Privacy Policy Norte 19

This privacy notice is produced in accordance with the provisions of articles 8, 15, 16, 36 and other applicable provisions of the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, “LFPDPPP”).

1. Identity and principal address of the data controller.

Promotora de Hoteles Norte 19, S.A.B. de C.V., its affiliates and subsidiaries (hereinafter, indistinctly referred to as “Norte 19”), with principal address located at Av. Juan Salvador Agraz No. 69, Piso 12, Col. Santa Fe de Cuajimalpa, Alcaldía Cuajimalpa de Morelos, C.P. 05348, Mexico City, is the data controller for purposes of collecting and processing your personal data, which is collected as a result of the host-guest relationship we have and your affiliation to our loyalty programs and other programs or promotions to which you have subscribed and where we can be assisted by one or more data processors for improving the processing of your information.

2. Personal Data.

For the purposes set forth in this Privacy Notice, Norte 19 will collect from you the following personal data: name and surnames, date of birth, gender, address, telephone numbers, email address, social media accounts, likes and interests in social media, age range, federal taxpayers registry number (RFC), marital status, occupation, nationality or citizenship, license plate numbers; Facebook and Twitter accounts; main reason for travelling and number of trips per year; name and data of third parties; name of company, position and contact information; credit or debit card information and form of payment, billing information; information regarding your interests, opinions and hobbies; demographic data, including geolocation data of your device when using Norte 19's wi-fi, your IP address and browser type when collected through electronic means, data regarding internet services used from your device, as well as with respect to the use of third party apps and services.

Norte 19 does not collect personal information that is considered to be sensitive data according to the LFPDPPP. We can collect your credit card information for booking reservations and for payment purposes in case you do not fulfil your reservation.

Norte 19 collects or can collect personal data about you in the following ways:

• Personally, when you provide personal information to any of our employees, by completing forms to accept our accommodation agreement and checking in with us, or at our front desk. Also, when you answer satisfaction and service quality questionnaires, or sign-up for contests, promotions or loyalty programs.

• Directly, when you provide personal information to us by telephone or through our website www.norte19.com, to: identify yourself, create a profile or login to access an existing profile on our website, complete a reservation form, pre-check-in prior to your arrival at the Hotel, or check-out, as applicable, to any of our hotels, interact in our social media or through cookies or web beacons, or by email. Also, when you use any of Norte 19 hotels' wi-fi networks, when you complete satisfaction and service quality questionnaires online, or when you sign up for offers and contests through electronic media.

• Indirectly, when you provide personal information to any of our vendors, such as travel agencies or third parties that provide us with databases, or that support us during our reservation and marketing processes.

A cookie is a text file that is stored on the hard drive of your computer or electronic communications device when you visit our Websites and that allows our Websites and your web browser to share status information. Status information may reveal session identification and authentication methods or user preferences, as well as any data stored by the web browsers about the website. On the other hand, a web beacon is a visible or hidden image that is placed on our www.norte19.com website or email and is used to monitor your behavior when visiting the website or sending an email. Web beacons can pass along information such as the source IP address, web browser used, operating system, the time of access to the website, and in the case of email, data association. Data collected through these means enables us to improve our service through our site. Most web browsers allow you to manage your cookie preferences. You can configure your browser to reject all cookies or opt-out of certain cookies. In general, you should be able to manage similar technologies in the same way you manage cookies, using your browser preferences. The following links show you how to configure the most commonly used web browsers:

  • Internet Explorer
  • Firefox
  • Safari
  • Chrome

Please note that if you choose to block cookies, the services and functionality of our website could be affected or may not be available.

One of the third-party services we use to track the services that we offer, for example, placing cookies, is Google Analytics. If you do not wish for Google Analytics to collect and use your information you can select the opt-out option on your web browser (tools.google.com/dlpage/gaoptout?hl=None).

3. Purpose.

The personal data is collected and processed for the following necessary purposes:

a) To keep record of the guests in order to identify them as customers or users and be able to provide the best possible service and attention, being able to record the duration of the online session.

b) To validate the identity of the guest and verify the veracity of the information provided, being able to cancel the user's account if the data provided contains irregularities or misrepresentations.

c) To contact guests whenever required, among others, to complete transactions or provide customized services, or in case of emergency. To contact guests whenever required through different means of communication, such as telephone, chat and email, among others, to complete transactions, process reservations, provide customized services, offer promotions, benefits or discounts, update our databases, or in case of emergency.

d) To collect billing information if required.

e) To make in-person reservations directly at our hotels or online through our app and/or www.norte19.com website, in accordance with the guests' specifications and needs.

f) To collect your credit card information, which will only be used to secure the reservation and will only be charged if the reservation is not fulfilled.

g) To inquire on the quality of our service and understand the specific needs of each guest for purposes of providing a better service.

h) To comply with Norte 19's internal policies and processes, as well as with all mandatory legal and contractual provisions we have assumed by virtue of the existing commercial relationship.

i) To address guests' claim requests or complaints and/or comply with the requirements of competent authorities.

j) To protect Norte 19's interests and rights in accordance with legal provisions.

Your personal data will also be processed for the following purposes:

a) To create a personal profile on our app or www.norte19.com website that will allow you to receive notifications of special offers, promotions, advertising information, enroll in our loyalty programs and send e-cards and invitations to our events, among other additional services.

b) To sign you up for contests, raffles, promotions and sweepstakes, including in digital form, which allows us to adapt the promotions and notifications we send to you, and to get in touch with the winner.

c) To perform online surveys and satisfaction and service quality questionnaires or website evaluation questionnaires.

d) To send personalized advertising and advertising for marketing, statistical and commercial prospecting purposes.

e) To be anonymously shared with our business partners for statistical purposes only in order to generate audiences to whom we can target ads in Internet search engines and distribution lists for digital publicity.

You can modify the information provided for the purposes set forth above at any time by changing the security options on our website www.norte19.com, or by updating your personal data on your profile, in order to customize the promotions and notifications we send according to your own preferences. Furthermore, you can choose not to receive marketing communications from us by clicking on the link that appears on each of the advertisements you will receive, selecting to be removed from our marketing and advertising services mailing list. Also, you can contact our Personal Data Department and request that your information is not used for unnecessary purposes, in accordance with the procedure set forth in section 5 hereof.

We also want to let you know that you can enroll in the Public Registry of Consumers (Registro Público de Consumidores) provided for in the Federal Consumer Protection Law (Ley Federal de Protección al Consumidor), and in the Public Registry of Users (Registro Público de Usuarios) provided for in the Law on the Protection and Defense of Financial Services Users (Ley de Protección y Defensa al Usuario de Servicios Financieros), to avoid receiving advertising information. We will respect your decision should you decide to enroll in such registries.

4. Consent to process your personal data.

By providing your personal information and not objecting to provide the personal information requested or to have such data processed for the specified purposes if you do not agree with having Norte 19 process any of your personal information, you are granting your implied consent. If you do not wish to provide certain data we request or do not agree with the processing thereof, you must, prior to providing such data, express your refusal. You have the right to provide only such data as you deem necessary for the specified purposes.

If you consent to the processing of your personal information for the specified purposes, in accordance with this privacy notice, please agree to this privacy notice and informed consent.

If at a later time you wish to withdraw your consent to have your personal and sensitive data processed in terms of this Privacy Notice, please send an email to: datospersonales@norte19.com, together with an official form of identification, expressing your desire to withdraw your consent, or send a written document duly signed by you, accompanied by a copy of your official valid photo identification, by postal mail to the address Norte 19 has indicated herein.

5. Transfer of personal data.

Norte 19 may transfer your personal data to third parties for the purposes set forth in this Privacy Notice, including:

a. Your personal data may be shared with competent authorities where applicable by law, whether located in Mexico or abroad.

b. Norte 19 can transfer all or part of your personal information to our www.norte19.com website support service providers, such as GoogleAnalytics, with the purpose of providing information such as your IP address, statistical services and data analysis of our website usage, whether located in Mexico or abroad.

c. Norte 19 can also share your personal data with marketing and advertising service providers for email advertising data hosting.

d. Norte 19 may share or transfer your personal data to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding. Accordingly, we may assign and transfer all of the rights, benefits, duties, and obligations of this Privacy Notice, under the circumstances described in this paragraph.

As we require your authorization to transfer your personal data in terms of paragraphs c and d above, you can oppose these transfers of your personal data by sending an email to datospersonales@norte19.com.

6. ARCO Rights

Pursuant to the LFPDPPP, you have the rights to Access, Rectify, Cancel and Oppose the Processing of your personal data, also known as “ARCO Rights”, which are briefly described below:

- Access: The right to access your personal data we hold, as well as to obtain information on how such personal data is processed.

- Rectification: The right to rectify your personal data should this information be inaccurate or incomplete;

- Cancellation: The right to request the removal of your personal data from our records and databases if you consider that this information is not being processed according to the guidelines and duties set forth in the LFPDPPP and its Regulations.

- Opposition to the Processing: The right to oppose the processing of your personal data when there is a justified reason or to the processing of your personal data for specific purposes.

The LFPDPPP also grants you the right to at any time withdraw the consent that you have previously granted to process your personal information.

To exercise your ARCO rights, to request or withdraw your previous consent to process and in general, to respond to any question or claim you may have with respect to the processing of your personal information, or to know if there are any other options available (in addition to those set forth herein) to limit the use or disclosure of your data, please contact our Personal Data Department (Departamento de Datos Personales, “DDP”).

Your request to cancel, revoke and oppose the processing will be assessed as provided under the LFPDPPP and the admissibility or inadmissibility thereof will be resolved taking into account the provisions of the LFPDPPP and other obligations applicable to Norte 19 (tax, commercial, consumer protection, public safety, health, etc.). In general, please consider that your requests may or may not be admitted where the processing is necessary to comply with a legal obligation that has been imposed on or acquired by Norte 19.

In any event, a simple request must be submitted as provided above. Our DDP will inform you on (i) the identification information required as well as the documents that you will need to send together with your request; (ii) the terms within which you will receive a response to your request; (iii) how you must submit your request, including any forms you may use to do so, if any, and; (iv) the method or means through which we will send information to you.

7. Personal Data Department (“DDP”).

You can contact our DDP at:

Av. Juan Salvador Agraz número 69, Piso 12, Col. Santa Fe de Cuajimalpa, Delegación Cuajimalpa de Morelos, C.P. 05348, México, Distrito Federal,

Email: datospersonales@norte19.com

Please always include your name and contact information.

8. Security of Personal Data

Norte 19 has taken and uses the required physical, organizational, administrative and technical security measures to prevent the loss, misuse, tampering or illegal disclosure of information and protect the personal data that you provide against damages, loss, tampering, destruction or unauthorized use, access or processing. Third parties with whom we share your personal data will be subject to privacy policies that are similar to those provided herein.

Norte 19 uses a secure server under SSL protocol on its website www.norte19.com to protect the information that you provide to us. In this regard, your acceptance of our privacy notice shall be deemed as your express authorization to transfer your information.

You can go to the National Institute for Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, “INAI”), if you consider there has been a personal data breach.

Norte 19 advises that if you do not agree to our privacy notice you will not be able to continue with your login or reservation process through any of our channels.

9. Modifications to the Privacy Notice.

Norte 19 reserves the right to make, at any time, changes or updates to this privacy notice, to include changes that derive from new legal requirements or internal policies. These modifications will be made available through the following means: visible announcements in our establishments, our website, or by email. If you do not agree with such modifications, please email us at the email address set forth above requesting the removal of your personal data, in accordance with the LFPDPPP.

“Please be advised that this website may use cookies and web beacons to collect personal information. You may disable them as provided in our Privacy Notice.”

Last updated: April, 2024

• Corporate Name: SAC BE VENTURES COLOMBIA S.A.S.

• TIN: 900.432.307-4

• Address: DG 25 G 95 66 P1 Bogotá, Colombia

• Email: datospersonales@norte19.com

• Telephone: (+571) 746 26 70

• Website: www.norte19.com

I. INTRODUCTION

The purpose of the Data Processing Policy is to comply with Colombian personal data protection legislation, that is, article 15 of the Political Constitution, Statutory Law 1581 of 2012 and the respective regulatory decrees and other provisions that add to, supplement or modify such legislation and to make the data subjects aware of the purposes for which their personal data will be processed by SAC BE VENTURES COLOMBIA S.A.S. (hereinafter, indistinctly referred to as “Norte 19” or “THE DATA CONTROLLER”) as the personal data controller, as well as of the rights that each Data Subject is entitled to in such capacity, the person or area in charge of addressing petitions, consultations and claims and the support channels enabled by Norte 19 to guarantee the exercise of the right to habeas data.

Norte 19, taking into consideration that in fulfillment of its corporate purpose it must collect and in different ways process personal information of its different groups of interest, undertakes to: i) at all times comply with personal data protection legislation in effect; ii) guarantee the exercise of the rights of habeas data of all data subjects whose personal data is in its databases and files; iii) develop technical, legal and administrative measures and controls aimed at establishing security conditions to avoid unauthorized or fraudulent tampering, loss, consultation, use or access of the data processed in its capacity as Data Controller.

Accordingly, within Norte 19's corporate and legal duty to protect the privacy right of data subjects, as well as the right to know, update or request the information of such data subjects recorded in our databases, Norte 19 has adopted this Data Processing Policy (hereinafter referred to as the “Policy”), whose purpose is to guarantee the right of habeas data of the data subjects whose personal data has been provided by virtue of a legal, contractual or any other kind of relationship and notify the different types of processing of the personal data it has or has had access to through different channels, as well as through third parties involved in our commercial or legal relationship with all of our SHAREHOLDERS, MEMBERS OF THE BOARD OF DIRECTORS, CANDIDATES FOR VACANCIES, INTERNS, TRAINEES, APPRENTICES, VENDORS OR CONTRACTORS, BUSINESS PROSPECTS, CLIENTS AND GUESTS.

Norte 19 is committed to adopting security and quality standards in order for the information provided by data subjects to be exclusively processed for the specific purposes for which it was collected by virtue of the existing legal or contractual authorization.

II. DEFINITIONS AND CONCEPTS

Please take into consideration the following definitions when reading this Policy:

• Authorization: prior, express and informed consent of the Data Subject to the processing of their personal data.

• Database: set of personal data that is subject to being processed.

• Consent: is a freely given, informed and unambiguous indication of the data subject's will to have a third party use his or her personal data.

• Consultation: Data Subjects and their successors may consult the Data Subject's personal data that is kept in any database, whether in the public or private sectors. The Data Controller or the Data Processor must provide to them all information contained in the individual records or that is linked to the Data Subject's identity.

• Personal Data: refers to any information related to an identified or identifiable individual and relating to such individual's identity, existence and occupation.

• Public Data: is any data that qualifies as such according to the Constitution or the Law and any data that is not semi-private or private in accordance with this law. Among others, data contained in public documents, official gazettes and newsletters and court rulings duly executed that are not subject to reservation and data relating to the marital status of individuals shall be considered as public data.

• Semi-private Data: semi-private data is data that is not sensitive, confidential or public and whose knowledge or disclosure may be of interest not only to the data subject but also to a certain sector or group of persons or to the community in general, such as financial and credit information of services or business activities.

• Private Data: is data that, due to its sensitive or confidential nature, is relevant only to the data subject.

• Sensitive Data: for purposes of this policy, sensitive data will be understood as any data that affects the Data Subjects' intimacy or which could be used to discriminate against them, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions or social, human rights organization or organizations that promote the interests of a political party or that seek to ensure the rights and guarantees of opposition parties, as well as data relating to their health, sexual life and biometric data.

• Data Processor: any individual or legal entity, public or private, that either alone or in association with others, processes personal data on behalf of the Data Controller.

• Habeas Data: the right of all data subjects to know, update, rectify or delete their personal data.

• Data Processing Policy or Policy: refers to this document, as the personal data processing policy applied by Norte 19 in accordance with the guidelines of data protection legislation in effect.

• Vendor: any individual or legal entity that provides a service to Norte 19 by virtue of a contractual or binding relationship.

• Complaint: if the Data Subject or any successor thereof deems that the information kept in a database must be corrected, updated or deleted, or becomes aware of an alleged infringement of any of the obligations provided under the law, they may submit a complaint before the Data Controller or the Data Processor.

• Data Controller: the individual or legal entity, public or private, that either alone or in association with others, controls the database and/or the processing of personal data.

• Processing: any operation or physical or automated procedure that enables the collection, recording, reproduction, preservation, organization, modification and transfer of personal data.

• Data Subject: the individual whose personal data is processed by a third party, whether a client, vendor, employee or any third party that, by virtue of a legal or commercial relationship, provides personal data to Norte 19.

• Transmission: refers to the transmission of personal data by the Data Controller to the Data Processor, inside or outside the territory of Colombia, in order for the Data Processor to process personal data on behalf of the Data Controller.

• Processing: any operation or set of operations on personal data, such as collection, storage, use, communication or deletion.

• Visitors: any individual or legal entity that visits Norte 19's offices located in Bogotá or any other city of Colombia, where applicable.

To understand any terms not included in the preceding listing, you should consult the legislation in effect, in particular Law 1581 of 2012 and chapters 25 and 26 of Decree 1074 of 2015, giving the meaning used in such rules to the terms whose meaning is in question.

III. PRINCIPLES APPLICABLE TO PERSONAL DATA PROCESSING

At Norte 19 we are committed to complying with the principles that govern the processing of personal data of our groups of interest and, in general, of any individual whose personal data is in our databases and/or files, guaranteeing that the general principles set forth below will be applied in the processing of such data:

• Principle of Legality. Personal data processing is a regulated activity and must have a legitimate purpose, therefore, Norte 19 must comply with the provisions set forth in Law 1581 and other applicable provisions.

• Principle of Purpose. Norte 19 will process personal data always with a legitimate purpose which must be previously informed to the data subject.

• Principle of Freedom. Norte 19 will only process personal data when it has obtained the prior, express and informed consent of the data subject. The data subject may, in any case, refuse to have such data subject's sensitive data processed.

• Principle of Veracity or Quality. Personal data that is processed by Norte 19 must be true, complete, accurate, updated, verifiable and comprehensible.

• Principle of Transparency. Norte 19 will guarantee the Data Subject the right to obtain information regarding all data that concerns such Data Subject, at any time and without restriction.

• Principle of Restricted Access and Circulation. Norte 19 agrees that processing of personal data will only be carried out by entities authorized by the data subject and/or the persons permitted by Law 1581 of 2012. Personal data will not be available on the internet or in any other mass communication or dissemination media, unless the access is technically controlled to provide a restricted access only to data subjects or authorized third parties.

• Principle of Security. The information to be processed by Norte 19 will be handled with the technical, human and administrative measures that are necessary to provide security and avoid unauthorized or fraudulent tampering, loss, consultation, use or access of the data.

• Principle of Confidentiality. Norte 19 undertakes that everyone who intervenes in the processing of personal data that is not classified as public will be required to guarantee the confidentiality of the information, including after completing any of the tasks involved in the processing of the data, and will only be able to provide or communicate the personal data when such provision or communication corresponds to the authorized activities.

• Principle of Accountability. Focuses on the acknowledgment and commitment of organizations to increase protection standards that procure and assure that personal data is handled correctly. This principle entails Norte 19's obligation to be accountable for its personal data protection activities, to accept responsibility in connection therewith and to disclose the results in a transparent manner.

IV. OBLIGATIONS OF NORTE 19 AS DATA CONTROLLER

Norte 19 as Data Controller must comply with the following obligations, notwithstanding any provisions provided in law and other legislation governing its commercial activity:

a. Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data;

b. Request and keep, under the conditions provided in the law, a copy of the relevant authorization granted by the Data Subject;

c. Adequately inform the Data Subject of the purpose of the data collection and the rights to which such Data Subject is entitled to pursuant to the authorization granted;

d. Keep the information under the necessary security conditions to prevent the tampering, loss, unauthorized or fraudulent consultation, use or access of the information;

e. Guarantee that the information provided to the Data Processor is true, complete, accurate, updated, verifiable and understandable;

f. Update the information, notifying the Data Processor in a timely manner of all developments with respect to the data that was previously provided, and adopt any other measures required to keep the information produced updated;

g. Rectify any incorrect information, providing updates to the Data Processor;

h. Provide to the Data Processor, as applicable, only such information whose Processing has been previously authorized in accordance with law;

i. Require the Data Processor to at all times apply the security and privacy measures to the Data Subject's information;

j. Process consultations and complaints made in terms of law;

k. Adopt internal policies and procedures to ensure proper compliance with the law and, in particular, to address consultations and complaints;

l. Report to the Data Processor when certain data is under discussion by the Data Subject, once the complaint has been filed and the respective proceeding has not been completed;

m. Upon request, inform the Data Subject of the use given to such Data Subject's data;

n. Notify the data protection authority of violations of the security codes and risks in the Data Subjects' information management;

o. Comply with the instructions and requirements of the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio).

V. PURPOSES FOR DATA PROCESSING

Norte 19 recognizes that the Data Subject is entitled to have a reasonable expectation of privacy, taking into consideration, in any case, such Data Subject's duties, rights and obligations with Norte 19. When establishing a relationship with Norte 19, we will handle your personal data with absolute confidentiality and, any collection, use, circulation, transmission, transfer and, in general, any type of processing thereof, will be carried out for the following purposes, which in any case will be in line with our corporate purpose and ordinary course of business.

For the purposes set forth in this Policy, Norte 19 will collect from you the following personal data: name and surnames, date of birth, gender, address, telephone numbers, email address, social media accounts, likes and interests in social media, age range, TIN, marital status, occupation, nationality or citizenship, license plate numbers; Facebook and Twitter accounts; main reason for travelling and number of trips per year; name and data of third parties; name of company, position and contact information; credit or debit card information and form of payment, billing information; information regarding your interests, preferences, opinions and demographic data, including geolocation data of your device when using Norte 19's wi-fi, your IP address and browser type when collected through electronic means, data regarding internet services used from your device, as well as with respect to the use of third party apps and services.

Norte 19 does not collect personal information that is considered to be sensitive data. We can collect your credit card information for booking reservations and for payment purposes in case you do not fulfil your reservation.

Norte 19 collects or can collect personal data about you in the following ways:

• Personally, when you provide personal information to any of our employees, by completing our hotel check-in forms, or at our front desk. Also, when you answer satisfaction and service quality questionnaires, or sign-up for contests or loyalty programs.

• Directly, when you provide personal information to us by telephone or through our website www.norte19.com, to: identify yourself, create a profile or login to access an existing profile on our website, complete a reservation form, check-in or check-out, as applicable, to any of our hotels, interact in our social media or through cookies or web beacons, or by email. Also, when you use any of Norte 19 hotels' wi-fi networks, when you complete satisfaction and service quality questionnaires online, or when you sign up for offers and contests through electronic media.

• Indirectly, when you provide personal information to any of our vendors, such as travel agencies or third parties that provide us with databases, or that support us during our reservation and marketing processes.

A cookie is a text file that is stored on the hard drive of your computer or electronic communications device when you visit our Websites and that allows our Websites and your web browser to share status information. Status information may reveal session identification and authentication methods or user preferences, as well as any data stored by the web browsers about the website. On the other hand, a web beacon is a visible or hidden image that is placed on our www.norte19.com website or email and is used to monitor your behavior when visiting the website or sending an email. Web beacons can pass along information such as the source IP address, web browser used, operating system, the time of access to the website, and in the case of email, data association. Data collected through these means enables us to improve our service through our site. Most web browsers allow you to manage your cookie preferences. You can configure your browser to reject all cookies or opt-out of certain cookies. In general, you should be able to manage similar technologies in the same way you manage cookies, using your browser preferences. The following links show you how to configure the most commonly used web browsers:

  • Internet Explorer
  • Firefox
  • Safari
  • Chrome

Please note that if you choose to block cookies, the services and functionality of our website could be affected or may not be available. One of the third-party services we use to track the services that we offer, for example, placing cookies, is Google Analytics. If you do not wish for Google Analytics to collect and use your information you can select the opt-out option on your web browser (tools.google.com/dlpage/gaoptout?hl=None).

1. General Purposes:

The purposes set forth below will apply to all data subjects who have granted their prior, express and informed authorization to process their personal data:

a. To inform material changes made to Norte 19's Policy.

b. To create and manage the pre-contractual and contractual commercial, labor, civil or any other kind of relationship that arises from the fulfillment of a legal or contractual obligation of Norte 19.

c. To respond to requests, consultations, claims and/or complaints submitted by data subjects through any of the channels enabled by Norte 19 for such purposes.

d. To transfer or transmit your personal data to judicial and/or administrative entities and/or authorities upon being required to do so in connection with its corporate purpose and when necessary to comply with its legal or contractual obligations.

2. Shareholders:

The processing of personal data of Norte 19' shareholders will be carried out in accordance with the provisions set forth in the Code of Commerce (Código de Comercio) and as provided by any other statute to that effect. The purposes applicable for processing personal data of the shareholders are the following:

a. To exercise the rights and obligations of shareholders in such capacity.

b. To make payment of dividends.

c. To collect, record and update their personal data in order to inform, communicate, organize, control, address and validate the activities of the shareholders in such capacity.

d. To comply with judicial, administrative and legal decisions relating to their capacity as shareholders.

3. Candidates for vacancies:

Norte 19 will process the personal data of candidates for vacancies for the following purposes:

a. To establish and manage the recruitment, selection and hiring process.

b. To conduct screening, competence and skills tests, home visits, psychosocial assessments and all other assessments that may be advisable to identify the appropriateness of hiring the candidate.

c. To store in a physical and/or digital file or folder identified with the name of the CANDIDATE; the folder or file may be accessed by Norte 19's management or whoever has been designated to that effect.

Norte 19 will keep the information in the file or folder of the candidate for a vacancy for a maximum period of time of 90 (ninety) days. Once such period of time has concluded, the respective folder or file will be destroyed or deleted.

4. Employees:

Norte 19 will process the personal data of its employees for the following purposes:

a. To incorporate their personal data in the employment agreement, and in any amendments and supplements thereto, as well as in other documents that are necessary to manage the employment relationship and obligations of Norte 19 arising therefrom in its capacity as Data Controller.

b. To conduct performance, competence and skills tests, home visits, psychosocial assessments and all other assessments that may be deemed advisable to identify the appropriateness of the employment relationship.

c. To adequately manage the employment relationship between the data subject and Norte 19.

d. To have the personal data of the collaborators in order to adequately incorporate such data in the active and historical data files of Norte 19 and keep them updated.

e. To send internal communications related or not to their employment relationship.

f. To handle the personal data in order to enable Norte 19, as employer, to duly comply with its obligations. For example: to advance the contributions to which the employee is entitled to with the integrated social security system, family compensation funds and other matters concerning social benefits, contributions, taxes, labor disputes, as well as in case of contributions or payments to other entities where the collaborator has previously authorized the processing of his/her data.

g. To handle the data subject's personal data and those of the data subject's family for purposes of carrying out affiliation procedures with health promotion entities −EPS−, family compensation funds, labor risks administrators −ARL−, and others that may be necessary for Norte 19 to comply with its obligations as employer.

h. To address employee's requests regarding issuance of certificates, certifications and other documents such employee may request to Norte 19 in connection with their employment relationship.

i. To promote the employee's participation in programs implemented by Norte 19 aimed at their welfare and good working environment.

j. To handle the personal data to ensure the adequate allocation of work tools (including IT tools such as email, computers, mobile devices, access to databases, etc.).

k. To handle the personal data to ensure the proper execution of the provisions of the Internal Labor Regulations, including the relevant disciplinary procedures and investigations.

l. To monitor and use the images captured in the surveillance video in order to control and oversee the conducting and performance of the activities in the workplace or jobsite.

m. To handle personal data to adequately make payroll payment, including discounts in connection with payments made to third parties that the employee has previously authorized and make the corresponding reports.

5. SENA Apprentices, Interns and University Trainees:

Norte 19 will process the personal data of the SENA apprentices, interns and university trainees for the following purposes:

a. To establish and manage the selection and recruitment process.

b. To incorporate their personal data in the learning or apprenticeship contract, and in any supplement thereto, as well as in other documents that are necessary to manage the apprenticeship relationship or intern contract and obligations of Norte 19 arising therefrom in its capacity as Data Controller.

c. To conduct tests and other assessments that may be deemed advisable to identify the appropriateness of recruitment of the apprentice, intern or trainee.

d. To adequately manage the apprenticeship relationship or intern contract that binds the data subject and Norte 19.

e. To send internal communications related or not to their recruitment.

f. To handle the personal data in order to enable Norte 19, as Data Controller, to duly comply with its obligations. For example: to advance the contributions to which the apprentice, intern or trainee is entitled to with the health promotion entities −EPS−, labor risks administrators −ARL−, and other matters in connection with their apprenticeship relationship or intern contract.

g. To address the apprentice, intern or trainee's requests regarding issuance of certificates, certifications and other documents they may request to Norte 19 in connection with their apprenticeship relationship or intern contract.

h. To promote their participation in programs implemented by Norte 19 aimed at their welfare and a good working environment.

i. To handle the personal data to ensure the adequate allocation of work tools (including IT tools such as email, computers, mobile devices, access to databases, etc.).

j. To monitor and use the images captured in the surveillance video in order to control the performance of the activities of the apprentice, intern or trainee in the workplace.

k. To use the personal data to conduct –when required− performance, competence and skills tests, home visits, psychosocial assessments and all other assessments required as a result of their apprenticeship relationship or intern contract.

l. To handle personal data to adequately make payment of the economic or support allowance and other consideration that Norte 19 must legally pay and make the corresponding reports.

6. Vendors and/or Contractors:

Norte 19 will process the personal data of vendors and/or contractors for the following purposes:

a. To adequately manage the contractual relationship.

b. To collect, record and update their personal data in order to inform, communicate, organize, control, address and validate their activities as vendors and/or third parties related to Norte 19 and other associated proceedings in its capacity as Data Controller.

c. To handle their personal data to carry out the different payment processes of invoices and accounts receivables submitted before Norte 19 and manage collection processes.

d. To assess the services offered or provided by the vendor and/or contractor.

e. To comply with any other legal obligation of Norte 19.

f. To analyze financial, technical and any other matters that will enable Norte 19 to identify the vendor's performance ability.

g. To comply with the obligations arising from the business relationship established with the vendor or contractor.

h. To provide assistance and/or information of general interest and/or commercial information to the vendor or contractor.

i. To develop and implement selection and assessment processes, prepare responses to information requests, elaborate requests for proposals and requests for quotes and/or award contracts.

j. To assess the quality of the products and services offered or provided to Norte 19.

k. To use, when necessary, personal data of vendor's collaborators in order to establish access controls to the physical or logical infrastructure of Norte 19.

l. To handle personal data to make payments to vendors, including handling of bank accounts numbers to adequately process payments.

m. To send or provide information to the competent authorities, upon request, or over the course of contractual disputes.

n. To provide information to administrative authorities who in the exercise of their duties require such information for purposes of complying with our legal obligations.

The DATA CONTROLLER understands that the provision and processing of the personal data and third-party data provided by vendors or contractors, such as workers authorized to perform the job or services entrusted, commercial certifications and references, has been authorized by the data subject for the purposes set forth in this Policy.

7. Guests:

Norte 19 will process the personal data of guests, directly or with the assistance of third-party product and service providers, for the following purposes:

a. To keep record of the guests in order to identify them as customers or users and be able to provide the best possible service and attention, being able to record the duration of the online session.

b. To validate the identity of the guest and verify the veracity of the information provided, being able to cancel the user's account if the data provided contains irregularities or misrepresentations.

c. To contact guests whenever required through different means of communication, such as telephone, chat and email, among others, to complete transactions, process reservations, provide customized services, offer promotions, benefits or discounts, update our databases, or in case of emergency.

d. To carry out transactions, file reports before different national and international control and surveillance administrative authorities, judicial or police authorities, Banks and/or insurance companies.

e. To collect billing information if required.

f. To make in-person reservations directly at our hotels or online through our app and/or www.norte19.com website, in accordance with the guests' specifications and needs.

g. To collect the guests' credit card information, which will only be used to secure a reservation and will only be charged if the reservation is not fulfilled. Debit cards may only be used to pay the full amount of the stay.

h. To inquire on the quality of our service and understand the specific needs of each guest for purposes of providing a better service.

i. To comply with all mandatory legal provisions applicable to Norte 19 in the context of the commercial relationship with its guests.

j. To comply with the contractual obligations Norte 19 has assumed with its guests by virtue of the existing contractual relationship.

k. To address guests' claim requests or complaints and/or comply with the requirements of competent authorities.

l. To protect Norte 19's interests and rights in accordance with legal provisions.

m. To promote and advertise our activities, products and services.

The personal data of guests will also be processed:

a. For internal and/or business purposes, such as market research, audits, accounting reports, statistical analysis, billing and offering and/or recognition of benefits of our loyalty programs.

b. To create a personal profile on our www.norte19.com website that will allow guests to receive notifications of special offers, enroll in our loyalty programs and send e-cards, among other additional services.

c. To sign up for contests, raffles and sweepstakes, including in digital form, which allows us to adapt the promotions and notifications we send, and to get in touch with the winner.

d. To perform online surveys and satisfaction and service quality questionnaires or website evaluation questionnaires.

e. To send personalized advertising and advertising for marketing, statistical and commercial prospecting purposes.

8. Business prospects:

Norte 19 will process the personal data of business prospects, directly or with the assistance of third-party product and service providers, for the following purposes:

a. To register the business prospect as such.

b. To assess the business prospect as a potential client of Norte 19.

c. To collect, record and update their personal data in order to inform, communicate, organize, control, address and validate the activities of the business prospects in such capacity.

d. To respond to information requests or requirements with respect to our services.

e. To send to the physical address, email address, cellular phone or mobile device, via text message (SMS and/or MMS) or WhatsApp or Facebook Messenger, or through any other similar media and/or digital communications media existing or to be created, commercial, advertising or promotional information of the products and/or services, events and/or commercial promotions, for the purpose of promoting, inviting, managing, informing and, in general, conducting commercial or advertising campaigns, promotions or contests, implemented directly by Norte 19 and/or by third parties.

f. To perform statistical analysis of customer behavior, trends and consumption habits.

Please be advised that third-party providers (such as reservation system providers, travel agencies, call centers, Banks, insurance companies) may be involved in the carrying out of such activities.

VI. SPECIAL REQUIREMENTS FOR PROCESSING SENSITIVE DATA

Norte 19, as Data Controller, will identify any sensitive data that it eventually collects or processes in order to comply with the following purposes:

a. To pay special attention and enhance the responsibility it bears with respect to processing sensitive data, which entails higher standards in terms of complying with the principles and obligations set forth in data protection legislation in effect.

b. To establish the technical, legal and administrative standards to adequately process sensitive data.

c. To increase use and access restrictions by Norte 19's personnel, as employer, and those of its third-party contractors or vendors.

VII. PERSONAL DATA OF CHILDREN AND ADOLESCENTS

Norte 19 will always comply with the following requirements when processing personal data of children and adolescents:

a. The processing must respond to and fulfill the superior interest of children and adolescents.

b. The Data Controller must ensure that the fundamental rights of children and adolescents are safeguarded.

c. Ensure that the legal representative of the minor has granted authorization, prior exercise of the minor's right to be heard, whose opinion must, to the extent possible, be assessed taking into consideration the following factors:

  • Maturity
  • Autonomy
  • Ability to understand the purpose for the processing of his/her personal data
  • Explain the consequences of having his/her personal data processed

IMPORTANT: The assessment made in accordance with the aforementioned factors will not be carried out by Norte 19 in a general manner. Every controller, processor or third party involved in processing the personal data of minors must always ensure that such data is adequately processed.

VIII. SHARING PERSONAL DATA WITH THIRD PARTIES

When you provide Personal Data to us, such information will be used exclusively for the purposes set forth in this Policy and we will not sell, license, transfer or disclose such data to third parties, unless i) you expressly authorize us to do so; ii) it is necessary for our contractors or agents to provide the services we have entrusted to them; iii) it is necessary to effectively provide and fulfill the services you acquired; iv) to provide our products and services; v) it is necessary for third parties providing marketing services on our behalf or to other entities with which they hold collective marketing agreements; vi) it relates to a merger, consolidation, acquisition, divestment or other restructuring process; vii) it is required to perform administrative operations; or viii) is required or permitted by law.

In order to implement the foregoing, your personal data may be disclosed for the purposes set forth in this Policy to our human resources staff, processors, consultants, advisors and other persons or offices as appropriate.

Norte 19 may engage third parties to process certain information or to perform certain services. When we effectively engage third parties to process your personal data or we provide your personal data to third-party service providers, we advise such third parties on the need to protect such personal information with adequate measures, we will forbid them from using your personal information for their private purposes and we will prevent them from further disclosing your personal data to others.

Nonetheless, when Norte 19 performs a Transmission of Personal Data to third-party Data Processors located in Colombia or abroad, it must demonstrate (i) a prior, express and informed authorization of the Data Subject, or (ii) a Personal Data transmission agreement containing the requirements set forth in article 2.2.2.25.5.2 of Decree 1074 of 2015.

Similarly, Norte 19 may transfer or transmit (as applicable) your personal data to other companies located abroad for safety and administrative efficiency purposes and to improve service, in accordance with the authorizations granted thereby. Accordingly, your data may be transferred or transmitted, as applicable, to perform administrative operations on behalf and pursuant to the instructions of Norte 19 or on behalf of the global operation of Promotora de Hoteles Norte 19, S.A.B. de C.V., its affiliates or subsidiaries.

IX. DURATION OF THE PROCESSING OF PERSONAL DATA

Norte 19 may only collect, store, use or share the personal data during a period of time that is reasonable and necessary to fulfill the purposes of the personal data processing, pursuant to applicable data protection provisions and administrative, accounting, tax, legal and historical information matters. Once the stated purpose(s) have been fulfilled and, notwithstanding any legal provision to the contrary, Norte 19 will proceed to delete the personal data it safely keeps or stores to be only disclosed according to law. However, the personal data must be kept when required to comply with a legal or contractual obligation.

You, as Data Subject, may, at any time, withdraw the consent you granted to process your personal data, except when Norte 19 is legally or contractually bound to keep such information, by sending a written communication and/or request through the contact channels set forth in this Policy to exercise the right of habeas data, and providing a copy of your ID or of any other document that, in Norte 19's opinion, constitutes proof of identity.

X. PROCESSING PERSONAL DATA ON BEHALF OF A THIRD PARTY

Norte 19 may in certain cases act as Data Processor of data provided or transmitted by certain groups of interest who have engaged Norte 19, and therefore agrees to comply with the following obligations when acting in such capacity:

a. Establish that the Data Controller is authorized to provide the personal data that it will process as Data Processor.

b. Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.

c. Keep the information under the necessary security conditions to prevent the tampering, loss, unauthorized or fraudulent consultation, use or access of the information.

d. Promptly carry out the update, rectification or deletion of the information.

e. Update the information reported by the Data Controller within five (5) business days from receipt thereof.

f. Process consultations and complaints made by the data subjects in accordance with this policy.

g. Record in the database the wording “complaint in process” as provided in this policy.

h. Insert in the database record the wording “information under judicial review” upon being notified by the competent authority of the existence of a judicial proceeding with respect to the personal data.

i. Refrain from circulating information that is being disputed by the data subject and which blocking has been ordered by the Superintendence of Industry and Commerce.

j. Only allow those persons authorized by the data subject or pursuant to law to access the information.

k. Notify the Superintendence of Industry and Commerce of violations of security codes and risks in the data subjects' information management.

l. Comply with the instructions and requirements imposed by the Superintendence of Industry and Commerce.

XI. SECURITY, INTEGRITY AND CONFIDENTIALITY

Norte 19 has incorporated to its different systems adequate security measures to protect the personal data of all data subjects against possible accidental losses and unauthorized access, processing or modification, in view of the state of technology, the type and nature of the data stored in our databases and the risks to which the information is exposed.

The personal data that Norte 19 collects through any format, agreement or physical or electronic communication will be processed with absolute confidentiality and privacy, under the duty of secrecy, and Norte 19 commits to guarantee that the information will be stored putting in place the necessary measures that will prevent the tampering and unauthorized loss, processing or access, in accordance with applicable regulations.

XII. RIGHTS OF DATA SUBJECTS

Data Subjects may exercise the right of habeas data before Norte 19 in order to:

• a. Be informed and have access to the personal data that we collected from you.

• b. Update the personal data that we collected from you.

• c. Rectify the personal data that we collected from you.

• d. Withdraw the consent you granted to have your personal data processed in the event such processing does not comply with the principles set forth in Law 1581 of 2012.

• e. Request proof of the authorization granted to process your personal data.

These rights must be exercised directly by the Data Subject, his/her legal representative or a successor thereof, as the case may be.

If you wish to exercise your right of habeas data through your legal representative, you must produce a general or special power of attorney duly authenticated.

Below you will find a description of the content and detail of each of the rights that you, as data subject, may exercise:

a. Right of access. All individuals will have the right to know if their personal data has been in any way processed by Norte 19 as provided by law, in addition to exercising the right to know the source of the data and whether or not such data has been transmitted or transferred to third parties and, therefore, the identity of such third parties.

b. Right to update. All individuals will have the right to update their personal data held by Norte 19 as provided by law.

c. Right to rectify. All individuals will have the right to verify before the data controller the veracity and accuracy of the information and request that his/her personal data be rectified if such data is inaccurate, incomplete or incorrect. The data subjects must indicate the data they request be corrected providing documentation that supports his/her request.

d. Request to delete or cancel personal data. The data subject must indicate the data that they request be cancelled or rectified, providing where appropriate the supporting documentation or proof. Cancellation will entail blocking your data, which shall be kept by the data controller for the sole purpose of making such personal data available to the administrative or judicial authorities, always complying with the statute of limitations applicable thereto. Upon expiration of the statute of limitations, the data controller must proceed with the final cancellation of the personal data of the interested or affected party that is being stored on its databases or files.

Furthermore, the data subject may request that his/her personal data be deleted or cancelled when the use of such personal data by the Data Controller or the Data Processor is excessive or even inappropriate. The data subjects' personal data must be kept during the time periods provided by applicable law and/or, depending on the case, during the contractual relationships between the data subject and the data controller.

In any event, the deletion of the information and the withdrawal of the consent will not proceed if the data subject has a legal or contractual obligation to remain in the database.

XIII. PROCEDURE FOR THE EXERCISE OF THE RIGHT OF HABEAS DATA

The Data Subjects may at all times effectively exercise the right of habeas data to guarantee their right to access, rectify, delete and of proof of consent before Norte 19 through any of the following available contact channels:

• Principal office address in Colombia: you may go to Norte 19's principal office address, located at DG 25 G 95 66 P1 Bogotá, Colombia.

• Telephone: (+571) 746 26 70

• Email: you may contact us via email at datospersonales@norte19.com

The following are the legally permitted ways to exercise the right of habeas data:

a. On own behalf: you, as the data subject of the personal data stored on Norte 19's databases and/or files, will have the right to know, update, access, rectify, delete, request proof of consent, be informed with respect to the use of your data and withdraw the consent granted.

b. Through a legal representative: This right may be exercised by the duly identified interested party or by the legal representative of the data subject, in which case the data subject must attach to the request the special or general power of attorney duly authenticated.

c. Exercise of the right of minors: The minors must exercise their right of habeas data through whomever evidences to have their legal representation.

XIV. CONSULTATION AND COMPLAINT PROCEDURES

a. Consultation procedure: The data subjects that wish to make consultations must take into consideration that Norte 19, as Data Controller, will provide to such persons all information contained in the individual record or that is linked to the identification of the data subject. The consultation must be made through the channels Norte 19 has enabled and must be addressed within a maximum term of ten (10) business days from the date of receipt of the request. When the consultation cannot be addressed within such term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the consultation will be addressed, which in no event may exceed five (5) business days following the expiration of the first term, notwithstanding the provisions contained in special laws or regulations issued by the National Government which may establish lesser terms, depending on the nature of the personal information.

b. Complaint procedure: The Data Subject who considers that the information that is held in any of Norte 19's databases must be corrected, updated or deleted, or becomes aware of a breach of any of the duties set forth in Law 1581 of 2012, may submit a complaint before the Data Controller or Data Processor, which will be processed in accordance with the following rules:

• i. The complaint will be formulated by means of a request addressed to the data controller or data processor, with the identification of the data subject, the description of the facts that give rise to the complaint and the address, together with the documents that support the complaint.

• ii. If the complaint is incomplete, the claimant will be required to cure the defects within five (5) days following receipt of the complaint. If the claimant has not provided the required information within two (2) months from the date on which the requirement is made, it shall be understood that the complaint has been withdrawn.

• iii. If the recipient of the complaint is not competent to resolve such complaint, such recipient will transfer the matter to whomever shall correspond within a maximum term of two (2) business days and will notify such circumstance to the claimant.

• iv. Within a term of no more than two (2) business days following receipt of the full complaint, the wording “complaint in process” and the reasons that give rise to the complaint will be included in the database. Such wording must be kept until the complaint has been finally resolved.

• v. The maximum term to address the complaint will be of fifteen (15) business days from the date of receipt. When the complaint cannot be addressed within such term, the claimant will be notified of the reasons for the delay and the date on which the complaint will be addressed, which in no event may exceed eight business days following expiration of the first term.

XV. MODIFICATIONS TO POLICY

This policy may be adjusted or modified at any time, therefore, we advise that you periodically review our website: www.norte19.com where any changes will be communicated and the last version of this Policy or the mechanisms to obtain a copy thereof will be made available.

XVI. DATA PROTECTION OFFICER

The Data Protection Officer appointed by Norte 19 will be responsible internally for updating and communicating this Policy, and any change made hereto must be approved by the Data Protection Officer. If you, as data subject, do not agree with the changes made, you may exercise your right of Habeas Data through the channels and as provided in this Policy.

XVII. ENTRY INTO FORCE

This Policy became effective on April 25, 2024.