PRIVACY POLICY FOR CUSTOMERS, PARTNERS, AND USERS

 

This Privacy Policy (hereinafter the «Policy») of the company FINTURU LLC (hereinafter Finturu), will be applied to all databases and/or files that include personal data that are subject to processing by FINTURU as Responsible and Responsible for the processing of personal data,  accordance with current regulations for the processing of personal information of customers, partners, suppliers, contractors, users, employees, shareholders, visitors and the general public (the «Stakeholders»). 

Likewise, it is intended to make known the rights of the holders of personal data and the necessary channels for them to exercise their rights, among which are: the rights of access, rectification, updating, cancellation and opposition of personal information whose treatment is exercised by Finturu, through consultations or claims.

I. FINTURU AS DATA CONTROLLER

1. RIGHTS OF THE HOLDERS OF PERSONAL DATA

In compliance with the fundamental guarantees enshrined in the Constitution and the law, and without prejudice to the provisions of the other rules governing the matter, the Owners of personal data shall have the following rights, without limitation:

1. Right of access to your personal information subject to processing.
2. Right to update personal data subject to processing.
3. Right to rectification of personal data subject to processing. 
4. Right to object to personal data being processed
5. The right to request the deletion of personal data when the processing does not respect the principles, rights and constitutional and legal guarantees.
6. The right to request proof of the authorization given for the treatment. 
7. Right to revoke consent to the processing of personal data.
8. Right to file complaints and claims. 
9. Right to require compliance with orders by administrative and judicial authorities.
10. The right to be informed by the Responsible and/or Charged of the use and treatment that will be given to the personal data, as well as of the modifications and updates of the protection policies, security measures and purposes. 

Finturu guarantees the security and confidentiality of the information when it is subject to treatment and the guiding principles of the applicable Policies. 

2. FINTURU’S DUTIES FOR INFORMATION PROCESSING 

In accordance with the Regulatory Framework, the legal norms that regulate its legal relations with the Holders, and especially, the specific obligations it assumes towards the Holders, Finturu has as a general duty in the Processing of Protected Information to respect and guarantee at all times the rights of the Holders, guaranteeing, when applicable and according to the nature of the information used, the confidentiality, reserve, security and integrity of this.

Special duties of Finturu, when acting as Controller of Personal Data and Credit Personal Data, are, among others, the following:

1. Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data.
2. Request and keep a copy of the respective authorization granted by the Data Subject, in the case of Personal Data.
3. Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
4. Inform at the request of the holder about the use given to their personal data by the company.
5. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
6. Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable.
7. Update the information. Rectify information when it is incorrect.
8. Respect for the security and privacy conditions of the Holder’s information.
9. To process the queries and claims formulated, under the terms of this policy.
10. Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Holders.

Finturu will not collect, store or process sensitive data, unless strictly necessary. 

3. PURPOSES OF DATA PROCESSING

• Purpose of processing the personal data of Allies, prospects, Users and Customers.

The collection, storage, use and/or circulation of personal data of allies, prospects, users and/or clients of Finturu, has as its main purpose the provision of the services offered and/or contracted.

Likewise, in order to develop the corporate purpose of the company, the processing of the data will be focused on the following purposes: 

1. Sort, catalog, classify, divide or separate and store personal data within Finturu’s systems and files
2. Use of personal data to be applied through digital devices for the recognition and identification of personal characteristics.
3. Development of the commercial relationship between the Data Subject, the partner, the user, the client and Finturu.
4. Provide information about the products and/or services offered by Finturu.
5. Provide the necessary information, through the website, applications, whatsapp or commercial channels about the products or services offered through Finturu.
6. For the provision of services offered by the company, channeling the needs of products and services.
7. Follow up customers, according to the particular needs of the user, in order to offer an alternative access to the products and services offered.
8. Send information about offers, news, news, newsletters, forums, events, advertising or marketing, sales. Making use of means such as email, calls, PUSH notifications, text messages (SMS), offers of products and / or services found through the commercial channels of the company. 
9. To keep a historical record of the information, with the purpose of customer satisfaction for the offering of different products and services, or the renewal of those acquired. 
10. Carry out marketing strategies by studying user behavior in relation to offers, sending promotions, activities of interest about the industry, invitations to company events, sending periodic campaigns about products and services.
11. Development of commercial prospecting and market segmentation.
12. Conduct satisfaction and offer surveys to qualify the service and attention through the channels provided for this purpose. 
13. Carry out the necessary activities to manage requests, complaints and claims from users and direct them to the areas responsible for issuing the corresponding responses.
14. Submit reports to the inspection, surveillance and control authorities, and process the requirements made by administrative or judicial entities.
15. Administrative, commercial and advertising uses that are established in the agreements signed with the clients.
16. Accounting, economic, fiscal and administrative management of clients.
17. Transfer or transmission of data nationally or internationally to suppliers or companies with which Finturu develops activities in compliance with its corporate purpose. Likewise, transfer may be made to strategic allies of the company to carry out marketing, advertising and promotional activities associated with the corporate purpose; all in accordance with the provisions of the regulations. 
18. Request collection authorization from the entities defined and authorized to do so.

In the event that other types of purposes are used in the processing of personal data, the prior, express and informed authorization of the Data Subject will be requested. 

• Purpose of the processing of employee and candidate data

Before starting the employment relationship, Finturu will inform workers and candidates in the selection processes the purposes of the treatment that will be given to the personal data they provide in this process, and will be responsible for requesting the corresponding authorization for processing, which will be limited to:

1. Classifying, storing and archiving the personal data of the candidates of the selection processes.
2. Verify and obtain background information and references from natural or legal persons, former employers provided by the candidates in resumes, forms, among others. 
3. Deliver or transmit the information to third parties in charge of the selection processes.
4. Verify, compare and evaluate the work and personal competencies of prospects against the selection criteria.
5. Comply with the legal duties to which the company is bound.  
6. I send job offers.
7. Perform maintenance, development and/or control of the employment relationship between the Data Subject.
8. To advance processes within the company, for operational development and/or systems administration purposes.
9. Perform economic, accounting, tax and administrative management records, for the management of collections and payments, invoicing and compliance with financial obligations. 
10. Perform tax returns or management of tax information and collection.
11. Contact of a guardian in case of emergency.
12. Perform human resources management in matters related to training, temporary employment, social benefits, occupational risk prevention, employment promotion and management, personnel selection, time control and, in general, payroll-related matters.
13. Manage labor social benefits, pensions, subsidies and other economic benefits.
14. Process the preparation of certifications related to your status as an employee, such as income and withholding certificates, labor certificates, etc.
15. Security and access control to the company’s offices
16. Inform clients about the work team and personnel involved in the provision of services.
17. To report to the inspection, surveillance and control authorities. 
18. Process responses to requests from administrative or judicial entities.
19. All other administrative, commercial and labor uses that are established in the contracts or that derive from their work activity.
20. Transfer or transmission of data nationally or internationally if appropriate, for purposes related to the operation of Finturu or related companies, in accordance with the provisions of law and always ensuring compliance with the requirements established in the regulations.

In the event that other types of purposes are used in the processing of personal data, the prior, express and informed authorization of the Data Subject will be requested. 

• Purpose of the processing of personal data of allies and third parties

The collection and processing of personal data of suppliers will be done with the main purpose of contacting and contracting the products or services that Finturu requires for the functioning of its operation and in the scope of specific contracts, prioritizing in each case, likewise will have the following purposes:

1. Company linkage.
2. Coordinate the information of the products or services to be offered.
3. Request or perform consulting, auditing, advisory or related services with suppliers.
4. Coordinate the delivery of products or services 
5. To know and deliver to the users or Clients the information of the services or products.
6. Comply with the company’s internal processes for supplier and contractor management.
7. To advance processes within the company, for operational development and/or systems administration purposes.
8. Perform tax returns or management of tax information and collection.
9. Maintain a record of supplier information. 
10. Make reports to the inspection, surveillance and control authorities and/or respond to the requirements of administrative entities.
11. To make collection and payment arrangements. 
12. Check in and check out of the facilities. 
13. Verify the information provided by suppliers to control and prevent fraud.
14. Manage administrative procedures to develop any activity in compliance with the contracted object. 
15. Transfer or transmission of data nationally or internationally if appropriate, for purposes related to the operation of Finturu or related companies, in accordance with the provisions of law and always ensuring compliance with the requirements established in the regulations.
16. All other administrative and commercial uses established in the contracts or deriving from its activity.

For other purposes or treatment, prior, express and informed authorization will be requested from the Data Subject.  

• Purpose of the processing of personal data of members or shareholders

The collection and processing of personal data of Finturu’s partners will be of a private nature and will be carried out in order to allow the exercise of rights and duties related to such condition, as well as to carry out the following purposes:

1. To perform the economic, accounting, fiscal and administrative management record.
2. To issue certifications related to the ownership of shares, as well as the issuance of share certificates and any others necessary for the proper development of the corporate purpose, with prior authorization of the same.
3. To carry out processes within the company, with the purpose of operational development and/or operation of the company.
4. To carry out any other purpose necessary for the development of the rights and duties inherent in their capacity as shareholders.
5. Transfer or transmission of data nationally or internationally, if applicable, for purposes related to the operation and search for financing of Finturu or related companies, in accordance with the provisions of law and always ensuring compliance with the requirements established in the regulations.

4. TRANSFER AND TRANSMISSION OF PERSONAL DATA 

FINTURU may also share data within or outside the country with: 

1. Their parent, affiliated or subsidiary companies: for purposes of centralized information storage and for statistical and historical customer record purposes; for possible fraud or impersonation investigations, criminal activities and for conducting research and testing of our products and services (current or future);  
2. Authorities, agencies or governmental entities: for compliance with obligations under applicable law and/or in compliance with requirements made by them; as the case may be; 
3. FINTURU’s allies that require access to information, in order to adequately provide their products or services.  
4. Unrelated third parties (service providers in their capacity as data processors or also known as FINTURU’s data processors), with the exclusive purpose of assisting FINTURU in the provision of its services.
5. Third parties with whom it has an operational relationship that provide services necessary for its proper operation, or in accordance with the functions established by law. In such cases, the necessary measures will be adopted so that the persons who have access to your personal data comply with this Policy and with the principles of personal data protection and obligations established in the Law. 
6. Unrelated third parties (including supervised financial institutions) and competent authorities, in order to investigate or prevent possible cases of fraud, impersonation or possible criminal conduct. 

NOTE: In the case of domestic transmissions or transfers of personal data, Finturu will ensure compliance with the requirements of applicable data protection legislation and protection measures by the processor or new data controller, as the case may be.

In the case of an international transfer, it must be ensured that the country receiving the personal data provides adequate levels of protection, in the manner established by the Control Authority. When the receiving country does not comply with adequate standards of data protection, the transmission or transfer will be prohibited unless the Data Subject has given express and unequivocal authorization for the transfer or transmission of data.

5. AUTHORIZATION AND CONSENT OF THE HOLDER

The consent and authorization by the data subject is a requirement established by the regulations, which must be granted to the persons responsible for the processing of personal data. Consent for the use of data must be prior, express and informed. That is to say, the Data Subject must authorize in advance in a clear and specific manner the processing of the data, understanding the effects that may derive from it.

People who want to make use of any of the services offered by the company, or its platforms, must register and authorize the processing of personal data to make use of them. Therefore, within the channels of attention will be informed about the policy and the scope of the same will be available on the website of Finturu, which must be accepted at the time of making the request for a service or that at the time of use of the service the Ally must have the user’s authorization. 

6. PROCEDURE FOR INQUIRIES, PETITIONS, COMPLAINTS AND CLAIMS

Inquiries, requests, complaints or claims to exercise their rights of «Habeas Data», the Data Subject may submit it digitally to the email privacy@finturu.com . The terms for the response to petitions and queries will be those established by law for such purpose.

The applicant must provide all the necessary information to advance the respective analysis of the situation, establishing a clear description of the facts or of the request, information of the applicant, identification, form of notification, when acting on behalf of a third party, as well as the documentation that supports such capacity, among others.

The Holder, without prejudice to the foregoing, and/or in the event that his request or claim has not been answered, may resort to the competent authorities to enforce his rights as a consumer.

II. FINTURU AS INFORMATION OFFICER

The Services, including messaging, personalized campaigns, follow-up of the Ally’s clients, for the purposes of which it is necessary to collect and process personal information, therefore, when FINTURU acts as the data processor of the Ally, all its staff is obliged to:

1. Use the personal data to be processed only for the purpose of this order. In no case may they use the data for their own purposes, compatible or different from the aforementioned purpose.
2. Treat the data only in accordance with the instructions of the data controller. If FINTURU in its role as data processor considers that any of the instructions infringes the national or international regulations in force regarding data protection, it will immediately inform the data controller for the corresponding purposes.
3. To keep a record, through its platform, of the processing activities carried out on behalf of the controller within the framework of the Terms and Conditions Agreement.
4. Not to communicate the data to third parties, except with the express authorization of the Client, in the legally admissible cases.
5. FINTURU may subcontract data processing to other companies, as long as the subcontractor is obliged to comply with the obligations established in this document for the data processor and the instructions issued by the controller. It is up to the initial processor (FINTURU) to regulate the new relationship, so that the sub-processor is subject to the same conditions (e.g. instructions, obligations, security measures) and with the same formal requirements as him/her, regarding the proper processing of personal data and the guarantee of the rights of the data subjects.
6. Maintain the duty of confidentiality with respect to the personal data to which it has had access by virtue of this assignment, even after the end of its object.
7. Ensure that persons authorized to process personal data undertake to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
8. To keep at the disposal of the person in charge the documentation that proves compliance with the obligation established in the previous section.
9. Ensure the necessary training in personal data protection for persons authorized to process personal data.
10. Assist the data controller in responding to the exercise of the rights of access, updating, rectification, inclusion, deletion and challenge of personal valuations. If a data owner exercises the aforementioned rights before FINTURU, FINTURU will inform the Ally at the e-mail address indicated for such purpose. In no case shall FINTURU process or respond to such requests.
11. FINTURU will notify the Ally (data controller) immediately through the indicated e-mail address of all personal data security breaches of which it becomes aware, together with all relevant information for the documentation and communication of the incident, if available.
    If available, the following information, as a minimum, shall be provided:
    (a) description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected. (b) name and contact details of the data protection officer or other point of contact from whom further information may be obtained. c) a description of the possible consequences of the personal data breach. d) a description of the measures taken or proposed to be taken to remedy the personal data breach, including, if applicable, measures taken to mitigate the possible adverse effects.
    If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided in a phased manner without undue delay.
12. Provide support to the data controller in the performance of data protection impact assessments, where appropriate and without involving additional work or tasks for FINTURU.
13. Make available to the person in charge all information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the person in charge or another auditor authorized by the person in charge.
14. Implement security measures aimed at: a) guaranteeing the confidentiality, integrity, availability and permanent resilience of the processing systems and services, b) restoring the availability and access to personal data quickly in the event of a physical or technical incident, c) verifying, evaluating and assessing, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
15. Designate a Data Protection Officer (DPO), according to the legislation in force and communicate his/her identity and contact details to the Partner. Data Protection Officer (DPO): FINTURU Data Protection Department Contact:  privacy@finturu.com

DESTINATION OF THE DATA

FINTURU undertakes to return to the PARTNER the personal data and, if applicable, the media on which they are stored, once the service has been rendered. The return must entail the total deletion of the existing data on the computer equipment used by the person in charge. However, FINTURU may keep a copy of the personal data processed, as long as responsibilities may arise from the performance of the service, in accordance with the legal requirements.

OBLIGATIONS OF THE PARTNER (DATA CONTROLLER)

It is the responsibility of the data controller:

1. To have the authorization of the owners of the information to be able to treat it as the person in charge of it.
2. Allow the person in charge to have access to the information necessary to fulfill the contracted treatment.
3. Ensure, prior to and throughout the processing, that the processor complies with the applicable regulations on the protection of personal data.
4. Report, notify and remedy security breaches and incidents. The Ally (data controller) will notify FINTURU (data processor) immediately via email at privacy@finturu.com of all personal data security breaches of which it becomes aware, together with all relevant information for the documentation and communication of the incident, if available.
   If available, the following information, at a minimum, shall be provided:
   (a) description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
   b) name and contact details of the data protection officer or other point of contact from whom further information may be obtained.
   c) description of the possible consequences of the personal data breach.
   d) a description of the measures taken or proposed to be taken to remedy the personal data breach, including, where appropriate, measures taken to mitigate the possible negative effects.
   If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided in a phased manner without undue delay.
5. Comply with requests related to the exercise of the rights of access, rectification, updating, inclusion or deletion of the personal data processed and challenge of personal assessments. Compliance on the part of the Ally shall not generate additional tasks or costs for FINTURU, unless specifically agreed upon.
6. Oversee treatment, including conducting inspections and audits.
7. Designate a Data Protection Officer (DPO) according to current regulations and communicate his/her identity and contact details to the person in charge. Data Protection Officer (DPO): FINTURU Data Protection Department Contact: privacy@finturu.com

INTERNATIONAL TRANSFER OF DATA

In case of international transfer of data, servers located in the United States of America or in European Union countries considered to have adequate standards for data protection will be used to the extent possible. FINTURU will provide reasonable support to enable compliance by Ally with the requirements imposed for the transfer of personal data to third countries with respect to data subjects located in the EEA, Switzerland and the United Kingdom.

VALIDITY OF THE POLICY

This is a Board Policy and was most recently revised on February 28, 2025.

REVISION HISTORY

Date: 2025-02-28

Reviewed/Approved by: Board of Directors

Global policy update