A. WHO WE ARE 

Perenne Servicios S.A.S., identified with NIT 901.890.087-6 and owner of the website www.casasenvilladeleyva.com informs the general public of this Policy for the Treatment of Personal Data, in order to comply with Law 1581 of 2012 and its regulatory decrees. 

B. SCOPE OF THE DATA PROCESSING POLICY

The purpose of this policy is to establish the principles, parameters and rules regarding data protection that Perenne will adopt and accept when it is responsible for the processing of personal data in accordance with the provisions of current Colombian regulations. Based on the above, it will be of mandatory knowledge and compliance for Perenne, its collaborators and employees, as well as for the Users of https://perennerenting.com/ or any of the technological platforms that Perenne enables or develops in the future (the "Platform"). 

C. LEGAL FRAMEWORK 

1. Article 15 of the Political Constitution of Colombia, which enshrines the rights to privacy, good name and the protection of Personal Data or habeas data. 
2. Law 1266 of 2008, which developed articles 15 and 20 of the Political Constitution related to the knowledge, updating and rectification of information collected on individuals in data banks and other rights and freedoms and constitutional guarantees related to the collection, processing and circulation of personal data. 
3. Law 1581 of 2012, which establishes general provisions for the protection of Personal Data. 
4. Decree 1377 of 2013, which partially regulates Law 1581 of 2012 in aspects related to the authorization of the Data Subject, transfers of Personal Data and the responsibility demonstrated in relation to the processing of Personal Data, among others. Both decrees are compiled in the Sole Regulatory Decree 1074 of 2015. 
5. Decree 886 of 2014 through which Law 1581 of 2012 is partially regulated in relation to the National Database Registry. 
6. Any other provision that modifies, regulates, substitutes or repeals the aforementioned rules.      

D. DEFINITIONS 

1. Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data. 
2. Data Base: Organized set of personal data that is subject to Processing.
3. Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons. 
4. Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data contained in public documents and data related to the civil status of individuals; 
5. Semi-private data: Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general. 
6. Sensitive data: Sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life, and biometric data. 
7. Data Processor: Natural or legal person, public or private, that by itself or in association with others, performs the Processing of personal data on behalf of the Data Controller.
8. Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of data. 
9. Data Subject: Natural person whose personal data is the object of processing. 
10. Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. 
11. Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is the Data Controller and is located inside or outside the country. 
12. Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is the performance of a Processing by the Processor on behalf of the Controller.
13. Allied Establishments: Owners and/or managers of the properties offered and rented by Perenne through any digital or traditional channel. The Allied Establishments may require the information of the Holders for the effective provision of their services. 

E. PRINCIPLES

Any transaction carried out by Perenne in connection with personal data that it may obtain in the course of its business will be subject to the principles set out below: 

1. Principle of legality: The processing referred to in this law is a regulated activity that must be subject to the provisions of this law and other provisions that develop it; 
2. Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject; 
3. Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent; 
4. Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited;
5. Principle of transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed; 
6. Principle of restricted access and circulation: Processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for in Law 1581 of 2012; Personal data, except for public information, may not be made available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties in accordance with this law; 
7. Security Principle: The information subject to Processing by the Data Controller or Data Processor referred to in this law, shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access; 
8. Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized by law and under the terms of the same.

F. PURPOSES OF DATA PROCESSING

Perenne, may act as responsible and/or in charge of the Processing of Personal Data mainly in the following cases: 

I. Fulfill the obligations derived from the contractual relations that may be established with me; allow the creation of the User account of the Holder when he/she wishes to use the platform; grant me a guarantee on the services provided when appropriate; and inform me about commercial conditions and after-sales services, among other actions derived from the business we entered into;

II. Perform business intelligence actions, customer prospecting, market research and trends; identify traceability and consumption patterns for statistical purposes; understanding of profiles, navigation routes, brand tracking and other behaviors in social networks;

III. Contact me to invite me to participate in the loyalty program through any of the means and channels that I have freely informed as Holder;

IV. Communicate promotions about products, goods and services, as well as send me gifts for advertising campaigns through any of the means and channels that I have freely informed as Owner;

V. Send me advertising about products, goods and services, as well as invitations to related events of interest;

VI. Administer the loyalty program, including the accumulation and redemption of points;

VII. To deliver them to third parties in charge of any of the treatments mentioned herein, national or foreign;

VIII. Transfer the data provided by the Data Subject to the Allied Establishment contracted by the Data Subject or User to provide the services offered through the Platform. In such case, the Allied Establishment will become Responsible for the processing of personal data, according to its own Personal Data Processing Policy;

IX. Consult them in databases with public vocation for risk management.

In the cases indicated above, Perenne will strictly comply with the legal norms and internal policies that have been established for the collection, storage, updating, use, circulation, transfer, transmission and deletion of Personal Data. 

Perenne, may transfer the personal information of the owners to companies in charge of data processing, who must meet the requirements of the law to have such quality. Likewise, it may transfer personal data to the Allied Establishments, so that they can provide the service for which they were hired by the Data Subject, in accordance with what is indicated in the Terms and Conditions made known to the Data Subject. In such cases, the Data Subject understands, acknowledges and accepts that the processing of his/her data shall be subject to the Personal Data Processing Policy of the respective Allied Establishment, which shall act as the Controller. 

G. TREATMENT OF SENSITIVE DATA 

Notwithstanding the exceptions provided by law, the processing of sensitive data requires the prior, express and informed authorization of the Data Subject, which must be obtained by any means that may be subject to consultation and subsequent verification. In the Processing of sensitive personal data, when such Processing is possible in accordance with the provisions of Article 6 of Law 1581 of 2012, Perenne shall comply with the following obligations:

I. To inform the Data Subject that since it is sensitive data, he/she is not obliged to authorize its processing;

II. Inform the Data Subject explicitly and in advance, in addition to the general requirements of authorization for the collection of any type of personal data, which of the data to be processed are sensitive and the purpose of their processing, and also obtain his or her express consent;

No activity provided by Perenne will be conditioned to the provision of sensitive personal data by the Holder. 

H. TREATMENT OF PERSONAL DATA OF CHILDREN AND ADOLESCENTS

Perenne will not request personal data of a private nature from minors staying in any of the accommodations offered. Therefore, it will not carry out any kind of treatment on them. 

However, if at any time it becomes necessary to collect data from minors in order to comply with the contractual obligations contracted by Perenne with its clients, such information will be treated under the standards defined for sensitive data and such treatment must comply in all cases with the following parameters and requirements:

I. That it responds to and respects the best interests of children and adolescents.

II. To ensure respect for their fundamental rights.

Once the above requirements have been met, the legal representative of the child or adolescent will grant the authorization after the minor has exercised his or her right to be heard, an opinion that will be assessed taking into account the maturity, autonomy and capacity to understand the matter. Perenne, in the event that it collects data from children and adolescents, will ensure the proper use of such data. For this purpose, the principles and obligations established in Law 1581 of 2012 and other applicable regulations shall be applied. The family and society must ensure that those responsible for the processing of personal data of minors comply with the obligations established in Law 1581 of 2012 and other applicable regulations.

I. RIGHTS OF THE OWNERS

1. To know, update, rectify and/or delete their data, the latter when there is no legal or contractual duty that requires the retention of their personal data by the Controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized. 
2. Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the Processing, in accordance with the provisions of Article 10 of Law 1581 of 2012. 
3. To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been made of their personal data. 
4. File before the Superintendence of Industry and Commerce complaints for violations of the provisions of Law 1581 of 2012 and other rules that modify, add or complement it, once the procedural requirement established in Art. 16 of Law 1581 of 2012 has been exhausted. 
5. To revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the Processing. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Processing the Controller or Processor has incurred in conduct contrary to this law and the Constitution. 
6. Access free of charge to your personal data that have been subject to Processing, in the terms established in Art. 21 of Decree 1377 of 2013. 

J. PERENNE'S DUTIES AS A PERSONAL DATA CONTROLLER

1. Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data. 
2. Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Holder.
3. Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted. 
4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access. 
5. Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable. 
6. Update the information, communicating in a timely manner to the Data Processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date. 
7. Rectify the information when it is incorrect and communicate the pertinent to the Data Processor. 
8. To provide to the Data Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of the law. 
9. To require the Data Processor at all times to respect the security and privacy conditions of the Data Subject's information. 
10. Process inquiries and claims formulated under the terms set forth in the law.
11. Maintain an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, to deal with queries and complaints.
12. Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed. 
13. Inform upon request of the Data Subject about the use given to their data. 
14. Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Holders. 
15. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce. 

K. DUTIES OF COMPANIES THAT CHOOSE PERENNIAL AS DATA PROCESSORS OF PERSONAL DATA

The Data Processors shall have the following duties towards the Data Subjects and shall make all reasonable efforts to ensure that they are guaranteed: 

1. Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data. 
2. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.      
3. Timely update, rectification or deletion of data under the terms of this law. 
4. Update the information reported by the Data Controllers within five (5) business days from its receipt. 
5. To process the queries and claims formulated by the Holders under the terms set forth in this law. 
6. Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for the attention of queries and claims by the Holders. 
7. Register in the database the legend "claim in process" in the form regulated in the present law. 
8. Insert in the database the legend "information under judicial discussion" once notified by the competent authority about judicial processes related to the quality of the personal data. 
9. Refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce. 
10. Allow access to information only to those who can access it. 
11. Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the Holders.
12. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce. 

In the event that the qualities of Data Controller and Data Processor concur in the same person, he/she will be required to comply with the duties foreseen for each of them.

L. AUTHORIZATIONS

Any activity that Perennerealizeswith the Personal Data, such as collection, storage, use, circulation, suppression or in general the treatment of the same, must be previously, informed and expressly authorized by its Owners. Likewise, it may also correspond to the fulfillment of legal and contractual duties that require the conservation of certain personal information. 

Perenne will make the following information available to the Data Subjects before they express their consent: 

1. The processing to which your personal data will be submitted and the purpose of such processing.
2. The optional nature of the answer to the questions asked, when they deal with sensitive data or with the data of children and adolescents.
3. The rights you have as Holder.
4. The identification, physical or electronic address and telephone number of the Data Controller. 

The collection of Personal Data shall be limited to those personal data that are relevant and adequate for the purpose for which they are collected or required in accordance with the regulations in force. Except in the cases expressly provided for by law, no personal data may be collected without the authorization of the Data Subject. 

The authorization by the Data Subject for the Processing of his/her personal data, must be made at the latest, at the time of data collection. 

M. EXERCISE OF THE RIGHTS OF THE OWNERS

Inquiries:

In order to comply with any request for information, Perenne has provided the following channels through which the owners or their assignees may exercise their right of consultation: 

 N. Contact

Alejandra Barrera Forero 

1. Email

alejandrabarreraforero@gmail.com 

2. Telephone

+57 3152309335

O. Claims:

The Data Subject or his Causahabientes who consider that the personal information managed by Perenne should be corrected, updated, deleted, or if they notice a breach by Perenne or any of its Agents, may file a complaint in the following terms: 

1. The claim shall be formulated by means of a request addressed to Perennial. The claim shall include:
   1. The identification of the holder.
   2. The description of the facts giving rise to the claim.
   3. The address where you will receive notifications.
   4. The documents that accredit it to make the claim. 
2. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. 
3. After one (1) month from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been abandoned. 
4. Once the completed claim is received, the personal information must be marked with the corresponding legend "claim in process" and the reason for the claim, this must occur within a maximum term of two (2) business days.      
5. The maximum term to respond to the claim is fifteen (15) business days, if it is not possible to do so within this term, the interested party will be informed of the reasons for the delay and the date on which it will be attended, which may not exceed eight (8) business days following the expiration of the first term. 

P. TERM OF VALIDITY OF DATA CONSERVATION

The data will be kept as long as the purpose for which they were collected or known exists and for the term established by the laws and contractual obligations that require them.

Q. NOTICE OF POLICY UPDATES

Any substantial change in the content of this Policy, related to the identification of the Controller and the purpose of the Processing of Personal Data, which may affect the content of the authorization, will be communicated through Perenne's website: https://casasenvilladeleyva.com/. In case of being substantial, they will be informed in a timely manner, always prioritizing the rights of the Data Controllers, through their e-mail. 

R. FINAL CONSIDERATIONS

This Personal Data Processing Policy became effective on March 15, 2024 and is available to Users and the general public at the following address: https://casasenvilladeleyva.com/. 

***This is Perenne's Personal Data Processing Policy***.