SMARTFASTPAY'S PERSONAL DATA PROCESSING AND PROTECTION POLICY
Legal SMARTFASTPAY'S PERSONAL DATA PROCESSING AND PROTECTION POLICY

SMARTFASTPAY'S PERSONAL DATA PROCESSING AND PROTECTION POLICY

COLOMBIA.

In accordance with Articles 15 and 20 of the Political Constitution of Colombia, Statutory Law 1581 of 2012, and Decree 1377 of 2013, SmartFastPay Colombia, a company identified with NIT 901.547.645 – 7 (hereinafter “SmartFastPay”), adopts this Personal Data Processing Policy (hereinafter the “Policy”) for the purpose of ensuring the proper handling of the Personal Data collected by SmartFastPay. Likewise, pursuant to the aforementioned regulations, we inform you that the Personal Data collected by SmartFastPay will be subject to collection, storage, updating, rectification, use, and circulation under the terms set forth in this Policy. In this Policy you will find the corporate guidelines, in accordance with Colombian law, under which we carry out the Processing of Personal Data, the purpose of the Processing, the rights granted to Data Subjects, as well as the internal and external procedures for the exercise and protection of such rights before SmartFastPay.

1. IDENTIFICATION OF THE CONTROLLER AND THE DATA PROTECTION OFFICER.

SMARTFASTPAY TEC & SERVE S.A.S.

NIT: 901.547.645 – 7

Principal domicile: Bogotá D.C.

Electronic address: leo@smartfastpay.com

Telephone: 3204540697.

Email address for data subject requests: dpo@smartfastpay.com

Name and title of the Personal Data Protection Officer (OPD): Fernando Arenas Molinet – Country Manager Colombia.

2. SCOPE.

This Policy shall apply to all Personal Data and/or files or any other type of information that is used or stored in SmartFastPay's Databases and that is subject to Processing by SmartFastPay as the Controller of Personal Data Processing.

This Policy guarantees compliance with the criteria for obtaining, collecting, using, Processing, handling, exchanging, Transferring, and Transmitting Personal Data, and establishes the responsibilities of SmartFastPay and its employees in the handling and Processing of the Personal Data stored in its Databases.

3. DEFINITIONS.

It shall be understood that any term defined in the singular shall also include its plural form and vice versa, unless the meaning of the text requires a different interpretation.

3.1. Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of Personal Data.

3.2. Data Protection Authority: The Superintendence of Industry and Commerce.

3.3. Privacy Notice: The physical, electronic, or any other known or yet-to-be-known format document made available to the Data Subject for the purpose of informing them about the Processing of their Personal Data. The Privacy Notice informs Data Subjects about the existence of the information processing policies that will apply, how to access them, and the characteristics of the Processing intended for the Personal Data.

3.4. Database: An organized set of Personal Data that is subject to Processing.

3.5. Merchant: A legal entity with which SmartFastPay has an established business partnership relationship.

3.6. Consent: A manifestation of will, informed, free, and unequivocal, through which the holder of personal data accepts that a third party uses their information.

3.7. Personal Data: Any information linked to or that may be associated with one or more identified or identifiable natural persons.

3.8. Sensitive Data: Data that affects the privacy of the Data Subject or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or organizations that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data.

3.9. Processor: A natural or legal person, public or private, that by itself or jointly with others processes Personal Data on behalf of the Controller.

3.10. Habeas Data: The right of every person to know, update, and rectify the information collected about them in files and databases of a public or private nature.

3.11. Platform: Tool developed and marketed by SmartFastPay.

3.12. Controller: A natural or legal person, public or private, that by itself or jointly with others decides on the database and/or the Processing of the data.

3.13. Data Subject: A natural person whose Personal Data is subject to Processing.

3.14. Transmission: Refers to the communication of personal data by the Controller to the Processor, located within or outside the national territory, so that the Processor, on behalf of the Controller, processes personal data;

3.15. Transfer: Refers to the act by the Controller and/or Processor, located in Colombia, of sending information or personal data to a recipient who is also a Controller and is located within or outside the country.

3.16. Processing: Any operation or set of operations performed on Personal Data, such as collection, storage, use, circulation, or deletion.

3.17. Users: A natural person, legal entity, or autonomous patrimony that uses SmartFastPay's services to execute payment orders or fund transfers.

3.18. Personal Data security breach: Any security breach resulting in the accidental or unlawful destruction, loss, or alteration of Personal Data stored or processed, or the unauthorized disclosure of or access to such data.

3.19. Notification principle: Data Subjects will be informed in a timely manner of any material change to this Policy before it enters into force, through the usual communication channels and SmartFastPay's website.

4. GOVERNING PRINCIPLES APPLICABLE TO PERSONAL DATA MATTERS.

4.1. Principle of legality in data Processing: The Processing of Personal Data shall be carried out within the applicable legal framework and in accordance with the Authorization granted by the Data Subject.

4.2. Purpose limitation principle: Processing must serve a legitimate purpose in accordance with the Constitution and the law, and such purpose must be informed to the Data Subject.

4.3. Principle of freedom: Processing may only be carried out with the prior, express, and informed Consent of the Data Subject. Personal Data may not be obtained or disclosed without prior Authorization, or in the absence of a legal or judicial mandate that exempts such Consent.

4.4. Principle of truthfulness or quality: Information subject to Processing must be truthful, complete, accurate, updated, verifiable, and understandable. The Processing of partial, incomplete, fragmented, or misleading data is prohibited.

4.5. Principle of transparency: Processing must guarantee the Data Subject's right to obtain from the Controller or the Processor, at any time and without restrictions, information about the existence of data concerning them.

4.6. Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the Personal Data, the provisions of the law, and the Constitution. In this regard, Processing may only be carried out by persons authorized by the Data Subject and/or by persons provided for by law. Personal Data, except for public information, may not be made available on the Internet or other means of mass disclosure or communication, unless access is technically controllable to provide restricted knowledge only to Data Subjects or third parties authorized by law.

4.7. Principle of security: Information subject to Processing by the Controller or Processor must be handled with the technical, human, and administrative measures necessary to provide security to the records and prevent their tampering, loss, consultation, use, or unauthorized or fraudulent access.

4.8. Principle of confidentiality: All persons involved in the Processing of Personal Data that is not public in nature are obliged to ensure the confidentiality of the information, even after their relationship with any of the activities comprising the Processing has ended, and may only supply or communicate Personal Data when this corresponds to the development of activities authorized by law and under its terms.

4.9. Principle of data minimization: The Processing of Personal Data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

4.10. Principle of storage limitation: The Processing of Personal Data shall be carried out for the time that is reasonable and necessary, in accordance with the purposes that justify the Processing. Once the purposes of the Processing have been fulfilled, and without prejudice to legal provisions stating otherwise, the Personal Data provided shall be deleted.

5. INTENDED RECIPIENTS.

This Policy is addressed to all natural persons whose Personal Data is included in SmartFastPay's Databases.

SmartFastPay assumes that the Data Subject's decision not to provide information that is indispensable in nature constitutes their withdrawal from the relationship they have with SmartFastPay.

6. PURPOSE OF PROCESSING.

The Personal Data provided by the Data Subject to SmartFastPay shall be stored in SmartFastPay's Databases, to which the Data Subject expressly authorizes access, so that its related companies, affiliates, parent companies, subsidiaries, and/or strategic partners may act as Processors and fulfill one or more of the following purposes:

A. Confirm Users' identity to ensure the security and authenticity of transactions.

B. Improve the security of future transactions by identifying User preferences, sending notifications about the status of requests, and issuing relevant promotional content.

C. Transmit Personal Data to the Processor so that it may properly manage it.

D. Carry out statistical studies on the User's tastes and preferences.

E. Prevent fraud and financial risks related to money laundering and terrorist financing.

F. Verify financial and credit information with credit bureaus.

G. Corroborate the data provided by Users.

H. Report to credit bureaus on the fulfillment of financial obligations.

I. Comply with obligations arising from or related to requirements from judicial or administrative authorities.

J. Protect Users from cybercrime by verifying the authenticity of operations.

K. Facilitate the resolution of disputes or claims related to transactions.

L. Keep transaction records to support internal and external audit processes.

M. Protect sensitive data.

N. Carry out accounting and tax records.

O. Submit reports to oversight and control authorities.

P. Fulfill obligations undertaken with Merchants.

Q. Send information to governmental or judicial entities upon their express request.

R. Any other purpose resulting from the development of the transaction or the existing relationship between the User and SmartFastPay.

Accordingly, in order to carry out the purposes described, SmartFastPay may:

A. Know, store, manage, and process all information provided by Data Subjects.

B. Organize, catalogue, classify, divide, or separate the information provided by Data Subjects in such a way that agile access and better information management can be achieved.

C. Verify, corroborate, check, validate, investigate, or compare the information provided by Data Subjects.

D. Access, consult, compare, and assess all information regarding the data subjects that is stored in the databases of any lawfully established credit, financial, criminal records, or security reporting agency, whether public or private, national or foreign.

6.1. PERSONAL INFORMATION COLLECTED BY SMARTFASTPAY.

The table below sets out the categories of personal information that SmartFastPay may collect:

Categories of Information

Includes information such as:

Identity and contact information

Full name, type and number of identity document (citizenship ID card, foreign ID card, passport), email address, telephone number, home address or business establishment address.

Transaction and payment information.

Processed transaction data, amounts, dates, banking information required for payment processing, data required by payment service providers.

Commercial information. IP addresses, platform access logs, technical information required for the operation and security of the system (where applicable).

Information for regulatory compliance.

Data required for fraud prevention, compliance with SARLAFT obligations, identity verification, and reporting to competent authorities.

Depending on the relationship the Data Subject has with SmartFastPay (for example, Merchant, User, customer, supplier, or business partner) and the way in which they interact with the company (by phone, online, or through the platform), SmartFastPay may collect, use, receive, store, analyze, combine, transfer, delete, or otherwise process different categories of personal information. Accordingly, SmartFastPay will store the data in the corresponding database in Google Cloud, depending on the type of Processing.

6.2. DISCLOSURE OF PERSONAL INFORMATION TO THIRD PARTIES.

a) Merchant onboarding process for the use of payment gateway services.

SmartFastPay may share personal information with external third parties necessary for the operation of its platform and the fulfillment of its legal obligations, including:

(i) Payment service providers and other processors with which SmartFastPay has a contractual relationship to facilitate Users' transactions;

(ii) Technology infrastructure providers that provide data storage and processing services with appropriate security standards;

(iii) Technology and business partners with whom SmartFastPay has a contractual relationship, who only access the information necessary to provide the entrusted services and may not use it for purposes other than those agreed.

b) Disclosure of information for regulatory compliance and fraud prevention.

SmartFastPay may share personal data with third parties, subject to the legal provisions applicable to the domestic and international transmission of personal data, in the following cases:

(i) Government entities such as administrative authorities, the Financial Superintendence of Colombia, tax entities, supervisory and control bodies, and judicial authorities, when necessary to address legal requirements, judicial proceedings, or comply with SARLAFT obligations;

(ii) Security service providers located in Colombia or abroad, who provide fraud detection and prevention services, transaction risk analysis, and anti-fraud tools;

(iii) Authorized SmartFastPay personnel, authorized developers, and management personnel, who have controlled access through security credentials and restricted-permission systems.

c) Protective measures for the disclosure of information.

In all cases of transmission of personal information, SmartFastPay shall:

(i) Verify that third parties have adequate security measures for the protection of Personal Data;

(ii) Execute confidentiality agreements where appropriate;

(iii) Limit access to information strictly necessary for the provision of the agreed service;

(iv) Implement controls to prevent unauthorized use of the shared information.

d) Limitation of liability for third-party processing.

SmartFastPay does not exercise control over third-party websites (including affiliated merchants, payment service providers, and other platforms) and assumes no responsibility whatsoever for the processing of Data Subjects' personal information on them. Each third party is responsible for implementing its own data protection policies in accordance with applicable regulations.

7. NATIONAL DATABASE REGISTRY.

In accordance with Article 25 of Law 1581 of 2012 and its regulatory decrees, Smartfastpay shall register its databases together with this Policy in the National Database Registry administered by the Superintendence of Industry and Commerce, in accordance with the procedure established for such purpose.

8. DATA SUBJECT'S AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA.

In accordance with Article 9 of Law 1581 of 2012, SmartFastPay, as Controller, shall adopt procedures to request, no later than at the time of collection of the Personal Data, the Authorization for its Processing and shall inform which Personal Data will be collected, as well as the specific purposes of the Processing.

In the case of Personal Data contained in publicly accessible sources, regardless of the means through which access is obtained, such data may be processed by SmartFastPay freely and autonomously, provided that by its nature it is public data.

For the Processing of Personal Data, SmartFastPay shall previously inform Data Subjects which Personal Data it requires and the reason for requesting it, understanding that such purpose shall always be related to the activities derived from the current relationship between the parties and from the development of SmartFastPay's corporate purpose, in accordance with the provisions of this Policy.

With respect to the manner of obtaining Authorization, SmartFastPay shall collect the information corresponding to Personal Data in writing, through the forms and texts established for that purpose, whether physically or by electronic means, ensuring in all cases that proof of the Authorization is retained for subsequent review by the Data Subject. Where relevant, the Authorization may be included in contracts to be entered into with third-party holders of Personal Data to whom this Policy applies.

8.1. The Authorization must contain the following information:

8.1.1. Identification of the Controller

8.1.2. The type of Personal Data to be Processed.

8.1.3. The purpose for which the Personal Data will be Processed.

8.1.4. The rights of the Data Subjects.

8.1.5. The communication channels through which Data Subjects may submit inquiries and/or complaints to the Controller.

8.1.6. Identification of the Personal Data Protection Officer.

8.1.7. Redirection to the Policy.

8.1.8. In the event sensitive data is collected, it shall be clarified that the Data Subject is not obliged to grant Authorization.

8.2. Events in which Authorization is not required:

8.2.1. Information required by a public or administrative entity in the exercise of its legal functions or by court order.

8.2.2. Publicly available data.

8.2.3. Cases of medical or health emergency.

8.2.4. Processing of information authorized by law for historical, statistical, or scientific purposes.

8.2.5. Data related to the civil registry of persons.

9. DATA SUBJECT'S AUTHORIZATION FOR THE PROCESSING OF SENSITIVE DATA.

SmartFastPay, in its capacity as Controller, shall identify the sensitive data that it may eventually collect or process in order to fulfill the following objectives:

(i) implement special care and strengthen its responsibility regarding the Processing of this type of data, which translates into a higher level of compliance in terms of the principles and duties established by current data protection regulations;

(ii) establish the technical, legal, and administrative security levels to process such information appropriately;

(iii) increase access and use restrictions by SmartFastPay personnel in its capacity as employer and by its third-party contractors or suppliers;

(iv) proceed with the Processing of such data only under the following assumptions:

A. The Data Subject has given explicit Authorization for such Processing, except in cases where such Authorization is not required by law.

B. The Processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally unable to give consent. In such events, the legal representatives must grant their Authorization.

C. The Processing is carried out in the course of legitimate activities and with due safeguards by a foundation, NGO, association, or any other non-profit organization whose purpose is political, philosophical, religious, or trade-union related, provided that it refers exclusively to its members or to persons who maintain regular contact by reason of its purpose. In such events, the data may not be provided to third parties without the Data Subject's authorization.

D. The Processing refers to data necessary for the recognition, exercise, or defense of a right in judicial proceedings.

E. The Processing has a historical, statistical, or scientific purpose. In such event, measures must be adopted to remove the identity of the Data Subjects.

In the Processing of sensitive data, where such Processing is permitted pursuant to Article 6 of Law 1581 of 2012, SmartFastPay must comply with the following obligations:

A. Inform the Data Subject that, because it is sensitive data, they are not required to authorize its Processing.

B. Explicitly and previously inform the Data Subject, in addition to the general requirements for Authorization for the collection of any type of Personal Data, which of the data to be processed is sensitive and the purpose of its Processing, and also obtain their express consent.

10. AUTHORIZATION FOR THE PROCESSING OF MINORS' DATA.

SmartFastPay does not directly process the Personal Data of minors.

However, in particular, the company collects and processes the Personal Data of its employees' minor children for the sole purpose of complying with the obligations imposed by law on employers in relation to social security system enrollments and partial benefits, and in particular to allow the enjoyment of children's fundamental rights to health and recreation.

SmartFastPay shall process the Personal Data of children and adolescents while always respecting the following requirements:

10.1. To serve and respect the best interests of children and adolescents.

10.2. To ensure, by the Controller, respect for their fundamental rights.

10.3. To ensure that the minor's legal representative grants the Authorization, after the minor has exercised their right to be heard.

Where applicable, SmartFastPay shall obtain the corresponding Authorization for Processing, always bearing in mind the best interests of the minor and respect for the prevailing rights of children and adolescents.

In any case, within the framework of the activities carried out by SmartFastPay, the provision of minors' Personal Data is optional and must be made with the consent of the parents or legal representatives of the minor. Authorizations for minors' Personal Data shall be granted jointly by the parents, guardians, legal representatives, or conservators. Consequently, the parents' signature shall constitute legal Authorization, and the minor's signature shall represent their consent to the Authorization granted by the parents, guardians, legal representatives, or conservators.

This consent of the minor is important because their opinion must be assessed in the exercise of the Authorization and taken into account in proportion to their maturity, autonomy, capacity, and understanding of the matter.

11. PROCEDURE FOR THE STORAGE OF PERSONAL DATA INFORMATION.

The information contained in SmartFastPay's Databases is subject to different forms of Processing, such as collection, exchange, updating, processing, reproduction, compilation, storage, use, systematization, and organization, all partially or totally in fulfillment of the purposes established herein. The information may be delivered, Transmitted, or Transferred to public entities, business partners, contractors, affiliates, parent companies, subsidiaries, and strategic partners whenever this is for the purpose of fulfilling the purposes referred to in this Policy.

SmartFastPay shall adopt the appropriate technical, technological, and administrative measures to ensure the care and preservation of Data Subjects' Personal Data, preventing its alteration, loss, consultation, use, or unauthorized or fraudulent access.

Likewise, SmartFastPay shall implement sufficient mechanisms to preserve the confidentiality of the information and shall refrain from using the information for purposes other than those authorized.

12. PROCEDURE FOR THE USE AND CIRCULATION OF INFORMATION.

12.1. Transfer of Personal Data.

If third parties unrelated to SmartFastPay or its affiliates, parent companies, subsidiaries, and/or strategic partners require validating, rectifying, or confirming information corresponding to the Data Subjects' Personal Data contained in the Databases, prior and express authorization from the Data Subject shall be required for the Transfer to take place.

SmartFastPay may not use Data Subjects' Personal Data for commercial purposes other than those included in its corporate purpose and the services established therein.

12.2. Transmission of Personal Data.

If third parties unrelated to SmartFastPay or its affiliates, parent companies, subsidiaries, and/or strategic partners require, within the aforementioned purposes, the collection of information, SmartFastPay may transmit the corresponding Personal Data of the Data Subjects to them if so required for the ordinary course of their business. However, for the Transmission to take effect, prior and express authorization from the Data Subject is required.

12.3. International transfers and transmissions of data.

SmartFastPay may carry out international Transfers and Transmissions of Personal Data when necessary for the functioning of its technology infrastructure and the provision of its services. These international operations shall only be carried out with providers that offer adequate guarantees for the protection of Personal Data.

Before carrying out international transfers of personal data, SmartFastPay shall verify that the recipient country offers an adequate level of protection in accordance with Colombian regulations. Otherwise, it shall request prior authorization from the Superintendence of Industry and Commerce and adopt the necessary contractual safeguards.

13. PROTECTION OF THE INFORMATION PROVIDED.

SmartFastPay protects the Personal Data provided by Data Subjects by adopting guidelines and controls aimed at preventing unauthorized access, modification, disclosure, or destruction of the information stored in its Databases.

In compliance with the obligation described above, SmartFastPay adopts the following protocols:

13.1. Controls in information systems to ensure the ongoing reliability, integrity, and availability of Personal Data.

13.2. Verification, assessment, and evaluation processes regarding the technical and security measures adopted for the protection of Personal Data.

13.3. Security protocols to prevent unauthorized access to Databases stored both physically and electronically.

13.4. Implementation and improvement of controls in physical facilities to protect Personal Data maintained in physical form, in order to mitigate the harmful effects that could arise from the materialization of a risk faced by the Personal Data managed by SmartFastPay.

14. STORAGE PERIOD.

Personal Data, and other information processed for any of the purposes mentioned in this Policy, shall not be kept for longer than strictly necessary for the fulfillment of the purposes for which it is intended, except when supported by Colombian Personal Data protection legislation.

Data and electronic documents containing Personal Data may be retained longer than necessary for their purposes in cases of legal or regulatory obligation, reduction of fraud risk, or the full exercise of the right of defense.

15. RIGHTS OF DATA SUBJECTS.

The rights of Personal Data Subjects are as follows:

15.1. To know, update, and rectify their Personal Data before the Controller or the Processors. This right may be exercised, among others, regarding partial, inaccurate, incomplete, fragmented, or misleading data, or data whose Processing is expressly prohibited or has not been authorized.

15.2. To limit or object at any time to the Processing of their Personal Data before the Controller or Processor. If limitation is requested, the Controller must obtain a new Authorization from the Data Subject that conforms to the limitation requested.

15.3. To obtain confirmation from the Controller that their Personal Data is being processed in accordance with the authorized purposes.

15.4. To request from the Controller the portability of the Personal Data they have provided and its transmission to another Controller.

15.5. To request proof of the Authorization granted to the Controller, except where it is expressly exempted as a requirement for Processing.

15.6. To be informed by the Controller or the Processor, upon request, regarding the use made of their Personal Data.

15.7. To file complaints before the Superintendence of Industry and Commerce or the competent Data Protection Authority for infringements of the law and other rules that amend, add to, or complement it.

15.8. To revoke the Authorization and/or request deletion of the data when the Processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the Controller or Processor has engaged in conduct contrary to the law and the Constitution in the Processing. Without prejudice to the foregoing, the Data Subject may request deletion of the data when: (i) the Processing is no longer necessary in accordance with the purposes for which the data was collected; (ii) the Authorization for Processing is revoked; and (iii) the Data Subject objects to the Processing.

15.9. To access free of charge their Personal Data that has been subject to Processing.

16. PROCEDURE FOR THE EXERCISE OF DATA SUBJECTS' RIGHTS.

The Data Subject of the Personal Data shall have the right to: (i) access the Personal Data they provide and the details of its Processing; (ii) rectify it if it is incomplete or inaccurate; (iii) delete it if they consider that it is not required for any of the purposes indicated in this Policy or if it is being used for purposes to which they have not consented.

In any case, without prejudice to the provisions set forth below, any request by the Data Subject in exercise of the aforementioned rights must provide and indicate: (i) their name and address; (ii) a copy of the identification document (Citizenship ID Card, Foreign ID Card, Passport); (iii) a clear and precise description of the Personal Data they wish to access or wish to rectify or delete, as well as any other element that facilitates the location of their data.

16.1. Inquiry and complaint channels.

The Data Subject's personal information stored in SmartFastPay's Databases may be consulted, and the company shall be responsible for providing all information contained therein or linked to the identification of the applicant, always using clear and simple language.

The inquiry shall be made through the email address dpo@smartfastpay.com.

Once received by SmartFastPay, it shall be answered within a maximum term of ten (10) business days counted from the date of receipt thereof. The information requested by the Data Subject may

be provided in writing, by email, or by any other means as required by the Data Subject.

When it is not possible to answer the inquiry within such period, the interested party shall be informed, stating the reasons for the delay and indicating the new date on which the inquiry will be answered, which in no case may exceed five (5) business days following the expiration of the initial term.

16.2. Complaints.

When it is considered that the information contained in a SmartFastPay Database should be corrected, updated, or deleted, or when an alleged breach of any of the duties contained in the Habeas Data law is identified, a complaint may be submitted to SmartFastPay, which shall be processed under the following rules:

16.2.1. The complaint shall be submitted by email to dpo@smartfastpay.com, with identification of the Data Subject, a description of the facts giving rise to the complaint, the address, and the documents the complainant wishes to rely upon.

If the complaint is incomplete, the interested party shall be required within ten (10) days following receipt of the complaint to correct the deficiencies. If two (2) months elapse from the date of the request without the applicant submitting the required information, it shall be understood that the complaint has been withdrawn.

16.2.2. In the event SmartFastPay receives a complaint for which it is not competent to resolve, the company shall forward it to the appropriate party within a maximum term of five (5) business days and shall inform the Data Subject.

16.2.3. The maximum term for responding to the complaint shall be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to respond to the complaint within such period, SmartFastPay shall inform the Data Subject of the reasons for the delay and the new date on which the complaint will be addressed, which in no case may exceed eight (8) business days following the expiration of the term.

17. DUTIES OF THE CONTROLLER OF PERSONAL DATA PROCESSING.

The Client, as Controller of Personal Data Processing, shall comply with the following duties:

17.1. Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.

17.2. Request and retain, under the conditions provided by law, a copy of the respective Authorization granted by the Data Subject.

17.3. Properly inform the Data Subject about the purpose of the collection and the rights granted by virtue of the Authorization granted.

17.4. Preserve the information under the security conditions necessary to prevent its tampering, loss, consultation, use, or unauthorized or fraudulent access.

17.5. Where applicable, ensure that the information supplied to the Processor is truthful, complete, accurate, updated, verifiable, and understandable.

17.6. Where applicable, inform the Processor of any rectification, deletion, or limitation of Processing carried out by the Data Subject.

17.7. Ensure that only the Personal Data necessary for each of the specific purposes of the Processing is processed. Where applicable, update the information, communicating in a timely manner to the Processor all updates regarding the data previously supplied and adopt any other measures necessary so that the information supplied to the Processor remains updated.

17.8. Rectify the information when it is incorrect and communicate the relevant information, where applicable, to the Processor.

17.9. Where applicable, provide the Processor, as the case may be, only with data whose Processing has been previously authorized in accordance with the law.

17.10. When the Processing is carried out by a Processor, endeavor to choose one that offers sufficient guarantees in accordance with the provisions of this Data Processing Policy.

17.11. Execute with the Processor a confidentiality agreement and/or equivalent document, establishing, without limitation, the obligations and rights of the Controller, the purpose, duration, nature, types of Personal Data to be processed, the purpose of the Processing, and the commitment to process Personal Data in accordance with the Law and this Policy.

17.12. Where applicable, require the Processor at all times to respect the security and privacy conditions of the Data Subject's information, as well as their rights.

17.13. Process the inquiries and complaints submitted under the terms set forth in Law 1581 of 2012.

17.14. Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, for handling inquiries and complaints.

17.15. Inform, at the Data Subject's request, about the use made of their data.

17.16. Inform the Data Protection Authority when breaches of security codes occur and there are risks in the administration of Data Subjects' information.

17.17. Inform, at the time of requesting the Data Subject's Authorization for the Processing of Personal Data, of the following: (i) the Processing to which their Personal Data will be subject and its purpose; (ii) the option to decide whether to respond to inquiries related to sensitive data or data of children or adolescents; (iii) the rights they have as a Data Subject; and (iv) the identification data, physical or electronic address, and telephone contact details of the Controller.

17.18. Seek to prevent the occurrence of any event involving a Personal Data security breach.

17.19. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

18. REVOCATION OF AUTHORIZATION AND/OR DELETION OF PERSONAL DATA.

The Data Subject may revoke at any time the Consent or Authorization given for the Processing of their Personal Data, provided that there is no impediment established in a legal or contractual provision.

Likewise, the Data Subject has the right to request at any time that SmartFastPay delete or remove their Personal Data.

Such deletion implies the total or partial elimination of personal information, in accordance with what is requested by the Data Subject in the records, files, databases, or Processing carried out by SmartFastPay.

The right to cancellation is not absolute and therefore SmartFastPay may deny the revocation of Authorization or deletion of Personal Data in the following cases:

18.1. The Data Subject has a legal or contractual duty to remain in the Database.

18.2. The deletion of data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.

18.3. The data is necessary to protect the legally protected interests of the Data Subject; to carry out an action in the public interest; or to comply with a legal obligation lawfully assumed by the Data Subject.

19. AREA RESPONSIBLE FOR THE IMPLEMENTATION AND OBSERVANCE OF THE POLICY.

In compliance with the principle of demonstrated accountability, SmartFastPay has internally appointed Fernando Arenas Molinet as personal data protection officer (“OPD”), who shall be responsible for ensuring compliance with this Policy and Colombian personal data protection legislation, as well as the implementation of best practices for personal data management within SmartFastPay. The designated OPD is internally responsible for updating and disseminating the Policy, and therefore any changes made to it must be approved by him.

If you, as a Personal Data Subject, do not agree with the changes made to it, you may exercise your Habeas Data rights through the channels and in the manner established in this Policy.

20. TERM AND AMENDMENT OF THE POLICIES.

SmartFastPay always seeks to improve its operations to ensure quality services and protections, so this Policy may eventually be updated or unilaterally amended by SmartFastPay.

Any changes made to the Policy will be reflected on page [*]. Any amendment to the Policy shall enter into force one calendar day after its publication on the official website.

This Policy is signed and enters into force as of the first (1st) day of August two thousand twenty-five.

___________________________

LEONARDO CHARLESON DE AVIZ LEANDRO

Legal Representative

SMARTFASTPAY TEC & SERVE S.A.S.

end-section

SmartFastPay Tec & Serve S.A.S.

NIT: 901.547.645-7

Cra 15 #92-98, office 706, Bogotá D.C.

Tel: 320-454-0697

Email: dpo@smartfastpay.com

Message icon

Top questions answered

FAQ Portal
What does SmartFastPay do? Toggle content

SmartFastPay Technology and Services is a Brazilian company that offers local payment methods for national or international websites. We process payments in local currency or market-specific solutions. To use our services, you must be registered on the partner Sites to whom we offer the services.


As SmartFastPay is a payment and technology company, we do not have the autonomy to cancel and/or decide any internal processes of our partners. Therefore, all information about delivery, tracking, refunds, and other details of your purchase should be requested directly from your shopping site.

How long does it take to confirm my payment? Toggle content

The payment processing time may vary according to the payment method used.


We do not have autonomy over the processing time since we depend on the settlement/confirmation of the bank. When we receive the payment confirmation from the bank, the transaction is automatically approved, and the credit is sent to the purchase site.


If the indicated processing time has exceeded the expected period, we ask that you contact the purchase site sending the payment voucher.


  • PIX: Instantaneous or up to 11 minutes
  • Traditional Boleto: Between 24h to 72h
  • Credit Card: Instantaneous
  • Debit Card: Instantaneous
  • TED Bank Transfer: If made within business hours, TED transfers can take up to 2 hours to be identified by the receiving bank and compensated in your contact's account. However, if transfers are made outside business hours or on weekends, they will be scheduled for the next business day.
  • DOC Bank Transfer: an option for transfers from one bank to another, when performed until 9:59 PM on a business day, the operation is compensated on the next business day. After this time and on weekends and holidays, the credit only occurs on the second business day.

Didn't find your question?

Didn't find your question?

Talk to our support

News, product updates and insights straight to your inbox.