PRIVACY NOTICE

This Privacy Notice is issued in accordance with the Federal Law on the Protection of Personal Data Held by Private
Parties, its Regulations, and the General Guidelines for Privacy Notices (hereinafter, the “Law”).

I. RESPONSIBLE PARTY

Corporación Inmobiliaria KTRC, S.A. de C.V. (hereinafter, the “Controller”), with registered address at Avenida Bonampak, Supermanzana 9, Manzana 2, Ground Floor, Tower N, Floors 7 to 11 and Tower S, Floor 7, Cancún, Quintana Roo, Mexico, C.P. 77503, is responsible for the processing of the personal data of the individuals (hereinafter, the “Individual”).

II. COLLECTED INFORMATION

We collect your personal data directly through:

• Physical or electronic forms completed by you, including those used to make reservations, complete check-in and check-out procedures, request services, respond to surveys, participate in promotions, or through any other interaction with the hotel.
• Our own reservation and communication channels, such as our website, applications, contact center, email instant messaging services, and other customer service channels.
• The capture of images and, where applicable, audio through video surveillance systems installed on our premises, for security purposes.

We may also collect your personal data indirectly through:

• Travel agencies, online booking platforms, tour operators, or other third parties with whom you have contracted
lodging or related services (for example, online travel agencies).
• Affiliated companies, suppliers, or commercial partners involved in the provision of contracted services, to the
extent that such transfer is necessary and permitted under applicable law.
• References, companions, additional guests, or individuals who make reservations or requests on your behalf.

What Personal Data Do We Collect?

The personal data processed by the Controller are grouped into the following categories:

1. Personal data
1.1 Identification and Contact Data
Full name
Email address
Telephone number
Address
Billing and/or collection information

1.2 Demographic and General Data
Date of birth
Place of birth
Nationality
Age
Height
Weight

1.3 Official Identification Data
Official identification number

2. Sensitive Personal Data
2.1 Health Data
Current health status
Medical conditions
Allergies
Medications
Dietary habits
Pregnancy status, where applicable

2.3 Gender Data
Gender
3. Financial and/or Patrimonial Data
Credit or debit card information

In cases where the Individuals are minors, personal data will be collected with the express authorization of the person holding parental authority, guardianship, or legal representation.

III. PURPOSES

The processing of personal information will be carried out in accordance with the principles of legality, quality, consent, information, purpose limitation, loyalty, proportionality, and accountability set forth in the Law.

Primary Purposes

The primary purposes that give rise to the processing of personal data and are necessary for the legal relationship between the Controller and the Individual include:

A. To provide the contracted products and services, including tourism, lodging, transportation, and other services offered during the Individual’s stay.
B.To identify and verify the Individual’s identity, as well as to create and maintain administrative, operational, and control records related to the provision of services.
C.To manage reservations and confirm services, and to maintain communication before, during, and after the stay, including sending confirmations, operational notices, calls, text messages, and other communications necessary for the proper provision of services.
D.To provide customer service and support, including addressing inquiries, clarifications, complaints, claims, suggestions, and incidents occurring at the facilities where services are provided, as well as following up on compensations, bonuses, or adjustments derived from guest experiences.
E. To provide complementary services, including, without limitation:

i) spa services and the customization of such services according to the Individual’s conditions and needs;
ii) food and beverage services, including the identification of potential dietary risks;
iii) recreational services, including activities for duly registered minors;
iv) gym services;
v) laundry services, including garment identification;
vi) luggage storage services;
vii) shipment, receipt, and storage of packages, as well as identification and recovery of lost items.

F. To manage room charges and collect payment for products and services provided

G. To follow up on accidents, losses, emergencies, or contingencies, as well as to implement and comply with civil protection measures, physical security, and applicable health requirements.

H. To implement access controls to facilities and restricted areas, as well as video surveillance activities, which may include the capture of images and, where applicable, audio, for the security of individuals, property, and facilities, as well as for the attention and follow-up of related incidents. Recordings may be viewed in real time and/or stored in accordance with applicable security measures.

Secondary Purposes

Additionally, the Controller informs that personal data may be processed for the following secondary purposes:
• To conduct statistical analyses, product and service usage analysis, market segmentation, and demographic and sociographic analysis, as well as to enrich customer profiles and generate similar audiences.
• To evaluate the Individual’s profile for commercial purposes, including pre-qualification for sales presentations.
• To use the Individual’s image (photographs and/or video) for advertising, promotional, marketing, corporate image, and campaign purposes in printed, digital, or any other media.
• Commercial prospecting.

If the Individual does not wish their personal data to be processed for these additional purposes, they may express their refusal through a written request signed by the Individual or their authorized representative and sent to the following email address: privacy@pamhotels.com. Refusal to allow the processing of personal data for these secondary purposes shall not be grounds for denying the provision of contracted services.

IV. TRANSFER OF INFORMATION

The Controller informs that personal data are not used in automated decision-making processes, without human intervention, that produce legal effects or significantly affect Individuals. However, for operational and service administration purposes, the Controller may use technological tools or systems to support the management of services provided to the Individual.

V. INFORMATION PROTECTION

Transfers of personal data, within or outside Mexican territory, may occur as necessary to fulfill the purposes described above, to the following third parties, who may act as data processors, following the direct instructions of the Controller.

To carry out the contracted services, necessary for the provision of services to the Individual or for the fulfillment of the purposes previously described in this Privacy Notice.

The personal data collected may be shared with:

• SMTouring
• AGILYSYS NV, LLC
• Mankara Technologies Inc.
• Sabre GLBL Inc.
• Worldpay, LLC
• ParGolf
• Book4Time, Inc.
• Odyssey Proyección Empresarial, S.A. de C.V.
• Oracle Hospitality LLC
• Nuvola, Inc.
• Inversiones Zahena, S.A.
• Inversiones Valozo, S.A.
• Hard Rock Limited
• Nobu LLC
• Marriot Switzerland Licensing Company, S.A.R.L.

VI. ARCO RIGHTS

You have the right to know what personal data we hold about you, what we use it for, and the conditions under which it is used (Access). You also have the right to request the correction of your personal information if it is outdated, inaccurate, or incomplete (Rectification); to request that we delete it from our records or databases when you consider that it is not being used in accordance with the principles, duties, and obligations provided by applicable law (Cancellation); and to object to the use of your personal data for specific purposes (Objection). These rights are known as ARCO rights.

To exercise any of your ARCO rights, the Individual must submit a written request addressed to the Data Protection Office, either by email to privacy@pamhotels.com or in writing to Avenida Bonampak, Supermanzana 9, Manzana 2, Ground Floor, Tower N, Floors 7 to 11 and Tower S, Floor 7, Cancún, Quintana Roo, Mexico, C.P. 77503.

When submitting a request to exercise ARCO rights, the following must be considered:

A.The applicant must be the Individual to whom the personal data belongs, or their legal representative. In both cases, identity must be duly accredited through official documentation (Voter Identification Card, Passport, Military Service Card, or Professional License). If a legal representative exists, their identity and legal authority must be accredited by attaching the corresponding documents (Public Instrument such as a Power of Attorney, declaration made by the Individual in a personal appearance, or, where applicable, a power of attorney signed before two witnesses).
B. The request must state the name of the Individual and the means by which the response should be communicated indicating whether the Individual consents to being contacted by email.
C.In addition to documentation proving identity and legal authority, a clear and precise description of the personal data in respect of which one of the aforementioned rights is to be exercised must be provided, as well as any other element or document that facilitates the location of such personal data. Documentation required for the specific right to be
exercised must also be included, in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties.
D. The following specific requirements apply to each ARCO right:

i. ACCESS: Indicate the personal data to which access is requested and that are believed to be held in our databases.
ii. RECTIFICATION: Specify the corrections to be made and attach documentation supporting the request.
iii. CANCELLATION: Identify the personal data requested to be deleted.
iv. OBJECTION: Specify the personal data for which processing is opposed and the reasons for the alleged harm caused by such processing.

If the information provided in the request is insufficient or inaccurate, or if the required documents are not attached, the Data Protection Office may request additional information and/or documentation within a period not exceeding five (5) business days. The Individual will then have ten (10) business days from receipt of such request to provide the requested
information.

If the request contains sufficient information, the resolution period will be twenty (20) business days from the date the request is received. This period may be extended once for an equal period, when justified by the circumstances of the case, in accordance with applicable law.

If the resolution is favorable, it will be implemented within fifteen (15) business days following notification of the decision. This period may also be extended once for an equal period, when justified by the circumstances, and the Individual will be notified through the previously selected contact method.

The means by which the Individual may obtain the requested personal data through the exercise of the right of access may include simple copies, electronic documents, or any other selected medium.

For questions regarding the procedure and requirements for exercising ARCO rights, the Individual may contact the Data Protection Office, which will process such requests and address any questions regarding the processing of personal data. Contact details are as follows:

• Authorized office: Data Protection Office
• Address: Avenida Bonampak, Supermanzana 9, Manzana 2, Ground Floor, Tower N, Floors 7 to 11 and Towers, Floor 7, Cancún, Quintana Roo, Mexico, C.P. 77503
• Email: privacy@pamhotels.com

VII. CONSENT

The Individual may revoke the consent granted for the processing of their personal data at any time. However, the Individual should be aware that in certain cases it may not be possible to immediately comply with such request or to cease processing, due to legal obligations that require continued processing of personal data. Likewise, the Individual
should consider that revoking consent for certain purposes may result in the inability to continue providing the requested services or the termination of the legal relationship with us. To revoke consent, the Individual may follow the same procedure established for the exercise of ARCO rights, by sending an email to privacy@pamhotels.com or submitting a
written request to Avenida Bonampak, Supermanzana 9, Manzana 2, Ground Floor, Tower N, Floors 7 to 11 and Towers, Floor 7, Cancún, Quintana Roo, Mexico, C.P. 77503.

For questions regarding the procedure and requirements for revoking consent, the Individual may contact the Data Protection Office, which will process revocation requests and address any related inquiries. Contact details are as follows:

• Authorized office: Data Protection Office
• Address: Avenida Bonampak, Supermanzana 9, Manzana 2, Ground Floor, Tower N, Floors 7 to 11 and Tower
S, Floor 7, Cancún, Quintana Roo, Mexico, C.P. 77503
• Email: privacy@pamhotels.com

To submit a consent revocation request, the applicant must be the Individual or their legal representative, and identity must be duly accredited using official documentation (Voter Identification Card, Passport, Military Service Card, or Professional License). If a legal representative exists, their authority must be accredited through the corresponding
documents (Public Instrument such as a Power of Attorney, declaration made by the Individual in a personal appearance, or, where applicable, a power of attorney signed before two witnesses). The resolution of a consent revocation request will be issued within twenty (20) business days from the date the request is received.

How Can You Limit the Use or Disclosure of Your Personal Data?

In order to limit the use or disclosure of personal data, the following options are available:
• Registration in the Public Registry to Avoid Advertising, administered by the Federal Consumer Protection Agency (PROFECO), to prevent personal data from being used for advertising or promotional communications from providers of goods or services. Additional information may be obtained through PROFECO’s official website or by contacting the agency directly.
• Sending an email to privacy@pamhotels.com requesting that personal data not be processed for marketing, advertising, or commercial prospecting purposes.

VIII. USE OF COOKIES

The Controller’s website uses cookies and other similar technologies that allow monitoring of user behavior in order to provide a better browsing experience and offer products and services aligned with user interests. Personal data collected through these technologies may include, without limitation: browser type, operating system, IP address, pages
visited, browsing time, and usage preferences. The Individual may disable or adjust cookie settings directly through their browser. However, disabling cookies may affect the functionality of certain features of the website. For additional information regarding the use of cookies and similar technologies, the Individual may consult the Cookie Notice available on the Controller’s website.

How Can You Be Informed of Changes to This Privacy Notice?

This Privacy Notice may be modified, updated, or amended due to new legal requirements; changes in the products or services offered; updates to privacy practices; or changes to the business model. The Controller undertakes to keep the Individual informed of any changes through its website at www.pamhotels.com.

Notifications regarding changes or updates to this Privacy Notice will be carried out as follows:

• Publication of banners on the Controller’s website informing of the changes or updates.
• Any modification or update will become effective the day following its publication through the aforementioned
means.

The Individual declares that they have read and understood this Privacy Notice and grants express, informed, and voluntary consent for the processing of their personal data, including sensitive personal data and, where applicable, personal data of minors, in accordance with the purposes described herein, except where otherwise permitted by law. Such consent shall  bedeemed granted upon acceptance of this Privacy Notice, without prejudice to the Individual’s right to revoke consent at any time in accordance with the procedure described above.

IX. CONTACT US

Should it be any questions or concerns about this Notice, the management of your Personal Information or your rights, please feel free to contact our Personal Information Manager by email privacy@rcdhotels.com, by telephone +52 (998) 254 6500, or directly at Boulevard Kukulcán km 14.5, Zona Hotelera, Cancún, Quintana Roo, C.P. 77500, México.

This Privacy Notice was prepared based on the provisions of the Federal Law on Protection of Personal Data Held by Individuals and its Regulations.