Security and Privacy Policy

A. Protection of personal data
1. What kind of personal data do we collect and process?
2. How we will use your personal data?
3. Who processes your personal data we collect?
4. Where will your personal data be sent to?
5. How long do we keep your personal data for?

6. Request regarding your personal data
B. Security
C. Cookies
D. Changes to our policy

A. Protection of personal data

Luxair, Société Luxembourgeoise de Navigation Aérienne S.A., a public limited liability company (société anonyme) incorporated and existing under the laws of the Grand Duchy of Luxembourg, having its registered office at 25 rue Gabriel Lippmann, L-5365 Munsbach, with postal address at L-2987 Luxembourg (Luxair) is the data controller of your personal data and is committed to respecting your privacy and protecting your personal information in accordance with the law.

Luxair has appointed a Data Protection Officer to ensure that your personal data is processed in the correct manner. You can contact the Data Protection Officer with questions or requests concerning our processing of your personal information by sending an email to data.protection@luxairgroup.lu

1. What kind of personal data do we collect and process?

Luxair collects personal information about you when you use our services, when you travel with us, when you use our websites and mobile apps, or when you use our call centres or mobile applications. This includes information you provide to us directly or indirectly through third parties. Those third parties include the following categories: companies involved in your travel plan such as travel agencies, hotels, other airlines or airport operators and companies contracted by Luxair to provide services to you.

Luxair may process any data you have communicated directly or indirectly, and generally the following categories of data:

•    General information about you and contact information:

your name, gender, home/office address, telephone numbers, email addresses, nationality, date of birth, passport and visa. When you create a personal account or register, Luxair may also record your sign in details and other information you fill out on your personal account or registration form. This is for example the case with MyLuxair account;

•    Information about your reservation:

loyalty program, travel itinerary and dates, seat number, purchases, claims, additional assistance you require, information about your travel companion and emergency contact and other information related to your travel with Luxair (e.g. upgrades, extra luggage, etc);

•    Our interactions with you:

such as any feedback, complaints, compliments, claims you have made, responses to market surveys, records of any correspondence, interactions with us and our staff (including in person, online, by telephone or email and via social media)

•    Your interests:

such as destinations you have visited and products you have bought

•    Browsing information:

where appropriate, with your consent, Information about your browsing behavior on our websites and mobile apps and information about when you click on one of our adverts, and the way you access our digital services, including operating system IP address, online identifiers and browser details;

•    Health and dietary information:

you may also choose to share sensitive personal data with us regarding your health data because you have requested specific medical or other personalized assistance or following requests from Government agencies. Finally, for some destinations and due to the health context linked to the Covid-19 epidemic, we may have to collect and verify the documents required (questionnaires, negative Covid-19 test, etc.) by the authorities of your country of destination for public health purposes prior to boarding or disembarking.

Certain aspects of your personal information, for example details of your travel documentation, and contact information, are required for many of our products and services and if you fail to supply such information as requested for specific services, we may be unable to provide you with the products and services in full.

2. How we will use your personal data? 

The processing of your personal data is performed for the following purposes:

•    To fulfil a contract, or take steps linked to a contract, with you. This includes:

o    to provide and administer our travel products and services. For instance, when you book a flight, you will receive multiple e-mails regarding your booking (e.g. your booking confirmation, information about checking in and boarding).
o    to contact you about your bookings, for disruptions and other arrangements;
o    to process payments; 
o    to provide customer support such as handling your queries and complaints; and
o    to provide flight-related information, such as eJournals, and any on-board entertainment.

•    To conduct our business and pursue our legitimate interests, in particular:

o    to use our research results to develop better services and offers for you and improve the design and content of our websites and mobile apps; 
o    to administer our websites and mobile apps, and for internal operations, including troubleshooting;
o    to monitor and record calls to pursue our legitimate interest of improving service delivery; 
o    to send you surveys by email. You can opt-out of receiving these surveys at any time by contacting us; 
o    to send you service emails, such as reminders when you have not checked out your purchases on our website or mobile apps; 
o    to customise our marketing e.g. sending you targeted marketing on places you would like to visit, based on your prior travels; and
o    to prevent and detect fraudulent activity

•    Subject to your consent, in particular:

o    to provide offers as relevant as possible for you.  For example, with your consent, we will send you personalised offers for your next trip; and
o    to implement any request relating to assistance during a flight or food allergies.
You can always unsubscribe from receiving personalised advertisements and offers by clicking on the unsubscribe link in the e-mail. If you unsubscribe, you will only receive e-mails necessary to be able to use our services and related to your travel experience (e.g. your booking confirmation and e-ticket).

•    To comply with our legal obligations. This includes: 

o    to manage flight disruption claims and other claims
o    to conduct our business operations, such as for record-keeping purposes, to prevent or combat fraud, or to settle disputes.
o    to provide passenger information to border control and immigration in some countries. For instance, under EU Regulations 2016/679 and 2004/82 and applicable local laws and regulations, we must pass on PNR and API details to government bodies, including the Passenger Information Units (PIUs) of various countries. API (Advance Passenger Information) concerns information about your flight and passport details. PNR (Passenger Name Record) concerns all information about your bookings, such as flight information, passengers in the booking and payment information. 

If you refuse to provide the personal data that we need to fulfil the contract we have concluded with you or to comply with a legal obligation, we may not be able to provide all the services you have requested from us. Consequently, we may have to cancel your flight, or we may not be able to provide you with the additional services you have requested.

3. Who processes your personal data we collect?

We may communicate your personal data to the following categories of third parties:

•    Travel-related service providers:

To handle your reservations and bookings and to arrange your trips and purchases, we often need to share your personal data with our partner airlines, airport operators, and other companies involved in facilitating your trip (such as check-in agents, freight handling, specific assistance and ground transport, airport lounge operators, chauffeur services, catering services). Your personal data will be used by such third parties in accordance with their privacy policies. The privacy policies of our partner airlines can be found in the International Air Transport Association (“IATA”) privacy policy repository at http://www.iatatravelcenter.com/privacy. For others, please visit the third parties’ website for more details.

•    Paymentcard companies and anti-fraud service providers:

To process payments for your trips and purchases, we may work with third parties that offer payment and anti-fraud services.

•    Partners loyalty programs:

We may transfer your personal data to operators of our partner loyalty programmes, to facilitate your participation in the relevant programme.

•    Government agencies:

We may disclose your personal data to governments and regulatory authorities and bodies and to other individuals, bodies and organisations such as immigration, customs, border security, airport authorities, dispute resolution, prosecution and law enforcement bodies, legal advisers, organisations which conduct credit, fraud and other passenger checks, and other individuals, bodies and organisations for the purposes of complying with our legal obligations, for example, where we are required by laws in certain countries to disclose your personal data in relation to your travel document, booking details and flight itinerary (also known as Passenger Name Record (PNR) and/or Advanced Passenger Information (API)) to relevant customs and immigration authorities as required by laws. We may also be statutorily required to share your health data with the Government agencies in the countries on your itinerary for public health purposes.

•    Third-party websites:

our websites and mobile apps contain links to third-party websites. If you follow those links, you will leave our websites or mobile apps. This privacy policy does not apply to the websites of third parties. For more information on how they handle your personal data, please check their privacy and/or cookie policies (if available).

•     Support service providers:

To provide our services, we use the support or additional services of third parties, such as IT suppliers, social media providers, marketing agencies, and screening service providers. Further, we may also share your personal data with law firms and law courts to enforce or apply any contract with you and the police to protect our rights, property, or the safety of our customers, staff and assets.

4. Where will your personal data be sent to?

The transfer of your personal data is related to the purpose and localisation to third parties identified in this policy. Luxair intends to store and transfer personal data as much as possible inside the European Union or in third countries being considered by the European Commission as having an adequate level of protection. However, some personal data may be sent to third countries. When personal data is transferred to a non-EU/EEA country without satisfactory levels of protection for personal data, we will apply appropriate measures, usually by including a standard contractual clause that has been adopted by the European Commission. 
If there is a lack of both a decision on adequate levels of protection by the European Commission and established appropriate safeguards in the form of standard contractual clauses in accordance with the above, we will only transfer your personal data outside the EU/EEA, based on one of the conditions for transfers provided for by data protection legislation, e.g. if the transfer is necessary in order to fulfil the agreement we have with you.

5. How long do we keep your personal data?

Your personal data will be retained for as long as required for the purposes described in this privacy policy or in so far as such is necessary for compliance with statutory obligations and for solving any disputes.

The retention periods Luxair applies take into account laws and regulations which impose a specific retention period for certain categories of data, as well as CNPD recommendations regarding certain types of data processing. These retention periods can go up to 10 years. We may also archive your data until the statutory limitation periods have expired (up to 30 years in some cases), provided that this is necessary for the establishment, exercise or defence of legal claims.

Data collected as part of the fight against the spread of the COVID-19 epidemic will be stored securely and for a maximum of 14 days after the flight, except in cases where the applicable regulations provide for a longer retention period.

6. Request regarding your personal data

You have the right to request from Luxair access to and rectification of your data. Please note that where you request access to your personal data, since Luxair processes a large quantity of information and as allowed by the law, we may request that, before the information is delivered, you specify the information or processing activities to which the request relates.

You have also the right, subject to conditions imposed by law, to request the erasure of your personal data or the restriction of the processing concerning your data or to object to the processing of your personal data as well as the right to request the data portability of your personal data.

If you have provided your consent to the processing of your personal data you can at any time withdraw such consent.

You may also object, free of charge, to the future processing of your personal data relating to you for the purpose of marketing purposes.

In order to process your request we may ask you to provide us with the following items:

•    your full name 
•    a photocopy of your passport or ID so that we can verify your identity;
•    your email addresses (past and/or present) used to book
•    booking reference and dates if applicable

The above should be sent to the following address:

Luxair S.A. – Data Protection Officer
25 Rue Gabriel Lippmann,
L-5365 Munsbach
Luxembourg
Postal address: L-2987 Luxembourg

Or at the following email address: data.protection@luxairgroup.lu 

From the date that we receive the necessary above information, Luxair will start to process your request.  Please note that any missing information may delay the processing of your request.

If you wish to raise a complaint on how Luxair has handled your personal data, you can contact the supervisory authority for data protection in Luxembourg:

Commission Nationale pour la Protection des Données
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette

B.     Security

To ensure security where personal data is collected, our website uses strong encryption methods for the transmission of your data between your web browser and our web servers. The URL of a website using encrypted connections to your browser always starts with https://

If your current browser does not support encryption method you can download the most up-to-date versions for the most popular web browsers on the respective websites.

When you pay for any of our services using a payment card, all information is sent via a secure connection to ensure the protection of your personal data. The partners with whom we collaborate in terms of payment card are all certified in accordance with the international security standard PCI-DSS, which means a very high level of security for the processing of your payment card details.

C.    Cookies

For more details information about our use of cookies, see our Cookies Policy: https://www.luxair.lu/en/information-light/cookie-policy

D. Changes to our policy

This Security and Privacy Policy replaces all previous versions. We may change the policy at any time so please check it regularly on our website(s) and mobile apps for any updates.