Data Processing

Privacy and Personal Data Processing Policies — Business Unit: TWC

W PAYMENTS of THE WEBCAM COMPANY hereinafter “TWC”, the business unit, based in Medellín - Antioquia, recognizes the importance of security, privacy, and confidentiality of personal data of its clients, users, collaborators, suppliers, shareholders, allies, and in general, all its stakeholders regarding whom it processes personal information. Therefore, in compliance with constitutional and legal provisions, it has adopted the present POLICY FOR PERSONAL DATA PROCESSING.

It is very important for USERS, whether legal or natural persons, to carefully study this confidentiality and privacy policy to be well-informed about the service we provide at TWC. Accepting the terms described in the privacy policy is not mandatory, but if authorization to process the data is not granted, accessing the information and carrying out the processes and consultations for the required purposes will not be possible, which means access to the services we offer will be restricted. Your consent will imply that these terms are read, understood, and fully accepted.

APPLICABLE REGULATIONS

Listed below are the main regulations in force in Colombia regarding personal data protection, with which TWC is fully committed to complying.

• Article 15 of the Political Constitution of Colombia

• Statutory Law 1266 of 2008

• Law 1273 of 2009

• Statutory Law 1581 of 2012

• Decree 1377 of 2013

• Decree 886 of 2014

• Decree 1074 of 2015

• Title V of the Sole Circular of the Superintendency of Industry and Commerce.

RECIPIENTS

This policy is directed at our customers, users, collaborators, suppliers, allies, and generally, our stakeholders for whom TWC processes personal information.

DEFINITIONS

The following definitions will be taken into account for the purposes of this policy:

• Authorization: is the prior, express, and informed consent of the information holder to carry out the processing of personal data.

• Database: an organized set of personal data subject to processing.

• Successor: is a person who has succeeded another due to their death (can also be understood as heirs or legatees).

• Personal Data: any information linked or that can be associated with one or several determined or determinable natural persons.

• Public Data: data that the law or Constitution determines as such, as well as all those that are neither semi-private nor private.

• Private Data: is data that, due to its intimate or reserved nature, is only relevant to the information holder.

• Semi-private Data: is data that does not have an intimate, reserved, or public nature, and whose knowledge or disclosure may interest, not only its holder, but a certain sector or group of people.

• Sensitive Data: is data that affects the holder’s privacy or whose misuse can lead to discrimination.

• Data Processing Manager: a natural or legal person, public or private, who by itself or in association with others, processes personal data on behalf of the data controller.

• Data Controller: a natural or legal person, public or private, who by itself or in association with others, is responsible for the processing of personal data.

• Holder: a natural person whose personal data is processed. For TWC, holders of the information are clients, users, collaborators, suppliers, allies, shareholders, visitors, our stakeholders, and any other natural person whose data is processed by TWC, whether directly or indirectly.

• Data Transfer: occurs when the controller and/or person in charge of processing personal data, located in Colombia, sends the information or personal data to a receiver, which in turn is the processing controller and is located inside or outside of the country.

• Data Transmission: processing of personal data that involves the communication of these within or outside the territory of Colombia, with the purpose for a manager to process it on behalf of the controller.

• Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation, or suppression.

GUIDING PRINCIPLES FOR PERSONAL DATA PROCESSING

TWC commits to the information holders to process their personal data in accordance with the following principles:

• Principle of Legality in Data Processing: TWC is aware that processing referred to in Law 1581 of 2012 is a regulated activity, which must adhere to what is established in it and other provisions that develop it.

• Principle of Finality: TWC will process data with a legitimate purpose, in accordance with the Constitution and the Law, which will be informed to the holder.

• Principle of Freedom: TWC will process data only with the prior, express, and informed consent of the holder. Personal data cannot be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate.

• Principle of Truthfulness or Quality: the information subject to processing must be truthful, complete, updated, verifiable, and comprehensible. TWC prohibits the processing of data that is fractioned or induces error.

• Principle of Transparency: TWC acknowledges that data holders have the right to obtain information concerning them at any time and without restrictions.

• Principle of Restricted Access and Circulation: processing is subject to limitations derived from the nature of personal data, in accordance with the provisions of Law 1581 of 2012 and the Constitution. In this regard, processing can only be done by persons authorized by the holder and/or by people provided for by law. With the exception of public information, TWC will not make personal data available on the internet or other mass disclosure or communication media, unless access is technically controllable to provide restricted knowledge only to holders or third parties authorized according to Law 1581 of 2012.

• Principle of Security: TWC will manage the information subject to processing referred to in Law 1581 of 2012 with the necessary technical, human, and administrative measures to secure the records, prevent their alteration, loss, unauthorized or fraudulent consultation, use, or access.

• Principle of Confidentiality: all people involved in the processing of personal data that is not of a public nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks comprising the processing has ended. They may only supply or communicate personal data when this corresponds to the development of activities authorized by Law 1581 of 2012 under its terms.

TWC will request authorization in such a way that the information holder gives their prior, express, and informed consent for the processing their personal data is subjected to.

Authorization may also be obtained from unequivocal conduct of the data holder, which allows reasonably concluding that they granted their consent for the processing of their information. Such conduct must clearly manifest the will to authorize the processing.

The consent of the holder can be obtained by any means that can be objected to further consultation, such as written, verbal, virtual communication, or unequivocal conduct.

Due to its nature and social purpose, TWC receives, collects, registers, preserves, stores, elaborates, modifies, reports, consults, delivers, transmits, transfers, shares, and deletes personal information, for which it obtains the prior authorization of the holder.

The authorization given to TWC by the holders of the information allows, among other things, carrying out the following purposes: offering and providing information about products and services, as well as consulting, reporting, and updating data with information and risk operators; updating current contractual relationships and complying with agreed obligations.

TWC will adequately retain proof of such authorizations, ensuring and respecting the principles of privacy and confidentiality of the information.

Moreover, when dealing with data related to the following types of information, TWC will have the following special considerations:

Sensitive Data

For the processing of sensitive data, TWC will inform the data holder of the following:

• For the processing of this type of information, the holder is not obliged to give their authorization or consent.

• Explicit and prior notice will be given about the type of sensitive data that will be requested.

• The processing and the purpose of the sensitive data will be communicated.

• The authorization of the sensitive data will be prior, express, and clear.

TWC informs the data holders that in compliance with Article 10 of Law 1581 of 2012, the holder’s authorization is not necessary in the following cases: (1) information required by a public or administrative entity in the exercise of its legal functions or by court order, (2) data of a public nature, (3) cases of medical or sanitary urgency, (4) processing information authorized by law for historical, statistical, or scientific purposes, and (5) data related to the Civil Registry of Persons.

Accordingly, TWC may obtain the data holder's authorization through various means such as verbal, written authorization, either provided through physical or virtual channels designed for that purpose. 

RIGHTS OF THE HOLDER

The information holders whose data TWC processes are entitled to:

• Know, update, rectify, suppress, or revoke their personal data and be informed of the processing that TWC carries out on their personal data.

• Request the portability of their personal data when applicable.

• Submit requests and claims related to the current regulation on Personal Data Protection.

• Request revocation of authorization and/or deletion of a personal data if it is determined that TWC exhibits conduct contrary to the current regulation. The request for deletion or revocation will not proceed when holders have a legal or contractual obligation to remain in TWC’s database.

In accordance with Art. 20 of Decree 1377 of 2013, the exercise of the aforementioned Rights may be carried out by the following individuals:

• By the Holder, who must sufficiently prove their identity through the various means provided by the responsible party.

• By their successors, who must prove such status.

• By the Holder's representative and/or attorney-in-fact, upon proving representation or power of attorney.

• By stipulation in favor of or for another.

• The rights of children or adolescents will be exercised by people authorized to represent them.

DUTIES OF TWC

TWC as the responsible party for the personal data stored in its databases commits to:

• Guarantee the holder the full and effective exercise of their rights.

• Request and keep a copy of the authorization given by the holder or proof of it.

• Inform the holder about the purposes of data collection, usage of their personal data and rights due to the given authorization.

• Maintain the information under security conditions to prevent its alteration, loss, consultation, unauthorized use, or access.

• Ensure that the information provided to third parties or the processing officer is truthful, complete, accurate, updated, verifiable, and comprehensible.

• Update the information held by any third party or officer regarding all innovations related to the provided data and take the necessary measures to keep the information updated.

• Rectify information upon becoming aware of its incorrectness.

• Ensure that third parties and/or officers handling the personal information for which TWC is responsible have effective measures and policies in place to ensure the adequate processing of such information. Similarly, they will be required to commit to adhering to and applying the provisions of this Personal Data Processing Policy and other guidelines established by TWC or certify that their internal policies include at least the provisions outlined here. If the issuance of certification is not possible, TWC must corroborate that the internal policies of the third parties and/or officers meet security and/or privacy criteria equivalent to or higher than those outlined here. In this respect, third parties and/or officers must adopt security and privacy measures and conditions for the personal data shared with them, at least at the same level of protection adopted by TWC.

• Process consultations and claims in accordance with what is provided in this Policy and the law.

• Inform the data protection authority of security violations and risks in the administration of the holder’s information when they occur.

CONSULTATION, COMPLAINT, AND CLAIM PROCEDURE

Information holders can use the following procedures when needing to make a consultation, complaint, or claim:

Consultations

Holders, their successors, or any other person who may have a legitimate interest may request to be informed about the personal data of the holder stored in any of TWC’s databases.

In accordance with the above, TWC will guarantee the right to consultation, providing personal information linked to the holder.

Consultations regarding topics of access to information, evidence of authorization granted by the holder, usage, and purposes of the personal information, or any other consultation related to the personal information provided by the holder, must be submitted through the channels enabled by TWC.

The consultation will be addressed within a maximum period of 10 business days from the date of receipt.

When it is not possible to address the consultation within the prescribed time, the interested party will be informed, stating the reasons for the delay and the date on which the consultation will be addressed, which will not exceed 5 business days following the expiration of the first term, in accordance with the provisions of Article 14 of Law 1581 of 2012.

Claims

Correction, updating, and deletion:

Holders, their successors, or any other person with a legitimate interest, who consider that the information contained in any database of TWC should be subject to correction, updating, or deletion, or who perceive a possible breach of the duties established in Law 1581 of 2012 and its regulatory decrees, may submit a claim following the requirements of Article 15 of the same law.

Requirements to file a claim:

• Identification of the holder or the person filing the claim, stating their name and identification number.

• Describe the reason for the claim clearly and explicitly, detailing the facts that originated it, presenting the documents intended to be used.

• Prove the legitimate interest of the person acting or attach the necessary supports if needed.

• Indicate the phone, physical address, and email address to which the notification and the response to the request should be sent.

In any case, if the claim is incomplete, the interested party will be required within five (5) days following its receipt to rectify the errors. If two (2) months have passed since the date of the request, and the information required has not been presented, TWC will understand that the claim has been withdrawn.

When TWC is not the competent entity to resolve the claim presented, it will be forwarded to the appropriate party within two (2) business days, informing the interested party of this situation.

If the claim is received complete, a legend stating “claim in process” and the reason for this, will be included in the database within no more than two (2) business days. This legend will remain until the claim is resolved.

Furthermore, the maximum period to resolve the claim will be fifteen (15) business days counted from the day following the receipt date. When it is not possible to address it within that period, the interested party will be informed of the reasons for the delay and the date on which the claim will be resolved, which in no case may exceed eight (8) business days following the expiration of the first term.

Holders, their successors, or any other person with a legitimate interest, may file a complaint with the SIC, but only after the consultation or claim procedure has been exhausted with TWC as the responsible party and/or any manager, in accordance with Article 16 of Law 1581 of 2012.

Suppression of Information and Revocation of Authorization:

TWC has adopted an internal process for cases in which requests for suppression of information and/or revocation of authorization occur.

CHANNELS FOR CONSULTATIONS, COMPLAINTS, AND CLAIMS

TWC has enabled the following attention channels for data holders to exercise their rights to know, update, rectify, and/or suppress their personal information:

Email: to file a claim about the handling of personal data, information holders can send a request to the email address info@wpayments.co

TRANSFER AND TRANSMISSION OF PERSONAL DATA

Occasionally, TWC, as the responsible party for the personal information stored in its databases and in the development of the purposes described in the present document, may carry out national or international data transfer or transmission.

TWC is committed to verifying the level of protection and security standards of the recipient country of the personal information, performing the declaration of conformity (when applicable), and signing a transfer contract or another legal instrument that ensures the protection of the personal data subject to transfer.

As part of this exchange relationship, TWC has adopted various guidelines for relationships with third parties, to protect the information involved in this activity.

In the interest of protecting the information, TWC will verify if the SIC has included the respective country on the list of countries offering an adequate level of data protection or will review the relevant regulations in the recipient country of the information. In both cases, the policies and procedures of the controller or manager (as applicable) will be reviewed to determine if they meet the conditions to guarantee adequate levels of security for the information subject to transmission or transfer.  

RELATIONSHIP WITH THIRD PARTIES AND/OR MANAGERS

In the development of this Policy and internal provisions for the proper handling of personal data, TWC will ensure that third parties it connects or enters into commercial, labor, or alliance relationships with, align their behaviors with the data protection regime in Colombia.

In view of the above, TWC, without prejudice to all the documentation, models, and means provided for the request of authorization for processing, privacy notices, and contractual and/or legal coverage, may request information from third parties and/or managers that is appropriate and relevant to verify and observe compliance with the provisions contained in this policy and in the personal data protection regime in Colombia.

In this regard, TWC may require third parties and/or managers to accredit beforehand, during, or post-relationship, the compliance with the personal data protection regime requirements. This way, a review and supervision of compliance with legal and/or contractual requirements may be requested periodically or eventually, through evidence or documentation of the management carried out, making visits to the third party’s premises, among other activities that can be coordinated to validate compliance.

TWC will ensure that procedures are in place so that once the legal or contractual relationship with the third party and/or the manager of personal information is over, it retrieves, eliminates, destroys, or performs any other activity that TWC considers pertinent to give adequate treatment to the information shared with this third party and/or manager.

EFFECTIVE DATE

This Personal Data Processing Policy was approved on December 11, 2025, and takes effect from that date.