Habeas Data Manual

MANUAL OF POLICIES AND PROCEDURES FOR THE PROTECTION AND PROCESSING OF PERSONAL DATA AND ATTENTION TO REQUESTS, INQUIRIES, AND CLAIMS (HABEAS DATA MANUAL) VINDAM S.A.S., a commercial company legally constituted and registered with the Cali Chamber of Commerce, under the laws of the Republic of Colombia, identified with NIT 901998930-6, located at Avenida 3ra C norte #42-73, Cali - Valle del Cauca, hereinafter referred to as "THE CONTROLLER", issues this Manual in compliance with Law 1581 of 2012 and Single Regulatory Decree 1074 of 2015, regarding the personal data protection regime, with the purpose of guaranteeing that the processing of personal data is carried out in strict compliance with applicable regulations, safeguarding the rights of consumers, users, and other natural persons whose data is subject to processing, collectively referred to as "HOLDERS" and indistinctly as "THE HOLDER". I. PURPOSE AND CONTACT This Manual aims to establish the internal policies and procedures for the protection and processing of personal data by VINDAM S.A.S., as well as the mechanisms for attending petitions, inquiries, complaints, and claims (PQR) from Holders, pursuant to the provisions of Statutory Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, Decree 1074 of 2015, and Law 2213 of 2022. Any petition, inquiry, complaint, or claim may be sent to the email: juridicavindam@gmail.com Controller identification: - Company name: VINDAM S.A.S. - Tax ID (NIT): 901998930-6 - Address: Avenida 3ra C norte #42-73, Cali - Valle del Cauca, Colombia - PQR email: juridicavindam@gmail.com - Website: https://vindam.com/ II. AGE OF MAJORITY No collection or processing of personal data of children or adolescents will be carried out, as the website, its content, and the services offered by VINDAM S.A.S. are exclusively directed at adults. Any suspicion that a Holder is a minor will result in the denial of service, blocking of the email, and immediate deletion of other personal data (real or not) that the Holder has supplied. III. TYPES OF DATA COLLECTED For registration on the website, requesting information, acquiring services, or product demonstrations by VINDAM S.A.S., Holders are required to provide the following personal data: 1) First and last names. 2) Email address. 3) Company or organization name. 4) Telephone country code and phone number. 5) Job function or title. 6) Country of residence. 7) Free-text messages (specific inquiries or requests). IV. PROCESSING AND PURPOSES The processing of Holders' personal data includes collection, storage, administration, use, and deletion in the manner permitted by Law and in accordance with the following purposes: 1. Verify that Holders are adults, including possible comparisons of information with public databases. 2. Maintain communication with Holders regarding products and services offered by VINDAM S.A.S. 3. Manage and execute product demonstrations, including activation of artificial intelligence chatbots and callbots. 4. Initiate and conduct automated telephone calls through artificial intelligence agents as part of the callbot service offered by VINDAM S.A.S. 5. Offer and promote, by any means, products and services of THE CONTROLLER, or third parties having a legal link with THE CONTROLLER, including conversational automation solutions powered by artificial intelligence. 6. Maintain information on requests, petitions, complaints, and claims presented by Holders regarding activities developed by THE CONTROLLER. 7. Perform statistical, demographic, and market analysis to improve the products and services offered. 8. Comply with contractual obligations agreed with the Holders. 9. Accounting, fiscal, and administrative management, including billing, collections, and payments. 10. Comply with legal, judicial, or administrative requirements. THE CONTROLLER has the obligation to maintain the confidentiality of personal data subject to processing and may only disclose them by express request of surveillance and control entities and authorities having the legal power to request it, and will allow at all times and free of charge to know, update, and correct the personal information of the Holder in accordance with Article 8 of Law 1581 of 2012. In development of the principle of purpose, the collection of personal data is limited to those personal data that are pertinent and adequate to fulfill the purposes expressed in this Manual. Except in cases expressly provided by Law, personal data may not be collected without authorization from the Holder. V. PRINCIPLES FOR PERSONAL DATA PROCESSING In the development, interpretation, and application of this Manual, the following principles will be applied harmoniously and integrally: 1. Principle of legality in data processing: The processing referred to in this Manual is a regulated activity that must be subject to what is established in the Law and other provisions developing it. 2. Principle of purpose: Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Holder. 3. Principle of freedom: Processing can only be exercised with the prior, express, and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate relieving consent. 4. Principle of truthfulness or quality: Information subject to processing must be true, complete, exact, updated, verifiable, and understandable. Processing of partial, incomplete, fractioned, or misleading data is prohibited. 5. Principle of transparency: Processing must guarantee the right of the Holder to obtain from THE CONTROLLER, at any time and without restrictions, information about the existence of data concerning them. 6. Principle of restricted access and circulation: Processing is subject to limits derived from the nature of personal data, provisions of the Law, and the Constitution. In this sense, processing may only be done by persons authorized by the Holder and/or by persons provided for in the Law. Personal data, except public information, may not be available on the Internet or other means of mass disclosure or communication, unless access is technically controllable to provide restricted knowledge only to Holders or third parties authorized according to Law. 7. Principle of security: Information subject to processing by THE CONTROLLER must be handled with technical, human, and administrative measures necessary to grant security to records avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access. 8. Principle of confidentiality: All persons intervening in the processing of personal data that do not have the nature of public are obliged to guarantee the reservation of information, even after their relationship with any of the tasks comprising the processing has ended, being able only to supply or communicate personal data when this corresponds to the development of activities authorized in the Law. VI. PROCESSING OF SENSITIVE DATA In accordance with Article 5 of Law 1581 of 2012, sensitive data are those that affect the privacy of the Holder or whose improper use can generate discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations, or that promote interests of any political party or guarantee rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data. VINDAM S.A.S. does not collect or process sensitive data through its website or its registration and service request forms. VII. RIGHTS OF HOLDERS Holders of personal data or their successors have the following rights: 1. Receive information about: (i) the processing to which their personal data will be subjected and its purpose, (ii) the optional character of answers to questions regarding sensitive data, (iii) the rights assisting them as a Holder, and (iv) the identification, physical or electronic address, and telephone of THE CONTROLLER. 2. Obtain from THE CONTROLLER, at any time and without restrictions, information about the existence of data concerning them. 3. Be informed by THE CONTROLLER, upon request, regarding the use given to their personal data. 4. Request proof of authorization granted to THE CONTROLLER except when expressly excepted as a requirement for processing, in accordance with Article 10 of Law 1581 of 2012. 5. That their personal data not be disclosed without prior authorization, except legal or judicial mandate relieving such consent. 6. Receive free of charge all information contained in the individual record or linked to the identification of the Holder, when the Holder or their successors so request through channels arranged for this purpose by THE CONTROLLER. 7. Access their personal data and exercise their rights over them through mechanisms arranged for this purpose by THE CONTROLLER. 8. Consult their personal data free of charge: (i) at least once every calendar month, and (ii) every time there are substantial modifications to information processing policies; all through mechanisms arranged for this purpose by THE CONTROLLER. 9. Receive a response to all inquiries made about their personal data within legal terms and in any case, in a term not exceeding fifteen (15) business days, in terms provided in Article 14 of Law 1581 of 2012. 10. Receive a response to all claims made about their personal data within legal terms and in any case, in a term not exceeding twenty-three (23) business days, in terms provided in Article 15 of Law 1581 of 2012. 11. Request update and/or rectification of their personal data to THE CONTROLLER. 12. Revoke authorization and/or request deletion of their personal data, through PQR procedures arranged for this purpose by THE CONTROLLER. The Holder may not revoke authorization and/or request deletion of their personal data when they have a legal or contractual duty to remain in the database. 13. Be informed about any substantial change, referring to the identification of THE CONTROLLER or the purpose of processing, in the content of processing policies, before or at the latest at the moment of implementing new policies. 14. File complaints with competent authorities for infringements of the Law. VIII. PROCEDURE FOR EXERCISE OF RIGHTS BY HOLDERS Holders of personal data must direct their requests or claims to the email: juridicavindam@gmail.com 1. Procedure for inquiries: THE CONTROLLER must address inquiries within a term of ten (10) business days counted from the date the request is received. When it is not possible to comply with this time, the interested party must be informed expressing the reasons for delay and the date their request or inquiry will be addressed, in a term not exceeding five (5) business days following the expiration of the first term. 2. Procedure in case of claims: The Holder or successor considering that information contained in a database should be corrected, updated, or deleted, or when noticing alleged non-compliance with any duties contained in the Law or this Manual, may file a claim to THE CONTROLLER, which will be processed under the following rules: 3. The claim must be formulated with the identification of the Holder, description of facts giving rise to the claim, address, and accompanying documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) days following receipt thereof to remedy faults. After two (2) months from the date of request, without the applicant presenting required information, it will be understood that the claim has been abandoned. 4. Once the complete claim is received, a legend saying "claim in process" and the reason thereof will be included in the database, in a term not exceeding two (2) business days. Said legend must be maintained until the claim is decided. 5. The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of reasons for delay and date their claim will be addressed, which in no case may exceed eight (8) business days following expiration of the first term. 6. Procedure for revocation of authorization and/or request for data deletion: Holders may at any time request THE CONTROLLER to delete their personal data and/or revoke authorization granted for processing thereof, by filing a claim, according to Article 15 of Law 1581 of 2012, Article 2.2.2.25.2.6 of Decree 1074 of 2015, and the procedure indicated in this Manual. If the respective legal term expires and THE CONTROLLER has not eliminated personal data, the Holder will have the right to request the Superintendency of Industry and Commerce to order revocation of authorization and/or deletion of personal data. However, according to Articles 2.2.2.25.2.6 and 2.2.2.25.2.8 of Decree 1074 of 2015, the request for deletion of information and revocation of authorization will not proceed when the Holder has a legal or contractual duty to remain in the database. IX. TEMPORAL LIMITATIONS TO PERSONAL DATA PROCESSING THE CONTROLLER may only collect, store, use, or circulate personal data for a reasonable and necessary time, according to purposes justifying processing, attending to applicable provisions and administrative, accounting, fiscal, legal, and historical aspects of information. Once the purpose(s) of processing is fulfilled, THE CONTROLLER will proceed to delete personal data in their possession. However, personal data must be kept when required for compliance with a legal or contractual obligation. X. VALIDITY The validity period of the database will be indefinite. This Manual enters into force from February 20, 2026. VINDAM S.A.S. reserves the right to make modifications, adjustments, and/or updates to the content of this Manual in any of its sections, which will be communicated to the Holders through the means arranged for such purpose.