PERSONAL DATA PROTECTION POLICY 
(LEY 1581 DE 2012)

2. Scope of application

 

The Policy shall apply to personal data registered in any database that makes it susceptible to processing and that is in the possession of HOSTAL DEL CIELO S.A.S.

 

3. Extent

 

This Policy applies to the hostel, administrators, employees, contractors, and visitors of HOSTAL DEL CIELO S.A.S. and to all databases in the possession of HOSTAL DEL CIELO S.A.S. It applies to the relationships between HOSTAL DEL CIELO S.A.S. as the Controller and any of its processors.

 

4. Responsible administration

 

HOSTAL DEL CIELO S.A.S., through the communications area, will assume the role of Controller; therefore, they will jointly be responsible for making decisions regarding the databases and/or the Processing of the data; defining the purpose and the manner in which the data is collected, stored, and administered. Likewise, they are obligated to request and keep the authorization evidencing the express consent of the Data Subject.

 

5. Definitions

​

• Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of personal data; Database: Organized set of personal data that is subject to Processing;

• Personal data: Any information linked or that can be associated with one or more specific or determinable natural persons;

• Data Processor: Natural or legal person, public or private, who by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller;

• Data Controller: Natural or legal person, public or private, who by themselves or in association with others, makes decisions regarding the database and/or the Processing of data;

• Data Subject: Natural person whose personal data is subject to Processing; Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

 

6. Principles for the Processing of personal data

 

• Principle of legality in matters of data Processing: Processing is a regulated activity that must be subject to what is established by law and other provisions that develop it;

• Principle of purpose: Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject;

• Principle of freedom: Processing may only be exercised with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives consent;

• Principle of truthfulness or quality: Information subject to Processing must be truthful, complete, accurate, updated, verifiable, and understandable. The Processing of partial, incomplete, fractional, or misleading data is prohibited;

• Principle of transparency: In Processing, the right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning them must be guaranteed;

• Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of personal data, the law, and the Constitution. In this sense, Processing may only be carried out by persons authorized by the Data Subject and/or by persons authorized by law;
  
  Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or authorized third parties;

• Principle of security: Information subject to Processing by the Data Controller or Data Processor must be handled with the technical, human, and administrative measures necessary to grant security to the records, preventing their adulteration, loss, consultation, or unauthorized or fraudulent use or access;

• Principle of confidentiality: All persons involved in the Processing of personal data that is not public in nature are obligated to guarantee the confidentiality of the information, even after their relationship with any of the tasks included in the Processing has ended, only being able to supply or communicate personal data when it corresponds to the development of authorized activities.

​

7. Name and personal information collected

​​

The type of information collected varies according to the status of the Data Subject in relation to HOSTAL DEL CIELO S.A.S. and depending on their respective purposes, as indicated below:

HOSTAL DEL CIELO S.A.S. has identified the following databases:
> Customers
> Suppliers
> Employees

7.1 Information collected in the customer database :
> Name
> Identification
>  Email

> Address

> Cell phone
> Credit card number
 

7.2 Information collected in the database of Suppliers, Third parties, and/or contractors:
> Name
> NIT Identification number

> Name and Identification number of the legal representative

> Economic activity
> Address

> Phone
> Email
> Cell phone

> Financial information

Information collected in the employee database: Name Identification number Date of birth Marital status Address Phone Email Cell phone Contact person Financial information

​​

7.3 Information collected in the employee database

> Name
> Identification number
> Date of birth
> Marital status
> Address
> Phone
> Email
> Cell phone
> Contact person
> Financial information
 

8. Purposes of information processing 

​

HOSTAL DEL CIELO S.A.S. uses personal data in accordance with the law to fulfill its corporate purpose, which is the provision of lodging services. The data is collected, stored, used, transmitted, processed, and deleted for the following purposes (among others):
 

• Execute and comply with lodging contracts and related services.

• Manage legal, tax, fiscal, and contractual obligations.

• Improve the lodging experience through personalization, effective communication, and attention to complaints or claims.

• Promote commercial campaigns, events, satisfaction surveys, and new offers.

• Guarantee security and fraud prevention in operations.

• Share data with subsidiaries, partners, or third parties in charge of processing, always with authorization.

• Comply with legal obligations and provision of information to competent authorities.

Processing of specific personal data for profiles relevant to lodging services. 

​

8.1 Employees

​

• Personal data of employees is used exclusively in the workplace.

• It is shared with other companies or entities only to comply with labor legal provisions or data protection laws.

• Biometric data obtained through identification and video surveillance systems are used for identification and security at HOSTAL DEL CIELO S.A.S. facilities.

• Data collected in personnel selection processes are used to manage calls and labor hiring.

​

8.2 Customers

​

The personal information collected from guests or customers includes contact data, booking information, stay, loyalty programs, payment methods, passport, travel history, preferences, among others, for the following uses :

​

• Maintain effective and timely communication regarding bookings, services, and contractual aspects through calls, messages, emails, social networks, and instant messaging.

• Comply with contractual and legal obligations with customers.

• Inform about internal modifications that affect the services.

• Conduct internal studies on customer habits and preferences to improve the service.

• Send promotions, commercial campaigns, and events through different digital and physical channels.

• Receive and manage PQRS (Questions, Complaints, Claims, and Suggestions).

• Facilitate bookings, quotes, and use of mobile applications, social networks, and the website.

• Conduct satisfaction surveys regarding the lodging.

• Store information backups for contingencies, both in Colombia and in other countries.

• Transmit offers and promotions, individually or through commercial alliances.

• Transfer data to authorities according to compliance with tax, accounting, and fiscal legislation.

• Collect and process sensitive data only with express and conscious authorization.

• Process biometric data to validate identity, control access, and monitor customer service calls.

​

8.3 Suppliers

​

The personal data of suppliers related to the provision of services at HOSTAL DEL CIELO S.A.S. includes contact information, legal documentation, personal characteristics, background, and other data relevant to :

​

• Make calls and communications related to the provision of services.

• Manage payments and comply with contractual obligations.

• Maintain effective communication regarding the contractual link through various channels.

• Inform of contractual or administrative modifications.

• Promote products, benefits, and services of HOSTAL DEL CIELO S.A.S. through digital and physical media.

• Maintain information backups for security and contingencies.

• Transmit offers suitable for suppliers and commercial alliances.

• Comply with legal, fiscal, and accounting obligations.

• Collect and process sensitive data only with express authorization.

• Use biometric data for identity validation and recordings for monitoring and improvement in customer service.

• Implement controls to prevent fraud, money laundering, terrorist financing, or illegal activities.

• Share information with third parties to facilitate the fulfillment of the corporate purpose and improve the provision of services.

• Maintain digital and physical files of contracts and related documentation.

• Conduct technical, statistical, and market studies related to the sector and services offered.

​

8.4 Security and confidentiality measures

​

HOSTAL DEL CIELO S.A.S. adopts all the technical, administrative, and legal measures necessary to guarantee the security and confidentiality of the personal data of employees, customers, suppliers, and other Data Subjects, avoiding unauthorized access, losses, or improper alterations.

​

9. Obligations of HOSTAL DEL CIELO S.A.S.
 

a) Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data;

b) Request and keep a copy of the respective authorization granted by the Data Subject;

c) Duly inform the Data Subject about the purpose of the collection and the rights that assist them by virtue of the authorization granted;

d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, or unauthorized or fraudulent use or access;

e) Guarantee that the information supplied to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable;

f) Update the information, communicating in a timely manner to the Data Processor all novelties regarding the data that it had previously supplied, and adopt the other measures necessary so that the information supplied to the latter is kept updated;

g) Rectify the information when it is incorrect and communicate the relevant information to the Data Processor;

h) Supply to the Data Processor, as the case may be, only data whose Processing is previously authorized;

(i) Require from the Data Processor at all times, respect for the security and privacy conditions of the Data subject's information;

(j) Process the inquiries and claims formulated;

(k) Inform the Data Processor when certain information is being discussed by the Data Subject, once the claim has been presented and the respective process has not ended;

(k) Inform at the request of the Data Subject about the use given to their data;

(m) Inform the data protection authority when violations of security codes occur and there are risks in the administration of the Data Subjects' information;

(n) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

 

10.Duties of officials in charge of data processing
 

a) Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.

b) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, or unauthorized or fraudulent use or access.

c) Perform the updating, rectification, or deletion of data in a timely manner.

d) Update the reported information within five (5) business days from its receipt.

e) Process inquiries and claims formulated by the Data Subjects.

f) Adopt an internal procedures manual to guarantee proper compliance with the law and this policy and, especially, for the attention of inquiries and claims by Data Subjects.

g) Register the legend "claim in process" in the database.

h) Insert the legend "information under judicial discussion" in the database once notified by the competent authority about judicial processes related to the quality of the personal data.

(i) Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendency of Industry and Commerce.

(j) Allow access to information only to persons who may have access to it.

(k) Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the administration of the Data Subjects' information.

(l) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

11.Prohibitions
 

a) No processing of personal data incompatible with the purpose authorized by the Data Subject or by law may be carried out, unless there is unequivocal consent from the Data Subject.

b) Processing of partial, inaccurate, incomplete, fractional, or misleading data, or of those whose processing is expressly prohibited or has not been authorized, may not be carried out.

c) Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or authorized third parties.

d) The processing of sensitive data is prohibited except when the Data Subject has given their explicit authorization for such processing.

e) The processing of personal data of children and adolescents is prohibited, except for those data that are public in nature or that have prior, express, and informed authorization granted by the respective parents and/or legal representatives.

12.Rights of the Data Subjects
 

a) Know, update, and rectify their personal data.

b) Request proof of the authorization granted to HOSTAL DEL CIELO S.A.S. except when it is expressly excepted as a requirement for Processing.

c) Be informed by HOSTAL DEL CIELO S.A.S. or by the Data Processor, upon request, regarding the use that has been given to their personal data;

d) File complaints before the Superintendency of Industry and Commerce for infringements of the provisions of this law and other standards that modify, add, or complement it;

e) Revoke the authorization and/or request the deletion of the data when the principles, rights, and constitutional and legal guarantees are not respected in the Processing. Revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that in the Processing, the Controller or Processor have engaged in conduct contrary to the law and the Constitution;

f) Access their personal data that have been subject to Processing free of charge.

13. Processing of data of minors.

 

HOSTAL DEL CIELO S.A.S. may eventually process personal data of children and adolescents in order to carry out administrative actions, activities of interest, and/or to attend to any requirement of a competent authority… Processing will be carried out as long as :

a) The purpose of the processing responds to the best interest of children and adolescents.

b) The processing used by HOSTAL DEL CIELO S.A.S. ensures respect for their fundamental rights.

c) The right of the minor to be heard is respected, an opinion that will be valued taking into account their maturity, autonomy, and capacity to understand the data processing.

d) The requirements provided for in Law 1581 of 2012 for the processing of personal data are met.

 

Within the framework of the data protection policy of HOSTAL DEL CIELO S.A.S., a commitment is established to ensure the integrity and rights of minors who access the services of HOSTAL DEL CIELO S.A.S., in compliance with Law 1098 of 2006 (Code of Childhood and Adolescence), Law 704 of 2001, and Law 679 of 2001.

​

13.1. Law 1098 of 2006 (Code of Childhood and Adolescence)

​

This law aims to guarantee the comprehensive protection of children and adolescents, ensuring their full development in an environment of love, respect, equality, and dignity. HOSTAL DEL CIELO S.A.S., as part of society, recognizes minors as subjects with rights and is committed to respecting and protecting their fundamental rights, including their privacy and the protection of their personal data. In particular, this policy includes:

• Special protection of information and personal data of minors, ensuring their confidentiality and proper handling.

• Strict compliance with legal provisions to avoid any improper processing or that may affect the physical, psychological, or moral integrity of minors.

• Guarantee of safe environments free of any form of discrimination, violence, or abandonment, ensuring the comprehensive well-being of minors.
   

13.2. Law 704 of 2001

This law approves Convention 182 of the International Labour Organization, which prohibits the worst forms of child labor and establishes immediate actions for its eradication. HOSTAL DEL CIELO S.A.S. is committed to:
 

• Not allowing or facilitating any form of child labor within its facilities or related activities.

• Promoting responsible practices that ensure the protection of the labor and human rights of minors.

• Ensuring that every employer or supplier complies with this legislation to protect minors from labor risks.

13.3. Law 679 of 2001

​

Through this law, a statute is issued to prevent and counter exploitation, pornography, and sex tourism with minors. HOSTAL DEL CIELO S.A.S. reaffirms its unrestricted commitment to the protection of the rights of minors and the prevention of child sexual exploitation, committing to:

• Guarantee that no activity within its facilities or related services will allow or facilitate child sexual exploitation or any form of sexual abuse against minors.

• Reject and not contribute to or participate in the sexual exploitation or abuse of any minor, in compliance with the legal and ethical mandate that protects the dignity and fundamental rights of children and adolescents.

• Permanently train its personnel to identify, prevent, and report any situation that may compromise the integrity and safety of minors.

• Comply with the legal obligation to immediately report to the competent authorities any indication or suspicion of child sexual exploitation detected in its facilities or related activities.
   

13.4. Personal Data Protection of Minors

​

In accordance with Colombian regulations and the principles established in Law 1581 of 2012 and its regulatory decree, the processing of personal data of children and adolescents at HOSTAL DEL CIELO S.A.S :
 

• Is prohibited without the prior, express, and informed authorization of legal representatives.

• Must respond to the best interest of the minor, ensuring respect for their fundamental rights.

• Confidentiality, integrity, and security in the handling of their personal data must be guaranteed.

• The Data Subjects and their representatives must be clearly informed about the use, purposes, and rights regarding their data.

• HOSTAL DEL CIELO S.A.S. personnel must receive training to guarantee the responsible and secure handling of this information.
  
  HOSTAL DEL CIELO S.A.S. extends this same policy of protection and respect for the rights and integrity of minors to all activities and spaces that the company provides to children and adolescents in the community, such as those in which they perform schoolwork, recreational activities, or games. In said spaces, HOSTAL DEL CIELO S.A.S. is committed to guaranteeing a safe, respectful, and protected environment, taking care of the confidentiality and proper handling of the personal data of these minors, in accordance with the provisions established herein.
  
  With these provisions, HOSTAL DEL CIELO S.A.S. reaffirms its commitment to the comprehensive protection of minors and the responsible management of their personal data, ensuring a safe, respectful environment in accordance with current legal requirements.
  
  This chapter is an essential part of the personal data protection policy of HOSTAL DEL CIELO S.A.S., reaffirming the absolute priority of protecting minors and their rights in all activities and services offered by the company.
   

14. Community Activities of HOSTAL DEL CIELO S.A.S.

HOSTAL DEL CIELO S.A.S. committed to its corporate social responsibility, actively promotes and participates in community activities that seek to contribute to the social, cultural, and environmental well-being of the community where it is located. These activities include support for social organizations, volunteer programs, provision of spaces for charity events, and alliances with governmental and non-governmental entities to promote local development.

Conscious of the importance of respecting and protecting personal data in all its actions, HOSTAL DEL CIELO S.A.S. guarantees that the handling of information related to the persons participating in these community activities (collaborators, beneficiaries, volunteers, and third parties) is carried out under the principles of confidentiality, security, and respect for their fundamental rights, in accordance with the current legislation on data protection.

Main guidelines for data protection in community activities:
 

• Responsible collection: Only personal data strictly necessary to manage and coordinate community activities will be collected, with a clear and legitimate purpose.

• Informed consent: Persons involved will be clearly informed about the use that will be given to their data, requesting prior authorization when pertinent.

• Confidentiality and security: Personal data will be protected through technical and administrative measures that prevent unauthorized access, disclosure, or improper use.

• Rights of Data Subjects: It will be guaranteed that participants can exercise their rights of access, rectification, cancellation, or opposition regarding their data, providing them with channels for this purpose.

• Staff training: The HOSTAL DEL CIELO S.A.S. team involved in community activities will receive periodic training on the applicable data protection policies and procedures.

• Collaboration with third parties: In cases of alliances or agreements with external organizations, HOSTAL DEL CIELO S.A.S. will establish contractual clauses that ensure compliance with data protection standards.
  
  With these measures, HOSTAL DEL CIELO S.A.S. not only promotes a positive social impact but also protects the privacy and dignity of all people linked to its community actions, strengthening trust and transparency in its social management.

15. Person or area responsible for handling Petitions, inquiries, and claims

HOSTAL DEL CIELO S.A.S. informs the Data Subjects that the area in charge of handling petitions, inquiries, and claims and, in general, so that Data Subjects can exercise their rights, is the communications area, through the channels provided for this purpose in this policy, in any case observing the procedure contemplated below.
 

16. Inquiries and claims

16.1 Inquiries:

• Data Subjects or their successors may consult the personal information of the Data Subject that rests in the HOSTAL DEL CIELO S.A.S. database.

• The inquiry must be formulated in writing, either through written communication to HOSTAL DEL CIELO S.A.S. at Cl 55 #127 46 in 108, in the city of MEDELLÍN or sent to the email contact@hostaldelcielo.com

• If the inquiry is incomplete, the interested party will be required within five (5) days following receipt of the inquiry to correct the failures. After two (2) months from the date of the requirement, without the applicant presenting the required information, it will be understood that they have withdrawn the inquiry.

• The inquiry will be attended to within a maximum term of fifteen (15) business days from the date of receipt thereof. When it is not possible to attend to the inquiry within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which the inquiry will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.
   

16.2 Claims:
 

• The Data Subject or their successors who consider that the information contained in the HOSTAL DEL CIELO S.A.S. database should be subject to correction, updating, or deletion, or when they notice the alleged breach of any of the duties contained in this document or in the law, may file a claim.

• The claim will be formulated through a request addressed to HOSTAL DEL CIELO S.A.S. at Cl 55 #127 46 in 108, in the city of Medellín during the administration's service hours or sent to the email contact@hostaldelcielo.com, which must inform: Name and identification of the Data Subject, description of the facts that give rise to the claim, address, email, and accompanying the documents that they wish to assert.

• If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the failures. After two (2) months from the date of the requirement, without the applicant presenting the required information, it will be understood that they have withdrawn the claim.

• Once the complete claim is received, a legend that says "claim in process" and the reason for it will be included in the database, within a term not exceeding two (2) business days. Said legend must be maintained until the claim is decided.

• The maximum term to attend to the claim will be fifteen (15) business days from the day following the date of its receipt. When it is not possible to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which the claim will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term.
   

17. Complaints to the Superintendency of Industry and Commerce.

As a procedural requirement, the Data Subject or successor may only file a complaint before the Superintendency of Industry and Commerce once they have exhausted the inquiry or claim process before HOSTAL DEL CIELO S.A.S. Data Processor.
 

18. Video Surveillance System.

HOSTAL DEL CIELO S.A.S., in the development of its administrative activity and for the purposes of guaranteeing the security of the goods of the facilities, has a Closed-Circuit Television, through which monitoring and observation activities are carried out, which imply the collection of images of persons, that is, of personal data in accordance with what is established in subparagraph c) of Article 3 of Law 1581 of 2012. Consequently, the processing of the collected data must observe the principles established in the law; namely, legality, freedom, quality or truthfulness, security, confidentiality, restricted access and circulation, and transparency, as well as the others contained in the Law on Personal Data Protection. Thus, and by virtue of the principle of freedom, as a general rule, it will be necessary for the Data Subject to grant authorization, which, in this specific case, will be determined by the unequivocal conduct adopted by the Data Subject regarding the Video Surveillance Notice adopted by HOSTAL DEL CIELO S.A.S., published in a visible manner mainly in the access areas to the places that are being watched and monitored and inside them.

 

Processing of images of children and adolescents

 

The processing of images of children and adolescents must respect their prevailing rights and may only be carried out when (i) it responds to and respects their best interest, and (ii) ensures respect for their fundamental rights.

As Controllers of the processing of images of children and adolescents, special rules are presented for their processing, some of which are :
 

• Have the authorization of the parents or legal representatives of the minors and the acquiescence of the latter, taking into account their maturity, autonomy, and capacity to understand the matter.

• Inform parents or legal representatives about the purpose and processing to which the personal data of minors will be subjected, as well as the rights that assist them.

• Limit the collection and other processing of images, in accordance with what is proportional and adequate in consideration of the previously informed purpose.

• Guarantee the security and confidentiality of the personal data of minors.

• Restrain access to and circulation of the images, in accordance with what is established by law.

​

Data collected before the issuance of Decree 1377 of 2013

​

For data collected before the issuance of Decree 1377 of 2013, subsequently compiled and repealed by the Single Regulatory Decree 1074 of 2015, HOSTAL DEL CIELO S.A.S. has the information processing policies and the method for exercising rights available to Data Subjects at its offices, which are published on the company's website https://www.hostaldelcielo.com/es.

Likewise, these policies will be made known to each of the information Data Subjects, to the corresponding email address registered in our databases, which will be carried out through our channel.

If, within a term of thirty (30) days after sending the corresponding email containing the Personal Data Processing Policies, the Data Subject has not contacted the controller to request the correction, deletion, or authorization of their personal data, HOSTAL DEL CIELO S.A.S. will continue to carry out the processing contained in its databases for the purposes indicated in the privacy notice.

Current national legislation

This Policy is governed by the provisions of Law 1581 of 2012, Law 1266 of 2008, the Single Regulatory Decree 1074 of 2015, and other norms that modify, repeal, or replace them.

Validity

This Policy shall enter into force as of July 1, 2025.

Publication

This policy will be published on the website https://www.hostaldelcielo.com/es