Personal Data Processing Policy
Regulatory Framework
This Personal Data Processing Policy is based on the provisions of the Political Constitution of Colombia, particularly Articles 15 and 20, which recognize and guarantee the fundamental rights to habeas data, privacy, good name, and freedom of information. Likewise, it is regulated by the set of normative provisions that make up the general data protection regime in Colombia, including:
- Law 1581 of 2012: Establishes general provisions for the protection of personal data.
- Decree 1377 of 2013: Partially regulates Law 1581 of 2012 regarding the authorization of the data subject for the processing of their data and the mechanisms of information.
- Decree 886 of 2014: Regulates the minimum criteria for the implementation of the Internal Manual of Policies and Procedures.
- External Circular 002 of 2015 from the Superintendence of Industry and Commerce (SIC): Establishes guidelines on the National Registry of Databases (RNBD) and orientations for compliance with the data protection regime.
- Law 1266 of 2008: Regime of financial habeas data and credit information.
- Law 1273 of 2009: Creates a new legally protected asset (the protection of information and data) and includes computer crimes.
- Decree 1378 of 2021: Regulates requirements and conditions for international transfers of personal data.
- Constitutional Court and Council of State rulings: Develop and clarify the scope of the right to habeas data, including Ruling C-748 of 2011, which declared Law 1266 of 2008 constitutional.
- Guidelines and instructions from the SIC: Technical and educational documents that guide the implementation of the Personal Data Protection Management System (SGPDP).
Additionally, since BILLETERA DIGITAL P2P INC engages in activities related to digital and technological financial services, complementary rules on information security, electronic commerce, and financial risk prevention also apply, including:
- Law 527 of 1999: Regulates electronic commerce, digital signatures, and data messages.
- Decree 333 of 2014 and Decree 1499 of 2017: Establish digital security guidelines in Colombia.
- SARLAFT / SAGRILAFT standards issued by the Financial Superintendence and the Superintendence of Companies: Applicable to the prevention of money laundering and terrorism financing, since personal data processing may be linked to due diligence and Know Your Customer (KYC) processes.
Thus, BILLETERA DIGITAL P2P INC and its product BilleteraP2P guarantee that the processing of personal data is carried out in accordance with Colombian legislation, under standards of security, confidentiality, legality, and responsibility, applying the principle of accountability required by the SIC.
Purpose of Data Processing
Personal data collected by BILLETERA DIGITAL P2P INC through BilleteraP2P will be used to:
- Allow access, use, and updates to the BilleteraP2P app.
- Manage registration, identity verification (KYC), and user authentication processes.
- Execute transactions within the platform (P2P transfers, withdrawals, digital payments, etc.).
- Fulfill contractual, legal, and regulatory obligations in financial, foreign exchange, and tax matters.
- Send commercial information, app updates, and changes to policies or terms of use.
- Conduct statistical analysis, market research, and consumer profiling to improve services.
- Handle requests, inquiries, complaints, and claims (PQRS).
- Prevent fraud, money laundering, and terrorism financing risks, and comply with SARLAFT / SAGRILAFT obligations.
- Maintain historical records of the commercial and contractual relationship.
- Carry out other lawful purposes related to the company’s corporate purpose.
Governing Principles
The processing of personal data carried out by BILLETERA DIGITAL P2P INC through BilleteraP2P will be guided by the following principles:
- Legality
- Purpose
- Freedom
- Veracity/Quality
- Transparency
- Restricted Access and Circulation
- Security
- Confidentiality
- Necessity and Proportionality
- Accountability
Rights of Data Subjects
According to current legislation, data subjects have the right to:
- Know, update, and rectify their personal data.
- Request proof of the authorization granted for data processing.
- Be informed about how their data is used.
- File complaints before the SIC for violations of data protection rules.
- Revoke consent and/or request deletion of their data, unless there is a legal or contractual obligation preventing it.
- Access their personal data free of charge.
Procedure to Exercise Rights
Channels:
- Email: soporte@billeterap2p.co
- Physical address: [● Main company address] – Cúcuta, Norte de Santander, Colombia.
- Office hours: Monday to Friday, 8:00 a.m. to 5:00 p.m. (business days).
For inquiries:
- Users may request information on their personal data, processing purpose, and use.
- Response time: within 10 business days from receipt. If delayed, the user will be notified, with a maximum extension of 5 additional business days.
For complaints:
- Data subjects or their successors may file a complaint for correction, update, deletion, or suspected non-compliance.
- The complaint must include identification, facts, contact details, and supporting documents.
- If incomplete, the user will be asked to correct it within 5 business days; otherwise, it will be considered withdrawn after 2 months.
- Once complete, the record will include a “claim in process” note.
- Complaints must be resolved within 15 business days from receipt. If more time is needed, the user will be informed, with an additional maximum of 8 business days.
Security Measures
a) Technical Measures:
- SSL/TLS encryption for sensitive data transmission.
- Data encryption at rest and in transit, aligned with financial industry standards.
- Strong authentication controls (passwords, 2FA, tokens, biometrics).
- Intrusion detection and monitoring systems.
- Secure backups in segregated environments.
- Continuous patching and updates.
- Role-based internal access controls.
b) Administrative Measures:
- Internal Security and Data Protection Policy Manual (per Decree 886 of 2014).
- Registration and maintenance of databases in the RNBD.
- Clear roles and responsibilities for data management.
- Regular risk assessments and mitigation plans.
- Data protection and confidentiality clauses in employee, contractor, and supplier contracts.
c) Human Measures:
- Continuous training on data protection, fraud prevention, and SARLAFT/SAGRILAFT.
- Physical access controls to facilities with sensitive data.
- Incident response protocols.
d) Reference Standards:
- ISO/IEC 27001
- NIST Cybersecurity Framework
- PCI DSS for electronic payment data security
Validity
This policy takes effect upon publication on the website and will remain valid indefinitely as long as the relationship between the data subject and BILLETERA DIGITAL P2P INC persists, or as long as necessary to fulfill the stated purposes. Personal data will be kept for the time required to fulfill processing purposes and comply with legal or contractual obligations.
Legal Team
BILLETERA DIGITAL P2P INC
Incorporation number: BC1549233