WEKall BIC S.A.S. (STARTUP) PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. OBJECTIVE

WeKall BIC S.A.S. (hereinafter “STARTUP”) seeks to guarantee the protection of personal data or any other type of information that is used or stored in its databases and files, guaranteeing the constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or archives. All this is in accordance with the provisions of article 15 of the Political Constitution, Law 1266 of 2008, Law 1581 of 2012 and other regulatory decrees.
In accordance with the above, STARTUP adopts this policy for the processing of personal data, which will be informed to all the owners of the data collected or that in the future will be obtained in the exercise of the company's own activities in the development of its corporate purpose, thus guaranteeing Habeas Data's constitutional right, privacy, privacy and good name in the processing of personal data.

2. IDENTIFICATION OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

WeKall BIC S.A.S. (STARTUP) has its registered office in the city of Cali (Valle), and its main office
It is located at 28N Street # 2BN -86.
PHONE: (2) 4864645
EMAIL: protecciondedatos@wekall.co
OFFICIAL WEBSITE: www.wekall.co

3. REACH

This Personal Data Protection Policy will apply to all Databases and/or Files containing Personal Data of natural persons that are subject to Treatment by STARTUP.
This policy will apply to all workers, third parties, customers, distributors, suppliers or contractors who carry out Personal Data Processing in the development of their business or employment relationship with STARTUP, or to whom a general or specific task has been commissioned, from which a particular Processing of Personal Data is derived. This policy will not apply when STARTUP acts as Processor, since the order implies the delimitation of the purposes on the part of the third party that contracts and transmits its databases to STARTUP, giving precise instructions regarding the processing that must be given to Personal Data. In this regard, when STARTUP is a Data Processor, it will be subject to the Data Controller's Information Processing policy. Finally, this policy will apply to third parties with whom STARTUP has signed a contract for the transmission or transfer of Personal Data or provides information for the development of particular activities, provided that STARTUP acts in its capacity as Responsible.

4. DEFINITIONS

The relevant terms in this information processing policy will have the meaning assigned to them below, or the meaning that precedes the term in quotation marks in the parenthesis. Authorization: This is the verbal or written communication generated by STARTUP addressed to the Owners to inform them of the existence of this Policy, the way to access it and by means of which, by clicking, they carry out unambiguous behavior authorizing the Processing of their Personal Data for the purposes and under the terms of this Policy.
Authorized: These are those people who can exercise the rights of the Owner, such as the Owner, proving their identity through the means at their disposal, the creditors who prove that quality, the representative and/or proxy being accredited by means of a power of attorney or legal representation and those who, by stipulation in favor of another or for another, are accredited.
Database: Organized set of Personal Data that are subject to processing by STARTUP. Personal Data: It is any information linked to or that can be associated with one or more specific or determinable natural persons. Some examples of personal data include the following: name, citizenship card, address, email, telephone number, civil status, health data, fingerprint, salary, assets, financial statements, etc. Private Data: Data that, due to its intimate or reserved nature, is only relevant to the Owner.
Public Data: It is the data qualified as such according to the mandates of the law or the Political Constitution and all those that are not semi-private, private or sensitive. Public data are considered to be those relating to the civil status of individuals, their profession, the identification number, and other data contained in public records, public documents, duly enforceable judicial judgments that are not subject to reserve official gazettes and bulletins.
Semi-private data: is one that is not intimate, reserved, or public and whose knowledge or disclosure may interest not only its Owner but also a certain sector or group of people or society in general, such as the financial and credit data of commercial activity.
Sensitive data: Information that affects the Owner's privacy or whose misuse may lead to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social or human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition politicians, as well as data relating to health, sexual life and biometric data, among others, the capture of a still image or movement, fingerprints, photographs, irises, voice, facial or palm recognition, etc.
Titular: Natural person whose Personal Data is subject to Treatment.
Data Processor: This is the natural or legal person, public or private, who by himself or in association with others carries out the Processing of Personal Data on behalf of a Data Controller. In relation to the state contracts that STARTUP signs with public entities, it acts as a manager to the extent that it receives instructions and guidelines based on the contractual object.
Responsible for the Treatment: It is the natural or legal person, public or private, who, on his own or in association with others, decides on the Database, the Processing of Personal Data and/or the purposes and conditions of the Treatment. For these purposes, the Responsible Party will be STARTUP, however, taking into account the commercial activities of STARTUP, it will act as Processor when carrying out any Processing on the Databases sent to it by the entities that contract its services, provided that they determine the purposes and guidelines of the treatment.
Treatment: It is any operation or set of operations on Personal Data, such as collection, administration, storage, use, circulation, transmission, transfer or deletion. Transfer: It occurs when the Responsible and/or Processor of Personal Data, located in Colombia, sends the information or Personal Data to a recipient, who in turn is the Data Controller and is located inside or outside the country. Transmission: This is the Processing of Personal Data that involves the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out a Treatment by the Processor on behalf of the Responsible. Information Processing Policy: This document contains the guidelines for the Processing of Personal Data that arise in any type of Processing carried out by STARTUP on Personal Data. In particular, this includes the purposes, the types of Treatment, the rights of the Data Controllers, the procedures to guarantee those rights and the people within STARTUP responsible for dealing with inquiries, complaints and/or claims.
Privacy Notice: Verbal or written communication generated by the Data Controller, addressed to the Data Controller for the processing of their personal data, informing them of the existence of the information processing policies that will be applicable to them, the way to access them and the purposes of the intended processing of personal data.
Complaint: Request from the Data Subject or from the persons authorized by the Data Subject or by the Law to correct, update or delete their personal data or to revoke the authorization in the cases established by the Law.
RGDPC or General Regime for the Protection of Colombian Personal Data: it is the set of rules that regulate the Processing of Personal Data in Colombian territory, such as Article 15 of the Colombian Political Constitution; Law 1266 of 2008, Law 1581 of 2012; Decree 1377 of 2013; Decree 1074 of 2015; Decree 886 of 2014; and other regulations that modify or add them.

5. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

For the purpose of ensuring the protection of personal data, STARTUP will apply the following principles in a harmonious and comprehensive manner, in the light of which the collection, management, use, processing, storage, transfer and transmission of personal data must be carried out:
Principle of Legality: Data processing is a regulated activity, which must be subject to the current and applicable legal provisions governing the matter. Principle of Purpose: The Treatment will serve a legitimate purpose in accordance with the Political Constitution of Colombia, applicable laws and other regulations that develop them. The Owner will be informed in a clear, sufficient and prior manner about the purpose of the information provided.
Principle of Freedom: The Treatment will be exercised only with the prior, express and informed consent of the Owner. Personal Data that is collected without the above-mentioned consent will be authorized by Law or by the implementation of efficient communication mechanisms, without prejudice to the request for the deletion of Personal Data that may eventually be submitted by the Owner and that is appropriate for the absence of a legal or contractual obligation that prevents it. Principle of Truthfulness or Quality: Information subject to Personal Data Processing must be true, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractional or misleading data is prohibited. Principle of Transparency: In the Processing of Personal Data, the right of the Data Controller to obtain, at any time and without restrictions, information about the existence of data concerning him is guaranteed.
Principle of Access and Restricted Circulation: The processing of personal data may only be carried out by persons authorized by the Owner and/or by persons provided for by the Law. Personal data, with the exception of public information, may not be available on the internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to owners or third parties authorized by law. For these purposes, STARTUP's obligation will be medium.
Principle of Safety: information subject to processing by STARTUP must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.
Principle of Confidentiality: All people who at STARTUP manage, manage, update or have access to information of any kind found in Databases, are obliged to guarantee the confidentiality of the information, so they undertake to keep and keep in a strictly confidential manner and not to disclose to third parties, all the information they come to know in the execution and exercise of their functions; except in the case of activities expressly authorized by data protection law.

6. PURPOSES OF THE PROCESSING OF PERSONAL DATA.

STARTUP, acting as Responsible for the Processing of Personal Data, for the proper development of its business activities, as well as for the strengthening of its relationships with third parties, collects, stores, uses, circulates and suppresses Personal Data corresponding to natural persons with whom it has or has had a relationship, such as, without limitation, workers and their families, shareholders, customers, distributors, suppliers, creditors and debtors, for the following purposes or purposes:

6.1. General Purposes of Personal Data Processing

• Allow the Owners to participate in marketing and promotional activities carried out by STARTUP.
• Execute the existing contractual relationship with its customers, suppliers and workers, including the payment of contractual obligations, as well as the assistance, consulting and support necessary to fulfill the obligations arising from the business relationship.
• Materialize potential commercial and/or legal relationships with people interested in being clients, suppliers or employees of STARTUP.
• Do your own administrative, accounting and fiscal management, including but not limited to billing management, collection and payment management, supplier management, customer management and reporting to tax authorities.
• Evaluate the quality of the service, carry out market studies and statistical analysis for internal uses.
• Operate and improve your service desk.
• Respond to queries, requests, complaints and claims that are made by the Data Controllers and control bodies and transmit the Personal Data to other authorities that, by virtue of applicable law, must receive the Personal Data.
•To eventually contact, via email, or by any other means, natural persons with whom you have or have had a relationship, such as, without the enumeration implying limitation, workers and their families, shareholders, consumers, customers, distributors, suppliers, creditors and debtors, for the above-mentioned purposes.
• Transfer or transmit the information collected to different areas of the company and to its related, subsidiary, affiliated, controlling and controlled companies in Colombia and abroad when this is necessary for the development of its operations (portfolio collection and administrative collections, treasury, accounting, marketing, promotion and advertising, among others).
• Send certain mandatory service communications, such as welcome letters (installation and activation instructions), payment reminders, information about technical and commercial service issues, and security announcements.
• To meet judicial or administrative requests and to comply with judicial or legal orders.
• Register your personal data in STARTUP's information systems and in its commercial and operational databases.
• Support internal or external auditing processes.
• Any other activity of a nature similar to those described above that are necessary to develop the corporate purpose of STARTUP.
• Those indicated in the authorization granted by the data subject or described in the respective privacy notice, as the case may be.

6.2. Regarding the Personal Data of Our Workers and Job Applicants

• Develop the selection, evaluation, and employment relationship process.
• Manage and operate, directly or through third parties, personnel selection and engagement processes, including the evaluation and qualification of participants and the verification of work and personal references, and the conduct of medical, psychological and safety studies.
• Record the information of workers and/or retirees, and their families (active and inactive) in the STARTUP databases.
• Develop the activities of Human Resources management within STARTUP, such as payroll, affiliations to entities of the general social security system, welfare and occupational health activities for workers and their families, exercise of the employer's sanctioning power, among others.
• Make the necessary payments derived from the execution of the employment contract and/or its termination, and any other social benefits that may arise in accordance with applicable law.
• To fulfill the employment obligations contracted by STARTUP as an employer.
• Execute academic, social, labor, recreational and welfare agreements with public and private entities for the benefit of the group of workers and their families. For the above purpose, STARTUP may send, transmit or transfer personal data with the entities with which it enters into agreements.
• Take out employment benefits with third parties, such as life insurance, medical expenses, and others.
• Notify authorized contacts in case of emergencies during working hours or during working hours.
• Coordinate the professional development of workers, the access of workers to the employer's computer resources and provide support for their use.
• Plan business activities.
• Send, transmit and/or transfer the information collected to its related, subsidiary, affiliated, controlling and controlled companies in Colombia and abroad.
• Send and/or share to the emails and/or cell phones provided by the worker and his family, work information, information specific to human resources, and academic, financial, social, labor, recreational and welfare agreements with public and private entities for the benefit of the group of workers, collaborators and their families.

6.3. Regarding the Personal Data of Customers and Prospects.

• To fulfill the obligations contracted by STARTUP with its Customers when purchasing our products.
• Provide the services and/or products required and/or contracted by customers.
• Know and use the necessary and required information owned by the customer for the implementation, provision, development and support of the STARTUP products and/or services contracted by the customer.
• Provide users, passwords and access codes to the STARTUP products and/or services contracted by the customer.
• For the administration and control of accounting and financial information.
• For portfolio collection management directly or through third parties.
• Send commercial, technical, advertising or promotional information to physical email, via text messages (SMS and/or MMS) or through any other analogous and/or digital means of communication created or to be created, commercial, technical, advertising or promotional information about products and/or services, events and/or promotions of a commercial nature or not of these, in order to promote, invite, direct, execute, inform and, in general, carry out campaigns, promotions or contests of a commercial or advertising nature, carried out by: i) STARTUP; ii) companies related, subsidiaries, subsidiaries, subordinates or controlling or controlled companies of STARTUP, its distributors and strategic allies located in Colombia or any other country; and/or iii) by third parties.
• For the determination of outstanding obligations, the consultation of financial information and credit history and the reporting to information centers of unfulfilled obligations, with respect to their debtors.
• To train sellers and agents in basic aspects of commercial management of the products offered by STARTUP.
• Invitation to training.
• Provide, share, transmit, transfer, send or deliver your personal data to related companies, subsidiaries, subsidiaries, subordinates or controlling or controlled companies of STARTUP, its distributors and strategic allies located in Colombia or any other country in the event that these companies require the information for the purposes indicated here and to contact the Owner for the purpose of offering goods or services of interest to you.
• Market research, demand generation, establishing market shares, marketing campaigns, and invitations to events organized by STARTUP.
• Inform about new products or services and/or about changes to them.
• Use the different services through the STARTUP websites, software and applications, including downloads of content, documents and formats.
‍

6.4. Regarding Suppliers or Contractors and Distributors

• To comply with contractual obligations.
• To process your payments and verify outstanding balances.
• To register in STARTUP's accounting and administrative systems
• For the administration and control of accounting and financial information.
• For the evaluation of compliance with their obligations.
• To invite them to participate in selection processes and events organized or sponsored by STARTUP.

6.5. Regarding Shareholders

• For the recognition, protection and exercise of the rights of the company's shareholders;
• For the payment of dividends;
• To contact them and/or send them via email, cell phone, physical mail, or by any other means, financial, commercial, organizational, administrative, accounting, promotional and advertising information, and in general any type of company information, either for compliance with a legal duty, at the request of the shareholder or by the simple will of the company;
• To carry out any type of processing in compliance with the rights, duties and obligations established by law in favor of the shareholder and/or the company;
• If the shareholder has any other type of legal and/or commercial link with the company, whether as an advisor, contractor, contractor or worker, for the development and execution of the commercial and/or employment relationship;
• To eventually contact, via email, cell phone, or any other means, shareholders for the purposes mentioned above.

7. RIGHTS OF THE OWNERS

This policy informs and guarantees the right to habeas data of the Data Subjects, such as the right of the Personal Data Holder to require the Data Controllers to access, include, delete, correct, add, update and certify the data. In this regard, and in accordance with the GDPR, the Owner has the following rights:
unto. To know, update, modify and rectify Personal Data in front of the Data Controllers or Processors free of charge, in accordance with the provisions of article 21 of Decree 1377 of 2013.
b. Request proof of the authorization granted to STARTUP, or, failing that, the implementation of efficient or alternative communication mechanisms, in accordance with Article 10 of Decree 1377 of 2013. This authorization can be granted verbally, in writing or through conclusive behavior such as through a click accepting the conditions and terms of use of the website and this Policy in the case of users, so such a copy may be a screenshot or other means that proves the authorization has been granted.
C. Request information about the uses and purposes to which your Personal Data is being submitted.
D. Submit complaints for violations to the Superintendency of Industry and Commerce regarding Personal Data, upon request, consultation or complaint addressed to STARTUP or the Personal Data Processor.
And. Revoke the authorization and/or request the deletion of your Personal Data and its storage in STARTUP databases, provided that there is no legal or contractual duty that prevents the exercise of this right of deletion.
F. Free access to your personal data that has been processed, at least once every calendar month, and every time there are substantial changes to this policy that motivate new inquiries.
g. The other rights that are conferred by the Personal Data Protection Regime.
The above rights may only be exercised by those Owners or Authorized Persons who sufficiently prove their identification with the relevant documentation or reliable credentials.

8. STARTUP DUTIES AS RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

STARTUP is aware that Personal Data is the property of the people to whom they refer and only they can decide on them. In this sense, STARTUP will use the Personal Data collected only for the purposes for which it is duly empowered and in compliance, in any case, with current regulations on the Protection of Personal Data. STARTUP will meet the duties provided for Data Controllers, contained in article 17 of Law 1581 of 2012 and the other regulations that regulate, modify or replace it. In the activities in which STARTUP acts as Data Processor, it will meet the duties established for them in article 18 of Law 1581 of 2012 and the other regulations that regulate, modify or replace it.

9. SOURCES OF INFORMATION

STARTUP collects information from the following sources:

9.1. Directly from the owner of the information.

9.2. Automatically when the owner of the information uses the STARTUP websites or applications.

The STARTUP websites use cookies and other tools that collect information from those who visit them; simply by entering these websites, the following information can be obtained automatically:
• The hyperlinks you clicked on.
• Information about the browser you are using.
• Details of the pages you viewed.
• Your IP address
• The sites you visited before arriving at the Portal Taking into account the above, if the Data Subject DOES NOT want it to be collected automatically, you must disable the automatic acceptance settings in your Internet browser. There you can block it, as well as detect when such information is being sent to your computer. It should be noted that, if cookies are disabled, the experience on the website may be affected.

9.3. From other sources.

STARTUP may obtain personal information from public databases or from third parties authorized by the data subject to share, transmit or transfer information.

10. AUTHORIZATION

STARTUP will request prior, express and informed authorization from the Holders of the Personal Data for whom it requires carrying out the Treatment. Authorization to STARTUP for the processing of personal data will be granted by: i) The owner, who must prove their identity sufficiently by the various means made available to STARTUP; ii) The owner's legal entity, who must prove such quality; iii) The representative and/or agent of the owner, after accreditation of the representation or power of attorney; iv) Another for or for which the owner has stipulated.

STARTUP will obtain authorization through different means, including a physical document, electronic document, data message, Internet, Web Sites, Oral form (through a telephone conversation or video conference) or in any other format that in any case allows obtaining consent through unambiguous conduct through which it is concluded that if it had not been provided by the owner or the person entitled to do so, the data would not have been stored or captured in the database.

11. SPECIAL PROVISIONS FOR THE PROCESSING OF PERSONAL DATA

11.1. Processing of Sensitive Personal Data

The Processing of Personal Data of a sensitive nature is prohibited by law, unless there is express, prior and informed authorization from the Owner, among other exceptions enshrined in Article 6 of Law 1581 of 2012.
‍
In situations where STARTUP collects and processes Sensitive Data, it will inform the Data Controller that the granting of consent in this case is completely optional and optional. Additionally, the Data Controller will be informed of what information collected is considered to be sensitive.

11.2. Treatment of Personal Data of Children and Adolescents

In accordance with the provisions of Article 7 of Law 1581 of 2012 and Article 12 of Decree 1377 of 2013, STARTUP will only carry out the Treatment, corresponding to children and adolescents, provided that this Treatment responds to and respects the best interests of children and adolescents and ensures respect for their fundamental rights.

Once the above requirements have been met, STARTUP must obtain the Authorization of the legal representative of the child or adolescent, after the minor's exercise of his right to be heard, an opinion that will be evaluated taking into account his maturity, autonomy and ability to understand the matter.

12. PERSONAL DATA SECURITY

In compliance with the security principle established in current regulations, STARTUP will adopt the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.

The obligation and responsibility of STARTUP is limited to having the appropriate means for this purpose. STARTUP does not guarantee the total security of your information nor is it responsible for any consequence derived from technical failures or improper access by third parties to the Database or file on which the Personal Data subject to Processing by STARTUP and its Managers are located.

STARTUP will require the service providers it contracts and their subsidiaries, subsidiaries, controlling or controlled companies, subordinates, their distributors and strategic allies, to adopt and comply with appropriate technical, human and administrative measures and those established here for the protection of Personal Data in relation to which such third parties act as Processors.

13. AREA RESPONSIBLE FOR THE IMPLEMENTATION, OBSERVANCE OF THIS POLICY AND ATTENTION TO THE OWNER OF PERSONAL DATA

The HABEAS DATA area of STARTUP is designated to work on the development, implementation, training, observance of this Policy, and the response to requests, inquiries, complaints and complaints before which the Data Subject may exercise their rights to know, update, rectify and delete data and revoke authorization, in accordance with the procedures described and through the channels provided in these policies.

This area is located at the address and headquarters of STARTUP located at Calle 28N # 2BN - 86, Cali (Valle), and can be contacted at protecciondedatos@wekall.co.

14. PROCEDURE FOR DEALING WITH INQUIRIES, COMPLAINTS, REQUESTS FOR RECTIFICATION, UPDATING AND DELETION OF DATA

The terms and manner of submitting will be described below: (i) inquiries; (ii) complaints or claims; or (iii) requests for revocation of authorization or deletion of Personal Data. The Owners may initiate these procedures to guarantee their rights to habeas data or to report a breach that, in their opinion, they consider serious in relation to the obligations borne by STARTUP. Requests submitted by the owners or authorized persons will be answered in the legal terms established in Law 1581 and its regulatory decrees.
The channels that STARTUP has implemented so that the owner can exercise their rights and submit respectful requests are the following:
• Written communication sent to the address and main office of STARTUP located at Calle 28N # 2BN - 86, Cali (Valle).
• Request submitted to the email: protecciondedatos@wekall.co
These channels may be used by Personal Data Holders, or third parties authorized by law to act on their behalf, in order to exercise the following rights:

14.1. Consultations

The Owners or Authorized Persons may submit inquiries about any information that is stored in the Databases managed by STARTUP. Once STARTUP receives the consultation, it will proceed with the steps described below. Please note that the query may be sent and/or processed through the channels provided by STARTUP to address issues related to privacy and the protection of Personal Data. Preferably, the reference subject should be: “habeas data”.
unto. STARTUP will verify the identity of the applicant (Copy of the identity document C.C., T.I., C.E. or passport; and power of attorney when authorized) to determine if he is entitled to submit the query and if he is, under reasonable parameters, the same subscriber.
b. If the applicant has the credentials and/or authorizations to submit the query, then STARTUP will proceed to respond to it within the next ten (10) business days, counting from the receipt of the consultation.
C. If the applicant does not have the appropriate credentials and/or authorizations to consult certain Personal Data, they will be informed within ten (10) business days, counting from the receipt of the query. In this case, the applicant will be given the option to demonstrate the ability or authorization to submit the query, providing additional information.
D. If in points 3 and 4 the query cannot be answered within ten (10) business days, the applicant will be contacted to inform him of the reasons why the status of the request is being “processed”. However, the final answer may not exceed five (5) business days following the expiration of the first term.
And. Responses will preferably be sent by email or by a similar means to which they were received. In any case, definitive responses to all requests cannot take more than fifteen (15) business days from the date on which the initial request was received by STARTUP.
F. STARTUP will keep a copy of all inquiries, in case the Owners or Authorized Authorizers want a copy of them eventually.

14.2. Complaints or Claims

The or Authorized Owners may submit complaints or claims in relation to Personal Data to STARTUP and its Managers. Please note that complaints may be sent through the channels provided by STARTUP. Please note that complaints may relate to:
• Incorrect information.
• Absence of authorization or consent under the terms of Law 1581 of 2012 or, failing that, of Article 10 of Decree 1377 of 2013.
• Outdated or biased information.
• STARTUP's failure to comply with duties or obligations in accordance with the GDPR.
• Lack of integrity or security of information (giving sufficient reasons).
• Information that you want to delete.
• Revocation of information.
The handling of complaints and claims will be processed under the following rules:
unto. STARTUP will verify the identity of the applicant to determine if they are entitled to file the claim (Copy of the identity document C.C., T.I., C.E. or passport; and power of attorney when authorized).
b. The complaint must contain the following points: (i) name and surname of the Personal Data Holder; (ii) brief description of the facts, and (iii) reason or purpose of the complaint. Additionally, if this is the case, you must attach the relevant documentation or evidence to support the claim.
C. If the complaint is incomplete, STARTUP may ask the complainant to remedy the complaint within the next five (5) business days from the date of receipt of the complaint. The claimant will have a period of two (2) months to provide and submit the required documentation, otherwise it will be understood that the claimant has withdrawn the claim.
D. STARTUP, within two (2) business days following the date of receipt of the complaint, will include in its Database a legend that says “pending claim” in the Personal Data that is being the subject of the complaint.
And. STARTUP will respond to the complaint within the next fifteen (15) business days from the day following the date of its receipt. If it is not possible to address the complaint within that period, the interested party will be informed of the reasons for the delay and the date on which their complaint will be dealt with. In any case, the claim cannot exceed eight (8) business days following the expiration of the first term.

14.3. Revocation of Authorization or Deletion of Personal Data

The owners of personal data can at any time revoke the authorization granted to STARTUP for the processing of their personal data or request the deletion of the same, as long as this is not prevented by a legal or contractual provision. The request to revoke the authorization for processing or the deletion of personal data must be made through the means provided here by STARTUP to respond to requests, complaints and/or complaints.
For the foregoing, it should be noted that the revocation of consent can be expressed, on the one hand, completely in relation to the authorized purposes, and therefore STARTUP must cease any data processing activity; and on the other hand partially in relation to certain types of processing, in which case it will be these that the processing activities will cease, such as for advertising purposes, among others. In the latter case, STARTUP may continue to process personal data for those purposes for which the owner has not revoked his consent.
The Owner also has the right, at any time, to request that STARTUP delete their Personal Data whenever:
unto. Consider that Personal Data is not being treated in accordance with the principles, duties and obligations set out in the RNBD.
b. They are no longer necessary or relevant for the purposes for which they were collected.
C. The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.
‍
Please note that if the request for deletion is appropriate, because there is no legal or contractual duty to keep the Personal Data, the direct consequence is the total or partial deletion of your Personal Data, without which in some cases you will not be able to obtain our services.
The right of deletion is not absolute and STARTUP may deny the exercise of the same when:
unto. There is a legal or contractual duty to remain in the Database.
b. The suppression may hinder judicial or administrative actions related to fiscal obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
C. Personal Data is necessary to protect the Data Controller's legally protected interests.
D. An action will be taken based on the public interest.
And. Action is taken to comply with a legally acquired obligation by the Owner.
Requests to revoke processing authorizations or to delete personal data will be governed by the same procedure established here for complaints and claims in paragraph 14.2.

15. DATA COLLECTED BEFORE THE ISSUANCE OF DECREE 1377 OF 2013:

In accordance with the provisions of Article 10 of Regulatory Decree 1377 of 2013 (Decree 1074 of 2015) STARTUP will publish a notice on its official website www.wekall.co addressed to owners of personal data for the purpose of publicizing this information processing policy and how to exercise their rights as holders of personal data stored in the STARTUP databases.

16. TRANSFER, TRANSMISSION AND DISCLOSURE OF PERSONAL DATA

STARTUP may disclose to its affiliated, subsidiary, subsidiary or subordinate companies the Personal Data on which it carries out the Processing, for use and Processing by the above-mentioned related companies in accordance with the purposes established here, those set out in the processing authorizations, and in accordance with this Personal Data Protection and Processing Policy.
STARTUP may also provide Personal Data to third parties not linked to STARTUP when: i) These are contractors and/or suppliers executing contracts or providing services for the development of STARTUP activities; ii) By transfer to any capacity of any line of business to which the information relates.
In any case, when STARTUP sends or transmits data to one or more Processors located inside or outside the territory of the Republic of Colombia, the Data Processors must carry out the processing in accordance with the purposes, scope, legal principles and conditions described in these policies, which they declare and accept upon the simple receipt of personal data.
In addition to the above, the Manager must:
unto. Comply with the legal obligations and those established here in your capacity as Data Processor with respect to the Data Subject and STARTUP.
b. To adequately protect personal data and databases as well as to keep confidential with regard to the processing of transmitted data.
C. STARTUP will require managers and their subsidiaries, subsidiaries, subsidiary and subordinate companies to adopt and comply with appropriate technical, human and administrative measures for the protection of Personal Data in relation to which such third parties/suppliers act as Processors.
STARTUP will not request authorization when the international transfer of data is covered by any of the exceptions provided for in the Act and its Regulatory Decrees.

17. VALIDITY

This personal data protection policy is effective as of September 30, 2017 and leaves out any special regulations or manuals that may have been adopted prior to this one.
Any non-substantive changes to these policies will not be notified directly to the Holders. However, the change in the area responsible for Personal Data protection issues, the material modification of the purposes, the channels for exercising the rights of the owners, or the contact details of STARTUP, will be informed through the official STARTUP website www.wekall.co, or by email to the Owners, or by any other available means.
Document version 2.1 10/MAR/2020

18. APPLICABLE LAW

This Personal Data Protection Policy is governed by the provisions of current legislation on the protection of Personal Data referred to in Article 15 of the Political Constitution of Colombia, Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013, Decree 1074 of 2015, Decree 1727 of 2009 and other regulations that modify, repeal or replace them.