Privacy Policy

INFORMATION PROCESSING POLICY

This document sets forth a description of the policy for the processing of personal data of natural persons (hereinafter the Policy) that is applied by ESENCIA CAFETERA, in compliance with Law 1581 of 2012 “By which general provisions are issued for the protection of personal data” and its regulatory decree (or any other rule that regulates, adds to, executes, complements, modifies, eliminates or repeals Law 1581 of 2012).

1.OBJECT

This Policy establishes the legal guidelines under which ESENCIA CAFETERA processes personal data, setting out the purposes, the rights of the data subjects, as well as the procedures for exercising such rights before ESENCIA CAFETERA.

2. DEFINITIONS

The following definitions are terms established in Law 1581 of 2012 and must be taken into account in order to understand this Policy.

1. a) Authorization : Prior, express and informed consent of the Holder to carry out the Processing of personal data;
2. b) Database : An organized set of personal data that is subject to processing;
3. c) Personal data : Any information linked to or that can be associated with one or more specific or identifiable natural persons;
4. d) Processor : Natural or legal person, public or private, who, alone or in association with others, carries out the processing of personal data on behalf of the Data Controller ;
5. e) Data Controller : Natural or legal person, public or private, who alone or jointly with others, decides on the database and/or the processing of the data;
6. f) Data Subject : Natural person whose personal data is subject to Processing;
7. g) Processing : Any operation or set of operations performed on personal data;
8. h) Sensitive data : data related to racial or ethnic origin, membership in trade unions, social or human rights organizations, political or religious beliefs, sexual orientation, biometric data, or health data. This information may not be provided by the data subject.

3. PRINCIPLES GUIDING THE PROCESSING OF PERSONAL DATA

The processing of personal data must be carried out respecting the general and special rules and principles established in Law 1581 of 2012 and its regulatory decree, which include:

1. a) Principle of legality in matters of data processing: The processing of personal data is a regulated activity that must comply with the provisions of Law 1581 of 2012 and other provisions that develop it.
2. b) Principle of purpose: The processing of personal data is for a legitimate purpose in accordance with the Constitution and Law 1581 of 2012, which must be communicated to the Data Subject;
3. c) Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives the requirement for consent;
4. d) Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data is prohibited;
5. e) Principle of transparency: In the Processing, the right of the Data Subject to obtain from the Controller or the Processor, at any time and without restrictions, information about the existence of data concerning him or her must be guaranteed;
6. f) Principle of restricted access and circulation: The Processing is subject to the limits derived from the nature of the personal data, the provisions of this law and the Constitution. In this sense, the Processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for in Law 1581 of 2012;
7. g) Security Principle: The information subject to Processing by the Data Controller or Data Processor referred to in Law 1581 of 2012, must be handled with the technical, human and administrative measures that are necessary to provide security to the records, preventing their alteration, loss, consultation, use or unauthorized or fraudulent access;
8. h) Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks that comprise the processing has ended, and may only supply or communicate personal data when it corresponds to the development of the activities authorized in Law 1581 of 2012 and in accordance with its terms .

4. AUTHORIZATION

4.1. Each piece of personal data to be used by ESENCIA CAFETERA must have authorization, which must be obtained from the data subject prior to, and at the latest at, the time of collection of the personal data, either in the following form: (i) oral; ( ii ) written; ( iii ) by checkbox ; ( iv ) through unambiguous conduct of the data subject that reasonably allows the conclusion that authorization was granted. However, under no circumstances may the silence of the data subject regarding authorization be considered unambiguous conduct.

4.2. When requesting authorization, the data subject must be informed:

(i) The treatment to which your personal data will be subjected and the purpose thereof ;

(i) The optional nature of the response to the questions asked, when these relate to sensitive data or to the data of girls, boys and adolescents;

( iii ) The rights you have as the Holder;

( iv ) The identification, physical or electronic address and telephone number of the Data Controller .

4.3. Cases in which authorization is not required: The Holder’s authorization will not be necessary when it comes to:

(i) Information required by a public or administrative entity in the exercise of its legal functions or by court order.

( ii ) Data of a public nature.

( iii ) Cases of medical or health emergency.

( iv ) Processing of information authorized by law for historical, statistical or scientific purposes.

(v) Data related to the Civil Registry of Persons.

5. TREATMENT

Personal data is collected, stored, organized, used, cleaned, analyzed, circulated, transmitted, transferred, updated, rectified, suppressed, deleted, cross-referenced with information from the company and/or authorized third parties and generally managed in accordance with and in proportion to the purpose or purposes of each processing activity.

5.1. Processing of sensitive data

Sensitive data: In accordance with the provisions of Law 1581 of 2012 in its Article 5, sensitive data is understood as: “those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data relating to health, sexual life and biometric data.”

ESENCIA CAFETERA will apply the legal limitations to the processing of sensitive data, therefore ensuring that:

1. a) The Data Subject has given explicit authorization to said Processing, except in cases where the granting of such authorization is not required by law.
2. b) The processing is necessary to protect the vital interests of the data subject and the data subject is physically or legally incapable of giving consent. In these cases, the legal representatives must give their authorization.
3. c) The processing is carried out in the course of legitimate activities and with appropriate safeguards by a foundation, NGO, association, or any other non-profit organization whose purpose is political, philosophical, religious, or trade union-related, provided that the processing relates exclusively to its members or to persons who maintain regular contact with it in connection with its purpose. In these cases, the data may not be disclosed to third parties without the data subject’s consent.
4. d) The processing refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
5. e) The processing has a historical, statistical or scientific purpose . In this event, measures will be taken to suppress the identity of the data subjects.

5.2. Processing of personal data of children and adolescents:

In principle, Law 1581 of 2012 prohibits any processing of personal data of children and adolescents.

Notwithstanding the foregoing, the interpretation given by the Constitutional Court exceptionally establishes the processing of personal data of children and adolescents when the following criteria are met:

(i) The purpose of the treatment responds to the best interests of children and adolescents.

( ii ) Ensure respect for the fundamental rights of children and adolescents.

( iii ) In accordance with the maturity of the child or adolescent, their opinion should be taken into account.

( iv ) Compliance with the requirements set forth in Law 1581 of 2012 for the processing of personal data.

Therefore, once these requirements are met, the processing of personal data can be carried out; however, it should be clarified that the authorization for said processing must be granted by the legal representative of the minor, who, in principle, will be jointly his parents, and the provisions of Law 1581 of 2012 must be applied, that is, the prior authorization provided for in said Law.

6. PURPOSES

The personal information of the Data Subjects that is processed has the following purposes:

(i) Strengthen the ESENCIA CAFETERA brand.

( ii ) Conduct statistical studies that allow for the design of improvements in the services provided or products offered.

( iii ) Manage basic administrative tasks.

( iv ) To inform by any means, the news, current and future products and services related to offers, events, promotional activities and other commercial purposes directly or indirectly related to the activity of the tour operator agency ESENCIA CAFETERA and/or news, products and services promoted directly by the strategic partners of ESENCIA CAFETERA that generate added value for users and/or clients.

(v) Sending advertising material related to the products and services of ESENCIA CAFETERA, its authorized assignees, licensees.

(vi) Analyze and measure the quality of the products and services offered by ESENCIA CAFETERA, its authorized representatives, assignees, and licensees.

( vii ) To be used by ESENCIA CAFETERA in the ordinary course of its business.

( viii ) Design improvements to products, processes, services, create new products and services.

7. DUTIES OF ESENCIA CAFETERA AS CONTROLLER OF PERSONAL DATA

Controllers must comply with the following duties, without prejudice to the other provisions of this Law and other laws governing their activity:

(i) Guarantee to the Holder, at all times, the full and effective exercise of the right of Habeas Data;

( ii ) Request and keep, under the conditions provided for in this Law, a copy of the respective authorization granted by the Holder;

( iii ) Duly inform the Holder about the purpose of the collection and the rights that he/she has by virtue of the authorization granted;

( iv ) Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use or unauthorized or fraudulent access;

(v) Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable and understandable;

(vi)) Update the information, promptly communicating to the Data Controller all changes regarding the data previously provided and take other necessary measures to ensure that the information provided to the Data Controller remains up to date;

( vii ) Rectify the information when it is incorrect and communicate the relevant information to the Data Controller;

( viii ) Provide the Data Processor, as the case may be, only with data whose processing has been previously authorized in accordance with the provisions of this Law;

( ix ) Require the Processor at all times to respect the security and privacy conditions of the Data Subject’s information;

(x) Process inquiries and claims made in accordance with the terms set forth in this Law;

(xi) Adopt an internal manual of policies and procedures to ensure proper compliance with this Law and, in particular, to handle inquiries and complaints;

( xii ) Inform the Processor when certain information is under discussion by the Data Subject, once the complaint has been filed and the respective process has not been completed;

( xiii ) Inform the Holder, upon request, about the use given to their data;

( xiv ) Inform the data protection authority when security code violations occur and there are risks in the management of the information of the Data Subjects.

( xv ) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

8. DUTIES OF ESENCIA CAFETERA, IN CASE OF ACTING AS PROCESSOR OF PERSONAL DATA

Data Processors shall comply with the following duties, without prejudice to the other provisions of this Law and other laws governing their activity:

(i) Guarantee to the Holder, at all times, the full and effective exercise of the right of Habeas Data;

( ii ) Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use or unauthorized or fraudulent access;

( iii ) To promptly update, rectify or delete the data in accordance with the terms of this Law;

( iv ) Update the information reported by the Data Controllers within five (5) business days from receipt;

(v) Process inquiries and claims made by the Holders in accordance with the terms set out in this Law;

(vi) Adopt an internal manual of policies and procedures to ensure proper compliance with this Law and, in particular, to address inquiries and complaints from Data Subjects;

( vii ) Register in the database the legend “claim in process” in the manner regulated in this Law;

( viii ) Insert the legend “information under judicial discussion” into the database once notified by the competent authority about judicial processes related to the quality of the personal data;

( ix ) Refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Superintendency of Industry and Commerce;

(x) Allow access to information only to people who are authorized to access it;

(xi) Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the management of the information of the Holders;

( xii ) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

PARAGRAPH 1. In the event that the roles of Data Controller and Data Processor are held by the same person, the person will be required to fulfill the duties established for each role.

PARAGRAPH 2. ESENCIA CAFETERA will ensure that the Processors of Personal Data comply with the obligations established herein.

9. RIGHTS OF THE DATA SUBJECTS

ESENCIA CAFETERA will ensure that the rights of the owners of the personal data contained in its databases are respected; these rights are:

1. a) To know, update and rectify your personal data held by ESENCIA CAFETERA and other companies responsible for processing your personal data. This right may be exercised, among others, with respect to data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or has not been authorized.
2. b) Request proof of the authorization granted, except when expressly excepted in the Law as a requirement for the Treatment, in accordance with the provisions of Article 10 of Law 1581 of 2012 (or in its absence with the rules that regulate, add, execute, complement, modify, suppress or repeal it) or when the continuity of the treatment has been presented in accordance with Article 10 numeral 4° of Decree 1377 of 2013.
3. c) To be informed by ESENCIA CAFETERA or any of the companies in charge of the Processing of personal data, upon request, about the existence of data concerning him/her and the use that has been made of his/her personal data.
4. d) To be informed, upon request, regarding the use that has been made of their personal data.
5. e) To submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add to or complement it;
6. f) Revoke authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that the controller or processor has engaged in conduct contrary to the Law and the Constitution;

The request for deletion of information and revocation of authorization will not proceed when the Holder has a legal or contractual duty to remain in the database or the controller has a legal or contractual duty to continue with the Processing.

1. g) Access free of charge to your personal data that has been processed.

10. PROCEDURES FOR INQUIRIES AND COMPLAINTS

For the purpose of enabling data subjects to make requests, inquiries and claims, to know, update, rectify, delete information and revoke the authorization granted or request proof thereof and in general exercise their rights, the email address [email protected] has been provided, addressed to ESENCIA CAFETERA.

10.1 Inquiries: Holders or their heirs may inquire about the Holder’s personal information held in any database, whether public or private.

The Data Controller or Processor must provide all information related to the Data Subject.

10.1.1. Timeframe: Inquiries must be addressed within a maximum of ten (10) business days from the date of receipt . If it is not possible to address the inquiry within this timeframe, the interested party will be informed of the reasons for the delay and the date on which their inquiry will be addressed, which in no case may exceed five (5) days following the expiration of the initial timeframe.

10.2. Claims : The Holder or his heirs who consider that the information contained in a database should be subject to: correction, updating or deletion, or when they notice that there is an alleged breach of the duties contained in the Law, may file a claim.

10.2.1. Requirements for submitting claims :

(i) The complaint must be addressed to the Data Controller or Processor;

( ii ) Must contain identification of the holder.

( iii ) Description of the facts giving rise to the claim.

( iv ) The physical address or email address; and

(vi) The documents required to support the claim;

10.2.2. If the claim is incomplete: the interested party will be required within five (5) days of receiving the claim to correct the deficiencies. If the interested party does not submit the required information within two (2) months, it will be understood that they have withdrawn the claim.

10.2.3. If the claim is complete: Once the claim is received, and no later than two (2) business days after receiving it, it will be included in the database with a note stating “claim in process” and the reason for the claim . This note must remain until the claim is resolved.

10.2.4 Timeframe: The maximum timeframe for addressing the claim will be fifteen (15) business days, starting from the day after the date of receipt. If it is not possible to address the claim within this timeframe, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial timeframe.

10.3. When data deletion is requested, it cannot be carried out when:

(i) It is a legal or contractual obligation to retain such data.

( ii ) Retaining the data is essential to safeguard the interests of the Data Subject or the Public Interest.

( iii ) The suppression hinders or impedes the exercise of the functions of the administrative or judicial authorities.

( iv ) The request is made by a third party unrelated to the holder and who is not duly authorized.

10.4. When requesting revocation of authorization: the interested party must specify whether the revocation is total or partial. Revocation of authorization is partial when the interested party states that they wish to revoke the processing of their personal data for certain specific purposes, such as advertising, contests, consumer studies, etc. Revocation of authorization is total when the interested party requests that the processing of personal data be stopped for all authorized purposes.

Complaints to the Superintendency of Industry and Commerce:

The Holder or successor may only file a complaint with the Superintendency of Industry and Commerce once the consultation or claim procedure provided for in the Policy has been exhausted.

11. POLICY CHANGES

ESENCIA CAFETERA reserves the right to revise this Policy at any time. ESENCIA CAFETERA will publish any changes to this Policy on the website where they are available. When substantial modifications are made to this Policy, data subjects will be notified by sending a notice to the email address they have registered, either before or at the latest upon implementation, informing them that they can consult the new policy on the website where it is available. This notice will indicate the date from which the new policy will take effect. When the change relates to the purposes of data processing, data subjects will be asked for new authorization to apply the changes.

12. REQUIREMENTS OF THE AUTHORITIES

ESENCIA CAFETERA, its authorized representatives, assignees, and licensees will cooperate with the competent authorities to ensure compliance with the laws regarding the protection of industrial property, copyright, fraud prevention, and other matters.

The Data Subjects expressly authorize ESENCIA CAFETERA to provide any personal information about them in order to comply with any request from a competent authority and to cooperate with said authorities to the extent that we, at our sole discretion, deem necessary and appropriate in connection with any investigation of an offense, violation of the Consumer Protection Statute, infringement of intellectual or industrial property rights, or other activity that is illegal or that may expose ESENCIA CAFETERA, its authorized representatives, assignees, or licensees to any legal liability. Furthermore, the Data Subjects authorize the disclosure of their personal data to the competent authorities in connection with any investigations they may conduct.

13. CURRENT NATIONAL LEGISLATION AND APPLICABLE JURISDICTION

This Policy is governed by the laws of the Republic of Colombia and by the provisions of Law 1581 of 2012, its regulatory decree and other regulations that modify, repeal or replace them.

14. VALIDITY

This Policy will come into effect as of November 2025.

The databases will have a validity equal to the period in which the purpose or purposes of the processing are maintained in each database, or the validity period indicated by a legal, contractual or jurisprudential cause in a specific way.