Objetive:
The purpose of this policy is to implement Law 1581 of 2012 and its regulatory decrees on the protection of personal data, and therefore to inform all LIGHTNING KOFFEE employees, its business partners, suppliers, customers, collaborators, contractors and, in general, any person whose Personal Data is being or is going to be subject to Treatment by it, the mechanisms and procedures implemented by LIGHTNING KOFFEE to protect the rights to privacy, intimacy and habeas data, as well as the detailed process and procedure that the Holders must follow to exercise their rights; and finally, to describe the purposes and types of Treatment to which the Personal Data to which LIGHTNING KOFFEE has access as part of its commercial activities will be subjected.
The personal data in custody of LIGHTNING KOFFEE, in its capacity as responsible and/or in charge depending on the case, will be treated in compliance with the principles and regulations provided by Colombian laws, existing national legislation and good practices applicable to the regime of personal data protection, in accordance with what is determined by the Privacy and Personal Data Protection Policy defined below.
Recipients of the policy:
LIGHTNING KOFFEE and all companies it may form a group with at some moment, that carry out activities in Colombia, even if they are domiciled in a different country, and that collect data from people for purposes related to their activities.
Contact Details:
Lightning Koffee LLC
Headquarters: Casper, United States.
Address: 312 W 2nd St Unit #A2299 Casper, WY 82601, United States
Policy:
1. Definitions: For the implementation of these policies, the meaning of following terms are given:
a) Authorization: Previous, express, and informed consent of the Data Subject to carry out the Treatment of personal data. b) Privacy Notice: Verbal or written communication generated by the responsible party, directed to the Data Subject for the processing of their personal data, through which they are informed about the existence of information processing policies that will be applicable, how to access them, and the purposes of the processing intended for the personal data. c) Database: An organized set of personal data that is subject to processing. d) Personal Data: Any information linked or that can be associated with one or more specific or identifiable natural persons. e) Public Data: Data that is not semi-private, private, or sensitive. Data relating to a person’s marital status, their profession or trade, and their status as a merchant or public servant are considered public data, among others. By their nature, public data may be contained, among other things, in public records, public documents, gazettes, and official bulletins, and duly executed judicial rulings that are not subject to reservation. f) Sensitive Data: Sensitive data are those that affect the privacy of the Data Subject or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights, or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual life, and biometric data. g) Data Processor: A natural or legal person, public or private, who alone or in association with others, carries out the processing of personal data on behalf of the Data Controller. h) Data Controller: A natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of the data. i) Data Subject: A natural person whose personal data is subject to Processing. j) Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion. k) Transfer: The transfer of data occurs when the data controller and/or data processor, located in Colombia, sends the information or personal data to a recipient, who is also a data controller and is located inside or outside the country. l) Transmission: Processing of personal data that involves the communication of the data within or outside the territory of the Republic of Colombia when it is intended for the realization of processing by the data processor on behalf of the data controller.
2-Capacities as Data Controller and Data Processor:
In the event that LIGHTNING KOFFEE has both the capacities of Data Controller and Data Processor, it must comply with the duties required for each of them, in accordance with what is established in this policy.
3-Duties of LIGHTNING KOFFEE:
a) Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data. b) Request and maintain, under the conditions provided by law and in this policy, a copy of the respective authorization granted by the Data Subject. c) Properly inform the Data Subject about the purpose of the collection and the rights that assist them by virtue of the authorization granted. d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access. e) Ensure that the information provided to the Data Processor is truthful, complete, exact, up-to-date, verifiable, and understandable. f) Update the information, timely communicating to the Data Processor, all news regarding the data that it has previously provided and adopt the other necessary measures so that the information provided to it remains updated. g) Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor. h) Provide the Data Processor, depending on the case, only data whose Processing is previously authorized in accordance with what is mentioned in this policy. i) Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information. j) Process queries and complaints made in the terms indicated in this policy. k) Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been submitted and the respective procedure has not yet finished. l) Inform the Data Subject upon request about the use given to their data. m) Inform the data protection authority when there are violations of the security codes and risks in the administration of the Data Subjects’ information. n) Comply with the instructions and requirements issued by the Colombian Superintendency of Industry and Commerce. o) In the case that LIGHTNING KOFFEE acts as the Data Processor, in addition to complying with the previously mentioned duties, it must comply with the following duties: (i) Update the information reported by the Data Controllers within five (5) business days of its receipt. (ii) Record in the database the legend “Claim in Process” in the form regulated by the Law. (iii) Insert in the database the legend “Information in Judicial Discussion” once notified by the competent authority about judicial processes related to the quality of the personal data. (iv) Refrain from circulating information that is being disputed by the Data Subject and whose blockade has been ordered by the Superintendency of Industry and Commerce. (v) Allow access to information only to people who should have access to it.
4- Data Processor:
LIGHTNING KOFFEE may subcontract third parties for the processing of certain functions or information as Data Processors. When it actually subcontracts the processing of personal information to third parties or provides personal information to third-party service providers, LIGHTNING KOFFEE warns these third parties about the need to protect such personal information with appropriate security measures, prohibits the use of information for their own purposes, and requests that personal information not be disclosed to others. The processing carried out with respect to personal data consists of its acquisition, collection, storage, use, circulation, correction, or deletion.
5- Collection of personal data:
The collection of data should be limited to those personal data that are relevant and adequate for the purpose for which they are requested.
6-Purpose of personal data collection:
LIGHTNING KOFFEE may collect data for the following purposes and this should be informed to the Data Subject: a) Execute the existing contractual relationship with its clients, suppliers, and workers, including the payment of contractual obligations and the shipping of products; b) Provide the services and/or products required by its users; c) Inform about new products and/or services, changes, or modifications in these; d) Send to physical mail, email, cell phone or mobile device, via text messages (SMS and/or MMS) or through any other similar and/or digital means of communication created or to be created, commercial, advertising or promotional information about the products and/or services, events and/or non-commercial promotions, with the aim of promoting, inviting, directing, executing, informing and generally, carrying out campaigns, promotions or contests of a commercial nature, promoted by LIGHTNING KOFFEE and/or by third parties and generally conducting promotion and marketing activities. e) Evaluate the quality of our products and/or services, as well as carry out internal statistics. f) Inform about the status of orders or requirements. g) Attend complaints and claims. h) Invite to events. i) Support internal or external audit processes. j) Register the information of employees (active and inactive) in the LIGHTNING KOFFEE databases. k) TTransmit and/or transfer personal data to third parties inside or outside the country according to the needs of LIGHTNING KOFFEE. l) Comply with its legal and statutory obligations. m) Hire staff and fulfill its legal obligations as an employer, such as personnel management, payroll payment, social benefit payment, occupational risk prevention, staff training or capacity building, among others. n) Manage its own administrative, accounting, tax, and financial affairs, which includes carrying out collection and payment management, invoicing, supplier management, customer management, investment management, reporting to tax authorities, among others. o) Transfer personal data to the competent authorities to whom they must be transferred by legal requirement or court order p) Conduct training on the company’s products or services, aimed at suppliers, clients, and/or strategic or commercial partners. q) Share information through social networks or by any other means provided by LIGHTNING KOFFEE.
Regarding the data
(i) collected directly at the reception of our facilities,
(ii) taken from the documents provided by people to security personnel and
(iii) obtained from video recordings made inside or outside LIGHTNING KOFFEE facilities, these will be used to control the Company’s operation and for security purposes of the people, goods, and facilities of LIGHTNING KOFFEE and may be used as evidence in any type of process or disciplinary procedure.
If personal data is provided, such information will be used only for the purposes indicated here, and therefore, LIGHTNING KOFFEE will not proceed to sell, license, transmit, or disclose it, unless:
(j) there is express authorization to do so;
(jj) it is necessary to allow contractors or agents to provide the commissioned services;
(jjj) it is necessary in order to provide our services and/or products;
(iv) the information is related to a merger, consolidation, acquisition, disinvestment, or other restructuring process of the company;
(v) it is required or permitted by law.
7. Authorization of the Data Subject:
Personal data can only be collected with the express authorization of the Data Subject. To this effect, at the time of data collection, the Company should do the following: a) Request the Data Subject’s authorization for the Processing of the data. b) Inform the Data Subject about: The personal data that will be collected. All the specific purposes for which the information is being obtained and their consent. About the existence of these data protection policies and how to access them. About their rights. About the claim and inquiry mechanisms.
9. Rights of the Personal Data Subject:
The Personal Data Subject has the following rights:
a) To know, update, and rectify their personal data vis-à-vis LIGHTNING KOFFEE or the Processors appointed by it.
b) To request proof of the authorization granted to LIGHTNING KOFFEE for processing, unless expressly exempted as a requirement for processing, in accordance with the law.
c) To be informed by LIGHTNING KOFFEE or by the Processor appointed by it, upon request, about the use made of their personal data.
d) To request, through a claim, the deletion of their personal data and/or revoke the authorization granted for their Processing. The request for deletion of information and the revocation of authorization will not proceed when the Data Subject has a legal or contractual duty to remain in the database, for example, when they have outstanding debts with LIGHTNING KOFFEE.
e) To access their personal data that has been processed and the treatment given to it, free of charge. f) To request, through a claim, the correction or update of their personal data.
g) To submit complaints to the Colombian Superintendency of Industry and Commerce.
10. Data Subject’s Claim Mechanisms:
The Company must inform the Data Subject and make available free and easily accessible mechanisms to consult, request data deletion, revoke the given authorization, correct or update their personal data.
11. Responsible for addressing requests, inquiries, and claims:
The Accounting department will be responsible for addressing the requests, inquiries, or claims that data subjects present to LIGHTNING KOFFEE.
12. Data Subject’s Inquiry and Claim Mechanisms:
The personal data subject may communicate via the email *email* to consult their information, submit their data deletion request, submit the revocation of the given authorization, and request the correction or update of their personal data. Through the referred service channels, LIGHTNING KOFFEE will process inquiries and claims related to Personal Data in accordance with the Law, the Manual, and this Policy. Some of the functions that the specialized service line and/or email will perform in relation to Personal Data are:
a) Receive and handle all requests from Data Subjects, process and respond to requests.
b) Respond to Data Subjects about those requests that do not proceed according to the Law.
Ensure the protection of Personal Data. Ensure the implementation of good Personal Data management practices within LIGHTNING KOFFEE, register the Databases managed by LIGHTNING KOFFEE in the National Database Register, and update this registration when necessary.
13. Inquiry Procedure:
LIGHTNING KOFFEE will respond to inquiries from Data Subjects within a maximum period of ten (10) business days. Should this not be feasible, the Data Subject will be informed about the reasons for the delay and the expected response date. The subsequent term will not exceed five (5) business days following the expiration of the initial deadline.
14. Complaint Procedure:
LIGHTNING KOFFEE will process complaints from Data Subjects as follows: a) The Data Subject must submit their complaint via email *email to be created* and provide the following information: (i) Identification of the Data Subject. (ii) A description of the facts leading to the complaint. (iii) Contact address. (iv) Any documents that substantiate their standing or those that they wish to assert. b) LIGHTNING KOFFEE will acknowledge receipt of the complaint to the Data Subject and will notify the Data Subject about the need to complete the information or complaint within five (5) business days of receiving the complaint to rectify any errors. If two (2) months pass from the date of the request without the Data Subject submitting the required information, it will be understood that they have abandoned the complaint. c) If the person receiving the complaint is not competent to resolve it, they will transfer it to the appropriate party within a maximum term of two (2) business days and will inform the interested Data Subject of the situation. d) Upon receipt of a complete complaint, the database will be updated with a note stating “complaint in process” and the reason for it within no more than two (2) business days. This note will remain until the complaint is resolved. The Data Processor will also be timely informed if necessary, so they can take the respective measures according to the law. e) The maximum period for addressing the complaint will be fifteen (15) business days counted from the day following its receipt. If it is not possible to handle the complaint within this period, the interested party will be informed of the reasons for the delay and the date when their complaint will be addressed, which in no case can exceed eight (8) business days following the expiration of the first term.
15. Individuals Legally Authorized to Submit Complaints or Inquiries:
The following individuals may submit complaints or inquiries about personal data: a) The Data Subject, who must sufficiently prove their identity through the means made available by the Responsible Party. b) The Data Subject’s heirs, who must demonstrate their heirship. c) The representative and/or attorney-in-fact of the Data Subject, after accrediting representation or power of attorney. d) By stipulation in favor of another or for another. e) Those individuals who are authorized to represent the rights of children and adolescents.
16. Sensitive Data Processing:
The Processing of sensitive data is prohibited, except in the following cases:
a) When the Data Subject has explicitly authorized this Processing, except in cases where the law does not require the granting of such authorization.
b) When the Processing is necessary to safeguard the vital interest of the Data Subject and they are physically or legally incapacitated. In these events, their legal representatives must give their authorization.
c) When the Processing pertains to data that is necessary for the recognition, exercise, or defense of a right in a judicial process.
d) When the Processing has a historical, statistical, or scientific purpose. In this case, measures must be taken to suppress the identity of the Data Subjects.
Sensitive data will only be processed when the Data Subject has given their explicit authorization to such Processing, except for the aforementioned exceptions.
17. Processing of Data for Children and/or Adolescents:
LIGHTNING KOFFEE may request information from individuals under 18 years of age, in which case, it will seek Authorization from parents or legal guardians before Processing the Personal Data of the minor. Parents or legal guardians may alter or revoke the Authorization as described in this Policy.
Sensitive Data will be Processed with reasonable diligence and security standards. Access to Sensitive Data will be limited to safeguard its privacy, and thus only authorized personnel will have access to this type of information.
The Authorization for the Processing of Sensitive Data is optional and entirely discretionary for the Data Subject, therefore the Data Subject may choose not to Authorize the Processing of their Sensitive Data.
When LIGHTNING KOFFEE carries out the Processing of Personal Data of children and/or adolescents, it will comply with the following parameters and requirements: The Processing will respond to and respect the best interests of the children and adolescents. Their fundamental rights will be respected at all times.
18. Security:
Modifications: This Policy will be in effect from its publication and may be modified from time to time by LIGHTNING KOFFEE, and will be part of the contracts that LIGHTNING KOFFEE enters into, where relevant. Any substantial modification of this Policy will be communicated in advance to the Data Subjects through efficient mechanisms, such as the LIGHTNING KOFFEE website and/or emails.
19. Modifications:
This Policy will be in effect from its publication and may be modified from time to time by LIGHTNING KOFFEE, and will be part of the contracts that LIGHTNING KOFFEE enters into, where relevant. Any substantial modification of this Policy will be communicated in advance to the Data Subjects through efficient mechanisms, such as the LIGHTNING KOFFEE website and/or emails.
20. Validity:
The company’s Personal Data Databases will be valid for the preservation period required by the applicable law, or for the time required in a particular contract, or for the period of time necessary for the respective processing according to the purpose for which the personal data were collected, provided that this period is not shorter than the period of preser v ation of in formation required b y la w or b y the applicable contract, in case the y apply.
