Privacy Notice

Last updated: 03/10/2026 (v3.1)

In compliance with the Mexican Federal Law on Protection of Personal Data Held by Private Parties ("Law"), its Regulations, the Privacy Notice Guidelines, the Brazilian General Data Protection Law ("LGPD"), the European Union General Data Protection Regulation ("GDPR"), and other applicable parameters and provisions (hereinafter the "Legislation"), ZATLAS OS, S.A. de C.V. (hereinafter "ZATLAS") makes available to Business Partners (as such term is defined in the Terms and Conditions), users, employees, collaborators, suppliers, distributors, agents, as well as any person who accesses the services and/or has a relationship with ZATLAS (all of the foregoing hereinafter the "Users"), this Privacy Notice (hereinafter the "Notice"), prepared to inform you about our practices related to the processing of information that you may provide through our website and/or application "ZATLAS", social media or any website or means of communication (hereinafter the "Platforms"). For any undefined term that appears with an initial capital letter, the meaning contained in the Terms and Conditions of use, available on the Platforms, shall apply.

ZATLAS, with address at Avenida Paseo de Las Palmas number 830, suite 402, Alcaldía Miguel Hidalgo, Mexico City, Zip Code 11000, is the Data Controller of the personal information collected, who is obligated to protect and safeguard your personal data and the use given to them, in order to prevent, among other matters, damage, loss, destruction, theft, misplacement, alteration, as well as unauthorized processing.

I. APPLICABILITY

This Notice shall apply to all persons who: (i) access or use the ZATLAS application, website or any other ZATLAS platform or interface; and/or (ii) share or exchange information with ZATLAS through any means and for any reason.

Access to and use of the Platforms constitutes acceptance of these privacy policies and express consent for ZATLAS to process your personal data in accordance with this Notice.

Likewise, this Notice applies to personal data of guests collected by ZATLAS on behalf of its Business Partners, who act as Data Controllers of the processing pursuant to the Law. In this case, ZATLAS acts as Data Processor, processing such data solely to fulfill the reservation automation services on external platforms, in accordance with the instructions and authorizations of its Business Partners.

In order to register personal data on the Platforms, the User must be over 18 years of age and not have any type of incapacity. If the User is a minor (Minor User), their parents or guardians must complete their registration on the Platforms. If a Minor User successfully completes their registration on the Platforms, ZATLAS presumes that it was done with the consent and authorization of their parents or guardians. ZATLAS is not responsible for any damages caused or that may be caused to the Minor User in the event that said Minor User provides their data without the consent of their parents or guardians.

In the event that the User does not comply with the provisions of this Notice, they may be temporarily suspended or permanently disabled, as applicable.

II. DATA AND PURPOSE

In the collection and processing of personal data voluntarily provided to us through our Platforms or any other means, we comply with the principles established by the Legislation, namely the principles of legality, quality, consent, information, purpose, loyalty, proportionality and accountability.

The information that ZATLAS may collect from Users, depending on the type of relationship or link with ZATLAS, includes but is not limited to the following:

First and last name and/or corporate name.
Address.
Nationality.
Date of birth.
City of residence.
Unique Population Registry Code (CURP, applicable in Mexico).
Email address.
Tax identification number (RFC, NIF, etc.).
Official identification.
A logo if applicable.
Payment information (such as bank accounts and/or credit card data), which may be provided by Business Partners, with the understanding that said Partners have obtained the corresponding consent or have a valid legal basis for its transfer.
Phone number.
IP address.
All reservation data obtained from external platforms (e.g., Booking.com and Expedia), other Online Travel Agencies ("OTAs") or Property Management Systems ("PMS") including, among others, check-in date, check-out date, number of reservations, amount, reservation type, payment type, payment card data (such as card number, expiration date and security code), payment status, guest card verification status, and any other information provided by Business Partners, through the access credentials authorized and provided directly by them.

a) Primary Purposes:

ZATLAS will process the personal data described above for the following primary purposes:

Manage and automate reservations on external platforms (including but not limited to Booking.com and Expedia) on behalf of Business Partners, using the access credentials provided by them to collect reservation data, including guest personal data and payment card data.
Carry out the activities necessary for the development and fulfillment of the services and purposes arising from the contractual and/or commercial relationship with ZATLAS.
Manage the creation of an Access Account, allowing its use, modification or update.
Contact and follow up on any process or matter related to publications on the Platforms.
Provide receipts and/or messages related to reservations.
Prevent potential fraud against the User and ZATLAS.
Manage the automatic charge of virtual cards issued by online travel agencies.
Process reservation payments in collaboration with third-party payment processors, ensuring compliance with the PCI-DSS standard.
Verify guest cards, and perform validations, pre-authorizations or charges to them in order to guarantee reservations for the hotel.
Update reservation information (such as status, stay dates and amount charged) between the PMS and OTAs.
Obtain all reservation data, and make modifications (as well as cancel or charge reservations) of any kind, based on user preferences within the ZATLAS system, or the automatic parameters defined by ZATLAS.
Generate reports and statistics for Business Partners related to managed reservations.
Fulfill the obligations arising from the contractual and/or commercial relationship with ZATLAS Business Partners.

b) Secondary Purposes:

ZATLAS will process the personal data described above for the following secondary purposes:

Inform the User of ZATLAS commercial information.
Inform the User of movements or activity in their Account.
Contact the User to inform them of special offers and/or promotions.
Conduct evaluations or any other activity aimed at promoting, maintaining, improving and evaluating the services offered by ZATLAS.

The User may, at any time, express their refusal to the processing of their personal data for secondary purposes, in which case said personal data will be placed on an exclusion list, to which only persons authorized by ZATLAS will have access.

In the event that ZATLAS processes personal data of third parties (for example, guests of hotels that are ZATLAS Business Partners), the Parties acknowledge that the processing of such data is carried out under the responsibility of the respective Business Partner, in its capacity as Data Controller, and that ZATLAS acts solely as Data Processor, in accordance with the instructions received and the provisions of the Law. ZATLAS undertakes not to use such data for purposes other than those instructed by the Data Controller.

The Business Partner authorizes ZATLAS to use automated techniques to collect data from third-party platforms, with the Business Partner assuming any risk arising from non-compliance with the policies of said platforms.

c) Legal Basis for Personal Data Processing:

The processing of personal data by ZATLAS is carried out based on the following:

(i) Performance of a Contract: Processing is necessary to fulfill our contractual obligations with Users and Business Partners (i.e., to provide the Services).
(ii) Consent: For secondary purposes (such as marketing) or when consent is granted by the data subject (or by the Business Partner on behalf of the data subject) pursuant to the Law.
(iii) Legal Obligations: When processing is necessary to comply with a legal obligation or a requirement from a competent authority.
(iv) Legitimate Interest: For purposes such as fraud prevention, platform security and improvement of our services, provided that they do not prevail over the interests or fundamental rights of the data subject.
(v) Legal Relationship (as Data Processor): When we act as Data Processor, our legal basis is the legal relationship with the Business Partner (Data Controller), who is responsible for having their own legal basis (whether consent, contract, etc.) for processing guest data.

LGPD Compliance (Brazil): When processing involves personal data of data subjects located in Brazil, ZATLAS will carry out such processing in accordance with the legal bases provided in the General Data Protection Law (LGPD), including (i) consent of the data subject, (ii) performance of a contract, (iii) compliance with a legal or regulatory obligation, (iv) regular exercise of rights, (v) credit protection, and (vi) legitimate interest, as applicable.

III. SENSITIVE PERSONAL DATA

ZATLAS will not in any way request, and the User shall not at any time provide ZATLAS with "sensitive personal data", that is, intimate personal data or data whose improper use may give rise to discrimination or entail a serious risk to the data subject.

The User agrees not to provide any information related to their racial or ethnic origin, present or future health status, genetic information, religious, philosophical and/or moral beliefs, union membership, political opinions, and sexual preference. In the event that the User provides sensitive data through documents uploaded to the Platform, or through forms, they expressly accept and consent that such data be processed in accordance with the ZATLAS Terms and Conditions and this Privacy Notice, it being the obligation of the User not to provide this type of data in the information uploaded to the Platforms.

IV. COOKIES

It is important that the User consider the existence of cookies on the Platform, which, in general terms, constitute information or files that are stored in device browsers when accessing a website or online service.

The Platform or any other website managed by ZATLAS will provide precise and necessary information regarding cookies, as well as the option to accept or reject their use, in order to obtain the express consent of the User (usually through an informational banner). The User's consent will be renewed at least every 12 (twelve) months, with the understanding that at any time they may change or withdraw their consent from our Platform.

Cookies are used to personalize User content and navigation. Some cookies that appear on websites are placed by third-party services, which are not managed by nor the responsibility of ZATLAS.

The following details the categories of cookies along with a description of their use:

Strictly Necessary Cookies: Essential for the functioning of the Platform, to maintain security and to comply with applicable regulations.
Functional Cookies: Allow ZATLAS to remember information related to User access and selections made (such as username, language or region), and provide enhanced and personalized features.
Performance/Analytical Cookies: Collect information about how Users use the Platform, including the most visited pages. They are used to improve the operation and performance of ZATLAS.
Advertising Cookies: Help ZATLAS decide which of its products, services and offers may be relevant to the User, and measure the effectiveness of advertisements.

The User may disable or modify the use of cookies from their browser, or manage their consent on the Platform.

V. DATA TRANSFER

ZATLAS will under no circumstances make improper use of Users' personal data nor use it contrary to the provisions of this Privacy Notice, and therefore may only use or transfer such data for the purpose of complying with the activities and obligations derived from the legal relationship with the User, as well as the primary and secondary purposes set forth in this Notice.

ZATLAS may transfer personal data, including payment card data, to third-party payment processors that comply with the PCI-DSS standard and the Law. The Business Partner guarantees that such transfers will be made in accordance with the Law, either with the consent of the data subject or based on one of the exceptions provided therein.

Likewise, ZATLAS may transfer data to persons or companies related to ZATLAS (such as parent companies, subsidiaries or affiliates), who will assume the same obligations as ZATLAS under the Legislation, being obligated to maintain the confidentiality of the information and not to use it in a manner different from that established in this Notice.

ZATLAS shall be entitled, without incurring any liability, to disclose data required by resolutions or orders from administrative or judicial authorities, always under applicable rules, treaties or laws.

In the event that ZATLAS makes international transfers of personal data (for example, to servers or service providers located outside Mexico), it will ensure that the receiving third party assumes the same obligations set forth in this Notice and in the Legislation, through the execution of Standard Contractual Clauses (SCCs) or other adequate legal instruments, in accordance with Article 36 of the Law and GDPR requirements, if applicable.

When processing involves personal data of data subjects located in Brazil, any international transfer will be carried out in accordance with the requirements of the LGPD, ensuring adequate safeguards, such as specific contractual clauses, governance policies and mechanisms recognized by the Brazilian National Data Protection Authority (ANPD).

VI. SECURITY MEASURES FOR PERSONAL DATA PROCESSING

ZATLAS implements administrative, technical and physical security measures, including, among others, data encryption, strict access controls and system monitoring, to protect Users' personal data against damage, loss, alteration, destruction or unauthorized use, access or processing. We require that these measures are equally complied with by the service providers we engage.

Personal data will be retained only for the time necessary to fulfill the purposes of processing, or during the legal prescription periods applicable to the legal relationship with the data subject, after which it will be deleted or blocked in accordance with the Legislation.

In particular, for payment card data, ZATLAS implements security measures in compliance with the PCI-DSS standard, ensuring protection against unauthorized access, loss or alteration.

VII. LIMITATION OF USE OR DISCLOSURE OF PERSONAL DATA

In the event that the User wishes to limit the use or disclosure of their personal data (for example, to stop receiving information or advertising), they may contact us at the email address established in Section XII "Contact".

VIII. EXTERNAL LINKS

The Platforms may contain links that redirect the User to third-party websites. This Notice does not regulate the way in which said third parties process Users' personal data. We encourage Users to read the privacy notice of said websites, mobile platforms or mobile applications.

IX. ARCO RIGHTS (AND OTHER RIGHTS)

As the holder of your personal data, the User may exercise their Access, Rectification, Cancellation and Opposition (ARCO) Rights, or revoke the consent granted to ZATLAS, by sending their request to the email address: contact@zatlas.com.

Access: Know what personal data is in ZATLAS's possession and, if applicable, obtain a copy.
Rectification: Request the correction of inaccurate or incomplete personal data.
Opposition: Request that data not be processed for specific purposes.
Cancellation: Request the deletion of data when it is no longer necessary. Cancellation will only be applicable when the User has stopped using the Services.

To submit a request to exercise ARCO Rights, Users must complete the "ARCO Rights Exercise Form" (available upon request), or may send a free-form letter to ZATLAS's address or the indicated email address, which must contain at least the following elements:

Name, address and email to communicate the response.
Documents proving the User's identity.
A clear and precise description of the personal data for which one of the ARCO Rights is being exercised.
Any other element that facilitates the location of the personal data.

ZATLAS will respond to rights exercise requests within the timeframes provided by applicable legislation. For requests submitted by data subjects located in Mexico, the timeframes established in the Federal Law on Protection of Personal Data Held by Private Parties will apply; for data subjects located in Brazil, ZATLAS will comply with the LGPD and with the timeframes and procedural rules established by the National Data Protection Authority (ANPD).

Important Note (Guest Data): For personal data of guests collected by Business Partners, ARCO Rights exercise requests should be directed to the corresponding Business Partner, who acts as the sole Data Controller. ZATLAS, as Data Processor, will collaborate with the Business Partner to address such requests in accordance with the Law.

Additional Rights (GDPR): If applicable local legislation (such as the GDPR in the EU) so determines, Users may have additional rights, such as the right to data portability, the right to restriction of processing and the right to file a complaint with the local data protection authority.

Additional Rights (LGPD - Brazil): When processing involves personal data of data subjects located in Brazil, they may exercise the rights provided in the LGPD, such as: confirmation of processing, access, correction of incomplete or outdated data, anonymization, blocking or deletion of unnecessary or irregularly processed data, portability, deletion of data processed with consent, information about shared use of data and revocation of consent. ZATLAS will respond to such requests in accordance with the timeframes and requirements established by the LGPD.

ZATLAS may deny the exercise of ARCO Rights in the cases permitted by the Law (e.g., when the applicant is not the data subject, when the data cannot be found, or when there is a legal impediment).

X. MODIFICATIONS

ZATLAS shall be entitled to change, modify, add to or partially or totally suppress this Notice at any time. In such case, ZATLAS will publish said modifications on the Platforms and indicate the date of the latest version of the Notice. It is recommended to periodically visit the Platforms in order to be informed of any changes to this Notice.

XI. AUTHORITIES

In Mexico, the supervisory and regulatory authority on personal data protection is the National Institute of Transparency, Access to Information and Personal Data Protection (INAI). If you consider that your rights regarding personal data protection have been violated, you have the right to file a claim before INAI. If you are in the European Union, you have the right to file a complaint with your local Data Protection Authority.

In Brazil, the supervisory authority on personal data protection is the National Data Protection Authority (ANPD). Data subjects located in Brazil may file complaints directly with said authority.

XII. CONTACT

For any questions related to this Privacy Notice, ZATLAS has designated the personal data protection area as responsible for processing and response. Said area can be contacted through the following means:

Name: ZATLAS OS, S.A. de C.V.
Email: contact@zatlas.com
Address: Avenida Paseo de Las Palmas número 830 interior 402, Alcaldía Miguel Hidalgo, Ciudad de México, C.P. 11000