Policies

In compliance with the provisions of Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, Hotel el Virrey Central adopts this policy for the processing of personal data, which will be informed to all owners of the data collected or that may be obtained in the future in the exercise of academic, cultural, commercial or work activities. Hotel el Virrey Central declares that it guarantees the rights to privacy, intimacy, good name, in the processing of personal data, and consequently all its actions will be governed by the principles of legality, purpose, freedom, veracity or quality, transparency, restricted access and circulation, security and confidentiality. For GRUPO EL VIRREY SAS the conservation, protection, integrity and confidentiality of its clients' personal data is very important. For this purpose, we have designed a policy for storing and processing information that our clients provide through the various marketing channels for our products and services (such as websites, call centers), and we are committed to the protection and proper handling of such information, in accordance with the legal regime for the protection of personal data. PRIVACY AND PERSONAL DATA PROCESSING POLICIES - GRUPO EL VIRREY SAS CHAPTER I GENERAL PROVISIONS ARTICLE 1. DEFINITIONS. For the purposes of applying the rules contained in this manual and in accordance with the provisions of Article 3 of Law 1581 of 2012, the following are understood as: a) Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data. b) Privacy Notice: Verbal or written communication generated by the Controller addressed to the Data Subject for the processing of their personal data, through which they are informed of the existence of the Information Processing policies that will be applicable to them, how to access them, and the purposes of the Processing intended for their personal data. c) Database: An organized set of personal data that is the object of Processing. d) Personal Data: Any information linked to or that can be associated with one or more specific or identifiable natural persons. e) Private Data: Data that, due to its intimate or reserved nature, is only relevant to the Data Subject. f) Sensitive Data: Sensitive data is understood to be that which affects the privacy of the Data Subject or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data. g) Data Processor: Natural or legal person, public or private, who, by itself or in association with others, processes personal data on behalf of the Data Controller. h) Data Controller: Natural or legal person, public or private, who, by itself or in association with others, decides on the database and/or the processing of the data. i) Data Subject: Natural person whose personal data is the subject of processing. j) Processing: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion of the same. ARTICLE 2. PURPOSE. The purpose of this document is to regulate the procedures for the collection, handling and processing of personal data carried out by GRUPO EL VIRREY SAS, in order to guarantee and protect the fundamental right to habeas data of its guests, visitors, clients, users and suppliers within the framework of what is established by law. All of the above in compliance with the provisions of literal (k) of Article 17 of Law 1581 of 2012, which regulates the duties of those responsible for the processing of personal data, among which is the duty to adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, in particular, for the attention of inquiries and complaints. ARTICLE 3. SCOPE OF APPLICATION. This manual will apply to personal data recorded and to be recorded in the different databases managed by GRUPO EL VIRREY SAS, that is, to the databases of our guests, visitors, clients, and suppliers who provide us with their data for commercial purposes. The information collected by GRUPO EL VIRREY SAS may include, in whole or in part, depending on the needs of each product and/or service, among others, the following data: • First and last names. • Identification type and number. • Nationality and country of residence. • Date of birth and gender. • Marital status and/or kinship with minors or disabled persons requesting our services. • Landline and cell phone contact numbers (personal and/or work). • Postal and email addresses (personal and/or work). • Profession or occupation • Company where you work and position. • Origin and destination • Purpose of your trip • Credit card information (number, bank, expiration date). • Cardholder personal information (name and surname, ID type and number). • Information on the address where the cardholder receives their bank statements. This information may be stored and/or processed on servers located in data centers, whether owned by the cardholder or contracted with third-party providers, which is authorized by our guests, visitors, clients, users, and suppliers upon accepting this Privacy Policy. ARTICLE 4. ACCURACY OF INFORMATION. Our guests, visitors, clients, users, and suppliers must provide accurate information about their personal data in order for GRUPO EL VIRREY SAS to provide services, and under this condition, they agree to provide the requested information. GRUPO EL VIRREY SAS assumes the accuracy of the information provided and does not verify, nor assume the obligation to verify, the identity of the guests, visitors, clients, users, and suppliers, nor the accuracy, validity, sufficiency, or authenticity of the data each of them provides. Therefore, it assumes no liability for damages and/or losses of any kind that may arise from the lack of veracity, validity, sufficiency or authenticity of the information, including damages that may be due to homonymy or identity theft. ARTICLE 5. APPLICABLE LEGISLATION. This manual was prepared taking into account the ordinances of Law 1581 of 2012 "By which general provisions for the protection of personal data are issued" and Decree number 1377 of 2013 "By which Law 1581 of 2012 is partially regulated". ARTICLE 6. INFORMATION OF CHILDREN AND ADOLESCENTS UNDER AGE. GRUPO EL VIRREY SAS will ensure the appropriate use of the personal data of minors, boys, girls and adolescents, guaranteeing that their best interests and fundamental rights are respected in the processing of their data and, to the extent possible, taking into account their opinions as owners of their personal data. ARTICLE 7. PURPOSES OF THE PROCESSING OF PERSONAL DATA The information collected is used to process, confirm, fulfill and provide the services and/or products purchased, directly and/or with the participation of third-party providers of products or services, as well as to promote and advertise our activities, products and services, carry out transactions, make reports to the various national or international administrative control and surveillance authorities, police authorities or judicial authorities, banking entities and/or insurance companies, for internal administrative and/or commercial purposes such as market research, audits, accounting reports, statistical analysis, billing, and offering and/or recognition of benefits from our loyalty programs. By accepting this Privacy and Data Processing Policy, our guests, visitors, clients, users and suppliers, in their capacity as data subjects, authorize GRUPO EL VIRREY SAS to process such data, in whole or in part, including the collection, storage, recording, use, circulation, processing and deletion of such data, for the execution of activities related to the services and products purchased, such as making reservations, making modifications, cancellations and changes to such reservations, refunds, handling of queries, complaints and claims, payment of compensation and indemnities, accounting records, correspondence, processing and verification of credit, debit and other payment cards, identification of fraud and prevention of money laundering and other criminal activities and/or for the operation of loyalty programs and other purposes indicated in this document. The foregoing is without prejudice to other purposes that have been reported in this document and in the terms and conditions of each of the products and services of each of our business units. We advise that third-party providers (such as reservation system providers, travel agencies, call centers, banking entities, insurers) may be involved in these activities. Additionally, our travelers, clients and users, as owners of the data collected, by accepting this privacy policy, authorize us to: • Use the information received from them for marketing purposes of their products and services, and the products and services of third parties with which GRUPO EL VIRREY SAS maintains a business relationship. • Provide personal data to police or judicial control and surveillance authorities, pursuant to a legal or regulatory requirement and/or use or disclose this information and personal data in defense of their rights and/or assets when such defense is related to the products and/or services contracted by their travelers, clients and users. • Allow access to information and personal data to auditors or third parties contracted to carry out internal or external audit processes related to the commercial activity we carry out. • Consult and update personal data, at any time, in order to to keep said information up to date. • Contract with third parties for the storage and/or processing of information and personal data for the correct execution of the contracts entered into with us, under the security and confidentiality standards to which we are obligated. CHAPTER II AUTHORIZATION ARTICLE 8. AUTHORIZATION. The collection, storage, use, circulation, or deletion of personal data by GRUPO EL VIRREY SAS requires the free, prior, express, and informed consent of the data subject. GRUPO EL VIRREY SAS, as the data controller, has put in place the necessary mechanisms to obtain the data subjects' authorization, ensuring in all cases that it is possible to verify the granting of said authorization. With the aforementioned authorization, the client accepts the policies and conditions established in this document. ARTICLE 9. FORM AND MECHANISMS FOR GRANTING AUTHORIZATION. The authorization of the data subject will be recorded in each of GRUPO EL VIRREY SAS's data collection channels and mechanisms. Thus, it may be recorded in a physical, electronic document or in any other format that allows guaranteeing its subsequent consultation. The authorization will be issued by the owner prior to the processing of their personal data, in accordance with the provisions of Law 1581 of 2102. The consent authorization procedure guarantees that the owner of the personal data has been informed both of the fact that their personal information will be collected and used for specific and known purposes, and that they have the option of knowing any alteration to them and the specific use that has been given to them. The foregoing is so that the owner makes informed decisions regarding their personal data and controls the use of their personal information. CHAPTER III RIGHTS AND DUTIES ARTICLE 10. RIGHTS OF THE INFORMATION OWNERS. In accordance with the provisions of article 8 of Law 1581 of 2012, the owner of the personal data has the following rights: a) Know, update and rectify their personal data before GRUPO EL VIRREY SAS, in its capacity as of the data controller. b) Request proof of the authorization granted to GRUPO EL VIRREY SAS, in its capacity as Data Controller. c) Be informed by GRUPO EL VIRREY SAS, upon request, regarding the use that has been given to your personal data. d) Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012, once you have exhausted the consultation or claim process with the Data Controller. e) Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights, and guarantees. f) Access your personal data that have been subject to processing free of charge. ARTICLE 11. DUTIES OF GRUPO EL VIRREY SAS IN RELATION TO THE PROCESSING OF PERSONAL DATA. GRUPO EL VIRREY SAS. will always be aware that personal data belongs to the individuals to whom it refers and that only they may make decisions regarding such data. In this regard, it will use such data only for the purposes for which it is duly authorized, and in all cases respecting Law 1581 of 2012 on the protection of personal data. In accordance with the provisions of Article 17 of Law 1581 of 2012, GRUPO EL VIRREY SAS undertakes to permanently comply with the following duties: a) To guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data. b) To retain the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access. c) To promptly update, rectify, or delete the data in accordance with the terms established in Articles 14 and 15 of Law 1581 of 2012. d) Process inquiries and complaints made by Data Subjects in accordance with the terms set forth in Article 14 of Law 1581 of 2012. e) Enter the legend "information under judicial dispute" into the database once notified by the competent authority of judicial proceedings related to the quality or details of the personal data. f) Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendency of Industry and Commerce. g) Allow access to the information only to those individuals who may have access to it. h) Inform the Superintendency of Industry and Commerce when security codes are breached and risks arise in the management of Data Subjects' information. i) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. CHAPTER IV ACCESS, CONSULTATION AND CLAIM PROCEDURES ARTICLE 13. RIGHT OF ACCESS: The power of disposition or decision that the owner has over the information that concerns him, necessarily entails the right to access and know if his personal information is being processed, as well as the scope, conditions and generalities of said processing. Likewise, the owner has the right to request its rectification if it is inaccurate or incomplete and to cancel it when it is not being used in accordance with legal or contractual purposes and terms or according to the purposes and terms contemplated in this Privacy Policy. GRUPO EL VIRREY SAS will guarantee the right of access when, after proving the identity of the owner or his representative or attorney-in-fact, he requests it as provided for in Law 1581 of 2012. Clients and users may exercise their rights to know, update, rectify and delete their personal data by sending their request to the email address: reservas@hotelelvirrey.com and by phone at 3341150, in accordance with this Privacy Policy. You must include the following information in the request: • First and last names. • Type of document. • Document number. • Telephone number. • Email address. • Country. • Subject. ARTICLE 13. RESPONSE TO CONSULTATIONS. In any case, regardless of the mechanism implemented to handle consultation requests, they will be attended to within a maximum period of ten (10) business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which their query will be attended to, which in no case may exceed five (5) business days after the expiration of the first term. ARTICLE 14. CLAIMS. In accordance with the provisions of article 14 of Law 1581 of 2012, the Owner or their successors in title who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged non-compliance with any of the duties contained in Law 1581 of 2012, may file a claim with the Data Controller, which will be processed under the following rules: 1. The claim may be submitted by the Owner in the formats provided for this purpose by GRUPO EL VIRREY SAS in its Hotel registry. If the claim received does not have complete information that allows it to be processed, that is, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that wish to be asserted, the interested party will be required within five (5) days following its receipt to correct the deficiencies. After two (2) months from the date of the request without the applicant presenting the required information, it will be understood that the claim has been withdrawn. If for any reason the Company receives a claim that should not actually be directed against it, it will forward it to the appropriate person within a maximum period of two (2) business days and will inform the interested party of the situation. 2. Once the complete claim has been received, a legend stating "claim in process" and the reason for it will be included in the database maintained by GRUPO EL VIRREY SAS, within a period of no more than two (2) business days. This legend must be maintained until the claim is decided. 3. The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to address it within said term, the interested party will be informed before the expiration of the aforementioned period of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. ARTICLE 15. IMPLEMENTATION OF PROCEDURES TO GUARANTEE THE RIGHT TO FILE CLAIMS. At any time and free of charge, the owner or his/her representative may request GRUPO EL VIRREY SAS to rectify, update or delete their personal data, upon proof of their identity. The rights of rectification, update or deletion may only be exercised by: • The owner or his/her successors in title, upon proof of their identity, or through electronic instruments that allow them to be identified. • His/her representative, upon proof of representation. When the request is made by a person other than the data subject and there is no proof that they are acting on the data subject's behalf, it will be deemed not submitted. Requests for rectification, update, or deletion must be submitted through the means enabled by GRUPO EL VIRREY SAS as indicated in the privacy notice and must contain, at a minimum, the following information: 1. The name and address of the data subject or any other means to receive a response. 2. Documents proving the identity or legal status of their representative. 3. A clear and precise description of the personal data with respect to which the data subject seeks to exercise any of their rights. 4. If applicable, other elements or documents that facilitate locating the personal data. PARAGRAPH 1. RECTIFICATION AND UPDATING OF DATA. GRUPO EL VIRREY SAS is obligated to rectify and update, at the data subject's request, any information about them that is incomplete or inaccurate, in accordance with the procedure and terms set forth above. In this regard, the following will be taken into account: In requests for rectification and updating of personal data, the data subject must indicate the corrections to be made and provide documentation supporting their request. GRUPO EL VIRREY SAS is fully free to enable mechanisms that facilitate the exercise of this right, as long as they benefit the data subject. Accordingly, electronic or other means it deems pertinent may be enabled. GRUPO EL VIRREY SAS may establish forms, systems, and other simplified methods, which must be disclosed in the privacy notice and which will be made available to interested parties on the website. GRUPO EL VIRREY SAS will use the customer service or support services it has in operation, as long as the response times are not longer than those indicated by article 15 of Law 1581 of 2012. Every time GRUPO EL VIRREY SAS makes a new tool available to facilitate the exercise of their rights by information holders or modifies existing ones, it will inform you through its website. PARAGRAPH 2. DELETION OF DATA. The owner has the right, at any time, to request GRUPO EL VIRREY SAS to delete (eliminate) their personal data when: a.) They consider that they are not being treated in accordance with the principles, duties and obligations provided for in Law 1581 of 2012. b.) They are no longer necessary or relevant for the purpose for which they were collected. c.) The period necessary for the fulfillment of the purposes for which they were collected has been exceeded. This deletion entails the total or partial elimination of personal information as requested by the owner in the records, files, databases or processing carried out by GRUPO EL VIRREY SAS. It is important to keep in mind that the right to erasure is not absolute and the data controller may deny the exercise of the right when: • The request to erase the information will not proceed when the owner has a legal or contractual obligation to remain in the database. • The elimination of data hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions. • The data is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with a legally acquired obligation of the owner. If the cancellation of personal data is appropriate, GRUPO EL VIRREY SAS must operationally carry out the deletion in such a way that the deletion does not allow the recovery of the information. ARTICLE 16. REVOCATION OF AUTHORIZATION. Personal data subjects may revoke their consent to the processing of their personal data at any time, provided that this is not prohibited by law. To do so, they must contact GRUPO EL VIRREY SAS by email at info@hotelelvirrey.com or by calling 3341150. It should be noted that there are two ways in which consent can be revoked. The first may apply to all of the consented purposes, meaning that GRUPO EL VIRREY SAS must completely stop processing the data subject's data; the second may apply to specific types of processing, such as for advertising or market research purposes. With the second method, partial revocation of consent, other processing purposes that the controller may carry out, in accordance with the authorization granted, and with which the data subject agrees, are safeguarded. Therefore, the data subject must indicate whether the revocation is total or partial when submitting the request to revoke consent to GRUPO EL VIRREY SAS. In the latter case, the processing with which the data subject does not agree must be indicated. There will be cases in which consent, due to its necessary nature in the relationship between the data subject and the party responsible for fulfilling a contract, cannot be revoked by law. The mechanisms or procedures established by GRUPO EL VIRREY SAS to address requests for revocation of consent may not exceed the time periods established for addressing claims, as indicated in Article 15 of Law 1581 of 2012. CHAPTER V INFORMATION SECURITY ARTICLE 17. SECURITY MEASURES. In compliance with the security principle established in Law 1581 of 2012, GRUPO EL VIRREY SAS has adopted the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized or fraudulent consultation, use, or access. Notwithstanding the foregoing, the client assumes the risks arising from providing this information over a medium such as the Internet, which is subject to various variables - third-party attacks, technical or technological failures, among others. GRUPO EL VIRREY SAS will make its best technological effort to guarantee the security of the personal information of all its clients and/or users, employing reasonable and current security methods to prevent unauthorized access, maintain data accuracy, and ensure the correct use of the information. ARTICLE 18. IMPLEMENTATION OF SECURITY MEASURES. GRUPO EL VIRREY SAS will maintain security protocols that are mandatory for personnel with access to personal data and information systems. The procedure must consider, at a minimum, the following aspects: a) Third parties contracted by GRUPO EL VIRREY SAS will be required to adhere to and comply with the information security policies and manuals, as well as the security protocols that we apply to all our processes. b) Every contract between GRUPO EL VIRREY SAS and third parties (contractors, external consultants, temporary collaborators, etc.) that involves the processing of information and personal data will include a confidentiality agreement detailing their commitments to the protection, care, security, and preservation of the confidentiality, integrity, and privacy of said information. c) Scope of the procedure with a detailed specification of the protected resources. d) Measures, norms, procedures, rules, and standards aimed at guaranteeing the level of security required by Law 1581 of 2012. e) Functions and obligations of personnel. f) Structure of personal data bases and description of the information systems that process them. g) Procedure for reporting, managing, and responding to incidents. h) Procedures for making backup copies and recovering data. i) Periodic controls that must be carried out to verify compliance with the provisions of the implemented security procedure. j) Measures to be adopted when a medium or document is to be transported, discarded or reused. k) The procedure must be kept up to date at all times and must be reviewed whenever relevant changes occur in the information system or in its organization. l) The content of the procedure must adapt at all times to the current provisions regarding the security of personal data. CHAPTER VI FINAL PROVISIONS ARTICLE 19. MODIFICATIONS TO THE PRIVACY POLICY. GRUPO EL VIRREY SAS reserves the right to make modifications or updates to this Privacy Policy at any time, to address legislative developments, internal policies or new requirements for the provision or offering of its services or products. ARTICLE 20. VALIDITY OF THE PROCESSING OF INFORMATION AND PERSONAL DATA. The information provided by clients and users will remain stored for up to fifteen (15) years from the date of the last processing, to allow us to comply with the legal and/or contractual obligations under your responsibility, especially in accounting, fiscal and tax matters.

SERVICES AND PAYMENT The hotel undertakes to ensure that the reserved room is available and to provide the services contracted by the guest. The guest agrees to pay the hotel the agreed amount for the accommodation service and any other contracted services, paying the first day of accommodation in advance at the time of check-in and the following days in daily installments. The guest declares that they have been informed of the rates, fees, and general room prices per night. ROOM AVAILABILITY, CHECK-IN AND CHECK-OUT The check-in time is set at 3:00 PM (15:00 hours). Before this time, the hotel does not undertake to allow access to the room. The check-out time is set at 12:00 PM (12:00 hours). The period between these times corresponds to the hotel night. Early check-in or late check-out is subject to availability and the guest must pay the corresponding amount. HOTEL AND GUEST RESPONSIBILITIES The hotel will not be liable to guests for valuables that have not been placed in the custody of management. The hotel recommends using the safety deposit boxes available to guests. Make sure you have all your belongings with you. The hotel is NOT responsible for lost or stolen belongings on our premises. Valet parking is an additional service and is subject to availability. The hotel is NOT responsible for damage or theft that may occur in the parking lot. Guests will be responsible for the inventory of items for use in the rooms and agree to assume the corresponding cost for missing or damaged items. Guests will also be responsible for any damage or harm caused to hotel facilities—rooms and common areas. Guests agree to abide by Resolution 1956 of the Ministry of Social Protection, which prohibits smoking in all hotel facilities, including rooms. If the guest smokes in the room, for each day they smoke, they must pay the hotel's cost to deodorize and clean the room. This amount is estimated at USD 100, settled at the representative market rate on the day of payment. The hotel rejects and does not permit sexual exploitation or any form of sexual abuse. The guest agrees to abide by Law 679 of 2001, which seeks to prevent and counteract the exploitation, pornography, and sex tourism of minors, in accordance with Article 44 of the Colombian Political Constitution. The hotel reserves the right to refuse entry to the room if it deems there is a risk of violating this law. The hotel is against the trafficking of flora, fauna, and cultural assets, in accordance with current regulations, and is responsible for the protection of natural resources and the promotion of responsible behaviors regarding the environment and culture. Law 17 of 1981, for the illicit trafficking of flora and fauna, and Law 397 of 1997, for the trafficking of cultural assets. Guests must register all companions or guests who visit their room at the hotel reception and pay the corresponding fee or value for each guest if the room extends beyond visiting hours. The hotel rejects any form of discrimination, distinction, exclusion, restriction, or preference based on gender, race, color, national or ethnic origin, religion, political opinion, or any other reason or condition that has the purpose or effect of impairing, restricting, or limiting the full enjoyment of fundamental rights and freedoms. The hotel provides free internet access. Guests are responsible for its proper and legal use and release the hotel from any liability for noncompliance with current legal regulations.

Code: P-SG-002 The Hotel El Virrey Central, located in the city of Bogotá, is committed to mitigating all negative impacts affecting the natural environment due to the development of its operations and to optimizing the use of natural resources. It is also committed to promoting and conserving the cultural heritage of the region, responsibly disseminating the region's traditions and tourist attractions. It is also committed to protecting and supporting the destination community by implementing good sustainable practices, respecting the rights of all stakeholders and ensuring compliance with their duties; preventing negative impacts such as CSEC associated with travel and tourism. To this end, it will have a base of local collaborators and suppliers committed to environmental conservation, culture, and social development.

GENERAL CONSIDERATIONS Aware of the importance of the protection and proper handling of personal information provided by information owners, AVIA SOLUCIONES HOTELERAS, - hereinafter AVIANET, who acts as responsible for the information received, has designed this policy and procedures that together allow for appropriate use of your personal data. In accordance with the provisions of Article 15 of the Colombian Political Constitution, which develops the fundamental right to habeas data, referring to the right of all citizens to know, update, and rectify personal data that exists about them in databases and files, both public and private, which is inevitably related to the handling and processing of information that recipients of personal information must take into account. This right has been developed through the issuance of Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013, based on which AVIANET, as CONTROLLER of the personal data it receives, manages and processes the information, thus proceeds to issue this personal data processing policy, which is made known to the public so that they know how AVIA processes their information. The provisions of this personal data processing policy are mandatory for AVIANET, its administrators, employees, contractors and third parties with whom AVIANET establishes relationships of any kind. OBJECTIVE The implementation of this policy aims to guarantee the confidentiality of the information and the security of how it will be processed for all clients, suppliers, employees and third parties from whom AVIANET has legally obtained information and personal data in accordance with the guidelines established by the law regulating the right to Habeas Data. Likewise, through the issuance of this policy, compliance is achieved with the provisions of Section K of Article 17 of the aforementioned law. DEFINITIONS • Authorization: Prior, express, and informed consent of the data subject to carry out the processing. This may be written, verbal, or through unequivocal conduct that allows for a reasonable conclusion that the data subject has granted authorization. • Database: The organized set of Personal Data that is subject to processing, whether electronic or not, regardless of the method of its formation, storage, organization, and access. • Query: Request by the data subject or by persons authorized by them or by law to access the information held about them in databases or files. • Personal data: Any information linked to or that can be associated with one or more specific or determinable natural persons. This data is classified as sensitive, public, private, and semi-private. • Sensitive personal data: Information that affects a person's privacy or whose misuse may lead to discrimination, such as information that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data (fingerprints, among others). For the purposes of this policy, AVIANET warns that the owner of personal data has the discretion to provide this type of information in cases where it may be requested. • Public personal data: Data classified as such according to the mandates of the law or the Political Constitution and all data that are not semi-private or private. Public data includes, among others, data contained in public documents, public registries, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality, data relating to a person's marital status, their profession or occupation, and their status as a merchant or public servant. Personal data held in the commercial register of the Chambers of Commerce are public data (Article 26 of the Civil Code). Likewise, public data includes data that, by virtue of a decision of the data subject or a legal mandate, is contained in files that are freely accessible and accessible. This data may be obtained and offered without reservation and regardless of whether it refers to general, private, or personal information. • Private personal data. Data that, due to its intimate or confidential nature, is only relevant to the data subject. Examples: merchants' books, private documents, information obtained from a home inspection. • Semi-private personal data. Semi-private data is data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or to society in general, such as, among others, data relating to the fulfillment and non-fulfillment of financial obligations or data relating to relationships with social security entities. • Data Controller: Person who, alone or in association with others, decides on the database and/or the processing of data. • Data Processor: Person who processes data on behalf of the data controller. • "Authorized" means AVIANET and all persons under its responsibility, who, by virtue of authorization and the Policy, are legitimized to process the owner's personal data. Authorized includes those who are authorized. • “Authorization” or being “Authorized” is the legitimacy that AVIANET expressly and in writing, through a contract or document acting in its place, grants to third parties, in compliance with applicable law, for the processing of personal data, making such third parties responsible for the processing of personal data delivered or made available. • Claim: Request by the data subject or persons authorized by them or by law to correct, update, or delete their personal data, or when they become aware of an alleged breach of the data protection regime, according to Article 15 of Law 1581 of 2012. • Data subject: The natural person to whom the information refers. • Processing: Any operation or set of operations on personal data such as, among others, the collection, storage, use, circulation, or deletion of that type of information. • Transmission: Processing of personal data that involves communicating the same within (national transmission) or outside of Colombia (international transmission) and whose purpose is to carry out processing by the data processor on behalf of the controller. • Transfer: Data transfer occurs when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is the controller and is located within or outside the country. • Admissibility requirement: The owner or legal successor may only file a complaint with the Superintendency of Industry and Commerce once they have exhausted the consultation or claim process with the controller or processor, as established in Article 16 of Law 1581 of 2012. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA The processing of personal data must be carried out in compliance with the general and special regulations on the matter and for activities permitted by law. Consequently, the following principles apply for the purposes of this policy: • Principle of legality: Data processing is a regulated activity that must comply with the provisions of the law and other implementing provisions. • Principle of purpose: Processing must serve a legitimate purpose in accordance with the Constitution and the law. • Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial order that waives consent. • Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited. • Principle of transparency: The processing must guarantee the right of the data subject to obtain from the data controller, at any time and without restrictions, information about the existence of data concerning them. • Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of the law, and the Constitution. In this sense, processing may only be carried out by persons authorized by the data subject and/or by the persons provided for by law. • Principle of security: Information subject to processing by the Data Controller or Data Processor referred to in this law must be handled with the technical, human, and administrative measures necessary to ensure the security of the records, preventing their adulteration, loss, unauthorized or fraudulent consultation, use, or access. • Principle of confidentiality: All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended. They may only provide or communicate personal data when this corresponds to the development of the activities authorized in this law and under the terms thereof. Any new project within the Organization that involves the Processing of Personal Data must be consulted with the Information Security Management, which is the person and department in charge of the data protection function to ensure compliance with the policy and the necessary measures to maintain the confidentiality of personal data. RIGHTS OF DATA OWNERS In accordance with current legal provisions, the rights of personal information owners are the following: • The right to know, update, rectify, and consult their personal data at any time with AVIANET regarding data that they consider partial, inaccurate, incomplete, fragmented, or those that are misleading. • The right to request at any time proof of the authorization granted to AVIANET, except in those cases in which the data controller is legally exempt from having the authorization to process the data of the owner. • The right to be informed by AVIANET, upon request by the data owner, regarding the use that has been given to said data. • The right to file any complaints you deem pertinent to assert your right to habeas data with the Superintendency of Industry and Commerce. • The right to revoke authorization and/or request the deletion of any data when you consider that AVIANET has not respected your constitutional rights and guarantees. • The right to freely access the personal data you voluntarily choose to share with AVIANET. The information and/or personal data we collect from you is as follows: Type of person: Natural: first and last names, type of identification, identification number, gender, marital status and date of birth, email address, financial information (bank accounts). Legal: company name, NIT, address, telephone number, cell phone number, email address, country, city, financial information (bank accounts). Information necessary to facilitate travel or other services, including preferences such as travel class, passenger names and surnames (document type, document number, date of birth, first name, last name, gender, email, nationality, passport expiration date), contact information in case of an accident or any other anomaly (first name, last name, phone number). Cardholder information: document type, document number, phone number, address, email, first name, card number, expiration date, and bank. Quote request: first name, last name, phone number, city, and email. Trip information: type of request, destination, departure date, duration, number of adults, number of children, age, hotel category, meals, additional services, transportation service, quote per person. Write to Yadira Rodríguez Guerrero: first name, last name, ID card, address, phone number (landline or cell phone), city, and email. Online help chat: name, email, what is your question? Please rate our site: Your opinion is very important for us to continually improve our customer service channels: first name, last name, email, phone number, and city. Complaint request: first name, last name, ID number, address, phone number, city, email, and comments. Technical problem report: first name, last name, address, phone number, city, email, and comments. Biometric data: Images, video, audio, fingerprints that identify or make identifiable our customers, users, or any person who enters, is located, or transits in any location where AVIANET has implemented devices to capture such information. This data may be stored and/or processed on servers located in data processing centers, whether our own or contracted with suppliers, located in different countries, which is authorized by our customers/users by accepting this policy for the processing and protection of personal data. AVIANET reserves the right to improve, update, modify, or delete any type of information, content, domain, or subdomain that may appear on the website without any obligation to provide prior notice. Publication on the Aviatur websites is deemed sufficient. This is for the resolution of legal or internal requests and for the provision or offering of new services or products. PROCESSING, SCOPE, AND PURPOSES • AVIANET informs data subjects that the data collected from our clients, contractors, and suppliers may be used for the following purposes. AVIANET may process the data directly or through its contractors, consultants, advisors, and/or third parties responsible for processing personal data, so that they may carry out any operation or set of operations such as the collection, storage, use, circulation, deletion, classification, transfer, and transmission (the "Processing") of all or part of your personal data: • To support the contractual relationship established with AVIANET. • To provide services related to the products and services offered. • Carry out all activities related to the service or product. You will be included in an email list for newsletter delivery. • Send information about changes to the terms and conditions of the services and products purchased, and notify you about new services or products. • Manage your requests, clarifications, and inquiries. • Prepare studies and programs necessary to determine consumer habits. • Refine security filters and business rules in commercial transactions; confirm and process said transactions with your financial institution, our service providers, and yourself. • Conduct periodic evaluations of our products and services in order to improve their quality. • Send, by traditional and electronic means, technical, operational, and commercial information on products and services offered by AVIANET, its partners, or suppliers, currently and in the future. • Request satisfaction surveys, which you are not obligated to answer. • Transmit and/or transfer data to other companies, business alliances, or third parties in order to fulfill the obligations acquired. Transmission and transfer may even be made to third countries that may have a different level of protection than Colombia, when necessary for the fulfillment of our obligations. • Comply with obligations contracted by AVIANET with its clients at the time of acquiring our services and products. • Respond to inquiries, requests, complaints, and claims made by regulatory bodies and other authorities that, pursuant to applicable law, must receive personal data. • Any other activity of a similar nature to those described above that are necessary to develop AVIANET's corporate purpose. • Perform queries in various databases and authorized sources (such as OFAC, UN, among others) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies - SARLAFT. • • The data collected from our employees: • Comply with the obligations contracted by AVIANET with the employees who own the information, regarding the payment of salaries, social benefits, and other provisions established in the employment contract and current labor regulations. • Inform the employee of any new developments that arise during the development of the employment contract and even after its termination. • Evaluate the quality of the services we provide. • Conduct internal studies on the habits of the employee who owns the information or request personal information for the development of management programs or systems. • Perform payroll deductions authorized by the employee. • Manage their requests, administration of activities, clarifications, and investigations. • Marketing and sales of our products and services. • Sending, by traditional and electronic means, technical, operational, and commercial information on products and services offered by partners or suppliers, currently and in the future. • Develop studies and programs necessary to determine consumer habits. • Transmit and/or transfer data to other companies, business alliances, or third parties in order to fulfill our obligations. This transmission and transfer may also be made to third countries that may have a different level of protection than Colombia, when necessary to fulfill our obligations. • Requesting surveys, which the client is not obligated to answer. • Transfer, either by transmission or transfer, the information received to all judicial and/or administrative entities when necessary for the fulfillment of the duties as an employer to comply with its obligations related to labor, social security, pensions, occupational risks, family compensation funds (Comprehensive Social Security System), and taxes. • Transfer the employer's personal information to third parties who legitimately have the right to access said information, which includes, but is not limited to, companies within the Aviatur Ltda. Business Group. • Deliver, either by transmission or transfer, the employee's personal information to all entities related to the performance of the responsible party in its capacity as employer. • Any other activity of a similar nature to those described above that is necessary to develop the corporate purpose of AVIATUR and its labor obligations acquired by virtue of the execution of the employment contract or by operation of law. • Perform queries in various databases and authorized sources (such as OFAC, UN, and other lists) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies (SARLAFT). • The processing of personal data will be carried out with the prior authorization of the data subject, except in cases where the data is public. For this purpose, a data processing authorization form has been implemented, which must be completed by the data subject at the time they provide their personal information. This authorization explains the scope and purposes of the processing of personal data, refers to authorization by others, data of minors, and sensitive data, and also defines the service channel for data subjects who wish to exercise the rights contemplated within habeas data, and indicates the location where this policy is hosted. For the purposes of data processing, AVIANET employs all activities aimed at maintaining the confidentiality of the information. Authorization will be obtained through any means that can be subsequently consulted, such as the website, forms, formats, in-person activities, or through social media, etc. Authorization may also be obtained from unequivocal conduct by the data subject that allows us to reasonably conclude that they have granted authorization for the processing of their information. • If you provide us with personal information about a person other than yourself, such as your spouse or a coworker, we understand that you have that person's authorization to provide us with their data; and we do not verify, nor do we assume the obligation to verify, the identity of the user/client, or the veracity, validity, sufficiency, or authenticity of the data each of them provides. By virtue of the foregoing, we do not assume liability for damages or losses of any kind that may arise from the lack of veracity, homonymy, or impersonation of the identity information. • Since AVIANET belongs to the Aviatur Business Group, your personal information may be shared by way of transfer or transmission with group companies, business partners, and/or third-party providers (flight, hotel, and car reservation systems, transactional security validators, banks, financial networks, and tourism services). These processes may be carried out in different locations than where the purchased tourist service or product is contracted, for the same purposes indicated for the collection of personal data. These entities are required to comply with the corresponding confidentiality, transmission, or transfer agreements. • The Personal Data collected will be processed manually or automatically and incorporated into the corresponding files or databases (hereinafter, the "File"), either in the capacity of data processor or data protection officer. To determine the term of processing, the regulations applicable to each purpose and the administrative, accounting, tax, legal, and historical aspects of the information will be considered. • When the data subject is accompanied by minors or persons considered to have disabilities at the time of providing the service, and their personal data is being collected, AVIANET will always request authorization from the minor's legal representative. However, if personal information of the population mentioned here is provided without being the legal representative, you declare that you have the authorization of the respective legal representative, assuming direct responsibility for this. AVIANET will strive to ensure that their rights and best interests are respected at all times. The representative must guarantee their right to be heard and assess their opinion on the processing, taking into account the maturity, autonomy, and capacity of the minors. Representatives are informed of the optional nature of answering questions about data relating to minors. The data of minors, who fall into a special protection category, will be processed in accordance with applicable legislation and in accordance with our personal data policy. • The companies of the Aviatur Business Group have adopted the legally required levels of personal data protection security and have installed all the technical means and measures at their disposal to prevent the loss, misuse, alteration, unauthorized access, and unlawful removal of the personal data provided to AVIANET. However, the data subject should be aware that Internet security measures are not unbreakable. • If you choose to delete your information, to the extent permitted by law, we will retain certain personal information in our files for the purposes of identifying transaction data for accounting and tax purposes, preventing fraud, resolving disputes, investigating conflicts or incidents, enforcing our terms and conditions of use, and complying with legal requirements. However, once you revoke your authorization, the stored information will no longer be used for the purposes set forth herein, but only for the purposes strictly necessary and defined in the preceding paragraph. • Security risks to consider when making online transactions: • A user may be tricked by emails or DNS server fraud into visiting a fake site with the same design, but where the cardholder's data is loaded into the fake system, stealing the cardholder's information. Therefore, it is important to foster a culture where users must access known domains directly to make transactions to reduce risks. • The computer where the user is making the transaction may have spyware or malware installed without prior knowledge that captures everything typed on the keyboard or captures information from input devices and sends it to a network or host on the internet. Therefore, it is recommended that the transaction be made on a home or office computer, whenever possible. • Cardholder impersonation could occur, where the cardholder denies having sent and/or received the transaction, and the transaction is used by a third party. • It is recommended that the computer where electronic transactions are made have an updated and active antivirus program to mitigate the risk of fraud. • If the personal information was collected or provided prior to July 30, 2013, and you did not express your opposition to the transfer of your personal data, it will be understood that you have given your consent. If you wish to ratify your consent or express your refusal, you may do so by sending an email to privacidad@aviasolucioneshoteleras.com. • Like other websites, AVIANET uses certain technologies, such as cookies and device fingerprinting, which allow us to make your visit to our site easier and more efficient, providing you with personalized service and recognizing you when you return. For the purposes of this Privacy Notice, "cookies" are text files that a website transfers to the hard drive of a user's computer for the purpose of storing certain records and preferences. • Websites may allow advertising or third-party features that send "cookies" to the owners' computers. • Cookies are only associated with an anonymous user and their computer, and do not provide their first and last name. In many cases, you can browse any of the AVIANET websites anonymously. When you access any AVIANET website, your IP address (the Internet address of your computer) is recorded to give us an idea of which parts of the website you visit and how much time you spend in each section. We do not associate your IP address with any of your personal information unless you have registered with us and logged in using your profile. • Therefore, in certain applications, AVIANET may recognize users after they have registered for the first time, without them having to register on each visit to access areas and services or products reserved exclusively for them. • In other services, the use of certain access keys and even the use of a digital certificate will be required, depending on the features determined. • The cookies used cannot read cookie files created by other providers. AVIANET encrypts user identification data for greater security. • To use the AVIANET website, it is not necessary for the user to allow the installation of cookies sent by AVIANET, without prejudice to the fact that in such case it will be necessary for the user to register for each of the services whose provision requires prior registration. NATIONAL OR INTERNATIONAL TRANSFER OF PERSONAL DATA AVIANET may transfer data to other data controllers when authorized by the data subject, by law, or by an administrative or judicial order. INTERNATIONAL AND NATIONAL TRANSMISSION OF DATA TO PROCESSORS AVIANET may send or transmit data to one or more processors located within or outside the Republic of Colombia in the following cases: a) When it has the authorization of the data subject and b) when, without authorization, a data transmission contract exists between the controller and the processor. DUTIES OF THE DATA CONTROLLER • Guarantee the data subject, at all times, the full and effective exercise of the right to habeas data. • Request and retain, under the conditions established in this law, a copy of the respective authorization granted by the data subject. • Duly inform the data subject about the purpose of the collection and the rights they have by virtue of the authorization granted. • Keep the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access. • Process inquiries and complaints under the terms established in this law. • Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for addressing inquiries and complaints. • Inform the data subject, upon request, about the use of their data. • Inform the data protection authority when security code violations occur and when risks arise in the management of data subject information. • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. DUTIES OF DATA PROCESSORS • Guarantee the data subject, at all times, the full and effective exercise of the right to habeas data. • Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access. • Promptly update, rectify, or delete data in accordance with the terms of this law. • Update the information reported by those responsible for the processing within five (5) business days from its receipt. • Process inquiries and complaints made by data subjects in accordance with the terms established in this law. • Adopt an internal manual of policies and procedures to guarantee proper compliance with this law and, in particular, for the handling of inquiries and complaints by data subjects. • Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendency of Industry and Commerce. • Allow access to the information only to persons who may have access to it. • Inform the Superintendency of Industry and Commerce when security code violations occur and there are risks in the management of the data subjects' information. • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. PETITIONS, COMPLAINTS AND CLAIMS In order to receive requests, claims and inquiries related to the handling and processing of personal data, AVIANET has designated the email address privacidad@aviasolucioneshoteleras.com to channel, review and respond to them. Therefore, you may send your requests to this address, which will be processed in accordance with Law 1581: Inquiries: Data subjects or their successors in title may consult the data subject's personal information stored in our database. AVIANET will provide them with all information contained in the individual record or that is linked to the data subject's identification. The inquiry will be addressed within a maximum of ten (10) business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed, and the date on which their query will be attended to will be indicated, which in no case may exceed five (5) business days following the expiration of the first term. Claims: The owner or their successors in title who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged non-compliance with any of the duties contained in the law, may file a claim with AVIANET, which will be processed under the following rules: The claim will be made by means of a request addressed to AVIANET with the identification of the owner, the description of the facts that give rise to the claim, the address, and accompanying the documents that they wish to assert. If the claim is incomplete, AVIANET will require the interested party within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that the claim has been withdrawn. • Once the complete claim has been received, a legend stating “claim in process” and the reason for it will be included in the database, within a period of no more than two (2) business days. This legend must remain in effect until the claim is decided. • The maximum term for addressing the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within this period, the interested party will be informed and the date on which their claim will be addressed will be indicated, which in no case may exceed eight (8) business days following the expiration of the first term. • In any case, the owner or the beneficiary may only file a complaint with the Superintendence of Industry and Commerce once they have exhausted the consultation or claim process with AVIANET. • The area responsible for receiving and processing claims is the Information Security Department. • Requests to delete information and revoke authorization will not be processed when the owner has a legal or contractual obligation to remain in the database. DATA CONTROLLER Company name: Operadora de Hoteles Avia SAS Address: Centro de Negocios Andino, Carrera 11 # 82-01 Floor 4, Bogotá DC - Colombia Email: privacidad@aviasolucioneshoteleras.com Telephone: ( 57 1) 3817111 Website: www.aviasolucioneshoteleras.com QUESTIONS OR SUGGESTIONS If you have any questions or queries about the process of collecting, processing or transferring your personal information, or consider that the information contained in a database should be corrected, updated or deleted, please send us a message to the following email address: privacidad@aviasolucioneshoteleras.com. For more information about AVIANET, including its identity, address, and contact information, please visit www.aviasolucioneshoteleras.com. This website also includes the terms and conditions applicable to the published services and products, which may be consulted at any time for further information. VALIDITY AVIANET reserves the right to modify this policy to adapt it to new legislation or jurisprudence, as well as to best practices in the tourism sector and other sectors of the economy that comprise the business group. In such cases, AVIANET will announce any changes on this page with reasonable notice prior to their implementation.

The sexual exploitation and abuse of minors are punishable by imprisonment, according to Law 679 of 2001 and Law 1336 of 2009.