Legal Notice

PERSONAL INFORMATION PROCESSING POLICIES:

FIRST: GENERAL PROVISIONS

We have a special interest in protecting and respecting your information and personal data, and for this reason, we have designed these information processing policies within the framework of Law 1581 of 2012 and Regulatory Decree 1377 of 2013.

1.1.- Introduction.

TEQUENDAMA SOCIETY S A may collect personal data from its users, guests, or visitors through the various means intended for access to the services provided by them. In any case, the collection will be carried out under the express authorization of the data subject, and the processing of such data will be subject to the provisions of the law.

The personal information subject to the considerations established herein may be collected by TEQUENDAMA SOCIETY S A through the website https://www.hotelestequendama.com.co/, through the visit or acquisition of services offered on the platform, or directly at the hotels linked or associated with TEQUENDAMA SOCIETY S A.

The considerations established herein shall be deemed accepted by the Data Subject when they visit or use the website https://www.hotelestequendama.com.co/ and/or when they enter personal data or information through the functions established for that purpose, regardless of the purpose.

1.2- General Principles.

The obtaining and collection of personal data, as well as the use, processing, handling, exchange, transfer, and transmission thereof by TEQUENDAMA SOCIETY S A or any of the TEQUENDAMA SOCIETY S A hotel operating companies, shall always be guided by the principles of legality, freedom, truthfulness, transparency, security, confidentiality, access, and restricted circulation.

1.3- Legal Definitions.

In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions shall govern the personal information processing policies.

1.3.1.- Processor: A processor is a natural or legal person, public or private, who, by themselves or in association with others, performs the processing of personal data on behalf of the Controller;

1.3.2.- Controller: A controller is a natural or legal person, public or private, who, by themselves or in association with others, makes decisions regarding the database and/or the processing of the data;

1.3.3.- Database: A database is the organized set of personal data that is subject to processing;

1.3.4.- Personal data: Personal data is any information linked to or that can be associated with one or more specific or identifiable natural persons;

1.3.5.- Sensitive data: Sensitive data is understood as that which affects the intimacy of the Data Subject or whose improper use may generate discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, or human rights organizations, or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

1.3.6.- Public data: Public data is data that is not semi-private, private, or sensitive. Public data includes, among others, data related to the civil status of individuals, their profession or trade, and their status as a merchant or public servant. By its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial sentences that are not subject to reservation.

1.3.7.- Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is a Controller and is located inside or outside the country.

1.3.8- Transmission: The processing of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when its purpose is the performance of processing by the Processor on behalf of the Controller.

SECOND: AUTHORIZATION OF THE DATA SUBJECT:

The data provided shall be subject to authorized processing, granted in a prior, express, and informed manner by the Data Subject directly to TEQUENDAMA SOCIETY S A, or through TEQUENDAMA SOCIETY S A hotels or the companies that operate them.

However, the visit, entry, or use made of the website https://www.hotelestequendama.com.co/ constitutes in itself prior, express, and informed authorization for the storage, collection, and processing of information in accordance with the data processing policy contained herein.

In any case, the collection of data will be limited to those personal data that are relevant and adequate for the purpose pursued thereby.

THIRD: PROCESSING OF INFORMATION:

3.1- Collected data. The collection of data for the development of the processing and the purposes pursued thereby shall apply to the personal data received and stored by TEQUENDAMA SOCIETY S A and the companies and hotels linked or associated with TEQUENDAMA SOCIETY S A, and shall include all information supplied or provided during the visit to the website https://www.hotelestequendama.com.co/, as well as all information related to services or reservations made, and accommodation and lodging data provided to TEQUENDAMA SOCIETY S A or any of the hotels associated with it.

Without prejudice to the fact that in some cases this may be public data, the information collected will be the name, citizenship card number, profession, nationality, date of birth, email address, personal preferences and interests, job or activity, consumption habits, or travel habits, among others. If a reservation is made through the website https://www.hotelestequendama.com.co/, the information regarding the credit card supplied for the purposes of the reservation and stay will be collected.

3.2- Processing to which the data will be subjected and the purpose thereof.

The data and information obtained and collected by TEQUENDAMA SOCIETY S A, by TEQUENDAMA SOCIETY S A hotels, or by the operating companies of such hotels, will be used in the normal course of their commercial activities solely for the purpose established in these information processing policies, so as to allow for the creation of direct and effective communication with the client, leading to the establishment of a closer bond.

The processing consists of sending digital information through different means of communication, with the intention of contacting the data subject to send service surveys after each stay that allow for the rating of the service provided, and to communicate invitations, offers, promotions, service portfolios, or information about the Hotel or the hotels that are part of TEQUENDAMA SOCIETY S A, without your data ever being provided, transferred, or given to persons other than or external to the Hotel that collected the information, or to the hotels and activities linked to TEQUENDAMA SOCIETY S A and the activities it carries out. Additionally, the data collection seeks to: perform, process, manage, and/or complete reservations or purchases of hotel nights or other services; conduct internal studies on tourism habits; evaluate the quality of our services; send surveys and questionnaires regarding the services provided; attend to your requests, petitions, or needs in a timely manner; communicate invitations, offers, promotions, and information in general about the service portfolio offered by natural or legal persons that are directly linked to hotel operations and specifically with the services provided by TEQUENDAMA SOCIETY S A and the companies and hotels that operate them.

The information or data supplied that is collected, gathered, or stored in accordance with these policies may be shared, transmitted, updated, and/or deleted between TEQUENDAMA SOCIETY S A, TEQUENDAMA SOCIETY S A hotels, and their operating companies for the purpose defined in these policies, to be used in the manner established herein. By entering the website https://www.hotelestequendama.com.co/, you authorize your information and data to be shared with the tourism providers to which they refer and before whom your reservations and/or requests are processed.

It is assumed that all information or data supplied or deposited through the page https://www.hotelestequendama.com.co/ is true, accurate, and complete, and may be withdrawn at any time in the event that it is considered harmful or detrimental to your interests or the interests of a third party.

The data and information in general that is received when you enter the website https://www.hotelestequendama.com.co/ may be both yours and that of the equipment from which you are entering. With the aim of optimizing and making your experience visiting the page https://www.hotelestequendama.com.co/ more efficient, cookies and/or web beacons may be used, and information about the internet pages visited, your IP address, and the operating system of the equipment from which you are entering may be obtained and stored through a recognition and tracking process that allows for identifying your preferences, identifying you when you visit the page again, and storing certain records based on your IP address. The IP address is not associated with or linked to your name or your personal data.

3.3.- Sensitive data and data corresponding to children and adolescents. Neither TEQUENDAMA SOCIETY S A nor the TEQUENDAMA SOCIETY S A hotel operating companies will process data considered sensitive, nor is the data collection aimed at collecting sensitive information.

The collection of data corresponding to children and adolescents who are minors, and the respective authorization, must always be given through their legal representative, following the minor's exercise of their right to be heard. The processing of data corresponding to children and adolescents must respond to and respect the best interests of children and adolescents, and their fundamental rights. In the event that for any reason any question could lead to the answer being about sensitive data or data of children and adolescents, the response to such a question shall be optional.

3.4.- Duties of the person responsible for information processing.

The persons responsible for the information, and/or those responsible for and processors of personal data, are obliged to: a) Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data; b) Request and keep, under the conditions provided for by law, a copy of the respective authorization granted by the Data Subject; c) Duly inform the Data Subject about the purpose of the collection and the rights that assist them by virtue of the authorization granted; d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access; e) Guarantee that the information provided to the Processor is truthful, complete, accurate, updated, verifiable, and understandable; f) Update the information, communicating in a timely manner to the Processor all updates regarding the data previously supplied to them and adopt the other necessary measures so that the information supplied to the latter is kept updated; g) Rectify the information when it is incorrect and communicate the relevant information to the Processor; h) Provide the Processor, as the case may be, only with data whose processing is previously authorized in accordance with the provisions of this law; i) Require the Processor at all times to respect the security and privacy conditions of the Data Subject's information; j) Process inquiries and complaints formulated in the terms indicated by law; k) Inform the Processor when certain information is in dispute by the Data Subject, once the claim has been presented and the respective process has not concluded; l) Inform the Data Subject upon request about the use given to their data; m) Inform the data protection authority when there are violations of security codes and there are risks in the administration of the Data Subjects' information. n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

FOURTH: RIGHTS AND POWERS OF THE DATA SUBJECT:

4.1.- Rights of the data subject. Once authorization has been granted by the Data Subject for the corresponding processing, they have the right to: a) Know, update, and rectify their personal data. This right may be exercised regarding partial, inaccurate, incomplete, or fractioned data that leads to error, or data whose processing is expressly prohibited or has not been authorized; b) Request proof of the authorization granted, except when it is expressly excepted as a requirement for processing, in accordance with the provisions of article 10 of Law 1581 of 2012; c) Be informed by the controller and/or processor of the personal data, upon request, of the use that has been given to their personal data; d) File complaints with the Superintendence of Industry and Commerce for infringements of the provisions of the law; e) Revoke the authorization and/or request the deletion of the data when the constitutional and legal principles, rights, and guarantees are not respected in the processing. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that conduct contrary to this law and the Constitution has been incurred in the processing; f) Request, at any time from the controller or processor, the deletion of their personal data and/or revoke the authorization granted for the processing thereof, by means of the presentation of a claim; this shall not proceed when the Data Subject has a legal or contractual duty to remain in the database. g) Access their personal data that has been subject to processing free of charge: (i) at least once every calendar month, and (ii) every time there are substantial modifications to the Information Processing Policies that motivate new inquiries. In the case of requests whose periodicity is greater than once per calendar month, the controller and/or processor may charge the Data Subject for the costs of shipping, reproduction, and, where appropriate, certification of documents.

4.2.- Legitimacy for the exercise of the rights of the data subject.

The following persons are also legitimized to exercise the rights that assist the data subject: a). The data subject themselves, who must prove their identity sufficiently by the means made available to them by the controller; b). Their successors, who must prove such quality; c). The representative and/or attorney-in-fact of the Data Subject, following proof of representation or power of attorney; d). By stipulation in favor of another or for another; e). The rights of children or adolescents shall be exercised by the persons empowered to represent them, following proof of the power of representation.

4.3.- Area responsible for the attention and support of the data subject.

The attention and response to inquiries, petitions, and complaints from Data Subjects regarding any aspect of the processing will be in charge of the legal area. The Data Subject who wishes to know, update, rectify, request proof of the authorization granted; be informed of the use that has been given to their personal data; revoke the authorization and/or request the deletion of the data; and/or access their personal data that has been subject to processing free of charge, must request it in writing directly to the email notificaciones.judiciales@sht.com.co or send the communication to Carrera 13 # 26-30. Bogotá D.C.. In either case, the following must be indicated: a) full name; b) identity document; c) physical address and email address; d) contact telephone number; e) brief description of the information and data to which it refers, expressly indicating the scope and content of the request; and, f) accompany the documents that you consider support your petition.

4.4.- Procedure to exercise the rights to know, update, rectify, or delete information and revoke authorization.

The procedures for access, updating, deletion, and rectification of personal data, and for the revocation of authorization, may be carried out through inquiries or claims directed to the email notificaciones.judiciales@sht.com.co or to the address Carrera 13 # 26-30. Bogotá D.C., according to the object they pursue, establishing at a minimum the legitimacy that one has to make the request and explaining clearly and concretely what is intended.

All petitions, suggestions, and recommendations related to information processing must be sent to the email notificaciones.judiciales@sht.com.co. The data subject or the legitimized person must accompany their writing with proof of the capacity in which they act, and must provide the data and documents that are missing to account for their identity and their capacity.

The email must specify the reason or object of the communication, and for this, it is sufficient that the text indicates that the right to know, update, rectify, delete, or revoke the authorization granted is being exercised.

4.5.- Procedure for the correction, updating, or deletion of data and for the filing of complaints and claims. Anyone who is legitimized by law, and considers that the information contained must be subject to correction, updating, or deletion; or when they consider that the processing given to the personal data infringes legal norms, may file, in accordance with article 15 of Law 1581 of 2012, claims to the email notificaciones.judiciales@sht.com.co.

Complaints and claims will be processed under the following rules:

4.5.1.- The claim shall be formulated by means of a request directed to the Controller or the Processor, with the identification of the Data Subject, the description of the facts that give rise to the claim, and the address, accompanying the documents that one wishes to assert. If the claim is incomplete, the interested party will be required within five (5) business days following the receipt of the claim to correct the deficiencies. After two (2) months from the date of the requirement, without the applicant presenting the required information, it will be understood that they have withdrawn the claim. In the event that the person receiving the claim is not competent to resolve it, it will be transferred to the corresponding person within a maximum period of two (2) business days and the interested party will be informed of the situation.

4.5.2.- Once the complete claim is received, a legend stating "claim in progress" and the reason for it will be included in the database, within a period of no more than two (2) business days. Such legend must be maintained until the claim is decided.

4.5.3.- The maximum term to attend to the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term.

4.6.- Inquiry and access to information. Inquiries about personal data contained in the TEQUENDAMA SOCIETY S A database will be attended to through a written request via the email notificaciones.judiciales@sht.com.co. Inquiries will be attended to within a maximum term of ten (10) business days counted from the date of their receipt. When it is not possible to attend to the inquiry within said term, the interested party will be informed before the expiration of the ten (10) business days, stating the reasons for the delay and indicating the date on which the inquiry will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.

FIFTH: SECURITY.

5.1.- Security in the handling of information.

The collected data will always be processed within a framework of confidentiality, so they will not be provided, transferred, or given to persons other than or external to the Hotel, to TEQUENDAMA SOCIETY S A, or to TEQUENDAMA SOCIETY S A operating companies, or those who have legitimate authorization to do so.

5.2.- Data transfer and transmission.

In the event that a contract is signed with a third party who is a professional with experience in the handling and use of databases, the controller shall sign the personal data transmission contract referred to in article 25 of Decree 1377 of 2013.

SIXTH: DISSEMINATION AND VALIDITY.

6.1.- Means of dissemination of the information processing policies and the privacy notice.

This document, through which the information processing policies regarding collected personal data are established, will be published permanently on the link _Information processing URL_ so that it can be consulted by anyone interested. At the moment of requesting the express authorization of the Data Subject for data processing, the specific purposes for which the consent is obtained will be indicated to them, and the Processing Policy and the rights that assist them as a Data Subject will be made known to them.

6.2.- Entry into force of the information processing policies.

The collection, storage, use, and circulation of personal data, in the development of the considerations established herein, will be carried out and maintained as long as the need for direct communication with the client remains in force and there are no more efficient ways of doing so, in accordance with the purposes proposed by the processing. In the event that the purpose cannot be achieved through the processing given to the personal data, they will be permanently deleted from the database. This document enters into force on February 22, 2016.

6.3.- Procedure for events of modification of the policies.

In the event that modifications are made to the personal data processing policies established herein, they will be notified and communicated through this same website, prior to their entry into force.

6.4.- Incorporation of the terms of use of the website https://www.hotelestequendama.com.co/.

In accordance with the applicable regulations, the information processing policy is an integral part of the terms and conditions of use of the website https://www.hotelestequendama.com.co/.

6.5. - Person responsible for information.

The company TEQUENDAMA SOCIETY S A, with NIT 860.006.543 - 5, has the quality of controller and processor of personal data, together with each of the linked operating companies that have collected the information. When the information has been received or collected by any of its linked companies, with express authorization to be transferred, TEQUENDAMA SOCIETY S A shall be responsible for the processing.

Any communication may be directed to Carrera 13 # 26-30. Bogotá D.C., or to the email notificaciones.judiciales@sht.com.co.