Privacy Policy

WHAT INFORMATION DO WE REQUEST AND HOW DO WE USE IT?

At www.HolaMonday.com, we request information from our customers in an effort to enhance the experience and communication of products, services, and promotions. We collect data such as your name, email, and address, which you provide when registering on our site or placing an order. For security purposes, we do not directly request information about your payment methods, and such information remains private between you and our electronic payment system provider.

At www.HolaMonday.com, we may use the information collected online to process and fulfill your requests. We also use email addresses in various places within the site to send email communications related to your requests. Additionally, we maintain a record of your purchases and any other information that allows us to enhance and personalize your shopping experience. We also monitor the site to analyze traffic patterns in order to improve its design and the products and services we offer. At www.HolaMonday.com, we recognize the need to use your information responsibly.

To provide you with better service, we may cross-reference the information you provide through our website, www.HolaMonday.com, with publicly available information or with some partner establishments or subsidiaries. By cross-referencing this information, we can offer you more targeted communication about our products, events, promotions, or personalize your shopping experience.

Your personal data will not be rented or sold for any reason, but they may be shared when you participate in a giveaway conducted with another company with which we have partnered, which may be of interest to you.

SECURITY

When placing an order with us, we want you to feel confident that your personal information and credit card data are completely secure. At www.HolaMonday.com, in order to provide maximum security for the payment system, we use "secure payment" systems from top-tier financial institutions in e-commerce. In this regard, confidential payment data is transmitted directly and encrypted to the corresponding financial institution.



Through this document, the company Niños Pixies S.A.S., hereinafter referred to as the "Company," in compliance with the regulatory provisions set forth in Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other related regulations, implements its Policy for the Treatment and Protection of Personal Data (hereinafter the "Policy").

For these purposes, it is important to note that the Company is a commercial entity domiciled in Bogotá, specializing in "retail trade of clothing through the internet" as stated in its corporate purpose.

Therefore, in line with the Company's corporate purpose and in the exercise of its powers, it is possible to determine that there are personal data that constitute Databases owned by the Company, which are processed in accordance with the guidelines established in the current legal framework applicable in Colombia.

Hence, the Policy will be applied both to protect the personal data and transactional information currently processed by the Company and those that may be processed in the future as part of its economic activities.

GENERAL PROVISIONS

  1. Identification of the Controller. Niños Pixies S.A.S., a commercial entity identified with Tax ID 900839070-2, headquartered at Carrera 7 #148-71, Apt 602, Bogotá, phone (+57) 320 9938241, email hola@holamonday.com, and website www.HolaMonday.com.

  2. Objective. For the purposes of this Policy, the Company acts as the Data Controller for personal data collected directly from data subjects. Therefore, the main objective of the Policy is to define and subsequently determine all matters related to the procedures, principles, and security policies under which the Company will ensure the proper treatment of personal data collected in the course of its corporate purpose.

  3. Legal Framework. The Policy was developed in strict compliance with all provisions of the current legal regulations on this matter. Thus, this document complies with Articles 15 and 20 of the Colombian Constitution, Law 1581 of 2012, which establishes "general provisions for the protection of personal data," Regulatory Decree 1377 of 2013, and any other regulations that may modify, regulate, or supplement the applicable regulations on the Protection of Personal Data.

  4. Definitions. As stipulated in Article 3 of Decree 1337 of 2013 and Article 3 of Law 1581 of 2012, the following terms are defined throughout the Policy:

    • File: A set of data recorded as a single storage unit containing personal data.
    • Authorization: The prior, express, and informed consent of the data subject to carry out the processing of personal data, obtained at the time of data collection.
    • Privacy Notice: Verbal or written communication generated by the Controller, addressed to the data subject, for the processing of their personal data, informing them about the existence of the Information Processing Policy that applies, how to access it, and the purposes of the data processing.
    • Database: An organized set of personal data subject to processing.
    • Heir: A person who has succeeded another due to the latter's death.
    • Personal Data: Any information related to one or more identified or identifiable natural persons.
    • Public Data: Data that are not semi-private, private, or sensitive. Public data include, among others, information related to individuals' marital status, profession or occupation, and their status as traders or public servants. By nature, public data may be contained, among others, in public records, public documents, gazettes, official bulletins, and duly executed court rulings not subject to confidentiality.
    • Sensitive Data: Sensitive data refers to data that affect the data subject's privacy or whose misuse could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
    • Data Processor: A natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the Data Controller.
    • Data Controller: A natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of the data contained therein.
    • Data Subject: A natural person whose personal data are processed.
    • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
    • Transfer: Data transfer occurs when the Data Controller and/or Data Processor of personal data, located in Colombia, sends the information or personal data to a recipient who, in turn, is the Data Controller and is located inside or outside the country.
    • Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when it is intended for processing by the Processor, on behalf of the Controller.
    • Deletion: The action that the data subject requests from the Data Controller and/or Processor, exercising their right to freedom and purpose regarding their information.

    It should be noted that the definitions included in this Policy were taken from the applicable regulations in effect at the time, which regulate the proper protection of personal data of natural persons concerning their circulation and processing.

  5. Principles. In accordance with current regulations, the Company has incorporated the general principles related to the processing of personal data into the Policy. These principles have a broad application that encompasses the entire content of the Policy. These fundamental principles are taken from Article 4 of Law 1581 of 2012.

  6. Validity and Application. The Databases and the Policy will have an indefinite term, in accordance with the duration of the Company's corporate purpose.

    The Policy will apply to the processing of Databases in which the Company acts as the Data Controller and/or Processor, starting from the date of its publication, rendering ineffective any other institutional provisions contrary to it.

    Therefore, any situation not covered by the Policy will be regulated in accordance with the General Data Protection Regulations in force in Colombia and other applicable regulations on this matter.

RESPONSIBILITIES OF THE DATA CONTROLLER AND/OR PROCESSOR – RIGHTS OF DATA SUBJECTS

  7. Duties of the Company as the Data Controller. The Company has the following duties as the Data Controller, which are derived from the applicable legislation, without prejudice to all other duties provided for in the regulations that govern or may govern this matter:

  • Ensure that the Data Subject can fully and effectively exercise their rights concerning their personal data at all times.
  • Only allow authorized persons to access the Data Subject's information.
  • Rectify the information when it is incorrect and communicate accordingly.
  • Request and retain a copy of the Authorization granted by the Data Subject for the processing of their personal data.
  • Properly inform the Data Subject about the purpose of data collection and the rights stemming from the granted Authorization.
  • Ensure that the information is truthful, complete, accurate, up-to-date, verifiable, and understandable. Moreover, always substantiate that the information must correspond to the personal data initially provided for processing.
  • Safeguard the information with physical and digital security measures to prevent tampering, loss, consultation, unauthorized or fraudulent use or access, and any conduct regulated and sanctioned by laws on computer crimes.
  • Timely update the information, addressing any changes regarding the Data Subject's data within a period not exceeding five (5) business days from the date of receipt of the request.
  • Implement all necessary measures to keep the information up-to-date.
  • Establish a data processing procedure regarding queries and claims that Data Subjects may make.
  • Identify when specific information is in dispute by the Data Subject.
  • Respect the security and privacy conditions of the Data Subject's information.
  • Process queries and claims in accordance with the deadlines set by the law.
  • Inform, at the request of the Data Subject, about the use of their data.
  • Comply with the requirements and instructions issued by the Superintendency of Industry and Commerce on the specific subject.
  • Refrain from circulating information that is being disputed by the Data Subject and is blocked by the Superintendency of Industry and Commerce or any other competent public entity in charge of making such decisions.
  • Use the Data Subject's personal data only for purposes for which it is duly authorized in accordance with the provisions of Law 1581 of 2012, Decree 1377 of 2013, and other regulations that develop and complement the matter.

  8. Assignment of Company's Personal Data to a Third Party. For the fulfillment of its corporate purpose, the Company may entrust the processing of personal data it holds to a third party. The purpose of this is to allow the third party to carry out communications, promotions, marketing, notifications, data updates, loyalty plans, special programs, and projects that enable, among other things, the fulfillment of the following purposes through physical and digital means:

    • Establishing, subscribing, or maintaining contractual relationships with Data Subjects.
    • Processing information required for labor and corporate matters of the Company.
    • Handling confidential, private, and non-disclosable information.
    • Fulfilling the purpose of the service as a supplier.

    All of the above while always respecting the purposes authorized by the data subject or authorized by law.

    The Data Processor of any Database provided or shared by the Company must comply with the following duties:

    • Ensure that the Data Subject can fully and effectively exercise the right to habeas data.
    • Update the information reported by the Company within five (5) business days from the date of receipt.
    • Timely carry out the Update, Rectification, or Deletion of data in accordance with the terms established by the Law.
    • Keep the information under the necessary security conditions to prevent tampering, loss, consultation, unauthorized or fraudulent use or access.
    • Process queries and complaints filed by Data Subjects in the terms established by the Law.
    • Record the legend "claim in process" in the Databases as regulated in the regulations related to the processing of personal data.
    • Insert the legend "information under judicial discussion" in the Database once notified by the competent authority regarding judicial processes related to the quality of personal data.
    • Adopt an internal policy of procedures to ensure compliance with the regulations related to the processing of personal data, especially for the handling of queries and claims by Data Subjects.
    • Allow access to the information only to persons authorized to access it.
    • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
    • Refrain from circulating information that is being disputed by the Data Subject and is blocked by the Superintendency of Industry and Commerce.
    • Inform the Superintendency of Industry and Commerce of any violations of security codes and risks in the management of Data Subjects' information.

  9. Rights of Data Subjects. According to the applicable data protection law, the following are the rights of Data Subjects who have authorized the processing of their data by the Company:

    • Access, know, update, rectify, and delete their personal data from the Company in its capacity as the Data Controller.
    • File complaints with the Superintendency of Industry and Commerce for breaches of Law 1581 of 2012, following the consultation or requirement procedure with the Company.
    • Request proof of the Authorization granted by the Data Subject or the Data Controller to the Company, by any valid means.
    • Be informed by the Company, upon request, about the use it has made of their Personal Data.
    • Revoke the Authorization or request the Deletion of data when the processing does not comply with constitutional and legal principles, rights, and guarantees.
    • Access their Personal Data that have been processed by the Company free of charge.

    The Company acknowledges that the personal data in its Databases belong to the Data Subject who authorized their processing.


INFORMATION PROCESSING

    10. Data Collection Channels. The Data Subject may authorize the Company to process their personal data through various means, including but not limited to:
    • Physical documents
    • Electronic documents
    • Data messages
    • Internet
    • Websites
    • Any other format that allows the Data Subject's consent through unequivocal conduct, through which it can be concluded that if the Data Subject or the authorized person had not performed such conduct, the data would not have been stored or captured in the Database.

    Authorization will be requested by the Company prior to the processing of personal data.

    11. Mechanisms for Collecting Personal Data. The Company collects Personal Data through the following mechanisms:

    • Virtual: The Company collects personal data using non-presential technological means previously enabled (Website and Official Social Media Accounts), following established formats.
    • Written: This method involves the physical and in-person collection of personal data by the Company in the course of its business activities, such as in documents related to the constitution or modification of the shareholding composition of the company, contracts with Suppliers, contracts with employees, candidate resumes, and data capture forms in establishments owned or operated by third parties.

    12. Information Capture Fields. In accordance with data protection principles, the collection of personal data will be limited to those that are relevant and appropriate for the purpose for which they are collected or required by the Company.

    13. Authorization for the Use of Personal Data. The Company, acting as the Controller of personal data and Transactional Information, obtains clear, express, prior, informed, and unambiguous authorization from Data Subjects through electronic forms, data collection formats, and other means it deems necessary.

    For this purpose, the Company will request authorization from Data Subjects, informing them of the purpose for which their personal data will be processed, except in cases expressly authorized by law, which are regulated in Article 10 of Law 1581 of 2012.

    14. Revocation of Authorization. All Data Subjects can revoke their authorization granted to the Company for the processing of their personal data at any time and even request the deletion or removal of their personal data from the Databases, provided that such action does not contravene current legal or contractual provisions.

    The Company will ensure that Data Subjects have easy access to these requests, establishing simple and straightforward mechanisms to allow Data Subjects to revoke their authorization or request the deletion of their personal data, at least through the same means by which they initially granted it.

    In the case of revocation of consent, Data Subjects should note that revocation can be total or partial with respect to the authorized purposes. (i) If revoked entirely, the Company must cease any processing of the data provided by the Data Subject; (ii) if revoked partially, only for specific types of processing, the Company will cease processing for the purposes expressly revoked by the Data Subject. In this latter case, the Company may continue processing personal data for purposes that were not revoked.

    15. Processing of Data and Purpose. The Company will process the data of Data Subjects with whom it has established a relationship as the Controller of Processing and Transactional Information for the provision of value-added services, following the provisions of Law 1581 of 2012 and Law 1266 of 2008, as applicable, and in general for the fulfillment of its corporate purpose.

    In any case, the Company will collect and process the personal data of Data Subjects for specific purposes, which vary depending on the Database, as described below:

    Payroll:

    • Conduct selection processes.
    • Develop and execute the employment relationship, if established.
    • Send information through any means (email, physical mail, SMS, phone calls, data messages, etc.) regarding selection processes, employment contract execution, sick leave, payments, campaigns, product and service information, activity notifications, promotions, offers, and launches.
    • Conduct training and development programs.
    • Perform performance evaluations.
    • Provide employment or commercial references when requested.
    • Validate employment or commercial references provided by the Data Subject.
    • Provide personal commercial information for the execution of contractual relationships acquired by the Company with third parties.
    • Update personal data.
    • Consult, report, process, and disclose all information related to financial, commercial, and service behavior to any Information Operator (Credit Bureau) or any national, foreign, or multilateral public or private entity that manages or handles databases for commercial and credit service purposes.
    • Initiate affiliation procedures for the social security system.
    • Process biometric data for the implementation and use of access and security systems requiring biometric authentication.

    Purchases, Payments, and Accounting:

    • Establish communication channels with the Data Subject, including email, phone calls, SMS, or any known or future communication channel, provided it is authorized by the Data Subject.
    • Create and manage purchase orders.
    • Manage payments to suppliers.
    • Analyze information for statistical purposes.
    • Provide personal commercial information for the execution of contractual relationships acquired by the Company with third parties.
    • Request proposals and quotations.
    • Handle complaints.
    • Contact potential or current suppliers for purchases and contracts.
    • Send and request information about product performance.
    • Update personal data.
    • Evaluate the quality of contracted products and services.
    • Conduct marketing and advertising activities related to the Company's corporate purpose.
    • Consult, report, process, and disclose all information related to financial, commercial, and service behavior to any Information Operator (Credit Bureau) or any national, foreign, or multilateral public or private entity that manages or handles databases for commercial and credit service purposes.
    • Analyze, evaluate, and consult the information provided by the Data Subject in lists for the control of money laundering and terrorism financing administered by any national or foreign authority.

    Commercial:

    • Establish communication channels with the Data Subject, including email, phone calls, SMS, or any known or future communication channel, provided it is authorized by the Data Subject.
    • Offer incentives to customers to boost sales through discounts, gifts, bonuses, or any activity related to customer loyalty.
    • Conduct transactional behavior studies, consumption habits, and interests for the offering of its own services, third-party services, or future partners' services for the execution of segmented strategies.
    • Handle customer service procedures and complaints of all types.
    • Execute data updating and commercial campaigns.
    • Coordinate, execute, and promote strategic campaigns of the Company and the offering of services.
    • Conduct surveys to understand customer preferences.
    • Send commercial campaigns.
    • Generate sales invoices.
    • Share personal commercial information with partner companies, associates, branches, franchises, subsidiaries, and third parties with whom Data Processing Agreements have been signed for the offering of value-added services.
    • Consult, report, process, and disclose all information related to financial, commercial, and service behavior to any Information Operator (Credit Bureau) or any national, foreign, or multilateral public or private entity that manages or handles databases for commercial and credit service purposes.
    • Analyze, evaluate, and consult the information provided by the Data Subject in lists for the control of money laundering and terrorism financing administered by any national or foreign authority.
    • Invite Data Subjects to participate in training programs, logistical coordination, sales, or any other activity related to the Company's corporate purpose.

    Shareholders:

    • Establish communication channels with the Data Subject, including email, phone calls, SMS, or any known or future communication channel, provided it is authorized by the Data Subject.
    • Maintain a register of the Company's shareholders and the exercise of their rights.
    • Maintain the Shareholder Registry Book of the company.
    • Provide and deliver information regarding dividend or profit payments.
    • Analyze, evaluate, and consult the information provided by the Data Subject in lists for the control of money laundering and terrorism financing administered by any national or foreign authority.

    16. Processing of Data of Children and Adolescents. In the processing of personal data, the Company will ensure the respect of the prevailing rights of minors (children and adolescents). Therefore, in case of collecting personal data related to these individuals, compliance with Article 7 of Law 1581 of 2012 and other related provisions will be observed.

    17. Processing of Sensitive Personal Data. The Company acknowledges that it processes personal data that are sensitive in nature. Therefore, when collecting personal data of this nature, the Company will comply with Article 6 of Decree 1377 of 2013 and other related provisions.

    SECURITY MEASURES

    In order to ensure the protection of the personal data of third parties obtained through the channels authorized by this Policy, the Company has established a set of security measures that will be used and implemented to ensure the adequate protection of all information that is subject to processing.

    With the above, it is reasonably considered that the Company has adequate and sufficient document management and information protection models to properly comply with its legal obligations regarding the care and custody of information provided by third parties.

    18. Security Procedures. The Company, in its effort to achieve adequate protection of information covered by this Policy, has implemented various security mechanisms to safeguard and prevent any deterioration, loss, or leakage of information contained in its Databases.

    One of these mechanisms relates to the location of the Database, which is hosted in the cloud (Dropbox), with appropriate access controls in place, including:

    A logical security model that restricts user access to the data.

    PROCEDURES FOR HANDLING INQUIRIES AND CLAIMS

    19. Customer Service Channels. For handling inquiries and claims related to the processing of Personal Data, they may be submitted through the following URL:

    20. Procedure for Submitting an Inquiry. When the Data Subject wishes to inquire about, access information, or request a copy of the Authorization, the Customer Service department will respond to the inquiry within ten (10) business days from the date of receipt.

    If it is not possible to respond to the inquiry within the specified period, the requester will be informed of this situation, the reasons for the delay, and the date on which the request will be resolved, which in no case will exceed five (5) business days after the expiration of the initial term.

    21. Procedure for Submitting a Claim. When the Data Subject wishes to rectify, update, or delete any of their data or revoke their Authorization, the Customer Service department will respond to the claim within fifteen (15) business days from the date of receipt.

    If it is not possible to respond to the claim within the specified period, the requester will be informed of this situation, the reasons for the delay, and the date on which the request will be resolved, which in no case will exceed eight (8) business days after the expiration of the initial term.

    22. Response Medium. The Company will respond to inquiries and claims from Data Subjects within the deadlines established in sections 20 and 21 of this Policy, in writing, to the physical or electronic address provided by the requester for this purpose.

    If the requester provides both a physical and an electronic address or more than one of either, the Company will decide to which address the response will be sent.

    23. Authorized Persons to Submit Inquiries or Claims. In accordance with applicable regulations, the following persons are authorized to submit an inquiry or a claim to the Company:
    • Data Subjects
    • Heirs of the Data Subjects
    • Legal representatives
    • Public or administrative entities exercising their legal functions or by court order
    • Third parties authorized by the Data Subject or by law

    24. Database Updates. The Company will update its Databases permanently in accordance with the provisions of Law 1581 of 2012.

    25. Transfer of Data for Processing by Third Parties, National and International. The Company may transmit or transfer partially or totally Personal Data and transactional information to third parties in the country or abroad as part of its corporate purpose. For this purpose, the Company requests the Data Subject's Authorization and implements the necessary actions to comply with the legal provisions of Colombian law, through the signing of Data Transfer and Processing Agreements.

    26. Information Security. The Company has an Information Security Policy, which is an integral part of this Policy.

    27. Procedure for Amendments to this Policy. Each decision that determines the need to make any modification to this Policy will be recorded in writing and signed by the members.

    Any modification that follows the established procedure will become part of this Policy and will therefore be mandatory and immediately enforceable.

    28. Effectiveness. This Policy will take effect from the date of its publication and will supersede any other institutional provisions that are contrary to it. Any aspect related to the subject matter of this Policy that is not contained in it will be regulated in accordance with the General Regime for the Protection of Personal Data in force in the Republic of Colombia.