Privacy Policy

PERSONAL DATA PROCESSING POLICIES AND PROCEDURES MATT S.A.S.

OBJECTIVE OF THE PERSONAL DATA PROCESSING POLICY

MATT S.A.S. (hereinafter "MATT" or the "Company"), committed to the security of personal information of its users, customers, suppliers, contractors, employees, and the general public, in order to strictly comply with current regulations on Personal Data protection contained in Law 1581 of 2012 and Decree 1377 of 2013 and other provisions that modify, add or complement them, hereby presents its Personal Data Processing Policy (hereinafter the "Policy").

In this Policy, the Company details the procedures and policies to protect the Personal Data of Data Subjects, as well as the purposes for which Personal Data is collected, the rights of Data Subjects, and the procedures that must be followed to exercise such rights and the area responsible for handling complaints and claims.

The Policy will apply to all Processing carried out by the Company, its employees, representatives, agents, and contractors and, where applicable, by those third parties with whom all or part of any activity related to Personal Data Processing in the territory of the Republic of Colombia is agreed upon.

The Policy is directed to all Data Subjects whose Personal Data is subject to Processing as a consequence of or in connection with their relationship with the Company, whether such Processing is carried out by the Company or by third parties who do so by commission.

MATT, in compliance with the constitutional right to Habeas Data, only processes Personal Data when previously authorized by its Data Subject, implementing clear measures on confidentiality and privacy that prevent adulteration, loss, consultation, unauthorized or fraudulent use of Personal Data.

DEFINITIONS

The terms defined below shall have the meaning indicated below. In case of any difference between the terms defined herein and those established in Law 1581 of 2012, the latter shall prevail.

  • Personal Data: Any information linked or that can be associated with one or several determined or determinable natural persons.
  • Sensitive Data: Personal Data whose improper use affects the privacy of the Data Subject or may generate discrimination.
  • Data Processor: The natural or legal person, public or private, who by themselves or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller.
  • Data Controller: Natural or legal person, public or private, who by themselves or in association with others, determines the Processing of Personal Data. For the purposes of this Policy, it will be the Company.
  • Data Subject: Natural or legal person whose Personal Data is subject to Processing.
  • Transfer: The Transfer of data takes place when the Controller and/or Processor of Personal Data, located in Colombia, sends the Personal Data information to a recipient, who in turn is responsible for the Processing and is located within or outside the country.
  • Transmission: Processing of Personal Data that implies the communication to a third party within or outside the territory of the Republic of Colombia, when such communication has the purpose of carrying out Processing by the Processor on behalf of and for the Controller, to fulfill the purposes of the latter.
  • Processing: Any operation or set of operations, electronic, automatic, or mechanical performed on Personal Data, that allow collection, storage, use, circulation, conservation, ordering, storage, modification, relationship, evaluation, blocking, destruction, and in general, the processing of Personal Data, as well as its Transfer and/or Transmission to third parties through communications, consultations, interconnections, assignments, data messages.

PRINCIPLES FOR PERSONAL DATA PROCESSING

This Policy is governed by and shall be subject to the principles that govern the Processing of Personal Data, as follows:

  1. Principle of legality: The Processing of Personal Data is a regulated activity that must comply with the provisions of Law 1581 of 2012 and Decree 1377 of 2013 and other provisions that develop, add or modify them.

  2. Principle of purpose: The Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which will be informed to the Data Subject.

  3. Principle of freedom: Processing can only be exercised with the prior, express, and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves consent.

  4. Principle of truthfulness or quality: Personal Data subject to Processing must be truthful, complete, accurate, updated, verifiable, and comprehensible. The Processing of partial, incomplete, fractioned data or data that leads to error is prohibited.

  5. Principle of transparency: In Processing, the Data Subject's right to obtain from the Controller or Processor, at any time and without restrictions, information about the existence of Personal Data that concerns them must be guaranteed.

  6. Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of Personal Data. In this sense, Processing may only be done by persons authorized by the Data Subject and/or by the persons provided for in Law 1581 of 2012.

  7. Principle of security: Information subject to Processing by the Data Controller or Data Processor shall be handled with the technical, human, and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use.

  8. Principle of confidentiality: All persons involved in the Processing of Personal Data that are not public in nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the duties involved in the Processing, being able to only supply or communicate Personal Data when it corresponds to the development of activities authorized in Law 1581 of 2012 and under the terms of the same.

AUTHORIZATION, PROCESSING, AND STORAGE OF PERSONAL DATA

To perform any Processing of Personal Data, the Company will request, at the latest at the time of Personal Data collection, authorization from the Data Subjects to perform such Processing, informing about the specific purposes for which such consent is obtained. The Personal Data collected, therefore, may only be used by the Company, its employees, representatives, agents, and contractors and, where applicable, by those third parties with whom all or part of any activity related to Personal Data Processing is agreed upon for the purposes described in this Policy. The Company will inform the Data Subject, upon request made in accordance with the procedures provided for this purpose, about the authorized persons and/or third parties with whom all or part of the Processing is agreed upon.

The Company does not usually collect Personal Data from minors under 18 years of age. However, in the event of requiring it, it will request the consent of parents, guardians, or legal representatives before carrying out the Processing. For the Processing of this Personal Data, the Company will ensure to respond to and respect the best interests of the minor under 18 years of age, (ii) ensure respect for their fundamental rights, and (iii) listen to the minor to assess their opinion according to their maturity, autonomy, and ability to understand the matter.

In the case of sensitive Personal Data, the Data Subject will be informed that such data corresponds to the category of "Sensitive Data," with which they are not obliged to authorize its Processing. In any case, the Company will expressly inform the purposes for which it requests Sensitive Data and will strictly observe the legal limitations on the Processing of Sensitive Data.

The Company will subject Sensitive Data to Processing only when the Data Subject has granted their authorization, except in cases where the law does not require such authorization. The Company will not condition, in any case, any activity on the delivery of Sensitive Data.

Although the Company has a solid and reliable technological infrastructure that allows it to perform Processing of Sensitive Data with the highest diligence and security standards, there are circumstances inherent to Processing that may expose Personal Data to certain risks, which includes but is not limited to security risks, virus risks, corruption risks, and service outages, among others.

The authorization of Data Subjects may be manifested by: (i) writing, (ii) orally, or (iii) through unequivocal conduct that reasonably allows concluding that authorization was granted.

MATT will preserve proof of such authorizations appropriately, respecting the principles of confidentiality and privacy of information.

PURPOSES AND TYPES OF PERSONAL DATA SUBJECT TO PROCESSING

Types of Personal Data included in MATT's database

The following are the Personal Data of Data Subjects that are collected by MATT in the development of its corporate purpose:

  1. Names and surnames
  2. Gender of the Data Subject
  3. Date of birth
  4. Address
  5. City
  6. Phone number
  7. Email address

However, the Company may request the Personal Data it considers necessary for its operation, which will be duly informed by the Company at the latest at the time of collection. All Personal Data collected may be stored and hosted in Colombia and/or abroad.

Purposes of Personal Data Processing

The Personal Data collected by MATT is included in a database to which only Company personnel authorized for this purpose in the exercise of their functions have access, warning that in no case is it authorized for the Processing of Personal Data for purposes different from those described here:

  1. Conduct advertising and marketing campaigns to offer discounts or promotions of own products or services or those of third parties;
  2. Inform about changes in products or services;
  3. Implement loyalty programs;
  4. Evaluate the quality of products and services;
  5. Prepare market studies to establish consumption preferences or determine payment habits;
  6. Carry out commercial agreements, events, or institutional programs directly or in association with third parties;
  7. Provide products and services directly or through third parties, and receive feedback;
  8. Inform about new products or services;
  9. Statistical study activities;
  10. Send information about activities developed by the Company or send information considered of interest through different means;
  11. Comply with legal obligations to provide information to administrative entities, as well as to competent authorities that so require;
  12. Execute obligations derived from commercial and labor contracts in which MATT is a party;
  13. Support the Company's audit processes;
  14. Conduct satisfaction surveys;
  15. Confirm necessary data for product delivery and/or service provision;
  16. Carry out the procedures for handling PQRs submitted to the Company;
  17. Any other purpose that may result from the development of the contract or commercial relationship between MATT and the Data Subject.

In any case, the Company may request Personal Data for purposes other than those established here, taking into account that such purposes will be informed previously and, at least, at the time of collection.

The Personal Data provided by the Data Subject will only be used for the purposes indicated here and once the purpose of the Processing for which they were collected ceases, they will be deleted from MATT's databases.

RIGHTS OF PERSONAL DATA SUBJECTS

In accordance with art. 8 of Law 1581 of 2012, the Data Subject of Personal Data will have the following rights:

  1. Know, update and rectify their Personal Data before the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned data that leads to error, or those whose Processing is expressly prohibited or has not been authorized;

  2. Request proof of the authorization granted to the Data Controller except when the law indicates that authorization is not necessary, in accordance with the provisions of article 10 of law 1581 of 2012;

  3. Be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been given to their Personal Data;

  4. File complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it;

  5. Revoke the authorization and/or request the deletion of data when the Processing does not respect the principles, rights, and constitutional and legal guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Processing the Controller or Processor has engaged in conduct contrary to this law and the Constitution;

  6. Access free of charge to their Personal Data that has been subject to Processing.

The exercise of Rights may be carried out by (i) the Data Subject, who must prove their identity sufficiently through the different means made available by the Data Controller, (ii) their successors, who must prove such quality, (iii) the representative and/or attorney of the Data Subject, with prior accreditation of representation or power of attorney, and (iv) by stipulation in favor of another or for another.

The rights of children and adolescents will be exercised by the persons who are empowered to represent them.

PROCEDURES FOR THE EXERCISE OF DATA SUBJECTS' RIGHTS OVER PERSONAL DATA

The Personal Data subject to Processing and included in the Company's databases are collected in the exercise of activities developed by reason of or in connection with commercial, contractual, labor, or any other nature relationships that the Company develops with Data Subjects.

The Company has different channels such as our website, social networks, telephone service line, commercial and labor contracts, through which the Company obtains the Personal Data referred to in this Policy. At any time, the Company may use any other channel, instrument, and/or means to perform Personal Data Processing.

The Personal Data collected by the Company is stored through duly licensed software, which is provided by specialized providers in the matter, with whom confidentiality agreements are signed for the adequate protection of such data. The software system has all necessary measures aimed at protecting Personal Data against loss, abuse, adulteration, fraud, or access/use by unauthorized third parties.

In order to protect and maintain the confidentiality of Data Subjects' Personal Data, the Company determines that the procedure to know, update, rectify, delete information or revoke the authorization for Personal Data Processing, implies the duty of the Data Subject to contact MATT through the means provided for this purpose, namely:

  1. Making the request by telephone through the service lines provided for this purpose in accordance with the provisions of this Policy;
  2. Sending a scanned written request to the email address provided by the Company, which must be accompanied by a copy of the Data Subject's identification document;
  3. Sending a written request to the Company's registered office, which must be accompanied by a copy of the Data Subject's identification document.

Data Subjects may, at any time, request the Company to delete their data and/or revoke authorization. The right of deletion is not absolute and the Company may deny its exercise in the following events:

  1. When the Data Subject has a legal or contractual duty to remain in the database or the Data Controller has a legal or contractual obligation that requires maintaining the Personal Data;
  2. The deletion of Personal Data hinders judicial or administrative proceedings linked to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions;
  3. The Personal Data is necessary to protect the legally protected interests of the Data Subject, to carry out an action in the public interest, or to comply with a legally acquired obligation by the Data Subject or the Data Controller.

Procedure to know, update, rectify, delete information or revoke Authorization

The Data Subject of Personal Data, their successors, their representatives and/or attorneys may make QUERIES about the Personal Data that rests in the Company's databases, according to the following rules:

  1. The request will be analyzed to verify the identification of the Data Subject. If the request is made by a person other than the Data Subject and it is not proven that they act in representation of the latter in accordance with current laws, the request will be rejected.

  2. All queries will be answered within a maximum term of ten (10) business days counted from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which their query will be attended, which in no case may exceed five (5) business days following the expiration of the first term.

Procedure for the presentation of CLAIMS for updating, correction, deletion, revocation of authorization

The Data Subject, or their successors, who consider that the information contained in MATT's Databases should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the Company's duties, may submit a CLAIM according to the following rules:

  1. The request will be analyzed to verify the identification of the Data Subject. If the request is made by a person other than the Data Subject and it is not proven that they act in representation of the latter in accordance with current laws, the request will be rejected.

  2. The claim must contain the following information:

    • The identification of the Data Subject
    • Contact information (physical and/or electronic address and contact phones)
    • Documents that prove the identity of the Data Subject, or the representation
    • Clear and precise description of the Personal Data regarding which the Data Subject seeks to exercise any of the rights
    • Description of the facts that give rise to the claim
    • Documents to be asserted
    • Signature and identification number

  3. If the claim is incomplete, the Company will require the interested party within five (5) days following the receipt of the claim to correct the failures. After two (2) months from the date of the requirement, without the applicant presenting the required information, it will be understood that they have withdrawn from the claim.

  4. If the area that receives the claim is not competent to resolve it, it will transfer it to whom it corresponds within a maximum term of two (2) business days and will inform the interested party of the situation.

  5. Once the complete claim is received, a legend that says "claim in process" and the reason for it will be included in the database, in a term no longer than two (2) business days. Said legend must be maintained until the claim is decided.

  6. The maximum term to attend to the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.

  7. The Data Subject has the right, at any time, to request the deletion of their Personal Data. The deletion implies the total or partial elimination of Personal Data from the Databases, according to what is requested by the Data Subject. The right of deletion is not absolute and the Company may deny its exercise in the following events:

    • The Data Subject has a legal or contractual duty to remain in the database or the Controller has a legal or contractual obligation that requires maintaining the Personal Data
    • The deletion of Personal Data hinders judicial or administrative proceedings linked to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions
    • The Personal Data is necessary to protect the legally protected interests of the Data Subject, to carry out an action in the public interest, or to comply with a legally acquired obligation by the Data Subject or the Controller

INFORMATION AND MECHANISMS PROVIDED BY MATT AS DATA CONTROLLER

| Information | Detail | |------------|----------| | Business name | MATT S.A.S. | | Tax ID | 901492626 | | Domicile | Medellín | | Address | Cra 34 # 7 – 11 | | Phone numbers | 3052167699 | | Email | 2g@matt.com.co | | Website | https://www.matt.com.co |

AREA RESPONSIBLE FOR PERSONAL DATA PROCESSING

The Administrative Area of MATT is in charge of receiving petitions, complaints, or claims from personal data subjects. This area will be responsible for carrying out the internal management necessary to ensure a clear, efficient, and timely response to the Data Subject.

POLICY VALIDITY

This Matt Policy is effective from its publication.

Personal Data subject to Processing will remain in the Company's Databases, based on the temporality criterion for the contractual term of the product or service, in accordance with the purposes mentioned in this Policy.

The Company may modify this Policy when it deems necessary without notifying the Personal Data Subject, provided that the modifications are not substantial. A substantial modification will be understood for the purposes of this Policy as a change in relation to the purposes of Processing and/or the contact information of the Data Controller.