of any changes, or informing us if you find any errors in our information about you. If we have disclosed inaccurate information about you to a third party that you are aware of, we would be pleased to contact the third party in order to correct the information upon your request.

Your Rights with Respect to Your Personal Information

You are entitled to be informed or and have access to any of your personal information in our custody or control. Upon written request to our Privacy Officer as noted at the bottom of this page, we will provide you with your personal information under our custody or control, as well as information regarding how your personal information is being used and the identity of any third party(s) to whom that information has been disclosed. Please note that we may not be able to provide access to personal information in certain circumstances, such as if the personal information was collected for the purposes of an investigation, if disclosure would reveal the personal information of a third party, or if prohibited by law. To protect your privacy and security, we may take reasonable steps to verify your identity prior to providing such access.

If you wish to correct any of your personal information we have on file in our records, other than that available to you and capable of being modified through the Services, you may contact our Privacy Officer as noted at the bottom of this page. To protect your privacy and security, we may take reasonable steps to verify your identity prior to making corrections.

In addition to rights with respect to your personal data already noted elsewhere in this policy, for those individuals residing in the European Economic Area, you have certain additional rights under the General Data Protection Regulation (GDPR):

• Restrictions on Further Processing

You have the right, where there is a dispute in relation to the accuracy or basis of processing of your personal data, to request a restriction on further processing by us.

• Erasure

You have the right to erasure of your personal data (“right to be forgotten”) in certain circumstances.

• Data Portability

You have the right to request that personal data that you have provided to us be returned to you, or be provided to another third party of your choice, in a structured, commonly used and machine-readable format.

• Automated Decision-Making

You have the right not to be subject to a decision based solely on automated decision-making. In connection with such right, you may have the right to request human intervention with respect to such automated decision-making, as well as express your point of view or contest any such automated decision-making.

• Opt-out of Direct Marketing / Profiling

You may elect to “opt out” of direct marketing activities, including any profiling we may conduct for direct marketing purposes. Accordingly, we may rely on your consent permitting us to process your information in accordance with this policy for direct marketing, including profiling for direct marketing, unless you take affirmative action to opt out of such processing. You may opt out at any time by contacting our Data Privacy Officer or EU Representative, as provided further below.

• Lodge Complaints with Supervisory Authorities

You have the right to lodge a complaint with a data protection supervisory authority in your country.

Cookies and JSON Web Tokens

A cookie is a small text file that is stored on a user's computer for record-keeping purposes. JSON web tokens, or JWT tokens, are authentication confirmations that are used to authenticate a user. We use both session ID cookies and persistent cookies, as well as JWT tokens on our Sites. Session ID cookies expire when you close your browser. Persistent cookies remain on your hard drive for an extended period of time. You can remove persistent cookies by following directions provided in your Internet browser's "help" file. Cookies provide us with information on your use of our Sites, including the time and length of your visit, the pages you look at on our Sites, the website you visited just before coming to ours, and the name of your Internet service provider.

We use session cookies and tokens to make it easier for you to navigate our Sites. We use persistent cookies and tokens to store your username, so you don't have to enter it more than once, and to track and target your interests, to evaluate the performance of our Sites, and to tailor promotions and other marketing messages to you and enhance your experience on our Sites.

You can reject cookies by adjusting the preference settings in your browser. If you reject our cookies, you may not be able to take full advantage of certain features available on our Sites, such as contests and surveys. You can learn more about interest-based advertising by visiting http://www.networkadvertising.org/managing/opt_out.asp and http://www.aboutads.info/choices.

You can also selectively enable or disable certain cookies we use. For more information on the cookies we utilize, and how to enable or disable them, please see our Cookie Settings.

Clear Gifs

Clear GIFs (also known as tracking pixels or web beacons) are tiny graphics with a unique identifier, similar in function to cookies. They are used to track the online movements of users. In contrast to cookies, which are stored on a user's computer hard drive, clear gifs are embedded invisibly on web pages and are about the size of the period at the end of this sentence.

We and our service providers use clear gifs to help us better manage content on our Sites, by informing us what content is effective, and to gauge the effectiveness of certain communications and marketing campaigns. For instance, we use clear gifs in our HTML-based emails to let us know which emails have been opened by recipients and to allow us to serve you related advertising on the Internet.

Security Measures

We take reasonable measures, including administrative, physical and technical safeguards, to protect your information from loss, theft, misuse, unauthorized access, disclosure, alteration and destruction, in light of, among other things, the sensitivity of the information and the purposes for which it is to be used. Personal information uploaded to our Sites is transmitted to us using industry standard encryption, which creates a private conversation between your computer and our Sites. We authenticate our Sites and enable TLS/SSL encryption to protect your sensitive data and transactions.

We maintain policies and practices to protect your personal information, including our Information Security Policy, Backup Procedures, Encryption Policy, Data and Information Classification Policy, Record Retention Policy, Disposal Policy, Risk Management Policy, DPIA Process Template, Information Security Incident Management Policy and Procedure, Vendor Management Policy, and Audit Policy. These policies and practices (i) provide a framework for our collection, use and disclosure of personal information throughout its lifecycle, including the security and proper functioning of our information systems, data processing practices, and backup systems, our record retention and disposal policies, our procedures for assessing the privacy impact of our business processes and vendors we engage to process personal information, and our practices in relation to assessing risks, conducting security audits, and responding to actual or suspected security incidents; and (ii) define internal roles and responsibilities in connection with the foregoing.

We also maintain internal processes for dealing with complaints regarding the protection of personal information, as referred to in the section entitled “Disputes and Complaints” below, and for responding to requests to exercise individual rights. For more information, please contact us using the coordinates provided in the section entitled “Contact Us”, below.

Please note that, notwithstanding the efforts we make to protect your personal information, Points cannot absolutely guarantee that unauthorized third parties will never be able to defeat our security measures or use your personal information for improper purposes. In the event that your personal information in our possession or under our control is compromised as a result of a security breach, we will take reasonable steps to investigate the situation and, where appropriate, notify you and take other steps in accordance with applicable laws or regulations.

Remember that email sent over the Internet is generally unencrypted and transmitted in clear text. We recommend that you use caution when forwarding free-format email messages to us and that you do not include confidential information (such as unique user IDs, passwords or personally identifiable information) in those messages. Confidential information should be transmitted to us through other secure methods such as by telephone.

Revision of Policy

This policy may be revised from time to time. We will notify you of material changes prior to such material change being effective, either by e-mail at the address you have provided to us in connection with your registration on our Sites or by a prominent notice on our Sites. Your continued use of our Sites or services, failure to cancel your account on our Sites, or interaction with us following such notification shall constitute your acceptance of the revised policy. We encourage you to periodically review this page for the latest information on our privacy practices. The date provided at the end of the Privacy Policy indicates when it was last updated.

Disputes and Complaints

This policy is subject to our Terms of Use, including terms regarding the governing law and the resolution of any disputes between you and Points.

If you have a complaint with respect to our privacy policy please contact us as provided below. For those individuals residing in the European Economic Area, you also have the right to lodge a complaint with a data protection supervisory authority in your country.

Contact Us

The Data Privacy Officer is accountable for our compliance with this privacy policy and applicable privacy legislation.

If you have questions, comments or complaints with respect to our Privacy Policy or if you wish to request access to, or correction or deletion of your personal information under Points' care and control, please contact the Data Privacy Officer at:

In addition to contacting our Data Privacy Officer, individuals residing in the European Economic Area may contact our EU Representative at:

Points will respond to your request for access in accordance with applicable privacy legislation.

This Privacy Policy was last updated on December 6, 2023.