Due to the commercial acivity executed by EXSIS Digital Angels in compliance with Decree 1377 from year 2013, the data handling, protection and privacy policy that Exsis Digital Angels implements is established.

COMPANY NAME: EXSIS DIGITAL ANGELS S.A.S. (hereinafter EXSIS), company with pure colombian capital and funds, which belongs to the Colombian common regime and dedicated to offering software solutions that allow to meet needs and expectations when handling customers’ data handling, utilizing the lastest technology and advances guaranteeing quality both in products creation and services.

DOMICILE: Bogota.ADDRESS: Street 145 # 48-16, Bogota D.C.E-MAIL: habeasdata@exsis.com.coPERSON IN CHARGE, CONTACT NUMBER: 4846750 Ext. 1021II. LEGAL FRAMEWORKPolitical constitution, 15th article.The 1266 Act from year 2008The 1581 Act from year 20121727 and 2952 Regulatory decrees from years 2009 and 20101377 Partial Regulatory decree from year 2013.

AUTHORIZATION: The holder’s previous, explicit and informed approval or permission to carry out the data handling its protection and privacy.PRIVACY NOTICE: verbal or written communication generated by the temporary responsible person directed towards the holder for data handling, protection and privacy, by which the existence of applicable data handling, protection and privacy policies are informed, how to access these policies and the purposes of data handling, protection and privacy that is intended for personal data privacy.DATABASE: dataset that is composed of personal data subject to data handling.SUCCESSOR: a person who takes over the rights of another because of death or inheritance (heir).PERSONAL DATA: any piece of information involved with one person or several determined individuals or determinable people able to join a natural or juridical person.PUBLIC DATA: it is the data that is not semi-private, private or sensitive. Public data is considered to be, amongst others, data related to people’s marital status, profession or job, quality as merchant or public servant. By nature, public data can be contained, amongst others, in public records or documents, official legal bulletins, gazetes and legal decisions properly executed that are not subject to legal reserve.SENSITIVE DATA: is any data that affects the holder’s intimacy, political orientation, religious or philosophical beliefs, participation in trade unions, social, human rights, or organizations that support political parties’ interests, or those who guarantee rights and political opposition, as well as, those related to health, sexual life and biometric data.MANDATORY DATA: It is understood as the holders’ personal mandatory data to continue with the company’s operation. The mandatory in essence data should be provided by the data holders or legitimate ones, who can exert these rights.TEMPORARY RESPONSIBLE PERSON FOR DATA PRIVACY: a natural, juridical, public or private person, who on her or his own or together with others, executes personal data handling on behalf of the responsible person for data privacy.DATA PRIVACY ACT: It is all the regulation involved with the 1581 act from year 2012 and its regulatory Decrees, regulations and ammendments that modify, complement or substitute regulations.HABEAS DATA: is the right that any person has to know, to update and to change information that has been gathered or collected in the databases and files from public and private entities.RESPONSIBLE PERSON FOR DATA PRIVACY: a natural or juridical, public or private person who on his or her own or together with others, decides about the database and/or about data handling or its privacy.HOLDER: is a natural person whose personal data is subject to data Handling.DATA HANDLING: are any operations or set of operations about personal data, such as collection, gathering, usage, distribution or deletion.TRANSFERENCE: Data transference occurs when the temporary or responsible person for personal data privacy, located in Colombia, submits data or personal data to a recipient, who is also responsible for personal data handling and located in Colombia or abroad.TRANSMISSION: Data handling or Data privacy that conveys communication of Data handling or Data privacy within Colombia’s national territory or abroad when the purpose is to have date managed by the temporary responsible person on behalf of the responsible person for data privacy.

For the development, interpretation and law enforcement from the 1581 act from year 2012 by which general dispositions are dictated for the personal data privacy and the regulations that complement, modify and change this act, the following governing principles will be applied in a harmonic and integral way:

a) PRINCIPLE OF LEGALITY: data privacy is a regulated activity that must stick to what is established in the law and other dispositions related to it.b) PRINCIPLE OF PURPOSE: the data privacy must follow a legitimate purpose in compliance with the Constitution and Laws, and must be notified to the holder.Regarding personal data collection, EXSIS will only collect data that is pertinent and reasonable for the purpose that it was meant to be collected or gathered. The holder needs to be notified of the reason why and purpose for which the information is being required and the specific usage that this information will have.c) PRINCIPLE OF FREEDOM: Privacy data and its handling can only be exerted with previous, expressed and informed approval or permission from the holder. Personal data will not be obtained or disclosed without previous authorization, or in absence of legal or judicial order affecting the permission.d) PRINCIPLE OF VERACITY OR QUALITY: data subject to privacy and data handling must be reliable, complete, exact, updated, verifiable and understandable. Incomplete, parcial, fragmented or misleading data handling is prohibited.e) PRINCIPLE OF TRANSPARENCY: with data handling the holder’s right must be guaranteed to obtain information about the existence of data that he or she is interested in, in any moment and with no restraints by the person who is responsible for data privacy or the temporary person in charge.f) PRINCIPLE OF ACCESS AND RESTRICTED CIRCULATION: the data handling sticks to the limits that derive from the nature of personal data, Law dispositions and the Constitution. In this way, data handling can only be executed by individuals who are authorized by the holder or individuals allowed by Law. Personal data, except for public data, will not be available on the internet nor any other means of advertisement or massive communication, unless the access is technically controlled to offer a restricted access of information only for the holders or a third person authorized by law.g) PRINCIPLE OF SAFETY: data subject to EXSIS handling, needs to be handled with the technical, human and administrative measures that are necessary to provide security to the records preventing adulteration, loss, consultation, use or unauthorized or fraudulent use or access from happening.h) PRINCIPLE OF CONFIDENTIALITY: EXSIS is obligued to guarantee the reserve of data, even after finishing its relation with any of the tasks that handling requires, being only able to supply or communicate personal data when it corresponds to the development of legal activities.

EXSIS is committed to protecting the privacy and guaranteeing the habeas data rights, so that customers are able to know, update and modify personal data handled by EXSIS. For this reason, in compliance with the 1581 act from year 2012 and the 1377 Decree from year 2013, it is stated how the holder counts on the below rights:

a) To know, to update and to modify his or her personal details before EXSIS or its managers, in its responsible for private data handling condition. This right can be exerted, amongst others, when Partial, inaccurate, incomplete, fragmented, misleading personal data or those prohibited or those ones that have not been authorized occur.b) To request proof of authorization granted to EXSIS, unless there exists a legal disposition that indicates the authorization is unnecessary or that it has been validated according to the 10th article of the 1377 Decree.c) To request petitions to EXSIS regarding the personal data use and to receive such information.d) To file a complaint before the superintendence of industry and commerce for infractions related to the 1581 act from year 2012 and the 1377 Decree from year 2013.e) To revoke his or her authorization and/or to request personal data deletion from EXSIS databases, only if a legal duty does not exist (when the user has has bought an article or service there are legal and tax obligations to have a the record of purchase for the bought items, hence this information must remain on the EXSIS record of sales, this, with foundation on the 60th article C.Co) or a an EXSIS holder contractual type of obligation, under which the holder has no right to request his or her personal data deletion or to revoke his or her authorization for data handling. If there are no legal or contractual pending duties and EXSIS has not deleted the holder’s personal data from its database or has not revoked the authorization from whom is legitimate to do so within the legal terms, the holder will be able to go before the superintendence of Industry and Commerce to demand the revocation of authorization and/or the personal data deletion.f) To request and gain free access to his or her personal data that has been subject to data handling.These Policies guarantee that any provided piece of information will be kept private and secure. To certify this, we provide in this document the details of which data we obtained and the way we used it. We never gather data without previous, explicit and informed approval or permission, unless personal data was under handling process by EXSIS before the 1377 Decree from year 2013 was issued and the procedure in the 10th article from that mentioned Decree has been implemented. This document is an integral part of EXSIS Terms and conditions. By the acceptance of these Terms and conditions you accept you have been informed about our Policy.

According to the data handling and data protection policy, in this document, the duties for which EXSIS is responsible are the following ones, subject to legal dispositions contained in the law.

a) To guarantee the holder, at any time, the full and effective exercise of the habeas data right.b) To request and to keep the corresponding holder’s granted authorization copy.c) To inform accurately the holder about the data collection purpose and rights in favor due to the granted authorization.d) To keep the data under the necessary security conditions to prevent adulteration, loss, consultation, use or unauthorized or fraudulent access from happening.e) To guarantee that the data is realiable, complete, precise, updated, verifiable and understandable.f) To update data, taking care of the customers’ requests about the holder’s data. Additionally, all possible measures must be implemented, so that data remains up-to-date.g) To correct data when it is incorrect and to communicate it.h) To respect the holder’s data privacy and security conditions.i) To process requests and filed claims within legal the terms specified by law.j) To identify when specific information is under discussion by the holder.k) To inform upon holder’s request about the use of his or her data.l) To inform the data protection authority when a breaching of the law codes occurs or should risks exists in the holder’s data handling procedure.m) To comply with the requirements and instructions that the Superintendence of Industry and Commerce resolves on a particular matter.n) To use only data whose handling is previously authorized in compliance with the 1581 act from year 2012.o) EXSIS will utilize the holder’s personal data only for the purposes it is entitled and respecting in all cases valid laws and regulations about data protection.

Our services are only available for those individuals who have capacity to hire or to be hired. Therefore, those who do not comply with this requirement will need to avoid providing personal data to be included in our databases. Although this can be done with the parent’s help or tutors, according to what is written in our Terms and conditions, the tutor or legal representative of the minor will grant authorization once the child has exerted his or her right to be listened and his or her opinion has been valuated according to his or her maturity, autonomy and capacity to take care of this issue. Minors’ Personal data must respect the overall interest of children, girls and adolescents and protect their fundamental rights. In compliance with the 1377 Decree from year 2013, EXSIS will not handle minors’ sentitive personal data, defined by the 1581 act from year 2012 as those which affect the holder’s intimacy or those whose improper use can generate discrimination, such as those that disclose trade union affiliations, racial or ethnic origin, political orientation, religious, moral or philosophical beliefs, the affiliation to trade unions, social or human rights organizations that promote political parties that guarantee rights and guarantee political parties opposition, as well as data related to health, sexual life, and biometric data.

Subject to legal exceptions, the holder’s data handling requires previous, informed authorization from the holder, and this authorization will have to be obtained through any means that can be consulted later.

EXSIS will inform in advance to the holders about the required personal data and the reason why the information is needed, understanding that the above mentioned purpose will always be related to EXSIS economic activity. Regarding the authorization obtention, EXSIS will gather data related to personal data in a strictly manner using the assigned forms and texts for this activity.In the documents, formats and/or texts that EXSIS assigns for the task the following will always be included:a. The mention of the personal data policy, in this document, and its location on the corporate website.b. Contact information regarding the responsible person for the data handling.c. A space for the holder’s signature or, in any particular case the legal representative, or legitimate third person for the exercise of the rights.

EXSIS, according to legal terms, generated a notification which communicates that holders can exert their “personal data handling” rights over the website www.exsis.co and the e-mail habeasdata@exsis.com.co.

The holder’s authorization information will not be necessary in the following cases:

a) Data required by a public or administrative entity in exercise of legal functions or by judicial requirement.b) Data of public nature.c) Medical or sanitary urgency cases.d) Data handling authorized by law for historical, statistical or scientific purposes. Data related to people’s civil registration.

The holder’s rights established in the Law will be exerted by the following individuals:a) By the holder, who will have to credit his or her identity in a sufficient manner throughout the possible means that EXSIS offers to him or herb) By the holder’s successors, who will have to credit such quality.c) By the representative and/or holder’s power of attorney, previous to the full accreditation of the representation or the power of attorney.d) By stipulation in favor of someone or for someone.

The employees and customer’s mandatory personal data handling will be framed in the legality in order to provide an excellent service and to make more effective, agile and safer operations that users execute, EXSIS will gather the holder’s personal data only for the following purposes:

a) To make EXSIS transactions more effective and saferb) To comply with customers and users’ service agreements, in compliance with the objectives to provide offers, sales, and EXSIS services or products.c) To complement the data and, in general, to move forward the necessary activities to manage requests, complaints and claims filed by EXISIS customers or users and by third parties, to redirect them to responsible areas to provide the corresponding responses.d) To send information and EXSIS commercial proposals about products, as well as to have marketing and/or services commercialization activities and/or products that EXSIS could possibly offer.e) To conduct market research, statistics, surveys, market trends analysis, satisfaction surveys about services provided by EXSIS.f) For personal data transmission to a third party with whom agreement were made with this intention for commercial, administrative and/or operational purposes.g) To manage all necessary data for EXSIS tax, commercial records, corporate and accounting obligations compliance.h) To be able to proceed with billing/invoicing and EXSIS cash collections.i) To send information or messages about new products and/or services, to show the current advertisement or promotion, banners, EXSIS news and any other information we think is convenient.j) To share personal data with service companies or outsourcing companies that contribute to facilitate operations with EXSIS, including, payment methods, insurance or payment management intermediaries. EXSIS will do its best to create third parties’ policies with similar standars to those contained in this document, using agreements and contracts both with signatures.k) To provide the holder’s personal data to entities involved with conflicts resolution that are qualified to do so.

In case of sensitive personal data, it will be possible to use the data handling when:

a) The Holder has given explicit authorization for the data handling, except for cases where the authorization is unnecessary by law;b) Data handling is necessary to safeguard the holder’s vital interest and when the holder is physically or juridically handicapped. In these events, the legal representatives will have to grant their authorization;c) The handling happens during the legitimate activities guaranteed by a foundation, ONG, association or any other non-profit organism, whose political, philosophical, religious intention or trade union intention, only if they refer exclusively to their members or to people who maintain regular contact due to the intention. In this case, data will not be given to a third person without the holder’s authorization;d) The data handling refers to data that is necessary for the acknoledgement, exercise or defense of a right in a judicial process;e) The handling has a historical, statistical or scientific purpose. In this case measures need to be taken to end up with the holder’s identity deletion.

The information that complies with the established conditions by law can be provided to the following individuals:a) To the holders, their successors (if they are missing) or their legal representatives.b) To public or administrative entities in exercise of their legal functions or by judicial order.c) To a third person authorized by the holder or by the law.

EXSIS has assigned as the responsible area to take care of compliance of this policies within the company - the configuration management area- with support of the juridical direction, functional areas that coordinate and handle the holder’s personal data and data security professionals. This department will be ready to resolve requests, inquiries and claims from the holders and to update, modify, delete personal data over the e-mail habeasdata@exsis.com.co

EXSIS has a Manual of complaints and claims (PR_003 Complaints and Claims), the above mentioned document specifies the procedure that is demanded to resolve issues. a) consultations:The Holders or their successors will be able to consult the holder’s personal data which EXSIS has, EXSIS will give all data contained in individual records that is linked to the holder’s identification.The consultation will be sent through the e-mail habeasdata@exsis.com.co The consultation will be taken care of with a deadline of twenty-four (24) hours from its receiption date. When it woul not be possible to respond within thee above mentioned term, the interested party will be informed, expressing the reasons of the delay and indicating the resolution date for the consultation, which needs to be provided not later than within five (5) working days from the first expiration date.b) Claims:The Holder or his or her successors who consider the data contained in a database must be object of correction, update or deletion, or when they warn a possible non compliance of any of the legal duties they will be able to file a claim before EXSIS which will be handled with following the rules below:i. The holder’s claim will be done directly to EXSIS and the claim should be sent to the e-mail habeasdata@exsis.com.co with the holder’s identity, the facts description which originated the claim, the address, and with all necessary support documentation. If the claim is incomplete, the interested party will be required to provide complete information within twenty-four (24) hours. two (2) months later after the requirement, without providing the required data, is understood as cancelation of the right to claim.ii. if the claim receiver is not competent to resolve it, it will transfer the claim to a competent person in a maximum term of two (2) working days and he or she will inform about the situation to the interested party.iii. Once the e-mail is received in the e-mail address habeasdata@exsis.com.co with complete information about the claim, it will be flagged with "claim in process" and the reason why it occurred in not later than two (2) working days. The above mentioned tag will be there until it gets a final resolution.iv. The maximum deadline to take care of the claim will be fifteen (15) working days from the day of reception. If it was not possible to take care of the claim within the above mentioned term, the the interested party will be informed of the delay and the reasons for this to happen and date to look into the claim, which cannot exceed eight (8) working days from the first expiration date.c) Request of update, modification and data suppression.EXSIS will modify and update, upon holder’s request, data which is incomplete or inaccurate, according to the procedure and the terms in this document, for this the holder will send the request to the e-mail habeasdata@exsis.com.co indica- ting the update, modification and data suppression and will provide support documentation for his request.d) Revocation of the authorization and/or data suppressionThe holders’ personal data can revoke the personal data handling authorization at any moment, and any time only if a legal disposition does not prevent it from happening, for this EXSIS will provide the holder with the e-mail habeasdata@ exsis.com.co.If the respective legal term is due, EXSIS, according to the case, has not deleted the personal data, the Holder will request the Supervision of Industry and Commerce to revoke the authorization and/or the personal data suppression. In this situation the procedure described in the 22nd article of the 1581 Act from year 2012 will be applied.

The Policy is available to the Holders of Data from the 1st of July year 2013 and can be consulted on the website "www.exsis.co"Any substantial modification to the policy about the responsible person or purposes of data handling will be notified before implementing any changes to the Holders using the web page "www.exsis.co" or any other efficient mechanism for this purpose.