Personal Data Treatment Policy

Politica de Tratamiento de Datos Personales — Ley 1581 de 2012

Table of Contents

1. Objective 2. Scope 3. Definitions 4. Guiding Principles 5. Data Collected 6. Authorization 7. Treatment Operations 8. Purposes per Stakeholder 9. Sensitive Data 10. Transmission and Transfer 11. Titular Rights 12. Procedures 13. Information Security 14. Policy Updates and Validity

At [COMPANY_NAME] ("Naskia"), we understand the importance of protecting the security, privacy, and confidentiality of the personal data entrusted to us by our customers, users, employees, suppliers, and all our stakeholders. Guided by our corporate values and our commitment to transparency and respect for personal information, we have developed this Personal Data Treatment Policy (hereinafter "Policy").

This Policy complies with Article 15 of the Political Constitution of Colombia, Law 1266 of 2008, Law 1581 of 2012, its regulatory decrees, and any regulation that modifies, complements, or replaces the foregoing.

Data Controller:

[COMPANY_NAME]

NIT: [NIT]

[ADDRESS], [CITY], Colombia

Contact email: [PRIVACY_EMAIL]

1. Objective

The purpose of this Policy is to inform, clearly and simply, how Naskia collects, uses, stores, circulates, and protects your personal data. We also seek to ensure that you fully understand your rights and are informed of the measures implemented to protect your information. Additionally, this Policy establishes the procedures for properly handling queries and claims related to the treatment of your personal data.

2. Scope

This Policy applies to all databases containing personal data that are subject to treatment by Naskia. It is directed at our customers (complex administrators), users (residents, owners, security guards), employees, suppliers, and all stakeholders whose personal data is processed by Naskia in connection with the operation of the residential complex management platform.

3. Definitions

Authorization
Prior, express, and informed consent that the data subject must grant for personal data treatment to take place.
Database
Organized set of personal data that is subject to treatment.
Personal Data
Any information linked to or that can be associated with one or more determined or determinable natural persons.
Private Data
Data that, by its intimate or reserved nature, is only relevant to its holder.
Semi-Private Data
Data that is not intimate or public in nature, and whose disclosure may be of interest to its holder and a specific sector or the general public.
Sensitive Data
Data that affects the intimacy of the holder or whose improper use may generate discrimination.
Public Data
Data that the law or the Constitution determines as such, as well as all data that is neither semi-private nor private.
Data Processor (Encargado)
Natural or legal person who, by itself or in association with others, carries out data treatment on behalf of the data controller.
Data Controller (Responsable)
Natural or legal person who, by itself or in association with others, decides on the database and/or the treatment of the data.
Titular
Natural person whose personal data is subject to treatment. For Naskia, titulars include administrators, residents, owners, security guards, employees, and suppliers.
Treatment
Any operation or set of operations on personal data, including collection, storage, use, circulation, or suppression.
Transfer
Occurs when the controller and/or processor, located in Colombia, sends personal data to a recipient who is also a controller, inside or outside the country.
Transmission
Treatment of personal data that involves communication within or outside Colombia when aimed at treatment by a processor on behalf of the controller.

4. Guiding Principles

In compliance with Law 1581 of 2012, Naskia adopts and applies the following principles:

Legality

Data treatment must follow the provisions of Law 1581 of 2012 and applicable regulations.

Purpose

Treatment must respond to a legitimate purpose, informed to the holder prior to collection.

Freedom

Treatment may only take place with the prior, express, and informed consent of the holder. No holder can be obligated to grant authorization.

Accuracy / Quality

Information subject to treatment must be truthful, complete, accurate, updated, verifiable, and understandable.

Transparency

The right of the holder to obtain information about the existence of data concerning them must be guaranteed at all times.

Restricted Access and Circulation

Treatment is subject to the limits derived from the data's nature and applicable regulations. Data may not be published on the internet or in mass media without authorization.

Security

Technical, human, and administrative measures necessary to provide security to databases and prevent their adulteration, loss, or unauthorized consultation must be adopted.

Confidentiality

All persons involved in the treatment of personal data that is not of a public nature are obligated to guarantee the confidentiality of the information.

5. Data Collected

Naskia collects personal data of a public, private, and semi-private nature. In certain cases, and always with the prior, express, and informed authorization of the holder, it may also collect sensitive data. The categories of data collected include:

  • Identification data (name, national ID number, date of birth).
  • Contact data (email address, phone number, residential address within the complex).
  • Platform role and residence data (assigned role, complex, tower, floor, apartment unit).
  • Financial data for subscription billing (processed by the payment gateway; Naskia does not store card numbers).
  • Platform activity logs (login times, actions performed, PQRS, bookings, assembly records).
  • Visitor records (name, ID, vehicle plate, entry/exit times) managed by the security module.
  • Electronic records (IP address, device information, cookies, navigation data).

6. Authorization

Naskia will request the authorization of the data holder in a way that grants prior, express, and informed consent for the treatment of personal information.

Authorization may also be obtained from unequivocal conduct of the holder that reasonably concludes that consent has been granted. Such conduct must clearly reflect the holder's willingness to authorize the treatment.

Authorization is not required (Art. 10, Law 1581/2012) when:

  • Information is required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data is of a public nature.
  • Cases of medical or sanitary urgency.
  • Treatment is authorized by law for historical, statistical, or scientific purposes.
  • Data relates to the Civil Registry.

7. Treatment Operations

Naskia, its current or future processors, and other responsible parties may carry out the following operations on personal data:

Collect Store Use Update Analyze Circulate Consult Transmit Transfer Delete Report Validate

This treatment may be carried out both in Colombia and abroad, using physical and software infrastructure contracted by Naskia. These third parties may in turn contract other providers, but always under conditions that ensure the same protection of your data.

8. Purposes per Stakeholder Type

Complex Administrators, Residents, Owners, and Security Guards

  • Validate and verify identity; manage user account creation and role assignment.
  • Provide, operate, and improve all Naskia platform modules.
  • Process subscription payments and manage billing records for the complex.
  • Send platform notifications, announcements, and PQRS status updates.
  • Manage amenity booking schedules and enforce booking rules.
  • Register and control visitor access through the security module.
  • Record assembly attendance, voting, and minutes.
  • Respond to customer support requests, queries, complaints, and claims.
  • Perform statistical analysis to measure and improve platform usage.
  • Comply with legal, tax, and regulatory obligations applicable to Naskia.
  • Prevent fraud and unauthorized access to the platform.
  • Transmit or transfer data to hosting providers, payment processors, and email service providers who act as processors under Naskia's instructions.
  • Any other purpose specified in the respective authorizations granted by you.

Suppliers, Contractors, and Partners

  • Manage administrative, accounting, financial, and operational aspects of the contractual relationship.
  • Verify legal, technical, and financial requirements.
  • Conduct internal and external audits.
  • Carry out tax management and billing procedures.
  • Comply with legal, contractual, regulatory, and corporate obligations.

9. Sensitive Personal Data

Sensitive data is defined as data that affects or may affect the intimacy of the holder or whose improper use may generate discrimination. This includes data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, trade union membership, health data, sexual life, and biometric data.

The treatment of sensitive data by Naskia may only be carried out: (i) with the explicit and voluntary authorization of the holder; (ii) when required by law; (iii) when treatment is necessary to protect the vital interest of the holder; (iv) when data is necessary for the recognition, exercise, or defense of a right in a judicial process; or (v) when treatment has a historical, statistical, or scientific purpose. The holder is never obligated to authorize the treatment of sensitive data.

10. Transmission and Transfer of Personal Data

In accordance with the purposes described in this Policy, Naskia, as the controller of personal data stored in its databases, may carry out national and international transfers or transmissions of personal data to:

  • Cloud hosting providers — for platform infrastructure and data storage, acting as processors under Naskia's instructions.
  • Payment gateway (Wompi) — for secure processing of subscription payments.
  • Email service providers — for transactional email delivery (notifications, PQRS updates, subscription confirmations).
  • Judicial or administrative authorities — when required by law or court order.

In all international transfer cases, Naskia commits to ensuring that recipient third parties implement the necessary measures to guarantee the integrity, availability, and confidentiality of the information, in compliance with Title V of the SIC's Circular Unica and Art. 26 of Law 1581 of 2012.

11. Rights of the Data Subject (Titular)

Naskia guarantees the following rights to all data subjects:

  • Know, update, and rectify personal data held by Naskia.
  • Be informed of the use given to personal data, upon prior request.
  • File complaints with the Superintendencia de Industria y Comercio (SIC) for violations of data protection law.
  • Request proof of the authorization granted to Naskia as controller.
  • Revoke authorization and/or request deletion of data, unless a legal or contractual obligation requires its retention.
  • Access personal data that has been subject to treatment, free of charge.
Rights may be exercised directly by the holder, by their successors, by their legal representative or attorney, or by any other person authorized by the holder or applicable regulations. Rights of minors may be exercised directly or through their parents or guardians.

12. Procedures for Exercising Rights

Data Protection Channel:

  • Email: [PRIVACY_EMAIL]
  • Phone: [PHONE]
  • Address: [ADDRESS], [CITY], Colombia

12.1 Consultation Procedure

  • 1. The request will be analyzed to verify the identity of the holder.
  • 2. Consultations will be addressed within a maximum of 10 business days from the date of receipt. If it is not possible to attend to the consultation within this period, the interested party will be informed of the reasons and the new resolution date, which may not exceed 5 additional business days.

12.2 Claim Procedure

  • 1. The request will be analyzed to verify the identity of the holder.
  • 2. If the claim is incomplete, the holder will be notified within 5 business days to correct it. If not corrected within 2 months, the claim will be considered withdrawn.
  • 3. Once the complete claim is received, a 'claim in process' note will be added to the database within 2 business days.
  • 4. Claims will be resolved within 15 business days from receipt of the complete claim. If not possible, the holder will be informed and given a new resolution date, not exceeding 8 additional business days.

12.3 Minimum Content of Requests

  • Full name of the data holder and, if applicable, of the authorized representative.
  • Precise and complete description of the facts underlying the claim.
  • Email address to receive the response and be informed of the status of the process.
  • Supporting documents and evidence, if the applicant considers them relevant.

13. Information Security

Naskia strictly complies with all requirements established by regulatory bodies regarding information security and cybersecurity. We implement technical, human, and administrative measures necessary to prevent adulteration, loss, unauthorized consultation, use, or fraudulent access to personal data. These include encrypted communications (HTTPS), access controls, role-based permissions, multi-tenant data isolation, and regular security reviews.

14. Policy Updates and Validity

Naskia reserves the right to modify this Policy at any time in order to adapt it to new practices, legislative provisions, or jurisprudential decisions related to personal data protection. Any update will be published and available on the Naskia platform. Updates will include the effective date of the modifications, ensuring transparency and timely access.

Any substantial change to the Policy concerning the identification of the Controller or the purpose of treatment, which affects the content of the authorization given by the holder, will be communicated to the data holders prior to implementation.

Effective date: February 2026

This Policy supersedes any prior version.

Last updated: February 2026

Also see: Privacy Policy  |  Cookie Policy  |  Terms and Conditions