Personal Data Processing Policy
CERCA TECHNOLOGY S.A.S.
PERSONAL DATA PROTECTION AND PROCESSING POLICY
March 2025
1. General Principles and Provisions
Cerca Technology S.A.S., a commercial entity incorporated under Colombian law, identified with Tax ID (NIT) 830.087.915-9, headquartered in Bogotá D.C., Cundinamarca, at Carrera 14 #99 – 33 Office 402, REM Tower (hereinafter “the Controller”), ensures the protection of rights such as Habeas Data, privacy, intimacy, good name, image, and autonomy. All actions shall be governed by the principles of good faith, legality, informational self-determination, liberty, and transparency.
Any person who, in the course of any activity—whether commercial, labor-related, permanent, or occasional—provides any kind of personal information to the Controller, where it acts as either the data controller or data processor, shall have the right to access, update, and rectify said data.
In compliance with Law 1581 of 2012, Decree 1074 of 2015, and related regulations, this Personal Data Protection and Processing Policy aims to safeguard the personal information provided by data subjects to the Controller, including shareholders, suppliers, clients, employees, contractors, and any other individual whose data may be collected, processed, stored, or used by the Controller, either directly or through third-party processors.
2. Controller Identification
For inquiries regarding the processing of personal data, you may contact the Controller through the following channels:
Address: Carrera 14 #99 – 33, Office 402, REM Tower, Bogotá D.C., Colombia
Email: manejodatospersonales@cercatech.com
Phone: +57-6017456702
3. Scope of Application
This Policy applies to all personal data databases—regardless of their classification (private, semi-private, public, sensitive, or biometric)—processed by the Controller in its capacity as Data Controller. For interpretation purposes, all definitions and principles in Articles 3 and 4 of Law 1581 of 2012, Decree 1377 of 2013, Law 1266 of 2008, and any amendments or additions thereto shall be adopted.
The Controller may request, consult, share, report, process, update, compile, store, use, or delete personal data for data subjects with whom it has, has had, or expects to have any type of relationship, provided prior authorization has been granted. The Controller implements clear measures to protect the confidentiality and privacy of such data.
Data subjects are informed that it is optional to provide sensitive personal data or data of children and adolescents, given their special constitutional and legal protection.
4. Legal Framework
This policy is governed by the following:
- Partial Regulatory Decree No. 1377 of 2013
- Colombian Political Constitution, Article 15
- Law 1266 of 2008
- Law 1581 of 2012
- Regulatory Decrees 1727 of 2009 and 2952 of 2010
5. Processing and Purpose
Personal data shall be subject to collection, storage, use, circulation, and deletion. The Controller will process data strictly for the purposes authorized and outlined in this policy, including but not limited to:
Employees and collaborators
- Fulfill the obligations assumed by the Controller with the data subject, regarding the payment of salaries, social benefits, and other contributions set forth in the employment contract or as required by law.
- Offer corporate wellness programs and plan business activities for the data subject and their beneficiaries (children, spouse, permanent partner).
- Offer training and/or personal development programs.
- Provide information regarding the granting and management of permits, licenses, and authorizations.
- Provide information on prevention, promotion, and occupational risks.
- Provide information on employment promotion and management, as well as recruitment and personnel selection.
- Provide information on data update campaigns and changes in the processing of personal data.
- Contact the data subject by any means for statistical purposes and employee rotation within the company.
- Inform them of decisions that concern them regarding the company and the duties they perform within it.
- With respect to this database, I authorize the collection of facial images, as sensitive data, for the purpose of controlling access to and exit from the company, and to establish compliance with working hours in accordance with the signed contract.
- Communicate matters related to services and other activities inherent to the functions of the Controller, and compliance with the obligations undertaken with contractors, contracting parties, clients, suppliers, and employees.
- File complaints, claims, or reports before the competent authorities or entities in case of breach of contracts or agreements.
Clients
- Carry out the relevant procedures for the development of the Controller’s corporate purpose.
- Send invitations to events.
- For commercial, administrative, marketing, and sales purposes.
- Conduct satisfaction surveys regarding the services provided by the Controller.
- Contact the data subject by any means (telephone or electronic, SMS or chat) to conduct surveys, studies, and/or confirm personal data necessary for the performance of the contractual or commercial relationship.
- Contact the data subject by any means to send news related to loyalty campaigns or service improvement, promotion, and advertising marketing.
- Contact the data subject by email or any other agreed means for the delivery of account statements, invoices, collection efforts, and/or payments related to the obligations arising from the contract entered into between the parties.
- Provide information to third parties with whom the Controller has or may have a contractual or commercial relationship, when it is necessary to fulfill the contracted purpose.
- Provide information on data update campaigns and changes in the processing of personal data.
- File complaints, claims, or reports before the competent authorities or entities in case of breach of contracts or agreements.
- Contact the data subject by any means for statistical purposes and for registering the entry and exit of documents.
- Respond to complaints, claims, or requests.
Suppliers and Contractors
- Carry out the relevant procedures for the development of the Controller’s corporate purpose, in connection with the fulfillment of the contract or service order entered into with the data subject.
- For accounting, financial, and commercial purposes; for informational, marketing, and sales purposes; business performance; and requests for quotations.
- Contact the data subject via email to send account statements and invoices related to obligations arising from the contract entered into between the parties.
- Contact the data subject by any means, including email, to carry out collection and/or payment procedures as applicable.
- Provide information on data update campaigns and changes in the processing of personal data.
- Contact the data subject by any means for statistical purposes and for registering the entry and exit of documents.
- File complaints, claims, or reports before the competent authorities or entities in case of breach of contracts or agreements.
- Ensure security or fraud prevention.
- Other purposes that, in the fulfillment of its corporate purpose, require the collection of personal data for processing in accordance with applicable legal provisions.
Sensitive Personal Data
Sensitive data are understood as those that affect the privacy of the data subject or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or organizations that promote the interests of any political party or safeguard the rights and guarantees of opposition political parties. Sensitive data also include information related to health, sexual life, and biometric data, among others, such as the capture of still or moving images, fingerprints, photographs, iris scans, voice, facial, or palm recognition, etc.
The Controller shall process personal data considered sensitive, when required, for the fulfillment of its corporate purpose, provided that:
- The data subject has given explicit authorization for such processing, except in cases where by law such authorization is not required or is unnecessary due to the nature of their relationship with the Company.
- The processing is necessary to safeguard the vital interest of the data subject, and the subject is physically or legally incapacitated, in which case the legal representatives or those providing support shall grant the authorization.
- The processing concerns data necessary for the recognition, exercise, or defense of a right in a judicial proceeding.
- The processing has a historical, statistical, or scientific purpose.
6. Data Subject’s Authorization
The collection, storage, use, circulation, or deletion of personal data by the Controller requires the free, prior, express, and informed consent of the data subject.
Means and Forms of Granting Authorization
Authorization may be recorded in a physical document, electronic document, data message, Internet, websites, or any other format that ensures subsequent consultation, or through a suitable technical or technological mechanism that allows consent to be granted or obtained via click or double-click, making it unequivocally clear that, had the data subject not acted, the data would never have been captured and stored in the database. Authorization shall be generated by the Controller and made available to the data subject in advance and prior to the processing of their personal data.
Proof of Authorization
The Controller shall use the mechanisms currently available, and implement and adopt the necessary actions to maintain records or suitable technical or technological mechanisms indicating when and how authorization was obtained from data subjects for the processing of their personal data. To comply with the foregoing, physical files or electronic repositories may be established, either directly or through third parties engaged for such purpose.
Cases Where Authorization Is Not Required
The authorization of the data subject shall not be required in the following cases:
- Information requested by a public or administrative entity in the exercise of its legal duties or by court order.
- Data of a public nature.
- Cases of medical or health emergencies.
- Processing of information authorized by law for historical, statistical, or scientific purposes.
- Data related to the Civil Registry of Persons.
7. Rights of Children and Adolescents
In the processing of data, the prevailing rights of minors shall be respected. The processing of personal data of minors is prohibited, except for those data of a public nature.
It is the responsibility of the State and educational institutions of all kinds to provide information and training to legal representatives and guardians regarding the potential risks that minors face with the improper processing of their personal data, and to provide knowledge regarding the responsible and safe use by children and adolescents of their personal data, their right to privacy, and the protection of their own personal information and that of others.
8. Duties of Cerca as Controller of Personal Data Processing
The Controller shall at all times bear in mind that personal data belong to the individuals to whom they refer, and only those individuals may decide on such data. Accordingly, the Controller shall use them solely for the purposes for which it is duly authorized, and always in compliance with the applicable regulations on personal data protection.
Consequently, when Cerca acts as the Controller of personal data processing, it shall comply with the following duties:
- Guarantee the data subject, at all times, the full and effective exercise of the right of habeas data.
- Request and keep a copy of the respective authorization granted by the data subject.
- Properly inform the data subject about the purpose of the data collection and the rights conferred by virtue of the authorization granted.
- Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use, or access.
- Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
- Update the information, promptly communicating to the processor any changes regarding the data previously supplied, and adopt all other necessary measures to keep the information provided up-to-date.
- Rectify the information when it is incorrect and communicate the relevant updates to the processor.
- Provide the data processor, as appropriate, only with data whose processing has been previously authorized.
- Require the data processor, at all times, to respect the security and privacy conditions of the data subject’s information.
- Handle inquiries and claims submitted.
- Inform the data processor when certain information is under dispute by the data subject, once a claim has been filed and the respective procedure has not yet been concluded.
- Inform the data subject, upon request, of the use given to their data.
- Inform the data protection authority when security codes are violated and risks exist in the administration of data subjects’ information.
9. Rights of the Data Subject
In accordance with the provisions of the current and applicable regulations on personal data protection, the data subject has the following rights:
- To access, know, rectify, and update their personal data before the Controller, in its capacity as responsible for the processing.
- To request, through any valid means, proof of the authorization granted to the Controller, in its capacity as responsible for the processing.
- To receive information from the Controller, upon request, regarding the use given to their personal data.
- To turn to legally constituted authorities, in particular the Superintendence of Industry and Commerce, and to file complaints regarding violations of the provisions of applicable regulations, after first submitting a consultation or request to the Controller.
- To modify and revoke the authorization and/or request the deletion of data when the processing does not respect the constitutional and legal principles, rights, and guarantees in force.
- To be informed of and have free access to their personal data that have been subject to processing.
These rights may be exercised by:
- The data subject, who must sufficiently prove their identity by the means made available by the Company.
- The successors in title of the data subject, who must prove such status.
- The representative and/or attorney-in-fact of the data subject, subject to prior accreditation of representation or power of attorney.
10. Procedure for the Exercise of Data Subjects’ Rights
The Controller has designated the Administrative and Financial Department as responsible for handling procedures related to the exercise of the rights of the data subjects whose personal data will be processed in accordance with this policy.
The exercise of the rights mentioned in the preceding section may be carried out by the data subjects, their successors in title, or the data subject’s representative and/or attorney-in-fact, through the following procedures:
Guarantees of the Right of Access
The Controller shall guarantee the right of access when, upon prior verification of the identity of the data subject, legitimacy, or the legal capacity of their representative, the Controller makes available, at no cost whatsoever, the respective personal data in a detailed and comprehensive manner, through all types of means, including electronic means that allow the data subject direct access to their data. Such access must be offered without limitation and must allow the data subject to review and update their data online.
Procedure for Inquiries
Data subjects or their successors in title may inquire about the personal information of the data subject contained in any database. Accordingly, the Controller shall guarantee the right of inquiry by providing data subjects with all the information contained in the individual record or that is linked to the identification of the data subject.
With regard to the handling of requests for personal data inquiries, the Controller guarantees to:
- Enable electronic communication channels or other means deemed appropriate.
- Establish forms, systems, and other simplified methods, which must be disclosed in the privacy notice.
- Use customer service or claims services currently in operation.
In any case, regardless of the mechanism implemented to address requests for inquiries, such requests shall be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to respond to the inquiry within said term, the data subject shall be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the inquiry will be answered, which in no case may exceed five (5) business days following the expiration of the initial period.
Procedure for Claims
The data subject, their successors in title, or representatives who consider that the information contained in the databases must be corrected, updated, or deleted may file a claim with the Company, which shall be processed as described below.
The claim may be filed by the data subject, in accordance with the provisions set forth in Article 15 of Law 1581 of 2012, Decree 1377 of 2013, and any other rules that amend or supplement them.
Implementation of Procedures to Guarantee the Right to File Claims
At any time and free of charge, the data subject or their representative may request from the Controller the rectification, updating, or deletion of their personal data, upon verification of their identity.
The rights of rectification, updating, or deletion may only be exercised by:
- The data subject or their successors in title, upon verification of their identity, or through electronic means that allow for their identification.
- Their representative, upon proof of such representation.
When the request is submitted by a person other than the data subject, proper evidence of authority or power of attorney must be provided; otherwise, the request shall be deemed not submitted.
The request for rectification, updating, or deletion must be submitted through the channels provided by the Controller and must contain, at a minimum, the following information:
- The name and address of the data subject or any other means to receive a response.
- Documents proving the identity of the data subject or the legal capacity of their representative.
- A clear and precise description of the personal data for which the data subject seeks to exercise any of the rights.
- Any additional elements or documents that may facilitate the location of the personal data.
Claims shall be resolved within a period not exceeding fifteen (15) business days, counted from the day following their receipt, extendable for an additional eight (8) business days, counted from the expiration of the initial term. In such case, the Company shall inform the data subject of the reasons for the extension.
Rectification and Updating of Data
The Controller is obligated to rectify and update, at the request of the data subject, any information that is incomplete or inaccurate, in accordance with the procedure and terms described above. In this regard, the following shall be taken into account:
In requests for rectification and updating of personal data, the data subject must indicate the corrections to be made and provide documentation supporting their request. The Controller has full discretion to enable mechanisms that facilitate the exercise of this right, provided that they benefit the data subject. Accordingly, electronic means or other channels deemed appropriate may be enabled.
The Controller may establish forms, systems, and other simplified methods, which must be communicated to the data subject and made available on the Company’s website.
Deletion of Data
The data subject has the right, at any time, to request from the Controller the deletion (erasure) of their personal data when:
- They consider that such data are not being processed in accordance with the principles, duties, and obligations provided under current regulations.
- The data are no longer necessary or relevant for the purpose for which they were collected.
- The period required to fulfill the purposes for which the data were collected has expired.
Such deletion implies the total or partial removal of personal information, as requested by the data subject, from the records, files, databases, or processing carried out by the Controller. It is important to note that the right of cancellation is not absolute, and the Controller may deny its exercise when:
- The data subject has a legal or contractual obligation to remain in the database.
- The deletion of the data could hinder judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
- The data are necessary to protect the legally protected interests of the data subject; to carry out an action in the public interest; or to comply with an obligation legally acquired by the data subject.
Revocation of Authorization
Data subjects may revoke their consent for the processing of their personal data at any time, provided such revocation is not prevented by a legal or contractual provision.
To this end, the Controller shall establish simple and free mechanisms that allow the data subject to revoke their consent, at least by the same means through which it was granted.
It should be noted that there are two modalities in which the revocation of consent may occur. The first applies to the totality of the purposes consented to, in which case the Controller must cease processing the data subject’s data entirely. The second applies to specific types of processing, such as for advertising or market research purposes. Under the second modality, that is, the partial revocation of consent, other purposes of processing authorized by the data subject remain valid, as long as the data subject agrees to them.
Means of Submission and Requirements
The data subject, their representative, or their successors in title, regardless of the procedure chosen, must provide at least the following information:
- Name of the data subject and/or their representative and/or successors in title.
- Copy of the identification document of the data subject and/or their representative and/or successors in title.
- Description of the facts giving rise to the claim, inquiry, or deletion of information.
- Physical address, email address, and contact phone number of the data subject and/or their representative and/or successors in title.
- NIT number, if the applicant is a legal entity.
- Supporting documents they wish to submit.
- Signature, type, and identification number.
The means enabled for the submission of requests shall be:
- Address: Carrera 14 # 99 – 33, Office 402, Torre REM
- Email: manejodatospersonales@cercatech.com
Under no circumstances may a data subject exercise their right under Law 1581 of 2012 verbally or by telephone, in order to preserve proof of the request submitted and, additionally, to ensure certainty regarding the date from which the legal terms begin to run for the Controller to issue a response to the request submitted by the data subject.
Requests Not Meeting Legal Requirements and Withdrawal of the Claim
If the claim is incomplete, the applicant shall be requested, within five (5) business days following the receipt of the claim, to correct, clarify, or amend the inconsistencies. The data subject shall then have five (5) calendar days from the date of such request to rectify their application. If they fail to do so, it shall be understood that the applicant has withdrawn the claim.
11. Information Security and Security Measures
In compliance with the principle of security established in the applicable regulations, the Controller shall adopt the necessary technical, human, and administrative measures to safeguard records and prevent their alteration, loss, consultation, use, or unauthorized or fraudulent access.
12. Use and International Transfer of Personal Data and Personal Information by Cerca Technology S.A.S.
Depending on the nature of the permanent or occasional relationships that any personal data subject may have with the Controller, all of their information may be transferred abroad, subject to applicable legal requirements. By accepting this policy, the data subject expressly authorizes the transfer of their personal information. Such information shall be transferred for all relationships that may be established with the Controller.
Without prejudice to the obligation to observe and maintain the confidentiality of the information, the Controller shall take the necessary measures to ensure that such third parties become aware of and commit to complying with this Policy, with the understanding that the personal information they receive may only be used for matters directly related to their relationship with the Controller, and only for as long as said relationship lasts. Such information may not be used or destined for any other purpose.
The Controller may also share personal information with governmental or public authorities of various kinds (including, among others, judicial or administrative authorities, tax authorities, and criminal, civil, administrative, disciplinary, and fiscal investigation bodies), as well as third parties involved in civil legal proceedings and their accountants, auditors, lawyers, and other advisors and representatives, whenever necessary or appropriate:
- To comply with applicable laws, including laws other than those of the data subject’s country of residence;
- To comply with legal proceedings;
- To respond to requests from public and governmental authorities, including those of countries other than the data subject’s country of residence;
- To enforce our terms and conditions;
- To protect our operations;
- To safeguard our rights, privacy, security, or property, as well as those of the data subject or third parties;
- To obtain applicable remedies or limit the damages that may affect us.
Term of Validity
This Personal Data Processing Policy shall enter into force on March 27, 2025, and shall remain in effect indefinitely, in line with the corporate purpose of Cerca Technology S.A.S.
Any material change to this Personal Data Processing Policy shall be communicated to the data subjects in a timely manner through the usual means of contact and/or via the website: https://www.cercatechnology.com/.