Information Processing Policy
ID
Company Name: STAY S.A.S
Tax ID (NIT): 901591751-6
Physical and Email Address: Calle 2 Sur #25-115
Contact Information: 3102529434
National Tourism Registry Number (RNT 130176)
INTRODUCTION
At STAY S.A.S., the conservation, protection, integrity, and confidentiality of the Personal Data of its guests, visitors, customers in general, suppliers, contractors, shareholders, investors, employees, and others is very important. To this end, we have designed a policy for the storage and processing of Personal Data provided to us through any medium, and we are committed to the protection and proper handling of the same, in accordance with the legal regime for the protection of Personal Data applicable in each territory where we operate. For all purposes, STAY S.A.S. (hereinafter “STAY”) located at Cra. 29 # 1 – 203 Medellín, Colombia, will be responsible for the data. Operator of the brands: Seissta, Kiin Living, Moira, Wake, Wake living, Wake BioHotel, Silo, Wake Medellín, and Boro.
OBJECTIVE
To describe the guidelines for the processing of Personal Data, taking into account the provisions of Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, incorporated into Single Decree 1074 of 2015, and other regulations that extend, modify, or replace the regulation on the matter.
DEFINITIONS
For the purposes of applying the rules contained in this policy, and in accordance with the provisions of Article 3 of Law 1581 of 2012, the following definitions apply:
Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of personal data. Authorization shall be understood to meet these requirements when expressed (i) in writing, (ii) orally, or (iii) through unequivocal conduct by the Data Subject that allows a reasonable conclusion that authorization was granted. In no case shall silence be assimilated to unequivocal conduct.
Privacy Notice: Verbal or written communication generated by the Controller addressed to the Data Subject for the processing of their personal data, through which they are informed about the existence of the information Processing policies that will be applicable to them, how to access them, and the purposes of the intended Processing of the personal data.
Database: Organized set of Personal Data subject to Processing.
Personal Data: Any information linked to or that can be associated with one or more specific or determinable natural persons.
Private Data: Data that, due to its intimate or reserved nature, is only relevant to the Data Subject.
Semi-private Data: Data that is not of an intimate, reserved, or public nature and whose knowledge and disclosure may interest not only its owner but also a certain sector or group of people, or society in general, such as financial and credit data.
Sensitive Data: Sensitive data are those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations, or those promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.
Processor: Natural or legal person, public or private, who by themselves or in association with others, performs the Processing of Personal Data on behalf of the Data Controller.
Data Controller (or simply “Controller”): Natural or legal person, public or private, who by themselves or in association with others, decides on the database and/or the Processing of the data.
Transfer: Data transfer takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or Personal Data to a recipient, who in turn is a Data Controller and is located inside or outside the country.
Transmission: Processing of Personal Data that involves the communication of these within or outside the territory of the Republic of Colombia when its purpose is the performance of processing by the Processor on behalf of the Controller.
Data Subject: Natural person whose Personal Data is subject to Processing.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion thereof.
PRINCIPLES
The principles established below constitute the general parameters that will be adopted by STAY in personal data processing operations:
Principle of Purpose: The processing of Personal Data collected by STAY must obey a legitimate purpose, which must be informed to the Data Subject;
Principle of Freedom: Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives consent;
Principle of Truthfulness or Quality: The information subject to processing must be true, complete, accurate, updated, verifiable, and understandable. The processing of partial, incomplete, fractioned data or data that leads to error is prohibited;
Principle of Transparency: In processing, the Data Subject’s right to obtain from STAY or the Processor, at any time and without restrictions, information about the existence of data concerning them must be guaranteed;
Principle of Access and Restricted Circulation: Personal data, except for public information, may not be available on the Internet or other mass disclosure or communication media, unless access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties.
Principle of Security: The information subject to processing by STAY S.A.S. must be protected through the use of technical, human, and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use, or access;
Principle of Confidentiality: All persons involved in the processing of Personal Data are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks comprised in the processing has ended.
Principle of Collaboration with National or Foreign Authorities: In addition to what is established by law, the Data Subject’s Authorization will include the possibility of providing information to national or foreign authorities for the purpose of collaborating with the prevention, detection, and mitigation of risks of tax evasion, national or foreign corruption, money laundering, financing of terrorism, and/or similar, as well as to carry out necessary activities to mitigate the effects of such situations if they occur.
Principle of Legality: The collection, use, and processing of personal data is based on what is established by Law and other provisions that develop it.
Principle of Necessity and Proportionality: Personal data registered in a database must be strictly necessary for the fulfillment of the purposes of processing informed to the data subject. In this sense, they must be adequate, relevant, and in line with the purposes for which they were collected.
Principle of Purpose: The processing of the personal data collected must obey a legitimate purpose in accordance with the constitution and the law, which must be informed to the data subject.
Principle of Temporality or Expiration: The period of conservation of personal data will be that which is necessary to achieve the purpose for which they were collected.
SCOPE OF APPLICATION
This policy shall be applicable to Personal Data registered and to be registered in the different databases managed by STAY, that is, to the databases of guests, visitors, members, customers in general, suppliers, contractors, shareholders, investors, employees, former employees, and others who provide their data through different communication channels (digital or physical means) for commercial, legal, contractual, labor, or security purposes, as applicable. The information collected by STAY may include, in whole or in part according to the needs of each product and/or service, among others, the following data:
• First and last names
• Type and identification number
• Nationality and country of residence
• Date of birth and gender
• Marital status and/or relationship in regard to minors or disabled persons requesting our services
• Landline and cell phone contact numbers (personal and/or work)
• Postal and electronic addresses (personal and/or work)
• Profession or occupation
• Company where they work and position
• Origin and destination
• Reason for travel
• Credit card information (number, bank entity, expiration date)
• Personal data of the cardholder (first and last names, type and identification number)
• Information of the address where the cardholder receives their bank statements.
• Biometric data, specifically, security camera records for surveillance, those required for the operation of the SaaS system, and attendance control and identity validation (including fingerprints, facial patterns, or voice records and photographic records associated with attendance marks).
• Photographic images or videos.
These data may be stored and/or processed on servers located in computer centers, whether owned or contracted with third-party providers and/or contractors who are in turn obliged to comply with this policy as Processors of personal data, under confidentiality clauses.
VERACITY OF INFORMATION
Our guests, visitors, members, customers in general, suppliers, contractors, shareholders, investors, employees, and others must provide truthful information about their Personal Data for the purposes of proper relationship-building with STAY, whether for the provision of services or for the fulfillment of their legal and/or contractual obligations. STAY presumes the veracity of the information provided and does not verify, nor assume the obligation to verify, the identity of guests, visitors, customers in general, suppliers, contractors, shareholders, investors, employees, and others, nor the veracity, validity, sufficiency, and authenticity of the data provided by each of them. Therefore, STAY assumes no responsibility for damages and/or losses of any nature that may arise from the lack of veracity, validity, sufficiency, or authenticity of the information, including damages and losses that may be due to homonymy or identity theft.
INFORMATION OF CHILDREN AND ADOLESCENTS
In accordance with the law, STAY will not process the Personal Data of children and adolescents, except when it involves data of a public nature, in accordance with the provisions of Article 7 of Law 1581 of 2012 and when such processing meets the following parameters and requirements:
a) That it responds to and respects the superior interest of children and adolescents.
b) That the respect for their fundamental rights is ensured.
The collection of these personal data of minors is optional and must be carried out with the prior and express authorization of the guardian or whoever has parental authority. In the case of children and other family members of the Data Subjects, the Processing of this information will be for purposes related to the human management department (affiliation to social security, family compensation fund, benefits, and other legal obligations) and respect for the prevalent rights of children and adolescents will be ensured. STAY will ensure the proper use of the data of children and adolescents, guaranteeing that the processing of their data respects their superior interest and fundamental rights. In the processing of this special type of data, STAY may develop specific terms and conditions for the respective activity, project, or program, defining the special parameters and requirements mentioned above. Therefore, for the development of a specific program or activity involving the processing of special data of minors, the provisions of this Data Processing Policy and the relevant special norms will always apply, unless STAY develops specific terms and conditions for a particular program, project, or activity.
PROCESSING OF PERSONAL DATA OF A SENSITIVE NATURE
STAY may request Sensitive Data from you at any time, informing at the time of collection that the requested data has this character, and what type of Sensitive Data will be collected. STAY may process sensitive data in the following cases:
• When you have given your explicit and voluntary consent for specified purposes;
• If the Processing is necessary to comply with legal obligations;
• If the Processing is necessary to protect your vital interests or those of another natural person;
• If the Processing refers to Personal Data that you have made public;
• If the Processing is necessary for the formulation, exercise, or defense of claims or when judges or courts act in the exercise of their judicial function; or
• If the Processing is mandatory by virtue of the Law.
STAY will not, under any circumstances, condition any activity on the delivery of Sensitive Data. Sensitive Data will be processed with the greatest possible diligence and the highest security standards. Limited access to Sensitive Data will be a guiding principle to safeguard their privacy, and therefore, only authorized personnel may have access to that type of information.
PURPOSES OF THE PROCESSING OF PERSONAL DATA
The Personal Data of guests, visitors, and customers in general are collected for the purposes of:
• Processing, confirming, fulfilling, and providing the services and/or products acquired, directly and/or with the participation of third-party contractors and/or suppliers of products or services.
• Promoting and advertising, directly and through third-party providers, our activities, products, and services.
• Performing transactions, making reports to various national or international administrative control and surveillance authorities, police authorities, or judicial authorities, banking entities, and/or insurance companies, for internal administrative and/or commercial purposes such as market research, audits, accounting reports, statistical analysis, billing, and offering and/or recognition of benefits inherent to our loyalty programs.
• Contacting Data Subjects to send information regarding the contractual relationship.
• Knowing, storing, and processing all information provided by Data Subjects in one or more databases, in the format deemed most convenient.
• Managing, maintaining, developing, and controlling the existing contractual relationship between the parties, attending to their requests for information, as well as managing their claims, processing their requests for contract termination, and revocation of the authorization for the processing of personal data.
• Preventing fraud or improper use of our services.
• Allowing the creation of cases or users in STAY’s information systems associated with the linkage of workers, as well as for the development of strategic, administrative, commercial, and accounting functions.
• Collecting data for the fulfillment of duties that, as Controller of the information and personal data, correspond to the Organization.
• Satisfying legal obligations, such as those related to the prevention of money laundering and terrorism financing.
• Verifying, corroborating, checking, validating, investigating, or comparing the information provided by the Data Subjects with any information legitimately available.
The Personal Data of suppliers, contractors, shareholders, investors, employees, and others are collected for the purposes of:
• Complying with the legal and/or contractual obligations assumed with respect to each.
• Making payments.
• Effecting reports to various national or international administrative control and surveillance authorities, police authorities, or judicial authorities, banking entities, and/or insurance companies.
• For internal administrative purposes such as market research, audits, accounting reports, statistical analysis, billing, and offering and/or recognition of benefits inherent to our loyalty programs.
In the case of biometric data (specifically, security camera records for surveillance), the collected information will be used for the security purposes of employees, visitors, as well as property and facilities; and the information collected as photographic images or videos captured at events, courses, workshops, seminars, and other STAY activities for the development of our social welfare will be used or may be processed for purposes of security, coexistence, support, or evidence of the tasks and activities performed.
In relation to the biometric data of employees, the information collected will be used for attendance control and management purposes. The specific purposes of the processing include, but are not limited to:
a) Enabling access, configuration, and administration of user accounts within the GeoVictoria system, for both administrative and operational users.
b) Managing profiles, permissions, schedules, shifts, cost centers, and other organizational variables associated with the operation of the service.
c) Storing, processing, and analyzing records of punching, attendance, absenteeism, disability, and other labor events recorded through the system.
In the case of contact information (phone number, email for sending SMS messages or via WhatsApp, Telegram, or any other technological or instant messaging medium) of location and geolocation, the data will be processed by STAY S.A.S., by its CRM provider or Customer Relationship Management provider, and any third party that replaces it or has access to these data for the fulfillment of the purposes described below:
– Making invitations to events and offering products and services;
– Managing procedures (requests, complaints, claims).
– Performing satisfaction surveys regarding goods and services offered by STAY S.A.S. or its commercial allies.
– Providing contact information to the sales force and/or distribution network, telemarketing, market research, and any third party with whom STAY S.A.S. has a contractual link for the development of such activities (market research and telemarketing, etc.) for their execution.
– Contacting the Data Subject through telephone means, emails, chat, WhatsApp, or Telegram to perform surveys, studies, and/or confirmation of personal data necessary for the execution of a contractual relationship.
– Contacting the Data Subject through electronic means – SMS or chat for sending news related to loyalty campaigns or service improvement.
– Providing the services offered by STAY S.A.S. and accepted in the signed contract (where applicable).
– Learning about customers’ tastes, preferences, and hobbies; and the most used or preferred social networks.
By accepting the processing of personal data, our guests, members, visitors, customers in general, suppliers, contractors, shareholders, investors, employees, and others, in their capacity as subjects of the data collected, authorize STAY to apply this policy and perform the processing of personal data, partially or totally, including collection, storage, recording, use, circulation, processing, deletion, for the execution of activities related to the services and products acquired, such as making reservations, modifications, cancellations, and changes to them, refunds, attention to inquiries, complaints, and claims, payment of compensation and indemnities, accounting records, correspondence, processing and verification of credit and debit cards and other instruments for fraud identification and prevention of money laundering and other criminal activities and/or for the operation of loyalty programs, sending of advertising and commercial material, requests to complete satisfaction surveys, and other purposes indicated in this document. The foregoing without prejudice to other purposes that have been informed in this document and in the terms and conditions of each of the products and services of our business units. Third-party providers and/or contractors may be involved in these activities and are in turn compelled to abide by this policy as Processors of personal data under confidentiality clauses, such as reservation system providers, travel agencies, reservation centers, banking entities, insurers, security guards or agencies, and others. Additionally, our travelers, customers, and users, as Data Subjects of the collected data, by accepting this policy authorize us to:
• Use, directly or through contracted third parties, the information received from them for marketing purposes for their products and services, and the products and services of third parties with whom STAY maintains a business relationship.
• Provide Personal Data to police or judicial control and surveillance authorities by virtue of a legal or regulatory requirement and/or use or disclose this information and Personal Data in defense of its rights and/or its assets insofar as said defense relates to the products and/or services contracted by its travelers, customers, and users.
• Allow access to information and Personal Data to auditors or third parties contracted to carry out internal or external audit processes inherent to the commercial activity we develop.
• Consult and update personal data at any time in order to keep said information updated.
• Contract third parties for the storage and/or processing of information and Personal Data for the correct execution of contracts entered into with us, under the security and confidentiality standards to which we are obliged.
AUTHORIZATION
The collection, storage, use, circulation, or deletion of Personal Data by STAY requires the free, prior, express, and informed consent of the Data Subject. Authorization shall be understood to meet these requirements when expressed (i) in writing, (ii) orally, or (iii) through unequivocal conduct by the data subject that allows a reasonable conclusion that authorization was granted. In no case shall silence be assimilated to unequivocal conduct. STAY, in its capacity as the controller of Personal Data processing, has established the necessary mechanisms to obtain the Authorization of the Data Subjects, guaranteeing in all cases that it is possible to verify the granting of said authorization. With the aforementioned Authorization, the Data Subject accepts the policies and conditions set forth in this document. Authorization from the Data Subject will not be necessary in the following events:
• Personal Data is required by a public or administrative entity in the exercise of its legal functions or by judicial order.
• It involves data of a public nature.
• In cases of medical or health urgency.
• The processing of Personal Data is authorized by law for historical, statistical, or scientific purposes.
• It involves data related to the civil registry of persons.
FORM AND MECHANISMS TO GRANT AUTHORIZATION
The Authorization of the Data Subject is recorded in each of STAY’s data collection channels and mechanisms. Thus, it may be recorded in a physical or electronic document or in any other format that allows for subsequent consultation. The Authorization will be issued by the Data Subject prior to the processing of their personal data, in accordance with the provisions of Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, incorporated into Single Decree 1074 of 2015, and other regulations that extend, modify, or replace the regulation on the matter. Through the consented Authorization procedure, it is guaranteed that the Personal Data Subject has been informed both of the fact that their personal information will be collected and used for specific and known purposes, and that they have the option to know any alteration to them and the specific use given to them. This is so that the Data Subject makes informed decisions regarding their Personal Data and controls the use of their personal information. Authorization may also be consented to by the Data Subject through unequivocal conduct that allows a reasonable conclusion that they granted Authorization, such as entering and remaining in facilities in buildings with video surveillance recording systems and entry and exit logs.
RIGHTS OF THE DATA SUBJECTS
In accordance with Article 8 of Law 1581 of 2012, the Personal Data Subject has the following rights:
• To know, update, and rectify their Personal Data before STAY, in its capacity as the data controller.
• To authorize STAY, as the Data Controller, for the handling of the information contained in the databases in accordance with Law 1581 of 2012.
• To request proof of the Authorization granted to STAY, in its capacity as the Data Controller, except when expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
• To be informed by STAY, upon request, regarding the use given to their personal data.
• To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012, once the consultation or claim process before the Data Controller has been exhausted.
• Except for legal exceptions, to revoke the Authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees. The revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that in the processing, the Controller has engaged in conduct contrary to the law or the Constitution.
• To access, free of charge, their Personal Data that has been subject to Processing.
• To refrain from answering questions about sensitive data or about data of children and adolescents.
• To know about this data protection policy.
STAY’S DUTIES IN RELATION TO THE PROCESSING OF PERSONAL DATA
STAY will keep in mind at all times that Personal Data is the property of the persons to whom it refers and that only they can decide over it. In this sense, it will make use of them only for those purposes for which it is duly authorized, and respecting in all cases Law 1581 of 2012 on the protection of personal data. In accordance with the provisions of Article 17 of Law 1581 of 2012, STAY undertakes to permanently comply with the following duties:
a) To guarantee the Data Subject, at all times, the full and effective exercise of their rights;
b) According to the law, to request and keep the respective authorization granted by the data subject;
c) In clarity of the authorization granted, to inform the data subject about the purpose of the personal data collection and their rights;
d) To keep information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access;
e) To request and keep, under the conditions provided by law, a copy of the respective Authorization granted by the data subject;
f) To perform updates, rectifications, or deletions of data in a timely manner, that is, within the terms provided in Articles 14 and 15 of Law 1581 of 2012;
g) To process consultations and claims formulated by the Data Subjects within the terms indicated in Article 14 of Law 1581 of 2012;
h) To record the legend “Claim in Process” in the database in the manner regulated by Law 1581 of 2012;
i) To insert the legend “information under judicial discussion” in the database once notified by the competent authority regarding judicial processes related to the quality or details of the Personal Data;
j) To refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendency of Industry and Commerce;
k) To allow access to information only to persons who can have access to it;
l) To inform the Superintendency of Industry and Commerce when security code violations occur and risks in the administration of the Data Subjects’ information exist;
m) To comply with instructions and requirements issued by the Superintendency of Industry and Commerce;
n) To strictly comply with Law 1581 of 2012 as well as the decrees that regulate it, as well as with all requirements made by the Superintendency of Industry and Commerce; and the responsible use of information, including security, administrative, physical, and technological controls.
ACCESS, CONSULTATION, AND CLAIM PROCEDURES
RIGHT OF ACCESS
The power of disposal or decision that the Data Subject has over information concerning them necessarily entails the right to access and know if their personal information is being subject to processing, as well as the scope, conditions, and generalities of said processing. Likewise, the Data Subject has the right to request its rectification in case of being inaccurate or incomplete and to cancel them when they are not being used in accordance with legal or contractual purposes and terms or according to the purposes and terms contemplated in this Policy. STAY will guarantee the right of access when, upon prior accreditation of the identity of the Data Subject or their representative or proxy, it is requested as provided in Law 1581 of 2012, including the following data: a) First and last names. b) Document type. c) Document number. d) Telephone. e) Personal email. f) Country. g) Subject. Customers and users can exercise their rights to know, update, rectify, and delete their Personal Data by sending their request to the email: protecciondatos@staygroup.co, website https://kiinliving.com/ in the legal terms section, in accordance with this Policy.
RESPONSE TO INQUIRIES
In any case, regardless of the mechanism implemented for handling inquiry requests, they will be addressed within a maximum term of ten (10) business days from the date of receipt. When it is not possible to address the inquiry within said term, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the first deadline.
CLAIMS
In accordance with the provisions of Article 14 of Law 1581 of 2012, the Data Subject or their successors who consider that the information contained in a database should be subject to correction, updating, or deletion, or when they notice an alleged breach of any of the duties contained in Law 1581 of 2012, may file a claim with the Data Controller, which will be processed under the following rules:
The claim may be submitted by the Data Subject in the formats provided by STAY in its Hotel Registry.
If the claim received does not contain complete information allowing it to be processed (that is, the identification of the Data Subject, the description of the facts giving rise to the claim, the address, and the accompanying documents to be asserted), the interested party will be required within five (5) days following receipt to correct the flaws. After two (2) months from the date of the request without the applicant providing the required information, it will be understood that they have withdrawn the claim.
If for any reason the Company receives a claim that should not actually be directed to it, it will transfer it to the appropriate party within a maximum term of two (2) business days and inform the interested party of the situation.
Once the complete claim is received, a legend stating “claim in process” and the reason for it will be included in the database maintained by STAY within a term not exceeding two (2) business days. Said legend must be maintained until the claim is decided.
The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to address it within said term, the interested party will be informed before the expiration of said period of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
In cases where the Data Subject claims identity theft, STAY S.A.S. must inform the Data Processor to include the respective legend regarding the Data Subject and the obligation or obligations affecting them due to the identity theft. In any case, the data controller must carry out the corresponding procedure to establish if there are indications that lead to the removal of the information report, both positive and negative. If as a result of the procedure it is determined that the removal of information is not appropriate, the Data Subject may appeal to the Superintendency of Industry and Commerce for a ruling.
IMPLEMENTATION OF PROCEDURES TO GUARANTEE THE RIGHT TO FILE CLAIMS
At any time and free of charge, the Data Subject or their representative may request the rectification, updating, or deletion of their personal data from STAY, upon accreditation of their identity. The rights of rectification, updating, or deletion may only be exercised by:
The Data Subject or their successors, upon accreditation of their identity, or through electronic instruments that allow them to identify themselves.
Their representative, upon accreditation of the representation.
When the request is made by a person other than the Data Subject and it is not proven that they are acting on behalf of the latter, it will be considered as not submitted.
The request for rectification, updating, or deletion must be submitted through the means enabled by STAY indicated in this policy and contain, at a minimum, the following information:
• The name and address of the Data Subject or any other means to receive the response
• Documents proving identity or the legal standing of their representative
• A clear and precise description of the Personal Data regarding which the Data Subject seeks to exercise any of the rights
• If applicable, other elements or documents that facilitate the location of the personal data
• Indicate the corrections to be made and provide the documentation supporting their request.
DATA DELETION AND/OR REVOCATION OF AUTHORIZATION
The Data Subject has the right, at all times, to request STAY to delete their Personal Data when:
• They consider that they are not being processed in accordance with the principles, duties, and obligations provided in Law 1581 of 2012
• They have ceased to be necessary or relevant for the purpose for which they were collected
• The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.
The request for deletion of information or the revocation of Authorization will not proceed when:
• The Data Subject has a legal or contractual duty to remain in the database
• The deletion of data hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions
• The data is necessary to protect the legally protected interests of the owner; to perform an action based on public interest, or to comply with a legally acquired obligation by the owner.
INFORMATION SECURITY
In accordance with the principle of security established in Law 1581 of 2012, STAY has adopted the technical, human, and administrative measures necessary to provide security to the records, avoiding their alteration, loss, consultation, unauthorized or fraudulent use or access. Notwithstanding the above, the client assumes the risks derived from providing this information in a medium such as the internet, which is subject to various variables – third-party attacks, technical or technological failures, among others. STAY will make its best technological effort to guarantee the security of the personal information of all its clients and/or users, employing reasonable and current security methods to prevent unauthorized access, maintain data accuracy, and guarantee the correct use of information.
MODIFICATIONS TO THE POLICY
STAY reserves the right to make modifications or updates to this Policy at any time, to address legislative developments, internal policies, or new requirements for the provision or offering of its services or products.
EFFECTIVE DATE
This Policy begins to govern under the terms of Law 1581 of 2012. The validity of the databases mentioned herein and the corresponding Personal Data will be maintained according to the contractual terms or the legal terms regarding document conservation.
ANNEXES
- Authorization for Personal Data Processing (in contracts and/or any document provided by STAY)
- Authorization for the Use of Image and Photography
- Hotel Registry
COOKIES
A cookie refers to a file that is sent for the purpose of requesting permission to be stored on your computer; by accepting said file, the cookie is created. The cookie then serves to hold information regarding web traffic and also facilitates future visits to a recurring website. Another function of cookies is that they allow websites to recognize users individually and therefore provide the best personalized service on their site. In other words, cookies are small data files used by websites, such as applications or emails, that are saved in your browser and optionally on your hard drive. Cookies allow us to “remember” information about your preferences and session, and they allow you to move within the areas of our websites without re-entering your data. Our website uses cookies to identify the pages visited and their frequency. This information is used for statistical analysis and makes it possible to create a more personalized and convenient shopping experience. STAY may use third parties to place cookies on your computer to collect non-personally identifiable information; these third parties will have access to said data for their own benefit and for third parties anonymously, which may be reflected in social media actions and other websites. You can delete cookies at any time from your computer. However, cookies help provide a better service from websites. They do not grant access to information from your computer or about you unless you choose to provide it directly.
You can accept or deny the use of cookies; however, most browsers automatically accept cookies as it serves to provide a better web service. You can also change your computer settings to decline cookies. If declined, you may not be able to use some of our services. Although the User can configure their Internet browser not to accept cookies, these are necessary to view, create an account, or make purchases through the website and/or application. Without cookies enabled, the User will not be able to use the Site and/or application. The Internet browser automatically collects information from the web page the User consulted before visiting, the browser used, and any search terms entered on our site and/or application, among other things. The Site and/or application may also use other technologies to track the pages visited by Users to ensure a better and safer shopping experience and to help us understand how visitors use our website and/or application.
Links to third-party websites
The Site and/or application contains links to other sites operated by third parties. STAY does not guarantee nor make any representation regarding the essence, quality, functionality, accuracy, fitness for a particular purpose, merchantability, or any representation regarding third-party sites or their content. A link to a third-party site on and/or in the application does not constitute sponsorship, endorsement, approval, or any responsibility regarding said third-party site. STAY does not guarantee nor make any representation regarding the products or services offered on third-party sites. The conditions of use and privacy policy of any third-party site may differ significantly from the conditions of use and legal notices that apply to the use of the Site and/or application.
Linking, Deeplinking, and Framing
STAY prohibits the use of names and/or logos, trademarks, and any other distinctive signs of its property as hypertext links or in any other form (“links”) directed to Internet sites whose URL is different from https://kiinliving.com/ unless the establishment of such a link is approved by STAY in writing, in which case it must comply with the design and advertising criteria and manuals established by STAY. STAY reserves the right to request the removal of links that have been established on websites without its express and prior authorization. The establishment of links to subdirectories within the URL https://kiinliving.com/ (“Deeplinking”) on pages not controlled by STAY is prohibited. The deployment, use, display, copy, or any other form of reproduction of the site https://kiinliving.com/ or any of its subdirectories and/or pages on sites not controlled by STAY (“Framing”) is expressly prohibited. Failure to comply with these prohibitions will be a violation of intellectual property rights over the contents and Industrial Property rights.
Inquiries
Any questions related to the use of the Contents, cookies, or the establishment of links to the URL https://staygroup.co/ may be directed to STAY in Medellín at the phone number +57 3144718720 or through the form at https://staygroup.co/contacto/. Its use, in contravention of what is provided herein, will give rise to the corresponding civil and criminal actions.
Last updated: 12/26/2025
Welcome to the website https://kiinliving.com/, operated by STAY S.A.S. (hereinafter, “the Company”). By accessing or using this website (hereinafter, the “Site”), you agree to comply with these Terms and Conditions of Use. If you do not agree with these terms, we request that you do not use the Site.
4.1. PURPOSE OF THE SITE
The purpose of this Site is to provide information about accommodation services, events, promotions, and reservations offered by the hotel and STAY, as well as to allow the contracting of such services through electronic means.
4.2. USE OF THE SITE
The user agrees to use the Site in a lawful manner, without infringing on the rights of third parties or violating current regulations.
The use of the Site for fraudulent or illegal purposes, or to perform any act that may damage the image, interests, or rights of the Company, is prohibited.
The Company reserves the right to restrict, suspend, or cancel access to the Site at any time, without prior notice.
4.3. RESERVATIONS AND PAYMENTS
Reservations made through the Site will be subject to availability and confirmation by the Company.
By making a reservation, the user declares that the data provided is truthful and complete.
The indicated prices include applicable taxes, unless otherwise stated.
Cancellation, modification, or no-show policies will be specified during the reservation process and must be accepted by the user before confirmation.
4.4. INTELLECTUAL PROPERTY
All contents of the Site (texts, images, logos, trademarks, design, structure, etc.) are the property of the Company or authorized third parties and are protected by applicable intellectual and industrial property legislation.
Their reproduction, distribution, modification, or any other unauthorized use without the express written consent of the Company is prohibited.
4.5. THIRD-PARTY LINKS
The Site may contain links to third-party websites. The Company is not responsible for the content, accuracy, or operation of such external sites, nor for any damages that may arise from their use.
4.6. PROTECTION OF PERSONAL DATA
The processing of personal data collected through the Site will be governed by the provisions of our Data Processing Policy, which the user must accept when providing their data. The Company undertakes to process personal data in accordance with current data protection legislation.
4.7. LIMITATION OF LIABILITY
The Company is not responsible for any damages or losses that may arise from the use of the Site or the inability to access it, including those caused by viruses or other harmful computer elements.
4.8. MODIFICATIONS
The Company reserves the right to modify, update, or delete, at any time and without prior notice, the contents, services, or structure of the Site, as well as these Terms and Conditions.
4.9. APPLICABLE LAW AND JURISDICTION
These Terms and Conditions shall be governed by the laws of Colombia. Any controversy arising in relation to the interpretation or application of these terms shall be submitted to the competent authority in Medellín, Colombia; the user expressly waiving any other jurisdiction that may correspond to them.
In compliance with the Consumer Statute – Law 1480 of 2011
Kiin Living operated by STAY S.A.S., in its capacity as a tourism service provider, informs its users that transactions conducted through this website are governed by the applicable Colombian legislation regarding consumer protection, specifically the provisions of Law 1480 of 2011 (Consumer Statute), its regulatory decrees, and other concordant norms.
5.1. CONSUMER RIGHTS
In accordance with Colombian legislation, when acquiring hotel services through electronic means, you have the right to:
Receive clear, truthful, sufficient, and timely information about the services offered, including total prices, rates, taxes, and conditions for reservation, modification, cancellation, and use.
Be informed prior to payment about the right of withdrawal policies, payment reversal, and terms and conditions of service.
Exercise the right of withdrawal within five (5) business days following the purchase, provided that the service has not commenced and has not been utilized (Art. 47, Law 1480).
Request a payment reversal in cases of fraud, unsolicited operations, or non-compliance by the provider, in accordance with Article 51 of Law 1480 of 2011.
Access customer service mechanisms and submit petitions, complaints, or claims (PQR) free of charge, or approach the Superintendency of Industry and Commerce (SIC) in case of dissatisfaction.
Receive immediate confirmation of the completed transaction, including the reservation number, service conditions, and contact channels.
5.2. USER DUTIES
When making a reservation or online purchase through this website, the user undertakes to:
Provide truthful, updated, and verifiable information during the reservation process.
Read and accept the Terms and Conditions of Use, as well as the Privacy Policy and the processing of personal data before confirming a transaction.
Carefully review the cancellation, modification, and no-show policies, which are provided before finalizing the reservation.
Use the contracted services responsibly and in accordance with the internal rules of the establishment.
Refrain from making fraudulent reservations or those for purposes contrary to the law.
SERVICE CHANNELS
To exercise your rights as a consumer, file complaints, or request a payment reversal, you may contact us through the following means:
Email: info@kiinliving.com
Customer service telephone: +57 3144718720
Web form: https://staygroup.co/contacto/
Physical address: Cra. 29 #1-203, El Poblado, Medellín
In the event of not receiving a satisfactory response, you may approach the Superintendency of Industry and Commerce – SIC, the competent entity in Colombia for the protection of consumer rights: https://www.sic.gov.co
This notice is published in compliance with Law 1480 of 2011 – Consumer Statute, with the aim of ensuring transparency, security, and trust in the e-commerce of tourism services offered by Kiin Living.
General information on refunds
In accordance with Article 17 of Decree 482 of 2020 and Article 4 of Decree 557 of 2020, tourism and accommodation service providers may issue refunds in services, such as:
Open reservations
Date changes
Credits or vouchers for future use
As determined by the service provider. In this sense, Kiin Living prioritizes refunds in services, unless a monetary refund applies according to the law and the specific rate conditions purchased.
Refunds
A refund is understood as any request made by the client for the total or partial return of a payment made directly to Kiin Living.
General conditions:
All refunds are subject to the conditions of the rate or plan contracted, which are provided at the time of reservation.
Administrative fees, service fees, or management charges are non-refundable in any case.
Kiin Living may apply an administrative charge for refund management, depending on the product purchased.
Refunds are processed in favor of the original payer.
In the case of a monetary refund, it will be made to the same payment method used and may take between 30 and 45 business days, counted from:
The complete receipt of the required documentation.
The formal approval by the administrative area of Kiin Living.
Procedure:
To request a refund, the client must:
Fill out the Refund request through official Kiin Living channels.
Attach the following mandatory documentation:
Copy of the payer’s identity document.
Current bank certification of the payment method used (bank statements are not accepted).
Proof of payment or voucher for the acquired service.
Force majeure cases
In duly accredited force majeure situations, the client must attach additional documentation:
Illness of the guest or a first-degree relative: Medical history; civil registry proving the relationship
Death: Death certificate
The evaluation of these cases will be carried out directly by Kiin Living, which may accept or reject the request based on the analysis of the specific case and current regulations.
Right of withdrawal (cancellation before the start of the stay)
Non-refundable rates do not apply to the right of withdrawal.
For refundable rates: 50% deposit to secure the reservation. Flexible rates – cancellation and modification (subject to price adjustment) flexible up to 2 days before arrival. 50% penalty if canceled 1 day before arrival. No-show: 100% penalty of the reservation value.
In all cases:
- The administrative fee is non-refundable.
- The same procedure and documentation required for refunds apply.
- Final approval will be subject to validation by Kiin Living.
Right of retraction
This applies only to non-face-to-face purchases (web, WhatsApp, email, digital platforms). The client may exercise the right of retraction if all the following conditions are met:
The request is made within 5 business days following the conclusion of the contract.
The stay is not within 5 calendar days prior to check-in.
The retraction will be carried out according to the current legal framework and, pursuant to Decrees 482 and 557 of 2020, the refund will be made in services (credit or open reservation).
The request must be made through the official Kiin Living refund form.
Final considerations
Kiin Living is a model of flexible stays, without forced permanence contracts; however, payments made are subject to the accepted rate conditions.
Incomplete submission of documentation delays response times.
Kiin Living reserves the right to request additional information to validate any request.
In compliance with Article 17 of Law 679 of 2001, STAY Group warns that exploitation, abuse, and sexual pornography involving minors are crimes punishable by criminal and administrative penalties in accordance with current Colombian legislation.
Likewise, and in compliance with Resolution 3840 of December 24, 2009, and Law 1336 of July 21, 2009, STAY Group promotes and adheres to national and international standards for the prevention of exploitation and sexual tourism involving minors. We reaffirm our commitment to the protection of the human rights of children, adolescents, and all persons in vulnerable conditions.
Seasonal Promotions Timeline:
J Balvin Concert:
If you are coming to the J Balvin concert this November 29, turn your night into a complete experience and stay in one of our rooms at a special rate for 2 people, breakfast included.
Exclusive categories and rates, per room and per night (for 2 people):
- Loft / Loft City View: $600,000 COP, breakfast included
- Suite: $720,000 COP, breakfast included
Applies only to nights from November 28 to December 1, 2025.
Limited availability.
Julieta Venegas Concert:
If you are coming to the J Balvin concert this November 29, turn your night into a complete experience and stay in one of our rooms at a special rate for 2 people, breakfast included.
Exclusive categories and rates, per room and per night (for 2 people):
- Loft / Loft City View: $600,000 COP, breakfast included
- Suite: $720,000 COP, breakfast included
Applies only to nights from November 28 to December 1, 2025.
Limited availability.
Black Friday – 20% OFF on Loft & Suite
Make the most of Black Friday and secure your stay with an exclusive 20% discount on our Loft / Loft City View and Suite categories.
Promotion details:
- Applicable categories: Loft / Loft City View and Suite
- Discount: 20% OFF
- Booking window: November 20 – December 15
- Stay window: Valid for stays until December 31, 2025
- Direct bookings only through our official website.
Early Booking 2026 – Lock 2025 Rates
Plan ahead and freeze 2025 rates for your 2026 stay.
Book between November 1 and December 15 and travel anytime in 2026 at this year’s price.
Why book now:
- Booking window: November 1 – December 15
- Stay window: Valid until December 31, 2026
- Flexibility: Secure your rate now and choose your travel dates later within the valid period
- Best rate guarantee for early planners
What type of breakfast is served at the Hotel? Is breakfast included in the rate and what is the breakfast schedule? We have a special menu designed for this breakfast service. Hours: from 7:00 a.m. to 10:00 a.m. Included only in short-stay rates that are not prorated. The service is offered exclusively at the restaurant (does not apply to room service).
Do you offer transportation service from the airport to the hotel? Yes, we provide transportation service to and from the airport.
What is the approximate distance from the hotel to points of interest in Provenza? 11 minutes by car. 22 minutes walking | depending on walking pace.
What is the address? Cra. 29 #1-203, El Poblado, Medellín, Antioquia.
What are the check-in and check-out times? Check-in: 3:00 pm. Check-out: 12:00 pm.
Does the hotel have a restaurant? Yes, MOIRA is a bistro café where you can work comfortably, connect with like-minded people, enjoy a quiet coffee, or share moments with friends. Every dish and every detail of the space promotes a balanced, nutritious, and authentic lifestyle.
Is it pet-friendly? Yes.
Are children allowed at the Hotel? Children are not allowed.
Is there parking at the hotel? Yes, we have free private parking for our guests.
Is English spoken at the hotel? You have a Superhost and a General Manager with whom you can have a conversation in English at all times.
What do I need to do to acquire a membership and what options are available? You must fill out the following form: Here. We offer two options: Coworking only: 400,000 COP. Coworking and amenities: 600,000 COP. You can find all the information and terms and conditions here:
Where can I contact you for any requests before my arrival? You can contact us via phone/WhatsApp at +57 323223942.
