Through this Policy, Nobile Hotels e Resorts, registered under CNPJ: 09.405.789/0001-35, with address at SHS Quadra 6, Conjunto A, Bloco A, sala 501, Asa Sul, Brasília – DF, reaffirms its commitment to the privacy and protection of Personal Data, establishing, clearly and transparently, the rules regarding the Processing of Personal Data of Users of the website www.nobilehoteis.com.br (“Nobile Hotels e Resorts website” or “website”), in compliance with the General Personal Data Protection Law (Law nº 13.709/2018 – LGPD) and other applicable rules.

As a condition of accessing and using the website, the User declares to have read this Policy in full and expresses their free and express consent to the processing of their Data, in accordance with the purposes described herein. If they do not agree, they must discontinue their access or use of the website.

SPECIAL INFORMATION FOR DATA OF CHILDREN AND ADOLESCENTS UNDER 18 YEARS OF AGE
Should the User be under 18 years of age, it is essential that their parents or legal representatives provide specific and prominent consent for the processing of Data by Nobile Hotels e Resorts, in accordance with article 14 of the LGPD.

INFORMATION FOR LEGAL REPRESENTATIVES
Parents or guardians must supervise the online activities of minors. In the case of adolescents between 16 and 18 years of age, consent must be assisted by their legal representatives.

Data that Nobile Hotels e Resorts collects from the user
1.1 Purposes of use
Users can access the website to consult the chain’s hotels, formalize reservations, or obtain information about services provided.
1.2 Data collected
During this use, Nobile Hotels e Resorts may collect:

Collected Data Name Email Phone Number Country CPF Credit Card Identification Data

• Identify the user • Formalize reservations • Fill out the NHF (National Guest Form) • Comply with legal obligations • Manage your stay at the hotel • Comply with legal obligations and our contract when sharing Data with the third-party company responsible for processing payments • Identify and authenticate the user • Comply with the obligations of the Brazilian Civil Rights Framework for the Internet

1.3 Transmission to the enterprise
Whenever the User formalizes a reservation, the information will be fully transmitted to the chosen hotel.
1.4 Necessary Data
Some data is indispensable for the execution of the services. The lack of provision may partially or totally make the service unfeasible.
1.5 Update and veracity
The User is responsible for the updating and veracity of their data, and must communicate any changes to the Data Protection Officer.
1.6 Database
The database is owned by Nobile Hotels e Resorts, and is used only within the limits and purposes described in this Policy.

What are the user’s rights and how to exercise them

The User, as the personal data subject, is guaranteed the rights provided for in article 18 of the LGPD, including: Confirmation of the existence of processing, Access to personal data, Correction of incomplete, inaccurate or outdated data, Anonymization, blocking or elimination of unnecessary data or data processed in non-compliance, Data portability, Elimination of data processed with consent, Information about data sharing, and Revocation of consent.

2.1 Exercise of rights
Requests must be forwarded to the Data Protection Officer, through the channel informed in this Policy.

2.2 Limitation, opposition, and exclusion of data
The User may request the limitation of use, opposition to processing, or exclusion of data. However, exclusion may be limited when there is a need for maintenance for:
(i) compliance with a legal or regulatory obligation;
(ii) study by a research body (with anonymization);
(iii) transfer to an authorized third party; or
(iv) exclusive use by the controller, with anonymization whenever possible.

Data sharing
Personal data may be shared: With hotels and payment processing companies; With public authorities, by legal obligation; In corporate operations (merger, acquisition, incorporation) and In an anonymized manner, for statistical and market intelligence purposes.

Data protection
Nobile Hotels e Resorts adopts technical and administrative security measures to protect personal data against unauthorized access, accidental or unlawful situations of destruction, loss, alteration, communication, or diffusion.
4.1. Password sharing. The User is also responsible for the confidentiality of their Personal Data and must always be aware that sharing access passwords and login violates this Policy and compromises the security of their Data and the website.
4.2. Precautions the User must take. It is very important that the User protects their Data against unauthorized access to their computer, account, or password, in addition to making sure to always click on “log out” when ending their browsing on a shared computer. It is also very important that the User knows that Nobile Hotels e Resorts will never send electronic messages requesting data confirmation or with attachments that can be executed (extensions: .exe, .com, among others) or even links for eventual downloads.
4.3. Information Security. All payment transactions, with or without a credit card, are executed with SSL (secure socket layer) technology, ensuring that all User Data, such as credit card data, is not unlawfully disclosed. Furthermore, this technology aims to prevent information from being transmitted or accessed by third parties.
4.4. Access to Personal Data, proportionality, and relevance. Internally, the Personal Data collected is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity, and relevance to the objectives of our business, in addition to the commitment to confidentiality and preservation of your privacy under the terms of this Policy.
4.5. External links. When the User uses the website, the User may be led, via link, to other portals or platforms, which may collect their information and have their own Data Processing Policy.
4.5.1. It will be up to the User to read the Privacy and Data Processing Policies of such third-party portals or platforms and it is their responsibility to accept or reject it. Nobile Hotels e Resorts is not responsible for the Privacy and Data Processing Policies of third parties nor for the content of any websites, content, or services linked to environments other than ours.
4.5.2. Partner services. Nobile Hotels e Resorts has commercial partners who may eventually offer services through functionalities or websites that can be accessed from the Nobile Hotels e Resorts website. The Data provided by the User to these partners will be the responsibility of the latter, thus being subject to their own data collection and use practices.
4.6. Processing by third parties under the guideline of Nobile Hotels e Resorts. Should outsourced companies carry out, on behalf of Nobile Hotels e Resorts, the Processing of any Personal Data we collect, they will compulsorily respect the conditions stipulated here and the information security standards.
4.7. Communication by email. To optimize and improve communication, when Nobile Hotels e Resorts sends an email to the User, it is possible that Nobile Hotels e Resorts receives a notification when they are opened, provided that this functionality is available. It is important that the User pays attention, as the emails are sent by the domains: @gruponobile.com.br, @nobilehoteis.com.br, and nobilemkt@nobilehoteis.com.br.

Storage and international data transfer
Data is stored on servers located in Brazil and, eventually, in other countries, through cloud service providers. When there is international data transfer, the legal requirements provided for in the LGPD will be observed, ensuring adequate protection.

Cookies and similar technologies
The Nobile Hotels e Resorts website uses cookies and similar technologies to improve the User experience, personalize content, and analyze browsing statistics.
The User may configure their browser to block cookies, but certain functionalities of the website may be affected.

Policy changes
This Policy may be changed at any time, for legal compliance or service improvement. Whenever there is a relevant update that requires new consent, the User will be notified by email or on their first access to the website after the change.

Data Protection Officer Contact
The Data Protection Officer for Nobile Hotels e Resorts is Paulo Silva, available at the email: paulo@peoadvogados.com.

Definitions
For the purposes of this Policy, the following definitions and descriptions should be considered for better understanding:
I. Data: Any information entered, processed, or transmitted through the website.
II. Personal Data: Data related to an identified or identifiable natural person.
III. Anonymization: Use of reasonable technical means available at the time of Processing, through which data loses the possibility of direct or indirect association with an individual.
IV. Officer: Person appointed by Nobile Hotels e Resorts to act as the communication channel between the controller, the data subjects, and the National Data Protection Authority (ANPD).
V. Cloud Computing: Technology for service virtualization built from the interconnection of more than one server through a common information network (e.g., the Internet), with the objective of reducing costs and increasing the availability of the supported services.
VI. Website: Designates the electronic address www.nobilehoteis.com.br and its subdomains.
VII. Access Account: Necessary credential to use or access the exclusive functionalities of the website.
VIII. Cookies: Small files sent by the website, saved on the User’s devices, that store preferences and a few other pieces of information, with the purpose of personalizing their navigation according to the User’s profile.
IX. IP: Abbreviation for Internet Protocol. It is an alphanumeric set that identifies Users’ devices on the Internet;
X. Logs: Records of activities of any Users who use the website.
XI. Session ID: Identification of the Users’ session when accessing the website.
XII. Processing: Any operation carried out with Personal Data, such as those related to collection, production, reception, classification, utilization, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion, or extraction.

Brasília, September 25, 2025.