Madero & Asociados S.A.S. (hereinafter, “Madero Law”) adopts this Personal Data Protection Policy (hereinafter, the “Privacy Policy” or this “Policy”). The purpose of this Privacy Policy is to ensure that Data Subjects whose Personal Data are processed in Databases or files managed by Madero Law may authorize, know, include, update, rectify, and delete their Personal Data or information collected about them.

This Privacy Policy is issued in compliance with the constitutional and statutory provisions governing personal data protection, including Article 15 of the Political Constitution of Colombia; Law 1266 of 2008; Law 1581 of 2012; and Decrees 1377 of 2013 and 886 of 2014, consolidated in Decree 1074 of 2015 (Single Regulatory Decree).

The procedures and guidelines established in this Privacy Policy apply to the Processing of any Databases or files created, managed, and/or maintained by Madero Law, whether acting as Controller or Processor.

This Privacy Policy is binding upon:

1. Madero Law and its partners;
2. Natural persons working at Madero Law, including those engaged under employment contracts or any other contractual modality;
3. Suppliers, subcontractors, or any other contractors of Madero Law;
4. Data Subjects, who may consult the procedure established herein to exercise their legal rights; and
5. Any other persons required to comply with this Privacy Policy pursuant to contractual provisions or binding regulations.

For the purposes of this Privacy Policy, the following definitions apply:

1. “Authorization”: Prior, express, and informed consent of the Data Subject for the Processing of Personal Data.
2. “Privacy Notice”: A verbal or written communication issued by Madero Law, as Controller, addressed to the Data Subject, informing about the existence of this Privacy Policy, the manner of accessing it, and the purposes of the intended Processing.
3. “Database”: An organized set of Personal Data subject to Processing.
4. “Automated Databases”: Databases stored and managed using IT or technological tools.
5. “Manual Databases”: Files organized and stored in physical form.
6. “Collaborator”: Any contractor, intern, or individual rendering services for Madero Law who is not considered an Employee. Includes persons engaged through third parties.
7. “Personal Data”: Any information linked or that may be linked to one or more identified or identifiable natural persons, such as name, ID number, address, images, fingerprint, political views, trade union membership, worldview, education, or sexual orientation.
8. “Private Data”: Data of an intimate or reserved nature, relevant only to the Data Subject.
9. “Public Data”: Data not classified as private, semi-private, or sensitive. Examples include marital status, profession, trade, and status as a merchant or public servant. Such data may be contained in public records, public documents, official gazettes, or final judicial decisions not subject to confidentiality.
10. “Semi-Private Data”: Data not intimate, reserved, or public, whose knowledge or disclosure may interest both the Data Subject and society in general.
11. “Sensitive Data”: Data affecting privacy or whose misuse may cause discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, health information, sex life, or biometric data.
12. “Processor (Encargado)”: The natural or legal person who processes Personal Data on behalf of the Controller.
13. “Information Operator”: The entity that receives Personal Data from the source, manages it, and provides it to users under the law.
14. “Publicly Accessible Sources”: Databases containing public data available for consultation by any person.
15. “Habeas Data”: The constitutional right allowing Data Subjects to demand access, correction, deletion, updating, or certification of their Personal Data.
16. “Reserved Public Information”: Information held by an obligated entity that is exempt from public access due to harm to public interests, pursuant to Article 19 of Law 1712 of 2014 or any norm that amends or replaces it.
17. “Personal Data Protection Officer”: The person designated by Madero Law to address Data Subjects’ requests regarding their rights.
18. “Controller (Responsable)”: The person or entity deciding on the Database and/or Processing of Personal Data.
19. “Data Subject (Titular)”: The natural person whose Personal Data are processed by Madero Law. This includes clients, suppliers, employees, and collaborators.
20. “Transfer”: The sending of Personal Data to a recipient who is also a Controller, inside or outside Colombia.
21. Transmission: The communication of Personal Data to a Processor, inside or outside Colombia.
22. “Processing”: Any operation performed on Personal Data, such as collection, storage, use, circulation, or deletion.

For the Processing of Personal Data, as well as in the development, interpretation, and implementation of this Policy, the following principles shall apply harmoniously and comprehensively:

1. Principle of Legality: The Processing of Personal Data by Madero Law shall be subject to the regulations in force in the Republic of Colombia.
2. Principle of Integral Interpretation of Constitutional Rights: The procedures and guidelines set forth in this Policy shall be interpreted to properly protect constitutional rights such as habeas data, the right to a good name, honor, privacy, and information. The rights of Data Subjects shall be interpreted in harmony and balance with the right to information set out in Article 20 of the 1991 Political Constitution and other applicable constitutional rights.
3. Principle of Purpose: The Processing of Personal Data carried out by Madero Law must pursue legitimate objectives in accordance with the Constitution and the law, which shall be communicated to the Data Subject.
4. Principle of Freedom: The Processing of Personal Data carried out by Madero Law may only be exercised with the prior, express, and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior Authorization, or absent a legal or judicial mandate waiving consent.
5. Principle of Truthfulness or Quality: Information subject to Processing must be truthful, complete, accurate, up to date, verifiable, and understandable. The Processing of partial, incomplete, fragmented, or misleading data is prohibited.
6. Principle of Transparency: Madero Law shall guarantee the right of Data Subjects to obtain from the Controller or Processor, at any time and without restrictions, information about the existence and content of Personal Data concerning them.
7. Principle of Restricted Access and Circulation: Processing by Madero Law is subject to the limits arising from the nature of Personal Data, as established in Law 1581 of 2012, Decree 1074 of 2015, the Constitution, habeas data provisions, and other applicable regulations. Processing may only be conducted by persons authorized by the Data Subject and/or those provided for in current regulations. Personal Data, except for public information, may not be made available on the Internet or other mass dissemination or communication media unless access is technically controllable to grant restricted knowledge only to Data Subjects or third parties authorized by law.
8. Principle of Security: Personal Data subject to Processing by Madero Law shall be handled with the technical, human, and administrative measures necessary to safeguard the records and prevent adulteration, loss, consultation, use, or unauthorized or fraudulent access.
9. Principle of Confidentiality: All persons involved in the Processing of Personal Data that are not public in nature are obliged to guarantee the confidentiality of the information—even after the termination of their relationship with any of the tasks comprising the Processing—and may only provide or communicate Personal Data when this corresponds to activities authorized by Law 1581 of 2012 and under the terms of this Policy.
10. Principle of Temporality: Personal Data shall be retained only for the time that is reasonable and necessary in accordance with the purposes that justified the Processing.
11. Principle of Demonstrable Accountability: Madero Law shall implement appropriate, effective, and verifiable measures to ensure compliance with legal obligations regarding the protection of Personal Data.

As Controller, Madero Law will carry out the Processing of Personal Data consisting of collecting, storing, organizing, using, processing, transmitting, transferring, updating, rectifying, recording, managing, deleting, and suppressing Personal Data, according to their nature and in line with the purposes established in the Authorization and in this Policy. This information may be used by Madero Law, its Employees, Collaborators, consultants, advisors, and third parties expressly authorized by Madero Law who require access to this information to perform contracts and/or tasks for the benefit of Madero Law. Madero Law processes the Data Subjects’ Personal Data according to the purposes for which they were collected and in accordance with applicable laws, regulations, and contracts.

Processing may be carried out through physical, automated, or digital means, according to the type and method of collection (e.g., digital platforms, websites, cookies). On this basis, Madero Law may contact the Data Subject by telephone through calls and/or text messages such as SMS and/or MMS, or through digital means (instant messaging apps and social networks, such as WhatsApp), either directly or through third parties.

Madero Law may transmit and/or transfer Personal Data to parent companies, affiliates, subsidiaries, any related company, and, in general, to third parties in Colombia or abroad so that they may process such data for the purposes authorized by the Data Subject and/or contained in this Policy.

The Data Subject acknowledges and accepts that the information provided may be stored, processed, or managed on servers located within or outside the national territory, including countries that may not have data protection levels equivalent to those of the contractual jurisdiction. Consequently, the Data Subject grants express consent for such information to be transferred to and hosted on those servers, in accordance with the terms set forth herein.

The receiving party shall adopt reasonable measures to ensure the security, confidentiality, and integrity of the information, in line with national and international data protection standards, and shall execute any agreements necessary to ensure the proper Processing of Personal Data for exclusively administrative or operational purposes.

Personal Data collected and processed by Madero Law are included in Databases accessible to authorized Employees and Collaborators of the company in the performance of their functions, or to third parties expressly authorized by Madero Law. Processing shall be carried out in accordance with the purposes set forth in this Policy, the Privacy Notice, and those expressly authorized by the Data Subject at the latest at the time of data collection.

Madero Law will process your Personal Data based on the following general purposes:

1. Carry out activities and actions necessary to fulfill Madero Law’s corporate purpose and ordinary course of business, including campaigns, projects, and innovation initiatives.
2. Fully comply with pre-contractual, contractual, and post-contractual duties and obligations.
3. Send advertising and commercial information and communicate events of interest.
4. Adequately know the Data Subjects with whom relationships are proposed and services are to be provided, and assess the present or future risk of such relationships and services.
5. Contact Data Subjects to send information related to the contractual and obligational relationship, as applicable.
6. Communicate, publicize, and/or provide information related to products and/or services of Madero Law or third parties.
7. Conduct satisfaction surveys regarding products and services offered by Madero Law or third parties.
8. Conduct market research, surveys, statistics, and similar activities.
9. Undertake strategic, economic, financial, and commercial planning.
10. Carry out information updating processes.
11. Transfer and/or Transmit Personal Data within and outside the country to related companies, commercial allies, or any third party pursuant to a commercial or contractual relationship, legal obligation, or lawful link that so requires, to process the data in accordance with the Authorization granted by the Data Subject.
12. Enable the exercise of Data Subjects’ rights.
13. Perform accounting, administrative, logistics, and commercial management.
14. Control risks of money laundering, terrorist financing, corruption, transnational bribery, fraud, and similar risks, including checks against national and international lists and databases for the prevention of unlawful activities.
15. Allow access to Madero Law’s premises and safeguard the security of persons, assets, and facilities, which may include video surveillance activities.
16. Submit reports to supervisory and control authorities and respond in a timely manner to requests made by various administrative or judicial authorities.
17. Present evidence in administrative proceedings and in judicial, arbitral, or alternative dispute resolution mechanisms.
18. Any other purposes determined by Madero Law in its capacity as Controller.

In addition to the general purposes set forth in Article 8 of this Policy, the Processing of clients’ Personal Data shall be carried out for the following specific purposes:

1. Address requests submitted by the client.
2. Provide the contracted services.
3. Transfer or Transmit information to national or international contractors of Madero Law involved in the provision of the contracted services, in order to provide such services and in accordance with the Authorization granted by the client.
4. Maintain a history of commercial relationships.
5. Collect and use transactional and market intelligence data for transactional information platforms, directories, and law firm rankings.
6. Collect and use information for commercial research and for marketing and advertising of products of Madero Law and third parties.
7. Carry out information updating processes.
8. Perform billing and collection processes.
9. Verify legal and commercial suitability.
10. Verify and consult Personal Data in public or private, national and international lists and databases related directly or indirectly to judicial, criminal, tax, disciplinary records, liability for harm to state property, disqualifications and incompatibilities, money laundering, terrorist financing, corruption, transnational bribery, wanted lists, and other databases or systems reporting links to any unlawful activities.
11. Consult, at any time, databases managed by credit bureaus or other operators, for all relevant information to assess the Data Subject’s (or their company’s) performance as a debtor, payment capacity, and feasibility of entering into or maintaining a contractual or commercial relationship. This may be done for the benefit of Madero Law or third parties, including offering third-party products based on such information.
12. Report to credit bureaus or other data operators regarding compliance or non-compliance with credit obligations of the Data Subject (or the company they represent), legal obligations of a patrimonial nature, location and contact details, credit applications, and other matters relating to the Data Subject’s commercial, financial, or socioeconomic relationships.
13. Transfer and/or Transmit information to national or international allies with whom Madero Law develops activities and commercial relationships in accordance with its corporate purpose, to develop marketing and advertising activities and any other activities aligned with its corporate purpose and in accordance with the Authorization granted by the client.
14. Transfer and/or Transmit information to third parties for the development of commercial relationships, product and service improvement, centralized storage, and marketing and advertising activities.
15. Comply with requirements from authorities.

In addition to the general purposes set forth in Article 8 of this Policy, the Processing of suppliers’ Personal Data shall be carried out for the following specific purposes:

1. Perform the provision of the contracted services.
2. Send advertising and commercial information and communicate events of interest.
3. Handle requests and claims.
4. Manage procedures for initiation, development, execution, and termination of contracts.
5. Comply with contractual or legal obligations.
6. Verify and consult Personal Data in public or private, national and international lists and databases related directly or indirectly to judicial, criminal, tax, disciplinary records, liability for harm to state property, disqualifications and incompatibilities, money laundering, terrorist financing, corruption, transnational bribery, wanted lists, and other databases or systems reporting links to any unlawful activities.
7. Carry out information updating processes.
8. Contact Data Subjects to send or receive information related to the executed contract.
9. Comply with Madero Law’s internal policies.
10. Manage administrative, accounting, tax, financial, operational, and logistics aspects associated with the fulfillment of obligations by both parties.
11. Maintain a history of commercial relationships.
12. Transmit and/or Transfer information to third parties, within and outside the country, for the development of contractual relationships and/or any management related to the Controller’s activities.
13. Consult, at any time, databases managed by credit bureaus or other operators for all relevant information to assess the Data Subject’s (or their company’s) performance as a debtor, payment capacity, and feasibility of entering into or maintaining a contractual or commercial relationship. This may be done for the benefit of Madero Law or third parties, including offering third-party products based on such information.
14. Report to credit bureaus or other data operators regarding compliance or non-compliance with credit obligations of the Data Subject (or the company they represent), legal obligations of a patrimonial nature, location and contact details, credit applications, and other matters relating to the Data Subject’s commercial, financial, or socioeconomic relations.
15. Comply with requirements from authorities.

In addition to the general purposes set forth in Article 8 of this Policy, the Processing of Personal Data of persons applying to work at Madero Law, its employees, former employees, and Collaborators shall be carried out for the following specific purposes:

1. Execute and fulfill the purpose of the employment contract or any other agreement governing their engagement with Madero Law.
2. Manage human resources.
3. Review, verify, and monitor the use of technological tools and work equipment provided.
4. Conduct investigations in disciplinary proceedings.
5. Fully comply with pre-contractual, contractual, and post-contractual duties and obligations.
6. Comply with labor law obligations and those related to the comprehensive social security system, including enrollments with third-party entities as applicable.
7. Manage requests, complaints, or claims.
8. Develop and administer hiring processes.
9. Make payments of salaries, bonuses, parafiscal contributions, insurance, among others.
10. Comply with administrative and/or judicial orders.
11. Conduct performance evaluations, surveys, and training programs, whether internal or by third parties.
12. Carry out information updating processes.
13. Offer extra-legal benefits.
14. Conduct wellness activities.
15. Manage logistics related to the provision of legal services, including but not limited to booking air tickets, lodging, transportation, meals, and other services associated with domestic and international travel.
16. Comply with internal policies and the internal work regulations.
17. Conduct investigations, use and present evidence, and impose disciplinary sanctions, as applicable.
18. Contact the Data Subject to perform the purpose of the contract or selection process, and to send relevant and interest-based information.
19. Verify and consult Personal Data in public or private, national and international lists and databases related directly or indirectly to judicial, criminal, tax, disciplinary records, liability for harm to state property, disqualifications and incompatibilities, money laundering, terrorist financing, corruption, transnational bribery, wanted lists, and other databases or systems reporting links to any unlawful activities.
20. Transmit and/or Transfer information to third parties, within and outside the country, for the development of contractual relationships and/or any other matter related to the Controller’s activities.

In addition to the general purposes set forth in Article 8 of this Policy, the Processing of Personal Data of visitors and persons entering Madero Law’s premises shall be carried out for the following specific purposes:

1. Verify the identity of persons entering the premises and maintain an updated log of entries and exits as a measure of institutional security and risk prevention.
2. Safeguard the integrity of employees, contractors, visitors, documents, assets, and the firm’s physical infrastructure.
3. Record and use CCTV camera footage or images to conduct internal investigations and/or present them to the authorities.
4. Monitor common areas through security cameras for deterrent, preventive, evidentiary, and internal control purposes.
5. Facilitate evacuation processes, medical assistance, or contact with family members or authorities in emergency situations.
6. Address requests from administrative, judicial, or oversight authorities, as applicable.

All Processing of Personal Data by Madero Law must be authorized in advance, expressly, and in an informed manner by the Data Subject, unless the data is public in nature and/or there is another legal justification allowing the Processing. Even in such cases, the remaining provisions contained in the regulations and in this Policy shall be observed.

Authorization may be granted through physical or technical means that facilitate the expression of the Data Subject’s will. Such Authorization shall be deemed to meet legal requirements when granted: (i) in writing; (ii) orally; or (iii) through unequivocal conduct allowing a reasonable conclusion that the Data Subject consented to the Processing of their Personal Data, provided that such Authorization can be subsequently consulted. Silence shall never be construed as unequivocal conduct.

Madero Law shall keep a copy or evidence of the Authorization obtained, which may be consulted by the Data Subject or by competent authorities upon request.

Given the nature of the services and products offered by Madero Law, it may be necessary to process Sensitive Data, for example, data related to health, biometric data, membership in trade unions or political organizations, and Personal Data of minors. In Processing such data, Madero Law shall retain them with appropriate security measures and shall guarantee the best interests of minors and their fundamental rights.

When Processing minors’ Personal Data, Authorization must be granted by the minor’s legal representative, after the minor has been heard, in accordance with a reasonable assessment of the minor’s level of maturity, autonomy, and ability to understand the matter.

No activity may be conditioned on the Data Subject providing Sensitive Personal Data.

Any Authorization granted for the Processing of Personal Data in which Madero Law acts as Controller or Processor must contain at least the following information:

1. A description of the Processing to which the Personal Data will be subjected, including its objectives and the period during which they will be stored.
2. An express indication of the optional nature of the Authorization regarding the Processing of Sensitive Data and Personal Data of minors.
3. The rights afforded to the Data Subject under the law.
4. The means available to the Data Subject to exercise their rights.
5. Identification of Madero Law, including corporate name, physical or electronic address, and contact telephone number.
6. A notice that the Processing of Personal Data will not be indefinite but limited to the previously informed purposes and applicable legal terms.
7. The possibility for the Data Subject to revoke Authorization and/or request deletion of their Personal Data at any time, in accordance with the procedures set forth in this Policy and by law.

Pursuant to Article 10 of Law 1581 of 2012, Madero Law may process Personal Data without prior Authorization from the Data Subject in the following cases:

1. When information is requested by a public or administrative entity in the exercise of its legal functions or by court order.
2. When the data are public in nature.
3. In cases of medical or health emergency.
4. When the Processing has historical, statistical, or scientific purposes, provided that the Data Subject is not identifiable.
5. When data relate to the civil registry of persons.

In these events, although Authorization is not required, Madero Law shall ensure compliance with other principles and duties under applicable law, especially regarding security, confidentiality, and protection of the Data Subject.

The Data Subject shall have the following rights:

1. To know, update, request deletion of, and rectify their Personal Data before the Controllers or Processors. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fragmented, or misleading data, or data whose Processing is expressly prohibited or has not been authorized.
2. To request proof of the Authorization granted to the Controller, except when Authorization is expressly excepted as a requirement for Processing under Article 10 of Law 1581 of 2012.
3. To be informed by the Controller or the Processor, upon request, about the use given to their Personal Data.
4. To file complaints before the Superintendence of Industry and Commerce for violations of personal data protection regulations.
5. To revoke Authorization and/or request deletion of their Personal Data, except where a legal or contractual duty prevents deletion from the Controller’s databases. Revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce determines that the Processing has involved conduct contrary to Law 1581 of 2012 or the Constitution.
6. To access free of charge their Personal Data subject to Processing at least once per calendar month and whenever there are substantial modifications to the information Processing policies that prompt new consultations. For additional requests within the same calendar month, the Controller may charge the Data Subject the costs of shipping, reproduction, and/or certification, provided such costs are communicated in advance and do not exceed the actual expenses incurred by Madero Law.

These rights may be exercised via the following contact channel: info@maderolaw.com.

Madero Law, in its capacity as Controller of Personal Data, undertakes to comply with the duties established in Article 17 of Law 1581 of 2012, Decree 1377 of 2013, and other complementary regulations, and in particular the following:

1. Guarantee the full and effective exercise of the Data Subject’s rights.
2. Request and keep a copy of the Authorization granted by the Data Subject, when required for Processing.
3. Clearly and sufficiently inform the Data Subject about the objectives of Processing and the rights granted under the Authorization.
4. Maintain information under adequate security conditions to prevent adulteration, loss, consultation, use, or unauthorized or fraudulent access.
5. Update Data Subjects’ information and promptly communicate to the Processor any changes to previously supplied data.
6. Rectify information when incorrect and communicate the correction to the Processor.
7. Handle consultations and claims submitted by Data Subjects within the timelines established by law.
8. Inform the Data Subject, upon request, about the use given to their Personal Data.
9. Adopt effective internal policies and procedures to ensure compliance with data protection regulations, including handling consultations and claims.
10. Record in the databases the legends “claim in process” and “information under judicial dispute,” as applicable.
11. Refrain from circulating information disputed by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
12. Allow access to information only to persons authorized to know it.
13. Provide the Processor only truthful, complete, accurate, up-to-date, verifiable, and understandable information.
14. Ensure that the Processing carried out by Processors is limited to data whose use has been previously authorized by law.
15. Require the Processor to respect the security and confidentiality conditions of the information.
16. Inform the Processor when certain information is under dispute by the Data Subject, once the corresponding claim has been filed and until the process is concluded.
17. Promptly report to the Superintendence of Industry and Commerce any security incident affecting the information processed.
18. Comply at all times with the instructions and requirements issued by the Superintendence of Industry and Commerce in the exercise of its legal functions.

When it is not possible to make the Personal Data Processing Policy directly available to the Data Subject, Madero Law, as Controller, shall inform the Data Subject through a Privacy Notice that shall include at least the following:

1. The existence and objectives of the Processing of Personal Data.
2. The minimum information that must be provided to the Data Subject in order to obtain Authorization for the Processing of Personal Data, pursuant to Article 15 of Decree 1377 of 2013.
3. The rights of the Data Subject under applicable regulations (to know, update, rectify, delete, revoke Authorization, among other recognized rights).
4. The channels and means provided by Madero Law to exercise such rights.
5. The Controller’s contact details: corporate name, physical and electronic address, and telephone number.
6. The manner and link through which the Data Subject may consult the full Processing Policy.
7. The mechanism by which the Data Subject will be informed about substantial changes to the policy or the notice.
8. A clear warning about the possibility of revoking Authorization and requesting deletion of Personal Data.

The Privacy Notice shall be permanently available on the official website of Madero Law: Privacy Notice.
Important Note: Madero Law reserves the right to modify the content of the Privacy Notice. Any substantial change will be timely communicated through publication in the Privacy Notice.

In order to fully uphold the constitutional guarantee of Habeas Data, Madero Law guarantees Data Subjects, their representatives and/or attorneys-in-fact, or their successors, the right to submit inquiries and claims regarding the Data Subject’s personal information held in any Database subject to Processing by Madero Law.

To this end, Madero Law shall process all inquiries and claims through the administrative area. Madero Law has enabled the email info@maderolaw.com for this purpose.

Important Note: The Data Subject, representatives and/or attorneys-in-fact, or successors must attach to the inquiry or claim a copy of their identification document and any other documents deemed necessary to support the request. If the inquiry or claim concerns a deceased Data Subject, the spouse, permanent partner, and/or successors must submit the request, attaching an authentic copy of the Data Subject’s death certificate and an authentic copy of the civil registry evidencing the relationship (marriage, birth, etc.) or an out-of-court statement in cases of de facto marital union.

The rules for addressing Inquiries submitted by Data Subjects, their representatives or attorneys-in-fact, or their successors, and for ensuring due compliance with Article 14 of Law 1581 of 2012, are as follows:

1. By communication to info@maderolaw.com, Data Subjects, their successors, representatives, and/or attorneys-in-fact may submit inquiries regarding the Personal Data stored in Madero Law’s Databases, such as requests for proof of Authorization, knowledge of collected Personal Data, and the Processing that has been carried out.
2. For filing and addressing the inquiry, the Data Subject must provide the following information:
   1. Full name (first and last name).
   2. Contact details (physical and/or electronic address and contact telephone numbers).
   3. Means to receive a response to the inquiry.
   4. A clear, specific, detailed, and substantiated description of the inquiry’s purpose.
   5. If the requester is not the Data Subject, they must establish and prove the legitimate interest with which they act, always attaching supporting documents.
3. The request will be analyzed to verify the Data Subject’s identity. If the request is submitted by a person other than the Data Subject and they do not prove that they are acting on the Data Subject’s behalf in accordance with current laws, the request will be rejected.
4. All inquiries shall be answered within a maximum of ten (10) business days from the date of receipt. When it is not possible to address the inquiry within this term, the interested party will be informed of the reasons for the delay and the date on which the inquiry will be addressed, which in any case may not exceed five (5) business days following the expiration of the initial term.

The procedure to address claims submitted by Data Subjects, in accordance with Article 15 of Law 1581 of 2012, is as follows:

1. By communication to info@maderolaw.com, Data Subjects, their successors, representatives, and/or attorneys-in-fact may submit claims regarding the Personal Data stored in Madero Law’s Databases, such as requests to update, correct, and/or delete Personal Data or to revoke Authorization.
2. For filing and addressing the claim, the Data Subject must provide the following information:
   1. Full name (first and last name).
   2. Contact details (physical and/or electronic address and contact telephone numbers).
   3. Means to receive a response to the claim.
   4. Reasons/facts giving rise to the claim with a brief description of the right to be exercised (to know, update, rectify, request proof of Authorization, revoke, delete, access the information).
   5. If the requester is not the Data Subject, they must establish and prove the legitimate interest with which they act, always attaching supporting documents.
3. The request will be analyzed to verify the Data Subject’s identity. If the request is submitted by a person other than the Data Subject and they do not prove that they are acting on the Data Subject’s behalf in accordance with current laws, the request will be rejected.
4. The claim shall be submitted by a request addressed to Madero Law at info@maderolaw.com. If the claim is incomplete, the interested party will be asked within five (5) days following receipt to remedy the defects. If two (2) months elapse from the date of the request without the applicant providing the required information, it shall be understood that they have withdrawn the claim.
5. Madero Law will address the claim within a maximum term of fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in any case may not exceed eight (8) business days following the expiration of the initial term.

Data Subjects have the right to request total or partial deletion of their Personal Data from Madero Law’s Databases at any time, particularly in the following cases:

1. When they consider that the data is not being processed in accordance with the principles, duties, and obligations established by law or in this Policy. In such case, Madero Law will verify whether Processing contrary to the rules has occurred and will proceed with deletion if appropriate, or when so ordered by the data protection authority.
2. When Personal Data are no longer necessary or pertinent for the objective for which they were collected.
3. When the period necessary to fulfill the objective that justified collection or Processing has elapsed.

Notwithstanding the foregoing, the right to deletion is not absolute. Madero Law may deny the request in the following events:
When the Data Subject has a legal or contractual duty to remain in the database, or the Controller is legally obliged to retain the information.

1. When deletion of the data would hinder ongoing judicial or administrative proceedings related to tax obligations, criminal investigations, or administrative sanctions.
2. When the data are necessary to protect legally protected interests of the Data Subject, to carry out an action in the public interest, or to comply with a current legal or contractual obligation.
3. When the data correspond to accounting records required by law, e.g., data of completed transactions. In such cases, Madero Law will not delete the data, as the purpose for which they are collected corresponds solely to the purpose required by law.

In such case, Madero Law will notify the Data Subject in writing of the reasons for accepting or denying the deletion request.

Data Subjects may at any time request the total or partial revocation of the Authorization granted to Madero Law for the Processing of their Personal Data, provided that there is no legal or contractual obligation justifying their retention.

Revocation may refer to all initially authorized objectives or only to some of them, such as sending advertising information, commercial communications, newsletters, events, or surveys.

To exercise this right, the Data Subject must submit a request in accordance with Article 20 of this Policy, clearly indicating the scope of the revocation. The Company will assess the request’s admissibility under the terms established by this Policy and the law and will notify the Data Subject of its decision in writing.

Revocation of Authorization shall not proceed when:

1. There is a legal or contractual duty to continue Processing Personal Data.
2. Revocation would prevent or interfere with Madero Law’s compliance with legal or judicial obligations.
3. There are reasons of public interest or protection of third parties’ fundamental rights that justify the continuation of Processing.

Madero Law may use cookies and other identification technologies on the digital platforms it manages and operates—its website, electronic communications, advertisements, publicity, and other online services—for the following objectives: user authentication, enhancing the user’s online experience, enabling content sharing on social networks, measuring site traffic, and, in general, for the objectives contained in this Policy.

Madero Law has appointed a Personal Data Protection Officer, responsible for ensuring compliance with this Policy and addressing Data Subjects’ requests. To exercise their rights, Data Subjects may contact the Officer at: info@maderolaw.com.

Personal Data collected and, in general, processed by Madero Law will remain in the Firm’s Databases for as long as the Personal Data fulfill the objectives set forth in this Policy. Once those objectives have been fulfilled, and provided there is no legal or contractual duty to retain the information, the Data Subject’s Personal Data will be deleted from our Databases.

The following documents, adopted by Madero Law, form an integral part of this Personal Data Processing Policy, including but not limited to: the Privacy Notice, Authorization forms, and internal procedures for handling Data Subjects’ rights, provided that they are consistent with this Policy and current personal data protection regulations.

This Personal Data Processing Policy shall be effective as of the date of its publication.