Polytropic Privacy Policy Last updated: May 30th, 2022 Hermes Ventures S.A.S.. (โHermes Venturesโ, โPolytropicโ, โusโ, โweโ or โourโ) recognizes the need for appropriate protection and management of personal data and information shared with us. This privacy policy (โPrivacy Policyโ) will help you understand the personal data that we collect from you as a user of our website or software platform (collectively the โService(s)โ) or as a customer (โuserโ, โyouโ or โyourโ, interpreted accordingly), what we use the data for and the choices you have regarding our use and collection of personal data and information. This Privacy Policy addresses the privacy rights of individuals who: โ visit our Website or use our Software Platform (as defined below) and/or Services; โ interact with us on behalf of a Customer (as defined below) in connection with the provision of our Services; โ interact with us on behalf of a Service Provider (as defined below) in connection with the products and services that our Service Provider provides to us; โ interact with us on behalf of a business partner in connection with our relationship with the business partner; โ apply to work with us; โ receive marketing communications from us; and/or โ interact with us by registering for, attending and/or otherwise taking part in our trade events, webinars, or conferences or who communicate with us via email, phone, or in-person. Definitions โControllerโ means a person or entity that, alone or jointly with others, determines the purposes (i.e. โwhyโ) and means (i.e. โhowโ) of the Processing of Personal Data (both as defined below). โCookiesโ are small text files sent to your computer for record-keeping purposes and this information is stored in a file on your computerโs hard drive. A persistent cookie retains user preferences for a particular website allowing those preferences to be used in future browsing sessions and remains valid until its set expiry date (unless deleted by the user before the expiry date). A temporary cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. โCustomerโ means a business that has, formerly had, or is contemplating purchasing or using our Services, or any party that is employed by such business and accesses Services pursuant to such business purchasing or using our Services. โPersonal Dataโ means any information relating to an identified or identifiable natural person. โProcessโ and โProcessingโ means any operation or set of operations which are performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, erasure, deletion or destruction. โProcessorโ means a person or organization that engages in Processing. โRepresentativeโ means an individual who (i) acts on behalf of, or is employed by, a Customer, including, a Customerโs employees, agents, and representatives, (ii) acts on behalf of a Service Provider (as defined below), including a Service Providerโs employees, agents, and representatives, (iii) acts on behalf of a business partner, including a business partnerโs employees, agents and representatives or (iv) otherwise interacts with us in any manner, for example through our Website, Software Platform or uses our Services (all as defined below), in any manner whatsoever. โService Providerโ means a supplier, subcontractor, vendor or other third party who provides services to us. โWebsite(s)โ means all of the websites and/or applications maintained by us that display a link to this Privacy Policy. โWebsite Visitorโ means an individual who visits our Website. By visiting this Website (www.polytropic.co) or using our Software Platform, you are accepting and consenting to the practices described in this Privacy Policy. ADDITIONAL COUNTRY/REGION-SPECIFIC PRIVACY TERMS Depending on your current country of residence, a section of this Privacy Policy may apply to you. Please refer to the Section that applies to you in addition to the general terms of this Privacy Policy. Country of Residence Applicable Section of the Privacy Policy All countries GENERAL PRIVACY POLICY (Sections 1-12) California, USA GENERAL PRIVACY POLICY & APPENDIX A: CALIFORNIA RESIDENTS EEA/EU/UK/Switzerland GENERAL PRIVACY POLICY & APPENDIX B: GDPR PRIVACY POLICY Colombia General Privacy Policy & APPENDIX D โ Colombia Privacy Terms (Spanish) Polรญtica de Privacidad General & Anexo D: Tรฉrminos de Privacidad Colombia (espaรฑol) In the event of conflict and/or discrepancy between the privacy terms of the General Privacy Policy (Sections 1-12 below) and those that are region-specific (i.e. Appendices A and B), region-specific terms will prevail. GENERAL PRIVACY POLICY 1. Personal Data We Collect We collect and Process the following categories of Personal Data from Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, individuals that receive marketing communications from us and individuals that interact with us by registering for, attending and/or otherwise taking part in our webinars or conferences or who communicate with us via email, phone or in person, in each case to operate its business for the specific purposes identified below. Contact and Account Data. The personal details provided when users sign up to our Service. This includes the user's name, e-mail address, telephone number, address, job title and password, organization (if a legal entity), and other ways for us to contact you. Information about user transactions. Details about the transactions you carry out and the payments to and from your accounts with us. Payment Information. If payment for our Services is made via credit card, this may include the card number, expiration date, security code and billing address. If payment is used via (international) wire transfer, this may include the name and bank code, branch name and number, account number, IBAN and/or SWIFT code, among others. If payment is made via eWallet services (e.g. PayPal, Payoneer, etc.), this may include the account username, e-mail address or any other information that identifies the relevant user account or digital wallet. If payments to us are made via third-party payment processing platforms, these third parties will collect your Personal Data related to such payments and we will not retain this information. In such cases, the third partyโs privacy policy will apply. Data and Information Provided in IM Chats. To serve our users better, we make instant messaging (IM) tools available to our users. Any Personal Data or information provided via this medium will be collected and stored. Biographical Data. Details about you that are stored in documents in different formats, or copies of them. This could include things like (without limitation) data contained in your passport, national ID, social security or any other identification documents. For the purposes of background checks, third parties may collect selfie photos and/or videos that run facial recognition software for identity verification. Personal Data Provided by Telephone. We have customer service agents available to speak with our Customers 24/7. Calls may be recorded and any Personal Data and/or information provided over the telephone, including payment information, will be collected and stored. Other Data and/or Information. We collect any other Personal Data and/or information you choose to provide to us through any and all available channels, participating in user/customer surveys or otherwise visiting and interacting with our Website and/or Software Platform. 2. Non-Personal Information We may also collect information that is related to you but that does not personally identify you. Non-personal Information also includes data that could personally identify you in its original form, but that we have modified (e.g. by aggregating, anonymizing, or de-identifying such information) in order to remove or hide any characteristics that may lead to your identification. 3. How We Use Personal Data We use Personal Data in the following cases: We use information that we collect about you or that you provide to us, including any personal information: โ To present our Website and its contents to you. โ To provide you with information, products, or services that you request from us. โ To fulfill any other purpose for which you provide it. โ For any other purpose with your consent. We may also use your information to contact you about goods and services that may be of interest to you. 4. With Whom We Share Collected Personal Data Vendors and Service Providers. We may disclose Personal Data about you and/or other information you provide us to vendors, suppliers and Service Providers we retain in connection with our business, including but not limited to website hosting, data hosting, data analysis, order fulfillment, information technology and related infrastructure services, customer service, email delivery, tax and financial advisers, legal advisers, accountants or auditors. Merger or Acquisition. We may disclose Personal Data collected about you and/or other information you provide us to a third party who acquires any part of our business, whether such acquisition is by way of merger, consolidation, divestiture, spin-off, or purchase of all or a substantial portion of our assets. Disclosure Permitted by Law. We may disclose Personal Data collected about you and/or other information you provide us to law enforcement authorities, government or public agencies or officials, regulators, and/or to any other person or entity having appropriate legal authority or justification for receipt of your Personal Data and/or other information, if required or permitted to do so by law or legal process, in order to respond to claims, protect our rights, interests, privacy, property or safety, as well as those of our shareholders, employees or contractors. 5. Communications We may contact you with newsletters and other marketing information that may be of interest to you. You may opt out of receiving any or all of these marketing communications from us at any time, by clicking on the unsubscribe link or instructions provided in any email we send or by contacting us. Please note that we may still send you transactional or administrative messages related to the Services even after you have opted out of receiving marketing communications. 6. Cookies + Other Web Technologies Our Services may use persistent and temporary Cookies and similar technologies. Information collected through the use of Cookies includes, but is not limited to user login information and time zone setting. We use Cookies for several purposes, including but not limited to: (i) to improve the user experience, (ii) to collect anonymous and aggregated statistical data about usersโ visits to our Website, Software Platform and/or use of our Services. We use this data to analyze how our Service is used and how to improve it, and we may use said data to advertise third-party products online. Unless you set up your internet browser not to accept Cookies, it will accept the use of them. You can always disable Cookies in your browserโs preferences even if you have consented to the use of Cookies in the past. You may also delete Cookies stored on your computer at any given time. Please note that disabling Cookies may negatively impact your online experience with our Service and prevent you from logging in to our Website. Amplitude. We use Amplitude (https://amplitude.com/) as an analytics tool to help us get a better understanding of how visitors use our Website and Software Platform. The information generated by the Amplitude Cookies about users of our Service is transmitted to and stored by Amplitude. 7. Information Security The security of your Personal Data is extremely important to us. We take the appropriate steps to protect the information you provide us from loss, misuse, unauthorized access or disclosure, alteration and destruction, both against external and internal threats. Where we have given you (or where you have chosen) a password or other login information which enables you to access certain restricted parts of our Service, you are responsible for doing everything you reasonably can to keep this information secret. You must not share your password or login information with anyone else. As no data transmission or security system can be guaranteed as 100% secure, we cannot ensure or warrant the security of any Personal Data and/or information that you transmit to us; nonetheless, we adopt all measures and make use of technology trusted by the industry to provide as much security as possible. As such, you transfer Personal Data and/or information to us at your own risk. 8. Personal Data and/or Information Collected from Other Sources We may also collect Personal Data and/or information about you from other sources in order to help us correct or supplement our records, to improve the quality or personalization of our service to you, and to prevent or detect fraud. We work closely with third parties (e.g. business partners, Service Providers, sub-contractors, advertising networks, analytics providers, search information providers, fraud protection services) and may receive Personal Data and/or information about you from them. In order to provide and improve our Services, we may engage with Service Providers. In the process of supplying services to us, these Service Providers may need to collect Personal Data about you. 9. Disclosure of Personal Data Via Links to Third-Party Websites, Services, and Applications Using our Website or the Services may link to third-party websites, services and/or applications. We are not responsible for any Personal Data collected through these means. Personal Data collected in this manner is governed through the third-party websiteโs privacy policy. Any interactions you have with these websites, services and/or applications are beyond our control. We urge you to read the privacy and security policies of any external websites before providing any Personal Data while accessing those websites. 10. Minors Our Software Platform and Services are not directed to minors under the age of 18. We perform age verification on users that access our Software Platform, and if you are under the age of 18, you will be unable to contract our Services. 11. Modifications to this Privacy Policy We may revise this Privacy Policy from time to time. The most current version of the Privacy Policy will govern our collection, use, and disclosure of Personal Data and/or information about you. If we make material changes to this Privacy Policy, we will notify you by email or by posting a notice on our Website and/or Software Platform prior to the effective date of the changes. By continuing to access or use the Service after those changes become effective, you acknowledge and agree to the revised Privacy Policy. 12. Contact us You may contact us concerning our Privacy Policy by writing to privacy@polytropic.com. Please write "Privacy Policy Issue" on the subject line. ADDITIONAL COUNTRY/REGION-SPECIFIC PRIVACY TERMS IMPORTANT: Please check the table above to see if these apply to you. APPENDIX A: CALIFORNIA RESIDENTS Note: This section applies specifically to California Residents. California Residents This appendix (โAppendix Aโ or โCCPA Privacy Termsโ) addresses the specific disclosure requirements under the California Consumer Privacy Act of 2018 (โCCPAโ). It applies to personal information about California residents using our Website and Services. For purposes of the CCPA, personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household (โPersonal Informationโ). In the event of a conflict between Appendix A and any of our other privacy policies and or terms, Appendix A shall control only with respect to the Personal Information of California residents. Personal Information Categories Appendix A covers our Personal Information collection and usage more fully. The chart below describes the categories of Personal Information we collect and the sources from which we collect the Personal Information, organized into the categories specified by the CCPA. Personal Information Category Sources Personal Information described in Cal. Civ. Code ยง1798.80(e) (such as name, address, telephone number, education, employment history, credit card or debit card number) Information you provide directly or through your interactions with our Services. Identifiers (e.g., real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, or other similar identifiers) Information you provide to us directly or through your interactions with our Website, Software Platform and/or Services. Characteristics of protected classifications under California or Federal law (e.g., your gender or age) (โCharacteristics of Protected Classificationsโ) Information you provide to us directly. Commercial Information (e.g., information regarding products or services purchased, obtained, or considered) Information you provide to us directly, through your interactions with our Website, Software Platform and/or Services. Internet or Other Electronic Network Activity Information (e.g., browsing history, search history and other information) Your interactions with our Website, Software Platform and/or Services. Professional or Employment-Related Information Information you provide to us directly. Inferences Information you provide to us directly or through your interactions with our Website, Software Platform and/or Services. Audio, electronic, visual or similar information Information you provide directly or through your interactions with our Services. California Residents' Privacy Rights California residents have rights to request access to or deletion of their Personal Information and may not be discriminated against because they exercise any of their rights under the California Consumer Privacy Act in violation of Cal. Civ. Code ยง1798.125. You can make requests by sending an email to us with details of your specific request. We may ask that you provide certain information to verify your identity, and the information we request from you will depend on your prior interactions with us and the sensitivity of the Personal Information in question. Once confirmed, we will respond to your request in accordance with the CCPA. If we deny your request, we will explain why. You may designate an authorized agent to make a request under the CCPA on your behalf if: (1) the authorized agent is a natural person or a business entity registered with the Secretary of State of California; and (2) you sign a written declaration that you authorize the authorized agent to act on your behalf. We may ask that you provide certain information to verify your identity and that you authorized the authorized agent to act on your behalf. If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA. If you have any questions regarding our Privacy Policy or specifically these CCPA Privacy Terms, or would like to change your preferences, you may contact us using the contact information contained in Section 12 of our Privacy Policy.} APPENDIX B: GDPR PRIVACY TERMS Note: This section applies specifically to EEA/EU/UK/Switzerland residents. This appendix (โAppendix Bโ or โGDPR Privacy Termsโ) applies to the Processing of Personal Data by us in our role as a Controller, or as otherwise covered by the European Union General Data Protection Regulation 2016/679 (โGDPR"), when individuals: โ visit or use our Website; โ interact with us either on your own behalf or on behalf of a Customer in connection with the provision of our Services; โ interact with us on behalf of a Service Provider in connection with the products and services our Service Provider provides to us; โ interact with us on behalf of a business partner in connection with our relationship with the business partner; โ apply to work with us; โ receive marketing communications from us; and/or โ interact with us by registering for, attending and/or otherwise taking part in our trade events, webinars, or conferences or communicate with us via email, phone, or in-person interactions. These GDPR Privacy Terms do not apply to any Personal Data Processed, stored, or hosted by Customers using any of our Services or to the extent that we Process Personal Data in the role of a Processor on behalf of our Customers. Where we act as Processors on behalf of our Customers, that Processing is subject to the protections contained in our data processing agreements with Customers. We have no control over, and are not responsible for, any Personal Data that our Customers may store or host on their equipment or otherwise Process while using our Services. We are not responsible for the privacy or data security practices of our Customers, which may differ from those set forth in our Privacy Policy and/or these GDPR Privacy Terms. For information related to how our Customers Process Personal Data, please contact the respective Customer directly. Furthermore, these GDPR Privacy Terms do not apply to any third-party websites or services that may be linked to our Website or the Services unless that website or service is controlled by us and displays our Privacy Policy and/or these GDPR Privacy Terms. We have no control over, and are not responsible for, the data collection and/or handling practices of these third-party websites or services outside our Website or Services. We encourage you to read the privacy statements of any third-party websites or services linking to (or linked to via) the Website or Services. In the event of a conflict and/or discrepancy between these GDPR Privacy Terms and our general Privacy Policy, these GDPR Privacy Terms will prevail. Our Contact Details If you have any questions or concerns as to how your Personal Data is Processed, please write to us using the contact information contained in Section 12 of our Privacy Policy. Our Data Collection Practices We collect and Process the following categories of Personal Data from Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, individuals that receive marketing communications from us and individuals that interact with us by registering for, attending and/or otherwise taking part in our webinars or conferences or who communicate with us via email, phone or in person, in each case to operate its business for the specific purposes identified below. โ Personal Details include data such as names, titles, company names, departments, email addresses, physical street addresses, telephone numbers, and social media usernames of individuals. โ Login Credentials include data such as usernames and passwords of individuals needed to access our Services. โ Unique IDs include data that we obtain from (a) prospective employees, (b) Website Visitors, or (c) other individuals that interact with us. โ Customer Support Records include data such as call details and other similar data regarding customer support communications and chat sessions with Representatives. โ Website and Service Records include data related your interactions with our Website and Services and other online content such as log data (i.e. login information, preferences and settings, etc.). โ Employment Information includes details such as descriptions of roles performed and locations of employment. Why do we collect Personal Data, what are the sources of Personal Data, what are the purposes for Processing and what is the lawful basis? The table below sets out the types of Personal Data we Process, the purposes of Processing such Personal Data and our lawful basis for doing so. The lawful basis will vary with the type of Processing involved and will typically include Processing (i) necessary for us to pursue our legitimate business interests, (ii) based on your consent, where this is required by data protection laws, and (iii) necessary for us to comply with our legal obligations. Where we rely on our legitimate business interests, we have explained what the grounds are for that reliance. Table 1. Polytropic Data Processing and Lawful Basis Purpose for Processing Personal Data Lawful Basis for Collecting Personal Data To interact with Customers, Service Providers and business partners. When a Customer places an order for our Services, we Processes the following categories of Personal Data necessary to deliver and provide Services to our Customers: โ Personal Details โ Login Credentials โ Unique IDs We also collect and Process Personal Data when engaging with Service Providers or business partners, as well as when we purchase products and services from them. We have a legitimate business interest in Processing Personal Data in order to engage in transactions with our Customers, Service Providers and business partners, as well as to efficiently run our business. To manage the security of our Website, Software Platform, systems and Services. In order to grant a Customer, Service Provider, business partner or prospective employee access rights to our systems or Services and to monitor applicable security thereof, we collect and Process the following categories of Personal Data from the Representatives of such Customer, Service Provider or business partner or the prospective employee: โ Personal Details โ Unique IDs โ Access Credentials and Visitation Records We have a legitimate business interest in protecting the security of our Website, Software Platform, systems and Services. To provide technical support and customer assistance. We collect and Process the following categories of Personal Data to provide our Customers and their Representatives with general and technical support: โ Personal Details โ Login Credentials โ Unique IDs โ Customer Support Records We have a legitimate business interest in being able to provide our Customers and technical support and customer assistance. To communicate and respond to requests and inquiries. When a Customer, Service Provider, business partner or other person or entity contacts us by email, phone, text or by submitting a contact form on our Website, we collect and Process the following categories of Personal Data from their Representatives or other related individuals in order to communicate with Customer, Service Provider, business partner or such other person or entity, as applicable, and respond to their requests and inquiries. We also collect and Process the following Personal Data from Representatives who register for a trade event, webinar, conference: โ Personal Details โ Unique IDs โ Website Records โ Marketing and Event Records We have a legitimate business interest in being able to communicate with its Customers, Service Providers, business partners and other persons or entities and respond to their inquiries and requests. To market our Services and tailor our marketing and sales activities. We may Process the following categories of Personal Data when marketing new and existing Services and features to our Customers and other persons and entities and in an effort to personalize such experience. We also collect and Process the following Personal Data from Representatives who register for a trade event, webinar, or conference: โ Personal Details โ Unique IDs โ Website Records โ Marketing and Event Records Except in cases where opt-in consent is required by law for the Processing of email addresses, IP addresses or other unique identifiers to send or Process electronic communications (emails, texts, Cookies, etc.), we process this data for marketing purposes on the basis of its legitimate interests. To analyze, improve, and optimize the use, function and performance of our Website, Software Platform and Services. We may Process the following categories of Personal Data in order to analyze, improve, and optimize the use, function and performance of our Website, Software Platform and Services, including for quality assurance and training purposes, as well as for marketing and sales campaigns. โ Personal Details โ Unique IDs โ Website Records โ Marketing and Event Records We have a legitimate business interest in improving and optimizing the use of our Website, Software Platform and Services. To comply with applicable laws, regulations and internal policies, practices, and procedures. We may be required to disclose certain categories of Personal Data in order to comply with applicable laws and regulations, e.g. to respond to a request from a government agency or to defend a legal claim. Additionally, we may also be required to process certain categories of Personal Data when conducting internal audits and investigations to ensure compliance with internal and external policies, practices, and procedures. We have a legitimate business interest in complying with all applicable laws, regulations, and internal policies. To receive applications for employment. We may Process the following categories of Personal Data when receiving, reviewing, using, and storing applications for employment, including from prospective employees who visit our Website or other online locations where jobs may be posted and applications may be submitted: โ Personal Details โ Login Credentials โ Unique IDs โ Education and Work History We have a legal obligation to collect certain information in order to confirm your right to work in the country to which you have applied. Additionally, we have a legitimate business interest in Processing the Personal Data of job applicants who seek to join the company to assess them as candidates for employment. Sharing Personal Data with Third Parties Except as described below, we will not share or disclose Personal Data with or to outside third parties. Any and all Personal Data provided to us by a Customer, Website Visitor, business partner, or other third party is transferred only on a โneed to knowโ basis in keeping with the purposes outlined in our Privacy Policy and/or these GDPR Privacy Terms. Service Providers. We may share Personal Data with our Service Providers in connection with advertising, hosting, data analytics, information technology and infrastructure, order management and fulfillment, billing, contract management, email delivery, auditing, events and other related activities. We provide such Personal Data or authorize the Processing of such Personal Data only as necessary to enable our Service Providers to perform their designated functions. Our contractual agreements with them (1) require them to act only under our instruction and for the purpose(s) directed by us with respect to such Personal Data; and (2) prohibit them from sharing such Personal Data with any third parties without our authorization. Business Partners. We may also share your Personal Data with trusted business partners pursuant to our contractual arrangements with them, which will include appropriate safeguards to protect any Personal Data that we share with these partners. These may include, but are not limited to third parties that organize trade shows, consultants, experts and auditors. Affiliated Entities. We share Personal Data with our affiliates. Subject to local requirements, this Personal Data may be used to provide Services offered by our affiliates, for the affiliates to provide support to the affiliated entity that is sharing the Personal Data or for any other purposes described in our Privacy Policy and/or these GDPR Privacy Terms. For example, affiliates may share Personal Data about our Customers, Service Providers, business partners, representatives, prospective employees and Website Visitors for direct marketing purposes. Fraud Prevention and Protection of Legal Rights. We may use and disclose Personal Data to the appropriate regulatory, legal, judicial or law enforcement authorities and our advisors and investigators when: (i) we believe, at our sole discretion, that such disclosure is necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity or to protect our safety, rights and/or property or that of our group of companies and/or Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, employees, contractors, among others; (ii) we suspect abuse of the Website, Software Platform and/or Services or unauthorized access to any system, spamming, denial of service attacks or any other similar attacks; (iii) exercising or protecting legal rights or defending against legal claims; or (iv) pursuing available remedies, as well as mitigating or limiting the damages that we may sustain. We may disclose Personal Data to our partners, Service Providers and law enforcement to secure our Website, Software Platform and/or Services, including to detect, prevent, and investigate security incidents or violations to our Privacy Policy and/or applicable laws. Law Enforcement. We may have to disclose the Personal Data of our Customers, Service Providers, business partners, representatives, applicants, Website Visitors or other third parties if a court, law enforcement or other public or government authority with appropriate jurisdiction requests that we provide said Personal Data and we believe, at our reasonable discretion, that such request was made in compliance with the applicable law. Corporate Reorganization. We may transfer the Personal Data of our Customers, Service Providers, business partners, Representatives, Website Visitors or other third parties to another third party in the case of the reorganization, sale, merger, joint venture, assignment, transfer or other alienation of any or all of our business, assets and/or stocks, including in the event of bankruptcy or corporate restructuring. Except as otherwise provided by a bankruptcy or other court, the use and disclosure of all transferred Personal Data will be subject to compliance with applicable data protection laws. Any Personal Data that an individual submits or that is collected after the reorganization may be subject to a new privacy policy adopted by the successor entity, which will be informed to you as provided under Section 11 of our Privacy Policy. Service Improvements. We may disclose Personal Data to our Service Providers in order to improve our Website, Software Platform and/or Services, such as to identify bugs, repair errors or ensure that services function as intended, or to conduct internal research and analysis in order to improve our technology. Cross-Border Transfers of Personal Data If we transfer EEA/EU/UK/Switzerland Personal Data to affiliates outside this EEA/EU/UK/Switzerland region, we will put in place appropriate intra-group agreements in accordance with the GDPR requirements, including use of the EU commission-approved standard contractual clauses (โSCC(s)โ) for Controllers as appropriate. If we transfer EEA/EU/UK/Switzerland Personal Data to third parties, such as Service Providers or business partners in countries outside the EEA/EU/UK/Switzerland region, we will put in place the EU SCCs or other relevant international transfer documentation that complies with the GDPR requirements. We will also put in place a GDPR-compliant data processing agreement. Data Retention We will retain Personal Data that we collect and Process where we have a justifiable business need to do so and/or for as long as it is needed to fulfill the purposes outlined in our Privacy Policy and these GDPR Privacy Terms. We may retain Personal Data as required by law, such as for tax, legal and/or accounting purposes. When we have no justifiable business need to process your Personal Data (e.g. after all of our necessary interactions have ended, our internal record keeping policies no longer require us to continue to process your Personal Data and we have no other legal obligations to retain your Personal Data), we will either delete or anonymize your Personal Data, at our reasonable discretion. Data Subject Rights under the GDPR The GDPR grants individuals who are in the EU/EEA/UK the rights as detailed in the paragraphs below, with some limitations. Individuals may contact us through our contact information contained in Section 12 of our Privacy Policy to exercise any of these rights and we will respond with the requested action or information, as applicable, or we will let you know why such rights do not apply to you. These rights are not absolute and are subject to various conditions under the applicable data protection and privacy legislation, as well as the laws and regulations that apply to us. In some cases, the exercise of these rights (e.g. erasure, deletion, objection, restriction or the withholding or withdrawing of consent to Processing) may make it impossible for us to provide our Services. Right to Not Provide Consent or to Withdraw Consent. We may seek to rely on your consent in order to Process certain Personal Data. Where we do so, you have the right to not provide your consent and the right to withdraw your consent at any time. If you withdraw your consent, this will not affect the lawfulness of the Processing conducted based on consent before its withdrawal. Right of Access. You have the right to obtain confirmation as to whether or not we collect or Process Personal Data concerning you and, if this is the case, you have the right to request a copy of such Personal Data in digital format. Right of Rectification. You have the right to require that we correct any inaccurate Personal Data concerning you and that we supplement incomplete Personal Data. Right of Erasure. Under certain circumstances, you have the right to request that we erase Personal Data concerning you; e.g. if it is no longer necessary for the purposes for which it was originally collected and we do not otherwise have a legitimate reason to retain the Personal Data. We may need to retain certain Personal Data when legally required for internal, record keeping purposes and/or in order to complete any transactions initiated prior to your request to remove or delete your Personal Data. When we are unable to delete Personal Data from our systems, we will anonymize it so it will no longer be directly or indirectly linked to your identity or identifiable. Right to Restrict Processing. Under certain circumstances, you have the right to request that we restrict the Processing of your Personal Data that we have collected; e.g. when you believe that your Personal Data that we retain is not accurate or unlawfully held. Right to Data Portability. Under certain circumstances, you have the right to receive the Personal Data concerning you that you have provided to us in a structured, commonly used, machine readable format, and for us to transmit the data to another entity where technically feasible. Right to Object to the Processing. Under certain circumstances, you have the right to request that we stop Processing your Personal Data, including when we rely on legitimate interests as a legal basis set forth in Table 1 above. If you receive commercial electronic communications from us, you can unsubscribe from the receipt of future commercial electronic communications from us by clicking on the โunsubscribeโ link provided in such communications. Please also note that if you do opt out of receiving commercial electronic communications from us, we may still send you important administrative messages (such as updates about your account or changes to the Services) and you cannot opt out from receiving these messages, unless you stop engaging our Services. Right to Not be Subject to Decisions Based Solely on Automated Processing that Produce Legal Effects. We do not make decisions based solely on automated Processing - including profiling - that produces legal effects or similarly affects you. Right to Complaint before a Supervisory Authority. You have the right to lodge a complaint with a Supervisory Authority if you believe that our Processing of Personal Data relating to you is inconsistent with our obligations under the GDPR. In this situation, we ask you please consider contacting us first, so that we can try and assist with your query or address your concern. In order to exercise any of your rights as set forth herein, please contact us in writing, via email or postal mail as indicated in Section 12 of our Privacy Policy, so that we may consider your request under the applicable law. We may ask that you provide the following Personal Data for us to promptly address your request: โ The name, user ID, pseudonym, email address or other identifier you have provided to us or, if you have not otherwise previously interacted with us, your first and last name and an address where we can contact you; โ The country in which you are located; โ A clear description of the Personal Data or content that you wish to receive or to be deleted or corrected and/or the action you wish to be taken; and โ Sufficient information to allow us to locate the content or Personal Data to be deleted, removed and/or corrected. For your protection, we may only respond to requests with respect to the Personal Data that is associated with the particular email address that is registered under your user account. In addition, please note that, depending on the nature of your inquiry, request and/or complaint, we may need to verify your identity before implementing your request and require documentary proof of identity, such as in the form of a government issued ID and proof of your physical address. We will make all efforts to comply with your request as soon as reasonably practicable and in any case within the timelines prescribed by the applicable law. However, we reserve the right to refuse to act on a request that is manifestly unfounded or excessive (e.g. because it is repetitive) and/or to charge a fee that takes into account the administrative costs for providing the information or the communication or taking the action requested, in the cases where such action is justified. APPENDIX C: LGPD Privacy Terms (Portuguese) Note: This section applies specifically to Brazil residents. APPENDIX D: COLOMBIA PRIVACY TERMS (SPANISH) Note: This section only applies to Colombian residents. ANEXO D: TรRMINOS DE PRIVACIDAD PARA COLOMBIA (ESPAรOL) Obs.: Esta secciรณn sรณlo aplica a residentes en el territorio de la Repรบblica de Colombia. 1. GENERALIDADES De conformidad con el artรญculo 15 de la Constituciรณn Polรญtica, relativo al derecho que tienen todas las persona a conocer, actualizar y rectificar las informaciones que se hayan recogido sobre ellas en bases de datos; el artรญculo 20 de la Constituciรณn Polรญtica, sobre el derecho a la informaciรณn; la Ley Estatutaria 1581 de 2012 โPor la cual se dictan disposiciones generales para la protecciรณn de datos personalesโ, el Decreto 1377 de 2013, โPor el cual se reglamenta parcialmente la Ley 1581 de 2012โ y demรกs normas reglamentarias; Polytropic, teniendo en cuenta su responsabilidad en el tratamiento de datos personales de otros, en cumplimiento de las normas seรฑaladas, adopta este Anexo con temas complementarios para Colombia a su Polรญtica de Privacidad sombrilla (General Privacy Policy โ ). 2. CAMPO DE APLICACIรN El Anexo D se aplica a clientes, contratistas, empleados, proveedores o, de cualquier otra persona que por algรบn motivo suministre informaciรณn a Polytropic, mientras se encuentren en el territorio de la Repรบblica de Colombia. 3. PRINCIPIOS PARA EL TRATAMIENTO DE DATOS PERSONALES El Anexo D se aplica a clientes, contratistas, empleados, proveedores o, de cualquier otra persona que por algรบn motivo suministre informaciรณn a Polytropic, mientras se encuentren en el territorio de la Repรบblica de Colombia. Polytropic como Responsable del Tratamiento, aplicarรก, de manera armรณnica e integral, los siguientes principios rectores en la recolecciรณn, manejo, uso, tratamiento, almacenamiento e intercambio de datos personales: 1. Principio de legalidad en materia de Tratamiento de datos: En el Tratamiento de datos personales, Polytropic darรก aplicaciรณn al artรญculo 15 de la Constituciรณn Polรญtica; al artรญculo 20 de la Constituciรณn Polรญtica; a la Ley Estatutaria 1581 de 2012; al Decreto 1377 de 2013; al Decreto 1074/15 y a las demรกs normas vigentes y aplicables y demรกs disposiciones que la desarrollen, que rigen el tratamiento de datos personales y demรกs derechos fundamentales conexos. 2. Principio de finalidad: El Tratamiento de datos personales que sean acopiados o recogidos por Polytropic o a los que esta tenga acceso, obedecerรก a una finalidad legรญtima de acuerdo con la Constituciรณn y las Leyes, la cual debe ser informada al Titular. 3. Principio de libertad: El Tratamiento de datos personales sรณlo puede ejercerse con el consentimiento, previo, expreso e informado del Titular. Los datos personales no podrรกn ser obtenidos o divulgados sin previa autorizaciรณn, o en ausencia de mandato legal o judicial que releve el consentimiento. 4. Principio de veracidad o calidad: La informaciรณn sujeta a captura, recolecciรณn, uso y tratamiento de datos personales debe ser veraz, completa, exacta, actualizada, comprobable y comprensible. Se prohรญbe el Tratamiento de datos parciales, incompletos, fraccionados o que induzcan a error. 5. Principio de transparencia: En el Tratamiento de datos personales debe garantizarse el derecho del Titular a obtener de Polytropic o del Encargado del Tratamiento, en cualquier momento y sin restricciones, informaciรณn acerca de la existencia de datos que le conciernan. 6. Principio de acceso y circulaciรณn restringida: El Tratamiento de datos personales se sujeta a los lรญmites que se derivan de la naturaleza de los datos personales y, a las normas vigentes y aplicables que rigen el tratamiento de datos personales y demรกs derechos fundamentales conexos. En este sentido, los datos personales sรณlo podrรกn ser objeto de Tratamiento por personas autorizadas por el Titular, y salvo la informaciรณn pรบblica, no podrรกn estar disponibles en Internet u otros medios de divulgaciรณn o comunicaciรณn masiva, salvo que el acceso sea tรฉcnicamente controlable para brindar un conocimiento restringido sรณlo a los Titulares o terceros autorizados conforme a la ley. 7. Principio de seguridad:La informaciรณn sujeta a Tratamiento por parte de Polytropic, se manejarรก con las medidas tรฉcnicas, humanas y administrativas existentes que sean necesarias para otorgar seguridad a los registros, evitando su adulteraciรณn, pรฉrdida, consulta, uso o acceso no autorizado o fraudulento. 8. Principio de confidencialidad: Todas las personas que intervengan en el Tratamiento de datos personales o que tengan acceso a informaciones que se encuentren en Bases de Datos y que no tengan la naturaleza de pรบblicos, estรกn obligadas a garantizar la reserva de la informaciรณn, inclusive despuรฉs de finalizada su relaciรณn con alguna de las labores que comprende el Tratamiento de la informaciรณn, pudiendo sรณlo realizar suministro o comunicaciรณn de datos personales cuando ello corresponda al desarrollo de las actividades autorizadas en las normas vigentes y aplicables que rigen el tratamiento de datos personales, y demรกs derechos fundamentales conexos. Todas las personas que trabajen actualmente o sean vinculadas a futuro para tal efecto, en la administraciรณn y manejo de bases de datos, deberรกn suscribir otro sรญ a su contrato laboral o de prestaciรณn de servicios para efectos de asegurar tal obligaciรณn. 4. DERECHOS DE LOS TITULARES DE DATOS PERSONALES Todo proceso que conlleve el Tratamiento de datos personales por parte de cualquier รกrea de la compaรฑรญa, tanto de visitantes, clientes, contratistas, trabajadores, proveedores y, en general, cualquier tercero con el cual Polytropic sostenga relaciones comerciales y laborales, deberรก tener en cuenta los derechos que le asisten a ese Titular de los datos, los cuรกles se enuncian a continuaciรณn: 1. Conocer, actualizar, consultar o rectificar sus datos personales, en cualquier momento, frente a Polytropic, respecto a aquellos datos que considere parciales, inexactos, incompletos, fraccionados y/o que induzcan a error. 2. Solicitar en cualquier momento una prueba de la autorizaciรณn otorgada a Polytropic para el Tratamiento de sus datos personales. 3. Ser informado por Polytropic, previa solicitud del Titular de los datos, respecto del uso que le ha dado a los mismos. 4. Presentar ante la Superintendencia de Industria y Comercio las quejas que considere pertinentes para hacer valer su derecho al Habeas Data frente a Polytropic. 5. Revocar la autorizaciรณn y/o solicitar la supresiรณn de algรบn dato, cuando considere que la Polytropic no ha respetado sus derechos y garantรญas constitucionales. 6. Acceder, en forma gratuita, a los datos personales que voluntariamente decida compartir con Polytropic, para lo cual la compaรฑรญa se encargarรก de conservar y archivar de forma segura y confiable los formatos de autorizaciรณn de cada uno de los Titulares de datos personales debidamente otorgadas. 5. TRATAMIENTO DE LOS DATOS SENSIBLES Dato sensible: Aquellos que afectan la intimidad del Titular o cuyo uso indebido puede generar su discriminaciรณn, tales como los relacionados con el origen racial o รฉtnico, la pertenencia a sindicatos, organizaciones sociales o de derechos humanos, convicciones polรญticas, religiosas, de la vida sexual, biomรฉtricos o datos de la salud y, los datos biomรฉtricos, como huellas digitales, fotografรญas, iris, reconocimiento de voz, facial o de palma de mano. Esta informaciรณn podrรก no ser otorgada por el Titular de estos datos. Polytropic podrรก hacer la captura, recolecciรณn, uso y tratamiento de los datos catalogados como sensibles cuando: a) El Titular haya dado su autorizaciรณn previa y explรญcita a dicho Tratamiento, salvo en los casos que por ley no sea requerido el otorgamiento de dicha autorizaciรณn. b) El Tratamiento sea necesario para salvaguardar el interรฉs vital del Titular y este se encuentre fรญsica o jurรญdicamente incapacitado. En estos eventos, los representantes legales deberรกn otorgar su autorizaciรณn. c) El Tratamiento sea efectuado en el curso de las actividades legรญtimas y con las debidas garantรญas por parte de una fundaciรณn, ONG, asociaciรณn o cualquier otro organismo sin รกnimo de lucro, cuya finalidad sea polรญtica, filosรณfica, religiosa o sindical, siempre que se refieran exclusivamente a sus miembros o a las personas que mantengan contactos regulares por razรณn de su finalidad. En estos eventos, los datos no se podrรกn suministrar a terceros sin la autorizaciรณn del Titular. d) El Tratamiento se refiera a datos que sean necesarios para el reconocimiento, ejercicio o defensa de un derecho en un proceso judicial. El Tratamiento tenga una finalidad histรณrica, estadรญstica o cientรญfica. En este evento deberรกn adoptarse las medidas conducentes a la supresiรณn de identidad de los Titulares. 6. TRANSFERENCIA DE DATOS Si Polytropic transfiere los Datos Personales a su casa matriz o a otras sucursales, se aplicarรก la Polรญtica de Privacidad Sombrilla. Si Polytropic transfiere los Datos Personales a terceros, tales como proveedores de servicios o socios de negocios, mediarรก un acuerdo de procesamiento de datos que cumpla con la legislaciรณn aplicable vigente. 8. PROCEDIMIENTOS PARA EL EJERCICIO DE LOS DERECHOS DEL TITULAR DE LOS DATOS PERSONALES El usuario podrรก ejercer su derecho a conocer, actualizar, rectificar y suprimir los datos personales que haya suministrado a Polytropic, enviando una comunicaciรณn, en cualquier momento y de manera gratuita, a travรฉs del siguiente correo electrรณnico: privacy@polytropic.com. De conformidad con lo dispuesto en el Artรญculo 20 del Decreto 1377 de 2013, los derechos de los Titulares establecidos en la Ley, podrรกn ejercerse por: a) El Titular, quien deberรก acreditar su identidad en forma suficiente por los distintos medios que le ponga a disposiciรณn el Responsable. b) Por sus causahabientes, quienes deberรกn acreditar tal calidad. c) Por el representante y/o apoderado del Titular, previa acreditaciรณn de la representaciรณn o apoderamiento. La peticiรณn o derecho que ejercita el Titular de los datos personales deberรก contener, como mรญnimo: 1. Identificaciรณn del Titular. 2. Los datos de contacto para recibir notificaciones. 3. Los documentos que acrediten en debida forma la personerรญa o mandato para actuar, si fuera el caso. 4. La descripciรณn clara y precisa de los datos personales respecto de los cuales el Titular busca ejercer alguno de los derechos. Estos derechos se podrรกn ejercer, entre otros, frente a datos parciales, inexactos, incompletos, fraccionados, que induzcan a error o, aquellos cuyo tratamiento estรฉ expresamente prohibido o no haya sido autorizado por su Titular. 9. CONSULTAS Los Titulares, sus causahabientes o representantes podrรกn consultar la informaciรณn personal del Titular que repose en cualquier base de datos de Polytropic, suministrando a estos toda la informaciรณn contenida en el registro individual o que estรฉ vinculada con la identificaciรณn del Titular. La consulta se formularรก por escrito, a travรฉs del medio indicado en el numeral 8, siempre y cuando sea el Titular de los datos o su representante. 10. RECTIFICACIรN O ACTUALIZACIรN DE DATOS Los Titulares, sus causahabientes o representantes que consideren que la informaciรณn contenida en una base de datos de Polytropic debe ser objeto de rectificaciรณn o actualizaciรณn, podrรกn presentar un reclamo ante Polytropic, el cual serรก tramitado bajo las siguientes reglas: El reclamo se formularรก mediante solicitud dirigida a Polytropic, a travรฉs del medio indicado en el numeral 8, con la siguiente informaciรณn: 1. Identificaciรณn del Titular. 2. Los datos de contacto para recibir notificaciones. 3. Los documentos que acrediten en debida forma la personerรญa o mandato para actuar, si fuere necesario. 4. La descripciรณn de los hechos que dan lugar al reclamo. 5. La descripciรณn clara y precisa de los datos personales respecto de los cuales el Titular busca la rectificaciรณn o actualizaciรณn. 6. Los documentos que se quieran hacer valer. 11. SUPRESIรN DE DATOS Los Titulares, sus causahabientes o representantes podrรกn solicitar, en todo momento y de forma gratuita, a Polytropic, la supresiรณn de sus datos personales cuando: a) Consideren que los mismos no estรกn siendo tratados conforme a los principios, deberes y obligaciones previstas en la normatividad vigente y en la presente Polรญtica. b) Hayan dejado de ser necesarios o pertinentes para la finalidad para la cual fueron recabados. c) Se haya superado el periodo necesario para el cumplimiento de los fines para los que fueron recabados. Esta supresiรณn implica la eliminaciรณn total o parcial de la informaciรณn personal de acuerdo con lo solicitado por los Titulares, sus causahabientes o representantes, en los registros, archivos y bases de datos administrados por Polytropic. El reclamo se formularรก mediante solicitud dirigida a Polytropic, a travรฉs del medio indicado en el numeral 8, con la siguiente informaciรณn: 1) Identificaciรณn del Titular. 2) Los datos de contacto para recibir notificaciones. 3) Los documentos que acrediten en debida forma la personerรญa o mandato para actuar, si fuere necesario. 4) La descripciรณn de los hechos que dan lugar al reclamo. 5) La descripciรณn clara y precisa de los datos personales respecto de los cuales el Titular busca la rectificaciรณn o actualizaciรณn. 6) Los documentos que se quieran hacer valer. Ahora bien, es importante tener en cuenta que el derecho de cancelaciรณn no es absoluto y el Responsable puede negar el ejercicio del mismo cuando: 1) El Titular tenga un deber legal o contractual de permanecer en la base de datos. 2) La eliminaciรณn de datos obstaculice actuaciones judiciales o administrativas vinculadas a obligaciones fiscales, la investigaciรณn y persecuciรณn de delitos o la actualizaciรณn de sanciones administrativas. 3) Los datos sean necesarios para proteger los intereses jurรญdicamente tutelados del Titular; para realizar una acciรณn en funciรณn del interรฉs pรบblico, o para cumplir con una obligaciรณn legalmente adquirida por el Titular. 12. REVOCATORIA DE LA AUTORIZACIรN Los Titulares, sus causahabientes o sus representantes podrรกn, en todo momento y de forma gratuita, revocar el consentimiento al Tratamiento de sus datos personales, siempre y cuando no lo impida una disposiciรณn legal o contractual. Para ello, el Titular podrรก revocar su consentimiento mediante el mismo medio por el que lo otorgรณ. Al respecto, se debe tener en cuenta que existen dos modalidades de revocaciรณn del consentimiento: Una de ellas se da sobre la totalidad de las finalidades consentidas y, la otra, se da sobre algunos tipos de tratamiento determinados. 13. DEBERES COMO ENCARGADO DEL TRATAMIENTO Polytropic se encarga directamente del tratamiento y custodia de los Datos Personales captados y almacenados. Sin embargo, se reserva el derecho a delegar en un tercero tal Tratamiento, para lo cual exigirรก al Encargado la atenciรณn e implementaciรณn de las Polรญticas y procedimientos idรณneos para la protecciรณn de los datos personales y la estricta confidencialidad de los mismos, de acuerdo con la normatividad vigente. 14. MEDIDAS DE SEGURIDAD ADOPTADAS CON RELACIรN AL TRATAMIENTO DE DATOS PERSONALES Polytropic adoptarรก las medidas tรฉcnicas, humanas y administrativas necesarias para garantizar la seguridad y confidencialidad de los datos y para evitar su alteraciรณn, pรฉrdida, consulta, uso o acceso no autorizado. Los datos personales que el Titular de la informaciรณn suministre a Polytropic bajo cualquier medio, serรกn administrados de forma confidencial, con las debidas garantรญas constitucionales, legales y demรกs normas aplicables a la protecciรณn de datos personales. 15. RESPONSABLE DEL TRATAMIENTO DE DATOS PERSONALES El responsable de la captura, recolecciรณn, uso y tratamiento de sus datos personales es la sociedad Hermes Ventures S.A.S., identificada con el NIT 901590826_5, con domicilio en La ciudad de Medellin,, Colombia, correo electrรณnico privacy@polytropic.com.