POLICY FOR THE PROTECTION OF PERSONAL DATA

Effective Date: 1 de enero de 2024.

Important Information:

The personal data protection policy aims to guarantee the Constitutional right that individuals have regarding their personal and sensitive data, including the right to know, update, modify, rectify, and delete the data collected about them in databases or files, as well as to provide the other guarantees referred to in Law 1581 of 2012, Decree 1377 of 2013, Law 1266 of 2008, or any other laws that modify, add, or complement the aforementioned regulations.

This terms of use policy is organized as follows:

  1. Area of Application
  2. Legal Framework
  3. Objective
  4. Scope
  5. Definitions
  6. Guiding Principles
  7. Authorization
  8. Guarantee of Information Security and Privacy
  9. Data Retention
  10. How Information is Shared
  11. National Database Registry
  12. Procedure for Consultation, Requests, Claims, Information Deletion
  13. Transfer and International Transmission of Data
  14. Treatment of Personal Data from Platforms, Corporate Websites, and Social Networks
  15. Treatment of Data of Children and Adolescents
  16. Treatment of Sensitive Data
  17. Duties of Innovaryx
  18. Purpose of Data Processing
  19. Modification of the Policy

1. Area of Application

This Personal Data Processing Policy covers all individuals who have been registered in any database subject to processing by Innovaryx. Therefore, the processing of data will be governed by the Laws of the Republic of Colombia and especially by the regime of personal data protection established by the Constitution, the Law, its regulatory Decrees, and other regulations that complement, modify, or repeal it.

2. Legal Framework

This Policy is governed by the Laws of the Republic of Colombia, such as: Political Constitution of 1991, Law 1266 of 2008, Law 1581 of 2012, Law 1480 of 2011, Regulatory Decree 1727 of 2009, Regulatory Decree 2952 of 2010, Regulatory Decree 1377 of 2013, and other norms that complement, modify, or add to it.

3. Objective

This Policy is aimed at protecting the rights of users of the Innovaryx platform or corporate web portals, seeking to ensure that as data subjects, they can exercise the rights granted to them by law, such as: Consultation, verification, deletion, collection, disclosure. Likewise, it seeks to inform in advance, fully, and timely, the processing that Innovaryx will give to the personal data of users, collaborators, third parties, and in general, anyone who uses the Innovaryx platform, in events such as: Collection, recordings, registrations, use, adaptation, recovery, storage, provision of services, disclosure, commercial offers, information sending, certificates, as well as the registration of information, account creation, or entry of data on corporate web portals, and in general in any event that requires processing of data made known to Innovaryx.

4. Scope

The PERSONAL DATA PROCESSING POLICY of Innovaryx will be applicable to all those who use the platform and register within it or make their personal data available to Innovaryx in any database managed by Innovaryx, where the latter is responsible or in charge of the information.

5. Definitions

Authorization: Prior, express, and informed consent of the data subject to carry out the processing of personal data. 

Privacy Notice: It is the physical, electronic document, or in any other known or to be known format, made available to the data subject in order to inform about the processing of their personal data 

Database: Set of personal data organized for processing. 

Personal Data: Information associated with one or more specific or identifiable natural persons. 

Public Data: It is data that is not semi-private, private, or sensitive. Public data includes, among others, data regarding the civil status of individuals, their profession or occupation, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins, and duly executed judicial decisions, which are not subject to reserve. 

Sensitive Data: Those that affect the privacy of the Data Subject or whose improper use may lead to their discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual life, and biometric data. 

Data Processor: Natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the data controller. 

Habeas Data: It is the right that allows people to know, update, and rectify all information that has been collected in databases. 

Data Controller: Natural or legal person, public or private, who, alone or in association with others, decides on the database or the processing of data. 

Data Subject: Natural person whose personal data is being processed. 

Transfer of Data: When the data controller and/or data processor, located in Colombia, sends information or personal data to a recipient, who in turn is responsible for processing and is located inside or outside the country.

Transfer of Data: When the data controller and/or data processor, located in Colombia, sends information or personal data to a recipient, who in turn is responsible for processing and is located inside or outside the country. 

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

6. Guiding Principles

In compliance with legal guidelines, Innovaryx declares that the processing of data is governed by the following principles:

  • a) Principle of legality: The processing referred to shall be subject to the provisions established by the Law of the Republic of Colombia. 
  • b) Principle of purpose: The processing will only be carried out for the purposes for which the data subject has given their authorization. 
  • c) Principle of freedom: The data subject will voluntarily give their approval for the processing of their data, which can only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that excludes consent. 
  • d) Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. Partial, incomplete, fragmented, or misleading data will not be processed. 
  • e) Principle of transparency: The data subject may know with certainty and without conditions from the data controller and/or processor, information about the databases that concern them. 
  • f) Principle of access and restricted circulation: The processing will respect the provisions issued by the Law and the authorization of the data subject, therefore, it will only be known by natural or legal persons authorized by the data subject. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the data subjects or third parties authorized by law. 
  • g) Principle of security: Controls will be implemented to prevent adulteration, fraudulent or unauthorized use, loss, or consultation of data, for which the tools used for processing will guarantee the security of the information. 
  • h) Principle of confidentiality: All individuals involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended, and may only provide or communicate personal data when it corresponds to the development of activities authorized by the Law and in accordance with its terms. 
  • i) Principle of Territoriality: The processing of data will take place in Colombian territory, in countries authorized by the data subject, and in third countries that comply with the guarantees required by Colombian legislation.

7. Authorization

In accordance with the regulations of the country and in line with the principles of purpose and freedom, Innovaryx will collect data limited to those personal data that are relevant and appropriate for the purpose for which they are collected or required. Except in cases expressly provided for by law, personal data may not be collected without the authorization of the Data Subject. 

By registering, creating an account, or entering their data on the Innovaryx platform, users accept this policy and therefore authorize Innovaryx to: I) Share data with consultants, providers, and other users; II) With partners, shareholders, companies, and allied institutions, and in general with any natural or legal person, national or foreign, with whom commercial or inter-institutional cooperation relationships are established; III) With data analysis services; IV) To advertise, send promotions, and surveys; V) To make commercial advertising and service offers; VI) To process for the provision of services object of the Company. 

EVENTS WHERE AUTHORIZATION IS NOT REQUIRED:

The authorization of the data subject will not be necessary when it comes to: a) Information required by a public or administrative entity in the exercise of its legal functions or by court order; b) Data of a public nature; c) Cases of medical or health emergencies; d) Processing of information authorized by law for historical, statistical, or scientific purposes; e) Data related to the Civil Registry of Persons.

8. Guarantee of Information Security and Privacy

The data processed by Innovaryx will only be known by personnel designated by the data controller, complying with the confidentiality of the information, such as the exclusive use for which authorization has been granted by the data subject. Therefore, Innovaryx undertakes to comply with the security guidelines established in ISO 27001.

9. Data Retention

Data will be stored for the time necessary to fulfill the purpose for which it was collected. If a special retention period is required by law, compliance will be ensured. In cases where the data subject requests the deletion of their information from the Innovaryx database, it will be retained until such time as requested by the data subject. Security measures will be used to allow restricted access to the supplied information. In any case, platform users should ensure the proper use of information by protecting user accounts and passwords.

10. How Information is Shared

Innovaryx ensures its users the security in the event that information is transferred or transmitted. In such an event, data will be shared through encrypted files or through means and methods implemented by Innovaryx, safeguarding the confidentiality and integrity of the information to an identified recipient by the company and respecting the parameters granted in the authorization for its processing.

11. National Registry of Databases

It is the public directory of databases with personal information subject to processing that operate in the country. It is administered by the Superintendence of Industry and Commerce, which keeps the registry of all databases in the country, their purpose, the channels available to address citizens' requests, the adopted policies for the processing of personal data, the type of data they contain, and the transfers and transmissions of information made. 

For the purpose of registering databases, a procedure will be carried out taking into account: 

  1. Quantity of databases with personal information. 
  1. Number of data subjects for each database. 
  1. Detailed information on the channels or means planned to address the data subjects. 
  1. Type of personal data contained in each database, subject to processing, such as: identification data, location, socioeconomic, sensitive, and others. 
  1. Physical location of the databases. 
  1. Security measures and/or controls implemented in the database to minimize the risks of improper use of the processed personal data. 
  1. Information on whether authorization from the data subjects of the databases' contained data is available. 
  1. Method of obtaining the data (directly from the data subject or through third parties).

12.Procedure for Consultation, Requests, Claims, Information Deletion

Whenever there is no legal imposition to retain the information, it may be deleted at the request of the data subject or upon fulfillment of the purpose of its processing. Accordingly, any digital, magnetic, physical file containing personal data subject to processing will be destroyed. Once the deletion request is submitted through the means established in this policy, deletion will be carried out within three business days following the request. The request for information deletion and the revocation of authorization will not proceed when the data subject has a legal or contractual duty to remain in the database. 

RIGHTS OF DATA SUBJECTS, PROCEDURE FOR REQUESTING REVOCATION, CONSULTATION, OR MODIFICATION OF INFORMATION. 

In the event that Innovaryx acts as the data controller or processor and upon a request from the data subject, safeguarding the rights to rectify, delete, or modify, it will proceed with the request. In such a case, the data subject or their legal representative must follow the following procedure: 1. Submit a written request to the email management@innovaryx.com, which must contain at least: a) Complete identification of the requester, b) Detailed description of the request or claim, c) Data of the data subject's location (name, phone, address). Depending on the nature of the request, it may be resolved within ten (10) business days following its submission. If it cannot be resolved within this period, the requester will be informed, and an additional five (5) days will be provided to process the request. In case of authorization revocation, the data subject must submit the request detailing the purpose of the same. To manage the revocation with Innovaryx, the same steps and requirements established in the procedure for updating, correcting, rectifying, or deleting personal data must be followed. If the request is incomplete, the interested party will be required to correct the deficiencies within five (5) days after receiving the claim. If, after two (2) months from the date of the request, the requester does not correct their petition, it will be considered that they have withdrawn the claim. If the recipient of the claim is not competent to resolve it, it will be forwarded to the appropriate authority within a maximum of two (2) business days, and the interested party will be informed of the situation.

13. International Data Transfer and Transmission

Innovaryx, in accordance with Law 1581 of 2012, will process data with third countries that provide adequate levels of data protection as determined by the Superintendence of Industry and Commerce in Chapter V of the Circular Única. International processing will not occur without the consent of the data subject, as stated in Article 25 of Decree 1377 of 2013. With the acceptance of this policy, the data subject expressly authorizes the transfer and transmission of their personal information to third countries.

14. Treatment of Personal Data from Platform, Corporate Websites, and Social Networks

Innovaryx, through its technological platform or corporate websites, will collect personal data, which is stored in a database that is confidential and will only be disclosed with the express authorization of the data subject or when requested by a Competent Authority. The purposes for which the personal data collected through Innovaryx's websites, technological platform, and social networks are used will be: 

1) Offering services and solutions of the company in its different lines of business: 

  • a) Consulting: Specialized advisory services in areas related to IT and Business; 
  • b) Software Factory: Technological services or solutions oriented to meet the needs of companies. 

2) Publishing events of interest. 

3) Legal, accounting, administrative, commercial, promotional, informative, marketing, and sales purposes. 

4) Carrying out promotional campaigns, marketing, advertising. 

5) Ensuring the rights of individuals under the Consumer Statute (Law 1480 of 2011). 

6) Sending information concerning the services and solutions offered. 

7) Maintaining communication with internal or external clients. 

8) Addressing doubts and concerns. 

9) Conducting surveys. 

10) Sending notifications. 

11) Requesting opinions or recommendations about the quality of service. The information will be processed for the period agreed with the data subject through authorization, and in accordance with the legal or contractual circumstances that gave rise to the collection of the information. Upon acceptance of this policy by the data subjects, personal data may be shared with other users, consultants, other participants, and third parties linked to the Company through any form of contracting, partners, shareholders, polling companies, service providers to Innovaryx, the foregoing is an illustrative treatment, in any case, data will be processed, complying with legal obligations and for the fulfillment of the purpose of the collection.

15. Treatment of Data of Children and Adolescents

Innovaryx adheres to the provisions of Article 7 of Law 1581 of 2012 "Rights of Children and Adolescents." In the Treatment, respect for the prevailing rights of children and adolescents will be ensured. The Treatment of personal data of children and adolescents is prohibited, except for data of a public nature. The processing of personal data of children and adolescents may be carried out when it involves data of a public nature, and the processing of personal data of children and adolescents may be exceptionally possible when the following criteria are met: a) The purpose of the processing responds to their best interest; b) The respect for their fundamental rights is ensured; c) Considering the maturity of the child or adolescent, their opinion is taken into account; and d) The principles provided for in Law 1581 of 2012 for the processing of personal data are complied with. In any case, Innovaryx will collect, when appropriate, the respective authorization from their legal representatives, always bearing in mind the aforementioned and as established in Article 44 of the Political Constitution of Colombia.

16. Treatment of Sensitive Data

Innovaryx will not process sensitive data, except when: 

  • a) The Owner has given explicit authorization for such processing, except in cases where authorization is not required by law; 
  • b) The processing is necessary to safeguard the vital interests of the Owner and they are physically or legally incapacitated. In these cases, legal representatives must give their authorization; 
  • c) The processing is carried out in the course of legitimate activities and with the proper safeguards by a foundation, NGO, association, or any other non-profit organization, whose purpose is political, philosophical, religious, or union-related, provided that it exclusively concerns its members or individuals who maintain regular contacts due to its purpose. In these cases, data cannot be provided to third parties without the authorization of the Owner; 
  • d) The processing pertains to data that is necessary for the recognition, exercise, or defense of a right in a judicial proceeding; 
  • e) The processing has a historical, statistical, or scientific purpose. In this case, measures must be taken to ensure the anonymity of the Owners.

17. Duties of Innovaryx

Innovaryx undertakes to safeguard the information disclosed to it by the data subjects, not allowing access by unauthorized third parties or for purposes other than those informed at the time the user grants authorization. Consequently, it will use security standards in custody, administration, and generally when processing data, whether as a data controller or processor. It will inform data subjects of their rights and, in particular, commits to: 

  • a) Ensure the data subject's full and effective exercise of the right to habeas data at all times; 
  • b) Request and retain, under the conditions provided in this policy and in the law, a copy of the respective authorization granted by the data subject; 
  • c) Properly inform the data subject about the purpose of the collection and the rights granted by virtue of the authorization granted; 
  • d) Preserve the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use, or access; 
  • e) Ensure that the information provided to the data processor is truthful, complete, accurate, updated, verifiable, and understandable; 
  • f) Update the information by timely informing the data processor of any updates regarding the data previously provided and take other necessary measures to keep the information provided to them updated; 
  • g) Rectify the information when incorrect and communicate the pertinent information to the data processor; 
  • h) Provide the data processor, as applicable, only with data whose processing has been previously authorized in accordance with the law; 
  • i) Demand from the data processor at all times respect for the security and privacy conditions of the data subject's information; 
  • j) Handle inquiries and complaints in the terms indicated in this policy or in the law; 
  • k) Adopt an internal manual of policies and procedures to ensure the adequate compliance with this policy and especially for the handling of inquiries and complaints; 
  • l) Inform the data processor when certain information is under dispute by the data subject, once the claim has been filed and the respective process has not yet concluded; 
  • m) Inform, upon request of the data subject, about the use given to their data; 
  • n) Inform the data protection authority when breaches of security codes occur and there are risks in the management of data subjects' information; 
  • o) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

18. Purpose of Data Processing

Innovaryx is a digital company dedicated to providing software development and technology solutions implementation services in Colombia and abroad, as well as consultancy services, among other services related to IT and Business. The data collected will aim to fulfill the company's social purpose and especially the provision of the services offered, as well as other related or complementary activities.

19. Modification of the Policy

Innovaryx reserves the right to modify this policy as needed in the course of its activities and in accordance with legal requirements and recommendations issued by the Superintendence of Industry and Commerce. In such an event, users will be informed of the terms of the current policy. If a data subject does not agree with the new Policy, they may request the removal of their information from the Company through the channels indicated in this document. Data subjects may not request the removal of their personal data when the Company has a legal or contractual obligation to process the data.