Your Business Is About To Get Smarter

VINDAM S.A.S., a commercial company legally constituted and registered with the Cali Chamber of Commerce, under the laws of the Republic of Colombia, identified with NIT 901998930-6, located at Avenida 3ra C norte #42-73, Cali - Valle del Cauca, hereinafter referred to in this document as THE COMPANY, with email ceo.vindam@gmail.com, pursuant to the provisions of current regulations regarding personal data protection, namely Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, and even the new regulatory compendium of Decree 1074 of May 26, 2015, allows itself to bring to the knowledge of the public interest, its clients, employees, allies, collaborators, and suppliers its INFORMATION AND PERSONAL DATA TREATMENT POLICY (PTIDP). With this document, the objective is to inform the holders of their personal data, state entities, private entities, and interested third parties, of the treatment that THE COMPANY will give to these when they are in its possession. Likewise, the processes for access to information, claims, requests, complaints, or claims regarding the handling of such information in light of the Constitution, the Law, and Jurisprudence. I. APPLICABLE REGULATORY FRAMEWORK The legal framework of this PTIDP of THE COMPANY is established primarily in the Political Constitution of Colombia, in its articles 15 and 20, which determine the right to information, liberties, and guarantees of all citizens regarding their personal data. Secondly, the provisions of Statutory Law 1581 of 2012, through which general provisions for the protection of information and personal data are dictated. Thirdly, the regulatory provisions established by the National Government in Decrees 1377 of 2013, Decree 886 of 2014, and even the new Decree 1074 of May 26, 2015; As well as in the Decrees that subsequently became Laws following the framework of the Pandemic generated by COVID-19 such as Law 2213 of 2022. II. OBJECT This PTIDP complies with articles 17 and 18 of Law 1581 of 2012, as well as what is determined by articles 2.2.2.25.3.1, 2.2.2.25.3.2, and 2.2.2.25.3.3 of Decree 1074 of 2015. In this sense, the object of this document or the regulations stipulated here is to establish the parameters for the handling of personal data by VINDAM S.A.S. and that, in turn, all holders, State entities, private companies, or interested third parties have full knowledge of the treatment and, in the case of holders or authorities, the purposes given to their data once obtained by any of our dependencies. III. DEFINITIONS AND CONCEPTS • Authorization: Prior, express, and informed consent supplied by the holder of the information and personal data, which may be granted to THE COMPANY so that it can develop the purposes established in its PTIDP. • Database: The organized set of personal data that will be subject to treatment by THE COMPANY, taking into account what is established in the PTIDP. • Sensitive data: Sensitive data must be understood as established in Article 5 of Law 1581 of 2012, that is, those data that affect the privacy of the holders or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual and reproductive life, and biometric data. • Personal data: Understood as any information linked or that can be associated with one or several specific or determinable natural persons. • Public data: Understood as public data that which is not consecrated by the constitution or the law as semi-private, private, or sensitive. That is, among others, those relating to the civil status of persons, their profession, trade, and their quality as a merchant or public servant are considered public data. In general, any data that can be obtained without any reservation. Public data may be contained, among others, in public records, public documents, gazettes, and official bulletins, as well as in duly executed judicial sentences that are not subject to reservation by express legal provision. • Responsible for the treatment: Must be understood as any natural or legal person, public or private, who by itself or in association with others, decides on the databases and/or the treatment of personal data. Taking into account this PTIDP, the responsible for the treatment is THE COMPANY, by itself. • Person in charge of the treatment: Will be understood as any natural or legal person, public or private, who by itself or in association with others, carries out the treatment of personal data on behalf of the responsible for the treatment. In this case and in accordance with this Information and Personal Data Treatment Policy, the person in charge is THE COMPANY by itself; or third parties it delegates for these purposes. • Holder: Understood as any natural or legal person whose personal data is subject to treatment in the databases handled and administered by THE COMPANY. • Treatment: Must be understood as any operation or set of operations on personal data such as collection, storage, use, circulation, or deletion developed by THE COMPANY always in light of this PTIDP. • Transfer: Understood as the transfer of data between the responsible and/or person in charge of the treatment of personal data, located in Colombia, with a recipient outside the country who in turn will act through their respective responsible or person in charge. • Transmission: Understood as a modality of treatment of information and personal data that implies the communication of the same, internally within THE COMPANY or with external third parties, within or outside the territory of the Republic of Colombia, when its purpose is the realization of treatment activities by the person in charge who will receive them; However, all transmission must be done with the authorization of the responsible party. • Privacy notice: Understood as the verbal or written communication generated by the responsible for the treatment, directed to the holder of the information and personal data, through which they are informed about the existence of the PTIDP of THE COMPANY that will be applicable to them, the way to access them, and the purposes of the treatment intended to be given to their personal data and information by THE COMPANY. GUIDING PRINCIPLES OF THE PTIDP OF VINDAM S.A.S. • Principle of legality: The treatment referred to in Law 1581 of 2012 is a regulated activity that must be subject to what is established therein, Decree 1074 of 2016, Law 2213 of 2022, and other norms that develop, modify, or add to them. • Principle of purpose: The treatment must obey one or several legitimate purposes according to the Constitution and the Law, which must be informed to the holder. • Principle of freedom: The treatment can only be exercised with the prior, express, and informed consent of the holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent. • Principle of Truthfulness or Quality: The information subject to treatment must be truthful, complete, exact, updated, verifiable, and understandable. The treatment of partial, incomplete, fractioned, or misleading data is prohibited. • Principle of transparency: In the treatment, the right of the holder to obtain from our company, at any time and without restrictions, information about the existence of data concerning them must be guaranteed. • Principle of Access and Restricted Circulation: The treatment is subject to the limits derived from the nature of the personal data, the provisions of the Law, and the Constitution. In this sense, the treatment may only be done by persons authorized by the holder and/or by the persons provided for in the Law. Personal data, except public information, may not be available on the Internet or other means of mass disclosure or communication, unless access is technically controllable to provide restricted knowledge only to the holders or authorized third parties in accordance with the law. • Principle of security: The information subject to treatment by THE COMPANY must be handled with the technical, human, and administrative measures necessary to provide security to the records, preventing their adulteration, loss, consultation, use, or unauthorized or fraudulent access. • Principle of Confidentiality: All persons involved in the treatment of personal data that do not have the nature of public are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks that comprise the treatment, being able only to supply or communicate personal data when this corresponds to the development of the activities authorized in the Law and in the terms thereof. IV. SCOPE OF APPLICATION. The PTIDP will be applicable to the treatment that all officials, collaborators, workers, allies, and shareholders of THE COMPANY must give to the information and personal data administered by it. However, branches, subsidiaries, and third parties, to which by virtue of the purposes of the databases, have access to them, must also proceed in accordance with what is established by the parameters of this PTIDP and in what is not provided therein to what is established in the Political Constitution of Colombia, Laws, and Jurisprudence. All the foregoing without prejudice to the legal and regulatory precepts that regulate these procedures generally in Colombia. V. PURPOSE OF THE TREATMENT OF INFORMATION AND PERSONAL DATA Through this PTIDP that regulates the treatment that will be given to personal data and information by the company, it is guaranteed that the information and personal data collected and administered by VINDAM S.A.S will be solely and exclusively for the development of activities directly linked to the corporate purpose of THE COMPANY. Specifically the following purposes: • Accounting, fiscal, and administrative management - Management of collections and payments; • Accounting, fiscal, and administrative management - Billing management; • Marketing; • Commercial distribution activities related to the purchase and sale of its services; • Advertising and commercial prospecting - Own advertising; • Advertising and commercial prospecting - Market segmentation; • Advertising and commercial prospecting - Decision support systems; • Data migrations and management thereof, without access to them; VI. RIGHTS OF THE HOLDERS OF THE PTIDP. In accordance with Article 8 of Statutory Law 1581 of 2012, which establishes the rights of data holders, THE COMPANY guarantees through this PTIDP, the exercise of the following rights of holders among others: • Request proof of the authorization granted to THE COMPANY in its capacity as responsible and in charge of the treatment, except when expressly excepted as a requirement for treatment, in accordance with the provisions of Article 10 of Law 1581 of 2012. • Be informed by THE COMPANY, in its capacity as responsible and in charge of the treatment, upon request, regarding the use that has been given to their personal data. • File complaints with the Superintendence of Industry and Commerce for violations of the provisions of the PTIDP, Law 1581 of 2012, and other norms that modify, add, or complement it once the requirement of procedibility established in this PTIDP has been exhausted. • Revoke the authorization and/or request the deletion of the personal data when in the treatment of those that THE COMPANY does not respect constitutional and legal principles, rights, and guarantees. In any case, said revocation and/or deletion will proceed only when the Superintendence of Industry and Commerce has determined that, in the development of treatment activities, the company has incurred in conduct contrary to Law 1581 of 2012 and the National Constitution of the Republic of Colombia. VII. THE EXERCISE OF THE RIGHTS OF THE HOLDERS OF THIS POLICY. Taking into account what is established in article 2.2.2.25.4.1 of the Single Regulatory Decree 1074 of 2015, the rights of the holders of personal data and information may be exercised by the people mentioned below: • By the respective holder, who must prove their identity sufficiently by the different means made available by the responsible party. • By their successors, who must prove such quality. • By the representative and/or attorney of the holder, prior accreditation of the representation or power of attorney. • By stipulation in favor of another or for another. • Given the case where the holder of the information is a minor, their rights may be exercised only by the persons who, in accordance with the law, are empowered to represent them. VIII. AUTHORIZATION BY THE HOLDERS OF INFORMATION AND PERSONAL DATA THE COMPANY allows itself to accredit that any activity of collection, conservation, use, handling, updating, correction, deletion and in general, any activity through which it is intended to obtain and/or treat personal data and information owned by third parties, must be carried out through prior, express, and free authorization from their respective holders. With the granting of authorization by the holder for the collection and treatment of information and personal data, it will be understood that they have read this PTIDP or failing that, they were previously informed through the privacy notice that it is published in the access links and on the website of THE COMPANY and that it can be consulted at any time and by any person without any type of restriction. Likewise, through the authorization for the conservation, administration, collection, and treatment of information and personal data, the holder declares that such data and information are truthful, complete, exact, updated, verifiable, understandable, and correspond to the current reality for the moment they are supplied. THE COMPANY will have available to all holders of information and personal data subject to treatment, the document through which they granted the respective authorization, with the sole purpose that they can access it upon request for the purpose of proving the means and the date on which it was granted. The authorization granted by the information holder may be in writing, whether in a physical, digital document, or on magnetic media, as well as in audio files, online data storage technological platforms, or in any other suitable and apt means to prove the existence of the holder's consent and authorization for the treatment of their personal data. Law 1581 of 2012 in Article 10 establishes that the authorization of the holder will not be necessary when it comes to: 1. Information required by a public or administrative entity in the exercise of its legal functions or by court order. 2. Data of a public nature or domain. 3. Cases of medical or sanitary urgency. 4. Information treatment authorized by law for historical, statistical, or scientific purposes. 5. Data related to the civil registration of persons. In light of what is established in articles 8 and 9 of Law 1581 of 2012, the holders of information or personal data may at any time request the deletion of their data and/or revoke the authorization granted to THE COMPANY for its treatment. In accordance with article 2.2.2.25.2.8 of the Single Regulatory Decree 1074 of 2015, the request for deletion of information and the revocation of authorization will not proceed when the holder thereof has a legal or contractual duty to remain in the database. Once the request is filed through the channels established in this PTIDP and THE COMPANY has not made any response or failing that has not deleted the data of the claimant holder, they will be fully entitled to go to the Superintendence of Industry and Commerce so that said entity, using its sanctioning and jurisdictional powers (article 22 law 1581 of 2012), orders THE COMPANY the deletion and/or revocation of the authorization deprecated by the holder. By virtue of what is regulated in the first paragraph of article 6 of Law 1581 of 2012, the treatment of sensitive personal data is prohibited as a general rule. However, in accordance with literal d) of the mentioned provision, the treatment of said data is allowed when it occurs by virtue of the purposes they have, that is, when these are directly linked to a specific objective they are permitted, in this case, it is the recognition, exercise, or defense of a right in a judicial process. In this sense, taking into account that within the corporate purpose of THE COMPANY is the provision of services or advice, the treatment of sensitive data is allowed, since data relating to health, sexual orientation, may be used for the exercise of rights and the protection of fundamental freedoms and prerogatives established in the political constitution. In light of what is established in article 2.2.2.25.2.3 of the Single Regulatory Decree 1074 of 2015, THE COMPANY will request express and written authorization from the holder of the sensitive data to consent to its treatment, prior verifiable communication of the following determinations: 1. That they are not obliged to authorize the treatment of sensitive data as long as it is not their will. 2. That responding to any question or questioning that THE COMPANY makes in relation to their sensitive personal data is optional. 3. Which of their sensitive data will be subject to treatment by THE COMPANY and for what purpose. 4. That all information regarding sensitive data provided to collaborators and dependents will be covered by the commercial professional secrecy that THE COMPANY must keep in the terms of law, and that appropriate and suitable measures will be used for its protection. THE COMPANY'S PTIDP recognizes that data pertaining to minors, as established in Article 7 of 1581 of 2012 regarding children and adolescents, are highly sensitive and their treatment is prohibited. However, in those cases where they are of public knowledge, their treatment is legally permitted, or when required to guarantee their fundamental rights. In this sense, THE COMPANY guarantees that it will refrain from treating private and semi-private data in which the holder is a minor, without it being absolutely necessary. Now, for said treatment, the authorization of the minor's representative will be required in the terms established by law and this PTIDP. THE COMPANY, through this PTIDP and by virtue of Law 1581 of 2012, guarantees that the information contained in its database will be used correctly, for lawful purposes and keeping the habeas data right protected by the Political Constitution harmless. The treatment of the personal data described above by the company will be circumscribed solely to the activities of collection, storage, and use of said information with the purposes established above. THE COMPANY guarantees all holders of information and personal data that it will not be used for purposes other than those respectively authorized by their holders in the authorization documents, that it will not be marketed to third parties under any figure, nationally or internationally, without prior express authorization by the holders. However, it is pertinent to highlight that without prejudice to the holder of the data manifesting their intention to revoke the authorization given to THE COMPANY for the conservation of their data, by virtue of a legal or contractual obligation, the data must be preserved, said revocation will not have the pertinent effects. IX. SECURITY, CUSTODY, CARE, AND SAFEGUARD POLICY OF PERSONAL DATA. The security, custody, care, and safeguard policy of personal data at VINDAM S.A.S aims primarily to guarantee the comprehensive protection of the personal information of its clients and employees. This is achieved through the implementation of rigorous security measures, both technological and organizational. To guarantee the security and confidentiality of the information, VINDAM S.A.S. supports its technological infrastructure on services from globally recognized providers for their high security standards: 1. **Security in hosting and data transmission**: Our services are hosted on secure infrastructures (Hostinger), and all communications and information transfers are made using the secure protocol **HTTPS (SSL/TLS)**. This ensures that data travels encrypted between the user and our servers, protecting them from unauthorized interception. 2. **Database Security (Supabase / PostgreSQL)**: For the storage of personal data, we use **Supabase**, a platform built on PostgreSQL, one of the most robust and secure databases in the world. We implement: * **Encryption at rest**: Stored data is encrypted, guaranteeing that, even in the unlikely event of physical access to disks, the information remains unreadable without the corresponding keys. * **Access Control (Row Level Security)**: We use Row Level Security (RLS) policies to ensure that each user can only access the information corresponding to them, preventing unauthorized cross-access. * **Secure Authentication**: Access to database administration is restricted and protected by robust authentication mechanisms. 3. **Vulnerability Management and Updates**: THE COMPANY keeps its systems and libraries updated to mitigate known vulnerabilities. We perform periodic security reviews in accordance with best web development practices. All these technical measures are complemented by internal administrative policies that restrict access to personal data solely to authorized personnel who require it for the fulfillment of their duties, who are obliged to maintain strict confidentiality. X. DEPARTMENT RESPONSIBLE FOR INQUIRIES, PETITIONS, COMPLAINTS, AND CLAIMS OF HOLDERS THE COMPANY has designated the Administrative Area to attend immediately and adequately to the petitions, complaints, claims, and requests raised by holders to it. For this purpose, Telephone (+57) 3147896054 was enabled; or email ceo.vindam@gmail.com, where general information will be provided to personal data holders or their representatives and they can update, correct, rectify, and request any novelty regarding information and personal data, including revoking the authorization granted for treatment. The physical address was also enabled, filing your request in person at the address Avenida 3ra C norte #42-73, Cali - Valle del Cauca. In the terms of article 13 of Law 1581 of 2012, information and personal data may be Supplied, upon written request for the purpose, to the following persons: 1. To the respective holders, their successors, or their legal representatives. 2. To public or administrative entities in the exercise of their functions. 3. To third parties who have been expressly authorized by the data holder or who by express legal provision are empowered to request the information. XI. PROCESS TO RESOLVE PETITIONS, COMPLAINTS, AND CLAIMS Giving scope to what is established in Law 1581 of 2012, in its Article 14 and what is established in the previous section of this PTIDP, THE COMPANY will have a maximum term of TEN (10) business days counted from the day following its filing, to answer each and every one of the inquiries that have been filed by the holders or their successors through any of the means established in the previous section and of which there is proof. These inquiries must be about or directed to consult or know the personal information that is subject to treatment by THE COMPANY. Given the case that it is not possible to attend the inquiry within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which their inquiry will be attended, a term that may not exceed five (5) business days following the expiration of the first term. Secondly, in compliance with the provisions of Article 15 of Law 1581 of 2012, THE COMPANY allows itself to communicate to all interested parties and holders of data treated by it, that regarding requests not related to an inquiry of the information subject to treatment or that enshrine a claim regarding correction, updating, or deletion, or when they notice the alleged breach of any of the duties of this PTIDP or Law 1581 of 2012, the term to respond will be fifteen (15) business days, counted from the day following its filing. All claims must be formulated in writing to the email ceo.vindam@gmail.com. A) EMAIL FOR PERSONAL DATA PROTECTION Complying with what is established by Law 1581 of 2012, Law 2213 of 2022, and its regulatory decrees, THE COMPANY has made available to all interested parties the email ceo.vindam@gmail.com for all inquiries, petitions, complaints, or claims derived from the treatment given to information and personal data. B) PROCEDIBILITY REQUIREMENT In accordance with what is established in Article 16 of Law 1581 of 2012, its regulatory decrees and what is established in this PTIDP, holders are warned that the inquiry or claim before THE COMPANY constitutes a requirement of procedibility to file a complaint before the Superintendence of Industry and Commerce. XII. VALIDITY OF THIS POLICY. This PTIDP governs from October fifteen (15) of the year two thousand and twenty-five (2025) and indefinitely, that is, its content obliges THE COMPANY, its workers, collaborators, external advisors, shareholders, and any external or internal third party that has a relationship with the treatment of information and personal data. To provide publicity to this PTIDP, it will be published through a hyperlink, being available immediately and sustained during its validity, on the official website of THE COMPANY: https://vindam.com/. THE COMPANY reserves the right to make modifications, adjustments, and/or updates to the content of its PTIDP in any of its sections.