The following entities will manage your personal data as parties that are Jointly Responsible for Data Control:

• Hesperia World S.L.U., (hereinafter “Hesperia”), with Fiscal ID number B-67301242, and business address at Avenida Mare de Déu de Bellvitge, number 3, 08907 l’Hospitalet de Llobregat (Barcelona).

• The mercantile societies dedicated to the management and operation of the hotels that form part of the Hesperia Group (hereinafter “the Hotels”), although not all of the aforementioned hotels, will have access to or deal with your personal data, only the specific hotel that you have booked and/or that you stay in (hereinafter “the Hotel”).

We would also like to inform you that the Group to which Hesperia and the Hotels belong has a Data Protection Delegate who you can contact via the following email address: DPO@hesperiaworld.com

All the fields on the form marked with an asterisk [*] must be completed as the omission of any of these fields could mean that it is impossible to attend to your petition, to provide the services requested or to proceed to send the requested or authorised communications. You must provide accurate information, with the use of an alias or other means of disguising your identity being forbidden.

In order that the information provided is always up to date and contains no errors, you should inform Hesperia, as soon as possible, of any changes or corrections to your personal data, either by contacting reception at our hotels or by writing to the following email address: protecciondedatos@hesperiaworld.com.

Also, you declare that the information and the data you have provided is accurate and true.

To process bookings, we may contract service providers who will communicate your data to us. The data categories that we receive and that, as a result, we will use are those corresponding to identification and banking data that are necessary to correctly process your booking.

To follow, we describe the different purposes for which Hesperia and the Hotels will use your personal data, the bases that legitimise that processing and the duration of storage of said data. Hesperia and the Hotel may jointly process your personal data in order to:

• To manage the reservation you make at one of our hotels through any channel. This processing is based on the pre-contractual measure you request when you make said reservation, contracting our services. Your data will be kept until the date you make the reservation for and, in the event that you finally stay at the hotel in question, for the duration of our contractual relationship, and may subsequently be kept blocked for the periods arising from the statute of limitations for legal actions related to this processing.

• To deal, by telephone or e-mail, with requests, queries, complaints and/or claims submitted through the "do you need help?" form on this website, on the basis of the consent that, where applicable, you give when sending the corresponding request, query, complaint or claim. Your data will be kept until the query, request, complaint or claim raised has been resolved, and may subsequently be kept blocked for the periods deriving from the statute of limitations of legal actions related to this processing.

• To manage check-in, accommodation and check-out, as well as to process the payment of the contracted service. This processing of personal data will be carried out on the basis of the contractual relationship you have with us. Your data will be kept for the duration of our contractual relationship, and may subsequently be kept blocked for the periods arising from the statute of limitations for legal actions related to this processing.

• To manage your registration with Hesperia for the purpose of creating a global database of the entities that make up the Hesperia Group to facilitate check-in processes, based on the legitimate interest in sending personal data within the Group for internal administrative purposes. The data processed for this purpose will be kept for the duration of our contractual relationship, and may subsequently be kept blocked during the periods arising from the statute of limitations of legal actions related to this processing.

For its part, the Hotel may process your personal data in order to:

• To manage the sending, by any means, of messages related to the stay you have booked, as well as messages of an informative nature related to the opportunities offered by the city in which the hotel is located. These communications are based on the legitimate interest of the hotel in which you make a reservation, to keep our guests informed about issues that we believe may be of their interest because they are related to their stay. The data processed for this purpose will be kept until you unsubscribe from such messages or after 2 years have elapsed since your last interaction with us. However, also in this case, your personal data may be subsequently blocked for the time periods arising from the statute of limitations of legal actions related to this processing.

• To manage the provision of services additional to accommodation, such as requests for flowers, excursions, catering services, special services on special dates, which you may request at the time of check-in; and to manage the payment of the same. This data processing is based on the contractual relationship you have with us. With regard to the processing of health data for the provision of catering services, these will be processed on the basis of the consent given by you when you provide them to the Hotel. The data processed for this purpose will be kept for the duration of our contractual relationship, or, in the case of health data, until you revoke your consent. However, the data may be subsequently blocked for the time periods arising from the statute of limitations of legal actions related to this processing.

• To contact medical care services when you so require. In cases of medical emergency, your data will be processed for the protection of your vital interests. In cases where it is not a medical emergency, the data will be processed on the basis of the contractual relationship you have with us. Your data will be retained for the duration of our contractual relationship. However, the data may be subsequently blocked for the time periods arising from the statute of limitations of legal actions related to this processing.

• To carry out satisfaction surveys, based on the legitimate interest of the Hotel in which you make a reservation in knowing your degree of satisfaction with the services provided by the same. Your data will be kept until you object to their processing, or after 2 years have elapsed since your last interaction with us. Subsequently, your data may be kept blocked for the time periods arising from the statute of limitations of legal actions related to this processing.

• To manage the requests you make on using the customer services of the hotel you are staying in by means of the WhatsApp Business tool. The data you provide when communicating with us through this channel will be processed for the sole purpose of dealing with your request or providing you with the service you request. This data processing is based on the consent that, where appropriate, you give when you accept the use of the channel and when you contact us of your own volition. Without prejudice to the foregoing, in the event that as a result of your request we have to process your personal data to deal with a matter related to the services that you have previously contracted from us, which will be processed on the basis of the performance of the contractual relationship that you continue to have with the hotel. The data processed for this purpose will be kept until you revoke your consent and, when related to the services you have previously contracted, for as long as our contractual relationship continues. However, the data may be subsequently blocked for the time periods arising from the statute of limitations of legal actions related to this processing. Likewise, regardless of the aforementioned retention period, the conversations held through this channel will be deleted after [to be determined] from the last message [sent or received, to be determined depending on what the tool allows].

For its part, Hesperia may process your personal data in order to:

• Manage the sending, by any means, of offers and promotions of the services offered by the hotels that make up the Hesperia Group, as well as information about events organised by said hotels or news offered by them. These communications are made on the basis of the consent that, where appropriate, you give for this purpose. In the event that you have given us your consent, your data will be kept until you revoke the consent, where applicable, or after 2 years have elapsed since your last interaction with us, and may subsequently be kept blocked for the periods deriving from the statute of limitations of legal actions related to this processing.

• To manage the sending of commercial communications through social networks based on the consent that, where appropriate, you have given us by being a "follower" or "friend" of our profiles. Your data will be kept until you revoke the consent, if any, given, or after 2 years have elapsed since your last interaction with us, and may subsequently be kept blocked for the periods arising from the statute of limitations of legal actions related to this processing.

• To manage the sending, by any means, of commercial communications relating to news and offers related to the catering, insurance, entertainment, wellness and aeronautical sectors. These communications are made on the basis of the consent that, where appropriate, you give for this purpose. In the event that you have given us your consent, your data will be kept until you revoke the consent, where applicable, or after 2 years have elapsed since your last interaction with us, and may subsequently be kept blocked for the periods deriving from the statute of limitations of legal actions related to this processing.

• To draw up commercial profiles based on the consent that, where appropriate, you give us. Your data will be kept until you revoke the consent, if any, given, or after 2 years have elapsed since your last interaction with us, and may subsequently be kept blocked for the periods arising from the statute of limitations of legal actions related to this processing.

Where you have given consent, your data will be stored until you revoke that consent, however, your personal data may subsequently be retained for the period of time derived from the prescription of legal actions related to this usage.

• To manage the sending of commercial communications via social media based on the consent that, where appropriate, you have given us as a "follower" or "friend" of our profiles.

Your data will be stored until you revoke the consent that you had given, however, your personal data may subsequently be retained for the period of time derived from the prescription of legal actions related to this usage.

We inform you that you may exercise the following rights:

1. The right to access your personal data in order to know which data are being processed and what processing operations are being carried out on them;
2. The right to rectify any inaccurate personal data;
3. The right to have your personal data erased, where this is possible;
4. The right to object, where possible
5. The right to request the restriction of the processing of your personal data where the accuracy, lawfulness or necessity of the data processing is in doubt, in which case we may retain the blocked data for the exercise or defence of claims.
6. The right to the portability of your personal data, where the legal basis for us to process your personal data is the existence of a contractual relationship or your consent.
7. The right to revoke the consent, if applicable, given to Hesperia for the processing of your data.

You may exercise your rights at any time and free of charge by sending an email to protecciondedatos@hesperiaworld.com, indicating which right you wish to exercise and your identification details.

We also inform you that you have the right to lodge a complaint with the Spanish Data Protection Agency if you consider that a breach of data protection legislation has been committed with regard to the processing of your personal data.

Your data may be transferred to the Public Administrations determined by the applicable legislation in force at any given time, such as the Tax Authorities, Judges and Courts, and Security Forces.

The personal data that you provide us with for the purpose of managing your reservation, or for the contracting of additional services may be communicated, in turn, to the banking entity with which Hesperia and the Hotels work.

With regard to the data that you provide to us to manage your registration with Hesperia for the purpose of creating a global database of the entities that make up the Hesperia Group to facilitate the check-in process, they may be communicated to the companies of the Hesperia Group based on our legitimate interest in sending personal data within the group for internal administrative purposes.

Likewise, your data may be transferred to the health care company with which the hotel you are staying at works when you require medical care services. In cases where a medical emergency is involved, such communication of data will be made to protect your vital interests. In cases where a medical emergency is not involved, the communication of data to the health care company will be done for the management of our contractual relationship.

Notwithstanding the above, in the event that you make use of the hotel's customer services by means of the WhatsApp Business tool, WhatsApp Ireland Limited may have access to your personal data. In such cases, WhatsApp Ireland Limited will only access and process your personal data in its capacity as data processor and will do so solely for the purpose of providing the contracted messaging services in accordance with the terms of service published on link this link.

Your data will be transferred to countries located outside the European Economic Area and, specifically to:

1. The Philippines; as a result of the back office management services related to invoicing that Accenture Outsourcing Services, S.A. Carry out for Hesperia. These international data transfers are regulated by standard contractual clauses approved by the European Commission.
2. The United States; as a consequence of the following services:
• search engine services provided by TravelClick, Inc. in relation to the location and selection of the specific payment gateways or suppliers that authorise payments related to the services provided by Hesperia. These international transfers are regulated by means of standard contractual clauses approved by the European Commission.
• marketing services for the Hotels provided by Mailchimp. These international transfers are regulated by means of standard contractual clauses approved by the European Commission.
• instant messaging services for hotels using the WhatsApp Business tool to handle guests’ requests, provided by WhatsApp Ireland Limited. These international transfers are legalised by means of standard contractual clauses approved by the European Commission, in accordance with the Addendum on WhatsApp Business Data Transfer.
3. Andorra, as a consequence of the communication of data to the companies of the Hesperia Group located in that territory for the provision of said group's administrative management services. Andorra has been declared by the European Commission to have an adequate level of protection, in accordance with the provisions of Commission Decision 2010/625/EU, of 19 October 2010.

Hesperia has implemented and maintains the security levels required by the GDPR to protect your personal data against accidental losses and unauthorised access, treatment or disclosure, taking into account the state of technology, the nature of the stored data and the risks to which it is exposed. However, despite the fact that Hesperia makes every effort to protect the data they process, it cannot guarantee in any case the security during the process of communication of personal data from the users' network to that of Hesperia. Once your data has been received, Hesperia will ensure rigorous security procedures and functions are in place to prevent any unauthorised access.

The personal data that we may collect will be treated confidentially, and we are committed to keeping this totally secret in accordance with the provisions laid out in the applicable legislation.

On occasions, this Privacy Policy may need to be updated and therefore it is important that you review this policy periodically and, if possible, every time you make a reservation or contact us in order to be sufficiently informed about the type of information collected and its treatment. We will notify you of any modification to this privacy policy that substantially affects the processing of your personal data.

Last update: 28 January 2022.