Data Processing Policies


Alianza Explora SAS commercial establishment (hereinafter, identified with the NIT. 900.987.559-5, with its main address at Calle 36 # 26 - 48 Int 110 Office 301, Bucaramanga, Colombia, recognizes the importance of security, privacy and confidentiality of personal data of its customers, users, employees, suppliers, shareholders, partners and in general all its stakeholders with respect to which it processes personal information, so in compliance with the constitutional and legal provisions, adopted this Política para el tratamiento de datos personales de

1. Applicable regulations

The following is a list of the main regulations in force in Colombia regarding the protection of personal data, to whose compliance is fully committed and which have been taken into account for the development of this Política y el Sistema Integral de Gestión de Datos Personales de

Article 15 of the Political Constitution of Colombia.
Statutory Law 1266 of 2008.
Law 1273 of 2009.
Statutory Law 1581 of 2012.
Decree 1377 of 2013.
Decree 886 of 2014.
Decree 1074 of 2015.
Title V of the Sole Circular of the Superintendence of Industry and Commerce.

Translated with (free version)

2. Context and scope

According to Article 15 of the Political Constitution of Colombia, all persons have the right to know, update and rectify the information held about them in data centers. For its part, Law 1581 of 2012, established the general regime of Personal Data Protection in Colombia, developing the constitutional principles under which everyone has the right to know, update and rectify the personal information held in databases or files (manual or automated), and to receive truthful and verifiable information. In as responsible for information, we have a special regulation on the Data Protection of our customers, and we define processes and policies that seek to ensure confidence, security and quality in the use of information. receives, registers, keeps, modifies, reports, consults, delivers, shares and eliminates information with the authorization of the owner of the same. The data allow us to offer and provide information on products and services to consult, report and update before the operators of information and risk; update the status of contractual relations, comply with the agreed obligations, prevent the risk of money laundering, terrorist financing, among others. obtains the authorization of the owner of the data through different means, such as written, verbal or virtual authorization for the purposes described in this policy.

3. Addressees

The present policy is directed to our clients, users, collaborators, suppliers, allies and in general our stakeholders about whom processes personal information.

4. Definitions

The following definitions shall be taken into account for the purposes of this policy:

Authorization: is the prior, express and informed consent of the owner of the information to carry out the processing of personal data.
Privacy Notice: is the verbal or written communication that aims to inform the owner of the data about the data protection policy of
Database: organized set of personal data subject to processing.
Causahabiente: is the person who has succeeded another, because of his death (can also be understood as heirs or legatees).
Personal Data: any information linked or that may be associated to one or several determined or determinable natural persons.
Public Data: data that the law or the Constitution determines as such, as well as all those that are not semi-private or private.
Private Data: data that, due to its intimate or reserved nature, is only relevant to the owner of the information.
Semi-private data: data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons.
Sensitive Data: data that affects the privacy of the owner or whose improper use may lead to discrimination.
Data Processor: natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of the data controller.
Data Controller: natural or legal person, public or private, which by itself or in association with others, performs the processing of personal data.
Data subject: natural person whose personal data is the object of processing. For will be holders of information customers, users, partners, suppliers, partners, shareholders, visitors, our stakeholders and any other natural person whose data are processed by, either directly or indirectly.
Data Transfer: occurs when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.
Data Transmission: processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when the purpose of the processing is carried out by the processor on behalf of the data controller.
Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression.

5. Guiding principles for the processing of personal data is committed to the holders of the information to treat their personal data in accordance with the following principles:

Principle of legality of data processing is aware that the treatment referred to in Law 1581 of 2012 is a regulated activity that must be subject to the provisions therein and other provisions that develop it.

Principle of finality will process the data for a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the owner..

Principle of freedom will process data only with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate.

Principle of truthfulness or quality

The information to be processed must be truthful, complete, updated, verifiable and understandable. prohibits the processing of fractioned or misleading data.

Principle of transparency knows that the owners of the information have the right to obtain at any time and without restriction, information about the existence of data concerning him/her.

Principle of restricted access and circulation

The treatment is subject to the limits derived from the nature of the personal data, the provisions of Law 1581 of 2012 and the Constitution. In this sense, the treatment may only be done by persons authorized by the owner and/or by the persons provided by law. With the exception of public information, will not make personal data available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to holders or authorized third parties in accordance with law 1581 of 2012.

Safety principle will handle the information subject to treatment referred to in Law 1581 of 2012, with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

Principle of confidentiality

All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when this corresponds to the development of the activities authorized in Law 1581 of 2012 and under the terms of the same.

6. Authorizations will request authorization so that the owner of the information grants prior, express and informed consent to the treatment to which their personal data are subject. The authorization may also be obtained from unequivocal conduct of the owner of the data, which allow us to reasonably conclude that he/she gave his/her consent for the processing of his/her information. Such conducts must clearly externalize the will to authorize the processing. The consent of the owner may be obtained by any means that may be subject to subsequent consultation, such as written, verbal, virtual communication or by unequivocal conduct. By virtue of its nature and corporate purpose, receives, collects, records, preserves, stores, modifies, reports, consults, delivers, transmits, transfers, shares and deletes personal information, for which it obtains the prior authorization of the owner.

The authorization granted by the owners of the information to allows, among other things, the realization of the following purposes: will keep proof of such authorizations in an appropriate manner, ensuring and respecting the principles of privacy and confidentiality of information. Learn here the authorization for the treatment of personal information signed by our customers.

Likewise, in when dealing with information related to the following types of data, the following special considerations will be taken into account:

Sensitive Data

For the treatment of sensitive data, will inform the owner of the data as follows:

For the treatment of this type of information the holder is not obliged to give his authorization or consent.
It will be informed explicitly and in advance what kind of sensitive data will be requested.
The treatment and purpose of the sensitive data will be communicated.
The authorization of sensitive data shall be prior, express and clear.

Data on children and adolescents. will ensure that the processing of this type of data is carried out in accordance with the rights of children and adolescents. In this sense, their special nature will be protected and will ensure respect for their fundamental rights, in accordance with the provisions of articles 5, 6 and 7 of Law 1581 of 2012, and articles 6 and 12 of Decree 1377 of 2013, and other rules that modify or add to them. For purposes of complying with the above, shall act in accordance with the following: informs all its stakeholders that, in accordance with Article 10 of Law 1581 of 2012, the authorization of the holder will not be necessary when dealing with:

7. Purposes

The following are the main purposes for which processes personal information:

Customers and/or users

Suppliers and allies

Aspirantes y colaboradores

The information that collects from applicants or candidates for positions within the organization is treated in order to perform the evaluation of income and the process of linking the applicant. The treatment of the personal information of our collaborators has as purpose the management of the existing labor relations with them, as well as the development of the different activities established by the organization. Among which we highlight the following:

In the case of former employees, will store, even after the end of the employment contract, the information necessary to comply with the obligations that may arise under the employment relationship that existed under Colombian law, or under the services that by virtue of the relationship may be provided, as well as provide labor certifications that are requested by the former employee or by third parties against whom the former employee carries out a selection process.


Shareholders' personal information and data, including personal information, contact information, as well as information and documentation provided through virtual channels, telephone channel, email and information updates will be collected, consulted, updated, modified and processed directly by and/or by third parties designated by it, for the following purposes:

Acceso a edificios, vigilancia y seguridad de las instalaciones informs all owners that the data collected directly at the security points of the administrative headquarters, buildings, branches and other facilities, which are provided in documents of security personnel, and the data obtained from video recordings that are made inside or outside the facilities of are used for security purposes of persons, property and facilities.

8. Duration of data processing

Personal data will be subject to treatment by during the contractual term in which the holder of the information has the product, service, contract or relationship, plus the term established by law.

9. Rights of the holder

The owners of the information that is processed by may:

In accordance with art. 20 of Decree 1377 of 2013, the exercise of the aforementioned rights may be exercised by the following persons:

10. Duties of as responsible for the personal data stored in its databases, undertakes to:

Likewise, it will require them to commit to accept and apply the provisions of this Personal Data Processing Policy and other guidelines established by or certify that their internal policies include at least the provisions set forth herein.

If it is not possible to issue the certification, must corroborate that the internal policies of the third parties and/or persons in charge include security and/or privacy criteria equivalent or superior to those provided herein. In this sense, the third parties and/or persons in charge must adopt the security and privacy measures and conditions for the personal data, which are shared with them, at least at the same level of protection adopted by

11. Attention to queries, complaints and claims

The owners of the information when they need to make a query, complaint or claim may make use of:


The owners, their assignees or any other person who may have a legitimate interest, may request to be informed about the personal data of the owner that are stored in any database of According to the above, will guarantee the right of consultation, giving to know the personal information linked to the owner. The consultations that deal with issues of access to information, proof of the authorization granted by the holder, uses and purposes of personal information, or any other query related to the personal information provided by the holder, must be submitted through the channels enabled by The query will be answered within a maximum period of ten (10) working days from the date of receipt of the same. When it is not possible to attend the consultation within the term provided, the interested party will be informed, indicating the reasons for the delay and the date on which the consultation will be attended, which shall not exceed five (5) business days following the expiration of the first term, in accordance with the provisions of Article 14 of Law 1581 of 2012.


Correction, updating, suppression and revocation of claims.

The owners, their assignees or any other person with a legitimate interest, who consider that the information contained in any of the databases of should be subject to correction, updating or deletion or who notice a possible breach of the duties established in Law 1581 of 2012 and its regulatory decrees, may file a claim following the requirements of Article 15 of the same law.

Requirements for filing a claim

In any case, if the claim is incomplete, the interested party will be required within five (5) days of receipt thereof to correct the faults. If after two (2) months from the date of the requirement, without the applicant submitting the required information, will understand that the claim has been abandoned. When is not the competent entity to resolve the claim submitted, it will be transferred to the appropriate party within a maximum period of two (2) working days, and the interested party will be informed of this situation. In the event that the claim is received complete, will be included in the database a legend that says "in process" and the reason for it, within a period not exceeding two (2) business days. This legend will remain until the claim is resolved and will be adjusted according to internal procedures. However, the maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to deal with it within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be resolved, which in no case may exceed eight (8) business days following the expiration of the first term. The owners, their assignees or any other person with a legitimate interest, may file a complaint with the Superintendence of Industry and Commerce, but only once they have exhausted the process of consultation or complaint to as responsible and / or any manager, in accordance with the provisions of Article 16 of Law 1581 of 2012.

Deletion of information

Channels of attention for queries, complaints and claims has enabled for the holders of personal data the following channels of attention for the exercise of their rights to know, update, rectify and / or delete their personal information.

Physical branches

Telephone branch office

E-mail box

Transferencia y transmisión de datos personales  is committed to verify the level of protection and security standards of the country receiving the personal information, make the declaration of conformity (when applicable) and sign a transfer contract or other legal instrument to ensure the protection of personal data transferred. By virtue of this exchange relationship,, has adopted several guidelines for the relationship with third parties, in order to protect the information subject of this activity. In order to protect the information, will verify if the Superintendence of Industry and Commerce has included the respective country in the list of countries that offer an adequate level of data protection or will review the regulations in force in the country receiving the information, to determine if it has the appropriate conditions to ensure adequate levels of security for the information subject to transmission or transfer.

12. Relationship with third parties and/or persons in charge

In the development of this Policy and internal provisions for the proper handling of personal data, will ensure that third parties with whom it is linked or with whom it establishes business relationships, labor or alliances, adapt their conduct to the regime of protection of personal data in Colombia.

In attention to the above,, without prejudice to all documentation, models and means provided for the request for authorization for treatment, privacy notices, records and contractual and / or legal coverage, may request third parties and / or managers suitable and relevant information to verify and observe compliance with the provisions contained in this policy and the regime of protection of personal data in Colombia.

In this sense, may request third parties and/or persons in charge to prove, before, during or after the relationship that binds them, compliance with the requirements of the personal data protection regime. In such a way that a review and supervision may be requested on an eventual or periodic basis, of compliance with legal and/or contractual requirements, through evidence or support of the management carried out, visits to the facilities of the third party, among other activities that may be coordinated to validate compliance.

13. Cookies in order to improve its service on the website and digital applications, uses its own and third party cookies to optimize the experience of our customers and users, monitor statistical information, present content and advertising related to user preferences when browsing our website, platforms and / or technological and / or digital applications.

The information collected through cookies is encrypted and will not be used to identify and / or disclose user information. Likewise, no user data is collected, such as: number of debit or credit cards, or other financial or credit information. For more information about the use of cookies on the website and digital applications, you can consult the policies on cookies has established or will establish

14. Policy and supplementary guidelines and amendments to this policy

By virtue of this policy, may develop policies on specific aspects (for example, cookies policy), as well as guidelines, directives and circulars aimed at its implementation, provided that they are consistent with the regulatory framework and this policy.

This policy may be modified at any time in order to adapt it to new practices that are developed or to legislative or jurisprudential developments in the field. Any update will be made available to the holders of personal information on the site in any other medium deemed relevant, indicating the effective date of the corresponding modification or update, as the case may be.

15. Validity

This Personal Data Processing Policy is effective as of the date of its approval (June 25, 2020).