top of page


















This privacy notice discloses the privacy practices for STM including the following sites: and including any and all subdomains. This privacy notice applies to information collected by these websites and subdomains and all Personal Identifiable Information collected through any means by STM. It will notify you of the following items (this list is not inclusive of all items covered in this policy): 

  1. What personally identifiable information is collected from you through the website, how it is used and with whom it may be shared. 

  2. What choices are available to you regarding the use of your data. 

  3. How consent is gathered to ensure Explicit Consent is given on user submitted information. 

  4. The security procedures in place to protect the misuse of your information and protect information in transit and at rest. 

  5. How you can correct any inaccuracies in the information. 


STM operates under the following industry regulatory guidelines and requirements where needed. This list covers the following but may not include all regulatory guidelines related to privacy. It also does not include the internal standards and governing policies of STM. 

  • PCI-DSS 

  • GDPR 


  • GLB Act 

  • CCPA 

  • Anti-Bribery Anti-Corruption (ABAC) Act 


What Information We Collect 

All information listed here is only obtained through user interaction or through B2B agreements direct with organizations or business entities. This data is covered under at least “industry standard” or better protection for data in transit and at rest. None of this information is collected without the express and explicit permission of the user through intentional submission into STM website interface or through a partnership with a client’s business for corporate integration. 

Information Collected (may not be complete list): 

  • Name 

  • Phone Number 

  • Email Address 

  • Identification information (i.e. passport) 

  • Credit Card information 

  • Work Role 

  • Employment Location 

  • Employment Company 

  • Additional information may be collected with user submission of information to their user profile. 


This information may be collected automatically through our analytics or logging. All information collected under this category is anonymized for user protection when held outside of STM. Internally, we may use this information in providing support regarding issues. All information regarding Payment Card, Password, and other sensitive data is anonymized or removed regardless of use. 

The following information is collected via a 3rd party analytics tool and anonymized to protect client privacy: 

  • IP Address information 

  • Browser type and version 

  • Demographic information 

  • Website usage statistics 


Information Collection and Sharing 

STM is the sole owners of the information collected on this site. We only have access to collect information that you voluntarily give us through submission on this website by user interaction where explicit consent is required. 

STM will not share your information with any 3rd party outside of our organization, other than as necessary to fulfill your request or provide required services agreed to by the user, or user’s employer, through employing STM services, including booking travel, and accommodation for a user through a requested action with providers of those services. This may include direct submission or submission through a GDS. 

Unless you ask us not to, or consent to do so is revoked through the contract with your employer, we may contact you via email in the future to tell you about specials, new products or services, or changes to this privacy policy. 

STM does not share client information with any advertising, research, or 3rd party providers or services. Information may be collated anonymously regarding travel statistics under B2B agreements and through travel data aggregation through an approved vendor that provides data aggregation or disclosure of travel data. 

Log Data 

Like many website operators we collect information from your browser upon visiting our website or “Log Data.” 

This data may include information such as your IP address, browser type and version, times visited, and which pages were visited as well as other statistics. 

We anonymize this information for all users and through a 3rd party service collect, monitor, and analyze this data. 

In the case of services that provide information or session reconstruction, any PII data is encrypted or redacted to ensure privacy and only held for the time required to provide support services to our users, clients, etc. 


STM reserves the right to use cookies. These are required to provide secure User Sessions and ensure website reliability. All data in STM cookies is encrypted data and no user information is disclosed under this process. 

Cookies are files with small amounts of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your computer's hard drive. Like many websites, we use cookies to collect information and provide secure sessions for data protection. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you will not be able to use our online resources. 

If you wish to disable cookies regardless of the requirements on our site, the following links will provide the information for you to do so. 

(a) Cookie settings in Internet Explorer

(b) Cookie settings in Firefox

(c) Cookie settings in Chrome

(d) Cookie settings in Safari on Mac and Safari on iPhone, iPad, or iPod touch. 

Storage of Information 

Your data is processed at our operating offices in the United States and in any other places where the parties involved in the processing are located. Depending on your location, data transfers may involve transferring of your Personal Data to a country other than your own. Any international transfers of your personal information are made pursuant to appropriate safeguards, such as standard data protection clauses adopted by the European Commission. If you wish to enquire further about these safeguards used, please contact us using the details set out at the end of this privacy policy. 


If you live outside of the United States, you understand and agree that we may transfer your information to the United States as described herein. 

You are also entitled to learn about the legal basis of data transfers to a country outside the European Union, Canada, or to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by us to safeguard your data. If any such transfer takes place, you can find out more by contacting us at 

Your Access and Control Over Information 

You may opt out of any future contact from us at any time by contacting us via the email address or phone number given on our website. 

Updating your data can be performed via our website. This allows users to maintain correct and current information, or to change or remove any information that is in error or that the user no longer wishes to have with STM. 

Information obtained through a B2B relationship will need to be addressed with the data controller. In these cases, that will be the business or organization providing the client’s information to STM. If you wish for your information, including PII, to be removed from STM systems, but it has been provided to STM by your employer, you will need to request a direct removal from the data controller. 

Retention Time 

Any personal data held by STM will remain with us until the user account is closed. Once that has happened the user’s data will be irreversibly destroyed. 

We may be allowed to retain Personal Data for a longer period whenever you have given consent to such processing, as long as such consent is not withdrawn. Furthermore, we may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority. Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification, and the right to data portability cannot be enforced after expiration of the retention period. 

All data such as Credit Card information is only held with STM for as long as PCI-DSS regulations allow or until that information is revoked by the data owner or through a break in B2B relationships where the information originated in. 


STM maintains compliance with PIPEDA requirements on user data for any clients under its protections. As such, our general privacy practices cover all areas required under this regulatory framework. Listed here are the 10 principles of that regulatory framework. 

  • Principle 1 - Accountability 
    An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles. 

    STM has created a Security & Compliance office which handles all accountability requirements for our privacy practices. 

  • Principle 2 - Identifying Purposes 
    The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection. 

    STM only uses any information collected to provide travel-related services. 

  • Principle 3 - Consent 
    The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. 

    STM utilizes a portal system where users can provide information necessary to facilitate the travel services being provided without constant user interaction. Explicit Consent is required before providing information to our profile management system. 

  • Principle 4 - Limiting Collection 
    The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means. 

    All collection of information by STM conforms to transparent and legal means. No scraping or grabbing of information occurs for users not within our system outside of B2B relationships where contractual agreements allow STM to collect this information directly from the organization. 

  • Principle 5 - Limiting Use, Disclosure, and Retention 
    Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes. 

    All user data is required to be removed if requested by a user. If data is removed manually by a user, that information is irreversibly removed from our systems. Disclosure of any user data possessed by STM are made available upon request. Retention of data only occurs while a user is active in the B2B relationship and the data is removed upon the end of any B2B relationship that governs their information. 

  • Principle 6 - Accuracy 
    Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used. 

    All personal data sourced from employers under this protection are kept up to date on a minimum monthly basis. This update process ensures accuracy. Users are also able to update any data by contacting STM or through our portal website. 

  • Principle 7 - Safeguards 
    Personal information must be protected by appropriate security relative to the sensitivity of the information. 

    See Security Section. In summary, STM always considers security of paramount importance for all information within our systems and for our user’s safety. 

  • Principle 8 - Openness 
    An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available. 

    STM is committed to the highest levels of transparency relating to our Privacy and Security practices. This document serves as our publicly disclosed privacy policy. Our security and other publicly available governing documents can be found on our website or requested from our security and compliance department via 

  • Principle 9 - Individual Access 
    Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. 

    STM maintains a portal system and disclosure of any user data will be made available upon request to our Security and Compliance department. 

  • Principle 10 - Challenging Compliance 
    An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer. 

    If there are concerns or challenges to our security practices please contact us at



If you are resident in the EU/EEA, or if you are receiving services from, or otherwise engaging with STM in the EU/EEA, under European law you have the following rights in respect to your personal information that we hold: 

  • Right to withdraw your consent at any time. 

    • You have the right to withdraw your consent where you have previously given your consent to the processing of your Personal Data. 
      Right to object to processing of Your Data. 

    • You have a right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. There may be compelling reasons for continuing to process your personal information, and we will assess and inform you if that is the case. You must know that, however, should your Personal Data be processed for direct marketing purposes, you can object to that processing at any time without providing any justification. 

  • Right to access your Data. 

    • You have the right to obtain: confirmation of whether, and where, we are processing your Personal Data; (ii) information about the categories of Personal Data we are processing, the purposes for which we process your Personal Data and information as to how we determine applicable retention periods; (iii) information about the categories of recipients with whom we may share your Personal Data; and (iv) a copy of the Personal Data we hold about you. 

  • Right of portability. 

    • You have the right, in certain circumstances, to receive a copy of the Personal Data you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your Personal Data to another person. 

  • Right to verify and seek rectification. 

    • You have the right to verify the accuracy of your Personal Data and ask for it to be updated or corrected. 

  • Right to restrict the processing of your Data. 

    • You have the right, under certain circumstances, to restrict the processing of your Personal Data if the continued processing of your data in this way is not justified, such as where the accuracy of the personal information is contested by you. In this case, we will not process your Personal Data for any purpose other than storing it. 

    • Right to have your Personal Data deleted or otherwise removed. 

      You have the right, under certain circumstances, to have us erase your Personal Data without undue delay if the continued processing of that data is not justified. 

    • Right to lodge a complaint. 

      You have the right to bring a claim before your competent data protection authority. Further information about how to contact your local data protection authority is available at 

Availability, Errors, and Inaccuracies 

We are constantly updating our offerings, products, and services and availability of services may be inaccurately described and may experience delays. While we try to be thorough, we do not guarantee the accuracy or completeness of information on the website. If there are issues with the website information, please contact STM for resolution to any issues. 


Our Services are not directed at persons under the age of 16 and we do not knowingly collect Personal Data from children under the age of 16. If you become aware that your child has provided us with personal information, without your consent, then please contact us at so that we can take steps to remove such information and terminate any account your child has created with us. 


STM does not share personal information with 3rd parties for their direct marketing purposes. If you reside in California, you have the right to ask us one time each year whether we have shared personal information with 3rd parties for their direct marketing purposes. To make a request, please contact us by email using “Privacy Policy/Ad and Cookie Policy” as the subject of your message, and indicate in your message that you are a California resident making a “Shine the Light” inquiry. This can be sent directly to our security and compliance department at 

External Links 

This website may contain links to other websites. Please be aware that STM is not responsible for the privacy practices of other websites. We encourage you to be aware when you leave our website and to read the privacy statements of each and every website that collects personally identifiable information. This privacy statement policy applies solely to information collected by STM. 


We take precautions to protect your information. When you submit sensitive information via the website, your information is protected both online and offline. 

Wherever we collect sensitive information (such as credit card data), that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a lock icon in the address bar and looking for "https" at the beginning of the address of the web page. 

While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job are granted access to personally identifiable information. The computers/servers in which we store personally identifiable information are kept in a secure environment and maintained on encrypted storage to prevent unauthorized access. 

STM maintains PCI-DSS Compliance with independent ASV verification available upon request. 

GDPR Guidelines are followed with information for our European Union customers and any GDPR request for information removal, transport etc. can be sent to the following contact information to reach our Data Protection Officer. 

PIPEDA guidelines are followed for information including PII information for all customers and requests for removal or information can be sent directly to the following contact information. 

If you feel that we are not abiding by this privacy policy, you should contact us immediately via email 

If you wish to have your account information or personal information removed from STM, please email 

Policy Changes 

From time to time we may change our privacy policies. We will provide notice of any material changes to our Policy as required by law. We will also post an updated copy on our website. Please check our site periodically for updates. 

Complaints or Inquiries 

Any complaints or inquiries can be forwarded to our Security and Compliance officer, information below: 

Kris Adams, Compliance Security Manager

1203 W Ridgeway Ave, Waterloo, IA, 50701 

bottom of page