Privacy Policy and Data Processing of Nobile Hotels and Resorts
Company Name: Nobile Gestão de Empreendimentos LTDA
Address: SIG Quadra 1, Lote 985/1055, Brasília / DF, CEP: 70610-140
CNPJ: 09.405.789/0001-35

Through this Policy, Nobile Hotels e Resorts demonstrates its commitment to the privacy and protection of Personal Data, in addition to establishing, clearly and transparently, the rules on the Processing of Personal Data of Users of the website www.nobilehoteis.com.br (“Nobile Hotels e Resorts website” or “website”), in accordance with current legislation. As a condition of access and use of the website, the User declares that they have fully and carefully read this Policy, being fully aware of it, and granting their free and express agreement with the terms herein stipulated, including the collection of the Data mentioned herein, as well as its use for the purposes specified below. If the User does not agree with the provisions of this Policy, they should discontinue their access to or use of the website.

SPECIAL INFORMATION FOR DATA OF CHILDREN AND ADOLESCENTS UNDER 18 YEARS OF AGE

If the User is under 18 years of age, it is essential that their parents or legal representatives provide specific consent for the processing of Data by Nobile Hotels e Resorts, in accordance with the purposes presented in this Policy.

INFORMATION FOR LEGAL REPRESENTATIVES
Parents or guardians should always supervise the online activities of their minor children. The activities of adolescents over 16 and under 18 years of age must be assisted by parents or legal representatives.

This Policy applies to all services made available by the Nobile Hotels e Resorts website, and there may be specific terms for certain products, which will be informed to the User in due course.

1. Data that Nobile Hotels e Resorts collects from the user
1.1. Users can access the website for different purposes, whether to consult the hotels in the chain, formalize reservations, or obtain information about services provided by Nobile Hotels e Resorts.

1.2. During this use, Nobile Hotels e Resorts may collect the User’s Data when the User submits it or when interacting in the manner mentioned above:

Collected Data Name Email Phone Number Country CPF Credit Card Identification Data

• Identify the user • Formalize reservations • Fill out the NHF (National Guest Form) • Comply with legal obligations • Manage your stay at the hotel • Comply with legal obligations and our contract when sharing Data with the third-party company responsible for processing payments • Identify and authenticate the user • Comply with the obligations of the Brazilian Civil Rights Framework for the Internet

1.3. Whenever the User actively chooses to formalize a reservation, the information will be fully transmitted to the chosen establishment.

1.4. Necessary Data. Our services depend directly on some Data provided in the table above, mainly registration and payment Data. If the User chooses not to provide some of this Data, we may be unable to provide our services fully or partially.

1.5. Updating and Accuracy of Data. The User is solely responsible for the accuracy and veracity of the Data provided or for its outdatedness. It is the User’s responsibility to ensure that it is updated, informing the data officer of any changes.

1.5.1. Likewise, Nobile Hotels e Resorts is not obliged to process or handle any of your Data if there are reasons to believe that such processing or handling may impute any violation of any applicable law to us, or if the User is using the website for any illegal, illicit purposes or contrary to morality.

1.6. Database. The database formed through the collection of Data is the property of Nobile Hotels e Resorts and is under our responsibility, and its use, access, and sharing, when necessary, will be done within the limits and purposes of the business described in this Policy.
2. What are the user’s rights and how to exercise them
2.1. Basic User Rights. The User may request confirmation of the existence of Personal Data processing, in addition to the display of their Personal Data, by contacting the Data Officer.

2.1.2. While the User maintains interest in keeping their data in our database, the correction of their Personal Data must be done by contacting the Data Officer.

2.2. Limitation, opposition, and deletion of data. By contacting the Data Officer, the User may also request to:
a) Express their opposition to and/or revoke consent regarding the use of their Personal Data; or
b) Request the deletion of their Personal Data that has been collected by Nobile Hotels e Resorts.
2.2.1. If the User withdraws their consent for fundamental purposes for the proper functioning of the website and the formalization of reservations, the services will become unavailable.

2.2.2. If the User requests the deletion of their Personal Data, a situation in which they will immediately lose access to Nobile Hotels e Resorts services, it may occur that the Data needs to be kept for a period longer than the deletion request, under the terms of article 16 of the General Personal Data Protection Law, for: (i) compliance with a legal or regulatory obligation; (ii) study by a research body; and (iii) transfer to a third party (respecting the data processing requirements set forth in the same Law). In all cases, through the anonymization of Personal Data, whenever possible.

2.2.3. Once the retention period and the legal necessity have ended, the Personal Data will be deleted using secure disposal methods or used in an anonymized manner for statistical purposes.

3. Sharing of data and personal information
3.1. Data Sharing Hypotheses. In addition to sharing with hotels and payment processing companies, the collected Data and recorded activities may be shared:
I. With competent judicial, administrative, or governmental authorities, whenever there is a legal determination, requirement, request, or court order; and
II. Automatically, in the event of corporate transactions, such as mergers, acquisitions, and incorporations.
3.2. Data Anonymization. For the purposes of market intelligence research, dissemination of data to the press, and advertising, the data provided by the User will be shared in an anonymized manner, that is, in a way that does not allow their identification.

4. Data protection
4.1. Password Sharing. The User is also responsible for the confidentiality of their Personal Data and must always be aware that the sharing of passwords and access logins violates this Policy and compromises the security of their Data and the website.

4.2. Precautions the User should take. It is very important that the User protects their Data against unauthorized access to their computer, account, or password, in addition to always making sure to click “log out” when finishing browsing on a shared computer. It is also very important that the User knows that Nobile Hotels e Resorts will never send electronic messages requesting confirmation of data or with attachments that can be executed (extensions: .exe, .com, among others) or links for eventual downloads.

4.3. Information Security. All payment transactions, whether by credit card or not, are executed with SSL (secure socket layer) technology, ensuring that all User Data, such as credit card details, is not unlawfully disclosed. Furthermore, this technology aims to prevent information from being transmitted or accessed by third parties.

4.4. Access to Personal Data, proportionality, and relevance. Internally, the collected Personal Data is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity, and relevance for the objectives of our business, in addition to the commitment to confidentiality and preservation of your privacy under the terms of this Policy.

4.5. External Links. When the User uses the website, the User may be directed, via a link, to other portals or platforms, which may collect their information and have their own Data Processing Policy.

4.5.1. It is the User’s responsibility to read the Privacy and Data Processing Policies of such third-party portals or platforms and to accept or reject them. Nobile Hotels e Resorts is not responsible for the Privacy and Data Processing Policies of third parties or for the content of any websites, content, or services linked to environments other than our own.

4.5.2. Partner Services. Nobile Hotels e Resorts has commercial partners who may occasionally offer services through features or websites that can be accessed from the Nobile Hotels e Resorts website. The Data provided by the User to these partners will be the responsibility of these partners and will therefore be subject to their own data collection and use practices.

4.6. Processing by third parties under the direction of Nobile Hotels e Resorts. If outsourced companies process, on behalf of Nobile Hotels e Resorts, any Personal Data we collect, they will obligatorily respect the conditions stipulated herein and information security standards.

4.7. Communication by e-mail. To optimize and improve communication, when Nobile Hotels e Resorts sends an e-mail to the User, Nobile Hotels e Resorts may receive a notification when they are opened, provided this feature is available. It is important for the User to be aware, as emails are sent from the domains: @gruponobile.com.br, @nobilehoteis.com.br, and nobilemkt@nobilehoteis.com.br.
5. How Nobile Hotels e Resorts stores personal data and activity logs
5.1. The collected Personal Data and activity logs are stored in a secure and controlled environment for a minimum period that follows the determination of the General Data Protection Law.

5.2. Longer Storage Periods. For audit, security, fraud control, credit protection, and preservation of rights purposes, Nobile Hotels e Resorts may retain the User’s Data registration history for a longer period in cases where the law or regulatory standard so establishes or for the preservation of rights.

5.3. The collected data will be stored on servers located in Brazil and other countries, as well as in cloud environments or servers, which may require the transfer and/or processing of this data outside of Brazil.

6. General Information
6.1. Amendment of content and updating. The User acknowledges the right of Nobile Hotels e Resorts to amend the content of this Policy at any time, according to purpose or necessity, such as for legal adaptation and compliance with any law or regulation having equivalent legal force, and it is the User’s responsibility to verify it whenever accessing the website or using our services.

6.1.1. If updates occur in this document that require new consent collection, the User will be notified via their email address and/or their first access to the platform (website or app) after the change.

6.2. Inapplicability. If any point of this Policy is considered inapplicable by a Data or judicial Authority, the other conditions will remain in full force and effect.

6.3. Electronic Communication. The User acknowledges that all communication made by e-mail (informed in the registration), SMS, instant messaging applications, or any other digital form is also valid, effective, and sufficient for the disclosure of any matter relating to the services provided by Nobile Hotels e Resorts, the Data, as well as the conditions of its provision or any other matter addressed therein, except for what this Policy provides otherwise.

6.4. Service Channels. If you have any questions regarding the provisions contained in this Privacy and Data Processing Policy, the User may contact us via email: paulo@gruponobile.com.br.

6.5. Applicable law and jurisdiction. This Policy shall be interpreted in accordance with Brazilian law, in the Portuguese language, and the jurisdiction of the User’s domicile is elected to resolve any controversy involving this document, except for specific reservations of personal, territorial, or functional jurisdiction by applicable law.

7. Data Officer. The Data Officer of Nobile Hotels e Resorts is currently Paulo Silva, and you can contact him at any time via email: paulo@gruponobile.com.br.

8. Definitions
For the purposes of this Policy, the following definitions and descriptions should be considered for better understanding:
I. Data: Any information entered, processed, or transmitted through the website.
II. Personal Data: Data related to an identified or identifiable natural person.
III. Anonymization: Use of reasonable and available technical means at the time of Processing, through which data loses the possibility of direct or indirect association with an individual.
IV. Data Officer: Person appointed by Nobile Hotels e Resorts to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD).
V. Cloud Computing: Or cloud computing, is a virtualization technology of services built from the interconnection of more than one server through a common information network (e.g., the Internet), with the aim of reducing costs and increasing the availability of supported services.
VI. Website: Refers to the electronic address www.nobilehoteis.com.br and its subdomains.
VII. Access Account: Necessary credential to use or access the exclusive features of the website.
VIII. Cookies: Small files sent by the website, saved on the User’s devices, which store preferences and some other information, for the purpose of personalizing their browsing according to the User’s profile.
IX. IP: Abbreviation for Internet Protocol. It is an alphanumeric set that identifies Users’ devices on the Internet.
X. Logs: Records of activities of any Users who use the website.
XI. Session ID: Identification of the Users’ session when access to the website is made.
XII. Processing: Any operation carried out with Personal Data, such as those relating to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.

Brasília, April 13, 2025.