Personal Data Processing Policy

1. Data controller

Controller: Angélica Peña and Gabriel Pérez, co-owners of apartment 412 at the Miró Guadalupe building, Cra. 57 #2-01, Cuarto de Legua, Cali, Valle del Cauca, Colombia.

Contact channel for personal data matters: apto412.miroguadalupe@gmail.com.

2. Data subjects and categories of data processed

Guests: full name; identity document type and number (CC, CE, PA, TI); issuing country, document expiry date, and migration entry date (foreigners only); vehicle plate (optional); phone and email (optional); check-in/check-out dates and associated apartment.

Owners: name, document type and number, email, WhatsApp, unit number(s), and listing data.

Site visitors: aggregated, anonymous usage metrics (Vercel Analytics — no tracking cookies, no personal identifiers).

No sensitive data is collected (health, biometrics, political or religious orientation, union membership). Minors' data (TI document) is processed only as accompanying guests, provided by the responsible adult on the booking.

3. Purposes of processing

Guests: (a) identity verification to authorize building entry and coordination with reception/security; (b) arrival and departure logging (building logbook); (c) compliance with migration and tax obligations applicable to foreign guests (DIAN, Migración Colombia); (d) operational contact during the stay.

Owners: management of the Platform relationship, listing publication, invoicing of direct-booking commissions, and operational notifications.

Visitors: aggregated audience and site performance measurement.

4. How data is collected and consent

Directly from the data subject: Platform forms with an express authorization checkbox and a link to this Policy.

Through the apartment owner: when the owner provides their guests' data to reception for entry pre-authorization (replacing the manual Excel/WhatsApp flow). In that case, the owner declares having obtained the prior, express, and informed authorization of their guests; that declaration is recorded in the system.

Authorization may be granted in writing, electronically, or through unequivocal conduct as per Decree 1377 of 2013.

5. Retention periods

Colombian guests (CC, TI): maximum six (6) months after check-out.

Foreign guests (CE, PA): five (5) years after check-out, due to migration and tax obligations.

Owners: while the Platform relationship is active and thereafter for the legal terms applicable to contractual and tax obligations.

Once the periods expire, data is permanently deleted through automated processes.

6. Security measures

Encryption in transit (HTTPS) and at-rest encryption of identifying fields (identity document, vehicle plate).

Role-based access control: reception staff only see the operational information they need; apartment access codes are never visible to staff.

Audit log of all access to personal data (who, what, when).

7. Hosting and processors

Information is hosted with cloud infrastructure providers (Vercel and Supabase) acting as data processors, on servers that may be located outside Colombia (United States) and that meet international information security standards.

Data is not sold, rented, or shared with third parties for their own commercial purposes. It is only disclosed to competent authorities when required by law (e.g., foreign guest reports).

8. Rights of data subjects

Under article 8 of Law 1581 of 2012, data subjects may: access, update, and rectify their data; request proof of authorization; be informed about how their data is used; file complaints with the Superintendence of Industry and Commerce (SIC); revoke authorization and/or request deletion when no legal or contractual duty prevents it.

Deletion of foreign guests' data is subject to the five (5) year legal retention period.

9. Procedure to exercise these rights

Send your request to apto412.miroguadalupe@gmail.com including: full name, document number, description of the request (access, update, rectification, deletion, or revocation), and a reply channel.

Inquiries: answered within ten (10) business days. Claims: answered within fifteen (15) business days, per article 15 of Law 1581 of 2012. Incomplete requests will be returned for completion within five (5) days.

Once the procedure with the Controller is exhausted, the data subject may file a complaint with the SIC's Personal Data Protection Office (www.sic.gov.co).

10. Validity and changes

This Policy is effective as of its publication date and remains in force while the Platform processes personal data. Any substantial change will be published on this page with its update date and, where required by law, communicated to data subjects.

The databases described are registered and kept up to date in the SIC's National Database Registry (RNBD).