Data Processing
1. Legal Framework and Data Controller
In strict compliance with the provisions of Statutory Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other regulations governing the protection of the right to Habeas Data in Colombia, this Personal Data Processing Policy is adopted by: Corporate Name: PINGÜINO CAPITAL S.A.S. NIT: 901151726-4.
2. Conceptual Framework and Definitions
For the correct interpretation of this document by our corporate partners and authorities, the following legal definitions are adopted:
Platform / Pingüino: The B2B software infrastructure, APIs, and dashboards provided by the Company for payment orchestration.
Data Subject: Any natural person whose personal data is subject to Processing.
Client: Corporate entity, BPO, or merchant that contracts the technological services of Pingüino (B2B).
Data Controller: The entity that, alone or jointly, decides on the database and/or the Processing of the data (The Client).
Data Processor: The entity that conducts the Processing of personal data on behalf of the Controller (Pingüino with respect to the Client's end users).
3. Role Doctrine in Technological Architecture (B2B)
Pingüino Capital S.A.S. provides "Software as a Service" infrastructure. Consequently, the Company structures its data liability under a strict division of roles:
Role as Controller: Pingüino acts as Controller solely and exclusively over the corporate, billing, legal representatives, and business contact data of its direct Clients.
Role as Processor (Technical Processor): Regarding the personal, financial, or transactional data of our Clients' end users or payers, Pingüino acts merely as a Processor. Our Platform operates as a data router to the financial infrastructure, so the processing guidelines rest with the originating Client.
4. Purposes of Information Processing
The collection, storage, use, distribution, transmission, or transfer of data will be carried out lawfully, for the following restrictive purposes:
4.1. Technological and Operational Purposes
Allow secure access, authentication, and use of the Platform and the API.
Orchestrate, parameterize, and route the payment instructions received.
Provide technical support, troubleshooting, and systems auditing.
4.2. Regulatory Compliance Purposes (SAGRILAFT/AML)
Transmit transactional and identity information to financial networks and underlying Third-Party Allies for the execution of due diligence (KYC/KYB).
Prevent, monitor, and report the risk of money laundering, terrorist financing, exchange evasion, or transactional fraud.
4.3. Administrative Purposes
Manage billing, collection of technology fees, and reporting to the competent tax authorities (DIAN).
Notify changes in the Terms of Service or in this Policy.
5. Client Obligations (Pingüino's Waiver of Liability)
Since Pingüino has no direct legal relationship with the Client's end users, the Client declares under oath and assumes the non-delegable obligation to:
Have obtained the prior, express, informed, and verifiable consent of its end users to collect and route their financial data through technological platforms.
Have explicitly informed its users that their information will be transmitted to technology providers such as Pingüino Capital S.A.S. and financial Third-Party Allies for settlement and Compliance purposes.
Assume 100% of the legal, penalizing, and financial liability before the Superintendencia de Industria y Comercio (SIC) for claims arising from the absence of such consent, holding Pingüino harmless from any demand.
6. Cross-Border Flow and Transmission to Third-Party Allies
The nature of the cross-border service makes the flow of data technologically imperative. The Holder and the Client irrevocably authorize Pingüino to transmit and/or transfer the databases to:
Third-Party Allies: Financial institutions, payment processors, exchanges, and acquirers (domestic or foreign) in charge of carrying out the clearing of funds.
Cloud Providers: Server hosting and cybersecurity companies located outside Colombian territory (e.g., USA, Europe), which have adequate levels of data protection according to international standards.
7. Processing of Sensitive Data and Minors
As a general rule, Pingüino does not require the processing of sensitive data. However, within the framework of the identity validation required by Third-Party Partners (KYC), information such as images of the identity document or facial recognition could be routed. The processing of this data is strictly voluntary. Pingüino prohibits the use of its API for processing transactions involving sensitive data of minors without the express authorization of their legal representatives.
8. Rights of data subjects (ARCO Rights)
In accordance with Article 8 of Law 1581 of 2012, data subjects possess the following rights:
To access, update, and rectify their personal data.
To request proof of the authorization granted to the Controller.
To be informed about the use that has been made of their data.
To file complaints with the SIC for violations of the regulations.
To revoke the authorization and/or request the deletion of the data, provided that there is no legal or contractual duty that obligates Pingüino to maintain it in its database (See Section 11).
9. Responsible Department and Customer Service Channels (PQRS)
To guarantee the exercise of the Rights of the Data Subjects, the compliance management of Pingüino Capital S.A.S. will act as the responsible department. For legal notifications, requirements from the Superintendence of Industry and Commerce, and requests regarding Habeas Data, the following unique and official channels are established:
Notification Address: Calle 17 A SUR 44 170 OF 102, Medellín, Antioquia, Colombia.
Official Emails: info@pinguinowallet.com
10. Regulated Procedure for Inquiries and Claims
To guarantee due process, Pingüino establishes the following procedure:
Inquiries: The Data Subject may consult their information by sending a request to the authorized emails. Pingüino will respond within a maximum term of ten (10) business days. If it is not possible to address it within said term, the reasons will be informed and it will be answered within a maximum of five (5) additional business days.
Claims (Correction, Update, or Deletion): The claim must include the identification of the Data Subject, a description of the facts, the address, and the supporting documents. If the claim is incomplete, the interested party will be required to complete it within the following five (5) days. If two (2) months pass without a response from the applicant, it will be understood as withdrawn. The maximum term to address the complete claim will be fifteen (15) business days, extendable by eight (8) additional days if the technical complexity warrants it.
Processing of Claims as a Processor: If Pingüino receives a claim from an end user of the Client (where Pingüino is only a Data Processor), the Company will transfer the claim to the Client (Data Controller) within a period of two (2) business days, notifying the applicant of this.
11. Exceptional Retention Policy (SAGRILAFT) and Security
Pingüino adopts technical, human, and administrative measures (database encryption, access controls) to ensure the security of the records.
Exception to Deletion: Although the Data Subject has the right to request the deletion of their data, Pingüino reserves the right to deny such deletion and retain transactional, corporate, and identity metadata for a period of five (5) to ten (10) years when such retention is required by anti-money laundering (AML) laws, tax regulations, or requirements from regulated Third-Party Allies.
12. Term and Modifications
This Data Processing Policy becomes effective upon its publication. The databases will remain in effect for the time necessary to fulfill the purposes described herein or as required by law. Pingüino reserves the right to make substantial modifications to this document, which will be communicated to the Client in a timely manner through corporate channels.
