GENERAL PERSONAL DATA PROTECTION POLICY

ON-VACATION ECUADOR S.A.S., hereinafter On Vacation, is a company committed to safeguarding personal data. To keep you informed, we have established a General Personal Data Protection Policy, hereinafter Policy, which will guide our interactions and procedures related to the processing of your personal data.

1. IDENTIFICATION AND CONTACT INFORMATION FOR ON VACATION THE CONTROLLER OF PERSONAL DATA

On Vacation thedata controller; its contact information is as follows:

• Address: GALLERY PLAZA Building, Avenida Seis de Diciembre, between Los Naranjos and Tamayo, Parroquia Benalcázar, Cantón Quito, Province of Pichincha.

• Telephone number: 593 98 848 8343

• E-mail: atencionalclienteecuador@onvacation.com

2. SCOPE OF THE POLICY

This Policy applies to job applicants, employees, customers, prospective customers, suppliers, visitors to our facilities, and any other third parties who have a relationship with On Vacation, who will hereinafter be referred to as data subject individually or data subjects collectively, where such relationship involves the Processing of Personal Data.

It is mandatory that employees, consultants, affiliated companies, business partners, suppliers, and, in general, any related or affiliated entity acting on behalf of On Vacation with this Policy.

This obligation is public knowledge, as the Policy is available on the On Vacation website, which facilitates its dissemination.

TERMS AND DEFINITIONS

The following definitions are established in this Policy, which were obtained from the Organic Law on Personal Data Protection LOPDP, its implementing regulations and other relevant regulations:

1. Personal Data Protection Authority (Superintendencia de Protección de Datos Personales): Independent public authority in charge of supervising the application of this Law, regulations and resolutions issued by it, in order to protect the fundamental rights and freedoms of natural persons, regarding the processing of their personal data.
2. Anonymization: The application of measures aimed at preventing the identification or re-identification of a natural person, without disproportionate efforts.
3. Database: Structured set of data whatever the form, modality of creation, storage, organization, type of support, treatment, processing, location or access, centralized, decentralized or distributed functionally or geographically.
4. Consent: Manifestation of free, specific, informed and unequivocal will, by which the holder of the personal data authorizes the data controller to process the personal data.
5. Personal information: Data that identifies or makes identifiable a natural person, directly or indirectly.
6. Personal credit data: Datathat integrate the economic behavior of natural persons, to analyze their financial capacity.
7. Data relating to health: personal data relating to an individual's physical or mental health, including the provision of health care services, which reveals information about the individual's health status.
8. Sensitive data: Data related to: ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial past, migratory condition, sexual orientation, health, biometric data, genetic data and those whose undue treatment may give rise to discrimination, attempt or may attempt against fundamental rights and freedoms.
9. Data Protection Officer: Natural person in charge of informing the data controller or processor of its legal obligations regarding data protection, as well as of ensuring or supervising regulatory compliance in this regard, and of cooperating with the Personal Data Protection Authority, serving as a point of contact between the latter and the entity responsible for data processing.
10. Recipient: Natural or legal person who has been communicated with personal data.
11. Profiling: Any processing of personal data that allows to evaluate, analyze or predict aspects of a natural person to determine behaviors or standards related to: professional performance, economic situation, health, personal preferences, interests, Ability, location, physical movement of a person, among others.
12. Processor of personal dataNatural or legal person, public or private, public authority, or other body that alone or jointly with others processes personal data on behalf of and for the account of a controller of personal data.
13. Responsible for the processing of personal data: natural or legal person, public or private, public authority, or other body, which alone or jointly with others decides on the purpose and processing of personal data.
14. Data subject: Natural person whose data is the subject of processing.
15. Transfer or communication: Manifestation, declaration, delivery, consultation, interconnection, assignment, transmission, dissemination, disclosure or any form of disclosure of personal data made to a person other than the holder, controller or processor of personal data. The personal data communicated must be accurate, complete and updated.
16. Processing: Any operation or set of operations performed on personal data, whether by technical procedures of an automated, partially automated or non-automated nature, such as: the collection, compilation, obtaining, recording, organization, structuring, conservation, custody, custody, adaptation, modification, deletion, indexing, extraction, consultation, processing, use, possession, exploitation, distribution, assignment, communication or transfer, or any other form of enabling access, matching, interconnection, limitation, suppression, destruction and, in general, any use of personal data.
17. Security breach of personal data: Security incident that affects the confidentiality, availability or integrity of personal data.

4. HOLDERS' RIGHTS AND HOW TO EXERCISE THEM

According to the situations that arise in each case, and in accordance with the Organic Law on Personal Data Protection, the holders have the following rights:

1. Right to information: Data subjects have the right to receive information regarding the collection and processing of their personal data, including information about On Vacation, the use of their personal data, and their rights regarding that information.
2. Right of access: Data Subjects have the right to know and obtain from the Controller access to their personal data.
3. Right to rectify and update: Data Subjects have the right to obtain from the Data Controller the rectification and updating of their inaccurate or incomplete personal data.
4. Right to erasure: Data Subjects have the right to have their personal data deleted by the Data Controller, when: (a) the processing does not comply with the principles set forth in the Organic Law on Personal Data Protection; (b) the processing is not necessary or relevant for the fulfillment of the purpose for which the data were collected; (c) the purpose for which the data were collected has been fulfilled; (d) the term of conservation of the personal data has expired; (e) the processing of the personal data affects fundamental rights or individual freedoms; (f) the consent of the holder is revoked; and, (g) there is a legal obligation.
5. Right to object: Data subjects have the right to object to or refuse the processing of their personal data in the following cases: a) provided that the fundamental rights and freedoms of third parties are not affected, the law permits it, and the information is not public, in the public interest, or required to be processed by law; b) where the processing of personal data is for the purpose of direct marketing, including profiling; their consent is not required for the processing as a result of a legitimate interest, as provided for in Article 7 of the LOPDP, and is justified by a specific personal situation of the Data Subject, provided that no law provides otherwise. On Vacation processing the Data Subjects’ personal data in the aforementioned cases, unless it can demonstrate legitimate and compelling reasons for the processing that override the Data Subjects’ interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
6. Right to data portability: Data subjects have the right to request and receive from On Vacation their personal data in a compatible, up-to-date, structured, commonly used, interoperable, and machine-readable format, preserving its characteristics; or to have such data transferred to another controller, provided that this is technically feasible.
7. Right to Suspension of Processing: Data Subjects shall have the right to the suspension of the processing of their personal data when any of the following conditions are met: a) when the accuracy of their data is contested; b) when the processing is unlawful and the data subject requests the limitation of its use instead of its deletion; c) when there is no need of the personal data for the purposes of the processing, but there is a need of the Data Subject for the formulation, exercise or defense of claims.
8. Right not to be subject to a decision based solely or partially on automated assessments: Data Subjects have the right not to be subjected to a decision based solely or partially on assessments that are the product of automated processes, including profiling, that produce legal effects on him or her or that infringe on his or her fundamental rights or freedoms.

On Vacation the validity of your request, which may be submitted in person at the following address: GALLERY PLAZA Building, Avenida Seis de Diciembre, between Los Naranjos and Tamayo, Benalcázar Parish, Quito Canton, Pichincha Province, or electronically via email to: atencionalclienteecuador@onvacation.com, and if the information requires clarification or further details, the Data Subject may be asked, on a one-time basis and within five (5) days of receiving the request, to clarify or provide additional details. The Data Subject will have ten (10) days to clarify or provide additional details regarding the request.

Your request to exercise rights will be processed within fifteen (15) days from its submission, or from any extension or clarification thereof. You will not be allowed to exercise rights on behalf of third parties without express written authorization from them.

If your request is not answered in the time indicated by the regulations applicable to the case, or if you consider that the response received violates your rights, you have the right to file a complaint or claim directly to the Data Protection Authority. Likewise, you have the option to revoke your consent at any time in a simple and free manner. To revoke your consent, you can send an email to the address previously provided.

To exercise your rights, you must send your request in writing to the addresses indicated above, and must include at least the following information:

1. Your name and email address to receive response and notifications;
2. A document that accredits its identity as Holder; and,
3. Your request must include a clear and precise description of the personal data with respect to which you seek to exercise any of your rights, your specific request and your signature.

Notwithstanding the foregoing, On Vacation refuse a request if it provides a valid reason for doing so. Likewise, it may retain certain information that you request to be deleted or removed, so that it may serve as evidence in the event of a claim against On Vacation. Such retention will continue for as long as necessary based on On Vacation legitimate interest On Vacation defending itself against any potential claim that the Data Subject may file, or for the period established by applicable regulations for that purpose.

In the event that the deletion of personal data is relevant, but cannot be carried out due to technical limitations, this data will be anonymized so that it cannot be used to identify or make identifiable the Data Subject.

5. SECURITY MEASURES

On Vacation the necessary security measures to protect your information as the data subject, in order to prevent its alteration, loss, unauthorized processing, and/or unauthorized access, taking into account the nature of the information and the risks to which it is exposed depending on how it is processed.

In order to protect the personal data of data subjects, On Vacation with the provisions of applicable regulations by implementing technical, organizational, and legal security measures. In the event of any personal data breach, On Vacation the appropriate notifications in accordance with the Organic Law on the Protection of Personal Data and its implementing regulations.

6. TIME OF CONSERVATION OF PERSONAL DATA

Personal data will be stored only for as long as necessary to fulfill the purposes of processing, in accordance with the time limits set forth in the applicable regulations, and until the statute of limitations for the relevant legal actions has expired. After this period, the data will be deleted or anonymized in accordance with the procedures and tools implemented by On Vacation.

Data collected through video surveillance systems will be retained for a period of up to 15 days, although this period may be extended if required by legal obligation.

For commercial communications and promotion of services, your data will be kept as long as you do not withdraw your consent. You are free to withdraw your consent or object to the processing of your data at any time. In situations where data needs to be kept longer than usual, it will be blocked and will only be accessed to comply with legal and contractual obligations or at the request of a competent authority.

7. DATA SUBJECT TO PROCESSING

On Vacation Personal Data only when it has a legitimate basis for doing so. We collect this data directly from Data Subjects who provide it voluntarily or through authorized third parties. For example, but not limited to, we obtain Personal Data through our website, social media, phone calls, recruitment processes for job openings, in connection with employment or commercial contracts, through video surveillance cameras at our facilities, publicly available sources, etc.

We handle the following categories and typologies of Personal Data, by way of example and without limitation:

1. Special categories of personal data: Credit information, health data, disability information, data on minors.
2. Academic data: Education (degrees or certificates obtained), languages spoken.
3. Contact information: Telephone, home address, e-mail.
4. Economic and financial data: Banking information (bank, account number, type of account), credit or debit card data, commercial references.
5. Identification data: Include names, last names, ID number, RUC, photograph, driver's license, reservation or client code, and signature.
6. Personal data: Marital status, date and place of birth, gender, age, nationality and personal references.
7. Social and family data: Information about relatives, spouse's name, number of dependents, guarantor information.
8. Attendance data: Check-in and check-out times, reason for absences.
9. Professional data: Work experience, position, salary, work references, performance evaluations, employee code, entry and exit dates of employment.

8. PURPOSES OF THE PROCESSING OF THE PERSONAL DATA OF THE HOLDER(S)

On Vacation the personal data described above in order to fulfill its corporate purpose; therefore, the processing of this data is based on compliance with legal obligations, the implementation of pre-contractual measures, contractual and post-contractual obligations—including commercial prospecting—compliance with orders from competent authorities, the safeguarding of the public interest, the protection of the company’s legitimate interests, and the free, specific, informed, and unambiguous consent of the Data Subject.

The purposes for which the Personal Data of the Data Controllers are processed are the following:

1. Updating of information: Request periodic updates of the Personal Data provided by the Data Subjects.
2. Data storage: Store information on On Vacation Vacation’s media On Vacation compliance with applicable regulations.
3. Credit information analysis: Verify Personal Data to perform a credit rating for credit package sales.
4. Statistical, commercial, financial, social and technical analysis and profiling: Analysis to improve products or services according to the needs and interests of the Data Subject.
5. User logout: Restrict access to On Vacation Vacation’s information systems On Vacation former employees.
6. Supplier qualification: Validate and verify information from potential suppliers.
7. Training: Provide training and refresher courses on topics relevant to the employment relationship with On Vacation employees.
8. Marketing of products and services: Manage sales, prospecting, promotion and marketing of products and services.
9. Checking and verifying the identity and background of applicants: Verify the information provided by applicants for positions at On Vacation, including criminal, disciplinary, financial, and credit history.
10. Communications with applicants: Inform applicants about the status of the selection process.
11. Communications with suppliers: Maintain communications with suppliers on business matters.
12. Communications with employees: Contacting workers about labor and company matters.
13. Hiring of personnel: Formalize the employment relationship by signing contracts and creating human resources folders.
14. Attendance control: Monitor attendance and pay overtime or supplementary hours of the company's workers .
15. User creation: Manage On Vacation access to On Vacation ’s computer systems.
16. Compliance with tax obligations: Making tax returns, issuing invoices, withholdings and handling other tax obligations.
17. Development, execution and fulfillment of the contractual relationship: Formalizing relationships with customers, delivering contracted products or services and handling related requests. Includes sending Personal Data to related companies or business partners for the development, execution and fulfillment of the relationship.
18. Satisfaction surveys: To evaluate the Customer’s experience with the products and services purchased from On Vacation.
19. Delivery of equipment: Provide electronic equipment and work tools to workers.
20. Occupational examinations: To verify the Holder's fitness for his/her job functions.
21. Pre-occupational examinations: To assess whether the Incumbent is fit for the job.
22. Management of occupational accidents: Register accidents and manage procedures with relevant public entities.
23. Management of disciplinary actions: Administer sanctions to workers for labor infractions contained in the Internal Labor Regulations.
24. Management of accounting and collection activities: Handle accounting, refinancing and collection tasks.
25. Management of activities with external audit: Send information to external auditors according to corporate regulations.
26. Social security management: Affiliation to the Ecuadorian Institute of Social Security, discounts for contributions and management of contributions to the social security system in order to comply with the relevant regulations.
27. Sweepstakes and event management: Organize and manage events and sweepstakes.
28. Management of requests, complaints or claims: Attending to requirements of Personal Data Holders.
29. Management at the Ministry of Labor: Register the employment relationship in accordance with labor regulations.
30. Corporate management: Comply with the corporate obligations established in the applicable regulations.
31. Payment: Make payments corresponding to suppliers for services rendered or for the delivery of goods, as well as payments of remunerations, benefits of law and discounts applicable to workers.
32. Payment of legal benefits: Manage labor benefit payments and related procedures.
33. Dividend payments: Comply with dividend payments.
34. Payment of utilities: Complywith the payment of utilities according to labor regulations.
35. Requests from competent authorities: Transfer of information concerning personal data when requested by a competent authority.

9. TRANSFER OF PERSONAL DATA

In order to carry out the aforementioned processing activities, as well as to comply with legal and contractual obligations, ON VACATION transfer personal data to the following entities:

1. Public sector entities and institutions by reason of their legitimate powers, such as the Internal Revenue Service, the Financial and Economic Analysis Unit, the Superintendency of Banks, judicial and administrative authorities, among others.
2. External auditors to ensure compliance with the contractual and legal obligations applicable to ON VACATION.
3. Service providers and processors that support the management and compliance activities of the company, including security service providers, legal services, technology platforms and applications, cybersecurity and compliance tool providers, cloud computing solutions, consultants and other professional services.
4. Associated companies to facilitate and optimize the processing of personal data in accordance with the established purposes, ensuring compliance with the principles of relevance, minimization and proportionality of processing, quality, accuracy, and others contemplated in the Organic Law on Personal Data Protection.

The processing of Personal Data may involve international transfers of such data, such as in the case of data storage servers. For this reason, when such international transfers of Personal Data are made, On Vacation compliance with protection, confidentiality, and security standards, especially when transfers are directed to jurisdictions that do not offer adequate levels of protection as defined in relevant regulations and decisions made by the Superintendency of Personal Data Protection, or the entity acting as the data protection authority.

10. DATA ON CHILDREN, ADOLESCENTS AND THE DISABLED

On Vacation process the personal data of children, adolescents, and persons with disabilities when it has obtained the consent of their duly authorized legal representative in accordance with the terms set forth in Article 5 of the Regulations of the Organic Law on the Protection of Personal Data, when it has a legitimate basis for such processing, or when it is necessary to comply with a legal, contractual, or judicial obligation.

Notwithstanding the foregoing, On Vacation the right to remove or delete any information related to the aforementioned individuals in the event that a Data Subject has shared such information.

11. RECORDINGS AND IMAGES FROM SECURITY CAMERAS

On Vacation image and video data obtained through video surveillance cameras to ensure the protection of its facilities, its property, and the individuals who access the company’s premises, as well as to verify the traceability of processes. This data is stored in a system that maintains strict physical and logical security measures and is accessible only to authorized personnel.

The processing is based on the fulfillment of a public interest mission and on On Vacation Vacation’s legitimate interest.

The recordings are kept for fifteen (15) days, then deleted, and can only be downloaded for security reasons only.

12. MODIFICATIONS TO DATA PROTECTION POLICIES

On Vacation modify, update, or make changes to this General Personal Data Protection Policy at any time to ensure that it complies with any changes in data protection regulations that may arise. Any changes, updates, or additions to this Policy will be communicated through On Vacations official channels, and Data Subjects are encouraged to review the updated version of this document.