Privacy Notice

("Notice")

We are OMNI TáxiAéreo S/A (“OMNI” or “OTA”), a private legal entity, registered with the CNPJ under no. 03.670.763/0001-38, headquartered at Av. Ayrton Senna, 2.541, RUA F1 LOTE 40 E HANGARES 35 E 42, Barra da Tijuca, Rio de Janeiro-RJ, CEP No. 22.775-002.

We are a civil aviation company focused on serving clients in the air transportation segment, serving both legal entities and individuals (“CLIENTS”), offering offshore and onshore air transportation solutions throughout the Brazilian territory, as well as external cargo transportation and aeromedical transportation services.

Our commitment to quality and safety is present in all sectors of the company, so much so that in 2009 we became the first air cab company in Brazil to receive ISO 9001, ISO 14001 and OHSAS 18001 certifications. In addition, rigorous auditing programs have confirmed the quality of OMNI's services, whether in customer service, flight operations or aircraft maintenance, an area in which we have received RBAC 145 approval.

With the advent of the Brazilian General Personal Data Protection Law, Federal Law No. 13,709/2018 (“LGPD”), we reaffirm our commitment to quality and security, also in relation to the privacy, protection and processing of personal data that we carry out, when necessary for the proper and legitimate performance of our activities.

Therefore, in order to better meet our commitment to the privacy, protection and processing of personal data, we clarify the details of our Privacy Notice below. First of all, we need to clarify some of the terms used in our Notice:

1. What PERSONAL DATA and SENSITIVE PERSONAL DATA are and who is considered the HOLDER of such data.

Personal data is information relating to an identified or identifiable natural person, such as your CPF, ID or Passport, for example.The holder of personal data is therefore the natural person to whom the personal data being processed relates, and this Privacy Notice does not apply to information about legal persons or legal entities in general.

Another important point is that not all data used by us, at OMNI, will be considered personal data for the purposes of the LGPD, since only information that allows us to know exactly who the data subject is can be considered personal data. When the data cannot be associated with a specific data subject, it is not classified as personal data.

Some personal data is more sensitive than others, as the information they contain may involve a higher risk of exposure to discriminatory and/or unlawful practices, also resulting in greater vulnerability for the data subject.

Therefore, the LGPD created a special category of data and named it sensitive personal data. Brazilian legislation considers sensitive any personal data regarding racial or ethnic origin, religious beliefs, political opinions, membership in a union or an organization of a religious, philosophical or political nature, data concerning health or sex life, genetic or biometric data, when linked to a natural person.

In our regular activities, we process both general personal data and the so-called sensitive personal data, which we do at various times and for different purposes, but always with a common commitment: to use the least amount of personal data possible, with transparency and with security measures appropriate to the sensitivity level of each data point.

MINIMIZATION + TRANSPARENCY + SECURITY + ADEQUACY

2. Which personal data does OMNI process and why?

We are an air transport company focused mainly on the corporate segment, in other words, we primarily serve legal entities, but we also serve natural person clients. In both cases, when transporting passengers, we need to identify the natural persons who travel with us and who are the direct data subjects of the personal data shared with us.

However, although our core business does not aim to collect, process, or share personal data as a business model, we do indeed need to carry out numerous personal data processing operations in order to efficiently and safely fulfill our core activity.

Processing of Personal Data of CLIENTS (Legal Entities):

As we are a company primarily focused on providing air transport services to legal entities, most of our clients’ registration data is not considered personal data for the purposes of the LGPD.

However, in situations where it is necessary to collect and process personal data of our clients’ representatives and employees, or when the client is a natural person, the Company will act transparently and apply to such data the same principles of necessity, transparency, purpose, adequacy, security, and accountability summarized in this Privacy Notice.

Processing of Personal Data of PASSENGERS:

The need to process the Personal Data of our passengers aims not only to ensure their proper identification but also to comply with requirements established by airport authorities. The main Personal Data collected and processed are: name, nationality, profession, and identification document, and, at certain boarding points, biometric data as well.

In addition to this Personal Data, in order to ensure flight safety and compliance with the aircraft’s capacity, we also collect certain Sensitive Personal Data, such as: the passenger’s weight andheight, which are processed solely for this purpose.

Data collection occurs through the prior submission of the passenger list by our CLIENT and/or through the information provided directly by the PASSENGER via exclusive-access portals, systems, or applications,in which the specific Terms of Use are made available.

In the specific case of the use of biometric data for access control to restricted areas at certain boarding points, such as at Jacarepaguá Airport, Rio de Janeiro - RJ, the entire processing is based on the legal grounds of Article 11, items “d” and “e” of the LGPD, respectively for the purposes of: ensuring the protection of the rights of OMNI, the crew, and other passengers by allowing access to the restricted boarding area only to duly authorized individuals, thereby more effectively safeguarding the security and integrity of all persons entering the area.

At boarding points where facial recognition technology is used, biometric facial data is collected by OMNI at the time of the data subject’s registration, when they request access to the boarding area. The collected data is stored on OMNI’s own server and used exclusively for access control purposes; it is neither shared with third parties nor processed for any other purpose.

Processing of Personal Data of EMPLOYEES:

In the course of our economic activity, we need to hire natural persons to perform a wide range of duties, from the flight crew operating the aircraft to the maintenance team, security, information technology, human resources, engineering, commercial, financial, legal, and many other professionals essential to the proper provision of our services.

Thus, the personal data of our employees, service providers, business partners, and collaborators in general related to their identification, qualifications, social security, pension, income, dependents, and occupational health data, are examples of personal data we need to process in order to fulfill contracts, comply with legal and regulatory obligations, carry out security checks to protect the interests of the data subject and third parties, as well as for the company’s legitimate activities.

The PERSONAL DATA of our collaborators that is processed by OMNI is limited strictly to what is necessary for each processing purpose, especially for the performance of the contract, compliance with legal or regulatory obligations, ensuring the safety of the data subject and third parties, and for the regular exercise of our rights in administrative, judicial, or arbitration proceedings, as applicable.

For this reason, when we hire a collaborator, we establish with them through the contract and/or its annexes the specific rules that, in addition to this Notice, will govern the processing of their personal data.

In summary, we process personal data for a variety of purposes:

● To properly serve our Client:
• Manage the contract and fulfill reservations and travel; oManage data of passengers indicated by the Client;
• Manage third-party products and services when they are part of and necessary for OMNI’s service provision;
• Collect and share advance information about passengers to ensure the safety of everyone involved, as well as to meet our legal obligations properly;
• Accurately identify each passenger, crew member, employee, or third party who needs access to certain restricted areas, including boarding points;
• Obtain travel authorization;
• Handle events or incidents related to the contracted flights;
• Communicate with the CLIENT directly and, when necessary, with the other indicated passengers.

● To manage the Quality of Services Provided: • Analyze statistical data, safety data, and suggestions, requests, and complaints made by our clients and passengers.

To manage our business: • Investigate and address events that may disrupt the proper provision of our services; oDetect, monitor, and prevent fraud;
• Collaborate with fraud detection and risk analysis procedures legitimately carried out by our CLIENTS;
• Respond to data subjects' requests regarding the exercise of their rights in accordance with the LGPD; o Generate financial, audit, commercial, and other reports strictly related to our operations;
• Respond to information requests legally submitted by public authorities; oRespond to media inquiries or issue press releases;
Manage collected cookies:
● For more information about which cookies we use and for what purposes, please refer to our Cookie Use Policy.

These are just some examples that illustrate how our activities require the use of personal data, in a legitimate manner and within the expectations of the data subjects. This list of data may vary depending on the specific purpose or a legal requirement, and its collection is preceded by proper notice and, whenever the data subject deems it necessary, we are ready to provide any additional clarifications required.

We have a strong commitment to complying with the rules that govern privacy, protection, and processing of personal data, and this Privacy Notice is a summary of that commitment.

INFORMATION + ACCOUNTABILITY

3. Who is responsible for processing personal data?

A data processing agent is a natural or legal person, whether public or private, who carries out personal data processing activities, either as a Controller, who is responsible for the decisions regarding the processing of personal data, or as a Processor, who carries out the processing on behalf of the Controller.

Our Privacy, Protection, and Personal Data Processing Policy applies to the personal data that OMNI, in its role as a CONTROLLER, collects and uses for one or more legitimate and legally permitted purposes, which are related, necessary, and/or useful to the performance of its activities, always observing the principle of minimal data collection and only when the intended processing is truly justified.

We are an air transport company operating mainly in Brazil and, therefore, we are subject to Brazilian data protection and privacy laws. For this reason, our personal data processing activities are guided by the principles, guidelines, rules, and regulations issued by Brazilian authorities, particularly the National Data Protection Authority (ANPD).

Occasionally, OMNI may also act as a PROCESSOR in the processing of personal data upon request from our CLIENTS, when necessary to fulfill contractual obligations or as determined by public authorities through laws and regulations. In such cases, the processing of personal data will be subject to the rules defined by the third-party Controller, and OMNI, acting as PROCESSOR, will comply only with lawful instructions and determinations provided by the Controller.

4. On what legal grounds do we process personal data?

According to the LGPD (General Data Protection Law - Law No. 13,709/2018), the processing of personal data must be based on one of the legal grounds established in the legislation to be considered lawful. In our operations, we assess each type of processing in advance to determine the appropriate legal basis for carrying it out.

We have various personal data processing activities, and each is carried out based on one of the following legal grounds:

● When necessary, with the data subject’s consent;
● For compliance with a legal or regulatory obligation by the controller;
● For the performance of a contract or preliminary procedures related to a contract to which the data subject is a party;
● For the regular exercise of OMNI’s rights, including in judicial, administrative, or arbitral proceedings;
● For the protection of life or physical safety of the data subject or third parties;
● When necessary to serve our legitimate interests or those of a third party;
● For the protection of credit

5. Do we share personal data?

The PERSONAL DATA we process is preferably stored and handled in our own systems and files. However, in some cases, we must share data with public authorities, our Clients, and service providers who assist us in storage, authentication, compliance with legal obligations, or in the defense of our rights in legal proceedings, for example.

In such cases, we take all necessary measures to ensure that these companies and professionals formally commit to respecting privacy, protecting personal data, and adopting best practices in governance and security, thereby maintaining the integrity of our Privacy, Protection, and Personal Data Processing Policy.

Some situations in which personal data may be shared, along with their respective purposes, include:

● With our data hosting service providers;
● With our document storage providers;
● With our external auditors;
● With health insurance providers;
● With companies providing physical security services, authentication, and identity verification;
● With financial institutions and payment processing companies;
● Use of Social Media: Some of our digital interactions such as websites and social media profiles allow you to log in using third-party services, such as your Facebook or Google account. However, it is up to the data subject to choose whether to interact with us through those platforms, and each of them has its own policies and practices, over which we have no control or responsibility;
● With data companies, for essential purposes such as fraud prevention, secure hiring processes, and to protect our employees and stored cargo;
● With Public Authorities, to comply with applicable laws and regulations.

If you have questions and need more information about the sharing of personal data by OMNI, we are available to assist you through our service channel privacidade@omnibrasil.com.br.

6. What are the rights of personal data subjects?

As the subject of one or more personal data processed by OMNI, you have the right to:

● Request confirmation as to whether or not your personal data is being processed;
● Access the data being processed, by means of a report provided to the data subject themselves or their representative with the powers to do so;
● Request the correction of incomplete, inaccurate or outdated data
● Request the anonymization, blocking or deletion of unnecessary, excessive data or data processed in breach of the provisions of this Law;
● Request data portability to another service provider, where applicable, upon express request, in accordance with the regulations of the national authority and observing commercial and industrial secrets;
● In the case of data processing being carried out under the legal basis of CONSENT, revoke said consent and request that the processing ceases with the deletion of the personal data processed, except in the cases provided for in Art. 16 of the LGPD;
● Information on the public and private entities with which OMNI has shared data.

OMNI will respond in compliance with the legal deadlines, on average 15 days, to the requests of the data subjects. For legal reasons, some requests may not be granted and we will inform you of the reasons for any refusal.

7. Do we promote the international transfer of your data?

As information technology companies operate globally, some processing, such as cloud storage, may require the transfer of your data to other countries.

Furthermore, some management information is shared with the holding company based abroad, as strictly necessary to comply with legal and corporate obligations. This may exceptionally occur in the case of service to foreign CLIENTS and airport authorities.

Even in these cases, the data continues to be processed in accordance with the LGPD (General Personal Data Protection Law) and other applicable laws and regulations. OMNI takes appropriate security measures and requires equal commitment from its suppliers, partners, consortium members and service providers in order to meet the best practices in data processing.

8. How long do we store your personal data?

We store personal data for as long as the registration remains active — for example, during the term of the contract. Once your relationship with us ends, we will retain the data only for the period strictly necessary to comply with our legal and regulatory obligations and to defend our rights in court, in accordance with Brazilian statutes of limitation and prescription laws.

In the specific case of processing facial biometric data for identification and access to restricted boarding areas, deletion will depend, case by case, on the necessity and/or obligation to retain the record, up to a period of two (2) years, during which the data subject's registration remains active. After this period, the data will be deleted, and if access is needed again, a new registration will be required.

9. What is our responsibility regarding the personal data we process?

This Privacy Notice applies generally to OMNI. However, specific Terms of Use and Privacy Policies may be applicable to certain services and activities we provide. In the event of a conflict between this Notice and any more specific Term or Policy, the more specific Term or Policy shall prevail.

10. Specific Privacy Terms

This Privacy Notice is generally applicable to OMNI. However, other Terms of Use and specific privacy policies may be provided for certain services and activities that we carry out. In the event of any conflict between this Notice and any other more specific Term or Policy, the more specific Term or Policy shall be considered.

11. What if there are changes to the Privacy, Data Protection, and Processing Policy?

Given the continuous evolution of information technology and security best practices, as well as the possible enactment of new laws and regulations, this Privacy Notice may be updated to reflect the improvements made. Therefore, we recommend periodic visits to this page so you can stay informed about any changes.

12. How can you contact us regarding your personal data?

The data protection officer is responsible for acting as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD). You can contact the officer via email:privacidade@omnibrasil.com.br.

This Notice is governed by, interpreted under, and enforced in accordance with the laws of the Federative Republic of Brazil, especially Law No. 13.709/2018, regardless of the laws of other states or countries. The court of the capital of Rio de Janeiro is hereby elected as the sole competent venue for resolving any issues arising from this document.

Published on April 7, 2025. Last update of this page on April 28, 2025.