1. General
VERSATILE TECHNOLOGY S.A.S. (hereinafter, "The Company") recognizes the importance of personal data protection and is committed to implementing appropriate measures to ensure the privacy of users. In this regard, we strictly adhere to Law 1581 of 2012, Decree 1377 of 2013, as well as international regulations such as the General Data Protection Regulation (GDPR) of the European Union, to ensure that data is treated responsibly and securely.
The purpose of this policy is to inform in a clear and transparent manner how we collect, use, store, share and protect the personal information of our customers, employees, suppliers and any other data subjects who interact with us. In addition, it sets out the rights of data subjects and the procedures for exercising them.
This document applies to all websites, applications, products and services offered by VERSATILE TECHNOLOGY S.A.S., including the domain loom.com.co, and any other service associated with our operation. The Company reserves the right to modify this policy at any time, in compliance with legislative changes or based on new operational needs, informing the owners through appropriate means.
2. Data Controller
VERSATILE TECHNOLOGY S.A.S. is a private law company domiciled in Medellín, Colombia, identified with Nit. 900.356.261-9. The Company is responsible for the processing of the personal data it collects and is obliged to ensure that such data are handled in accordance with current regulations and the highest security standards.
For any inquiry related to the protection of personal data, holders may contact us through the following means:
- Address: Carrera 78 A # 46-77, Medellín, Colombia
- Phone: +57 (604) 358 0398
- E-mail: servicioalcliente@loom.com.co
It is important to note that VERSATILE TECHNOLOGY S.A.S. may appoint a Data Protection Officer (DPO, according to GDPR regulations), who will be in charge of supervising compliance with this policy and managing any inquiry or complaint related to the processing of personal data.
3. Definitions
To better understand this policy, it is important to know some key definitions related to personal data protection:
- Authorization: Prior, express and informed consent of the holder to carry out the processing of their personal data.
- Database: Organized set of personal data that is the object of processing.
- Personal Data: Any information linked or that can be associated to one or several determined or determinable natural persons, such as name, identification number, e-mail, address, among others.
- Sensitive Data: Information that affects the holder's privacy or whose improper use may generate discrimination, such as data on racial or ethnic origin, political orientation, religious or philosophical convictions, health status, sexual life, biometric data, among others.
- Data Processor: Natural or legal person, public or private, that carries out the processing of personal data on behalf of the controller.
- Habeas Data: Fundamental right that allows individuals to know, update and rectify the information that has been collected about them in databases.
- Data Controller: Natural or legal person, public or private, who decides on the database and/or the processing of personal data.
- Holder: Natural person whose personal data is processed.
- Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation, deletion, among others.
4. Principles for the processing of personal data
The processing of personal data at VERSATILE TECHNOLOGY S.A.S. is governed by the following fundamental principles:
- Principle of Legality: The processing of personal data must be subject to the provisions of the law and other provisions that develop it.
- Principle of Purpose: Personal data must be collected for a legitimate, explicit and clear purpose, which must be communicated to the holder at the time of requesting authorization.
- Principle of Freedom: The treatment can only be exercised with the prior, express and informed consent of the holder. Personal data may not be obtained or disclosed without such authorization, except as provided by law.
- Principle of Truthfulness or Quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete or misleading data is prohibited.
- Principle of Transparency: The right of the owner to obtain information about the existence of data concerning him/her, at any time and without restrictions, must be guaranteed in the processing.
- Principle of Access and Restricted Circulation: The processing is subject to the limits derived from the nature of the personal data and the relevant legal provisions. Personal data, except for public information, may not be made available on the Internet or other means of mass dissemination, unless access is technically controllable to provide restricted knowledge only to owners or authorized third parties.
- Principle of Security: The information subject to processing must be handled with the technical, human and administrative measures necessary to secure the records, preventing their adulteration, loss, or unauthorized or fraudulent consultation, use or access.
- Principle of Confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with one of the tasks involved in the processing.
5. Collection of personal data
VERSATILE TECHNOLOGY S.A.S. collects personal data in a variety of ways, including, but not limited to:
- Registration form: When users complete forms on our websites or applications.
- Direct interaction: When users provide information during the purchase of products, services or at events organized by the Company.
- Social networks: Through interaction with our social media profiles.
- Cookies and similar technologies: Through the use of cookies and similar technologies on our websites, in order to improve the user experience and analyze browsing behavior.
6. Purposes of the processing of personal data
Personal data collected by VERSATILE TECHNOLOGY S.A.S. is used for the following purposes:
- Commercial management: To carry out all the necessary steps for the development of our commercial activity, including the sale of products and services, customer service and order management.
- Marketing and advertising: To inform our customers about products, services, promotions, events and other activities related to our operation, as well as to conduct market research and statistical analysis.
- Legal compliance: Comply with legal obligations, such as issuing invoices, managing warranties and responding to requests from competent authorities.
- Continuous improvement: Evaluate and improve the quality of our products, services and technology platforms, based on user feedback and behavior.
- Security and fraud prevention: Protect our systems and data against security threats and detect possible fraudulent activities.
7. Processing of sensitive data
VERSATILE TECHNOLOGY S.A.S. is committed to treating sensitive data with the highest level of protection and to collecting it only when strictly necessary. Sensitive data includes, but is not limited to, health information, biometric data, and religious or political preferences.
Sensitive data will only be processed under the following conditions:
- Express consent: The owner must give his explicit consent for the processing of his sensitive data.
- Specific purpose: Sensitive data will only be used for the specific purposes informed to the owner.
- Reinforced protection: Additional security measures will be implemented to protect sensitive data against unauthorized access, loss or alteration.
8. Processing of data of minors
The processing of personal data of minors will be carried out in strict compliance with the applicable regulations, as established by Law 1581 of 2012 and Decree 1377 of 2013. VERSATILE TECHNOLOGY S.A.S. will only collect and process data of minors when it is necessary for the development of its activity, and always with the prior consent of their legal representatives.
In any case, respect for the fundamental rights of minors, including their right to protection and safety in the digital environment, shall be guaranteed.
9. Information security
VERSATILE TECHNOLOGY S.A.S. implements technical, administrative and information security measures to protect personal data against unauthorized access, alteration, loss or destruction. Our security system complies with recognized standards, such as ISO/IEC 27001, and is designed to ensure data integrity and confidentiality.
Security measures include:
- Data encryption: We use encryption technologies to protect information during transmission and storage.
- Access control: We implement restricted access controls, allowing access to data only to those employees or contractors who need the information to perform their duties.
- Security audits: We perform periodic security audits to identify and correct vulnerabilities in our systems.
- Training: We train our employees in information security and personal data protection to ensure compliance with our policies.
10. International transfer and transmission of personal data
In some cases, VERSATILE TECHNOLOGY S.A.S. may need to transfer or transmit personal data to third parties located in countries outside Colombia. This may occur, for example, when we use cloud storage services or technology service providers operating abroad.
When international data transfers are made, VERSATILE TECHNOLOGY S.A.S. will ensure that the recipient of the data complies with the protection standards established in Colombian legislation and, where applicable, in international regulations such as the GDPR. In particular, the following measures will be implemented:
- Standard contractual clauses: Contracts with third parties shall include clauses obliging the recipient to protect personal data in accordance with applicable standards.
- Risk assessment: We will conduct risk assessments to ensure that international data transfers do not expose data subjects to undue risk.
- Consent of the holder: Where required by law, we will obtain the consent of the data subject prior to the international transfer of his or her data.
11. Rights of the owners
In accordance with Law 1581 of 2012 and the GDPR, personal data subjects have the following rights:
- Right of access: To know, update and rectify your personal data before VERSATILE TECHNOLOGY S.A.S. or the persons in charge of the treatment.
- Right of rectification: Request correction of inaccurate or incomplete data.
- Right of suppression: Request the deletion of your data when you consider that they are not necessary for the purposes for which they were collected, provided that there is no legal or contractual obligation that requires their conservation.
- Right of opposition: Oppose the processing of your data in specific situations, especially in the case of direct marketing.
- Right to data portability: Receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and transfer it to another data controller, when technically feasible.
- Right to revoke consent: To revoke the consent given for the processing of your personal data at any time.
To exercise these rights, the owners may contact VERSATILE TECHNOLOGY S.A.S. through the means indicated in section 2. The Company undertakes to respond to the requests of the owners within the deadlines established by law.
12. Procedures for inquiries, complaints and claims
VERSATILE TECHNOLOGY S.A.S. has established clear procedures for the attention of queries, complaints and claims related to the processing of personal data. Holders may submit their requests through the following means:
- E-mail: servicioalcliente@loom.com.co
- Phone: +57 (604) 358 0398
- Mailing address: Carrera 78 A # 46-77, Medellín, Colombia
Applications must include the following information:
- Identification of the holder: Full name and identification number.
- Description of the request: Details of the inquiry, complaint or claim.
- Supporting documentation: Copies of supporting documents, if applicable.
The application process includes the following steps:
- Reception and verification: Once the application is received, it will be verified that it contains the necessary information to be processed.
- Analysis and response: VERSATILE TECHNOLOGY S.A.S. will analyze the request and respond within a maximum of fifteen (15) business days. If more time is required to resolve the request, the holder will be informed of the delay and the estimated date of response.
- Execution: If the request is admissible, the necessary actions will be taken to correct, update or delete the personal data as appropriate.
In case the holder is not satisfied with the response received, he/she may file a complaint with the Superintendence of Industry and Commerce, the entity in charge of supervising compliance with data protection regulations in Colombia.
13. Retention of personal data
VERSATILE TECHNOLOGY S.A.S. will retain personal data for as long as necessary to fulfill the purposes for which they were collected, or as long as required by legal, contractual or regulatory obligations.
Retention periods may vary according to the type of data and the purpose of the processing. For example:
- Commercial data: They will be retained as long as the holder maintains an active business relationship with the Company and for as long as necessary to comply with tax or contractual obligations.
- Marketing data: They will be kept until the owner requests their deletion or revokes his/her consent.
- Employee data: They will be kept for the duration of the employment relationship and for the years necessary to comply with labor and social security obligations.
Once the retention period has expired, the data will be securely and definitively deleted, unless there is a legal provision requiring its retention for an additional period.
14. Updates to the privacy policy
VERSATILE TECHNOLOGY S.A.S. reserves the right to update or modify this privacy policy at any time, to reflect changes in our practices, legal obligations, or improvements in the protection of personal data.
When significant changes are made to the policy, we will inform holders through our official channels, such as e-mails, notifications on our websites, or any other appropriate means.
It is the responsibility of the holders to periodically review this policy to be informed of any changes. Continued use of our services following the posting of changes will be deemed acceptance of the changes.
15. Annexes
To complement this privacy policy, VERSATILE TECHNOLOGY S.A.S. also has internal documents and procedures detailing our data security and handling practices. These include:
- Data Protection Policies and Procedures Manual: An internal document that establishes detailed guidelines on the management of personal data, including procedures for handling requests from data subjects and the security measures implemented.
- Privacy Impact Assessments (PIA): Analysis performed to identify and mitigate risks in the processing of personal data, especially in new projects or services.
- Contracts with Data Processors: Legal agreements with third parties that process personal data on behalf of VERSATILE TECHNOLOGY S.A.S., ensuring that they comply with our policies and current regulations.