Data Processing

Privacy and Personal Data Processing Policies — Business Unit: TWC

W PAYMENTS from THE WEBCAM COMPANY, hereinafter referred to as “TWC”, a business unit with main domicile in the city of Medellín – Antioquia, acknowledges the importance of the security, privacy, and confidentiality of personal data from its clients, users, collaborators, suppliers, shareholders, partners, and in general, all its stakeholders regarding whom it processes personal information. Therefore, in compliance with constitutional and legal regulations, it has adopted the present PERSONAL DATA PROCESSING POLICY.

It is highly important for USERS, whether a legal or natural person, to thoroughly study this confidentiality and privacy policy to be well informed about the service we provide at TWC. It is not mandatory to accept the terms described in the privacy policy, but if authorization to process the data is not provided, access to the information will not be possible, nor will processes be conducted or consultations for the required purposes, which means the services we offer will not be accessible. Your consent will imply that these terms have been read, understood, and fully accepted.

APPLICABLE LEGISLATION

Below are the primary regulations in Colombia regarding personal data protection with which TWC is fully committed to complying.

• Article 15 of the Political Constitution of Colombia

• Statutory Law 1266 of 2008

• Law 1273 of 2009

• Statutory Law 1581 of 2012

• Decree 1377 of 2013

• Decree 886 of 2014

• Decree 1074 of 2015

• Title V of the Single Circular of the Superintendence of Industry and Commerce.

RECIPIENTS

This policy is directed towards our clients, users, collaborators, suppliers, partners, and in general our stakeholders on whom TWC conducts personal information processing.

DEFINITIONS

The following definitions will be taken into account for the purposes of this policy:

• Authorization: it is the prior, express, and informed consent of the information holder to carry out the processing of personal data.

• Database: organized set of personal data subject to processing.

• Successor: the person who has succeeded another, due to their death (also understood as heirs or legatees).

• Personal Data: any information linked or that may be associated with one or more specific or determinable individuals.

• Public Data: data that the law or the Constitution defines as such, as well as any that are not semi-private or private.

• Private Data: is data of an intimate or reserved nature that is solely pertinent to the information holder.

• Semi-private Data: data that is neither intimate, reserved, nor public and whose knowledge or disclosure may interest not only the holder but a certain sector or group of people.

• Sensitive Data: data that affects the holder's privacy or whose misuse can lead to discrimination.

• Data Processing Manager: a natural or legal person, public or private, who processes personal data on behalf of the data controller.

• Data Controller: a natural or legal person, public or private, who processes personal data.

• Data Subject: a natural person whose personal data is subject to processing. For TWC, data subjects include clients, users, collaborators, suppliers, partners, shareholders, visitors, our stakeholders, and any other individual whose data is processed by TWC, either directly or indirectly.

• Data Transfer: occurs when the personal data controller and/or processor, located in Colombia, sends the information or personal data to a recipient, who is also responsible for data processing and is located inside or outside the country.

• Data Transmission: the processing of personal data that implies the communication of such data within or outside Colombia, so a processor conducts treatment on behalf of the controller.

• Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation, or suppression.

GUIDING PRINCIPLES OF PERSONAL DATA PROCESSING

TWC is committed to the information holders to process their personal data following these principles:

• Principle of legality in data processing: TWC is aware that the processing referred to in Law 1581 of 2012 is a regulated activity that must comply with what is established in it and in other provisions that develop it.

• Purpose principle: TWC will process data with a legitimate purpose, according to the Constitution and the Law, which will be informed to the holder.

• Principle of freedom: TWC will process data only with the prior, express, and informed consent of the holder. Personal data cannot be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate.

• Principle of accuracy or quality: the information subject to processing must be truthful, complete, up-to-date, verifiable, and comprehensible. In TWC, the processing of data that is fragmented or that induces error is prohibited.

• Principle of transparency: TWC knows that data holders have the right to obtain information at any time and without restrictions about the existence of data concerning them.

• Principle of access and restricted circulation: processing is subject to the limits arising from the nature of personal data, according to the provisions of Law 1581 of 2012 and the Constitution. In this sense, processing can only be done by persons authorized by the holder and/or by persons provided for by law. Except for public information, TWC will not make personal data available on the Internet or other mass dissemination or communication media, unless access is technically controllable to provide a restricted knowledge only to holders or third parties authorized under Law 1581 of 2012.

• Security principle: TWC will handle the subject data in compliance with Law 1581 of 2012, employing the necessary technical, human, and administrative measures to ensure security in the records, preventing their alteration, loss, consultation, unauthorized access, or fraudulent use.

• Confidentiality principle: all persons involved in the processing of personal data that are not public in nature are required to guarantee the confidentiality of the information, even after the end of their relationship with any tasks involving such processing, being able to supply or communicate personal data only when this corresponds to the development of activities authorized in Law 1581 of 2012 and under its terms.

TWC will request authorization in such a way that the information holder provides prior, express, and informed consent for the processing to which their personal data is subject.

Authorization can also be obtained from unequivocal actions of the data holder, which reasonably allow concluding that they consented to the processing of their information. Such actions must clearly express the will to authorize the processing.

The holder's consent may be obtained by any means that can be queried later, such as written, verbal, virtual communication, or by unequivocal actions.

By its nature and social purpose, TWC receives, collects, records, preserves, stores, elaborates, modifies, reports, consults, delivers, transmits, transfers, shares, and eliminates personal information, for which it obtains the prior authorization of the holder.

The consent granted to TWC by the information holders allows, among other things, the following purposes: offering and supplying information about products and services, as well as consulting, reporting, and updating their data with information and risk operators; updating contractual relationships and fulfilling agreed obligations.

TWC will properly keep evidence of such authorizations, upholding and respecting the principles of privacy and confidentiality of information.

Likewise, at TWC, when it comes to information relating to the following types of data, special considerations will be observed:

Sensitive Data

For the processing of sensitive data, TWC will inform the data holder of the following:

• For this type of information processing, the holder is not required to give their authorization or consent.

• The type of sensitive data to be requested will be explicitly and previously informed.

• The processing and purpose of the sensitive data will be communicated.

• The authorization for sensitive data will be prior, express, and clear.

TWC informs the information holders that, in accordance with Article 10 of Law 1581 of 2012, the holder's authorization will not be necessary in cases such as: (1) information required by a public or administrative entity in exercising its legal functions or by court order, (2) public nature data, (3) cases of medical or health emergencies, (4) information processing authorized by law for historical, statistical, or scientific purposes, and (5) data related to the Civil Registry of Persons.

As a result of the above, TWC may obtain authorization from the data holder through various means, such as verbal, written authorization, the latter provided by physical or virtual channels designed for such purpose. 

RIGHTS OF THE DATA HOLDER

The holders of the information subject to processing by TWC may:

• Know, update, rectify, suppress, or revoke their personal data and be informed about the processing that TWC performs on the personal data.

• Request the portability of their personal data when applicable.

• Submit requests and complaints related to the current regulations on Personal Data Protection.

• Request the revocation of the authorization and/or suppression of a personal data in case it is determined that TWC has a conduct contrary to the current regulations. The suppression or revocation request will not proceed when holders have a legal or contractual duty to remain in TWC's database.

In accordance with art. 20 of Decree 1377 of 2013, the exercise of the above-mentioned rights may be executed by the following people:

1. By the Holder, who shall prove their identity sufficiently by the different means provided by the responsible party.

2. By their successors, who must prove such status.

3. By the representative and/or attorney-in-fact of the Holder, upon proof of representation or power of attorney.

4. By stipulation in favor of or for another.

5. The rights of children or adolescents will be exercised by persons authorized to represent them.

OBLIGATIONS OF TWC

TWC as responsible for the personal data stored in its databases, commits to:

• Ensure the holder the full and effective exercise of their rights.

• Request and keep a copy of the authorization given by the holder or proof of it.

• Inform the holder about the purposes of the collection, the uses of their personal data, and their rights in relation to the authorization given.

• Preserve the information under secure conditions to prevent its alteration, loss, consultation, unauthorized use, or access.

• Ensure that the information supplied to third parties or data processors is truthful, complete, accurate, up-to-date, verifiable, and understandable.

• Update the information any third party or processor has about all news concerning the data provided and take the necessary measures to keep the information updated.

• Rectify the information upon becoming aware that it is incorrect.

• Ensure that third parties and/or those responsible for information processing for which TWC is responsible have effective measures and policies to ensure proper management of such information. In addition, require them to comply with and apply the provisions outlined in this Personal Data Processing Policy and other guidelines established by TWC, or to certify that their internal policies capture at least the provisions outlined here. If it is not possible to issue the certification, TWC must corroborate that the policies of third parties and/or processors incorporate security and/or privacy criteria equivalent to or superior to those outlined here. In this regard, third parties and/or processors must adopt security and privacy measures for personal data shared with them, at least at the same protection level adopted by TWC.

• Process consultations and claims as per what is provided in this Policy and the law.

• Inform the data protection authority when there are security breaches and risks to the management of holders' information.

PROCEDURE FOR CONSULTATIONS, COMPLAINTS, AND CLAIMS

Information holders may use the following procedures when they require making any inquiry, complaint or claim.

1. Consultations

The holders, their successors, or any other person with a legitimate interest, may request information about the personal data of the holder that is stored in any TWC database.

With this in mind, TWC will guarantee the right to consultation, providing access to the personal information related to the holder.

Consultations concerning access to information, proof of authorization granted by the holder, uses, and purposes of personal information, or any other consultation related to the personal information provided by the holder, should be submitted through the channels enabled by TWC.

The consultation will be attended to within a maximum of 10 business days from the date of receipt.

When it is not possible to address the consultation within the stipulated time, the interested party will be informed, indicating the reasons for the delay and the date the consultation will be addressed, which will not exceed 5 business days following the expiration of the first period, as stated in article 14 of Law 1581 of 2012.

1. Complaints

Correction, update, and deletion:

The holders, their successors, or any other person with a legitimate interest considering that the information contained in one of TWC's databases needs correction, update, or deletion, or who identifies a possible breach of the duties established in Law 1581 of 2012 and its regulatory decrees, may file a complaint following the requisites of article 15 of the same law.

Requirements for filing a claim:

• Identification of the holder or the person filing the complaint, indicating their name and identification number.

• Clearly and expressly describe the reason for the complaint, where the facts that caused it are established, presenting the documents to be validated.

• Accredit the legitimate interest with which the complainant acts and attach, if necessary, the corresponding supports.

• Indicate the phone, physical and electronic address to which the response to the request must be notified and sent.

In any case, if the complaint is incomplete, the interested party will be required within five (5) days of receipt to remedy the errors. If two (2) months pass from the date of the requirement, with the applicant failing to present the required information, TWC will understand that the complaint has been withdrawn.

If TWC is not the competent entity to resolve the submitted claim, it will be transferred to the appropriate party within a maximum of two (2) business days, and the particular situation will be informed to the interested party.

Suppose the complaint is received complete, a legend indicating “complaint in process” and the reason for it will be included in the database in no more than two (2) business days. This legend will remain until the claim is resolved.

Nonetheless, the maximum term for addressing the complaint will be fifteen (15) business days from the day following its receipt. When it is not possible to address it within this period, the interested party will be informed of the reasons for the delay and the date the claim will be resolved, which in any case shall not exceed eight (8) business days following the expiration of the first term.

The holders, their successors, or any other person with a legitimate interest may file a complaint with the SIC, but only after exhausting the consultation or claim procedure with TWC, as responsible and/or any processor, following what is provided in Article 16 of Law 1581 of 2012.

Suppression of information and revocation of authorization:

TWC has adopted an internal process for those cases in which information deletion and/or authorization revocation requests are submitted.

CHANNELS FOR CONSULTATIONS, COMPLAINTS, AND CLAIMS

TWC has enabled the following channels for holders of personal data to exercise their rights to know, update, rectify, and/or delete their personal information.

• Email: to file a complaint about personal data management, information holders can send a request to the email info@somoswebcam.com

TRANSFER AND TRANSMISSION OF PERSONAL DATA

Occasionally, TWC, as responsible for the personal information stored in its databases and in the development of the objectives described in this document, may carry out national or international data transfers or transmissions.

TWC is committed to verifying the level of protection and security standards of the recipient country of the personal information, making the declaration of conformity (where applicable) and signing a transfer contract or another legal instrument that ensures the protection of the personal data subject to transfer.

As part of this exchange relationship, TWC has adopted various guidelines for relationships with third parties to protect the information subject to this activity.

To protect the information, TWC will verify whether the SIC has included the respective country on the list of countries that offer an adequate level of data protection or review the current regulations in the recipient country of the information, as well as, in both scenarios, the policies and procedures of the person responsible (depending on the applicable case) to determine if suitable conditions are in place to guarantee adequate levels of security for the information subject to transmission or transfer. 

RELATIONSHIPS WITH THIRD PARTIES AND/OR MANAGERS

In the development of this Policy and the internal provisions for the proper handling of personal data, TWC will ensure that third parties it is linked with or with which it establishes commercial, labor relationships or alliances comply with the personal data protection regime in Colombia.

In this respect, TWC, without prejudice to all the documentation, models, and means provided for the authorization request for processing, privacy notices, records, and contractual and/or legal coverage, may require third parties and/or processors relevant and pertinent information to verify and observe compliance with the provisions contained in this policy and Colombia's personal data protection regime.

In this sense, TWC may request third parties and/or processors to certify in advance, during or after the relationship that links them, the fulfillment of the requirements of the personal data protection regime. Accordingly, an eventual or periodic review and supervision of compliance with legal and/or contractual requirements might be requested through management evidence or support, visits to the third party's facilities, among other activities that might be coordinated to validate compliance.

TWC will ensure the procedures are in place so that once the legal or contractual relationship with the third party and/or information manager is terminated, recovery, elimination, destruction, or any other activity deemed pertinent by TWC is undertaken for adequately processing the information shared with said third party and/or processor.

VALIDITY

This Personal Data Processing Policy was approved on July 14, 2025, and is effective from the same date.