This privacy notice discloses the privacy practices for STM including the following sites: shortstravelmanagement.com and shortstravel.com including any and all subdomains. This privacy notice applies to information collected by these websites and subdomains and all Personal Identifiable Information collected through any
means by STM. It will notify you of the following items (this list is not inclusive of all items covered in this policy):
What personally identifiable information is collected from you through the website, how it is used and with whom it may be shared.
What choices are available to you regarding the use of your data.
How consent is gathered to ensure Explicit Consent is given on user submitted information.
The security procedures in place to protect the misuse of your information and protect information in transit and at rest.
How you can correct any inaccuracies in the information.
STM operates under the following industry regulatory guidelines and requirements where needed. This list covers the following but may not include all regulatory guidelines related to privacy. It also does not include the internal standards and governing policies of STM.
Anti-Bribery Anti-Corruption (ABAC) Act
What Information We Collect
All information listed here is only obtained through user interaction or through B2B agreements direct with organizations or business entities. This data is covered under at least “industry standard” or better protection for data in transit and at rest. None of this information is collected without the express and explicit permission of the user through intentional submission into STM website interface or through a partnership with a client’s business for corporate integration.
Information Collected (may not be complete list):
Identification information (i.e. passport)
Credit Card information
Additional information may be collected with user submission of information to their user profile.
This information may be collected automatically through our analytics or logging. All information collected under this category is anonymized for user protection when held outside of STM. Internally, we may use this information in providing support regarding issues. All information regarding Payment Card, Password, and other sensitive data is anonymized or removed regardless of use.
The following information is collected via a 3rd party analytics tool and anonymized to protect client privacy:
IP Address information
Browser type and version
Website usage statistics
Information Collection and Sharing
STM is the sole owners of the information collected on this site. We only have access to collect information that you voluntarily give us through submission on this website by user interaction where explicit consent is required.
STM will not share your information with any 3rd party outside of our organization, other than as necessary to fulfill your request or provide required services agreed to by the user, or user’s employer, through employing STM services, including booking travel, and accommodation for a user through a requested action with providers of those services. This may include direct submission or submission through a GDS.
STM does not share client information with any advertising, research, or 3rd party providers or services. Information may be collated anonymously regarding travel statistics under B2B agreements and through travel data aggregation through an approved vendor that provides data aggregation or disclosure of travel data.
Like many website operators we collect information from your browser upon visiting our website or “Log Data.”
This data may include information such as your IP address, browser type and version, times visited, and which pages were visited as well as other statistics.
We anonymize this information for all users and through a 3rd party service collect, monitor, and analyze this data.
In the case of services that provide information or session reconstruction, any PII data is encrypted or redacted to ensure privacy and only held for the time required to provide support services to our users, clients, etc.
If you wish to disable cookies regardless of the requirements on our site, the following links will provide the information for you to do so.
(a) Cookie settings in Internet Explorer
(b) Cookie settings in Firefox
(c) Cookie settings in Chrome
(d) Cookie settings in Safari on Mac and Safari on iPhone, iPad, or iPod touch.
Storage of Information
If you live outside of the United States, you understand and agree that we may transfer your information to the United States as described herein.
You are also entitled to learn about the legal basis of data transfers to a country outside the European Union, Canada, or to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by us to safeguard your data. If any such transfer takes place, you can find out more by contacting us at .
Your Access and Control Over Information
You may opt out of any future contact from us at any time by contacting us via the email address or phone number given on our website.
Updating your data can be performed via our website. This allows users to maintain correct and current information, or to change or remove any information that is in error or that the user no longer wishes to have with STM.
Information obtained through a B2B relationship will need to be addressed with the data controller. In these cases, that will be the business or organization providing the client’s information to STM. If you wish for your information, including PII, to be removed from STM systems, but it has been provided to STM by your employer, you will need to request a direct removal from the data controller.
Any personal data held by STM will remain with us until the user account is closed. Once that has happened the user’s data will be irreversibly destroyed.
We may be allowed to retain Personal Data for a longer period whenever you have given consent to such processing, as long as such consent is not withdrawn. Furthermore, we may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority. Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification, and the right to data portability cannot be enforced after expiration of the retention period.
All data such as Credit Card information is only held with STM for as long as PCI-DSS regulations allow or until that information is revoked by the data owner or through a break in B2B relationships where the information originated in.
STM maintains compliance with PIPEDA requirements on user data for any clients under its protections. As such, our general privacy practices cover all areas required under this regulatory framework. Listed here are the 10 principles of that regulatory framework.
Principle 1 - Accountability
An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
STM has created a Security & Compliance office which handles all accountability requirements for our privacy practices.
Principle 2 - Identifying Purposes
The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
STM only uses any information collected to provide travel-related services.
Principle 3 - Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
STM utilizes a portal system where users can provide information necessary to facilitate the travel services being provided without constant user interaction. Explicit Consent is required before providing information to our profile management system.
Principle 4 - Limiting Collection
The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
All collection of information by STM conforms to transparent and legal means. No scraping or grabbing of information occurs for users not within our system outside of B2B relationships where contractual agreements allow STM to collect this information directly from the organization.
Principle 5 - Limiting Use, Disclosure, and Retention
Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
All user data is required to be removed if requested by a user. If data is removed manually by a user, that information is irreversibly removed from our systems. Disclosure of any user data possessed by STM are made available upon request. Retention of data only occurs while a user is active in the B2B relationship and the data is removed upon the end of any B2B relationship that governs their information.
Principle 6 - Accuracy
Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
All personal data sourced from employers under this protection are kept up to date on a minimum monthly basis. This update process ensures accuracy. Users are also able to update any data by contacting STM or through our portal website.
Principle 7 - Safeguards
Personal information must be protected by appropriate security relative to the sensitivity of the information.
See Security Section. In summary, STM always considers security of paramount importance for all information within our systems and for our user’s safety.
Principle 8 - Openness
An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
Principle 9 - Individual Access
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
STM maintains a portal system and disclosure of any user data will be made available upon request to our Security and Compliance department.
Principle 10 - Challenging Compliance
An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.
If there are concerns or challenges to our security practices please contact us at
If you are resident in the EU/EEA, or if you are receiving services from, or otherwise engaging with STM in the EU/EEA, under European law you have the following rights in respect to your personal information that we hold:
Right to withdraw your consent at any time.
You have the right to withdraw your consent where you have previously given your consent to the processing of your Personal Data.
Right to object to processing of Your Data.
You have a right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. There may be compelling reasons for continuing to process your personal information, and we will assess and inform you if that is the case. You must know that, however, should your Personal Data be processed for direct marketing purposes, you can object to that processing at any time without providing any justification.
Right to access your Data.
You have the right to obtain: confirmation of whether, and where, we are processing your Personal Data; (ii) information about the categories of Personal Data we are processing, the purposes for which we process your Personal Data and information as to how we determine applicable retention periods; (iii) information about the categories of recipients with whom we may share your Personal Data; and (iv) a copy of the Personal Data we hold about you.
Right of portability.
You have the right, in certain circumstances, to receive a copy of the Personal Data you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your Personal Data to another person.
Right to verify and seek rectification.
You have the right to verify the accuracy of your Personal Data and ask for it to be updated or corrected.
Right to restrict the processing of your Data.
You have the right, under certain circumstances, to restrict the processing of your Personal Data if the continued processing of your data in this way is not justified, such as where the accuracy of the personal information is contested by you. In this case, we will not process your Personal Data for any purpose other than storing it.
Right to have your Personal Data deleted or otherwise removed.
You have the right, under certain circumstances, to have us erase your Personal Data without undue delay if the continued processing of that data is not justified.
Right to lodge a complaint.
You have the right to bring a claim before your competent data protection authority. Further information about how to contact your local data protection authority is available at
Availability, Errors, and Inaccuracies
We are constantly updating our offerings, products, and services and availability of services may be inaccurately described and may experience delays. While we try to be thorough, we do not guarantee the accuracy or completeness of information on the website. If there are issues with the website information, please contact STM for resolution to any issues.
Our Services are not directed at persons under the age of 16 and we do not knowingly collect Personal Data from children under the age of 16. If you become aware that your child has provided us with personal information, without your consent, then please contact us at so that we can take steps to remove such information and terminate any account your child has created with us.
This website may contain links to other websites. Please be aware that STM is not responsible for the privacy practices of other websites. We encourage you to be aware when you leave our website and to read the privacy statements of each and every website that collects personally identifiable information. This privacy statement policy applies solely to information collected by STM.
We take precautions to protect your information. When you submit sensitive information via the website, your information is protected both online and offline.
Wherever we collect sensitive information (such as credit card data), that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a lock icon in the address bar and looking for "https" at the beginning of the address of the web page.
While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job are granted access to personally identifiable information. The computers/servers in which we store personally identifiable information are kept in a secure environment and maintained on encrypted storage to prevent unauthorized access.
STM maintains PCI-DSS Compliance with independent ASV verification available upon request.
GDPR Guidelines are followed with information for our European Union customers and any GDPR request for information removal, transport etc. can be sent to the following contact information to reach our Data Protection Officer.
PIPEDA guidelines are followed for information including PII information for all customers and requests for removal or information can be sent directly to the following contact information.
If you wish to have your account information or personal information removed from STM, please email .
From time to time we may change our privacy policies. We will provide notice of any material changes to our Policy as required by law. We will also post an updated copy on our website. Please check our site periodically for updates.
Complaints or Inquiries
Any complaints or inquiries can be forwarded to our Security and Compliance officer, information below:
Kris Adams, Security Analyst & Systems Administrator
1203 W Ridgeway Ave, Waterloo, IA, 50701