PERSONAL DATA PROCESSING POLICY SUPRA NEGOCIOS S.A.S. AND SUPAGO S.A.S.

OBJECTIVE:

Establish criteria for the collection, storage, use, circulation, and deletion of personal data processed by Supra Negocios S.A.S. and SUPAGO S.A.S.

SCOPE:

This policy applies to all personal information recorded in the databases of Supra Negocios S.A.S. and Supago S.A.S., who act as data controllers.

OBLIGATIONS:

This policy is mandatory and strictly enforced for Supra Negocios S.A.S. and Supago S.A.S.

DEFINITIONS:

For the interpretation and application of this policy, the following definitions from Statutory Law 1581 of 2012, Regulatory Decree 1377 of 2013, and/or this policy must be considered:

  • Authorization: The prior, express, and informed consent of the data subject to process personal data, understood as the clients of Supago S.A.S. and Supra Negocios S.A.S.

  • Privacy Notice: Notification by the data controller in cases where making the information processing policies available to the data subject is not possible.

  • Database: An organized set of personal data subject to processing, including information about the data subjects of Supago S.A.S. and Supra Negocios S.A.S.

  • Personal Data: Any information directly or indirectly referring to a natural person and allowing their identification.

  • Public Data: Data that is not semi-private, private, or sensitive, including information about civil status, profession, or occupation.

  • Sensitive Personal Data: Information affecting the privacy of the person, such as racial or ethnic origin, political orientation, religious or philosophical beliefs, health data, etc.

  • Data Processor: A person processing data on behalf of the data controller.

  • Data Protection: Strategies adopted by the entity to ensure the security of user information against unauthorized access.

  • Claim: A request from the data subject to correct, update, or delete their personal data or to revoke authorization.

  • Data Controller: A natural or legal person processing personal data on behalf of the data controller.

  • Data Subject: A natural or legal person whose personal data is subject to processing.

  • Processing: Any operation on personal data, such as collection, storage, use, circulation, or deletion.

  • Transfer: The sending of personal data from Colombia to a controller within or outside the country.

RESPONSIBLE FOR PROCESSING:

Supago S.A.S., legally constituted commercial entity, identified with NIT 901782002-8, with its main address at Calle 140 #10a-31 in Bogotá, Republic of Colombia. Website www.supra.la and phone 3118608013. Supra Negocios S.A.S., legally constituted commercial entity, identified with NIT 901641609-3, with its main address at Carrera 9 bis # 97-59 in Bogotá, Republic of Colombia. Website www.supra.la and phone (314) 411 6393.

DATA PROCESSOR:

Supago S.A.S., legally constituted commercial entity, identified with NIT 901782002-8, with its main address at Calle 140 #10a-31 in Bogotá, Republic of Colombia. Website www.supra.la and phone 3118608013. Supra Negocios S.A.S., legally constituted commercial entity, identified with NIT 901641609-3, with its main address at Carrera 9 bis # 97-59 in Bogotá, Republic of Colombia. Website www.supra.la and phone (314) 411 6393.

CATEGORIES TO BE PROCESSED:

To fulfill the purposes of personal data processing, the following categories of personal data will be processed:

  • Identifying data
  • Contact data
  • Economic, financial, and fiscal data

PROCESSING AND PURPOSE:

The processing that Supago S.A.S. and Supra Negocios S.A.S. will carry out with personal information is as follows:

  • Collection, storage, use, circulation, and deletion to carry out actions for the development of the company’s corporate purpose, fulfill the contract object with the data subject, send invitations, offer new products and services, manage procedures, conduct satisfaction surveys, provide contact information to the commercial force and/or distribution network, telemarketing, market research, and any third party with which they have a contractual relationship, contact the data subject through various means for surveys, studies, or confirmation of personal data necessary for the execution of a contractual relationship, and other purposes detailed in the policy.

Supago S.A.S. and Supra Negocios S.A.S. may share the provided data within or outside of Colombia with:

  • Their parent, affiliated, or subsidiary companies: for centralized information storage, statistical purposes, and historical customer records; for fraud investigations, criminal activities, and investigations into their products and services (current or future).
  • Information operators and information bureaus: for requesting information on credit history, contact information, financial data, employment-related information; to consult and report information to restrictive lists and politically exposed persons lists, for the prevention and mitigation of money laundering, financing of terrorism, financial and credit risk, and fraud; report compliance or non-compliance with obligations to Supra Negocios S.A.S. and for financial and credit risk management purposes.
  • Authorities, governmental bodies, or entities: to comply with obligations under applicable law and/or in response to requirements made by them.
  • Unrelated third parties (including supervised financial entities) and competent authorities: for investigating or preventing potential cases of fraud, impersonation, or possible criminal conduct.

DATA SUBJECT RIGHTS:

As the data subject, you have the right to:

(i) Access the processed data free of charge.

(ii) Know, update, and rectify your information in the case of partial, inaccurate, incomplete, misleading data, or data whose processing is prohibited or unauthorized.

(iii) Request proof of the granted authorization.

(iv) Lodge complaints with the Superintendence of Industry and Commerce (SIC) for violations of current regulations.

(v) Revoke authorization and/or request data deletion, provided there is no legal or contractual obligation preventing it.

(vi) Refrain from answering questions about sensitive data. Responses related to sensitive data or data about children and adolescents are optional.

ATTENTION TO REQUESTS, INQUIRIES, AND CLAIMS:

The legal and administrative department of Supago S.A.S. and Supra Negocios S.A.S. ([email protected]) is responsible for processing requests from data subjects to enforce their rights.

PROCEDURE FOR EXERCISING THE RIGHT OF HABEAS DATA:

In compliance with personal data protection rules, Supago S.A.S. and Supra Negocios S.A.S. present the procedure and minimum requirements for exercising your rights:

For filing and addressing your request, we ask you to provide the following information:

  • Full name and surnames/Company name
  • Contact details (physical and/or electronic address and contact numbers)
  • Means to receive a response to your request
  • Reason(s)/fact(s) giving rise to the claim with a brief description of the right you want to exercise (know, update, rectify, request proof of the granted authorization, revoke it, delete, access the information)
  • Signature and identification number

The maximum term established by law to resolve your claim is fifteen (15) business days, counted from the day following the date of receipt. If it is not possible to address the claim within this term, Supago S.A.S. and Supra Negocios S.A.S. will inform the interested party of the reasons for the delay and the date on which the claim will be addressed, which will not exceed eight (8) business days following the expiration of the initial term.

Once the terms stipulated by Law 1581 of 2012 and other regulations are met, the data subject who is denied, totally or partially, the exercise of the rights of access, updating, rectification, deletion, and revocation may bring their case to the Superintendence of Industry and Commerce – Delegation for the Protection of Personal Data.

MODIFICATIONS TO THE PERSONAL DATA PROCESSING POLICY:

In case of substantial modification or update of this Policy, it will be published on our website. At any time, you may request the latest version of this Policy, i.e., the one in force at the time of your consultation, from our Personal Data Department, through the email address [email protected]. You can also access the latest version of this Policy through the website www.supra.la.

VALIDITY:

This Personal Data Processing Policy is effective from February 27, 2024.

The provided personal data will be retained until its deletion is requested by the interested party and as long as there is no legal duty to keep them.