Personal Data Protection Policies
CONTENT
How do we protect your Personal Data and Privacy?
What regulations do we have to comply with in the processing of your personal data?
To be clear when reading our Policy!
Who are our data subjects?
What principles do we guarantee in the processing of your personal data?
What Information Do We Collect From You?
What do we use the information we collect for?
How may we process your personal information?
Why do we share information with third parties?
What are our obligations to you when dealing with your personal information?
How do we obtain your authorization/consent for the processing of your personal information?
What are your rights?
How can you exercise your rights?
Where can you exercise your rights?
What is the area responsible for processing your requests for inquiries or complaints?
Can we change this Policy?
How long are the Databases and this Policy valid?
Who is responsible for your personal information?
1. How do we protect your Personal Data and Privacy?
Your privacy is important to Sanmor Tech S.A.S. (hereinafter "Soulbit" or "the Company"), and therefore, Soulbit recognizes the importance of the security, privacy, and confidentiality of the personal data of its employees, potential customers, customers, suppliers, and in general all of its stakeholders with respect to whom it processes personal information.
In compliance with constitutional and legal mandates, we make available the following Personal Data Protection Policy (hereinafter the "Policy"), applicable to all activities that involve the processing of personal information by Soulbit as the data controller and any of its processors.
This Policy supersedes all prior agreements, whether oral or written, between You and Soulbit regarding the collection, use, storage, circulation, disclosure, and deletion of your personal data, and may be modified by Soulbit at any time, informing such modifications to the owners of the information through the channels that the Company provides for such purpose, as provided by local regulations.
2. What regulations do we have to comply with in the processing of your personal data?
This Policy was developed in compliance with Law 1581 of 2012 – Personal Data Protection Law (hereinafter "LPDP"), Decree 1074 of 2015, and other provisions that add, modify, regulate, expand, complement or delete them.
Our Policy is intended to ensure the constitutional right of all individuals to know, update, and rectify information that has been collected about them in databases or files that Soulbit has collected. For the purposes of this Policy, Soulbit will be responsible for personal information.
3. To be clear when reading our Policy!
Below, we point out key concepts to understand and take into account while reading our Policy:
a) Authorization: Prior, express and informed consent of the owner of the personal data to carry out the processing of personal data. Consent may be granted in writing, orally, or through unequivocal conduct by the Owner that allows concluding that the authorization was granted.
b) Privacy Notice: The verbal or written communication whose purpose is to inform the Data Owner about the existence of a personal data processing policy, applicable in the process of processing their information.
c) Database: The organized set of personal data that will be subject to Processing by Soulbit. Databases are considered information assets that contain information organized on magnetic or physical media of potential customers, customers, suppliers, and employees, among others.
d) Personal Data: Any information linked to or that can be associated with one or more specific or determinable natural persons. Personal data is classified as:
Public Data: Data that is not private or sensitive. Examples: name, ID, marital status, gender.
Semi-private Data: Data that is not intimate, reserved, or public in nature and whose disclosure may be of interest not only to its owner, but also to a certain sector or group of people or society in general, such as financial and credit data.
Sensitive Data: Data that affects the privacy of the owner or whose improper use may generate discrimination, such as racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, or human rights groups, as well as data related to health, sex life, and biometric information (fingerprints, photographs, iris, facial or palm recognition, etc.).
Personal data of minors is always considered sensitive, regardless of type. Its processing is prohibited, except in the following cases:
Explicit authorization from the Owner.
Safeguarding the vital interest of the holder.
Legitimate activities by Foundations, NGOs, associations, or non-profits.
Recognition, exercise or defense of a right in a judicial process.
Historical, statistical or scientific purpose (data must be anonymized).
e) Data Processor: Natural or legal person who processes personal data on behalf of the Data Controller.
f) Data Controller: Natural or legal person who decides on the database and/or processing of the data.
g) Information Repository: Organized set of data in physical or magnetic media, possibly containing personal information.
h) Data Owner: Natural person whose personal data are subject to processing.
i) Transfer: Sending of data to another Controller, inside or outside the country.
j) Transmission: Communication of data for processing by a Processor on behalf of the Controller.
k) Processing: Any operation on personal data, such as collection, storage, use, circulation, or deletion.
4. Who are our data subjects?
In the development of our corporate purpose and the different support activities for its fulfillment, we may process the personal data of various data subjects, such as:
Potential customers
Clients
Potential suppliers
Suppliers
Aspiring employees
Employees
Petitioners and/or Claimants
5. What principles do we guarantee in the processing of your personal data?
Soulbit develops the processing of Personal Data respecting general and special rules, applying the following principles:
a) Principle of legality: All processing is subject to Law 1581 of 2012, Law 1266 of 2008, and related provisions.
b) Principle of purpose: Processing must serve a legitimate purpose consistent with the law and as informed to the owner.
c) Principle of freedom: Processing may only occur with the free, prior, express, and informed consent of the owner.
d) Principle of truthfulness or quality: Information must be truthful, complete, accurate, updated, verifiable, and understandable.
e) Principle of transparency: Soulbit guarantees the right to obtain information about the existence of data concerning you at any time.
f) Principle of restricted access and circulation: Private information can only be accessed by authorized persons or as legally allowed.
g) Security principle: Personal information will be handled with technical, human, and administrative measures to ensure security.
h) Principle of confidentiality: All persons involved in data processing are obligated to maintain confidentiality, even after their relationship with Soulbit ends.
i) Principle of temporality: Data will be retained only for as long as necessary to achieve its purpose or as required by law.
6. What Information Do We Collect From You?
Information You Provide to Us
When you purchase any Soulbit product, sign up for an event, apply for a job, become a supplier, or otherwise provide us with your personal information, you agree that we may collect certain Personal Information from and about you, such as:
Full name, identification, date of birth, or any acceptable identity document.
Financial information (income, assets, equity, liabilities, tax returns).
Transaction information and source of funds.
Any data required to provide a product.
Digital identity and reputation information available in online environments (social networks, messaging apps, etc.).
Biometric data for identity verification or when required by law.
For legal entities (companies, corporations, partnerships, etc.), we may collect the above information for each authorized person, including legal representatives, partners, associates, and administrators.
Information Provided by Third Parties
Soulbit may obtain Personal Information about you from affiliated entities, business partners, or other independent third-party sources, and all information collected will be treated according to this Policy.
Information our systems collect
When you use our services or participate in contests or surveys via Soulbit platforms, we may collect data such as device information, operating system, IP address, location data, browser info, and transaction details. We may also use Cookies, Web Beacons, and Tagging to evaluate and improve user experience, communications, and services.
7. What do we use the information we collect for?
Marketing Activities
We may analyze and use your information to better understand the use of our products and to identify other products or services of Soulbit or third parties which may be of interest to you, and we may share your information within Soulbit for these purposes.
We may also use and share your Personal Information within Soulbit so that we and our business partners can contact you directly to inform you about products, services, offers, promotions, events, marketing campaigns, and research, through mail, telephone, email, or internet-based communication tools.
We will not share your Personal Information with third parties outside of Soulbit for marketing purposes without your express consent.
If you have a product with Soulbit, you agree that we may use, disclose and collect information about you from public entities such as the National Registry of Civil Status, information operators, and control entities (when applicable), to offer you services, strengthen the relationship, and respond to your requests. We may continue to use and disclose your Personal Information even after the termination of the relationship.
You may revoke your consent to the use and disclosure of your Personal Information for the marketing purposes listed above at any time.
Cookies, Web Beacons, and Tagging
Cookies are information stored on your device to help websites remember your preferences. We use cookies for proper website functioning, to offer Soulbit’s products and services, and to analyze visitor behavior to improve user experience.
Web Beacons are images inserted into webpages or emails to monitor visitor activity (IP address, time spent, browser type, etc.).
Tagging refers to code snippets that track user activity for analysis and experience optimization.+
Management of the Business Relationship
Subject to applicable legal requirements, by establishing a business relationship with Soulbit, you expressly authorize us to use, disclose, collect, verify, share and exchange information about you with third parties for the development of all matters related to the business relationship.
You agree that while you are linked to Soulbit in a business or commercial relationship, we may collect, use, and disclose your Personal Information, and transmit or transfer it to any third party for purposes including but not limited to:
Verify your identity.
Validate your information.
Comply with regulatory reports to local, national, or international authorities.
Configure, manage and offer products that meet your needs, and respond to requests, complaints, or claims.
Associate and analyze information related to your digital reputation.
Deepen the business relationship by offering you our products.
Comply with legal and regulatory requirements.
Respond to lawful court orders or instructions from competent authorities.
Manage and assess risks, investigate claims, detect or prevent fraud or criminal activity.
Report information to credit, financial, or commercial risk centers.
Share data with third-party service providers (technological, accounting, tax, logistics, etc.).
Provide information to public authorities when required.
Any other sharing expressly authorized by you.
You must keep your personal data accurate and up to date and are responsible for the consequences of not doing so.
Monitoring
Soulbit is entitled to monitor its products to comply with legal and regulatory obligations, employing systems to prevent or detect fraud or crimes such as money laundering or financing of terrorism. We may share your data with affiliates, strategic partners, and subsidiaries for these purposes.
We may record and retain phone calls or other communications with you for recordkeeping, service quality, dispute resolution, and training. Such records are protected under this Policy and destroyed according to applicable retention periods.
Employee Selection and Hiring
By starting a selection process or employment relationship with Soulbit, you consent to us processing your personal information to:
Manage personnel selection and recruitment processes.
Conduct human resources activities (payroll, benefits, welfare, occupational health, etc.).
Register employees in company systems for accounting and administrative purposes.
Make payments derived from employment or contract termination.
Contract labor benefits with third parties (e.g., insurance, health plans).
Notify emergency contacts.
Manage training and access to work tools.
Conduct forensic analyses or investigations when necessary to safeguard assets.
Processing of Personal Data of Children and Adolescents
Soulbit will only process data of minors when it serves their best interests and respects their fundamental rights. Authorization must be obtained from the legal representative after the minor has been heard.
Supplier and Contractor Management
Soulbit may process personal data of suppliers and contractors to:
Conduct due diligence and background checks.
Assess and manage contractual risk.
Comply with operational, legal, and security parameters.
Fulfill authority requirements when necessary for justice or public interest.
Share or transfer data with affiliates, partners, or authorized third parties (domestic or international).
Register and process supplier payments.
Formalize and manage contractual, financial, or logistical obligations.
Verify reputation and AML/CFT risks.
Evaluate supplier performance.
8. How may we process your personal information?
Personal Information may be shared with:
i. Soulbit affiliates, partners and business collaborators.
ii. Service providers (technology, data transmission, identity verification, etc.).
iii. National, departmental, or municipal public authorities.
iv. Marketing providers for campaign analysis and optimization (may include IP, device IDs, OS version, etc.).
v. UX providers for user experience analysis (may include interaction data and device details).
vi. Digital asset service providers such as Stilllman Digital to enable sending and receiving assets.
You may revoke consent for transmission of your data to third parties by contacting us at the addresses at the end of this Policy. Revocation may limit or terminate service provision.
Transfers may occur internationally, including to countries without adequate data protection levels (e.g., Brazil, the U.S.). By accepting this Policy, you consent to such transfers.
Soulbit and its partners may carry out the following:
Store, record, and process your data in databases.
Order, classify, and verify information.
Analyze and compare data internally or with affiliates.
Transfer or transmit data internationally as required for operations or compliance.
International Transfer Example:
Data may be transmitted to Argentina (authorized by EU Decision 2003/490/EC).
Purpose: Administrative, operational, and commercial support between Sanmor Tech S.A.S. (Controller) and Soulbit (Processor).
Obligations: Both parties safeguard security, maintain confidentiality, allow audits, and ensure compliance with Law 1581.
9. Why do we share information with third parties?
Not all products or services are provided directly by Soulbit. We may use third-party service providers or partners to process Personal Information on our behalf. Such entities must comply with our Data Protection Policy and use the data only for identified purposes.
Soulbit may verify compliance through audits or supervision and require evidence from partners. Non-compliance may lead to corrective action or contractual review.
10. What are our obligations to you when dealing with your personal information?
As Data Controller, Soulbit undertakes to:
a) Guarantee full and effective exercise of the right of habeas data.
b) Request and retain proof of authorization.
c) Inform you of collection purposes and your rights.
d) Keep information secure from unauthorized access or alteration.
e) Ensure information is truthful, complete, and updated.
f) Communicate updates promptly to processors.
g) Rectify incorrect data.
h) Process only authorized data.
i) Require processors to maintain data security.
j) Respond to queries and complaints.
k) Inform processors of ongoing data disputes.
l) Inform data subjects of data use upon request.
m) Report security breaches to authorities.
n) Comply with requirements issued by the Superintendence of Industry and Commerce.
11. How do we obtain your authorization/consent for the processing of your personal information?
Before processing your Personal Information, Soulbit requests prior, express, and informed authorization, except in the cases defined in Article 10 of Law 1581 of 2012. Authorization may be granted:
In writing.
Orally.
By unequivocal conduct indicating consent.
Safeguarding Personal Information
The information collected is used strictly for purposes related to our corporate activities. Access is restricted to authorized and trained employees. We employ physical, electronic, and procedural security measures to ensure confidentiality.
You agree that Soulbit may retain and use your Personal Information even after termination of your relationship, as permitted by law.
Accuracy of Personal Information
While linked to Soulbit, you must provide accurate and updated information and notify any changes promptly.
12. What are your rights?
As the Data Subject, you have the right to:
a) Know, update, and rectify your personal data.
b) Request proof of authorization, except when legally exempt.
c) Be informed about how Soulbit processes your data.
d) File complaints with the Superintendence of Industry and Commerce for violations of Law 1581.
e) Revoke authorization or request deletion of data when processing violates the law or Constitution.
You cannot revoke consent or request deletion when legal or contractual duties require retention in Soulbit’s databases.
13. How can you exercise your rights?
Procedures for Accessing, Viewing, Rectifying, and Updating Your Personal Information
You have the right to access your personal data and the details of the processing of such Personal Information, as well as to rectify and update them if they are inaccurate, or to request their deletion when you consider that they are excessive or unnecessary for the purposes for which they were obtained, or to object to their Processing for specific purposes.
Consultations
Authorization for the processing of your Personal Information in the different scenarios described in this Policy will be obtained by Soulbit through requests made available to you in each of the channels or information capture points associated with our activities.
Through the Consultations procedure, you may:
a) Request access to your Personal Information.
b) Request proof of the authorization granted by you to Soulbit for the processing of your personal information.
c) Consult the use of your personal information.
Inquiries must be submitted through the channels provided and following the procedure described below:
At any time and free of charge, you may make inquiries regarding the personal data that is processed by Soulbit. In all cases, the identity and the authority to make the consultation must be accredited.
The query will be answered within a maximum term of ten (10) business days from receipt. When it is not possible to respond within that term, the interested party will be informed of the reasons, indicating a new date for resolution, which will not exceed five (5) additional business days.
Claims
You may request the correction and updating of personal information, the deletion of data, and the partial or total revocation of the authorization given to Soulbit, through the presentation of a claim that will follow the following procedure:
At any time and free of charge, you may make claims regarding the personal data processed by Soulbit. In all cases, identity and authority must be accredited.
The claim shall be addressed within a maximum period of fifteen (15) business days from the day following its receipt. When not possible within that term, Soulbit will inform you of the reasons for delay and the new date for response, which may not exceed eight (8) additional business days.
The minimum requirements established in this Policy are those stipulated in Law 1755 of 2015 (Right to Petition). Accordingly, your request must include at least:
a) Identification of the Owner (name and ID).
b) Description of the facts giving rise to the query or complaint.
c) Purpose of the petition.
d) Notification address (physical or electronic).
e) Supporting documents (especially for claims).
Prerequisite for filing complaints with the Superintendence of Industry and Commerce
If you wish to file a complaint with the Superintendence of Industry and Commerce regarding personal data, you must first exhaust the consultation or claim process with Soulbit, in accordance with the above indications. Soulbit reiterates its full willingness to address your concerns.
14. Where can you exercise your rights?
You may exercise your rights and submit inquiries and/or complaints through:
a) Internet: www.soulbit.io, through the “Help Center”, as well as the chat or widget on the same website.
b) Email: notificaciones@sanmortech.com
The response time for your inquiries and/or claims will begin once Soulbit has effective knowledge of your request through these established channels.
15. What is the area responsible for processing your requests for inquiries or complaints?
Soulbit, through its Customer Experience Area, will attend to all requests, queries, and claims from data subjects so that they can exercise their rights to know, update, rectify, and delete data and revoke authorization related to the protection of personal data.
16. Can we change this Policy?
You acknowledge and agree that we may modify, change, or replace this Policy at any time, to consider changes in laws, regulations, or other circumstances that may arise.
In accordance with current regulations, we will notify you of any modifications or material changes made to this Policy through the means that Soulbit has established for this purpose.
17. How long are the Databases and this Policy valid?
Validity of the Databases:
Personal Data will remain in our databases for the term required by law for document and information conservation and for as long as necessary for the activities mentioned above, and as long as the Owner does not revoke authorization (where such revocation is appropriate).
Validity of the Policy:
From the time of its publication and availability.
18. Who is responsible for your personal information?
Information of the Data Controller:
Sanmor Tech S.A.S.
Main address: Calle 93B No. 13-30, Bogotá D.C., Colombia
Website: www.soulbit.io
Email: notificaciones@sanmortech.com
Soulbit