For PAYMENTS WAY SOLUTIONS S.A.S., privacy concerning all data and information processing is of utmost importance. Accordingly, we have created a policy framework that outlines the principles governing the processing of the information you provide us, the internal sources consulted, and the use given to the data obtained—ensuring that the DATA SUBJECT remains informed at all times.

It is crucial that you, as the DATA SUBJECT—whether a legal or natural person—carefully review this privacy and confidentiality policy in order to be fully informed about the processing of your information by PAYMENTS WAY SOLUTIONS S.A.S.

Over time, PAYMENTS WAY SOLUTIONS S.A.S. may need to update or modify the privacy policies contained in this document. If this occurs, we will notify you via our website and, if necessary, request your renewed consent via the most expedient means, clearly indicating what changes were made so that we can update our records.

As the DATA SUBJECT, you must understand that accepting the terms of this privacy policy is not mandatory. However, if PAYMENTS WAY SOLUTIONS S.A.S. does not have your authorization to process your data, we will be unable to access your information or carry out necessary verifications for the purposes outlined below. As a result, we will not be able to provide you with the full range of our services. Conversely, if you accept the policy, it will be understood that you have read, understood, and fully accepted its contents.

I. DATA CONTROLLER IDENTIFICATION

 

PAYMENTS WAY SOLUTIONS S.A.S. (hereinafter “PAYMENTS WAY”) is a Colombian commercial company headquartered at Carrera 11 A # 93-52, Office 503. Contact details can be found in the section designated for data processing service channels.

 

II. DEFINITIONS

 

To help you better understand the content of these policies, we hereby provide definitions for key terms as established by national data protection regulations:

2.1.  2.1. Law 1266 of 2008:

          a. Data Subject. The natural or legal person to whom the information stored in a data bank refers and who is subject to the right of habeas data and other rights and guarantees provided under this law.

          b. Personal Data. Any piece of information linked to one or more identified or identifiable individuals, or that can be associated with a natural or legal person. Non-personal data is not subject to the data protection regime of Law 1266 of 2008. When the law refers to “data,” it is presumed to be personal. Personal data can be public, semi-private, or private.

c. Public Data. Data qualified as such by law or the Political Constitution, and all data that is not semi-private or private under this law. Examples include public documents, enforceable judicial rulings not subject to confidentiality, and data related to civil status.

d. Semi-private Data Data that is not intimate, reserved, or public, and whose knowledge or disclosure may be of interest not only to the data subject but also to a specific group or society at large, such as financial and credit data.

e. Private Data Data that, by its intimate or reserved nature, is relevant only to the data subject.

f. Financial, Credit, Commercial, Service, and Foreign Country DataFor all purposes under Law 1266 of 2008
     this refers to information regarding the origin, execution, and termination of financial obligations,
     regardless of the nature of the underlying contract.

2.2.  Law 1581 of 2021

          g. Authorization. Prior, express, and informed consent of the data subject for the processing of personal data.

h. Database. Organized set of personal data subject to processing.

 i. Data Processor. Natural or legal person, public or private, who processes personal data on behalf of the Data Controller.

 j. Data Controller. Natural or legal person, public or private, who decides on the database and/or data processing.

k. Processing. Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

2.3.  Decree 1074 of 2015

  I. Sensitive Data. Data that affects the privacy of the data subject or may be used improperly to discriminate,                         such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union or human rights organization membership, or sexual life, as well as biometric data.

m. Transfer. Occurs when the Data Controller and/or Processor located in Colombia sends personal data to a recipient who is also a Data Controller and is located inside or outside the country.

n. Transmission. Processing of personal data involving its communication within or outside Colombian territory when intended for processing by the Processor on behalf of the Controller.

III. PRINCIPLES

 

3.1.  Legality: This privacy and confidentiality policy has been developed in accordance with Law 1581 of 2012 and other applicable regulations issued by Colombian oversight bodies.

3.2. Purpose: The processing of personal data must serve a legitimate purpose under Colombian law, as indicated herein or in our terms and conditions of use.

3.3. Freedom: Data processing may only occur with prior, express, and informed consent, which is confirmed through acceptance of this privacy policy.

3.4.  Veracity or Quality: Data must be truthful, complete, accurate, up-to-date, verifiable, and understandable. Processing of partial, incomplete, or misleading data is prohibited.

3.5.   Security: Data must be managed with the necessary technical, human, and administrative measures to ensure the integrity and protection of records and prevent unauthorized access or fraudulent use.

3.6.  Confidentiality: All information disclosed or accessed will be treated as confidential.

IV. RIGHTS OF THE DATA SUBJECT

Although the information disclosed remains the property of the DATA SUBJECT, they are entitled to rights that ensure proper handling of their data as outlined in this document.

4.1. According to Law 1266 of 2008:

4.1.1 With respect to database operators:

4.1.1.1 Exercise the right to habeas data through consultation or claims procedures.

4.1.1.2 Request protection of other constitutional or legal rights.

4.1.1.3 Request proof of authorization certification.

4.1.1.4 Request information about authorized users.

4.1.2. With respect to data sources:

4.1.2.1 To exercise the fundamental rights to habeas data and petition, whose compliance may be carried out through the operators, in accordance with the consultation and claim procedures of this law, without prejudice to other constitutional or legal mechanisms.

4.1.2.2 To request information or to request the updating or correction of the data contained in the database, which will be carried out by the operator based on the information provided by the source, as established in the procedure for consultations, claims, and petitions.

4.1.2.3 To request proof of the authorization, when such authorization is required in accordance with the provisions of this law.

4.1.3. With respect to the users:

4.1.3.1 To request information about the use that the user is giving to the information, when such information has not been provided by the operator.

4.1.3.2 To request proof of the authorization, when such authorization is required in accordance with the provisions of this law.

4.1.4. Additional rights:

4.1.4.1 To go before the supervisory authority to file complaints against the sources, operators, or users for violation of the rules on the management of financial and credit information.

4.1.4.2 To go before the supervisory authority to seek an order requiring an operator or source to correct or update their personal data, when applicable under the provisions of Law 1266 of 2008.

 

4.2. In accordance with Law 1581 of 2012, the rights are:

4.2.1 To know, update, and rectify your personal data with respect to the Data Controllers or Data Processors. This right may be exercised, among others, regarding partial, inaccurate, incomplete, fragmented data, data that leads to error, or data whose Processing is expressly prohibited or has not been authorized;

4.2.2. To request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for Processing, in accordance with the provisions of Article 10 of this law;

4.2.3. To be informed by the Data Controller or the Data Processor, upon request, about the use that has been made of your personal data;

4.2.4. To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add to, or supplement it;

4.2.5. To revoke the authorization and/or request the deletion of the data when the Processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that, during the Processing, the Data Controller or Processor engaged in conduct contrary to this law and the Constitution;

4.2.6. To access your personal data that has been subject to Processing free of charge.

V. PROCESSING AND PURPOSES FOR WHICH THE INFORMATION WILL BE SUBJECTED

In accordance with the privacy and confidentiality protection policy and based on the provisions of Colombian legislation, we inform you of the Processing that PAYMENTS WAY SOLUTIONS S.A.S. will carry out on the information you have provided and its respective purposes.

5.1. 5.1. To study, authenticate, and authorize the information for the use of products, services, and contracts: 

PAYMENTS WAY will carry out the counterpart knowledge and risk assessment process with the purpose of authenticating, validating, and authorizing the different contracting processes with clients, users, suppliers, and partners, as well as data update processes.

5.2. Payment order processing:

PAYMENTS WAY offers a wide variety of services in the market to process payments. To complete payments, it will receive information from cardholders and payment methods to verify the information and process these requests.

In this sense, it must be understood that in some cases PAYMENTS WAY acts as the data processor on behalf of the MERCHANT, who is the Data Controller; therefore, the data subject must review the MERCHANT’s policy.

Additionally, the collected information may be shared with payment networks and financial institutions under transactional security standards in order to process the payment.

PAYMENTS WAY may store encrypted payment method information when a cardholder authorizes it to perform future transactions.  

5.3. To ensure regulatory compliance in the market:

PAYMENTS WAY processes data with the purpose of complying with national legislation and regulations, as well as agreements with financial entities with which it maintains contractual relationships in the following ways:

5.3.1. To validate transaction information in order to implement a fraud prevention system and avoid                         identity theft risk. For this purpose, PAYMENTS WAY may receive and process data with specialized fraud prevention applications.

5.3.2. To exchange information with credit risk centers.

5.3.3. To exchange information to verify contracting risk.

5.3.4. To exchange information to confirm identity. 

5.3.5. To exchange information to cross-check against lists aimed at preventing ML/TF/FPADM and corruption risks.

5.3.6. To process the data if the right to dispute a transaction is exercised.

5.4. To manage the contractual relationship:

        With the acceptance of the terms described herein, the following actions are authorized:

5.4.1. To inform about service interruptions.

5.4.2. To request information and documentation about the merchant and their transactions.

5.4.3. To inform about products and services offered by PAYMENTS WAY and request updated documentation.

5.4.4. To provide support for PAYMENTS WAY's products and services.

5.4.5. To send transaction records and/or possible fraud cases.

5.5. To improve products and services:

       To improve our service, customer relationships, and market presence, the data will be used for:

4.5.1. Conducting market studies.

4.5.2. Conducting studies on interactions with products and services.

4.5.3. Generating statistical reports on merchant and customer behavior.

4.5.4. Sending commercial information about product improvements and new products.

5.6. To share information with third parties:

        On certain occasions, PAYMENTS WAY may enter into contracts to share collected information for commercial and operational purposes. In such cases, the data subject consents to the transfer and/or transmission of data under the standards established by current national legislation.

VI. INFORMATION SOURCES:

Below we list the channels through which information can be accessed:

6.1. Information provided directly: PAYMENTS WAY may collect information through various means, such as its websites, service platforms, and platforms authorized by the data subject. 

6.2. Information provided by third parties: PAYMENTS WAY may receive information from third parties under its commercial agreements or access public information permitted by current national legislation. In any case, when the information comes from third parties, the data subject must understand that it may be collected under the following circumstances:

6.2.1. By third parties with whom PAYMENTS WAY has entered into contracts involving information disclosure; in such cases, the third party must have the data subject's authorization.

6.2.2. Through social networks and platforms when authorized by the data subject.

6.2.3. From SUB-MERCHANTS where the data subject conducts payment transactions through the various methods offered by PAYMENTS WAY, in order to carry out the transaction.

6.2.4. From credit bureaus and banking institutions with which PAYMENTS WAY has relationships.

6.3. Cookies: When accessing the PAYMENTS WAY website or using transactional services, temporary information is stored on the device, known as cookies. These help track preferences and habits to provide better service. Certain functionalities can only be accessed through cookies; however, they can be deleted using browser tools. Cookies also allow for tokenization of information, making access to services easier by remembering passwords or form data used in payments.

VII. INTERNATIONAL DATA TRANSFER

The personal information you disclose to PAYMENTS WAY may be processed outside the jurisdiction of Colombia, either by our company and its subsidiaries or by third parties with whom PAYMENTS WAY has a contractual or commercial relationship. In any case, such processing will comply with the rules established by Colombian legislation, particularly:

a. Application of the general prohibition rules outlined in Article 26 of Law 1581 of 2012.

b. Execution of agreements with the data processors.

c. Execution of agreements in jurisdictions with adequate levels of data protection.

VIII. MINORS:

PAYMENTS WAY does not collect, disclose, or process minors' information, as all services are restricted to individuals of legal age.

PAYMENTS WAY is not responsible for unauthorized use of the payment platform or any of its services by minors using third-party information. Parents are advised to supervise minors when they access or use the Internet.

IX. HANDLING OF REQUESTS REGARDING DATA PROCESSING

9.1. Responsible party: PAYMENTS WAY has appointed a Data Protection Officer under the legal and administrative department. This official is responsible for processing requests submitted by data subjects in order to ensure data is handled in accordance with the company’s internal policies and national legislation.

9.2. Contact channels: Any data subject wishing to exercise the rights granted under national legislation and/or described in section four of this document may do so through the following channels:

• • • • • • • • Physical correspondence: Carrera 11 A # 93-52, Office 503
              • Email: SAC@paymentsway.co 
              • Phone number: 601 7035887

9.3. Requirements to submit a request: The data subject must send a written request containing at least the following information:

• • • • • • • • Date
              • Name of the legal entity represented (if applicable)
              • Identification number of the legal entity represented (if applicable)
              • Full name of the legal representative (if applicable)
              • Identification number of the legal representative (if applicable)
              • Full name of the data subject 
              • Identification number
              • Contact information (email and/or mobile number)
              • Subject (indicating whether the request concerns access, correction, update, proof of authorization, revocation, deletion, etc.)
              • Description of the facts giving rise to the request
              • Signature
              • Copy of identity document

X. PROCEDURE FOR HANDLING REQUESTS

Once the data subject submits the request, PAYMENTS WAY will review it to ensure it is clear and meets all requirements. In any case, PAYMENTS WAY may request additional information to verify the identity and/or further understand the request in order to respond accurately. The process will proceed as follows:

10.1. In the case of a consultation: The response time for PAYMENTS WAY is ten (10) business days from the date the request is received.

10.2. In the case of a claim: The response time for PAYMENTS WAY is fifteen (15) business days from the date the request is received.

10.3. Actual procedure: Upon receiving the request through the designated email or phone number, the Customer Service department will direct it to the Data Protection Officer, who will verify whether the request is complete or needs to be supplemented. If additional information is needed, the data subject will be informed within five (5) business days from receipt of the request, and the response time will restart once all requirements are fulfilled.

           Once the request contains the minimum required information, the Data Protection Officer will process it and respond to the data subject.

XI. DISCLAIMER:

PAYMENTS WAY SOLUTIONS S.A.S. does everything within its power and follows industry and commercial best practices to safeguard information using high security standards. However, it is possible that due to unforeseen external attacks or vulnerabilities not yet identified by oversight bodies or the industry (e.g., operating systems, network standards, encryption protocols, processors, etc.), security breaches may occur, resulting in the loss or leakage of information. For this reason, users acknowledge the risks associated with disclosing, sharing, or allowing access to information through electronic means, and thereby release PAYMENTS WAY SOLUTIONS S.A.S. from any liability should unforeseen events compromise the data subjects' rights.

XII. EFFECTIVENESS OF THE PRIVACY POLICY

This privacy policy has been designed to inform users how PAYMENTS WAY processes their information. Any general matter not regulated herein shall be governed by Law 1581 of 2012 and other relevant data protection laws. The data collected by PAYMENTS WAY will be retained for the duration of the contractual relationship and for up to five (5) years after the termination of such relationship. In no case will data be kept for less than five (5) years.

This policy takes effect as of November 15, 2023, and supersedes any previous documents that address the same subject matter or contain inconsistencies. 

MODIFICATIONS TO THE PRIVACY POLICY

The Privacy Policy may change over time. When this occurs, PAYMENTS WAY will notify data subjects through its website https://paymentsway.co/ and/or the email address registered by the data subject.

Likewise, it is essential that the data subject notifies PAYMENTS WAY of any changes to the information previously provided.