Privacy Policy

We do not use any type of solely automated decision-making that affects your interests.

How we share data

Data sharing hypotheses. The Data processed and the recorded activities (logs) may be shared:

• (I) With our suppliers and business partners, with whom we have entered into contractual obligations regarding the security and protection of personal data. Suppliers include data hosting and server companies; security companies, such as the company responsible for managing the reporting channel; payment method company, responsible for processing payment for reservations made on the Website and Application;
• (II) With competent judicial, administrative or governmental authorities, whenever there is a legal determination, request, requisition or order to that effect;
• (III) With the companies that make up the Economic Group to which the WISH GROUP belongs, always in compliance with the guidelines of this Policy;
• (IV) With service providers or partner companies, to facilitate, provide or carry out activities related to our environments;
• (V) With marketing and advertising companies, to deliver promotions and information appropriate to your profile and;
• (VI) Automatically, in the event of corporate movements, such as merger, acquisition or incorporation of the WISH GROUP.

If you have any questions about who we share your Data with, please contact us through the Service Channels provided at the end of this Policy.

Data Anonymization. For the purposes of market intelligence research, press releases and advertising, the Data will be shared in an anonymized manner, in a way that does not allow your identification.

How we protect your data and how you can protect it too

Security and Governance Practices. To safeguard your privacy and protect your Data, we have a governance program that contains rules of good practices, internal policies and procedures, which establish conditions for organization, training, educational actions and mechanisms for supervision and mitigation of risks related to the Processing of Personal Data.

Access to Data, proportionality and relevance. Internally, the Data processed is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity and relevance for the objectives of our business, in addition to the commitment to confidentiality and preservation of your privacy under the terms of this Policy. In the event of individual leaks or unauthorized access to your Personal Data, we may promote, provided that these represent significant harm or risk to you and you agree, direct conciliation under the terms of art. 52, § 7, of the General Personal Data Protection Law.

Sharing passwords. You are also responsible for the confidentiality of your Personal Data and must always be aware that sharing passwords and access data violates this Policy and compromises the security of your Personal Data and the Website and Application.

Precautions You Should Take. It is very important that You take the necessary precautions against unauthorized access to your computer/smartphone, account or password, and that You always click “Exit” when ending your browsing on a shared computer. WISH GROUP never sends emails requesting data confirmation or with attachments that can be executed (extensions: .exe, .com, among others) or links for possible downloads. If You identify or become aware of a compromise in the security of Your Data, please contact our Officer through the Service Channels provided at the end of this Policy.

Information Security. All credit card payment transactions are executed using SSL (secure socket layer) technology, ensuring that your Personal Data is not unlawfully disclosed. In addition, this technology aims to prevent information from being transmitted or accessed by third parties.

External links. When using the Website and Application, You may be directed, via link, to third-party platforms that may collect your information and have their own Data Processing Policy. It is Your responsibility to read the Privacy Policies of such third-party platforms, and it is Your responsibility to accept or reject them. We are not responsible for the Privacy Policies of third parties or for the content or services of any websites other than our own.

Processing by third parties under our guidelines. We seek to carefully evaluate our partners and service providers and enter into contractual obligations with them regarding confidentiality, information security and data protection, with the aim of protecting you.

Email Communication. In order to optimize and improve our communication, when we send you an email, we may receive a notification when it is opened, provided that this option is available. It is important that you be aware that emails are only sent from the domains “@grupowish.com” or “@exclusiveguest.com”.

How we store your data and activity logs

Storage location. The Data processed and activity records (logs) are stored in a secure and controlled environment, which may be on our servers located in Brazil, as well as in an environment where resources are used or servers in the cloud (cloud computing), which may require the transfer and/or processing of your Data outside of Brazil. These transfers only involve companies that demonstrate compliance with applicable laws, maintaining a level of compliance similar to or more rigorous than that provided for in Brazilian law.

Storage period. We store Data only for as long as necessary to fulfill the purposes for which it was processed or to comply with any legal or regulatory obligations or to preserve rights.

Data Disposal. After the maintenance period and legal necessity have expired, the Data will be deleted using secure disposal methods or used in an anonymized form for statistical purposes.

What are your rights and how to exercise them?

Your basic rights. The Data is yours and the applicable Legislation provides a series of rights related to it, which may be exercised by you by making a request to our Officer through the Customer Service Channel available at the end of this Policy.

• (VII) Confirmation and access: you may request confirmation about the existence of Processing and access to your Data, including by requesting copies of records we have about you;
• (VIII) Correction: you may request the correction of your Data that is incomplete, inaccurate or out of date;
• (IX) Anonymization, blocking or deletion: you may request the anonymization of your Data, so that they can no longer be related to you, the blocking of your Data, temporarily suspending the possibility of Processing for certain purposes, or the deletion of your Data;
• (X) Portability: you may request that we provide your Data in a structured and interoperable format for transfer to a third party, respecting our intellectual property or business secrets;
• (XI) Information about sharing: you may request information about third parties with whom we share your Data, limiting such disclosure to information that does not violate our intellectual property or trade secret;
• (XII) Revocation of consent: you may choose to withdraw consent for any purpose to which you have consented. This revocation will not affect the lawfulness of any Processing previously carried out. If you withdraw your consent for purposes essential to the regular functioning of our environments and services, these may become unavailable to you;
• (XII) Opposition: you may object to the Processing of your Data if you do not agree with any purpose;
• (XIV) Review: in the case of decisions based exclusively on automated processing, you may request a review of the decision, indicating your interests that may have been affected.

Request. For your security, whenever you submit a request to exercise your rights, we may request additional information to verify your identity, seeking to prevent fraud.

Failure to comply with requests. We may fail to comply with a request to exercise rights if such compliance violates our intellectual property or trade secrets, or when there is a legal or regulatory obligation to retain Data. In addition, we may fail to comply with your request if we need to retain the Data to enable our defense or that of third parties in disputes of any nature.

Responses to requests. We undertake to respond to all requests within a reasonable time and always in compliance with applicable legislation.

Information about this policy

Change of content and updating. You acknowledge our right to change the content of this Policy at any time, depending on the purpose or need. If there are relevant updates to the Policy, you will be notified through the contact details you provide us or by posting them on our official profiles.

Inapplicability. If any point of this Policy is considered unenforceable by a Data Authority or court, the remaining conditions will remain in full force and effect.

Service Channels. If you have any questions regarding the provisions contained in this Policy, including the exercise of your rights, you may contact our Officer, who is available at the following addresses:

• Responsible: ESPALLARGAS, GONZALEZ, SAMPAIO – LAW FIRM – ESG Advogados;
• Responsible person appointed by EGS Advogados: Fabio Antonio Afonso;
• Substitute Responsible indicated by EGS Advogados: Júlio Cesar Beltrão;
• Address for correspondence: Av. Dra. Ruth Cardoso, 7815, CONJ 901, 1001 and 1002, São Paulo – SP;
• Contact email: lgpd@grupowish.com

 Applicable Law.  This Policy shall be interpreted in accordance with Brazilian law, in the Portuguese language.

 Update:  01/01/2025