Legal Notice

PERSONAL INFORMATION PROCESSING POLICIES:

ONE: OVERVIEW

We take special care to protect and respect your information and personal data, which is why we have designed these information processing policies, under the framework of Law 1581 of 2012 and Regulatory Decree 1377 of 2013.

1.1. Introduction.

HOTEL SORATAMA S.A. may collect the personal data of its users, guests or visitors through the different resources designed for access to the services it provides. In any case, the gathering of data will be undertaken with the express authorisation of the owner of the data and the processing of this data will be subject to the provisions established in law.

The personal information that is the subject of the considerations established herein may by gathered by HOTEL SORATAMA S.A. through the website http://www.hotelsoratama.com, by visiting said site or purchasing the services offered on the platform, or directly in the hotels linked or associated with HOTEL SORATAMA S.A.

The considerations established herein will be considered accepted by the owner of the information when they visit or make use of the website http://www.hotelsoratama.com and/or enter their personal data or information through the functions established for this purpose, whatever their aim.

1.2. General Principles.

The obtaining and gathering of personal data, like the use, processing, handling, exchange, transfer and disclosure of these by HOTEL SORATAMA S.A. or any of the organisations operating HOTEL SORATAMA S.A. hotels, will always be guided by principles of legality, liberty, veracity, transparency, safety, confidentiality, access and restricted circulation.

1.3. Legal Definitions.

In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions will govern the personal information processing policies.

1.3.1. Entity Responsible for Processing: The individual or legal entity, whether public or private, acting alone or in association with others, that processes personal data on behalf of the Processing Manager;

1.3.2. Processing Manager: The individual or legal entity, whether public or private, acting alone or in association with others, that makes decisions regarding the database and/or processing of data;

1.3.3. Database: The organised set of personal data that is the subject of processing;

1.3.4. Personal Data: Any information linked or that may be associated to one or various individuals who may be determined;

1.3.5. Sensitive Data: Data that affect the privacy of the owner, or whose undue use may give rise to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions, social organisations, human rights organisations or organisations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, in addition to data related to health, sex life and biometric data;

1.3.6. Public Data: Data that is not semi-private, private or sensitive. Among others, data related to the marital status of people, their profession or role, and their status of merchant or public servant are considered public data. Due to their nature, public data may be contained in public records, public documents, gazettes and official bulletins, and duly executed legal rulings that are not subject to reservation;

1.3.7. Transfer: The transfer of data take place when the Processing Manager and/or Entity Responsible for Processing Personal Data, located in Colombia, sends the personal data or information to a recipient, who is also the Processing Manager and who is found to be within or outside the country;

1.3.8. Disclosure: Personal data processing that involves their communication within or outside of Colombia when the aim is processing by the Processing Manager on behalf of the Entity Responsible for Processing.

TWO: AUTHORISATION OF THE OWNER:

The data supplied will be subject to authorised processing, granted previously, expressly and in an informed manner by the owner of the data, directly to HOTEL SORATAMA S.A., or through an intermediary of HOTEL SORATAMA S.A. hotels or the companies that operate them.

However, visiting, entering or using the website http://www.hotelsoratama.com constitutes prior, express and informed authorisation to store, gather and process information in compliance with the data processing policy contained herein.

In any case, the gathering of data will be limited to the personal data that is pertinent and relevant for the desired purpose.

THREE: PROCESSING OF INFORMATION:

3.1. Data gathered. The gathering of data for the development of processing and the aims this hopes to achieve will apply to the personal data HOTEL SORATAMA S.A. and the companies and hotels linked or associated with HOTEL SORATAMA S.A. receive and store, and it will comprise all the information that is supplied or provided during the visit to the website http://www.hotelsoratama.com in addition to all information related to the services or bookings made and the accommodation data supplied to HOTEL SORATAMA S.A., or any of the hotels associated with HOTEL SORATAMA S.A.

Notwithstanding the fact that in some cases public data is processed, the information gathered will correspond to the name, citizen identity card number, profession, nationality, date of birth, email address, personal preferences and interests, job or activity, consumption or travel habits, among others. If a booking is made through the website http://www.hotelsoratama.com, the information corresponding to the credit card that is supplied for the purposes of booking and accommodation will be gathered.

3.2. Processing to which the data will be subject and the purpose.

The data and information obtained and gathered by HOTEL SORATAMA S.A., by HOTEL SORATAMA S.A. hotels, or by the companies that operate said hotels, will be used in the normal course of the commercial activities of HOTEL SORATAMA S.A. for the sole purpose established in these information processing policies, such that direct and effective communication with the client is possible, leading to a closer relationship.

Processing consists of the sending of digital information through different communication channels with the intention of contacting the owner to send them service surveys following every stay, enabling the assessment of the service provided, and to inform them of the invitations, offers, promotions, portfolio of services or information of the hotel or hotels that form a part of HOTEL SORATAMA S.A., without their data being facilitated, ceded or submitted to third parties or people external to the hotel that gathered the information, or to the hotels and activities linked to HOTEL SORATAMA S.A. and the activities it develops. Additionally, via the collection of data, HOTEL SORATAMA S.A. seeks to: perform, process, handle and/or complete bookings or the purchase of nights at a hotel and other services; perform internal studies on tourism habits; evaluate the quality of its services; send surveys and questionnaires regarding the services offered; promptly attend to the requests, applications or needs of users; communicate invitations, offers, promotions and information in general regarding the portfolio of services offered by the individuals or legal entities linked directly with the hotel operation and specifically with the services provided by HOTEL SORATAMA S.A., and the companies and hotels it operates.

The information or data supplied that is collected, gathered or stored in accordance with these policies may be shared, transferred, updated and/or erased between HOTEL SORATAMA S.A., HOTEL SORATAMA S.A. hotels and their operating companies for the purpose defined in these policies, in order to be used in the manner established herein. Upon entering the website http://www.hotelsoratama.com, the user consents to their information and data being shared with the tourism providers referred to and through whoe their bookings and/or requests are processed.

They accept that all information or data supplied or stored through the website http://www.hotelsoratama.com is truthful, accurate and complete, and that it may be withdrawn at any time in the event it is considered harmful or damaging to their interests or the interests of a third party.

The data and information in general that is received when a user enters the website http://www.hotelsoratama.com may be about the user or the device from which they are entering the website. With the aim of optimising and making the user's experience visiting the website http://www.hotelsoratama.com more efficient, cookies and/or web beacons may be used to obtain and store the information on the websites visited, IP address and the operating system of the device used to enter the website via a process of recognition and tracking that enables the user's preferences to be identified and the user to be identified when they visit the website again, as well as the storage of certain records using the IP address. The IP address is not associated or linked to the user's name or personal data.

3.3. Sensitive data and data corresponding to children and minors. Neither HOTEL SORATAMA S.A. nor the operating companies of HOTEL SORATAMA S.A. hotels will process data classed as sensitive, nor will it gather data that is aimed at gathering sensitive information.

The gathering of data corresponding to children and minors, and the respective authorisation, must always be given through their legal guardian before the minor exercises their right to be heard. The processing of data corresponding to children and minors will respond to and respect the superior interest of children and minors and their fundamental rights. If for any reason a question may lead to the response is related to sensitive data or the data of children and minors, the response to said question will be optional.

3.4. Duties of the entity responsible for processing information.

Information managers and/or the entities and managers responsible for processing personal data undertake to: a) guarantee the owner the full and effective right to exercise habeas data; b) request and safe-keep in the conditions established by law a copy of the respective authorisation granted by the owner; c) duly inform the owner of the purpose of data collection and the rights that correspond to them pursuant to the authorisation granted; d) safe-keep information in the security conditions necessary to prevent their unauthorised or fraudulent alteration, loss, consultation, use or access; e) guarantee that the information supplied to the Processing Manager is truthful, complete, exact, updated, verifiable and understandable; f) update the information, promptly communicating to the Processing Manager all new aspects related to the data that was previously supplied and adopting all measures necessary to ensure the information supplied is kept up-to-date; g) correct information when it is incorrect and communicate the relevant aspects to the Processing Manager; h) supply the Processing Manager, if applicable, with only the data for which processing has been previously authorised in compliance with the provisions outlined in law; i) demand that the Processing Manager respects the security and privacy conditions of the information at all times; j) process the consultations and complaints formulated in the terms outlined in law; k) inform the Processing Manager when certain information is under discussion with the owner, once the complaint has been presented and the respective process remains incomplete; l) provide information, at the request of the owner, regarding the use of their data; m) inform the data protection authority when violations of security codes occur and when risks to the administration of information exist; n) comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

FOUR: RIGHTS AND POWERS OF THE OWNER:

4.1. Rights of the owner. Once authorisation has been granted by the owner for the corresponding processing, they have the right to: a) be aware of, update and correct their personal data. This right may be exercised with regard to partial data, inexact data, incomplete data and fragmented data that leads to error, or data whose processing is expressly prohibited and remains unauthorised; b) request proof of the authorisation granted, unless when expressly exempt as a requirement of processing, in compliance with the provisions outlined in Article 10 of Law 1581 of 2012; c) be informed by the manager and/or entity responsible for the processing of personal data, via request, of the use made of their personal data; d) present to the Superintendency of Industry and Commerce complaints due to incidents of non-compliance with the provisions outlined in law; e) revoke authorisation and/or request the removal of data when constitutional and legal principles, rights and guarantees are not respected in processing. The revocation and/or removal will occur when the Superintendency of Industry and Commerce has determined that conduct contrary to this law and the Constitution has occurred in processing; f) make a request, at any time, to the manager or entity responsible for processing personal data asking for their personal data to be removed and/or the authorisation granted to process said data be revoked via the presentation of a complaint. This will not occur when the owner has a legal or contractual obligation to remain on the database; g) freely access their personal data that is the subject of processing: (i) at least once every calendar month, and (ii) whenever substantial modifications to the information processing policies exist, giving rise to new consultations. In the case of requests that are made more frequently that once per calendar month, the manager and/or entity responsible for data processing may charge the owner shipping, reproduction and, if applicable, document certification costs.

4.2. Legitimacy to exercise owner's rights.

The following also have legitimacy to exercise the rights that pertain to the owner of the information: a) the owner themselves, but they must sufficiently accredit their identity via the means they make available to the manager; b) their successors who must be authorised in this capacity; c) the legal representative and/or attorney-in-fact, subject to prior certification of representation or power of attorney; d) by stipulation in favour or another or for another; e) the rights of children or minors will be exercised by the people who are authorised to represent them, subject to certification of the power of representation.

4.3. Area responsible for attending to and supporting the owner.

The attention and response to consultations, requests and complaints of information owners regarding any aspect of processing will be the responsibility of the Legal Department. Any owner of information who wishes to know, update or correct their information, or request proof of the authorisation granted; be informed of the use made of their personal data; revoke authorisation and/or request the elimination of data and/or freely access their personal data that is the subject of processing, must make a request to do so in writing sent directly to the email address administracion@hotelsoratama.com or send a letter to CARRERA 7 NUMERO 19-20 PEREIRA, RISARALDA. In either case, the following must be indicated: a) full name; b) identity document; c) physical address and email address; d) contact telephone number; e) brief list of the information and data referred to, expressly indicating the scope and content of the request; and, f) attach the documents that support their request.

4.4. Procedure for the exercising of rights to know, update, correct or remove information and revoke authorisation.

The procedures for accessing, updating, removing and correcting of personal data and for revoking authorisation may be advanced via consultations or complaints sent to the email address administracion@hotelsoratama.com or the address CARRERA 7 NUMERO 19-20 PEREIRA, RISARALDA, depending on the aim pursued, establishing, at minimum, the legitimacy the user has to make the request and clearly and specifically requesting the desired action.

All requests, suggestions and recommendations related to the processing of information must be sent to the email address administracion@hotelsoratama.com. The owner of the information or the authorised person must accompany their communication with proof of the capacity in which they act, and they must supply the data and documents necessary to confirm their identity and capacity.

The email sent must specify the reason or aim of the communication. To do so, the text must indicate that the right to access, update, rectify and remove data or revoke the authorisation granted is being exercised.

4.5. Procedure for correcting, updating or removing data for presenting complaints. The individual permitted by law, and who considers that the information contained must be the subject of correction, updating or removal, or the individual who believes that the processing of personal data breaches legal standards, may send, in accordance with Article 15 of Law 1581 of 2012, complaints to the email address administracion@hotelsoratama.com.

Complaints will be processed under the following terms and conditions:

4.5.1. The complaint will be formulated via request made to the Processing Manager or the Entity Responsible for Processing, identifying the owner, the description of the acts that have resulted in the complaint and the address, accompanied by supporting documents. If the complaint is incomplete, the party will be required to correct the faults within five (5) working days following receipt of the complaint. If two (2) months pass from the date this communication is made without the requestor presenting the information required, it will be understood that they have withdrawn the complaint. If the person who receives the complaint is not capable of resolving the issue, it will be transferred to someone who can within a maximum of two (2) working days and the party involved will be informed of the situation.

4.5.2. Once the full complaint has been received, the database will include a key that states "complaint being processed" and the reason for this, within a maximum of two (2) working days. This key must be maintained until the complaint has been settled.

4.5.3. The maximum term to address the complaint will be fifteen (15) working days from the day after it is received. When it is not possible to address the complaint within said term, the party involved will be informed of the reasons for the delay and the date on which their complaint will be addressed, which, under no circumstances, may exceed eight (8) working days following the expiry of the first term.

4.6. Consulting and accessing information. Consultations of the personal data contained on the database of HOTEL SORATAMA S.A. will be addressed via a written request made and sent to the email address administracion@hotelsoratama.com. Consultations will be addressed within a maximum term of ten (10) working days from the date they are received. When it is not possible to attend to the consultation within said term, the party involved will be informed of this before these ten (10) working days pass, explaining the reasons for the delay and indicating the date on which the consultation will be addressed, which, under no circumstances, may exceed five (5) working days following the expiry of the first term.

FIVE: SECURITY.

5.1. Security in the handling of information.

The data gathered will always be processed within a framework of confidentiality, for which reason they will not be facilitated, ceded or submitted to people different or external to the hotel, to HOTEL SORATAMA S.A. or to operating companies of HOTEL SORATAMA S.A. or that have legitimate authorisation to do so.

5.2. Transfer and disclosure of data.

In the event a contract is signed with a professional third party with experience in the handling and use of databases, the manager will sign the personal data disclosure contract referred to in Article 25 of Decree 1377 of 2013.

SIX: CIRCULATION AND VALIDITY.

6.1. Means of circulation of information processing policies and the privacy policy.

This document, via which the information processing policies for the personal data collected are established, will be published permanently on http://www.hotelsoratama.com so it may be consulted. When the express authorisation of the owner of data or information is requested for the processing of data, they will be told the specific purposes for which consent is to be obtained and made aware of the processing policy and the rights that pertain to them.

6.2. Effective date of information processing policies.

The gathering, storage, use and circulation of personal data, in development of the considerations established herein, will be undertaken and maintained while the need for direct communication with the client remains necessary and no other more efficient ways of doing so exist, in accordance with the aims proposed by processing. If the purpose cannot be reached through the processing of personal data, they will be removed permanently from the database. This document came into force on 22 February 2016.

6.3. Procedure for events of modification of policies.

In the event modifications are made to the personal data processing policies detailed herein, users will be notified and a communication will be made through this website before they come into force.

6.4. Inclusion of the conditions of use of the website http://www.hotelsoratama.com.

In compliance with applicable standards, the information processing policy forms an integral part of the terms and conditions of use of the website http://www.hotelsoratama.com.

6.5. Information manager.

The company HOTEL SORATAMA S.A., with VAT number 800156522-5 is the entity responsible and charged with processing personal data, along with each of the related operating companies that collect information. When information has been received or gathered by any of its linked companies, with express authorisation to be transferred, HOTEL SORATAMA S.A. will be responsible for processing.

Any communication may sent to CARRERA 7 NUMERO 19-20 PEREIRA, RISARALDA or to the email address administracion@hotelsoratama.com.