Privacy policy for contractors and suppliers
Updated May 2025
This Privacy Policy is applicable to all current and former contractors and suppliers (together, “contractor” or “you” or “your”) of American Airlines, Inc. (“we”, “us”, “our”, or “American”) and certain of its affiliates. As the Controller of your personal information we take your privacy seriously because we know you do. This Privacy Policy will help answer your questions about how we collect, use, share, and maintain the confidentiality, availability, integrity and security of our contractors’ personal information.
This Privacy Policy applies to contractors’ personal information and to the management of that personal information in any form, whether oral, electronic, or written. This Privacy Policy is not a contract and American reserves the right to change or update it at any time, and will notify contractors of any material changes.
We are providing this Privacy Policy to help you better understand the following:
- Collection of Your Personal Information
- Sensitive Personal Information
- Use of Your Personal Information
- Change of Purpose
- With Whom Your Personal Information Will Be Shared
- International Data Transfers
- How Long We Retain Your Personal Information For
- Application of Local Laws
- Voluntary or Mandatory Provision
- How Your Information Will Be Secured
- How Long We Retain Your Personal Information
- Your Rights with Respect to Your Personal Information including:
- Right to Object
- Additional Rights
- Contact Us
- Data Protection Officer
- Your Processing of Personal Information
American may, where applicable and in accordance with applicable laws and regulations, collect and maintain, as part of your business relationship with American, certain types of personal information about you. This includes, without limitation, the following categories of personal information:
- Contact information: Name, address, email address, telephone number and other contact details, the last four digits of your social security number, birthdate and emergency contacts;
- Engagement information: Details of your employer, residency, curriculum vitae information, information about your work permit/visa application if necessary for us to verify certain information about you, or where you or your employer ask us directly for assistance in relation to such an application.
- Background check information: Before you start work at American, and in accordance with applicable law (as applicable), we may require your employer to confirm that you have passed certain background checks that are relevant to your proposed engagement with us. We use a third party provider, Thomson Reuters, to carry out these checks. In most cases, we will not receive any information relating to the results of these checks, except for confirmation that you have passed. However, in rare cases, where an issue arises and where permitted by applicable laws, your employer may provide us with the results of a specific check.
- Identity verification: We may ask for a copy of your driver’s license or other form of government-issued ID to confirm your identity before we issue you with a security pass for one of our sites.
- Safety and Security assessments: Where required by applicable law, for example if your role requires you to access controlled areas of an airport, then we will also need to carry out a security threat assessment. In order to do this, we will ask you to complete a Fingerprint Application, which will request certain personal information from you, including (as applicable and in accordance with applicable law) your social security number, passport details, information about certain criminal offences (if applicable), and your fingerprints. In addition, we may be required to provide additional information such as your name, employer, gender, date of birth, place of birth, country of citizenship, and or/ other identifying or biographic data to certain government entities in order to meet certain regulatory safety and security requirements, as well as to meet the requests and directions of law enforcement authorities or court orders including acknowledgements regarding American policies;
- Work information: Information about your engagement at American, including hire date, position title, which area you will be employed in, your sponsoring work group and personnel sub area, manager, location and whether you have signed our Non-Disclosure Agreement, any information you provide us about absences and sickness from time to time, and other related information;
- Financial information: Taxpayer identification number(s), banking details and details of how much they will be paid.
- Skills, experience, and performance-related information: ID number, job title, job grade and function, hours worked, work location, direct manager/supervisor information, technical skills, educational background, professional certifications and registrations, language capabilities, training courses attended and training assessment and complaints, information about your performance at work, and so forth;
- Physical specifications: Height, weight, clothing sizes (ie. for uniform), photographs including for use on badges biometric data for security purposes (as described above), and details of any accidents at work;
- Automatically collected information: Information captured on network, information, operational and/or security systems, including but not limited to information and interactions required to provide and monitor access to American’s systems and networks, including CCTV and key card entry systems (including biometric data, such as fingerprints for entry access, as applicable), video recordings of company events and activities, voicemails, e-mails, and other correspondence, work product and communications created, stored or transmitted by you when you are using American’s computer network, communications equipment, and/or systems. American also collects information from American’s computer equipment and company-issued mobile devices, including but not limited to user session information, Internet browsing history, mobile app usage, and precise geo-location. This information may be collected in a variety of ways, including through data logs or the use of cookies and similar tracking technologies, all in accordance with applicable law; and
- Separation information: Date of termination of engagement, reason for termination, exit interview, and information relating to administering termination of engagement.
To the extent that any of the personal information we collect is considered “sensitive” under applicable privacy laws (such as “special category information” or criminal convictions data under certain data privacy laws), American will collect and process this information within the limits prescribed by relevant, applicable law, and only after establishing appropriate security safeguards for such sensitive information. Where required by law, American will seek consent before processing sensitive personal information.
Sensitive personal information includes any information about a contractor that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric information, health, sex life or sexual orientation, or it otherwise defined as sensitive under applicable law.
We may process sensitive personal information about you, such as: health data where it is relevant to the provision of your services to American (for example, health and safety purposes or employment screening); biometric data to secure access to some of American’s premises (if applicable); background check information, such as criminal convictions (where permitted and in accordance with applicable law); or where required or permitted under applicable laws, information about or which may reveal your race or ethnic origin.
The business purposes for which American may process your personal information include, without limitation, those set out in the list below.
- Internal contractor management: To manage all aspects of a contractor’s relationship with American – including, without limitation, engagement, payment, corporate travel and other reimbursable expenses, training, credit/bondability requirements (for assignments at the American Airlines Federal Credit Union (“AAFCU”)), administer termination of the contractor relationship, resource planning and allocation, and other general administrative related processes;
- Business communication: To communicate with you for business reasons such as to provide you with instructions relating to your engagement with American and to communicate changes in our policies or when responding to your queries;
- Facility / Resource monitoring: To the extent permitted by law, we monitor contractors’ use of American facilities, information technology (IT) systems , the use of American’s resources, and communications, including internet use, in accordance with our internal policies (which will be provided to you as part of your onboarding process) and any other applicable policies that may replace, amend or supplement those policies from time to time. As a result, within the limits provided for by relevant, applicable law, contractors should not have a reasonable expectation of privacy while at work while using or accessing company equipment, information, computer or communication systems, as those systems may be accessed at any time in accordance with our monitoring policies;
- Security management: To secure American’s assets and information, to protect your safety and security and the safety and security of American’s customers, staff and property (including controlling and facilitating access to and monitoring activity in secured premises and activity using American’s computers, communications and other resources), and to investigate and respond to claims against American and its customers, including any internal complaints;
- Audit trail records: To evaluate internal control and audits for compliance (including those conducted by American’s internal and external audit service providers).
Where required by applicable law, we will use your personal information only where we have a valid legal basis to do so. The lawful bases under which we can process your personal information include:
- (a) Consent: where you have provided your clear consent for us to process your personal information for a specific purpose;
- (b) Contract: where the processing is necessary for us to perform a contract which we have with you, or to take specific steps at your request before entering into a contract;
- (c) Legal obligation: where the processing is necessary for us to comply with the law (not including contractual obligations);
- (d) Vital interests: where the processing is necessary to protect someone’s life;
- (e) Public task: where the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law; and
- (f) Legitimate interests: where the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless these interests are overridden by your rights and freedoms.
Most commonly, we will use your personal information:
- Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests; and/or
- Where we need to comply with legal obligations.
There are Closed Circuit Television (CCTV) cameras in operation within and around our Headquarters, administrative offices, training facilities, airports and other premises, which are used for the following purposes:
- To prevent and detect crime;
- To protect your health and safety and the health and safety of American customers, contractors and employees;
- To manage and protect American’s property and the property of American’s guests and other visitors; and
- For quality assurance purposes.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for another purpose, we will usually notify you and we will explain the legal basis that allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Please note that personal information submitted to us may be transferred to, stored and processed on servers located in various countries around the world. This includes when it is used by American in the United States of America and may include transfers to American’s affiliates and to third parties with whom we share personal information, as described in this Privacy Policy. The privacy laws of those countries might not be equivalent to those in your country of residence, but we take steps to protect your privacy. Where your data is transferred from the European Economic Area (“EEA”) to outside it, we will ensure that adequate safeguards are in place, such as:
- (a) the transfer is to a country which has been the subject of an adequacy-decision by the European Commission;
- (b) the transfer is covered by a contractual agreement which has been approved by the European Commission as providing adequate safeguards for personal information transferred outside of Europe, such as the EU Standard Contractual Clauses entered into by American and all of its branches located in the EUor
- (c) an exemption applies, such as where the transfer is necessary to perform a contract with you (or concluded in your interests) or to take pre-contractual measures at your request, or based on another relevant exemption recognized by applicable law.
If you wish to obtain further details about the safeguards in place to protect your privacy, please contact us using the contact details below.
This Privacy Policy provides global principles, which set out the minimum data protection requirements that American will apply to contractors’ personal information. American recognizes that local, state, national or regional laws and regulations in certain jurisdictions may require stricter legal standards than those described in this Privacy Policy. American will always process contractor personal information in accordance with relevant, applicable law.
When collecting personal information from you, American will, where required by applicable law, inform you whether your provision of the requested information is voluntary or mandatory and if it is mandatory, the consequences of not providing it.
The provision of certain information is necessary for us to engage you as a contractor, for you to provide your services to American, or for us to perform our obligations under our contract with you or your employer, such as to pay for your services. If you choose not to provide certain information, you will not be able to work as a contractor for American.
American is committed to protecting the security of your personal information. Whenever and wherever we collect, process or use personal information we apply appropriate technical, physical and administrative safeguards and access restrictions to secure your information in accordance with this Privacy Policy in order to prevent the unauthorized access and use, unlawful processing, unauthorized or accidental loss, destruction or damage to that information.
We will only retain your personal information for as long as is strictly necessary to fulfil the purpose(s) we collected it for, including to satisfy any legal and auditing requirements.
American will generally retain your personal information for the duration of your relationship as a contractor with American and for longer if required for legal, accounting, reporting or contractor management purposes. For further information about our retention of contractor data, please contact us, using the details provided below.
You may have certain rights under relevant, applicable laws in relation your personal information, such as:
Right to object
Where provided by applicable law, you have the right to object to our use of your personal information on grounds relating to your particular situation, including to the extent the processing is based on our (or another party’s) legitimate interests. If we receive such an objection, we will stop processing the personal information at issue unless we can demonstrate compelling legitimate grounds for the continue processing which override your interests, rights and freedoms, or if the processing is necessary for the establishment, exercise or defense of legal claims.
Additional rights
You may also have the following rights under applicable data privacy laws (unless an exemption applies), which can be exercised by contacting American using the details provided below.
- Request access to your personal information. This enables you to receive a copy of the personal information we hold about you, for example to check that it is accurate;
- Request correction of personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- Request erasure of your personal information. This enables you to ask us to delete or remove your personal information, for example, where there is no good reason for us continuing to process it. You may also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see above);
- Request the restriction of processing of your personal information, including sensitive personal information (as applicable). This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
- Request the transfer of your personal information to another party; and
- The right to withdraw consent at any time where we have relied on it to process your personal information.
If you wish to exercise your rights directly (or have designated an authorized agent to do so on your behalf), please contact us using the details provided in the “Contact Us” section below. When we receive a request to exercise one of these rights, we will indicate what personal information we require from you to validate your identity (or the identity of your authorized agent and their authority to act on your behalf, as applicable).
American will respond to your request in accordance with applicable laws, and will not discriminate against you when doing so. Where provided by applicable law, you have the right to lodge a complaint with the corresponding data protection supervisory authority in your country of residence.
If you wish to exercise your rights (or do so via an authorized agent, where permitted by applicable law), or if you have questions, comments or concerns about this Privacy Policy or our privacy practices, please contact the Privacy Office at Privacy@aa.com. Please provide your name and contact information along with the request. Alternatively, inquiries may be mailed to the following address:
American Airlines
c/o Privacy Office
1 Skyview Drive
Fort Worth
TX 76155
United States
Upon receipt of your request, we may ask for additional information to verify your identity (or to confirm that an authorized agent is acting on your behalf), to ensure the validity of the request.
American has assigned a data protection officer, Russell Hubbard, who is responsible for overseeing American’s compliance with data protection law, whom you may contact at privacy@aa.com or via the postal address above in case of any questions or concerns regarding the processing of your personal information.
Where you process personal data pursuant to your engagement with American (for example, personal data relating to American’s employees or customers), you shall keep that data secure and comply with all of American’s data protection related policies and procedures when processing that data.