DATA PROCESSING POLICY

PERSONAL DATA PROCESSING POLICY

For YEAPP, the proper processing of the personal data of our stakeholders is of vital importance, information that they themselves have provided us for various purposes. In all processes we ensure the confidentiality of the information thanks to the fact that we have the support of the ideal tools depending on the activities for which the information has been delivered.

In accordance with the above and as those responsible for the use of the information of our public of interest, we comply with Law 1581 of 2012 on the Protection of Personal Data, for this reason we make available to you:

The personal data processing policy of YEAPP SAS.

To consult our policy, select "personal data processing policy " at www.yeapp.com/data

PERSONAL DATA PROCESSING POLICY
Company name: YEAPP SAS
NIT: 900.311.748-6
Address: Carrera 19b # 84-17 Floor 4 Tower: OVER III. Bogota, DC 110221
Telephone : (1) 7430077
Email: customerservice@YEAPP.com
Website: www.YEAPP.com

1. LEGAL REGULATIONS AND SCOPE OF APPLICATION:
This personal data processing policy is prepared in accordance with the provisions of the Political Constitution, Law 1581 of 2012, Regulatory Decree 1377 of 2013 and other complementary provisions and will be applied by YEAPP SAS regarding the collection, storage, use , circulation, deletion and all those activities that constitute processing of personal data.

2. DEFINITIONS:
For the purposes of the execution of this policy and in accordance with legal regulations, the following definitions will be applicable: a) Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data; b) Privacy notice: Physical, electronic document or any other format generated by the Controller that is made available to the Owner for the processing of their personal data. In the Privacy Notice, the owner is informed of the information regarding the existence of the information processing policies that will be applicable to them, the way to access them and the purpose of the treatment that is intended to be given to personal data; c) Database: Organized set of personal data that is subject to Processing; d) Personal data: Any information linked or that can be associated with one or several specific or determinable natural persons; e) Public data: It is the data classified as such according to the mandates of the law or the Political Constitution and that which is not semi-private, private or sensitive. Public are, among others, data relating to the marital status of people, their profession or trade, their status as a merchant or public servant and those that can be obtained without any reservation. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins; f) Private data: It is the data that, due to its intimate or reserved nature, is only relevant to the owner; g) Sensitive data: Sensitive data is understood to be data that affects the privacy of the Owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data; h) Data Processor: Natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller; i) Responsible for the Treatment: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the Processing of the data; j) Owner: Natural person whose personal data is the subject of Treatment; k) Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion thereof.

PURPOSE FOR WHICH THE COLLECTION OF PERSONAL DATA AND THE PROCESSING OF THE SAME IS CARRIED OUT:
YEAPP SAS may use personal data to: a) Execute the existing contractual relationship with clients, suppliers, contractors and workers, including the payment of contractual and labor obligations; b) Provide the services and/or products required by clients, suppliers, contractors and workers. c) Inform about new products or services and/or changes in them; d) Evaluate the quality of the service; e) Carry out internal studies on consumer habits; f) Send to physical, electronic mail, cell phone or mobile device, via text messages (SMS and/or MMS) or through any other analog and/or digital means of communication created or to be created, commercial, advertising or promotional information about the products and/or services, events and/or promotions of a commercial or non-commercial nature, in order to promote, invite, direct, execute, inform and in general, carry out campaigns, promotions or contests of a commercial nature or advertising, advanced by YEAPP SAS and/or by third parties; g) Develop the selection, evaluation and employment linking process including the classification of information, storage, filing of Personal Data, delivery of information to third parties in charge of the selection processes, verification, comparison, evaluation of work and personal skills. of the prospectuses regarding the selection criteria of YEAPP SAS and before the link, the registration of information in social security entities such as social security systems in health, professional risks, pensions, family compensation funds, Colombian Institute of Family Welfare , National Learning Service and all those entities that Colombian labor law establishes for the fulfillment of the obligations derived from employment contracts. h) Develop the process of selection, evaluation and linking of contractors including the classification of information, storage, filing of Personal Data, delivery of information to third parties in charge of the selection processes, verification, comparison, evaluation of professional competencies and personal characteristics of the prospects with respect to the selection criteria of YEAPP SAS and in the face of the contractual relationship, the registration of information in professional risk entities, reception and verification of contributions to comprehensive social security systems, including social security systems in health, pensions, Family Compensation Funds and the information that is required by tax regulations for the payment of collection accounts and/or invoices. i) Support internal or external audit processes; j) Register the information of former employees and/or pensioners (active and inactive) in the YEAPP SAS databases, especially the classification, storage, filing of Personal Data collected during the employment relationship for the issuance of certifications related to the relationship of the data owner with YEAPP SAS and the sending of information of interest. k) Provide, share, send or deliver personal data to affiliated, linked, associated, subordinate companies or with commercial links with YEAPP SAS located in Colombia or any other country in the event that said companies require the information for the purposes indicated here. l) Transfer to the countries where the data centers of the service provider of platforms based on cloud technology, used by YEAPP SAS, are located and deliver the personal data to the service provider, who in that event will act as Data Processor. m) Use them for security purposes of people, property and facilities of YEAPP SAS and be used as evidence in any type of process. If personal data is provided, said information will be used only for the purposes indicated here, and therefore, YEAPP SAS will not proceed to sell, license, transmit, or disclose it, unless: (i) there is express authorization to do so; ( ii ) is necessary to allow contractors or agents to provide the entrusted services; ( iii ) is necessary in order to provide our services and/or products; ( iv ) it is necessary to disclose it to the entities that provide marketing services on behalf of YEAPP SAS or to other entities with which there are joint market agreements; (v) the information is related to a merger, consolidation, acquisition, divestiture, or other corporate restructuring process; (vi) that is required or permitted by law. YEAPP SAS may subcontract to third parties for the processing of certain functions or information. When the processing of personal information is actually outsourced to third parties or personal information is provided to third-party service providers, YEAPP SAS warns said third parties about the need to protect said personal information with appropriate security measures; the use of the information to own purposes and it is requested that personal information not be disclosed to others. SENSITIVE PERSONAL DATA. Employees, clients or suppliers of YEAPP SAS who act as Information Holders and/or legal representatives in the case of information about minor children, are informed of the optional and voluntary nature of answering questions that relate to Sensitive Data. or about minors, and in the terms of literal a) of article 6 of Law 1581 of 2012, prior to the collection, storage, use, circulation, deletion, and in general, processing of this data, including digital fingerprints, photographs, videos and other data that may be considered sensitive in accordance with the Law, written authorization will be requested from the owner for the Treatment, which will have the purpose of executing control, tracking, monitoring, surveillance and, in general, guaranteeing security. of its facilities; as well as documenting union activities and complying with legal obligations of a labor nature and related to the employment contract. 4. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA:
The processing of personal data at YEAPP SAS will be governed by the following principles: a) Principle of purpose: The processing of the personal data collected must obey a legitimate purpose, which must be informed to the Owner; b) Principle of freedom: Treatment can only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that requires consent; c) Principle of truthfulness or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data will not be carried out; d) Principle of transparency: In the Treatment, the right of the Owner to obtain from YEAPP SAS at any time and without restrictions, information about the existence of data that concerns them must be guaranteed ; e) Principle of restricted access and circulation: Treatment is subject to the limits derived from the nature of the personal data, the provisions of this law and the Constitution. Personal data, except public information, and the provisions of the authorization granted by the data owner, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only. to the Owners or authorized third parties; f) Security principle: The information subject to Processing by YEAPP SAS must be protected through the use of the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or access. unauthorized or fraudulent; g) Principle of confidentiality: All persons involved in the Processing of personal data are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks included in the Processing has ended.
FIRST PARAGRAPH: In the event that sensitive personal data is collected, the Owner may refuse to authorize its Treatment.

5. RIGHTS OF THE HOLDERS OF PERSONAL DATA SUBJECT TO PROCESSING BY YEAPP SAS:
The holders of personal data themselves or through their representative and/or attorney-in-fact or their successor in title may exercise the following rights, with respect to the personal data that are subject to processing by YEAPP SAS: a) Right of access: Under from which you will be able to access the personal data that are under the control of YEAPP SAS, for the purposes of consulting them free of charge at least once every calendar month, and every time there are substantial modifications to the Information Processing Policies that motivate new consultations; b) Right to update, rectification and deletion: Under which you may request the updating, rectification and/or deletion of the personal data being processed, in such a way that the purposes of the processing are satisfied; c) Right to request proof of authorization: except in events in which, according to current legal regulations, authorization is not required to carry out the treatment; d) Right to be informed regarding the use of personal data; e) Right to file complaints with the Superintendence of Industry and Commerce: for violations of the provisions of current regulations on the processing of personal data; f) Right to require compliance with orders issued by the Superintendence of Industry and Commerce.

FIRST PARAGRAPH: For the purposes of exercising the rights described above, both the owner and the person who represents him or her must demonstrate their identity and, if applicable, the capacity by virtue of which they represent the owner. SECOND PARAGRAPH: The rights of minors will be exercised through the people who are authorized to represent them.

6. DUTIES OF YEAPP SAS:
All those obliged to comply with this policy must keep in mind that YEAPP SAS is obliged to comply with the duties imposed by law in this regard. Consequently, the following obligations must be met: A. Duties when acting as responsible: (i) Request and keep, under the conditions provided in this policy, a copy of the respective authorization granted by the owner. ( ii ) Inform the owner clearly and sufficiently about the purpose of the collection and the rights granted to him by virtue of the authorization granted. ( iii ) Inform, at the request of the owner, about the use given to their personal data ( iv ) Process the queries and claims formulated in the terms indicated in this policy (v) Ensure that the principles of truthfulness, quality, security and confidentiality in the terms established in the following policy (vi)-Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access. ( vii ) Update information when necessary. ( viii ) Rectify personal data when appropriate. B. Duties when acting as Personal Data Processor. If you carry out data processing on behalf of another entity or organization (Data Controller), you must comply with the following duties: (i) Establish that the Data Controller is authorized to provide the personal data that will be processed as Processor (ii) Guarantee the owner , at all times, the full and effective exercise of the right of habeas data a. ( iii ) Maintain the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access. ( iv ) Timely update, rectify or delete the data. (v) Update the information reported by the Data Controllers within five (5) business days from receipt. (vi) Process queries and claims made by the owners in the terms indicated in this policy. ( vii ) Register in the database the legend “claim in process” in the manner established in this policy. ( ix ) Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data. (x) Refrain from circulating information that is being controversial by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce. (xi) Allow access to the information only to people authorized by the owner or empowered by law for this purpose. ( xii ) Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the administration of the owners' information. ( xiii ) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce. C. Duties when processing through a Processor (i) Provide the Processor with only the personal data whose processing is previously authorized. For the purposes of the national or international transmission of data, a contract for the transmission of personal data must be signed or contractual clauses agreed upon as established in article 25 of decree 1377 of 2013. (ii) Guarantee that the information provided to the Processor of the treatment is true, complete, accurate, up-to-date, verifiable and understandable. ( iii ) Communicate in a timely manner to the Data Processor all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it remains updated. ( iv ) Inform the Data Processor in a timely manner of the rectifications made to the personal data so that he or she can proceed to make the pertinent adjustments . (v) Demand that the Data Processor, at all times, respect the security and privacy conditions of the owner's information. (vi) Inform the Data Processor when certain information is under discussion by the owner, once the claim has been submitted and the respective process has not been completed. D. Duties regarding the Superintendency of Industry and Commerce (i) Inform it of possible violations of security codes and the existence of risks in the administration of the owners' information. ( ii ) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

7. REQUEST FOR AUTHORIZATION TO THE OWNER OF THE PERSONAL DATA:
In advance and/or at the time of collecting personal data, YEAPP SAS will request the owner of the data for authorization to collect and process it, indicating the purpose for which the data is requested, using automated technical means for these purposes. written or oral, allowing proof of the authorization and/or unequivocal conduct described in article 7 of Decree 1377 of 2013 to be preserved. Said authorization will be requested for the time that is reasonable and necessary to satisfy the needs that gave rise to the authorization. request for the data and, in any case, with observance of the legal provisions that govern the matter.

8. PRIVACY NOTICE:
In the event that YEAPP SAS cannot make this information processing policy available to the owner of the personal data, it will publish the privacy notice attached to this document, the text of which will be kept for later consultation by the owner of the data. data and/or the Superintendence of Industry and Commerce.

9. TEMPORARY LIMITATIONS ON THE PROCESSING OF PERSONAL DATA.
YEAPP SAS may only collect, store, use or circulate personal data for as long as is reasonable and necessary, in accordance with the purposes that justified the processing, taking into account the provisions applicable to the matter in question and the administrative aspects. accounting, fiscal, legal and historical information. Once the purpose(s) of the processing have been fulfilled and without prejudice to legal regulations that provide otherwise, the personal data in its possession will be deleted. Notwithstanding the above , personal data must be preserved when required to comply with a legal or contractual obligation.

10. AREA RESPONSIBLE AND PROCEDURE FOR THE EXERCISE OF THE RIGHTS OF PERSONAL DATA HOLDERS:
The QUALITY AREA of YEAPP SAS will be responsible for addressing the requests, complaints and claims formulated by the data owner in exercise of the rights contemplated in section 5 of this policy, with the exception of that described in literal e). For these purposes, the owner of the personal data or whoever acts as his representative may send his request, complaint or claim from Monday to Friday from 8:00 am to 5:00 pm to the email customerservice@YEAPP.com, call the telephone line of YEAPP SAS, (1) 7430077, or file it at the following address corresponding to our offices: Carrera 19b # 84-17 Floor 4 Tower: OVER III Bogotá, DC 110221 The request, complaint or claim must contain the identification of the Owner, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to assert. If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that the claim has been abandoned. In the event that the person who receives the claim is not competent to resolve it, he or she will forward it to the appropriate person within a maximum period of two (2) business days and will inform the interested party of the situation. Once the complete claim is received, a legend that says “claim in process” and the reason for it will be included in the database within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided. The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

11. SECURITY MEASURES:
In development of the security principle established in Law 1581 of 2012, YEAPP SAS will adopt the technical, human and administrative measures that are necessary to provide security to the records, preventing their adulteration, loss, consultation, unauthorized or fraudulent use or access. The personnel who process personal data will execute the established protocols in order to guarantee the security of the information.

12. MODIFICATIONS
This Personal Data Processing Policy may be modified at any time by YEAPP SAS. It will be available to employees, contractors and suppliers in its updated version on the website www.YEAPP.com If changes are made to the formal part of the procedures, such as changes of address, telephone, contact email, URL , area in charge, they will be reflected in the document and made known through the company's website or through suitable mechanisms that allow consultation of the documents. Due to legal provisions , if changes are made to the purposes of the processing of personal data, notice of the change will be given to the owners of the personal data that are registered in the company's databases and the latest version will be made available to them. of the Personal Data Processing Policy and the corresponding form to obtain a copy of your new authorization.
13. EFFECTIVE DATE:
This Personal Data Policy came into effect on January 1, 2017.

The Personal Data that is stored, used or transmitted will remain in the YEAPP SAS Databases for as long as necessary to fulfill the purposes mentioned in this document.

Sincerely,

YEAPP SAS
Carrera 19b #84-17 Floor 4 Tower: OVER III
Bogota, DC 110221