1. AIM

CBD VITAL STORE, in compliance with legal mandates, establishes this policy in order to guarantee the constitutional right of all persons to the protection of personal and family privacy, establishing effective instruments and controls in order to give adequate treatment to the personal information that CBD VITAL STORE has obtained in the development of its activities.

  1. SCOPE

The Personal Data Processing Policy will be applicable to any record of personal data held by CBD VITAL STORE, delivered by the data owner freely and verbally, in an original or digital document and who acknowledges that he or she has read and accepts these terms and conditions.

  1. DEFINITIONS

3.1 Authorization: prior, express and informed consent of the owner to carry out the processing of personal data.

3.2 Privacy notice: verbal or written communication generated by the controller addressed to the owner for the processing of his/her personal data, through which he/she is informed about the existence of the information processing policies that will be applicable to him/her, the way to access them and the purposes of the data processing.

3.3 Database: organized set of personal data, subject to processing.

3.4 Personal Data: any piece of information linked to one or more specific or identifiable persons or that can be associated with a natural or legal person.

3.5 Public Data: is data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the civil status of persons, their profession or occupation and their status as a merchant or public servant. By its nature, public data may be contained in, among others, public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to reservation.

3.6 Sensitive data: sensitive data is understood to be data that affects the privacy of the holder or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.

3.7 Data processor: natural or legal person, public or private, who by itself or in association with others, processes personal data on behalf of the Data Controller.

3.8 Data Protection Law: Law 1581 of 2012 and its regulatory Decrees or the regulations that modify, complement or replace them.

3.9 Habeas Data: the right of any person to know, update, delete and rectify the information that has been collected about them in the database and in the files of public and private entities.

3.10 Data controller: natural or legal person, public or private, who by itself or in association with others, decides on the database and/or data processing.

3.11 Owner: natural person whose personal data is processed.

3.12 Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

3.13 Transfer: The transfer of data takes place when the person responsible for and/or in charge of processing personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is located within or outside the country.

3.14 Transmission: processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia, with the purpose of carrying out data processing by the person in charge and on behalf of the person responsible for the personal data.

  1. INTRODUCTION

This Personal Data Processing Policy is developed in accordance with the provisions of the Political Constitution, Law 1581 of 2012, Regulatory Decree 1377 of 2013 and other complementary provisions, for its application by CBD VITAL STORE, based on the collection, storage, use, circulation, deletion and all those activities that constitute the processing of personal data related to its corporate purpose.

4.1 PRESENTATION OF THE ENTITY AND CORPORATE PURPOSE

CBD VITAL STORE is a company dedicated to the production of fine chocolates. For the production of the products, the best chocolates from the Republic of Colombia are selected. They are distinguished by the strict selection of their raw materials used, starting with cocoa, their interest in developing the aromas of chocolate and their fine manufacturing methods.

The main objective of CBD VITAL STORE is the dedication to the manufacture and marketing of chocolate products and their derivatives.

4.2 PURPOSE OF THE DATABASE

The authorization for the processing of personal data allows CBD VITAL STORE to collect, transfer, store, use, circulate, delete, share, update and transmit, for the purposes of fulfilling its corporate purpose and for the following purposes:

  • Make invitations to events and offer new products and services
  • Conduct satisfaction surveys regarding the goods and services offered by CBD VITAL STORE
  • Provide contact information to the sales force and/or distribution network, telemarketing, market research and any third party with which CBD VITAL STORE has a contractual relationship for the development of activities of this type (market research and telemarketing, etc.) for the execution of the same.
  • Contact the Owner through electronic means – SMS or chat to send news related to loyalty campaigns or service improvements.

4.3 PRINCIPLES IN DATABASE MANAGEMENT

  • PRINCIPLE OF LEGALITY: Data processing is an activity that must be subject to the provisions of the law and other provisions that develop it.
  • PURPOSE PRINCIPLE: The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Owner. Regarding the collection of personal data, the data will be limited to those that are pertinent and adequate for the purpose for which they were collected or requested.
  • PRINCIPLE OF FREEDOM: The processing may only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives consent.
  • PRINCIPLE OF TRUTHFULNESS OR QUALITY: The information subject to processing must be true, complete, accurate, up-to-date, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited.
  • PRINCIPLE OF TRANSPARENCY: The treatment must guarantee the right of the owner to obtain from the data controller or the data processor, at any time and without restrictions, information about the existence of data that concerns him/her.
  • PRINCIPLE OF RESTRICTED ACCESS AND CIRCULATION: The processing is subject to the limits arising from the nature of the personal data, the provisions of the law and the Constitution. In this regard, the processing may only be carried out by persons authorized by the owner and/or by the persons provided for by law. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or authorized third parties in accordance with the law.
  • SECURITY PRINCIPLE: The information subject to processing by CBD VITAL STORE must be handled with the technical, human, and administrative measures that are necessary to provide security to those registered, avoiding its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
  • PRINCIPLE OF CONFIDENTIALITY: CBD VITAL STORE is obliged to guarantee the confidentiality of the information, even after its relationship with any of the tasks that comprise the treatment has ended, and may only provide or communicate personal data when this corresponds to the development of the activities authorized by law.
  1. DATA PROCESSING POLICY:

5.1 POLICY STATEMENT

By implementing this policy, CBD VITAL STORE seeks to guarantee the constitutional right to protection of personal and family privacy of all citizens, defining specific instruments and controls to provide appropriate treatment to the information it collects and manages as a result of its function, in order to comply with its legal and regulatory duty.

This policy establishes the terms, conditions and purposes under which CBD VITAL STORE, as the party responsible for the collection of personal data obtained through its various service channels and the documentation required to fulfil its functions, processes the information of all persons who at any time, due to the activity they carry out, have provided personal data.

These terms and conditions apply to any registration of personal data made in person and/or virtually for the provision of goods or services to CBD VITAL STORE or for the request and obtaining of any service or product provided by CBD VITAL STORE. The data owner registers or provides his/her information freely and voluntarily and acknowledges that he/she has read and expressly accepts these terms and conditions.

5.2 RIGHTS OF THE OWNER:

The owner of the personal data will have the following rights:

  • To know, update, delete and rectify your personal data before CBD VITAL STORE every time you use or purchase the products in the store. This right may be exercised, among others, against partial, inaccurate, incomplete, fractional data, which may lead to error, or those whose processing is expressly prohibited or has not been authorized.
  • Be informed by CBD VITAL STORE, upon request, regarding the use it has given to your personal data.
  • Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add to or complement it.
  • Revoke authorization and/or request deletion of data when the Processing does not respect constitutional and legal principles, rights and guarantees.
  • Access free of charge to your personal data when it has been processed.

5.3 CBD VITAL STORE DUTIES

CBD VITAL STORE, without prejudice to the provisions provided for by law, will have the following duties:

  • Guarantee the holder, at all times, the full and effective exercise of the right to habeas data.
  • Request and keep a copy of the respective authorization granted by the owner.
  • Properly inform the owner of the purpose of the collection and the rights granted to him/her by virtue of the authorization granted.
  • Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
  • Ensure that information is truthful, complete, accurate, up-to-date, verifiable and understandable.
  • Update the information as provided by the Holder, thus taking into account any new developments regarding the Holder's data, in accordance with the Rules of the Accreditation Service.
  • Correct information when it is incorrect and communicate what is relevant.
  • Respect the security and privacy conditions of the owner's information.
  • Process queries and complaints made in accordance with the terms set out by law.
  • Inform, at the request of the owner, about the use given to their data.
  • Inform the data protection authority when security code violations occur and there are risks in the management of data subject information.
  • Comply with the requirements and instructions issued by the Superintendency of Industry and Commerce on the particular subject.
  • Use only data whose processing has been previously authorized in accordance with the provisions of Law 1581 of 2012.
  • CBD VITAL STORE will use the personal data of the owner only for those purposes for which it is duly authorized and in all cases respecting the current regulations on the protection of personal data.

5.4 STORAGE OF PERSONAL DATA:

CBD VITAL STORE requests the necessary data from the people with whom it interacts to carry out its activities and all the information required by the government for the billing and payment process. In some cases, it may request additional and sensitive information, which is freely and voluntarily provided by the data owner.

Once personal data has been provided voluntarily and freely through the different channels: physical forms, digital forms, email, request for data update via telephone, among others, they are stored in the relevant database according to the service or related activity. The databases are hosted on a restricted access computer, located in our facilities. Only authorized personnel who have signed confidentiality agreements can access it and therefore the personal data of our clients and suppliers.

5.5 PERIOD OF VALIDITY OF THE DATABASES – PRINCIPLE OF EXPIRATION:

According to the conditions agreed in the application form, there will be no place for the total or partial deletion of the data managed by CBD VITAL STORE and contained in said document while there is a relationship between the Owner and the company, and five (5) more years counted from the termination of the last contractual relationship.

Likewise, for internal staff, there will be no place for the total or partial deletion of the data managed by CBD VITAL STORE while there is a contractual link between the Owner and the company, and five (5) more years, counted from the termination of the last contractual relationship.

In the case of suppliers, there will be no place for the total or partial deletion of the data captured by CBD VITAL STORE, as long as the commercial relationship with the supplier is maintained and for up to two (2) additional years from the last transaction or purchase made by the company with said supplier.

5.6 INFORMATION SECURITY:

CBD VITAL STORE is committed to the correct use and treatment of personal data contained in its databases, avoiding unauthorized access by third parties who may know or violate, modify, disclose and/or destroy the information stored therein.

Access to the different databases is restricted, even for employees and collaborators who are not directly involved in the processing of personal data or in the management of processes related to customer service, suppliers and human resources. All employees are committed to the confidentiality and proper handling of the databases in accordance with the guidelines on the processing of information established by law.

As is public knowledge, no Internet transmission is absolutely secure nor can this be guaranteed. The client assumes the hypothetical risk that this implies, which he accepts and is aware of. It is the client's responsibility to have all security controls on his equipment or private networks for his navigation to the portals that he currently manages or that the company may use in the future.

5.7 HANDLING QUERIES, REQUESTS, COMPLAINTS AND CLAIMS:

Queries, requests and complaints made by the owners of personal data under processing, to exercise their rights to know, update, rectify and delete data, or revoke authorization must be addressed to contacto@cbdvitalstore.com.co .

The administrator will be the contact person for the owners of personal data, for all the purposes provided for in the authorization granted in this document, in accordance with the procedure established below.

5.8 MODIFICATIONS TO THE POLICY:

CBD VITAL STORE reserves the right to modify its personal data processing policies and procedures at any time, unilaterally. Any changes will be published and announced. In addition, previous versions of this personal data processing policy will be kept. The continued use of the services or failure to disassociate from them by the data subject after notification of the new guidelines constitutes acceptance of the same.

5.9 REQUESTS FROM DATA OWNERS:

5.9.1 Request to know, update, rectify or delete customer information:

The interested party will submit the application in writing, either electronically to the email address contacto@cbdvitalstore.com.co ; or by physical means, through a letter filed at the CBD VITAL STORE facilities, describing the express request to know, update, rectify or delete information under data protection, in accordance with the provisions of point 5.5 “Period of validity of the databases - Principle of expiration” of this document.

The company administration will process the request within 8 business days following the request.

Once the request has been processed, the administrator will send a communication to the applicant indicating the process carried out in accordance with the request received and the data processing policy adopted by CBD VITAL STORE.

5.9.2 Request to know, update, rectify or delete internal personnel information:

The interested party will submit the request in writing, by electronic means, to the email indicated by the administrator, describing the express request to know, update, rectify or delete the information under data protection, in accordance with the provisions of point 5.5 “Period of validity of the Databases - Principle of expiration” of this document.

The administrator will process the request within 8 business days of the request.

Once the request has been processed, the administrator will send a communication to the applicant, via email or physically, indicating the procedure carried out in accordance with the request received and with the data processing policy adopted by CBD VITAL STORE.

5.9.3 Request to know, update, rectify or delete supplier information:

The interested party will submit the request in writing, either by electronic means to the email address contacto@cbdvitalstore.com.co , describing the express request to know, update, rectify or delete information under data protection, in accordance with the provisions of point 5.5 “Period of validity of the Databases – Principle of expiration” of this document.

The administrator will process the request within 8 business days of the request.

Once the request has been processed, the administrator will send a communication to the applicant, via email or physically, indicating the procedure carried out in accordance with the request received and with the data processing policy adopted by CBD VITAL STORE.

5.9.4 Events in which the authorization of the Owner of the personal data is not necessary.

The authorization of the owner of the information will not be necessary in the following cases:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order
  • Public data
  • Cases of medical or health emergencies
  • Processing of information authorized by law for historical, statistical or scientific purposes.
  • Data related to the Civil Registry of individuals.
American Express Apple Pay Maestro Mastercard Visa Diners Club