1 ABOUT OUR POLICY

Aviva (Companhia Thermas do Rio Quente – CNPJ: 01.540.533/0001-29; Sauipe S/A – CNPJ: 00.866.577/0001-80; Valetur – CNPJ: 02.082.394/0001-08), recognizing the importance of this matter and in accordance with the Brazilian General Data Protection Law (Law No. 13.709/18), reinforces its commitment to the security of your data, prioritizing ethics and compliance with applicable laws.

Out of respect for your privacy and in the interest of transparency, Aviva has created this Privacy and Cookies Policy to demonstrate to you the personal data that are collected, used, stored, and shared, as well as your rights as a data subject.

This Policy applies to individuals (“Data Subject,” “Subject,” “you”) who interact with Aviva’s products and services, whether customers or prospective customers, third parties, visitors to our website, or job applicants, and anyone whose personal data are processed by Aviva.

2 PURPOSES, DATA COLLECTED, AND LEGAL BASES FOR PROCESSING

Data are collected based on the following legal bases for processing permitted under the LGPD:

PurposesData CollectedLegal Bases for Processing
Offers of products and services We may collect the following data:
  • • Name and initials – Name;
  • • Personal characteristics – Marital status | Leisure and interests | Purchase preference | Behavioral profile;
  • • Contact information – Home address | Phone | Personal email | Personal mobile number;
  • • Professional information – Occupation/Position.
Legitimate interest (Art. 7, item IX, LGPD).
Customer purchase of services, products, lodging, and travel packages, as well as hotel reservations We may collect the following data:
  • • Name and initials – Full name;
  • • Personal characteristics – Date of birth | Sex;
  • • Identification issued by official bodies – CPF | RG | Passport;
  • • Contact information – Home address | Home phone | Personal email | Personal mobile number;
  • • Financial information – Credit/debit card data;
  • • Children’s information – Name | Date of birth | Sex | CPF | RG | Passport;
  • • Adolescents’ information – Name | Date of birth | Sex | CPF | RG | Passport.
 Data are collected to comply with a legal obligation (Decree No. 7,381, of December 2, 2010, in conjunction with Art. 7, item I, LGPD, in conjunction with Art. 26 of Law 11,771/2008 and Art. 7, IV, b of the General Regulation on Lodging Facilities), as well as for refund requests, where applicable, and, internally, for payment reconciliation, issuance of invoices, and other internal operational routines.

During the term of the contract, the data will be processed based on contract performance (Art. 7, item V, LGPD). Once the relationship between the Parties ends, the data will be retained for the statute of limitations period and as otherwise legally required, based on the legal basis of the regular exercise of rights (Art. 7, item VI, LGPD).
Customer purchase of Hot Park tickets and Optional Leisure Activities. We may collect the following data:
  • • Name and initials – Full name;
  • • Personal characteristics – Date of birth | Sex;
  • • Identification issued by official bodies – CPF | RG;
  • • Contact information – Home address | Home phone | Personal email.
 Data are used for contract performance (Art. 7, item V, LGPD) and, once the contract has ended, allow retention for the statute of limitations period and as otherwise legally required under the legal basis of the regular exercise of rights (Art. 7, item VI, LGPD).
Browsing our websites Device data, information about website use (access time, pages visited), access logs. With respect to access logs, they are collected to comply with a legal obligation (Art. 15 of the Marco Civil da Internet (Brazilian Civil Framework of the Internet)); as for the other data, they are collected based on legitimate interest (Art. 7, item IX, LGPD).
Customer service
(this contact may cover several matters, such as: answers to questions, responses to complaints and requests, updates on orders placed, among others, handling requests through our Customer Service Center)
  • • Name and initials – Full name;
  • • Personal characteristics – Age | Date of birth | Place of birth | Gender | Nationality | Place of origin;
  • • Identification issued by official bodies – CPF | RG | Passport;
  • • Contact information – Home address | Home phone | Personal email | Personal mobile number;
  • • Professional information – Occupation/Position;
  • • Children’s information – Name | Date of birth | Address;
  • • Adolescents’ information – Name | Date of birth | Address;
  • • Mobile device information – Email – content (mobile devices).
 It will depend on the purpose of the service interaction.
If you are a prospective customer interested in the services offered, processing will be based on consent (Art. 7, item I, LGPD) or pre-contractual procedures (Art. 7, item V, LGPD). If it progresses, it may be used for contract performance (Art. 7, item V, LGPD), which is also the legal basis used for service interactions with data subjects who are already Aviva customers.
In any case, the data will be retained for the statute of limitations period and as otherwise legally required, based on the legal basis of the regular exercise of rights (Art. 7, item VI, LGPD).
Identify you upon entry and during your stay at Aviva’s facilities
  • • Name and initials – Full name;
  • • Identification issued by official bodies – CPF;
  • • Contact information – Personal mobile number;
  • • Children’s information – Name.
Legitimate interest (Art. 7, item IX, LGPD).
Provide personalized content and recommendations based on your activities in our services
  • • Name and initials – Full name;
  • • Contact information – City | Home phone | Personal email | Personal mobile number;
  • • Professional information – Occupation/Position.
Legitimate interest (Art. 7, item IX, LGPD).
Provision of mandatory information as required by law – Completion of FNRH
  • • Identification issued by official bodies – CPF | RG | Passport;
  • • Contact information – Home address | Home phone | Personal email | Personal mobile number;
  • • Reason for travel and length of stay;
  • • Other trips taken to the destination and during the year;
  • • Professional information – Occupation/Position;
  • • Children’s information – Name | Date of birth | Address;
  • • Adolescents’ information – Name | Date of birth | Address;
  • • Mobile device information – Email – content (mobile devices).
 Data are collected to comply with a legal obligation (Decree No. 7,381, of December 2, 2010, in conjunction with Art. 7, item I, LGPD, in conjunction with Art. 26 of Law 11,771/2008 and Art. 7, IV, b of the General Regulation on Lodging Facilities).
Hiring employees and/or outsourced service providers, as well as conducting the related recruitment process
  • • Name and initials – Full name;
  • • Personal characteristics – Age | Date of birth | Place of birth | Sex | Nationality | Place of origin | Marital status | Number of children | Internet browsing preferences | Behavioral profile;
  • • Parentage – Mother’s name | Father’s name;
  • • Identification issued by official bodies – CPF | RG | CNH | CTPS | Passport;
  • • Contact information – Home address | Personal email | Personal mobile number;
  • • Education – Diplomas and education | Licenses and professional association | Academic history | Certificates;
  • • Professional information – Occupation/Position | Professional council documents | Business address | Business phone | Business email | Business mobile | Identification number: Employee ID;
  • • Financial information – Bank details (bank, branch, and account);
  • • Children’s information – Name | Age | Sex;
  • • Adolescents’ information – Name | Age | Sex;
  • • General sensitive data – Religious or philosophical beliefs | Sexual orientation | Race or ethnic origin | Occupational health data | Photograph | Video file.
  • • Work history
 In recruitment processes, data will be processed based on pre-contractual procedures (Art. 7, item V, LGPD). If the recruitment process advances, data will be used for contract performance (Art. 7, item V, LGPD). In this case, some data will also be required to comply with a legal or regulatory obligation (Art. 7, item II, LGPD, in conjunction with Art. 11, item II, “a,” LGPD).

At the end of the contract with the employee or service provider, data will be retained for the legally prescribed period or the statute of limitations period, based on the legal basis of the regular exercise of rights (Art. 7, item VI, LGPD).
Measures to prevent and combat fraud and unlawful acts
  • • Name and initials – Full name;
  • • Personal characteristics – Date of birth | Sex;
  • • Identification issued by official bodies – CPF;
  • • Contact information – Home address | Home phone | Personal email | Personal mobile number;
  • • Children’s information - Name | Date of birth | Sex;
  • • Adolescents’ information - Name | Date of birth | Sex.
 Credit protection (Art. 7, item X, LGPD) and legitimate interests (Art. 7, item IX, LGPD).
Events, promotion of promotional actions, live streams
  • • Contact information (name, phone, social media, email address).
 The legal basis will depend on the stage of the customer journey.
In the initial collection, the legal basis will be consent (Art. 7, item I, LGPD).

If it progresses toward contracting, the legal basis will be pre-contractual procedures (Art. 7, item V, LGPD).

As it advances, data will be used for contract performance (Art. 7, item V, LGPD).
Content generated by you and disclosed with authorization: content created or publicly shared by you, when previously authorized.
  • • Recommendations, testimonials, reviews, comments, images, photos, among others.
Consent (Art. 7, item I, LGPD).

3 WITH WHOM WE MAY SHARE PERSONAL DATA

Aviva may share your data if you request it or, when necessary for a legitimate purpose, to offer products and services, and to share with service providers in order to fulfill AVIVA’s business purpose, all in accordance with the purposes table included under the legal bases for processing set out above. Accordingly, your data may also be shared with our service providers and partners, or with governmental authorities, as described below:

  • Service providers, suppliers, and partners: so that we can provide you with quality services and experiences, we work with various service providers and partners who may process the personal data collected on our behalf and according to our instructions. These services may include financial institutions, payment processing (acquiring) services, anti-fraud analysis, technology service providers for consumer behavior analysis, lead generation, offering products and services and fulfilling AVIVA’s business purpose, recruitment and selection of candidates, marketing campaigns, events and attractions, cloud storage, and research institutions;
  • Governmental authorities: to comply with legal or regulatory obligations, your personal data may be shared with the competent authorities;
  • In compliance with court orders.

4 INTERNATIONAL TRANSFER OF PERSONAL DATA

Some of your personal data may be transferred to other countries when necessary for the performance of services related to Aviva’s activities, such as the use of cloud computing services, technological solutions, or operational support, or through collaboration with partners that store your data internationally.

Aviva is accredited with an exchange company, and the extension of the use right for occupancy under a Time-Share System to a lodging exchange system is allowed. Therefore, if you enroll in the lodging-week exchange program, you will need to complete the exchange company’s agreement, and your data may be shared with it to process membership, through a separate agreement that the consumer enrolls in/contracts additionally. After membership, payment of fees, scheduling, reservations, among others, will be negotiated between the customer and the exchange company.

Whenever an international transfer of personal data is required, Aviva will adopt the mechanisms and safeguards provided for in the Brazilian General Data Protection Law (LGPD), especially those set out in Art. 33, and will also observe the guidelines and regulations issued by the Brazilian National Data Protection Authority (ANPD).

Under ANPD Resolution CD/ANPD No. 32, of January 26, 2026, the European Union was recognized as an international body that provides a level of personal data protection adequate to that provided for under the LGPD. Accordingly, transfers of personal data to the Member States of the European Union, to the countries that comprise the European Economic Area (Iceland, Liechtenstein, and Norway), as well as to the institutions, bodies, and agencies of the European Union, may occur pursuant to Art. 33, item I, of the LGPD, without prejudice to compliance with the other legal obligations applicable to the processing of personal data.

5 RETENTION AND DELETION OF YOUR PERSONAL DATA

Aviva will process your personal data throughout the period in which you are our customer, our employee, use our services, and browse our platforms, or when you are a prospective customer with whom we share our offers and promotions. The data will be stored in a secure and controlled environment to safeguard your privacy.

To comply with legal or regulatory obligations, for the regular exercise of rights in judicial, administrative, or arbitration proceedings, or, when applicable, for audit purposes, we may store your personal data for an additional period, in accordance with applicable law.

Personal data retention periods observe the purpose of processing, applicable legal and regulatory obligations, and Aviva’s internal policies on data retention and disposal, under Art. 16 of the LGPD.

6 YOUR RIGHTS AS A DATA SUBJECT

Transparency regarding the processing of your personal data is a priority for Aviva. In addition to the information provided in this Policy, you may also exercise the rights set out in Art. 18 of the LGPD, including:

  • Confirmation of the existence of processing;
  • Access to the data;
  • Correction of incomplete, inaccurate, or outdated data;
  • Anonymization, blocking, or deletion of unnecessary, excessive data or data processed in violation of the LGPD;
  • Data portability to another service or product provider, subject to trade and industrial secrets;
  • Deletion of personal data processed with the data subject’s consent, except in the cases provided for in the LGPD;
  • Information on public and private entities with which Aviva has carried out shared use of data;
  • Information about the possibility of refusing to provide consent and the consequences of refusal;
  • Withdrawal of consent.

It is important to note that there are situations governed by other laws that may restrict or limit some of these rights, such as situations involving trade and industrial secrets.

All requests will be handled upon request and free of charge, subject to prior verification of your identity. Our contact details are available in: “10. CONTACT US”.

7 SECURITY MEASURES

Aviva is committed to security and uses various technical and administrative measures to ensure the integrity of your personal data.

We inform you that our service providers, suppliers, and partners undergo due diligence, approval, and legal review processes.

For the performance of internal activities, we seek to follow standards and best practices adopted by the market.

8 USE OF COOKIES

8.1 What is it?

A cookie is a small computer file that may or may not be sent by a website to the user’s browser when the user visits the website. Cookies may be used to improve browsing and remember information about the website visitor’s activity, enabling faster and more efficient navigation for the user.

8.2 How does our website use them?

  • Essential cookies: those that are essential for the operation of our websites, as well as for the use of certain features;
  • Performance cookies: intended to enhance your browsing experience on our websites, making it smoother and more pleasant;
  • Analytics cookies: may collect information about how you browse and interact with our websites, which pages were visited, and when they were accessed;
  • Marketing cookies: used to offer discounts and promotions that may be of interest to you. If you choose to subscribe to our newsletters, we may send you other exclusive offers;
  • Advertising cookies: used to target advertising and are intended to display ads that may be of interest to you;
  • Third-party cookies: used to analyze the use of our website, enable sharing on social networks, and provide advertising.

8.3 How to disable?

You may, at any time, change your internet browser settings to disable cookies. To learn how to disable them, please consult the documentation for your respective browser. Please note that by disabling cookies, your browsing experience on our website may become limited or certain features may be affected.

9 CHANGES TO THIS POLICY

Aviva reserves the right to change this Privacy and Cookies Policy at any time to reflect any relevant changes in legislation or in our practices.

We recommend that you revisit this Policy periodically whenever you have questions, and if you have any inquiries, please feel free to contact us. Our information is available in: “10. CONTACT US”.

10 CONTACT US

If you have any questions about this Privacy and Cookies Policy, even after reading it, or if for any reason you need to contact us regarding matters involving your personal data, Aviva provides the channels below:

  • Person in Charge of Processing Personal Data: Data Guide Consultoria e Soluções em Proteção de Dados LTDA. (CNPJ: 39.317.591/0001-60), through Taynara Rodrigues Bernardo, legal representative of Data Guide;
  • Service Channel:https://www.costadosauipe.com.br/privacidade;
  • Mailing address: Rua Particular Complexo Turístico, Rio Quente Resorts, S/N, Esplanada, Rio Quente/GO – CEP 75.667-000.

We are available to answer your questions and help keep you in control of your personal data.