Purpose of this Policy

The main purpose of this Policy is to inform the Data Controllers of their rights, the procedures and mechanisms provided by the Company to enforce the rights of the Data Controllers, and to inform them of the scope and purpose of the Processing to which the Personal Data will be submitted in case the Data Controller grants its express, prior and informed authorization.

2. Definitions

Expressions used in initial capital letters in this Policy shall have the meaning given to them herein, or the meaning given to them by applicable law or case law, as such law or case law may be amended from time to time.

a) “Authorization“means the prior, express and informed consent of the Data Subject to carry out the Processing of his or her Personal Data.

b) “Database“means the organized set of Personal Data that is the object of Processing;

c) “Personal Data” o “Personal Information“means any information linked or linkable to one or more specific or identifiable natural person(s).

d) “Public Data“means Personal Data that is not semi-private, private or sensitive. Data related to the marital status of individuals, their profession or trade and their status as merchants or public servants, among others, are considered public data. By their nature, public data may be contained, inter alia, in registers, databases, etc., and may be used by the public sector.

public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality.

e) “Sensitive Data“Data that affects the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life, and biometric data.

f) “Data Processor“is the natural or legal person, public or private, that by itself or in association with others, carries out the Processing of personal data on behalf of the Controller.

g) “Applicable Law“means any constitutional, legal, regulatory or any other regulation in the jurisdiction that is applicable to the protection of personal data and the fundamental right to Habeas Data, in force on the date on which this Policy comes into force or that comes into force subsequently, including Law 1581 of 2012 and Decree 1377 of 2013, and other provisions that modify, add to or complement them, including the jurisprudential precedents of the high courts that interpret the scope of the aforementioned regulations.

h) “Data Controller” o “Controller“is the natural or legal person, public or private, who by himself or in association with others, decides on the Data Base and/or the Processing of Personal Data.

i) “Holder“of the Personal Data is the natural person whose personal data is the object of Processing;

j) “Transmission“means the Processing of Personal Data that involves the communication of such Personal Data within or outside the territory of the Republic of Colombia when the purpose is the performance of a Processing by the Processor on behalf of the Controller.

k) “Transfer“The transfer of Personal Data takes place when the Responsible and/or Processor of Personal Data, located in Colombia, transfers the information or Personal Data to a recipient, which in turn is the Data Controller and is located inside or outside the country.

l) “Processing of Personal Data“is any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.

3. Personal Information Processed

Personal Information comprises any information relating to the personal or material circumstances of an identified or identifiable individual, directly or indirectly.

The Personal Information collected by the Company includes: first name, last name, gender, age, images, e-mail account, landline and/or cell phone number, address, city and department.

The Company also collects information that, by itself, does not directly identify or associate a specific individual. Some examples of this information are: occupation, strata of place of residence, hobbies, among other data that allow the Company to better understand the behavior of its customers so that it can improve its products, services and marketing and advertising campaigns.

4. Treatment and Purposes

Your Personal Data and other Personal Information will be collected, used, managed, transferred, transmitted and deleted for the following purposes:

a) Conduct audits, data analysis, and research to improve products, services, and communications with customers, employees, suppliers, shareholders, and other interested parties.

b) Create, develop, operate, deliver, and improve our products, services, content, and advertising.

c) Manage all the information necessary to comply with the Company’s legal, tax and commercial, corporate and accounting obligations.

d) Comply with the Company’s internal processes for managing suppliers and contractors.

e) To comply with the contracts for the sale of products or services entered into with customers and suppliers.

f) Sending information and advertising to customers, suppliers, employees and shareholders about websites, Google and Facebook campaigns, e-Mail marketing and digital publications.

g) Use personal images of the entity’s employees, its customers, attendees at events organized by C.A.T Group and third parties to carry out advertising and digital marketing campaigns.

h) To carry out the control and prevention of fraud and money laundering, including, but not limited to, consultation in restrictive lists, and all the necessary information required for SARLAFT.

i) The process of filing, updating of systems, protection and custody of the Company’s information and databases.

j) Processes within the Company, for development or operational and/or systems management purposes.

k) The transmission of Personal Data to third parties with whom agreements have been entered into for this purpose, for commercial, administrative, marketing and/or operational purposes, including, but not limited to, the issuance of cards, personalized certificates and certifications to third parties, in accordance with the legal provisions in force.

l) Transfer to commercial allies of the Company or third parties with whom contracts have been entered into for this purpose, some of your personal data such as full name with surnames, ID number, landline and/or cell phone number, data relating to your consumption habits, e-mail and age.

m) In the event of a merger, acquisition or sale of the Company, we may transfer some or all of the personal information we have in our databases to the relevant third party in any of the aforementioned transactions.

n) Maintain and process by computer or other means known or to be known, any type of information received from the client in order to provide the pertinent services and products.

o) Use of images.

p) Monitor by means of video surveillance systems, for security-related purposes, the activities carried out at points of sale owned or managed by the Company.

q) Monitor and use the images captured through video surveillance systems in order to control and supervise the development and performance of work activities in the work space or workstation of the Company’s employees.

r) Interview and select candidates for different job positions. s) Control logical (access to company networks, files, applications) and physical access to the Company’s offices and points of sale.

The Personal Information contained in our Databases is collected through our personal information collection forms in customer service, marketing and advertising events, personal request, telephone call or through our web pages or social networks. We will always request the express and informed authorization of the owner for the processing of their personal data. The information collected is stored physically in the collection formats used and in electronic files where the information is condensed.

5. Recordings and photographs of personal images

The Company, as part of its digital marketing and advertising strategy, carries out campaigns in which it publishes images, references, articles or communications from the Company’s employees, its customers or attendees at events organized by C.A.T Group. This personal data will not be used or shared with third parties for commercial purposes or activities other than to publicize the activities and services of the Company, and other purposes contained in this Policy. The Company undertakes to carefully review the Personal Information that will be published in order to safeguard the dignity, privacy or good name of the persons who may appear in its marketing and advertising campaigns.

The transfer of rights to images, photographs or videos taken and/or filmed within the scope of the work and/or professional relationship with the Company, and in general other personal data shared through any means of dissemination and communication, do not imply any right to receive compensation or recognition of any kind, since the authorization and transfer of rights are made free of charge.

The delivery of information by the Holders in any form, does not transfer to the entity the intellectual property or moral rights over it. The intellectual property rights shall remain with the Holder.

6. Personal Data of Minors

The Company does not process Personal Data of minors. However, if applicable, the Processing of Personal Data of minors or adolescents by The Company will always be carried out respecting the following requirements:

1. Always respond to and respect the best interests of children and adolescents. 2. Always ensure respect for their fundamental rights.

3. That, as far as possible, such Processing is carried out taking into account the opinion of the child Data Subjects considering the following factors:

a. Maturity

b. Autonomy

c. Ability to understand the purpose of such Treatment

d. Explaining the consequences of Treatment

7. Protection of Personal Information

The security of your Personal Information is very important to the Company. To do so, we use appropriate tools that allow us to treat it in accordance with the purposes stated in this Policy and to keep it securely.

8. Rights of the Data Subject

In accordance with Law 1581 of 2012Personal Data Holders have the following rights:

a) To know, update and rectify their personal data before the Company or those in charge of their processing. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.

b) Request proof of the Authorization granted to the Company, unless the Applicable Law indicates that such Authorization is not necessary.

c) Submit requests to the Company or the Data Processor regarding the use that has been made of their Personal Data, and that they provide such information. d) File complaints before the Superintendence of Industry and Commerce for violations to the Applicable Law.

e) Revoke your Authorization and/or request the deletion of your Personal Data from the Company’s databases, when the Superintendence of Industry and Commerce has determined by means of a final administrative act that, in the Processing, the Company or the Data Processor has incurred in conduct contrary to the Applicable Law or when there is no legal or contractual obligation to maintain the Personal Data in the database of the Controller.

f) Request access and access free of charge to their Personal Data that have been subject to Processing in accordance with article 21 of Decree 1377 of 2013. article 21 of Decree 1377 of 2013. g) To know the modifications to the terms of this Policy prior and effi ciently to the implementation of the new modifications or, failing that, of the new information treatment policy.

h) To have easy access to the text of this Policy and its modifications.

i) To have easy and simple access to the Personal Data under the control of the Company in order to effectively exercise the rights granted to the Data Controllers by the Applicable Law.

j) To know the office or person authorized by the Company to whom he/she may submit complaints, queries, claims and any other request regarding his/her Personal Data.

9. Designated Privacy Area for the Protection of Personal Data

The Company has designated the Operations and Operations and Logistics C.A.T for the reception and attention of requests, complaints, claims and queries of any kind related to Personal Data. The Personal Data Protection Officer will handle queries and complaints regarding Personal Data in accordance with Applicable Law and this Policy.

Some of the particular functions of this area in relation to Personal Data are:

a) Receive the requests from the Personal Data Owners, process and answer those based on the Applicable Law or these Policies, such as: requests to update Personal Data; requests to know the Personal Data; requests to delete Personal Data in accordance with the provisions of the Applicable Law, requests for information on the use given to their Personal Data, requests to update Personal Data, requests for proof of the Authorization granted, when it has been granted in accordance with the Applicable Law.

b) To provide answers to the Personal Data Owners on those requests that do not proceed in accordance with the Applicable Law. Customer Service contact information is as follows:

– AddressSantiago de Cali, Valle del Cauca, Colombia

– Physical addressAvenida 7N # 28N-17, in Santiago de Cali, Cali.

– E-mail address: aespinosa@catgrouponline.co

– Phone: (+57 2) 553 27 05

– Position of the contact personPersonal Data Protection Officer

10. Procedures for exercising the rights of the Personal Data Subjects.

For inquiries

a) The Company shall provide mechanisms so that the Data Subject, his/her successors in title, his/her representatives and/or attorneys-in-fact, those who have been stipulated in favor of or for another, and/or the representatives of minors, may make inquiries regarding the Personal Data of the Data Subject that is stored in the Company’s Databases.

b) These mechanisms may be physical (as a counter procedure), electronic (through the mail) or electronic (through the mail). protecciondedatos@catgrouponline.co) or by telephone (call (+57 2) 553 27 05).

c) Whatever the means, the Company shall keep proof of the consultation and its resolution.

d) If the applicant has the capacity to formulate the consultation, in accordance with the criteria for accreditation established in the Law 1581 of 2012 and the Decree 1377 of 2013The Company will collect all information about the Registrant that is contained in that person’s individual record or that is linked to the identification of the Registrant, and the Company will collect all information about the Registrant that is contained in that person’s individual record or that is linked to the identification of the Registrant.

The Company’s database and will make it known to the requesting party. e) The officer in charge of answering the query will respond to the applicant as long as he/she has the right to do so because he/she is the Data Subject, his/her successor, assignee, proxy, representative, has been stipulated by or for another, or is the legal responsible in the case of minors. This response will be sent within ten (10) business days from the date the request is received by the Company.

f) If the request cannot be processed within ten (10) working days, the applicant will be contacted to inform him/her of the reasons why the status of his/her request is being processed. For this purpose, the same or a similar means to the one used by the Data Subject to communicate his or her request will be used.

g) The final response to all requests shall not take more than fifteen (15) working days from the date on which the initial request was received by the Company.

For claims

a) The Company has mechanisms available for the Data Subject, their assignees, representatives and/or attorneys-in-fact, those who stipulated by or for another, and/or the representatives of minors, to make claims regarding (i) Personal Data Processed by the Company that must be corrected, updated, updated, updated, updated, updated, updated, corrected, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated, updated or deletion, or (ii) the alleged breach of the Company’s duties under Applicable Law.

b) These mechanisms may be physical (as a counter procedure), electronic (through the mail protecciondedatos@catgrouponline.co) or by telephone (call (+57 2) 553 27 05).

c) The claim must be filed by the Data Subject, his or her successors in title or representatives or accredited in accordance with Law 1581 y Decree 1377as follows:

– You should contact the Company electronically at the following e-mail address protecciondedatos@catgrouponline.cophysically at the address Avenida 7N # 28N-17; or by telephone at the service line (+57 2) 553 27 05.

– It must contain the name and identification document of the Holder. – It must contain a description of the facts that give rise to the claim and the objective pursued (update, correction or deletion, or fulfillment of duties).

– The address and contact and identification data of the claimant must be provided. – It must be accompanied by all the documentation that the claimant wishes to assert.

d) The Company, before attending to the claim, shall verify the identity of the Personal Data Subject, his/her representative and/or proxy, or the accreditation that there was an estimate by or for another. For this purpose, it may require the original identification document of the Holder, and the special or general powers of attorney or documents that may be required, as the case may be.

e) If the claim or the additional documentation is incomplete, the Company shall require the claimant, one time only, within five (5) days after receipt of the claim, to correct the deficiencies. If the claimant does not submit the required documentation and information within two (2) months from the date of the initial claim, it will be understood that the claim has been withdrawn.

f) If for any reason the person who receives the claim within the Company is not competent to resolve it, he/she shall refer it to the Compliance Officer within two (2) business days after receiving the claim, and shall inform the claimant of such referral.

g) Once the claim with the complete documentation is received, a legend will be included in the Company’s Data Base where the Data Subject to claim is stored, stating “claim in process” and the reason for the claim, within a term no longer than two (2) business days. This legend should be maintained until the claim is decided.

h) The maximum term to address the claim shall be fifteen (15) business days from the day following the date of its receipt. When it is not possible to meet the Within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

Both for consultations or claims, the Holders may exercise their rights of Applicable Law and carry out the procedures established in this Policy, by presenting their citizenship card or identification document in original or copy. Minors may exercise their rights personally, or through their parents or adults with parental authority, who must prove it by means of the appropriate documentation.nent. Likewise, the rights of the Holder may be exercised by the assignees who can prove such quality, the representative and/or attorney-in-fact of the holder with the corresponding accreditation and those who have made a stipulation in favor of another or for another.

11. Validity

This Policy is effective as of June 4, 2013. This Policy may be amended at any time by the Company. For this purpose, it shall give notice published on its Web page and shall keep it published for a term of ten (10) calendar days. Once this term has expired, it is understood that those who do not request the deletion of their Personal Data from the Company’s Databases, know, accept and accept the new ITP and the corresponding modifications.

Personal Data that is stored, used or transmitted will remain in our Database, based on the criteria of temporality and necessity, for as long as it is reasonably required for the purposes mentioned in this Policy and for which it was collected. In general, the information in our databases remains confidential.The information will continue to be processed for as long as a legal or contractual relationship with the Data Subject is maintained. In any case, the information will not be processed for a period exceeding twenty (20) years from its collection in accordance with the legal or contractual circumstances that make it necessary to handle the information, without prejudice to the need to comply with any legal obligation.

12. Company Roles in Treatment

C.A.T GROUP S.A.S., identified with NIT 900442190 – 2, domiciled in Santiago de Cali, at Avenida 4N # 6-67, cellular (+57) 315 3493135, and email address ctoro@catgrouponline.co, assumes the roles of Responsible and Responsible for the Processing of Personal Data, as well as the duties imposed by the regulations in force for these roles within the aforementioned Processing.

End of PTI

ctoro@catgrouponline.co