Data protection and personal data processing policy of Wekall BIC S.A.S. (STARTUP)

Those are the individuals who can exercise the rights of the Data Subject, such as the Data Subject, proving their identity by the means available to them, the heirs who prove that status, the representative and/or attorney proving their representation or power of attorney, and those who, by stipulation in favor of another or for another, are accredited.

An organized set of Personal Data that is subject to processing by STARTUP. Personal Data: Any information linked or that can be associated with one or more identified or identifiable natural persons. Some examples of personal data include the following: name, citizenship ID, address, email, phone number, marital status, health data, fingerprints, salary, assets, financial status, etc. Private Data: That which, by its intimate or reserved nature, is only relevant to the Data Subject.

It is the data qualified as such according to the mandates of the law or the Political Constitution and all those that are not semi-private, private, or sensitive. Public data are considered those related to the civil status of individuals, their profession, ID number, and other data contained in public records, public documents, judicial sentences duly executed that are not subject to reservation, official gazettes, and bulletins.

It is one that does not have an intimate, reserved, or public nature and whose knowledge or disclosure may interest not only its Data Subject but also a certain sector or group of people or society in general, such as financial and credit data of commercial activity.

Information that affects the privacy of the Data Subject or whose improper use may generate discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights, or that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual life, and biometric data, among others, the capture of still or moving images, fingerprints, photographs, iris, voice recognition, facial or palm recognition, etc. Data Subject: Natural person whose Personal Data is subject to Processing. Data Processor: It is the natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of Personal Data on behalf of a Controller. In relation to the state contracts that STARTUP enters into with public entities, it acts as a Processor to the extent that it receives instructions and guidelines based on the contractual object.

It is the natural or legal person, public or private, who by themselves or in association with others decides on the Database, the Processing of Personal Data and/or the purposes and conditions of Processing. For these purposes, the Controller will be STARTUP, however, considering the commercial activities of STARTUP, it will act as a Processor when it carries out any Processing on the Databases sent to it by the entities that contract its services, provided that these determine the purposes and guidelines of the processing.

It is any operation or set of operations on Personal Data, such as collection, administration, storage, use, circulation, transmission, transfer, or deletion. Transfer: Occurs when the Controller and/or Processor of Personal Data, located in Colombia, sends the information or Personal Data to a recipient, who is also a Controller of the Processing and is located inside or outside the country. Transmission: It is the Processing of Personal Data that involves the communication of the same within or outside the territory of the Republic of Colombia when it aims to carry out Processing by the Processor on behalf of the Controller. Data Processing Policy: This document contains the guidelines for the Processing of Personal Data arising from any type of Processing that STARTUP carries out on Personal Data. In particular, this includes the purposes, types of Processing, rights of the Data Subjects, procedures to guarantee those rights, and the persons within STARTUP responsible for addressing inquiries, complaints, and/or claims.

Verbal or written communication generated by the Controller, directed to the Data Subject for the processing of their personal data, through which they are informed about the existence of the data processing policies that will apply to them, how to access them, and the purposes of the processing intended for the personal data.

Request from the Data Subject or from persons authorized by them or by law to correct, update, or delete their personal data or to revoke the authorization in the cases established by law. GDPR or General Regime for the Protection of Personal Data in Colombia: is the set of norms regulating the Processing of Personal Data in Colombian territory such as Article 15 of the Colombian Political Constitution; Law 1266 of 2008, Law 1581 of 2012; Decree 1377 of 2013; Decree 1074 of 2015; Decree 886 of 2014; and other norms that amend or add to them.

Data processing is a regulated activity, which must be subject to the current and applicable legal provisions governing the matter. Purpose Principle: The Processing will obey a legitimate purpose according to the Political Constitution of Colombia, applicable laws, and other regulations that develop them. The Data Subject will be informed clearly, sufficiently, and in advance about the purpose of the information provided.

Processing will only be exercised with the prior, express, and informed consent of the Data Subject. Personal Data collected without the aforementioned consent will be authorized by law or by the implementation of efficient communication mechanisms, without prejudice to the request for deletion of Personal Data that may eventually be raised by the Data Subject and that proceeds when there is no legal or contractual obligation preventing it.

The information subject to Processing of personal data must be truthful, complete, accurate, updated, verifiable, and understandable. The Processing of partial, incomplete, fragmented data, or that induce error is prohibited. Transparency Principle: In the Processing of Personal Data, the right of the Data Subject to obtain at any time and without restrictions information about the existence of data concerning them is guaranteed.

The Processing of personal data may only be carried out by persons authorized by the Data Subject and/or by persons provided for in the Law. Personal data, except for public information, may not be available on the internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to the data subjects or third parties authorized in accordance with the law. For these purposes, STARTUP's obligation will be one of means.

The information subject to processing by STARTUP must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, consultation, unauthorized use, or fraudulent access.

All persons in STARTUP who manage, handle, update, or have access to any type of information contained in Databases are obliged to guarantee the confidentiality of the information, committing to keep and maintain it strictly confidential and not disclose it to third parties, except when it comes to activities expressly authorized by the data protection law.

• Allow the participation of Data Subjects in marketing and promotional activities conducted by STARTUP.

• Execute the existing contractual relationship with its clients, suppliers, and employees, including the payment of contractual obligations, as well as the necessary assistance, consulting, and support to fulfill the obligations arising from the commercial relationship.

• Materialize potential commercial and/or legal relationships with individuals interested in becoming clients, suppliers, or employees of STARTUP.

• Conduct its own administrative, accounting, and tax management, including, but not limited to, billing management, collection and payment management, supplier management, client management, and reports to tax authorities.

• Evaluate service quality, conduct market studies, and statistical analyses for internal uses.

• Operate and improve its service desk.

• Respond to inquiries, requests, complaints, and claims made by Data Subjects and control agencies and transmit Personal Data to other authorities that, by virtue of applicable law, must receive Personal Data.

• To eventually contact, via email, or by any other means, natural persons with whom it has or has had a relationship, such as, without limiting the enumeration, employees and their relatives, shareholders, consumers, clients, distributors, suppliers, creditors, and debtors, for the aforementioned purposes.

• Transfer or transmit the collected information to different areas of the company and to its linked companies, subsidiaries, affiliates, controlling and controlled companies in Colombia and abroad when necessary for the development of its operations (debt collection and administrative collections, treasury, accounting, marketing, promotion, and advertising among others).

• Send certain mandatory service communications, such as welcome letters (installation and activation instructions), payment reminders, information about technical, commercial matters, and security announcements.

• For the attention of judicial or administrative requirements and compliance with judicial or legal mandates.

• Register their personal data in STARTUP's information systems and in its commercial and operational databases.

• Support internal or external audit processes.

• Any other activity of a similar nature to those previously described that are necessary to develop the corporate purpose of STARTUP.

• Those indicated in the authorization granted by the data subject or described in the respective privacy notice, as applicable.

• Develop the selection, evaluation, and hiring process.

• Manage and operate, directly or through third parties, the selection and hiring processes, including the evaluation and qualification of participants and the verification of work and personal references, and conducting medical, psychological, and security studies.

• Register the information of employees and/or pensioners, and their families (active and inactive) in STARTUP's databases.

• Carry out activities related to Human Resources management within STARTUP, such as payroll, affiliations to entities of the general social security system, welfare activities, and occupational health for the employee and their family, exercising the employer's sanctioning power, among others.

• Make necessary payments arising from the execution of the employment contract and/or its termination, and other social benefits as applicable under the law.

• To fulfill the labor obligations contracted by STARTUP as an employer.

• Execute academic, social, labor, recreational, and welfare agreements with public and private entities for the benefit of the group of employees and their families. For this purpose, STARTUP may send, transmit, or transfer personal data to the entities with which it enters into agreements.

• Contract labor benefits with third parties, such as life insurance, medical expenses, among others.

• Notify authorized contacts in case of emergencies during working hours or in connection with the development of the same.

• Coordinate the professional development of employees, access to the employer's IT resources, and provide support for their use.

• Plan business activities.

• Send, transmit, and/or transfer the information collected to its linked companies, subsidiaries, affiliates, controlling and controlled companies in Colombia and abroad.

• Send and/or share to the emails and/or mobile phones provided by the employee and their family, labor information, human resources information, and information about academic, financial, social, labor, recreational, and welfare agreements with public and private entities for the benefit of the group of employees, collaborators, and their families.

• To fulfill the obligations contracted by STARTUP with its Clients when acquiring our products.

• Provide the services and/or products required and/or contracted by clients.

• Know and use the necessary and required information owned by the client for the implementation, provision, development, and support of the products and/or services of STARTUP contracted by the client.

• Provide users, passwords, and access codes to the products and/or services of STARTUP contracted by the client.

• For the administration and control of accounting and financial information.

• For debt collection management directly or through third parties.

• Send to the physical, electronic, mobile phone, via text messages (SMS and/or MMS), or through any other analog and/or digital communication means created or to be created, commercial, technical, advertising, or promotional information about the products and/or services, events and/or promotions of a commercial or non-commercial nature, in order to promote, invite, direct, execute, inform, and generally carry out campaigns, promotions, or contests of a commercial or advertising nature, conducted by: i) STARTUP; ii) the linked companies, subsidiaries, affiliates, controlling or controlled companies of STARTUP, their distributors and strategic allies located in Colombia or any other country; and/or iii) by third parties.

• For the determination of pending obligations, the consultation of financial information and credit history, and the reporting to information centers of unpaid obligations regarding their debtors.

• To train sellers and agents in basic aspects of commercial management of the products offered by STARTUP.

• Invitation to training sessions.

• Provide, share, transmit, transfer, send or deliver their personal data to linked companies, subsidiaries, affiliates, controlling or controlled companies of STARTUP, their distributors and strategic allies located in Colombia or any other country in the event that such companies require the information for the purposes indicated here and to contact the Data Subject to offer them goods or services of their interest.

• Market research, demand generation, establishing market shares, marketing campaigns, and invitations to events organized by STARTUP.

• Inform about new products or services and/or changes to them.

• Use the various services through STARTUP's websites, software, and applications, including downloads of content, documents, and formats.

• To fulfill contractual obligations.

• To process payments and verify outstanding balances.

• To register in STARTUP's accounting and administrative systems.

• For the administration and control of accounting and financial information.

• For evaluating compliance with obligations.

• To invite them to participate in selection processes and events organized or sponsored by STARTUP.

• For the recognition, protection, and exercise of the rights of the shareholders of the company;

• For the payment of dividends;

• To contact them and/or send them via email, mobile phone, physical mail, or by any other means, financial, commercial, organizational, administrative, accounting, promotional, and advertising information, and in general any type of information from the company, either by fulfilling a legal duty, at the request of the shareholder, or by the simple will of the company;

• To carry out any type of processing in compliance with the rights, duties, and obligations established by law in favor of the shareholder and/or the company;

• If the shareholder has any other type of legal and/or commercial link with the company, either as an advisor, contractor, contracting party, or employee, for the development and execution of the commercial and/or labor relationship;

• To eventually contact, via email, mobile phone, or by any other means, the shareholders for the purposes mentioned above.

On STARTUP's websites, cookies and other tools are used to collect information from visitors; simply by entering these websites, the following information may be automatically obtained:


• The hyperlinks clicked.


• Information about the browser being used.


• Details of the pages viewed.


• Your IP address


• The sites visited before arriving at the Portal. Considering the above, if the data subject does NOT want this information to be collected automatically, they must disable the automatic acceptance setting in their Internet browser. There, they can block it, as well as detect when such information is being sent to their device. It should be noted that if cookies are disabled, the experience on the website may be affected.

STARTUP may obtain personal information from public databases or from third parties authorized by the data subject to share, transmit, or transfer information.

The processing of sensitive personal data is prohibited by law, unless there is express, prior, and informed authorization from the data subject, among other exceptions provided in Article 6 of Law 1581 of 2012.
‍


In situations where STARTUP collects and processes sensitive data, it will inform the data subject that granting consent in that case is completely optional. Additionally, the data subject will be informed of which information collected is considered sensitive.

According to the provisions of Article 7 of Law 1581 of 2012 and Article 12 of Decree 1377 of 2013, STARTUP will only process data related to children and adolescents, as long as this processing responds to and respects the best interests of children and adolescents and ensures the respect of their fundamental rights.



Once the above requirements are met, STARTUP must obtain the authorization of the legal representative of the child or adolescent, prior to exercising the minor's right to be heard, an opinion that will be valued considering the maturity, autonomy, and ability to understand the matter.

Data subjects or authorized persons may raise inquiries about any information held in the databases managed by STARTUP. Once STARTUP receives the inquiry, it will take the steps described below. Please note that the inquiry may be sent and/or processed through the channels provided by STARTUP to address matters related to privacy and the protection of personal data. Preferably, the subject of reference should be: "habeas data".


A. STARTUP will verify the identity of the requester (Copy of the identity document C.C., T.I., C.E. or passport; and power of attorney when made through an authorized person) to determine if they are legitimized to raise the inquiry and if they are, under reasonable parameters, the same subscriber.


B. If the requester has the credentials and/or authorizations to raise the inquiry, then STARTUP will proceed to address it within the following ten (10) business days, counted from the receipt of the inquiry.


C. If the requester does not have the corresponding credentials and/or authorizations to inquire about certain personal data, they will be informed within ten (10) business days, counted from the receipt of the inquiry. In this case, the requester will be given the option to demonstrate their capacity or authorization to raise the inquiry by providing additional information.


D. If in points 3 and 4 the inquiry cannot be addressed within ten (10) business days, the requester will be contacted to inform them of the reasons why the status of the request is "in process". However, the final response cannot exceed five (5) business days following the expiration of the initial term.


E. Responses will preferably be sent by email or by a similar means to which they were received. In any case, the final responses to all requests cannot take more than fifteen (15) business days from the date the initial request was received by STARTUP.


F. STARTUP will keep a copy of all inquiries, in case the data subjects or authorized persons wish to have a copy of them eventually.

Data subjects or authorized persons may file complaints or claims regarding personal data to STARTUP and its Managers. Please note that complaints may be sent through the channels provided by STARTUP. Please note that complaints may concern:


• Incorrect information.


• Absence of authorization or consent in the terms of Law 1581 of 2012 or, failing that, Article 10 of Decree 1377 of 2013.


• Outdated or biased information.


• Non-compliance by STARTUP with the duties or obligations in accordance with the RGDPC.


• Lack of integrity or security of the information (providing sufficient reasons).
• Information that is desired to be deleted.


• Revocation of information.


The handling of complaints will be processed under the following rules:

A. STARTUP will verify the identity of the requester to determine if they are legitimized to file the complaint (Copy of the identity document C.C., T.I., C.E. or passport; and power of attorney when made through an authorized person).


B. The complaint must contain the following points:

(i) name and surname of the data subject;

(ii) brief description of the facts, and

(iii) reason or purpose of the complaint. Additionally, if applicable, the relevant documentation or evidence must be attached to support the complaint.


C. If the complaint is incomplete, STARTUP may request the complainant to rectify the complaint within the following five (5) business days, counted from the date of receipt of the complaint. The complainant will have a term of two (2) months to provide and submit the required documentation; otherwise, it will be understood that the complainant has withdrawn the complaint.


D. STARTUP will, within two (2) business days following the date of receipt of the complaint, include in its Database a legend stating "complaint in process" in the personal data that is the subject of the complaint.


E. STARTUP will respond to the complaint within the following fifteen (15) business days counted from the day after the date of receipt. If it is not possible to address the complaint within that term, the interested party will be informed of the reasons for the delay and the date on which their complaint will be addressed. In any case, the complaint cannot exceed eight (8) business days following the expiration of the initial term.

‍

Data subjects may revoke the authorization granted to STARTUP for the processing of their personal data or request the deletion of the same at any time, provided that a legal or contractual provision does not prevent it. The request for revocation of the processing authorization or the deletion of personal data must be made through the means provided here by STARTUP for the attention of requests, complaints, and/or claims.


For this purpose, it should be noted that the revocation of consent can be expressed, on the one hand, totally in relation to the authorized purposes, and therefore STARTUP must cease any data processing activity; and on the other hand, partially in relation to certain types of processing, in which case these will be the ones for which processing activities will cease, such as for advertising purposes, among others. In this latter case, STARTUP may continue processing personal data for those purposes for which the data subject has not revoked their consent.


The data subject also has the right, at any time, to request STARTUP to delete their Personal Data as long as:


A. They consider that the Personal Data is not being processed in accordance with the principles, duties, and obligations set forth in the RNBD.


B. They have ceased to be necessary or relevant for the purposes for which they were collected.


C. The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.
‍


Please note that if the request for deletion is granted, due to the absence of a legal or contractual obligation to retain the Personal Data, the direct consequence is the total or partial deletion of their Personal Data, without which in some cases they may not obtain our services.


The right to deletion is not absolute, and STARTUP may deny the exercise of it when:


A. There is a legal or contractual obligation to remain in the Database.


B. The deletion may hinder judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.


C. The Personal Data is necessary to protect the legally protected interests of the data subject.


D. An action is to be taken in the public interest.


E. It is acted upon to comply with a legally acquired obligation by the data subject.
Requests for revocation of processing authorizations or deletion of personal data will be governed by the same procedure established here for complaints and claims in numeral 14.2.