Privacy Policy

TREEOMA INC (“TREEOMA”) hereby establishes an internal manual of policies and procedures to ensure proper compliance with Law 1581 of 2012, regulatory decrees, and other regulations that modify, add, or replace the regulations on the protection of personal data.

TREEOMA is committed to safeguarding the integrity, confidentiality, and availability of the information requested from individuals. Privacy protection is essential; therefore, compliance with data protection regulations is guaranteed.

This personal data protection policy covers all personal data collected and used on the website within the national territory.

  1. General Considerations

In accordance with the provisions of Articles 17(k) and 18(f) of Law 1581 of 2012, as well as Articles 13 to 19 of Decree 1377 of 2013, and as provided in Law 1266 of 2008, the Personal Data Treatment Policies (the “Policy”) are established below. These will be mandatory for all individuals who enter, use, and manage the TREEOMA website, especially TREEOMA employees. They will also be responsible for ensuring that the same are known by third parties and other persons who may become involved.

This policy applies to TREEOMA’s databases, the website, its collaborators, contractors, and others to whom it may apply.

  2. Definitions

a) Authorization: Prior, express, and informed consent of the data subject to carry out the processing of personal data.

b) Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Data Subject for the Processing of their personal data, through which they are informed about the existence of the information Treatment policies that will be applicable, the way to access them, and the purposes of the Treatment intended for the personal data.

c) Database: An organized set of personal data that is subject to processing.

d) Personal Data: Any information linked or that can be associated with one or more determined or determinable natural persons.

e) Private Data: Data that due to its intimate or reserved nature is only relevant to the holder.

f) Semi-private Data: Semi-private data is data that is not intimate, reserved, nor public, and whose knowledge or disclosure may interest not only the holder but a certain sector or group of people or society in general.

g) Public Data: Data that is neither semi-private, private, nor sensitive. Public data includes, among others, data relating to a person’s civil status, profession, trade, or quality as a merchant or public servant. By its nature, public data can be contained in public records, public documents, gazettes, official bulletins, and duly executed judicial sentences that are not subject to reservation.

h) Sensitive Data: Sensitive data is understood as those that affect the privacy of the Data Subject or whose misuse can lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, social organizations, human rights organizations, or that promotes the interests of any political party or guarantees the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.

i) Processor: A natural or legal person, public or private, who by themselves or in association with others, carries out the processing of personal data on behalf of the data controller.

j) Controller: A natural or legal person, public or private, who by themselves or in association with others, decides on the database and/or the processing of the data.

k) Data Subject: A natural person whose personal data is subject to processing.

l) Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

m) Transmission: Processing of personal data that involves the communication thereof within or outside the territory of the Republic of Colombia when the object is the realization of a Treatment by the Processor on behalf of the Controller.

n) Transfer: Data transfer occurs when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a receiver, who in turn is responsible for processing and is located inside or outside the country.

  3. Governing Principles:

a) Legality principle in data processing: This principle refers to the Processing referred to in the applicable law, which is a regulated activity that must be subject to the law and other provisions that develop it.

b) Purpose principle: It is defined as follows: The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.

c) Freedom principle: It refers to the fact that Processing can only be exercised with the prior, express, and informed consent of the Data Subject. Personal data cannot be obtained or disclosed without prior authorization or in the absence of legal or judicial mandate that releases the consent.

d) Principle of veracity or quality: It establishes that the information subject to Processing must be truthful, complete, exact, updated, verifiable, and understandable. The Processing of partial, incomplete, fragmented data or that induces error is prohibited.

e) Transparency principle: In Processing, the right of the Data Subject to obtain information from the Controller or Processor at any time and without restrictions concerning the existence of data that concerns them must be guaranteed.

f) Principle of restricted access and circulation: The Treatment is subject to the limits derived from the nature of the personal data, the applicable legal provisions, and the Constitution. In this sense, the Treatment may only be carried out by persons authorized by the Data Subject and/or by those provided for in the law. Personal data, except for public information, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to the holders or third parties authorized by law.

g) Security principle: The information subject to Processing by the Controller or Processor referred to by the law must be handled with the necessary technical, human, and administrative measures to grant security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.

h) Confidentiality principle: All persons involved in the Processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks that comprise the processing ends, and may only supply or communicate personal data when it corresponds to the development of the activities authorized by law and under the terms thereof.

i) Principle of continuity of data protection: In the Transfer of data, the Controller must ensure the level of protection of the personal data of the holders from a country so that the protection does not diminish when their information is exported to another or other countries.

j) Principle of Accountability: The Controller of personal data processing must prove that they have adopted the necessary measures to comply with the obligations established in terms of personal data protection.

k) Data minimization: Only personal data that are absolutely necessary for the processing purpose can be requested.

l) Limitation of storage: Personal data will be kept for as long as necessary to fulfill the purpose. In the case of an existing contractual relationship, the data will be maintained throughout the duration of the contractual relationship, and if it ends for any reason, the data will be kept for the time required by applicable legislation and until the moment when responsibilities arising from that contractual relationship no longer exist.

  4. Databases

TREEOMA processes the following databases for the purposes mentioned below:

a) Customer and website user database: The database is collected and updated to operate and develop the company’s corporate purpose. It contains: names, identification numbers, telephone numbers, email addresses, and physical addresses.

Processing will include the collection, storage, copying, delivery, updating, ordering, classification, correction, verification, use for statistical purposes, and, in general, employment and utilization of all data provided by users and customers.

b) Supplier database: The processing of data in this database is carried out to correctly manage the commercial relationship between TREEOMA and its suppliers, including receiving commercial information, receiving invoices or payment requests, making payments, requesting quotations, and ensuring compliance with contracted services. Once the relationship with the supplier ends, the personal data are deleted.

It contains: names, tax identification numbers, email addresses, addresses, and bank accounts for payment transfers.

Processing will include the collection, storage, copying, delivery, updating, ordering, classification, correction, verification, use for statistical purposes, and, in general, employment and utilization of all data provided by suppliers to correctly manage the commercial relationship between them and TREEOMA.

c) Employee database: The processing of data in this database is carried out to correctly manage the employment relationship between TREEOMA and its workers. Once the employment relationship ends, the personal data are deleted.

It contains: names, identification numbers, email addresses, phone numbers, addresses, information on disabilities.

Processing will include the collection, storage, copying, delivery, updating, ordering, classification, correction, verification, use for statistical purposes, and, in general, employment and utilization of all data provided by employees to correctly manage the employment relationship between them and TREEOMA.

The database is found in physical and/or electronic files, managed directly by TREEOMA Administration and only accessible to them. No data of minors are included.

  5. Rights of the Data Subjects

Data Subjects will have the following rights:

a) To know, update, and rectify their personal data before the Controllers or Processors. This right can be exercised, among others, concerning partial, inaccurate, incomplete, fragmented data that induces error, or those whose Processing is expressly prohibited or has not been authorized.

b) To request proof of the authorization granted to the Controller, except when expressly exempted as a requirement for Processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.

c) To be informed by the Controller or the Processor, upon request, regarding the use that has been made of their personal data.

d) To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of the law and other regulations that modify, add to, or complement it.

e) To revoke the authorization and/or request the deletion of the data when the Processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Processing the Controller or Processor has engaged in behavior contrary to the law and the Constitution.

f) To access free of charge their personal data that has been subject to Processing. In the exercise of the rights listed above, consultations may be made, and claims deemed necessary to ensure the respect of such rights can be made.

g) Other rights that are contained in the current regulations regarding the matter.

To exercise the rights established in this section, the Data Subject must send a communication to the email address (operaciones@treeoma.com) with the following information: (i) the right that is intended to be exercised; (ii) name of the data subject; (iii) identification document; (iv) personal data on which the request is based; (v) email address for notifications, and (vi) contact phone number.

  6. TREEOMA’s Obligations

TREEOMA must comply with the following duties:

a) Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.

b) Request and retain a copy of the respective authorization granted by the Data Subject.

c) Properly inform the Data Subject about the purpose of the collection and the rights they have by virtue of the authorization granted.

d) Retain the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use, or access.

e) Ensure that the information provided to the Processor is truthful, complete, accurate, updated, verifiable, and understandable.

f) Update the information, timely communicating to the Processor all the updates concerning the data that has been previously provided and adopting the necessary measures to keep the information provided to them up-to-date.

g) Correct the information when it is incorrect and inform the Processor accordingly.

h) Provide the Processor, as the case may be, with only the data whose Processing has been previously authorized.

i) Require the Processor at all times to respect the security and privacy conditions of the Data Subject’s information.

j) Process the queries and claims made in the terms indicated by the law.

k) Inform the Processor when certain information is under discussion by the Data Subject once the claim has been filed and the respective process has not been completed.

l) Inform at the Data Subject’s request about the use made of their data.

m) Inform the data protection authority when security breaches occur and when there are risks in the administration of Data Subjects’ information.

n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

o) Other duties provided by law.

  7. Sensitive Data

In accordance with current regulations on the Protection of Personal Data, TREEOMA is committed to fully complying with the protection and proper processing of sensitive data, including biometric data, film records, or any other that may exist in the future, the data of children and adolescents who enter TREEOMA’s facilities, understood as Sensitive Data those that affect the Data Subject’s privacy or whose misuse can generate discrimination, such as racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, social organizations, human rights organizations, or that promotes the interests of any political party or guarantees the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.

  8. Processing of Special Categories of Data

According to the current regulations on the Protection of Personal Data, TREEOMA is prohibited from processing sensitive data, except when:

a) The Data Subject has explicitly authorized such Processing.

b) The Processing is necessary to safeguard the Data Subject’s vital interest, and they are physically or legally incapacitated.

c) The Processing is carried out in the course of legitimate activities and with the due guarantees by a foundation, NGO, association, or any other non-profit organization, whose purpose is political, philosophical, religious, or trade union-related, provided that it refers exclusively to its members or to persons who maintain regular contacts due to their purpose. In these cases, the data cannot be supplied to third parties without the Data Subject’s authorization.

d) The Processing refers to data necessary for the recognition, exercise, or defense of a right in a judicial process.

e) The Processing has a historical, statistical, or scientific purpose. In this case, measures must be taken to suppress the identity of the Data Subjects.

  9. Processing of Data of Children and Adolescents

TREEOMA is prohibited from processing such data, except when they are of a public nature and such processing responds to and respects the best interests of children and adolescents. Likewise, for the Processing of such data, respect for the rights of children and adolescents will be ensured.

  10. Procedure for the Exercise of Rights by Data Subjects

The Data Subject, their successors, their representative and/or attorney, or anyone determined by stipulation in favor of another, may exercise their rights by contacting us through written communication addressed to the area in charge of personal data protection at TREEOMA. The communication may be sent to the following email address: (operaciones@treeoma.com) or through written communication filed at TREEOMA’s main office located at Carrera 12 No 21 – 42, Armenia, Quindío.

10.1. Queries

The Data Subject’s personal information that rests in TREEOMA’s databases may be consulted, and TREEOMA will be responsible for providing all the information contained in the individual record or linked to the identification of the applicant.

Once received, the query will be addressed within a maximum period of ten (10) business days from the date of receipt.

When it is not possible to address the query within this period, the interested party will be informed, expressing the reasons for the delay and indicating the new date on which such query will be addressed, which in no case may exceed five (5) business days after the expiration of the first period.

10.2. Claims

When it is considered that the information contained in a TREEOMA database should be corrected, updated, or deleted, or when it is noted that any of the duties contained in the Habeas Data Law have been breached, a claim may be filed, which will be processed under the following rules:

The claim will be submitted through written communication addressed to TREEOMA, identifying the Data Subject, describing the facts that give rise to the claim, the address, and attaching the documents that are to be considered.

• If the claim is incomplete, the interested party will be required within five (5) days following the receipt of the claim to correct the deficiencies.

• After two (2) months from the date of the requirement, without the applicant presenting the required information, it will be understood that the claim has been abandoned.

• In the event that TREEOMA receives a claim for which it is not competent to resolve, it will refer it to the appropriate party within a maximum period of two (2) business days and inform the Data Subject.

• Once the complete claim has been received, TREEOMA will include in the respective database a note stating “claim in process” and the reason for it, within a period not exceeding two (2) business days. It will keep this note in the data in question until the claim is resolved.

• The maximum term to resolve the claim will be fifteen (15) business days from the day following its receipt. When it is not possible to resolve the claim within this period, TREEOMA will inform the Data Subject of the reasons for the delay and the new date on which their claim will be addressed, which in no case may exceed eight (8) business days after the expiration of the first period.

The Data Subjects of the information may exercise the rights to know, update, rectify and delete information, revoke the initially granted authorization, consult information, file claims, and in general, other rights established in Article 8 and related articles of Law 1581 of 2012, through the following means:

Email: operaciones@treeoma.com

Physical address: Carrera 12 No 21 – 42, Armenia, Quindío.

TREEOMA, within the legal deadline, will address the rights exercised by the Data Subjects of the information, their requests, consultations, and/or claims through the Data Protection Officer.

According to Article 9 of Decree 1377 of 2013, the request for information and the revocation of the authorization will not proceed when the Data Subject has a legal or contractual obligation to remain in the database.

  11. Data Protection Officer

As provided in Article 23 of Decree 1377 of 2013, a person or area must be designated to assume the function of personal data protection and to process requests from Data Subjects for the exercise of the rights referred to in Law 1581 of 2012.

The functions of the Data Protection Officer will be as follows:

a) Promote the development and implementation of a system that allows managing the risks of personal data processing.

b) Coordinate the definition and implementation of controls for the Comprehensive Personal Data Management Program.

c) Serve as a liaison and coordinator with the other areas of TREEOMA to ensure a transversal implementation of the Comprehensive Personal Data Management Program.

d) Promote a culture of data protection within TREEOMA.

e) Maintain an inventory of databases within TREEOMA.

f) Register TREEOMA’s databases in the National Database Registry and update the report following the instructions issued by the SIC.

g) Obtain the conformity declarations of the SIC when required.

h) Review the contents of international data transmission contracts signed with Processors not resident in Colombia.

i) Analyze the responsibilities of each organizational position to design a specific data protection training program for each.

j) Provide the necessary training to new employees who have access, due to their employment conditions, to personal data managed by the organization.

k) Integrate data protection policies into the activities of other areas of the organization (human resources, security, call centers, and supplier management).

l) Measure participation and evaluate performance in data protection training.

m) Require that in the employee performance evaluations, it is ensured that they have satisfactorily completed the personal data protection training.

n) Oversee the implementation of internal audit plans to verify compliance with personal information treatment policies.

o) Monitor the Comprehensive Personal Data Management Program.

p) Continuously control and update the personal information inventory to identify and evaluate new collections, uses, and disclosures.

q) Review policies following the results of evaluations or audits.

r) Keep as historical documents the impact assessments and threat assessments to security and risks.

s) Periodically review and modify training and education as a result of continuous evaluations and communicate changes made to the program controls.

t) Review and adapt response protocols in handling violations and incidents to implement best practices or recommendations and lessons learned from subsequent incident reviews.

u) Review and, where appropriate, modify the requirements established in contracts signed with Data Processors.

v) Update and clarify external communications to explain data processing policies.

w) Report and deliver a semi-annual report to the Legal Representative on risk evolution, implemented controls, monitoring, and in general on personal data processing at TREEOMA.

  12. Areas Responsible for Addressing Requests, Queries, and Claims from Data Subjects Exercising Their Rights

The Data Protection Officer will be responsible for addressing requests, queries, and claims from Data Subjects in the exercise of their rights at TREEOMA.

  13. Database Security Measures

TREEOMA will apply the best practices, the greatest effort, and diligence in the Processing of the databases under its responsibility, whether as Controller or Processor, to ensure the security and confidentiality of the data and TREEOMA’s databases in accordance with applicable standards, TREEOMA’s information security policies, and procedures.

  14. Prevalence of Substantive Standards on the Matter

Considering that this document aims to comply with the regulations governing the protection of the right to habeas data enshrined in the Constitution, the statutory laws on the matter, and the regulations issued by the National Government for this purpose, the interpretation of the entity’s policies will be at all times subordinate to the content of such superior provisions. Therefore, in case of incompatibility or contradiction between these policies and the higher regulations, the latter will be applicable.

  15. Effective Date of the Personal Data Processing Policy

This version of the Personal Data Processing Policy is effective as of August 9, 2024.

  16. Privacy Notice

As stipulated in Article 14 of Decree 1377 of 2013, if it is not possible to make the Personal Data Processing Policy available to the Data Subject, the Controllers must inform the Data Subject of the existence of such policies and how to access them through a Privacy Notice in a timely manner and in any case no later than at the time of data collection.

  17. Security Incident Management

TREEOMA commits to managing information security incidents in accordance with current personal data protection regulations and those that modify, add to, and complement them. Likewise, the security incident response protocol is established in TREEOMA’s information security policies and procedures.

a) A person responsible for handling security incidents has been designated, with the following functions:

b) Respond to inquiries about security incidents.

c) Review and evaluate the management indicators corresponding to the handling of security incidents to be presented to the legal representative.

d) Call upon the participation of other TREEOMA collaborators when the incident warrants it (Communications, Human Resources, Legal Management, Technology, Information Security Management Representative).

  18. Policy Review

The personal data protection policy may be updated at any time. In such a case, the date of the last update will be changed, and the date of the changes will be indicated. This Personal Data Protection Policy may be requested by interested parties at the email address operaciones@treeoma.com.

TREEOMA collects or uses personal data for business needs and acts as the data controller.

Specifically, TREEOMA commits to:

• Obtain and process personal data fairly and legally;

• Obtain personal data for specific, explicit, and legitimate purposes, and not process or treat it subsequently in a way that is incompatible with those purposes;

• Process only personal data that is adequate, relevant, and not excessive concerning the purposes for which it is obtained and its subsequent processing;

• Ensure that personal data is accurate, complete, and, if necessary, updated;

• Maintain personal data for no longer than is necessary for the purposes for which it was obtained and processed and in accordance with applicable legislation and specific provisions for service delivery.

TREEOMA will retain personal data for the time necessary for the purposes of the processing for which it was collected; however, we may retain the data for a longer period in the application of legal provisions. In the case of a longer retention for other reasons, we will inform you of such reasons and the applicable retention period when collecting the personal data.

To determine the retention period of personal data, we specifically use the following criteria:

• When the user requests a service, we retain the personal data for the duration of our contractual relationship and in accordance with the specific rules applicable to the service provided;

• When the user contacts us for an inquiry, we will retain the personal data for the time necessary to process and address their inquiry;

• In cases where consent has been provided for direct marketing actions, we will retain the personal data until requested to delete it or after a period of inactivity;

TREEOMA is committed to keeping personal data secure and taking all precautions to do so.

According to this personal data protection policy, applicable laws and regulations require that personal data be protected against unauthorized access, modification, disclosure, loss, or destruction.