Policies

Cancellation and Modification Policy:

1. Guarantee Policy:

A 100% deposit of the total stay amount, excluding VAT, is required at the time of booking. Please refer to the rate rules, as exceptions may apply.

2. Cancellation Policy:

5-Day Flexible Cancellation: Guests can cancel without penalty up to 5 days before arrival.

If you cancel within 5 days of check-in, the full reservation amount will be charged.

3. No-Show Policy:

In the event of a no-show on the reservation date: The full reservation amount will be charged as a penalty.

There is no refund or possibility of rescheduling under this condition.

The exploitation and sexual abuse of minors are punishable by imprisonment, Law 679 of 2001 and Law 1336 of 2009. 

Rates for children at AIMARAWA: 

Children 0-3 years: Free. 

Children 4-17 years: $350,000

 GENERAL CONSIDERATIONS Aware of the importance of protecting and properly handling the personal information provided by data subjects, AVIA SOLUCIONES HOTELERAS, - hereinafter AVIANET, acting as the data controller, has designed this policy and procedures which together allow for the appropriate use of your personal data. In accordance with Article 15 of the Political Constitution of Colombia, which establishes the fundamental right to habeas data, referring to the right of all citizens to know, update, and rectify their personal data held in databases and files, both public and private, this is inextricably linked to the handling and processing of information that recipients of personal data must consider. This right has been developed through the enactment of Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013, based on which AVIANET, as the CONTROLLER of the personal data it receives, manages, and processes, hereby issues this personal data processing policy, which is made public so that everyone is aware of how AVIANET processes their information. The provisions of this personal data processing policy are mandatory for AVIANET, its administrators, employees, contractors, and any third parties with whom AVIANET establishes relationships of any kind. OBJECTIVE: The purpose of implementing this policy is to guarantee the confidentiality of information and the security of its processing for all clients, suppliers, employees, and third parties from whom AVIANET has legally obtained personal information and data, in accordance with the guidelines established by the law regulating the right to Habeas Data. Furthermore, the issuance of this policy fulfills the requirements of subparagraph K of Article 17 of the aforementioned law. DEFINITIONS Authorization: Prior, express, and informed consent of the data subject to carry out the processing. This may be written, verbal, or through unambiguous conduct that reasonably allows the conclusion that the data subject granted authorization. Database: The organized set of Personal Data that is subject to processing, whether electronic or not, regardless of the method of its creation, storage, organization, and access. Inquiry: A request from the data subject or persons authorized by the data subject or by law to access the information held about them in databases or files. Personal Data: Any information linked to or that can be associated with one or more identified or identifiable natural persons. This data is classified as sensitive, public, private, and semi-private. Sensitive personal data: Information that affects a person's privacy or whose misuse could lead to discrimination, such as data revealing racial or ethnic origin, political affiliation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or organizations that promote the interests of any political party or guarantee the rights and protections of opposition political parties, as well as data relating to health, sex life, and biometric data (fingerprints, among others). For the purposes of this policy, AVIANET advises that providing this type of information is optional for the data subject in cases where it may be requested. Public personal data: Data classified as such according to the mandates of the law or the Political Constitution, and all data that is not semi-private or private. Among others, the following are considered public data: those contained in public documents, public registries, official gazettes and bulletins, and duly executed judicial judgments that are not subject to confidentiality; data relating to a person's civil status, profession or occupation, and their status as a merchant or public servant. Personal data held in the commercial registry of the Chambers of Commerce are also public (Article 26 of the Commercial Code). Likewise, data that, by virtue of a decision of the data subject or a legal mandate, is found in freely accessible and consultable files is also considered public data. This data may be obtained and offered without any restriction and regardless of whether it refers to general, private, or personal information. Private personal data is data that, due to its intimate or confidential nature, is only relevant to the data subject. Examples include merchants' ledgers, private documents, and information obtained from a home inspection. Semi-private personal data... Semi-private data is information that is neither intimate, confidential, nor public in nature, and whose knowledge or disclosure may be of interest not only to its owner but also to a specific sector or group of people or to society in general, such as, among others, data relating to compliance or non-compliance with financial obligations or data relating to relationships with social security entities. Data Controller: The person who, alone or jointly with others, decides on the database and/or the processing of the data. Data Processor: The person who processes data on behalf of the Data Controller. Being "Authorized" refers to AVIANET and all persons under its responsibility who, by virtue of the authorization and the Policy, are legitimately authorized to process the data subject's personal data. The term "Authorized" includes all those designated as "Enabled." “Authorization” or being “Authorized” is the express written authorization granted by AVIANET to third parties, in compliance with applicable law, for the processing of personal data, making such third parties data processors of the personal data provided or made available. Complaint: A request from the data subject or persons authorized by the data subject or by law to correct, update, or delete their personal data, or when they become aware of a presumed breach of the data protection regime, according to Article 15 of Law 1581 of 2012. Data Subject: The natural person to whom the information refers. Processing: Any operation or set of operations performed on personal data, such as, among others, the collection, storage, use, circulation, or deletion of such information. Transmission: The processing of personal data that involves its communication within (national transmission) or outside of Colombia (international transmission) and whose purpose is for processing by the processor on behalf of the controller. Transfer: The transfer of data takes place when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is also a controller and is located within or outside the country. Procedural requirement: The data subject or their successor may only file a complaint with the Superintendency of Industry and Commerce once they have exhausted the consultation or claim process with the controller or processor, in accordance with Article 16 of Law 1581 of 2012. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA The processing of personal data must be carried out respecting the general and special regulations on the matter and for activities permitted by law. Therefore, the following principles apply to the purposes of this policy: Principle of legality: Data processing is a regulated activity that must comply with the provisions of the law and other applicable regulations. Principle of purpose: Processing must have a legitimate purpose in accordance with the Constitution and the Law. Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives the requirement for consent. Principle of accuracy or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited. Principle of transparency: The processing must guarantee the data subject's right to obtain information from the data controller, at any time and without restrictions, regarding the existence of data concerning them. Principle of restricted access and circulation: The processing of personal data is subject to the limitations arising from the nature of the data, the provisions of the law, and the Constitution. In this regard, processing may only be carried out by persons authorized by the data subject and/or by persons authorized by law. Principle of security: Information subject to processing by the Data Controller or Data Processor referred to in this law must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized or fraudulent access, use, or disclosure. Principle of confidentiality: All persons involved in the processing of personal data that is not publicly available are obligated to guarantee the confidentiality of the information, even after their relationship with any of the processing activities has ended. They may only supply or communicate personal data when it is necessary for the performance of the activities authorized in this law and in accordance with its terms. Any new project within the Organization that involves the Processing of Personal Data must be consulted with the Information Security Management, which is the person and department responsible for data protection to ensure compliance with the policy and the necessary measures to maintain the confidentiality of personal data. RIGHTS OF DATA SUBJECTS In accordance with current legal provisions, the following are the rights of data subjects: Right to know, update, rectify, and consult their personal data at any time with AVIANET regarding data they consider partial, inaccurate, incomplete, fragmented, or misleading. Right to request proof of the authorization granted to AVIANET at any time, except in those cases where the data controller is legally exempt from having authorization to process the data subject's data. Right to be informed by AVIANET, upon request of the data subject, regarding the use that has been made of their data. Right to file complaints with the Superintendency of Industry and Commerce as deemed necessary to enforce your right to Habeas Data. Right to revoke authorization and/or request the deletion of any data when you believe AVIANET has not respected your constitutional rights and guarantees. Right to access, free of charge, the personal data you voluntarily choose to share with AVIANET. The personal information and/or data we collect from you includes the following: Type of person: Natural Person: first and last name, type of identification, identification number, gender, marital status and date of birth, email address, financial information (bank accounts). Legal Entity: company name, Tax Identification Number (NIT), address, telephone number, mobile phone number, email address, country, city, financial information (bank accounts). Information necessary to facilitate travel or other services, including preferences such as travel class, passenger names (document type, document number, date of birth, first name, last name, gender, email, nationality, passport expiration date), and contact information in case of accident or any other issue (first and last name, phone number). Cardholder information: document type, document number, phone number, address, email, first name, card number, expiration date, and bank. Quote request: first and last name, phone number, city, and email address. Trip information: type of request, destination, departure date, duration, number of adults, number of children, hotel category, meals, additional services, transportation service, and budget per person. Contact Jean Claude Bessudo: first and last name, ID number, address, phone number (landline or mobile), city, and email address. Online help chat: name, email address, and your question. Evaluate our site: Your opinion is very important to us for continuously improving our customer service channels: names, surnames, email, phone numbers, and city. Complaint request: names, surnames, identification number, address, phone numbers, city, email, and comments. Technical problem report: names, surnames, address, phone numbers, city, email, and comments. Biometric data: images, video, audio, and fingerprints that identify or make identifiable our clients, users, or any person who enters, is present, or passes through any location where AVIANET has implemented devices for capturing such information. This data may be stored and/or processed on servers located in data processing centers, whether owned by us or contracted with providers, located in different countries. This is authorized by our clients/users by accepting this personal data processing and protection policy. AVIANET reserves the right to improve, update, modify, or delete any type of information, content, domain, or subdomain that may appear on the website, without prior notice, it being understood that publication on the Aviatur websites is sufficient. This includes addressing legal or internal requests and providing or offering new services or products. AVIANET informs data subjects that the data collected from our clients, contractors, and suppliers may be used for the following purposes. AVIANET may process this data directly or through its contractors, consultants, advisors, and/or third parties responsible for processing personal data, so that they may carry out any operation or set of operations such as collection, storage, use, circulation, deletion, classification, transfer, and transmission (the “Processing”) on all or part of your personal data: To support the contractual relationship established with AVIANET. To provide services related to the products and services offered. The performance of all activities related to the service or product will result in inclusion on an email list for newsletter distribution. We will send you information about changes to the terms and conditions of the services and products you have purchased, and notify you about new services or products. We will manage your requests, clarifications, and inquiries. We will develop studies and programs necessary to determine consumer habits. We will refine security filters and business rules in commercial transactions; confirm and process these transactions with your financial institution, our service providers, and with you. We will conduct periodic evaluations of our products and services to improve their quality. We will send you, via traditional and electronic means, technical, operational, and commercial information about products and services offered by AVIANET, its associates, or suppliers, both now and in the future. We may request satisfaction surveys, which you are under no obligation to complete. We may transmit and/or transfer your data to other companies, business partners, or third parties to fulfill our contractual obligations. The transmission and transfer may be carried out even to third countries that may have a different level of protection than Colombia, when necessary for the fulfillment of our obligations. This includes fulfilling obligations undertaken by AVIANET with its clients at the time of acquiring our services and products; responding to inquiries, requests, complaints, and claims made by regulatory bodies and other authorities that, under applicable law, must receive personal data; any other activity of a similar nature to those described above that are necessary to carry out AVIATUR's corporate purpose; and conducting consultations in various databases and authorized sources (such as OFAC and UN lists, among others) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies - SARLAFT. Regarding the data collected from our employees: This includes fulfilling the obligations undertaken by AVIANET with the employees who are the data subjects, in relation to the payment of salaries, social benefits, and other obligations established in the employment contract and current labor regulations. To inform the employee of any changes that arise during the course of the employment contract and even after its termination. To evaluate the quality of the services we provide. To conduct internal studies on the habits of the employee whose information is being collected or to request personal information for the development of management programs or systems. To make payroll deductions authorized by the employee. To manage employee requests, administer activities, provide clarifications, and conduct investigations. To market and sell our products and services. To send, via traditional and electronic means, technical, operational, and commercial information about products and services offered by partners or suppliers, both currently and in the future. To develop studies and programs necessary to determine consumer habits. To transmit and/or transfer data to other companies, business partners, or third parties in order to fulfill our obligations. This transmission and transfer may even be carried out to third countries that may have a different level of data protection than Colombia, when necessary for the fulfillment of our obligations. To request surveys, which the employee is not obligated to answer. To transfer, whether by transmission or disclosure, the information received to all judicial and/or administrative entities when necessary for the fulfillment of employer obligations related to labor, social security, pensions, occupational risks, family compensation funds (Comprehensive Social Security System), and taxes. To transfer the employer's personal information to third parties legitimately entitled to access such information, including, but not limited to, companies within the Aviatur Ltda. Business Group. To provide, whether by transmission or disclosure, the employee's personal information to all entities related to the employer's compliance. Any other activity of a similar nature to those described above that is necessary to carry out AVIATUR's corporate purpose and its labor obligations acquired by virtue of the employment contract or by operation of law. We conduct searches in various databases and authorized sources (such as OFAC and UN lists, among others) as necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies (SARLAFT). The processing of personal data will be carried out with the prior authorization of the data subject, except in cases where the data is publicly available. For this purpose, an authorization form for data processing has been implemented, which must be completed by the data subject at the time they provide their personal information. This authorization explains the scope and purposes of the personal data processing, addresses authorization by another party, the processing of data concerning minors and sensitive data, defines the channel for data subjects who wish to exercise their rights under habeas data law, and indicates where this policy is located. To process data, AVIANET employs all measures aimed at maintaining the confidentiality of the information. Authorization will be obtained through any means that can be subsequently verified, such as the website, forms, formats, in-person activities, or social media, etc. Authorization may also be obtained from the unambiguous conduct of the data subject that reasonably allows the conclusion that they granted authorization for the processing of their information. If you provide us with personal information about someone other than yourself, such as your spouse or a coworker, we understand that you have that person's authorization to provide us with their data; and we do not verify, nor do we assume the obligation to verify, the identity of the user/client, nor the truthfulness, validity, sufficiency, or authenticity of the data provided by each of them. Therefore, we do not assume responsibility for damages or losses of any kind that may arise from the lack of truthfulness, homonymy, or identity theft. Since AVIANET belongs to the Aviatur Business Group, your personal information may be shared with other companies within the group, business partners, and/or third-party providers (including flight, hotel, and car reservation systems, transaction security validators, banks, financial networks, and tourism services). These processes may take place in locations different from where the purchased tourism service or product is contracted, for the same purposes indicated for the collection of your personal data. These entities are obligated to comply with the corresponding confidentiality, transmission, or transfer agreements. The collected Personal Data will be processed manually or automatically and incorporated into the corresponding files or databases (hereinafter, the "File"), either as the data processor or the data controller. The duration of the processing will be determined by considering the regulations applicable to each purpose and the administrative, accounting, tax, legal, and historical aspects of the information. When the service is provided to a minor or a person with a disability, and their personal data is collected, AVIANET will always request authorization from the minor's legal representative. However, if you provide personal information of the aforementioned individuals without being their legal representative, you represent that you have the authorization of the respective legal representative, directly assuming the corresponding responsibility. AVIANET will strive to ensure that their rights and best interests are respected at all times. The representative must guarantee their right to be heard and consider their opinion regarding the processing of their data, taking into account the maturity, autonomy, and capacity of the minors. Representatives are informed that answering questions about the data of minors is optional. The data of minors, which falls under a special protection category, will be processed in accordance with applicable legislation and our personal data policy. The companies of the Aviatur Business Group have adopted the legally required levels of security for the protection of personal data and have implemented all available technical means and measures to prevent the loss, misuse, alteration, unauthorized access, and unlawful removal of personal data provided to AVIANET. However, data subjects should be aware that internet security measures are not infallible. If you choose to delete your information, to the extent permitted by law, we will retain certain personal information in our files for accounting and tax purposes to identify transaction data, prevent fraud, resolve disputes, investigate conflicts or incidents, enforce our terms and conditions of use, and comply with legal requirements. However, once you decide to revoke your authorization, the stored information will not be used for the purposes described here, but only as strictly necessary and defined in the preceding paragraph. Security Risks to Consider When Making Online Transactions: A user may be tricked through emails or DNS server spoofing into visiting a fake website that looks identical to the real one, but where card details are entered into the fraudulent system, stealing the cardholder's information. Therefore, it is important to promote the practice of users accessing online transactions directly through known domains to minimize risks. The computer the user is using for the transaction may have spyware or malicious software installed without their knowledge, capturing everything typed on the keyboard or information from input devices and sending it to a network or host on the internet. For this reason, it is recommended that transactions be carried out on a home or office computer whenever possible. Cardholder identity theft could occur, where the cardholder denies having sent and/or received the transaction, and it is used by a third party. It is recommended that the computer used for electronic transactions have an updated and active antivirus program to mitigate the risk of fraud. If your personal information was collected or provided before July 30, 2013, and you did not object to the transfer of your personal data, it will be understood that you have given your consent. If you wish to confirm your consent or express your objection, you may do so by sending an email to privacidad@aviasolucioneshoteleras.com. Like other websites, AVIANET uses certain technologies, such as cookies and device fingerprinting, which allow us to make your visit to our site easier and more efficient, providing you with personalized service and recognizing you when you return. For the purposes of this Privacy Notice, "cookies" are defined as text files that a website transfers to a user's computer hard drive to store certain records and preferences. Websites may allow third-party advertising or features that send "cookies" to users' computers. Cookies are associated only with an anonymous user and their computer, and do not, by themselves, provide the user's name and surname. In many cases, you can browse any of AVIANET's websites anonymously. When you access any AVIANET website, your IP address (your computer's internet address) is recorded to give us an idea of which parts of the website you visit and how long you spend in each section. We do not link your IP address to any of your personal information unless you have registered with us and logged in using your profile. Therefore, in certain AVIANET applications, users may be recognized after their initial registration, without needing to register on each visit to access areas, services, or products reserved exclusively for them. Other services will require the use of specific access codes, and even a digital certificate, depending on the features specified. The cookies used cannot read cookie files created by other providers. AVIANET encrypts user identification data for added security. To use the AVIANET website, it is not necessary for the user to allow the installation of cookies sent by AVIANET. However, in such cases, the user will need to register for each service that requires prior registration. NATIONAL OR INTERNATIONAL TRANSFER OF PERSONAL DATA AVIANET may transfer data to other data controllers when authorized by the data subject, by law, or by an administrative or judicial order. INTERNATIONAL AND NATIONAL TRANSMISSION OF DATA TO PROCESSORS AVIANET may send or transmit data to one or more processors located within or outside the Republic of Colombia in the following cases: a) When authorized by the data subject, and b) when, without authorization, a data transfer agreement exists between the controller and the processor. DUTIES OF THE DATA CONTROLLER To guarantee the data subject, at all times, the full and effective exercise of their right to data protection (habeas data). Request and retain, under the conditions stipulated in this law, a copy of the respective authorization granted by the data subject. Duly inform the data subject about the purpose of the data collection and the rights they hold by virtue of the authorization granted. Keep the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent access, use, or disclosure. Process inquiries and complaints submitted in accordance with the terms established in this law. Adopt an internal manual of policies and procedures to guarantee proper compliance with this law and, in particular, for handling inquiries and complaints. Inform the data subject, upon request, about the use given to their data. Inform the data protection authority when security breaches occur and there are risks in the management of data subjects' information. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. DUTIES OF DATA PROCESSORS: Guarantee the data subject, at all times, the full and effective exercise of their right to data protection (habeas data). Maintain information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent access, use, or disclosure. Promptly update, rectify, or delete data in accordance with this law. Update the information reported by data controllers within five (5) business days of receipt. Process inquiries and complaints submitted by data subjects in accordance with this law. Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, to address inquiries and complaints from data subjects. Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendency of Industry and Commerce. Allow access to information only to those individuals authorized to access it. Report to the Superintendency of Industry and Commerce any violations of security protocols and any risks in the management of data subjects' information. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. REQUESTS, COMPLAINTS, AND CLAIMS For the purpose of receiving requests, claims, and inquiries related to the handling and processing of personal data, AVIANET has designated the email address privacidad@aviasolucioneshoteleras.com to channel, review, and respond to them. Therefore, you may send your requests to this address, which will be processed in accordance with Law 1581: Inquiries: Data subjects or their successors may inquire about the data subject's personal information held in our database. AVIANET will provide them with all the information contained in the individual record or that is linked to the data subject's identification. The inquiry will be addressed within a maximum of ten (10) business days from the date of receipt. If it is not possible to address the inquiry within this period, the interested party will be informed, and the date on which their inquiry will be addressed will be indicated, which in no case may exceed five (5) business days following the expiration of the initial period. Claims: Data subjects or their successors who believe that the information contained in a database should be corrected, updated, or deleted, or who become aware of the alleged breach of any of the duties contained in the law, may file a claim with AVIANET, which will be processed under the following rules: The claim must be submitted in writing to AVIANET, including the data subject's identification, a description of the facts giving rise to the claim, the address, and any supporting documents. If the claim is incomplete, AVIANET will request the interested party to correct the deficiencies within five (5) days of receiving the claim. If the applicant fails to provide the required information within two (2) months of the date of the request, the claim will be considered withdrawn. Once a complete claim is received, the database will be updated within two (2) business days with a note stating "claim in process" and the reason for the claim. This notice must remain until the claim is resolved. The maximum time to address the claim is fifteen (15) business days, starting from the day after its receipt. If it is not possible to address the claim within this timeframe, the interested party will be informed of the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial timeframe. In any case, the data subject or their successor may only file a complaint with the Superintendency of Industry and Commerce once they have exhausted the consultation or claim process with AVIANET. The Information Security Management is responsible for receiving and processing claims. Requests for deletion of information and revocation of authorization will not be granted when the data subject has a legal or contractual obligation to remain in the database. DATA CONTROLLER INFORMATION Company Name: Operadora de Hoteles Avia SAS Address: Centro de Negocios Andino, Carrera 11 # 82-01, 4th Floor, Bogotá DC - Colombia Email: privacidad@aviasolucioneshoteleras.com Phone: ( 57 1) 3817111 Website: www.aviasolucioneshoteleras.com QUESTIONS OR SUGGESTIONS If you have any questions or concerns about the collection, processing, or transfer of your personal information, or if you believe that the information contained in a database should be corrected, updated, or deleted, please send us a message to the following email address: privacidad@aviasolucioneshoteleras.com. For more information about AVIATUR, its identity, address, and contact methods, please visit www.aviasolucioneshoteleras.com. This website contains the terms and conditions applicable to the published services and products, which can be consulted at any time for further information. AVIANET reserves the right to modify this policy to adapt it to new legislation or case law, as well as to best practices in the tourism sector and other sectors of the economy that are part of the business group. In such cases, AVIANET will announce the changes on this page with reasonable notice before they take effect.  

The rate includes:

Welcome drink

Breakfast

Wi-Fi internet

Satellite TV

Access to the hotel's common areas (pool, jacuzzi, gym, children's playroom)

Parking

Guests have access to a free in-room safe; the hotel is not responsible for items not deposited in it.

Services not included in the rate:

TRANSFERS: If you wish, we can book a private transfer service to and from the airport for you and your companions at an additional cost.

Minibar items and any other additional consumption must be paid at check-out.

Motorized and non-motorized water sports services.

Transportation service fees. These rates are per trip (prices for a single journey)

** 1 to 4 people: $260,000

** 5 to 6 people: $350,000

** 7 to 9 people: $425,000

** 10 to 15 people: $694,000

For safety reasons, Jet Skis are strictly prohibited on hotel property. Watercraft rentals must be made only at authorized locations on the beach.

Hotel Aimarawa does not offer electric vehicle charging services.

GENERAL CONSIDERATIONS Aware of the importance of protecting and properly handling the personal information provided by data subjects, AVIA SOLUCIONES HOTELERAS, - hereinafter AVIANET, acting as the data controller, has designed this policy and procedures which together allow for the appropriate use of your personal data. In accordance with Article 15 of the Political Constitution of Colombia, which establishes the fundamental right to habeas data, referring to the right of all citizens to know, update, and rectify their personal data held in databases and files, both public and private, this is inextricably linked to the handling and processing of information that recipients of personal data must consider. This right has been developed through the enactment of Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013, based on which AVIANET, as the CONTROLLER of the personal data it receives, manages, and processes, hereby issues this personal data processing policy, which is made public so that everyone is aware of how AVIANET processes their information. The provisions of this personal data processing policy are mandatory for AVIANET, its administrators, employees, contractors, and any third parties with whom AVIANET establishes relationships of any kind. OBJECTIVE: The purpose of implementing this policy is to guarantee the confidentiality of information and the security of its processing for all clients, suppliers, employees, and third parties from whom AVIANET has legally obtained personal information and data, in accordance with the guidelines established by the law regulating the right to Habeas Data. Furthermore, the issuance of this policy fulfills the requirements of subparagraph K of Article 17 of the aforementioned law. DEFINITIONS

Authorization: Prior, express, and informed consent of the data subject to carry out the processing. This may be written, verbal, or through unambiguous conduct that reasonably allows the conclusion that the data subject granted authorization.

Database: The organized set of Personal Data that is subject to processing, whether electronic or not, regardless of the method of its creation, storage, organization, and access.

Inquiry: A request from the data subject or persons authorized by the data subject or by law to access the information held about them in databases or files.

Personal Data: Any information linked to or that can be associated with one or more identified or identifiable natural persons. This data is classified as sensitive, public, private, and semi-private.

Sensitive personal data: Information that affects a person's privacy or whose misuse could lead to discrimination, such as data revealing racial or ethnic origin, political affiliation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or organizations that promote the interests of any political party or guarantee the rights and protections of opposition political parties, as well as data relating to health, sex life, and biometric data (fingerprints, among others). For the purposes of this policy, AVIANET advises that providing this type of information is optional for the data subject in cases where it may be requested.

Public personal data: Data classified as such according to the mandates of the law or the Political Constitution, and all data that is not semi-private or private. Among others, the following are considered public data: those contained in public documents, public registries, official gazettes and bulletins, and duly executed judicial judgments that are not subject to confidentiality; data relating to a person's civil status, profession or occupation, and their status as a merchant or public servant. Personal data held in the commercial registry of the Chambers of Commerce are also public (Article 26 of the Commercial Code). Likewise, data that, by virtue of a decision of the data subject or a legal mandate, is found in freely accessible and consultable files is also considered public data. This data may be obtained and offered without any restriction and regardless of whether it refers to general, private, or personal information.

Private personal data. This is data that, due to its intimate or confidential nature, is only relevant to the data subject. Examples: merchants' books, private documents, information obtained from a home inspection.

Semi-private personal data. Semi-private data is information that is neither intimate, confidential, nor public in nature, and whose knowledge or disclosure may be of interest not only to its owner but also to a specific sector or group of people or to society in general, such as, among others, data relating to compliance or non-compliance with financial obligations or data relating to relationships with social security entities.

Data Controller: The person who, alone or jointly with others, decides on the database and/or the processing of the data.

Data Processor: The person who processes data on behalf of the Data Controller.

Being “Authorized” refers to AVIANET and all persons under its responsibility who, by virtue of the authorization and the Policy, are legitimately authorized to process the data subject's personal data. The term “Authorized” includes all those designated as “Enabled.”

“Authorization” or being “Authorized” is the express written authorization granted by AVIANET to third parties, in compliance with applicable law, for the processing of personal data, making such third parties data processors of the personal data provided or made available.

Complaint: A request from the data subject or persons authorized by the data subject or by law to correct, update, or delete their personal data, or when they become aware of a presumed breach of the data protection regime, according to Article 15 of Law 1581 of 2012.

Data Subject: The natural person to whom the information refers.

Processing: Any operation or set of operations performed on personal data, such as, among others, the collection, storage, use, circulation, or deletion of such information.

Transmission: The processing of personal data that involves its communication within (national transmission) or outside of Colombia (international transmission) and whose purpose is for the processor to carry out processing on behalf of the controller.

Transfer: The transfer of data takes place when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is also a controller and is located within or outside the country.

Procedural requirement: The data subject or their successor may only file a complaint with the Superintendency of Industry and Commerce once they have exhausted the consultation or claim process with the controller or processor, in accordance with Article 16 of Law 1581 of 2012. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA The processing of personal data must be carried out respecting the general and special regulations on the matter and for activities permitted by law. Therefore, the following principles apply to the purposes of this policy:

Principle of legality: Data processing is a regulated activity that must comply with the law and other applicable regulations.

Principle of purpose: Processing must have a legitimate purpose in accordance with the Constitution and the Law.

Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives the requirement for consent.

Principle of accuracy or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

Principle of transparency: The processing must guarantee the data subject's right to obtain information from the data controller, at any time and without restrictions, regarding the existence of data concerning them.

Principle of restricted access and circulation: The processing of personal data is subject to the limits derived from the nature of the data, the provisions of the law, and the Constitution. In this regard, processing may only be carried out by persons authorized by the data subject and/or by persons provided for by law.

Principle of security: Information subject to processing by the Data Controller or Data Processor referred to in this law must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized or fraudulent access, use, or disclosure.

Principle of confidentiality: All persons involved in the processing of personal data that is not publicly available are obligated to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended. They may only supply or communicate personal data when it corresponds to the development of the activities authorized in this law and in accordance with its terms. Any new project within the Organization that involves the Processing of Personal Data must be consulted with the Information Security Management, which is the person and department responsible for data protection to ensure compliance with the policy and the necessary measures to maintain the confidentiality of personal data. RIGHTS OF DATA SUBJECTS In accordance with current legal provisions, the following are the rights of data subjects:

Right to know, update, rectify, and consult their personal data at any time with AVIANET regarding data they consider partial, inaccurate, incomplete, fragmented, or misleading.

Right to request proof of the authorization granted to AVIANET at any time, except in those cases where the data controller is legally exempt from having authorization to process the data subject's data.

Right to be informed by AVIANET, upon request of the data subject, regarding the use that has been made of their data.

Right to file complaints with the Superintendency of Industry and Commerce as deemed necessary to enforce your right to Habeas Data.

Right to revoke authorization and/or request the deletion of any data when you believe AVIANET has not respected your constitutional rights and guarantees.

Right to access, free of charge, the personal data you voluntarily choose to share with AVIANET. The personal information and/or data we collect from you includes the following: Type of person: Natural Person: first and last name, type of identification, identification number, gender, marital status and date of birth, email address, financial information (bank accounts). Legal Entity: company name, Tax Identification Number (NIT), address, telephone number, mobile phone number, email address, country, city, financial information (bank accounts). Information necessary to facilitate travel or other services, including preferences such as travel class, passenger names (document type, document number, date of birth, first name, last name, gender, email, nationality, passport expiration date), and contact information in case of accident or any other issue (first and last name, phone number). Cardholder information: document type, document number, phone number, address, email, first name, card number, expiration date, and bank. Quote request: first and last name, phone number, city, and email address. Trip information: type of request, destination, departure date, duration, number of adults, number of children, age, hotel category, meals, additional services, transportation service, and budget per person. Contact Yadira Rodríguez Guerrero: first and last name, ID number, address, phone number (landline or mobile), city, and email address. Online help chat: name, email address, and your question. Evaluate our site: Your opinion is very important to us for continuously improving our customer service channels: names, surnames, email, phone numbers, and city. Complaint request: names, surnames, identification number, address, phone numbers, city, email, and comments. Technical problem report: names, surnames, address, phone numbers, city, email, and comments. Biometric data: images, video, audio, and fingerprints that identify or make identifiable our clients, users, or any person who enters, is present, or passes through any location where AVIANET has implemented devices for capturing such information. This data may be stored and/or processed on servers located in data processing centers, whether owned by us or contracted with providers, located in different countries. This is authorized by our clients/users by accepting this personal data processing and protection policy. AVIANET reserves the right to improve, update, modify, or delete any type of information, content, domain, or subdomain that may appear on the website, without prior notice, it being understood that publication on the Aviatur websites is sufficient. This includes addressing legal or internal requests and providing or offering new services or products. PROCESSING, SCOPE, AND PURPOSES

AVIANET informs data subjects that the data collected from our clients, contractors, and suppliers may be used for the following purposes. AVIANET may process this data directly or through its contractors, consultants, advisors, and/or third parties responsible for processing personal data, so that they may carry out any operation or set of operations such as collection, storage, use, circulation, deletion, classification, transfer, and transmission (the “Processing”) on all or part of your personal data:

To support the contractual relationship established with AVIANET.

To provide services related to the products and services offered.

All activities related to the service or product will be included in an email list for newsletter distribution.

Sending information about changes to the terms and conditions of purchased services and products, and notifying you about new services or products.

Managing your requests, clarifications, and inquiries.

Developing studies and programs necessary to determine consumer habits.

Refining security filters and business rules in commercial transactions; confirming and processing these transactions with your financial institution, our service providers, and with you.

Conducting periodic evaluations of our products and services to improve their quality.

Sending, via traditional and electronic means, technical, operational, and commercial information about products and services offered by AVIANET, its associates, or suppliers, both currently and in the future.

Requesting satisfaction surveys, which you are under no obligation to complete.

Transmitting and/or transferring data to other companies, business partners, or third parties to fulfill our obligations. The transmission and transfer may be carried out even to third countries that may have a different level of protection than Colombia, when necessary for the fulfillment of our obligations.

To fulfill obligations undertaken by AVIANET with its clients at the time of acquiring our services and products.

To respond to inquiries, requests, complaints, and claims made by regulatory bodies and other authorities that, under applicable law, must receive personal data.

Any other activity of a similar nature to those described above that are necessary to carry out AVIANET's corporate purpose.

To conduct inquiries in different databases and authorized sources (such as OFAC and UN lists, among others) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies - SARLAFT.

Data collected from our employees:

To fulfill the obligations undertaken by AVIANET with the employees who are the data subjects, regarding the payment of salaries, social benefits, and other obligations established in the employment contract and current labor regulations.

To inform the employee of any changes that arise during the course of the employment contract and even after its termination.

To evaluate the quality of the services we provide.

To conduct internal studies on the habits of the employee whose information is being collected or to request personal information for the development of management programs or systems.

To make payroll deductions authorized by the employee.

To manage requests, administer activities, provide clarifications, and conduct investigations.

To market and sell our products and services.

To send, via traditional and electronic means, technical, operational, and commercial information about products and services offered by partners or suppliers, both currently and in the future.

To develop studies and programs necessary to determine consumer habits.

To transmit and/or transfer data to other companies, business partners, or third parties in order to fulfill our obligations. This transmission and transfer may even be carried out to third countries that may have a different level of data protection than Colombia, when necessary for the fulfillment of our obligations.

To request surveys, which the client is under no obligation to complete.

To transfer, whether by transmission or disclosure, the information received to all judicial and/or administrative entities when necessary for the fulfillment of employer obligations related to labor, social security, pensions, occupational risks, family compensation funds (Comprehensive Social Security System), and taxes.

To transfer the employer's personal information to third parties who legitimately have the right to access such information, which includes, but is not limited to, companies within the Aviatur Ltda. Business Group.

To provide, whether by transmission or disclosure, the employee's personal information to all entities related to the employer's compliance with its obligations.

Any other activity of a similar nature to those described above that is necessary to carry out AVIATUR's corporate purpose and its labor obligations acquired by virtue of the employment contract or by operation of law.

Conducting consultations in various databases and authorized sources (such as OFAC and UN lists, among others) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies - SARLAFT.

The processing of personal data will be carried out with the prior authorization of the data subject, except in cases where the data is publicly available. For this purpose, an authorization form for data processing has been implemented, which must be completed by the data subject at the time they provide their personal information. This authorization explains the scope and purposes of the personal data processing, addresses authorization by another party, data of minors and sensitive data, defines the channel for data subjects who wish to exercise their rights under habeas data, and indicates where this policy is located. To carry out data processing, AVIANET employs all measures aimed at maintaining the confidentiality of the information. Authorization will be obtained through any means that can be subsequently verified, such as the website, forms, formats, in-person activities, or social media, etc. Authorization may also be obtained from the unambiguous conduct of the data subject that reasonably allows the conclusion that they granted authorization for the processing of their information.

If you provide us with personal information about someone other than yourself, such as your spouse or a coworker, we understand that you have that person's authorization to provide us with their data; and we do not verify, nor do we assume the obligation to verify, the identity of the user/client, nor the truthfulness, validity, sufficiency, or authenticity of the data provided by each of them. Therefore, we do not assume responsibility for damages or losses of any kind that may arise from the lack of truthfulness, homonymy, or identity theft.

Since AVIANET belongs to the Aviatur Business Group, your personal information may be shared by transfer or transmission with group companies, business partners, and/or third-party providers (including flight, hotel, and car reservation systems, transactional security validators, banks, financial networks, and tourism services). These processes may be carried out in different locations than where the purchased tourism service or product is contracted, for the same purposes indicated for the collection of personal data. These entities are obligated to comply with the corresponding confidentiality, transmission, or transfer agreements.

The Personal Data collected will be processed manually or automatically and incorporated into the corresponding files or databases (hereinafter, the "File"), either as the data processor or the data controller. To determine the duration of the processing, the regulations applicable to each purpose and the administrative, accounting, tax, legal, and historical aspects of the information will be considered.

When the service is provided to a minor or a person with a disability, and their personal data is collected, AVIANET will always request authorization from the minor's legal representative. However, if you provide personal information of the aforementioned individuals without being their legal representative, you represent that you have the authorization of the respective legal representative, directly assuming the corresponding responsibility. AVIANET will strive to ensure that their rights and best interests are respected at all times. The representative must guarantee their right to be heard and consider their opinion regarding the processing of their data, taking into account the maturity, autonomy, and capacity of the minors. Representatives are informed that answering questions about the data of minors is optional. The data of minors, which falls under a special protection category, will be processed in accordance with applicable legislation and our personal data policy.

The companies of the Aviatur Business Group have adopted the legally required levels of security for the protection of personal data and have implemented all available technical means and measures to prevent the loss, misuse, alteration, unauthorized access, and unlawful removal of personal data provided to AVIANET. However, the data subject should be aware that internet security measures are not infallible.

If you choose to delete your information, to the extent permitted by law, we will retain certain personal information in our files for accounting and tax purposes to identify transaction data, prevent fraud, resolve disputes, investigate conflicts or incidents, enforce our terms and conditions of use, and comply with legal requirements. However, once you decide to revoke your authorization, the stored information will not be used for the purposes described here, but only as strictly necessary and defined in the preceding paragraph.

Security Risks to Consider When Making Online Transactions:

A user may be tricked through emails or DNS server spoofing into visiting a fake website that looks identical to the real thing, but where card details are entered into the fraudulent system, stealing the cardholder's information. Therefore, it is important to promote the practice of users accessing online transactions directly through known domains to minimize risks.

The computer the user is using for the transaction may have spyware or malicious software installed without their knowledge. This software may capture everything typed on the keyboard or information from input devices and send it to a network or host on the internet. Therefore, it is recommended that transactions be carried out on a home or office computer whenever possible.

Cardholder identity theft may occur, where the cardholder denies having sent and/or received the transaction, and it is used by a third party.

It is recommended that the computer used for electronic transactions have an updated and active antivirus program to mitigate the risk of fraud.

If your personal information was collected or provided before July 30, 2013, and you did not object to the transfer of your personal data, it will be understood that you have given your consent. If you wish to confirm your consent or express your objection, you may do so by sending an email to privacidad@aviasolucioneshoteleras.com.

Like other websites, AVIANET uses certain technologies, such as cookies and device fingerprinting, which allow us to make your visit to our site easier and more efficient, providing you with personalized service and recognizing you when you return. For the purposes of this Privacy Notice, "cookies" are defined as text files that a website transfers to a user's computer hard drive to store certain records and preferences.

Websites may allow third-party advertising or features that send "cookies" to users' computers. Cookies are associated only with an anonymous user and their computer, and do not, by themselves, provide the user's name and surname. In many cases, you can browse any of AVIANET's websites anonymously. When you access any AVIANET website, your IP address (your computer's internet address) is recorded to give us an idea of which parts of the website you visit and how long you spend in each section. We do not link your IP address to any of your personal information unless you have registered with us and logged in using your profile. Therefore, in certain AVIANET applications, users may be recognized after their initial registration, without needing to register on each visit to access areas, services, or products reserved exclusively for them. Other services will require the use of specific access codes, and even a digital certificate, depending on the features specified. The cookies used cannot read cookie files created by other providers. AVIANET encrypts user identification data for added security.

To use the AVIANET website, it is not necessary for the user to allow the installation of cookies sent by AVIANET. However, in such cases, the user will need to register for each service that requires prior registration. NATIONAL OR INTERNATIONAL TRANSFER OF PERSONAL DATA AVIANET may transfer data to other data controllers when authorized by the data subject, by law, or by an administrative or judicial order. INTERNATIONAL AND NATIONAL TRANSMISSION OF DATA TO PROCESSORS AVIANET may send or transmit data to one or more processors located within or outside the Republic of Colombia in the following cases: a) When authorized by the data subject, and b) when, without authorization, a data transfer agreement exists between the controller and the processor. DUTIES OF THE DATA CONTROLLER

Guarantee the data subject, at all times, the full and effective exercise of their right to data protection (habeas data).

Request and retain, under the conditions stipulated in this law, a copy of the respective authorization granted by the data subject.

Duly inform the data subject about the purpose of the data collection and their rights under the authorization granted.

Keep the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent access, use, or disclosure.

Process inquiries and complaints submitted in accordance with the terms established in this law.

Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for handling inquiries and complaints.

Inform the data subject, upon request, about the use given to their data.

Inform the data protection authority when security breaches occur and there are risks in the management of data subjects' information.

Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. DUTIES OF DATA PROCESSORS

Guarantee the data subject, at all times, the full and effective exercise of their right to data protection (habeas data).

Keep the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent access, use, or disclosure.

Carry out the timely updating, rectification, or deletion of data in accordance with the terms of this law.

Update the information reported by the data controllers within five (5) business days of receipt.

Process inquiries and complaints submitted by data subjects in accordance with the terms established in this law.

Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for handling inquiries and complaints from data subjects.

Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendency of Industry and Commerce.

Allow access to the information only to those persons authorized to access it.

Report to the Superintendency of Industry and Commerce any violations of security codes and risks in the management of data subjects' information.

Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. REQUESTS, COMPLAINTS, AND CLAIMS For the purpose of receiving requests, claims, and inquiries related to the handling and processing of personal data, AVIANET has designated the email address privacidad@aviasolucioneshoteleras.com to channel, review, and respond to them. Therefore, you may send your requests to this address, which will be processed in accordance with Law 1581: Inquiries: Data subjects or their successors may inquire about the data subject's personal information held in our database. AVIANET will provide them with all the information contained in the individual record or that is linked to the data subject's identification. The inquiry will be addressed within a maximum of ten (10) business days from the date of receipt. When it is not possible to respond to the inquiry within said timeframe, the interested party will be informed, and the date on which their inquiry will be addressed will be indicated, which in no case may exceed five (5) business days following the expiration of the initial timeframe. Complaints: The data subject or their successors who believe that the information contained in a database should be corrected, updated, or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a complaint with AVIANET, which will be processed under the following rules:

The complaint will be submitted by means of a request addressed to AVIANET with the identification of the data subject, a description of the facts giving rise to the complaint, the address, and accompanied by any supporting documents. If the complaint is incomplete, AVIANET will request the interested party to remedy the deficiencies within five (5) days following receipt of the complaint. If the applicant fails to submit the required information within two (2) months of the request date, the claim will be considered withdrawn.

Once a complete claim is received, the database will be updated within two (2) business days with a note stating “claim in process” and the reason for the claim. This note will remain until the claim is resolved.

The maximum time allowed to address the claim is fifteen (15) business days from the day after its receipt. If it is not possible to address the claim within this timeframe, the interested party will be informed of the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial timeframe.

In any case, the account holder or their successor may only file a complaint with the Superintendency of Industry and Commerce after exhausting the consultation or claim process with AVIANET.

The Information Security Management is responsible for receiving and processing complaints.

Requests for data deletion and revocation of authorization will not be processed when the data subject has a legal or contractual obligation to remain in the database. DATA CONTROLLER Company Name: Operadora de Hoteles Avia SAS Address: Centro de Negocios Andino, Carrera 11 # 82-01, 4th Floor, Bogotá DC - Colombia Email: privacidad@aviasolucioneshoteleras.com Phone: ( 57 1) 3817111 Website: www.aviasolucioneshoteleras.com QUESTIONS OR SUGGESTIONS If you have any questions or concerns about the collection, processing, or transfer of your personal information, or if you believe that the information contained in a database should be corrected, updated, or deleted, please send us a message to the following email address: privacidad@aviasolucioneshoteleras.com. For more information about AVIANET, including its identity, address, and contact methods, please visit www.aviasolucioneshoteleras.com. This website contains the terms and conditions applicable to the published services and products, which can be consulted at any time for further information. AVIANET reserves the right to modify this policy to adapt it to new legislation or case law, as well as best practices in the tourism sector and other sectors of the economy that are part of the business group. In such cases, AVIANET will announce the changes on this page with reasonable notice before they take effect.