Privacy and personal data protection policy

INTRODUCTION

In accordance with Law 1581 of 2012 and its regulatory decrees, ARROYO CONSULTING LLC. (hereinafter "Arroyo") adopts this personal data protection and privacy policy, which regulates the collection, storage, treatment, protection and administration of the data that "ARROYO" obtains from its clients, suppliers, employees and others. people with whom ARROYO has or will have any relationship of any nature.

ARROYO may modify this policy, in order to adapt it to changes in current legislation and jurisprudence and adapt it to industry practices. In that event, it will announce on its website, or by other appropriate means, the introduction of such changes with due anticipation.

The information that freely and voluntarily customers, suppliers, employees or any other person provides Arroyo by any means, is entered in their databases, for which ARROYO is responsible.

ARROYO treats personal data adequately and securely, complying with all legal requirements and following all the parameters of the ISO 27001 standard on Information Security.

GENERAL ASPECTS OF THE TREATMENT

Identification of the person responsible for the Treatment:

Arroyo Consulting LLC, with a main address at Nashville (TN. USA); website: www.arroyoconsulting.net, email: contact@arroyoconsulting.net, telephone: +1(972)6729004.

Nature of Personal Information Collected:

ARROYO will collect contact information and any other information that is pertinent from in accordance with the nature of the relationship that ARROYO maintains with the owner of the data, be it labor, commercial or of any other nature.

In general, the personal data that ARROYO collects has the following nature depending on the owner of the data, as follows:

Interested in business relationships. People who of their own volition contact ARROYO through their websites, email, telephone calls or other means, in order to request information about their products or services, evaluate possibilities of commercial alliances, provide ARROYO with their products and services and in general, evaluate the possibility of developing some kind of relationship with the company. In these cases, the information requested is of a basic nature, related to the identification of the person and company to which it belongs, position, email, telephone, city and subject. Sometimes, when contacted through the Arroyo website, the company's servers obtain, for statistical purposes, data in relation to the operating system used by the person who contacts ARROYO, the version and type of browser and the IP adress.

Client, suppliers and others. When a definitive commercial relationship is established, ARROYO collects the information necessary to adequately manage said relationship, in accordance with the parameters established in this policy and complying with all the requirements of the law and the respective contracts.

Interested in joining ARROYO. People who voluntarily send their CV to the company, in order to be taken into account in the selection processes. The information provided in the CV is used solely for the purposes of the selection, recruitment and hiring process, by the personnel of the area in charge of carrying out said processes. ARROYO does not share the information collected with any natural or legal person outside the company.

Employees. Information about employees is strictly confidential and complies with the requirements of Colombian law. It is only used by those who, by reason of their position, have to do with the management of the employment relationship. ARROYO does not publish data or information related to employees to people outside the employment relationship or to entities and people outside the company.

Information sources:

ARROYO collects information from the following sources:

Directly from the owner of the information.

Automatically when the owner of the information uses the ARROYO websites. The ARROYO websites use cookies and other tools that collect information from those who visit them; By simply entering these websites, the following information can be automatically obtained:

• The hyperlinks you have clicked on.
• Information about the browser you are using.
• Details of the pages you have viewed.
• Your IP address
• The sites you visited before arriving at the Portal

Taking into account the above, if the Owner of the information does NOT want it to be collected automatically, he or she must disable the automatic acceptance settings in his Internet browser. There you can block it, as well as detect when such information is being sent to your computer. It should be taken into account that, if cookies are disabled, the experience on the website may be affected.

From other sources. ARROYO may obtain personal information from public databases or from third parties authorized by the owner of the data to share information.

Treatment to which the data will be submitted.

The personal information obtained by ARROYO, may be subject to storage, use, circulation or deletion, depending on the purpose for which it was collected, and / or in accordance with the provisions of the law.

The information subject to Treatment must be true, complete, exact, updated, verifiable and understandable.

Purpose of the treatment.

The information collected by ARROYO is used, with the authorization of its holders, for the following purposes:

1. Offer information about products and services, as well as commercial opportunities.
2. Materialize potential legal relationships with people interested in being clients, suppliers or employees of ARROYO.
3. Provide the owner of the information with the contracted services, as well as the assistance, consulting and support necessary to fulfill the obligations arising from the commercial relationship.
4. Keep clients updated on the development of commercial processes that are carried out, as well as the offer or execution of services provided by ARROYO, including services in the cloud.
5. Carry out the necessary steps to comply with the obligations inherent to the services and products contracted with ARROYO.
6. Carry out marketing, promotion, advertising, purchases, service and product improvements, consultations, controls, verifications, alliances, agreements, as well as any other activity related to ARROYO's services and its current and future products.
7. Keeping internal statistics and evaluating the quality of the products and services offered, as well as the level of satisfaction of customers, suppliers and interested parties, through satisfaction surveys and other mechanisms that are enabled for this purpose.
8. Do your own administrative, accounting and tax management, including, but not limited to, billing management, collection and payment management, supplier management, client management and reports to tax authorities.
9. Link personnel to the company and comply with their legal obligations as an employer, such as, but not limited to, personnel management, temporary and internship management, payroll management, occupational risk prevention, personnel training, affiliations and payments to the system of social security and labor welfare.
10. Comply with its legal and statutory obligations.
11. Respond to inquiries, complaints and claims.
12. Carry out activities aimed at controlling and minimizing risks in terms of the security of the physical facilities and virtual sites of the company.
13. Transfer and / or transmit data to third parties within or outside the country, if there is a need to do so, provided that said persons guarantee suitable conditions of confidentiality and security of the information transferred and / or transmitted.

The aforementioned activities, for which personal data are used, are carried out by ARROYO or by those ARROYO hires to carry them out, according to their needs. In any case, ARROYO will ensure that third parties hired to process data comply with these policies and with the parameters established by law.

Treatment of sensitive data.

Sensitive data are those that affect the privacy of the owner or whose improper use may generate discrimination, such as those related to their racial or ethnic origin, sexual life, health, biometric data (that is, those that allow a person to be identified by their traits physical, voice, movement, such as: photos, fingerprints, signatures, etc.,) or data related to their religious or philosophical conviction or political orientation.

The owner of the information has the right not to provide sensitive information requested by ARROYO. Likewise, the owner is recommended to refrain from sending information of a sensitive nature that is not necessary for the provision of ARROYO services.

Treatment of data of minors.

ARROYO only processes information or personal data of minors that have been collected with the express consent of parents or their legal representatives, as the case may be, and only for those purposes that are pertinent in accordance with this policy.

Authorization for the processing of personal data.

ARROYO will inform the owner of the personal information about this policy and will obtain the respective authorization to process their personal data. It will also inform the owner about the changes made to this policy and will obtain a new authorization in case the change refers to the purpose of the treatment.

The authorization may be obtained by ARROYO by means of a written document, via email, verbally or by telephone, or by any other means that allows the respective authorization to be kept, consulted or proven. Likewise, the authorization of the holder may be manifested through unequivocal behaviors that allow to reasonably conclude that the authorization was granted. In no case will ARROYO assimilate the owner's silence to unequivocal conduct.

ARROYO will not require authorization from the owner of the personal information in the case of:

• Information required by a public or administrative entity in the exercise of its legal functions or by court order;
• Data of a public nature;
• Cases of medical or health emergency;
• Treatment of information authorized by law for historical, statistical or scientific purposes;
• Data related to the Civil Registry of Persons.

Confidentiality.

ARROYO does not make public the personal information of its employees, clients, suppliers, interested parties, or any other person with whom it has a relationship of any kind and will only disclose such information to those persons authorized by ARROYO who must know it to do the respective treatment of the information or to those persons authorized by law.

DUTIES OF ARROYO

ARROYO can be both responsible and in charge of the processing of personal data. In the event that you perform both roles, you must comply with the legal duties of each of them, namely:

ARROYO's duties as responsible for the Treatment

As the person responsible for the Treatment, ARROYO has the following duties:

1. To guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
2. Request and keep, under the conditions provided in Law 1581 of 2012, and its regulatory decrees, a copy of the respective authorization granted by the Holder;
3. Properly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the authorization granted.
4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
5. Guarantee that the information provided to the Treatment Manager is true, complete, accurate, updated, verifiable and understandable.
6. Update the information, communicating in a timely manner to the Person in Charge of Treatment, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it is kept up-to-date.
7. Rectify the information when it is incorrect and communicate the pertinent to the Person in Charge of Treatment.
8. Provide the Treatment Manager, as the case may be, only data whose Treatment is previously authorized in accordance with the provisions of Law 1581 of 2012.
9. Require the Treatment Manager at all times, respect the conditions of security and privacy of the information of the Holder.
10. Process inquiries and claims made under the terms set forth in Law 1581 of 2012.
11. Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, especially, to attend to inquiries and claims.
12. Inform the Treatment Manager when certain information is under discussion by the Holder, once the claim has been submitted and the respective process has not been completed.
13. Inform at the request of the Owner about the use given to their data.
14. Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders.
15. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

ARROYO's duties as Data Controller.

1. Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
2. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
3. Timely update, rectify or delete the data in accordance with the law.
4. Update the information reported by those responsible for Treatment within five (5) business days from receipt.
5. Process the queries and claims made by the Holders in the terms indicated in the law.
6. Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, for the attention of queries and claims by the Holders.
7. Register in the database the legends "claim in process" in the manner in which it is regulated by law.
8. Insert in the database the legend "information in judicial discussion" once notified by the competent authority about judicial processes related to the quality of personal data.
9. Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendency of Industry and Commerce.
10. Allow access to information only to people who can have access to it.
11. Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders.
12. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

RIGHTS OF THE INFORMATION HOLDER

The holders of the information have the following rights:

1. To know, update and rectify personal data against ARROYO. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or those whose treatment is expressly prohibited or has not been authorized.
2. Request proof of the authorization granted to ARROYO, except when expressly excepted as a requirement for Treatment in accordance with the law.
3. Be informed by ARROYO, upon request, regarding the use that has been given to your personal data.
4. Submit complaints to the Superintendency of Industry and Commerce for violations of the personal data protection regime.
5. Revoke the authorization and / or request the deletion of personal data when the principles, rights and constitutional and legal guarantees are not respected in the treatment.
6. Free access to personal data that have been subject to Treatment.

PROCEDURES

Area responsible for the attention to requests, queries, complaints and claims.

The Information Security area will be responsible for responding to the requests, queries, complaints and claims of the data holders, in accordance with the procedures described below.

Queries.

The owner of the information or his successors in title have the right to consult the owner's personal information, processed by ARROYO. For this, you can file the query at the address: XXXXXXXXX, or by phone +1 (972) 672 9004, or send it to the email: contact@arroyoconsulting.net.

When making the request, the following information must be provided:

• If it is the Holder: Copy of the identity document (CC, TI, CE or passport).
• If it is the successor: Copy of the identity document, civil registration of death of the Holder, document that proves the quality in which he acts and the number of the holder's identity document.
• If it is a legal representative and / or attorney-in-fact: Copy of valid identity document, power of attorney for the process and the number of the holder's identity document.

The consultation will be answered within a maximum term of ten (10) business days from the date of filing of the same.

When it is not possible to attend the consultation within said term, the interested party will be informed of the reasons for the delay and the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the foreground.

Claims:

The owner of the information has the right to request the update, rectification and deletion of personal information, as well as revoke the authorization granted to ARROYO. For this, you can file the claim at the address: XXXXXXXXX, or by phone +1 (972) 672 9004, or send it to the email: contact@arroyoconsulting.net.

When making the claim, the following information must be provided:

• If it is the Holder: Copy of the identity document (CC, TI, CE or passport).
• If it is the successor: Copy of the identity document, civil registration of death of the Holder, document that proves the quality in which he acts and the number of the holder's identity document.
• If it is a legal representative and / or attorney-in-fact: Copy of valid identity document, power of attorney for the process and the number of the holder's identity document.

Additionally, the request must clearly indicate what is intended with the claim, that is, if an update, correction or deletion of the data or a revocation of the authorization granted to ARROYO for the Treatment of personal information is required.

Likewise, the request must identify the owner, make a description of the facts that give rise to the claim, provide the contact information and provide the documents that you want to enforce.

If the application is incomplete, the interested party will be required to correct the failures within five (5) business days after receiving the claim. After two (2) months from the date of the request, without the interested party presenting the required information, it will be understood that the claim has been withdrawn.

Once the complete claim is received, the legend "request in process" and the reason for it will be included in the database, within a term not exceeding two (2) business days. Said legend will be kept until the request is determined.

The maximum term to attend the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the request within said term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first finished.

VALIDITY OF THE PRIVACY AND PERSONAL DATA PROTECTION POLICY.

This policy will be in force from its disclosure by any means. ARROYO reserves the right to update or modify it at any time, of which it will give timely notice by any means, to the recipients of the same.

VALIDITY OF THE ARROYO DATABASES

's personal databases will be in force for the period of time required by the applicable law, or by the contract that regulates them, or for the time necessary to fulfill the purpose of the database in accordance with this policy. In no case will ARROYO suppress or eliminate databases that by law must remain in force for a specific time, when the period of validity established in the contract that regulates them or the purpose for which they were created, determine a period of validity less than legally established

If you wish to inform ARROYO of your wish not to store any type of personal information for any type of purpose, click on the following link Cancellation of Registration to Arroyo Information Systems