The Privacy Notice is the document through which Othon Hotels explains to data subjects and other interested parties the practices and procedures adopted to make the relationship between privacy and personal data protection transparent. Basically, it informs the data subject of the rights, guarantees and procedures adopted by Othon Hotels regarding the collection, use, sharing, storage, deletion and any other form of processing of personal information in its operational processes. Data protection gained special relevance after the entry into force of the European Union's General Data Protection Regulation (GDPR). Following the same line, Brazil adopted specific legislation to address the issue, namely Law No. 13,709/2018, better known as the General Data Protection Law (LGPD). This Privacy Notice contains information regarding how Othon Hotels processes, in whole or in part, in an automated or non-automated manner, personal data in its operational processes. This Notice aims to clarify to interested parties about the measures to respect data and rights of individuals, processes and procedures on how the holder may update, manage or delete this information. This Privacy Notice may be updated as a result of any regulatory updates and changes in procedures, which is why the data holder is invited to periodically consult this document. This document was prepared in accordance with the General Law for the Protection of Personal Data (Law No. 13,709/2018), the Internet Civil Rights Framework (Law No. 12,965/2014) and other current legislation.

LGPD: General Data Protection Law (L. 13.709/18) http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm Personal Data: The General Data Protection Law - LGPD, defines in its article 5, item I, that personal data is any data that refers to an identified or identifiable natural person. This definition includes all data that allows a natural person to be directly identified or the combination of data that can unequivocally identify a specific data subject. Sensitive Personal Data: This is personal data about racial or ethnic origin, religious belief, political opinion, membership in a union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person. Holder: The data holder is the natural person to whom the personal data that are the object of the processing refer, that is, the person who owns the information. Controller: The natural or legal person, under public or private law, who is responsible for decisions on how the processing of personal data is carried out. Operator: The natural or legal person, under public or private law, who carries out the processing on behalf of the controller. Manager/DPO: The person who acts in the organization as a channel of connection and communication between the controller, the data holders, and the National Data Protection Authority (ANPD). Hotéis Othon SA Av. Nossa Sra. de Copacabana, 995 Copacabana - Rio de Janeiro – RJ – Zip code: 22060-001 Tel.: ( 55 21) 2106-1500 www.othon.com.br ANPD: The National Data Protection Authority is the public administration body responsible for overseeing, implementing, and monitoring compliance with this Law throughout the national territory.

The LGPD grants the data subject a series of rights and Hotéis Othon respects the rights of data subjects granted by the LGPD, listed in its Article 18. They are:  Right to confirmation and existence of processing (Art.18, I): Consists of the right of the data subject to obtain confirmation from the controller about the existence of the processing of their personal data in the organization;  Right of access (Art.18, II): It is the right of the data subject to have access to the data that is being processed by the organization;  Right to rectification (Art.18, III): The data subject may request the controller to correct incomplete, inaccurate or outdated data;  Right to data deletion (Art.18, IV): Concerns the possibility of having their data deleted from the controller's database;  Right to limit data processing (Art. 18, V): This is the right of the data subject to limit the processing of his/her personal data, which can be obtained when he/she disputes the accuracy of the data, when the processing is unlawful, when the controller no longer needs the data for the proposed purposes and when he/she has objected to the processing of the data and in the case of unnecessary data processing;  Right to object (Art. 18, VI): This deals with the possibility of the data subject, at any time, to object, for reasons related to his/her particular situation, to the processing of personal data concerning him/her, and may also object to the use of his/her personal data for defining a marketing profile;  Right to data portability (Art. 18, VII): This is the right of the data subject to request the controller to send his/her data to another service or product provider, upon express request, in accordance with ANPD regulations, observing commercial and industrial secrets.  Right not to be subject to automated decisions (Art.18, VIII): this is the right of the data subject not to be subject to any decision taken exclusively based on automated processing, including profiling, which produces effects in their legal sphere or which significantly affects them in a similar way. The data subject may exercise their rights by means of written communication, specifying the rights they wish to exercise before the controller. The request must be sent to the email of the Data Controller of Hotéis Othon: dpo@othon.com.br. The data subject will be answered regarding their requests within a maximum period of 15 (fifteen) days, counted from the date of the request, as provided for in Art.19 of the LGPD.

Hotéis Othon undertakes to comply with the provisions set forth in the LGPD, in compliance with the following principles set forth in Article 9 of the law:  Principle of Purpose: The data subject's personal data will be used for legitimate, specific, explicit purposes and informed to the data subject, without the possibility of further processing in a manner incompatible with these purposes.  Principle of Adequacy: The data subject's personal data will be processed in a manner appropriate to the purposes informed to the data subject, in accordance with the processing context.  Principle of Necessity: The data subject's personal data will be processed in a manner that is relevant and limited to the needs of the purpose for which they are processed.  Principle of Free Access: The data subject’s personal data will be processed and the data subject will be guaranteed easy and free consultation on the form and duration of processing, as well as on the completeness of their data.  Principle of Data Quality: The data subject’s personal data will be accurate and updated whenever necessary, so that inaccurate data is deleted or rectified whenever possible.  Principle of Transparency: The data subject’s personal data will be processed and the data subject will be guaranteed clear, accurate and easily accessible information, including on the processing agents, except for commercial and industrial secrets. Hotéis Othon SA  Principle of Security: The data subject’s personal data will be processed securely, protected from unauthorized or unlawful processing and against its accidental loss, destruction or damage, adopting appropriate technical or organizational measures.  Principle of Prevention: The data subject’s personal data will be processed, using all measures to prevent the occurrence of damage due to such processing.  Principle of Non-Discrimination: The data subject's personal data will NOT be processed for discriminatory, unlawful or abusive purposes.  Principle of Accountability and Responsibility: The data subject's personal data will be processed by the controller in a manner capable of demonstrating the measures adopted in order to prove compliance with the rules applicable to data protection. All processing of personal data carried out by Hotéis Othon aims to respect the principles mentioned above.

5. WHAT PERSONAL DATA IS PROCESSED BY OTHON HOTELS? Hotéis Othon processes Personal Data of those who are or were customers, of those who had any type of relationship with the company, such as: attorney, employee, former employees, partner of a customer, company or entity with which Hotéis Othon has a relationship or intends to have a relationship. The Personal Data processed varies according to the purposes of use, including those indicated in this Privacy Notice, and the activities carried out. Othon Hotels, by default in its activities, does not process data of minors or adolescents, but if it does so, it will be done exceptionally and provided that it has a lawful legal basis assigned, in accordance with the LGPD. Hotés Othon processes sensitive personal data, in strict compliance with Art. 11 of the LGPD, that is, as long as there is consent from the holder or, in the absence of consent, in cases where the processing is essential for compliance with a legal or regulatory obligation by the controller; regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings; guarantee of fraud prevention and the security of the holder, in the identification and authentication processes of registration in electronic systems, safeguarding the rights mentioned in art. 9th of the law itself and except in the case where fundamental rights and freedoms of the holder prevail, which require the protection of personal data.

6. LEGAL BASIS FOR PROCESSING PERSONAL DATA The LGPD requires that the processing of personal data complies with at least one legal requirement. At Othon Hotels, the legal justifications are as follows:  Consent of the data subject.  Compliance with a legal or regulatory obligation by the controller.  Execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject. Regular exercise of rights in judicial, administrative or arbitration proceedings, the latter under the terms of Law No. 9,307 of September 23, 1996 (Arbitration Law).  Protection of the life or physical safety of the holder or third party.  Legitimate interest of the controller or third party.  Credit Protection. All operational processes that process personal data at Hotéis Othon meet at least one legal requirement.

Hotéis Othon undertakes to apply all technical and organizational measures capable of protecting the personal data processed from unauthorized access and from situations of destruction, loss, alteration, communication or dissemination of such data. To guarantee security, solutions will be adopted that take into account the appropriate techniques, application costs, nature, scope, context and purposes of the processing and the risks to the rights and freedoms of the data subject. However, Hotéis Othon is exempt from liability for the exclusive fault of third parties and the data subject, as provided for in the LGPD itself. Hotéis Othon also undertakes to notify the data subject within an appropriate timeframe in the event of any type of breach of the security of their personal data that may cause them significant risk or harm to their personal rights and freedoms. A personal data breach is a security breach that causes, accidentally or unlawfully, the destruction, loss, disclosure or unauthorized access to personal data transmitted, stored or subject to any other type of processing. The stored personal data is processed ensuring the confidentiality, integrity and availability of the information, within the legal limits.

Hotéis Othon processes personal information in Brazil and in countries that have similar and equivalent legislation. In addition, it maintains specific clauses to ensure correct processing, in line with Brazilian laws and regulations. When Hotéis Othon processes data cross-border, it guarantees respect for the rights and freedoms of data subjects.

PERSONAL – CONTROLLER The controller/responsible for processing the data subject’s personal data is the natural or legal person, public authority or other body that, individually or jointly with others, determines the purposes and means of processing personal data. In this case, the person responsible for processing the personal data processed is Hotéis Othon, which can be contacted by email at contato@othon.com.br

The Data Protection Officer (DPO) is the person appointed by the controller and operator to act as a communication channel between the controller, the data subjects and the National Data Protection Authority (ANPD). In the case of Othon Hotels, the Data Protection Officer (DPO) is Roberto Razuck, who can be contacted at the following email address: dpo@othon.com.br.

11. CHANGES TO THIS PRIVACY NOTICE This Privacy Notice was last updated on 09/14/2022. Hotéis Othon reserves the right to modify this Privacy Notice at any time, so it is recommended that the holder reviews it frequently. Changes and clarifications will take effect immediately upon publication on the company's website.

Othon Hotels are also available through the contacts below: OTHON HOTELS E-mail: telefonia.roph@othon.com.br Telephone: (21) 2106-1500 Address: Av. Nossa Senhora de Copacabana, n° 955 – 2nd floor (part), Copacabana, Rio de Janeiro/RJ – CEP 22060-001 Person in Charge (DPO): dpo@othon.com.br