Policy for the Treatment of Personal Data

THE SERVICE PROVIDER informs the Owners of Personal Data that the service provider has this information processing policy, complying with the Law. The main purpose of this Policy is to inform the Owners of Personal Data about their rights, the procedures and mechanisms established by the service provider to enforce those rights of the Owners, and to inform them of the scope and purpose of the Treatment to which the Personal Data will be subject if the Owner gives their express, prior, and informed consent. The service provider also reaffirms its commitment to the various stakeholder groups with whom it interacts, and to the manifest interest of respecting all their rights, especially their right to Habeas Data, privacy, and other related rights.


General Provisions

ARTICLE ONE: DEFINITIONS. The following definitions are related to the meaning that should be given to the terms in this document.

a) Authorization: It is the prior, express, and informed consent of the Owner to carry out the Treatment of their personal data.

b) Database: It is the set of personal data that are subject to Treatment regardless of the modality thereof.

c) Financial Data: It refers to any Personal Data related to the birth, execution, and extinction of monetary obligations, regardless of the nature of the contract that gives rise to them, and whose Treatment is governed by the corresponding regulations.

d) Personal Data: It is any information related to or that can be related to a natural person.

e) Public Data: It is the data that the law designates as such or that is recorded in records, certificates, documents, or databases with a public character.

f) Sensitive Data: It is the personal data related to the privacy of the Owner or that may give rise to discrimination or differential treatment. Biometric data also fall into this category.

g) Data Processor: It is the natural or legal person, whether public or private, who, by itself or in association with others, carries out the Treatment of Personal Data on behalf of the Data Controller.

h) Authorized: It is the person and their dependents who, by virtue of the Authorization and these Policies, have legitimacy to Process the Personal Data of the Owner. The Authorized includes the category of Enabled individuals.

i) Enablement: It is the authorization expressly and in writing, through a contract or a document serving as such, granted by the service provider to third parties, in compliance with the applicable law, for the Treatment of Personal Data, thereby turning such third parties into Data Processors of the Personal Data provided or made available.

j) Data Controller: It is the person authorized by the Owner who manages and makes decisions regarding the Database.

k) Owner: It is the natural person to whom the data contained in the Database refer, and who is the object of protection under the Law and related regulations.

l) Transfer: It is the communication of personal data between the Processor and the data controller.

m) Transmission: It is the activity of Processing Personal Data through which they are communicated, internally or to third parties, within or outside the country, when such communication is intended for the performance of any activity involving the Processing of personal data.

n) Treatment of Personal Data: It refers to any activity aimed at processing Databases, as well as their transfer to third parties.

ARTICLE TWO: OBJECT. The Policy for the Treatment of Databases and Information aims to develop the procedure for collecting, storing, using, and performing any activity on personal data, as well as the other constitutional rights, freedoms, and guarantees; as well as the right to information about it, as stipulated by the law and other related regulations.

ARTICLE THREE: SUBJECT TO LEGAL PROVISIONS. The service provider declares that the guidelines for the processing of personal data will be those established by the current regulations in the field.

ARTICLE FOUR: PURPOSES OF THE COLLECTED DATA. All data collected by the service provider are intended to: i) Generate and manage the collection of all necessary information for the fulfillment of tax, commercial, civil, labor, legal obligations, and, in general, any obligation related to the service provider. ii) Manage the business concerning its clients, suppliers, shareholders, and other stakeholders. Regarding clients, the collected information can be used, without limitation, for the delivery of information to financial entities for financial services management, customer loyalty, customer service management, advertising, marketing, commercial management and contact, contacts for informational emails, physical and email correspondence, portfolio management, offer of real estate buying, renting, and exchanging, receipt and sending of real estate offers, transfer of information for contractual purposes, update or correction of real estate data, information about our business partners, making calls (call center) for administrative, commercial, and advertising purposes, and, in general, any information related to the activity that involves contracts between the parties. Additionally, it aims to develop technologies, services, or plans that represent a better service for the clients. iii) Comply with legal and contractual obligations of the service provider. iv) Act within the framework of legal requirements to verify the legal nature and situation of certain clients, contractors, or suppliers. v) Preserve physical or digital records for the legally required period so that they can be subsequently consulted by the Data Subject or an authority. vi) Transfer and transmit databases when necessary to fulfill collection actions, credit processing, legal actions, and other purposes provided for in this section. vii) Manage employee information related to payroll, social management, social security, selection processes, contractual integration, and employee well-being. ix) Carry out any other activities necessary for the effective provision of any usual or occasional services provided by the service provider.

ARTICLE FIFTH: PRINCIPLES. The principles indicated in this article are the guidelines that will be respected by the service provider in the processes of collection, storage, use, and management of personal data:

Principle of legality regarding the processing of personal data: The processing referred to in this Policy is an activity regulated by law, which must adhere to what is established in it and in other provisions that develop it.

Principle of purpose: The processing is carried out in accordance with the purposes established in Article Four of this document.

Principle of freedom: The processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that exempts consent.

Principle of accuracy: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable.

Principle of transparency: The Data Subject’s right to obtain information about the existence of data concerning them from the data controller or data processor must be guaranteed at any time and without restrictions.

Principle of restricted access and circulation: The processing of personal data and Databases may only be carried out by the service provider or by those delegated by them according to the authorization provided by the Data Subject. Personal data may not be available in public access media or mass dissemination. In case of being stored in the cloud, software, or similar mechanisms, access will be restricted and will not be public.

Principle of security: The service provider will provide minimum security conditions to protect the information contained in its Databases. For this purpose, basic archiving measures will be implemented for physical documents, and digital security systems such as antivirus and/or cloud storage will be used for digital files.

Principle of confidentiality: As a general rule, and except as provided by law, the respective contract, or this Policy (with the Data Subject’s authorization in the last two cases), the information and personal data will be treated as confidential.


Rights and Duties

ARTICLE SIX: RIGHTS OF THE DATA SUBJECT. According to the Law, Data Subjects have the following rights: i) To know, update, and rectify their Personal Data in the possession of the service provider or the Data Processors. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, misleading, or unauthorized data processing; ii) To request proof of the Authorization granted to the service provider, unless the Law states that such Authorization is not necessary; iii) To submit requests to the service provider or the Data Processor regarding the use that has been made of their personal data, and to receive such information; iv) To file complaints with a competent control authority for violations of the Law; v) To revoke their Authorization and/or request the deletion of their Personal Data from the databases of the service provider when the Superintendence of Industry and Commerce has determined, through a definitive administrative act, that the service provider or the Data Processor has engaged in conduct contrary to the Law or when there is no legal or contractual obligation to keep the personal data in the database of the Data Controller; vi) To request access and access, free of charge, their personal data that have been subject to processing in accordance with the Law; vii) To be informed in advance and efficiently of any modifications to the terms of this Policy or, if applicable, the new information processing policy; viii) To have easy access to the text of this Policy and its modifications; ix) To have easy and straightforward access to the personal data under the control of the service provider in order to effectively exercise the rights granted to Data Subjects by the Law; x) To know the department or person authorized by the company to whom complaints, inquiries, claims, and any other requests regarding their personal data can be submitted.

Data Subjects may exercise their rights under the Law and follow the procedures established in this Policy by presenting their original identification document. Minors may exercise their rights personally or through their parents or legal guardians, who must provide the relevant documentation to demonstrate their status. Likewise, the legal successors who can prove such status, the representative and/or attorney-in-fact of the data subject with the corresponding accreditation, and those who have made a stipulation for another person’s benefit may exercise the rights of the Data Subject. Requests may be submitted physically or via email using the contact information provided in the header.

ARTICLE SEVEN: DATA PROCESSOR AND DATA CONTROLLER. The service provider will directly act as both the Data Controller and the Data Processor of personal data, and may delegate any department or unit within the organization for these purposes. In general, the service provider commits to: i) Receive requests from Data Subjects, process, and respond to those that are based on the Law or this document, such as requests for updating personal data, requests to know personal data, requests for deletion of personal data when the Data Subject presents a copy of the decision from a competent control authority in accordance with the provisions of the Law, requests for information about the use of their Personal Data, requests to update Personal Data, requests for proof of granted Authorization when it has been required by the Law; ii) Provide responses to Data Subjects regarding requests that are not compliant with the Law. The contact details of the service provider are indicated in the corresponding section.



ARTICLE EIGHT: DATA SUBJECT’S PROTECTION MECHANISMS. The data subject may exercise their rights by following the procedures outlined below:

8.1. Inquiries: The service provider shall provide mechanisms for the Data Subject, their legal successors, representatives and/or attorneys-in-fact, those who have stipulated for the benefit of another or on behalf of another, and/or representatives of minor Data Subjects to submit inquiries regarding the personal data of the Data Subject that are held in the company’s databases.

Regardless of the means used, the service provider shall keep evidence of the inquiry and its response. a) If the requester has the capacity to submit the inquiry, in accordance with the accreditation criteria established by the Law, the service provider shall collect all the information about the Data Subject contained in the individual record of that person or linked to the identification of the Data Subject within the company’s databases and shall disclose it to the requester. b) The Data Controller responsible for handling the inquiry shall respond to the requester as long as they have the right to do so as the Data Subject, their legal successor, attorney-in-fact, representative, if stipulated by another party or on behalf of another, or as the legal guardian in the case of minor Data Subjects. This response shall be sent within ten (10) business days from the date the request was received by the service provider. c) If the request cannot be addressed within ten (10) business days, the requester shall be contacted to communicate the reasons why their request is still being processed. The same means of communication or a similar one to the one used by the Data Subject to submit their request shall be employed for this purpose. d) The final response to all requests shall not take more than fifteen (15) business days from the date the initial request was received by the company.

8.2. Claims: The service provider has mechanisms in place for the Data Subject, their legal successors, representatives and/or attorneys-in-fact, those who have stipulated for the benefit of another or on behalf of another, and/or representatives of minor Data Subjects to submit claims regarding (i) personal data processed by the company that should be corrected, updated, or deleted, or (ii) the alleged non-compliance with the legal duties of the company. The claim shall be submitted by the Data Subject, their legal successors, or representatives, or those duly accredited in accordance with the Law, as follows:

  • It shall be addressed to the service provider electronically to the email address provided in the relevant section, or physically to the address provided by the company.
  • It shall include the name and identification document of the Data Subject.
  • It shall contain a description of the facts giving rise to the claim and the objective pursued (updating, correction or deletion, or compliance with duties).
  • It shall indicate the address and contact information and identification of the claimant.
  • It shall be accompanied by all the documentation that the claimant wishes to submit.

8.2.1 Before addressing the claim, the service provider shall verify the identity of the Data Subject, their representative and/or attorney-in-fact, or the accreditation of stipulation by another party or on behalf of another. For this purpose, the original citizenship card or identification document of the Data Subject, as well as the specific or general powers of attorney or other documents required according to the case, may be requested.

8.2.2 If the claim or additional documentation is incomplete, the service provider shall request the claimant, only once, within five (5) days following the receipt of the claim, to rectify the deficiencies. If the claimant does not provide the requested documentation and information within two (2) months from the date of the initial claim, it will be understood that they have withdrawn the claim.

8.2.3 Once the claim with the complete documentation is received, a note stating “claim in process” and the reason for it shall be included in the service provider’s database where the Data Subject’s data subject to the claim is stored, within a term not exceeding two (2) business days. This note shall be maintained until the claim is decided.

8.2.4 The maximum period to address the claim shall be fifteen (15) business days, counted from the day following the date of its receipt. If it is not possible to address the claim within this term, the interested party shall be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case shall exceed eight (8) business days following the expiration of the initial term.

EFFECTIVENESS. This Policy shall be effective as of July 1, 2017. Personal data that are stored, used, or transmitted shall remain in our Database, based on the criteria of temporality and necessity, for the time necessary for the purposes mentioned in this Policy, for which they were collected.

The email address is [email protected].