Privacy Notice

("Notice")

We are OMNI Táxi Aéreo S/A (“OMNI” or “OTA”), a legal entity governed by private law, enrolled with the CNPJ (Corporate Taxpayer Registration) under No. 03.670.763/0001-38, headquartered at Av. Ayrton Senna, 2.541, RUA F1 LOTE 40 E HANGARES 35 E 42, Barra da Tijuca, Rio de Janeiro-RJ, CEP No. 22.775-002.

We are a civil aviation company focused on customer service in the air transport segment, serving both legal entities and individuals (“CLIENTS”), and offering offshore and onshore air transportation solutions throughout the Brazilian territory, as well as external cargo transportation and aeromedical transportation service

Our commitment to quality and safety is present in all sectors of the company and as such, in 2009, we became the first air cab company in Brazil to receive the ISO 9001, ISO 14001, OHSAS 18001 certifications. Moreover, rigorous audit programs have confirmed the quality of OMNI’s services, whether in customer service, in flight operation, or in the maintenance of our aircraft, area in which we have received the RBAC 145 approval.

With the advent of the Brazilian General Personal Data Protection Law, the Federal Law No. 13.709/2018 (“LGPD”), we further reaffirm our commitment to quality and safety as to the privacy, protection and processing of personal data by us, when necessary to properly and legitimately carry out our activities.Thus, to better meet our commitment to the privacy, protection and processing of personal data, we clarify below the details of our Privacy Notice. First of all, it is necessary to clarify some terms used in our Notice:

1. What is PERSONAL DATA and SENSITIVE PERSONAL DATA, and who is considered as the DATA SUBJECT.

Personal data is information related to an identified or identifiable individual, such as one’s CPF (Individual Taxpayer Registration), RG (Identity Card) or Passport, for example.

The personal data subject is, therefore, the individual to whom the personal data being processed refer, and this Privacy Notice does not apply to information about legal or collective entities in general.

Another important point is that not all data used by us, at OMNI, will be considered personal data for the purposes of the LGPD, as only the information that allows us to know exactly who the subject to whom the data refers is considered personal data. When data cannot be associated with a specific subject, it does not qualify as personal data

Some personal data are more sensitive than others, as the information contained therein may present a greater degree of exposure to discriminatory and/or unlawful practices, also entailing greater vulnerability for the subject.

Therefore, the LGPD created a special category of data, namely, the sensitive personal data. Brazilian law considers sensitive the personal data on racial or ethnic origin, religious conviction, political opinion, membership in a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data, when linked to an individual.

In our regular activities, we process both personal data in general, as well as the so-called sensitive personal data, at different times and for different purposes, however, always in view of a common commitment: to use the least amount of personal data possible, with transparency and with the security appropriate to the level of sensitivity of each data.

MINIMIZATION + TRANSPARENCY + SECURITY + ADEQUACY

2. Which personal data does OMNI process and why?

We are an air transport company focused mainly on the business segment, that is, acting primarily for legal entities, but we also serve individuals. In both cases, when transporting passengers, we need to identify the individuals traveling with us and who are the direct subjects of the personal data shared with us.

However, although our main business does not aim to collect, process and share personal data as a business itself, we do need to carry out numerous personal data processing to efficiently and safely achieve our core business.

Processing of Personal Data of CLIENTS (Legal Entity):

As we are a company focused on providing air transport services primarily to legal entities, most of the registration data of our clients is not personal data for the purposes of the LGPD.

However, in situations where it is necessary to collect and process personal data of the representatives and employees of our clients, or when the client is an individual, the Company will act, with transparency, applying to such data the same principles of necessity, transparency, purpose, adequacy, security and responsibility that are summarized in this Privacy Notice.

Processing of Personal Data of PASSENGERS:

The need to process the Personal Data of our passengers aims, in addition to ensuring their correct identification, to comply with the terms established by the airport authorities. The main Personal Data collected and processed are: name, nationality, profession and identification document.

In addition to this Personal Data, to ensure that the flight will be safe and that the capacity of the aircraft will be respected, we also collect some Sensitive Personal Data, such as: weight and height of passengers, which will be processed exclusively for this purpose.

Data collection occurs through the prior submission of the passenger list by our CLIENT and/or through the data informed by the PASSENGER themselves through our PASSENGER PORTAL, website https://vpp.omnibrasil.com.br/, where the specific Terms of Use are available.

Processing of Personal Data of EMPLOYEES:

In the performance of our economic business, we need to hire individuals to carry out the most diverse activities, from the crew that will operate the aircraft to the maintenance, security, information technology, human resources, engineering, commercial, financial, legal teams and many other professionals essential to the adequate provision of our services.

Thus, the personal data of our employees, service providers, business partners and co-workers in general, relating to their identification, qualification, insurance, social security, income, dependents, occupational health data, are examples of personal data that we need to process in order to fulfill contracts, to comply with legal and regulatory obligations, to promote security checks to protect the interests of the data subject and third parties, as well as for legitimate activities of the company.

The PERSONAL DATA of our employees processed by OMNI are those strictly necessary for the purpose of each processing, in particular for the fulfillment of the contract, to comply with a legal or regulatory obligation, to ensure the security of the data subject and third parties and so that we can regularly exercise our rights in administrative, judicial or arbitration proceedings, as appropriate.

Therefore, when we hire an employee, we establish with them, through the contract and/or its annexes, the specific rules that, in addition to this Notice, will govern the processing of their personal data.

In summary, we process personal data for a variety of purposes:

● Serving our Clients well:
• Manage their contract and fulfill their bookings and trips;
• Manage passenger data indicated by the Client;
• Manage third-party products and services when part of and necessary to the provision of OMNI's services';
• Prior collection and transmission about passengers for the safety of all involved, as well as for the correct fulfillment of our legal obligations;
• Obtain authorization to travel;
• Handle incidents related to contracted flights;
• Communicate with the CLIENT themselves and, where necessary, with the other passengers informed

● Quality Management of Services Provided: • Analyze statistical data, safety data, suggestions, requests and complaints made by our clients and passengers.

Manage our business: • Investigate and handle events that may disrupt the proper provision of our services;
• Detect, monitor and prevent fraud;
• Collaborate with fraud detection and risk analysis procedures legitimately promoted by our CLIENTS;
• Respond to requests from data subjects regarding the exercise of their rights according to the LGPD;
• Generate financial, audit, commercial and other reports strictly related to our operation;
• Respond to lawful requests for information from public authorities;
• Respond to media inquiries or press releases.
Manage collected cookies:
● For more information on which cookies we use and for what purposes, please refer to our Terms of Use of Cookies.

These are just a few examples that show how our activities need to use personal data, legitimately and within your expectations. This list of data may vary according to the specific purpose or a legal requirement and its collection is preceded by informed consent and, whenever the data subject deems it necessary, we will be ready to provide the additional clarifications that they need.

We are deeply committed to compliance with the rules governing the privacy, protection and processing of personal data, and this Privacy Notice is the summary of such commitment.

INFORMATION + ACCOUNTABILITY

3. Who is responsible for the processing of personal data?

Processing agent is an individual or legal entity, whether governed by public or private law, which carries out personal data processing activities, either as Controller, who is responsible for decisions relating to the processing of personal data, or as Operator, who carries out the processing of personal data on the Controller's behalf.

Our Policy on the Privacy, Protection and Processing of Personal Data applies to the personal data that OMNI, as CONTROLLER, collects and uses for the fulfillment of one or more legitimate and legally permitted purposes, related, necessary and/or useful to conduct its activities, always considering the premise of minimum data collection and only when the intended processing so justifies.

We are an air transport company that operates mainly in Brazil and thus subject to Brazilian privacy and data protection laws, which is why our personal data processing processes are based in accordance with the principles, guidelines, rules and regulations issued by the Brazilian authorities, in particular, by the National Data Protection Authority (Autoridade Nacional de Proteção de Dados – \“ANPD\”).

Occasionally, OMNI also acts as OPERATOR in the processing of personal data at the request of our CLIENTS, when necessary for the fulfillment of the terms contracted, or by determination of the Government, through laws and regulations. Especially in these cases, the processing of personal data will be subject to the rules defined by the third-party Controller, and OMNI, as OPERATOR, is limited to complying with the lawful rules and determinations requested by the Controller.

4. Under what legal bases do we process personal data?

According to the LGPD (General Personal Data Protection Law - Law No. 13.709/2018), for the processing of personal data to be lawful, it needs to be based on one of the established legal bases. In the case of our activities, we previously classify each type of processing we carry out, verifying the appropriate legal basis for such.

Our personal data processing procedures are diverse and take place on one of the following grounds:

● where necessary, upon consent of the data subject
● for compliance with a legal or regulatory obligation by the controller;
● for the fulfillment of a contract or preliminary proceedings relating to a contract to which the data subject is a party;
● for the regular exercise of rights in judicial, administrative or arbitration proceeding;
● for the protection of the life or physical well-being of the data subject or a third party;
● when necessary to meet our legitimate interests or those of a third party;
● for credit protection.

5. Do we share personal data?

The PERSONAL DATA processed by us preferably takes place in our own systems and files. However, there are times where we need to share data with the Government, with our Clients and with service providers who assist us, for example, in storing, verifying authenticity, complying with legal obligations, defending our rights in lawsuits.

In these cases, we are very careful to require these companies and professionals to state their commitment to the privacy, protection and processing of the personal data and to adopt the best governance and security practices, ensuring the integrity of our Policy on the Privacy, Protection and Processing of Personal Data

Some situations in which the sharing of personal data and its purposes may occur are

● With our data hosting service providers;
● With our document storage providers;
● With our external auditors;
● With health plan operators
● With companies providing asset security, authentication and registration validation services;
● With financial institutions and means of payment companies
● Use of Social Media: Some of our digital interactions, such as websites and social media profiles, allow you to register by logging into your account through a third-party service, such as your Facebook or Google profile. However, it is up to the personal data subject to decide whether or not to interact with us through these platforms and to know that each of them has its own policies and practices, over which we have no control or responsibility;
● With data companies, for some key purposes such as to prevent fraud, assist us in secure contracting, promote the protection of our employees and cargos we store;
● With Public Authorities, for compliance with laws and regulations;

If you have questions and need more information about the sharing of personal data by OMNI, we are available to assist you through our service channel privacidade@omnibrasil.com.br.

6. What are the rights of personal data subjects?

As the subject of one or more personal data processed by OMNI, you have the right to:

● Request confirmation as to whether or not your personal data is being processed;
● Access the data being processed, by means of a report provided to the data subject themselves or their representative with the powers to do so;
● Request the correction of incomplete, inaccurate or outdated data
● Request the anonymization, blocking or deletion of unnecessary, excessive data or data processed in breach of the provisions of this Law;
● Request data portability to another service provider, where applicable, upon express request, in accordance with the regulations of the national authority and observing commercial and industrial secrets;
● In the case of data processing being carried out under the legal basis of CONSENT, revoke said consent and request that the processing ceases with the deletion of the personal data processed, except in the cases provided for in Art. 16 of the LGPD;
● Information on the public and private entities with which OMNI has shared data.

OMNI will respond in compliance with the legal deadlines, on average 15 days, to the requests of the data subjects. For legal reasons, some requests may not be granted and we will inform you of the reasons for any refusal.

7. Do we promote the international transfer of your data?

As information technology companies operate globally, some processing, such as cloud storage, may require the transfer of your data to other countries.

Furthermore, some management information is shared with the holding company based abroad, as strictly necessary to comply with legal and corporate obligations. This may exceptionally occur in the case of service to foreign CLIENTS and airport authorities.

Even in these cases, the data continues to be processed in accordance with the LGPD (General Personal Data Protection Law) and other applicable laws and regulations. OMNI takes appropriate security measures and requires equal commitment from its suppliers, partners, consortium members and service providers in order to meet the best practices in data processing.

8. How long will we keep your personal data?

We store the personal data of subjects for as long as the registration remains active, such as during the term of the contract, for example. Once your relationship with us has ended, we will still keep the data for the time strictly necessary to comply with our legal and regulatory obligations and to defend our rights in court, in accordance with the rules on limitation and peremption of Brazilian legislation.

9. What is our responsibility for the personal data we process?

In the processing of data in which OMNI is the CONTROLLER, we are guided by the good practices of security established by the competent authority, adopting security, technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or unlawful processing.

We abide by the guidelines established by the ANPD, always taking reasonable care to avoid any incident. Our commitment to adopting the best practices does not, however, prevent failures from occurring, due to fortuitous events or force majeure, in particular due to criminal actions by third parties.

Whenever we find any failure, we will take the appropriate and necessary measures to correct and restrain the effects, in collaboration with the Public Authorities and with transparency.

10. Specific Privacy Terms

This Privacy Notice is generally applicable to OMNI. However, other Terms of Use and specific privacy policies may be provided for certain services and activities that we carry out. In the event of any conflict between this Notice and any other more specific Term or Policy, the more specific Term or Policy shall be considered.

11. What if there is a change in the Policy on the Privacy, Protection and Processing of Personal Data?

Considering the continuous evolution of information technology and the best practices of security, as well as the possible issue of new laws and regulations, this Privacy Notice may undergo updates to reflect the improvements made. We, therefore, recommend that you visit this page regularly to keep up to date with any modifications.

12. How to contact us about your personal data?

The Data Protection Officer is responsible for acting as a communication channel between the controller, the data subjects and the National Data Protection Authority (ANPD). You can contact them by email: privacidade@omnibrasil.com.br.

This Notice is governed by, construed and enforced in accordance with the Laws of the Federative Republic of Brazil, especially Law No. 13.709/2018, regardless of the Laws of other states or countries. It is hereby elected the Jurisdiction of the Capital of Rio de Janeiro as sole competent to settle any doubt arising from this instrument.