PERSONAL DATA PROTECTION AND PROCESSING POLICY

The Personal Data Protection and Processing Policy for clients, contractors, employees, and anyone related to FINUP COLOMBIA SAS seeks to develop and protect the constitutional right to Habeas Data, in compliance with Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other complementary provisions that form part of the general framework for personal data protection in Colombia. Accordingly, this policy governs the processing of personal data of clients and other interested parties of FINUP COLOMBIA SAS, a commercial company identified by Tax Identification Number (NIT) 901.905.648-5, incorporated under the laws of the Republic of Colombia and domiciled in the city of Bogotá, D.C. (hereinafter referred to as FINUP).

FINUP is committed to protecting the privacy of all information that may be associated with or related to specific natural or legal persons (hereinafter referred to as Personal Data for the purposes of this document) to which FINUP has access in the course of its financial and commercial activities. Accordingly, any information to which FINUP has access, whether free of charge or for a fee, through any transfer or transmission, will be governed by these regulations.

FINUP may have access through different communication channels, physical or digital, regarding the collection, storage, administration, use, processing, analysis, transfer, transmission, protection and deletion of identification data (name, ID, age, gender), contact data (telephone, email, address), education data (level of education, institutions, degree of study, date in which the educational process was carried out), consumption preferences, visits and internet behavior, financial, stock market, risk rating information, as well as personal or commercial references of the natural or legal person and other data relevant to the commercial operation or that may be considered public, private, semi-private or sensitive.

FINUP may obtain the information detailed in this document through digital or physical means, directly from the data subjects or through the use of the company's internet platforms, with the express prior authorization of the Client or User. Any interaction that Clients or interested parties have on the FINUP Platform (https://finupcolombia.co) where private, semi-private, or sensitive information is requested, constitutes the data subject's express consent to the use of said data as described in this Privacy and Personal Data Processing Policy. The purposes for which the information will be collected are described in the privacy notice and this document related to the personal data protection and processing policies. The handling, collection, storage and processing of personal data collected will be carried out in accordance with the provisions relating to Law 1581 of 2012, the various circulars related to the handling of information by the Superintendency of Industry and Commerce and the Financial Superintendency, with this policy of protection and processing of personal data, the privacy notice and the internal manuals of the processing of personal data that will be developed in accordance with this document.

Please note that FINUP may use artificial intelligence tools to process information. Therefore, your information may be transmitted or transferred, as applicable, to various artificial intelligence companies, including but not limited to Weak AI, Strong AI, Reactive AI, Limited Memory AI, Theory of Mind AI, Self-Aware AI, Supervised Learning, Unsupervised Learning, Reinforcement Learning, Artificial Neural Networks, Generative Models, Natural Language Processing (NLP), Computer Vision, Expert Systems, and Autonomous Robotics. These transmissions or transfers of personal data will be based on the tasks you perform on the FINUP Platform. By using the Platform, you consent to these activities.

1. Definitions

Privacy Notice: This is a physical, electronic or other format document, generated by the Data Controller, which is made available to the Data Subject for the Processing of their Personal Data, through which Data Subjects are informed of the existence of the information processing policies applied by the Data Controller, how to access them and the characteristics of the Processing that is intended to be given to the personal data.
Authorization: This is the prior, express and informed consent of the Data Subject and the company that initiates the process within the platform to carry out the Processing of Personal Data.
Database: An organized set of personal data that is subject to processing.
Personal Data: Only data relating to one or more specific or identifiable natural persons is considered personal data.
Sensitive Data: Sensitive data is understood to be data that affects the privacy of the Data Subject or whose misuse could lead to discrimination, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or organizations that promote the interests of any political party or guarantee the rights and protections of opposition political parties, as well as data relating to health, sex life, and biometric data. FINUP will not request any sensitive data from its clients through this portal or through any other means.
Private data: is data that, due to its intimate or confidential nature, is only relevant to the owner.
Public data: This refers to data classified as such according to the mandates of the law or the Political Constitution, and any data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to a person's marital status, profession or occupation, status as a merchant or public servant, and any data that can be obtained without restriction. By their nature, public data may be contained in, among other sources, public registries, public documents, official gazettes, and bulletins.
Data Controller: A natural or legal person, public or private, who, alone or jointly with others, decides on the database and/or the processing of the data. For this purpose, the Data Controller will be FINUP and the legal entity that initiates the process on the Platform.
Platform: The term Platform refers to the website https://finupcolombia.co or any website related to the somosfinup domain through which FINUP services are provided or requested.
Data Processor: A natural or legal person, public or private, who, alone or jointly with others, processes personal data on behalf of the Data Controller. For this purpose, the Data Processor will be FINUP and the legal entity that initiates the process on the Platform. When using the https://finupcolombia.co platform, depending on its use, the processing of personal data may be entrusted to artificial intelligence platforms such as ChatGPT, Gemini, Claude, Copilot, Midjourney, Dall-e, Stable Diffusion, Jasper AI, Synthesia, ElevenLabs, Runway, DeepL, Notion AI, Google Bard, Hugging Face, and OopenAI Codex.
Data Subject: A natural or legal person whose personal data is processed. For this purpose, the Data Subjects will be the users who purchase tourism products and services through different sales channels on the Platform.
Processing of Personal Data: Any operation or set of operations performed on Personal Data, such as collection, storage, use, circulation or deletion.
User: Any natural or legal person who accesses the services that are embodied in the Platform and requests the services provided by FINUP.

2. Information about FINUP

FINUP, a legal entity identified with NIT 901.905.648-5, constituted in accordance with the laws of the Republic of Colombia and domiciled in the city of Bogotá DC, whose corporate name is FINUP COLOMBIA SAS. In the development of its commercial and financial activities, FINUP provides its clients with a Platform and services whose objective is to provide solutions to settle debts through financial advice and the creation of an investment plan. FINUP verifies the information provided by each of the users, under the prior and express authorization of this Personal Data Protection and Processing Policy, to determine the veracity of documents and personal, private or semi-private information, where the following are analyzed, among other elements: (i) social security status, (ii) judicial or police records; (iii) facial recognition, (iv) reports in risk centers and restricted lists, (v) verification of employment certificates, (vi) verification of academic certificates, (vii) home visits, (viii) employment references, (ix) academic references, (x) commercial references; (xi) information stored in public databases; (xii) information stored in private databases that have been provided through prior authorization of the data subject; (xiii) analysis of the business model, (xiv) identification documents; (xv) legal documents of incorporation; (xvi) any other documents that ensure the probity of security in access to the services provided by FINUP.

FINUP may carry out the verification through its platform, of its contractors, workers or third parties, natural or legal persons, with prior authorization from the data subject, including, among others, the following documents, information or verification:

Basic verification (Validity of identification document – National Civil Registry; Criminal record – National Police; Disciplinary record – Attorney General's Office; Tax record – Comptroller General's Office; Traffic violations – Integrated Information System on Fines and Sanctions for Traffic Violations (SIMIT); Driver's License – National Single Transit Registry (RUNT); Status of the Single Tax Registry (RUT) – National Directorate of Taxes and Customs (DIAN); Status of social security in health, status of pensions, occupational risks, family compensation fund, health – Single Registry of Affiliates (RUAF); International criminal record – Interpol).
Verification on restricted lists (verification of candidates on national and international lists of money laundering and terrorist financing (OFAC Records -“Clinton List”-, Politically Exposed Persons -PEP)
Credit profile verification in credit bureaus.
Verification of employment certificates (Verification of employment certificates, confirming the existence of companies, dates worked).
Employment reference checks (interviews with previous employers or direct supervisors, using standard questions or you can provide a customized list of questions). Personal references (interviews with people close to the candidate, using standard questions. The Client can provide a customized list of questions).
Home visit (Validates business information, the address of the individual, or the address of the legal entity to determine the existence of the address). Detailed information regarding each of the services provided through the FINUP Platform is described in its Terms and Conditions, which are available on the website. As a result of providing the services offered through the Platform, FINUP implements this Privacy and Data Protection Policy, which seeks to guarantee the protection and storage of databases containing personal or socially relevant information of clients under strict parameters of security, transparency, and confidentiality. 3. Application This Privacy and Data Protection Policy refers to and applies generally to FINUP clients, as well as to business partners, affiliated businesses, employees, collaborators, contractors, and any person whose personal data is or will be processed by the company. The purpose of this Privacy and Data Protection Policy is to guarantee the rights of data subjects, as well as to inform them of the mechanisms and procedures for exercising their rights, asking questions, filing complaints, and making claims. In general, this Privacy and Data Protection Policy seeks to develop and protect the constitutional right of all individuals to habeas data, in compliance with the provisions of Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other complementary provisions that form part of the general framework for the protection of personal data in Colombia. The information collected may also have the following purposes, applications, or objectives: (i) for its storage in FINUP databases; (ii) to establish, maintain, and provide feedback on the business relationship; (iii) to ensure the effectiveness and security of transactions carried out at FINUP; (iv) to ensure the protection and exercise of your rights, as well as those of FINUP and/or its contractors, to the extent possible in accordance with the processing carried out by FINUP. (v) to fully comply with the contracted services; (vi) to carry out activities necessary to manage inquiries and complaints submitted and direct them to the responsible area; (vii) to send information on commercial offers of FINUP services, as well as to develop marketing, statistical, research, commercialization, and/or other commercial service purposes that are provided or that may be provided or offered, provided that they do not contravene the legislation in Colombia; (viii) for the transmission of any information of a financial, commercial, credit or service nature; (ix) for the strengthening of commercial relationships by sending relevant information, taking orders, attending to requests, complaints and claims, as well as to carry out quality evaluations; (x) to verify balances, proceed to invoice and collect for contracted services; (xi) for the verification of compliance with legal and/or contractual obligations; (xii) to improve and promote the service provided by FINUP; (xiii) to attend to judicial or administrative requirements, and to comply with judicial or legal mandates; (xiv) to transmit personal data to third parties with whom contracts have been entered into for the purpose of carrying out and fulfilling the service offered through FINUP; (xv) to manage all the information necessary for compliance with tax obligations and commercial, corporate and accounting records; (xvi) to send information about new products or services, news and other information that FINUP deems appropriate; (xvii) to share personal data with service companies or outsourcing companies that contribute to facilitating operations through FINUP, including payment methods, insurance or payment management intermediaries; (xviii) for any request made by the Financial Superintendency in compliance with the circulars issued for the processing of personal data; (xix) to verify credit ratings with any other financial, commercial, civil, national or foreign entities or with national or foreign credit bureaus; (xx) to execute mandate activities in accordance with any contracts entered into by the data subject with FINUP; (xxi) to inform FINUP's contractors or employees for the purpose of carrying out activities related to the provision of educational services; (xxii) to inform third parties who control matters related to hosting, software, source code, and any other elements necessary for the development of the Platform; (xxiii) to analyze the behavior of data subjects who have acquired services provided by FINUP in order to provide better service or develop marketing campaigns based on the understanding of the data subjects on the Platform; (xxiv) to make telephone calls, send text messages to cell phones, send emails, or contact data subjects through the means and mechanisms provided on the Platform to offer acquired services or new FINUP services; (xxv) If necessary, to transmit or transfer the personal data of the data subjects, who expressly and previously accept that FINUP may carry out or execute such legal acts; (xxvi) to share the personal data of the data subjects with legal entities abroad, shareholders, legal representatives or any other persons who so require in the development and execution of the services that were contracted by the data subject and for the use of the Platform; (xxvii) to communicate with the data subjects in order to understand the user experience and receive complaints, opinions, claims, as well as to make calls aimed at resolving said experience on the education platform or any other platforms produced or created by FINUP; (xxviii) If necessary for the execution of its services, FINUP may transfer or transmit personal data to third parties located within or outside the Colombian territory, guaranteeing at all times compliance with the provisions established in Law 1581 of 2012 and the regulations that complement or modify it. To this end, FINUP will implement transmission and transfer agreements that ensure adequate levels of data protection, aligned with international standards and the applicable regulations in each destination jurisdiction. Likewise, all necessary measures will be taken to safeguard the confidentiality, integrity, and availability of the data subjects' personal information. In addition, FINUP will process the personal and financial data provided and collected from data subjects in order to verify and analyze their creditworthiness, assess financial risks, prevent fraud, and detect potential irregularities. This allows for informed decision-making in the provision of our services. Furthermore, this processing facilitates quick and secure access through our digital platforms and social media. This Policy will apply throughout the territory of the Republic of Colombia by FINUP, its employees, and, where applicable, by those third parties with whom the company agrees to carry out all or part of any activity related to the processing of personal data for which the company is responsible. Likewise, this policy will apply to third-party individuals or legal entities with whom the company enters into or establishes any contractual relationship, so that these individuals are aware of their obligations, purposes, and the security and confidentiality protocols they must adopt when processing data on behalf of the company. 4. Information Collected FINUP, in the course of its business activities and specifically for the provision of the verification services described and stored in its Terms and Conditions, requests various personal data from its clients, and in turn, these clients must request from their prospective employees, clients, or associated third parties, data necessary to properly carry out the contracted verification processes electronically. For this purpose, FINUP may request and process the following data in accordance with this Privacy and Personal Data Protection Policy, although this list is not exhaustive:
Full Name.
Date and place of birth.
Identity document number.
Copy of identity document.
Nationality.
Telephone number.
Email.
Home address.
Financial, banking and/or credit information.
Tax Identification Number.
Shareholding Composition.
Certificate of existence and
legal representation.
Single Taxpayer Registry.
Certificate of bank accounts of the natural or legal person.
Business, personal, or academic references.
Images, photographs, or any other graphic elements that may be useful for conducting a feasibility analysis for the provision of services. FINUP may request, in general, any information necessary for the provision of services acquired through the Platform. FINUP will not collect information that is not necessary for the provision of its services and will store it under international cybersecurity standards. In any case, FINUP may also collect and store information provided by third parties, provided that the owners of this information have previously and expressly accepted a Data Protection and Processing Policy that fully complies with legal requirements. Data Processing and Purpose: The data you provide may be subject to one or more of the following processing activities:
To process, complete, update, modify, cancel or print the services you have contracted through FINUP by any means: electronic, telephone or in person, including the verification of information sources and data contained in the lists listed in section 1 of this Data Protection Policy.
It is established that the collection of information regarding the debts of the Holders is carried out through an integrated system that incorporates the use of credit bureau platforms, CRM systems, websites, social networks, referrals, and cold calling strategies. This allows for obtaining accurate and up-to-date data for the verification and analysis of the credit situation of the interested parties. Simultaneously, customer access to services is primarily through our digital platforms and social networks, guaranteeing a fast, secure registration process in accordance with current data protection regulations in Colombia.
To generally fulfill the obligations contracted with the Platform's Clients.
If necessary for the provision of its services, FINUP may transfer or transmit personal data to third parties located within or outside of Colombia, guaranteeing at all times compliance with the provisions of Law 1581 of 2012 and any supplementary or amending regulations. To this end, FINUP will implement transmission and transfer agreements that ensure adequate levels of data protection, aligned with international standards and the applicable regulations in each destination jurisdiction. Furthermore, all necessary measures will be taken to safeguard the confidentiality, integrity, and availability of the data subjects' personal information.
For sending notifications via email regarding the Platform service:
Confirmation of contracted services, modifications, cancellations, balances and invitations to evaluate or give opinions on the contracted services and the service received from FINUP, its employees or representatives.
To receive phone calls to verify operations or transactions made via the internet, telephone or in person if FINUP or its representatives deem it necessary.
To receive telephone calls to request information or documents that allow establishing the identity of the client or the credit card holder if FINUP considers it necessary.
To receive technical, operational or commercial information from FINUP, advertising or promotional information about products and/or services, or promotions in order to promote, invite, direct, execute, inform and in general, carry out commercial or advertising campaigns or promotions.
To maintain and constantly update databases that generate statistics that allow us to improve the services our clients receive.
Sharing, including the transfer and transmission of personal data to third parties to achieve the purposes related to the operation and provision of services and products that are acquired with FINUP. The performance of any complementary or auxiliary activity necessary for the proper marketing of the aforementioned verification products and services.
Conduct internal studies on compliance with commercial relationships and market studies at all levels.
Respond to legal requirements from administrative and judicial entities. Provide and offer a range of products and services that FINUP can offer you.
To send you promotions, advertising, and discount coupons for our products, as well as those of companies with which we have a corporate relationship. For the transmission of any financial, commercial, credit, or service information for statistical, control, or supervisory purposes that must be processed, reported, stored, consulted, supplied, or updated with information centers or databases duly constituted for such purpose, as deemed appropriate, under the terms and for the time established by the database systems, regulations, and authorities.
For verification of debt information or the specific use of platforms such as: including but not limited to Hubspot, Auco and Powwi.
In general, FINUP will collect, use, manage, store, analyze, anonymize, index, segment, profile, summarize, process, transmit, transfer, verify, collect payments, and share information with credit bureaus, if necessary. Therefore, the personal data processed by FINUP will be used solely for the purposes outlined below or those accepted by the data subjects at the time of data collection. FINUP will have access to the information collected when you subscribe to our promotions, offers, or services program via email. FINUP may also access the information collected when it is transmitted or transferred, in accordance with the provisions of Chapter Five (5) of Decree 1377 of 2014. Promotional messages or notices are sent only to those who have agreed to subscribe, and you can unsubscribe at any time by clicking the link provided in each message we send. Our emails may also include offers from third parties who are our business partners. 5. Quality and transparency in the handling of personal data At FINUP, we are committed to providing truthful, complete, verifiable, transparent, secure, and confidential treatment to all the information you provide us. The processing of partial, incomplete, fragmented, or misleading data is prohibited. 6. Information Security

In light of the above, FINUP has implemented the necessary technical, human and administrative security measures within its scope to ensure confidentiality and to prevent the alteration, loss, consultation and unauthorized or fraudulent use or access of the data that has been collected and will be processed in accordance with this Privacy and Personal Data Protection Policy.

7. Authorizations

FINUP requires the free, prior, express, and informed consent of the data subject. Therefore, in its capacity as the Data Processor, it has implemented the necessary mechanisms to obtain authorization from data subjects, ensuring in all cases that it is possible to verify the granting of said authorization.

The information is stored in secure systems by Data Processors duly authorized by the Data Subject in accordance with this policy. Leads are managed through the HubSpot CRM, signatures are formalized through our partners at Auco, and documentation is stored in the Powwi digital wallet. These contractually bound Processors are obligated to comply with data protection policies and measures equivalent to those described herein, guaranteeing the integrity, confidentiality, and availability of the information at all times. The Processors and third parties may change in accordance with FINUP's internal and business structure. The Data Subject authorizes FINUP to transfer data to different Processors as needed, provided they maintain similar levels of data protection and comprehensive data management to that of the Data Controller.

FINUP will obtain authorization through different means, including electronic documents, physical documents, data messages, the Internet, websites, or any other format that in any case allows obtaining consent through unequivocal conduct through which it is concluded that if the same had not been carried out by the Data Subject or the person authorized to do so, the data would not have been stored or captured in the database.

Authorization will be requested prior to the processing of personal data of both individuals and clients. Consequently, clients, users, and other interested parties of the service offered by FINUP accept the processing of their personal data in accordance with the terms of this Privacy and Personal Data Protection Policy when they provide their personal data to FINUP through its electronic platform and, in general, through any means of communication, unless they expressly indicate otherwise in writing.

The Holders acknowledge that they are authorizing FINUP, as the data controller, to process the personal data of each of the holders, in accordance with the purposes described in this document.

8. Risk management in the processing of personal data

In compliance with Law 1581 of 2012 and Decree 1377 of 2013, as well as in observance of the principles of security, demonstrated responsibility and restricted access, FINUP reports the adoption of actions aimed at minimizing data security incidents in the risk management plan to identify, measure, control and monitor the risks associated with the processing of personal data.

Risk Management Plan

The risk management plan is structured through stages according to the collection and processing of data:

Identification Stage

It seeks to document the possible risks associated with the processing of personal data in the exercise of its purposes, considering the situations and internal technological, administrative and operational measures.

Actions:

Identifying databases, digital platforms, and physical documents where information is collected and stored.
Analysis of processes involving data processing such as collection, storage, transfer, and the exercise of rights of the data subjects.
Record of previous security incidents to identify patterns or weaknesses and areas for strengthening.

FINUP will be able to use risk matrices that include technological risk categories such as cyberattacks, unauthorized access, and human error.

Measurement Stage

During this stage, the probability of occurrence of the identified risks and their potential impact on the holders and the institution will be analyzed in percentage terms.

Actions:

Risk classification based on severity and probability of occurrence.
Estimation of the results in case of occurrence.

Specific Metrics:

Technological Incident Index: Number of unauthorized accesses or security breaches detected for temporary periods at the internal discretion of the responsible party.
Average Detection Time: Time that elapses from the start of an incident until its identification and resolution or until the implementation of damage mitigation strategies.
Potential Financial Impact: Calculation based on data recovery costs, legal penalties, and loss of trust from data subjects.

Control and strengthening phase

Preventive and corrective measures will be designed and implemented to mitigate the identified risks and strengthen treatment practices.

Actions:

Implementation of technological controls such as data encryption, multi-factor authentication (2FA), and continuous platform monitoring, according to the discretion of the Controller.
Development of operational manuals to regulate access to sensitive data and limit the number of people with administrative permissions.
Establishment of protocols for the secure handling of physical data, such as registration systems for access to files and documents.

Monitoring Stage

Its objective is to constantly monitor the effectiveness of the measures implemented and the evolution of the identified risks.

Actions:

Periodic internal and external audits to assess compliance with risk management policies.
Quarterly review of key metrics results to adjust control measures.
Implementation of an early warning system to identify potential threats in real time.

Specific Deadlines for Incident Notification

FINUP undertakes to notify any security incident that compromises personal data to the affected data subjects and to the Superintendency of Industry and Commerce within the timeframes established by applicable regulations:

Notification to the Superintendency of Industry and Commerce:

Maximum 15 business days from the moment the incident is identified, in accordance with the provisions of the SIC.

Report Contents:

Description of the incident and its scope.
Type of personal data compromised.
Number of affected account holders.
Cause of the accident.
Corrective actions implemented.

Mechanism: Submission through the official channels established by the SIC, such as the incident report form available on its platform.

Notification to Data Subjects:

Maximum 5 business days from the identification of the impact on personal data.

Notification Content:

Nature of the incident and its potential impact.
Type of data compromised.
Measures taken to mitigate the damage.
Tools available for account holders to protect themselves from the impact of the incident.

Mechanism: Email, SMS messages or phone calls, depending on the contact details provided by the owners.

9. Rights of the Holder

FINUP is committed to protecting the privacy of Platform users and guaranteeing their data protection rights so that they can access, update, rectify, and request the deletion of their personal data. Therefore, we inform users that, in accordance with Law 1581 of 2012 and Decree 1377 of 2013, they have the following rights: (i) To access, update, and rectify their personal data held by FINUP; (ii) To request proof of the authorization granted to FINUP in its capacity as Data Controller/Processor; (iii) To be informed by FINUP about the uses or processing of their personal data, upon request. (iv) To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and Decree 1377 of 2013, once the consultation or claim process before FINUP has been exhausted; (v) To revoke the authorization and/or request the deletion of the data, when the Processing does not respect the constitutional and legal principles, rights and guarantees; and (vi) To access their personal data that has been subject to Processing free of charge.

Data subjects may exercise their legal rights and carry out the procedures established in this Policy by presenting their national identity card or any other identification document. Minors may exercise their rights personally or through their parents or legal guardians, who must provide the relevant documentation to demonstrate their legal guardianship. Likewise, any authorized representative may exercise the data subject's rights by presenting the corresponding document.

10. Sensitive Data

In the course of its business activities, the company may collect and process Sensitive Data, such as, but not limited to: (i) Images, photographs or voice recordings; (ii) Data that may imply discrimination due to its processing, such as information relating to political, religious or philosophical affiliation.

Similarly, other sensitive data relating to health, gender, and any information whose processing could involve discrimination against the data subjects may be processed. In the latter case, the data subjects will be informed so that they can give their independent and free consent regarding the processing of such sensitive data, which is more delicate.

We will ensure that this data is processed with the highest security standards. Limited access to Sensitive Data is included within the framework of its privacy security; therefore, only authorized personnel will have access to this information.

FINUP will not process personal data as a controller or processor of minors, even if it has the consent of the adults in charge.

11. Procedures

Any procedure can be carried out via the following email address: info@finupcolombia.co and the address: Carrera 15 93 A 62, Office 601, Bogotá, Colombia. These entities are responsible for managing procedures related to the protection of personal data. In order for the data subject to access their personal information and exercise their rights to know, update, rectify, and request the deletion of the personal data processed, we present below the existing procedures applicable to the processing of their personal information:

Consultations

In accordance with Article 14 of Law 1581 of 2012, data subjects or their successors may consult the data subject's personal information held in any database. Consequently, FINUP has appropriate mechanisms in place to enable data subjects to exercise their right to access their information, providing them with all the information contained in their individual record or linked to their identification.

The right of consultation referred to, as well as the other rights whose procedure is explained below, may only be exercised by the owner of the information or his successors, after accreditation of his identity, or through electronic instruments that allow him to identify himself or his representative, after accreditation of the representation.

Consultation requests will be addressed within a maximum of ten (10) business days from the date of receipt. If it is not possible to address the consultation within this period, the interested party will be informed before the 10 days expire, stating the reasons for the delay and indicating the date on which their consultation will be addressed, which in no case may exceed five (5) business days following the expiration of the first period.

Complaints

In accordance with the provisions of Article 14 of Law 1581 of 2012, the Data Subject or their successors who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, may file a claim before, which will be processed under the following rules:

The claim must be submitted by the data subject or their representative, in accordance with Article 15 of Law 1581 of 2012, using the form(s) provided for this purpose by the Data Controller. If the claim received does not contain complete information to allow for its processing—that is, the data subject's identification, a description of the facts giving rise to the claim, the address, and any supporting documents—the interested party will be notified within five (5) days of receipt to correct the deficiencies. If the applicant fails to provide the required information within two (2) months of the notification date, the claim will be considered withdrawn.

If the person receiving the complaint is not competent to resolve it, they will forward it to the appropriate person within a maximum of two (2) business days and inform the interested party of the situation.

Once the complete claim is received, a note stating "claim in process" and the reason for the claim will be added to the FINUP database within no more than two (2) business days. This note will remain until the claim is resolved.

The maximum time to address the claim will be fifteen (15) business days, starting from the day after the date of receipt. If it is not possible to address it within this period, the interested party will be informed before the expiration of said period of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first period.

Suppression

The data subject has the right, at any time, to request FINUP to delete their personal data when they consider that it is not being processed in accordance with the principles, duties and obligations provided for in Law 1581 of 2012; It has ceased to be necessary or relevant for the purpose for which it was collected; or The period necessary for the fulfillment of the purposes for which it was collected has been exceeded.

This deletion involves the total or partial removal of personal information, as requested by the data subject, from the records, files, databases, or processing systems used by FINUP. However, the company may deny this request when the data subject has a legal or contractual obligation to remain in the database; when the deletion of data would hinder judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the enforcement of administrative sanctions; or when the data is necessary to protect the legally protected interests of the data subject; to carry out an action in the public interest; or to comply with a legally acquired obligation of the data subject.

Revocation of Authorization

Data subjects may withdraw their consent to the processing of their personal data at any time, provided that no legal provision prevents them from doing so. To this end, FINUP will establish simple and free mechanisms that allow data subjects to withdraw their consent.

There are two ways in which consent can be revoked. The first is for all the purposes for which consent was given, meaning that FINUP must completely cease processing the data subject's data. The second is for specific types of processing, such as for advertising or market research purposes. With the second option, that is, the partial revocation of consent, other processing purposes that the data controller, in accordance with the authorization granted, may carry out and with which the data subject agrees, remain unaffected.

Therefore, when submitting a request to FINUP to revoke consent, the data subject must indicate whether the revocation is total or partial. In the latter case, the data subject must specify which processing activity they object to.

There will be cases in which consent, due to its necessary nature in the relationship between data subjects and the controller for the fulfillment of a contract or by legal provision, cannot be revoked.

12. Data Transfers and Transmission

The Client and Users accept and understand that some of the personal data they provide upon accessing the platform will be transferred to affiliated, associated, or related companies to process and complete the contracted services. Similarly, FINUP receives personal data from its affiliates or associates. The purpose of the processing is always the same as, analogous to, or compatible with the purpose for which the personal data was initially collected, and to fulfill our obligations to clients in providing services that democratize access to financial services.

FINUP reserves the right to disclose personal information provided via telephone or online in the following cases:

At the request of state authorities, where necessary or appropriate to investigate unlawful or fraudulent acts.
To establish or defend FINUP's rights against fraud, legal claims, or in compliance with the law.
Prepare reports on the handling of information by the
Financial Superintendency.
For compliance with the requirements issued by the Financial Superintendency or the
Superintendence of Industry and Commerce.
In compliance with tax or administrative audits carried out by public law entities in fulfillment of legal duties.
As a result of data transmission or transfer contracts; for which the Holder authorizes its transmission or transfer to third parties who are considered as business partners, contractors or strategic contractors.
To verify the information provided by the Holder through digital, electronic or physical means with third parties who have the capacity to verify it.
To conduct a review of the information provided to
Credit bureaus, financial institutions or entities, credit institutions, public or private institutions that can verify, corroborate and store the data of the holders.
In order to analyze the financial viability of accessing the services provided by FINUP.
As a result of a request made by any State authority at the national, departmental, municipal or district level.
If FINUP deems it necessary to investigate or act upon reports of fraud or illegal activity on this site.
Procedure for exercising the rights to know, update, rectify and delete information and revoke authorization.

Law 1581 of 2012 establishes the rights that the Data Subject has the right to exercise at any time regarding their personal data, and these are: access to their personal data to know the details of its processing; updating of the same, rectification in case of being inaccurate, incorrect or outdated and cancellation or deletion when they consider that they are not required for any of the purposes indicated in this privacy policy, are being used for purposes not consented to or the contractual or service relationship has ended.

Additionally, Data Subjects have the right to be informed of any substantial changes made to this Privacy and Personal Data Protection Policy, including, but not limited to, changes in the identification of the Data Controller and the purpose of processing their personal data. Consequently, Data Subjects will receive a new request for authorization to process their information when FINUP makes changes to this Privacy Policy that modify the purpose of processing stipulated herein.

If you need access to the personal data you provided or wish to exercise any of the rights granted to you by law as a Data Subject or your representative, please contact info@finupcolombia.co and indicate:

Full name and telephone number or address.
Copy of an official photo ID or proof that you are the owner of the data you wish to access or the legal representative of the owner.
Specify what you want done with your personal data.
Other documentation that you intend to use.

If FINUP requires further information from the Data Subject to analyze the request, it will communicate this within five (5) days of receiving the request or complaint. If the applicant fails to provide the required information within two (2) months of the request date, it will be understood that they have withdrawn their claim.

13. Responsibility

FINUP will not be liable, civilly, commercially, criminally or under any other liability within the Colombian legal framework in accordance with the limits established in the applicable legislation.

In particular, FINUP is not responsible for the veracity of the data provided by the sources and users of the Platform.

Customer Responsibility

The Holder, being a client or interested party of FINUP, accepts that he is responsible to any authority regarding the databases in his possession, and will hold FINUP harmless against any claim issued by any authority regarding the databases in his possession.

For verifications regarding third parties, the Client expressly agrees and declares under oath that it has obtained authorization for the processing of personal data of its potential clients, employees, service providers or any Third Party whose data is submitted for verification in FINUP, including authorization for the transmission of said Third Party's data to companies outside its core business for the Verification process.

14. Changes and updates to this policy

FINUP reserves the right to modify or change this policy if necessary or due to regulatory changes. Changes take effect upon publication. By using this site and processing reservations with FINUP (by any means), you agree to this privacy policy. If you have any questions about this policy, please contact us, describing your situation in detail, and we will try to resolve it.

15. Validity of the Privacy and Personal Data Protection Policy.

This Privacy and Personal Data Protection Policy comes into effect on the day of its publication.

The information provided by the Data Subjects will be stored for a period of ten (10) years from the date of publication of this Privacy and Personal Data Protection Policy. This is to comply with applicable regulations regarding administrative, accounting, tax, and legal matters for the Data Controller and Processor.

Date of issue of the personal data protection policy: 14/02/2025

Date of last revision of the personal data protection policy: 14/02/2025

Notifications for FINUP: Physical address: Carrera 15 93 A 62 Office 601 Bogotá, Colombia Email: Carrera 15 93 A 62 Office 601 Mobile: 3219034002