We may collect and process your personal data only to manage your account and provide the products and services you request. Occasionally, we would like to contact you about our products, services and other content that may be of interest to you. If you agree to our personal data processing policy, you agree to:
a) I agree to receive other communications from ORA ORA; In order to provide you with the content you request, we need to store and process your personal data. By agreeing to the collection and storage of your data, you authorize us to transfer, assign or provide such information to other entities necessary to carry out studies and analyses that allow us to offer you a better service.
b) I agree to allow ORA ORA to store and process my personal data; You can opt out of receiving these communications at any time. For more information on how to opt out of receiving communications, our privacy practices and our commitment to protecting your privacy, please review our Privacy Policy.

In order to comply with current legislation on data protection, especially Law No. 1581 of 2012 (and other regulations that modify, add to, complement or develop it) and Decree No. 1377 of 2013, we inform you below of the relevant aspects in relation to the collection, use, transmission and transfer, if applicable, of personal data that ORA ORA carries out on your personal data, by virtue of the applicable law or the authorization granted by you to carry out said processing, as well as the handling of said information.
In this personal data processing policy (the “Policy”) you will find the corporate and legal guidelines under which ORA ORA processes your data, the purpose, your rights as the owner, as well as the internal and external procedures for the exercise of such rights.
Pursuant to Article 15 of the Colombian Political Constitution and applicable law (Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013 and all regulations, additions, repeals or modifications thereto), we have a clear policy on privacy and protection of your personal data: we do not obtain personal information from third parties that have a commercial or legal relationship with ORA ORA, including you, as a User of the ORA ORA online platform, unless they have voluntarily provided it through their prior consent.

For the interpretation of this Policy, we ask you to take into account the following definitions:
• Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.
• Sensitive data: Data that affects the privacy of the Holder or whose improper use may lead to discrimination.
• Data Processor: Natural or legal person, public or private, who by itself or in association with others, carries out the Processing of personal data on behalf of ORA ORA as Data Controller.
• Processing Policy or Policy: This document refers to the personal data processing policy applied by ORA ORA in accordance with the guidelines of the current legislation on the matter.
• Data Controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the Processing of the data, for the purposes of this policy, ORA ORA will act as Data Controller, in principle.
• Owner: Natural person whose personal data is subject to Processing, whether a client or any third party who, by reason of a commercial or legal relationship, provides personal data to ORA ORA.
• Transfer: Refers to the sending by ORA ORA as Data Controller or Data Processor, to a third agent or natural/legal person (receiver), within or outside the national territory for the effective processing of personal data.
• Transmission: refers to the communication of personal data by the Controller to the Processor, located within or outside the national territory, so that the Processor, on behalf of the Controller, processes personal data.
• Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
In order to understand the terms that are not included in the list above, you must refer to the current legislation, especially Law 1581 of 2012 and Decree No. 1377 of 2013, giving the meaning used in said regulation to the terms whose definition is in doubt.
Before storing or handling personal data, ORA ORA declares that it complies with the following requirements:
a) The Holder must give his/her explicit authorization to said treatment, except in cases where the granting of said authorization is not required by law.
b) In the event that the holder is physically or legally incapacitated, the legal representatives must grant their authorization.
c) State to the holder the reason why his/her data will be used and delimit the limits of said treatment.

The purpose of the databases of clients and/or Users of the ORA ORA online platform is to use the data for the proper provision of the service by ORA ORA, as well as to strengthen commercial communication channels for the benefit of the owners.
The personal data collected through the ORA ORA online platform from the Users will be processed for pre-contractual, contractual, post-contractual, commercial, customer service and marketing purposes, Offers, mailing campaigns, communication of launches and activations and brand campaigns.
Specifically, ORA ORA will process personal data to:
a) Carry out the relevant procedures for the development of the pre-contractual, contractual and post-contractual stage with ORA ORA and third parties that contract with it through the online platform, regarding any of the products and/or services offered by ORA ORA that it has or has not acquired or, regarding any business or commercial relationship it has with ORA ORA, as well as comply with Colombian or foreign law and the orders of judicial or administrative authorities.
b) Manage procedures (requests, complaints, claims), perform risk analysis, conduct satisfaction surveys regarding the services offered by ORA ORA, as well as those of ORA ORA's business partners.
c) Provide contact information and relevant documents to the sales force and/or distribution network, telemarketing, market research and any third party with which ORA ORA has a contractual relationship of any kind.
d) Disclose, transfer and/or transmit the personal data of the owner within and outside the country, to any company or third party as a result of a contract, law or lawful link that requires it, or to implement cloud computing services.
e) Create databases for the purposes described in this authorization.
f) ORA ORA may contact the owner of the data by any means it deems appropriate, including, but not limited to, text message (SMS), messaging through web applications, social networks, emails or commercial calls of a commercial or advertising nature. Likewise, the owner of the personal data authorizes ORA ORA to be contacted outside the hours established in Law 2300 of 2023, in accordance with the purposes established in this policy.

DUTIES OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
Under the understanding that ORA ORA acts as the Controller of personal data, in accordance with the definitions of Law No. 1581 of 2012, it undertakes to:
a) Guarantee the Owner, at all times, the full and effective exercise of the right to habeas data;
b) Request and retain a copy of the respective authorization granted by the Owner in accordance with the provisions of Law 1581/2012;
c) Duly inform the Owner about the purpose of the collection and the rights that assist him by virtue of the authorization granted to ORA ORA;
d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access;
e) Ensure that the information provided to the Data Processor, where applicable, is true, complete, accurate, up-to-date, verifiable and understandable;
f) Update the information, communicating in a timely manner to the Data Processor all the new developments regarding the data previously provided and adopt the other measures necessary so that the information provided to the Data Processor is kept up-to-date where applicable;
g) Rectify the information when it is incorrect and communicate the relevant information to the Data Processor where applicable;
h) Provide the Data Processor, as the case may be, only with data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012;
i) Demand from the Data Processor at all times, respect for the security and privacy conditions of the Owner's information, where applicable;
j) Process queries and complaints made under the terms indicated by Law 1581 of 2012;
k) Adopt an internal manual of policies and procedures to ensure proper compliance with the Colombian regulatory framework on personal data protection, for handling queries and complaints;
l) Inform the Data Processor, if applicable, when certain information is being discussed by the Data Subject, once the claim has been submitted and the respective procedure has not been completed;
m) Inform the Data Subject at his/her request about the use given to his/her data;
n) Inform the data protection authority when security code violations occur and there are risks in the management of the Data Subjects' information;
o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

The rights of the owners of the information are:
a) To know, update and rectify their personal data with respect to the Data Controllers or Data Processors. This right may be exercised, among others, in the case of partial, inaccurate, incomplete, fragmented data that may lead to error, or data whose processing is expressly prohibited or has not been authorized under the terms of Law No. 1581 of 2012 (or, failing that, with the regulations that regulate, add to, execute, complement, modify, suppress or repeal it).
b) Request proof of the authorization granted to the Data Controller, except when it is expressly excepted as a requirement for the Treatment, in accordance with the provisions of article 10 of Law No. 1581 of 2012 (or failing that, with the regulations that regulate, add to, execute, complement, modify, suppress or repeal it) or when the continuity of the treatment has been presented in accordance with article 10, numeral 4° of Decree No. 1377 of 2013.
c) Be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been given to your personal data. d) Submit complaints to the Colombian Personal Data Protection Authority for violations of the provisions of Law No. 1581 of 2012 (or, failing that, with the regulations that regulate, add to, execute, complement, modify, suppress or repeal it).
e) Revoke the authorization and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights and guarantees. Revocation and/or deletion will proceed when the Colombian Personal Data Protection Authority has determined that, in the Processing, the Controller or Processor has engaged in conduct contrary to Law No. 1581 of 2012 (or, failing that, with the regulations that regulate, add to, execute, complement, modify, suppress or repeal it) and/or the Constitution. The request for deletion of information and the revocation of authorization will not proceed when the Owner has a legal or contractual obligation to remain in the database or the person responsible has a legal or contractual obligation to continue with the processing.
f) Access free of charge to their personal data that have been subject to Processing. The owner may consult their personal data free of charge: (i) at least once every calendar month, and (ii) every time there are substantial modifications to the information processing guidelines that motivate them to make new queries.