terms - RIWI

You can now register for our cohort 3, registrations  here

 Our incredible facilities are perfect for any event. We have the ideal space for you !  contact us

Do you need tech talent for your company ? We have the talent you need here

Contact us

RIWI S.A.S. PERSONAL DATA AND INFORMATION MANAGEMENT POLICY

GENERAL INFORMATION

This policy is defined in accordance with the enactment of Statutory Law 1581 of 2012, which “aims to develop the constitutional right of all individuals to know, update, and rectify the information collected about them in databases or records, as well as other constitutional rights, freedoms, and guarantees referred to in Article 15 of the Political Constitution, and the right to information established in Article 20 of the same.”

In light of this, Riwi S.A.S., considering the mandate outlined in paragraph k of Article 17 of Law 1581 of 2012 and Article 13 of Regulatory Decree 1337 of 2013, formulates this personal data processing policy with the general objective of addressing inquiries and complaints regarding the processing of personal data, ensuring the protection of the fundamental right of all individuals to data privacy.

GENERAL OBJECTIVE

With the implementation of this policy, Riwi S.A.S. aims to guarantee the confidentiality and security of personal data for individuals who have authorized the processing of their personal information, in compliance with the regulations governing the right to data privacy.

DEFINITIONS

Authorization

Consent that the holder of personal data gives, voluntarily, explicitly, and informed, allowing the processing of their personal data.”.

Privacy Notice

Document, either physical or electronic, generated by the data controller, providing the holder with information about the existence of data processing policies, how to access them, and the details of the processing intended for the personal data.”.

Database

An organized collection of personal data subject to processing.”.

Personal Data

Any information linked or that may be associated with one or more specific or identifiable individuals.”.

Processor

Natural or legal person, public or private, who processes personal data on behalf of the data controller.”.

Data Controller

Natural or legal person, public or private, who determines the purposes and means of processing personal data.”.

Data Subject

The natural person whose personal data is being processed.”.

Processing

Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.”.

DATA TYPES

Private Data

Data classified as such under the mandates of the law or the Constitution.

Public Data

Data classified as such under the mandates of the law or the Constitution.

Semiprivate Data

Data that is not intimate or reserved but also not public, and whose knowledge or disclosure may be of interest to not only the data subject but also to certain groups or society in general.

Sensitive Data

Data related to racial or ethnic origin, membership in trade unions, social or human rights organizations, political or religious convictions, sexual life, biometric data, or health information.

RIGHTS OF THE DATA SUBJECT IN RELATION TO THE DATA CONTROLLER

Every process involving personal data by Riwi S.A.S. must inform the data subject of the rights they are entitled to, which are:

A. Know, update, and rectify personal data with the data controller or processor

This right may be exercised, among other things, in relation to partial, inaccurate, incomplete, fragmented data, data that may lead to error, or data whose processing is expressly prohibited or has not been authorized.

B. Request proof of authorization granted to the data controller, unless explicitly exempted as a requirement for processing, in accordance with the Law

C. Revoke the authorization or request the deletion of data when the processing does not respect constitutional and legal rights, principles, and guarantees.

The revocation or deletion will proceed when the Superintendency of Industry and Commerce has determined that the responsible party or processor has engaged in actions contrary to the law and the Constitution.

D. Access, free of charge, the personal data concerning the data subject that has been processed.

In any case, a record must be kept, regardless of the medium in which it is contained, indicating the information that was presented to the data subject regarding the matter.

CIRCUMSTANCES WHERE AUTHORIZATION IS NOT REQUIRED

Authorization for processing personal data is not required in the following cases:

A. When information is required by a public or administrative entity in the exercise of its legal functions or by judicial order.

B. When it involves public data.

C. In cases of medical or health emergencies.

D. When the processing is authorized by law for historical, statistical, or scientific purposes.

E. When it involves data related to the civil registry of individuals.

Although in the cases indicated authorization from the data subject is not required, the data controller must comply with the regulations set forth in Law 1581 of 2012 and any other laws that replace, amend, modify, or complement it.

PERSONS WHO MAY BE PROVIDED WITH THE INFORMATION

The information collected, in compliance with this policy and Law 1581 of 2012, may be provided to:

A. Data subjects.

B. Legal heirs of the data subjects.

C. Legal representatives of the data subjects.

D. Public or administrative entities in the exercise of their legal functions or by judicial order.

E. Third parties authorized by the data subject.

F. Entities authorized by law.

In any case, the delivery to each of these individuals will take place only if they can reliably prove their role, all with the intention of preventing the release of information to unauthorized persons.

RESPONSIBILITIES OF THE DATA CONTROLLER OR PROCESSOR

The duties of those responsible or in charge of personal data processing, without prejudice to the others established in Law 1581 of 2012 and other regulations on the matter, are the following:

A. Ensure the holder, at all times, the full and effective exercise of the right to habeas data.

B. Request and retain, in compliance with Law 1581 of 2012, a copy of the authorization granted by the data subject.

C. Properly inform the data subject about the purpose of data collection and their rights under the authorization.

D. Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized use, or fraudulent access.

E. Guarantee that the information provided to the processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.

F. Update the information, promptly communicated to the data processor, any changes regarding the data previously provided to them, and adopt the other necessary measures to ensure that the information supplied remains up to date.

G. Rectify the information when it is incorrect and communicate the relevant details to the data processor.

H. Provide the data processor, as appropriate, only with data whose processing has been previously authorized in accordance with the provisions of Law 1581 of 2012 and other regulations that amend, complement, or replace it.

I. Ensure that the data processor respects at all times the security and privacy conditions of the data subject’s information.

J. Process the inquiries and claims made in accordance with the terms set out in Law 1581 of 2012 and other regulations that amend, complement, or replace it.

K. Adopt an internal manual of policies and procedures to ensure proper compliance with Law 1581 of 2012, especially for handling inquiries and claims.

L. Inform the data processor when certain information is under dispute by the data subject, once a claim has been made and the respective procedure is not yet completed.

M. Inform, upon request of the data subject, about the use made of their data.

N. Inform the data protection authority when security breaches occur and there are risks in the management of the data subject’s information.

O. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

PURPOSES OF THE COLLECTION, USE, AND PROCESSING OF PERSONAL DATA

Riwi S.A.S., in the course of its corporate purpose and its relationships with third parties, constantly collects data to carry out various purposes and uses, including the following:

A. o seek closer knowledge with all individuals with whom it has any type of relationship.

B. To enter into all types of legal agreements.

C. For administrative, commercial, promotional, informational, marketing, and sales purposes.

D. To process payments for services rendered or goods offered in the market through payment methods other than the usual ones.

E. To offer all types of commercial products and services, as well as to carry out promotional, marketing, or advertising campaigns.

In order to achieve the purposes outlined above, the following actions may be carried out regarding the data subject’s personal data, which constitute data processing:

A. Obtain, store, compile, exchange, update, collect, process, reproduce, or dispose of partial or complete data or information of the data subject who authorizes data processing.

B. Classify, organize, and separate the information provided by the data subject who authorizes data processing.

C. Conduct investigations, compare, verify, and validate the data obtained in accordance with the law, with credit risk centers with which there are commercial relationships.

E. Extend the information obtained, under the terms of the habeas data law, to the companies with which it contracts services for the capture, storage, and management of its databases.

F. Transfer the data or partial or complete information to its subsidiaries, businesses, affiliated companies, and strategic partners.

AUTHORIZATION

For the purposes of achieving the previously mentioned goals, Riwi S.A.S. will require authorization from the data subject, which must be granted by the data subject freely, prior to, and expressly. To this end, appropriate mechanisms will be put in place to ensure that, in each case, the granting of authorization is verifiable.

The authorization may, in any case, be documented in any medium, whether physical, electronic, or in any other format, as long as it guarantees subsequent consultation.

The authorization is the consent that, in a prior, express, and informed manner, the data subject provides to carry out the processing of personal data, which is issued after notifying the data subject about:

A. Who is responsible or in charge of capturing the information containing personal data.

B. What personal data is being captured.

C. What are the purposes of the personal data processing.

D. What is the procedure for exercising the rights of access, correction, updating, or deletion of data.

E. The specifics regarding the collection of sensitive data.

METHOD OF OBTAINING AUTHORIZATION

The authorization referred to previously, in accordance with the provisions of Article 9 of Law 1581 of 2012, “must be obtained by any means that can be subject to subsequent consultation.”

In accordance with the aforementioned provision, Riwi S.A.S. may obtain the authorization in question by any of the following means:

A. In writing.

B. Verbally.

C. Unambiguous behaviors that reasonably allow concluding that the authorization was granted.

It is made clear that silence, in no case, may be construed as an unambiguous behavior that authorizes the processing of personal data.

In any case, those responsible for the data processing must keep proof of the authorization granted by the data subject for the processing of their data.

DATA COLLECTED BEFORE THE ISSUANCE OF DECREE 1337 OF 2013

Article 10 of Regulatory Decree 1337 of 2013, which regulates Law 1581 of 2012, provides the following:

“For data collected before the issuance of this decree, the following must be considered:

1. The data controllers must request authorization from the data subjects to continue processing their personal data as established in Article 7 of this decree, using efficient communication mechanisms, as well as informing them of data processing policies and the way to exercise their rights.

2. For the purposes of numeral 1, efficient communication mechanisms will be considered those that the controller or processor uses in the ordinary course of their interaction with the data subjects registered in their databases.

3. If the mechanisms mentioned in numeral 1 impose a disproportionate burden on the controller, or it is impossible to request consent from each data subject for the processing of their personal data and inform them of the data processing policies and how to exercise their rights, the controller may implement alternative mechanisms for the purposes set out in numeral 1, such as widely circulated national newspapers, local newspapers or magazines, the controller’s website, informational posters, among others, and inform the Superintendence of Industry and Commerce within five (05) days following their implementation.

To determine when there is a disproportionate burden on the controller, the following factors will be taken into account: economic capacity, number of data subjects, the age of the data, territorial and sectorial scope of the controller’s operations, and the alternative communication mechanism to be used, so that requesting consent from each data subject implies excessive costs that could jeopardize the controller’s financial stability, the performance of its business activities, or the viability of its planned budget.

It will also be considered impossible to request consent from each data subject for the processing of their personal data and inform them of the data processing policies and how to exercise their rights when the controller does not have contact data for the subjects, either because such data is not in their files, records, or databases, or because it is outdated, incorrect, incomplete, or inaccurate.

4. If, within thirty (30) business days from the implementation of any of the communication mechanisms described in numerals 1, 2, and 3, the data subject has not contacted the controller or processor to request the deletion of their personal data as per the terms of this Decree, the controller and processor may continue processing the data contained in their databases for the purposes indicated in the data processing policy, which was made known to the data subjects through these mechanisms, without prejudice to the data subject’s right to exercise, at any time, their right to request the deletion of the data.

5. In all cases, the controller and processor must comply with all applicable provisions of Law 1581 of 2012 and this Decree. Additionally, the purpose or purposes of the processing must be the same, analogous, or compatible with those for which the personal data was initially collected.”

Considering the above and that Riwi S.A.S. is framed within the circumstances set out in numeral 3 of Article 10 of Regulatory Decree 1337 of 2013, the respective privacy notice was posted on the official website, informing the data subjects of the existence of this privacy policy and stating that they had thirty (30) business days from the notice’s publication to request the deletion of their personal data. If no such request was made, Riwi S.A.S. could continue processing the personal data. This was done without prejudice to the data subjects’ right to exercise their right at any time and request the deletion of their data.

This procedure was reported to the Superintendence of Industry and Commerce, as required by the regulation.

PROTECTION OF PERSONAL DATA OF MINORS AND ADOLESCENTS

Riwi S.A.S. Riwi S.A.S., in compliance with Article 7 of Law 1581 of 2012, will refrain from processing the personal data of children, minors, and adolescents.

AREA RESPONSIBLE FOR HANDLING REQUESTS, INQUIRIES, AND COMPLAINTS

The area with which the data subject or their authorized representative can communicate to make any requests, inquiries, or complaints they deem necessary is the customer service department. The contact details are as follows:

Email address

info@riwi.io

Address

Cl. 16 #55-129, Guayabal, Medellín

Phone number

3017325327

PROCEDURE FOR INQUIRIES AND COMPLAINTS MADE BY DATA SUBJECTS

PROCEDURE FOR HANDLING INQUIRIES

Data subjects or their legal representatives may inquire about the personal information held in the databases of Riwi S.A.S. and must be provided with all information contained in the individual record or associated with the identification of the data subject.

Inquiries made by data subjects or their legal representatives will be processed under the following rules:

A. The inquiry must be made by sending an email or by submitting a written request in physical form to the person responsible for personal data processing.

B. The inquiry will be addressed within a maximum period of ten (10) business days from the receipt of the request.

C. If it is not possible to respond to the inquiry within the specified term, the inquirer will be informed of the reasons for the delay and the date on which the inquiry will be addressed, which in no case may exceed five (05) business days after the expiration of the original term.

For the purposes of this section, emails should be sent to the following website: www.riwi.io, and written requests should be sent to info@riwi.io.

All communications with the inquirer will be carried out at the contact address provided in the inquiry.

The inquirer may only file a complaint with the Superintendence of Industry and Commerce once the claim process has been exhausted with the data controller.

PROCEDURE FOR HANDLING COMPLAINTS

Any complaint submitted to Riwi S.A.S. by the data subject or their legal representatives regarding the handling and processing of their personal data will be resolved in accordance with the law governing the right to habeas data and will be processed under the following rules:

A. The complaint must be made by sending an email or by submitting a written request in physical form to the person responsible for personal data processing. The complaint must contain, at a minimum, the following information:

A.1. Identification of the data subject.

A.2. Description of the facts supporting the complaint.

A.3. What is being sought with the complaint.

A.4. The preferred method of receiving a response, with specific indication of the address or contact details for the chosen method.

A.5. Supporting documents that substantiate the complaint.

B. If the complaint is incomplete, the data subject will be asked to rectify the deficiencies within five (05) days from the submission of the complaint.

C. If two (02) months have passed since the request was made and the deficiencies have not been rectified, it will be understood that the complainant has withdrawn the complaint.

D. If the person receiving the complaint is not competent to resolve it, the matter will be forwarded to the appropriate party within a maximum of two (02) business days, and the complainant will be informed of the situation.

E. Once the complete complaint is received by the competent party, a note stating “complaint in process” along with the reason for the complaint will be included in the database, within no more than two (02) business days. This note must remain until the complaint is resolved.

F. The maximum term for addressing the complaint will be fifteen (15) business days from the day after the receipt of the complaint.

G. If it is not possible to address the complaint within the specified term, the complainant will be informed of the reasons for the delay and the date on which the complaint will be addressed. This date may not exceed eight (08) business days after the expiration of the original term.

For the purposes of this section, emails should be sent to the following website: www.riwi.io, and written requests should be sent to info@riwi.io.

All communications with the complainant will be carried out at the contact address provided in the complaint submission.

The complainant may only file a complaint with the Superintendence of Industry and Commerce once the complaint process with the data controller has been exhausted.

RESPONSIBLE FOR THE PROCESSING

In accordance with the provisions of numeral 1 of Article 13 of Regulatory Decree 1337 of 2013, the identification details of the party responsible for the processing of personal data are as follows:

Name or corporate name

Riwi S.A.S.

Address

Medellín, Antioquia, Colombia.

Cl. 16 #55-129, Guayabal, Medellín

Correo electrónico

info@riwi.io

Phone number

3017325327

VALIDITY

VALIDITY OF THE DATA PROCESSING POLICY

This data processing policy takes effect as of May 31, 2023.

VALIDITY OF THE DATABASE

The database created in accordance with the guidelines set forth herein has an indefinite validity.

Visit Us

For Coders
For Companies

Company

Offer

Others

Facebook Instagram Linkedin Twitter

© 2023 RIWI | Centro Comercial de Moda Outlet, Piso 3, Cl. 16 #55-129, Medellín, Colombia.