Subscribe to our Newsletter, Funtrition® News!

PERSONAL DATA PROTECTION AND PROCESSING POLICY

  Code: POL-0004-FTN | Versión: 01

FUNTRITION SAS
NIT 901.415.267-1
Av Boyacá # 20 – 92
Telephone 6583900
hello@funtrition.com
Bogotá DC – Colombia.

The purpose of this “Personal Data Protection and Processing Policy” (hereinafter “The Policy”) is to establish the rules on the protection of Personal Data that will be adopted and accepted by the company FUNTRITION SAS (hereinafter “FUNTRITION”), when Responsible and/or in charge of the Processing of Personal Data.
 
The purpose of this Policy is to compile the principles and rules that regulate the processing of personal data with respect to all the Holders who relate to FUNTRITION to guarantee regulatory compliance in all operations and activities.
 
In compliance with the provisions of Decree 255 of 2022 (Binding Corporate Rules), the provisions established in this Policy are mandatory for FUNTRITION, acting as a Controller and/or as a Data Processor as appropriate, as well as by its shareholders, collaborators, and stakeholders.
 
This Policy includes mechanisms to ensure that the data is:

  • Treated in a lawful, fair and transparent manner in relation to the holder of the personal data.

  • Collected for specific, explicit and legitimate purposes, and are not subsequently processed in an incompatible manner with such purposes.

  • Adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed.

  • Accurate and kept up to date; taking all reasonable measures to ensure that inaccurate personal data is deleted or rectified without delay.

  • Preserved in a way that allows the holder to be identified, for a period no longer than is necessary according to the purpose.

  • Treated under the control of the Data Controller, who, for each processing operation, guarantees and demonstrates compliance.

 
This Policy is issued as part of the efforts to adopt measures of demonstrated responsibility (Accountability) to verify that useful, timely, relevant and efficient measures have been implemented in FUNTRITION.
 
This Policy is binding on the controlling company of FUNTRITION with which it has signed an Agreement for the Provision of Back Office services (hereinafter, the “Service Agreement”) in which it expresses its acceptance.
 
FUNTRITION 's collaborators, who have been informed of its existence, indicating that it is a Policy with mandatory compliance and establishing that, in accordance with the applicable legislation and the employment contracts signed with each of these, the corresponding disciplinary regime is applicable in case of non-compliance with them.
 
Transfers of personal data are carried out between FUNTRITION and its controlling company, within the framework of the Service Agreement, during the normal course of its activities; and such data can be stored in centralized databases accessible by both companies from any part of the world where they have a presence.
 
This Policy is not a Contract, it simply indicates our desire to protect your private personal information.
 
In compliance with the provisions of Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, the company FUNTRITION SAS (hereinafter “FUNTRITION”) informs the Policy for the Protection and Treatment of Personal Data.
 

  1. LOCATION
    This document is located digitally on the Intranet and on the company's website.

  2. AIM
    Establish the criteria for the collection, consultation, storage, ordering, classification, cataloging, analysis, processing, use, circulation and deletion of personal data that is subject to processing by FUNTRITION, either as a Controller and/or a Data Processor). Either as a Controller or a Data Processor in compliance with the current legal regime contained in Statutory Law 1581 of 2012 and other corresponding regulations.

  3. SCOPE
    FUNTRITION 's databases, whether as "Responsible" and/or "Processor" and in relation to all activities carried out in execution of its corporate purpose and in relation to all stakeholders with which it relates.

  4. RESPONSIBILITY
    It is aimed at direct and indirect collaborators, contractors, consultants, suppliers and third parties related to FUNTRITION.

  5. IDENTIFICATION OF THE COMPANY RESPONSIBLE FOR THE TREATMENT
    This Policy applies in relation to the company FUNTRITION SAS, a private company identified with NIT No. 901.415.267-1, commercial registration No. 02619945 of September 28, 2020, with main address at Av Boyacá # 20–92 the city of Bogotá DC (Colombia), telephone 6583900, hello@funtrition.com  

  6. SERVICE CHANNELS
    FUNTRITION     company database. Through the following service channels:

    City

    Address

    Email

    Bogotá DC (Colombia)

    Av. Boyacá # 20 - 92

    habeasdata@funtrition.com

  7. LEGAL BASIS

    1. Political Constitution of Colombia, article 15.

    2. Law 1266 of 2008.

    3. Regulatory Decrees 1727 of 2009 and 2952 of 2010.

    4. Law 1581 of 2012.

    5. Partial Regulatory Decree 1377 of 2013.

    6. Decree 886 of 2014.

    7. Sole Decree 1074 of 2015.

    8. Decree 255 of 2022.

    9. Law 2300 of 2023.

    10. All other consistent regulations related to the protection of personal data in Colombia.

  8. DEFINITIONS
    For the purposes of interpretation, application and implementation of this Policy, the following definitions will apply:

    1. AUTHORIZATION: Prior, express and informed consent of the holder to carry out the processing of personal data.

    2. PRIVACY NOTICE: Verbal or written communication generated by the person responsible for the information addressed to the holder for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, the form to access them and the purposes of the treatment that is intended to be given to personal data.

    3. SERVICE AGREEMENT: It is the Contract signed between FUNTRITION SAS and its controlling parent company registered in its certificate of existence and legal representation, through which the second provides Back Office or comprehensive administrative support services to the first.

    4. DATABASE: Organized set of personal data that is subject to processing.

    5. CHANNELS TO EXERCISE RIGHTS: It refers to the means of receiving and responding to requests, queries and claims that the Data Controller and the Data Processor must make available to the Holders of the information.

    6. PERSONAL DATA: Any piece of information linked to one or more specific or determined people or that can be associated with a natural person.

    7. PUBLIC DATA: It refers to data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to people’s marital status, their profession or trade, and their status as a trader or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and journals, and duly executed judicial rulings that are not subject to confidentiality.

    8. SENSITIVE DATA: Sensitive data is understood to be data that affects the holder’s privacy or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human right organizations or that promote the interests of any political party or that guarantee the rights and warranties of opposition political parties, as well as data related to health, sexual life, and biometric data.

    9. DATA PROCESSOR: Natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller.

    10. HABEAS DATA: Right of any person to know, update and rectify the information that has been collected about

    11. BINDING CORPORATE RULES: These are the policies, principles of good governance or codes of good business practices with mandatory compliance assumed by the data controller, established in the Colombian territory, to carry out transfers or a set of transfers of personal data to a controller that is located outside the Colombian territory and that is part of the same business group.

    12. PERSONAL DATA PROTECTION AND PROCESSING POLICY: The formal document approved by FUNTRITION that reflects the conditions applicable to any processing operation regarding Personal Data

    13. DATA CONTROLLER: Natural or legal person, public or private, who, by themselves or in association with others, decides on the database and/or processing of the data.

    14. HOLDER: Natural person whose personal data is processed.

    15. PROCESSING: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

    16. TRANSFER: The transfer of data takes place when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is located inside or outside the country.

    17. TRANSMISSION: Processing of personal data that involves the communication thereof within or outside the territory of the Republic of Colombia when its purpose is to carry out processing by the person in charge on behalf of the person responsible.

  9. BEGINNING
    In the development, interpretation and application of Law 1581 of 2012, which establishes general provisions for the protection of personal data and the regulations that complement, modify or add to it, the following guiding principles will be applied in a harmonious and comprehensive manner:

    1. PRINCIPLE OF LEGALITY: Data processing is a regulated activity that must be subject to what is established in the law and the other provisions that develop it.

    2. PRINCIPLE OF PURPOSE: The treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the holder. Regarding the collection of personal data, FUNTRITION It will be limited to those data that are relevant and appropriate for the purpose for which they were collected or required in accordance with the internal procedural manual for the management of information and databases.

    3. PRINCIPLE OF FREEDOM: Treatment can only be carried out with the prior, express, and informed consent of the holder. Personal data may only be obtained or disclosed with prior authorization, or with the existence of a legal or judicial mandate that relieves consent.

    4. PRINCIPLE OF VERACITY OR QUALITY: The information subject to treatment must be true, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited.

    5. PRINCIPLE OF TRANSPARENCY: in the treatment, the holder's right to obtain from the data controller or the data processor, at any time and without restrictions, information about the existence of data concerning him or her must be guaranteed.

    6. PRINCIPLE OF ACCESS AND RESTRICTED CIRCULATION: The treatment is subject to the limits that derive from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the treatment can only be carried out by people authorized by the holder and/or by the people provided for by law. Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide knowledge restricted only to the holders or third parties authorized in accordance with the law.

    7. SECURITY PRINCIPLE: The information subject to treatment by FUNTRITION must be handled with the technical, humane and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.

    8. PRINCIPLE OF CONFIDENTIALITY: FUNTRITION is obliged to guarantee the confidentiality of the information, even after its relationship with any of the tasks included in the treatment has ended and may only supply or communicate personal data when this corresponds to the development of activities authorized by law.

  10. RIGHTS THAT ASSIST THE HOLDER OF THE INFORMATION.
    The holder of the personal data will have the following rights:

    1. Know, update and rectify your personal data against FUNTRITION in its capacity as data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized.

    2. Request proof of authorization granted to FUNTRITION except when expressly excepted as a requirement for treatment.

    3. Be informed by FUNTRITION, upon request, regarding the use that has been given to your personal data.

    4. Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it.

    5. Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees.

    6. Access free of charge to your personal data that has been processed.

  11. RIGHTS OF BOYS, GIRLS AND ADOLESCENTS.
    In the Treatment, respect for the prevailing rights of children and adolescents will be ensured. The Processing of personal data of children and adolescents is prohibited, except for data that is public in nature.

  12. FUNTRITION DUTIES.

    1. Make use of the information contained in the databases only for the purpose for which it is authorized.

    2. Guarantee the holder, at all times, the full and effective exercise of the right of Habeas Data.

    3. When personal data is collected, it must be limited to that which is relevant and appropriate for the purpose for which it is required in accordance with the provisions of the law. To do so, no deceptive or fraudulent means will be used.

    4. Maintain the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

    5. Timely update, rectify or delete the data in the terms indicated by this policy in the Procedure-Claim section.

    6. Enable electronic means of communication or others that it deems pertinent that allow to attend in a timely manner the queries and claims presented by the holders of the information.

    7. The requested information must be provided free of charge and by any means, as required by the holder. The information must be easy to read, without technical barriers that prevent access, and must strictly correspond to that stored in the database.

    8. In the event that the certification of the authorized information is physically requested and/or it needs to be sent by certified mail, the company FUNTRITION may require the applicant to pay the corresponding amount in expenses, without at any time being able to charge more than what is actually invoiced; in the event of being required, the company FUNTRITION must demonstrate to the Superintendence of Industry and Commerce the support of such expenses.

    9. Adopt the other necessary measures so that the information provided to it remains up to date.

    10. Rectify information when it is incorrect.

    11. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

    12. Refrain from circulating information that is being controversial by the holder and whose blocking has been ordered by the Superintendency of Industry and Commerce.

    13. Allow access to information only to people who can have access to it.

    14. Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the administration of the holders' information.

    15. Establish the necessary mechanisms to obtain the authorization of the holders of the processing of their data, which may be granted through a physical document, electronic document or in any other format that guarantees subsequent consultation.

    16. Keep proof of authorization and deliver a copy to the holder of the information if required.

    17. Establish simple and free mechanisms that allow the holder to request the report, modification, deletion or updating of the data, which can be the same mechanisms used for the granting of consent without prejudice to the expenses that may be presented on the issuance and the sending of it.

    18. The information subject to processing must be protected through the use of technical, human and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. To this end, FUNTRITION will maintain mandatory security protocols for personnel with access to personal data and information systems.

    19. FUNTRITION staff that intervenes in the processing of personal data is obliged to guarantee the confidentiality of the information, even after the end of its relationship with any of the tasks that the processing includes in accordance with the provisions of the employment contract and/or other provisions subject to the relationship between the Collaborator and the company.

    20. Designate a “Personal Data Protection Officer” who assumes the function of protecting personal data and who will also ensure that, through the customer service channels, the holders' requests are processed.

    21. In principle, the processing of personal data of children and adolescents is prohibited by law, unless it is data of a public nature and/or when such processing meets the parameters and requirements established in this Policy.

    22. Use personal data in accordance with the authorization given by the holder and will only transmit or transfer it to allies, affiliates or subsidiaries, third parties that may use the information to carry out their work acting on behalf of FUNTRITION. and/or complying with the requirements of the authorities, adhering to the laws that apply on the matter and respecting the Service Agreements in force with third parties.

    23. Collect, store, use or circulate personal data for as long as is reasonable and necessary, in accordance with the purposes that justified its processing, considering the legal provisions and administrative, accounting, fiscal, legal and historical aspects of the information. Once the purpose of the treatment has been fulfilled and without prejudice to legal regulations that provide otherwise, FUNTRITION must delete personal data. Notwithstanding the above, personal data must be preserved when required to comply with a legal or contractual obligation.

    24. Prove the existence of the “Personal Data Protection and Processing Policy” and the way to access it, which will be published on the company's website, on social networks and at the main headquarters.

    25. Comply with the following parameters, for the collection, use and processing of personal data, FUNTRITION:

      1. The processing of the personal data collected must obey a legitimate purpose of which the holder must be informed.

      2. The processing of personal data can only be carried out with the prior, express and informed consent of the holder.

      3. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that requires consent.

      4. The information subject to processing must be true, complete, accurate, up-to-date, verifiable and understandable.

      5. The processing of partial, incomplete, fragmented or misleading data is prohibited.

      6. Guarantee the right of the holder to obtain, at any time and without restrictions, information about the existence of data that concerns him or her.

    26. Request again from the holder of the information, authorization for data processing, in the event of a substantial modification to this “Personal Data Protection and Processing Policy”.

  13. AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA
    Without prejudice to the exceptions provided for in the Law, the processing of the holder's personal data requires the prior and informed authorization of the Holder, which must be obtained by any means that can be subject to subsequent consultation.
     
    The authorization must contain the following information:

    1. Name and identification of the person from whom authorization is being requested.

    2. Identification of the data being collected.

    3. Purpose of the data subject to authorization.

    4. Information on the procedure to exercise rights to access, correct, update or delete the personal data provided.

    5. The rights that assist you as the holder.

    6. Service channels provided by FUNTRITION.

      City

      Address

      Email

      Bogotá DC (Colombia)

      Av. Boyacá # 20 - 92

      Habeasdata@funtrition.com

  14. EVENTS IN WHICH THE AUTHORIZATION OF THE HOLDER OF THE PERSONAL DATA IS NOT NECESSARY.
    The authorization of the holder of the information will not be necessary in the following cases:

    1. Information required by a public or administrative entity in the exercise of its legal functions or by court order.

    2. Public data.

    3. Medical or health emergency cases.

    4. Processing of information authorized by law for historical, statistical or scientific purposes. Data related to people’s Civil Registry.

  15. LEGITIMATION FOR THE EXERCISE OF THE HOLDER'S RIGHT
    The rights of the holders established in the Law may be exercised by the following people:

    1. By the holder, who must sufficiently prove his or her identity.

    2. By the holder’s assignees, who must prove such quality.

    3. By the representative and/or attorney-in-fact of the holder, prior accreditation of the representation or power of attorney.

    4. By stipulation in favor of another or for another. The rights of children and adolescents will be exercised by the people who are empowered to represent them.

  16. TREATMENT TO WHICH THE DATA WILL BE SUBMITTED AND THE PURPOSE THEREOF.
    The processing of personal data of all the holders who relate to FUNTRITION for the purposes of fulfilling its corporate purpose, including clients, suppliers and consumers, will be framed in the legal order and in accordance with the following purposes in general terms or those that are reported at every moment in which personal data collection operations are carried out:

    1. Internal management and commercial relationship management of its interest groups, clients, distributors and suppliers of the different business segments.

    2. Sending communications, correspondence, text messages, instant messaging systems, emails or telephone contact with its clients, distributors and consumers in relation to its commercial, advertising, marketing, promotional, sales and other related activities.

    3. Personnel selection processes, management of contractual relationships, labor relations and guaranteeing compliance with the obligations derived from it, granting benefits to its collaborators by itself or through third parties.

    4. Analysis of potential with essentially commercial purposes, whether of suppliers, distributors and/or clients.

    5. Manage procedures (requests, complaints, claims), carry out risk analysis, carry out satisfaction surveys regarding the company's goods and services.

    6. nvestigation of events emanating from manufactured and/or marketed products.

    7. Monitor the people who consume and/or acquire the products manufactured and/or marketed by the company.

    8. Deploy corporate social responsibility activities towards stakeholders.

    9. Manage the security of people, property and information assets in the custody of the organization.

    10. Create databases for the purposes described in this authorization.
       
      Specifically in relation to each interest group, FUNTRITION may have the following purposes:

      1. Purposes regarding Clients or Users of the Products or services:

        1. Carry out the pertinent steps for the development of the pre-contractual, contractual and post-contractual stage with FUNTRITION, with respect to any of the products or services offered by FUNTRITION, which the Holder has or has not acquired or with respect to any underlying business relationship it has with it.

        2. Register the Holder in the systems, forms, lists, files, physical or electronic, managed by FUNTRITION, for the purposes of the execution of the commercial legal relationship established with FUNTRITION.

        3. Advance the electronic billing procedures for the products or services acquired by the Holder.

        4. Maintain operations support, incident monitoring and compliance with contractual and legal obligations.

        5. Comply with your legal and contractual obligations.

        6. Send messages, notifications or alerts through any means to send and disseminate legal, security information, promotions, commercial, advertising, marketing, institutional or educational campaigns, sweepstakes, events or other benefits.

        7. Send electronic messages or make telephone contacts, or through any means, to advance the confirmation of personal data of the Holder necessary for the execution of the legal relationship that has been established with FUNTRITION.

        8. Contact the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any means known or unknown to send contractual, informative documents, account statements or invoices in relation to the obligations derived from the contracts entered into with FUNTRITION, in its different commercial establishments.

        9. Provide information to third parties with whom you have a contractual relationship, and it is necessary to deliver it to them for the fulfillment of the contracted object.

        10. FUNTRITION 's filing and document management tasks, in accordance with current legal provisions.

        11. For administrative and analytical purposes, such as information systems management, accounting, billing and auditing, marketing, check processing and verification.

        12. Share information with commercial allies to offer products and services, complying with all authorizations required by law and this Policy.

        13. FUNTRITION products, invite to events or programs organized by the company.

        14. Consult, verify and confirm credit and commercial information of the Holder, in Risk and/or Information Centers or any other public or private, national, foreign or multilateral entity that administers or manages databases or credit information, or any other financial entity in Colombia, or abroad or of a multilateral nature, all the information that refers to the Holder, about its credit, financial, commercial, services and third countries behavior of the same nature, for the purposes of evaluating and granting financing for the assets or products purchased with FUNTRITION, as long as you have the corresponding authorization.

        15. To make reports to the risk and information centers, all the conditions and procedures established in current laws will be met and especially in relation to Law 1266 of 2008 and related regulations.

        16. Manage the risk of Money Laundering and Terrorist Financing and Corruption and Bribery.

      2. Purposes regarding Job Candidates:

        1. Process the employment applications that FUNTRITION receives from the candidates, process them and define them within the stipulated time, according to the selection process or the call.

        2. Contact the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any means known or unknown in relation to the selection process or the call.

        3. Evaluate the worker's work capacity, to establish their suitability for future employment and/or to comply with the requirements of occupational preventive medicine.

        4. FUNTRITION 's filing and document management tasks, in accordance with the current legal provisions.

        5. Manage the risk of Money Laundering and Terrorist Financing and Corruption and Bribery.

      3. Purposes regarding workers (collaborators):

        1. To manage compliance with the terms established in the employment relationship such as: affiliation and contributions to social security entities, creation of an employment contract, generation and processing of payroll payments and labor benefits.

        2. Comply with regulations on labor matters, social security, pensions, professional risks, family compensation funds (Comprehensive Social Security System) and taxes.

        3. Comply with the instructions of the competent judicial and administrative authorities.

        4. Implement labor and organizational policies and strategies.

        5. Include the Holder employed in the development of the different training, development, well-being, occupational health and safety programs and activities that FUNTRITION establishes for its Collaborators and beneficiaries.

        6. Carry out preventive or occupational medicine procedures, in conjunction with the occupational risk administrator.

        7. Contact the workers to instruct them on tasks regarding their assigned job functions.

        8. FUNTRITION 's filing and document management tasks, in accordance with the current legal provisions.

        9. Create ID badges and/or identification mechanisms for the employed Holder, with their biometric data, so that they can carry it and identify themselves as a FUNTRITION employee. This purpose is necessary in accordance with FUNTRITION 's security policy and will be handled as sensitive information with express authorization.

        10. FUNTRITION facilities, using biometric data, to facilitate access and circulation in FUNTRITION 's physical facilities. This purpose is necessary in accordance with FUNTRITION 's security policy and the sensitive information that is processed will be managed in accordance with current law and this Policy.

        11. Contact the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any means known or unknown to send contractual, informative documents or invoices in relation to the obligations derived from the contracts entered into with FUNTRITION.

        12. Share information with commercial allies to offer products and services, complying with all authorizations required by law and this Policy.

        13. FUNTRITION products, invite events or programs organized by the company.

        14. For administrative and analytical purposes, such as information systems management, accounting, billing and auditing, marketing, check processing and verification.

        15. FUNTRITION 's website and social networks and in publications in printed media, information brochures, management reports, billboards, corporate material, among other media digital and printed, as part of your internal and external communications in your role as an employer, to document the organizational structure or training, development, well-being, occupational health and safety activities established by FUNTRITION.

        16. In the case of former collaborators, FUNTRITION may store, even after the employment contract has ended, the information necessary to comply with the obligations that may arise by virtue of the employment relationship that existed in accordance with the Colombian legislation, as well as provide labor certifications. that are requested by former collaborators or by third parties against whom they carry out a selection process.

        17. Manage the risk of Money Laundering and Terrorist Financing and corruption.

      4. Purposes regarding Suppliers or Contractors:

        1. Register the Holder in the systems, forms, lists, files, physical or electronic, managed by FUNTRITION, for the purposes of providing the contracted services.

        2. Advance electronic billing procedures for contracted services.

        3. Maintain operations support, incident monitoring and compliance with contractual and legal obligations.

        4. Comply with your legal and contractual obligations.

        5. Send electronic messages or make telephone contacts, or through any means, to advance the confirmation of the Holder’s personal data necessary for the execution of the legal relationship that has been established with FUNTRITION.

        6. Contact the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any other means known or unknown, to send contractual, informative documents, account statements or invoices in relation to the obligations derived from the contracts entered into with FUNTRITION, in its different commercial establishments or offices.

        7. Grant access to the interaction portals of suppliers and/or contractors to supply all the processes required internally by FUNTRITION.

        8. Provide information to third parties with whom you have a contractual relationship, and it is necessary to deliver it to them for the fulfillment of the contracted object.

        9. FUNTRITION 's filing and document management tasks, in accordance with current legal provisions.

        10. Validate, verify and consult the economic and transactional information of the Holder with the purpose of establishing the legal relationship with FUNTRITION.

        11. For administrative and analytical purposes, such as information systems management, accounting, billing and auditing, marketing, check processing and verification.

        12. Share information with commercial allies to offer products and services, complying with all authorizations required by law and this Policy.

        13. FUNTRITION products and/or services, invite to events or programs organized by the company.

        14. Consult, verify and confirm credit and commercial information of the Holder, in Credit Risk or Information Centers, or any other public or private, national, foreign or multilateral entity that administers or manages databases or credit information, or any other financial entity in Colombia, or from abroad or of a multilateral nature, all information that refers to the Holder, about its credit, financial, commercial, services and third countries behavior of the same nature.

        15. To make reports to the risk and information centers, all the conditions and procedures established in current laws will be met and especially in relation to Law 1266 of 2008 and related regulations.

        16. Manage the risk of Money Laundering and Terrorist Financing and Corruption and Bribery.

      5. Purposes regarding FUNTRITION Shareholders:

        1. Comply with the obligations and rights derived from being a FUNTRITION shareholder.

        2. Send you electronic, physical and/or telephone communications to your contact information to inform you, summon or call you to meetings of FUNTRITION 's corporate bodies where required, and/or to send you the documents and reports that will be put up for consideration in such meetings.

        3. Send you pieces of communication and information necessary for the exercise of your rights as a shareholder of FUNTRITION, and/or for the fulfillment of the obligations carried by FUNTRITION in favor of its shareholders.

        4. Carry out comprehensive administration activities of the shareholder registry book.

        5. Contact the Holder through email, instant messaging, text messages, formal communication, telephone calls and/or any other means known or unknown, to send contractual documents, information, account statements in relation to their quality of service. FUNTRITION shareholder.

        6. FUNTRITION 's filing and document management tasks, in accordance with current legal provisions.

        7. Provide information related to procedures, complaints and requests from shareholders.

        8. FUNTRITION products, invite to events or programs organized by the Organization.

        9. Give access to the information to the judicial or administrative authorities that request such data in the exercise of their functions.

        10. Manage the risk of Money Laundering and Terrorist Financing and Corruption and Bribery.

        11. Compliance with the necessary activities and purposes of the issuer-shareholder relationship

      6. Processing of Sensitive Personal Data obtained through Video Surveillance
        FUNTRITION         uses various means of video surveillance installed in different internal and external locations of its facilities or offices. For this reason, it informs the general public about the existence of these mechanisms by posting and disseminating information notices with details of the contact channels and the policies that govern such treatment.
         
        The information collected through this mechanism is used for security purposes, controlling and identifying access to FUNTRITION headquarters, offices and commercial establishments; maintain security and access control to buildings, establishments open to the public and other facilities; promote the safety of people, property and facilities; the improvement of our service and experience at FUNTRITION facilities , as well as evidence in any type of process before any type of authority or organization.
         
        FUNTRITION does not deliver the video recordings obtained to any third party, unless there is a court order or a competent authority or the law allows it.
         
        The authorization in relation to the handling of these personal data is understood to be granted through the unequivocal action of entering the facilities that are subject to video surveillance and monitoring by FUNTRITION.

        In any case, FUNTRITION reserves the right to inform the Holders of the purpose of each Processing of information on personal data at the time of collecting it through the Authorization. In the event that the personal data no longer fulfills the purpose for which it was obtained, it will be deleted from our databases under the terms and conditions established by the Colombian legislation and/or the Personal Data Treatment Protection Policy.

  17. SENSITIVE DATA
    In the case of sensitive personal data, it may be used and processed when:
    1. The Holder has given explicit authorization to such Treatment, except in cases where the granting of such authorization is not required by law.
    2. The Treatment is necessary to safeguard the vital interest of the Holder and the Holder is physically or legally incapacitated. In these events, legal representatives must grant their authorization.
    3. The Treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
    4. The Treatment has a historical, statistical or scientific purpose. In this event, measures must be adopted leading to the deletion of the identity of the Holders.
  18. DATA ON CHILDREN AND ADOLESCENTS
    The processing of personal data of children and adolescents is prohibited, except when it concerns data of a public nature, and when such processing meets the following parameters and/or requirements:
    1. That they respond to and respect the best interests of children and adolescents.
    2. That respect for their fundamental rights is ensured.
       
      Once the above requirements have been met, the legal representative of the children or adolescents shall grant authorization, after the minor has exercised his or her right to be heard, an opinion that shall be assessed considering maturity, autonomy and ability to understand the matter. The FUNTRITION company will ensure the appropriate use of the processing of personal data of children or adolescents.

      It is presumed that whoever grants the Authorization for the Processing of Personal Data on behalf of a minor has the legal authority to do so, so it is understood that such statement is made under oath.
  19. PEOPLE TO WHOM THE INFORMATION MAY BE PROVIDED
    The information that meets the conditions established by law may be provided to the following people:
    1. To the holders, their assignees (when those are missing) or their legal representatives.
    2. To public or administrative entities in the exercise of their legal functions or by court order.
    3. To third parties authorized by the holder or by law.
  20. INTERNATIONAL DATA TRANSFER
    The transfer of personal data to any person whose seat is a country not safe for data protection is prohibited. Safe countries are understood to be those that have adopted Personal Data Protection Guidelines in their internal legislation and/or comply with the standards set by the Superintendency of Industry and Commerce.
     
    Exceptionally, international data transfers may be made through FUNTRITION. when:
    1. The holder of the data has granted prior, express and unequivocal authorization to carry out the transfer.
    2. The transfer is necessary for the execution of a contract between the holder and FUNTRITION as responsible and/or in charge of the treatment.
    3. In the case of bank and stock exchange transfers in accordance with the legislation applicable to such transactions.
    4. It involves data transfer within the framework of international treaties that are part of the Colombian legal system.
    5. Legally required transfers to safeguard a public interest.
    6. Transfers included within the framework of the existing Services Agreement.
       
      At the time of an international transfer of personal data, prior to sending or receiving them, FUNTRITION will sign the agreements that regulate in detail the obligations, charges and duties that arise for the intervening parties.
      The agreements or contracts that are entered into must comply with the provisions of this Policy, as well as the legislation and jurisprudence that may be applicable regarding the protection of personal data.
      It will correspond to the Personal Data Protection Officer of FUNTRITION to give a prior favorable concept the on agreements or contracts that involve an international transfer of personal data, considering as guidelines the applicable principles included in this Policy. Likewise, it will be up to you to make the pertinent queries before the Superintendency of Industry and Commerce to ensure the circumstance of “safe country” in relation to the territory of destination and/or origin of the data.
  21. INTERNATIONAL TRANSMISSION OF PERSONAL DATA
    In the contractual relationships that FUNTRITION celebrates with the suppliers located in third countries that do not have an adequate level of protection, in which these, in their capacity as Processors, carry out any type of personal information treatment; the holders do not need to be informed or obtain their prior consent The foregoing, provided that there is a contract that regulates:
    1. The scope of the treatment.
    2. The activities that the third party in charge will carry out on behalf of FUNTRITION.
    3. The obligations of the third-party provider as a manager towards the holders and FUNTRITION as the one responsible, in accordance with the provisions of the Colombian law.
    4. The obligation to process personal data only for the contracted purposes.
    5. The prohibition of processing personal data for unauthorized uses.
    6. The obligation to process personal data in compliance with the current Colombian legislation.
    7. The obligation to comply with the principles applicable to the processing of personal data in force in Colombia.
    8. The obligation to adopt security measures according to the criticality of the personal information processed under the contract concluded.
    9. The obligation to process personal data in compliance with the principle of confidentiality.
    10. The obligation to notify within the term of the current law in Colombia any security incident that compromises the personal data processed.
    11. The obligation to comply with the internal policy and regulations adopted by FUNTRITION regarding the protection of personal data.
    12. The obligation to establish the channels for the exercise of habeas data to the holders of the personal data, as well as the information requirements that FUNTRITION has.
    13. The other obligations required of those in charge under the provisions of the Colombian personal data protection regime.
  22. PERSONAL DATA RETENTION
    The custody of the information in each Database will be the one that is reported at the time of the data collection or that established by FUNTRITION in accordance with the purpose. The FUNTRITION Databases will have the period of validity that corresponds to the purpose for which their treatment was authorized and the special rules that regulate the matter, as well as those rules that establish the exercise of the corporate purpose of FUNTRITION. In any case, the information provided will remain stored for as long as necessary to allow us to fulfill the purposes set forth herein and to comply with legal and/or contractual obligations under FUNTRITION, especially in labor, accounting, fiscal and tax matters. for all the time necessary to address the provisions applicable to the matter in question and the administrative, labor, accounting, fiscal, legal and historical aspects of the information, or in any event provided for by law.
     
    For the purposes of determining the reasonableness of the time of permanence of Personal Data in the Databases, by virtue of the nature of each Personal Data, the documentary retention times contained in Annex 1 of this Policy will be applied.
  23. PROCEDURES FOR ATTENDING QUERIES, CLAIMS AND PETITIONS.
    1. ​INQUIRIES. The holders or their assignees may consult the personal information of the holder that resides in any FUNTRITION database. The holder may send questions or queries related to their personal data collected and processed by FUNTRITION in the service channels set forth in this Policy.
       
      FUNTRITION will resolve your concerns or queries within ten (10) business days from the date on which you received it. When it is not possible to attend to the query within such term, the interested party will be informed before the expiration of ten (10) days, expressing the reasons for the delay and indicating the date on which their query will be attended to, which in no case may exceed five (5) business days following the expiration of the first term. 
       
    2. CLAIMS. The holder (or their assignees) who considers that the information contained in any FUNTRITION database must be corrected, updated or deleted, or when they notice the alleged breach of any of the legal duties, they may present the claim through the service channels set forth in this Policy.
       
      The claim must contain at least: The identification of the holder of the personal data, the description of the facts that give rise to the claim, the holder’s address, and it must accompany the documents that you want to assert. If this information is not contained, the interested party will be required within five (5) days of receipt to correct the deficiencies. After two (2) months from the date of the request without the applicant presenting the required information, it will be understood that the claim has been withdrawn.
       
      Once the complete claim is received, it will be included in the database maintained by FUNTRITION a « CLAIM IN PROCESS " caption and the reason for it, will be included within a period of no more than two (2) business days. Such caption must be maintained until the claim is decided.
       
      The maximum term to attend to the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to attend to it within such term, the interested party will be informed before the expiration of the aforementioned period about the reasons for the delay and the date on which their claim will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term.
    3. SUPPRESSION. The right to delete data is not absolute, FUNTRITION may deny it when:
      a.     The holder has a legal or contractual duty to remain in the database.
      b.     The deletion of data hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
      c.      The data is necessary to protect the legally protected interests of the holder; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the holder.
      d.     If the deletion of personal data is appropriate, FUNTRITION must operationally carry out the deletion in such a way that the deletion does not allow the recovery of the information, without prejudice to the technological trace of the existence of the respective Data in the Database.
  24. AREA RESPONSIBLE AND IN CHARGE OF THE PROTECTION OF PERSONAL DATA
    FUNTRITION    , within compliance with the provisions of Law 1581 of 2012 and other regulations that govern the protection of personal data in Colombia, has established an internal structure in charge of giving full compliance to all regulations and this Policy, as shown below:
    PERSONAL DATA PROTECTION OFFICER
    He will be the person in charge of leading the personal data protection program at FUNTRITION, processing the requests of the Holders for the exercise of rights and has the following functions:
    a.     Respond to all requests, inquiries, queries or claims presented by the Holders.
    b.     FUNTRITION 's personal data protection system.
    c.     Serve as a liaison and a coordinator with the other areas of FUNTRITION to ensure a transversal implementation of the System.
    d.     Maintain an inventory of the Databases within FUNTRITION and update the annual report according to instructions from the Competent Authority in Colombia (Superintendency of Industry and Commerce).
    e.     Register and update the Databases with the National Registry of Databases (RNBD)
    f.      Obtain declarations of conformity when necessary.
    g.     Integrate personal data protection and processing policies within FUNTRITION 's activities.
    h.     Measure the participation and rate performance in personal data protection training.
    i.      Ensure the implementation of monitoring plans to verify compliance with this Policy.
    j.      Accompany and assist FUNTRITION in responding to visits, requests for information, disciplinary processes and/or responding to requirements from the Competent Authorities.
    k.     Monitor work plans and/or personal data protection management programs.
    l.      Prepare information security incident reports.
    m.   Consolidate and continually improve the activities that are part of the work plans and/or personal data protection program.
    n.     Promote the implementation of a system that allows managing the risks of personal data processing.
    o.     Promote the culture of personal data protection at FUNTRITION.
    p.     FUNTRITION operations that may have an impact in relation to the protection of personal data.
    q.     FUNTRITION positions to design a training program appropriate to each profile.
    r.      Design and execute a general personal data protection training program at FUNTRITION.
    s.     Require that within the evaluation of the positions of FUNTRITION collaborators it is necessary to have satisfactorily passed the training on personal data protection.
    t.      Present internal reports addressed to the Senior Management of FUNTRITION and/or the authorities in charge of controlling compliance with the rules and Policies.
    u.     Make proposals for improvements, adjustments, modifications or new internal provisions in accordance with the regulations issued in relation to the protection of personal data at FUNTRITION.
    v.     Submit to Senior Management the approval of documents related to personal data protection at FUNTRITION.

    FUNTRITION 'S PERSONAL DATA PROTECTION OFFICER will be the person responsible for ensuring the protection of personal data and who will also ensure that the requests, queries and claims of the holders for the exercise of the rights of access, consultation, and rectification are processed and channeled through the service channels, updating, deletion and revocation referred to in this policy, in accordance with the regulations related to the subject.
  25. INFORMATION SECURITY
    Information security is important to FUNTRITION, which is why it has physical, electronic and procedural protection measures for the confidential handling of the information contained in its database and institutional documents that make up the Information Security System. which must be applied in harmony with this Policy.
     
    Likewise, FUNTRITION undertakes to take all necessary security measures to protect personal data from loss, misuse, unauthorized or fraudulent access, disclosure without authorization, alteration, among others. The controlling parent company by virtue of the Back Office Service Provision Agreement is obliged to protect the personal data in the same way, maintaining absolute confidentiality regarding its content, in accordance with this Policy.
     
    FUNTRITION is exempted from illegal manipulations by third parties, technical or technological failures, which are outside its scope of protection.
     
  26. ATTENTION TO REQUIREMENTS OF ADMINISTRATIVE AND JUDICIAL ENTITIES
    The PERSONAL DATA PROTECTION OFFICER will be the person in charge, together with the legal representative of the company, of attending to any visit request for information or request in relation to personal data. FUNTRITION may reveal the personal information of its Holders at the request of the competent Judicial or Administrative Authorities in accordance with the current legislation. FUNTRITION will not assume any damages arising from this disclosure of information, in compliance with orders from competent administrative or judicial authorities.
     
  27. STORAGE AND PROCESSING OF PERSONAL DATA
    The Personal Data collected will be stored in physical and/or digital databases or in a hybrid form as appropriate to the type of data in question and the purpose of the processing of the Personal Data. Likewise, the processing may be manual and/or automated. as appropriate, ensuring in all cases the security of the information.
  28. MECHANISM ESTABLISHED TO MAKE CHANGES KNOWN SUBSTANTIAL IN POLITICS
    In accordance with the provisions of the Law, FUNTRITION will inform the holders of the information of any substantial modification that may arise in the Personal Data Processing Policy and for this purpose, it will use the appropriate means to inform the holders of these changes. the information through the website (https://funtrition.com) and/or email and/or phone call and/or text messages and/or WhatsApp.
  29. VALIDITY PERIOD OF THE DATABASES
    The length of personal data storage time in the databases will depend on the type of data and the existing legal obligations regarding the conservation of such data. For this purpose, FUNTRITION will internally analyze in detail the type of data of the holder and will guarantee the maximum period of permanence, in accordance with the attached personal data retention table (ANNEX 1), a retention table that will be modified accordingly in compliance with the regulatory changes that affect it.
  30. VALIDITY AND MODIFICATIONS
    This policy was approved by the Senior Management of FUNTRITION and came into effect on March 1, 2024, and modifies all provisions that had been issued in advance in the organization.
     
    The databases in which the personal data will be registered will be valid for as long as the information is maintained and used for the purposes described in this Policy. Once these purposes are fulfilled and provided that there is no legal or contractual duty to keep your information, your data will be deleted from our databases.
     
  31. APPROVAL AND DISCLOSURE
    This document was reviewed, analyzed and approved for implementation by FUNTRITION S.A. on March 1, 2024. FUNTRITION will make the corresponding disclosure with the corresponding stakeholders, and it will be recorded.

Employees