PIRANI S.A.S., in accordance with Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, as responsible for the processing of personal data, informs that the purpose of this Policy is to define the necessary guidelines to ensure the exercise of the right to privacy of individuals, through the protection of personal data contained in the different databases of the company, so that they receive the treatment in accordance with the purposes provided by law.
The Policies for the Treatment of Personal Data are applicable to the personal data contained in the databases that are under the responsibility of PIRANI S.A.S., as well as its parents and subsidiaries, hereinafter "THE RESPONSIBLE" and that are susceptible to any access or treatment by the company, its personnel or any related third party.
The authorization for the processing of data may be provided through the express authorization or through unequivocal conduct of acceptance, such as the use of the platform, with the availability of consultation of this processing policy.
By accepting or consenting to the Policies for the Treatment of Personal Data of PIRANI S.A.S. you declare to be the legitimate owner of the data or have the respective authorizations or legal powers to transfer the data. Additionally, you declare to be capable in the terms of the applicable legislation. Therefore, you accept the guidelines and policies contained in this document.
DEFINITIONS
Authorization: Prior and informed consent of the Data Subject to carry out the Processing of personal data.
Database: Organized set of personal data that is subject to Processing.
Personal data: Any information linked or that may be associated with one or several determined or determinable natural persons.
Sensitive data: Sensitive data is understood as that which affects the privacy of the Data Subject or whose improper use may generate discrimination, such as that which reveals the racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data.
Data Processor: Natural or legal person, public or private, who by himself or in association with others, performs the Processing of personal data on behalf of the Data Controller.
Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the Processing of the data.
Data Subject: Natural person whose personal data is the object of Processing.
Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, send the information or personal data to a recipient, which in turn is the Data Controller and is located inside or outside the country.
Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when the purpose is the performance of a Processing by the Processor on behalf of the Controller.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or suppression.
I. IDENTIFICATION OF THE DATA CONTROLLER
COMPANY NAME AND IDENTIFICATION: PIRANI S.A.S., hereinafter referred to as THE COMPANY or THE CONTROLLER, a commercial company identified with NIT 900.484.747-4.
DOMICILE AND ADDRESS: THE COMPANY has its domicile in the city of Medellín and its main office is located in the building EDIFICIO SELF, Carrera 42 # 5 sur - 47 | Piso 16, EDIFICIO, Medellín, Antioquia.
TELEPHONE: +57 (323) 563 9223
II. DATA PROCESSING PRINCIPLES
In all personal data processing carried out by THE COMPANY, the principles enshrined in the Colombian General Regime for the Protection of Personal Data shall be applied, especially the following:
1. Principle of the legality of data processing: For the processing of personal data carried out by THE COMPANY, the rules of the Colombian legal system relating to the General Regime for the Processing of Personal Data and those contained in this policy shall apply.
2. Principle of purpose: The treatment given by THE COMPANY to the personal data it processes obeys the purposes established in this policy, which are in harmony with the Colombian legal system. In what is not regulated in this policy, the superior norms that regulate, add, modify or repeal it will be applied.
3. Principle of freedom: The treatment carried out by THE COMPANY to personal data is done according to the prior, express, and consented authorization of the personal data owner.
4. Principle of truthfulness or quality: The information subject to treatment by THE COMPANY must be truthful, complete, updated, verifiable and understandable.
5. Principle of transparency: THE COMPANY guarantees that the holder of the personal data can obtain information about their data at any time and without restrictions according to the procedures described in this policy.
6. Principle of restricted access and circulation: THE COMPANY guarantees that the processing of personal data given to the databases for which it is responsible, is carried out by authorized persons and/or other persons permitted by law.
7. Security Principle: THE COMPANY will implement all technical, human, and administrative measures necessary to protect the personal data processed in its databases, avoiding the use, adulteration, loss, and unauthorized or unwanted consultation.
8. Principle of confidentiality: The treatment given to the personal data of the COMPANY's databases will be carried out with strict confidentiality and reserve, according to the purposes described in this policy.
For more information on these principles, please refer to Law 1581 of 2012 and Decree 1377 of 2013, as well as other regulatory provisions that modify, clarify, supplement, or repeal them.
III. PROCESSING TO WHICH THE DATA WILL BE SUBJECTED AND THE PURPOSE FOR WHICH IT WILL BE USED
The processing of personal data of the person with whom THE COMPANY has established or establishes a relationship, permanent or occasional, will be carried out within the legal framework that regulates the matter. In any case, personal data may be collected and processed in the following cases:
1. To develop the corporate purpose of THE COMPANY in accordance with its legal statutes.
2. Compliance with legal obligations involving personal data.
3. The measurement and analysis of non-sensitive data freely provided by their respective owners. This use will be based on statistical and mathematical models or machine learning solutions, and data analytics, among other methods. In this case, the use of the information will be exclusively for the constant improvement of the service and/or to facilitate the development of new functionalities, software, modules, or tools. The corresponding treatment for this purpose involves the sanitization and anonymization of the information of any customer or owner so that the information is not directly identified with a particular entity.
4. For the commercial management and relationship with your customers, potential customers, and stakeholders.
5. For prospective analysis of trends, preferences, behaviors, and habits of its customers, potential customers, and stakeholders.
6. To inform about products and their quality, about the COMPANY, trends, benefits, events, alliances, and general information, among others.
7. To consult the information about the data subjects in public databases and/or different information operators such as Datacrédito/Experian, Cifin/TransUnion, or any other entity that comes to manage databases with the same objectives and in credit risk and financial information centers, in support of the processes of study of applications, verification of credit behavior, reporting of delinquent customers, verifications for granting credit and collection efforts.
8. Report to the credit bureaus with which THE COMPANY has an agreement on the generation, modification, extinction, fulfillment, or non-fulfillment of the obligations contracted by the Data Holder.
9. To achieve efficient communication related to products, services, offers, promotions, alliances, studies, contests, and content.
10. To share the information with contractors in charge of providing services for the COMPANY that require access to the data of the Holders.
11. To carry out commercial or marketing activities through our website, Facebook, and other media and use them as part of our commercial or marketing campaigns.
12. To advance contacts for commercial and promotional purposes either about our own services and products, or those of third parties with which THE COMPANY has business relationships or alliances.
13. For the delivery of employment references.
14. To perform administrative and commercial management.
15. To comply with its legal obligations in relation to the company's shareholders.
16. To follow up on the management of services offered.
17. To comply with the provisions of the Colombian legal system in labor and social security matters, applicable to former employees, current employees and candidates for future employment.
18. Carry out consultations and verifications of risks of money laundering, financing of terrorism, transnational bribery, corruption.
19. Share and exchange with its subsidiaries, parent companies, allies and/or financial institutions, the information of the data subjects contained in the databases of the entity for risk control purposes, disbursement and payment of obligations, commercial alliances, contracting of services, statistical purposes, marketing activities of services and advertising.
20. Collection of information on transactions or services purchased through means provided by THE COMPANY.
21. Processing of financial data related to payments made by users for services used that have some cost.
22. Transfer of data to third parties for the purposes of the object and activities developed by THE COMPANY.
23. Obtain information on usage and records; information on transactions; cookies to provide internet-based services; transfer and transmission of data to third parties for activities of the object of THE COMPANY and the fulfillment of all contractual or legal obligations acquired by the parties.
24. Conduct surveys related to the services or goods of THE COMPANY.
25. Fulfill all its contractual, statutory or legal commitments.
26. Security and surveillance functions (including video surveillance) of THE COMPANY's facilities and information.
Authorization is not required when the processing is related to certain cases in respect of which, however, all legal provisions related to the processing of information are complied with, such as:
- When the data is of a public nature.
- When there are cases of medical or sanitary urgency.
- When the treatment is authorized by law.
In each medium that may be used for the processing or collection of data, there will be an authorization text, privacy notice, or, in the case of technological methods, a box or sign of consent and acceptance in the processing of data, aimed at validating the authorization through unequivocal conduct. To the extent possible, such authorization will contain a link or access for consultation and direct reading of this Data Processing Policy.
IV. TREATMENT OF SENSITIVE DATA
THE COMPANY considers that biometric data, such as the face, fingerprint, retina, voice, and signature; as well as any data that affect the privacy of individuals, whose improper use can generate discrimination of the holder, are of a sensitive nature, and therefore, this type of data is protected more rigorously by the COMPANY and the persons who access them in their capacity as the persons in charge of handling the information.
The treatment of personal or sensitive data by THE COMPANY and its PROCESSORS is restricted; it will be exclusively for the fulfillment of authorized contractual obligations, compliance with legal obligations or the purposes expressly authorized by the owner voluntarily. At no time, without prior authorization, will they be used for marketing purposes, the sale of databases, and/or purposes other than those strictly necessary.
THE COMPANY will only carry out the processing of sensitive data provided that the owner gives his authorization or that the law authorizes it. The owner of the sensitive data will always have the power to decide whether to provide it or not.
Exceptionally, data of minors, corresponding to the children of employees, administrators, and collaborators of the company, may be processed, in which case the express and informed authorization of the legal representative of the minor must be obtained for the specific purposes reported.
It is optional for the Holder of the personal data to grant authorization for the processing of their sensitive data.
V. RIGHTS OF THE OWNER OF THE INFORMATION
In accordance with the provisions of the currently applicable regulations on data protection, the holders of personal data have the right to:
1. Access, know, update, and rectify their personal data against the COMPANY in its capacity as the data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data or those whose treatment is expressly prohibited or has not been authorized.
2. Request proof of the authorization granted to the COMPANY for the processing of data, by any valid means, except in cases where authorization is not required.
3. Be informed by THE COMPANY, upon request, regarding the use given to their personal data.
4. To file complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add, or complement it, after consultation or request to THE COMPANY.
5. Revoke the authorization or request the deletion of the data.
6. Access free of charge to their personal data that have been processed, at least once every calendar month, and whenever there are substantial changes to this policy that motivate new consultations.
These rights may be exercised by:
- The holder, who must prove their identity sufficiently by the various means made available by THE COMPANY.
- The assignees of the holder, who must prove such quality.
- The representative or attorney-in-fact of the holder, upon prior accreditation of the representation or power of attorney.
- Another person in whose favor or for whom the holder has stipulated.
VI. DATA CONTROLLER AND DATA PROCESSOR OF PERSONAL DATA
THE COMPANY will be responsible for the processing of personal data. THE COMPANY may transfer its condition of RESPONSIBLE at any time to any third party that proves compliance with the conditions set forth in this Policy and in the applicable legislation in force.
Transfers and transmissions for processing by third parties of personal data provided to THE COMPANY.
The acceptance of the present policy implies for the holder of the personal data the acceptance of the possibility that THE COMPANY has, respecting at all times the legal provisions that regulate the matter, to transmit or transfer the totality of the holder's data to its parent company, subordinate companies or third parties for the fulfillment of the purposes of the processing. In this case, the third party or parties that receive the information will acquire the quality of the data processor and, consequently, will assume the same obligations of care, good handling, and security assumed by THE COMPANY as responsible, in the terms defined by the current regulations. THE COMPANY may at any time revoke the authorization granted in each case to the respective third party in charge of the processing of the information.
In turn, THE COMPANY undertakes to inform third parties, of the parameters under which the authorization has been granted and the due respect to be made of this policy, informing third parties that they may only make use of such data and/or information while the legal or contractual relationship with THE COMPANY subsists, solely and exclusively, for the uses expressly defined by it.
The transmission of information, whether in physical or digital form, shall be carried out through mechanisms that have adequate security levels, established by THE COMPANY and its technology advisors, according to the physical, logistical, technological, and economic capacity, ensuring that the data is delivered and received in a confidential and secure manner.
VII. PROCEDURE FOR THE ATTENTION OF QUERIES, CLAIMS, REQUESTS FOR RECTIFICATION, UPDATING AND DELETION OF DATA.
The owners or their successors in title may consult the personal information of the owner that is held by THE COMPANY, who will provide all the information contained in the individual record or that is linked to the identification of the owner. Likewise, THE COMPANY provides the mechanism through which the holder may file claims to update, rectify, delete the data or revoke the authorization definitively.
In any case, regardless of the mechanism implemented for the attention of requests for consultation, these will be answered within a maximum period of ten (10) working days from the date of receipt. When it is not possible to attend the consultation within such term, the interested party shall be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.
THE COMPANY reserves the right to modify, at any time, unilaterally, the Information Processing Policy. The Policy of Treatment of the Information in force at each moment will be available in the web page and in the facilities of the company. Any substantial change in the Information Processing Policy that may affect the content of the authorization granted by the holder will be communicated to the holder or will be made available to him/her under the terms established by the regulations in force. In addition, the previous versions of the Information Processing Policy shall be kept.
The holder's non-opposition to the use of his/her data, within thirty (30) days following the notification of the new Information Processing Policy constitutes acceptance of the same.
VIII. INFORMATION SECURITY MEASURES
In compliance with the security principle established in the current regulations, THE COMPANY will adopt the technical, human, and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access.
The company is committed to giving the correct use and treatment of the personal data of its customers and users, avoiding unauthorized access by third parties that would allow them to know or violate, modify, disclose, and/or destroy the information contained in the databases of the company. For this reason, the company has security protocols and access to its information, storage, and processing systems, including physical measures to control security risks.
Therefore, it must adopt the measures that allow it to comply with the provisions of Law 1581 of 2012 and any other law or regulation that modifies or replaces them. As a consequence of this legal obligation, among others, it shall adopt security measures of logical, administrative, and physical type, according to the criticality of the personal information to which it has access, to ensure that this type of information will not be used, traded, assigned, transferred, or subjected to any other treatment contrary to the purpose included in the provisions of the object of this contract. Any suspicion of loss, leakage, or attack against the personal information contained in the databases of THE COMPANY shall be reported, with notice given once it has knowledge of such eventualities, through the most relevant or effective mechanisms, such as publication on the website or networks of the company, direct communication to the reported email of the affected party, the means established by it for such purposes, or any other way that guarantees the holder's right to information. Any loss, leakage, or attack against personal information also implies the obligation to manage the security incident in accordance with the legal guidelines on the matter. Some of the minimum standards voluntarily adopted from the ISO 27001/27002 standards may be taken as a reference.
According to the logistical, physical, and economic possibilities, different information security measures can be implemented, among which we can find:
- Antivirus and firewalls in the COMPANY's computer equipment.
- User and data access and manipulation and monitoring profiles.
- Back-up plans or backup copies with the established periodicity.
- Blocking of USB ports.
- Blocking of web pages with personal access or social networks.
- Prohibition of the installation of instant messaging applications on computer equipment that stores data.
- Video surveillance and access control.
- Record of consultation and copies of protocols requested by users.
- Restricted access to the physical archive area and computer area.
- Periodic updating of Personal Data Protection Policies and procedures.
- Continuous identification of legal requirements to be implemented by THE COMPANY.
- Follow-up of new regulations.
- Training on Personal Data Protection issues.
- Revisions of procedures and documentation.
IX. VIDEO SURVEILLANCE
THE COMPANY uses various means of video surveillance installed in different internal and external sites of our facilities and offices. The information collected will be used for the security of people, property and facilities; it may also be used as evidence in any process before any type of judicial or administrative authority and the organization, including insurers. Information about the existence of this mechanism is provided through the dissemination of notices and this treatment policy.
Entering our facilities will be understood as the express and informed authorization to carry out the treatment of these images, protected under the Law.
X. VALIDITY
This policy is effective as of November 18, 2020.
Last update: February 1, 2023.
Alejandro Orrego Santamaría
CEO