Privacy Policy and Data Protection

¿Estas seguro que tu producto esta siendo usado correctamente por tus clientes?

Privacy Policy and Data Protection

In compliance with the provisions of Law 1581 of 2012 and National Decree 1377 of 2013, as well as the constitutional rights, freedoms, and guarantees referred to in Article 15 of the Political Constitution, and the right to information enshrined in Article 20 of the same, which dictate the general provisions for the protection of personal data, and due to its strong commitment to the protection of personal data, PARUMA S.A.S issues this policy to ensure that the personal data provided and authorized by our users, customers, applicants, employees, suppliers, shareholders, and other subjects of the community who interact with PARUMA S.A.S, hereinafter “The Users,” are stored internally with high security standards that guarantee their proper processing and custody.

1. Objective

This Policy on Personal Data Protection for Individuals and Companies (hereinafter the “Policy”) aims to regulate the collection, storage, use, circulation, and deletion of personal data in PARUMA S.A.S (hereinafter, “THE COMPANY”), providing tools to ensure the authenticity, confidentiality, and integrity of information.

2. Scope

This Policy on Personal Data Protection for Individuals and Companies applies to all databases and/or files containing personal data for individuals or companies that are subject to processing by THE COMPANY.

3. Definitions

  • Authorization: The prior, express, and informed consent of the Data Subject to process personal data.
  • Privacy Notice: Verbal or written communication generated by the data controller, addressed to the Data Subject for the processing of their personal data. It informs the Data Subject about the existence of the information processing policies applicable to them, how to access them, and the purposes of the processing of personal data.
  • Database: An organized set of personal data subject to processing.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
  • Clients: Natural or legal persons, public or private, with whom THE COMPANY has a commercial relationship.
  • Users: Natural or legal persons who use the services offered by THE COMPANY.
  • Crowdter Community or Crowdters: Natural persons who freely register in the community to participate in missions and challenges launched by THE COMPANY.
  • Personal Data: Any information linked to or that can be associated with one or more specific or identifiable natural persons. Examples of personal data include names, identity card numbers, addresses, email addresses, telephone numbers, marital status, health data, fingerprints, salaries, assets, financial status, etc.
  • Sensitive Data: Sensitive data is defined as data that affects the Data Subject’s privacy or whose improper use may lead to discrimination. This includes data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or the promotion of interests of any political party or that ensures the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
  • Public Data: Data that the law or the Constitution determines as such, as well as all data that is not semi-private or private.
  • Private Data: Data that, due to its intimate or confidential nature, is only relevant to the data subject.
  • Semi-Private Data: Data that is not intimate, confidential, or public by nature and whose knowledge or disclosure may be of interest not only to the data subject but also to a certain sector or group of people.
  • Data Subject: Natural person whose personal data is subject to processing.
  • Data Processor: Natural or legal person, public or private, that, either alone or in association with others, processes personal data on behalf of the data controller. In cases where the data controller does not act as the Database Manager, it will be explicitly identified who the Data Processor is.
  • Data Controller: Natural or legal person, public or private, who, either alone or in association with others, makes decisions regarding the database and/or data processing.
  • Claim: A request from the data subject or persons authorized by them or by law to correct, update, or delete their personal data or to revoke the authorization in cases established by law.
  • Transfer: Data transfer occurs when the data controller and/or data processor, located in Colombia, sends information or personal data to a recipient, who, in turn, is the data controller for processing and is located within or outside the country.
  • Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia for the purpose of data processing by the Processor on behalf of the Controller.

4. Rights of Data Subjects

Data Subjects have the following rights:

a) To know, update, and rectify their personal data in relation to the Data Controllers or Data Processors. This right can be exercised, among other things, against partial, inaccurate, incomplete, misleading, or data whose processing is expressly prohibited or not authorized.

b) To request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of this law.

c) To be informed by the Data Controller or Data Processor, upon request, regarding the use that has been made of their personal data.

d) To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add, or complement it.

e)  To revoke the authorization and/or request the deletion of data when the principles, constitutional and legal rights, and guarantees are not respected in the processing. Revocation and/or deletion shall proceed when the Superintendency of Industry and Commerce has determined that the Data Controller or Processor has engaged in conduct contrary to this law and the Constitution.

f) To access their personal data that have been processed by the following persons.

  • By the Data Subject;
  • By their successors, who must prove such status;
  • By the representative and/or attorney-in-fact of the Data Subject, subject to proof of their representation or authorization;
  • By stipulation in favor of another or for another.

5. Processing and Purposes of the Data Processed by the Company

5.1. General Purposes for the Processing of Personal Data:
  • Allow Data Subjects to participate in marketing and promotional activities (including participation in contests, raffles, and giveaways) carried out by THE COMPANY.
  • Allow members of the Crowdter community to participate in missions and challenges organized by THE COMPANY.
  • Evaluate service quality, conduct market studies on consumption habits, statistical analysis, and other activities to understand our users for improving services and processes and for internal purposes.
  • Control access to THE COMPANY’s platforms.
  • Control access to THE COMPANY’s workplaces and establish security measures, including the establishment of video-surveillance areas.
  • Respond to inquiries, comments, requests, complaints, and claims made by Data Subjects and control access to other authorities that, under applicable law, should receive personal data.
  • Potentially contact, by email or other means, individuals with whom THE COMPANY has or has had a relationship, including but not limited to members of the Crowdter community, workers, and their families, shareholders, users, customers, distributors, suppliers, creditors, and debtors, for the aforementioned purposes.
  • Transfer collected information to different areas of THE COMPANY.
  • For the attention of judicial or administrative requirements and compliance with judicial or legal mandates.
  • Register personal data in THE COMPANY’s information systems and in its commercial and operational databases.
  • Any other activity of a similar nature to those described above that is necessary to carry out THE COMPANY’s corporate purpose.
5.2. Regarding the personal data of our Clients and Users:
  • o fulfill the obligations contracted by THE COMPANY with its Clients.
  • Send information about changes in services or conditions.
  • Send information about offers related to the products or services offered by THE COMPANY or its related companies.
  • Facilitate communication between THE COMPANY’s Clients and Users.
  • To strengthen relations with Users and Clients by sending relevant information, taking orders, and evaluating the quality of the service.
  • To determine pending obligations, consult financial information and credit history, and report to credit information bureaus for unpaid obligations concerning debtors.
  • To improve, promote, and develop products of THE COMPANY and its related companies worldwide.
  • Allow companies related to THE COMPANY, with whom it has contracts that include provisions to ensure the security and proper processing of personal data, to contact the Data Subject to offer goods or services of interest.
  • Use various services through THE COMPANY’s websites, mobile applications, or other tools, including downloading content and formats.
5.3. Regarding Supplier Data:
  • To invite them to participate in selection processes and events organized or sponsored by THE COMPANY.
  • To evaluate compliance with their obligations.
  • To record them in THE COMPANY’s systems.
  • To process payments and verify outstanding balances.

6. Principles Applicable to the Processing of Personal Data

For the processing of Personal Data, THE COMPANY will apply the following principles, which constitute the rules to be followed in the collection, handling, use, processing, storage, and exchange of personal data:

  • Legality: The processing of personal data will be carried out in accordance with applicable legal provisions (Statutory Law 1581 of 2012 and its regulatory decrees).
  • Purpose: Processing must be for a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
  • Freedom: The collection of Personal Data may only be exercised with the prior, express, and informed consent of the Data Subject.
  • Veracity or Quality: Information subject to the processing of Personal Data must be truthful, complete, accurate, up-to-date, verifiable, and understandable.
  • Transparency: In the processing of Personal Data, the Data Subject’s right to obtain information about the existence of data concerning them at any time and without restrictions is guaranteed.
  • Access and Restricted Circulation: The processing of personal data may only be carried out by persons authorized by the Data Subject and/or persons provided for by law.
  • Security: Personal data subject to processing must be managed with the technical, human, and administrative measures necessary to provide security for records, preventing their alteration, loss, consultation, use, or unauthorized or fraudulent access.
  • Confidentiality: All employees working for THE COMPANY and members of the Crowdter community are obligated to maintain confidentiality regarding personal information and that of our customers to which they have access in the course of their work at THE COMPANY and/or in missions and challenges in which they participate.

7. Duties of the Company as the Data Controller

THE COMPANY is aware that Personal Data is the property of the individuals to whom it refers, and only they can decide on the same. In this sense, THE COMPANY will use the Personal Data collected only for the purposes for which it is duly authorized and, in any case, respecting the current regulations on the Protection of Personal Data.

8. Authorization

THE COMPANY will request prior, express, and informed authorization from Data Subjects regarding the Personal Data on which it needs to carry out Processing.

This expression of will by the Data Subject can be given through different mechanisms made available by THE COMPANY, such as:

  • Acceptance on THE COMPANY’s platforms.
  • In writing, by completing a data processing authorization form determined by THE COMPANY.
  • Verbally, through a phone conversation or video conference.
  • Through unequivocal conduct indicating that they have granted their authorization, by expressly accepting the Terms and Conditions of an activity within which the participants’ authorization for the Processing of their Personal Data is required.

Important: In no case will THE COMPANY equate the Data Subject’s silence to unequivocal conduct.

9. Special Provisions for the Processing of Personal Data

9.1. Processing of Sensitive Data:

The processing of sensitive personal data is prohibited by law, unless it is carried out with the explicit, prior, and informed consent of the Data Subject, among other exceptions established in Article 6 of Law 1581 of 2012.

In this case, in addition to complying with the requirements for authorization, THE COMPANY will inform the Data Subject:

  • That, as sensitive data, they are not obligated to authorize their Processing.
  • Which of the data will be processed is sensitive and the purpose of the processing.

Additionally, THE COMPANY will process sensitive data collected under security and confidentiality standards appropriate to their nature. To this end, THE COMPANY has implemented administrative, technical, and legal measures described in this policy that are mandatory for its employees and Crowdter community and, where applicable, its suppliers, affiliated companies, and business partners.

9.2. Processing of Personal Data of Children and Adolescents:

In accordance with Article 7 of Law 1581 of 2012 and Article 12 of Decree 1377 of 2013, THE COMPANY will only process the personal data of children, adolescents when such processing is in line with and respects the best interests of children and adolescents and ensures the respect of their fundamental rights.

10. Procedure for Handling and Responding to Requests, Queries, Complaints, and Claims from Data Subjects

Data Subjects whose Personal Data is processed by THE COMPANY have the right to access their Personal Data and the details of such processing, as well as to rectify and update them if they are inaccurate or to request their deletion when they consider them to be excessive or unnecessary for the purposes that justified their collection or to object to the processing for specific purposes.

The avenues that have been implemented to ensure the exercise of these rights through the submission of the respective request are as follows:

  • Communication addressed to PARUMA S.A.S using the means established on THE COMPANY’s platforms: Contact Us Form, email:,, and messages via the WhatsApp option published on each platform.
  • Requests submitted through the contact phone number established on THE COMPANY’s platforms.

Requests, queries, complaints, and claims will be processed by THE COMPANY within 15 business days.

These channels can be used by Data Subjects, or by third parties authorized by law to act on their behalf, in order to exercise the following rights:

10.1. Procedure for Making Requests and Queries:
  • The Data Subject may query their personal data at any time. To do so, they may submit a request specifying the information they wish to know, through any of the aforementioned mechanisms.
  • The Data Subject or their successors must prove their identity, that of their representative, representation, or stipulation for another or for someone else. When the request is made by a person other than the Data Subject and it is not proven that they are acting on behalf of the Data Subject, the request will be considered not filed.
  • The query and/or request must contain at least the name and contact address of the Data Subject or any other means to receive a response, as well as a clear and precise description of the personal data about which the Data Subject seeks to exercise the right of query and/or request.
10.2. Procedure for Making Complaints and Claims:

In accordance with Article 14 of Law 1581 of 2012, when the Data Subject or their successors believe that the information processed by THE COMPANY should be subject to correction, updating, or deletion, or should be revoked due to alleged non-compliance with any of the duties set out in the Law, they may submit a request to THE COMPANY, which will be processed according to the following rules:

(i) The Data Subject or their successors must prove their identity, that of their representative, representation, or stipulation for another or for someone else. When the request is made by a person other than the Data Subject and it is not proven that they are acting on behalf of the Data Subject, the request will be considered not filed.

(ii) The request for rectification, updating, deletion, or revocation must be made through the means provided by THE COMPANY as indicated in this document and must contain at least the following information:

  • The name, email address, and home address of the Data Subject, or any other means to receive a response.
  • The documents that prove the identity of the applicant and, if applicable, that of their representative with the respective authorization.
  • A clear and precise description of the personal data about which the Data Subject seeks to exercise any of the rights and the specific request.

(iii) Members of the Crowdters community can autonomously and directly update, rectify, or delete their data or unsubscribe through the means enabled on the community platform.

11. Information Obtained Passively

When services contained within THE COMPANY’s platforms are used, information is obtained passively through information management technologies, such as “cookies,” through which information about the hardware and software of the equipment, IP address, browser type, operating system, domain name, access time, and the addresses of the originating websites is captured. However, directly Personal Data of users is not collected through the use of these tools. Information about the pages the person most frequently visits on these websites to understand their browsing habits will also be collected. However, users of THE COMPANY’s websites have the option to configure the operation of “cookies” in accordance with the settings of their internet browser.

12. Security of Personal Data

In strict application of the Principle of Security in the Processing of Personal Data, THE COMPANY will provide the technical, human, and administrative measures necessary to provide security for records, preventing their alteration, loss, consultation, use, or unauthorized or fraudulent access. THE obligation and responsibility of THE COMPANY are limited to providing adequate means for this purpose. THE COMPANY does not guarantee the total security of your information or accept responsibility for any consequences resulting from technical failures or improper access by third parties to the Database or file containing the Personal Data subject to processing by THE COMPANY and its Processors. THE COMPANY will require service providers to adopt and comply with the appropriate technical, human, and administrative measures to protect Personal Data in connection with which such providers act as Processors.

13. Transfer, Transmission, and Disclosure of Personal Data

THE COMPANY may provide Personal Data to third parties not affiliated with THE COMPANY when:

  • They are contractors executing contracts for the development of THE COMPANY’s activities.
  • By transfer for any business line related to the information.

In any case, when THE COMPANY wishes to send or transmit data to one or more Processors located inside or outside the territory of the Republic of Colombia, it will establish contractual clauses or conclude a Personal Data transmission agreement in which, among other things, the following will be agreed:

(i) The scope and purposes of the processing.

(ii) The activities the Processor will perform on behalf of THE COMPANY.

(iii) The obligations that the Processor must fulfill regarding the Data Subject and THE COMPANY.

(iv) The duty of the Processor to process the data in accordance with the authorized purpose and observing the principles established in Colombian law and this policy.

(v) The obligation of the Processor to adequately protect personal data and databases, as well as to maintain confidentiality regarding the processing of the transmitted data.

THE COMPANY will not request authorization when the international transfer of data is covered by one of the exceptions provided for in the Law and its Regulatory Decrees.

14. Applicable Legislation

This Personal Data Protection Policy, the Privacy Notice, and the Authorization Format Annex, which are part of this Policy, are governed by the provisions of the current legislation on the protection of Personal Data referred to in Article 15 of the Political Constitution of Colombia, Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013, Decree 1727 of 2009, and other regulations that amend, repeal, or replace them.

15. Validity

This Personal Data Protection Policy has been in effect since August 1, 2017.

Start improving your projects




Paruma contact

Success Story

Discover our success stories.

Validación de ID menores

Validation of minor IDs – Daviplata

Paruma’s work involved gathering parents or guardians of minors aged 14 to 17 interested in opening Daviplata accounts for their children. The research was conducted in multiple phases, from beta testing to the production of the application.

Scroll to Top
Abrir chat
Hola 👋
¿En qué podemos ayudarte?