This document contains the Personal Data Protection Policy (hereinafter the "Policy") under which the processing of personal data is carried out by OFICOMCO S.A.S. (hereinafter THE COMPANY) in compliance with the provisions of Law 1581 of 2012, Decree 1377 of 2013, and other regulations that modify, add or complement them (the "Applicable Rules").

It shall apply to the personal data of natural persons that are included in the COMPANY's databases.

• Authorisation: prior, express and informed consent of the Data Subject to carry out the Processing of personal data;
• Database: an organized collection of personal data which is the subject of processing.
• Personal data: any information linked or capable of being linked to one or more natural persons;
• Processor: a natural or legal person, public or private, who, alone or in association with others, carries out the processing of personal data on behalf of the controller.
• Controller: a natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of the data.
• Data subject: natural person: customers, consumers, employees, former employees, suppliers, among others, whose personal data are processed.
• Transfer: activity in which the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.
• Transmission: processing of Personal Data that involves the communication of such Personal Data within or outside the territory of the Republic of Colombia when the purpose of the Processing is carried out by the Processor on behalf of the Controller.
• Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation, transfer or deletion;

In carrying out the Processing of Personal Data, the controller shall comply with the requirements of the applicable rules, and shall take into account the following guidelines:

• This Policy shall at all times comply with the provisions of the Applicable Rules, and shall be made available to data subjects and third parties who wish to consult it.
• Currently, THE COMPANY is responsible for the processing of personal data collected by its personnel, by third parties to whom it has entrusted this task, or by any electronic means that it makes available to the data subjects for this purpose.
• The personal data contained in the databases of the data controller will be handled under strict security and confidentiality policies.
• The Data Controller collects Personal Data in order to carry out the Processing for the following purposes:
• To carry out marketing, promotion and/or advertising activities, market research, own or third party, through various suitable means such as invoices, e-mails or electronic messages, text messages (SMS) and telephone communications.
• To carry out tasks required for the offering and/or provision of services, such as sales, invoicing, collection, payment collection, enabling payment methods, technical support, service improvement, programming, control, fraud prevention or any other activity related to current or future products of the data controller, which are relevant or necessary for the fulfilment of its corporate purpose or contractual obligations.
• To have contact with customers of the services in relation to the data controller's current or future products or services and about promotions, packages, releases or additional services.
• Comply with the obligations contracted with the Data Subjects, including suppliers, customers, employees, former employees, future employees.
• Conduct studies on consumer habits.
• Share, Transfer and Transmit data to business partners, subsidiary companies, parent company for the purpose of commercial activities and promotion of products or services owned by such companies or to persons with whom the Data Controller has or may have a business relationship that is related to the contracts for the provision of services to the data subjects.
• Transfer, transmit and share personal data to third parties that have or may have business links with the Company that is related to the Data Subjects' service provision contracts.
• When Personal Data is transferred or transmitted, it shall remain confidential information and may not be processed for purposes other than those established in these policies or those indicated in the document containing the contractual relationship to be executed. In the event of a Transfer, whoever receives the information shall be considered the Data Controller and shall apply its privacy policies.
• To attend to and manage requests and suggestions made by customers, suppliers and third parties in general.
• When this Policy undergoes any change, it will be necessary to notify the Personal Data Subjects of such change. Such change may be made through the means of communication normally used between the Parties.
• The area responsible within THE COMPANY for the Processing of Personal Data, and for dealing with queries or claims related to Personal Data is called PERSONAL DATA PROCESSING.

Proof of authorisations granted shall be requested and retained.

The Data Subject shall have the following rights:

• To know, update and rectify their personal data. You may exercise this right, among others, against partial, inaccurate, incomplete, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorised;
• Request proof of the authorisation granted, except when expressly exempted as a requirement for the processing, in accordance with the provisions of Law 1581 of 2012;
• To be informed, upon request, of the use made of his or her personal data;
• File complaints with the Superintendency of Industry and Commerce for infringements of the provisions of this law and other regulations that modify, add to or complement it;
• To revoke the authorisation and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the processing has been carried out in conduct contrary to this law and the Constitution.

The revocation of the authorisation or deletion of the data does not proceed when the Data Subject has a legal or contractual duty to remain in the database;

• Access free of charge, as established in article 21 of Decree 1377 of 2013, to their personal data that have been subject to Processing.

For the exercise of the rights mentioned herein by the Personal Data Holders, they may contact the area responsible for the Processing of Personal Data, and the handling of queries and complaints regarding the same. The exercise of the rights must be exercised in accordance with the provisions of the following paragraph, and in accordance with the requirements of the Applicable Rules.

In order to exercise the rights of the Data Controller, the Data Controller shall make available to the Data Controllers appropriate means of communication for this purpose. In this regard, the area responsible for the Processing of Personal Data and attention to queries and claims may be contacted at the following e-mail addresses: ofihelp@ofi.com or ayuda@ofi.com.co or through the website: https://ofi.com.co/contacto/ and by calling the hotline: +(57) 1 794-3660.

The procedure to be followed for the exercise of the rights of the Data Subjects shall be as follows:

• Consultations:
  • When the Data Subject, his/her representative or assignee requires to consult his/her Personal Data contained in the databases of the Data Controller, the latter shall respond to the consultation within ten (10) working days from the date of receipt of the consultation made.
  • If it is not possible to deal with the query within this period, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the query will be dealt with, which in no case may exceed five (5) working days following the expiry of the first period.

• Claims:
  • The Data Subject, his representative or assignee may request the correction, updating or deletion by submitting a claim, which must be processed by means of a written request containing the following information: i) Identification of the Data Subject, ii) Description of the facts giving rise to the claim, iii) Correspondence address of the Data Subject, iv) Supporting documents for the request.
  • If the request is incomplete, the Data Controller, or the area in charge thereof, shall require the data subject to provide additional documents within five (5) days following receipt of the claim. The data subject shall have up to sixty (60) days to respond to the information requested; if no response is provided, it shall be understood that the claim has been withdrawn.
  • Upon receipt of the complaint, a note stating that a complaint is in progress shall be included in the respective database within two (2) days of receipt of the complaint.
  • The complaint must be dealt with within fifteen working days of receipt. If it is not possible to deal with it within this period, the interested party will be informed, and the reasons for the delay will be given, and a response will be given within a maximum of eight (8) days.

The exercise of the data subjects' rights may be made at any time. For the purposes of consultation of their Personal Data, the same shall be provided free of charge, under the terms of Decree 1377 of 2013.

1. Visit the website https://ofi.com.co
2. Select the option "Personal Data Protection Policy" https://ofi.com.co/politica-proteccion-de-datos-personales/

To guarantee the high satisfaction of our customers through quality standards and continuous improvement in our processes for the design, delivery, implementation, monitoring and support of technological solutions, committing to comply with the applicable requirements of the regulations; maintaining the criteria of profitability and promoting the integral development of our Ofi talents.