Privacy Policy

Update: January 1, 2025.

Wish Group S/A


Headquarters: São Paulo


CNPJ: 07.687.928/0001-35


The purpose of this Policy is to demonstrate the Wish Group's commitment to safeguarding your privacy and protecting your Personal Data, establishing the rules on Processing, as well as explaining what your rights are and how to exercise them, within the scope of the services and functionalities of the websites listed below (“Website”) and the application called Exclusive Guest (“Application”), in accordance with the laws in force, with transparency and clarity:


  • https://www.grupowish.com.br/
  • https://www.wishhotels.com.br/
  • https://www.prodigyhotels.com.br/
  • https://www.linxhotels.com.br/
  • https://www.marupiarahotel.com.br/
  • https://exclusiveguest.com/


Please read this Policy carefully and, if you still have questions, feel free to contact us through the Service Channels available here.



Basic concepts


For a better understanding of this Policy, the following definitions should be considered:


  • Algorithm: set of rules that provide a sequence of operations capable of solving a specific problem or performing a task;
  • Personal Data: data relating to an individual that can identify or make them identifiable. For example: name, email address, ID number, personal preferences, IP address, geolocation;
  • Sensitive Personal Data: any Data about racial or ethnic origin, religious belief, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to an individual;
  • Data Protection Officer (DPO): person appointed by the Wish Group to act as a communication channel between us, the Personal Data Holders and the National Data Protection Authority (ANPD);
  • Applicable legislation: all legislation that deals with privacy and protection of Personal Data, especially Law No. 13,709/2018 (General Personal Data Protection Law – LGPD);
  • Our environments: refers to the electronic addresses provided above in this Policy and their subdomains, as well as the application called Exclusive Guest (“Application”), in addition to the physical environments;
  • Policy: this Privacy and Personal Data Processing Policy;
  • Holder of Personal Data: you, the natural person to whom the Personal Data refers, whether as a consumer;
  • Treatment: any operation carried out with Personal Data, such as those relating to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.



SPECIAL NOTE FOR CHILDREN, ADOLESCENTS AND LEGAL REPRESENTATIVES
  • If you are under 16 years of age, you should not register in our environments;
  • Although we do not allow children and adolescents under the age of 16 to register, parents or legal guardians must supervise the online activities of minors;
  • Activities of adolescents over 16 and under 18 years of age must be supervised by their parents or legal guardians.




SPECIAL NOTE FOR ELDERLY PEOPLE

If you are over 60, please be aware that we are aware of the risk of processing your personal data and are committed to taking all appropriate measures to protect it. Furthermore, we are committed to processing it in a manner that:


  • Clara;
  • Simple;
  • Accessible;
  • Suitable for your understanding.



About the data we process


How we process data. Data may be processed when you interact with our environments.

What do we treat?
What do we try for?
REGISTRATION DATA
REGISTRATION DATA
REGISTRATION DATA
What do we treat?
  • First and Last Name;
  • CPF/NIF;
  • RG;
  • Passport;
  • E-mail;
  • Date of birth;
  • POCKET;
  • Telephone;
  • Address (Street, City, State and Country);
  • Profession;
  • Travel destination;
  • Travel dates;
  • Plano do Exclusive Guest;
  • Number of Points.
What do we try for?
  • (I) Identify and authenticate You;
  • (II) Confirm hotel reservations made by You and activities related to the execution of the contract, as well as provide support to the guest;
  • (III) Contact You;
  • (IV) Expand our relationship and keep you updated on news, content, news and other events that we consider relevant;
  • (V) Enrich your experience with us and promote our products and services and promotion on social media and websites;
  • (VI) Issue an Invoice;
  • (VII) Investigate complaints made through our Reporting Channel and take the necessary measures, as well as for audits of the Wish Group;
  • (VIII) Protect You by carrying out fraud prevention, credit protection and associated risks, in addition to complying with legal and regulatory obligations;
  • (IX) Management of Exclusive Guest plan benefits;
  • (X) Regular Exercise of Rights.


Notify about any changes to this Policy, if necessary and in the event of legitimate interest.




DIGITAL IDENTIFICATION DATA
DIGITAL IDENTIFICATION DATA
What do we treat?
  • IP Address and Logical Port and Source;
  • Device (OS version) Browser;
  • Geolocation;
  • Date and time records of each action you perform on the Site (Logs);
  • Which screens did you access Session ID;
  • Cookies.
What do we try for?
  • (I) Identify and authenticate You;
  • (II) Comply with legal obligations to maintain records (Logs) established by the Internet Civil Rights Framework - Law 12,965/2014;
  • (III) Protect You by carrying out fraud prevention, credit protection and associated risks, in addition to complying with legal and regulatory obligations;
  • (IV) Improve user experience;
  • (V) Access management when you use Wi-Fi on the Hotel premises.



PAYMENT DATA
PAYMENT DATA
What do we treat?
  • Credit card number and security code.
What do we try for?
  • (I) Sell products and/or services on our Website or Application;
  • (II) Share the Data with the third party company responsible for processing the payment and regular exercise of rights when contesting and making payments;
  • (III) Protect You with regard to fraud prevention, credit protection and associated risks, in addition to compliance with legal and regulatory obligations.



IDENTIFICATION DATA
IDENTIFICATION DATA
What do we treat?
  • Full name;
  • Date of birth;
  • Age;
  • Apartment number;
  • Father's Name;
  • Mother's name;
  • Name of person in charge;
  • Signature of the person responsible.
What do we try for?
  • (I) Kids space management



What do we treat?
  • Photo/video
What do we try for?
  • (II) Identification, authentication, security through camera monitoring;


Algorithmic Instruction: The database created will be used to instruct an algorithm to improve the browsing experience. Data may be automatically collected, including characteristics of the access device, browser, IP address (with date and time), IP address origin, information on clicks, pages accessed, subsequent pages accessed after leaving the Pages, or any search term entered on or in reference to the website, among others. Standard technologies such as cookies, pixel tags, beacons, and local shared objects may be used for this collection, which are used to improve the User's browsing experience on the Pages, based on their habits and preferences.



Data Update and Accuracy. You are solely responsible for the accuracy, veracity, or updating of the data you provide to us. We are not obligated to process your data if we believe that such processing may impute us to a violation of any applicable law, or if you are using our environments for any illegal or illicit purposes.


Database. The database created through the collection of Data is our property and is our responsibility. Its use, access, and sharing, when necessary, will be carried out within the limits and purposes described in this Policy.





We do not use any type of solely automated decision-making that affects your interests.



How we share data


Data Sharing Hypotheses. Processed Data and recorded activities (logs) may be shared:


  • (I) With our suppliers and business partners, with whom we have entered into contractual obligations regarding the security and protection of personal data. Suppliers include data hosting and server companies; security companies, such as the company responsible for managing the whistleblower hotline; payment method companies, responsible for processing payments for reservations made on the Website and Application;
  • (II) With competent judicial, administrative or governmental authorities, whenever there is a legal determination, request, requisition or order to that effect;
  • (III) With the companies that make up the Economic Group to which the WISH GROUP belongs, always in compliance with the guidelines of this Policy;
  • (IV) With service providers or partner companies, to facilitate, provide or carry out activities related to our environments;
  • (V) With marketing and advertising companies, to deliver promotions and information appropriate to your profile and;
  • (VI) Automatically, in the event of corporate transactions, such as merger, acquisition or incorporation of the WISH GROUP.


If you have any questions about who we share your Data with, please contact us through the Service Channels provided at the end of this Policy.


Data Anonymization. For the purposes of market intelligence research, press releases, and advertising, data will be shared anonymously, preventing your identification.



How we protect your data and how you can protect it too


Security and Governance Practices. To safeguard your privacy and protect your Data, we have a governance program that contains best practice rules, internal policies, and procedures. These establish organizational conditions, training, educational initiatives, and mechanisms for monitoring and mitigating risks related to the Processing of Personal Data.


Data Access, Proportionality, and Relevance. Internally, processed data is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity, and relevance to our business objectives, in addition to the commitment to confidentiality and preservation of your privacy as per this Policy. In the event of individual leaks or unauthorized access to your Personal Data, we may, provided that these leaks pose significant harm or risk to you and you agree, promote direct conciliation under the terms of art. 52, § 7, of the General Personal Data Protection Law.


Password Sharing. You are also responsible for the confidentiality of your Personal Data and should always be aware that sharing passwords and access data violates this Policy and compromises the security of your Personal Data and the Website and Application.


Precautions You Should Take. It is very important that you take the necessary precautions against unauthorized access to your computer/smartphone, account, or password, and ensure that you always click "Log Out" when ending your browsing session on a shared computer. WISH GROUP never sends emails requesting data confirmation or containing executable attachments (extensions: .exe, .com, among others) or links to downloads. If you identify or become aware of a compromised security of your Data, please contact our Data Protection Officer through the Customer Service Channels provided at the end of this Policy.


Information Security. All credit card payment transactions are executed using SSL (secure socket layer) technology, ensuring that your Personal Data is not unlawfully disclosed. Furthermore, this technology prevents information from being transmitted to or accessed by third parties.


External Links. When using the Website and Application, you may be redirected, via links, to third-party platforms that may collect your information and have their own Data Processing Policies. It is your responsibility to read the Privacy Policies of such third-party platforms and accept or reject them. We are not responsible for the Privacy Policies of third parties or for the content or services of any websites other than our own.


Data processing by third parties under our guidelines. We carefully evaluate our partners and service providers and enter into contractual obligations with them regarding confidentiality, information security, and data protection, with the aim of protecting you.


Email Communication. To optimize and improve our communication, when we send you an email, we may receive a notification when it is opened, provided this option is available. Please note that emails are only sent from the "@grupowish.com" or "@exclusiveguest.com" domains.



How we store your data and activity logs


Storage location. Processed Data and activity logs are stored in a secure and controlled environment, which may be on our servers located in Brazil, as well as in a resource-using environment or cloud computing servers, which may require the transfer and/or processing of your Data outside of Brazil. These transfers only involve companies that demonstrate compliance with applicable laws, maintaining a level of compliance similar to or stricter than that required by Brazilian law.


Storage period. We store Data only for as long as necessary to fulfill the purposes for which it was processed or to comply with any legal or regulatory obligations or to preserve rights.


Data Disposal. After the retention period and legal requirement have expired, the Data will be deleted using secure disposal methods or used in an anonymized form for statistical purposes.


What are your rights and how to exercise them?


Your basic rights. The Data is yours, and applicable legislation provides a series of rights related to it, which you may exercise by submitting a request to our Data Protection Officer through the Customer Service Channel available at the end of this Policy.


  • (VII) Confirmation and access: you may request confirmation about the existence of Processing and access to your Data, including by requesting copies of records we have about you;
  • (VIII) Correction: you may request the correction of your Data that is incomplete, inaccurate or out of date;
  • (IX) Anonymization, blocking or deletion: you may request the anonymization of your Data, so that they can no longer be related to you, the blocking of your Data, temporarily suspending the possibility of Processing for certain purposes, or the deletion of your Data;
  • (X) Portability: you may request that we provide your Data in a structured and interoperable format for transfer to a third party, respecting our intellectual property or business secrets;
  • (XI) Information about sharing: you may request information about third parties with whom we share your Data, limiting such disclosure to information that does not violate our intellectual property or trade secrets;
  • (XII) Withdrawal of consent: You may choose to withdraw your consent for any purpose to which you have consented. This withdrawal will not affect the legality of any Processing previously performed. If you withdraw your consent for purposes essential to the proper functioning of our environments and services, these may become unavailable to you;
  • (XII) Opposition: you may object to the Processing of your Data if you do not agree with any purpose;
  • (XIV) Review: in the case of decisions based exclusively on automated processing, you may request a review of the decision, indicating your interests that may have been affected.


Request. For your security, whenever you submit a request to exercise your rights, we may request additional information to verify your identity, seeking to prevent fraud.


Failure to comply with requests. We may fail to comply with a request to exercise rights if such compliance violates our intellectual property or trade secrets, or if there is a legal or regulatory obligation to retain data. Furthermore, we may fail to comply with your request if we need to retain the data to enable our defense or that of third parties in disputes of any nature.


Responses to requests. We are committed to responding to all requests within a reasonable timeframe and always in compliance with applicable law.


Information about this policy


Changes to content and updates. You acknowledge our right to change the content of this Policy at any time, depending on the purpose or need. If there are any relevant updates to the Policy, you will be notified through the contact information you provide or by posting them on our official profiles.


Inapplicability. If any provision of this Policy is deemed unenforceable by a Data Authority or court, the remaining provisions will remain in full force and effect.


Service Channels. If you have any questions regarding the provisions of this Policy, including regarding the exercise of your rights, you may contact our Data Protection Officer, who is available at the following addresses:


  • In charge: ESPALLARGAS, GONZALEZ, SAMPAIO – LAW FIRM – ESG Advogados;
  • Responsible person appointed by EGS Advogados: Júlio Cesar Beltrão;
  • Substitute Responsible appointed by EGS Advogados: Bruna Komoni;
  • Address for correspondence: Av. Dra. Ruth Cardoso, 7815, CONJ 901, 1001 and 1002, São Paulo – SP;
  • Contact email: lgpd@grupowish.com


Applicable Law. This Policy shall be interpreted in accordance with Brazilian law, in the Portuguese language.


Update: 01/01/2025