COMMITMENT

At Newhotel, we are committed to protecting and respecting your privacy. We take the General Data Protection Regulation (GDPR) very seriously and respect the trust you place in us regarding the collection and processing of your personal data. Please read this policy as it contains important information about how we use the personal data we collect. This Privacy Policy applies to Newhotel and all companies within the Group. By accessing the Newhotel website or providing personal information, you agree to our privacy practices as outlined in this privacy statement. This privacy policy may be changed from time to time. We advise you to check this privacy policy frequently to ensure that you are aware of the latest version.

PURPOSES OF DATA PROCESSING

In compliance with the new legislation regarding the protection of individuals with regard to the processing of personal data and the free movement of such data, pursuant to the GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council adopted on April 27, 2016. Newhotel, in accordance with Regulation (EU) 2016/679, of the European Parliament and of the Council, of April 27, 2016, commonly known as the General Data Protection Regulation (GDPR) and other applicable national and community legislation, has adopted the Personal Data Privacy Protection Policy disclosed in this document, which establishes how it collects, stores, and processes Personal Data, ensuring its confidentiality and security. This document applies to all personal information collected, processed, and stored by Newhotel.

The processing operations carried out by Newhotel comply with the fundamental principles of data protection and privacy, ensuring the proper functioning of processes, trust among customers and partners, lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, limitation of storage, integrity, confidentiality, and transmission.

Newhotel ensures that all personal data are processed lawfully, i.e., in strict compliance with the legal bases imposed by the GDPR.

In the scope of "On Premise Solutions," Newhotel does not collect or store personal data.

For the purposes provided for in Article 13 of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27 (GDPR), the Client and data subject (client) consent to the collection and processing of their personal data.

Ensuring, whenever necessary, the prior consent of the data subject, we will collect, among others, the following information:

• identification data (such as name, place of birth, citizen card number, tax identification number, or date of birth);

• contact details (such as mobile phone, address, or email);

• qualification and professional status data (such as level of education and CV);

• banking, financial, and transaction data (such as IBAN or tax identification number);

• location data (such as IP address);

• images of event recordings, training (in-person and online), and webinars;

• voice recordings (phone calls).

The purposes for data processing are:

• Administrative management;

• Invoicing;

• Execution of various mandatory or optional tax and accounting aspects arising from legal provisions;

• Account management;

• Technical assistance;

o Pursuing the Client's business, namely, by using Newhotel hotel management software;

• Execution of a court decision or judgment.

Newhotel ensures the confidentiality of the personal data provided, as well as the received documentation, and the transmitted information will be used solely within the scope of this document, in compliance with the new legislation regarding the protection of individuals and within the strictly necessary limits to ensure the proper processing of its conclusion and execution;

The personal data whose processing is authorized by this document may not be used for any direct marketing purposes or other commercial purposes, including profiling or any other automated decisions, and may be subject to portability under Article 20 of the GDPR.

Personal Data will be retained for different periods of time, depending on the purpose for which they are intended and considering legal criteria, necessity, and minimization of retention time.

The data recipients are entities to whom the data must be communicated by force of legal provision or at the request of the Client's data processing controller.

The data subject has the following rights:

• Right to request access to their personal data from the company's data processing controller;

• Right to request limitation of processing concerning the data subject, as well as its rectification;

• Right to erasure of data, including exercising the "right to be forgotten";

• Right to data portability;

• Right to withdraw consent at any time regarding the processing of personal data under Article 6(1)(a) or Article 9(2)(a) of the GDPR;

o Right to lodge a complaint with the National Data Protection Commission;

• Right to object to decisions made solely on the basis of automated processing, including profiling, unless necessary for the conclusion or execution of a contract between the data subject and a data controller, authorized by EU law, or based on the explicit consent of the data subject;

• Right to be informed upon request about the purposes of the processing, the categories of data involved, the identity of the recipients to whom they have been disclosed, and the retention period of personal data;

• Right to be informed about the personal data being processed and any available information about the origin of this data, electronically, if not in this document;

• Newhotel undertakes to adopt administrative, technical, physical, and organizational measures to ensure the security, integrity, and privacy of the personal data of the data subjects, appropriate to the risk of each processing and consistent with practices established in the European Union. These measures apply to protect personal data against their disclosure, misuse, unauthorized access, or loss, alteration, or destruction, as well as any other form of unlawful processing.

Partners and subcontractors who have access to personal data are required to adopt the necessary security measures, organizational and technical protocols, to protect such data.

The provision of information or the provision of services by Newhotel Software may involve the transmission or access to personal data by partners and subcontractors. Newhotel Software guarantees that it will only resort to entities that provide sufficient guarantees of implementing adequate technical and organizational measures, so that the processing ensures compliance with applicable law.

The provided data may also be transferred to official entities in compliance with legal obligations.

Newhotel only transfers personal data to entities located in a country outside the EU, in compliance with legal obligations or if compliance with national and community legal standards is guaranteed.

Newhotel does not sell, buy, or in any way, commercialize personal data.

Newhotel undertakes, within the scope of the conclusion and execution of the Service Provision Contract, to comply with the provisions of the Personal Data Protection Law, as well as other applicable legislation, namely, not to copy, reproduce, adapt, modify, alter, delete, destroy, disseminate, transmit, disclose or otherwise make available to third parties the personal data to which it has had access or has been transmitted to it under said Service Provision Contract, without having been expressly authorized for this purpose, undertaking to use them exclusively for the purposes determining the collection, refraining from any use outside the context, whether for its own benefit or that of third parties.

Newhotel and its employees, under their technical or consulting functions, in-person or remotely, to provide services to Newhotel's clients, for installations, parameterization, consultancy, and support for assistance in resolving doubts or incidents, or even interventions at the development level, are subject to the duty of confidentiality of the information processed, both in terms of consultation and extraction of databases that may contain personal data, which under the maintenance contract concluded between the employer and the client, will be used only for technical diagnostic purposes and undertakes not to use this data for other purposes that have not been consented to, to keep the data for the period necessary for the provision of the service and not to transfer this data to third parties outside the company or to use it for other purposes.

The data subject may contact us for questions regarding the application of the General Data Protection Regulation by Newhotel, S.A., through the website on the Customer Information/Contacts page, by email to dpo@newhotel.com, or by mail to:

Data Protection Officer/DPO

NEWHOTEL, S. A

Av. Almirante Gago Coutinho, 70

1700-031, Lisbon, Portugal

Newhotel may change this document at any time without notice and with immediate effect. These changes will be duly advertised on the website, and if necessary, the renewal of knowledge and consent will be requested.