Personal Data Processing Policy

Last updated: June 2025

1. Data controller

Paddock Enterprise S.A.S.
Tax ID (NIT): [NIT_PLACEHOLDER]
Domicile: Bogotá D.C., Colombia
Email: hola@paddockent.com
Habeas Data requests: databreach@paddockent.com
Website: paddockent.com

2. Legal framework

This policy is governed by the Colombian Constitution (Article 15), Statutory Law 1581 of 2012, Regulatory Decree 1377 of 2013 (compiled in Single Decree 1074 of 2015, Book 2, Part 2, Title 2, Chapter 25), and the instructions of the Superintendence of Industry and Commerce (SIC).

3. Definitions

For the purposes of this policy, the definitions of Article 3 of Law 1581 of 2012 are adopted:

  • Personal data: any information linked or that may be associated with a specific or determinable natural person.
  • Data subject: natural person whose personal data is subject to processing.
  • Data controller: natural or legal person who decides on the database and/or data processing.
  • Data processor: natural or legal person who processes data on behalf of the controller.
  • Processing: any operation on personal data (collection, storage, use, circulation, deletion).
  • Authorization: prior, express, and informed consent of the data subject for the processing of their data.

4. Guiding principles

Personal data processing is governed by the principles of:

  • Legality: processing is subject to the law.
  • Purpose: processing serves a legitimate purpose communicated to the data subject.
  • Freedom: processing is only carried out with prior, express, and informed authorization.
  • Truthfulness: information must be truthful, complete, accurate, and up to date.
  • Transparency: the data subject may know at any time about the existence of processing.
  • Restricted access and circulation: processing is subject to the limits of the nature of the data.
  • Security: information is handled with technical, human, and administrative measures to prevent alteration, loss, unauthorized consultation or use.
  • Confidentiality: persons involved in processing are obligated to guarantee the confidentiality of information.

5. Data we collect

Paddock collects the following categories of personal data:

  • Identification data: full name, email address.
  • Profile data: selected role (driver, workshop, or mechanic).
  • Usage data: pages visited, platform interactions, IP address, browser type, operating system.
  • Vehicle data: make, model, year, license plate, service history (when voluntarily provided by the data subject).
  • Approximate location data: city or area, solely to connect with nearby workshops.

6. Purposes of processing

Personal data will be processed for the following purposes:

  • Managing waitlist registration and account creation.
  • Providing platform services: connecting drivers, workshops, and mechanics.
  • Sending service-related communications (confirmations, reminders, updates).
  • Sending commercial and promotional communications (only with express authorization).
  • Conducting statistical analysis and service improvement in an aggregated and anonymized manner.
  • Complying with legal and regulatory obligations or requirements from competent authorities.
  • Preventing fraud and ensuring platform security.
  • Managing requests, complaints, and claims (PQR).

7. Authorization

Paddock obtains prior, express, and informed authorization from the data subject before collecting their personal data, through electronic forms with an express acceptance checkbox. Authorization may be revoked at any time by written request to databreach@paddockent.com, unless there is a legal or contractual duty that prevents deletion.

8. Data subject rights (ARCO)

In accordance with Article 8 of Law 1581 of 2012, data subjects have the right to:

  • Access: know, update, and rectify their personal data.
  • Rectification: request correction of inaccurate, incomplete, or outdated data.
  • Cancellation (deletion): request deletion of their data when they consider it is not being processed in accordance with the law.
  • Opposition: oppose the processing of their data for legitimate reasons.
  • Revocation: revoke the authorization granted for processing.
  • Proof of authorization: request proof of the authorization granted.
  • Information: be informed about the use given to their data.
  • Complaint to the SIC: file complaints with the Superintendence of Industry and Commerce for violations of the law.

9. Procedure to exercise rights

Data subjects may exercise their rights by sending a request to databreach@paddockent.com indicating:

  • Full name and identification document of the data subject.
  • Clear description of the facts and the right to be exercised.
  • Email address for notifications.
  • Supporting documents (if applicable).

10. Response deadlines

Inquiries will be answered within a maximum of ten (10) business days from the date of receipt. Claims will be answered within a maximum of fifteen (15) business days. When it is not possible to respond within these deadlines, the data subject will be informed of the reasons and the date of response, which may not exceed five (5) additional business days for inquiries or eight (8) additional business days for claims.

11. International transfers and transmissions

Paddock may transfer or transmit personal data to processors located in other countries (cloud infrastructure providers, email services, analytics tools) only when:

  • The destination country offers adequate levels of data protection according to the SIC.
  • Express authorization from the data subject has been obtained.
  • A data transmission contract exists that guarantees security and confidentiality conditions.
  • It is necessary for the execution of a contract between the data subject and the controller.

12. Security measures

Paddock implements technical, human, and administrative measures to protect personal data:

  • Data encryption in transit (TLS/HTTPS) and at rest.
  • Role-based access control with multi-factor authentication.
  • Continuous access monitoring and security alerts.
  • Periodic staff training on data protection.
  • Vulnerability assessments and penetration testing.
  • Encrypted backups with limited retention.

13. Data retention

Personal data will be retained for the time necessary to fulfill the purposes of processing and applicable legal obligations. Once the purpose is fulfilled, data will be securely deleted, unless there is a legal obligation to retain it. Waitlist data will be retained until platform launch or until the data subject requests deletion.

14. Sensitive data and minors

Paddock does not collect sensitive data (racial origin, political orientation, religious convictions, biometric data, health status) or data from minors. The platform is directed exclusively at persons over 18 years of age.

15. Security incidents

In the event of a security incident that compromises personal data, Paddock will notify the Superintendence of Industry and Commerce and affected data subjects within the deadlines established by current regulations. Notifications will be made through databreach@paddockent.com.

16. Validity and modifications

This policy takes effect from its publication and will remain in force as long as Paddock Enterprise S.A.S. processes personal data. Any modification will be communicated to data subjects through the usual channels (email and website) at least ten (10) business days prior to its effective date.

17. Contact

For any inquiry, request, or claim related to personal data processing:

Paddock Enterprise S.A.S.
General email: hola@paddockent.com
Habeas Data email: databreach@paddockent.com
Website: paddockent.com