Privacy and Data Protection Policy (PPPD) – GAV RESORTS GFP GESTAO GO LTDA

1. DATA PRIVACY AND PROTECTION POLICY – PPPD GFP GESTAO ADM GO, a private legal entity, registered under CNPJ No. 58.009.201/0001-30, with headquarters at AV 136, No. 761, QUADRA F44 LOTE 02 E SALA A3 20 EDIF NASA BUSINESS STYLE, Setor Sul, GOIANIA - GO, CEP. 74.093-250, as well as the companies belonging to its group, hereinafter referred to as the “CONTROLLER”, due to access by a data subject, hereinafter referred to as the “SUBJECT”, when expressing interest in the acquisition of goods and services, hereby presents and makes public its DATA PRIVACY AND PROTECTION POLICY - PPPD, in compliance with the provisions of Law No. Law 13.709/18 – General Data Protection Law – LGPD, aims to enable and offer a personalized experience when contracting and offering services and products, in addition to protecting the privacy of personal information collected.

This policy aims to fulfill the commitment to protect personal information, and to that end it has been adopted by its affiliates, subsidiaries, and independent and distinct legal entities that comprise GFP GESTAO ADM GO, as defined in this document.



2. CONTACT

All contact regarding questions, clarifications, and other actions related to the PRIVACY AND DATA PROTECTION POLICY (PPPD) may be sent via email to the responsible DPO, as follows: Responsible DPO: LUCIANO SIMÕES DE ALMEIDA Email: lgpd@gavresorts.com.br



3. DATA COLLECTED

Personal information is collected and processed to offer the customer the best possible experience. The information collected may vary depending on the interaction method, and includes:

- WEBSITE ACCESS: While browsing our website, we use Necessary, Analytical, and Marketing Cookies. The latter collect browsing data: Access origin, pages accessed, average time spent on the site, hotels booked, average ticket price, booking value, number of bookings, and exit page, via Google Analytics.

- ACCOUNT CREATION: When you register on the portal/website, personal data such as full name, email, and CPF (Brazilian tax identification number) will be stored, exclusively for the purpose of making reservations, communications, and general sending of offers and promotions.

- RESERVATION: When making reservations, via the portal/website or by telephone when made through the call center, personal data such as full name, CPF (Brazilian tax identification number), contact phone number, email, date of birth, and residential address will be collected and stored. Data relating to payment methods will not be stored or processed.

- RECEPTION: As required by regulatory bodies, including the Ministry of Tourism, upon check-in, guests or visitors must complete the National Guest Registration Form (“FNRH”). The mandatory data collected on the FNRH includes Full Name, CPF (Brazilian tax identification number), RG (Brazilian identity card number), Full Address, Country, Email, Date of Birth, Mobile Phone Number, and Telephone Number. Optional data may also be collected: Gender, Nationality, Last Place of Origin, Next Destination, Reason for Travel, Means of Transportation, and Emergency Contact information. Payment information may also be collected.



4. DATA PROCESSING

The Privacy and Data Protection Policy (PPPD) is based on the processing of data for the fulfillment of the accommodation contract signed between the CONTROLLER and its managed hotels and the DATA SUBJECT, in compliance with the General Data Protection Law, through the consent for use provided by the guest, as well as with the use of the Company's interests, specifically for the implementation of marketing actions, safeguarding the interests of the DATA SUBJECT.

Furthermore, the data processing may be carried out exclusively for the fulfillment of legal or regulatory obligations by the CONTROLLER, in addition to its use for credit protection. It is also worth noting that the data processing of its database may be shared with its managed hotels and with the entire GAV RESORTS GROUP, provided that these are in accordance with the guidelines contained in this document.



5. HOW IS THE COLLECTED INFORMATION USED?

Under applicable legislation, information may be collected at the following times:

  • While browsing the site, cookies will be used to improve the customer experience. These cookies are categorized as Necessary, Analytical, and Marketing Cookies, using proprietary technology for cookie management, following the best principles of Privacy by Design, as clearly stated next to the cookie consent management banner.

  • All information regarding data processing using cookies is expressed in the referenced technology, and it is up to the DATA SUBJECT to consent or not to its permission, as well as to revoke their consent at any time.

  • During customer registration, the data provided will be stored in a database, properly classified for marketing purposes, and may be transmitted to partners responsible for digital marketing campaigns, as well as to the managed hotels. The storage of this data is also used to allow communication with the DATA SUBJECT by the CONTROLLER.

  • When reservations are made, the collected data will be stored in a database and transmitted to the managed hotels. Payment data will not be stored with the CONTROLLER, being used only for processing the respective payments.

  • While the HOLDER is at Reception, the data provided will be stored in a database, archived for compliance with legal obligations, and transmitted to the Ministry of Tourism when requested, as well as to partners responsible for digital marketing campaigns. The CONTROLLER may also use the data to send satisfaction surveys, in addition to use in promotional campaigns.

  • At the time of payment, the data provided is processed and transmitted directly to credit card companies, as well as for compliance with tax obligations, and is deleted after the payment is completed.



    • 6. ON THE PROCESSING OF SENSITIVE PERSONAL DATA

    The CONTROLLER may process sensitive data when provided by the USER, aiming to guarantee a personalized and secure experience during the hosting period.



    7. ON THE PROCESSING OF DATA OF CHILDREN AND ADOLESCENTS

    Children and adolescents are prohibited from accessing the CONTROLLER's website, and the sale of products and/or services to minors under 18 years of age is not permitted. Access to the website is exclusively for individuals over 18 years of age, requiring the capacity to enter into legally binding contracts under the relevant legislation.

    If the CARDHOLDER is under 18 years of age, or cannot enter into legally binding contracts under applicable law, they must contact the hotel for assistance.

    Parents or guardians of children and adolescents must provide personal data at check-in, such as full name, verified by any valid document or certificate proving parentage. This information will be linked to the parents' or guardians' National Registry of Human Resources (FNRH) and will only be used in cases provided for by law, always in the best interest of the HOLDER.



    8. RIGHTS OF CREDIT HOLDERS

    The Data Subject has the right to request access, rectification, correction, anonymization, deletion, as well as confirmation of the existence of data processing, through the email indicated in ITEM 2. CONTACT, present in this agreement.

    If the CONTROLLER requests the deletion of stored information, the CONTROLLER may retain the data for the period necessary for: (i) purposes of complying with legal and/or regulatory obligations; (ii) for the regular exercise of its rights; (iii) for the exclusive use of the CONTROLLER, in anonymized format; and (iv) for study by a research body, safeguarding, whenever possible, the anonymization of the DATA SUBJECT's personal data.



    9. TERMINATION OF DATA PROCESSING

    The information processed and stored in the CONTROLLER's databases will remain for an indefinite period, in order to guarantee and facilitate, at the time of new reservations and check-in at managed hotels, speed and convenience in the search for information.

    The processing of the respective data may be terminated, with the regular exercise of the DATA SUBJECT's right, in accordance with the PRIVACY AND DATA PROTECTION POLICY – PPPD.