AUTONOMIC SAS, in accordance with Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, as the party responsible for the processing of personal data, informs that the objective of this Policy is to define the guidelines necessary to guarantee the exercise of the right to privacy of individuals, through the protection of personal data contained in the company’s different databases, so that they receive treatment in accordance with the purposes provided by law.

The Personal Data Processing Policies apply to personal data contained in databases under the responsibility of AUTONOMIC SAS, as well as its parent companies and subsidiaries, hereinafter “THE CONTROLLER,” and which may be accessed or processed by the company, its staff, or a related third party.

By accepting or consenting to AUTONOMIC SAS’s Personal Data Processing Policies , you represent that you are the legitimate owner of the data or that you have the respective authorizations or legal authority to transfer the data. You also represent that you are a legally competent person under applicable law. Therefore, you accept the guidelines and policies contained in this document.

 

DEFINITIONS

Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.

Database: Organized set of personal data that is the object of processing.

Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.

Sensitive data: Sensitive data is understood to be that which affects the privacy of the Data Subject or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

Data Processor: A natural or legal person, public or private, who, either alone or in association with others, processes personal data on behalf of the Data Controller.

Data Controller: A natural or legal person, public or private, who, either alone or in association with others, decides on the database and/or the processing of data.

Owner : Natural person whose personal data is subject to processing.

Transfer: Data transfer occurs when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is also the Controller of the data and is located within or outside the country.

Transmission: Processing of personal data that involves communicating it within or outside the territory of the Republic of Colombia when the purpose of processing it is to be carried out by the Data Processor on behalf of the Controller.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

 

IDENTIFICATION OF THE DATA CONTROLLER

COMPANY NAME AND IDENTIFICATION : AUTONOMIC SAS , hereinafter referred to as THE COMPANY or THE CONTROLLER, a commercial company identified with NIT. 901.118.213 – 9

ADDRESS AND ADDRESS: THE COMPANY has its domicile in the city of Cra 43 # 9 Sur 195 and its main office is located at Cra 43 # 9 Sur 195 Medellín, El Poblado.

EMAIL: info@autonomicmind.com

PHONE:

• Talents: +57 300 496 3851
• Sales: +57 310 624 7670

 

2. PRINCIPLES OF DATA PROCESSING

In all processing of personal data carried out by THE COMPANY, the principles enshrined in the Colombian General Regime for the Protection of Personal Data will be applied, especially the following:

• Principle of legality of data processing: For the processing of personal data by THE COMPANY, the rules of the Colombian legal system relating to the General Regime for the Processing of Personal Data and those contained in this policy apply.
• Purpose Principle: The processing of personal data by THE COMPANY complies with the purposes established in this policy, which are in accordance with Colombian law. Any matters not regulated in this policy shall be governed by higher-level regulations that regulate, supplement, modify, or repeal it.
• Principle of freedom: The processing of personal data by THE COMPANY is done in accordance with the prior, express and consented authorization of the owner of the personal data.
• Principle of truthfulness or quality: The information subject to processing by THE COMPANY must be truthful, complete, up-to-date, verifiable and understandable.
• Transparency Principle: THE COMPANY guarantees that the owner of personal data can obtain information about their data at any time and without restrictions in accordance with the procedures described in this policy.
• Principle of restricted access and circulation : THE COMPANY guarantees that the processing of personal data given to the databases for which it is responsible is carried out by authorized persons and/or other persons permitted by law.
• Security Principle: THE COMPANY will implement all necessary technical, human, and administrative measures to protect the personal data processed in its databases, preventing unauthorized or unwanted use, alteration, loss, and access.
• Confidentiality Principle: The processing of personal data in THE COMPANY’s databases will be carried out with strict confidentiality and confidentiality, in accordance with the purposes described in this policy.

For further information on these principles, please refer to Law 1581 of 2012 and Decree 1377 of 2013, as well as other regulatory provisions that modify, clarify, supplement, or repeal them.

 

3. PROCESSING TO WHICH THE DATA WILL BE SUBJECTED AND ITS PURPOSE

The processing of personal data of any person with whom THE COMPANY has or will establish a permanent or occasional relationship will be carried out within the legal framework governing the matter. In any case, personal data may be collected and processed in the following cases:

• Develop the corporate purpose of THE COMPANY in accordance with its legal statutes.
• Compliance with legal obligations involving personal data.
• Compliance with applicable tax and trade regulations.
• Compliance with the provisions of the Colombian legal system regarding labor and social security, among others, applicable to current, past, and future employees, including the provision of employment references.
• The measurement and analysis of non-sensitive data freely provided by their respective owners.
• For commercial management and relationships with clients, potential clients and interest groups and also to carry out administrative and commercial management
• For prospective analysis of trends, preferences, behaviors and habits of its customers, potential customers and stakeholders, as well as satisfaction surveys on the provision of services and thus be able to monitor the management of services offered
• To provide information about products and their quality, the COMPANY, trends, benefits, events, partnerships, general information, and more.
• To consult information about Data Subjects in public databases and/or various information operators such as Datacrédito/Experian, Cifin/TransUnion, or any other entity that may manage databases for the same purposes, and in credit risk and financial information centers, in support of application review processes, credit behavior verification, reporting of delinquent clients, verifications for credit granting, and debt collection efforts.
• Report to the risk centers with which the COMPANY has an agreement the creation, modification, termination, fulfillment or non-fulfillment of the obligations contracted by the Data Owner.
• Maintaining labor relations with its employees, drafting employment contracts, linking them to the social security system, and paying salaries and benefits. It also maintains ongoing training for staff on various topics related to their activities and prepares them for their duties.
• Achieve efficient communication related to products, services, offers, promotions, alliances, studies, contests, content, and be able to implement loyalty programs, prepare market studies, and conduct credit, collection, and credit risk studies;
• Advance commercial agreements, events, or institutional programs directly or in partnership with third parties, as well as share with third parties that collaborate with the Company and that, in order to fulfill their functions, must access information to some extent, such as dealers, courier service providers, advertising agencies, collection agencies, product suppliers, and service centers for warranty purposes.
• To contract debt collection services; to comply with legal obligations to provide information to administrative or judicial entities, as well as to the competent authorities that so request.
• To share information with contractors in charge of providing services for the COMPANY that require access to the Data Subjects’ data.
• Conducting commercial or marketing activities through our website, Facebook, and other media and using them as part of our commercial or marketing campaigns.
• To advance commercial and promotional contacts, whether regarding our own services and products or those of third parties with whom the COMPANY has business relationships or alliances, strengthening business relationships and thus fulfilling the obligations assumed pursuant to any contract. To report on new requirements; enter into agreements with third parties; evaluate the levels of service received; perform control and accounting record processes for obligations assumed; ensure compliance with fiscal, accounting, tax, and procedural standards with government and regulatory entities; exercise control over payments for services received; and conduct inquiries, audits, simulations, and reviews arising from any business relationship; and support the Company’s audit processes.
• Comply with its legal obligations in relation to the company’s shareholders.
• Conduct inquiries and verifications of risks related to money laundering, terrorist financing, transnational bribery, and corruption.
• Share and exchange with its subsidiaries, parent companies, allies, and/or financial institutions the information of the Data Subjects contained in the entity’s databases for the purposes of risk control, disbursement and payment of obligations, commercial alliances, contracting of services, statistical purposes, carrying out marketing activities for services, and advertising.
• Compilation of information on transactions or services acquired through means provided by THE COMPANY as well as to process requests, complaints or claims made by users or clients, attend to the administrative requirements of district, departmental or national entities and/or respond to requests made by judges of the republic, conciliators, arbitrators and other entities with judicial functions, derived from legal actions that are promoted by or against AUTONOMIC SAS
• Processing of financial data related to payments made by users for services used that have a cost.
• Transfer of data to third parties for the purposes of the purpose and activities carried out by THE COMPANY.
• Obtaining usage and log information; transaction information; cookies to provide internet-based services; and transferring and transmitting data to third parties for the purposes of THE COMPANY’s activities and the fulfillment of all contractual or legal obligations assumed by the parties.
• Fulfill all contractual, statutory or legal commitments.
• Security and surveillance functions (including video surveillance) of THE COMPANY’s facilities and information.
• Any other purpose that may result in the development of the relationship between the company and the owner.

Authorization is not required when the processing is related to certain cases in which, however, all legal provisions related to the processing of information are complied with, such as:

• When the data is of a public nature.
• When cases of medical or health emergencies arise.
• When the treatment is authorized by law.

Each medium that may be used for data processing or collection will include an authorization text, privacy notice, or, in the case of technological methods, a box or signal of consent and acceptance in the processing of data, aimed at validating the authorization through unequivocal conduct to the extent possible. Said authorization will contain a link or access for direct consultation and reading of this Data Processing Policy.

 

4. PROCESSING OF SENSITIVE DATA.

THE COMPANY considers biometric data, such as facial, fingerprint, retinal, voice, and signature, as well as any data that affects the privacy of individuals and whose misuse could lead to discrimination against the data subject, to be sensitive. Therefore, this type of data is protected with greater rigor by the COMPANY and by those who access it in their capacity as information managers.

The processing of personal or sensitive data by THE COMPANY and its MANAGERS is restricted; it will be used exclusively for the fulfillment of authorized contractual obligations, compliance with legal obligations, or for purposes expressly authorized by the data subject. Under no circumstances, without prior authorization, will personal data be used for marketing purposes, the sale of databases, and/or any other purposes other than those strictly necessary.

THE COMPANY will only process sensitive data when the data subject gives their authorization or is authorized to do so by law. The data subject always has the right to decide whether or not to provide it.

Exceptionally, data may be processed on minors, including children of employees, directors, and collaborators of the company, as well as minors who enter THE COMPANY’s facilities. In this case, express and informed authorization from the minor’s legal representative is required for the specific purposes reported.

It is at the discretion of the Data Subject to grant authorization for the processing of his or her sensitive data.

 

5. RIGHTS OF THE INFORMATION HOLDER

In accordance with the provisions of current applicable data protection regulations, personal data subjects have the right to:

• Access, access, update, and rectify your personal data with the COMPANY as the data controller. This right may be exercised, among others, with respect to data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or unauthorized.
• Request proof of the authorization granted to the COMPANY for data processing, by any valid means, except in cases where authorization is not required.
• Be informed by THE COMPANY, upon request, regarding the use that has been given to your personal data.
• Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add to, or complement it, after consulting or submitting a request to THE COMPANY.
• Revoke authorization or request deletion of data.
• Access your personal data that has been processed free of charge, at least once every calendar month, and whenever there are substantial modifications to this policy that motivate new inquiries.

These rights may be exercised by:

• The owner, who must sufficiently prove his identity by the various means made available to him by THE COMPANY.
• The holder’s successors in title, who must prove such status.
• The representative or attorney of the owner, upon prior accreditation of the representation or power of attorney.
• Another in favor of or for which the owner has stipulated.

 

6. CONTROLLER AND PERSON IN CHARGE OF PROCESSING PERSONAL DATA

THE COMPANY will be the controller of the personal data. THE COMPANY may assign its status as CONTROLLER at any time to any third party that provides proof of compliance with the conditions established in this Policy and in applicable legislation.

Transfers and transmissions for processing by third parties of personal data provided to THE COMPANY

By accepting this policy, the data subject agrees to THE COMPANY’s right to transmit or transfer all of the data subject’s data to its parent company, subsidiaries, or third parties for the purposes of processing, subject to the applicable legal provisions. In this case, the third party or parties receiving the information will be designated as the DATA PROCESSOR and, consequently, will assume the same obligations of care, proper management, and security assumed by THE COMPANY as the data controller, in accordance with current regulations. THE COMPANY may revoke the authorization granted in each case to the third party responsible for processing the information at any time.

In turn, THE COMPANY undertakes to inform third parties of the parameters under which authorization has been granted and the due respect that must be shown to this policy, informing third parties that they may only use said data and/or information while the legal or contractual relationship with THE COMPANY subsists, solely and exclusively, for the uses expressly defined by it.

The transmission of information, whether physical or digital, will be carried out through mechanisms with adequate security levels, established by THE COMPANY and its technology advisors, in accordance with the physical, logistical, technological, and economic capacity, ensuring that the data is delivered and received confidentially and securely.

 

7. PROCEDURE FOR HANDLING QUERIES, COMPLAINTS, REQUESTS FOR RECTIFICATION, UPDATING AND DELETION OF DATA

Data subjects or their successors in title may consult the data subject’s personal information held by THE COMPANY. THE COMPANY will provide all information contained in the individual record or linked to the data subject’s identification. Likewise, THE COMPANY provides a mechanism through which the data subject may submit complaints for the purpose of updating, rectifying, or deleting the data, or permanently revoking the authorization.

The procedure will be as established in Article 15 of Law 1581 of 2012 and as indicated below:

The claim will be made by means of a request addressed to AUTONOMIC SAS, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that support the request. If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not present the required information, it will be understood that they have withdrawn the claim. In the event that the person receiving the claim is not competent to resolve it, they will forward it to the corresponding person within a maximum period of two (2) business days and inform the interested party of the situation.

Once the complete claim has been received, a legend stating “claim in process” and the reason for it will be added to the database within a period of no more than two (2) business days. This legend must remain in effect until the claim is decided.

Although AUTONOMIC SAS provides the appropriate means for the owners of personal data to consult about the processing of their data, which will be informed within the forms or via email for collecting personal data. The terms to resolve the queries will be ten (10) business days counted from the date of receipt of the same, in accordance with the provisions of article 14 of Law 1581 of 2012, the maximum term to attend to the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term. AUTONOMIC SAS will train those in charge of handling queries and claims on the procedural process indicated by law.

FIRST PARAGRAPH: THE COMPANY will not comply with the request made by the owner or his/her representative to delete personal data when there is a legal or contractual obligation for the personal data to remain in the respective database.

SECOND PARAGRAPH: The owner of the personal data or his or her representative may revoke the authorization given for the processing of his or her personal data by submitting a request to the data controller or the person in charge of the processing in accordance with the terms of this policy.

Questions can be sent to info@autonomicmind.com

THE COMPANY reserves the right to unilaterally modify the Information Processing Policy at any time. The Information Processing Policy in effect at any given time will be available on the website and at the company’s facilities. Any substantial change to the Information Processing Policy that may affect the content of the authorization granted by the data subject will be communicated to the data subject or made available to the data subject under the terms established by current regulations. Furthermore, previous versions of the Information Processing Policy will be retained.

The non-opposition of the owner to the use of his/her data, within thirty (30) days following the notification of the new Information Processing Policy constitutes acceptance thereof.

 

8. INFORMATION SECURITY MEASURES

In compliance with the security principle established in current regulations, THE COMPANY will adopt the technical, human, and administrative measures necessary to ensure the security of records, preventing their alteration, loss, unauthorized or fraudulent access, use, or consultation.

The company is committed to the proper use and processing of its customers’ and users’ personal data, preventing unauthorized access by third parties that could lead to the disclosure, violation, modification, disclosure, and/or destruction of the information stored in the company’s databases. For this reason, the company has security and access protocols for its information, storage, and processing systems, including physical measures to control security risks.

Therefore, the Company must adopt the measures that allow it to comply with the provisions of Law 1581 of 2012, and any other law or regulation that modifies or replaces them. As a result of this legal obligation, among others, the Company must adopt logical, administrative, and physical security measures, appropriate to the criticality of the personal information it accesses, to ensure that this type of information will not be used, marketed, assigned, transferred, and/or subjected to any other processing contrary to the purpose set forth in the object of this contract. Any suspected loss, leak, or attack against personal information held in the Company’s databases will be reported. Notice must be given once it becomes aware of such eventualities through the most pertinent or effective mechanisms, such as publication on the Company’s website or networks, direct communication to the reported email address of the affected party or the means established by the Company for such purposes, or in any way that guarantees the owner’s right to information. The loss, leakage, or attack on personal information also implies the obligation to manage the security incident in accordance with the legal guidelines on the matter.

Depending on the logistical, physical, and economic possibilities, different information security measures may be implemented, which may include, but are not limited to:

• Antivirus and firewalls on THE COMPANY’s computers.
• User profiles and data access and manipulation and monitoring.
• Backup plans or backup copies with established periodicity.
• USB port blocking.
• Blocking websites with personal access or social networks.
• Prohibition of installing instant messaging applications on computers that store data.
• Video surveillance and access control.
• Record of queries and copies of protocols requested by users.
• Restricted access to the physical file area and computing area.
• Periodic updating of Personal Data Protection Policies and procedures.
• Continuous identification of legal requirements that must be implemented by THE COMPANY.
• Monitoring new regulations.
• Training on Personal Data protection issues.
• Reviews of procedures and documentation.

 

9. VALIDITY

This policy is effective from September 1, 2024.

Last updated: October 2024.