GENERAL PERSONAL DATA PROTECTION POLICY

ON-VACATION ECUADOR S.A.S. from now on On Vacationis a company committed to safeguarding personal data. In order to keep you informed, we have established a General Policy for the Protection of Personal Data, hereinafter referred to as the "Policy". Policywhich will guide our interactions and procedures related to the Processing of your Personal Data.

1. IDENTIFICATION AND CONTACT DETAILS OF ON VACATION AS CONTROLLER OF PERSONAL DATA

On Vacation is responsiblefor the processing of personal data, its contacts are as follows:

• Address: GALLERY PLAZA Building, Avenida Seis de Diciembre, between Los Naranjos and Tamayo, Parroquia Benalcázar, Cantón Quito, Province of Pichincha.

• Telephone number: 593 98 848 8343

• E-mail: atencionalclienteecuador@onvacation.com

2. SCOPE OF THE POLICY

This Policy applies to candidates or applicants for employment, employees, customers, prospective customers, suppliers, visitors to the facilities and any other third party who has a relationship with On Vacation, who are hereinafter referred to as the owner individually or owners as a whole, involving the Processing of Personal Data.

It is mandatory that employees, consultants, associated companies, business partners, suppliers and in general, any related or related entity acting on behalf of On Vacation comply with this Policy.

This obligation is public knowledge, as the Policy is available on the On Vacation website, which facilitates its disclosure.

TERMS AND DEFINITIONS

The following definitions are established in this Policy, which were obtained from the Organic Law on Personal Data Protection LOPDP, its implementing regulations and other relevant regulations:

1. Personal Data Protection Authority (Superintendencia de Protección de Datos Personales): Independent public authority in charge of supervising the application of this Law, regulations and resolutions issued by it, in order to protect the fundamental rights and freedoms of natural persons, regarding the processing of their personal data.
2. Anonymization: The application of measures aimed at preventing the identification or re-identification of a natural person, without disproportionate efforts.
3. Database: Structured set of data whatever the form, modality of creation, storage, organization, type of support, treatment, processing, location or access, centralized, decentralized or distributed functionally or geographically.
4. Consent: Manifestation of free, specific, informed and unequivocal will, by which the holder of the personal data authorizes the data controller to process the personal data.
5. Personal information: Data that identifies or makes identifiable a natural person, directly or indirectly.
6. Personal credit data: Datathat integrate the economic behavior of natural persons, to analyze their financial capacity.
7. Data relating to health: personal data relating to an individual's physical or mental health, including the provision of health care services, which reveals information about the individual's health status.
8. Sensitive data: Data related to: ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial past, migratory condition, sexual orientation, health, biometric data, genetic data and those whose undue treatment may give rise to discrimination, attempt or may attempt against fundamental rights and freedoms.
9. Data Protection Officer: Natural person in charge of informing the data controller or processor of its legal obligations regarding data protection, as well as of ensuring or supervising regulatory compliance in this regard, and of cooperating with the Personal Data Protection Authority, serving as a point of contact between the latter and the entity responsible for data processing.
10. Recipient: Natural or legal person who has been communicated with personal data.
11. Profiling: Any processing of personal data that allows to evaluate, analyze or predict aspects of a natural person to determine behaviors or standards related to: professional performance, economic situation, health, personal preferences, interests, Ability, location, physical movement of a person, among others.
12. Processor of personal dataNatural or legal person, public or private, public authority, or other body that alone or jointly with others processes personal data on behalf of and for the account of a controller of personal data.
13. Responsible for the processing of personal data: natural or legal person, public or private, public authority, or other body, which alone or jointly with others decides on the purpose and processing of personal data.
14. Data subject: Natural person whose data is the subject of processing.
15. Transfer or communication: Manifestation, declaration, delivery, consultation, interconnection, assignment, transmission, dissemination, disclosure or any form of disclosure of personal data made to a person other than the holder, controller or processor of personal data. The personal data communicated must be accurate, complete and updated.
16. Processing: Any operation or set of operations performed on personal data, whether by technical procedures of an automated, partially automated or non-automated nature, such as: the collection, compilation, obtaining, recording, organization, structuring, conservation, custody, custody, adaptation, modification, deletion, indexing, extraction, consultation, processing, use, possession, exploitation, distribution, assignment, communication or transfer, or any other form of enabling access, matching, interconnection, limitation, suppression, destruction and, in general, any use of personal data.
17. Security breach of personal data: Security incident that affects the confidentiality, availability or integrity of personal data.

4. HOLDERS' RIGHTS AND HOW TO EXERCISE THEM

According to the situations that arise in each case, and in accordance with the Organic Law on Personal Data Protection, the holders have the following rights:

1. Right to information: Data Subjects have the right to receive information about the collection and processing of their personal data, which includes information about On Vacation, the use of their personal data and their rights in relation to the information.
2. Right of access: Data Subjects have the right to know and obtain from the Controller access to their personal data.
3. Right to rectify and update: Data Subjects have the right to obtain from the Data Controller the rectification and updating of their inaccurate or incomplete personal data.
4. Right to erasure: Data Subjects have the right to have their personal data deleted by the Data Controller, when: (a) the processing does not comply with the principles set forth in the Organic Law on Personal Data Protection; (b) the processing is not necessary or relevant for the fulfillment of the purpose for which the data were collected; (c) the purpose for which the data were collected has been fulfilled; (d) the term of conservation of the personal data has expired; (e) the processing of the personal data affects fundamental rights or individual freedoms; (f) the consent of the holder is revoked; and, (g) there is a legal obligation.
5. Right to object: The Holders have the right to oppose or refuse the processing of their personal data, in the following cases: (a) fundamental rights and freedoms of third parties are not affected, the law allows it and it is not public information, of public interest or whose processing is mandated by law; (b) the processing of personal data is for direct marketing purposes, including profiling; their consent to the processing is not required as a result of a legitimate interest, provided for in Article 7 of the LOPDP, and it is justified in a specific personal situation of the Data Subject, provided that a law does not provide otherwise. On Vacation shall cease to process the personal data of the Data Subjects in the aforementioned cases, unless it proves legitimate and compelling grounds for the processing that override its interest, the rights and freedoms of the Data Subjects, or for the formulation, exercise or defense of claims.
6. Right of portability: Data Subjects have the right to request and receive from On Vacation, their personal data in a compatible, updated, structured, common, inter-operable and machine-readable format, preserving its characteristics; or that the same be transferred to another Data Controller, provided that it is technically possible.
7. Right to Suspension of Processing: Data Subjects shall have the right to the suspension of the processing of their personal data when any of the following conditions are met: a) when the accuracy of their data is contested; b) when the processing is unlawful and the data subject requests the limitation of its use instead of its deletion; c) when there is no need of the personal data for the purposes of the processing, but there is a need of the Data Subject for the formulation, exercise or defense of claims.
8. Right not to be subject to a decision based solely or partially on automated assessments: Data Subjects have the right not to be subjected to a decision based solely or partially on assessments that are the product of automated processes, including profiling, that produce legal effects on him or her or that infringe on his or her fundamental rights or freedoms.

On Vacation will verify the legitimacy of your request, which may be sent physically to the address Edificio GALLERY PLAZA, Avenida Seis de Diciembre, between Los Naranjos and Tamayo, parish Benalcázar, Cantón Quito, province of Pichincha or digitally to the e-mail address: atencionalclienteecuador@onvacation.com, and in case the information needs to be clarified or expanded, the Holder may be required, only once and within five (5) days of receipt of the request, to clarify or expand it. The Holder shall have a term of ten (10) days to clarify or expand the request.

Your request to exercise rights will be processed within fifteen (15) days from its submission, or from any extension or clarification thereof. You will not be allowed to exercise rights on behalf of third parties without express written authorization from them.

If your request is not answered in the time indicated by the regulations applicable to the case, or if you consider that the response received violates your rights, you have the right to file a complaint or claim directly to the Data Protection Authority. Likewise, you have the option to revoke your consent at any time in a simple and free manner. To revoke your consent, you can send an email to the address previously provided.

To exercise your rights, you must send your request in writing to the addresses indicated above, and must include at least the following information:

1. Your name and email address to receive response and notifications;
2. A document that accredits its identity as Holder; and,
3. Your request must include a clear and precise description of the personal data with respect to which you seek to exercise any of your rights, your specific request and your signature.

Notwithstanding the foregoing, On Vacation may refuse the request submitted in a reasoned manner. Likewise, On Vacation may keep certain information that you request to be deleted or eliminated, in order to serve as evidence in the event of a possible claim against On Vacation. The duration of such retention shall be for the time necessary according to the legitimate interest of On Vacation to defend itself against any possible claim that the Holder may initiate or for the times that the relevant regulations establish for this purpose.

In the event that the deletion of personal data is relevant, but cannot be carried out due to technical limitations, this data will be anonymized so that it cannot be used to identify or make identifiable the Data Subject.

5. SECURITY MEASURES

On Vacation adopts the necessary security measures for the protection of your information as the Owner of the personal data, in order to avoid its alteration, loss, treatment and/or unauthorized access, taking into consideration the nature of the information and the risks to which it is exposed according to its treatment.

With the purpose of protecting the personal data of the Owners, On Vacation complies with the provisions of the corresponding regulations, adopting technical, organizational and legal security measures. In case of any breach of security of the Personal Data, On Vacation will make the corresponding notifications in accordance with the Organic Law on Personal Data Protection and its implementing regulations.

6. TIME OF CONSERVATION OF PERSONAL DATA

Personal data will be stored only for the time necessary to achieve the purposes of treatment, respecting the deadlines of the regulations applicable to the case and until the expiration of the statute of limitations of the corresponding legal actions. After this time, the data will be deleted or anonymized according to the procedures and tools implemented by On Vacation.

Data collected through video surveillance systems will be retained for a period of up to 15 days, although this period may be extended if required by legal obligation.

For commercial communications and promotion of services, your data will be kept as long as you do not withdraw your consent. You are free to withdraw your consent or object to the processing of your data at any time. In situations where data needs to be kept longer than usual, it will be blocked and will only be accessed to comply with legal and contractual obligations or at the request of a competent authority.

7. DATA SUBJECT TO PROCESSING

On Vacation processes Personal Data only when it has a legitimate basis to do so. We collect this data directly from Data Subjects who provide it voluntarily or through authorized third parties. For example, but not limited to, we obtain Personal Data through our website, social networks, telephone calls, selection processes for vacancies, in connection with employment or commercial contracts, through video surveillance cameras on our premises, publicly accessible sources, etc.

We handle the following categories and typologies of Personal Data, by way of example and without limitation:

1. Special categories of personal data: Credit information, health data, disability information, data on minors.
2. Academic data: Education (degrees or certificates obtained), languages spoken.
3. Contact information: Telephone, home address, e-mail.
4. Economic and financial data: Banking information (bank, account number, type of account), credit or debit card data, commercial references.
5. Identification data: Include names, last names, ID number, RUC, photograph, driver's license, reservation or client code, and signature.
6. Personal data: Marital status, date and place of birth, gender, age, nationality and personal references.
7. Social and family data: Information about relatives, spouse's name, number of dependents, guarantor information.
8. Attendance data: Check-in and check-out times, reason for absences.
9. Professional data: Work experience, position, salary, work references, performance evaluations, employee code, entry and exit dates of employment.

8. PURPOSES OF THE PROCESSING OF THE PERSONAL DATA OF THE HOLDER(S)

On Vacation processes the personal data previously indicated, in order to comply with its corporate purpose; therefore, the processing of this data is based on compliance with legal obligations, the execution of pre-contractual measures, contractual and post-contractual obligations including commercial prospecting, compliance with orders from competent authorities, the safeguarding of the public interest, the protection of the legitimate interests of the company, and the free, specific, informed and unequivocal consent of the Data Subject.

The purposes for which the Personal Data of the Data Controllers are processed are the following:

1. Updating of information: Request periodic updates of the Personal Data provided by the Data Subjects.
2. Storage of information: Retain information on On Vacation media in compliance with applicable regulations.
3. Credit information analysis: Verify Personal Data to perform a credit rating for credit package sales.
4. Statistical, commercial, financial, social and technical analysis and profiling: Analysis to improve products or services according to the needs and interests of the Data Subject.
5. Termination of users: Limit access to On Vacation's information systems to former employees.
6. Supplier qualification: Validate and verify information from potential suppliers.
7. Training: Provide training and updates on topics relevant to the labor relationship with On Vacation employees.
8. Marketing of products and services: Manage sales, prospecting, promotion and marketing of products and services.
9. Verification and verification of the identity and background of applicants: Verify information submitted from On Vacation employee applicants, including criminal, disciplinary, financial and credit history.
10. Communications with applicants: Inform applicants about the status of the selection process.
11. Communications with suppliers: Maintain communications with suppliers on business matters.
12. Communications with employees: Contacting workers about labor and company matters.
13. Hiring of personnel: Formalize the employment relationship by signing contracts and creating human resources folders.
14. Attendance control: Monitor attendance and pay overtime or supplementary hours of the company's workers .
15. Creation of users: Manage access to On Vacation's computer systems for employees.
16. Compliance with tax obligations: Making tax returns, issuing invoices, withholdings and handling other tax obligations.
17. Development, execution and fulfillment of the contractual relationship: Formalizing relationships with customers, delivering contracted products or services and handling related requests. Includes sending Personal Data to related companies or business partners for the development, execution and fulfillment of the relationship.
18. Satisfaction surveys: To evaluate the Cardholder's experience with the products and services contracted with On Vacation.
19. Delivery of equipment: Provide electronic equipment and work tools to workers.
20. Occupational examinations: To verify the Holder's fitness for his/her job functions.
21. Pre-occupational examinations: To assess whether the Incumbent is fit for the job.
22. Management of occupational accidents: Register accidents and manage procedures with relevant public entities.
23. Management of disciplinary actions: Administer sanctions to workers for labor infractions contained in the Internal Labor Regulations.
24. Management of accounting and collection activities: Handle accounting, refinancing and collection tasks.
25. Management of activities with external audit: Send information to external auditors according to corporate regulations.
26. Social security management: Affiliation to the Ecuadorian Institute of Social Security, discounts for contributions and management of contributions to the social security system in order to comply with the relevant regulations.
27. Sweepstakes and event management: Organize and manage events and sweepstakes.
28. Management of requests, complaints or claims: Attending to requirements of Personal Data Holders.
29. Management at the Ministry of Labor: Register the employment relationship in accordance with labor regulations.
30. Corporate management: Comply with the corporate obligations established in the applicable regulations.
31. Payment: Make payments corresponding to suppliers for services rendered or for the delivery of goods, as well as payments of remunerations, benefits of law and discounts applicable to workers.
32. Payment of legal benefits: Manage labor benefit payments and related procedures.
33. Dividend payments: Comply with dividend payments.
34. Payment of utilities: Complywith the payment of utilities according to labor regulations.
35. Requests from competent authorities: Transfer of information concerning personal data when requested by a competent authority.

9. TRANSFER OF PERSONAL DATA

In order to carry out the aforementioned processing, as well as to comply with legal and contractual obligations, ON VACATION may transfer personal data to the following entities:

1. Public sector entities and institutions by reason of their legitimate powers, such as the Internal Revenue Service, the Financial and Economic Analysis Unit, the Superintendency of Banks, judicial and administrative authorities, among others.
2. External auditors to comply with contractual and legal obligations applicable to ON VACATION.
3. Service providers and processors that support the management and compliance activities of the company, including security service providers, legal services, technology platforms and applications, cybersecurity and compliance tool providers, cloud computing solutions, consultants and other professional services.
4. Associated companies to facilitate and optimize the processing of personal data in accordance with the established purposes, ensuring compliance with the principles of relevance, minimization and proportionality of processing, quality, accuracy, and others contemplated in the Organic Law on Personal Data Protection.

The processing of Personal Data may include international transfers of Personal Data, as in the case of information storage servers. For this reason, when these international transfers of Personal Data are made, On Vacation will require that the standards of protection, confidentiality and security are complied with, especially when the transfers are directed to jurisdictions that do not offer adequate levels of protection as defined in the relevant regulations and the decisions made by the Superintendence of Personal Data Protection, or the one that acts as data protection authority.

10. DATA ON CHILDREN, ADOLESCENTS AND THE DISABLED

On Vacation will process Personal Data of children, adolescents and disabled persons when there is the consent of their legal representative duly accredited in the terms set forth in Article 5 of the Regulation of the Organic Law on Personal Data Protection, when there is a legitimate basis that allows the processing or when it is necessary to comply with a legal, contractual or judicial obligation.

Notwithstanding the foregoing, On Vacation reserves the right to remove or delete any information related to the aforementioned individuals, in the event that a Personal Data Subject has shared information.

11. RECORDINGS AND IMAGES FROM SECURITY CAMERAS

On Vacation will process image and video data obtained through video surveillance cameras to ensure the protection of its facilities, its assets and the people accessing the company's properties, as well as to verify the traceability of the processes and the aforementioned data is stored in a system that maintains strict physical and logical security conditions, which can only be accessed by authorized personnel.

The processing is based on the fulfillment of a public interest mission and the legitimate interest of On Vacation.

The recordings are kept for fifteen (15) days, then deleted, and can only be downloaded for security reasons only.

12. MODIFICATIONS TO DATA PROTECTION POLICIES

On Vacation may modify, update, or add changes to this General Personal Data Protection Policy at any time, in order to ensure that it is in accordance with any regulatory changes that may appear in the field of data protection. Any change, update or addition to this Policy will be notified through the official channels of On Vacation, urging the Holders to review the update of this document.