Privacy and Data Processing Policy
1. General Company Information
PROLIBU TECH S.A.S. (the “Company”), NIT 901.268.824-1, a corporation organized under the laws of the Republic of Colombia, domiciled in Bogotá D.C. with main offices at Cra 9 # 115-06 / Floor 17, Office 01 (Tel. +57 311 521 3448), is committed to protecting the privacy, integrity, security, and confidentiality of Personal Data belonging to clients, suppliers, employees, contractors, and, in general, all Data Subjects registered in its databases.
The Company carries out Processing activities such as collection, storage, management, processing, database creation, circulation, segmentation, transfer, transmission, and use of Personal Data in the course of its software development and IT consulting activities.
This Policy, required by Decree 1074 of 2015, informs about rights, mechanisms, and procedures to exercise them, the person in charge of handling inquiries and complaints, as well as the purposes and Processing applied.
2. Scope of Application
This Policy applies to all Processing of Personal Data carried out in the territory of the Republic of Colombia by the Company, its employees, and third parties with whom activities related to such Processing are agreed upon, including Processors through transmission contracts.
3. Key Definitions
| Term | Definition |
|---|---|
| Authorization | Prior, express, and informed consent of the Data Subject for Processing. |
| Authorized | The Company and all persons legitimized by Authorization and this Policy to carry out Processing. |
| Privacy Notice | Communication from the Controller to the Data Subject about this Policy, how to access it, their rights, and the purposes. |
| Database | Organized set of Personal Data subject to Processing. |
| Personal Data | Any type of information linked or linkable to one or more identified or identifiable natural persons. |
| Public Data | Data classified as public by law or Constitution, e.g., marital status, profession, business quality, or public servant status. |
| Sensitive Data | Data whose misuse can generate discrimination (racial/ethnic origin, political orientation, religious or philosophical beliefs, affiliations, health, sexual life, biometric data, etc.). |
| Processor | Natural or legal person who processes Personal Data on behalf of the Controller. |
| Authorized Third Party | Third party whom the Company authorizes, via contract, to act as Processor. |
| Legitimated | Data Subject, heirs, representative or attorney, and those acting for the benefit of another. |
| Law | Law 1581 of 2012, Decree 1074, Ruling C-748 of 2011, and other applicable regulations and case law. |
| Manual | Document of policies and procedures for proper compliance with the Law. |
| Policy | This document containing guidelines on data protection and Processing, rights, procedures, and responsible party. |
| Controller | Who decides on the databases and Processing of Personal Data. |
| Data Subject | Natural person to whom the Personal Data refers. |
| Transfer | Sending Data to a receiving Controller (inside or outside the country). |
| Transmission | Communication of Data to a Processor for Processing on behalf of the Controller (inside or outside the country). |
| Processing | Operations such as collection, storage, use, circulation, modification, deletion, assignments, and communication of Personal Data. |
4. Principles
| Principle | Description |
|---|---|
| Restricted Access | Personal Data will not be made publicly available without technical controls restricting access to authorized persons. |
| Restricted Circulation | Only authorized staff with specific functions may process data. No disclosure to third parties without Authorization or Transmission contract. |
| Confidentiality | Duty of confidentiality even after termination of the relationship that originated the Processing. |
| Consent | Processing requires verifiable Authorization, including through unequivocal conduct. |
| Sensitive Data and Diligence | Greater diligence to preserve integrity, restricted access, and security. |
| Purpose | Processing must serve legitimate purposes informed to the Data Subject. |
| Integrity | Data must be truthful, complete, accurate, and up-to-date; no processing of partial or misleading data. |
| Security | Technical, human, and administrative measures to prevent unauthorized access, use, or modification. |
| Database Separation | Databases where the Company acts as Controller or Processor are kept separate. |
| Temporality | Use only for the necessary time according to informed purposes; deleted when no longer necessary. |
| Transparency | Provide information to the Data Subject upon request, within legal deadlines. |
| Post-Processing Confidentiality | Non-public data is treated as confidential even after the relationship ends. |
5. Processing and Purposes
Corporate, Administrative, and Marketing Purposes
- Fulfill tax, commercial, corporate, and accounting obligations.
- Supplier and contractor management; evaluation and classification of suppliers.
- Marketing and loyalty activities.
- Archiving, system updates, protection, and custody of information and databases.
- Internal processes for development, operation, and system management.
- Fraud and money laundering prevention, including checks against restrictive lists and credit bureaus.
- Conduct events, recreational and entertainment activities.
- Human resource management (recruitment, hiring, training, evaluations, welfare, occupational health, certifications, references, payroll, staff mapping).
- Data update campaigns.
- Internal investigations under company policies (employees/contractors).
- Customer satisfaction and quality surveys.
- Communication of amendments to this Policy and requests for new Authorizations.
- Other purposes necessary to comply with legal obligations and business development.
Business and Commercial Activity
- Implement communication channels with clients, suppliers, and relevant third parties.
- Loyalty activities, analysis, and segmentation for preference studies and statistics.
- Surveys and opinion polls on products and services.
- Share clients’ personal data with PROLIBU LLC in the United States via transfer or transmission.
With Third Parties
- Manage requests, complaints, and claims (RCC) and forward them to responsible areas.
- Transmit Personal Data to third parties with whom there are contracts or agreements for commercial, administrative, and/or operational purposes.
- Transfer, transmit, share, deliver, or disclose Data to third parties inside and outside Colombia, including countries with different protection levels.
Rights of Data Subjects
| Right | Description |
|---|---|
| Knowledge and Access | Access their Data free of charge at least once a month. |
| Update | Keep their Data accurate and up-to-date in the Company’s databases. |
| Rectification | Correct information under the Company’s control. |
| Proof | Request proof of Authorization except in legal exceptions. |
| Use Information | Request information on how their Data has been used. |
| Deletion | Request deletion when no legal or contractual duty requires retention. |
| Revocation | Revoke Authorization when legally applicable. |
| Complaint before the SIC | Lodge complaints before the Superintendence of Industry and Commerce, after exhausting the Company’s internal procedure. |
The exercise of rights by minors may be carried out by the minor, their parents, or whoever holds parental authority, upon proof of such authority.
6. Sensitive Data
The Company may collect and process Sensitive Data (e.g., medical information, images, photos, voice recordings, biometric data), as well as data relating to health or sexual life. Independent and explicit consent will be requested.
These data are processed with the highest security standards and access is limited to authorized personnel only. Authorization to process them is optional, and no activity will be conditioned upon their provision.
7. Authorization
All Processing is preceded by obtaining the Data Subject’s Authorization. Proof of such Authorization will be retained.
Exceptions to Authorization
- Information required by public authority or court order.
- Public data.
- Cases of medical or health emergencies.
- Processing for historical, statistical, or scientific purposes authorized by law.
- Data related to civil registration of persons.
8. Data Protection Area
The department responsible for handling Requests, Complaints, and Claims (RCC) regarding Personal Data is Customer Service, which will process requests in accordance with the Law and this Policy.
| Field | Detail |
|---|---|
| Responsible department | Customer Service |
| Contact person | Ivandavid Rueda |
| Address | Cra 9 # 115-06 / Floor 17, Office 01 – Bogotá D.C. |
| info@prolibu.com | |
| Phone | [update if applicable] |
| Position | Commercial Manager – Customer Service |
9. Procedures to Exercise Rights
a) Inquiries
Data Subjects or Legitimated parties may inquire about: (i) Data stored in the databases; (ii) Processing to which they are subjected; (iii) Purposes.
Contact channels: physical office or email info@prolibu.com. Proof of inquiry and response will be retained.
Timeframes: response within ten (10) business days from receipt. If not possible, the reason and new date will be provided, not exceeding five (5) additional business days. Final response shall not exceed fifteen (15) business days.
b) Complaints
Applicable for: (i) correction, update, or deletion; (ii) alleged breach of duties.
Submission: addressed to Customer Service (email info@prolibu.com or physical address). Must include: name and ID, description of facts and claim, contact details, and supporting documents.
Flow and Timeframes:
- If incomplete, rectification will be requested within five (5) business days; failure to comply within two (2) months will be deemed withdrawn.
- Upon receipt of complete complaint, the record will be marked “complaint in process” within two (2) business days.
- Response within fifteen (15) business days; if not possible, notification will be given, and it will be resolved within a maximum of eight (8) additional business days.
10. Term
This Policy is effective as of November 1, 2019. Data will be retained according to the principle of temporality and as long as necessary for the informed purposes.
11. Amendments
The Company may amend this Policy. Any substantial amendment will be communicated in advance to Data Subjects through the website and/or email. Substantial amendments include, among others: (i) change of area or responsible person; (ii) changes in purposes that affect Authorization (in which case a new Authorization will be requested).
Annexes
The flowcharts of Inquiries and Complaints referenced in Annexes 1 and 2 may be published as images or as accessible diagrams on the website. If you wish, I can recreate them in SVG/HTML for greater accessibility.