Privacy Policy and Personal Data Processing

(Includes Cookies Notice and Consent Management Platform – CMP)

Responsible Entity: TERRA BOMBA S.A.S

NIT: 901633020-2

Address: CR 4 46 42 ED LAGUNA DEL CABRERO T2 APTO 1605, CABRERO, Cartagena, Colombia

Email for data rights inquiries: [email protected]

Phone: +57 314 7380312

Websites and apps covered: palmaritobeach.com and palmaritobeach.sky-hub.co

Last update: 01/11/2025

Effective date: 01/11/2025

1. PURPOSE AND SCOPE

This Policy explains how TERRA BOMBA S.A.S collects, uses, stores, shares, and protects the personal data of individuals who interact with our websites, applications, service channels, and operations.

It applies to all data processing activities carried out by TERRA BOMBA S.A.S as Data Controller.

2. LEGAL FRAMEWORK

Colombia: Law 1581 of 2012; Decrees 1377 of 2013 and 1074 of 2015; SIC Guidelines; and when applicable, Law 1266 of 2008, Law 2157 of 2021, and Law 2300 of 2023.

International standards (reference): GDPR principles (EU) — lawfulness, transparency, minimization, integrity/confidentiality, and proactive accountability.

3. KEY DEFINITIONS

Personal Data: Information that identifies or makes an individual identifiable.

Sensitive Data: Information affecting privacy or that may cause discrimination.

Data Subject: Individual whose data is processed.

Processing: Any operation performed on personal data.

Processor: Third party processing data on behalf of the Controller.

Transmission: Sharing data with a Processor for processing.

International Transfer: Sending personal data to another country.

4. PRINCIPLES OF DATA PROCESSING

Lawfulness, purpose, freedom, accuracy, transparency, restricted access and circulation, security, confidentiality, proportionality, and demonstrable accountability.

5. DATA CATEGORIES AND PURPOSES

5.1 Commercial & Contractual Operations

Data: identification, contact, reservation information, payments, PQRS history.

Purposes: quotations, reservations, service provision, invoicing, PQRS management, fraud prevention, and legal compliance.

Legal basis (GDPR reference): contract execution, legal obligation, legitimate interest.

5.2 Marketing, Analytics & Personalization

Data: online identifiers (cookies/IDs), IP address, browsing behavior, preferences.

Purposes: audience measurement, UX improvement, segmentation, remarketing (with consent).

Legal basis: consent for non-essential cookies; legitimate interest for aggregated analytics.

5.3 Customer Support (email/chat/phone/WhatsApp)

Data: identification, contact, message content, recordings or transcripts when applicable.

Purposes: service assistance, support, quality control, and process improvement.

5.4 Vendor & HR Management

Data: contractual information, compliance, resumes, HR information, payroll data.

Purposes: selection, hiring, legal compliance, contractor management.

5.5 Sensitive Data & Minors

Processed only when strictly necessary and with explicit consent or legal authorization, ensuring the best interests of minors.

6. DATA SOURCES

Data is obtained from: user-provided information, interactions with digital channels, contractual relationships, or authorized partners.

7. AUTOMATED DECISIONS & PROFILING

We may use automated tools for segmentation, analytics, and recommendations.

We do not make exclusively automated decisions that produce legal or significant effects without human review.

Data Subjects may request human intervention, object, or express their viewpoint.

8. PROCESSORS, TRANSMISSIONS & INTERNATIONAL TRANSFERS

8.1 Processors & Safeguards

We use authorized Processors with equivalent legal and security standards under Law 1581/2012 and international frameworks.

Examples include:

• SKY TECHNOLOGIES GROUP LLC – CRM & automation

• Google Workspace (email & productivity)

• Google Analytics / Tag Manager

• Meta Platforms – advertising and measurement tools

International safeguards may include SCCs (EU), EU–US DPF certification, or other adequacy measures.

8.2 Contractual Basis

All data processing follows documented instructions, confidentiality requirements, security measures, sub‑processor controls, assistance for data rights, incident management, and final data deletion or return.

8.3 EU Representative

Not required at this time based on territorial scope and processing nature.

This determination is reviewed periodically or upon material changes.

9. DATA RETENTION

• Tax/accounting/contractual: up to 10 years

• PQRS/support cases: 5 years

• Marketing data: until consent withdrawal or 24 months of inactivity

• HR: 10 years after termination

• Security logs: 12–24 months

Personal data is securely deleted or anonymized after retention periods.

10. DATA SUBJECT RIGHTS & CHANNELS

Rights: access, rectification, update, deletion, proof of consent, complaint submission, revocation, and free access.

Contact: [email protected]

Response times:

• Inquiries: up to 10 business days

• Complaints: acknowledgment within 2 business days; resolution up to 15 business days, extendable by 8 with justification.

Under GDPR when relevant: 1 month, extendable depending on complexity.

11. INFORMATION SECURITY

We implement technical, organizational, and physical measures: secure access controls, MFA, encryption (when applicable), environment segregation, backups, vulnerability management, incident response, confidentiality agreements, and vendor audits.

12. NATIONAL DATABASE REGISTRY (RNBD)

Databases are registered and updated as required by SIC.

13. COMMERCIAL COMMUNICATIONS (Law 2300/2023)

We respect permitted contact hours and offer opt‑out options in all communications; opt‑out requests are processed within reasonable timeframes.

14. POLICY CHANGES

Updates will be published with effective dates. Material changes will be notified through official channels.


Copyright 2026. Palmarito Beach. All Rights Reserved.

HOTEL PALMARITO BEACH & SPA RNT: 160981
