Home / Privacy policy

Privacy policy and personal data treatment

MASANI S.A.S., identified with NIT. 901.805.189 – 7, located in the city of Bogotá D.C., with physical address [°], email reservas@masanisas.com / contacto@masanisas.com and phone number +(57) 311 517 7549 (hereinafter, “MASANI“), as the data controller responsible for personal data collected through the website and booking processes of CASA TOMASA, located at Calle 3 # 2 – 49, Riohacha (La Guajira), and, in general, the Personal Data of the Data Subjects that are subject to Processing, has adopted this Privacy Policy and Personal Data Processing (hereinafter, the “Policy”), in compliance with Law 1581 of 2012, Decree 1377 of 2013, Law 2300 of 2023, and other regulations that amend, replace or complement them.

SCOPE AND APPLICATION

This Policy is applicable to all Data Subjects whose Personal Data is collected, stored, used, transmitted, or deleted by MASANI in the context of the operation and provision of tourist services offered through this website, official contact channels other than this, and even through channels provided by intermediaries.

This includes, among others, the data of:

  • Users and visitors of the website, who browse or interact with its content;
  • Guests and potential guests, who make inquiries, reservations, payments, or requests for services related to staying at CASA TOMASA;
  • Providers, contractors, or business partners, to the extent that their data is required to fulfill obligations arising from the tourist operation.

This Policy covers all databases and physical or digital files in which MASANI processes personal information, whether obtained directly from the Data Subject, through authorized third parties, or through technological tools such as web forms, emails, WhatsApp, payment gateways, and online booking systems.

Accessing and using this website implies knowledge and acceptance of this Policy regarding the processing of personal data collected in this context.

DEFINITIONS

For the purposes of this Policy, the following terms shall have the following meanings:

  1. Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of Personal Data;
  2. Database: An organized set of Personal Data that are the subject of Processing;
  3. Personal Data: Any information linked or that can be associated with one or more specific individuals. Examples: name, identification document, email, address, phone number, payment information, among others;
  4. Sensitive Data: Those that affect the privacy of the Data Subject or whose misuse may lead to discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, affiliation with trade unions, social organizations, human rights organizations, or promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data;
  5. Data Subject: Natural person whose personal data is subject to Processing. In the context of MASANI‘s operation, guests, potential guests, website users, providers, contractors, employees, and business partners are considered Data Subjects;
  6. Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation, transmission, transfer, updating, rectification, or deletion.

GUIDING PRINCIPLES

In the development of its tourist and commercial activities, MASANI will collect, store, use, transmit, transfer, and in general process the Personal Data of the Data Subjects in accordance with the purposes established in this Policy. All Processing of Personal Data carried out by MASANI and/or by third parties to whom Personal Data is transferred will be governed by the principles enshrined in Law 1581 of 2012, its regulatory decrees, and those indicated in this Policy, guaranteeing at all times the protection of the fundamental right to data protection.

The principles guiding the Processing are as follows:

  1. Principle of legality: The Processing referred to in this Policy is a regulated activity that must comply with the provisions of Law 1581 of 2012 and other regulations that develop and complement it;
  2. Principle of purpose: The Processing must comply with a legitimate purpose, informed to the Data Subject and in accordance with the Constitution and the Law. MASANI will process Personal Data only for authorized purposes, including reservation management, provision of tourist services, handling inquiries, sending relevant information, and fulfilling legal obligations;
  3. Principle of freedom: The Processing can only be carried out with the prior, express, and informed consent of the Data Subject. No Personal Data will be collected or disclosed without authorization, unless there is a legal or judicial mandate that exempts such consent;
  4. Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. MASANI will refrain from processing data that is partial, incomplete, fragmented, or misleading;
  5. Principle of transparency: The Data Subject has the right to obtain, at any time, clear and unrestricted information about the existence and Processing of their Personal Data;
  6. Principle of limited access and circulation: The Processing will be subject to the limits derived from the nature of the Personal Data, the Constitution, and the Law. Consequently, Personal Data may only be accessed and processed by persons authorized by the Data Subject or by law. Personal Data, except public information, may not be available on the Internet or other mass media unless access is technically controllable to provide restricted knowledge only to the Data Subjects or third parties authorized by law;
  7. Principle of security: MASANI will implement technical, human, administrative, and organizational measures necessary to protect the information of the Data Subjects, preventing its alteration, loss, consultation, use, or unauthorized or fraudulent access;
  8. Principle of confidentiality: All persons involved in the Processing of Personal Data that are not public in nature are obliged to maintain confidentiality about the information, even after their relationship with MASANI is terminated. The information may only be provided in the terms authorized by Law and this Policy.

DATA COLLECTION

In compliance with the principles of purpose and freedom, the collection of Personal Data carried out by MASANI will be limited to information that is relevant, adequate, and strictly necessary to fulfill the legitimate purposes linked to the tourist operation and services offered through this website.

Deceptive, fraudulent, or disproportionate means may not be used to collect and process Personal Data. Collection will always be subject to the Data Subject’s prior consent, except in cases expressly permitted by law.

Category of Personal Data processed.

MASANI may process, in an illustrative and non-limiting way, the following categories of data:

  1. Identification and contact: full name, type and number of identification document (ID card, passport, or other), email, phone, residential address;
  2. Stay and reservations: check-in and check-out dates, number of guests, nationality (when required for tourist or immigration reports), reservation details and contracted services;
  3. Payments: transactional information necessary to process payments through secure platforms. MASANI does not store complete credit or debit card numbers;
  4. Stay preferences (optional): estimated arrival time, special requirements (e.g. accessibility, additional services);
  5. Customer service: data derived from communications, inquiries, complaints, claims, suggestions (PQRS), and information requests;
  6. Technology/web browsing: IP address, device type, browser, cookies, and geolocation data.

Origin and means of collecting Personal Data.

The information may be collected through the following means:

  1. Official digital channels: forms on the website, emails, WhatsApp, phone calls, and online chats;
  2. In person: directly during the check-in, check-out process, or when filling out physical forms at CASA TOMASA;
  3. Payment and booking platforms: through payment gateways (e.g. Wompi, Addi, PayU, or others authorized) and integrated booking engines, acting as Data Processors;
  4. Social media: only when the Data Subject contacts MASANI through direct messages on official accounts;
  5. Authorized third parties: travel agencies, tourism portals, or operators with whom the Data Subject has made previous reservations.

PERSONAL DATA PROCESSING

Personal Data will be collected, stored, organized, used, circulated, transmitted, transferred, updated, rectified, deleted, and, in general, managed by MASANI according to the specific purposes that justify each type of Processing.

These purposes will be informed to the Data Subject at the time of requesting their Authorization, prior, express, and informed, and will be developed within the applicable legal framework and in accordance with the nature of the relationship between the Data Subject and MASANI.

Purposes of the processing.

MASANI will process Personal Data exclusively for the purposes informed to the Data Subject at the time of their collection and that have been expressly consented to.

Likewise, third parties who have access to Personal Data by virtue of law or contract must keep the Processing within the purposes described here or those informed at the time of collection.

The purposes of Processing Personal Data include, among others:

  1. Managing lodging reservations, tourist services, and complementary services offered by MASANI;
  2. Complying with tax, accounting, contractual, and regulatory obligations in the tourism and immigration sector;
  3. Managing the registration of guests and visitors, as well as procedures associated with their stay;
  4. Processing payments and billing through secure platforms;
  5. Managing providers, employees, contractors, business partners, and any other relationships necessary for the operation;
  6. Sending communications related to the provision of services, including confirmations, reminders, relevant information about the stay, attention to PQRS, and associated promotions;
  7. Developing marketing, loyalty, and customer knowledge activities, with the express authorization of the Data Subject;
  8. Safeguarding and keeping guest, customer, and web user databases and information up to date;
  9. Transmitting and/or transferring Personal Data to third parties (reservation platforms, payment gateways, technological providers, strategic partners), with the obligation to comply with data protection standards;
  10. Complying with legal obligations to report to government or control entities, in tourism, migration, security, or tax matters

Processing of Sensitive Data.

MASANI may request Personal Data classified as Sensitive Data, which will be expressly identified and indicated in the respective Authorization granted by the Data Subject.

The Processing of Sensitive Data is prohibited, except when:

  1. The Data Subject has given explicit Authorization to such Processing, except in cases where such Authorization is not required by law;
  2. The Processing is necessary to safeguard the vital interests of the Data Subject, and the Data Subject is physically or legally incapacitated. In these cases, legal representatives must grant their Authorization;
  3. The Processing is carried out within the legitimate activities and with the necessary guarantees by a foundation, NGO, association, or any other non-profit organization, whose purpose is political, philosophical, religious, or union-related, provided that it exclusively relates to its members or people who maintain regular contacts for reasons of their purpose. In these cases, the data must not be provided to third parties without the Authorization of the Data Subject;
  4. The Processing relates to data that is necessary for the recognition, exercise, or defense of a right in a judicial process;
  5. The Processing has a historical, statistical, or scientific purpose. In this case, measures must be taken to de-identify the Data Subjects;
  6. The Processing relates to data essential for handling emergencies, health processes, or security during the stay.

Sensitive Data will be processed with the highest diligence possible and with the highest standards of security and privacy. Access to this information will be strictly limited to personnel with the necessary Authorization and who need to know it in the performance of their duties.

Processing of Personal Data of children and/or adolescents.

The Processing of Personal Data of children and adolescents is prohibited, except when it concerns public data, in accordance with the provisions of article 7 of Law 1581 of 2012 and when such Processing complies with the following parameters and requirements:

  1. That it responds to and respects the best interests of children and adolescents;
  2. That the respect for their fundamental rights is ensured.

Once these requirements are met, the legal representative of the child or adolescent will grant Authorization after the child has exercised their right to be heard, an opinion that will be considered taking into account their maturity, autonomy, and capacity to understand the matter.

Temporary limitations on the Processing of Personal Data.

MASANI will only collect, store, use, or circulate Personal Data for a reasonable and necessary period of time to fulfill the purposes that justified the Processing, in compliance with legal provisions and contractual, tax, and tourism obligations.

Once these purposes have been fulfilled, and unless there is a legal norm that specifies otherwise, MASANI will proceed to delete the Personal Data in its possession. However, this data may be retained when required to comply with a legal or contractual obligation (e.g. tax obligations or migration reporting).

AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA

Without prejudice to the exceptions provided for by law, the Processing of Personal Data requires the prior, express, and informed Authorization of the Data Subject. This may be obtained by any means that allows for subsequent consultation (e.g. web forms, acceptance of terms, physical documents, voice recordings, or electronic media).

In the context of commercial, contractual, and labor relations, and with respect to guests and users of CASA TOMSA, MASANI will seek to request and retain Authorization in the terms required by law.

Personal Data found in public sources may be processed by anyone, as long as by their nature they are considered public data.

By browsing this website and providing Personal Data, all users are accepting this data processing policy, which will be expressly processed for the purposes set forth herein.

Information provided to the Data Subject at the time of Authorization.

At the time of requesting Authorization, MASANI will inform the Data Subject, clearly and expressly, of the following:

  1. The Processing to which their Personal Data will be subject and the purpose thereof;
  2. The voluntary nature of answering questions about Sensitive Data or about children and adolescents’ data;
  3. The rights available to them as Data Subjects (to know, update, correct, delete, or revoke the Authorization);
  4. The identification, physical and electronic address, as well as the contact phone number of MASANI.

MASANI will retain proof of compliance with the provisions of this point and, when requested by the Data Subject, will provide a copy of the Authorization granted.

Authorization for the Processing of Sensitive Data.

In the Processing of Sensitive Data, MASANI will observe the following obligations:

  1. Inform the Data Subject that, because they are Sensitive Data, they are not obliged to authorize their Processing;
  2. Explicitly and in advance inform the Data Subject, in addition to the general requirements of Authorization for the collection of any type of Personal Data, which of the data to be Processed are Sensitive and the purpose of the Processing, as well as obtain their express consent.

In no case will the provision of tourism or lodging services be conditioned on the Data Subject providing Sensitive Data.

Method of obtaining Authorization.

Authorization may be granted (i) in writing, (ii) orally, or (iii) through the Data Subject’s unequivocal conduct allowing it to be reasonably concluded that they have granted Authorization.

Proof of Authorization.

MASANI will retain proof of the Authorization granted by Data Subjects for the Processing of their Personal Data.

Cases where Authorization is not necessary.

Authorization from the Data Subject will not be necessary when it concerns:

  1. Information required by a public or administrative entity in the exercise of its legal functions or by a court order;
  2. Data of a public nature;
  3. Cases of medical or health emergency;
  4. Information Processing authorized by law for historical, statistical, or scientific purposes;
  5. Data related to the Civil Registry of Persons.

Revocation of Authorization and/or deletion of data.

The Data Subject may at any time request the deletion of their Personal Data and/or revoke the Authorization granted for their Processing by submitting a complaint under the terms of Article 15 of Law 1581 of 2012.

The request for data deletion or revocation of Authorization will not proceed when the Data Subject has a legal or