Your privacy is our priority at Cesta Hotels. We're committed to safeguarding your personal information and complying with data protection laws, including the Zimbabwe Cyber and Data Protection Act [Chapter 12:07] (No. 5 of 2021). This Privacy Notice outlines how we collect, use your information and safeguard your data. This Notice applies to all clients, investors, and individuals with a contractual relationship with our company. We're dedicated to maintaining the confidentiality and security of your personal data. As a Data Controller, we ensure that your personal data is processed in accordance with the law."

In relation to your personal data, we will: • Process it fairly, lawfully and in a clear, transparent way • collect your data only for reasons that we find proper for the course of your stay with us and any other purposes which may be requested from you from time to time. • application and in ways that have been explained to you • only use it in the way that we have told you about • ensure it is correct and up to date • keep your data for only as long as we need it • keep it securely.

Identification Data: Name, Identification Number, email address, phone number, physical address, copies of IDs, physical address

1. Account Data: Username, password, account settings.
2. Technical Data: IP address, browser type, operating system.
3. Usage Data: Information on how you use our services and products.
4. Marketing Data: Preferences in receiving marketing communications.

We use the information that we collect for various purposes, including: • Providing and managing our guest services • Processing transactions and sending related information. • Improving our website and services. • Complying with legal obligations and protecting our rights. • Sharing marketing materials, promotions, or offers if you sign up for our newsletters. You can opt out at any time.

We may share your information with: Service Providers: Third-party vendors, agents or contractors who provide services to us or on our behalf. Affiliates: Companies related to us by common ownership or control. Legal Authorities: When required by law or to protect our rights. Transborder Data Transfers: Some of our service providers may be located outside Zimbabwe and your data may be transferred internationally. Transfer of data is done in compliance with the Act and the regulations.

We implement industry-standard security controls to safeguard your data. Your information is retained only for as long as necessary for legal and business purposes. These measures are to protect your personal information from unauthorised access, use or disclosure.

The retention period of your personal data will be determined by various considerations including: • the purpose for which we are using it, • legal and regulatory obligations which may set a minimum period for which we must keep your personal data.

1. You have the following rights regarding your personal information:
2. Accessing and obtaining a copy of your data.
3. Requesting correction or deletion of your data.
4. Objecting to or restricting the processing of your data.
5. Withdrawing consent to data processing.
6. You may exercise your rights by contacting us at george@cresta.co.zw

The organisation is a data controller, meaning that it determines the processes to be used when using your personal data.If you have any questions or concerns about this Privacy Policy, or simply seek to enforce your rights as outlined in clause 6 above, please contact us at: Attention: The Data Protection Officer Email: george@cresta.co.zw Telephone: +263-242- 774 066 Address: Cresta Hotels, 28 Downie Avenue, Belgravia, Harare

Version of 1 March 2025.