Pyramid Consulting S.A.S Data Protection Policy

PYRAMID CONSULTING S.A.S., identified with NIT 900.063.781-9, with address at Carrera 7 # 156- 68 Torre 3 office 703, as the person responsible for the processing of personal data, is allowed to inform the update of the privacy notice and the privacy policy protection of personal data of its clients, users, suppliers and employees that was communicated and published on the portal www.pyramidconsulting.co.

Frequently Asked Questions Regarding the Protection of your Personal Data

How does Pyramid Consulting S.A.S collect your information?

PYRAMID CONSULTING S.A.S., only collects your personal data when you provide them directly. If you are related to any of our databases, it is because you have had or maintain a commercial relationship with PYRAMID CONSULTING S.A.S, or because you have voluntarily provided your data in commercial events where PYRAMID CONSULTING S.A.S participates.

Who has access to the information?

PYRAMID CONSULTING S.A.S is always committed to presenting new solutions that improve the value of its services. To achieve this goal, your information may be shared internally and with some of our business partners, such as affiliates and national and international links. PYRAMID CONSULTING S.A.S takes all possible measures so that the information provided is used in compliance with the Security and Privacy Policy.

How do you want the information used?

By providing your personal data, you are automatically authorizing PYRAMID CONSULTING S.A.S. to use it in accordance with this Security and Privacy Policy. If you do not agree with the proposal of use suggested by PYRAMID CONSULTING S.A.S, you may limit its use or request its deletion by writing to treatment.datos@pyramidconsulting.co or through the line 3000069 ext 2201 or by written communication filed in the Carrera 7 #156-68 Tower 3 Office 703.

General recommendations for minors

If you are a minor, request permission from your parents or guardians before disclosing your personal data to any person or by digital means.

Introduction

Below are the information processing policies that govern the activity carried out by PYRAMID CONSULTING S.A.S. and the management of its databases. This document is developed in compliance with Law 1581 of 2012 and its regulatory decrees, through which the general provisions for the protection of personal data are issued, according to which all public or private entities that handle personal data must adopt an internal manual of policies and procedures to guarantee adequate compliance with the Law and, in particular, to ensure the effective exercise of the rights of the holders. All the information received by PYRAMID CONSULTING S.A.S through its different communication channels, in digital or printed media, and that make up our databases, obtained from clients, suppliers, employees or contractors, and other information holders, is governed by the following usage policies. These data may be stored and/or processed on servers located in computer centers, whether owned or contracted with third-party providers, which is authorized by our clients, contractors, employees, and suppliers by accepting this Privacy Policy.

Definitions

1. Authorization: Prior, express and informed consent issued by the owner of any personal data for the responsible company to process their personal data.

2. Owner: Natural person whose data is processed by the company.

3. Database: Set of personal data stored physically or digitally.

4. Personal data: Information that is linked to a person. It is any piece of information linked to one or several determined or determinable persons or that can be associated with a natural or legal person. Personal data can be public, semi-private or private.

5. Treatment: Any operation or set of operations on personal data within which its collection, storage, use, circulation or deletion may be included.

6. Person in charge of the treatment: Natural or legal person, public or private, that by itself or in association with others, performs some treatment on personal data on behalf of the person in charge of the treatment.

7. Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the treatment of the data.

8. Public data: It is that data classified as such according to the mandates of the law or the Political Constitution. The data contained in public documents, enforceable judicial sentences that are not subject to confidentiality and those related to the civil status of people are public, among others.

9. Semi-private data: Semi-private data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its owner but to a certain sector or group of people or to society in general, such as financial data and commercial activity credit.

10. Private data: It is the data that, due to its intimate or reserved nature, is only relevant to the owner.

11. Sensitive data: Those related to racial or ethnic origin, membership in unions, social or human rights organizations, political, religious convictions, sexual life, biometric or health data. This information may not be provided by the Holder of this data.

12. Privacy Notice: Physical, electronic document generated by the person responsible for the treatment that is made available to the owner with the information related to the existence of the information treatment policies that will be applicable to him, the way to access them and the characteristics of the Treatment that is intended to be given to personal data.

General disposition

Article 1. Applicable legislation. This manual was prepared taking into account the provisions contained in Law 1581 of 2012 “By which general provisions are issued for the protection of personal data” and Decree 1377 of 2013 “By which Law 1581 of 2012 is partially regulated” .

Article 2. This manual will apply to the processing of personal data collected and managed by PYRAMID CONSULTING S.A.S.

Article 3. Object. Protect and guarantee, based on this manual, the fundamental right of habeas data regulated by Law 1581 of 2012, which regulates the procedures for the collection, management and treatment of personal data carried out by PYRAMID CONSULTING S.A.S.

Article 4. Validity of the database. PYRAMID CONSULTING S.A.S., will apply the validity communicated in the medium through which the data was captured, therefore PYRAMID CONSULTING S.A.S may process and keep my personal data as long as it is necessary to fulfill my request and any obligation between PYRAMID CONSULTING S.A.S. or attention to any complaint or judicial or extrajudicial claim. Article 5. Principles for the processing of personal data. In the development, interpretation and application of this law, the following principles will be applied harmoniously and comprehensively:

a) Principle of purpose: The Treatment of personal data collected by PYRAMID CONSULTING S.A.S must be informed to the Owner.

b) Principle of freedom: Treatment can only be exercised with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.

c) Principle of veracity or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, fractional or misleading data is prohibited.

d) Principle of transparency: In the Treatment, the right of the Owner to obtain from the person in charge at any time and without restrictions, information about the existence of data that concerns him must be guaranteed.

e) Principle of access and restricted circulation: Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or authorized third parties. 5

f) Principle of security: The information subject to Treatment by the person in charge, must be handled with the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or unauthorized access or fraudulent.

g) Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that comprise the treatment.

Article 6. Rights of the owners of the information in accordance with the provisions of Law 1581 of 2012. The owner of the personal data has the following rights:

a) Know, update and correct your Personal Data. With the power to exercise this right, among others, in relation to information, partial, inaccurate, incomplete, divided, misleading information or whose treatment is prohibited or unauthorized.

b) Require proof of the consent granted for the collection and processing of Personal Data.

c) To be informed by PYRAMID CONSULTING S.A.S of the use that has been given to the Personal Data.

d) Submit complaints to the Superintendence of Industry and Commerce in the event that there is a violation by PYRAMID CONSULTING S.A.S, of the provisions of Law 1581 of 2012, Decree 1377 of 2013 and other regulations that modify, add or complement, in accordance with the provisions on the procedural requirement established in article 16 Law 1581 of 2012

e) Revoke the authorization granted for the processing of Personal Data.

F). Request to be removed from your database. This suppression or elimination implies the total or partial elimination of the personal information in accordance with what is requested by the owner in the databases of PYRAMID CONSULTING S.A.S. It is important to take into account that the right of deletion is not absolute and the person in charge can deny the exercise of it when the owner has a legal and/or contractual duty to remain in the database, the deletion of the data hinders legal proceedings or administrative or the Investigation and prosecution of crimes, the data that is necessary to comply with a legal obligation acquired by the owner.

g). Have access to the Personal Data that PYRAMID CONSULTING S.A.S. has collected and processed.

Article 7. Duties of the person responsible for the information. As the person responsible for the Processing of personal data, and in accordance with the provisions of Law 1581 of 2012, PYRAMID CONSULTING S.A.S, undertakes to comply with the following duties, in relation to the processing of personal data:

a) Guarantee the owner of the information, at all times, the full and effective exercise of the right of habeas data;

b) Keep a copy of the respective authorization granted by the owner;

c) Duly inform the owner about the purpose of the collection and the rights that assist him by virtue of the authorization granted;

d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;

e) Process the queries and claims made by the holders of the information in the terms indicated by articles 14 and 15 of Law 1581 of 2012;

f) Inform at the request of the Owner about the use given to their data;

g) Inform the Superintendence of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders.

h) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

j) Refrain from circulating information that is being controversial by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce;

k) Allow access to information only to authorized persons.

l) Inform through the means that it considers pertinent the new mechanisms that it implements so that the holders of the information make their rights effective.

Article 8. Authorization. PYRAMID CONSULTING S.A.S, in its capacity as responsible for the processing of personal data, has provided the necessary mechanisms to obtain the authorization of the owners, guaranteeing in any case that it is possible to verify the granting of said authorization. The holders of personal data may revoke the consent to the processing of their personal data at any time, as long as it is not prevented by a legal provision. To do this, they must contact PYRAMID CONSULTING S.A.S., by email: treatment.datos@pyramidconsulting.co or by written communication sent to Carrera 7 #156-68 Torre 3 Office 703 or through line 3000069 ext 2201

Article 9. Purpose of the authorization. The Treatment of the personal data of the Holders will be carried out by PYRAMID CONSULTING S.A.S, with the following purpose: Carry out the pertinent steps for the development of the company’s corporate purpose in what has to do with the fulfillment of the contract object entered into with the Owner of the information. Make invitations to events and offer new products and services. Manage procedures (requests, complaints, claims). Measure levels of satisfaction regarding the services provided. Provide contact information to the commercial force and/or distribution network, telemarketing, market research and any third party with which PYRAMID CONSULTING S.A.S. has a contractual relationship for the development of activities of this type (market research and telemarketing, etc. ) for their execution. Contact the Owner through telephone means to carry out surveys, studies and/or confirmation of personal data necessary for the execution of a contractual relationship. Contact the Owner through electronic means – SMS or chat to send news related to loyalty campaigns or service improvement, account statements or invoices in relation to the obligations derived from the contract entered into between the parties. Provide the information to third parties with which PYRAMID CONSULTING S.A.S. has a contractual relationship and that it is necessary to deliver it to fulfill the contracted object. Transmit personal data outside the country to third parties with which PYRAMID CONSULTING S.A.S., has signed a data processing contract and it is necessary to deliver it to them for the fulfillment of the contractual object. Transfer personal data outside the country to subsidiaries of PYRAMID CONSULTING S.A.S., to comply with the applicable anti-money laundering regulations. Offer corporate welfare programs and plan business activities for the owner and his beneficiaries (children, spouse, permanent partner). and other internal administrative and/or commercial purposes. We warn that third-party providers and/or contractors may be involved in these activities, with which PYRAMID CONSULTING S.A.S., may, among others, hire the storage and/or processing of information and personal data for the correct execution of the contracts entered into with us. . Said contractors and/or suppliers are under an obligation to make appropriate use of the information provided by our clients.

In their capacity as holders of the data collected, by accepting this privacy policy, our clients authorize PYRAMID CONSULTING S.A.S., the provision of said information to control and surveillance authorities, police or judicial, by virtue of a legal or regulatory requirement. and/or use or disclose this information and personal data in defense of their rights and/or their assets insofar as said defense is related to the products and/or services contracted by their clients.

Article 10. Form and mechanisms to grant authorization. The authorization may be in a physical, electronic document or in any other format that allows guaranteeing its subsequent consultation. The aforementioned authorization may be obtained by any of the following means: a. Quotes, b. Bills of Sale, c. Marketing Activities, d. events, e.g. Service orders, Service or Solution Delivery Act.

Article 11. Procedure to guarantee the right to submit queries and/or claims. The holders of the information may exercise their rights at any time and free of charge, after proving their identity. The request must be made by one of the following means: email customer service treatment.datos@pyramidconsulting.co.co, line 3000069 ext 2201 and reception of written communications at Carrera 7 #156-68 Tower 3 Office 703.

You must include the following information in the application:

• Names and surnames.

• Document type.

• Document number.

• Telephone.

• Email.

• Country.

• Affair.

RESPONSE TO QUERIES. In any case, regardless of the mechanism implemented for the attention of consultation requests, they will be attended to within a maximum term of ten (10) business days from the date of receipt. When it is not possible to respond to the query within said term, the interested party will be informed before the expiration of 10 days, stating the reasons for the delay and indicating the date on which the query will be addressed, which in no case may exceed five ( 5) business days following the expiration of the first installment.

RESPONSE TO CLAIMS. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend to it within said term, the interested party will be informed before the expiration of the aforementioned term of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

If the claim received does not have complete information that allows it to be processed, that is, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to assert, the interested within five (5) days of receipt to correct the failures. After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that he has withdrawn the claim.

Article 12. Information security and confidentiality measures. For the storage of the data, the Company allows the authentication, access and consultation of the same through domain policies, which restrict the access of the information at the level of the organizational structure of PYRAMID CONSULTING S.A.S., which guarantee the integrity, confidentiality and availability of information.

However, the above, the client assumes the risks derived from delivering this information in a medium such as the Internet, which is subject to various variables – third-party attacks, technical or technological failures, among others. PYRAMID CONSULTING S.A.S., does not guarantee the total security of your information nor is it responsible for any consequence derived from technical failures or improper entry by third parties to the Database or file in which the Personal Data object of Treatment by THE COMPANY and its Managers. THE COMPANY will require the service providers it hires to adopt and comply with the appropriate technical, human and administrative measures for the protection of Personal Data in relation to which said providers act as Managers.

Transfer, Transmission and Disclosure of Personal Data

Article 13. Veracity of the information. Our clients, contractors, employees and suppliers must provide truthful information about their personal data in order to make possible the provision of services by PYRAMID CONSULTING S.A.S.

Article 14. Designation. PYRAMID CONSULTING S.A.S, designates the Administrative Area and Legal Area or whoever acts in its place, to comply with the function of protection of personal data, as well as to process the requests of the owners, for the exercise of rights as owner of the information.

Article 15. Validity of the manual. This manual is effective as of January 18, 2017. The databases in which personal data will be recorded will be valid for the same time as the information is maintained and used for the purposes described in this policy. Once that purpose(s) is fulfilled and provided there is no legal or contractual duty to retain your information, your data will be deleted from our databases.

Cordially

PYRAMID CONSULTING S.A.S