privacy policity icon

Privacy Policy

The Privacy Policy or Personal Information Processing is presented below. Panda Server SAS, in complying with Colombian regulations, especially the Statutory Law 1581 of 2012, determined by the honorable Constitutional Court through the statement C-748-11 of October 6th 2011, regulatory decrees, and any other rule that can modify or abolish the above mentioned, acts with the purpose of respecting the privacy of every account holder that has provided information and especially those whose personal information is to be stored in the database in any form by the Enterprise, valid for Colombia and internationally in relation to the website https://panda.exchange or any other website, app or media and/or service belonging to Panda Exchange as well as any of the companies of Panda Server SAS, and any of its affiliated, parent, related and/or subordinate enterprises (named for the purpose of this policy as Panda Exchange).

Panda Exchange, which is responsible for the processing of personal information, hereby informs every employee and third parties in any category (customers, users, suppliers, etc.) and in general any personal information holder, the content and the extent of the internal policy in relation to the processing of personal information.This policy for data processing also applies to every user of Panda Exchange services, that is to say, natural and legal persons, the latter in the events where it must be applied according to the corresponding law of protection of Personal Information. As owner of the personal information, the user of Panda Exchange consents to the processing when, while using Panda Exchange apps or website, the platform asks for verification and approval of the checkbox for acceptance of the Information Processing Policy or through any activity in any Panda Exchange resource. Similarly, the user expresses by the acceptance of this policy, that que provided information is true and there has been no omission or alteration of any data.

The right to the protection of personal information is protected by the Political Constitution of Colombia, specifically in its article 15:

All individuals have the right to personal and family privacy and to their good reputation, and the State has to respect them and to make others respect them. Similarly, individuals have the right to know, update, and rectify information collected about them in data banks and in the records of public and private entities. Freedom and the other guarantees approved in the Constitution will be respected in the collection, processing, and circulation of data. Correspondence and other forms of private communication may not be violated. They may only be intercepted or recorded on the basis of a court order in cases and following the formalities established by law. With the purpose to prevent the perpetration of terrorist acts, an statutory law will regulate the form and conditions for the authorities mentioned in it, based on serious reasons, to intercept or register the correspondence and other forms of private communication, without previous court order, with immediate notification to the General Attorney of the Nation and subsequent court control within the next 36 hours. At the beginning of every session the Government will submit a report on the usage of this competence. In case of abuse by any officer in the measures referred to in this article, it will be considered a very serious offense, without prejudice to the other responsibilities that may ensue. For tax or legal purposes and for cases of inspection, the oversight and intervention of the State may demand making available accounting records and other private documents within the limits provided by law.

Modified by Legislative Act in February 2003.

The Honorable Constitutional Court, though several statements have concluded that the Habeas data is a base right of the people's freedom and self determination.

Consequently, before performing any action in or through Panda Exchange, the user must read carefully this Information Processing Policy, prior to accepting it and providing us their personal information. If the user does not agree with our Privacy Policy, should refuse to give authorization. The user is not compelled to provide us with personal information; nevertheless, if they chose not to do it, they will not be able to use some of our services and we will not be able to answer their questions and needs. Finally, there is a permanent access to the Information Processing Policy on the home page of our website.

The guidelines and policies of Panda Exchange in order to grant the right of Habeas data and methods for the protection of the stores information are kept available for any interested party.

1. Identification of the responsible of the data processing

Business name: Panda Server SAS, hereinafter “Panda Exchange”, or, “The Company”, joint-stock companies.

Address: Bogotá D.C. N.I.T. 901.228.802-9, con sede principal en la Carrera 7 #66-34.

E-mail: hola@panda.exchange

Telephone number: +57 19088452

2. Applicable legal framework:

• Political Constitution, article 15.

• Act 1266 of 2008.

• Act 1581 de 2012.

• Regulatory decrees 1727 of 2009, and, 2952 of 2010.

• Partial regulatory decree 1377 of 2013.

• Constitutional Court Sentences C-1011 of 2008, and, C-748 of 2011.

3. Glossary:

• Authorization: Previous and express consent informed by the owner to perform the processing of Personal Information.

• Claim: Request by the Owner of the data or by the people authorized or by law to correct, update or delete personal information or to revoke authorization in cases established by law.

• Clients: Natural or legal, public or private persons that the Company has commercial relation with.

• Consumer: Natural person that uses the goods and services produced by the Company.

• Database: Organized set of personal data objects of processing.

• Owner: Natural person whose Personal Information is object to processing.

• Personal data: Any information linked or that can be related to one or several natural people either determined or determinable. Some of the personal data include: full name, ID number, address, e-mail, telephone number, marital status, fingerprint, income, goods, financial status, etc.

• Person in charge of processing: Natural or legal, public or private person who processes the Personal Information , by themselves or in association, on behalf of the Responsible of Processing. In the events where the Responsible does not work as the Person in charge of the Database, the Person in charge will be expressly nominated.

• Privacy notice: Verbal or written statement provided by the Responsible, directed to the Owner for the Processing of their Personal Information, by means of which they are informed about the existence of the applicable Information Processing Policy, the way to access it and the aim of the Processing intended for the personal information.

• Processing: Any operation or set of operations about Personal Information, such as gathering, storage, usage, movement or deletion.

• Responsible for Processing: Natural or legal, public or private person, who makes decisions, by themselves or in association, about the Database and/or Data Processing.

• Sensitive data: Information affecting the privacy of the Owner or whose misuse could cause discrimination, such as the data revealing racial or ethnic origin, political orientation, religious or philosophical belief, belonging to unions, belonging to social and human rights organization or those that ensure the rights and guarantees of opposition political parties; as well as information related to health, sexual life and biometric data, among other things, the capture of still or moving pictures, fingerprints, photografies, iris, voice, face and palm recognition, etc.

• Terms and Conditions: general framework that establishes the conditions for participants of promotional activities and the like.

• Transference: The transference of data takes place when the Responsible and/or Person in charge of Processing of Personal Information, based in Colombia, sends the personal information or data to a receiver, which in turn is the Responsible for Processing and inside or outside of the country.

• Transmission:Processing of Personal Information that implies the communication of them inside or outside of the Colombian Republic territory for its processing by the Person in charge on behalf of the Responsible.

4. Rights of the owner of the information:

According to the current regulations applicable with regard to data protection, the rights of the owners of the personal information are listed below:

i. Accessing, knowing, updating and correcting personal information in the Company as it is the responsible for the processing. This right can be exercised, among other things, in case of partial, inaccurate, incomplete or fractionated data, that may mislead, or those whose processing is expressly prohibited or do not have authorization.

ii. Requesting a proof of the authorization provided to the Company for data processing, through any valid means, except for the cases that do not need authorization.

iii. Being informed by the Company, on request, regarding the use made of their personal information.

iv. Submitting to the Superintendence of Industry and Commerce, or the entity in charge, claims of infractions of the law 1581 of 2012 and other regulations that modify, add or complement it, following consultation request to the Company.

v. Canceling the authorization and/or requesting the deletion of the information when the processing does not respect the constitutional and legal principles, rights and guarantees.

vi. Free-of-charge access to the personal information that has been processed, at least once a month, and after every substantial modification of the current policy that may cause new consultations.

These rights can be exercised by the owner or their successors, following due accreditation, attorneys or representatives of the owner after an accreditation of the documents supporting this condition, or, third parties authorized by the owner for this specific purpose.

5. Duties of the Company as responsable and entity in charge of personal information processing:

The Company is aware that the Personal Information is property of the people it refers to and only they can make decisions about it. In this respect, the Company will use Personal Information gathered exclusively for the purposes it is authorized to, and with respect to the current regulation about the Protection of Personal Information, in every case.

The Company will fulfill the duties intended for the Responsibles of the Processing, under article 17 of the Act 1581 of 2012 and related rules regulate, modify or replace it.

Panda Exchange, in strict application of the Principle of Security in Personal INformation Processing, will provide the required technical, human and administrative measures in order to ensure security for the records avoiding their unauthorized or fraudulent adulteration, loss, consultation, usage or access. The duty and responsibility of the Company is limited to make the appropriate means available for this goal. The Company does not guarantee the total security of the information nor is it responsible for any consequence resulting from technical failures or unauthorized access of third parties to the Database or file where the Personal Information, object of processing by the Company and its Person in charge, is stored. The Company will require the services providers hired by it to adopt and comply with the appropriate technical, human and administrative measures for the protection of Personal Information, in relation to which such providers will be in charge.

6. Authorization and acceptance of the owner:

The Company will request a previous and express authorization of the Owners of the Personal Information on which the processing will be made.

This declaration of will from the Owner can be expressed through several means made available by the Company, such as:

• Written permission, submitting an authorization format for the Personal Information Processing specified by the Company.

• Oral authorization, through a telephone conversation or videoconference.

• Through clear behaviors that allow the conclusion that the authorization has been given, through the express acceptance of Terms and Conditions in an activity that requires the authorization of the participants for Personal Information Processing.

IMPORTANT: Under no circumstances the Company will assume that silence on the part of the Owner is a clear behavior.

• Through an electronic document, data message, Internet, websites, in any other format that ensures its further consultation, or through an ideal technical or technological device, that allows to express or obtain the acceptance by click or double click, through which it can be undoubtedly concluded that, thanks to a certain behavior by the Owner, the information is gathered and stored.

Such authorization will be electronically and physically kept.

7. Sensitive Information Processing:

In the case of sensitive personal information, the Company can use and process it when:

a. The owner has given the express authorization, except in the cases where, by law, consent is not required.

b. The processing is necessary in order to preserve the Owner’s vital interest if they are physically or juridically disabled. In such events, the legal representatives must give authorization.

c. The processing is made in the course of legitimate activities and with due guarantees from a foundation, NGO, association or any other non-profit organization, whose aim is political, philosophic, religious or trade union, as long as they only refer to their members or the people with frequent contact for the same purpose. In such events, the information will not be given to third parties without previous authorization of the owner.

d. The processing refers to necessary information for recognition, exercise or defense of a right in a court process.

e. The processing has a historical, statistical or scientific aim. In such events, measures leading to the removal of the identity of the owners must be taken.

8. Procedure for assistance in case of consultations, complaints and claims, rectification requests, updating and information removal:

The Owners of the Personal Information processed by Panda Exchange have the right to access their Personal Information and the details of such processing, as well as to correct it and to update it if the data are inaccurate or to ask for its removal when they consider that the information is excessive or unnecessary for the original purpose or if the Owners do not agree with the Processing for specific aims.

The means that have been made available in order to ensure the exercise of such rights through the submission of the correspondent request are:

• A written communication addressed to Anna Lezama, Panda Exchange COO.

• Request via email: data@panda.exchange

These contact points can be used by the owners or their successors, after having proved their condition, attorneys or representatives of the owner, previously accredited by a document, or third parties enabled by the owner for such purpose.

1. Consultations

The owners or their successors will be able to consult the personal information of the owner that lies in THE COMPANY, who will provide all the information kept in the individual record or that is linked to the identification of the Owner.

Regarding the assistance of consultation requests of personal information, THE COMPANY guarantees:

1. To establish forms, systems and other simplified methods, which must be disclosed by THE COMPANY.

2. To establish forms of communication that it considers relevant.

3. The assistance of the request should be addressed in no longer than fifteen (15) working days. In case of any change, it will be notified by THE COMPANY within that period to the interested party including the reasons for a possible delay of the answer and the date scheduled for the answer no longer than other fifteen (15) working days.

2. Complaints and claims, correction requests, updates and information removal:

In compliance with the requirements of the Article 14 of the Act 1581 of 2012, when the Owner or their successors consider that the information processed by the Company must be corrected, updated or deleted, or when it must be revoked because of the alleged failure to comply with any of the duties mandated by the Law, they will be able to submit a request in the Company, which will be processed under the following rules:

(i) The Owner or their successors must certify their identity, their representative’s identity, the representation or stipulation in favor of another or for another person. When the request is made by a person other than the Owner and they are not properly identified, it will be considered as not submitted.

(ii) The request for correction, update, removal or revoking must be submitted through the means enabled by the Company that are mentioned in this document and it must contain, at least the following information:

• The full name and home address of the Owner or any other method to receive the answer.

• The documents to certify the identity of the requester and, if necessary, of the representative with the corresponding authorization.

• The description in a clear and accurate way of the personal information on which the Owner wants to exercise some rights and the specific request.

(iii) If the request is submitted incomplete, the Company should ask the interested party within the next five (5) days from the reception to mend the fault. If the requester does not submit the necessary information two (2) months after the request date, it will be understood that the requester desisted from the submission.

(iv) In case the receiver of the request is not able to solve it, in a period no longer than two (2) working days, the situation will be informed to the requester.

(v) Once the request is received, it will be included in the Database with a label of claim in process and its reason, in a period no longer than two (2) working days. That label must be kept until its solution.

(vi) The maximum period to address the request will be fifteen (15) days from the next day of the reception. In case it is not possible to address it within such period, the requester will be informed about the reasons of the delay and the date for the claim processing, which under no circumstances can be longer than eight (8) working days after the expiration of the first term.

9. National Registry of Databases:

The Company reserves, in the events contemplated by law and for the sake of the development of its social purpose, the faculty to keep and catalog certain information lying in its databases or databanks, as confidential according to the current regulations, their statutes and rules, all of the above and in line with the fundamental and constitutional right of free business.

The Company will proceed, according to the current regulation issued by the National Government for that purpose, to register the databases in the National Registry of Databases (RNBD by its acronym in Spanish) that will be managed by the Superintendence of Industry and Commerce. The RNBD is the public directory of databases object to Processing that operate in the country; whose consultation is available for the citizens, in accordance to the regulations issued by the National Government for this purpose.

10. General Processing of Personal Information:

Panda Exchange, acting as Responsible of Personal Information Processing, for the proper development of commercial activities, as well as for the enhancement of its relationships with third parties, gathers, stores, uses, circulates, and deletes Personal Information related to natural persons with whom it is or has been related, including but not limited to workers and their relatives, stakeholders, consumers, clients, suppliers, creditors and debtors, for the following purposes:

Consumers: Natural person who consumes goods and services produced by the Company.

1. To gather, record and update databases with the purpose of informing, notifying, assisting and verifying activities as Clients or Users.

2. To systematize data for accounting purposes and business activities.

3. To inform about products and services.

4. To provide general assistance.

5. To inform suppliers based abroad about needs and profiles of products and services.

6. To gather, record and update databases with the purpose of informing, notifying, assisting and verifying activities as Supplier.

7. To systematize data for accounting purposes, invoicing activities and billing records.

8. To comply with legal obligations in charge of Panda Exchange

9. To confirm received personal information for its confirmation and comparison with public or centralized databases, and risk-prevention systems, specialized companies references and contacts.

10. To transfer information about the data to public entities. To transmit, transfer or communicate to any public authority in any of the countries where Panda Exchange works (e.g. UIAF, General Attorney of the Nation, National Police, and every administrative or legal authority in the exercise of their duties).

11. Use the data for statistics or studies related to the internal organization of Panda Exchange.

12. Use the information for work performance evaluations.

13. To publish images, personal information videos, pictures, and any other method of media playback or not, for marketing purposes, and other Panda Exchange departments.

14. To add personal information to folders and files along with the operation history of the user.

15. To share personal information with any other Panda Exchange companies, including but not limited to its parent, subsidiary, associate and subordinate companies; and/or its suppliers, whenever it is necessary in order to provide services.

16. To share the information with financial entities, entities that provide the payment means available on the platform, franchises, verification entities, networks and any other that participates in the payment processing and validation.

17. To share information with operators, agents or service providers associates or contractors of Panda Exchange. In every case, Panda Exchange will request the receiver of the information to take all the organizational measures and appropriate techniques in order to protect the Personal Information and respect the related regulations.

18. To share information with providers of services of regulatory compliance, under the terms allowed by law.

19. To share Personal Information with enterprises candidates to merge with Panda Exchange or with enterprises that aim to acquire, partially or fully, any of Panda Exchange’s companies. In any case, this Policy will rule the terms of use of information, until it is replaced or changed, depending on the situation.

20. To disclose personal information when Panda Exchange is compelled to do it in compliance with the policies of credit card managing or regulations of financial institutions that take part in the processing and validation of payments.

21. To disclose personal information, on the occasion of a legal process, litigation and/or at the request of public and government authorities inside or outside the country of residence of the User or in compliance of mandatory procedures, such as, reports intended for government entities with regard to withholdings and taxes.

22. To disclose personal information when there are enough signs to believe that the disclosure of personal information is necessary to avoid damages or financial losses for Panda Exchange or any other users of Panda Exchange services.

23. To disclose personal information when it is required to inform about any suspicions of illegal activity.

24. To use Personal Information, when Panda Exchange truly believes that doing it is necessary: (i) to comply with the applicable law; (ii) to protect all users from undesired mail or stop fraud attempts that target the users or the system; (iii) for the operation and maintenance of websites, products and services, for example, to avoid or put an end to an attack targeting Panda Exchange’s social media and/or computer systems; (iv) to protect the rights and properties of Panda Exchange; (v) to demand the compliance of the terms that rule the use of the website, products or services.

25. To use every or some Personal Data in servers placed in different countries where Panda Exchange provides its services in Latin America and where the user lives as an Owner. This processing can be performed by Panda Exchange (any of Panda Exchange Companies) or by third parties put in charge by Panda Exchange for this purpose. The mentioned transference is necessary to make possible the provision of services.

26. To use the obtained information through cookies or other technologies to analyze the pages visited by the user or visitor, the searches conducted, to improve the commercial and promotional initiatives, to display publicity or promotions, interest banners, news about Panda Exchange. Also, Panda Exchange will be able to use cookies to promote and enforce regulations and security of the website and any of the services it provides.

27. To verify the User’s identification.

28. To authenticate and validate that every interaction on the platform is not fraudulent and/or some impersonation.

29. To use the Personal Information in transactional or monitoring reports that can be used by Panda Exchange.

30. To compare information.

31. To use the Personal Information for internal aims, such as audits, reports, analysis or data mining, research for improvement of products, services and communications.

32. To personalize, measure and improve the services provided by Panda Exchange, as well as the web page and access to Panda Exchange services.

33. Information related to the user’s habits and the use of Panda Exchange services, the access to the website, User’s movements and transactions, as well as any other information related to and generated by the interaction with the platform and derived transactions, will be used for analysis from Panda Exchange and the development or improvement of products and/or services, or to offer promotions and benefits that, based on panda Exchange’s judgement will be worthwhile or relevant for the Users and will be able to improve the interaction and use of Panda Exchange and/or future developments.

34. To request the opinion or participation of Users through electronic surveys and to send notifications and commercial and publicity information from Panda Exchange, or from third parties that include promotions.

35. To organize and host promotion or marketing contests, games, offers or operations, and similar events related to Panda Exchange.

36. To back up databases, in order to protect them and guarantee the service continuity of Panda Exchange.

37. To share information with service providers or “outsourcing” companies that contribute to the improvement or enabling of the operations through Panda Exchange such as, But not limited to: payment methods, insurances or intermediaries for payment managing, call-centers, etc.

38. To advance user’s satisfaction surveys.

39. Sending information about general interest.

40. Sending commercial or promotional information.

41. Sending notifications, information about the account status, and further information related to the services portfolio of Panda Exchange through any means.

42. To bill the use of Panda Exchange services.

43. To register with the relevant authorities the data when required by law.

11. Validity:

This Personal Information Processing and Protection Policy is in effect since July 1st, 2021.

Arley Lozano Jaramillo

Legal Representative

July 2021