Privacy Policies

The Arena Hotéis Group values transparency in its relationships with its guests, employees, and partners, and treats the processing of your personal data with great seriousness and respect.


The Arena Hotéis Group (“Arena Hotels”) is composed of the companies JDVB ADMINISTRAÇÃO E HOTELARIA LTDA. (CNPJ: 07.037.213/0001-37), responsible for the Arena Copacabana Hotel, located at Rua Paula Freitas, 4, Copacabana, Rio de Janeiro - Zip Code: 22040-010; ARENA LEME HOTEL LTDA (CNPJ: 14.949.199/0001-03), responsible for the Arena Leme Hotel, located at Rua Gustavo Sampaio, 111, Leme, Rio de Janeiro - Zip Code: 22010-011; and ARENA IPANEMA HOTEL LTDA (CNPJ: 15.576.251/0001-96), responsible for the Arena Ipanema Hotel, located at Rua Francisco Otaviano, 131, Ipanema (Arpoador), Rio de Janeiro - CEP: 22080-040. All these private law legal entities, duly registered in their respective National Registers of Legal Entities with the Brazilian Federal Revenue Service, are identified in this act as controllers of personal data.

This Privacy Policy is governed by the laws of Brazil, including the General Personal Data Protection Law (LGPD - Law 13,709/2018).

In this Privacy Policy, you will obtain information about our practices regarding the processing of personal data, including what data is collected, for what purposes it is used, how it is shared, what we do to ensure the security and protection of this information, and how you can exercise your rights as a data subject.

If you wish to exercise your rights as a personal data holder, send an email to dpo@arenahotel.rio.


You may also contact the Data Controller, in accordance with the guidelines provided at the end of this Policy.


Index

1. Collection of personal data;

2. Purposes of use;

3. Principles for the processing of personal data;

4. Legal bases used for the processing of personal data;

5. Sharing personal data with third parties;

6. International transfer of personal data;

7. Exercise of rights by holders of personal data;

8. Security of your personal data;

9. Retention and Deletion of personal data;

10. Data of minors;

11.Personal Data Processing Officer

12. Privacy Policy Updates.


1. Collection of personal data:


For the purposes of this Privacy Policy, “personal data” is considered to be all information that can directly or indirectly identify an individual.


When you stay at our hotels, use our services, or register on our applications, you provide us with personal data, such as your name, address, email, telephone number, details of your identification documents, among others.


We may obtain different types of personal data depending on your relationship with us, whether as a guest, employee, supplier or business partner.


1.1 Personal data we may collect:

Identification and contact details:

  • Full name
  • ID, CPF, RNE, CIR, passport or other identification documents, and their dates of issue
  • Nationality and place of birth
  • Marital status, and details of spouse or de facto partners
  • Children or dependents
  • Email address
  • Home address and proof of residence
  • Telephone numbers
  • Date of birth
  • Filiation
  • Gender;

    • Professional and financial data:

  • Education
  • Profession and employer
  • Position or role
  • Income tax return or proof of income
  • Bank details and credit card information
  • Negative certificates, data related to score or legal proceedings;

    • Hosting and services data:

  • Reservation and check-in/check-out information
  • Room number and number of guests
  • Food preferences and dietary restrictions
  • Food intolerances and allergies
  • Special requests and service preferences
  • Previous stay history
  • Reviews and feedback on our services;

    • Communication and interaction data:

  • Recordings of calls made through our customer service channels
  • Emails and messages exchanged with the data subject
  • Interactions on social media
  • Participation in satisfaction surveys;

    • Technical and navigation data:

  • Information about the browser and operating system of the device used to access our platforms
  • IP address, date and time of connection to our platforms
  • Cookies and similar tracking technologies
  • Geolocation data when authorized;

    •  

    Biometric and security data:

  • Facial biometrics (when applicable for security)
  • Images from security cameras in the common areas of the hotels
  • Access data to the hotel facilities;

    •  

    1.2 Specific data by department:

    As mapped in our personal data lifecycle inventory, we collect specific data for different operational purposes:

  • Marketing: Data for promotional campaigns, newsletters and commercial communication;

  • Human Resources: Data on employees, candidates and selection processes;

  • Sales: Corporate client information and commercial contracts;

  • Information Technology: System user data and information security;

  • Finance, Controllership and Purchasing: Supplier data, payments and financial control;

  • Pricing: Information for market analysis and tariff definition;

  • Confectionery and Kitchen: Data for handling special requests and dietary restrictions;

  • General Management: Operational and management data for the three hotels.

    •  

    You can obtain access to a personalized report of your personal data, as well as a description of the purposes for which such data is processed, and business partners with whom your data may be shared by contacting the Data Controller using the contact details provided in this Privacy Policy.



    2. Purposes of use:

    Arena Hotels processes personal data for legitimate and specific purposes, informing the data subject about these purposes in a clear, objective and transparent manner.

    2.1 Purposes of use of personal data:

    Hotel operations and service provision:

  • Execution of accommodation contracts, operation and provision of hotel services
  • Management of reservations, check-in, check-out and accommodations
  • Provision of food services, including catering to dietary restrictions, allergies or intolerances
  • Provision of concierge services, room service and other hotel facilities
  • Management of events and activities held on hotel premises
  • Control of access to hotel premises and rooms;

    •  

    Safety and prevention:

  • Identity validation to prevent fraud and ensure the integrity and security of our transactions
  • Assessment, maintenance and improvement of the security of our physical environments, especially to prevent accidents or potential threats
  • Monitoring by security cameras in common areas to protect guests and employees
  • Access control to hotel facilities to ensure security;

    •  

    Financial and administrative management:

  • Carrying out risk control and mitigation processes, accounting auditing, billing, negotiation and collection
  • Payment processing and management of banking and credit card data
  • Management of suppliers and purchasing processes
  • Compliance with regulatory duty or legal obligation, for defense in proceedings or by decision of a judicial or administrative authority;

    • Customer Relationship:

  • Creating and managing guest and corporate client registrations
  • Prospecting clients, offering services, providing customer service and support
  • Creating content for social networks and sending emails with informative content
  • Managing loyalty programs and benefits for frequent guests
  • Conducting satisfaction surveys regarding our services;

    • Human resource management:

  • Recruitment, application, selection process, including assessment of past experience
  • Training and offering benefits to employees
  • Payroll and benefits management
  • Conducting organizational climate surveys

    • Marketing and communication:

  • Development and execution of marketing and communication campaigns
  • Sending newsletters and promotional communications
  • Management of presence on social networks and digital platforms
  • Market analysis and definition of pricing strategies

    • Information Technology:

  • Management of information systems and digital security
  • Maintenance and improvement of online platforms and applications
  • Data backup and recovery
  • Information security monitoring;

    •  

    2.2. Specific purposes by department:

    As detailed in our personal data lifecycle inventory, each Arena Hotels department processes personal data for specific purposes:

     

  • Marketing: Development of promotional campaigns, customer relationship management, market analysis and institutional communication;

  • Human Resources: Complete management of the employee life cycle, from recruitment to dismissal, including training and benefits;

  • Sales: Management of corporate clients, contract negotiation, commercial prospecting and group service;

  • Information Technology: Management of technological infrastructure, information security, technical support and systems development;

  • Finance, Controllership and Purchasing: Financial management, cost control, auditing, supplier management and purchasing processes;

  • Pricing: Market analysis, rate definition, revenue management and commercial strategies;

  • Confectionery: Special order handling, dietary restrictions management and provision of customized products;

  • General Management: Operational supervision, strategic management, quality control and coordination between departments;

    •  

    All these purposes are carried out in accordance with Brazilian personal data protection legislation and based on the legal assumptions provided for in the LGPD.

    3. Principles for the processing of personal data:

     

    Arena Hotels base their personal data processing practices on the principles established in the General Data Protection Law (Law No. 13,709/2018):

    Purpose: we only use personal data for purposes authorized or required by law, specific and duly informed to the holder through our privacy notices, privacy policies, contracts and other documents that we use to formalize our relationship;

    Adequacy: the personal data used in each of our activities are only those suitable for the purpose of our provision of hotel services, that is, personal data that actually contribute to achieving the intended result in the business process, in accordance with the expectations of the holder of the personal data;

    Necessity: The scope of personal data used in our activities is limited to what is truly necessary to achieve the purpose of providing services. We periodically assess whether the scope of data processed is adequate and necessary, applying personal data scope review processes to our business processes;

    Free access: we guarantee that holders of personal data who interact with us can easily and free of charge consult their processed personal data, as well as information about our personal data protection practices;

    Data quality: we value the accuracy of the personal data we use, periodically reviewing our internal processes and providing data subjects with the opportunity to correct, update or supplement their personal data;

    Transparency: We inform you through our privacy policies, privacy notices, contracts, terms and other documents that formalize our relationship, the practices of collection, use and disposal of personal data;

    Security: we adopt information security standards to protect personal data, managing access to data and monitoring activities carried out with it, always seeking to guarantee the integrity, availability and confidentiality of this information;

    Prevention: we periodically carry out analyses of our activities to improve our practices involving the processing of personal data and detect potential risks and needs, treating our business processes in a preventive and mitigating manner;

    Non-discrimination: we do not process personal data in a way that discriminates against personal data holders, or engage in activities that may be seen as abusive or intrusive in relation to their privacy;

    Accountability and accountability: We maintain governance processes regarding privacy and personal data protection, with the aim of ensuring compliance with the law and timely reporting to personal data owners and authorities, if necessary.


    4. Legal bases used for the processing of personal data:

     

    Arena Hotels only processes personal data in accordance with Brazilian law. Depending on the activity performed, we process personal data in accordance with the following circumstances:

  • Contract execution: when necessary for the negotiation or execution of a hosting or service provision contract established between holders of personal data and Hotéis Arena;


  • Compliance with legal obligation: to comply with a legal or regulatory obligation that determines the processing of personal data, including tax, labor and security obligations;


  • Regular exercise of rights: for the regular exercise of rights, including in judicial, administrative or arbitration proceedings;


  • Protection of life: to protect the life or physical safety of the holder or third party, especially in emergency situations on hotel premises;


  • Legitimate interest: to meet a legitimate interest when disclosing our services to the public, sharing informative content, or to build loyalty and retain our guests, always with due transparency and respecting the rights and expectations of the holder of personal data;


  • Consent: upon provision of consent by the holder, especially for direct marketing activities, newsletters and promotional communications.

    • Depending on the relationship that the data subject has with Hotéis Arena, their personal data may be used based on legitimate interest to:

  • Quality review processes and satisfaction surveys, formation of indicators and improvement of hotel services;

  • Interaction and relationship development processes, including via social media and consumer complaint portals, aimed at winning, retaining or recovering guests;

  • Cookie management to improve the experience of visitors to our applications, to understand browsing preferences and better target services;

  • Data analysis to improve the hosting experience and personalize services;

    • Security of facilities and protection of hotel and guest assets.


    5. Sharing personal data with third parties:

    When necessary to provide our hotel services, we may share personal data with business partners, but we will always do so with due transparency and in a manner aligned with the expectations of the data subjects who interact with us.

    We may share your personal data with partner companies to develop campaigns and commercial activities, update contacts, offer services, publicize our own events or those of commercial partners, and to handle legal or extrajudicial disputes.


    Categories of third parties with whom we share data:

    Hotel service providers: companies that provide complementary services such as laundry, transportation, tourism, entertainment and gastronomy;


    Booking systems: online booking platforms, travel agencies and tour operators;

     

    Payment processors: financial institutions, credit card operators and payment systems;

     

    Technology providers: software companies, hotel management systems, information security and technological infrastructure;

     

    Business partners: companies in the tourism, entertainment and services sectors that can add value to the guest experience;

     

    Competent authorities: government agencies, tax, police and judicial authorities, when required by law;

     

    Support service providers: auditing, legal consulting, accounting, and other professional services firms.

    We may share your personal data with business partners to: (i) validate your identity, prevent fraud and ensure the security of our operations; (ii) issue statements, payment slips or charges; (iii) prospect customers and share informative content; (iv) manage our applications, such as websites and apps; (v) respond to investigations, legal or arbitration proceedings; (vi) store data in the cloud; or (vii) when the data subject authorizes its disclosure.


    6. International transfer of personal data:

     

    In accordance with the provisions of national legislation, the international transfer of personal data may occur to commercial partners or international organizations based in countries that provide a level of personal data protection adequate to that provided for in the Law, or ensure the same level of protection contractually.

    Arena Hotels may transfer personal data to foreign companies, which store and host data, at the request and under the interference of Arena Hotels, with the specific purpose of fulfilling the execution of contracts or carrying out preliminary procedures related to contracts, to which the data subject is a party.


    International transfer situations:

    Global reservation systems: international hotel reservation and distribution platforms;

     

    Payment processing: international credit card systems and payment processing;


    Cloud services: data storage and processing on servers located abroad;


    International partners: hotel chains, travel agencies and international operators;


    International compliance: compliance with legal obligations in foreign jurisdictions where applicable.

    All international transfers are carried out with appropriate contractual and technical safeguards to ensure adequate protection of personal data.


    7. Exercise of rights by holders of personal data:

     

    Hotéis Arena guarantees that holders of personal data can exercise their rights by contacting the Personal Data Protection Officer, using the contact details provided at the end of this Privacy Policy.

    Holders of personal data may exercise the following rights free of charge:


    Confirmation of processing of your personal data: Holders of personal data may request confirmation regarding the processing of their personal data by Hotéis Arena;


    Access to personal data: Holders of personal data may request access to the scope of personal data processed by Hotéis Arena, as well as information about the processing and sharing of personal data with commercial partners;


    Portability of personal data: Holders of personal data may request a report of personal data processed, to be shared with other companies;


    Correction, update or completion of personal data: Holders of personal data may request the correction, update or completion of their personal data;


    Opposition to the processing of personal data: Holders of personal data may request clarification and/or object to the processing of their personal data when they believe that such processing is being carried out irregularly;


    Blocking of processing of personal data: Holders of personal data may request the temporary blocking of the processing of their data, while requests for correction or objection are processed;


    Deletion or Anonymization of personal data: Holders of personal data may request the deletion of their personal data and/or anonymization thereof, when they understand that such data is no longer necessary to maintain the relationship they have with Hotéis Arena;

    Revocation of consent: When processing is based on consent, data subjects may revoke it at any time, without prejudice to the lawfulness of processing carried out based on previously expressed consent.

    Arena Hotels processes requests on behalf of third parties, enabling guardians, curators, and other legal representatives to exercise their rights. In these cases, we require documents proving legal authorization for this specific purpose, which must be provided by contacting the Data Protection Officer.

    Requests are processed within 15 (fifteen) days, with the possibility of an extension of another 15 (fifteen) days upon express justification. In complex cases involving a large volume of data, the deadline may be extended as provided by law.


    8. Security of your personal data:

     

    We apply appropriate information security measures to protect your personal data. For Hotéis Arena, the security of your data is a priority, and we always strive to improve our information security policies, processes, and controls.

    We have Information Security processes, policies, and controls designed and implemented to ensure the confidentiality, integrity, and availability of personal data. Access to personal data is limited and controlled according to the needs of each activity, aiming to protect personal data from unauthorized access or disclosure. Measures are implemented to track and record access to personal data, aiming to monitor interactions and prevent, detect, and quickly remedy any inappropriate situations.


    9. Retention and Deletion of personal data:

    The retention period for your personal data corresponds to that necessary to achieve the purpose for which we are committed, as described in our privacy policies, contracts and other documents that formalize our relationship.

    Additionally, we may retain your personal data for longer periods when necessary to comply with a legal obligation, regularly exercise rights or to comply with orders from competent authorities.

    At the end of the retention period, personal data is securely deleted or anonymized so that it is no longer possible to identify the data subject.


    10. Data on minors:

    Arena Hotels may accommodate minors accompanied by their legal guardians. The processing of personal data of children and adolescents is carried out with special care and always with the specific and explicit consent of at least one parent or legal guardian.

    For guests under 18 (eighteen) years of age, we always require the presence and authorization of parents or legal guardians to carry out check-in and for any processing of personal data that is not strictly necessary for the provision of the accommodation service.


    11. Person in Charge of Personal Data Processing:

     

    Arena Hotels has appointed a Data Protection Officer (DPO) to act as a communication channel between data subjects, Arena Hotels and the National Data Protection Authority (ANPD).

    Responsible Person:

  • Name: Maurício Lurahy
  • Telephone: 55 (21) 98491-4200
  • Email: dpo@arenahotel.rio

    • Substitute Manager:

  • Name: Maria Paula Comaru
  • Telephone: 55 (21) 981435992
  • Email: diretoria.vendas@arenahotel.rio


    • 12. Privacy Policy Updates:

    This Privacy Policy may be updated periodically to reflect changes in our data processing practices, changes in applicable legislation, or improvements to our services.


    13. Validity:


    This Privacy Policy is effective as of June 16, 2025, and remains valid until replaced by a new version.

    This Privacy Policy was prepared in accordance with the General Personal Data Protection Law (Law No. 13,709/2018) and other applicable regulations.

    Last updated: June 16, 2025