PRIVACY AND PERSONAL DATA TREATMENT POLICY
Last updated: August 10, 2025
1. GENERAL INFORMATION
This policy governs the processing of personal data of customers, users, suppliers, or any other natural or legal person who has a relationship with CONSULTORÍA EN TECNOLOGÍA SOSTENIBLE S.A.S. BIC, established under the laws of the Republic of Colombia, domiciled in Bogotá (hereinafter Sustek.co). Sustek.co is committed to protecting privacy and all information that can be associated with or related to specific natural or legal persons (hereinafter referred to as Personal Data) to which Sustek.co has access in the course of its business activities. In this regard, the company receives, through various information channels, identification data (name, ID, age, or gender), contact information (phone, email, or address), consumer preferences, visit and internet behavior data, financial information, and other relevant data for business operations; this information may be obtained directly from the data subjects or through the use of the company's Internet platforms, with prior customer authorization.\n\nBy entering their data and information, the data subject expresses and grants their consent to the use of said data as described in this Privacy and Personal Data Treatment Policy.
2. APPLICATION OF THIS POLICY
This Policy applies generally to Sustek.co's customers, business partners, affiliated merchants, suppliers, employees, collaborators, contractors, and any person whose Personal Data is or will be processed by the company (hereinafter referred to as the Data Subjects). Its purpose is to guarantee the rights of the Data Subjects; inform about the mechanisms and procedures to exercise these rights; address questions, complaints, and claims; and communicate the purpose of the Personal Data within the business activity.\n\nThis Policy will apply throughout the territory of the Republic of Colombia by Sustek.co, its employees, and, where applicable, by those third parties with whom the company agrees to carry out all or part of any activity related to the Processing of Personal Data for which the company is responsible.\n\nLikewise, it will apply to third parties, whether natural or legal persons, with whom the company signs any type of contract, so that they are aware of their obligations, purposes, and the security and confidentiality schemes they must adopt when processing data on behalf of the company.
3. TREATMENT
In compliance with Decree 1377 of 2013, CONSULTORÍA EN TECNOLOGÍA SOSTENIBLE S.A.S. BIC, in the course of its business activities, will collect, use, manage, store, analyze, anonymize, index, segment, profile, compile, process, transmit, transfer, verify Personal Data, carry out collections, and share information with credit bureaus, if necessary, and will perform various operations with the Personal Data. Accordingly, the Personal Data processed by the company will be subject only to the purposes indicated below or those accepted by the Data Subjects at the time of collecting the Personal Data.
4. PURPOSE
Similarly, individuals who have access to Personal Data by law, contract, or other binding document will carry out the Processing for the following purposes: (i) To offer loyalty programs for the final consumer, promotions, and discounts; (ii) To inform about the existence of new products and services, both proprietary and from third parties; (iii) To track the behavior of Data Subjects, mobile phones, and their consumer preferences; (iv) To create profiles of Data Subjects who are users of the company's platforms based on their consumer preferences and their behavior on the internet and mobile phones; (v) To send information about news, updates, and promotions, both proprietary and from third parties; (vi) To send information about CRM programs, both proprietary and from third parties; (vii) To specify, analyze, and optimize existing and future products and services, both proprietary and from third parties; (viii) To export information about human resources, credit risks, and the control and prevention of money laundering; (ix) To build segmented databases; (x) To carry out activities of archiving, updating, storing, and processing information, either by itself or through third parties contracted for this purpose; (xi) To promote and market new and existing products and services, both proprietary and from third parties; to track, measure, and record the spending capacity of the Data Subjects; (xii) To index information and Personal Data based on the behavior of the Data Subjects and their consumer preferences; (xiii) To carry out marketing activities, sending information to physical addresses for advertising or marketing purposes or for the development and execution of previously acquired contractual obligations; (xiv) To conduct statistical analysis of the collected data to optimize the functioning of the provided service; (xv) To ensure the effectiveness and security of transactions carried out on Sustek.co; (xvi) To customize the website and/or mobile applications according to the tastes and interests of the end-user; (xvii) To fully comply with the services agreed upon with customers and users, according to their purposes, to provide the services of Sustek.co; (xviii) To supplement information and, in general, to carry out the necessary activities to manage requests, complaints, and claims submitted by users and third parties, and to direct them to the areas responsible for issuing the corresponding responses; (xix) To send information and commercial offers for Sustek.co's services, as well as to carry out marketing and/or commercialization activities for services it provides or may provide or offer in the future; (xx) To prepare market studies, statistics, surveys, market trend analysis, and satisfaction surveys on the services provided; (xxi) For the transmission of personal data to third parties with whom contracts have been signed for the purpose of carrying out and complying with the service offered through Sustek.co for commercial, administrative, and/or operational purposes; (xxii) To manage all necessary information for the fulfillment of tax obligations and commercial, corporate, and accounting records; (xxiii) To identify users when they access the Website; (xxiv) To proceed with the billing and collection of the service, and; (xxv) To transmit and/or transfer Personal Data to service companies or outsourcing companies that contribute to improving or facilitating operations through Sustek.co, including payment gateways, insurance, or any other companies that fulfill the purpose of this Privacy Policy. Sustek.co will ensure that the policies of third parties have standards similar to those of this Policy, through the signing of agreements, covenants, and/or contracts.\n\nThe Data Subject expressly acknowledges that the collected commercial information will be used for commercial purposes, which includes sending commercial and advertising information related to the products and/or services offered by Sustek.co, which may be done through (i) emails, (ii) text messages (SMS), and/or (iii) phone calls (mobile or landline).
5. RIGHTS OF THE DATA SUBJECT
Sustek.co is committed to protecting the privacy of the Data Subjects and guaranteeing their habeas data rights so that they can know, update, rectify, and request the deletion of their personal data under administration. Therefore, we inform you that the Data Subject, in accordance with Law 1581 of 2012 and Decree 1377 of 2013, has the following rights: (i) To know, update, and rectify their personal data before Sustek.co; (ii) To request proof of the authorization granted to Sustek.co as the Data Controller/Processor; (iii) To be informed by Sustek.co, upon request, about the use given to their Personal Data; (iv) To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and Decree 1377 of 2013, after having exhausted the consultation or claim process with Sustek.co; (v) To revoke the authorization and/or request the deletion of the data when the principles, rights, and constitutional and legal guarantees are not respected in the Processing; and (vi) To access their personal data that has been subject to Processing free of charge.\n\nThe Data Subjects may exercise their legal rights and carry out the procedures established in this Policy by presenting their identity card or any other identification document. Minors may exercise their rights personally or through their parents or the adults who have parental authority, who must prove it with the relevant documentation. Likewise, all legitimized persons may exercise the rights of the Data Subject by presenting the respective document.
6. CONTENT OF THE INFORMATION
For the development of its commercial activities and the correct provision of the offered service, Sustek.co will collect the following information: Personal identification information including but not limited to: names and surnames, telephone, address, and other types of information that allow identifying users. It will also request personal information to purchase services, namely: (i) Names and surnames; (ii) Address; (iii) Email address; (iv) Date of birth; (v) Telephone number; (vi) Data related to the payment method; (vii) Professional information, titles, and both personal and professional references; (viii) Any other information required for the provision of the offered services.\n\nIn the case of services that the company may offer through Internet platforms, Sustek.co will collect the following information: (i) IP (Internet Protocol) address in order to diagnose problems with our server, as well as to administer its Website. An IP address is a number that is assigned to your computer when you use the internet. Your IP address is also used to help identify you within a particular session and to collect general demographic information; (ii) Email address for the use of the Website; (iii) Financial information for the payment of services.
7. SENSITIVE DATA
In the exercise of its commercial object, the company may collect and process Sensitive Data, such as, but not limited to: (i) Images, photographs, and/or voice recordings, and (ii) Data that may imply discrimination due to its processing, such as information related to political, religious, or philosophical affiliation.\n\nLikewise, other Sensitive Data related to health, gender, and any information whose Processing may involve discrimination of the Data Subjects may be processed. In the latter case, the Data Subjects will be informed so that they can give independent and free consent for the Processing of such more delicate Sensitive Data.\n\nThis data will be treated with the highest security standards. Limited access to Sensitive Data is included within the security of their privacy; therefore, only authorized personnel may access such information.
8. AUTHORIZATION
The processing of data requires prior authorization from the Data Subject. For this, the company, its employees, and authorized third parties must collect the Personal Data and ensure that the Data Subject signs and is aware of this document for future inquiries.
9. PROCEDURES
In order for the Data Subject to access their personal information and exercise their rights to know, update, rectify, and request the deletion of the Personal Data that is managed, we present below the existing procedures applicable to the processing of your personal information:\n\n9.1. Inquiries.\nIn accordance with what is established in article 14 of Law 1581 of 2012, data subjects or their successors may consult the personal information of the Data Subject that rests in any database. Consequently, Sustek.co has adequate mechanisms for data subjects to exercise their right of consultation, providing them with all the information contained in the individual record or that is linked to the identification of the Data Subject.\nThe right of Consultation referred to, as well as the other rights whose procedure is explained below, may only be exercised by the Data Subject of the information or their successors, after accreditation of their identity, or through electronic instruments that allow them to be identified, or their representative, after accreditation of representation.\nConsultation requests will be attended to within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend to the consultation within said term, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which their consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.\n\n9.2. Claims.\nIn accordance with what is established in article 14 of Law 1581 of 2012, the Data Subject or their successors who consider that the information contained in a database should be corrected, updated, or deleted, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, may file a claim, which will be processed under the following rules:\nThe claim must be submitted by the Data Subject or their representative, taking into account what is stated in article 15 of Law 1581 of 2012, in the format(s) proposed for this purpose by the person responsible for the Information Processing. If the received claim does not have complete information to process it, that is, with the identification of the Data Subject, the description of the facts that give rise to the claim, the address, and accompanying the documents to be asserted, the interested party will be required within five (5) days following its receipt to correct the faults. After two (2) months from the date of the requirement without the applicant submitting the required information, it will be understood that the claim has been abandoned.\nIn the event that the person who receives the claim is not competent to resolve it, they will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation.\nOnce the complete claim is received, a legend that says \"claim in process\" and the reason for it will be included in the Database maintained by Sustek.co, within a term not exceeding two (2) business days. Said legend must be maintained until the claim is decided.\nThe maximum term to address the claim will be fifteen (15) business days from the day following the date of its receipt. When it is not possible to address it within said term, the interested party will be informed before the expiration of the referred period of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.\n\n9.3. Deletion.\nThe Data Subject has the right, at all times, to request Sustek.co to delete (eliminate) their Personal Data when they consider that they are not being processed in accordance with the principles, duties, and obligations provided for in Law 1581 of 2012; have ceased to be necessary or relevant for the purpose for which they were collected or; the period necessary for the fulfillment of the purposes for which they were collected has been exceeded.\nThis deletion implies the total or partial elimination of personal information in accordance with what is requested by the data subject in the records, files, databases, or treatments carried out by Sustek.co. However, the company may deny the exercise of this right when the Data Subject has a legal or contractual duty to remain in the database; the elimination of data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions or; the data are necessary to protect the legally protected interests of the Data Subject; to carry out an action in the public interest, or to comply with a legally acquired obligation by the Data Subject.\n\n9.4. Revocation of Authorization.\nThe Data Subjects of Personal Data can revoke their consent to the processing of their Personal Data at any time, as long as it is not prevented by a legal provision. For this, Sustek.co will establish simple and free mechanisms that allow the Data Subject to revoke their consent, at least by the same means by which it was granted.\nThere are two modalities in which the revocation of consent can occur. The first may be on the totality of the consented purposes, that is, that Sustek.co must stop processing the Data Subject's data completely; the second may occur on specific types of treatment, such as for advertising or market research purposes. With the second modality, that is, the partial revocation of consent, other purposes of the treatment that the person in charge, in accordance with the granted authorization, can carry out and with which the Data Subject agrees are maintained.\nTherefore, it will be necessary for the Data Subject, when submitting the request for revocation of consent to Sustek.co, to indicate whether the revocation they intend to make is total or partial. In the second hypothesis, it must be indicated with which treatment the Data Subject does not agree.\nThere will be cases in which consent, due to its necessary nature in the relationship between the Data Subject and the person responsible for the fulfillment of a contract or by legal provision, cannot be revoked.
10. DATA TRANSFER
The Data Subject expressly authorizes Sustek.co to share their Personal Data with its business partners who will develop and execute the service chosen by the user. Likewise, the Data Subject authorizes Sustek.co and its business partners to use the Personal Data provided in Sustek.co's own management and within the commercial alliances that Sustek.co subscribes to, in order to generate added value. Therefore, the Data Subject authorizes Sustek.co to keep, update, process, consult, and treat them in the ways established in this Policy.
11. COOKIES
Sustek.co uses “Cookies,” which are small units of information temporarily stored on the user's computer hard drive, useful for navigating the site. The information contained in 'Cookies' is used, for example, for session control, particularly for improved navigation and to obtain high performance as a user-friendly website, and to store personal information related to identification. Most web browsers automatically accept 'cookies'. The user can prevent this by changing their browser settings. You can delete the 'cookies' stored on the PC at any time by deleting the temporary Internet files (\"Tools/Extras\" in the browser bar - \"Internet Options\").
12. MINORS
Our services are only available to those who have the legal capacity to contract. Therefore, those who do not meet this condition must refrain from providing personal information to be included in our databases.\n\nSustek.co will not process sensitive data of minors, the latter being defined by Law 1581 of 2012 as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal union affiliations, racial or ethnic origin, political orientation, religious, moral, or philosophical convictions, membership in unions, social or human rights organizations, or that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties.
13. SECURITY
In developing the principle of security established in Law 1581 of 2012, Sustek.co will adopt the necessary technical, technological, human, and administrative measures to grant security to the records, avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access.\n\nSustek.co will maintain mandatory security protocols for personnel with access to personal data and information systems.
14. REQUEST HANDLING
To address any questions, queries, complaints, claims, or requests for any type of information related to your personal data, particularly to exercise your rights to know, update, rectify, and delete the data or revoke the granted authorization, the Data Subject must contact the administration area, by phone or by email at contact@sustek.co.
15. GENERAL CONSIDERATIONS OF THE RNBD
In the terms of article 2.2.2.26.1.3 of the Unique Regulatory Decree 1074 of 2015, Sustek.co, as a private legal entity acting as the data controller of personal data and information, must independently register the databases containing such information in the National Database Registry. This is in accordance with the terms and conditions of registration provided in Section 3 of Chapter 26 of the Unique Regulatory Decree 1074 of 2015, in which article 2.2.2.26.3.2 establishes that the Superintendence of Industry and Commerce will establish the procedure for registering databases in the National Database Registry that data controllers must comply with, after validating their identity, in accordance with the regulations issued by said entity.
16. CONSULTATION OF THE RNBD
Subject to the provisions of article 2.2.2.26.1.4 of the Unique Regulatory Decree 1074 of 2015, citizens may consult the minimum information provided for in article 2.2.2.26.1 of said decree in the National Database Registry – RNBD – 'in order to facilitate the exercise of their rights to know, update, rectify, delete the data and/or revoke the authorization.'
17. MINIMUM INFORMATION OF THE RNBD
In accordance with article 2.2.2.26.2.1 of the Unique Regulatory Decree 1074 of 2015, the minimum information that the National Database Registry – RNBD – must contain is the following:\n\n• Identification, location, and contact data of the data controller of the database, in this case, Sustek.co, including its name or business name and its tax identification number (NIT) as it is a legal entity (article 2.2.2.26.2.2 of the Unique Regulatory Decree 1074 of 2015).\n\n• Identification, location, and contact data of the data processor(s) of the database, in this case, Sustek.co, in its capacity as data controller of personal data and information, including its name or business name and its tax identification number (NIT) as it is a legal entity (article 2.2.2.26.2.3 of the Unique Regulatory Decree 1074 of 2015).\n\n• Channels for data subjects to exercise their rights, that is, those identified in Chapters VI and VII of this Personal Data Protection Policy.\n\n• Form of database processing, that is, whether the processing activities are carried out manually or automatically.\n\n• This Personal Data Protection Policy.\n\nIn parallel, the last paragraph of article 2.2.2.26.2.1 of the Unique Regulatory Decree 1074 of 2015 states that '[t]he Superintendencia of Industry and Commerce, as a personal data protection authority, may establish within the National Database Registry additional information to the minimum provided for in this article, using the powers attributed to it by Law 1581 of 2012 in literal h) of article 21,' a power it used through External Circular No. 002 of November 3, 2015, including in section 2.1 of said chapter, as additional minimum information to be supplied in the National Database Registry – RNBD – the following:\n\n• Information stored in the database.\n\n• Information security measures.\n\n• Origin of personal data.\n\n• International transfer of personal data.\n\n• International transmission of personal data.\n\n• National assignment or transfer of databases.\n\n• Reporting of news, differentiating between claims filed by data subjects* and security incidents*, which must be reported within the terms and opportunities established for it in numerals (i) and (ii) of literal g) of article 2.1 referenced above.\n\nThe scope of the additional information mentioned above will be that expressly described in article 2.1 of the Second Chapter of Title V of the Sole Circular of the Superintendence of Industry and Commerce, added by External Circular No. 002 of November 3, 2015.
18. PROCEDURE FOR REGISTRATION IN THE RNBD
Sustek.co will proceed to register its databases in the National Database Registry, subject to the provisions of article 2.2.2.26.3.1 of the Unique Regulatory Decree 1074 of 2015 and other binding regulations.\n\nThe registration of the company's databases will be carried out in accordance with the instructions contained in the 'User Manual of the National Database Registry –RNBD–', published on the website of the Superintendence of Industry and Commerce.
19. UPDATING OF THE INFORMATION CONTAINED IN THE RNBD
In accordance with the provisions of article 2.3 of the Second Chapter of Title V of the Sole Circular of the Superintendence of Industry and Commerce, added by External Circular No. 002 of November 3, 2015, Sustek.co will update the information contained in the RNBD.
20. MODIFICATIONS
Sustek.co reserves the right to modify this policy at any time and without prior notice. Any modification will take effect and will have effects on related third parties from its publication on the corresponding channel.
21. VALIDITY
This data policy comes into effect on August 10, 2025.\n\nThe Personal Data that are stored, used, or transmitted will remain in Sustek.co's database for the time necessary for the purposes mentioned in this Policy for which they were collected. Thus, the validity of the database is closely related to the purposes for which the personal data were collected. In this sense, the temporality or validity is subject to the purposes of the Treatment recorded herein.