Personal Data Processing Policy
Ziro's Personal Data Processing Policy.
In compliance with the provisions contained in Law 1266 of 2008 and Law 1581 of 2012 and their regulatory decrees, Decree 1377 of 2013 and Decree 886 of 2014, compiled by Decree 1074 of 2015 (the “Regulatory Decrees”), which aim to develop the constitutional right that all natural persons have to know, update, and rectify the information that has been collected about them in databases or files, We are Ziro S.A.S., a commercial company established as a simplified joint-stock company, identified with NIT 901592209-1 and with the website somosziro.com (“Ziro”), publishes its policy for the processing of the personal data provided.
The present personal data processing policy (the “Policy”) is directed to Ziro's customers, users, and visitors of the Ziro website, and, in general, to any person whose Personal Data is being or will be processed by Ziro (the “Data Subject” or the “Data Subjects”).
Definitions
The terms used with an initial capital letter that are not expressly defined in this Policy shall have the definitions assigned to such terms in Law 1581 of 2012 and its Regulatory Decrees or the norms that modify, complement, or replace them.
The following terms have the meanings indicated below, wherever they appear in this Policy and whenever used with an initial capital letter:
Area responsible for handling inquiries, requests, complaints, or claims: Refers to the area or department of Ziro in charge of receiving and addressing inquiries and claims related to Personal Data, which is called the Personal Data Protection Office, which will process inquiries and complaints regarding Personal Data in accordance with Applicable Law. Requests will be addressed within a maximum period of fifteen (15) business days from the date of receipt.
The contact details of the Personal Data Protection Office and the Personal Data Protection Officer are:
Data Protection Officer: Personal Data Protection Office
Email address: hola@somosziro.com
Phone: +57 320 9860583
Address: Av. Santander 65 – 15, Local 115, Manizales, Caldas
Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of Personal Data.
Privacy Notice: This refers to the physical, electronic, or any other format document, generated by Ziro, that has been made available to the Data Subject for the Processing of Personal Data, which informs the Data Subject about the existence of the Policy that will apply, how to access it, and the characteristics of the Processing intended for Personal Data.
Database: An organized set of Personal Data that is subject to the Processing of Personal Data.
Personal Data: Any information linked or that can be associated with one or several determined or determinable natural persons, according to the terms of Law 1266 of 2008 and Law 1581 of 2012.
Public Data: Public data includes, among others, data related to a person's marital status, their profession or trade, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, official gazettes, and judicial sentences that are not subject to reservation.
Sensitive Data: Sensitive data include those that affect the privacy of the Data Subject or whose misuse may cause discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations, or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
Data Processor: A natural or legal person, public or private, who alone or in association with others, carries out the Processing of Personal Data on behalf of the Personal Data processor.
Habeas Data: The right of any person to know, update, and rectify the information that has been collected about them in the database and files of public and private entities.
Data Protection Law: This refers to Law 1266 of 2008, Law 1581 of 2012, and their Regulatory Decrees or the norms that modify, complement, or replace them.
Responsible for Processing: A natural or legal person, public or private, who alone or in association with others decides on the Database and/or Processing of Personal Data.
Data Subject: A natural person whose personal data is subject to Processing of Personal Data.
Processing of Personal Data or Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
Transfer: The transfer of data occurs when the Personal Data processor, located in Colombia, sends Personal Data to a responsible recipient, located in Colombia and/or in the United States of America, who may determine how to perform the Processing of Personal Data provided by the Personal Data processor.
Transmission: The transmission of data occurs when the Personal Data processor, located in Colombia, sends Personal Data to a Data Processor located in Colombia and/or in the United States of America, who must perform the Processing of Personal Data delivered by the Personal Data processor in accordance with the guidelines of the Personal Data processor.
Data Protection Officer: According to Art. 2.2.2.25.4.4 of Decree 1074 of 2015, the data protection officer of Ziro will be the person in charge of ensuring the effective implementation of the policies and procedures adopted in this Policy to comply with the regulations, as well as the implementation of good practices in managing Personal Data. The Personal Data Protection Officer will be responsible for structuring, designing, and administering the program that allows Ziro to comply with the regulations regarding personal data protection, as well as establishing the controls of that program, its evaluation, and ongoing review.
Principles
In all Processing of Personal Data carried out by Ziro, Ziro, the Data Processors, and/or third parties to whom Personal Data is Transmitted will comply with the principles established in the Applicable Law and in this Policy. These principles are as follows: (i) Principle of legality in data processing; (ii) Principle of purpose; (iii) Principle of freedom; (iv) Principle of veracity or quality; (v) Principle of transparency; (vi) Principle of restricted access and circulation; (vii) Principle of security; and (viii) Principle of confidentiality.
Purposes
Ziro, in the course of its commercial and financial activities, will collect, use, manage, store, analyze, anonymize, index, segment, profile, transmit, transfer, and perform various operations with Personal Data to fulfill the purposes indicated in this Article.
Furthermore, the Data Processors and/or third parties who have access to Personal Data by virtue of Applicable Law, a contract, or another binding document will perform the Processing of Personal Data to achieve the following purposes:
Clients
(i) to carry out all necessary efforts to confirm and update the information of the Data Subjects; (ii) to validate and verify the identity of the Data Subject for the offering and adequate provision of commercial and financial products and services from Ziro through any means or channel, including debt collection management; (iii) to establish a contractual relationship, as well as to maintain and terminate any type of contractual relationship; (iv) to contact for commercial, legal, marketing, and management purposes of the contractual relationship through any means; (v) to describe the mechanisms and procedures to protect the rights of the Data Subjects; (vi) to identify the person responsible for addressing inquiries and claims related to the Processing of Personal Data; (vii) to carry out statistical analysis; (viii) to conduct satisfaction and quality surveys for the Data Subjects; (ix) to verify and manage compliance with legal and contractual obligations; (x) to manage compliance with Ziro's internal policies; (xi) to transfer Personal Data to third parties, at Ziro's discretion, as well as to the holder of credit rights by virtue of the assignment of credit or to whom they designate; (xii) to offer and promote new and existing products; (xiii) to access the Personal Data contained in the databases of pension administrators and other third-party information operators for: (a) to carry out the preparation of credit scores, income validation tools, predictive income tools, tools to prevent fraud, impersonation, and generally to carry out appropriate risk management; and (b) to compare, contrast, and complement it with financial, commercial, credit, service information in credit information centers and/or operators of databases of financial, commercial, credit information, among others; (xiv) to consult Personal Data in information centers to know the performance as a debtor, payment capacity, or to assess the future risk of granting a credit; (xv) to report to information centers about the compliance or non-compliance with obligations regarding service provision or any other obligation acquired with Ziro, or whoever they designate; (xvi) to supply information centers with data related to credit requests, as well as others regarding commercial, financial, and generally socioeconomic relationships, among others.
Employees
(i) The management of work and general personnel activities, including recruiting, evaluations, performance management, promotions and succession planning, rehiring, salary management and payment administration and comments, salaries, and other awards such as stock options, stock grants, and bonuses, health care, pensions, and savings plans, and the creation and maintenance of internal employee directories; (ii) to communicate with workers; (iii) to protect the health and safety of employees and others, maintain and protect the IT infrastructure, office equipment, facilities, and other assets; (iv) to comply with legal and other requirements, such as income tax and national insurance deductions, record keeping and information obligations, physical access policies, conducting audits, facilitating compliance with government inspections and other requests from government or other public authorities, responding to legal processes such as subpoenas, defending rights and legal remedies, handling any internal complaint or claim, conducting investigations, and complying with internal policies and procedures; (v) to protect, enforce, or defend legal rights, privacy, security, or property of the Company, its affiliates, or its employees, agents, and contractors (including the enforcement of relevant agreements and terms of use); (vi) to protect the security, privacy, and protection of users of the Company's products or services or members of the public; (vii) to protect against fraud or for risk management purposes; and (viii) to monitor compliance with the code of conduct and internal policies, in accordance with the Company's policies and procedures regarding monitoring of telephone, email, internet, and other company resources, and other monitoring activities as permitted by local legislation.
Users and visitors of the Ziro website
(i) To provide access to the Ziro website and make it available to users and visitors (“Users and Visitors”); (ii) To ensure the proper operation of the website; (iii) To improve user experience, as well as the presentation, features, and functionalities of the Ziro website; (iv) To remember preferences; (v) To offer products and services, loyalty programs, promotions, and discounts through the website; (vi) To profile Users and Visitors of the Platform based on their consumption preferences, behavior, and activity on the website, on third-party websites linked to the Ziro website, and on search engines, application interfaces, social networks, and any other interface or functionality linked to the Ziro website; (vii) To make geographic references to offer personalized content according to location; (viii) To personalize the website and advertisements according to the likes and interests of Users and Visitors based on monitoring and tracking their activity on the website, on third-party websites linked to the Ziro website, and on search engines, application interfaces, social networks, and any other interface or functionality linked to the Ziro website; (ix) To record usage and behavior patterns and track, log, and trace the activity of Users and Visitors on the Ziro website, on third-party websites linked to the Ziro website, and on search engines, application interfaces, social networks, and any other interface or functionality linked to the Ziro website; (x) To monitor and ensure the correct use of the website by Users and Visitors and identify any attempt to infringe the security measures or technological protection measures of the website, misuse, fraud, or illegal activity through or on the Ziro website; (xi) To specify, analyze, and optimize existing and future products and services, whether they are from Ziro or third parties; (xii) To build databases; (xiii) To carry out archiving, updating, storage, and processing activities of information by Ziro or through third parties contracted for this purpose; (xiv) To conduct statistical analysis of the data collected to optimize the functioning of the Ziro website and analyze traffic on the Ziro website and on third-party pages and sites; (xv) To transfer and transmit to third parties, including in countries without an adequate level of protection, employees, contractors, and external service providers of hosting and content management for Ziro, advertising and marketing agencies, and authorities in the exercise of their administrative or judicial functions; (xvi) To protect, enforce or defend legal rights, privacy, security, or property of the Company, its affiliates, or its employees, agents, and contractors (including the enforcement of the relevant agreements and terms of use); and (xvii) To protect the security, privacy, and protection of the users of the Company’s products or services, Users or Visitors to the website, and members of the public.
The Ziro website may contain links or hyperlinks, hypertext, banners, and/or search tools that may take the Data Subject to other pages or platforms operated by third parties. Those pages may contain privacy policies that differ from this Policy, so any Processing of Personal Data carried out by third parties will be subject to the corresponding authorizations and policies. Ziro will not be responsible for the use, publication, disclosure, and/or dissemination regarding the Personal Data collected, used, published, disclosed, and/or disseminated through the pages of third parties.
This policy encompasses all Data Subjects including all customers, workers, collaborators, and in general, all persons who have a link with Ziro, and from whom Ziro receives Personal Data.
Rights of the Data Subjects
Ziro will respect and comply with all rights of the data subjects in accordance with the Applicable Law. Ziro guarantees the following rights to the Data Subjects:
To know, update and rectify their personal data against partial, inaccurate, incomplete, fragmented data, that induce error, or those whose Processing is expressly prohibited or has not been authorized;
To request proof of the authorization granted to Ziro in cases where Ziro carries out the processing of personal data as the Data Processor;
To be informed, upon request, regarding the use that Ziro has given to their Personal Data;
To revoke the authorization and/or request the deletion of data when the Processing does not respect the principles, rights, and constitutional and legal guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Processing of the data, Ziro has incurred in conduct contrary to the Constitution, Law 1581 of 2012, its Regulatory Decree, or any regulations that modify, add to, or complement it;
To access, free of charge, their personal data that is subject to Processing;
To file complaints with the Superintendence of Industry and Commerce or the competent authority regarding infringements of the law regulating the protection of personal data and other norms that amend, add to or supplement it, and
To communicate directly with the customer service line: +57 320 9860583
Use of Cookies and Online Tracking and Advertising Technologies
The Ziro website uses “cookies” and other similar online tracking and advertising technologies, such as web beacons, pixel tags or gifs, action tags, flash cookies, pixels, software development kits, and application programming interfaces, among others. When Users and Visitors access the website, Ziro and other service providers operating on behalf of Ziro or through the Ziro website automatically collect and store information that includes, but is not limited to: the IP address or device identification assigned to the end device, platform identification, personal computer, mobile device, or any other device or mechanism through which it accesses the website, text and image content, as well as data files provided for download, user activities on the website, the type of browser, as well as the date and time of access and usage, cookies, digital fingerprints, web logs, web beacons, web crawlers, among others.
Ziro collects information regardless of whether the User or Visitor has logged in or is registered or not, and may associate such tracking data with their account (if they have one). Additionally, advertisers and third parties may collect information about their activity on the Ziro website, and any other website linked to Ziro, on devices related to the Data Subject and on third-party sites and applications through cookies and other tracking and advertising technologies.
The User or Visitor may choose, directly on the website, not to authorize Ziro's use of cookies, and may also choose to control cookies, the use of tracking technologies, and advertising through the settings and controls on their devices (for example, they can reconfigure the advertising identifier of their mobile device or opt out of receiving interest-based ads).
Deletion of Sensitive Data
Data Subjects will have the right to consult their Sensitive Data and may exercise it at any time. In any case, the Data Subject explicitly authorizes the Processing of Sensitive Data with the authorization for the processing of Personal Data.
Procedure for Exercising the Rights of the Data Subject
Once the Data Subject determines that the information must be corrected, updated or deleted, when they consider that Ziro does not comply with the guidelines of Law 1581 of 2012 or its Regulatory Decree, or when they have any concerns or complaints regarding this Policy, they may submit a request to the responsible area. This communication must contain the information indicated in Article 15 of Law 1581 of 2012 and follow the procedure indicated below. The request must be channeled and submitted through the Personal Data Protection Officer of the area responsible for handling inquiries, requests, complaints, or claims.
Concerns and/or complaints: The Data Subject must formulate their concern and/or complaint in writing, and send it to the addresses described in Article I. This request must contain the identification of the Data Subject, a description of the facts giving rise to the complaint, and the response address, and must be accompanied by the documents they wish to invoke.
It should be noted that if the complaint is incomplete or confusing, the interested party will be required within five (5) days following the receipt of the complaint to remedy the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, Ziro will understand that they have withdrawn the complaint.
Ziro has a maximum time to address the inquiry and/or complaint of fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the complaint within this term, the Data Subject will be informed of the reasons for the delay and the date when their complaint will be addressed, which may not exceed eight (8) business days following the expiration of the first term.
On the other hand, Ziro has a maximum term of ten (10) business days, counted from the date of its complete receipt, to address consultation requests. When it is not possible to address the consultation within this term, the Data Subject will be informed before the expiration of the ten (10) days, stating the reasons for the delay and indicating the date when their consultation will be addressed, which may in no case exceed five (5) business days following the expiration of the first term.
Requests for correction, updating, and/or deletion of data and requests for consultation: When the Data Subject requests to correct, update, and/or delete their data from Ziro's database, or requests the consultation of their Personal Data stored in Ziro's database, the Data Subject must formulate it in writing and send it to the addresses described in Article I. The request must contain the identification of the Data Subject, a description of the facts giving rise to the claim, and the address to which a response should be made, and must be accompanied by the documents they wish to invoke, among which a copy of the citizenship ID or passport should be included. Additionally, when requesting the update or correction of data, the Data Subject must declare that the new information they are providing to Ziro is truthful.
It should be noted that if the request is incomplete or confusing, the Data Subject will be required to correct the deficiencies within five (5) days following the receipt of the complaint. After two (2) months from the date of the request, without the applicant presenting the required information, Ziro will understand that they have withdrawn the request.
If the person receiving the request is not the competent officer to resolve it, they will refer it to the Personal Data Protection Officer within a maximum period of two (2) business days and will inform the interested party of the situation.
Ziro has a maximum time to address the request of fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the request within such term, the Data Subject will be informed of the reasons for the delay and the date when their request will be addressed, which may not exceed eight (8) business days following the expiration of the first term.
Information Security and Security Measures
In development of the principle of security established in the current regulations, in accordance with the provisions of Article 19 of Decree 1377 of 2013, Ziro undertakes to adopt the instructions issued by the Superintendence of Industry and Commerce for this purpose, including information security policies and a technological infrastructure that reasonably and adequately protects Personal Data, limiting access to the data by Third Parties, as much as possible.
Additionally, the Data Subject accepts, recognizes, and authorizes that Ziro, the Data Processors, or third parties use cloud storage services for the Processing of Personal Data, without prejudice to the security measures established in this Article.
International Transmission of Personal Data
The Data Subjects accept that Ziro uses international parties for the Processing of their Personal Data and authorize Ziro and such third parties for the Processing of said Personal Data. The Data Subjects accept and acknowledge that the Transmission of Personal Data is necessary for the execution of the contracts entered into with Ziro.
In any case, the Transmission of Personal Data is carried out only to Third Parties with whom Ziro has a contractual link.
Validity and Modifications
This document comes into effect from its publication, in compliance with Article 13 of Decree 1377 of 2013, or the regulation that modifies or adds to it, and will remain in effect indefinitely. Personal Data will be Processed for the necessary time to develop the purposes of the Processing of Personal Data established here and those authorized by the Data Subjects.
This Policy may be modified from time to time by Ziro and will be part of contracts entered into by Ziro that imply the Processing of Personal Data. Any substantial modification to this Policy must be communicated in advance to the Data Subjects through efficient mechanisms, such as Ziro's website and/or email.