Data Processing Policy

1. GENERALITIES
In compliance with the provisions of Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, SORETEX SAS adopts this policy for the processing of personal data, which will be informed to all owners of the data collected or that may be obtained in the future in the exercise of commercial or labor activities. In this way, SORETEX SAS declares that it guarantees the rights of privacy, intimacy, in the processing of personal data, and consequently all its actions will be governed by the principles of legality, purpose, freedom, truthfulness or quality, transparency, restricted access and circulation, security and confidentiality. All persons who, in the development of different commercial, labor, among others, whether permanent or occasional, may provide the Company with any type of information or personal data, may know, update and rectify it.



2. COMPANY NAME
SORETEX SAS, a company dedicated to the production and marketing of women's sportswear, established in 2018, registered with the Cali Chamber of Commerce.

ADDRESS AND ADDRESS: The company has its domicile in the city of Cali and is located at Calle 10 No. 23 A-11 Barrio Bretaña.
EMAIL: soretexdecolombia@gmail.com
PHONE: (572) 5572822 CELL PHONE: 3135351122



3. LEGAL FRAMEWORK
Political Constitution, Article 15. Law 1266 of 2008; Law 1581 of 2012 Regulatory Decrees 1727 of 2009 and 2952 of 2010, Partial Regulatory Decree 1377 of 2013; Constitutional Court Judgments C-1011 of 2008 and C-748 of 2011.



4. SCOPE OF APPLICATION
This policy will apply to personal data recorded in any database of the company SORETEX SAS whose owner is a natural or legal person.



5. DEFINITIONS
For the purposes of this policy and in accordance with current regulations on personal data protection, the following definitions will be taken into account:

1. Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data.
2. Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Data Subject for the processing of their personal data, through which they are informed of the existence of the information processing policies that will be applicable to them, how to access them, and the purposes of the processing intended to be given to the personal data.
3. Database: Organized set of personal data that is the object of processing.
4. Successor: person who has succeeded another due to the latter's death (heir).
5. Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.
6. Public data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to a person's marital status, their profession or occupation, and their status as a merchant or public servant. By its nature, public data may be contained in, among other things, public registries, public documents, official gazettes and bulletins, and duly enforceable court rulings that are not subject to confidentiality.
7. Sensitive data: Sensitive data is understood to be that which affects the privacy of the Owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
8. Data Processor: Natural or legal person, public or private, who, by itself or in association with others, carries out the processing of personal data on behalf of the Data Controller.
9. Data Controller: Natural or legal person, public or private, who, by itself or in association with others, decides on the database and/or the processing of the data.
10. Owner: Natural person whose personal data is subject to processing.
11. Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
12. Transfer: Data transfer occurs when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is in turn the controller and is located within or outside the country.
13. Transmission: processing of personal data that involves communicating the same within or outside the territory of the Republic of Colombia when the purpose is to carry out processing by the data processor on behalf of the controller.

The definitions included in this document are taken from current Colombian regulations governing the protection of personal data.



6. PRINCIPLES
To ensure the protection of personal data, the Company will harmoniously and comprehensively apply the following principles, in light of which the processing, transfer, and transmission of personal data must be carried out:

1. Principle of legality in data processing: Data processing is a regulated activity, which must be subject to the current and applicable legal provisions governing the subject matter.
2. Principle of purpose: The activity of processing personal data carried out by the Company or to which it has access will obey a legitimate purpose in accordance with the Colombian Political Constitution, which must be informed to the respective owner of the personal data.
3. Principle of freedom: Personal data may only be processed with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a statutory or judicial order evidencing consent.
4. Principle of truthfulness or quality: Information subject to the processing of personal data must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
5. Principle of transparency: In the processing of personal data, SORETEX SAS will guarantee the Data Subject the right to obtain, at any time and without restrictions, information about the existence of any type of information or personal data that may be of interest to or owned by the Data Subject.
6. Principle of restricted access and circulation: The processing of personal data is subject to the limits derived from the nature of the data, the provisions of the law, and the Constitution. Consequently, processing may only be carried out by persons authorized by the data subject and/or by the persons provided for by law. Personal data, except for public information, may not be made available on the internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the data subjects or third parties authorized by law. For these purposes, SORETEX SAS's obligation will be to use means.
7. Security principle: Information subject to processing by SORETEX SAS must be handled with the technical, human, and administrative measures necessary to ensure the security of records, preventing their alteration, loss, unauthorized or fraudulent access, or consultation.
8. Confidentiality Principle: All persons within the Company who administer, manage, update, or have access to any type of information contained in databases are obligated to guarantee the confidentiality of that information. Therefore, they undertake to preserve and maintain in a strictly confidential manner and not to disclose to third parties any information they may acquire in the course of performing their duties, except in the case of activities expressly authorized by data protection law. This obligation persists and will continue even after their relationship with any of the tasks involved in the Processing process has ended.



7. RIGHTS OF THE INFORMATION HOLDER
In accordance with current data protection regulations, the following are the rights of personal data subjects:

1. Access, access, update, and rectify your personal data with SORETEX SAS, as the data controller. This right may be exercised, among others, with respect to data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or unauthorized.
2. Request proof of the authorization granted to the company for data processing, by any valid means, except in cases where authorization is not required.
3. Be informed by SORETEX SAS, upon request, regarding the use that has been given to your personal data.
4. Submit complaints to the Superintendency of Industry and Commerce, or the entity acting in its place, for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add to, or complement it, after a consultation or request process has been submitted to the Company.
5. Revoke authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees.
6. Access your personal data that has been processed free of charge, at least once every calendar month, and whenever there are substantial modifications to this policy that motivate new inquiries.
These rights may be exercised by:
- The owner, who must sufficiently prove his identity by the different means made available to him by the company.
- The holder's successors in title, who must prove such status.
- The representative and/or attorney of the owner, upon prior accreditation of the representation or power of attorney.

• Other rights in favor of or for which the data subject has stipulated. Rights of children and adolescents: in the processing of personal data, respect for the prevailing rights of minors will be ensured. The processing of personal data of minors is prohibited, except for data that is public in nature, and in this case, the processing must comply with the following parameters:

1. Respond to and respect the best interests of minors.
2. Ensure respect for the fundamental rights of minors.



8. DUTIES OF THE COMPANY AS CONTROLLER AND IN CHARGE OF THE PROCESSING OF PERSONAL DATA
THE COMPANY recognizes that individuals hold ownership of personal data, and therefore, they alone have sole discretion over such data. Therefore, SORETEX SAS will use personal data for the purposes expressly authorized by the data subject or by current regulations. In the processing and protection of personal data, the company shall have the following obligations, without prejudice to any other obligations set forth in the provisions that regulate or may regulate this matter:

1. Guarantee the holder, at all times, the full and effective exercise of the right to habeas data.
2. Request and retain a copy of the respective authorization granted by the owner for the processing of personal data.
3. Properly inform the owner about the purpose of the collection and the rights to which he or she is entitled by virtue of the authorization granted.
4. Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use or unauthorized or fraudulent access.
5. Ensure that the information is truthful, complete, accurate, up-to-date, verifiable and understandable.
6. Update the information promptly, taking into account any new developments regarding the data subject's information. Additionally, all necessary measures must be implemented to ensure the information remains up-to-date.
7. Rectify information when it is incorrect and communicate what is relevant.
8. Respect the security and privacy conditions of the owner's information.
9. Process queries and complaints made in accordance with the terms established by law.
10. Identify when certain information is being disputed by the owner.
11. Inform the owner, upon request, about the use given to their data.
12. Inform the data protection authority when security code violations occur and there are risks in the management of data subjects' information.
13. Comply with the requirements and instructions issued by the Superintendency of Industry and Commerce on the particular subject.
14. Use only data whose processing has been previously authorized in accordance with the provisions of Law 1581 of 2012.
15. Ensure the appropriate use of the personal data of children and adolescents, in those cases where the processing of their data is authorized.
16. Record the legend 'claim in process' in the database in the manner regulated by law.
17. Insert the legend 'information under judicial discussion' into the database once notified by the competent authority about judicial proceedings related to the quality of personal data.
18. Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
19. Allow access to information only to people who can access it.
20. Use the data subject's personal data only for those purposes for which it is duly authorized and in all cases respecting current regulations on personal data protection.



9. AUTHORIZATION AND CONSENT OF THE OWNER
It requires the free, prior, express and informed consent of the owner of the personal data for the processing of the same, except in cases expressly authorized by law, namely:

1. Information required by a public or administrative entity in the exercise of its legal functions or by court order.
2. Data of a public nature.
3. Cases of medical or health emergencies.
4. Processing of information authorized by law for historical, statistical or scientific purposes.



10. PRIVACY NOTICE
The Privacy Notice is the physical, electronic, or other format document made available to the data subject to inform them about the processing of their personal data. This document communicates to the data subject information related to the existence of the company's data processing policies that will apply to them, how to access them, and the characteristics of the intended processing of their personal data. The privacy notice must contain, at a minimum, the following information:

1. The identity, address and contact details of the data controller.
2. The type of processing to which the data will be subjected and its purpose.
3. The rights of the owner.
4. General mechanisms
established by the controller so that the data subject is aware of the information processing policy and any substantial changes that may occur. In all cases, the controller must inform the data subject how to access or consult the information processing policy.
5. The optional nature of the response to questions about sensitive data.



11. PROCEDURE FOR HANDLING QUERIES, COMPLAINTS, REQUESTS FOR RECTIFICATION, UPDATING AND DELETION OF DATA
Inquiries: Data subjects or their successors in title may consult the data subject's personal information held by the Company. The Company will provide all information contained in the individual record or linked to the Data Subject's identification. Regarding the handling of personal data inquiries, the Company guarantees:

• Enable electronic or other means of communication that it deems relevant.
• Establish simplified forms, systems, and other methods, which must be disclosed in the privacy notice.
• Use the customer service or complaints services that it has in operation.
• In any case, regardless of the mechanism implemented for handling consultation requests, they will be attended to within a maximum period of ten (10) business days from the date of receipt. When it is not possible to attend to the consultation within this period, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which their consultation will be attended to, which in no case may exceed five (5) business days following the expiration of the first period.
• Questions can be sent to soretexdecolombia@gmail.com



12. NATIONAL DATABASE REGISTRY SORETEX SAS
In the cases contemplated by law and its statutes and internal regulations, it reserves the right to maintain and classify certain information held in its databases or banks as confidential in accordance with current regulations, its statutes and regulations, all of the foregoing and in accordance with fundamental and constitutional rights.



13. INFORMATION SECURITY AND SECURITY MEASURES
In compliance with the security principle established in current regulations, SORETEX SAS will adopt the necessary technical, human, and administrative measures to ensure the security of records, preventing their alteration, loss, unauthorized or fraudulent access, or access.



14. USE AND INTERNATIONAL TRANSFER OF PERSONAL DATA AND PERSONAL INFORMATION BY SORETEX SAS
In compliance with the Company's institutional mission and strategic development plan, and given the nature of the permanent or occasional relationships that any personal data subject may have with us, the Company may transfer and transmit all personal data, including internationally, provided that applicable legal requirements are met. Consequently, by accepting this policy, the data subjects expressly authorize the transfer and transmission of their personal data, including internationally. The data will be transferred for all relationships that may be established with SORETEX SAS. For the international transfer of personal data of the holders, the company will take the necessary measures so that third parties know and agree to observe this policy, with the understanding that the personal information they receive may only be used for matters directly related to SORETEX SAS and only while it lasts and may not be used or destined for a different purpose or end.



15. VALIDITY

This policy is effective as of its issuance on January 15, 2018, and the databases subject to processing will remain in effect as long as necessary for marketing purposes and the provision of any type of service.

MARIA SORELLY PINEDA ECHEVERRI
CC 67.021.580
GENERAL MANAGER AND LEGAL REPRESENTATIVE
SORETEX SAS
NIT 901.144.198-6