Personal Data Privacy Policy
-
1. INTRODUCTION
The Privacy Notice is the document through which Othon Hotels explains to data subjects and other interested parties the practices and procedures adopted to make the relationship regarding privacy and protection of personal data transparent. Basically, this notice informs the data subject of their rights, guarantees, and procedures adopted by Othon Hotels in relation to the collection, use, sharing, storage, deletion, and any other forms of processing of personal information in its operational processes. Data protection gained special relevance after the entry into force of the European Union's General Data Protection Regulation (GDPR). Following the same line, Brazil adopted specific legislation to address the issue, namely Law No. 13.709/2018, better known as the General Data Protection Law (LGPD). This Privacy Notice contains information regarding how Othon Hotels processes, in whole or in part, automatically or not, personal data in its operational processes. This Notice aims to clarify for interested parties the measures adopted to respect data and the rights of individuals, as well as the processes and procedures through which the data subject may update, manage, or delete this information. This Privacy Notice may be updated due to any regulatory updates and procedural changes, which is why it is recommended that the data subject consult this document periodically. This document was prepared in accordance with the General Data Protection Law (Law No. 13.709/2018), the Brazilian Civil Rights Framework for the Internet (Law No. 12.965/2014), and other applicable legislation.
-
2. What are the main definitions?
LGPD – General Data Protection Law (Law No. 13.709/2018): http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
Personal Data: The General Data Protection Law (LGPD) defines, in its article 5, item I, that personal data is any information related to an identified or identifiable natural person. This definition includes any data that allows the direct identification of a natural person or through the combination of information that makes it possible to unequivocally identify a specific data subject.
Sensitive Personal Data: This is personal data relating to racial or ethnic origin, religious beliefs, political opinions, membership in a trade union or religious, philosophical or political organization, as well as data relating to health or sex life, genetic or biometric data, when linked to a natural person.
Data Subject: The data subject is the natural person to whom the personal data being processed refers, i.e., the person who owns the information.
Controller: This is the natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data.
Processor: This is the natural or legal person, governed by public or private law, who processes personal data on behalf of the controller.
Data Protection Officer (DPO): This is the person who acts within the organization as a liaison and communication channel between the controller, the data subjects, and the National Data Protection Authority (ANPD).
Othon Hotels SA
Av. Nossa Senhora de Copacabana, nº 995 Copacabana – Rio de Janeiro/RJ – CEP 22060-001
Telephone: (55 21) 2106-1500
Website: www.othon.com.br
ANPD – National Data Protection Authority: It is the public administration body responsible for ensuring, implementing and monitoring compliance with the General Data Protection Law throughout the national territory.
-
3. What are the rights of the data subject?
The General Data Protection Law (LGPD) grants data subjects a series of rights, which are fully respected by Othon Hotels, as stipulated in Article 18 of said law. These are:
I – Right to confirmation of the existence of processing (Art. 18, I): This consists of the data subject's right to obtain confirmation from the controller regarding the existence of the processing of their personal data within the organization.
II – Right of access (Art. 18, II): This is the data subject's right to access the personal data being processed by the organization.
III – Right to rectification (Art. 18, III): The data subject may request the controller to correct incomplete, inaccurate, or outdated data.
IV – Right to erasure (Art. 18, IV): This refers to the possibility of having their personal data deleted from the controller's database, subject to the legal hypotheses for data retention.
V – Right to restriction of processing (Art. 18, V): This is the right of the data subject to restrict the processing of their personal data, which can be exercised when they contest the accuracy of the data, when the processing is unlawful, when the controller no longer needs the data for the proposed purposes, when there is opposition to the processing, or in the case of processing unnecessary data.
VI – Right to object (Art. 18, VI): This consists of the possibility for the data subject, at any time, to object to the processing of personal data concerning them, for reasons related to their particular situation, including the use of their data for marketing profiling.
VII – Right to data portability (Art. 18, VII): This is the right of the data subject to request the controller to send their personal data to another service or product provider, by means of an express request, in accordance with the regulations of the National Data Protection Authority (ANPD), observing commercial and industrial secrets.
VIII – Right not to be subject to automated decisions (Art. 18, VIII): This is the right of the data subject not to be subject to decisions taken solely on the basis of automated processing of personal data, including profiling, which produce legal effects concerning him or her or similarly significantly affect him or her.
The data subject may exercise their rights by means of written communication, clearly specifying which rights they wish to exercise with the controller. The request must be sent to the email address of the Data Protection Officer (DPO) of Othon Hotels: dpo@othon.com.br. The data subject will receive a response to their requests within a maximum period of 15 (fifteen) days, counted from the date of the request, as provided for in article 19 of the LGPD.
-
4. What are the principles relating to data processing?
Othon Hotels is committed to complying with the provisions of the General Data Protection Law (LGPD), respecting the principles set forth in applicable legislation. These are:
Principle of Purpose: The personal data of the data subject will be processed for legitimate, specific, explicit purposes, informed to the data subject, without the possibility of subsequent processing in a manner incompatible with these purposes.
Principle of Adequacy: The personal data of the data subject will be processed in a manner compatible with the informed purposes, according to the context of the processing.
Principle of Necessity: The personal data of the data subject will be processed in a relevant manner and limited to the minimum necessary for the achievement of the purposes for which they are processed.
Principle of Free Access: Data subjects will be guaranteed easy and free access to information about the form and duration of the processing, as well as about the completeness of their personal data.
Principle of Data Quality: The personal data of the data subject will be accurate, clear, relevant, and updated whenever necessary, so that inaccurate data is deleted or rectified, when possible.
Principle of Transparency: Data subjects will have access to clear, accurate, and easily accessible information about the processing of their personal data, including information about the data controllers, without prejudice to commercial and industrial secrets.
Principle of Security: The data subject's personal data will be processed securely, protected against unauthorized or unlawful processing, as well as against accidental loss, destruction, or damage, through the adoption of appropriate technical and organizational measures.
Principle of Prevention: All necessary measures will be taken to prevent the occurrence of damages due to the processing of personal data.
Principle of Non-Discrimination: The data subject's personal data will not be processed for discriminatory, unlawful, or abusive purposes.
Principle of Accountability and Reporting: The processing of personal data will be carried out in a way that demonstrates the adoption of effective measures capable of proving compliance with personal data protection regulations.
All processing of personal data carried out by Othon Hotels aims to fully respect the principles described above.
-
5. What personal data is processed by Othon Hotels?
Othon Hotels processes personal data of individuals who are or were clients, as well as those who maintain or have maintained some type of relationship with the company, such as attorneys, employees, former employees, partners of clients, companies or entities with which Othon Hotels relates or intends to relate. The personal data processed varies according to the purposes of use, including those indicated in this Privacy Notice, as well as according to the activities carried out. As a rule, Othon Hotels does not process personal data of minors or adolescents. If, exceptionally, such processing occurs, it will only be carried out if there is an applicable lawful legal basis, in accordance with the General Data Protection Law (LGPD). Othon Hotels processes sensitive personal data in strict compliance with the provisions of Article 11 of the LGPD, that is, only when there is consent from the data subject or, in the absence thereof, in cases where processing is indispensable for compliance with a legal or regulatory obligation by the controller; for the regular exercise of rights, including in contracts and in judicial, administrative or arbitration proceedings; or also to guarantee the prevention of fraud and the security of the data subject, in the identification and authentication processes of registration in electronic systems, safeguarding the rights provided for in article 9 of the LGPD and provided that fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail.
-
6. LEGAL BASES FOR PROCESSING PERSONAL DATA
The General Data Protection Law (LGPD) requires that all processing of personal data be based on at least one legal basis provided for by law. At Othon Hotels, the processing of personal data is carried out based on the following legal justifications:
Consent of the data subject;
Compliance with a legal or regulatory obligation by the controller;
Execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;
Regular exercise of rights in judicial, administrative or arbitral proceedings, the latter under the terms of Law No. 9,307, of September 23, 1996 (Arbitration Law);
Protection of the life or physical integrity of the data subject or a third party;
Legitimate interest of the controller or a third party;
Credit protection.
All operational processes of Othon Hotels involving the processing of personal data meet, at a minimum, one of the legal bases provided for in the LGPD.
-
7. SECURITY RELATING TO THE PROCESSING OF PERSONAL DATA
Othon Hotels is committed to adopting all appropriate technical and organizational measures to protect the personal data processed against unauthorized access and against situations of destruction, loss, alteration, communication or improper dissemination of this data. To ensure information security, solutions will be adopted that consider available techniques, implementation costs, as well as the nature, scope, context and purposes of the processing, in addition to the risks to the rights and freedoms of data subjects. Othon Hotels is exempt from liability in cases of exclusive fault of third parties or the data subject himself, as provided for in the General Data Protection Law (LGPD). Othon Hotels also undertakes to notify the data subject, within a reasonable timeframe, should any security incident occur that may cause significant risk or damage to their personal rights and freedoms. A personal data breach is considered to be any security incident that results, accidentally or unlawfully, in the destruction, loss, disclosure or unauthorized access to personal data transmitted, stored or subjected to any form of processing. The stored personal data is processed in a way that guarantees the confidentiality, integrity, and availability of the information, within the applicable legal limits.
-
8. INTERNATIONAL DATA TRANSFERS
Othon Hotels processes personal information both domestically and in countries with similar or equivalent data protection laws. Furthermore, it maintains specific contractual clauses to ensure the correct processing of data, in accordance with applicable Brazilian laws and regulations. When Othon Hotels processes personal data across borders, it guarantees respect for the rights and freedoms of data subjects.
-
9. DATA CONTROLLER
PERSONAL DATA – CONTROLLER
The controller, responsible for processing the data subject's personal data, is the natural or legal person, public authority or other body which, alone or jointly with others, determines the purposes and means of processing personal data. In this case, the controller of personal data is Hotéis Othon, which can be contacted via email at contato@othon.com.br.
-
10. DATA PROTECTION OFFICER (DPO)
The Data Protection Officer (DPO) is the person appointed by the controller and the processor to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD). In the case of Othon Hotels, the Data Protection Officer (DPO) is Roberto Razuck, who can be contacted via the following email address: dpo@othon.com.br
-
11. CHANGES TO THIS PRIVACY NOTICE
This Privacy Notice was last updated on September 14, 2022. Othon Hotels reserves the right to modify this Privacy Notice at any time. Therefore, data subjects are advised to review this document frequently. Changes and any clarifications will take effect immediately upon publication on the company's website.
-
12. CONTACT INFORMATION
Othon Hotels can also be contacted using the information below:
OTHON HOTELS
Email: telefonia.roph@othon.com.br
Phone: (21) 2106-1500
Address: Av. Nossa Senhora de Copacabana, nº 955 – 2º andar (parte), Copacabana, Rio de Janeiro/RJ – CEP 22060-001
Data Protection Officer (DPO): dpo@othon.com.br




