1. INTRODUCTION

The purpose of this Policy is to demonstrate the commitment of the WISH GROUP. (“WISH Group” or “we” / “our”), with the privacy and protection of your Personal Data, in addition to establishing the rules on the Processing of Personal Data, within the scope of the services and functionalities of the websites listed below (“ Site"), in accordance with the laws in force, with transparency and clarity:

https://www.grupowish.com.br/https://www.wishhotels.com.br/https://www.prodigyhotels.com.br/https://www.linxhotels.com.br/https://www.marupiarahotel.com.br/

As a condition for accessing and using the Website's functionalities, You declare that you have read this Policy completely and carefully, being fully aware, thus granting your free and express agreement with the terms stipulated herein, including the collection of the Data mentioned herein, as well as its use for the purposes specified below.

If you do not agree with the provisions of this Policy, we ask that you discontinue accessing or using the Site.

2. DATA THAT THE WISH GROUP HANDLES

2.1. How We Collect Data. Data, including Personal Data, may be collected when You submit them (Registration and Payment Data) or when You interact with the Site (Digital Identification Data).

2.1.1. The Data processed includes: REGISTRATION DATA

What do we collect? Name and Surname CPF/NIF Passport E-mail Date of birth Zip Code Phone Address (Street, City, State and Country)

What do we collect for? (i) Identify and authenticate You. (ii) Confirm hotel reservations made by You. (iii) Contact You. (iv) Expand our relationship and keep You updated on news, content, news and other events that we deem relevant. (v) Enrich your experience with us and promote our products and services. (vi) Issue Invoice. (vii) Investigate complaints made on our Whistleblowing Channel and take the necessary measures (viii) Protect You by preventing fraud, protecting credit and associated risks, in addition to complying with legal and regulatory obligations.

DIGITAL IDENTIFICATION DATA

What do we collect? IP Address and Logical Port of Origin Device (operating system version) Browser Geolocation Date and time stamps of each action you perform on the Site (Logs) Which screens you accessed Session ID Cookies

What do we collect for? (i) Identify and authenticate You. (ii) Comply with legal obligations to maintain records (Logs) established by Marco Civil da Internet - Law 12.965/2014. (iii) Protect You by performing fraud prevention, credit protection and associated risks, in addition to complying with legal and regulatory obligations.

PAYMENT DATA

What do we collect? Credit card number and security code

What do we collect for? (i) Comply with legal obligations and our contract by sharing the Data with the third party responsible for processing the payment.

2.1.2. If You register on the Site using a third-party service account, such as your Facebook, LinkedIn or Google profile, we may have access to publicly accessible Registration Data made available by those services. You will be informed, at the time of registration, which of these Data we will have access to.

2.2. Required data. Some of our services directly depend on some Data reported in the table above, mainly Registration and Payment Data. If you choose not to provide some of this Data, we may be unable to provide all or part of our services to You.

2.3. Updating and Veracity of Data. You are solely responsible for the accuracy, veracity or lack thereof in relation to the Data you provide or for its outdatedness. Please note that it is your responsibility to ensure accuracy or keep them up to date.

2.3.1. Likewise, GRUPO WISH is not obliged to process or treat any of your Data if there are reasons to believe that such processing or treatment may impute any violation of any applicable law to us, or if You are using the Site for any illegal purposes, unlawful or contrary to morality.

2.4. Data base. The database formed through the collection of Data is our property and is under our responsibility, and its use, access and sharing, when necessary, will be done within the limits and purposes of the business described in this Policy.

2.5. Technologies employed. We use the following technology(s):

(i) Cookies, it being up to You to configure your Internet browser if you wish to block them. In this case, some functionalities that we offer may be limited.

3. HOW YOUR DATA AND INFORMATION IS SHARED

3.1. Hypotheses for sharing the Data. Collected Data and recorded activities may be shared:

(i) With our suppliers and business partners, with whom we have entered into contractual obligations for the security and protection of personal data. Providers include data hosting and server companies; security companies, such as the one responsible for managing the reporting channel; payment method company, responsible for processing the payment of reservations made on the Site; (ii) With competent judicial, administrative or governmental authorities, whenever there is a legal determination, request, requisition or court order; (iii) Automatically, in case of corporate movements, such as mergers, acquisitions and incorporations.

3.2. Data Anonymization. For the purposes of market intelligence research, disclosing data to the press and carrying out advertisements, the data provided by You will be shared anonymously, that is, in a way that does not allow your identification.

4. PROTECTING YOUR DATA

4.1. Password sharing. You are also responsible for the secrecy of your Personal Data and you must always be aware that sharing passwords and access data violates this Policy and compromises the security of your Personal Data and the Site.

4.2. Precautions You Should Take. It is very important that You take the necessary precautions against unauthorized access to Your computer/smartphone, account or password, in addition to making sure You always click on “Exit” when ending your browsing on a shared computer. It is also very important that You know that GRUPO WISH never sends emails requesting confirmation of data or with attachments that can be executed (extensions: .exe, .com, among others) or even links to eventual downloads.

4.3. Information security. All credit card payment transactions are performed using SSL (secure socket layer) technology, ensuring that your Personal Data is not unlawfully disclosed. In addition, this technology aims to prevent information from being transmitted or accessed by third parties.

4.4. Access to Personal Data, proportionality and relevance. Internally, the Personal Data collected is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity and relevance for the purposes of our business, in addition to the commitment to confidentiality and preservation of your privacy under the terms of this Policy.

4.5. External Links. When using the Site, You may be led, via link, to third-party platforms that may collect your information and have their own Data Processing Policy.

4.5.1. It will be up to you to read the Privacy Policy of such third-party platforms, and it is your responsibility to accept or reject it. We are not responsible for the Privacy Policies of third parties nor for the content or services of any websites other than ours.4.5.2. Partner services. We have commercial partners who, eventually, can offer services through functionalities or sites that can be accessed from our Site. The Personal Data provided by You to these partners will be their responsibility, thus being subject to their own data processing practices.

4.6. Processing by third parties under our policy. If third-party companies carry out the Processing on our behalf of any Personal Data we collect, they will obligatorily respect the conditions stipulated herein and the information security standards.

4.7. Email communication. To optimize and improve our communication, when we send you an email, we may receive a notification when they are opened, provided this possibility is available. It is important that you pay attention, as emails are only sent through the “@grupowish.com” domain.

5. HOW WE STORE YOUR PERSONAL DATA AND ACTIVITY REGISTRATION

5.1. Personal Data are stored only for as long as necessary to fulfill the purposes for which they were collected, unless there is another reason for their maintenance, such as compliance with legal, regulatory, contractual obligations, audit purposes, fraud control, security and preservation of rights of the WISH GROUP, provided they are duly substantiated.

5.2. The Personal Data collected will be stored on our servers located [•], as well as in an environment using resources or servers in the cloud (cloud computing), which may require a transfer and/or processing of this Data outside Brazil.

6. YOUR RIGHTS

6.1. Your Basic Rights. You may request confirmation of the existence, display, limitation, opposition to the processing of Personal Data, in addition to revoking consent, through our Service Channel.

6.1.1. As long as you maintain an active account with us, correction of your Personal Data can be done directly in the login area of the Site.6.1.2. If you withdraw your consent for purposes fundamental to the functioning of services on the Site, such services may become unavailable to you.6.1.3. If you request the deletion of your Personal Data, it may happen that the Personal Data needs to be kept for a period longer than the deletion request, pursuant to article 16 of the General Law on the Protection of Personal Data, for (i) compliance with a legal obligation or regulatory, (ii) study by a research body, and (iii) transfer to a third party (respecting the data processing requirements set forth in the same Law). In all cases by anonymizing Personal Data, whenever possible.6.1.4. At the end of the maintenance period and the legal necessity, the Personal Data will be deleted using safe disposal methods or used anonymously for statistical purposes.6.1.5. In case of doubts about the protection of personal data or requests for any related information, it is possible to contact the Data Protection Officer of GRUPO WISH Hotels and Resorts through the email: lgpd@grupowish.com.

7. GENERAL PROVISIONS

7.1. Content change and update. You acknowledge our right to change the content of this Policy at any time, according to the purpose or need, such as for adequacy and legal compliance with a provision of law or rule that has equivalent legal force.

7.1.1. Occurring updates to this document, You will be notified through the contact channels that You inform.

7.2. Inapplicability. If any point of this Policy is considered inapplicable by a Data Authority or court, the other conditions will remain in full force and effect.

7.3. Electronic Communication. You acknowledge that all communication made by e-mail (to the address informed by You), SMS, instant communication applications or any other digital form, are also valid, effective and sufficient for the disclosure of any subject that refers to the services we provide. , your Personal Data, as well as the conditions of its provision or any other subject addressed therein, with the exception of only what this Policy provides as such.

7.4. Service Channels. In case of any doubt regarding the provisions contained in this Privacy Policy, you may contact us through the Service Channels indicated below:

(i) Contact Us: https://www.grupowish.com.br(ii) Call Center: 0800 600 8088 or reservas@grupowish.com(iii) Official Social Networks: @grupowish and Grupo Wish(iv) Channel Reports: http://canalconfidencial.grupowish.com

7.5. Applicable law and venue. This Policy will be interpreted in accordance with Brazilian law, in the Portuguese language, with the jurisdiction of your domicile being elected to resolve any controversy involving this document, unless there is a specific exception of personal, territorial or functional competence under applicable law.

7.5.1. If you do not have a domicile in Brazil, and because the services offered by GRUPO WISH only take place in the national territory, you agree to submit to Brazilian legislation, agreeing, therefore, that in the event of a dispute to be resolved, the action must be proposal in the Forum of the Judicial District of São Paulo.

8. GLOSSARY

8.1. For the purposes of this Policy, the following definitions and descriptions should be considered for your better understanding:

(i) Anonymization: Use of reasonable technical means available at the time of Processing, through which data loses the possibility of association, directly or indirectly, with an individual. (ii) Cloud Computing: Or cloud computing, is technology service virtualization built from the interconnection of more than one server through a common information network (eg the Internet), with the aim of reducing costs and increasing the availability of sustained services.(iii) Access Account : Credential necessary to use or access the exclusive functionalities of the Site. (iv) Cookies: Small files sent by the Site, saved on your devices, which store preferences and little other information, with the purpose of customizing your navigation according to the your profile.(v) Personal Data: Data related to an identified or identifiable natural person.(vi) Session ID: User session identification when accessing Our Environments is performed.(vii) IP: Abbreviation for Internet Protocol. It is an alphanumeric set that identifies users' devices on the Internet;(viii) Logs: Records of activities of any users who use the Site.(ix) Site: Designates the electronic address https://www.grupowish.com.br/ and its subdomains(x) Processing: All operations carried out with Personal Data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion or extraction.(xi) Website: Designates electronic addresses: https://www.grupowish.com.br/https://www.wishhotels.com.br/https:// www.prodigyhotels.com.br/https://www.linxhotels.com.br/https://www.marupiarahotel.com.br/