Skip to Content

Privacy Policy

IntroductionScopeDefinitionsPrinciples of personal data processingAuthorizationsAccess to personal dataPurposes of processingPrivacy and Security CommitmentProcessing of sensitive dataProcessing of sensitive dataTransmission of personal dataTemporary limitations on the processing of personal dataPROHIBITION OR REVOCATION OF AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATARIGHTS OF DATA SUBJECTSPROCEDURES FOR HANDLING INQUIRIES AND REQUESTSPROCEDURES FOR HANDLING INQUIRIES AND REQUESTSREQUESTS OR INQUIRIESCLAIMSAUTHORIZED PERSONS FOR PROVIDING INFORMATION ON PERSONAL DATACONTACT INFORMATION FOR BIODIVERSAL AS THE DATA PROCESSING RESPONSIBLE PARTYMODIFICATION OF THIS POLICY

Introduction

BIODIVERSAL S.A.S. BENEFIT AND COLLECTIVE INTEREST – BIC(hereinafter BIODIVERSAL), has committed to developing its activities in compliance with Law 1581 of 2012, Regulatory Decree 1377 of 2013, Decree 886 of 2014, and other regulations that make up the Personal Data Protection Regime of Colombia, as well as the highest applicable standards in this area. BIODIVERSAL is committed to the security of personal data of its clients, contractors, suppliers, employees, and the general public.

Scope

This Policy is publicly accessible, which is why anyone who wishes to know the standards and procedures established by BIODIVERSAL regarding the Processing of Personal Data and the protection of the information contained in its Databases can access and consult it permanently.

In order to guarantee the rights of the information Holders, this Policy must be complied with by all workers linked to BIODIVERSAL. It will also apply to all agents, representatives, advisors, contractors, and individuals acting on behalf of this company who carry out any type of personal data processing. For the purposes of this policy, all previously described individuals will be referred to as "BIODIVERSAL Personnel."

Definitions

Authorization:It is the prior, express, and informed consent of the Data Subject to carry out the Processing of Personal Data, in accordance with the purposes and terms of this Privacy and Personal Data Protection Policy.

Database:It is the organized set of Personal Data in digital, electronic, or physical medium, subject to Processing.

Personal Data:It is the information that identifies a person, or linked information that can be associated with one or more specific or determinable natural persons.

Private Personal Data:It is the information that only concerns the Data Subject, which has a reserved nature.

Sensitive Personal Data:These are personal data that affect the privacy of the Data Subject, whose improper use may lead to discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

Public Data:These are data that are not private, semi-private, or sensitive. Public data includes, among others, information related to a person's marital status, profession or trade, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, gazettes, official bulletins, and duly executed judicial rulings that are not subject to confidentiality.

Data Processor:It is the natural or legal person who, on their own or in association with others, carries out the Processing of Personal Data on behalf of BIODIVERSAL.

BIODIVERSAL Staff:All individuals linked to BIODIVERSAL who are responsible for the processing of personal data and who must comply with this Personal Data Protection Policy.

Data Processing Responsible:It is BIODIVERSAL when it decides, on its own or in association with others, on the purposes and the processing of the Personal Data contained in its Databases.

Data Subject:Natural person whose Personal Data is subject to Processing.

Transfer:It is the sending of Personal Data carried out by a Responsible and/or Data Processing Manager located in Colombia to a Responsible for Processing located inside or outside the country.

Transmission:It is the Processing of Personal Data that involves the communication of such data, inside or outside the territory of Colombia, carried out by the Manager on behalf of the Responsible.

Processing:It is any operation or set of operations on Personal Data, such as collection, storage, use, circulation, or deletion.

Principles of personal data processing

For the Processing of Personal Data, BIODIVERSAL will take into account the following principles:

Principle of Legality in Data Processing:the Processing of Personal Data will be subject to the provisions established in the applicable laws in Colombia and in other regulations that develop these laws.

Principle of Purpose:the Processing will obey a legitimate purpose in accordance with the Constitution and the Law of Colombia, which will be informed to the Data Subject.

Principle of Freedom:the Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal Data will not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves the consent.

Principle of Truthfulness or Quality:the information subject to Processing will be truthful, complete, accurate, updated, verifiable, and understandable.

Principle of Transparency:the right of the Data Subject to obtain information about their Personal Data at any time and without restrictions will be guaranteed by BIODIVERSAL or the Data Processor.

Principle of Access and Restricted Circulation:the Processing will be subject to the limits derived from the nature of the Personal Data, the provisions of applicable laws on the matter, and, in particular, this Policy. That is, Personal Data, except for public information, will not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or authorized third parties.

Principle of Security:the Personal Data subject to Processing by BIODIVERSAL or its Processor(s) will adhere to the technical, human, and administrative measures necessary to ensure the security of the Personal Data, preventing its alteration, loss, consultation, unauthorized use, or fraudulent access.

Confidentiality Principle:All BIODIVERSAL personnel involved in the Processing of Personal Data are required to ensure the confidentiality of this data, even after their relationship with any of the tasks involved in the Processing has ended, and may only supply or communicate Personal Data when it corresponds to the development of activities authorized by law.

Authorizations

BIODIVERSAL will request authorization in such a way that the data subject gives their prior, express, and informed consent for the processing to which their personal data is subject.

Authorization may also be obtained from unequivocal behaviors of the data subject, which allow for a reasonable conclusion that they have given their consent for the processing of their information. Such behaviors must clearly express the willingness to authorize the processing.

The consent of the data subject may be obtained by any means that can be subject to later consultation, such as written, verbal, virtual communication, or unequivocal behaviors.

By virtue of its nature and social purpose, BIODIVERSAL receives, collects, records, preserves, stores, modifies, reports, consults, delivers, transmits, transfers, shares, and deletes personal information, for which it obtains prior authorization from the data subject.

The authorization granted to BIODIVERSAL by the information holders allows, among other things, the realization of the following purposes: to offer and provide information about products and services, as well as to consult, report, and update their data with information and risk operators; to update existing contractual relationships and comply with agreed obligations, among others (see numeral VIII of purposes).

BIODIVERSAL will keep proof of such authorizations in an appropriate manner, ensuring and respecting the principles of privacy and confidentiality of the information.

Likewise, at BIODIVERSAL, when it comes to information related to the following types of data, the following special considerations will be taken into account:

  • Sensitive data

For the processing of sensitive data, BIODIVERSAL will inform the data holder of the following:

    • For the processing of this type of information, the holder is not obliged to give their authorization or consent.
    • It will be explicitly and beforehand informed what type of sensitive data will be requested.
    • The processing and purpose that will be given to the sensitive data will be communicated.
    • The authorization for sensitive data will be prior, express, and clear.
  • Data of children and adolescents.

BIODIVERSAL will ensure that the processing of this type of data is carried out in accordance with the rights of children and adolescents. In this sense, their special nature will be protected, and their fundamental rights will be respected, in accordance with the provisions of Articles 5, 6, and 7 of Law 1581 of 2012, and Articles 6 and 12 of Decree 1377 of 2013, and other regulations that modify or add to them.

In order to comply with the above, BIODIVERSAL will act in accordance with the following:

    • Authorization will be requested from the legal representative of the child or adolescent prior to the exercise of the minor's right to be heard, an opinion that will be assessed taking into account maturity, autonomy, and the ability to understand the matter, for the purpose of processing their personal data.
    • The optional nature of responding to questions about the data of children or adolescents will be communicated.
    • It will be explicitly and beforehand informed what data is subject to processing and the purpose of this.

BIODIVERSAL informs all its stakeholders that, in accordance with Article 10 of Law 1581 of 2012, the authorization of the holder will not be necessary when it comes to: (1) information required by a public or administrative entity in the exercise of its legal functions or by court order, (2) publicly available data, (3) cases of medical or health emergencies, (4) processing of information authorized by law for historical, statistical, or scientific purposes, and (5) data related to the Civil Registry of Persons.

Access to personal data

The information stored in BIODIVERSAL's databases may be shared internally with employees responsible for processing personal data in accordance with the purposes mentioned in this Policy and/or in the authorization request for processing granted by the holder.

BIODIVERSAL will not share or deliver Personal Data stored in its Databases with third parties unrelated to this company. However, when the purpose requires it, Personal Data may be legitimately transmitted or transferred to business partners or service providers of BIODIVERSAL, to fulfill specific contractual or commercial objectives. If BIODIVERSAL deems it necessary to carry out a transfer of Personal Data, it will only be done in strict compliance with legal requirements.

In any of these events, BIODIVERSAL is committed to taking all necessary measures to ensure that the processing of information by its Managers and/or its business partners or service providers is carried out in strict compliance with this Policy.

Purposes of processing

Without prejudice to what is stated in the corresponding authorization request or contract, the processing of Personal Data carried out by BIODIVERSAL has, in general, any of the following purposes:

  1. To carry out all activities necessary for the development of the corporate purpose of BIODIVERSAL.
  2. To adequately provide the contracted services, as well as to keep the Holders informed about the progress, status, and other matters related to the contracted activity.
  3. To carry out all activities necessary to properly execute existing contracts with workers, suppliers, customers, and other business contacts.
  4. To maintain efficient communication of information that is useful for the development and fulfillment of existing contracts with workers, suppliers, customers, and other business contacts.
  5. Carry out the administrative procedures associated with the development of the corporate purpose of BIODIVERSAL.
  6. Send commercial information about the activities carried out by BIODIVERSAL and about the launch of new products or services.
  7. Send communications via physical mail, email, mobile device, or through any other analogous and/or digital means of communication with commercial, advertising, or promotional information about the services, events, promotions, campaigns, and/or contests of a commercial or advertising nature conducted by BIODIVERSAL.
  8. Contact customers in case of complaints, claims, or suggestions regarding the service of BIODIVERSAL.
  9. Conduct satisfaction campaigns, monitor the provision of services, and evaluate the quality of services provided by employees.
  10. Fulfill the obligations contracted with the employees of BIODIVERSAL regarding the payment of salaries, social benefits, and others arising from the employment relationship.
  11. Develop selection, evaluation, and employment processes.
  12. Contact and hire suppliers of products or services that BIODIVERSAL needs for the development of its activities and the natural provision of its facilities or offices; as well as make necessary requests to report the tax information related to them.
  13. Present information to control and oversight authorities and support internal or external audit processes.
  14. Conduct statistical studies or accounting processes.
  15. Comply with legal norms of knowledge of the Holder.
  16. Establish, maintain, and deepen the contractual relationship.
  17. Update the information.
  18. Evaluate credit risk.
  19. Determine the level of indebtedness on a consolidated basis.
  20. For sending messages that contain commercial, marketing, personal, institutional, product or service information, or any other kind that BIODIVERSAL considers to mobile and/or cellular phones, email, physical mail, or by any other means.
  21. To be consulted, exchanged, or circulated by BIODIVERSAL with any entity in the real sector, entities subject to inspection and supervision by the Financial Superintendency, and/or with any information operator and/or national or foreign database.
  22. Validate and verify the identity of the client for the offering and management of products and services, as well as to share information with various market players, including but not limited to strategic allies.

Privacy and Security Commitment

BIODIVERSAL is committed to the confidentiality and privacy of Personal Data stored in its Databases, under access and availability restrictions, preventing consultation by unauthorized third parties.

Based on the above, BIODIVERSAL guarantees to the Holders of Personal Data the preservation of this data under standard security conditions typical in the industry, which prevent its alteration, loss, theft, public consultation, unauthorized or fraudulent use or access, as well as the implementation of internal practices that contribute to a secure information environment.

Processing of Personal Data of children and adolescents.

BIODIVERSAL understands that the Processing of Personal Data of children or adolescents is prohibited, except when it concerns publicly available data. Therefore, it commits not to collect Personal Data from individuals under 18 years of age without the authorization of their legal representative, in which case BIODIVERSAL will take into account: i) respect for fundamental rights; and ii) respect for the best interests of children and adolescents.

In this case, BIODIVERSAL will make its best effort to verify that the person acting as the legal representative of the child or adolescent actually holds this position. However, BIODIVERSAL will operate under the good faith of the person granting the authorization for the processing of the personal data of the child or adolescent and indicating that they have the status of legal representative.

Processing of sensitive data

BIODIVERSAL commits to avoiding the Processing of Sensitive Data. However, when such data is absolutely necessary, it will take responsibility for the Processing of Sensitive Data (according to the purposes listed previously) and commits to:

  1. Inform the Data Subject explicitly and in advance, in addition to the general requirements for authorization for the collection of all Personal Data, that the data to be processed is sensitive and the specific purpose of the Processing of these Sensitive Personal Data.
  2. Inform the Data Subject that, due to the nature of Sensitive Personal Data, they are not obligated to authorize its Processing.

Notwithstanding the above, BIODIVERSAL appreciates the prudence and discretion of the Holders in the disclosure of Sensitive Data and requests that under no circumstances be disclosed to BIODIVERSAL without having given their prior, free, and informed consent. If you have any doubts regarding the necessity of providing Sensitive Data, please contact us before providing it.

Processing of sensitive data

BIODIVERSAL commits to avoiding the Processing of Sensitive Data. However, when such data is absolutely necessary, it will take responsibility for the Processing of Sensitive Data (according to the purposes listed previously) and commits to:

  1. Inform the Data Subject explicitly and in advance, in addition to the general requirements for authorization for the collection of all Personal Data, that the data to be processed is sensitive and the specific purpose of the Processing of these Sensitive Personal Data.
  2. Inform the Data Subject that, due to the nature of Sensitive Personal Data, they are not obligated to authorize its Processing.

Notwithstanding the above, BIODIVERSAL appreciates the prudence and discretion of the Holders in the disclosure of Sensitive Data and requests that under no circumstances be disclosed to BIODIVERSAL without having given their prior, free, and informed consent. If you have any doubts regarding the necessity of providing Sensitive Data, please contact us before providing it.

Transmission of personal data

In the event that BIODIVERSAL does not have the technical capacity to develop certain activities involving the Processing of Personal Data, it may transmit the Personal Data or the Personal Databases it deems relevant to third-party Data Processors.

In these cases, BIODIVERSAL will ensure that the Processor complies with the terms established in this Privacy Policy and Personal Data Processing and that it meets the same standards of protection, information security, and guarantees for the Data Subjects.

Temporary limitations on the processing of personal data

BIODIVERSAL will maintain a record of information related to workers, suppliers, and/or clients during and after the termination of the contractual relationship. These records may include Personal Data, which, after the contractual termination, will be kept for a reasonable time until the information contained therein is no longer required to comply with legal, administrative, audit, or regulatory requirements.

Additionally, BIODIVERSAL, after the termination of its contractual relationship, will retain contact information of Data Subjects for sending news, updating information, and invitations to events held or sponsored by BIODIVERSAL. This is unless a request for revocation of the Processing of Personal Data is made, in which case the information will be deleted for the mentioned purposes.

Finally, BIODIVERSAL will store and Process the Personal Data necessary to fulfill its legal obligations.

PROHIBITION OR REVOCATION OF AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA

Data Subjects are free to prohibit or not authorize the Processing of their Personal Data by BIODIVERSAL, except in cases where legal or contractual requirements necessitate the retention of this data. However, if some clients, suppliers, current or former employees do not authorize the use of their Personal Data or request the revocation of the authorization for the Processing of their Personal Data, it is possible that BIODIVERSAL may not be able to continue the business relationship or may not be able to continue providing services due to the lack of necessary information for these purposes.

In this regard, in the event of insistence by the Data Subject on the revocation of authorization for the Processing of Personal Data, BIODIVERSAL is not responsible for pre-contractual or contractual non-compliance, or for the transfer of specific benefits that third parties with whom BIODIVERSAL communicates regularly may access, as a result of the lack of authorization or its revocation for the Processing of personal data.

RIGHTS OF DATA SUBJECTS

Data Subjects whose Personal Data is stored in BIODIVERSAL's Databases have the following rights:

To know, update, and rectify their Personal Data: Data Subjects may exercise this right against partial, inaccurate, incomplete, fragmented data that may lead to error.

In compliance with the principles that must govern the Processing of Personal Data, BIODIVERSAL is committed to making its best effort to ensure that the information contained in its Databases is accurate, complete, and up to date. To this end, BIODIVERSAL may request its clients, suppliers, and employees to update it on a permanent basis.

Right to request proof of authorization:Data Subjects may request proof of the authorization granted for the Processing of their data, except in the cases specified in this Policy.

Right to be informed about the use of their Personal Data:Data Subjects have the right to know at any time the use that has been made of their Personal Data, upon request directed to BIODIVERSAL or its Manager.

Right to revoke authorization and/or request the deletion of personal data:Data Subjects may revoke the authorization granted to BIODIVERSAL for the Processing of their Personal Data if they demonstrate that the principles, rights, and constitutional and legal guarantees have not been respected, as well as request the deletion of Personal Data for which their Processing is not expressly prohibited or has not been authorized.

Right to access their Personal Data:Data Subjects subject to Processing may access their data free of charge.

Right to file complaints:Data Subjects may file complaints with the Superintendence of Industry and Commerce for violations of the provisions of current regulations.

Right to refrain from answering questions about sensitive data:Data Subjects subject to Processing may refrain from answering questions about sensitive data. Responses regarding sensitive data or data concerning children and adolescents will be optional.

PROCEDURES FOR HANDLING INQUIRIES AND REQUESTS

Directly responsible for handling requests, inquiries, or complaints

Right to refrain from answering questions about sensitive data: Data Subjects whose Personal Data is being processed may refrain from answering questions about sensitive data. Responses regarding sensitive data or data concerning children and adolescents will be optional.

Information Security Officer: Ana María Peláez

Email:legal@thecoffeehub.co

PROCEDURES FOR HANDLING INQUIRIES AND REQUESTS

Directly responsible for handling requests, inquiries, or complaints

Right to refrain from answering questions about sensitive data: Data Subjects whose Personal Data is being processed may refrain from answering questions about sensitive data. Responses regarding sensitive data or data concerning children and adolescents will be optional.

Information Security Officer: Ana María Peláez

Email:legal@thecoffeehub.co

REQUESTS OR INQUIRIES

The inquiry or request should be directed to the email: legal@thecoffeehub.co.

In the email, the Data Subject must fully identify themselves and clearly describe their request or inquiry. If not acting as the Data Subject, please indicate the capacity in which you are acting and attach the document that authorizes you to make the request or inquiry, such as a power of attorney, civil registry, among others.

BIODIVERSAL will address your request or inquiry within a maximum period of ten (10) business days from the date of receipt of the inquiry.

When it is not possible to address the inquiry within the mentioned term, BIODIVERSAL will inform the interested party stating the reasons for the delay and indicating the new term to address their request or inquiry, which will not exceed five (5) business days, counted from the expiration of the term in the previous point.

CLAIMS

The request for correction, update, or deletion of Personal Data must be directed to the following email address:legal@thecoffeehub.co

In the email, the Holder must fully identify themselves. If not acting as the Holder, please indicate the capacity in which you are acting and attach the document that authorizes you to make the request or inquiry, such as a power of attorney, civil registry, among others.

If the claim relates to a possible breach of any of BIODIVERSAL's duties, the reason for the breach must be detailed.

If the claim is incomplete, BIODIVERSAL will require the interested party within five (5) business days following receipt of this to correct its inaccuracies. After two (2) months from the date of the request, if the applicant does not provide the required information, BIODIVERSAL will understand that the claim has been withdrawn.

If BIODIVERSAL receives a claim that it is not competent to resolve, it will forward it to the appropriate party within a maximum term of two (2) business days and will inform the interested party of the situation.

Once the complete claim is received, BIODIVERSAL will include in the corresponding Database a note stating "claim in process" and the reason for it, within no more than two (2) business days. This note will remain until the claim is decided.

BIODIVERSAL will address the claim within a maximum period of fifteen (15) business days counted from the day following the date of its receipt.

When it is not possible to address the claim within that period, BIODIVERSAL will inform the interested party of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

AUTHORIZED PERSONS FOR PROVIDING INFORMATION ON PERSONAL DATA

For all purposes, BIODIVERSAL may only provide information contained in its Databases to:

  1. The Holders, their heirs, or their legal representatives.
  2. Public or administrative entities in the exercise of their legal functions or by court order.
  3. Third parties authorized by the Holder or by law.

BIODIVERSAL reserves the right to request additional documentation in order to verify the identity of the person requesting the information.

CONTACT INFORMATION FOR BIODIVERSAL AS THE DATA PROCESSING RESPONSIBLE PARTY

Company name: BIODIVERSAL S.A.S. BENEFIT AND COLLECTIVE INTEREST – BIC

NIT: 901.179.541 – 0

Address: Bogotá, Bogotá D.C., Colombia

Address: Calle 98 #7a-72

Contact phone: +57 310 5875103

Email:legal@thecoffeehub.co

Website: https://biodiversal.com/

MODIFICATION OF THIS POLICY

This policy may be modified at any time, which is why we recommend regularly or periodically reviewing it on our website.