INFORMATION PROCESSING POLICIES – PONTUM S.A.S.
I. GENERAL INFORMATION
PONTUM S.A.S. (hereinafter, the “Company”) is a Colombian commercial company domiciled in the city of Medellín, duly incorporated and registered with the Medellín Chamber of Commerce for Antioquia, identified with Tax ID No. 890.929.080-7. The Company is engaged in providing real estate services, including intermediation, promotion, purchase, sale, leasing, administration, and management of real estate properties located in Colombia, whether owned by the Company or by third parties.
In line with its corporate purpose, the Company receives, collects, and/or accesses Personal Data either directly from Data Subjects or through third parties with whom it has entered into agreements for the processing of Personal Data.
Additionally, the Company has agreements or contracts for the processing of Personal Data with several of its Strategic Partners (hereinafter, the “Allied Companies”). Therefore, whenever these policies refer to the Company, the Allied Companies shall also be deemed included.
This Policy applies to all databases—both physical and digital—that contain Personal Data and are subject to Processing by the Company, acting as either the Controller or the Processor.
1.1 PURPOSE OF THE POLICY
The primary purpose of this Policy is to inform the Data Subjects of Personal Data about:
(i) the scope and purpose of the Processing to which their Personal Data will be subjected once they provide their prior, express, and informed authorization;
(ii) the rights available to them, as well as the channels, procedures, and mechanisms made available by the Company to exercise such rights; and
(iii) the authorized personnel within the Company responsible for addressing inquiries, complaints, and claims related to the Processing of their Personal Data, to establish the necessary guidelines for compliance with legal obligations regarding Personal Data protection.
1.2 SCOPE OF THE POLICY
This Information Processing Policy applies and is mandatory for all Personal Data processed in any manner by the Company and/or by third parties with whom the Company agrees, in whole or in part, to carry out any activity related to the Processing of Personal Data recorded in the Company’s databases.
1.3 DEFINITIONS
The meanings of the following terms are those contained in Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013:
- Authorization: Prior, express, and informed consent of the Data Subject for the Processing of Personal Data.
- Privacy Notice: Verbal or written communication generated by the Controller and directed to the Data Subject, informing them of the existence of the Information Processing Policy applicable to them, how to access it, and the purposes of the Processing to be carried out on their Personal Data.
- Database: An organized set of Personal Data subject to Processing, regardless of its method of creation, storage, organization, or access.
- Data Quality: Personal Data subject to Processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. When in possession of partial, incomplete, fragmented, or misleading Personal Data, the Company must refrain from processing such data or must request that Data Subjects complete or correct the information.
- Restricted Circulation: Personal Data shall only be processed by Company personnel or by those who, within their functions, are responsible for carrying out such activities. Personal Data may not be provided to unauthorized individuals or to those not enabled by the Company to process it.
- Confidentiality: An element of information security that establishes who may access information and under what circumstances.
- Financial Data: All Personal Data related to the creation, performance, and termination of monetary obligations, regardless of the nature of the contract giving rise to them, is governed by Law 1266 of 2008 or complementary, modifying, or additional regulations.
- Personal Data: Any information linked to, or that may be associated with, one or more identified or identifiable natural persons.
- Public Data: Data that is not semi-private, private, or sensitive. Public Data includes, among others, information relating to a person’s marital status, profession or occupation, and their capacity as a merchant or public official. By nature, Public Data may be contained in public registries, public documents, official gazettes and bulletins, and final judicial rulings not subject to confidentiality.
- Sensitive Data: Data that affects the privacy of the Data Subject or whose improper use may result in discrimination. Examples include data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social or human rights organizations, or groups promoting the interests of any political party or guaranteeing the rights of opposition parties, as well as data relating to health, sex life, and biometric information.
- Rights of Children and Adolescents: Processing shall ensure respect for the prevailing rights of children and adolescents. Only public data concerning minors may be processed.
- Processor: A natural or legal person, public or private, who, alone or jointly with others, carries out the Processing of Personal Data on behalf of the Controller.
- Digital Information: All information stored or transmitted by electronic and digital means, such as email or other information systems.
- Controller: A natural or legal person, public or private, who, alone or jointly with others, decides on the database and/or the Processing of Personal Data.
- Data Subject: The natural person whose Personal Data is subject to Processing.
- Transfer: Occurs when the Controller and/or Processor of Personal Data located in Colombia sends such data to a recipient who, in turn, is a Controller, whether inside or outside the country.
- Transmission: Processing of Personal Data that involves communicating such data to a third party within or outside Colombia when such communication is for Processing by the Processor on behalf of and under the responsibility of the Controller, to fulfill the Controller’s purposes.
- Processing: Any operation or set of operations performed on Personal Data, such as collection, storage, use, circulation, or deletion.
1.4 OUR COMMITMENT
The Processing and safeguarding of Personal Data by the Company, in its capacity as Controller and/or Processor, as applicable, will be carried out in accordance with the purposes, principles, and obligations outlined in this Policy and as provided by Colombian law and other relevant regulations.
II. PURPOSES OF PROCESSING
In the course of its corporate purpose, the Company may Collect, Store, Use, Transfer, Transmit, and, in general, carry out any activity or operation (Processing) on the Personal Data of its clients, suppliers, shareholders, employees, job applicants, former personnel, and other third parties related to the Company, who have granted prior, express, and informed authorization for the Processing of their Personal Data.
The Company shall process Personal Data for the purposes informed at the time the Personal Data is collected and only when such purposes have been expressly authorized by the Data Subject, including but not limited to the following:
a. Maintain updated records of employees, suppliers, clients, and others in the Company’s databases.
b. Fulfill the Company’s obligations of a tax, labor, contractual, commercial, corporate, and accounting nature. Handle petitions, complaints, claims, and suggestions (PQRS). Verify the legal, financial, and technical information of Data Subjects in the various administrative, contractual, or commercial processes undertaken by the Company.
c. Transmit or Transfer Personal Data to third parties for commercial, administrative, and/or operational purposes, in accordance with applicable legal provisions.
d. Prepare actuarial and technical studies, statistics, surveys, and market trend analyses regarding the products and services offered by the Company.
e. Send commercial and/or marketing information.
f. For security purposes and the prevention of unlawful activities such as fraud, corruption, money laundering, and/or terrorism financing, including, but not limited to, consulting binding or restrictive lists and public databases.
g. Provide Personal Data to supervisory and oversight authorities, whether administrative, police, judicial, national, or international.
h. Transmit Personal Data abroad to third parties with whom PONTUM S.A.S. has entered into a data processing agreement, when necessary for the fulfillment of the contractual purpose.
i. Any other purpose arising from the development of the commercial or contractual relationship that links the Company to the Data Subject, or determined in processes for obtaining Personal Data for Processing, always in accordance with the Law.
III. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
In accordance with Our Commitment, established in section 1.4 of this Policy, the Processing of Personal Data by the Company and/or by third parties acting as Data Processors shall be carried out in compliance with the applicable regulations and in line with the following principles:
- Restricted access and circulation: Processing is subject to the limits derived from the nature of the Personal Data, the Constitution, and the law. Accordingly, Processing may only be carried out by persons authorized by the Data Subject and/or by those provided for by law. Personal Data, except for public information, may not be made available on the Internet or through other mass communication or disclosure means, unless access can be technically controlled to provide restricted knowledge solely to Data Subjects or third parties authorized by law.
- Confidentiality: All persons involved in the Processing of Personal Data that is not of a public nature are required to guarantee the confidentiality of the information, even after their relationship with any of the tasks included in the Processing has ended. They may only provide or communicate Personal Data when it pertains to the activities authorized by law. At the termination of said relationship, Personal Data must continue to be Processed in accordance with this Policy and the law.
- Purpose: Processing must serve a legitimate purpose in accordance with the Constitution and the law, which must be disclosed to the Data Subject at the time their Authorization is obtained. Personal Data may not be Processed for purposes other than those informed and consented to by the Data Subjects.
- Comprehensive interpretation of constitutional rights: Rights shall be interpreted in harmony and on an equal footing with the right to information provided in Article 20 of the Constitution and other applicable constitutional rights.
- Legality: Processing referred to in Law 1581 of 2012 and its Regulatory Decrees 1377 of 2013 and 886 of 2014 is a regulated activity that must adhere to the provisions established therein and to any others that may amend or develop them.
- Freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior authorization, except where there is a legal or judicial mandate that waives the need for consent.
- Necessity: The Personal Data being Processed must be strictly necessary for fulfilling the purposes pursued by the database.
- Temporality: The Company will not use the Data Subject’s information beyond the reasonable period required by the purpose that was informed to the Data Subject, and only to the extent that the purpose of the Processing justifies it. Once the Processing purpose(s) has been fulfilled, and without prejudice to legal provisions stating otherwise, the data shall be deleted. Notwithstanding the foregoing, Personal Data must be retained when required for compliance with a legal or contractual obligation.
- Transparency: The Data Subject’s right to obtain information from the Controller or the Processor, at any time and without restrictions, regarding the existence of data concerning them, shall be guaranteed. This is in accordance with section VIII of this Policy.
- Security: Personal Data shall be Processed with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized use, or fraudulent access.
- Accuracy or quality: Information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The Processing of partial, incomplete, fragmented, or misleading data is prohibited; in such cases, the Company may request the Data Subject to complete or correct the information.
IV. TRANSFER AND TRANSMISSION OF PERSONAL DATA
The Company may transfer and transmit Personal Data to third parties with whom it enters into agreements or contracts for the Processing of Personal Data. Such agreements or contracts shall, at a minimum, specify:
- The scope of the Processing.
- The activities to be carried out by the Processor on behalf of the Controller for the Processing of Personal Data.
- The obligations of the Processor toward the Data Subject and the Controller.
- The obligation to process Personal Data on behalf of the Controller, in accordance with the principles that protect such data.
- The obligation to safeguard the security of the databases containing Personal Data.
- The obligation to maintain confidentiality regarding the Processing of Personal Data.
By entering into such agreements or contracts, the Processor undertakes to apply the Controller’s obligations under this Information Processing Policy and to process Personal Data in accordance with the purposes authorized by the Data Subjects and with the applicable laws in force.
In the case of Transfers, compliance shall be ensured with the obligations outlined in Law 1581 of 2012 and its regulatory decrees. If international Transfers take place, PONTUM S.A.S. shall guarantee that the recipient country complies with adequate data protection standards.
V. RIGHTS OF PERSONAL DATA SUBJECTS
5.1 Rights
Personal Data Subjects are entitled to the following rights, as established by law:
- To know, update, and rectify their Personal Data before the Controllers and/or Processors. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, fragmented, or misleading data, or data whose Processing is expressly prohibited or has not been authorized.
- To request proof of the authorization granted to the Controller and/or Processor, except in cases where such approval is expressly exempted as a requirement for Processing, in accordance with Article 10 of Law 1581 of 2012.
- To be informed by the Controller and/or Processor, upon request, regarding the use given to their Personal Data.
- To file complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and any other rules that amend, supplement, or complement it.
- To revoke the authorization and/or request the deletion of data when deemed appropriate or when Processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the Controller and/or Processor engaged in conduct contrary to Law 1581 of 2012 and the Constitution.
- To access free of charge their Personal Data that have been subject to Processing.
- To refrain from answering questions regarding Sensitive Data. Responses concerning Sensitive Data, or data regarding children and adolescents, are optional.
5.2 Authorization of the Data Subject
Without prejudice to the exceptions provided by law, the Processing of Personal Data requires the prior and informed authorization of the Data Subject, which must be obtained by any means subject to subsequent consultation.
Authorization shall be deemed valid when expressed:
(i) in writing,
(ii) digitally,
(iii) orally, or
(iv) through unequivocal conduct by the Data Subject that reasonably indicates that authorization was granted, such as when entering premises with full knowledge of the existence of video surveillance systems.
5.3 Cases Where Authorization Is Not Required
The Data Subject’s authorization shall not be required in the following cases:
- Information requested by the Company or by court order.
- Data of a public nature.
- Cases of medical or health emergency.
- Processing of information authorized by law for historical, statistical, or scientific purposes.
- Data related to the Civil Registry of Persons.
Anyone accessing Personal Data without prior authorization must in all cases comply with the provisions of Law 1581 of 2012 and other applicable rules in force.
5.4 Provision of Information
The information requested by Data Subjects shall primarily be provided by electronic means, or by any other means only if expressly requested by the Data Subject.
The information provided by the Company shall be delivered without technical barriers that impede access. Its content shall be easily readable, accessible, and must fully correspond to that contained in the database.
5.5 Duty to Inform the Data Subject
When requesting authorization from the Data Subject, the Company must clearly and expressly inform them of the following:
a. The Processing to which their Personal Data will be subjected and its purpose.
b. The optional nature of responses to questions regarding Sensitive Data or data about children and adolescents.
c. The rights to which they are entitled as Data Subjects.
d. The identification, physical or electronic address, and telephone number of the Controller.
As Controller of Personal Data, the Company must retain proof of compliance with this provision and, upon request by the Data Subject, provide them with a copy thereof.
5.6 Persons to Whom Information May Be Supplied
Information that meets the conditions established by law may be provided to the following:
- Data Subjects, their successors, or their legal representatives.
- Public or administrative entities in the exercise of their legal functions or by court order.
- Third parties authorized by the Data Subject or by law.
VI. DUTIES OF CONTROLLERS
Controllers of Processing must comply with the following duties, without prejudice to other provisions established by Law and any other applicable regulations:
- Guarantee the Data Subject, at all times, the complete and adequate exercise of the right of habeas data.
- Request and retain, under the conditions established in Law 1581 of 2012, a copy of the respective authorization granted by the Data Subject.
- Properly inform the Data Subject of the purpose of the collection and the rights granted under the authorization.
- Maintain the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.
- Ensure that the information provided to the Processor is truthful, complete, accurate, updated, verifiable, and understandable.
- Update the information by timely communicating to the Processor all updates regarding the data previously provided, and take all necessary measures to ensure the information remains up-to-date.
- Rectify the information when it is incorrect and communicate the necessary corrections to the Processor.
- Provide the Processor, as applicable, only with data whose Processing has been previously authorized in accordance with the Law.
- Require the Processor, at all times, to respect the security and privacy conditions of the Data Subject’s information.
- Handle inquiries and claims submitted, in accordance with the terms established by Law 1581 of 2012.
- Inform the Processor when certain information is under dispute by the Data Subject, once a claim has been filed and while the procedure has not been completed.
- Inform the Data Subject, upon request, about the use given to their data.
- Notify the data protection authority when there are breaches of security codes and risks in the administration of Data Subjects’ information.
- Comply with the Company’s Personal Data Processing Policy.
- Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
VII. DUTIES OF PROCESSORS
Processors must comply with the following duties, without prejudice to other legal provisions:
- Guarantee the Data Subject, at all times, the complete and effective exercise of the right of habeas data.
- Maintain the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.
- Timely carry out the updating, rectification, or deletion of Personal Data in accordance with Law 1581 of 2012 and Section VIII of this Policy.
- Update the information reported by the Controllers within five (5) business days from receipt.
- Handle inquiries and claims submitted by Data Subjects in accordance with Law 1581 of 2012 and Section VIII of this Policy.
- Record in the database the note “claim in process” in the manner regulated by Law 1581 of 2012.
- Insert in the database the note “information under judicial discussion” once notified by the competent authority of judicial proceedings related to the quality of the Personal Data.
- Refrain from circulating information that is disputed by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
- Allow access to the information only to authorized individuals.
- Notify the Superintendence of Industry and Commerce when there are breaches of security codes and risks in the administration of Data Subjects’ information.
- Comply with the Company’s Personal Data Processing Policy.
- Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
VIII. SENSITIVE DATA
8.1 Sensitive Data
The Processing of Sensitive Data, as referred to in Article 5 of Law 1581 of 2012, is prohibited, except in the following cases expressly set out in Article 6 of said law:
a. The Data Subject has given their explicit authorization for such Processing, except in cases where such authorization is not required by law.
b. The Processing is necessary to safeguard the vital interest of the Data Subject, and the Data Subject is physically or legally incapable of granting authorization. In such events, legal representatives must provide authorization.
c. The Processing is carried out in the course of legitimate activities, with appropriate guarantees, by a foundation, NGO, association, or any other non-profit organization whose purpose is political, philosophical, religious, or trade-union related, provided that the Processing refers exclusively to their members or individuals in regular contact due to such purpose. In such cases, data may not be provided to third parties without the Data Subject’s authorization.
d. The Processing relates to data necessary for the recognition, exercise, or defense of a right in a judicial process.
e. The Processing has a historical, statistical, or scientific purpose. In such cases, measures must be adopted to ensure the anonymization of the Data Subjects.
Authorization for the Processing of Sensitive Data must be explicit, and in the case of minors, the superior interest of the child must always prevail, with authorization granted by their legal representatives and respecting the child’s right to be heard, considering their maturity, autonomy, and capacity to understand the matter.
When Processing Sensitive Personal Data, where such Processing is allowed under Article 6 of Law 1581 of 2012, the following obligations must be fulfilled:
- Inform the Data Subject that, due to the nature of Sensitive Data, they are not obliged to authorize its Processing.
- Explicitly and previously inform the Data Subject, in addition to the general requirements for authorization, which of the data to be processed is Sensitive, the purpose of the Processing, and obtain their express consent.
No activity may be conditioned on the Data Subject providing Sensitive Data.
8.2 Rights of Children and Adolescents
The Processing of Personal Data of children and adolescents is prohibited, except when dealing with public data and when such Processing complies with the following parameters and/or requirements:
a. That it responds to and respects the best interests of children and adolescents.
b. That it ensures respect for their fundamental rights.
Once these requirements are met, the legal representative of the child or adolescent shall grant authorization, after the child has exercised their right to be heard. The opinion of the child will be taken into account according to their maturity, autonomy, and capacity to understand the matter.
IX. PROTECTION OF PERSONAL DATA
9.1 General Duty
All members of the Company, in the course of carrying out their duties, shall assume the responsibilities and obligations related to the proper handling of personal information, from its collection, storage, use, and circulation to its final disposition.
9.2 Use of Information
Personal information contained in the databases must be used and processed in accordance with the purposes described in this Policy.
If any area identifies new uses different from those described in this Personal Data Processing Policy, it must notify the Company’s Data Protection Officer, who will evaluate and, where applicable, manage its inclusion in this Policy.
Additionally, the following considerations apply:
- If an area other than the one that initially collected the Personal Data requires use of the data, such use may only be carried out when it is foreseeable based on the Company’s corporate purpose and for a purpose contemplated in this Policy.
- Each area must ensure that recycling practices involving physical documents do not disclose confidential information or Personal Data. Resumes, academic diplomas, academic or employment certificates, medical examination results, or any document containing personally identifiable information must not be recycled.
- Employees may not make decisions that have a significant impact on personal information or legal implications based solely on information generated by the information system; such data must be validated through other physical or manual instruments, or, when necessary, directly with the Data Subject.
- Only authorized employees and contractors may introduce, modify, or delete data contained in databases or documents subject to protection.
- User access permissions are granted by the Company’s IT Department, in accordance with pre-established profiles defined by the process leaders requiring personal information.
- Any use of information other than that established must be previously reviewed with the Company’s Data Protection Officer.
9.3 Storage of Information
The storage of digital and physical information shall be carried out using media that have appropriate safeguards for data protection. This includes physical, IT, and technological security controls, whether in Company facilities and/or data centers or document centers managed by third parties.
9.4 Destruction
The destruction of physical and electronic media shall be carried out using mechanisms that do not allow reconstruction. Destruction shall only take place when it does not contravene any legal provision, and a record of the action must always be maintained.
If a Processor has provided Personal Data or databases to an area for a specific purpose, that area may not use such information for purposes other than those described in this Policy. Upon completion of the activity, the area that requested the information must delete the database or Personal Data used, avoiding the risk of outdated information or pending claims by a Data Subject. Destruction also applies to information in the possession of third parties as well as within Company facilities.
9.5 Incident Management Procedure for Personal Data
An incident shall be understood as any anomaly that affects or could affect the security of databases or the information contained therein.
If an incident is detected, the user must immediately notify the Company’s Data Protection Officer, who shall adopt the appropriate measures. Incidents may affect both digital and physical databases and will trigger the following activities:
a. Incident Notification: If an incident is suspected to affect databases containing personal information, it must be reported to the Company’s Data Protection Officer, who will ensure its registration in the National Database Registry.
b. Incident Management: Each employee, contractor, consultant, or third party is responsible for promptly reporting any suspicious event, weakness, or policy violation that may affect confidentiality, integrity, or availability of Company databases.
c. Identification: All suspicious or abnormal events that indicate potential loss of confidentiality must be evaluated to determine whether they constitute an incident and must be reported to the appropriate organizational level. Any decision involving investigative or judicial authorities must be taken jointly by the Data Protection Officer and the Company’s Legal Department.
d. Reporting: All incidents and suspicious events must be reported as soon as possible to the Data Protection Officer. If sensitive or confidential information is lost, disclosed to unauthorized personnel, or suspected of being so, the Data Protection Officer must be notified immediately. Employees must report to their direct supervisor and the Data Protection Officer any damage or loss of computers or devices containing Personal Data held by the Company. The Data Protection Officer shall inform the Delegation for Personal Data Protection of the Superintendence of Industry and Commerce (SIC) within 15 days of becoming aware of the incident.
e. Disclosure Restrictions: Unless there is a duly justified request from the competent authority, no employee shall disclose information regarding IT systems or networks affected by cybercrime or abuse. The Legal Department shall intervene to provide appropriate advice for any required data disclosure.
f. Criminal Offenses: If a cybercrime is identified under Law 1273 of 2009, the Data Protection Officer and the Legal Department shall report it to the competent judicial investigation authorities. During investigations, the “Chain of Custody” must be ensured to preserve the information for potential legal actions.
g. Resolution: The IT Department, along with any involved areas and those directly responsible for managing Personal Data, must take measures to prevent recurrence of the security incident by correcting vulnerabilities.
h. Incident Closure and Follow-Up: The IT Department, together with the Data Protection Officer and the areas using or requiring the information, shall initiate and document all review tasks regarding actions taken to remedy the security incident. The Data Protection Officer shall prepare an annual analysis of reported incidents, and its conclusions shall be used to develop awareness campaigns to reduce the likelihood of future incidents.
i. Mandatory Reporting to SIC: Security incidents affecting the database must be reported to the National Database Registry within fifteen (15) business days of detection and notification to the responsible area.
j. Containment, Investigation, and Diagnosis: The Data Protection Officer must ensure that actions are taken to investigate and diagnose the causes of the incident, and that the entire management process is documented with the support of the IT Department. Process leaders and/or information asset owners must internally report incidents associated with Personal Data to the Data Protection Officer, who will then report them to the National Database Registry within the legal timeframe.
9.6 Video Surveillance
The Company has video surveillance cameras for compliance with physical security policies, in accordance with the standards established in the Guidelines for the Protection of Personal Data in Video Surveillance Systems issued by the SIC as the competent authority.
Images shall be retained for a maximum period of ninety (90) days. If an image is involved in or serves as evidence for a claim, complaint, or judicial process, it shall be retained until the process is resolved.
X. PROCEDURES TO EXERCISE DATA SUBJECTS’ RIGHTS
The Company has designated the Administrative and Accounting Department of PONTUM S.A.S. as responsible for managing Personal Data and handling requests, complaints, and claims (PQRS) from Data Subjects, who may exercise their rights through the following channels:
- Physical Address: Carrera 43ª No. 1ª Sur 29, Floor 6, Medellín.
- Email: cat-servicioalcliente@catinmobiliario.com
- Telephone: (604) 313 728 72 66
Once a PQRS is received, the person responsible for responding will verify the sender’s information and proceed to reply according to the type of request, in compliance with the Law:
• Inquiries
Data Subjects, or their successors, may consult the personal information of the Data Subject stored in the Company’s database. In such cases, the Company must provide all information contained in the individual record or linked to the Data Subject, after verifying the requester’s identity, within a maximum of ten (10) business days from the date of receipt of the request.
When it is not possible to respond within this timeframe, the Company shall notify the requester, explaining the reasons for the delay and indicating the date on which the inquiry will be answered, which may not exceed five (5) business days following the expiration of the initial period.
Special laws or regulations issued by the National Government may establish shorter deadlines, depending on the nature of the Personal Data.
• Claims
Data Subjects, or their successors, who consider that the information contained in a database should be corrected, updated, or deleted, or who identify noncompliance with any duties contained in this Policy or in the Law, may file a claim with the Company, which will be processed under the following rules:
- The claim must be submitted through the Company’s designated channels, including identification of the Data Subject, a description of the facts giving rise to the claim, a notification address, and supporting documents.
- If the claim is incomplete, the requester will be notified within five (5) days of receipt to correct the deficiencies. If two (2) months pass without the requester providing the required information, it will be understood that the claim has been withdrawn.
- If the person receiving the claim is not competent to resolve it, they must forward it to the appropriate party within two (2) business days and inform the requester.
- Once a complete claim is received, a note stating “claim in process” and its reason shall be included in the database within no more than two (2) business days. This note shall remain until the claim has been resolved.
The maximum time to address the claim shall be fifteen (15) business days from the day following its receipt. If it is not possible to respond within this timeframe, the requester shall be informed of the reasons for the delay and the date on which the claim will be resolved, which may not exceed eight (8) business days after the initial period expires.
XI. APPLICATION AND TERM
This Information Processing Policy has been drafted in accordance with Article 13, “Information Processing Policies,” of Decree 1377 of 2013, issued by the Ministry of Commerce, Industry, and Tourism, which partially regulates Statutory Law 1581 of 2012, supplemented by Decree 886 of 2014. Its purpose is to develop the constitutional right of all individuals to know, update, and rectify information collected about them in databases or files, as well as the other rights, freedoms, and constitutional guarantees referred to in Article 15 of the Colombian Constitution, and the right to information as enshrined in Article 20 of the same.
This Policy shall form an integral part of all agreements and contracts entered into by the Company and may be consulted by Data Subjects on the PONTUM S.A.S. website at the following link: https://pontum.co/
Any modification or update to this Policy shall be published on the Company’s website or sent to the physical or electronic address of the Data Subjects contained in the Company’s database.
This Personal Data Processing Policy shall be effective as of January 1, 2025. The databases in which Personal Data is recorded shall remain valid for as long as the information is maintained and used for the purposes described in this Policy.
Once the purpose(s) of Processing have been fulfilled, and provided that there is no legal or contractual obligation to retain the information, the data shall be deleted from our databases. PONTUM S.A.S. will maintain a record of previous versions for traceability purposes.