Data Treatment

Privacy Policies and Personal Data Treatment

PINGUINO WALLET from PINGUINO CAPITAL S.A.S., hereinafter “PINGUINO,” a commercial unit with its main office in the city of Medellín – Antioquia, recognizes the importance of the security, privacy, and confidentiality of the personal data of its clients, users, collaborators, suppliers, shareholders, allies, and, in general, all its stakeholders regarding which it handles personal information, therefore, in compliance with constitutional and legal provisions, it adopted this POLICY FOR THE TREATMENT OF PERSONAL DATA.

It is very important for USERS, whether a legal or natural person, to conduct a thorough study of this confidentiality and privacy policy, with the aim of being well informed about the service provided by PINGUINO. It is not mandatory to accept the terms described in the privacy policy, but if authorization to treat the data is not provided, access to the information will not be possible, nor will the processes or inquiries for the required purposes be conducted, so access to the services offered will not be possible. Your consent will imply that these terms have been read, understood, and accepted in their entirety.

APPLICABLE REGULATIONS

Below are the main current regulations in Colombia regarding the protection of personal data, with which PINGUINO is fully committed to complying.

  • Article 15 of the Political Constitution of Colombia

  • Statutory Law 1266 of 2008

  • Law 1273 of 2009

  • Statutory Law 1581 of 2012

  • Decree 1377 of 2013

  • Decree 886 of 2014

  • Decree 1074 of 2015

  • Title V of the Single Circular of the Superintendence of Industry and Commerce.

RECIPIENTS

This policy is directed towards our clients, users, collaborators, suppliers, allies, and generally our stakeholders regarding whom PINGUINO conducts personal information treatment.

DEFINITIONS

The following definitions will be taken into account for the purposes of this policy:

  • Authorization: is the prior, express, and informed consent of the data subject to carry out the processing of personal data.

  • Database: an organized set of personal data subject to processing.

  • Successor: is the person who has succeeded another due to their death (can also be understood as heirs or legatees).

  • Personal Data: any information linked or that can be associated with one or several determined or determinable natural persons.

  • Public Data: data that the law or the Constitution determines as such, as well as all those that are not semi-private or private.

  • Private Data: is data that by its intimate or reserved nature is only relevant to the data subject.

  • Semi-private Data: is data that does not have an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its holder but to a certain sector or group of people.

  • Sensitive Data: is data that affects the privacy of the data subject or whose improper use may lead to discrimination.

  • Data Processor: a natural or legal person, public or private, who alone or in association with others, performs the processing of personal data on behalf of the data controller.

  • Data Controller: a natural or legal person, public or private, who alone or in association with others, performs the processing of personal data.

  • Data Subject: a natural person whose personal data is subject to processing. For PINGUINO, data subjects will be clients, users, collaborators, suppliers, allies, shareholders, visitors, our stakeholders, and any other natural person whose data is subject to processing by PINGUINO, either directly or indirectly.

  • Data Transfer: occurs when the data controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for processing and is located inside or outside the country.

  • Data Transmission: processing of personal data that involves the communication of such data within or outside the territory of Colombia, so that a processor performs processing on behalf of the data controller.

  • Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

GUIDING PRINCIPLES OF PERSONAL DATA PROCESSING

PINGUINO commits to the data subjects to process their personal data in accordance with the following principles:

  • Principle of legality in data processing: PINGUINO is aware that the processing referred to in Law 1581 of 2012 is a regulated activity, which must be subject to what is established in it and in other provisions that develop it.

  • Principle of purpose: PINGUINO will process the data for a legitimate purpose, in accordance with the Constitution and the Law, which will be informed to the data subject.

  • Principle of freedom: PINGUINO will only process the data with the prior, express, and informed consent of the data subject. Personal data cannot be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate.

  • Principle of truthfulness or quality: the information subject to processing must be truthful, complete, updated, verifiable, and understandable. In PINGUINO, the processing of fragmented or misleading data is prohibited.

  • Principle of transparency: PINGUINO recognizes that data subjects have the right to obtain at any time and without restrictions, information about the existence of data concerning them.

  • Principle of restricted access and circulation: processing is subject to the limits derived from the nature of the personal data, in accordance with the provisions of Law 1581 of 2012 and the Constitution. In this sense, processing may only be carried out by persons authorized by the data subject and/or by the persons provided for by law. Except for public information, PINGUINO will not make personal data available on the Internet or other mass communication or dissemination media, unless access is technically controllable to provide restricted knowledge only to data subjects or third parties authorized under Law 1581 of 2012.

  • Principle of security: PINGUINO will handle the information subject to processing referred to in Law 1581 of 2012 with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, consultation, use, or unauthorized or fraudulent access.

  • Principle of confidentiality: all persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that comprise the processing, being able to only supply or communicate personal data when it corresponds to the development of activities authorized in Law 1581 of 2012 and in the terms of this policy.

PINGUINO will request authorization in such a way that the data subject grants their prior, express, and informed consent for the processing to which their personal data is subjected.

Authorization may also be obtained from unequivocal behaviors of the data subject, which reasonably allow concluding that they have granted their consent for the processing of their information. Such behaviors must clearly express the will to authorize the processing.

The consent of the data subject may be obtained by any means that can be subject to later verification, such as written, verbal, virtual communication, or through unequivocal behaviors.

By virtue of its nature and social purpose, PINGUINO receives, collects, registers, preserves, stores, processes, modifies, reports, consults, delivers, transmits, transfers, shares, and deletes personal information, for which it obtains prior authorization from the data subject.

The authorization granted to PINGUINO by data subjects allows, among other things, the realization of the following purposes: to offer and supply information about products and services, as well as to consult, report, and update their data with information and risk operators; to update existing contractual relationships and to comply with agreed obligations.

PINGUINO will keep proof of such authorizations adequately, ensuring and respecting the principles of privacy and confidentiality of the information.

Likewise, in PINGUINO, when it comes to information related to the following types of data, the following special considerations will be taken into account:

Sensitive Data

  • For the processing of sensitive data, PINGUINO will inform the data subject of the following:

  • For the processing of this type of information, the data subject is not obliged to give their authorization or consent.

  • It will be explicitly and prior communicated which type of sensitive data will be requested.

  • The processing and purpose that will be given to sensitive data will be communicated.

  • The authorization of sensitive data will be prior, express, and clear.

PINGUINO informs data subjects that, in accordance with Article 10 of Law 1581 of 2012, the authorization of the data subject will not be necessary when it relates to: (1) information required by a public or administrative entity in the exercise of its legal functions or by judicial order, (2) public nature data, (3) cases of medical or sanitary emergency, (4) processing of information authorized by law for historical, statistical, or scientific purposes, and (5) data related to the Civil Registry of Individuals.

By virtue of the above, PINGUINO may obtain authorization from the data subject through different means, such as verbal, written consent, whether granted through physical or virtual channels designed for that purpose.

RIGHTS OF THE DATA SUBJECT

The data subjects whose information is subject to processing by PINGUINO may:

  • Know, update, rectify, suppress, or revoke their personal data and be informed of the processing that PINGUINO carries out on personal data.

  • Request the portability of their personal data when applicable.

  • File requests and claims related to current regulations on Personal Data Protection.

  • Request the revocation of authorization and/or suppression of a personal data if it is determined that PINGUINO exhibits behavior contrary to current regulations. The request for suppression or revocation will not proceed when data subjects have a legal or contractual obligation to remain in the database of PINGUINO.

In accordance with Art. 20 of Decree 1377 of 2013, the exercise of the aforementioned Rights may be exercised by the following persons:

By the Data Subject, who must sufficiently prove their identity by the different means made available by the controller.

  • By their successors, who must prove such capacity.

  • By the representative and/or attorney of the Data Subject, prior accreditation of representation or power of attorney.

  • By stipulation in favor of another or for another.

  • The rights of children, girls, or adolescents will be exercised by the persons who are empowered to represent them.

DUTIES OF PINGUINO

PINGUINO, as the data controller of the personal data stored in its databases, commits to:

  • Guarantee the data subject full and effective exercise of their rights.

  • Request and keep a copy of the authorization given by the data subject or proof of it.

  • Inform the data subject about the purposes of the collection, the uses of their personal data, and their rights in relation to the authorization given.

  • Keep the information secure to prevent its alteration, loss, consultation, use, or unauthorized access.

  • Guarantee that the information supplied to third parties or data processors is truthful, complete, exact, updated, verifiable, and understandable.

  • Update the information that any third parties or processors may have, regarding all changes concerning the supplied data and adopt the necessary measures to ensure that the information is updated.

  • Rectify the information when it becomes aware that it is incorrect.

  • Ensure that third parties and/or processors of the personal information for which PINGUINO is responsible have effective measures and policies to guarantee the proper processing of that information. Likewise, it will demand a commitment to comply with and apply what is provided in this Personal Data Processing Policy and other guidelines established by PINGUINO or certify that their internal policies at least encompass the provisions laid out herein. If the issuance of certification is not possible, PINGUINO must verify that the third parties’ and/or processors’ internal policies contain security and/or privacy criteria equivalent to or greater than those provided herein. In this sense, the third parties and/or processors must adopt security and privacy measures for the personal data shared with them that are, at a minimum, at the same level of protection adopted by PINGUINO.

  • Attend to inquiries and claims made in accordance with what is provided in this Policy and the law.

  • Inform the data protection authority when security breaches occur and risks exist in the management of the information of data subjects.

PROCEDURE FOR INQUIRIES, COMPLAINTS, AND CLAIMS

Data subjects may use the following procedures when they require any inquiry, complaint, or claim.

Inquiries

Data subjects, their successors, or any other person who may have a legitimate interest may request to be informed about the personal data of the subject that is stored in any PINGUINO database.

In this regard, PINGUINO will guarantee the right to inquiry, informing the personal information related to the data subject.

Inquiries regarding access to information, confirmations of authorizations granted by the data subject, uses and purposes of personal information, or any other inquiries related to the personal information provided by the data subject must be submitted through the channels enabled by PINGUINO.

The inquiry will be attended to within a maximum term of 10 business days from the date of receipt thereof.

When it is not possible to attend to the inquiry within the provided term, the interested party will be informed, indicating the reasons for the delay and the date on which the inquiry will be attended to, which will not exceed 5 business days following the expiration of the first term, in accordance with the provisions of Article 14 of Law 1581 of 2012.

Complaints

Correction, updating, and suppression:

Data subjects, their successors, or any other person with a legitimate interest who considers that the information contained in any of PINGUINO's databases should be subject to correction, updating, or suppression, or who notices a possible non-compliance with the duties established in Law 1581 of 2012 and its regulatory decrees, may file a complaint following the requirements of Article 15 of the same law.

Requirements to file a complaint:

  • Identification of the data subject or the person filing the complaint, indicating their name and identification number.

  • Clearly and expressly describe the reason for the complaint, outlining the facts that originated it, presenting the documents you intend to value.

  • Prove the legitimate interest with which the complaint is made and attach, if necessary, the relevant supports.

  • Indicate the phone number, physical address, and email address to which the notification should be sent and the response to the request.

In any case, if the complaint is incomplete, the interested party will be required within five (5) days following its receipt to correct the deficiencies. If two (2) months have passed since the date of the requirement without the requestor presenting the required information, PINGUINO will understand that the complaint has been withdrawn.

When PINGUINO is not the competent entity to resolve the filed complaint, it will transfer it to the appropriate party within a maximum term of two (2) business days, and the interested party will be informed of this situation.

If the complaint received is complete, a legend stating “complaint in process” and the reason for it will be included in the database, within a term no greater than two (2) business days. This legend will remain until the complaint is resolved.

Now, the maximum term to address the complaint will be fifteen (15) business days from the day following its receipt. When it is impossible to attend to it within this period, the interested party will be informed of the reasons for the delay and the date on which their complaint will be resolved, which in no case shall exceed eight (8) business days after the expiration of the first term.

Data subjects, their successors, or any other person with a legitimate interest may file a complaint with the SIC, but only after they have exhausted the inquiry or complaint process with PINGUINO, as the controller and/or any processor, in accordance with the provisions of Article 16 of Law 1581 of 2012.

Suppression of information and revocation of authorization:

PINGUINO has adopted an internal process for those cases where requests for suppression of information and/or revocation of authorization are presented.

CHANNELS FOR INQUIRIES, COMPLAINTS, AND CLAIMS

PINGUINO has enabled the following channels for data subjects to exercise their rights to know, update, rectify, and/or suppress their personal information.

Email: to file a complaint regarding the handling of personal data, data subjects may send a request to the email address info@pinguinowallet.com

TRANSFER AND TRANSMISSION OF PERSONAL DATA

Occasionally, PINGUINO, as the responsible party for the personal information stored in its databases and in the development of the purposes described in this document, may conduct national or international transfer or transmission of data.

PINGUINO is committed to verifying the level of protection and security standards of the receiving country for personal information, making a declaration of conformity (when applicable) and signing a transfer contract or another legal instrument that guarantees the protection of the personal data object of the transfer.

By virtue of this exchange relationship, PINGUINO has adopted various guidelines for its relationship with third parties in order to protect the information object of this activity.

In order to protect the information, PINGUINO will verify if the SIC has included the respective country in the list of countries that offer an adequate level of data protection or will review the current regulations in the receiving country of information, as well as, in both cases, the policies and procedures of the processor or controller (according to the applicable case), to determine whether there are suitable conditions to guarantee adequate security levels for the information subject to transmission or transfer.

RELATIONSHIP WITH THIRD PARTIES AND/OR PROCESSORS

In the development of this Policy and internal provisions for the proper management of personal data, PINGUINO will ensure that third parties it engages with or establishes commercial, labor, or alliance relationships align their behaviors with the regime of personal data protection in Colombia.

In this regard, PINGUINO, without prejudice to all documentation, models, and means provided for the request for authorization for processing, privacy notices, records, and contractual and/or legal coverage, may request from third parties and/or processors suitable and pertinent information to verify and observe compliance with the provisions contained in the present policy and the personal data protection regime in Colombia.

In this sense, PINGUINO may request third parties and/or processors to prove in advance, during, or after the relationship that links them, compliance with the requirements of the personal data protection regime. Thus, periodic or eventual reviews and supervision of compliance with legal and/or contractual requirements may be requested through evidence or documentation of the management carried out, visits to third parties’ facilities, among other activities that may be coordinated to validate compliance.

PINGUINO will ensure to implement procedures so that once the legal or contractual relationship with the third party and/or processor of the personal data is terminated, the information that has been shared with such third party and/or processor is collected, deleted, destroyed, or any other activity that PINGUINO deems appropriate to provide adequate treatment to the information.

VALIDITY

This Personal Data Treatment Policy was approved on December 11, 2025, and will come into effect on that same date.



Data Processing

Privacy Policies and Personal Data Processing

PINGUINO WALLET of PINGUINO CAPITAL S.A.S., hereinafter "PINGUINO," a commercial unit, with its main address in the city of Medellín – Antioquia, recognizes the importance of security, privacy, and confidentiality of the personal data of its clients, users, collaborators, suppliers, shareholders, allies, and generally all its stakeholders regarding which it processes personal information. Thus, in compliance with constitutional and legal provisions, it adopted this POLICY FOR THE PROCESSING OF PERSONAL DATA.

It is of great importance for the USER, whether a legal entity or natural person, to carry out a detailed study of this privacy and confidentiality policy, with the aim of being well informed regarding the service we provide at PINGUINO. Acceptance of the terms described in the privacy policy is not mandatory, but without the authorization to process the data, one will not be able to access the information, and processes or consultations for the required purposes cannot be carried out, therefore access to the services we offer will not be possible. Your consent will be understood as having read, understood, and accepted this in its entirety.

APPLICABLE REGULATIONS

The following are the main current regulations in Colombia regarding the protection of personal data, with which PINGUINO is fully committed to comply.

  • Article 15 of the Political Constitution of Colombia

  • Statutory Law 1266 of 2008

  • Law 1273 of 2009

  • Statutory Law 1581 of 2012

  • Decree 1377 of 2013

  • Decree 886 of 2014

  • Decree 1074 of 2015

  • Title V of the Single Circular of the Superintendency of Industry and Commerce.

RECIPIENTS

This policy is directed to our clients, users, collaborators, suppliers, allies, and generally our stakeholders regarding whom PINGUINO processes personal information.

DEFINITIONS

The following definitions will be taken into account for the purposes of this policy:

  • Authorization: it is the prior, express, and informed consent of the data subject to carry out the processing of personal data.

  • Database: organized set of personal data subject to processing.

  • Successor: is the person who has succeeded another due to their death (can also be understood as heirs or legatees).

  • Personal Data: any information linked or that may be associated with one or several determined or determinable natural persons.

  • Public Data: data that the law or the Constitution determines as such, as well as all those that are not semi-private or private.

  • Private Data: is the data that by its intimate or reserved nature is only relevant to the data subject.

  • Semi-private Data: is data that does not have an intimate, reserved, or public nature and whose knowledge or disclosure may interest not only its holder but also a certain sector or group of people.

  • Sensitive Data: is the data that affects the intimacy of the holder or whose improper use may generate discrimination against them.

  • Data Processor: natural or legal person, public or private, who by themselves or in association with others processes personal data on behalf of the data controller.

  • Data Controller: natural or legal person, public or private, who by themselves or in association with others processes personal data.

  • Data Subject: natural person whose personal data is subject to processing. For PINGUINO, the data subjects will be the clients, users, collaborators, suppliers, allies, shareholders, visitors, our stakeholders, and any other natural person whose data is subject to processing by PINGUINO, either directly or indirectly.

  • Data Transfer: occurs when the data controller and/or processor of personal data, located in Colombia, sends the information or personal data to a receiver, who in turn is responsible for processing and is located either within or outside the country.

  • Data Transmission: processing of personal data that involves the communication of such data inside or outside the territory of Colombia so that a processor carries out processing on behalf of the controller.

  • Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

GUIDING PRINCIPLES OF PERSONAL DATA PROCESSING

PINGUINO commits to the data subjects to process their personal data in accordance with the following principles:

  • Principle of legality in terms of data processing: PINGUINO is aware that the processing referred to in Law 1581 of 2012 is a regulated activity that must adhere to what is established in it and in other provisions that develop it.

  • Principle of purpose: PINGUINO will process the data for a legitimate purpose, according to the Constitution and the Law, which will be informed to the data subject.

  • Principle of freedom: PINGUINO will process the data only with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate.

  • Principle of truthfulness or quality: the information subject to processing must be truthful, complete, updated, verifiable, and understandable. In PINGUINO, the processing of fragmented data or that may induce error is prohibited.

  • Principle of transparency: PINGUINO knows that data subjects have the right to obtain at any time and without restrictions, information about the existence of data concerning them.

  • Principle of restricted access and circulation: processing is subject to the limits derived from the nature of personal data, according to the provisions of Law 1581 of 2012 and the Constitution. In this sense, processing may only be carried out by persons authorized by the data subject and/or by persons provided for in the law. Except for public information, PINGUINO will not make personal data available on the internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to the owners or third parties authorized under Law 1581 of 2012.

  • Principle of security: PINGUINO will manage information subject to processing as referred to in Law 1581 of 2012 with the technical, human, and administrative measures necessary to provide security to the records, avoiding their alteration, loss, consultation, unauthorized or fraudulent use or access.

  • Principle of confidentiality: all persons involved in the processing of personal data that do not have a public nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks included in the processing has ended, and may only provide or communicate personal data when it corresponds to the development of activities authorized by Law 1581 of 2012 and in the terms of this.

PINGUINO will request authorization in such a way that the data subject gives their prior, express, and informed consent for the processing to which their personal data is subject.

Authorization may also be obtained based on unequivocal conduct of the data subject, which allows concluding reasonably that they granted their consent for the processing of their information. Such conduct must clearly express the willingness to authorize the processing.

The data subject's consent may be obtained by any means that can be consulted later, such as written, verbal, virtual communication, or through unequivocal behavior.

By virtue of its nature and corporate purpose, PINGUINO receives, collects, registers, conserves, stores, processes, modifies, reports, consults, delivers, transmits, transfers, shares, and deletes personal information, for which it obtains prior authorization from the data subject.

The authorization granted to PINGUINO by the data subjects allows, among other things, for carrying out the following purposes: offering and supplying information about products and services, as well as consulting, reporting, and updating its data with information and risk operators; updating existing contractual relationships and fulfilling agreed obligations.

PINGUINO will keep proof of such authorizations adequately, ensuring and respecting the principles of privacy and confidentiality of the information.

Similarly, at PINGUINO, when it comes to information related to the following types of data, the following special considerations will be had:

Sensitive Data

  • For the processing of sensitive data, PINGUINO will inform the data subject of the following:

  • For the processing of this type of information, the data subject is not obliged to give their authorization or consent.

  • It will be explicitly and prior informed what type of sensitive data will be requested.

  • The processing and purpose that will be given to the sensitive data will be communicated.

  • The authorization of sensitive data will be prior, express, and clear.

PINGUINO informs data subjects that, in accordance with Article 10 of Law 1581 of 2012, the authorization of the data subject will not be necessary when it comes to: (1) information required by a public or administrative entity in the exercise of its legal functions or by court order, (2) publicly available data, (3) cases of medical or health emergency, (4) processing of information authorized by law for historical, statistical, or scientific purposes, and (5) data related to the Civil Registry of Persons.

By virtue of the above, PINGUINO may obtain authorization from the data subject through different means, such as, verbal or written authorization, the latter provided through physical or virtual channels designed for that purpose.

RIGHTS OF THE DATA SUBJECT

Data subjects whose information is subject to processing by PINGUINO may:

  • Know, update, rectify, suppress or revoke their personal data and be informed of the processing that PINGUINO performs on their personal data.

  • Request portability of their personal data when applicable.

  • Present requests and complaints related to the current regulations on Personal Data Protection.

  • Request revocation of the authorization and/or suppression of personal data if it is determined that PINGUINO presents a behavior contrary to the current regulations. The request for suppression or revocation will not proceed when data subjects have the legal or contractual duty to remain in PINGUINO's database.

In accordance with Article 20 of Decree 1377 of 2013, the exercise of the aforementioned rights may be exercised by the following individuals:

By the Data Subject, who must sufficiently prove their identity through the various means made available by the data controller.

  • By their successors, who must prove such status.

  • By the representative and/or attorney of the Data Subject, upon proving the representation or empowerment.

  • By stipulation in favor of another or for another.

  • The rights of children and adolescents will be exercised by those authorized to represent them.

DUTIES OF PINGUINO

PINGUINO, as the responsible entity for personal data stored in its databases, commits to:

  • Guarantee to the data subject the full and effective exercise of their rights.

  • Request and keep a copy of the authorization given by the data subject or proof of it.

  • Inform the data subject about the purposes of the collection, the uses of their personal data, and their rights regarding the authorization given.

  • Keep the information in secure conditions to prevent its alteration, loss, consultation, unauthorized use, or access.

  • Guarantee that the information provided to third parties or processors is truthful, complete, accurate, updated, verifiable, and understandable.

  • Update the information that any third party or processor has regarding any changes related to the provided data and adopt the necessary measures to keep the information updated.

  • Rectify the information when it becomes known to them that it is incorrect.

  • Ensure that third parties and/or data processors that PINGUINO is responsible for have effective measures and policies to guarantee the appropriate processing of such information. Likewise, they will require the commitment to adhere and apply what is provided in this Personal Data Processing Policy and other guidelines established by PINGUINO or certify that their internal policies cover at least the provisions set forth here. If it is not possible to issue the certification, PINGUINO must verify that the internal policies of third parties and/or processors include security and/or privacy criteria equivalent to or exceeding those provided herein. In this sense, third parties and/or processors must adopt the security and privacy measures for personal data shared with them, at least at the same level of protection adopted by PINGUINO.

  • Process consultations and claims formulated in accordance with the provisions of this Policy and the law.

  • Inform the data protection authority when security breaches occur and risks exist in the administration of the information of the data subjects.

PROCEDURE FOR CONSULTATIONS, COMPLAINTS, AND CLAIMS

Data subjects may use the following procedures when they require to make any consultation, complaint, or claim.

Consultations

Data subjects, their successors, or any other person who may have a legitimate interest, may request to be informed about the personal data of the data subject that is stored in any PINGUINO database.

In accordance with the above, PINGUINO will guarantee the right to consultation, informing the data subject of the personal information linked to them.

Consultations related to access to information, proof of the authorization granted by the data subject, uses and purposes of the personal information, or any other consultation related to the personal information provided by the data subject must be submitted through the channels enabled by PINGUINO.

The consultation will be addressed within a maximum period of 10 business days from the date of receipt of it.

When it is not possible to address the consultation within the stipulated term, the interested party will be informed, stating the reasons for the delay and the date on which the consultation will be addressed, which will not exceed 5 business days following the expiration of the first term, in accordance with what is established in Article 14 of Law 1581 of 2012.

Claims

Correction, updating, and suppression:

Data subjects, their successors, or any other person with a legitimate interest, who consider that the information contained in any of PINGUINO's databases should be corrected, updated, or deleted or that they see a possible violation of the duties established in Law 1581 of 2012 and its regulatory decrees, may submit a claim following the requirements of Article 15 of the same law.

Requirements to submit a claim:

  • Identification of the data subject or of the person submitting the complaint, stating their name and identification number.

  • Clearly and expressly describe the reason for the claim, stating the facts that originated it, presenting the documents they wish to rely on.

  • Prove the legitimate interest with which the person presenting the claim acts and attach, if necessary, the corresponding supports.

  • Indicate the phone number, physical address, and email to which the notification should be sent and the response to the request.

In any case, if the claim is incomplete, the interested party will be required within five (5) days following receipt of it to correct the shortcomings. If two (2) months have passed since the date of the request, without the requester providing the required information, PINGUINO will understand that they have withdrawn the claim.

When PINGUINO is not the competent entity to resolve the claim presented, it will be referred to the responsible party within a maximum period of two (2) business days, and the interested party will be informed of this situation.

In the event that the claim is received complete, a legend saying "claim in process" and the reason for this will be included in the database within no more than two (2) business days. This legend will remain until the claim is resolved.

Now, the maximum term to address the claim will be fifteen (15) business days from the day after the date of receipt. When it is not possible to address it within this term, the interested party will be informed of the reasons for the delay and the date on which their claim will be resolved, which in no case may exceed eight (8) business days following the expiration of the first term.

Data subjects, their successors, or any other person with a legitimate interest may file a complaint with the SIC, but only after having exhausted the procedure of consultation or claim with PINGUINO, as the responsible party and/or any processor, in accordance with the provisions of Article 16 of Law 1581 of 2012.

Suppression of information and revocation of authorization:

PINGUINO has adopted an internal process for cases where requests for suppression of information and/or revocation of authorization are submitted.

CHANNELS FOR CONSULTATIONS, COMPLAINTS, AND CLAIMS

PINGUINO has enabled the following channels for data subjects to exercise their rights to know, update, rectify, and/or suppress their personal information.

Email: to make a complaint about the handling of personal data, data subjects can send a request to the email address info@pinguinowallet.com

TRANSFERS AND TRANSMISSIONS OF PERSONAL DATA

Eventually, PINGUINO, as the responsible entity for the personal information stored in its databases and in development of the purposes described in this document, may carry out national or international transfer or transmission of data.

PINGUINO is committed to verifying the level of protection and security standards of the receiving country of the personal information, to make the declaration of conformity (when applicable), and to sign a transfer contract or other legal instrument that guarantees the protection of the personal data subject to transfer.

By virtue of this exchange relationship, PINGUINO has adopted various guidelines for the relationship with third parties, in order to protect the information subject to this activity.

In order to protect the information, PINGUINO will check whether the SIC has included the respective country in the list of countries that provide an adequate level of data protection or will review the current regulations in the receiving country of the information, as well as, in both cases, the policies and procedures of the processor or controller (as applicable), to determine whether suitable conditions exist to guarantee adequate levels of security for the information subject to transmission or transfer.

RELATIONSHIP WITH THIRD PARTIES AND/OR PROCESSORS

In the development of this Policy and the internal provisions for the proper handling of personal data, PINGUINO will ensure that third parties with which it is linked or with which it establishes commercial, labor, or alliance relationships adjust their conduct to the personal data protection regime in Colombia.

In view of the above, PINGUINO, without prejudice to all the documentation, models, and means provided for the request for authorization for processing, the privacy notices, records, and contractual and/or legal covers, may request third parties and/or processors suitable and pertinent information to verify and observe compliance with the provisions contained in this policy and in the personal data protection regime in Colombia.

In this sense, PINGUINO may request third parties and/or processors to demonstrate compliance with the requirements of the personal data protection regime, either prior, during, or after the relationship that links them, in such a way that a review and supervision may be requested on an occasional or periodic basis, of compliance with legal and/or contractual requirements, through evidence or support of the management carried out, visit the third party's facilities, among other activities that may be coordinated to validate compliance.

PINGUINO will ensure to have procedures so that once the legal or contractual relationship with the third party and/or processor of personal information ends, the information that has been shared with such third party and/or processor is collected, deleted, destroyed, or any other activity that PINGUINO considers pertinent for proper treatment.

DURATION

This Personal Data Processing Policy was approved on December 11, 2025, and comes into effect from that same date.