This Data Protection Policy (the “Policy”) aims to establish and inform the treatment given by LIMITLESS INVERSIONES S.A.S, a company domiciled in Bogotá, Colombia, and identified with the Tax ID (NIT) 901.565.398 – 9 (“The Company”) to the personal data provided by patients and/or clients of TOTAL DEFINER BEAUTY SPA (“the SPA”), as well as to disseminate and protect the rights of the holders of such personal data. This policy defines the minimum requirements to ensure an adequate level of protection within the Company for the collection, use, disclosure, transfer, storage, and other personal data processes.
Please read this privacy notice carefully, as it provides important information on how we handle your personal information and your rights. If you have any questions about any aspect of this privacy notice, you can contact us using the following email: Tdbeauty@totaldefiner.com
During the processing of personal data and Sensitive personal data, the company will comply with the guiding principles of data protection established in the applicable regulations, such as: i) legality; ii) purpose; iii) consent; iv) truthfulness; v) transparency; vi) restricted access and circulation; vii) security; and viii) confidentiality.
CATEGORIES OF PERSONAL DATA SUBJECT TO PROCESSING
To comply with the purposes of processing indicated in this privacy notice, it is necessary to collect and process the following personal data:
Contact details (telephone number, email, Whatsapp)
Date of birth
Country of Residence
Economic, financial, banking data
The requested personal data are mandatory, so refusal to provide them will mean the impossibility of carrying out the provision of contracted services. Data marked with an asterisk (*) in the forms provided by LIMITLESS INVERSIONES S.A.S. will be necessary to comply with the established contractual or legal purpose.
Therefore, if the user does not provide them, it will not be possible to provide the services by the SPA.
Method of data collection
We and our external service providers passively collect and use information in a variety of ways, including:
Through forms on the website.
Through social networks.
Through your browser: Certain information is collected by most browsers, such as your Media Access Control (MAC) address, the type of computer (Windows or Macintosh), screen resolution, operating system version, and the type and version of the internet browser. We may collect similar information, such as your device type and identifier, if you access the site through a mobile device.
You may refuse to accept these cookies by following your browser’s instructions; however, if you do not accept them, you may experience some inconvenience in your use of the site. You may also not receive advertising or other offers from us that are relevant to your interests and needs.
For the processing of personal data, the Company will request prior, express, informed, and clear authorization from the data subject. This is except for cases where applicable regulations allow data processing without requiring authorization.
The processing of personal data will be carried out in the terms of the express consent authorized by the data subject and/or their representative and only for the purposes provided therein.
Consent is not required for the processing of personal data when:
• Information required by a public or administrative entity in the exercise of its legal functions or by court order.
• Data of a public nature.
• Cases of medical or sanitary emergency.
• Processing of information authorized by law for historical, statistical, or scientific purposes.
Personal data will only be processed for the time that is reasonable and necessary, according to the purposes that justified it, attending to the applicable provisions on the matter (e.g., administrative, accounting, promotional, fiscal, legal, and historical aspects of the information). Once the purpose or purposes of the processing are fulfilled, and notwithstanding legal norms that provide otherwise, the Company must proceed to delete the personal data in its possession, without prejudice to the possibility of retaining those required for the fulfillment of a legal or contractual obligation.
The processing of personal data will be carried out under high standards of security and confidentiality, using the data exclusively for the purpose described in the corresponding privacy notice, and conforming to the requirements of the applicable regulations.
The Company will provide the necessary technical, human, and administrative measures to grant security to the records, avoiding their alteration, loss, consultation, use, or unauthorized or fraudulent access. The obligation and responsibility of the Company are limited to having appropriate means to this end. The Company does not guarantee the total security of your information nor is responsible for any consequence derived from technical failures or improper access by third parties to the database or file where the personal data processed by the Company and its managers are stored. The Company will require third parties with whom it contracts or with whom it exchanges information to adopt and comply with adequate technical, human, and administrative measures for the protection of personal data for which such third parties act as managers.
PROCESSING AND PURPOSE
The Company, acting as the responsible party for the processing of personal data, for the proper development of the activities contemplated in its corporate purpose, collects, stores, uses, circulates, deletes, processes, compiles, reproduces, exchanges, updates, disposes of, communicates, and transmits, as applicable, personal data of individuals with whom it has or has had a relationship.
The general purposes for which the Company processes these personal data include the following:
Conduct activities inherent to the corporate purpose of the Company.
Perform commercial and marketing activities through the processing of personal data of customers and suppliers.
Send important information about your relationship with the Company, as well as about products, campaigns, events, about the Company’s websites or digital initiatives, modifications of the Company’s terms, conditions, and policies.
Follow up on activities, management of actions, identification of opportunities, quality of services, for administrative, organizational, academic, scientific, research purposes, reporting obligations established by law or by Codes of Ethics.
Comply with legal, judicial, and contractual obligations.
For commercial purposes, such as data analysis, conducting market studies, audits, development of new products, improvement of the Company’s website, improvement of the Company’s products and services, identification of site usage trends, and determining the effectiveness of our promotional campaigns.
Respond to your inquiries and meet your requests, as well as send you requested documents or email alerts.
Monitor and process reports of product quality complaints and adverse events.
Share it with our external service providers who provide services such as website hosting and moderation, mobile application hosting, data analysis, payment processing, order fulfillment, infrastructure provision, IT services, customer service, email and direct mail delivery services, credit card processing, client and supplier analysis, audit services, and other services, to enable them to provide those services.
• Share it with a third party in the event of a reorganization, merger, sale, division, joint venture, assignment, transfer, or other disposition of all or part of our business activities, assets, or shares (including acts related to any bankruptcy process or similar), as well as any change in the corporate or administrative structure of the Company.
• Respond to requests from public and governmental authorities, including public and governmental authorities from your country of residence and foreign ones.
• Enforce our terms and conditions.
RIGHTS OF THE DATA
The rights that assist you as the holder of personal data being processed by the Company are described below:
• Know, update, and rectify your personal data against the Company. This right can be exercised, among others, against partial, inaccurate, incomplete, fragmented data that leads to error, or those whose processing is expressly prohibited or has not been authorized.
• Request proof of the authorization granted to the Company for the processing of Personal Data.
• Be informed by the Company, upon request, about the use that has been given to your personal data;
• Submit complaints to the competent authority for infringements of personal data protection.
• Revoke the authorization and/or request the deletion of the data; notwithstanding the foregoing, the deletion or revocation will not proceed when the holder has a legal or contractual duty to remain in the database nor while the relationship between the holder and the Company that gave rise to the collection of personal data is in force.
• Access your personal data that has been processed free of charge.
PROCEDURE TO EXERCISE THE RIGHTS TO KNOW, UPDATE, RECTIFY AND DELETE INFORMATION, AND REVOKE AUTHORIZATION FOR PROCESSING
The holder, heirs, representatives, or proxies may consult, update, rectify, and/or delete their personal data being processed by the Company, as well as revoke the authorization for processing, at any time and at no cost.
For these purposes, you must send a detailed communication of your request to the following email address: using the following email address: email@example.com
In all communications sent to the Company, include an email or physical address so that the company can respond to your request.
Your request will be attended to within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend to the inquiry or request within this term, you will be informed, stating the reasons for the delay and indicating the date on which your inquiry or request will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.
The Company may deny access to personal data, or the revocation of the authorization, or the request for deletion of data in the following cases:
When the applicant is not the holder of the personal data, their successor (e.g. Heirs, Successor) or the legal representative is not duly accredited for this purpose;
When the applicant is not a public or administrative entity acting within its legal functions, or there is no judicial order.
When the Data Subject has a legal or contractual duty to remain in the database.
For queries whose frequency is more than once per calendar month, the Company may only charge the data subject for the shipping, reproduction, and if applicable, certification of documents. Reproduction costs shall not exceed the costs of recovering the corresponding material.
PROCEDURE FOR HANDLING COMPLAINTS AND CLAIMS
If you consider that the information contained in a database should be subject to correction, updating, or deletion, or when you notice the alleged non-compliance with any of the duties contained in this data policy, you may file a claim with the Company at the email or address detailed further below.
For these purposes, you must send a detailed communication in order to file a complaint or claim to the following email address, with the following information: firstname.lastname@example.org
Description of the facts that give rise to the claim
An email address so that the Company can respond to your claim
Attach any document(s) you wish to assert
Incomplete Claim: If the claim is incomplete, you will be required within five (5) business days following the receipt of the claim to provide the missing information. If two (2) months pass from the date of the request, without the applicant presenting the required information, it will be assumed that the claim has been abandoned.
Complete Claim: Once the complete claim is received, a legend that says “claim in process” and the reason for it will be included in the database within no more than two (2) business days. This legend must be maintained until the claim is decided.
The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date their claim will be addressed, which in no case may exceed eight (8) business days after the expiration of the first term.
CHANGES TO THIS PRIVACY NOTICE
We may update this notice (and any supplementary privacy notice) from time to time, as shown below. We will notify you of changes as required by applicable law.