Data Processing Policy

Data Processing Policy

PERSONAL DATA PROCESSING POLICY FOR YOUR STORE

TE LOTENGO YA!, with registered address at TE LOTENGO YA!, has established this privacy and personal data protection policy, which regulates the collection, storage, management, and protection of information received from all clients, suppliers, consumers, contractors, debtors, creditors, employees, and related parties. For the purposes of this policy, the following shall apply:

DEFINITIONS
Privacy Notice: This is the document, in any physical, electronic, or other format, generated by the data controller and made available to the user, regarding the processing of their personal data. The privacy notice informs the data subject of the existence of these applicable data processing policies, how to access them, and the purposes and rights regarding the processing of the personal data they provide.

Authorization: This is the user's prior and express consent to the processing of their personal data.

Database: This is the set of all personal data that has been authorized by its Users and that will be subject to the processing established by this policy.

Personal Data: This is any information linked to or that can be associated with a user.
Private Data: Data that, due to its intimate or confidential nature, is only relevant to the user.

Sensitive Data: This is data that affects the user's privacy or whose misuse may generate discrimination based on racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or organizations that promote the interests of any political party or guarantee the rights and protections of opposition political parties, as well as data relating to health, sex life, and biometric data.

Data Controller: For the purposes of this policy, this is TE LOTENGO YA!. who manages the personal data of its users, in accordance with the provisions of the Law and this document.

Data Processor: is the natural person designated by the controller of the personal data (TE LOTENGO YA!).

Data Subject: the natural person to whom the information belongs and who has freely and voluntarily authorized TE LOTENGO YA! to process their personal data.

Processing: is any operation performed on personal data, such as the collection, storage, use, circulation, modification, clarification, or deletion of said data.

PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

As a fundamental premise of this policy, TE LOTENGO YA! respects the privacy of each individual or legal entity that provides their personal information through the various information collection channels established for this purpose.

TE LOTENGO YA! guarantees that it has adequate and secure storage mechanisms and systems. Information is collected, processed, and used in accordance with current data protection and privacy regulations.

However, TE LOTENGO YA! is not responsible for any consequences arising from unauthorized access to the database by third parties and/or any technical failure in the operation and/or data storage system.

The data provided by the Data Subject must be clear, truthful, verifiable, and accurate so that its processing can be equally reliable.

Confidentiality in the processing of personal data is another guiding principle of this policy, as all employees with access to databases are obligated to maintain strict confidentiality in their handling.

All data stored and processed by TE LOTENGO YA! must have the prior and express authorization of its owner, which must be granted freely and voluntarily. However, this principle does not apply in the following cases:

Information required by a public or administrative entity in the exercise of its legal functions or by court order.

Publicly available data.
Cases of medical or health emergencies.
Processing of information authorized by law for historical, statistical, or scientific purposes.
Data related to civil registration.

Personal data will be included in a database and will be used for the following purposes:
To code applications for becoming clients and/or suppliers in our systems.

To inform about new products or services.

To fulfill obligations contracted with our clients, suppliers, and employees.

To achieve efficient communication related to our products, services, offers, promotions, alliances, studies, contests, content, as well as those of our affiliated companies, and to facilitate general access to this information.

To provide our services and products.
To inform you about the launch of new products or services, or changes to existing ones.
To evaluate service quality.
To conduct internal studies on consumer habits.
To consult, report, process, and transfer information to credit bureaus.

PROCESSING OF PERSONAL DATA OF MINORS: The processing of data of minors must comply with and respect their rights. In the event of processing the personal data of minors, TU TIENDA will comply with applicable regulations and adhere to the rulings of the Constitutional Court on this matter.

PROCESSING OF SENSITIVE DATA: given that TU TIENDA. The organization collects biometric data, such as surveillance videos, photographs, fingerprints, and other data that may be considered sensitive. It will ensure that the processing of this information is carried out with the aim of establishing mechanisms that improve its customer service processes and in compliance with the provisions of Law 1581 of 2012 and Chapter 25 of Decree 1074 of 2015.

DUTIES AND RIGHTS
3.1. Rights of the Data Subject:
To know, update, and rectify their personal data with the data controllers or processors. This right may be exercised, among other things, with respect to data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or has not been authorized.
To request proof of the authorization granted to the data controller, except when such authorization is expressly waived as a requirement for processing, in accordance with the provisions of this policy.

To be informed by the data controller or the data processor, upon request, regarding the use of your personal data.
To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of the Law.
To revoke authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that the controller or processor has engaged in conduct contrary to the Law and the Constitution.
To access your personal data that has been processed, free of charge.

3.2 Duties of the data controller:

Guarantee the Data Subject, at all times, the full and effective exercise of their right to data protection (habeas data).

Request and retain, under the conditions stipulated by law, a copy of the authorization granted by the Data Subject.
Duly inform the Data Subject about the purpose of the data collection and their rights under the authorization granted.
Store the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent access, use, or disclosure.
Ensure that the information provided to the data processor is truthful, verifiable, complete, accurate, up-to-date, verifiable, and understandable.
Update the information, promptly notifying the data processor of any changes to the data previously provided and take all other necessary measures to ensure that the information provided remains up-to-date.
Rectify the information when it is incorrect and notify the data processor accordingly. Require the data processor to respect the security and privacy conditions of the data subject's information at all times.

Process inquiries and complaints submitted by data subjects in accordance with the law.
Inform the data processor when certain information is under dispute by the data subject, once a complaint has been filed and the respective process has not yet been completed.
Inform the data subject, upon request, about the use given to their data.
Inform the data protection authority when security breaches occur and there are risks in the management of data subjects' information.

Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

3.3 Duties of the data processor:
Guarantee the data subject, at all times, the full and effective exercise of their right to data protection (habeas data). Maintain the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent access, use, or disclosure.
Promptly update, rectify, or delete the data.
Update the information reported by the data controllers within five (5) business days of receipt.
Process inquiries and complaints submitted by the data subjects.
Record the phrase “complaint in process” in the database when applicable.
Insert the phrase “information under judicial review” in the database once notified by the competent authority of legal proceedings related to the accuracy of the personal data.
Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendency of Industry and Commerce.
Allow access to the information only to those individuals authorized to access it. Report to the Superintendency of Industry and Commerce any violations of security codes and any risks in the management of data subjects' information.
Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

RESPONSIBLE AREA AND PROCEDURES FOR DATA INQUIRIES AND COMPLAINTS:

The Marketing Department will be responsible for inquiries, complaints, and claims.
Data subjects or their legal representatives may inquire about the data subject's personal information held in the database.

The data controller or processor must provide the data subject with all the information contained in their individual record or linked to their identification.
Inquiries must be submitted via email and the other contact information provided in the privacy notice published on the website www.telotengoya.net, which is attached to this policy as Annex 1.
Inquiries will be addressed within a maximum of ten (10) business days from the date of receipt. When it is not possible to respond to the inquiry within said timeframe, the interested party will be informed, stating the reasons for the delay and indicating the date on which their inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the initial time frame.
The Data Subject or their successors who believe that the information contained in a database should be corrected, updated, or deleted, or when they become aware of the alleged breach of any of the duties contained in the Law, may file a complaint with the data controller through the communication channels established in the privacy notice. For the purposes of filing complaints, the following procedure must be followed and the following requirements must be met:
The complaint must contain, at a minimum: the identification of the Data Subject, a description of the facts giving rise to the complaint, the address, and any supporting documents.

If the complaint is incomplete, the interested party will be required, within five (5) days following receipt of the complaint, to remedy the deficiencies. If the applicant fails to submit the required information within two (2) months of the request date, the claim will be considered withdrawn.

If the recipient of the claim is not authorized to resolve it, they will forward it to the appropriate party within two (2) business days and inform the claimant of the situation.

Once a complete claim is received, the database will be updated within two (2) business days with a note stating "claim in process" and the reason for the claim. This note will remain until the claim is resolved.

The maximum time allowed to address the claim is fifteen (15) business days, starting the day after the date of receipt.
If it is not possible to address the claim within this timeframe, the claimant will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial timeframe. The Data Subject or their successor may file a complaint with the Superintendency of Industry and Commerce once they have exhausted the consultation or claim process with TE LOTENGO YA!

EFFECTIVE DATE: This Personal Data Policy was created on March 15, 2019.