ARTICLE 1. DEFINITIONS. For the purposes of applying the rules contained in this manual and in accordance with the provisions of Article 3 of Law 1581 of 2012, the following are understood as:
a) Authorization: Prior, express, and informed consent of the Data Subject to carry out the processing of personal data.
b) Privacy Notice: Verbal or written communication generated by the Controller addressed to the Data Subject for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, how to access them and the purposes of the processing intended to be given to the personal data.
c) Database: Organized set of personal data that is the object of Processing.
d) Personal data: Any information linked to or that can be associated with one or more specific or determinable natural persons.
e) Private data: This is data that, due to its intimate or reserved nature, is only relevant to the owner.
f) Sensitive data: Sensitive data is understood to be that which affects the privacy of the Owner or whose improper use may lead to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.
g) Data Processor: Natural or legal person, public or private, who, by itself or in association with others, carries out the processing of personal data on behalf of the Data Controller.
h) Data Controller: Natural or legal person, public or private, who, by itself or in association with others, decides on the database and/or the processing of the data.
i) Owner: Natural person whose personal data is subject to Processing.
j) Processing: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion of such data.
ARTICLE 2. PURPOSE. This document is intended to regulate the procedures for the collection, management, and processing of personal data carried out by HOTEL UTÜANE SAS, in order to guarantee and protect the fundamental right to habeas data of its guests, visitors, clients, users, and suppliers within the framework established by law. All of the foregoing is in compliance with the provisions of paragraph (k) of Article 17 of Law 1581 of 2012, which regulates the duties of those responsible for the processing of personal data, including the obligation to adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, to address inquiries and complaints.
ARTICLE 3. SCOPE OF APPLICATION. This information will apply to personal data registered and to be registered in the various databases managed by HOTEL UTÜANE SAS, that is, to the databases of our guests, visitors, clients, and suppliers who provide us with their data for commercial purposes.
The information collected by HOTEL UTÜANE SAS may include, in whole or in part, depending on the needs of the service we provide, among others, the following data:
• First and last names. • Identification type and number. • Nationality and country of residence. • Date of birth and gender. • Marital status and/or relationship with minors or disabled persons requesting our services. • Contact landline and cell phone numbers (personal and/or work). • Postal and email addresses (personal and/or work). • Profession or occupation. • Company where you work and your position. • Origin and destination. • Purpose of your trip. • Credit card information (number, bank, expiration date). • Cardholder personal information (first and last names, ID type and number). • Information on the address where the cardholder receives their bank statements.
This data may be stored and/or processed on servers located in computer centers, whether our guests, visitors, clients, users, and suppliers, which is authorized by our guests, visitors, clients, users, and suppliers upon accepting this Privacy Policy.
ARTICLE 4. ACCURACY OF INFORMATION. Our guests, visitors, clients, users, and suppliers must provide accurate information about their personal data in order to make HOTEL UTÜANE SAS possible to provide services. Under this condition, they agree to provide the requested information.
HOTEL UTÜANE SAS assumes the accuracy of the information provided and does not verify, nor assume the obligation to verify, the identity of the guests, visitors, clients, users, and suppliers, nor the accuracy, validity, sufficiency, or authenticity of the data each of them provides. Therefore, the company assumes no liability for damages of any kind that may arise from the lack of veracity, validity, sufficiency, or authenticity of the information, including damages that may be due to homonymy or identity theft.
ARTICLE 5. APPLICABLE LEGISLATION. This manual was prepared taking into account the ordinances of Law 1581 of 2012 “Which establishes general provisions for the protection of personal data” and Decree No. 1377 of 2013 “Which partially regulates Law 1581 of 2012.”
ARTICLE 6. INFORMATION ON MINOR CHILDREN AND ADOLESCENTS. HOTEL UTÜANE SAS will ensure the appropriate use of the personal data of minor children and adolescents, ensuring that their best interests and fundamental rights are respected in the processing of their data, and, to the extent possible, taking into account their opinions as the owners of their personal data. ARTICLE 7. PURPOSES OF THE PROCESSING OF PERSONAL DATA The information collected is used to process, confirm, fulfill and provide the services acquired, directly and/or with the participation of third party service providers, as well as to promote and advertise our activities and services, carry out transactions, make reports to the different national or international administrative control and surveillance authorities, police authorities or judicial authorities, banking entities and/or insurance companies, for internal administrative and/or commercial purposes such as market research, audits, accounting reports, statistical analysis, billing, and offering and/or recognition of benefits from our loyalty programs.
By accepting this Privacy and Data Processing Policy, our guests, visitors, clients, users and suppliers, in their capacity as owners of the data collected, authorize HOTEL UTÜANE SAS to process such data, in whole or in part, including the collection, storage, recording, use, circulation, processing and deletion of such data, for the execution of activities related to the services and products purchased, such as making reservations, making modifications, cancellations and changes to such reservations, refunds, handling of queries, complaints and claims, payment of compensation and indemnities, accounting records, correspondence, processing and verification of credit and debit cards and other payment instruments, identifying fraud and preventing money laundering and other criminal activities and/or for the operation of loyalty programs and other purposes indicated in this document.
The foregoing is without prejudice to other purposes that have been reported in this document and in the terms and conditions of each of the products and services of each of our business units.
We advise that third-party providers (such as reservation system providers, travel agencies, call centers, banks, and insurance companies) may be involved in these activities.
Additionally, our travelers, clients, and users, as data subjects, by accepting this privacy policy, authorize us to:
• Use the information received from them for marketing purposes of their products and services, and the products and services of third parties with whom HOTEL UTÜANE SAS maintains a business relationship. • Provide personal data to police or judicial oversight and surveillance authorities pursuant to a legal or regulatory requirement and/or use or disclose this information and personal data in defense of their rights and/or assets when such defense is related to the products and/or services contracted by their travelers, clients, and users. • Allow access to the information and personal data to auditors or third parties contracted to carry out internal or external audit processes related to the commercial activity we carry out. • Consult and update personal data at any time in order to keep said information up-to-date. • Contract with third parties for the storage and/or processing of information and personal data for the proper execution of contracts entered into with us, under the security and confidentiality standards to which we are bound.

ARTICLE 8. AUTHORIZATION. The collection, storage, use, circulation, or deletion of personal data by HOTEL UTÜANE SAS requires the free, prior, express, and informed consent of the data subject. HOTEL UTÜANE SAS, as the data controller, has implemented the necessary mechanisms to obtain the data subject’s authorization, ensuring in all cases that it is possible to verify the granting of such authorization.
With the aforementioned authorization, the client accepts the policies and conditions established in this document.
ARTICLE 9. FORM AND MECHANISMS FOR GRANTING AUTHORIZATION. The data subject’s authorization will be recorded in each of the collection channels and mechanisms. This authorization can be obtained when visiting our website or by phone requesting a quote or reservation. Visitors to www.utuane.com who choose to make reservations or request quotes online create a reservation profile and must provide specific Personal Information, such as their name, address, and contact information, as well as certain deposit and security information, to secure their reservation. By submitting your Personal Information, you acknowledge and agree to the terms and conditions contained in this Privacy Policy.

If you choose to provide us with this information, we will only use it for the purpose specified. We will only send you emails if you wish. By submitting your personal data, you acknowledge and accept the terms and conditions contained in this Privacy Policy. This information may be stored in an electronic document or in any other format that allows for future reference. Authorization will be issued by the data subject prior to the processing of your personal data, in accordance with Law 1581 of 2102.

ARTICLE 10. RIGHTS OF DATA SUBJECTS. In accordance with the provisions of Article 8 of Law 1581 of 2012, the subject of personal data has the following rights:
a) To know, update, and rectify their personal data with HOTEL UTÜANE SAS, as the data controller. b) To request proof of the authorization granted to HOTEL UTÜANE SAS, as the data controller. c) To be informed by HOTEL UTÜANE SAS, upon request, regarding the use of their personal data. d) To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012, once they have exhausted the consultation or complaint process with the data controller. e) Revoke authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees. f) Access your personal data that has been processed free of charge.
ARTICLE 11. DUTIES OF HOTEL UTÜANE SAS REGARDING THE PROCESSING OF PERSONAL DATA. HOTEL UTÜANE SAS will always bear in mind that personal data is the property of the individuals to whom it refers and that only they have the power to make decisions regarding such data. Therefore, it will use such data only for the purposes for which it is duly authorized, always respecting Law 1581 of 2012 on the protection of personal data.
In accordance with the provisions of Article 17 of Law 1581 of 2012, HOTEL UTÜANE SAS undertakes to permanently comply with the following obligations:
a) To guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data. b) To maintain the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent access, use, or consultation. c) To promptly update, rectify, or delete the data, that is, in accordance with the terms established in Articles 14 and 15 of Law 1581 of 2012. d) Process inquiries and complaints made by Data Subjects in accordance with the terms set forth in Article 14 of Law 1581 of 2012. e) Enter the legend “information under judicial dispute” into the database once notified by the competent authority of judicial proceedings related to the quality or details of the personal data. f) Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendency of Industry and Commerce. g) Allow access to the information only to those individuals who may have access to it. h) Inform the Superintendency of Industry and Commerce when security codes are breached and risks arise in the management of Data Subjects’ information. i) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

ARTICLE 13. RIGHT OF ACCESS: The power of disposition or decision that the owner has over the information that concerns him, necessarily entails the right to access and know if his personal information is being processed, as well as the scope, conditions and generalities of said processing.
Likewise, the data subject has the right to request rectification if they are inaccurate or incomplete, and to delete them when they are not being used in accordance with legal or contractual purposes and terms, or according to the purposes and terms contemplated in this Privacy Policy.
HOTEL UTÜANE SAS will guarantee the right of access when, after proving the identity of the owner or his or her representative or attorney, he or she requests it in accordance with the provisions of Law 1581 of 2012.
Customers and users may exercise their rights to access, update, rectify, and delete their personal data by sending a request to Recepcion@utane.com, mercadeo@utuane.com, or by calling 85926144, in accordance with this Privacy Policy.
The request must include the following information: • First and last name. • Document type. • Document number. • Telephone number. • Email address. • Country. • Subject.
ARTICLE 13. RESPONSE TO INQUIRIES. In any case, regardless of the mechanism implemented to handle inquiry requests, they will be answered within a maximum of ten (10) business days from the date of receipt. When it is not possible to answer the inquiry within this period, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which their inquiry will be answered, which in no case may exceed five (5) business days after the expiration of the first deadline.
ARTICLE 14. COMPLAINTS. In accordance with the provisions of Article 14 of Law 1581 of 2012, the Data Subject or their successors in title who consider that the information contained in a database should be corrected, updated, or deleted, or when they notice an alleged breach of any of the obligations contained in Law 1581 of 2012, may file a claim with the Data Controller, which will be processed under the following rules:
1. The claim may be submitted by the Data Subject using the forms provided for this purpose by HOTEL UTÜANE SAS on its website. If the claim received does not include complete information that allows for its processing, that is, the identification of the Data Subject, a description of the facts giving rise to the claim, the address, and the accompanying documents to be asserted, the interested party will be required within five (5) days of receipt to correct the deficiencies. After two (2) months have elapsed from the date of the request without the applicant submitting the required information, the claim will be deemed to have been withdrawn. If, for any reason, the HOTEL receives a claim that should not actually be directed against it, it will forward it to the appropriate party within a maximum of two (2) business days and inform the interested party of the situation.
2. Once the complete claim has been received, a message stating “claim in process” and the reason for the claim will be entered into the HOTEL UTÜANE database within a period of no more than two (2) business days. This message must remain in effect until the claim is resolved.
3. The maximum period for addressing the claim will be fifteen (15) business days, starting on the day following the date of receipt. When it is not possible to address the complaint within this period, the interested party will be informed before the expiration of the aforementioned period of the reasons for the delay and the date on which their complaint will be addressed, which in no case may exceed eight (8) business days after the expiration of the first term.
ARTICLE 15. IMPLEMENTATION OF PROCEDURES TO GUARANTEE THE RIGHT TO FILE COMPLAINTS. At any time and free of charge, the data subject or their representative may request HOTEL UTÜANE to rectify, update, or delete their personal data, upon proof of identity. The rights to rectification, update, or deletion may only be exercised by:
• The data subject or their successors in title, upon proof of identity, or through electronic means that allow identification. • Their representative, upon proof of representation.
When the request is made by a person other than the data subject and there is no proof that they are acting on their behalf, it will be deemed not submitted.
The request for rectification, update, or deletion must be submitted through the means enabled by the HOTEL, as indicated in the privacy notice, and must contain, at a minimum, the following information:
1. The name and address of the data subject or any other means to receive a response. 2. Documents proving the identity or legal status of their representative. 3. A clear and precise description of the personal data regarding which the data subject seeks to exercise any of their rights.
PARAGRAPH 1. RECTIFICATION AND UPDATE OF DATA. HOTEL UTÜANE SAS is obligated to rectify and update, at the data subject’s request, any information about them that is incomplete or inaccurate, in accordance with the procedure and terms indicated above. In this regard, the following will be taken into account: In requests to rectify and update personal data, the data subject must indicate the corrections to be made and provide documentation supporting their request.
HOTEL UTÜANE SAS is fully free to implement mechanisms that facilitate the exercise of this right, as long as they benefit the data subject. Consequently, electronic or other means it deems appropriate may be enabled.
HOTEL UTÜANE SAS may establish forms, systems, and other simplified methods, which must be disclosed in the privacy notice and will be made available to data subjects on the website.
Whenever HOTEL UTÜANE SAS makes available a new tool to facilitate the exercise of their rights by data subjects or modifies existing ones, it will inform the data subject through its website.
PARAGRAPH 2. DATA DELETION. The data subject has the right, at any time, to request that HOTEL UTÜANE SAS delete their personal data when:
a.) They consider that their personal data is not being processed in accordance with the principles, duties, and obligations set forth in Law 1581 of 2012. b.) They are no longer necessary or relevant for the purpose for which they were collected. c.) The period necessary for the fulfillment of the purposes for which they were collected has exceeded.
This deletion implies the total or partial elimination of personal information as requested by the owner in the records, files, databases or treatments carried out by HOTEL UTÜANE SAS, it is important to keep in mind that the right of deletion is not absolute and the person responsible may deny the exercise of it when:
• Requests to delete information will not be processed when the data subject has a legal or contractual obligation to remain in the database.
• The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
• The data is necessary to protect the legally protected interests of the data subject; to carry out an action based on the public interest; or to comply with a legal obligation of the data subject.
If the cancellation of personal data is appropriate, HOTEL UTÜANE SAS must operationally carry out the deletion in such a way that the deletion does not allow the recovery of the information.
ARTICLE 16. REVOCATION OF AUTHORIZATION. Data subjects may revoke their consent to the processing of their personal data at any time, provided that this is not prohibited by law. To do so, they must contact HOTEL UTÜANE SAS by email at datos@utane.com or by phone at 85926144.

ARTICLE 17. SECURITY MEASURES. In accordance with the security principle established in Law 1581 of 2012, HOTEL UTÜANE SAS has adopted the necessary technical, human, and administrative measures to ensure the security of its records, preventing their alteration, loss, unauthorized or fraudulent access, or consultation.
Notwithstanding the foregoing, the client assumes the risks arising from providing this information over a medium such as the Internet, which is subject to various variables—third-party attacks, technical or technological failures, among others. HOTEL UTÜANE SAS will make its best technological effort to guarantee the security of the personal information of all its clients and/or users, employing reasonable and current security methods to prevent unauthorized access, maintain data accuracy, and ensure the correct use of the information.
ARTICLE 18. IMPLEMENTATION OF SECURITY MEASURES. HOTEL UTÜANE SAS will maintain mandatory security protocols for staff with access to personal data and information systems. The procedure must consider:
a) Staff duties and obligations of complete confidentiality: All persons involved in the Processing of personal data that are not public are required to guarantee the confidentiality of this information, even after their relationship with any of the tasks involved in the Processing has ended. They may only provide or communicate personal data when it corresponds to the performance of the activities authorized by law and under the terms thereof.
b) Structure of personal data bases and description of the information systems that process them.

ARTICLE 19. MODIFICATIONS TO THE PRIVACY POLICY. HOTEL UTÜANE SAS reserves the right to make modifications or updates to this Privacy Policy at any time to address legislative developments, internal policies, or new requirements for the provision or offering of its services or products.
ARTICLE 20. VALIDITY OF PROCESSING OF INFORMATION AND PERSONAL DATA. The information provided by customers and users will be stored for up to fifteen (15) years from the date of the last processing, to allow us to comply with our legal and/or contractual obligations, especially in accounting, fiscal, and tax matters.