Define corporate policies and regulations for the processing of personal data, which may involve the collection, storage, use, circulation, deletion, transmission, transfer and/or reception of the same, in order to comply with the provisions of Law 1581 of 2012 and its Regulatory Decree 1377 of 2013.

This Personal Data Protection Policy will apply to all Databases and/or Files containing Personal Data that are subject to Processing by GOLDFISH SAS, (hereinafter THE COMPANY).

Article 15 of the Political Constitution of Colombia: “All people have the right to their personal and family privacy and to their good name, and the State must respect them and ensure that they are respected. In the same way, they have the right to know, update and rectify the information that has been collected about them in databases and in the archives of public and private entities”.

Ley Estatutaria 1581 de 2012: “Por la cual se dictan disposiciones generales para la protección de datos personales”.

Decreto 1377 de 2013 del Ministerio de Comercio, Industria y Turismo: “Por el cual se reglamenta parcialmente la Ley 1581 de 2012”.

GOLDFISH SAS. Company with registered office at Carrera 13 No. 83-19 Piso 5, in the city of Bogotá D.C., Colombia. Email admincol@goldfish.com.co, phone 301 3501270.

• Autorización: Consentimiento previo, expreso e informado del Titular para llevar a cabo el Tratamiento de Datos Personales.
• Aviso de Privacidad: Comunicación verbal o escrita generada por el responsable, dirigida al Titular para el Tratamiento de sus Datos Personales, mediante la cual se le informa acerca de la existencia de las Políticas de Tratamiento de información que le serán aplicables, la forma de acceder a las mismas y las finalidades del Tratamiento que se pretende dar a los datos personales.
• Base de Datos: Conjunto organizado de Datos Personales que sea objeto de tratamiento.
• Personal Data: Any information linked to or that can be associated with one or more specific or determinable natural persons.
• Data Processor: Natural or legal person, public or private, who, on their own or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller. In events where the person responsible does not act as Database Manager, it will be expressly identified who will be the Manager.
• Data Controller: Natural or legal person, public or private, who, on their own or in association with others, decides on the Database and/or Data Processing.
• Terms and Conditions: general framework in which conditions are established for participants in promotional or related activities.
• Owner: Natural person whose Personal Data is subject to Treatment.
• Treatment: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.
• Transfer: The transfer of data takes place when the person responsible and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is the Data Controller and is inside or outside the country.
• Transmission: Processing of Personal Data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose of carrying out a Treatment by the Processor on behalf of the person responsible.

THE COMPANY, acting in its capacity as Data Controller, for the proper development of its business activities, as well as for the strengthening of its relationships with third parties, collects, stores, uses, circulates and suppresses Personal Data corresponding to natural persons with whom it has or has had a relationship, such as, without the enumeration implying limitation: workers and their families, shareholders, customers, distributors, suppliers, creditors and debtors.

Personal Data is subject to Treatment by THE COMPANY for the following purposes:
7.1. To send information to your workers and family members;
7.2. For the provision of health services to the families of the COMPANY's workers who benefit from the health service;
7.3. For the recognition, protection and exercise of the rights of the shareholders of THE COMPANY;
7.4. To strengthen relationships with your consumers and customers, by sending relevant information, service orders from suppliers and/or customers, answering Requests, Complaints and Complaints (PQRs) by the customer service area, evaluating the quality of your customer service and inviting you to events organized or sponsored by THE COMPANY, among others;
7.5. For the verification of your creditors' balances;
7.6. For marketing, statistical, research and other commercial purposes that do not contravene current legislation in Colombia;
7.7. To meet judicial or administrative requests and to comply with judicial or legal orders;
7.8. To eventually contact you, via email, or by any other means, to natural persons with whom you have or have had a relationship, such as, without the enumeration implying limitation, workers and their families, shareholders, consumers, customers, distributors, suppliers, creditors and debtors, for the above-mentioned purposes.

Natural persons whose Personal Data is subject to Treatment by THE COMPANY, have the following rights, which they can exercise at any time:
8.1. Know the Personal Data on which THE COMPANY is carrying out the Treatment. Likewise, the Data Controller may request at any time that their data be updated or rectified, for example, if they find that their data are partial, inaccurate, incomplete, fractional, misleading, or those whose Processing is expressly prohibited or has not been authorized.
8.2. Request proof of the authorization granted to THE COMPANY for the Processing of your Personal Data.
8.3. To be informed by THE COMPANY, upon request, regarding the use that the COMPANY has given to your Personal Data.
8.4. Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of the Personal Data Protection Act.
8.5. Request the COMPANY to delete your Personal Data and/or revoke the authorization granted for the Processing of the same, by filing a complaint, in accordance with the procedures established in paragraph 11 of this Policy. However, the request for the deletion of the information and the revocation of the authorization will not proceed when the Data Subject has a legal or contractual duty to remain in the Database and/or Archives, nor while the relationship between the Owner and THE COMPANY, on the basis of which their data was collected, is in force.
8.6. Free access to your Personal Data being Processed.

• IMPORTANT: ”The request for the deletion of the information and the revocation of the authorization will not proceed when the Owner has a legal or contractual duty to remain in the database” Article 9 — Decree 1377 of 2013 of the Ministry of Commerce, Industry and Tourism.

THE COMPANY must request prior, express and informed authorization from the Holders of the Personal Data for whom it requires carrying out the Treatment.

9.1. Prior authorization means that consent must be granted by the Owner, at the latest at the time of collection of Personal Data.

9.2. Express authorization means that the Owner's consent must be explicit and concrete, and open and non-specific authorizations are not valid. The Data Controller is required to express their willingness to authorize THE COMPANY to carry out the Processing of their Personal Data.

This expression of will of the Owner can take place through different mechanisms made available by THE COMPANY, such as:

In writing, for example, filling out an authorization form
Orally, for example, in a telephone conversation or video conference.
Through unambiguous conduct that allows us to conclude that you granted your authorization, for example, through your express acceptance of the Terms and Conditions of an activity within which the authorization of the participants is required for the Processing of their Personal Data.

• IMPORTANT: Under no circumstances will THE COMPANY assimilate the Owner's silence to unequivocal conduct.

Whatever the mechanism used by THE COMPANY, it is necessary that the authorization be kept in order to be consulted later.

9.3. Informed Authorization means that, at the time of requesting consent from the Owner, the following must be clearly informed:

The identification and contact details of the person responsible and the Data Processor.
The specific purposes of the Treatment that is intended to be carried out, that is: how and for what purpose the collection, use and circulation of Personal Data will be carried out.
What are the rights you have as a Personal Data Subject; for this purpose, see paragraph 6 of this Policy.
The optional nature of the answer to the questions that are asked, when they relate to sensitive data or to the data of children and adolescents.

In accordance with the Personal Data Protection Act, data of a sensitive nature are considered to be data that affects privacy or whose misuse may lead to discrimination, such as those related to:
Racial or ethnic origin.
Political orientation.
Religious/philosophical convictions.
Membership in unions, social organizations, human rights organizations or political parties.
Health.
Sex life.
Biometric data (such as fingerprint, signature and photo).
The Processing of Personal Data of a sensitive nature is prohibited by law, unless there is express, prior and informed authorization from the Owner, among other exceptions enshrined in Article 6 of Law 1581 of 2012.
In this case, in addition to complying with the requirements established for authorization, THE COMPANY must:
Inform the Data Controller that because they are sensitive data, they are not obliged to authorize their Processing.
Inform the Data Controller which of the data that will be subject to Treatment are sensitive and the purpose of the Treatment.

• IMPORTANT: No activity may be conditioned on the Data Controller providing sensitive Personal Data.

In accordance with Article 7 of Law 1581 of 2012 and Article 12 of Decree 1377 of 2013, THE COMPANY will only carry out the Processing, that is, the collection, storage, use, circulation and/or deletion of Personal Data corresponding to children and adolescents, as long as this Treatment responds to and respects the best interests of children and adolescents and ensures respect for their fundamental rights.

Once the above requirements have been met, THE COMPANY must obtain the Authorization of the legal representative of the child or adolescent, after the minor's exercise of his right to be heard, an opinion that will be evaluated taking into account his maturity, autonomy and ability to understand the matter.

The Holders of the Personal Data that are being collected, stored, used and put into circulation by THE COMPANY, may at any time exercise their rights to know, update, rectify and delete information and revoke authorization.
For this purpose, the following procedure will be followed, in accordance with the Personal Data Protection Act:

12.1. ATTENTION AND RESPONSE TO REQUESTS AND INQUIRIES:
What does the procedure consist of?
The Owner or his successors may request from THE COMPANY, through the means indicated below:
· Information about the Owner's Personal Data that are subject to Treatment.
· Request proof of the authorization granted to THE COMPANY for the Processing of your Personal Data.
· Information regarding the use that has been given by THE COMPANY to your personal data.
Means enabled for submitting requests and inquiries:
THE COMPANY has provided the following means for receiving and answering requests and inquiries, all of which make it possible to keep proof of them:
· Communication addressed to GOLDFISH SAS in the city of Bogotá D.C. Carrera 13 No. 83-19, Floor 5, Ofc 68.
· Request submitted to the email: admincol@goldfish.com.co
Attention and response from THE COMPANY:
Requests and inquiries will be answered within a maximum period of ten (10) business days from the date of receipt of the requests. When it is not possible to respond to the request or query within that period, the interested party will be informed, stating the reasons for the delay and stating the date on which their request or query will be answered, which in no case may exceed five (5) business days following the expiration of the first term.

12.2. ATTENTION AND RESPONSE TO COMPLAINTS AND GRIEVANCES:
What does the procedure consist of?
The Owner or his successors may request to THE COMPANY, through a complaint or complaint submitted through the channels indicated below:
· The correction or updating of information.
· The deletion of your Personal Data or the revocation of the authorization granted for the Processing of the same.
· That the alleged breach of any of the duties contained in the Personal Data Protection Act be corrected or corrected.
The request must contain the description of the facts giving rise to the complaint or claim, the address and contact details of the applicant, and must be accompanied by the documents that you want to assert.
Means enabled for filing complaints and claims:
THE COMPANY has provided the following means for receiving and dealing with complaints and claims, all of which make it possible to keep proof of their submission:
· Communication addressed to GOLDFISH SAS., Carrera 13 No. 83-19 5th floor in the city of Bogotá D.C
· Request submitted to the email: admincol@goldfish.com.co
Attention and response from THE COMPANY:
If the complaint or complaint is submitted incomplete, THE COMPANY must request the interested party within five (5) days of receiving the complaint or complaint to remedy the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has abandoned the complaint or claim.
In the event that whoever receives the complaint or complaint is not competent to resolve it, they will send it to GOLDFISH SAS., within a maximum period of two (2) business days and will inform the interested party of the situation.
Once the complete complaint or complaint has been received, a legend will be included in the Database that says “pending complaint” and the reason for it, within a period not exceeding two (2) business days. This legend must be kept until the complaint or claim is decided.
The maximum period for dealing with the complaint or complaint will be fifteen (15) business days from the day following the date of its receipt. When it is not possible to respond to the complaint or complaint within that period, the interested party will be informed of the reasons for the delay and the date on which their complaint or claim will be dealt with, which in no case may exceed eight (8) business days following the expiration of the first term.

THE COMPANY, in strict application of the Principle of Security in the Processing of Personal Data, will provide the technical, human and administrative measures that are necessary to provide security to records, avoiding adulteration, loss, unauthorized or fraudulent consultation, use or access. The obligation and responsibility of THE COMPANY is limited to having the appropriate means for this purpose. THE COMPANY does not guarantee the total security of your information nor is it responsible for any consequence derived from technical failures or improper access by third parties to the Database or Archive on which the Personal Data subject to Processing by THE COMPANY and its Managers are located. THE COMPANY will require the service providers it contracts to adopt and comply with appropriate technical, human and administrative measures for the protection of Personal Data in relation to which such providers act as Processors.

THE COMPANY may provide Personal Data to third parties not linked to THE COMPANY when:
1. These are contractors executing contracts for the development of THE COMPANY's activities;
2. By transfer to any title of any line of business to which the information relates.

In any case, contracts for the transmission of Personal Data, which are signed between THE COMPANY and the Processors for the Processing of Personal Data, the information will be required to be treated in accordance with this Personal Data Protection Policy and the following obligations will be included at the head of the respective Processor:
· To Process, on behalf of THE COMPANY, Personal Data in accordance with the principles that protect them.
· Safeguard the security of databases containing Personal Data.
· Keep confidential regarding the Processing of Personal Data.

This Personal Data Protection Policy has been in effect since January 01, 2020.

In accordance with Statutory Law 1581 of 2012 on Data Protection and its regulatory regulations, the user is informed that the data entered in this form will be incorporated into a database under the responsibility of GOLDFISH SAS, being treated for commercial purposes, information on behavior and commercial credit; and accounting, fiscal and administrative management.

You can exercise your rights of access, correction, deletion, revocation or complaint for data infringement, by writing to GOLDFISH SAS, to the email address admin@goldfish.com.co, indicating in the subject the right you wish to exercise, or by ordinary mail sent to Carrera 13 # 83 — 19 Piso 05 Oficina 68, BOGOTÁ D.C.

*The user declares to have read the previous clause and to be satisfied with it, with the acceptance of which he sent his data.

In compliance with Statutory Law 1581 of 2012 on Data Protection (LEPD) and regulations that regulate it, the purpose of this Privacy Notice is to obtain the express and informed authorization of the Data Controller for the processing and transfer of their data to third parties. The treatment conditions are as follows:

1. GOLDFISH SAS, identified with NIT No. 900687156-3, will be responsible for the processing of your personal data.
2. In order to receive comprehensive customer service, the personal data collected will be processed for the following purposes: commercial purposes, information on behavior and commercial credit; and accounting, fiscal and administrative management.
3. The Data Controller's data processing policy, as well as any substantial changes that may occur in it, can be consulted at the following email: admincol@goldfish.com.co
4. The Data Controller can exercise the rights of access, correction, deletion, revocation or claim for infringement of their data by writing to GOLDFISH SAS at the email address admincol@goldfish.com.co indicating in the subject the right they wish to exercise; or by postal mail sent to Carrera 13 # 83 — 19 Piso 05 Oficina 68, BOGOTÁ D.C.