Akua Personal Data Processing Policy

Policy Owner: Head of Legal - Lina Oviedo

Effective Date: September 12, 2024

General Description

This policy establishes the general guidelines that Akua will apply to the processing of personal data for which Akua is the Responsible party and/or for which it acts as the Data Processor. As a company specialized in the processing of transactional data for purchasers, Akua is committed to complying with international and local regulations on data protection.

Scope of Application

This policy applies to all activities of collection, storage, use, circulation and deletion of personal data, especially transactional data, carried out by Akua, both inside and outside Colombia. Akua acts as the processor of personal data provided by purchasers and aggregators and complies with all obligations deriving from the GDPR and Colombian regulations.

Definitions

  • Personal Data: Information linked to or that can be associated with one or more specific or determinable natural persons.
  • Transactional Data: Information related to financial transactions, such as payment data, purchase histories, bank account numbers, BIN numbers, and any other data generated during the process of acquiring goods or services.
  • Sensitive Data: Information that affects the privacy of the owner or whose misuse may lead to discrimination, such as racial origin, political orientation, religious beliefs, biometric data, among others.
  • Owner: Natural person whose personal data are being processed.
  • Responsible for the Treatment: Natural or legal person who decides on the database and the processing of data. In this case, the purchasers and aggregators are responsible for the treatment. Akua acts as the Data Controller only for the Personal Data of its employees, contractors, suppliers and customers.
  • Data Processor: Natural or legal person who processes the data on behalf of the person responsible. In this case, Akua acts as a processor for the personal data provided by the purchasers and aggregators of the Transactional Data.

Principles

In compliance with the General Data Protection Regulation (GDPR), Akua adheres to the following principles:

  • Legality, Loyalty and Transparency: Akua ensures that personal data is treated lawfully, fairly and transparently in relation to the data subjects.
  • Purpose Limitation: The data will be collected for specific and legitimate purposes, and will not be treated in a way that is incompatible with those purposes.
  • Data Minimization: Akua ensures that the personal data collected is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy: Personal data will be accurate and will be kept up to date when necessary.
  • Storage Limitation: Personal data will be kept in a form that allows the identification of the owners only for the time necessary for the purposes of the treatment.
  • Integrity and Confidentiality: Akua implements appropriate technical and organizational measures to ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Duties

Akua assumes the following specific obligations with regard to Personal Data Processing:

  • Obtain Prior and Express Consent: Before collecting or processing personal data, Akua must obtain the prior, express and informed consent of the owners, except in cases authorized by law or in cases where Akua acts as Data Processor for the processing of personal data, subject to the terms agreed with the Responsible for such Personal Data.
  • Registration: Akua will comply with local laws and rules regarding Personal Data Protection, and will register its databases in the corresponding Registry in accordance with the jurisdiction and with the competent authority.
  • Rights of the Owners: Akua guarantees that the owners can exercise their rights to access, update, rectify and delete their personal data and to revoke consent to its processing.
  • Data Retention: Personal data will only be kept for as long as necessary to fulfill the purposes of the treatment, respecting the deadlines established in Colombian regulations.
  • Security Measures: The necessary technical and organizational measures will be implemented to ensure the security of personal data, in accordance with the provisions of the Information Security Policy.
  • International Data Transfer: Akua may transfer data to other jurisdictions, including the United States of America, provided that the local provisions applicable to the jurisdiction in which such personal data are held are complied with, and ensuring that recipient countries provide adequate levels of data protection.

Purposes of Transactional Data Processing

As a data processor, Akua will use transactional data for the following purposes:

  • Transaction Processing: Process data generated in payment transactions and other financial services associated with purchasers and aggregators.
  • Fraud Prevention: Implement risk analysis measures to detect and prevent fraudulent activities.
  • Regulatory Compliance: Comply with legal and regulatory obligations imposed by financial and data protection authorities.
  • Service Improvement: Analyze data to optimize and improve the services offered to purchasers and aggregators, within the framework of authorized purposes.

Security Measures

Akua will implement the necessary security measures to protect Transactional Data against unauthorized access, loss, alteration or improper disclosure. These measures include, but are not limited to, the following and those set out in the Information Security Policy:

  • Data Tokenization: All transactional data will be tokenized, meaning that sensitive information will be replaced by a unique identifier (token) that has no value outside the Akua tokenization system.
  • Controlled Access: Tokenized data will be accessible only through the cryptographic keys and the authorization established in Akua's cybersecurity procedures.
  • Data Encryption: In addition to tokenization, data will be encrypted during storage and transmission, using robust encryption standards.
  • Regular Audits: Regular audits of security systems are carried out to ensure compliance with regulations and to identify and mitigate any vulnerabilities.

International Data Transfer

In carrying out its activities as a data processor, Akua may transfer transactional data to other jurisdictions, including the United States of America. This transfer will be carried out in compliance with the applicable regulations in the matter, in the jurisdiction where the transactional data is located. Akua will ensure that international transfers are carried out under adequate security standards and with protection equivalent to that required in the jurisdiction where the data is located or from which the transactional data will be transferred.

Procedure for the Exercise of Rights

The owners may exercise their rights by means of a written request addressed to Akua by email at dataprivacy@akua.la, which Akua will resolve within the time limits established by law.

Amendments to the Policy

Akua reserves the right to change this policy at any time. Owners will be informed of any changes through the registered means of contact and/or through publication on the company's website.

Responsible for the Treatment

  • Akua is the Data Processor of personal and transactional data provided by the purchasers and aggregators.
  • Any questions or complaints related to data processing may be addressed to dataprivacy@akua.la
  • This policy is effective as of its date of publication and will be available to the owners at any time through the website www.akua.la