information and personal data processing and privacy protection policy

1. Introduction:
Based on the Statutory Law 1581 of 2012 “Whereby general provisions are issued for the protection of personal data” and Decree 1377 of 2013, “Whereby Law 1581 of 2012 is partially regulated” FRAIER S.A.S. (“THE OPERATOR”), domiciled in the city of Bogotá D.C., as the party responsible for the processing of personal data of others, hereby adopts the policies and procedures to guarantee the right of individuals to know, update and rectify the information that has been registered about them in databases and/or files.

This Policy applies to all personal information of customers, prospects, contractors, suppliers, employees, or any other person who for any reason provides information to THE OPERATOR.

THE OPERATOR may update this policy at any time, either for attention to legislative, regulatory or jurisprudential developments, internal policies, or for any other reason or circumstance, which will be informed and made known in a timely manner, through a written document, publication on the website, verbal communication or by any other technology; for this reason it is recommended to the holder of the personal data, to review it regularly to ensure that you have read the most updated version.

In accordance with the current legislation on the matter, the following definitions are established, which will be applied and implemented taking into account the interpretation criteria that guarantee a systematic and integral application, and in accordance with the technological advances, technological neutrality; and the other principles and postulates that govern the fundamental rights that surround, orbit and surround the right of habeas data and protection of personal data.

• Authorization: Prior, express and informed consent of the holder to carry out the processing of personal data.
• Database: Organized set of personal data that is subject to Processing.
• Personal information: Any information linked or that can be associated to one or several determined or determinable natural persons.
• Data Processor: Natural or legal person, public or private, that by itself or in association with others, carries out the processing of personal data on behalf of the controller.
• Responsible for the Processing: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of data.
• Holder: Natural person whose personal data is processed.
• Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

2. Responsible for the processing of personal data
The party responsible for the processing of your personal data is FRAIER S.A.S., a simplified joint stock company, incorporated and organized under the laws of the Republic of Colombia, domiciled in Bogotá D.C., identified with NIT 830.124.711-2, with its main office at Carrera 62 #10-40 Bogotá D.C., Tel: 601-7033421.

3. Personal information
This policy shall be applied to the personal data base registered and to be registered of guests, visitors, customers, suppliers, contractors, shareholders or employees or any natural or legal person who provides their data for legal, contractual, commercial or labor purposes.

THE OPERATOR may request, without limitation, the following information:

-Names and surnames
-Type and number of identification or passport
-Nationality and country of residence
-Date of birth and gender
-Marital status and relationship with minors using the services of the business establishment.
-Contact information such as address, email, landline and cell phone.
-Profession or trade and company where he/she performs his/her duties.
-Origin and destination
-Reason for the trip
-Credit card information

These data are confidential and will be stored in the computer centers of the establishment of commerce, own or outsourced to third parties, who will follow the same policy of data processing.

4. Purpose of personal data
The collection of personal data and its automated processing are intended to facilitate the management, administration, improvement and expansion of the various services and products, marketing, management or monitoring of incidents, as well as the sending of communications, and any other purpose that in the exercise of its corporate purpose requires. Thus, personal data are used exclusively for the following purposes, which you authorize by accepting this policy:

-To comply with the legal provisions and requirements of the different governmental entities.
-Creation and preservation of documents is legally required by accounting standards.
-Marketing of the products and services of the business establishment.
-Sending of communications and attention to requests, complaints and claims,
-Improvement of services offered
-Management of requests, complaints and claims.
-Allow auditing of third parties internal or external to the business establishment.

5. Exercise of the rights of the holder of the personal data to know, update, rectify and delete their information.
The holder may exercise his/her right to know, update, rectify and delete the personal data he/she has provided to THE OPERATOR by sending a communication, through the following means:

-Email: gerencia@fraier.com.co
-Telephone: 601-7033421

Pursuant to the provisions of Article 20 of Decree 1377 of 2013, the rights of the holders established in the Law may be exercised by:

-The Holder, who must prove his identity sufficiently by the different means made available to him by the responsible party.
-By their successors in title, who must prove their status as such.
-By the representative and/or attorney-in-fact of the Holder, upon accreditation of the representation or power of attorney.

The request or right exercised by the owner of the personal data must contain the name and surname of the user and the contact information to receive notifications. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized by its owner.

The owner of the personal data may request to THE OPERATOR a copy of the data held about him/her, Likewise, THE OPERATOR will update, rectify or delete the data when they are inaccurate, incomplete or no longer necessary or relevant for the initial purpose.

The holder will be able to consult his personal data free of charge once every calendar month and every time there are substantial modifications to the data processing policies of THE OPERATOR.

In compliance with the above, the following procedure is established:

5.1 Processing of inquiries and complaints made Inquiries: The Holders or their successors in title may consult the personal information of the Holder contained in any database of THE OPERATOR, who will provide them with all the information contained in the individual record or that is linked to the identification of the Holder. The consultation shall be formulated in writing, in the areas indicated in paragraph 4, as long as it is the owner of the data. The consultation will be answered within ten (10) working days from the date of receipt of the same. When it is not possible to attend the consultation within said term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.

Claims: The Data Subject or his assignees who consider that the information contained in a database of THE OPERATOR should be corrected, updated or deleted, may file a claim before gerencia@fraier.com.co which will be processed under the following rules:

The claim shall be formulated by means of a request addressed to THE OPERATOR, with the following information:

-Holder Identification.
-The description of the facts giving rise to the claim.
-The address and accompanying documents need to be asserted.

If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the request, if the applicant has not submitted the required information, it will be understood that the claim has been withdrawn. If the person who receives the claim is not competent to resolve it, he/she will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation.

Once the complete claim has been received, it will be processed within a term no longer than fifteen (15) business days from the day following the date of its receipt. When it is not possible to attend the claim within such term, the interested party shall be informed of the reasons why THE OPERATOR has not been able to complete the process and the date on which the claim will be attended, which in no case may exceed eight (8) working days following the expiration of the first term. Revocation of authorization and/or deletion of data: The holders may at any time request THE OPERATOR as data controller the deletion of their personal data and/or revoke the authorization granted for the processing of such data. THE OPERATOR as data controller shall keep track of the receipt of the request for deletion of data or revocation of authorization, including its date of receipt. The maximum term to attend the revocation and/or suppression of data will be fifteen (15) working days from the day following the date of receipt. When it is not possible to attend the claim within such term, the interested party shall be informed of the reasons why THE OPERATOR has not been able to complete the process and the date on which the claim will be attended, which in no case may exceed eight (8) working days following the expiration of the first term. If upon expiration of the respective legal term, THE OPERATOR has not deleted the personal data, the Data Subject shall have the right to request the Superintendence of Industry and Commerce to order the revocation of the authorization and/or the deletion of the personal data, in accordance with the procedure described in Article 22 of Law 1581 of 2012.

6. Duties as data processor
THE OPERATOR is directly in charge of the treatment and custody of the Personal Data collected and stored; however, it reserves the right to delegate such treatment to a third party, for which it shall require the person in charge the attention and implementation of the policies and procedures suitable for the protection of personal data and the strict confidentiality of these, in accordance with the provisions of Article 18 of Law 1581 of 2012.

7. Sensitive Data
For the purposes of the Personal Data Protection Law and the present personal data processing policies, sensitive data are understood as those related to the privacy of the holder, such as those revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data. THE OPERATOR reiterates its apolitical nature, as well as that it is an entity without excluding religious or ethnic orientations. However, the holder of the personal information is not obliged to provide sensitive data, therefore, any request for such data will require express authorization.

8. Personal data of minors
The personal data on children and adolescents contained in the databases of THE OPERATOR and that are necessary for the provision of the services of LODGING, will be used solely and exclusively for the purpose of recording and gathering statistics. THE OPERATOR ensures its protection in accordance with the Political Constitution and the Law. In any case, any use of the data of minors that are registered in the databases of THE OPERATOR or that are requested must be expressly authorized by the legal representative of the child or adolescent, prior exercise of the minor’s right to be heard, an opinion that will be assessed considering the maturity, autonomy and ability to understand the matter. Likewise, THE OPERATOR will facilitate to the legal representatives of the minors the possibility that they can exercise the rights of access, cancellation, rectification and opposition of the data of their guardians.

9. Third parties
The databases or files will not be provided to third parties, unless expressly authorized by the owner, or in the cases provided by law. THE OPERATOR has entered into confidentiality agreements with all parties involved to ensure data protection.

10. Security measures adopted in relation to the processing of personal data
THE OPERATOR informs the holders of the personal data that it has adopted the necessary technical, human and administrative measures to guarantee the security and confidentiality of the data and to avoid its alteration, loss, consultation, use or unauthorized access. The personal data provided by the Holder of the information to THE OPERATOR shall be managed confidentially, with the due constitutional and legal guarantees and other applicable rules for the protection of personal data. The information will be incorporated in the different databases managed by THE OPERATOR, and whose responsibility and management is in charge of the commercial establishment.

THE OPERATOR has security protocols and access to information systems. Access to the different databases is restricted even for our employees and collaborators. Our employees are committed to confidentiality and proper handling of databases in accordance with the policies on the treatment of information established by law. The system where the databases are stored is physically protected in a secure location. Only authorized personnel can access it and therefore the personal data of those involved under a protected system.

Therefore, THE OPERATOR shall grant the guarantees and assume the obligations or liabilities for loss or theft of information from its computer system only when due to negligence or fraud, an unauthorized third party accesses the information, and shall diligently and prudently seek the security of the information in digital or physical media.

11. Acceptance of these policies
The holder of the personal data declares that he/she has read and accepts the present Policy of Treatment of Personal Data of THE OPERATOR. Taking into account that there is or may be a recurring relationship between the holders of personal data and THE OPERATOR and that the latter has explicitly requested from its prospects, collaborators and contractors the authorizations to continue with the processing of personal data already collected, in accordance with the provisions of Article 10 of Decree 1377 of 2013; THE OPERATOR will continue to use the stored data necessary to offer the services for normal operation, as long as the Data Subject does not contact the Controller to request the deletion of his/her personal data under the legal terms, without prejudice to the power of the Data Subject to exercise his/her rights at any time and request the deletion of the data.

12. Validity of personal data processing policies
The present personal data treatment policy will be in force as of its publication and during the time in which the commercial establishment carries out the activities of its corporate purpose.

13. Contact with the person in charge
For any information regarding this Data Protection Policy, please contact us at gerencia@fraier.com.co. This manual is effective as of its publication on the casarosada.co website.