Privacy policy and authorization for the treatment of your personal information

The company MINKA COLOMBIA S.A.S., domiciled in the city of Bogotá D.C. and identified with NIT 901.047.009-7 (after this, the "Company" or "MINKA"), complying with the regulations contained in Statutory Law 1581 of 2012, Decree 1074 of 2015 and the other concordant regulations, by which general provisions are issued for the protection of personal data, in its capacity as Responsible for the Treatment of Personal Data, it is allowed to make known this Policy of Privacy and Protection of Personal Data (from now on the "Policy") to regulate the collection, storage, treatment, administration, transfer, transmission, protection, and deletion of information received from the owners of personal data or third parties through the different channels of data collection that it has arranged in the development of its activities.

I. Definitions:

For the purposes of this Policy, the words defined below will have the meaning assigned in this chapter, whether or not they are written in capital letters or whether they are in the plural or singular.

  1. Authorization: Prior, express, and informed consent is required from the Holder to process personal data.
  2. Database: Organized set of Personal Data that is subject to Treatment.
  3. Personal Data: Any information linked to or that may be associated with one or more determined or determinable natural persons.
  4. Sensitive Data: Sensitive data is understood to be those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social, human rights organizations or that promote the interests of any political party or that guarantee the rights and warrants of opposition political parties as well as data related to health, sexual life, and biometric data, among others.
  5. Private Data: It is the data that, due to its intimate or reserved nature, is only relevant to the owner.
  6. Semi-private Data: It is data that is neither intimate, reserved, nor public in nature and whose knowledge or disclosure may be of interest to its owner and to a particular sector or group of people or society in general.
  7. Public data is classified according to the mandates of the law or the Political Constitution, including all those that are not semi-private or private.
  8. Person in charge of the Treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of Personal Data on behalf of the person in charge of the Treatment of Personal Data.
  9. Responsible for Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Treatment of the data. For the purposes of this Policy, the Responsible Party will be the Company.
  10. Data owner: A natural person whose personal data is subject to Treatment.
  11. Treatment: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation, or deletion.
  12. Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, send the information or personal data to a recipient, who in turn is Responsible for the Treatment and is located inside or outside the country.
  13. Transmission: Processing personal data that involves the communication of the same within or outside Colombia when its purpose is to carry out a Processing by the Processor on behalf of the Controller.

II. Authorization to carry out the Processing of Personal Data:

Given that the Policy is available to anyone who wishes to consult it, it is established that the Processing of Personal Data carried out by the Company will have the free, prior, express, and informed consent of the Holder of said data and will be previously authorized. When indicated using a physical, electronic document, or any other format, or by any other unequivocal conduct such as the mere fact of supplying your Personal Data, on your behalf or through an interposed person, either i) directly to the Company or ii) to third parties who in turn have the authorization to transfer or transmit them to other people.

If the Holder wants his Personal Data to be deleted from the Company's Databases, he must expressly state it from the moment in which he has provided his Personal Data or becomes aware of this Policy to the email admin@minka.io

III. Responsible for Treatment:

The legal person responsible for processing personal data and, therefore, for the database in which they are located is MINKA COLOMBIA S.A.S., a legally constituted company identified with 901.047.009-7, with the primary address in the city of Bogota, DC, Colombia.

  • Responsible area: Administration and Finance area
  • Telephone: 350 538 9480
  • Email: admin@minka.io
  • Physical address: Cra. 11B #99-25, 9th floor, office 113, Bogotá

IV. Treatment of Personal Data:

The Company, in its capacity as duly authorized Data Controller, and any Data Processor designated by it may process the Personal Data provided, which includes the collection, storage, processing, use, updating, circulation, administration, transfer, transfer, transmission, protection, and deletion of the same.

Likewise, it is highlighted that the Company may, among others:

a) Appoint one or more Persons in Charge of the Treatment of Personal Data;

b) Transfer and/or transmit the Personal Data subject to Treatment to the companies that are part of its business group, that is, to parent companies, affiliates, or subsidiaries, as well as to any other third party, inside or outside the national territory, either they are legal or natural persons, national or foreign, even when in the country of location of the receiver there are no regulations that establish a data protection standard similar to those in force in the national territory;

c) Provide said Personal Data to agents, subcontractors, and other third parties to achieve the purposes listed in the following section and

d) Reveal the information when required by the authorities duly empowered by administrative or judicial order.

V. Treatment of Sensitive Personal Data:

The Company will not carry out any processing of sensitive data without the due prior, informed, and express authorization of the Owner of the information, except in cases where the granting of the same is not required by law, and one of the following exceptions is present:

  1. When the treatment is necessary to safeguard, the vital interest of the Owner and the Owner is physically or legally incapacitated.
  2. When the treatment is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association, or any other non-profit organization whose purpose is political, philosophical, religious, or union, provided that they refer exclusively to its members or to people who maintain regular contact due to its purpose, in which cases, the data cannot be provided to third parties without the authorization of the Owner.
  3. When processing refers to data that is necessary for the recognition, exercise, or defense of a right in a judicial process.
  4. When the treatment has a historical, statistical, or scientific purpose, measures must be adopted to delete the Holders' identities.
  5. When done in compliance with a public or administrative order in exercising legal functions or by court order.

Answers to questions about sensitive data are optional and will not be mandatory. Under no circumstances will the Company condition any activity on delivering Sensitive Data. Sensitive Data will be treated with the greatest possible diligence and with the highest security standards.

VI. Purposes of the Treatment of Personal Data:

The Company will carry out the Processing of Personal Data for the following specific purposes:

a) Perform basic administrative management tasks.

b) Provide services and products required and comply with the other obligations contracted with the Holder.

c) Execute and fulfill the contracts signed with its clients, suppliers, and workers, including paying contractual obligations.

d) Evaluate the quality of the Company's services.

e) Develop marketing or promotional activities.

f) Develop the selection, evaluation, and employment process.

g) Carry out the necessary activities to manage the requests, complaints, and claims presented by customers, users, and/or third parties and direct them to the areas responsible for issuing the corresponding responses.

h) Respond to legal requirements of administrative and judicial entities.

i) Support external or internal audit processes.

j) The control and prevention of fraud, money laundering, and the financing of terrorism.

k) The development of marketing activities, research and market analysis, or any other commercial activity permitted by Colombian law.

l) Consult and access the Holder's information (private, semi-private, sensitive, or reserved) in different databases or Public or Private Entities, whether in Colombia, abroad, or internationally.

m) Consult the Holder's information in Financial Information Centers and report information to these databases when there is merit to do so with complete legal requirements for that purpose.

n) In general, to carry out the Treatment directly, as this term is defined in Law 1581 of 2012, through a treatment manager located in Colombia or in any other country to whom the Holder's data will be provided through international or national transmission or transfers, as the case may be.

VII. Rights of the Holders of Personal Data:

The rights that assist the Owners of Personal Data are:

a) Know, update, and rectify the personal data in front of the Persons Responsible for the Treatment of Persons in Charge of the Treatment. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data or those whose Treatment is expressly prohibited or has not been authorized;

b) Request proof of the authorization granted to the Treatment Manager except when expressly excepted as a requirement for Treatment, following the provisions of article 10 of Law 1582 of 2012;

c) Be informed by the Treatment Manager or the Treatment Manager, upon request, regarding the use that has been given to personal data;

d) Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add, or complement it;

e) Revoke the authorization and/or request the deletion of the data when the principles, rights, and constitutional and legal guarantees are not respected in the Treatment. The revocation and/or suppression will proceed when the Superintendence of Industry and Commerce has determined that in the Treatment, the Responsible or Person in Charge has incurred conduct contrary to the law and the Constitution;

f) Free access to your personal data that has been subject to Treatment.

In turn, the Holder agrees to provide true, truthful, exact, authentic, and in-force content and is responsible for its content and the damages it causes to the company or third parties.

VIII. Security Measures for the Protection of Personal Data:

The Company will adopt the security techniques necessary to secure the records, avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access. Said measures will respond to the minimum requirements of current legislation, and their effectiveness will be periodically evaluated. However, the Company will not be liable in the event of a violation of its security systems when there is a force majeure or fortuitous event.

The Company does not assume any responsibility for damages of any nature that may arise from viruses or other harmful elements in the services provided by third parties that may cause alterations in the user's computer system, electronic documents, or files.

IX. Area responsible for the Processing of Personal Data:

The Administration and Finance area will handle requests, queries, and claims before which the Holder of the information may exercise their rights and, therefore, know, update, modify, rectify, correct, or delete the information provided at any time. For this purpose, you must email your request to admin@minka.io or call 350 538 9480.

X. Procedure for Personal Data Owners to exercise their rights:

The data owner may know, update, rectify, and delete the information provided. They may also exercise their right to revoke the authorization provided for their treatment by sending the respective request to the email admin@minka.io or the telephone line 350 538 9480. For this purpose, the Holder must at least indicate the names and surnames, type of document and number, telephone, email, description of the matter, and the specific changes you want to make. This will ensure that we process your request correctly.

The query will be answered within ten (10) business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be attended, which in no case will exceed five (5) business days following the due date of the first term.

When the data owner considers that their information should be corrected, updated, or deleted or notices an alleged breach of any of their rights, the maximum term to address the complaint or claim will be fifteen (15) business days from the day following the date of receipt of the document.

When it is not possible to address the complaint or claim within said term, the interested party will be informed of the reasons for the delay and the date on which it will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term. If the claim is incomplete, the interested party will be required to correct the deficiencies within five (5) days following receipt of the complaint and/or claim. If two (2) months have elapsed from the date of the request without the applicant presenting the required information, the complaint or claim will be deemed withdrawn.

XI. Personal Data of Minors:

The Company does not accept or process the Personal Data of children under eighteen years of age since the services offered are reserved for those with the legal capacity to contract. Therefore, minors must refrain from contracting the services.

XII. Provision of information Delivery of information and personal data to public entities and control entities:

The Company, upon prior written request from the competent authority, will provide information on its management related to the storage, use, and processing of personal data to authorities and control bodies that require it.

The Company may provide the information found in its Databases additionally to:

  • The Owners of the data, their successors or legal representatives;
  • Public or administrative entities in the exercise of their legal functions or by court order;
  • Third parties authorized by the Owner or by law.

To respond to requests for the delivery of personal information from public entities and control entities, the Company will validate that the delivery is (i) based on a legal duty, (ii) is presented in a format and through an official channel, whether physical or digital, designated by the Company for this purpose, (iii) has been requested by the entity, and (iv) is subscribed by personnel authorized to make the request, with prior validation of their identity. This information delivery will follow the greatest possible diligence and with the highest security standards.

Additionally, the Company will review:

  • The feasibility of delivering the requested information considering general information (statistics, percentages) or the anonymization of data that prevents the identification of the Owners, unless by explicit request it is indicated how said information should be delivered.

If delivery is viable, formal methods will be used for sending it (corporate email), complying with the file transfer security protocol (FTPS/SFTP), or any other means that provide security measures for delivering equal or superior information.

XIII. National or International Transmission and/or Transfer:

The Company may share personal data information with those third parties necessary for the development of its activities and corporate purpose, always protecting the rights and information of the data owner. The Transmission or Transfer of Personal Data that is carried out will observe the rules established for this purpose by the applicable regulations and the control authority, especially the following:

  • When it comes to national transmissions or transfers of personal data, the Company will ensure compliance with the requirements of current data protection legislation and the protection measures by the person in charge or new person in charge, as the case may be.
  • If it is an international transfer, the country receiving the personal data must ensure adequate levels of protection in the manner established by the Control Authority in Colombia so that it can issue the declaration of conformity to which it refers. This is the first paragraph of Article 26 of Law 1581 of 2012.
  • When the receiving country does not comply with adequate data protection standards, the transmission or transfer will be prohibited unless one of the following legal exceptions is configured: i) the Owner has given express and unequivocal authorization for the transfer or transmission of data. ii) Exchange of medical data when required by the owner for health and public hygiene reasons. iii) Bank or stock transfers following the applicable legislation. iv) Transfers agreed upon within the framework of international treaties to which Colombia is a party, based on the principle of reciprocity. v) Transfers necessary for executing a contract between the Owner and the person responsible for the treatment or the execution of pre-contractual measures as long as there is authorization from the Owner.

XIV. Modifications to the Policy:

The Company may modify or amend this Policy at its discretion. When modifications or changes are made to it, the date of the change will be updated, and the modification or amendment will be effective as of the updated date. It is recommended that you periodically review this Policy to be informed about any changes that may occur.

XV. Policy Validity:

This Policy will become effective on July 16th, 2024. Both the Policy and the Databases containing the information provided may remain in force for the duration of the company MINKA COLOMBIA S.A.S. without prejudice to the fact that the company may modify this policy at any time and unilaterally.