Last Updated: 05/09/2025

THE COMPANY KODIAK SERVICES INT'L INC identified with Nit.900613669-2, with its main address in the city of Bogota, Calle 124 # 7 - 35 Office 502, telephone PBX 5801522, hereinafter referred to as the company, by virtue of its status as responsible for the processing of personal data obtained within the framework of its mission, is committed to the protection and treatment of the same, in order to ensure the protection of the fundamental rights of its owners, in compliance with current legislation and its strategic direction, will direct all its efforts to safeguard the constitutional guarantees enshrined in the Colombian Constitution, concerning the right of all persons to their family and personal privacy, as well as the possibility of knowing, updating and rectifying the information that has been collected about them in the various databases of public and private entities; therefore, has established this policy which is based on the following principles:

• LEGALITY: Data processing is a regulated activity that must be subject to the provisions of the law and other provisions that develop it.
• PURPOSE: The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the owner. Regarding the collection of personal data, the company will limit itself to those data that are pertinent and adequate only for the purpose of processing.
• LIBERTY: The treatment can only be exercised with the prior, express, and informed consent of the holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent.
• TRUTH OR QUALITY: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited.
• TRANSPARENCY: In the processing, the holder's right to obtain from the data controller or data processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed.
• ACCESS AND RESTRICTED CIRCULATION: The processing is subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the processing may only be carried out by people authorized by the owner and/or by the persons provided for by law. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or third parties authorized by law.
• SECURITY: The information subject to treatment will be handled with the technical, human and administrative measures necessary to provide security to the records, avoiding its adulteration, loss, consultation, use or unauthorized or fraudulent access.
• CONFIDENTIALITY: The company will ensure the confidentiality of the information, even after the end of its relationship with any of the tasks that comprise the treatment, only allowing the provision or communication of personal data when it corresponds to the development of the activities authorized by law.

The company will guarantee that the collection, use, storage, circulation, transmission, transfer, updating, deletion and/or any other type of processing of personal data will be carried out in a consensual manner and have the sole purpose of:

1. In compliance with regulations applicable to the handling of supplier information including, but not limited to tax, accounting and commercial.
2. The development of the processes of customer management related to procedures, inquiries, complaints and claims.
3. Execution of contracts signed with any third party
4. Sending information, communication and others related to the development of the contracted commercial relationship.
5. Manage and databases.
6. To execute everything related to the contractual relationship, processes of affiliation, payment of payroll, settlement of social security contributions, payment of parafiscal, communication, security, training, statistics, social welfare and all information and activities in which employees and their families are related or linked.
7. To carry out all the steps and/or internal procedures of the company to carry out the selection processes.
8. In response to fiscal, legal or commercial control agencies that require information contained in the company's database.
9. In compliance with administrative, judicial or legal mandates.
10. To correspond to legal violations.
11. For the issuance of certifications related to the relationship of the owner of the data with the company.
12. In order to safeguard and guarantee the security of people, goods and physical facilities.
13. In access control to the buildings.
14. Any other purpose resulting from the development of the contract or the relationship between the holder and the company.
15. For the development of administrative processes of its missionary activity, therefore, when required, may contract for services to be provided by third parties, in these cases the information will be transferred with the necessary security measures to safeguard the privacy of the owner and the proper provision of the service, and compliance with other legal and constitutional duties.

On the other hand, the company recognizes that the owner of the data can make use of its legal power to:

1. Know at any time, the information that about his person is deposited in our databases.
2. Request the rectification and updating of their data in the databases under to treatment.
3. To revoke the authorization of treatment of those data contained in the databases in responsibility of the company.
4. Be informed of the request of third parties, other than judicial or administrative authorities, to obtain their data and to consent, by means of express authorization, or deny the delivery thereof.
5. To bring before the competent authorities the actions derived from the non-compliance of the treatment policy described herein.
6. Any other rights granted by the Constitution and the law.

In accordance with the above, when the owner of the data considers that it has been used inappropriately, the purposes described above have not been fulfilled or the legal mandates or fundamental rights have been ignored, the procedure to be followed is as follows:

Send written communication to our offices addressed to the Administrative Area and/or send it to the e-mail: [email protected]

The company will proceed to respond depending on whether the request is a query or claim as follows:

1. The inquiry will be answered within a maximum term of (10) working days from the date of receipt of the same. If it is not possible to attend the consultation within such term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.
2. Requests for updating correction, rectification or deletion of data will be answered within fifteen (15) working days from the day following the date of receipt. When it is not possible to respond within such term, the interested party will be informed before the expiration of such term for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

Any substantial change in this treatment policy, in the terms described in Article 5 of Decree 1377 of 2013, must be communicated in a timely manner to the holders of personal data in an efficient manner, before implementing the new policies.

The present policies are effective from the date of their publication.

As a rule, the term of the authorizations on the use of personal data is understood to be in force during the exercise of the corporate purpose of KODIAK SERVICES INTL INC.

Attachment: KSIC_PLC_MNG_002_R05_POLÍTICA_PARA_LA_PROTECCION_Y_TRATAMIENTO_DE_DATOS_PERSONALES