Our policies

GENERAL CONSIDERATIONS Aware of the importance of the protection and proper handling of personal information provided by information owners, AVIA SOLUCIONES HOTELERAS, - hereinafter AVIANET, who acts as responsible for the information received, has designed this policy and procedures that together allow for appropriate use of your personal data. In accordance with the provisions of Article 15 of the Colombian Political Constitution, which develops the fundamental right to habeas data, referring to the right of all citizens to know, update, and rectify personal data that exists about them in databases and files, both public and private, which is inevitably related to the handling and processing of information that recipients of personal information must take into account. This right has been developed through the issuance of Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013, based on which AVIANET, as CONTROLLER of the personal data it receives, manages and processes the information, thus proceeds to issue this personal data processing policy, which is made known to the public so that they know how AVIA processes their information. The provisions of this personal data processing policy are mandatory for AVIANET, its administrators, employees, contractors and third parties with whom AVIANET establishes relationships of any kind. OBJECTIVE The implementation of this policy aims to guarantee the confidentiality of the information and the security of how it will be processed for all clients, suppliers, employees and third parties from whom AVIANET has legally obtained information and personal data in accordance with the guidelines established by the law regulating the right to Habeas Data. Likewise, through the issuance of this policy, compliance is achieved with the provisions of Section K of Article 17 of the aforementioned law. DEFINITIONS Authorization: Prior, express, and informed consent of the data subject to carry out the processing. This may be written, verbal, or through unequivocal conduct that allows us to reasonably conclude that the data subject has granted authorization. Database: The organized set of Personal Data that is subject to processing, whether electronic or not, regardless of the method of its formation, storage, organization, and access. Query: Request by the data subject or by persons authorized by them or by law to know the information held about them in databases or files. Personal Data: Any information linked to or that can be associated with one or more specific or determinable natural persons. This data is classified as sensitive, public, private, and semi-private. Sensitive personal data: Information that affects a person's privacy or whose misuse may lead to discrimination, such as information revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, or human rights organizations, or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data (fingerprints, among others). For the purposes of this policy, AVIANET warns that the owner of personal data has the discretion to provide this type of information in cases where it may be requested. Public personal data: Data classified as such according to the mandates of the law or the Political Constitution and all data that are not semi-private or private. Public data includes, among others, data contained in public documents, public registries, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality, data relating to a person's marital status, their profession or occupation, and their status as a merchant or public servant. Personal data held in the commercial register of the Chambers of Commerce are public data (Article 26 of the Civil Code). Likewise, public data includes data that, by virtue of a decision of the data subject or a legal mandate, is contained in files that are freely accessible and accessible. This data may be obtained and offered without reservation and regardless of whether it refers to general, private, or personal information. Private personal data. Data that, due to its intimate or confidential nature, is only relevant to the data subject. Examples: merchants' books, private documents, information obtained from a home inspection. Semi-private personal data. Semi-private data is data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to the data subject but also to a certain sector or group of people or to society in general, such as, among others, data relating to the fulfillment or non-fulfillment of financial obligations or data relating to relationships with social security entities. Data Controller: A person who, alone or in association with others, decides on the database and/or the processing of data. Data Processor: A person who processes data on behalf of the data controller. "Authorized" refers to AVIANET and all persons under its responsibility who, by virtue of authorization and the Policy, are legitimized to process the data subject's personal data. Authorized includes those designated as authorized. "Authorization" or being "Authorized" is the legitimacy that AVIANET expressly and in writing, through a contract or document acting in its place, grants to third parties, in compliance with applicable law, for the processing of personal data, making such third parties responsible for the processing of personal data delivered or made available. Claim: Request by the data subject or persons authorized by them or by law to correct, update, or delete their personal data, or when they become aware of an alleged breach of the data protection regime, according to Article 15 of Law 1581 of 2012. Data subject: The natural person to whom the information refers. Processing: Any operation or set of operations on personal data such as, among others, the collection, storage, use, circulation, or deletion of such information. Transmission: Processing of personal data that involves communicating the same within (national transmission) or outside of Colombia (international transmission) and whose purpose is for processing by the data processor on behalf of the controller. Transfer: Data transfer occurs when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is in turn the controller and is located within or outside the country. Admissibility requirement: The owner or legal successor may only file a complaint with the Superintendency of Industry and Commerce once they have exhausted the consultation or claim process with the controller or processor, as per Article 16 of Law 1581 of 2012. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA The processing of personal data must be carried out in compliance with the general and special regulations on the matter and for activities permitted by law. Consequently, the following principles apply for the purposes of this policy: Principle of legality: Data processing is a regulated activity that must comply with the provisions of the law and other implementing provisions. Principle of purpose: Processing must serve a legitimate purpose in accordance with the Constitution and the law. Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial order that waives consent. Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited. Principle of transparency: Data processing must guarantee the right of the data subject to obtain from the data controller, at any time and without restrictions, information about the existence of data concerning them. Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of the law, and the Constitution. In this sense, processing may only be carried out by persons authorized by the owner and/or by the persons provided for by law. Security principle: Information subject to processing by the Data Controller or Data Processor referred to in this law must be handled with the technical, human, and administrative measures necessary to ensure the security of the records, preventing their adulteration, loss, unauthorized or fraudulent consultation, use, or access. Confidentiality principle: All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended. They may only provide or communicate personal data when this corresponds to the development of the activities authorized in this law and under the terms thereof. Any new project within the Organization that involves the Processing of Personal Data must be consulted with the Information Security Management, which is the person and department in charge of the data protection function to ensure compliance with the policy and the necessary measures to maintain the confidentiality of personal data. RIGHTS OF DATA OWNERS In accordance with current legal provisions, the rights of personal information owners are the following: The right to know, update, rectify, and consult their personal data at any time with AVIANET regarding data that they consider partial, inaccurate, incomplete, fragmented, or those that are misleading. The right to request at any time proof of the authorization granted to AVIANET, except in those cases in which the data controller is legally exempt from having the authorization to process the data of the owner. The right to be informed by AVIANET, upon request by the data owner, regarding the use that has been given to said data. The right to file any complaints you deem pertinent to assert your right to Habeas Data with the Superintendency of Industry and Commerce. The right to revoke authorization and/or request the deletion of any data when you consider that AVIANET has not respected your constitutional rights and guarantees. The right to access, free of charge, the personal data you voluntarily decide to share with AVIANET. The information and/or personal data we collect from you is as follows: Type of person: Natural: first and last names, type of identification, identification number, gender, marital status and date of birth, email address, financial data (bank accounts). Legal: company name, NIT, address, telephone number, cell phone number, email address, country, city, financial data (bank accounts). Information necessary to facilitate travel or other services, including preferences such as travel class, passenger names (document type, document number, date of birth, first name, last name, gender, email, nationality, passport expiration date), contact information in case of an accident or any other anomaly (first name, last name, phone number). Cardholder information: document type, document number, phone number, address, email, first name, card number, expiration date, and bank. Quote request: first name, last name, phone number, city, and email. Travel information: type of request, destination, departure date, duration, number of adults, number of children, hotel category, meals, additional services, transportation service, quote per person. Write to Jean Claude Bessudo: first name, last name, ID card, address, phone number (landline or cell phone), city, and email. Online help chat: name, email, what is your question? Please rate our site: Your opinion is very important for us to continually improve our customer service channels: first name, last name, email, phone number, and city. Complaint request: first name, last name, ID number, address, phone number, city, email, and comments. Technical problem report: first name, last name, address, phone number, city, email, and comments. Biometric data: Images, video, audio, fingerprints that identify or make identifiable our customers, users, or any person who enters, is located, or transits in any location where AVIANET has implemented devices to capture such information. This data may be stored and/or processed on servers located in data processing centers, whether our own or contracted with suppliers, located in different countries, which is authorized by our customers/users by accepting this policy for the processing and protection of personal data. AVIANET reserves the right to improve, update, modify, or delete any type of information, content, domain, or subdomain that may appear on the website without prior notice. Publication on the Aviatur websites is deemed sufficient. This information is used to resolve legal or internal requests and to provide or offer new services or products. PROCESSING, SCOPE, AND PURPOSES AVIANET informs data subjects that the data collected from our clients, contractors, and suppliers may be used for the following purposes. Processing may be carried out by AVIANET directly or through its contractors, consultants, advisors, and/or third parties responsible for processing personal data, so that they may carry out any operation or set of operations such as the collection, storage, use, circulation, deletion, classification, transfer, and transmission (the "Processing") of all or part of your personal data: Supporting the contractual relationship established with AVIANET. Providing services related to the products and services offered. Carrying out all activities related to the service or product, you will be included in an email list for newsletter delivery. Sending information about changes to the terms and conditions of the services and products purchased, and notifying you about new services or products. Managing your requests, clarifications, and inquiries. Developing studies and programs necessary to determine consumer habits. Refining security filters and business rules in commercial transactions; confirming and processing said transactions with your financial institution, our service providers, and yourself. Conducting periodic evaluations of our products and services to improve their quality. Sending, by traditional and electronic means, technical, operational, and commercial information on products and services offered by AVIANET, its partners, or suppliers, currently and in the future. Requesting satisfaction surveys, which you are not obligated to answer. Transmitting and/or transferring data to other companies, business alliances, or third parties in order to fulfill our obligations. The transmission and transfer may even be made to third countries that may have a different level of protection than Colombia, when necessary for the fulfillment of our obligations. To comply with obligations contracted by AVIANET with its clients at the time of acquiring our services and products. To respond to inquiries, requests, complaints, and claims made by regulatory bodies and other authorities that, pursuant to applicable law, must receive personal data. Any other activity of a similar nature to those described above that are necessary to develop AVIATUR's corporate purpose. To perform queries in various databases and authorized sources (such as OFAC, UN, among others) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies - SARLAFT. • Data collected from our employees: To comply with the obligations contracted by AVIANET with the employees who own the information, regarding the payment of salaries, social benefits, and other provisions established in the employment contract and current labor regulations. Inform the employee of any new developments that arise during the development of the employment contract and beyond its termination. Evaluate the quality of the services we provide. Conduct internal studies on the habits of the employee who is the data subject or request personal information for the development of management programs or systems. Perform payroll deductions authorized by the employee. Manage their requests, administer activities, provide clarifications, and conduct research. Marketing and sales of our products and services. Send, by traditional and electronic means, technical, operational, and commercial information on products and services offered by partners or suppliers, currently and in the future. Prepare studies and programs necessary to determine consumer habits. Transmit and/or transfer data to other companies, business alliances, or third parties in order to fulfill our obligations. This transmission and transfer may also be made to third countries that may have a different level of protection than Colombia, when necessary to fulfill our obligations. Request surveys, which the employee is not obligated to complete. To transfer, either by transmission or transfer, the information received to all judicial and/or administrative entities when necessary for the fulfillment of the employer's duties and to comply with its obligations related to labor, social security, pensions, occupational risks, family compensation funds (Comprehensive Social Security System), and taxes. To transfer the employer's personal information to third parties that legitimately have the right to access said information, which includes, but is not limited to, companies within the Aviatur Ltda. Business Group. To deliver, either by transmission or transfer, the employee's personal information to all entities related to the controller's performance in its capacity as employer. Any other activity of a similar nature to those described above that is necessary to carry out AVIATUR's corporate purpose and its labor obligations acquired by virtue of the employment contract or by operation of law. Perform queries in various databases and authorized sources (such as OFAC, UN, and other lists) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our prevention and risk management policies (SARLAFT). The processing of personal data will be carried out with the prior authorization of the data subject, except in cases where the data is public. For this purpose, a data processing authorization form has been implemented, which must be completed by the data subject at the time they submit their personal information. This authorization explains the scope and purposes of personal data processing, mentions authorization by others, data of minors, and sensitive data, and defines the service channel for data subjects who wish to exercise the rights contemplated within habeas data, and indicates the location where this policy is hosted. For the purposes of data processing, AVIANET employs all activities aimed at maintaining the confidentiality of the information. Authorization will be obtained through any means that can be subsequently consulted, such as the website, forms, templates, in-person activities, or through social media, etc. Authorization may also be obtained through unequivocal conduct by the data subject, which allows us to reasonably conclude that they have granted authorization for the processing of their information. If you provide us with personal information about a person other than yourself, such as your spouse or coworker, we understand that you have that person's authorization to provide us with their data; and we do not verify, nor do we assume the obligation to verify, the identity of the user/client, or the veracity, validity, adequacy, or authenticity of the data each of them provides. By virtue of the foregoing, we assume no liability for damages or losses of any kind that may arise from the lack of veracity, homonymy, or impersonation of the identity information. Since AVIANET belongs to the Aviatur Business Group, your personal information may be shared by transfer or transmission with group companies, business partners, and/or third-party providers (flight, hotel, and car reservation systems, transaction security validators, banks, financial networks, and tourism services). These processes may be carried out in different locations than where the purchased tourist service or product is contracted, for the same purposes indicated for the collection of personal data. These entities are required to comply with the corresponding confidentiality, transmission, or transfer agreements. The Personal Data collected will be processed manually or automatically and incorporated into the corresponding files or databases (hereinafter, the "File"), either in their capacity as data processor or data protection officer. To determine the term of processing, the regulations applicable to each purpose and the administrative, accounting, tax, legal, and historical aspects of the information will be considered. When providing the service, when the data subject is accompanied by minors or persons considered to have disabilities, and their personal data is being collected, AVIANET will always request authorization from the minor's legal representative. However, if personal information of the population mentioned here is provided without being the legal representative, you declare that you have the authorization of the respective legal representative, and you directly assume the responsibility for this. AVIANET will strive to ensure that their rights and best interests are respected at all times. The representative must guarantee their right to be heard and assess their opinion on the processing, taking into account the maturity, autonomy, and capacity of the minors. Representatives are informed of the optional nature of answering questions about the data of minors. The data of minors, who fall into a special protection category, will be processed in accordance with applicable legislation and in accordance with our personal data policy. The companies of the Aviatur Business Group have adopted the legally required levels of personal data protection security and have implemented all technical means and measures at their disposal to prevent the loss, misuse, alteration, unauthorized access, and unlawful removal of the personal data provided to AVIANET. However, the data subject should be aware that Internet security measures are not unbreakable. If you choose to delete your information, to the extent permitted by law, we will retain certain personal information in our files for the purposes of identifying transaction data for accounting and tax purposes, preventing fraud, resolving disputes, investigating conflicts or incidents, enforcing our terms and conditions of use, and complying with legal requirements. However, if you revoke your authorization, the stored information will no longer be used for the purposes set forth herein, but only for the purposes strictly necessary and defined in the preceding paragraph. Security risks to consider when making online transactions: A user may be tricked by emails or DNS server scams into visiting a fake site with the same design, but where the cardholder's information is loaded into the fake system, thereby stealing the cardholder's information. Therefore, it is important to foster a culture where users must access transactions directly through known domains to reduce risks. The computer where the user is making the transaction may have spyware or malware installed without prior knowledge, capturing all keyboard input or information from input devices and sending it to a network or host on the Internet. Therefore, it is recommended that transactions be made on a home or office computer, whenever possible. Cardholder impersonation could occur if the cardholder denies having sent and/or received the transaction, and the transaction is used by a third party. It is recommended that the computer where electronic transactions are made have an updated and active antivirus program to mitigate the risk of fraud. If the personal information was collected or provided prior to July 30, 2013, and you did not object to the transfer of your personal data, it will be deemed that you have given your consent. If you wish to ratify your consent or express your refusal, you may do so by sending an email to privacidad@aviasolucioneshoteleras.com. Like other websites, AVIANET uses certain technologies, such as cookies and device fingerprinting, which allow us to make your visit to our site easier and more efficient, providing you with personalized service and recognizing you when you return. For the purposes of this Privacy Notice, "cookies" are text files that a website transfers to a user's computer hard drive for the purpose of storing certain records and preferences. Websites may allow advertising or third-party features that send "cookies" to the owners' computers. Cookies are only associated with an anonymous user and their computer, and do not provide their first and last name. In many cases, you can browse any of the AVIANET websites anonymously. When you access any AVIANET website, your IP address (the Internet address of your computer) is recorded to give us an idea of which parts of the website you visit and how much time you spend in each section. We do not associate your IP address with any of your personal information unless you have registered with us and logged in using your profile. Therefore, in certain AVIANET applications, users may be recognized after they register for the first time, without having to register on each visit to access areas and services or products reserved exclusively for them. Other services may require the use of certain access keys, and even the use of a digital certificate, in certain specific cases. The cookies used cannot read cookie files created by other providers. AVIANET encrypts user identification data for greater security. To use the AVIANET website, it is not necessary for the user to allow the installation of cookies sent by AVIANET, without prejudice to the fact that in such case it will be necessary for the user to register for each of the services whose provision requires prior registration. NATIONAL OR INTERNATIONAL TRANSFER OF PERSONAL DATA AVIANET may transfer data to other data controllers when authorized by the data subject or by law or by an administrative or judicial order. INTERNATIONAL AND NATIONAL TRANSMISSION OF DATA TO PROCESSORS AVIANET may send or transmit data to one or more processors located within or outside the Republic of Colombia in the following cases: a) When it has authorization from the owner and b) when, without authorization, a data transmission contract exists between the controller and the processor. DUTIES OF THE DATA CONTROLLER Guarantee the owner, at all times, the full and effective exercise of the right to habeas data. Request and retain, under the conditions established in this law, a copy of the respective authorization granted by the data subject. Duly inform the data subject about the purpose of the collection and the rights they have by virtue of the authorization granted. Keep the information under the necessary security conditions to prevent its adulteration, loss, unauthorized or fraudulent consultation, use, or access. Process inquiries and complaints submitted under the terms established in this law. Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for addressing inquiries and complaints. Inform the data subject, upon request, about the use given to their data. Inform the data protection authority when security code violations occur and when risks exist in the management of the data subjects' information. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. DUTIES OF DATA PROCESSORS Guarantee the data subject, at all times, the full and effective exercise of the right to habeas data. Maintain information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access. Promptly update, rectify, or delete data in accordance with the terms of this law. Update the information reported by those responsible for processing within five (5) business days of receipt. Process inquiries and complaints made by data subjects in accordance with the terms set forth in this law. Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for addressing inquiries and complaints from data subjects. Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendency of Industry and Commerce. Allow access to information only to persons who may have access to it. Inform the Superintendency of Industry and Commerce when security code violations occur and risks exist in the management of data subjects' information. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. PETITIONS, COMPLAINTS AND CLAIMS In order to receive requests, complaints and inquiries related to the handling and processing of personal data, AVIANET has designated the email address privacidad@aviasolucioneshoteleras.com to channel, study and respond to them. Therefore, you may send your requests to this address, which will be processed in accordance with Law 1581: Inquiries: The owners or their successors in title may consult the personal information of the owner that is stored in our database. AVIANET will provide them with all the information contained in the individual record or that is linked to the identification of the owner. The query will be answered within a maximum period of ten (10) business days from the date of receipt thereof. When it is not possible to answer the query within this period, the interested party will be informed, and the date on which their query will be answered will be indicated, which in no case may exceed five (5) business days following the expiration of the first term. Claims: The owner or their successors in title who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged non-compliance with any of the duties contained in the law, may file a claim with AVIANET, which will be processed under the following rules: The claim will be made by means of a request addressed to AVIANET with the identification of the owner, the description of the facts that give rise to the claim, the address, and accompanying the documents to be asserted. If the claim is incomplete, AVIANET will require the interested party within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not present the required information, it will be understood that he has withdrawn the claim. Once the complete claim is received, a legend stating "claim in process" and the reason for it will be included in the database, within a term no longer than two (2) business days. This legend must remain in place until the claim is decided. The maximum period for addressing the claim will be fifteen (15) business days, counted from the day following the date of receipt. When it is not possible to address the claim within this period, the interested party will be informed and the date on which their claim will be addressed will be indicated, which in no case may exceed eight (8) business days following the expiration of the first term. In any case, the owner or the beneficiary may only file a complaint with the Superintendency of Industry and Commerce once they have exhausted the consultation or claim process with AVIANET. The area responsible for receiving and processing claims is the Information Security Management. The request for deletion of information and revocation of authorization will not be applicable when the owner has a legal or contractual obligation to remain in the database. DATA OF THE DATA CONTROLLER Company name: Operadora de Hoteles Avia SAS Address: Centro de Negocios Andino, Carrera 11 # 82-01 Floor 4, Bogotá DC - Colombia Email: privacidad@aviasolucioneshoteleras.com Telephone: ( 57 1) 3817111 Website: www.aviasolucioneshoteleras.com QUESTIONS OR SUGGESTIONS If you have any questions or queries about the process of collection, processing or transfer of your personal information, or consider that the information contained in a database should be subject to correction, updating or deletion, please send us a message to the following email account: privacidad@aviasolucioneshoteleras.com. For more information about AVIATUR, the identity, address and contact methods, you can consult it at the following address www.aviasolucioneshoteleras.com. This website has with it the terms and conditions applicable to the published services and products, which can be consulted at any time for more information. VALIDITY AVIANET reserves the right to modify this policy to adapt it to new legislation or jurisprudence, as well as to best practices in the tourism sector and other economic sectors that comprise the business group. In such cases, AVIANET will announce the changes on this page with reasonable notice before their implementation.

What time is check-in and check-out at the hotel? Check-in 3:00 pm Check-out 12:00 pm What is the hotel's policy regarding early arrivals and late departures? Early check-in: Subject to availability starting at 7:00 am. 50% of the rack rate will be charged, granting the room. Early use: A charge of $50,000 will be made for breakfast and the right to early use of the facilities. Early departure: In the event that the guest leaves early without notifying the hotel (48 hours in advance), a charge of 100% of the rate corresponding to one night of accommodation at the rack rate will be made at the time of check-out. Except in the case of an early departure due to force majeure or demonstrable fortuitous event, in which case the 100% of the charge will not be applied. Late check-out: Subject to availability. Between 3:00 PM (15:00) and 7:00 PM (19:00), 50% of one night's accommodation will be charged at the rack rate. After 7:00 PM (19:00), the full rack rate will be charged. What is the minimum check-in age at the hotel? 18 Years of Age Minors: If you are traveling with your child(ren) under 18 years of age, you must present the minor's identification document (civil registry) that proves the relationship. If the minor(s) are not traveling with their parents, you must submit to the reception, in addition to the minor's identification document (civil registry), the parents' permission, which must be authenticated by a notary and accompanied by a copy of the identification document of those who gave the authorization. If you are a foreigner, you must present an equivalent document. Minors are not permitted to enter the hotel without this documentation. If the Guest does not present any of the documents listed here, the Hotel reserves the right to refuse entry to any person or persons in the group who do not present the complete documents. This is in accordance with the provisions of Law 679 of 2001 to Prevent the Sexual Exploitation of Children and Adolescents and its related regulations.

The sexual exploitation and abuse of minors are punishable by imprisonment, according to Law 679 of 2001 and Law 1336 of 2009.