Your privacy, handled with care

a) Data you provide directly to us

• Identification and contact: name, e-mail, telephone/WhatsApp.
• Reservation data: dates, accommodation, number of guests, preferences and special requests.
• Content of messages exchanged with us (e-mail, forms, WhatsApp).
• Subscription data for the Cartas do Naatooh newsletter: name and e-mail.

b) Payment data

• Transactions are processed by specialized partners. We do not store complete credit card data in our systems; such data is processed directly by the payment processor.

c) Data collected automatically (browsing)

• IP address, device and browser type, pages visited, time spent, access source and data from cookies and similar technologies (see Section 6).

• Through the completion of forms on the website (contact, reservation, newsletter).
• Through the booking engine and service channels.
• Through conversations on WhatsApp, including with our automated service (virtual assistant).
• Automatically, through cookies and analytics tools, while you browse the website.

• To process and manage reservations, stays and requested services.
• To provide assistance and respond to your requests, including via WhatsApp.
• To send relationship communications and news (Cartas do Naatooh newsletter), when you subscribe.
• To carry out marketing campaigns by e-mail and WhatsApp, with offers, experiences and Naatooh content, upon your consent.
• To display and measure ads and remarketing on third-party platforms (for example, social networks and search engines).
• To personalize your experience and improve our website and services.
• To comply with legal, tax and regulatory obligations, and to exercise or defend rights.
• To ensure security and prevent fraud.

We process your data based on one or more of the following legal bases under the LGPD (Brazilian General Data Protection Law):

• Performance of a contract and preliminary procedures (to make your reservation and provide the service).
• Consent (for the newsletter, marketing campaigns by e-mail and WhatsApp and non-essential cookies).
• Legitimate interest (to improve our services, security and relationship communications, always respecting your rights).
• Compliance with a legal or regulatory obligation (for example, tax obligations).

• You only receive our marketing communications if you express interest (opt-in), when registering or authorizing contact.
• You may unsubscribe at any time:
  • E-mail: through the unsubscribe link included in each message.
  • WhatsApp: by replying with an opt-out request or by contacting us through the channels in this Policy.
• Opting out of marketing communications does not affect messages necessary for your reservation or stay (confirmations, operational information).

We use cookies to make the website function, understand how it is used and, with your consent, support marketing actions. The types are:

• Essential: necessary for the website to function (do not require consent).
• Performance/analytics: help measure and improve browsing (for example, analytics tools).
• Marketing/advertising: enable more relevant ads and remarketing (for example, social media and search engine pixels).

On your first visit, we display a cookie notice in which you can accept or refuse non-essential categories. You may also manage or delete cookies in your browser settings.

We share data only when necessary, with:

• Operational partners: booking engine/hotel management system, payment processor, hosting and e-mail providers.
• Analytics and marketing tools: analytics, advertising and messaging platforms (e-mail and WhatsApp).
• Public authorities, when required by law or for the exercise of rights.

We do not sell your personal data.

Some of our partners (for example, technology, analytics and marketing tools) may store or process data outside Brazil. In such cases, we adopt measures to ensure an adequate level of protection, in accordance with the LGPD (Brazilian General Data Protection Law).

We retain your data for as long as necessary for the purposes of this Policy and to comply with legal obligations. Marketing data is retained for as long as your consent remains valid. After these periods, the data is securely deleted or anonymized.

We adopt technical and organizational measures to protect your data against unauthorized access, loss or improper alteration. No system is entirely immune, but we work continuously to keep your information secure.

Under the LGPD (Brazilian General Data Protection Law), you may, at any time, request:

• Confirmation of the existence of processing;
• Access to your data;
• Correction of incomplete, inaccurate or outdated data;
• Anonymization, blocking or deletion of unnecessary data or data processed in non-compliance;
• Data portability;
• Deletion of data processed based on consent;
• Information about the entities with which we share your data;
• Information about the possibility of not providing consent and the consequences thereof;
• Withdrawal of consent.

To exercise your rights, contact our Data Protection Officer by e-mail at [email protected]. You may also lodge a complaint with the Brazilian National Data Protection Authority (ANPD).

Naatooh welcomes guests from 12 years old. Any data relating to minors is processed only in the context of the reservation and stay, under the responsibility and with the consent of parents or legal guardians, and with heightened care, in the best interest of the minor.

We may update this Policy periodically. The current version will always be available on this page, with the date of the last update. Relevant changes may be communicated through our channels.

The party responsible for processing your data (controller) and the channel for questions and requests regarding this Policy and your data:

• Legal name: Naatooh Ltda.
• CNPJ: 34.590.953/0001-79
• Address: Rodovia Gilson da Costa Xavier, 320, Santo Antônio de Lisboa, Florianópolis, SC, Brasil
• E-mail: [email protected]
• Data Protection Officer (DPO): Bárbara Guedert Proença, [email protected]