Privacy and personal data protection policy

PRIVACY AND PERSONAL DATA PROTECTION POLICY

ARLI S.A.S.

I. Purpose

The purpose of this Privacy and Personal Data Protection Policy (hereinafter “Privacy Policy”) is to comply with the Colombian regulations regarding Personal Data Protection.

II. Scope

This Privacy Policy is applicable both to ARLI S.A.S. (hereinafter “Arli”), as data controller, to its direct and indirect employees, as well as to all those third parties, whether individuals or companies, to whom they transmit personal data collected by Arli, when they carry out data processing on behalf of Arli.

III. Identification of the data controller

Company name: ARLI S.A.S.
Address: Bogotá, Colombia
Address: 70 Bis Street No. 4-54
E-mail address: info@arli.cloud

IV. Definitions

For the purposes of this Privacy Policy, the following terms shall be understood to mean:

“Adolescent”: persons between 12 and 18 years of age.
“Authorization”: the prior, express and informed consent of the holder of personal data to carry out the processing of his/her personal data.
“Privacy notice”: the document generated by the data controller to inform the holder about the processing of his/her personal data.
“Database”: the organized set of physical or electronic personal data that is the subject of manual or automated processing.
“Personal data”: any information linked or capable of being associated with one or more specific or determinable individuals.
“Private data”: data that due to its intimate or reserved nature is only relevant to the Data Subject.
“Public data”: data qualified as such according to the mandates of the law or the Political Constitution of Colombia.
“Sensitive data”: data that affect the privacy of the holder of personal data or whose improper use may generate discrimination.
“Semi-private data”: data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its owner, but also to a group of persons or to society in general.
“Processor”: any natural or legal person, public or private, who alone or in association with others, carries out the processing of personal data on behalf of the controller.
“Child”: persons between 0 and 12 years of age.
“Personal Data Protection Officer”: the person or area responsible for ensuring that the PQRSD regarding the protection of personal data are attended to.
“PQRSD”: Petitions, Complaints, Queries, Inquiries, Suggestions, Claims and Complaints regarding personal data protection.
“Data protection”: all the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
“Data Controller”: the natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of the data.
“Data Subject”: the individual whose personal data is the subject of processing.
“Transfer”: the transfer of data when the controller and/or processor of personal data sends the information or personal data to a recipient.
“Transmission”: the processing of personal data involving the communication of personal data within or outside the country of domicile of the controller.
“Processing”: any operation or set of operations on personal data, such as collection, storage, updating, use, circulation, transfer, transmission or deletion.

V. Guiding Principles

The following are the guiding principles regarding the protection of personal data, and shall apply to the processing carried out by the data controller, its employees and all those natural or legal third parties to whom it transmits or transfers personal data of the Data Subjects, when they carry out any processing of the same:

Principle of legality in the processing of personal data: The processing of personal data referred to in Statutory Law 1581 of 2012 is a regulated activity that must be subject to the provisions set forth therein.
Principle of purpose: The processing of personal data must obey a legitimate purpose in accordance with the Constitution and the law.
Principle of freedom: The processing of personal data can only be exercised with the prior, express and informed consent of the Data Subject.
Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable.
Principle of transparency: The right of the Data Subject to obtain information about the existence of data concerning him/her, must be guaranteed in the processing.
Principle of restricted access and circulation: Personal data, except for public information, may not be made available on the Internet or other means of mass dissemination.
Security principle: The information subject to processing shall be protected through the use of necessary measures to provide security to the records.
Principle of confidentiality: All persons involved in the processing of personal data are obliged to guarantee the confidentiality of the information.

VI. Processing to which personal data will be subjected and the purposes for which they will be used

For the purposes of this Privacy Policy, the data controller, directly or through data processors, may collect, store, use, circulate, update, delete or perform any other type of processing of the personal data of the Data Subjects, in compliance at all times with the provisions of the regulations in force and for the purposes described below:

To fulfill Arli’s corporate purpose.
Manage, administer and use all information necessary for the fulfillment of Arli’s legal and contractual obligations.
Identification of the holders.
Transmission and national and international transfer and storage and custody of information and/or personal data.
Implementation of security measures and restriction of access to databases.
Preservation of information for historical, scientific and statistical purposes.
To guarantee the exercise of any right of the holders.
Registration and control of incoming and outgoing documents.
Information systems administration.
Planning, control, measurement and follow-up of the impact of decisions.
Design, development and implementation of strategies and goals.
Sending communications related to the purposes contained in this privacy policy.
Convening and execution of programs, meetings, training and events.
Marketing and remarketing.
Offering of goods and/or services.
Campaigns to update the data.
Controls, statistics and history of the relations maintained with the holders.
Support in internal and/or external audits.
Fraud control and prevention.
Reports to competent administrative and judicial authorities.
Attention to requests made by competent authorities.
Preparation and presentation of claims and complaints.
Compliance with the obligations derived from the contracts.
Administrative, financial and accounting management.
Preparation, recording and control of financial and accounting information.
Tax management and generation of tax information.
Attention to PQRSD.
Contracting insurance policies and requesting coverage.
Application for credit or financial services.
Transfer of Personal Data to merchants and other suppliers.
Other purposes indicated in this Privacy Policy.

VII. Rights of Data Subjects

These are rights of the holders of personal data:

To know, update and rectify their personal data.
Request proof of the authorization granted to the data controller.
Be informed by the controller or processor regarding the use of their personal data.
To file complaints for violations of the regulations in force before the Superintendence of Industry and Commerce.
To revoke the authorization and/or request the deletion of the data.
Access free of charge to personal data that has been processed.

VIII. Duties of the data controller

It is the duty of the data controller:

Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
Request and keep a copy of the respective authorization granted by the holder.
Duly inform the Data Subject about the purpose of the collection and the rights he/she has.
Keep the information under the necessary security conditions.
Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable and understandable.
Update the information, communicating developments regarding the data previously provided.
Rectify the information when it is incorrect.
Provide to the data processor only data whose processing is previously authorized.
Require the data processor to respect the security and privacy conditions.
Process the PQRSD formulated.
Adopt an internal manual of policies and procedures.
Inform the data protection authority about violations.
Comply with instructions and requirements issued by competent authorities.

IX. Duties of data processors

It is the duty of the data processor to:

Comply with the Privacy Policy and protection of personal data.
Adopt necessary measures to provide security to the records.
Implement a personal data protection policy.
Treat personal data in accordance with the instructions received.
Maintain confidentiality regarding personal data.
Access personal data only when strictly necessary.
Report incidents that affect the protection of personal data.
Guarantee the full and effective exercise of the right of habeas data.
Update, rectify or delete data as required.
Adopt an internal manual of policies and procedures.
Comply with instructions and requirements issued by competent authorities.
Require authorization from the data subjects when necessary.

X. Personal Data Protection Officer

The customer service area will perform the functions of personal data protection officer.

XI. Procedure for the Data Subjects to exercise their rights

The holders or those persons who are legitimized by current regulations may submit PQRSD through the following channel:

E-mail address: support@arli.cloud

The following are the persons entitled to file PQRSD:

The holder, who must provide sufficient proof of identity.
The assignees of the holder, who must prove their status as such.
The holder’s representative and/or attorney-in

-fact.

By stipulation in favor of another or for another, provided that there is acceptance on the part of the owner.

The rights of children or adolescents shall be exercised by the persons who are empowered to represent them.

The PQRSD must contain at least:

Name and address or other means to communicate the response to your request.
Documents proving your identity or legal representation.
A clear and precise description of the personal data with respect to which it is requested to exercise any of the rights.
If applicable, the express manifestation to revoke consent to the processing of personal data.
Any other element that facilitates the location of the personal data.

The petitions, complaints, claims and denunciations will be resolved within fifteen (15) business days following their presentation by the holder or authorized person.

Inquiries shall be resolved within ten (10) business days following their submission by the owner or authorized person.

XII. Validity

This Privacy and Personal Data Protection Policy is effective as of January 1, 2024.

The databases subject to processing by the data controller shall remain in force for as long as the purposes for which the data were collected and/or the term established by law.

The controller reserves the right to modify this privacy policy at any time. In case of substantial changes, the controller will communicate these changes to the data subject before or at the latest at the time of implementing the new policies and will require a new authorization when the change refers to the purpose of the processing.