Privacy Policy

Colo Coffee S.A.S. (hereinafter referred to as "Colo"), a company domiciled in the city of Bogotá, located at Carrera 12A No. 83-48, with telephone number 7030325, and email address admin@colo.coffee, hereby establishes and makes public the principles and parameters by which it will carry out the processing of personal data that it collects in the course of its business, in both the capacities of data controller and data processor:


  1. Purpose
    Through this data processing policy, Colo aims to establish the rules applicable to the processing of personal data collected, used, and stored by this company in the course of its business, in the capacities of data controller and/or data processor as the case may be.

    All of the above is based on Statutory Law 1581 of 2012, regulated by National Decree 1377 of 2013, and Decree 1074 of 2015, complementary circulars and their constitutional foundations regarding the protection of privacy, protection of personal data, and the right to habeas data.

  2. Scope
    This policy shall apply to the processing of personal data carried out in Colombian territory, or when the norm applies to the controller and/or processor located outside Colombian territory, by virtue of international treaties, contractual relationships, among others.

    The provisions contained in this policy shall apply to any personal database that is in Colo's custody, whether as a data controller or data processor.

  3. Definitions
    In accordance with Law 1581 of 2012, for the purposes of this policy, the following terms shall have the following meanings:

    a) Authorizations: Prior, express, and informed consent of the data subject to process their personal data that do not have the characteristic of being public.

    b) Personal database: An organized set of data that is subject to processing by the company. It can be automated or physical according to its storage form.

    c) Personal data: Any information linked or that can be associated with one or more natural persons, identifying them.

    d) Sensitive personal data: Those that affect the privacy of the data subject or whose misuse may result in their discrimination. For this reason, they enjoy special protection, specifically referring to health, sex, political affiliation, race or ethnic origin, biometric data, membership in unions, among others.

    e) Data controller: A natural or legal person, public or private, who, alone or in association with others, decides on the database and its processing.

    f) Data processor: A natural or legal person, public or private, who, alone or in association with another, carries out the processing of personal data on behalf of the data controller.

    g) Data subject: The natural person whose data is being processed.

    h) Data processing: Any operation or set of operations performed on personal data such as collection, storage, use, deletion, etc.

    i) Responsible area: Person or group of people who have custody and responsibility for personal databases within the company.

    j) Habeas data: Fundamental right of every person to know, update, rectify and/or cancel at any time the information owned by them, which is managed by third parties.

  4. Data processing and purposes:
    The processing that Colo will carry out acting as controller and/or processor will be to collect, store, process, use, manage, circulate and transmit personal data, strictly following the guidelines established by law, for the following purposes, as applicable:

    4.1 Employee Data
    Colo will process the data collected in these databases for:

    a) Creating specific files for each worker with their personal data in order to use it whenever required.

    b) Complying with the obligations contracted by Colo in favor of the employee in the development of the employment contract signed with the employee.

    c) Carrying out the affiliation of employees and their designated beneficiaries, aimed at complying with the labor law obligations generated as a result of the employee's relationship with Colo.

    d) Assigning users and corporate email accounts, which involves the generation and sending of correspondence in the development of the contract signed between the worker and Colo.

    e) Consulting and safeguarding the academic, disciplinary and employment history of the employee in order to keep a historical record of such information of the workers who join the company, which can be used in the future to provide references if required.

    f) Complying with payment of payroll and parafiscal obligations caused in favor of the employee by virtue of their employment relationship.

    g) Creation of contact channels between the company, the employee, and their family members if required.

    h) Management of accounting and labor information to comply with contractual and legal requirements.

    i) Regarding former employees, the information will be kept if required by any judicial or administrative authority.

    j) Regarding candidates who provided their information when participating in selection processes, occasionally this information will be retained in order to make new contact in case a new vacancy opens.

    k) Biometric and video registration and control in order to safeguard people and property inside Colo and Colo-owned commercial establishments.

    4.2. Suppliers.
    Within the organization, it has been decided to organize these databases into three categories for ease of treatment, namely: fixed, occasional, and prospective suppliers. However, despite this internal scheme, the data compiled in this database will be used for:

    a) Collecting general and contact information of all suppliers who have provided, are providing, and may provide services to Colo.

    b) Establishing a contact channel between the suppliers and Colo.

    c) Preparation and submission of correspondence and information by Colo regarding internal, promotional, and lottery activities, in which the owners may participate.

    d) Generation and sending of correspondence in cases where Colo decides to promote its products, services, and others.

    e) Monitoring the execution of agreements, contracts, or purchase orders generated as a result of the commercial relationship between Colo and the supplier.

    f) Accounting registration and internal monitoring regarding payments to suppliers.

    g) Request for quotes, proposals, and purchase orders.

    h) Compliance with administrative, contractual, accounting, and/or tax obligations.

    i) Contact for quotes and request for new services and products required by the company in order to properly develop its corporate purpose.

    j) Verification of commercial references.

    4.3. Customers.
    In the course of its corporate purpose, Colo processes the information contained in this database for the following purposes:

    a) Marketing of products and services that Colo usually offers in the market as part of its business activities.

    b) Issuance of sales invoices generated from the purchase of products by the customer.

    c) Conducting follow-ups or studies aimed at improving the service provided, as well as the products marketed by Colo.

    d) Responding to requests, concerns, complaints, and inquiries raised by customers.

    e) Informing customers through any means about promotions, news, current and future products and services related to events, contests, promotional activities, special dates, birthday courtesies, and other commercial purposes directly or indirectly related to Colo's business activities, and/or promotions, news, products, and services promoted directly by Colo's strategic allies that provide added value to users and/or customers.

    f) Carrying out promotional activities, events, contests, and giveaways designed by Colo to build customer loyalty in a proper manner.

    g) Generating and sending information of interest regarding advertising, promotional activities, contests, and giveaways.

    h) Offering incentives to all customers who are part of the interest groups created by Colo, aimed at customer loyalty.

    i) Conducting satisfaction surveys on the overall functioning and services provided by Colo.

    j) Fulfillment of contractual obligations.

    k) Fulfillment of administrative, accounting, and/or tax obligations.

    l) If applicable, carrying out collection management activities in case of outstanding balances or overdue capital by customers.

    m) Inviting customers to events promoted or organized by Colo to promote and boost new products and services.

    n) Registering and controlling biometric and video data in order to safeguard the security of goods and people inside Colo's commercial establishments.

    4.4. Children and adolescents under the age of majority:
    In compliance with the provisions of Law 1581 of 2012 and Decree 1074 of 2015, this data will always be requested with the consent of the minor's representative, who will be previously informed about the treatment that will be given to the data, the purposes, and in full knowledge that they are not obligated to provide such data.

    Likewise, they will be treated in accordance with the development by the Colombian Constitutional Court, that is, always respecting their fundamental rights and seeking to achieve their well-being and the development of their superior interests.

    In this regard, Colo may request data from minors for the following purposes:

    a) Affiliations as beneficiaries of social services linked to social benefits at the request of their representative.

    b) Creation of a group of minors, children of employees, for Christmas gifts.

    c) Biometric control and registration of video installed in the company's commercial establishments in order to safeguard the security of the goods and people inside them.

    4.5. Biometric Data:
    Colo has decided to implement security systems (monitoring through Closed Circuit Television) in its facilities in order to prevent criminal activities, as well as to safeguard the integrity and security of the people and property located there.

    Finally, and specifically, any other purposes that Colo considers relevant for the proper and normal development of its social object, provided that they are previously informed to the data subject.

  5. Rights of data subjects:
    Data subjects whose information is processed by Colo as a responsible party or as a data processor have the following rights in accordance with the provisions of the Political Constitution of Colombia and the applicable and current regulations.

    The exercise of these rights may only be carried out exclusively by the data subject or by the persons authorized by him/her in accordance with the law.

    a) Know, update and rectify their personal data in relation to the Controllers or Processors. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fractioned, misleading data, or those whose processing is expressly prohibited or has not been authorized.

    b) Request proof of the authorization granted to the Controller, unless expressly excepted as a requirement for the Processing.

    c) Be informed by the Controller or Processor, upon request, about the use that has been given to their personal data.

    d) File complaints with the Superintendence of Industry and Commerce for violations of the provisions of this policy and the laws regulating the matter.

    e) Revoke the authorization and/or request the deletion of the data when the principles, constitutional and legal rights and guarantees are not respected in the Processing. The revocation and/or deletion shall be made when the Superintendence of Industry and Commerce has determined that the Controller or Processor have engaged in conduct contrary to this law and the Constitution.

    f) Access for free to personal data that have been subject to Processing.

  6. Duties of Colo regarding databases with personal information of third parties when acting as responsible and processor.

    6.1 Duties as Data Controller.
    When Colo assumes the role of Data Controller for personal data, it will carry out such management in compliance with the following duties, without prejudice to the other provisions provided by law.

    a) Guarantee the information owner at any time and free of charge the full and effective exercise of the rights to know, update, modify, and rectify their data.

    b) Request and keep, in cases where it is necessary, a copy of the respective authorization granted by the owner.

    c) Keep the information under the necessary security conditions to prevent its use, access, alteration, unauthorized or fraudulent consultation, alteration, or loss.

    d) Update the information and, in case of making substantial changes in the treatment of databases, inform both the owners and the processor, if any.

    e) Rectify the information when it is incorrect and inform the processor, if any.

    f) In case of a processor for information treatment, provide only data whose treatment is previously authorized by the owner.

    g) Process inquiries and claims made by information owners within the terms set forth by law and reflected in this processing policy.

    h) Socialize with the responsible areas within the company the procedures and policies to ensure compliance with the law regulating the matter.

    i) Inform, upon request of the owner, about the use given to their data.

    j) Inform the personal data protection authority when there are violations of information security standards and therefore risks in the management of owners' information.

    k) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

    6.2 Duties as Data Processor. When Colo assumes the role of Data Processor for personal data under its custody, it must comply with the following duties, without prejudice to the other provisions provided by law.

    a) Guarantee the owner at all times the full and effective exercise of the right to habeas data.

    b) Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.

    c) Timely update, rectification or deletion of data in accordance with the law.

    d) Update the information reported by data processors in accordance with the terms agreed upon in contracts with them.

    e) Process inquiries and complaints made by data subjects in accordance with this policy and the applicable law.

    f) Share with the relevant departments within the company the procedures and policies to ensure compliance with the law governing the matter.

    g) Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.

    h) Allow access to information only to those individuals who have a legitimate right to access it.

    i) Notify the data protection authority when there are violations of information security standards and, therefore, risks in the management of data subjects' information.

    j) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

  7. Procedure for addressing requests and complaints by data subjects.

    In compliance with the fundamental right of data subjects to Habeas Data regarding their rights of access, consultation, update, rectification, or deletion, the following procedure will be followed:

    a) The rights regarding personal data can only be exercised directly by the data subject or by a legally authorized third party in accordance with Law 1581 of 2012. This condition will be accredited by a copy of the identity document, and in the case of authorization, a duly granted power of attorney.

    b) The request to exercise any of these rights must be made through the channel established by Colo in this Personal Data Processing Policy.

    c) The request to exercise the rights must contain:

    Name of the data subject and, if applicable, of their attorney or representative. Specific and precise request for the right they wish to exercise. In each case, the request must be reasonably justified so that Colo, as the data controller, can respond. Notification address. Documents supporting the request.

    Signature of the request.

    If any of the indicated requirements are missing, Colo will notify the applicant within 5 days of receiving the request so that they can be completed. If two months pass without the required information being provided, it will be understood that the request has been withdrawn.

    Internally, Colo will be responsible for creating a database of requests and complaints, as well as complying with the legal obligation to report them to the Superintendence of Industry and Commerce.

    If Colo acts as the information controller, it will respond to the complaint within a maximum of 15 business days from the day following the date of receipt. If it is not possible to respond to the complaint within that term, the interested party will be informed of the reasons for the delay and the date on which their complaint will be addressed, which cannot exceed 8 business days following the expiration of the initial term.

    In turn, if Colo acts as the data processor, it will inform the data subject or interested party about the situation and communicate the request to the data controller, so that they can respond to the consultation or complaint presented. This information will be provided to the data subject so that they are aware of the identity of the data controller and the main obligation to guarantee the exercise of their right.

    In accordance with the law, if it is necessary to go to the Superintendence of Industry and Commerce to exercise the legal actions contemplated for data subjects or interested parties, the procedure described here must be exhausted beforehand.

  8. Designated channel for receiving requests and complaints in exercise of the rights of data subjects.

    In any case, Colo acting as a data processor or data controller will receive requests and complaints in exercise of the rights of data subjects at the email address:

    admin@colo.coffee.

    This email will be monitored and managed by the administrative area of the company, who is aware of its legal obligations in order to attend to the requests made through this channel.

    Any changes to this channel will be duly communicated to the data subjects.
  9. Prohibitions.

    In the development of this Personal Data Processing Policy, and its correct application, the following prohibitions are established:

    a) Colo prohibits access, use, management, transfer, communication, storage, and any other processing of sensitive personal data without prior authorization from the data subject and Colo itself.

    b) Colo only processes personal data of children and adolescents under legal age with the express authorization of their legal representatives. Any processing of this type of data must ensure the prevailing rights recognized by the constitution for these individuals, and for specific purposes informed prior to their delivery.

    c) International transfer of personal data to third countries that do not provide adequate levels of data protection in accordance with Law 1581 of 2012 and the standards set by the Superintendency of Industry and Commerce is prohibited, applying the exceptions established for these cases.

  10. Data retention.

    The retention of data processed by Colo as a controller or processor will be determined by the purpose for which such data was collected or delivered to Colo, as the case may be.

    Therefore, once Colo's purpose has been fulfilled, it will proceed to their destruction or return, as appropriate.

    In any case, Colo is aware that there are legal, labor, accounting, and tax obligations that require the retention of certain data for a certain period of time. Colo commits to do so only and exclusively for such purposes, adopting the technical and security measures for adequate processing.

  11. Security measures.

    Colo, as a result of processing personal data that it collects or is responsible for, as the case may be, will adopt all physical, technological and administrative security measures that it considers pertinent depending on the data it handles, which will be applicable in all areas involved.

    Colo, in compliance with Law 1581 of 2012 and the requirements established by the Superintendency of Industry and Commerce, will report to the latter any case of information security failures that may have caused loss, theft, fraudulent consultation or modification, and the measures taken in this regard.

  12. Delivery of personal data to administrative and judicial authorities.

    In the event that authorities with jurisdictional or administrative functions request Colo to consult and/or deliver personal data recorded in their databases, such request will be internally evaluated, and if it meets all legal requirements, the case will be internally documented and added to the historical records that the company internally manages, in compliance with the applicable regulations.

  13. Term.

    This policy for the processing of personal data by Colo, acting as controller and processor of third-party information, has been approved and will be effective as of January 1, 2018, with an indefinite term until a substantial reform is carried out, which will be duly communicated through the established channels.