Terms and Conditions

Information Processing Policy

PERSONAL DATA PROCESSING POLICY

INTRODUCTION

At Stay S.A.S. (hereinafter “Stay”), the preservation, protection, integrity, and confidentiality of the Personal Data of its guests, visitors, general clients, suppliers, contractors, shareholders, investors, employees, and others is very important. To this end, we have designed a policy for the storage and processing of the Personal Data provided to us through any means, and we are committed to its protection and proper handling, in accordance with the legal regime for the protection of Personal Data applicable in each territory where we operate.

OBJECTIVE

To describe the guidelines for the processing of Personal Data, taking into account the provisions of Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, incorporated in the Sole Decree 1074 of 2015, and other regulations that expand, modify, or replace the rules on the matter.

DEFINITIONS

For the purposes of applying the rules contained in this policy, and in accordance with Article 3 of Law 1581 of 2012, the following definitions apply:

Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of personal data. The Authorization will be considered compliant with these requirements when expressed (i) in writing, (ii) orally, or (iii) through unequivocal actions of the Data Subject that reasonably allow concluding that the authorization was granted. In no case may silence be treated as unequivocal conduct.

Privacy Notice: Verbal or written communication generated by the Data Controller and addressed to the Data Subject for the processing of their personal data, informing them of the existence of the information Processing policies that will apply to them, how to access those policies, and the purposes of the Processing intended for the personal data.

Database: Organized set of Personal Data that is subject to Processing.

Personal Data: Any information linked to or that may be associated with one or more identified or identifiable natural persons.

Private Data: Organized set of Personal Data that is subject to Processing.

Semi-private Data: Data that is not of intimate, reserved, or public nature and whose knowledge and dissemination may interest not only its holder but also a certain sector or group of people, or society in general, such as financial and credit data.

Sensitive Data: Data that affects the Data Subject’s intimacy or whose misuse can lead to discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or organizations that promote any political party’s interests or guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

Data Processor: A natural or legal person, public or private, who, alone or in association with others, processes Personal Data on behalf of the Data Controller.

Data Controller (or simply “Controller”): A natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of the data.

Transfer: Data transfer occurs when the Data Controller and/or Data Processor, located in Colombia, sends the information or Personal Data to a recipient, who in turn is responsible for processing the data and is located inside or outside the country.

Transmission: The processing of Personal Data that involves the communication of such data within or outside the territory of the Republic of Colombia for the purpose of processing by the Data Processor on behalf of the Data Controller.

Data Subject: A natural person whose Personal Data is subject to processing.

Processing: Any operation or set of operations on personal data, such as the collection, storage, use, circulation, or deletion of such data.

PRINCIPLES

The principles outlined below constitute the general parameters that will be adopted by Stay in the processes of personal data processing:

Principle of Purpose: The processing of Personal Data collected by Stay must comply with a legitimate purpose, which must be informed to the Data Subject.

Principle of Freedom: Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal Data cannot be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that relieves the need for consent.

Principle of Veracity or Quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

Principle of Transparency: In processing, the right of the Data Subject to obtain from Stay or the Data Processor, at any time and without restrictions, information about the existence of data concerning them must be guaranteed.

Principle of Restricted Access and Circulation: Personal data, except for public information, cannot be available on the Internet or other means of mass communication or disclosure unless access is technically controllable to provide restricted knowledge only to the Data Subjects or authorized third parties.

Principle of Security: The information subject to processing by Stay S.A.S. must be protected using the necessary technical, human, and administrative measures to ensure the security of the records, preventing their adulteration, loss, unauthorized or fraudulent consultation, use, or access.

Principle of Confidentiality: All persons involved in the processing of Personal Data are obligated to guarantee the confidentiality of the information, even after their relationship with any of the tasks comprising the processing has ended.

Principle of Collaboration with National or Foreign Authorities: In addition to what is established by law, the Authorization of the Data Subject will include the possibility of providing information to national or foreign authorities, with the aim of collaborating in the prevention, detection, and mitigation of risks related to tax evasion, national or foreign corruption, money laundering, financing of terrorism, and/or similar activities, as well as carrying out necessary actions to mitigate the effects of such situations if they occur.

Principle of Legality: The collection, use, and processing of personal data will be based on the provisions established by the law and other regulations that develop it.

Principle of Necessity and Proportionality: The personal data recorded in a database must be strictly necessary to fulfill the purposes of the processing, as informed to the Data Subject. In this sense, they must be adequate, relevant, and in accordance with the purposes for which they were collected.

Principle of Purpose: The processing of the collected personal data must comply with a legitimate purpose according to the constitution and the law, which must be informed to the Data Subject.

Principle of Temporality or Expiry: The period of conservation of personal data will be necessary to achieve the purpose for which they have been collected.

SCOPE OF APPLICATION

This policy will be applicable to the Personal Data registered and to be registered in the different databases managed by Stay. This includes databases of guests, visitors, members, general clients, suppliers, contractors, shareholders, investors, employees, former employees, and others who provide their data through different communication channels (digital or printed media) for commercial, legal, contractual, labor, or security purposes, as applicable. The information collected by Stay may include, in whole or in part depending on the needs of each product and/or service, among others, the following data:

– First and last names

– Type and number of identification

– Nationality and country of residence

– Date of birth and gender

– Marital status and/or relationship with minors or disabled individuals requesting our services

– Landline and mobile contact numbers (personal and/or work)

– Postal and electronic addresses (personal and/or work)

– Profession or occupation

– Company where you work and position

– Origin and destination

– Purpose of your trip

– Credit card information (number, bank, expiration date)

– Personal data of the cardholder (first and last names, type and number of identification)

– Home address where the cardholder receives bank statements

– Biometric data, specifically security camera records for surveillance

– Photographic images or videos

These data may be stored and/or processed on servers located in data centers, either owned or contracted with third-party providers and/or contractors, who are in turn compelled to comply with this policy as Data Processors under confidentiality clauses.

VERACITY OF INFORMATION

Our guests, visitors, members, general clients, suppliers, contractors, shareholders, investors, employees, and others must provide truthful information about their Personal Data to establish an appropriate relationship with Stay, either for the provision of services or for the fulfillment of legal and/or contractual obligations. Stay presumes the veracity of the information provided and does not verify, nor is it obligated to verify, the identity of guests, visitors, general clients, suppliers, contractors, shareholders, investors, employees, and others, nor the veracity, validity, sufficiency, and authenticity of the data each of them provides. Therefore, Stay assumes no responsibility for damages and/or losses of any nature that may arise from the lack of veracity, validity, sufficiency, or authenticity of the information, including damages and losses that may be due to homonymy or identity theft.

INFORMATION OF CHILDREN AND ADOLESCENTS

In accordance with the law, Stay will not process the Personal Data of children and adolescents, except when it concerns public data, in accordance with Article 7 of Law 1581 of 2012, and when such processing complies with the following parameters and requirements:

a) It responds to and respects the best interests of children and adolescents.

b) It ensures the respect of their fundamental rights.

The collection of personal data of minors is optional and must be carried out with the prior and express authorization of the guardian or the person who has parental authority. In the case of children and other family members of the Data Subjects, the Processing of this information will be for purposes related to the human resources department (affiliation with social security, family compensation funds, benefits, and other legal obligations) and will ensure respect for the prevailing rights of children and adolescents. Stay will ensure the proper use of children’s and adolescents’ data, guaranteeing that their best interests and fundamental rights are respected in the processing of their data.

PURPOSES OF THE PROCESSING OF PERSONAL DATA

The Personal Data of guests, visitors, and general clients are collected to process, confirm, fulfill, and provide the services and/or products acquired, directly and/or with the participation of third-party contractors and/or product or service providers, as well as to promote and advertise, directly and through third-party providers, our activities, products, and services, perform transactions, make reports to various national or international administrative control and oversight authorities, police authorities, or judicial authorities, banks, and/or insurance companies, for internal and/or commercial administrative purposes such as market research, audits, accounting reports, statistical analysis, billing, and offering and/or recognition of benefits of our loyalty programs.

The Personal Data of suppliers, contractors, shareholders, investors, employees, and others are collected to fulfill the legal and/or contractual obligations assumed with each, make payments, make reports to various national or international administrative control and oversight authorities, police authorities, or judicial authorities, banks, and/or insurance companies, for internal administrative purposes such as market research, audits, accounting reports, statistical analysis, billing, and offering and/or recognition of benefits of our loyalty programs.

In the case of biometric data (specifically, security camera recordings for surveillance), the collected information will be used for the safety of employees, visitors, as well as property and facilities; and the information collected as photographic images or videos captured at events, courses, workshops, seminars, and other activities of Stay for the development of our social welfare, will be used or may be processed for security, coexistence, support, or evidence of the work and activities carried out.

In the case of contact information (phone number, email for sending SMS messages or through WhatsApp, Telegram, or any other technological or instant messaging means) of location and geolocation, the data will be processed by Stay S.A.S., by its CRM or Customer Relationship Management provider – Progress (Experience Hôtel ©) and any third party that replaces it or has access to this data to fulfill the purposes described below:

– Make event invitations and offer products and services;

– Manage procedures (requests, complaints, claims);

– Conduct satisfaction surveys regarding the goods and services offered by Stay S.A.S. or its business partners;

– Provide contact information to the sales force and/or distribution network, telemarketing, market research, and any third party with which Stay S.A.S. has a contractual relationship for the development of such activities (market research and telemarketing, etc.) for their execution;

– Contact the Data Subject through telephone, email, chat, WhatsApp, or Telegram to conduct surveys, studies, and/or confirmation of personal data necessary for the execution of a contractual relationship;

– Contact the Data Subject through electronic means – SMS or chat to send news related to loyalty campaigns or service improvement;

– Provide the services offered by Stay S.A.S. and accepted in the signed contract (where applicable);

– Learn about clients’ tastes, preferences, and hobbies; and the most used or preferred social networks.

By accepting the processing of personal data, our guests, members, visitors, general clients, suppliers, contractors, shareholders, investors, employees, and others, as data subjects, authorize Stay to apply this policy and process their personal data, in whole or in part, including the collection, storage, recording, use, circulation, processing, deletion, for the execution of activities related to the services and products acquired, such as making reservations, modifications, cancellations, and changes thereof, refunds, handling inquiries, complaints and claims, payment of compensations and indemnifications, accounting records, correspondence, processing and verification of credit, debit cards, and other identification instruments, fraud detection and prevention of money laundering and other criminal activities, and/or for the operation of loyalty programs, sending of advertisements and commercial material, requesting the completion of satisfaction surveys, and other purposes indicated in this document. This is without prejudice to other purposes that have been informed in this document and in the terms and conditions of each of the products and services specific to each of our business units.

Third-party providers and/or contractors may be involved in these activities and are compelled to comply with this policy as Data Processors under confidentiality clauses, such as reservation system providers, travel agencies, reservation centers, banks, insurers, security personnel or security agencies, and others. Additionally, our travelers, clients, and users, as Data Subjects of the collected data, by accepting this policy, authorize us to:

– Use, directly or through contracted third parties, the information received from them for marketing purposes of our products and services, and the products and services of third parties with whom Stay maintains a business relationship.

– Provide Personal Data to police or judicial control and surveillance authorities, by legal or regulatory requirement and/or use or disclose this information and Personal Data in defense of its rights and/or property as far as such defense is related to the products and/or services contracted by its travelers, clients, and users.

– Allow access to information and Personal Data to auditors or third parties contracted to carry out internal or external audit processes related to the commercial activity we develop.

– Consult and update personal data, at any time, to keep such information up to date.

– Contract with third parties for the storage and/or processing of information and Personal Data for the proper execution of the contracts entered into with us, under the security and confidentiality standards to which we are obliged.

AUTHORIZATION

The collection, storage, use, circulation, or deletion of Personal Data by Stay requires the free, prior, express, and informed consent of the Data Subject. The authorization will be considered compliant with these requirements when expressed (i) in writing, (ii) orally, or (iii) through unequivocal actions of the Data Subject that reasonably allow concluding that the authorization was granted. In no case shall silence be understood as unequivocal conduct.

Stay, in its capacity as the data controller, has implemented the necessary mechanisms to obtain the Data Subject’s Authorization, ensuring that it is always possible to verify the granting of such authorization. With the aforementioned Authorization, the Data Subject accepts the policies and conditions established in this document. The Data Subject’s Authorization will not be necessary in the following events:

– Personal Data is required by a public or administrative entity in the exercise of its legal functions or by court order.

– The data is of a public nature.

– In cases of medical or sanitary emergency.

– The processing of Personal Data is authorized by law for historical, statistical, or scientific purposes.

– The data is related to civil registry records.

FORM AND MECHANISMS FOR GRANTING AUTHORIZATION

The Data Subject’s Authorization will be included in each of the data collection channels and mechanisms of Stay. It may be in a physical document, electronic format, or any other format that guarantees its subsequent consultation. The Authorization will be issued by the Data Subject prior to the processing of their personal data, in accordance with Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, incorporated in the Sole Decree 1074 of 2015, and other regulations that expand, modify, or replace the rules on the matter.

With the consented Authorization procedure, it is ensured that the Data Subject of the personal data is informed that their personal information will be collected and used for specific and known purposes and that they have the option to know any alteration to them and the specific use that has been made of them. This allows the Data Subject to make informed decisions regarding their Personal Data and control the use of their personal information. The Authorization may also be consented to by the Data Subject through unequivocal actions that reasonably allow concluding that the Authorization was granted, such as entering and remaining in buildings with video surveillance systems, and with entry and exit records.

RIGHTS OF THE DATA SUBJECTS

In accordance with Article 8 of Law 1581 of 2012, the Data Subject of Personal Data has the following rights:

– To know, update, and rectify their Personal Data with Stay, in its capacity as data controller.

– To authorize Stay, as the data controller, to handle the information contained in the databases in accordance with Law 1581 of 2012.

– To request proof of the Authorization granted to Stay, in its capacity as data controller, except when expressly exempted as a requirement for processing, in accordance with Article 10 of Law 1581 of 2012.

– To be informed by Stay, upon request, about the use that has been made of their personal data.

– To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012, once they have exhausted the consultation or claim process with the data controller.

– Except for legal exceptions, to revoke the Authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights, and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the data controller has engaged in conduct contrary to the law and the Constitution during processing.

– To access their Personal Data that has been subject to Processing free of charge.

– To refrain from answering questions about sensitive data or about the data of children and adolescents.

– To be informed about this data protection policy.

DUTIES OF STAY IN RELATION TO THE PROCESSING OF PERSONAL DATA

Stay will always keep in mind that Personal Data belongs to the individuals they refer to and that only they can decide on it. Accordingly, it will use them only for the purposes for which it is duly authorized and will always respect Law 1581 of 2012 on personal data protection. In accordance with Article 17 of Law 1581 of 2012, Stay commits to permanently comply with the following duties:

– Guarantee the Data Subject, at all times, the full and effective exercise of their rights.

– In accordance with the law, request and retain the respective authorization granted by the data subject.

– Clearly inform the data subject about the purpose of the collection of personal data and their rights.

– Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.

– Request and retain, under the conditions provided by law, a copy of the respective Authorization granted by the data subject.

– Timely perform the updating, rectification, or deletion of data within the terms provided in Articles 14 and 15 of Law 1581 of 2012.

– Process consultations and claims made by the Data Subjects within the terms indicated in Article 14 of Law 1581 of 2012.

– Record the legend “Claim in Process” in the database in the manner regulated by Law 1581 of 2012.

– Insert the legend “Information under Judicial Discussion” in the database once notified by the competent authority about judicial processes related to the quality or details of the Personal Data.

– Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.

– Allow access to information only to those who may have access to it.

– Inform the Superintendence of Industry and Commerce when security codes are violated, and there are risks in the administration of the Data Subjects’ information.

– Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

– Strictly comply with Law 1581 of 2012 as well as the decrees that regulate it and all requirements made by the Superintendence of Industry and Commerce.

– Use information responsibly, including security, administrative, physical, and technological controls.

PROCEDURES FOR ACCESS, CONSULTATION, AND CLAIMS

RIGHT OF ACCESS

The power of disposition or decision that the Data Subject has over their information necessarily entails the right to access and know if their personal information is being processed, as well as the scope, conditions, and generalities of such processing. Likewise, the Data Subject has the right to request the rectification of their data if it is inaccurate or incomplete and to cancel it when it is not being used in accordance with legal or contractual purposes or the purposes and terms contemplated in this Policy. Stay will guarantee the right of access when, upon verification of the identity of the Data Subject or their representative or attorney, it is requested as provided in Law 1581 of 2012, including the following data:

a) Names and surnames.

b) Type of document.

c) Document number.

d) Phone number.

e) Personal email.

f) Country.

g) Subject.

Clients and users can exercise their rights to know, update, rectify, and delete their Personal Data by sending their request to the email: protecciondatos@staygroup.co, or through the website https://seissta.com in the legal terms section, in accordance with this Policy.

RESPONSE TO CONSULTATIONS

In any case, regardless of the mechanism implemented for handling consultation requests, they will be attended to within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend to the consultation within this term, the interested party will be informed before the expiration of the 10 days, explaining the reasons for the delay and indicating the date on which the consultation will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.

CLAIMS

In accordance with Article 14 of Law 1581 of 2012, the Data Subject or their successors who consider that the information contained in a database should be corrected, updated, or deleted, or when they notice an alleged breach of any of the duties contained in Law 1581 of 2012, may file a claim with the Data Controller, which will be processed under the following rules:

The claim can be submitted by the Data Subject using the forms provided by Stay in its Hotel registry. If the received claim lacks complete information that allows it to be processed, such as the identification of the Data Subject, description of the facts giving rise to the claim, address, and accompanying documents that are intended to be enforced, the interested party will be required within five (5) days following its receipt to remedy the deficiencies. If two (2) months elapse from the date of the request without the applicant providing the required information, it will be understood that they have withdrawn the claim. If for any reason the Company receives a claim that should not be directed to it, it will transfer it to the appropriate party within a maximum term of two (2) business days and inform the interested party of the situation.

Once the complete claim is received, a legend will be included in the database maintained by Stay that says “claim in process” and the reason for it, within a term not exceeding two (2) business days. This legend must be maintained until the claim is decided.

The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address it within this term, the interested party will be informed before the expiration of the referred term of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

In cases where the Data Subject claims identity theft, Stay S.A.S. must inform the Data Processor to include the respective legend regarding the Data Subject and the obligation or obligations affecting them with the impersonation. In any case, the Data Controller must carry out the corresponding process to establish if there are indications that lead to the elimination of the information report, both positive and negative. If as a result of the process it is determined that the elimination of the information does not proceed, the Data Subject may turn to the Superintendence of Industry and Commerce for it to rule on the matter.

IMPLEMENTATION OF PROCEDURES TO GUARANTEE THE RIGHT TO FILE CLAIMS

At any time and free of charge, the Data Subject or their representative may request Stay to rectify, update, or delete their personal data, upon verification of their identity. The rights of rectification, updating, or deletion may only be exercised by:

– The Data Subject or their successors, upon verification of their identity, or through electronic means that allow them to be identified.

– Their representative, upon verification of the representation.

When the request is made by a person other than the Data Subject and it is not proven that they are acting on behalf of the Data Subject, it will be considered not submitted.

The request for rectification, updating, or deletion must be submitted through the means enabled by Stay indicated in this policy and contain, at a minimum, the following information:

– The name and address of the Data Subject or any other means to receive the response.

– The documents that prove the identity or representation of the Data Subject.

– A clear and precise description of the Personal Data regarding which the Data Subject seeks to exercise any of their rights.

– Any other elements or documents that facilitate the location of the personal data.

– Indicate the corrections to be made and provide the documentation that supports the request.

DATA DELETION AND/OR REVOCATION OF AUTHORIZATION

The Data Subject has the right, at any time, to request Stay to delete their Personal Data when:

– They consider that the data is not being processed in accordance with the principles, duties, and obligations set out in Law 1581 of 2012.

– The data is no longer necessary or relevant for the purpose for which it was collected.

– The period necessary for fulfilling the purposes for which the data was collected has expired.

The request for data deletion or the revocation of the Authorization will not proceed when:

– The Data Subject has a legal or contractual obligation to remain in the database.

– The deletion of the data would hinder judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.

– The data is necessary to protect the legally protected interests of the Data Subject, to carry out an action in the public interest, or to comply with a legally acquired obligation by the Data Subject.

INFORMATION SECURITY

In accordance with the principle of security established in Law 1581 of 2012, Stay has adopted the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized consultation, use, or fraudulent access. Nonetheless, the client assumes the risks arising from providing this information through a medium such as the internet, which is subject to various variables—third-party attacks, technical or technological failures, among others. Stay will make its best technological effort to guarantee the security of the personal information of all its clients and/or users, employing reasonable and current security methods to prevent unauthorized access, maintain data accuracy, and ensure the correct use of the information.

MODIFICATIONS TO THE POLICY

Stay reserves the right to make modifications or updates to this Policy at any time, to address legislative changes, internal policies, or new requirements for the provision or offering of its services or products.

VALIDITY

This Policy begins to take effect according to the terms of Law 1581 of 2012. The validity of the databases mentioned herein and the corresponding Personal Data will be maintained in accordance with contractual terms or the legal terms on document retention.

ANNEXES

– Authorization for Personal Data Processing (in contract and/or any document provided by Stay)

– Authorization for Image and Photography Use

– Hotel Registration