OUR COMMITMENT TO PRIVACY

CRGA is committed to respecting your privacy and protecting your personal data

- We want to be completely transparent regarding the data we collect and what we do with it.

- We will use the data you provide for the purposes described in our Privacy Policy, including providing the services you request and improving your experience with CRGA.

- We will also use the data to try to get to know you better and send you relevant offers.

- If you tell us that you want to stop receiving marketing communications, we will stop. We will, of course, continue sending you important information regarding the products and services that you have purchased, to keep you informed of your booking and flight itinerary.

- We will send you relevant information regarding the products and services that you have purchased, to keep you informed of your booking and flight itinerary.

- We will adopt the necessary measures to protect your information and keep it safe and to respect your data protection rights.

You can read our full Privacy Policy, which will help you to better understand how we use your personal data. We explain which personal data we collect, how we collect it, for what purposes and with whom we can share it.

Without affecting your rights under applicable legislation, the aforementioned information and the Privacy Policy are not contractual or part of your contract with us.

Personal Data Controller

All the personal data processed by CRGA regarding this Privacy Policy is controlled by CRGA, acting as the data controller under Costa Rica data protection laws. Our address is in the Domestic Terminal of the Juan Santamaria International airport, Alajuela, Costa Rica.

If you booked with us but one or several of the flights are operated by other airlines, each one of these airlines will independently be a data controller under data protection laws and local data protection laws that apply to these airlines.

All service providers, like hotels or car hire companies, will also individually be data controllers. You can access the privacy policy of these providers by contacting them directly.

What does personal data mean?

Personal data means all data that identifies you or that could be used to identify you, such as your name, contact details and travel and purchase history. It may also include information on how you use our website and mobile apps.

When does this policy apply?

This policy applies to all the personal data we collect, use and process as part of your relationship with us as a customer or potential customer, including when you travel with us, when you browse our website, when you contact one of our agents or customer services centers, and when you book our services via third parties (like travel agencies).

How can you protect your personal data?

We go to great lengths to protect the personal data that you provide. Here are a few measures you can take to keep your data safe:

- Never share your booking code.

When you book you get a booking code (also know as PNR, or Passenger Name Record). This reference will appear in the confirmation email or on the tickets of each one of the passengers in your booking.

- Always keep your booking code confidential. If you share your booking code with third parties, they will be able to access the booking details through our system.

- If you’re travelling with other people and you don’t want them to have access to the booking details, it is probably better for each person to book separately.

- In order to keep your private data on our website and mobile apps private, don’t share your username and password with anyone. When you finish using our website, online services or mobile apps, log out if anyone has access to your computer or device. This is especially important if you are using a public computer.

- Be careful and take precautions against online fraud and phishing (which involves illegally obtaining personal data by means of fake messages. Unsolicited emails are sent to people included in lists obtained illegally by third parties, and the recipients are asked to enter or confirm bank details or passwords on a cloned or fake website.

When do we collect your personal data?

We collect your personal data every time you use our services (whether they are supplied by us or by other companies or agents acting on our behalf), including when you travel with us, when you browse our website or when you interact with us electronically or through our Customer Service Center.

For more information, please see “What type of personal data do we collect and store?” below.

What type of personal data do we collect and store?

When you use our services, you’ll have to give us your personal data or the data of the people who are travelling. We collect the following personal data:

Data that you give CRGA to complete and manage a booking with us or a service you have requested. Your name, address, email, date of birth, passport number or national ID card, and telephone. Payment information is not saved in our system.

- If you are booking tickets for a third party, we may collect your billing details but directly contact the passenger regarding the flight.

- We will know if you book your flight via CRGA.com or if you use any other sales channels, such as travel agencies or our Customer Service Center.

- Data collected while travelling with us. We may collect certain information, such as your interaction with staff and cabin crew, before and during the flight.

- Data regarding your travel plans. Data about your booking, travel itinerary, details on any other additional assistance you require.

- Data on the services we have provided in the past. Data on previous trips, like where you went and all the information on these trips, including luggage requirements, problems at the airport, luggage loss and your comments as a customer.

- We will store your data if you take part in a competition or promotion or have interacted with us on social media like Facebook and Twitter.

- Data on how you use our website, mobile apps and Customer Services centers.

- In order to help us personalize your data and improve our website, we use cookies and similar technology to collect information on your searches and contents you have viewed on our website, such as the website you came from, and banners and links that can be found on the websites of our business partners.

- We will use the data on the use of our website stored in the cookies to understand you as a customer. If you have entered this information in our website, it may include data on any booking or passenger name.

- Based on your usage data we will be able to know that you visited CRGA.com and searched for a flight, but that you didn’t complete the booking in the end. We may use this information to contact you and offer you more information on the booking and location.

- Information on the location of your device if you have been browsing CRGA.com or using our mobile app. (This is your IP address. An IP address, that is, Internet Protocol address, is a numeric code that can act as a unique identifier of your computer or other device, which may be deactivated on your device).

- To identify the country in which the website or app is accessed, which will enable us to offer more relevant contents and use the right language.

- If you have given your consent, we may use your device’s functions (e.g. Bluetooth, WiFi and GPS) to determine your location in order to help you with your flight connections and to board our planes, and to offer you a personalized service (you can access or change this option by modifying your device’s location settings).

Why and when do we collect "sensitive personal data"?

Certain personal data categories, such as race, ethnicity, religion, health, sexual orientation and biometric data, fall into a special data category and are known as “sensitive personal data”. We always try to limit the circumstances in which we collect and process sensitive personal data. Here are some examples of cases in which we may collect and process sensitive personal data:

- When you ask CRGA and/or an airport operator for specific medical assistance, like a wheelchair or oxygen, for example.

- When you request authorization to fly with us and you have a certain medical condition or are over 28 weeks pregnant.

- When you decide to provide certain information for any other reason or a third party has provided it, such as the travel agency through which you booked your flight.

What do we use your personal data for?

We use your personal data for the following purposes:

- To process all the issues relating to your trip and provide the requested services.

- We will need your name, address, email, contact details, date of birth, passport number, account details and payment information in order to process your bookings, process the services for your trip, get the payment, give information to the authorities (like tax authorities, customs and immigration) and for CRGA to know who has booked a flight.

- To manage the boarding process and facilitate connecting flights at the airport.

- If you do not come to the boarding gate to board your flight, we may have to check whether you have been through security at the airport, or if you were on a connecting flight, to know how to contact you to inform you about the flight that you need to board.

- To send you status updates and service or operational communications regarding the purchased service.

- We may send you a message to tell you that check-in is open or that your flight has been delayed, cancelled, or any other circumstance that may affect your flight, like a strike, etc.

- To get in touch with you before your flight and at the airport.

- Every time you travel with us and use the airport in which we operate, we will be able to monitor your situation at the airport to help you with flight connections and when boarding the plane, and to offer you a personalized service.

- To ensure your safety and to comply with certain legal requirements that apply to CRGA as an airline.

- As an airline, CRGA must keep a record with information on all the passengers who are on board their aircraft.

- To provide more personalized services that adapt to your needs.

- We may update and share data that is not personal with our communications agency, to advertise partner and third-party services that are tailor-made and of interest to you, on our websites, apps and electronic boarding passes.

- To analyze data and conduct market studies.

- We will analyze the way in which customers use our sales channels, products and services, in order to better know how to improve the service we offer and encourage customers to use our entire range of products and services.

- To carry out marketing activities and keep you informed on CRGA’s products and services.

- We can send you information on our products and services by email or text.

- We may adapt the content of our websites, apps, emails and other communications to ensure that they are of interest to you as much as possible, including previous destinations with offers and/or services connected with these destinations or other similar ones.

- To understand your flying preferences and offer you information on offers.

- If you search for a flight but don’t book it, we may remind you of our services via email, Facebook or Twitter, depending on the flight you have been looking for.

- We may combine anonymous data from client-provider relationships with third parties (e.g. Google or Facebook) so that both companies can get to know more about user behavior like other visited websites.

- To send you up-to-date information and communications.

- Even if you opt out of receiving marketing information, we may continue to send you communications on the services you book, like your flight itinerary. These communications will help you to get details on the purchased services and may include options and other additional services that you may use (e.g. additional luggage).

- We may also send you communications on services that you have used, like if you have had a problem and we want to contact you proactively in order to solve it.

- To improve our website, products and services. We may monitor how you and other customers use our website, so that we can identify ways of improving your browsing experience.

- To process and manage the service. We may use and store your personal data, including your purchase history, for administrative purposes, which will include, for example, accountancy and billing tasks, auditing, verifying credit cards and other payment cards, fraud control (including the use of credit reporting companies and checking the validation of payment cards), and system testing, maintenance and development.

When will we send you marketing communications?

When we collect data directly from you we may ask you whether you wish to receive our marketing communications. In this sense, bear in mind that these marketing communications may be about our products and services that may be of interest to you, and sometimes they may promote products and services of other members of our group or of a third party (our business partners, for example).

We will respect your decision regarding which communications you wish to receive and the way you want to receive them.

How can I change the type of marketing communications I receive and the way I receive them?

If you decide you no longer want to receive marketing communications, you can change your mind at any time. This is what you should do if you want to stop receiving marketing communications:

- If you are a member of CRGA you would need to change your online profile settings, accessing your profile in www.costaricagreenair.com.

- Furthermore, all the marketing communications you receive by email will include an “unsubscribe” option so you can opt out at any time. We try to process subscription cancellation requests within 10 working days, so you may continue to receive messages before we finish processing your request.

- Bear in mind that even if you inform us that you no longer wish to receive marketing communications, you will still continue to receive communications (like the ones described above) regarding products and services that you have booked, e.g. to confirm your booking or send you an update on its status. If you ask us to stop sending you marketing communications, please bear in mind that we will keep your personal data in order to state that you do not want to receive marketing communications.

What is the legal basis for processing your personal data?

CRGA will only process your personal data when there is a legal basis to do so. The legal basis will depend on CRGA’s reason or reasons for collecting and using your data. According to Costa Rican data protection laws, in almost all cases the legal basis will be the following:

- Because we must use your data to process your booking, fulfil your travel plan and the contract with you.

- Because your personal information to conduct and improve our business as an airline and travel provider is one of CRGA’s legitimate interests as an airline.

- Because CRGA needs to use your personal data to fulfil a legal obligation.

- To protect your vital interests and those of other people.

- Because you have given your consent to CRGA using your personal data for a specific purpose.

- If the processing of your data is protected by any other law, the legal basis for this processing could be different to the list above, and in those circumstances the basis would be your consent in all cases.

How long do we store personal data for?

We store your personal data for as long as necessary to fulfil the purpose for which it is being processed. For example, when you book with us, we will store the information for that booking in order to process the specific travel services that you request, and beyond that, for as long as needed in order to manage or respond to any claims or questions about the booking. We may also store this information to continue improving your experience with CRGA.

We will actively check the data that we hold and delete it securely after the applicable prescription period in each case. In some cases, we will anonymize the data when there is no legal need to keep it, or any other need relating to the business or the customer.

Fulfilling a contract with you

CRGA will have to use your personal data to complete bookings made with us. For example, we will have to use data such as your contact details to provide you with the flight.

Legitimate interests

As an airline and transport service provider, CRGA has a legitimate business interest in processing personal data we collect to provide an effective service and conduct our business.

We will analyse data and use databases to personalise your experience.

Fulfilling legal obligations

There are situations in which CRGA will be subject to certain legal obligations and will need to use your personal data to fulfil said obligations.

In the event of a delayed flight or lost luggage.

We are bound by law to provide certain information on our passengers to customs and immigration authorities in certain countries.

To protect your vital interests and those of third parties

There are situations in which we may have to use your personal data to protect your vital interests or those of other people.

If we collect and process medical information in case of medical emergency and you are not able to give your consent.

Consent

Alternatively, we may collect and process your personal data when you have specifically given your consent.

If the basis for processing your personal data is your consent, you may revoke it at any time by changing the preferences on your CRGA profile.

Who do we share your personal data with?

We may also give your personal data to the following third parties, for the purposes described below:

- Customs and immigration authorities of any country in your itinerary or over which you are flying. CRGA and other airlines are bound by the law of the Costa Rica to give customs and border authorities access to travel and booking information when the flight’s origin or destination is in the country.

- If you book a ticket through our internet portal to travel with a transport service which you booked in advance, we will give your name and email address to the transport company so that they can issue your ticket and make your booking.

Credit and debit card companies, credit reporting agencies and fraud control service providers, to process payments and (when necessary) carry out fraud controls.

In response to legal requirements by the government and police, such as customs and immigration authorities.

External service suppliers that we hire to provide services, like carrying out marketing initiatives or conducting surveys with customers on our behalf.

Third parties like lawyer firms and courts, to demand compliance or the application of a contract with you.

Third parties, like the police and regulatory authorities, to protect our rights, property, or the safety of our customers, employees and assets.

Third parties to which we give data on the use of the website (but not personal data) so they know you have visited our websites (see “How we use cookies and other ways of collecting website data” above.)

We do not sell your personal data to third parties and we only allow third parties to send you marketing communications if you have given your consent.