Personal Data Processing Policy

In compliance with article 15 of the Political Constitution of Colombia, Statutory Law 1581 of 2012, Decree 1377 of 2013 and Single Regulatory Decree 1074 of 2015, Sumerce Guru adopts this Personal Data Processing Policy (the "Policy"), which is binding in all its activities.

Note: Law 1581 is a Colombian statute applicable to processing carried out in Colombian territory. This English version is provided for convenience; the Spanish version at sumerce.guru/proteccion-datos.html is the authoritative legal text for Colombian jurisdiction.

1. Identification of the data controller

Controller: Sumerce Guru

Legal representative: César Camilo Monsalvo Escobar

Domicile: Bogotá D.C., Colombia

NIT: [pending registration]

Habeas data contact: contacto@sumerce.guru

Website: sumerce.guru

2. Responsible area

Reception, processing and response to requests, queries and complaints related to personal data processing is handled by Sumerce Guru's internal management, through the email contacto@sumerce.guru.

3. Definitions

For the purposes of this Policy, the definitions set forth in article 3 of Law 1581 of 2012 and article 3 of Decree 1377 of 2013 apply. Among them:

Authorization: prior, express and informed consent from the data subject to carry out the processing of personal data.
Database: organized set of personal data subject to processing.
Personal data: any information linked or that may be associated with one or several determined or determinable natural persons.
Sensitive data: data affecting the privacy of the data subject or whose improper use may generate discrimination (health, sexual orientation, racial origin, philosophical, religious or political convictions, among others).
Processor: natural or legal person processing personal data on behalf of the controller.
Controller: natural or legal person deciding on the database and/or the processing of data.
Data subject: natural person whose personal data is being processed.
Processing: any operation or set of operations on personal data (collection, storage, use, circulation, deletion).

4. Processing principles

Sumerce Guru observes the principles set forth in article 4 of Law 1581 of 2012:

Legality: processing is subject to the Constitution and the law.
Purpose: processing obeys legitimate purposes, which are communicated to the data subject.
Freedom: processing is carried out only with prior, express and informed consent of the data subject.
Truthfulness or quality: information is truthful, complete, accurate, updated, verifiable and understandable.
Transparency: the data subject can obtain information at any time on the existence and processing of their data.
Restricted access and circulation: processing is carried out by authorized persons or those with a relationship with the data subject.
Security: data is processed under technical and administrative security measures.
Confidentiality: persons involved in the processing are obliged to guarantee reserve of the information.

5. Processing purposes

Sumerce Guru processes personal data for the following general purposes:

Manage the pre-contractual, contractual and post-contractual relationship with clients, suppliers, partners and collaborators.
Contact the data subject to respond to inquiries, send requested information or formulate commercial proposals.
Execute the contracted services and fulfill the obligations derived therefrom.
Comply with legal, tax, accounting, regulatory and document retention obligations.
Prevent fraud and preserve the security of the site and communications.
Improve the quality of services through aggregated and anonymous site-usage analysis.
Send commercial communications about our services, provided the data subject has granted prior, express and informed authorization.
Comply with requests from competent authorities in accordance with the law.

6. Rights of the data subject

Under article 8 of Law 1581 of 2012, the data subject has the right to:

Access, update and rectify their personal data with the controller and/or processor.
Request proof of the authorization granted to the controller, except when expressly exempted as a requirement for processing.
Be informed, upon request, regarding the use given to their personal data.
File before the Superintendence of Industry and Commerce (SIC) complaints for violations of the law and other provisions that modify, add to or complement it.
Revoke authorization and/or request deletion of data when the processing does not respect constitutional and legal principles, rights and guarantees.
Access their personal data that has been processed free of charge.

7. Channel and procedure for exercising rights

Data subjects may exercise their rights via the email contacto@sumerce.guru, sending a request containing at minimum:

Full name and identification document number.
Clear email subject: "Habeas data query" or "Habeas data claim".
Clear and precise description of the request and the facts giving rise to it.
Contact means to receive the response (physical or electronic address).
Supporting documents, if any.

7.1 Response deadlines

Queries (article 14, Decree 1377 of 2013): will be addressed within a maximum term of ten (10) business days from the date of receipt. When it is not possible to address the query within that term, the interested party will be informed, stating the reasons for the delay and indicating the date on which it will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.

Claims (article 15, Decree 1377 of 2013): will be addressed within a maximum term of fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within that term, the interested party will be informed of the reasons for the delay and the date the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

7.2 Prior claim to the SIC

In accordance with the paragraph of article 16 of Law 1581, the data subject or successor may only file a complaint before the Superintendence of Industry and Commerce once they have exhausted the query or claim procedure with Sumerce Guru.

8. Authorization of the data subject

Sumerce Guru obtains authorization for the processing of personal data through mechanisms that allow unequivocal demonstration of the data subject's consent. Authorization is considered granted when:

The data subject voluntarily completes forms or consent checkboxes on the site.
The data subject voluntarily contacts Sumerce Guru through published channels (email, WhatsApp, etc.) for commercial or professional purposes.
The data subject signs a commercial proposal, contract or agreement referencing this Policy.
The data subject accepts the cookie notice that includes reference to this Policy.

Authorization may be revoked at any time by the data subject, unless a legal or contractual duty requires the data to be retained.

9. Processing of sensitive data and minors

Sumerce Guru does not request or process sensitive data or data of minors in the ordinary course of its activity. If a specific project requires processing any of these, a special procedure will be followed with express, specific and written authorization of the data subject (or legal representative, in the case of minors), observing the applicable special provisions.

10. Transfer and transmission of data

Sumerce Guru may transfer or transmit personal data to third parties located within or outside Colombian territory in the following cases:

To data processors (technology providers) acting on behalf of Sumerce Guru for the provision of services.
By legal mandate or requirement of a competent authority.
With express authorization of the data subject.
When necessary for the execution of a contract signed with the data subject.

International transfers are carried out in accordance with article 26 of Law 1581 of 2012, verifying that the destination country offers adequate levels of protection or adopting the necessary contractual safeguards.

11. Security measures

Sumerce Guru implements reasonable technical, human and administrative measures to protect personal data against loss, unauthorized access, alteration or improper use. Among them:

Encryption of in-transit communications (HTTPS/TLS).
Role-based access controls and principle of least privilege.
Strong authentication on operating platforms.
Periodic backups with restoration testing.
Security and confidentiality contractual clauses with data processors.
Team training in privacy and information security.

12. Retention period

Data is retained during the time necessary to fulfill the processing purposes and applicable legal obligations. Once such term expires, data is deleted or irreversibly anonymized.

13. Validity

This Policy enters into force from its publication at sumerce.guru/en/data-protection.html. Sumerce Guru reserves the right to modify it when necessary due to regulatory, technological or operational changes; in such case, it will publish the updated version with the corresponding date. The databases administered by Sumerce Guru will have indefinite validity as long as the purposes justifying their processing and applicable legal obligations persist.

14. Control authority

The control authority in personal data protection matters in Colombia is the Superintendence of Industry and Commerce (SIC), through the Delegate Office for the Protection of Personal Data. Any data subject may go to said entity to file complaints, once internal proceedings with Sumerce Guru have been exhausted.

15. Contact

For any inquiry related to personal data processing carried out by Sumerce Guru, please write to contacto@sumerce.guru.