Privacy Policy of LLC “Dreamland Oasis”

1. Who we are

LLC “Dreamland Oasis” (hereinafter also referred to as the “Hotel”, “we” or “our”) is a legal entity registered in accordance with the legislation of Georgia, which combines 4 (four) business directions:

• Hotel
• Apartments
• Restaurants
• Pools and entertainment areas

Our identification number is: 205205124.

Our legal address is: Georgia, Kobuleti Municipality, Chakvi Settlement, Batumi Street No. 16.

Our actual address is: Georgia, Kobuleti Municipality, Chakvi Settlement, Batumi Street No. 16.

Our website address is: https://dreamland.ge

2. Definitions

Personal Data – any information that directly or indirectly relates to an identified or identifiable natural person (e.g. first name, last name, address, phone number, email address of a guest or employee, etc.).

Processing – any operation performed on personal data, such as collection, storage, transfer, deletion, transmission, etc.

Data Subject – a person whose data is being processed (e.g. guest, employee, etc.).

Data Controller – a person who determines the purposes and means of data processing. For the purposes of this Policy, the Data Controller is the Hotel.

Data Processor (Authorized Person) – a natural or legal person or a public institution that processes data on behalf of or for the Data Controller. A natural person employed by the Data Controller is not considered a Data Processor.

Incident – a personal data security breach resulting in unlawful or accidental destruction, loss, unauthorized disclosure, alteration, access to, collection or other unauthorized processing of data.

3. We declare that:

• we respect and recognize fundamental human rights and freedoms in the processing of personal data, including the right to privacy and confidentiality of communications;
• we assume responsibility to strictly comply with applicable legislation when processing your personal data;
• recognizing the value and importance of personal data, we undertake to strictly protect the confidentiality of your data;
• we do not use your data unlawfully;
• we ensure the security of your personal data;
• in cases provided by law, including upon your request, we provide information regarding your personal data and their processing.

4. Purpose of this Policy

The Personal Data Protection Policy plays an important role both in informing data subjects and in ensuring information security, as it protects the confidentiality, integrity, and availability of data. The purpose of this Policy is to reduce the risk of misuse, loss, or unauthorized access to personal data.

Through this document, we inform you of the legal grounds and purposes for collecting and processing your personal data, the principles guiding such processing, and the organizational and technical measures used to ensure data security. This document also provides information about your rights and the means of their protection, the categories of personal data we collect, data sharing practices, and processing methods.

5. For whom this document is intended

This document is intended for:

• our potential, current, and/or former customers;
• legal representatives or contact persons of customers;
• our employees, contractors, persons whose data we process, data recipients, and data processors;
• any other interested persons.

6. How we collect your data (sources of data)

We collect your data from the following sources:

• your request for services/products (including telephone, written, electronic communication or personal visits);
• your use of our services;
• use of our remote channels / registration on online services;
• use of our official website(s) and their functionalities;
• submission of applications, complaints, or other documentation in person, by post, or by email;
• provision of personal data by third parties based on transactions concluded with them;
• public sources and third parties, where a relevant legal basis exists and, if required, based on your consent.

7. What categories of data we process, during which processes, for what purposes and for how long

Process	Data Category	Purpose of Processing	Retention Period
Video surveillance	Ordinary personal data	Protection of persons and property	30 calendar days
Audio monitoring (telephone)	Ordinary personal data	Protection of the Hotel’s significant legitimate interests	15 calendar days
Provision of hotel services	Ordinary personal data	Provision of services, compliance with legal requirements, conclusion and performance of contracts, protection of legitimate interests	During the service period and 3 years thereafter
Personnel files	Ordinary and special (sensitive) personal data	Fulfillment of labor and legal obligations	During employment and 1 year after termination
Accounting/tax records and payroll	Ordinary personal data	Financial operations and tax compliance	As required by law
Hotel operational system	Ordinary personal data	Recording of services provided	During service and 3 years thereafter
Conclusion/performance of contracts	Ordinary and special personal data	Service/product provision, employment relations	Within statutory limitation periods
Restaurant and bar	Ordinary personal data	Provision of quality services	During service period
Entertainment areas, pools, aquapark, beach (payments via room card/bracelet)	Ordinary personal data	Payment processing	As required by law or legitimate interest
Apartment hotel services (rental)	Ordinary personal data	Provision of apartment hotel services	During service and 3 years thereafter
Apartment management	Ordinary personal data	Property management and service provision	Guest data: service period + 3 years; Owner data: contract period + up to 6 years
Apartment sales	Ordinary personal data	Communication and property sale	Up to 6 years
Reservations	Ordinary personal data	Service provision, accounting, settlements	During service and 3 years thereafter
Customer feedback	Ordinary personal data	Quality improvement	Up to 1 month
Website(s)	Ordinary personal data	Informing users, reservations, handling requests	Until account deactivation

8. Principles of data processing

We process personal data in accordance with the following principles:

• data is processed lawfully, fairly, transparently, and with respect for human dignity;
• data is collected for specific, explicit, and legitimate purposes only;
• data processing is limited to what is necessary to achieve legitimate purposes;
• data is accurate and kept up to date; inaccurate data is corrected or deleted without undue delay;
• data is stored only for as long as necessary;
• appropriate technical and organizational measures are applied to protect data from unauthorized or unlawful processing, loss, destruction, or damage.

9. Legal grounds for processing

We process your data based on one or more of the following grounds:

• your voluntary consent;
• compliance with legal obligations;
• processing required by law;
• conclusion or performance of a contract/transaction;
• provision of services / consideration of applications;
• protection of our or third parties’ legitimate interests;
• public availability of data or data made public by the data subject;
• other grounds provided by the Law of Georgia “On Personal Data Protection”.

Processing of special category (sensitive) data

Sensitive data is processed on the following grounds:

• your written consent;
• processing expressly regulated by law and necessary in a democratic society;
• protection of vital interests;
• healthcare-related purposes in accordance with law or contracts;
• employment-related obligations;
• data made public by the data subject;
• other legal grounds provided by Georgian law.

Data is processed using semi-automated means, combining automated and non-automated processing.

10. Rules of data processing

• Personal data is collected in secure networks and databases protected from unauthorized access.
• Data is stored only for the necessary period and then deleted or destroyed.
• Transfer of data is allowed only on a lawful basis and with the Hotel administration’s approval.

11. Data sharing (transfer)

Your data may be shared with:

• your representative;
• transaction parties;
• Georgian authorities, where required by law;
• law enforcement agencies;
• service providers and authorized processors;
• legal successors;
• third parties with your consent.

International data transfer is carried out in compliance with Georgian law and with appropriate safeguards.

12. Rights of the data subject

You have the right to:

• receive information about data processing;
• access and obtain copies of data;
• request correction or updating;
• request deletion, destruction, or restriction;
• request data portability;
• withdraw consent;
• lodge a complaint with the Data Protection Authority or court.

13. Restriction of rights

Your rights may be restricted only in cases provided by law and only to the extent proportionate to the purpose of restriction.

14. Processing through an authorized person

Data may be processed on our behalf by an authorized person only under a written agreement ensuring data protection measures.

15. Data security

We apply organizational and technical measures to protect personal data. Access is granted only to authorized employees. Compliance is monitored by the Data Protection Officer.

16. Obligations and liability of employees

All employees must comply with this Policy and applicable laws. Violations may result in disciplinary measures and liability for damages.

17. Data retention period

Data is stored:

• as long as necessary for processing purposes;
• for the duration of legitimate interests;
• in accordance with Georgian law.

18. Incidents

Incidents are recorded and reported to the Data Protection Authority within 72 hours, where required by law.

19. Your obligations

Please notify us of any changes to your personal or contact information.

20. Contact details

21. Amendments

This document may be updated periodically. The updated version will be published on our website with the date of amendment.

Date: 27.10.2025