The following is the Personal Data Policy of SAASXCHANGE, LLC.

1. GENERAL PROVISIONS

1.1. Purpose 

The purpose of this Personal Data Policy is to ensure proper compliance with the applicable rules regarding the protection of personal data, to inform on the use that SAASXCHANGE, LLC makes of the information provided by the Data Subjects, and to inform about the procedures and mechanisms to handle the Personal Data collected for the purposes foreseen with the previous authorization.

1.2. Scope of application 

This Personal Data Policy is applicable to the processing of personal data recorded in  any database that makes them susceptible to processing by SAASXCHANGE, LLC. 

1.3. Definitions 

a. Authorization: Prior, express, and informed consent of the Data Subject to carry  out the processing of their Personal Data. 

b. Database: Organized set of Personal Data that is subject to processing. It may  be automated or physical according to its form of processing or storage. 

c. Data Controller: Natural or legal person, public or private, that by itself or in  association with others, decides on the Database and/or the Treatment of the  data. 

d. Data Processor: Natural or legal person, public or private, who by itself or in  association with others, carries out the processing of Personal Data on behalf of  the Data Controller.  

e. Data Subject: Natural person whose Personal Data is the object of Treatment. 

f. Personal Data: Any information linked to, or that may be associated with, one or several determined or determinable natural persons.

g. Private Data: That which, due to its intimate or reserved nature, is only relevant  to the Data Subject. 

h. Products: Refers to goods or services. 

i. Public Data: Data that is not Semi-Private, Private or Sensitive. Public Data are  considered, among others, the data related to the marital status of individuals,  their profession or trade, and their status as merchant or public servant. Due to  their nature, public data may be contained, among others, in public records,  public documents, official gazettes and bulletins and duly executed court rulings  that are not subject to confidentiality. 

j. Sensitive Data: Data that affects the privacy of the Data Subject or whose  improper use may generate discrimination, including but not limited to data  revealing racial or ethnic origin, political orientation, religious or philosophical  convictions, membership in unions, social organizations, human rights  organizations or that promote the interests of any political party or that guarantee  the rights and guarantees of opposition political parties, as well as data relating  to health, sex life and biometric data.  

k. Transfer: The Transfer of data takes place when the Controller and/or Processor  of personal data, located in Colombia, sends the information or personal data to  a recipient, which in turn is responsible for the processing and is located inside  or outside the country. 

l. Transmission: Treatment of Personal Data that involves the communication of  the same within or outside the territory of the Republic of Colombia when its  purpose is the performance of a Treatment by the Processor on behalf of the  Controller.  

m. Treatment: Any operation or set of operations on Personal Data, such as  collection, storage, use, circulation, or deletion. 

1.4. Guiding Principles applicable to the Treatment of Personal Data

In order to ensure the Treatment of Personal Data carried out by SAASXCHANGE, LLC as Controller and/or Data Processor, the following principles shall apply:

a. Legality: The Treatment performed by SAASXCHANGE, LLC on Personal Data  will be subject to the provisions of applicable rules. 

b. Purpose: The Treatment carried out by SAASXCHANGE, LLC will obey a  legitimate purpose in accordance with the Constitution and the law, which will be  informed to the Data Subject. 

c. Freedom: Treatment may only be carried out with the prior, express, and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that dispenses with the consent.

d. Truthfulness or Quality: The information subject to Treatment must be truthful,  complete, accurate, updated, verifiable and understandable. The processing of  partial, incomplete, fractioned, or misleading data is prohibited. 

e. Transparency: The right of the Data Subject to obtain from SAASXCHANGE,  LLC as Controller and/or Processor, at any time and without restrictions,  information about the existence of data concerning them, shall be guaranteed in  the Treatment. 

f. Access and Restricted Circulation: The Treatment is subject to the limits  derived from the nature of the Personal Data. In this sense, the Treatment may  only be carried out by persons authorized by the Data Subject or by the persons  authorized by applicable law.

g. Security: The information subject to Treatment by SAASXCHANGE, LLC as  Data Controller and/or Data Processor, shall be handled with the technical,  human, and administrative measures necessary to provide security to the records  avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent  access. 

h. Confidentiality: All persons involved in the Processing of Personal Data that are  not of a public nature are obliged to guarantee the confidentiality of the  information, even after the end of their relationship with any of the tasks that  comprise the Treatment and may only provide or communicate Personal Data  when it corresponds to the development of the activities authorized by law. 


Personal Data will be collected, stored, transmitted, transferred, processed, and used for  all those aspects inherent to the Products offered by SAASXCHANGE, LLC, and the  execution of contracts with customers and users, therefore, they will be used for the  following purposes: 

a. To fulfill the obligations contracted by SAASXCHANGE, LLC with its Users and  Customers.  

b. To send information about the Products offered by SAASXCHANGE, LLC. 

c. To send information about changes in the conditions of the Products offered by  SAASXCHANGE, LLC.  

d. To send, by physical mail, email, cell phone or mobile device, via text messages (SMS and/or MMS) or through any other analog and/or digital means of communication created or to be created, commercial, advertising or promotional information about the Products of SAASXCHANGE, LLC, events and/or promotions of commercial or non-commercial nature of these, in order to promote, invite, direct, execute, inform and generally carry out campaigns, promotions or contests of commercial or advertising nature, advanced by SAASXCHANGE, LLC and/or by third parties.

e. To treat the data of SAASXCHANGE, LLC Users and Customers provided by  third parties for the purposes stated herein. 

f. To transfer or transmit the Personal Data to third parties in Colombia and abroad  for free or onerous title for commercial use, especially to SAASXCHANGE, LLC's  clients for the management of their campaigns. 

g. To transfer or transmit the personal data of Users and Customers of  SAASXCHANGE, LLC, to Data Processors in Colombia and abroad when it is  necessary for the execution of contracts with customers by SAASXCHANGE,  LLC. 

h. To elaborate analytical studies that include any details related to the Products  offered by SAASXCHANGE, LLC in order to share them with partners linked to  SAASXCHANGE, LLC's business. 

i. To strengthen relationships with its customers and suppliers, by sending relevant  information and evaluation of the quality of SAASXCHANGE, LLC's Products.  

j. For the determination of outstanding obligations, the consultation of financial  information and credit history and the reporting to information centers of  unfulfilled obligations, with respect to its debtors.  

k. To control access to the offices of SAASXCHANGE, LLC, and to establish  security measures, including the establishment of video-monitored areas.  

l. To respond to inquiries, requests, complaints and claims that are made by the  Data Subjects and transmit the Personal Data to control agencies and other  authorities that under the applicable law must receive the Personal Data.  

m. To register the Personal Data in the information systems of SAASXCHANGE,  LLC and in its commercial and operational databases.  

n. To provide, share, send or deliver your personal data to parent companies,  subsidiaries, affiliates, related or subordinate companies of SAASXCHANGE,  LLC located in Colombia or abroad in the event that such companies require the  information for the purposes indicated herein. 

o. For other purposes necessary to comply with the contracts signed with Users and  Customers of SAASXCHANGE, LLC. 


Data Subjects of personal data have the right to:

a. Know, update, and rectify their personal data with respect to the Data Controllers or Data Processors. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.

b. Request proof of the authorization granted. 

c. Be informed by the Data Controller or the Data Processor, upon request, regarding the use made of their personal data.

d. File complaints with the competent authorities for violations of the provisions of  applicable laws.

e. Revoke the authorization and/or request the deletion of the data when the  Treatment does not respect the principles, rights and constitutional and legal  guarantees.  

f. Access, free of charge, their personal data that has been subject to Treatment.


4.1. Inquiries 

SAASXCHANGE, LLC has the e-mail so the Data Subject, their  assignees, their representatives and proxies, and representatives of minor holders, can make inquiries regarding what personal data of the holder is held in the databases of  SAASXCHANGE, LLC. 

4.1.1. The person responsible for answering the query will respond to the applicant as long as they have the right to do so because they are the Data Subject of the personal data, their assignee, attorney-in-fact, representative, or the legally responsible person in the case of minors. This response will be sent within ten (10) business days from the date on which the request was received by SAASXCHANGE, LLC.

4.1.2. If the request cannot be fulfilled within ten (10) business days, the applicant will be contacted to communicate the reasons why the request remains in process. For this purpose, the same or a similar means to the one used by the Holder to communicate his request shall be used.

4.1.3. The final response to all requests will not take more than fifteen (15) working days from the date on which the initial request was received by  SAASXCHANGE, LLC to the email 

4.2. Claims 

SAASXCHANGE, LLC has the email so the Holder, their assignees,  their representatives and attorneys, and representatives of minor Holders, can make  claims regarding (i) personal data processed by the company that should be corrected,  updated, or deleted, or (ii) the alleged breach of the applicable rules on the subject. 

4.2.1. The claim must be submitted by the Holder, its assignees or  representatives or accredited in accordance with the e-mail and must contain the following information:  

a. Name and identification document of the Holder.  

b. A description of the facts that give rise to the claim and the objective pursued  (update, correction or deletion, or fulfillment of duties). 

c. The address and contact and identification data of the claimant.

d. Accompanied by all the documentation that the claimant wishes to assert.

Before attending to the claim, SAASXCHANGE, LLC will verify the identity of the Data Subject of the personal data, its representative or proxy, or the accreditation that there was a stipulation by or for another. For this purpose, it may require the original identification document of the Data Subject, and the special or general powers of attorney or documents required as the case may be.

4.2.2. If the claim or additional documentation is incomplete, SAASXCHANGE,  LLC will require the claimant only once within five (5) days after receipt of  the claim to correct the faults. If the claimant does not submit the required  documentation and information within two (2) months from the date of the  initial claim, it will be understood that the claim has been withdrawn. 

4.2.3. If for any reason the person who receives the claim is not competent to  resolve it, the General Management shall forward it within two (2) working  days after receiving the claim and shall inform the claimant of such  referral. 

4.2.4. Upon receipt of the claim with complete documentation, a legend will be  included in the database of SAASXCHANGE, LLC where the data of the  Holder subject to claim is located, that says, "claim in process" and the  reason for it, within a period not exceeding two (2) working days. This  legend shall be maintained until the claim is decided. 

4.2.5. The maximum term to address the claim shall be fifteen (15) business  days from the day following the date of receipt. When it is not possible to  address the claim within such term, the interested party will be informed  of the reasons for the delay and the date on which the claim will be  addressed, which in no case may exceed eight (8) business days  following the expiration of the first term. 

The personal data collected, stored, transmitted, transferred, processed, and used will  remain in SAASXCHANGE, LLC's database, based on the criteria of temporality and  necessity, for as long as necessary for the purposes mentioned in this Policy, for which  they were collected.