Policies

For all the purposes of this text, Hacienda Combia will be called THE HOTEL.

GENERAL CONSIDERATIONS

Aware of the importance of the protection and proper handling of the personal information provided by the holders of the information, AVIA SOLUCIONES HOTELERAS, - hereinafter AVIANET, who acts as responsible for the information received, has designed this policy and procedures that in Together, they allow you to make appropriate use of your personal data.

In accordance with the provisions of article 15 of the Political Constitution of Colombia, which develops the fundamental right to habeas data, referring to the right that all citizens have to know, update, rectify the personal data that exist about it in databases and in files on both public and private bases, which is unfailingly related to the handling and treatment of information that recipients of personal information must take into account. This right has been developed through the issuance of Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013, based on which AVIANET as RESPONSIBLE for the personal data that receives, handles and processes the information and thus proceeds to issue this personal data treatment policy, which is made known to the public so that they know how AVIA treats their information. The provisions of this personal data treatment policy are mandatory for AVIANET, its administrators, workers, contractors and third parties with whom AVIANET establishes relationships of any kind.

OBJECTIVE

With the implementation of this policy, it is intended to guarantee the reservation of information and the security regarding the treatment that will be given to it to all clients, suppliers, employees and third parties from whom AVIANET has legally obtained information and personal data in accordance with the guidelines established by the law regulating the right to Habeas Data. Likewise, through the issuance of this policy, the provisions of paragraph K of article 17 of the aforementioned law are complied with.

DEFINITIONS

Authorization: Prior, express and informed consent of the owner of the data to carry out the treatment. This can be written, verbal or through unequivocal behaviors that allow to reasonably conclude that the owner granted authorization. Data Base: It is the organized set of Personal Data that are subject to treatment, electronic or not, whatever the modality of its training, storage, organization and access. Consultation: Request from the owner of the data or the persons authorized by it or by law to know the information that rests on it in databases or files. Personal data: Any information linked or that may be associated with one or more specific or determinable natural persons. These data are classified as sensitive, public, private and semi-private.Sensitive personal data: Information that affects the privacy of the person or whose misuse may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social or human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data (fingerprints, among others). For the purposes of this policy, AVIANET notices the optional nature of the owner of personal data to provide this type of information in cases in which, eventually, they may be requested. public personnel: It is the data classified as such according to the mandates of the law or the Political Constitution and all those those that are not semi-private or private. The data contained in public documents, public records, gazettes and official gazettes and duly executed judicial decisions that are not subject to reserve are public, among others, those related to the civil status of the people, their profession or trade and their quality of merchant or public servant. The personal data existing in the commercial register of the Chambers of Commerce (Article 26 of the C.Co.) Are public. Likewise, they are public data, those that, by virtue of a decision of the owner or a legal mandate, are in files of free access and consultation. These data can be obtained and offered without any reservation and regardless of whether they refer to general, private or personal information. Private personal data. It is the data that due to its intimate or reserved nature is only relevant for the person who owns the data. Examples: merchants' books, private documents, information extracted from home inspection, semi-private personal data. The data that is not intimate, reserved, or public in nature and whose knowledge or disclosure may be of interest not only to the owner but to a certain sector or group of people or to society in general, such as, among others, the data referring to compliance is semi-private. and breach of financial obligations or data related to relationships with social security entities Responsible for the Treatment: Person who by himself or in association with others, decides on the database and / or the treatment of the data .In charge of the treatment: Person who performs the data treatment on behalf of the person responsible for the treatment. Being "Authorized", is AVIANET and all the people under its responsibility, who by virtue of the authorization and the Policy have legitimacy to submit to treatment of the personal data of the owner. The Authorized includes the gender of the Qualified. "Qualification" or being "Qualified", is the legitimation that expressly and in writing by means of a contract or document that takes its place, AVIANET grants to third parties, in compliance with the applicable law, for the treatment of personal data, making such third parties in charge of the treatment of the personal data delivered or made available. Claim: Request from the owner of the data or the persons authorized by it or by law to correct, update or delete their personal data or when warn that there is an alleged breach of the data protection regime, according to article 15 of Law 1581 of 2012. Data owner: It is the natural person to whom the information refers. Treatment: Any operation or set of operations on personal data such as, among others, the collection, storage, use, circulation or deletion of this kind of information Transmission: Treatment of e personal data that implies the communication of the same within (national transmission) or outside of Colombia (international transmission) and that is intended to carry out a treatment by the person in charge on behalf of the person in charge.Transfer: The transfer of data takes place when The person in charge and / or person in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is inside or outside the country. or successor in title may only file a complaint with the Superintendency of Industry and Commerce once the consultation or claim process has been exhausted before the person responsible for the treatment or person in charge of the treatment, the foregoing according to Article 16 of Law 1581 of 2012.

PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

The processing of personal data must be carried out respecting the general and special rules on the matter and for activities permitted by law. Consequently, the following principles apply for the purposes of this policy:

Principle of legality: The processing of data is a regulated activity that must be subject to the provisions of the law and the other provisions that develop it.Principle of purpose: The treatment must obey a legitimate purpose in accordance with the Constitution and the Law .Principle of freedom: Treatment can only be exercised with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent. Principle of truthfulness or quality: The information subject to treatment must be truthful, complete, exact, updated, verifiable and understandable. . The treatment of partial, incomplete, fractioned or misleading data is prohibited.Principle of transparency: In the treatment, the right of the owner to obtain from the person responsible for the treatment, at any time and without restrictions, information about the existence of Data that concern you.Principle of access and restricted circulation: strong> The treatment is subject to the limits that derive from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the treatment can only be done by people authorized by the owner and / or by the people provided for in the law.Principle of security: The information subject to Treatment by the Person in Charge of Treatment or Person in Charge of Treatment referred to herein law, it must be handled with the technical, human and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.Principle of confidentiality: All persons involved in the treatment of personal data that do not have the nature of public are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks that includes the treatment, being able only to supply or communicate personal data when this corresponds to the development of the activities authorized in this law and in the terms of the same.

Any new project within the Organization that involves the Processing of Personal Data must be consulted with the Information Security Management, which is the person and agency in charge of the data protection function to ensure compliance with the policy and of the necessary measures to maintain the confidentiality of personal data.

RIGHTS OF THE DATA HOLDERS

In accordance with current legal provisions, the following are the rights of the holders of personal information:

Right to know, update, rectify, consult your personal data at any time in front of AVIANET regarding the data that it considers partial, inaccurate, incomplete, fractioned and those that lead to error. Right to request at any time a proof of the authorization granted to AVIANET except in those cases in which the person in charge is legally released from having authorization to process the data of the owner. Right to be informed by AVIANET upon request of the owner of the data, regarding the use that has been given to them. to present before the Superintendency of Industry and Commerce the complaints it deems pertinent to assert its right to Habeas Data. Right to revoke the authorization and / or request the deletion of any data when it considers that AVIANET has not respected its rights and constitutional guarantees. Right to free access to the personal data that you voluntarily decide to share with AVIANET.

The information and / or personal data that we collect from you are the following:

Kind of person:

Natural: names and surnames, type of identification, identification number, gender, marital status and date of birth, email, financial data (bank accounts).

Legal: company name, TIN, address, telephone, cell phone, email, country, city, financial data (bank accounts).

Information necessary to facilitate the trip or other services, including preferences such as class of travel, names and surnames of passengers (type of document, document number, date of birth, first name, last name, gender, email, nationality, passport expiration date ), contacts in case of accident or any other anomaly (names and surnames, telephone number).

Cardholder data: type of document, document number, telephone, address, email, names, card number, expiration date and bank.

Quote request: names, surnames, telephone numbers, city and email.

Travel information: type of request, destination, departure date, duration, number of adults, number of children, hotel category, food, additional services, transportation service, budget per person.

Write to Jean Claude Bessudo: names, surnames, identity card, address, telephone (landline or cell phone), city and email.

Chat "online help": name, email, what is your question?

Evaluate our site: your opinion is very important for us to continuously improve our service channels: names, surnames, email, telephone numbers and city.

Claim request: names, surnames, identification number, address, telephone numbers, city, email and comments.

Report of technical problems: names, surnames, address, telephone numbers, city, email and comments.

Biometric data: images, video, audio, fingerprints that identify or make identifiable our clients, users or any person who enters or is or transits in any place that AVIANET has implemented devices to capture said information.

These data can be stored and / or processed on servers located in the data processing center, whether owned or contracted with providers, located in different countries, which is authorized by our clients / users, by accepting this treatment and protection policy. of personal data.

AVIANET reserves the right to improve, update, modify, delete any type of information, content, domain or subdomain, that may appear on the website, without any prior notice obligation, understanding as sufficient with the publication on the websites of Aviatur. For the solution of legal or internal requests and for the provision or offer of new services or products.

TREATMENT, SCOPE AND PURPOSES

AVIANET informs the owners that the data collected from our clients, contractors and suppliers may be used for the following purposes. The treatment may be carried out by AVIANET directly or through its contractors, consultants, advisors and / or third parties in charge of the processing of personal data, to carry out any operation or set of operations such as the collection, storage, use, circulation, deletion , classification, transfer and transmission (the "Treatment") of all or part of your personal data: The support of the contractual relationship established with AVIANET. The provision of services related to the products and services offered. The performance of all activities. related to the service or product, will be included in an email list for sending the newsletter. Send information about changes in the conditions of the services and products purchased, and notify you about new services or products. Manage your requests, clarifications, and research; develop studies and programs that are necessary to determine habit Consumer issues Fine-tuning of security filters and business rules in commercial transactions; confirm, process such transactions, with your financial institution, with our service providers and with yourself Perform periodic evaluations of our products and services in order to improve their quality Sending, by traditional and electronic means, information technical, operational and commercial products and services offered by AVIANET, its associates or suppliers, currently and in the future. The request for satisfaction surveys, which is not obliged to answer. Carry out the transmission and / or transfer of data to other companies. , commercial alliances or third parties in order to fulfill the obligations acquired. The transmission and transfer may even be made to third countries that may have a different level of protection compared to the Colombian, when necessary for the fulfillment of our obligations.Fulfill the obligations contracted by AVIANET with its clients at the time of acquiring our services and products. . Respond to queries, requests, complaints and claims that are made by control bodies and other authorities that by virtue of the applicable law must receive personal data. Any other activity of a similar nature to those described above that is necessary to develop the AVIATUR's corporate purpose Make inquiries in different databases and authorized sources (such as OFAC, UN lists, among others) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our prevention and risk management - SARLAFT. • The data collected from our tr workers: To comply with the obligations contracted by AVIANET with the workers who hold the information, in relation to the payment of wages, social benefits, and others enshrined in the employment contract and current labor regulations. Inform the worker of the news that is presented in development of the employment contract and until after its completion Evaluate the quality of the services we provide Conduct internal studies on the habits of the worker who owns the information or request personal information for the development of programs or management systems Make discounts of payroll authorized by the worker Manage their requests, administration of activities, clarifications and investigations Marketing and sale of our products and services Sending, by traditional and electronic means, technical, operational and commercial information of products and services offered by partners or suppliers, now and in the future. Pray studies and programs that are necessary to determine consumption habits Carry out the transmission and / or transfer of data to other companies, commercial alliances or third parties in order to fulfill the obligations acquired. The transmission and transfer may even be made to third countries that may have a different level of protection compared to the Colombian, when necessary for the fulfillment of our obligations The request for surveys, which the worker is not obliged to answer. of transmission or transfer, the information received to all judicial and / or administrative entities when it is necessary for the fulfillment of the duties as an employer to fulfill the obligations of labor, social security, pensions, professional risks, compensation funds family (Comprehensive Social Security System) and taxes Transfer the employer's personal information to third parties that legitimately have the power to access said information, which includes, but is not restricted to, the companies of Grupo Empresarial Aviatur Ltda. by way of transmission or transfer the personal information of the work ajador to all entities that are related to the compliance of the person in charge in his capacity as employer Any other activity of a similar nature to those described above that is necessary to develop the corporate purpose of AVIATUR and its labor obligations acquired by virtue of the conclusion of the contract work or by ministry of law Make inquiries in different databases and authorized sources (such as OFAC, UN lists, among others) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies - SARLAFT. The processing of personal data will be carried out with the prior authorization of the owner of the data, except in events in which the data is of a public nature. For this, an authorization form for data processing has been implemented, which must be filled out by the owner of the information at the same time that they deliver their personal information. In said authorization, the scope and purposes of the processing of personal data are explained, an allusion is made to the authorization by another, the data of minors and sensitive data, as well as the channel of attention of the holders who wish is defined. exercise the rights contemplated within the habeas data and, the place where this policy is hosted is indicated. For the purposes of advancing the processing of the data, AVIANET employs all the activities aimed at preserving the confidentiality of the information. The authorization will be obtained through any means that may be subject to subsequent consultation, such as the web page, forms, formats , face-to-face activities or through social networks, etc. The authorization may also be obtained from the unequivocal conduct of the owner of the data that allows to reasonably conclude that he granted authorization for the processing of your information If you provide us with personal information about a person other than yourself, such as your spouse or a partner work, we understand that you have the authorization of said person to provide us with your data; and we do not verify, nor do we assume the obligation to verify the identity of the user / client, nor the veracity, validity, sufficient and authenticity of the data of each of them, provide. By virtue of the foregoing, we do not assume responsibility for damages or prejudices of any nature that could have origin in the lack of veracity, homonymy or the supplantation of identity information Since AVIANET, belongs to the Aviatur Business Group, your personal information It can be shared by way of transfer or transmission with group companies, business partners and / or third party providers involving (flight reservation systems, hotels, cars, transactional security validators, banks, financial networks, tourist services), These processes can be carried out in different places from which the purchased tourist service or product is contracted, with the same purposes that have been indicated for the collection of personal data. Said entities are obliged to comply with the corresponding confidentiality, transmission or transfer agreements. The Personal Data collected will be subject to manual or automated treatment and incorporated into the corresponding files or databases (hereinafter, the "File"), either in quality as the person in charge of the treatment and the person responsible for the protection of the data. To determine the term of the treatment, the rules applicable to each purpose and the administrative, accounting, fiscal, legal and historical aspects of the information will be considered.When at the time of providing the service the owner is accompanied by minors or persons considered with disabilities, and in which the collection of their personal data occurs, AVIANET will always request the authorization of whoever has the legal representation of the minor. Now, if personal information of the population mentioned here is delivered without being the legal representative, you state that you have the authorization of the respective legal representative, directly assuming the responsibility that this entails. AVIANET will strive to respect their rights at all times, and their superior and prevailing interest. The representative must guarantee the right to be heard and assess their opinion of the treatment taking into account the maturity, autonomy and capacity of minors. The representatives are informed of the optional nature of answering questions about the data of minors. The data of minors, included in a special category of protection, will be treated in accordance with the applicable legislation on the matter and in accordance with the provisions of our personal data policy.The companies of the Aviatur Business Group have adopted the levels protection of personal data legally required, and has installed all the means and technical measures at its disposal to prevent the loss, misuse, alteration, unauthorized access and illegitimate theft of personal data provided to AVIANET, however, The owner must be aware that Internet security measures are not unbreakable. If you choose to delete your information, to the extent permitted by law, we will keep certain personal information in our files in order to identify the data for accounting and tax purposes. of the transactions carried out, prevent fraud, resolve disputes, investigate conflicts or incidents, h To comply with our terms and conditions of use and comply with legal requirements.However, at the time you decide to revoke your authorization, the information hosted will not be used for the purposes set forth herein, only in the terms strictly necessary and defined in the previous paragraph.Security Risks that you must take into account when carrying out transactions on the Internet: A user may be deceived by means of emails or some DNS server deception, to visit a false site that presents the same design, but where card data is uploaded to the fake system, stealing cardholder information. Therefore, it is important to generate the culture that users must enter directly through known domains to reduce risks to carry out transactions. It may occur that the computer where the user is carrying out the transaction has some spyware installed without prior knowledge. or malicious intent that captures everything typed by the keyboard or captures information from input devices and is sent to any network or host on the internet. Therefore, it is recommended as far as possible that the transaction be carried out on the home or office computer. There could be an impersonation of the owner that the owner denies having sent and / or received the transaction and is used by a third party. It is recommended that from the computer where you carry out electronic transactions, you have an updated and active antivirus to mitigate the risks of fraud.If the personal information was collected or provided before July 30, 2013 and you did not express your opposition to your data personal data are transferred, it will be understood that you have given your consent. In the event that you want to ratify your consent or express your refusal, you can indicate it through the following email privacy@aviasolucioneshoteleras.com Like other websites, AVIANET uses certain technologies, such as cookies, and device fingerprinting, that we they make your visit to our site easier and more efficient, providing you with a personalized service and recognizing you when you return to our site. For the purposes of this Privacy Notice, "cookies" will be identified as the text files of information that a website transfers to the hard drive of the users' computer in order to store certain records and preferences. The websites may allow advertising or third-party functions that send "cookies" to the computers of the holders. Cookies are only associated with an anonymous user and their computer, and do not provide the name and surname of the same, in many cases, you can browse any of the AVIANET websites anonymously. When you access any AVIANET website, your IP address (the Internet address of your computer) is recorded, so that you give us an idea of which parts of the website you visit and how much time you spend in each section. We do not link your IP address to any of your personal information, unless you have registered with us and entered the system using your profile. For this reason, it is possible that in certain applications AVIANET will recognize users after they have registered for first time, without having to register on each visit to access the areas and services or products reserved exclusively for them.Other services will require the use of certain access codes, and even the use of a digital certificate, in the characteristics to be determined.The cookies used cannot read cookie files created by other providers. AVIANET encrypts the user's identification data for greater security.To use the AVIANET website, it is not necessary for the user to allow the installation of the cookies sent by AVIANET, without prejudice to the fact that in such case it will be necessary for the user to register at each of the services whose provision requires prior registration.

NATIONAL OR INTERNATIONAL TRANSFER OF PERSONAL DATA

AVIANET may transfer data to other data controllers when authorized by the owner of the information or by law or by an administrative or judicial mandate.

INTERNATIONAL AND NATIONAL TRANSMISSION OF DATA TO MANAGERS

AVIANET may send or transmit data to one or more managers located inside or outside the Republic of Colombia in the following cases: a) When it has authorization from the owner and b) when without authorization there is a contract between the person in charge and the manager. data transmission.

DUTIES OF THE DATA CONTROLLER

Guarantee the owner, at all times, the full and effective exercise of the right to habeas data Request and keep, under the conditions provided in this law, a copy of the respective authorization granted by the owner Duly inform the owner about the purpose of the collection and the rights that assist you by virtue of the authorization granted. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access. Process the inquiries and claims formulated in the terms indicated in this law Adopt an internal manual of policies and procedures to ensure adequate compliance with this law and especially for the attention of queries and claims Inform at the request of the owner about the use given to their data. the data protection authority when there are violations of security codes and there are risks in the administration of the to information from the holders Comply with the instructions and requirements issued by the superintendency of industry and commerce.

DUTIES OF THOSE IN CHARGE OF TREATMENT

Guarantee the holder, at all times, the full and effective exercise of the right to habeas data. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access. Make the update in a timely manner, rectification or deletion of data in the terms of this law Update the information reported by those responsible for the treatment within five (5) business days from its receipt Process the queries and claims made by the owners in the terms indicated in this law Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, especially, for the attention of queries and claims by the owners Refrain from circulating information that is being controversial by the owner and whose blocking has been ordered by the superintendency of industry and commerce. Use of the information only to the people who can have access to it Report to the superintendency of industry and commerce when there are violations of security codes and there are risks in the administration of the information of the holders Comply with the instructions and requirements that imparts the superintendency of industry and commerce.

PETITIONS, COMPLAINTS AND CLAIMS

For the purposes of receiving requests, claims and queries related to the handling and processing of personal data, AVIANET has sent the email privacy@aviasolucioneshoteleras.com, to channel, study and answer them. Therefore, to said address they may send their requests, which will be treated as provided by Law 1581:

Queries: The owners or their successors in title may consult the personal information of the owner that resides in our database. AVIANET will provide them with all the information contained in the individual registry or that is linked to the identification of the owner. The query will be answered within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend the query within said term, the interested party will be informed, and the date on which the query will be addressed will be indicated, which in no case may exceed five (5) business days following the expiration of the first term.

Claims: The owner or his successors in title who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in the law, they may file a claim with AVIANET , which will be processed under the following rules:

The claim will be formulated by means of a request addressed to AVIANET with the identification of the owner, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to assert. If the claim is incomplete, AVIANET will require the interested party within five (5) days after receiving the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn. Once the complete claim is received, a legend that says “claim in procedure ”and the reason for it, within a term not exceeding two (2) business days. Said legend must be maintained until the claim is decided. The maximum term to attend the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed and the date on which their claim will be addressed will be indicated, which in no case may exceed eight (8) business days following the expiration of the first term. In any case, the owner or the successor in title may only file a complaint with the Superintendency of Industry and Commerce once the consultation or claim process with AVIANET has been exhausted.The area responsible for receiving and processing the claims is the Security Management of Information The request to delete the information and revoke the authorization will not proceed when the owner has a legal or contractual duty to remain in the database.

DATA OF THE RESPONSIBLE FOR THE TREATMENT

Company name: Operadora de Hoteles Avia SAS

Address: Andino Business Center, Carrera 11 # 82-01 Floor 4, Bogotá DC - Colombia

Email: privacy@aviasolucioneshoteleras.com

Phone: ( 57 1) 3817111

Website: www.aviasolucioneshoteleras.com

QUESTIONS OR SUGGESTIONS

If you have any questions or queries about the process of collection, treatment or transfer of your personal information, or consider that the information contained in a database should be corrected, updated or deleted, please send us a message to the following account e-mail address: privacy@aviasolucioneshoteleras.com.

For more information, about AVIATUR, the identity, address and contact forms, you can consult it at the following address www.aviasolucioneshoteleras.com. This website has with itself the terms and conditions, applicable to the services and products published, which can be consulted at any time for more information.

VALIDITY

AVIANET reserves the right to modify this policy to adapt it to new legislation or jurisprudence, as well as to good practices in the tourism sector and other sectors of the economy that are part of the business group. In such cases, AVIANET will announce on this page the changes introduced with reasonable anticipation of their implementation.

PRIVACY POLICY AND PERSONAL DATA TREATMENT OF THE Hotel Hacienda Combia

For all the purposes of this text, Hacienda Combia will be called THE HOTEL