Privacy Policy of Oceanidad

Oceanidad is committed to protecting your personal information and respecting your privacy. This Privacy Policy explains how we collect, use, and share your data when you visit our website, make a donation, or participate in our programs. It complies with all applicable Colombian laws.

I. IDENTIFICACIÓN DEL RESPONSABLE DEL TRATAMIENTO

Name: OCEANIDAD

Tax no.: 901.905.376-7

Address: Condominio Monte Ruitoque, Casa 70, Vereda Acapulco, Girón – Santander, Colombia

E-Mail: contact@oceanidad.com

Phone no.: +57 305 290 4674/ +57 302 611 4952

Data protection officer: Jennifer Eva María Bachmann, C.E. 966858

Deputy protection officer: Eddy Katherine Aparicio Echeverria, C.C. 1092352435

II. PREAMBLE

This Privacy and Personal Data Processing Policy reflects the institutional commitment of the OCEANIDAD Foundation to the comprehensive protection of the fundamental rights to privacy, good name, and habeas data, ensuring that the processing of personal information is carried out in accordance with the principles, duties, and obligations established in Colombian law.

In pursuing its statutory and mission-related purposes, the Foundation carries out activities that involve the collection, storage, use, circulation, transmission, transfer, and, in general, any operation or set of operations performed on the personal data of natural persons with whom it maintains various relationships (donors, beneficiaries, volunteers, employees, contractors, suppliers, institutional partners, and third parties).

Accordingly, it is necessary to establish an internal regulatory framework that defines the procedures, criteria, and measures to ensure lawful, fair, transparent, and secure processing of information.

This legal instrument constitutes an expression of the Foundation’s autonomy and responsible self-regulation in compliance with the personal data protection regime, in harmony with the principles of the Political Constitution, statutory legislation, and applicable regulations.

It also serves as an internal management and control tool that guides those responsible for and in charge of data processing in the proper handling of personal information within the scope of their roles and responsibilities.

The Foundation recognizes that personal information is an intangible asset requiring high standards of diligence, confidentiality, and security; therefore, it adopts this policy as a permanent institutional commitment to compliance, continuous improvement, and absolute respect for human dignity and informational self-determination.

III. PURPOSE

The purpose of this Policy is to define the legal and functional scope of the Privacy and Personal Data Processing Policy adopted by the OCEANIDAD Foundation, which constitutes the internal regulatory framework governing the entity’s actions regarding the collection, storage, use, circulation, transmission, transfer, and deletion of personal data under its custody.

This Policy is issued in observance of Articles 15 and 20 of the Political Constitution of Colombia, Statutory Law 1581 of 2012, Decree 1377 of 2013, Decree 1074 of 2015 (Book 2, Part 2, Title 2, Chapter 25), Law 1266 of 2008, and the guidelines and rulings of the Superintendence of Industry and Commerce as the national data protection authority.

The legal purpose of this Policy is to ensure the effective exercise of the fundamental right to habeas data by establishing institutional guidelines that guarantee that all processing of personal information is carried out in full compliance with the principles of legality, purpose, freedom, truthfulness or quality, transparency, restricted access and circulation, security, and confidentiality, as provided in Article 4 of Law 1581 of 2012.

This Policy regulates the internal procedures and establishes the responsibilities of the Foundation and its collaborators regarding the proper processing of personal data belonging to individuals connected with its mission-related activities — including donors, beneficiaries, volunteers, employees, contractors, suppliers, and other third parties — ensuring that such processing serves legitimate, proportional, and previously informed purposes.

This section therefore serves as the legal foundation clause legitimizing the existence and application of this Policy, which is binding, mandatory, and of a permanent nature, subject to future updates required by legal, jurisprudential, or institutional changes.

IV. LEGAL FRAMEWORK

This section defines the legal, regulatory, and doctrinal provisions supporting the adoption and implementation of the Foundation’s Privacy and Personal Data Processing Policy, ensuring that all institutional actions involving personal information are conducted within a framework of legality, transparency, and accountability.

The applicable legal regime in Colombia is based primarily on Articles 15 and 20 of the Political Constitution, which establish the fundamental rights to privacy, good name, information, and habeas data, granting every individual the right to know, update, and rectify the information held about them in databases or files, as well as the guarantee that data collection and processing are carried out with respect for fundamental rights and freedoms.

In accordance with these constitutional mandates, the Congress of the Republic enacted Statutory Law 1581 of 2012, establishing general provisions for the protection of personal data, including guiding principles, the roles of data controllers and processors, data subjects’ rights, and applicable procedures for the exercise and protection of such rights. This law forms the structural axis of Colombia’s data protection system and serves as the mandatory reference for institutional policies in this field.

Regulatory Decree 1377 of 2013 developed the operational and procedural aspects of Law 1581 of 2012, specifying conditions for obtaining authorization, the duty to inform, applicable security measures, the regime for international data transfers, and mechanisms for handling inquiries and claims.

Decree 1074 of 2015 consolidated and systematized the applicable regulations on this matter, providing regulatory coherence to Colombia’s data protection regime.

Law 1266 of 2008 established the general regime for personal data protection in financial, credit, commercial, and service contexts, representing a significant normative precedent that coexists with Law 1581 of 2012.

Additionally, Decree 886 of 2014 regulates the National Database Registry administered by the Superintendence of Industry and Commerce, the competent authority for oversight, control, and sanctions in data protection matters.

The Foundation also adheres to the guidelines, circulars, and rulings issued by the Superintendence of Industry and Commerce, as well as the jurisprudence of the Constitutional Court and the Council of State, which constitute binding interpretive sources for the application and updating of this Policy.

This legal framework provides the institutional legitimacy and juridical validity for this instrument, ensuring coherence, security, and effectiveness in the management, processing, and protection of personal data collected by the Foundation in the performance of its mission.

V. SCOPE

This section defines the subjective, objective, and territorial scope of application of the Foundation’s Privacy and Personal Data Processing Policy, specifying the individuals, activities, processes, and institutional operations subject to compliance.

The scope of this Policy covers all personal data processing operations carried out by the Foundation in connection with its mission-related, administrative, contractual, labor, commercial, financial, and social activities, whether performed directly, through third parties, or via technological platforms.

This Policy applies to all areas, departments, employees, contractors, volunteers, and collaborators who, in the exercise of their duties or responsibilities, engage in any type of personal data processing. It also applies to third parties with whom the Foundation establishes legal relationships involving access to, provision, processing, or custody of personal data.

The territorial scope of this Policy includes all activities conducted within the Republic of Colombia and, complementarily, international data processing operations resulting from transmissions or transfers to other countries, provided such operations comply with Colombian law and international data protection standards.

This Policy applies to all databases and archives containing personal data collected, processed, and managed by the OCEANIDAD Foundation, including information about donors, beneficiaries, volunteers, employees, contractors, suppliers, partners, visitors, and website users.

VI. GUIDING PRINCIPLES OF DATA PROCESSING

This section establishes the guiding principles that orient, limit, and condition all personal data processing activities carried out by the Foundation, in accordance with applicable legislation and recognized national and international standards.

These principles form the mandatory ethical and legal framework governing the actions of those responsible for and in charge of processing, ensuring that every operation on personal data adheres to the principles of lawfulness, legitimate purpose, proportionality, necessity, and respect for the fundamental rights of data subjects.

Strict compliance with these principles ensures that institutional data management aligns with the right to habeas data, prevents unauthorized or abusive use of information, and fosters an organizational culture of transparency, accountability, and effective privacy protection.

Accordingly, the principles governing this Policy are:

a) Legality: Processing shall be conducted in accordance with the law.
b) Purpose: Data shall be collected for legitimate and specific purposes.
c) Freedom: Processing shall occur with prior, express, and informed consent.
d) Accuracy: Information shall be truthful, complete, and up-to-date.
e) Transparency: Data subjects have the right to access information about processing.
f) Restricted access and circulation: Data shall be used only by authorized persons.
g) Security: Technical and administrative measures shall be applied to protect data.
h) Confidentiality: All personal information shall be treated as confidential.

VII. CATEGORIES OF PERSONAL DATA PROCESSED

The OCEANIDAD Foundation processes personal data belonging to various categories of data subjects, including donors, volunteers, beneficiaries, employees, contractors, suppliers, directors, and website users. The personal data collected include the following:

1. Through the Website

  • Full name

  • Email address

  • Telephone number

  • Contact information

  • Browsing data (cookies, IP address, device)

  • Declared interests and preferences

2. Payments and Receipts

  • Financial information (bank accounts)

  • Transaction history

  • Billing information

  • Payment receipts

3. Suppliers

  • Legal name / corporate name

  • Tax or identification number (NIT/RUT/ID document)

  • Business contact information

  • Banking details for payments

  • Certifications and legal documentation

4. Volunteers

  • Complete personal data

  • Academic and professional background

  • Criminal record certificates

  • Relevant health information

  • Emergency contact details

  • Photographs and audiovisual material

5. Donations

  • Donor information (natural or legal person)

  • Donation amount and frequency

  • Related tax information

  • Destination or allocation preferences

6. Employees and Contractors

  • Full personal information

  • Employment and academic history

  • Social security and health data

  • Financial information (payroll)

  • Contracting documents

  • Performance evaluations

7. Networking

  • Legal or individual name

  • Tax identification number (NIT)

  • Email address

  • Telephone number

8. Data Collected via Online Store

Symbolic Adoptions

  • Full name of the adopter

  • Identification document

  • Email address

  • Shipping address (for certificates or kits)

  • Adopted species information

  • Adoption frequency and amount

  • Personalized message (optional)

  • Communication preferences

Meditation Programs

  • Full name of participant

  • Email address

  • Age or age range

  • Previous experience in meditation

  • Schedule preferences

  • Relevant health data (if applicable)

  • Payment method and history

  • Feedback and evaluations

Payments and Transactions

  • Credit/debit card details (processed via payment gateway)

  • Transaction receipts

  • Billing address

  • Purchase history

  • Preferred payment method

Additional Data

  • Product/service preferences

  • Purchase frequency

  • Comments and reviews

  • Participation data in recurring programs

  • Communication consent records

9. Data Collected in Fieldwork

Environmental Data Forms

  • Date

  • Time

  • Tide

  • Beaufort scale

  • Wind direction

  • Sun brightness

  • Wave height

  • Precipitation

  • Temperature

  • Cloud coverage

  • Variations

  • Visibility

Scientific Data Forms

Sightings:

  • Date

  • Sighting number

  • Initial time

  • Initial latitude

  • Initial longitude

  • Initial GPS point

  • Locality

  • Species

  • Distance from boat

  • Minimum number of individuals

  • Maximum number of individuals

  • Minimum number of calves

  • Maximum number of calves

  • Initial behavior

  • Number of samples

  • Type of samples

  • Dorsal photos of the group (yes/no)

  • Drone videos (yes/no)

  • Group behavior

  • Final time

  • Final latitude

  • Final longitude

  • Final GPS point

Samples:

  • Date

  • Sighting number

  • Species

  • Sample number

  • GPS point of sampled animal

  • Time

  • Individual reaction

  • Wound photographs (yes/no)

  • Group behavior change and notes

VIII. CHANNELS AND MEANS OF DATA COLLECTION

Data may be collected through both physical and digital formats (events, donations, registrations), as well as through the Foundation’s website, social media, and email correspondence.

1. Digital Channels

  • Website and online forms

  • Electronic payment platforms

  • Institutional email accounts

  • Oceanidad user accounts:
    facturas.oceanidad@gmail.com,
    jennifer.bachmann@oceanidad.com,
    angelica.rueda@oceanidad.com

  • Social networks and messaging platforms

  • Web analytics tools (e.g., Google Analytics)

  • Management systems (e.g., Trello, accounting software)

2. Physical / In-Person Channels

  • Printed forms at events and field trips

  • Legal and contractual documentation

  • Interviews and selection processes

  • Workshops and training sessions

3. Technical / Specialized Channels

  • Mobile applications for fieldwork

  • Scientific records and research logs

  • Environmental and biodiversity monitoring systems

4. Administrative Channels

  • Onboarding forms (volunteers, employees, suppliers)

  • Surveys and evaluations

  • Financial and billing documentation

IX. Processing of Data of Children and Adolescents

The processing of personal data belonging to minors shall only be conducted when it meets the following requirements:

  1. It responds to and respects the best interests of the child or adolescent.

  2. Consent is granted by the parent or legal guardian.

  3. The minor’s right to be heard is respected, taking into account their level of maturity.

The Foundation will adopt appropriate measures to safeguard such data, in accordance with Law 1581 of 2012 and Decree 1377 of 2013.

X. Duties of the Foundation as Data Controller

In its capacity as Data Controller, the Foundation undertakes to:

  1. Guarantee to the data subject, at all times, the full and effective exercise of the right of habeas data.

  2. Request and keep a copy of the authorization granted by the data subject.

  3. Inform the data subject of the purpose for which the data will be collected and the rights they are entitled to.

  4. Maintain the information under the necessary security conditions to prevent unauthorized alteration, loss, or access.

  5. Update, rectify, or delete data in a timely manner when inaccuracies are detected or when requested by the data subject.

  6. Process inquiries and claims in accordance with the procedures set forth in this policy.

  7. Disclose only data whose processing has been authorized.

  8. Report to the Superintendence of Industry and Commerce (SIC) any security breaches or irregularities in data management.

XI. Rights of Data Subjects

Data subjects have the following rights:

  1. To know, update, and rectify their personal data.

  2. To request proof of authorization for the processing of their data.

  3. To be informed of how their data have been used.

  4. To submit complaints to the Superintendence of Industry and Commerce for violations of data protection rules.

  5. To revoke their authorization and/or request the deletion of their data when constitutional and legal principles are not respected.

  6. To access their personal data free of charge.

XII. Procedures for Inquiries and Claims

Inquiries:
Data subjects or their legal representatives may submit inquiries regarding the information that resides in the Foundation’s databases. The Foundation shall respond within ten (10) business days from the date of receipt.
If it is not possible to respond within this period, the data subject shall be informed of the reasons for the delay and the date on which the response will be provided, which shall not exceed five (5) additional business days.

Claims:
When a data subject believes that their data should be corrected, updated, or deleted, or that the Foundation is in breach of any of its duties, they may file a claim.
The Foundation shall respond within fifteen (15) business days following receipt. If it is not possible to address the claim within this timeframe, the Foundation shall inform the claimant of the reasons for the delay and the expected date of resolution, which shall not exceed eight (8) additional business days.

XIII. Security and Confidentiality Measures

The Foundation implements technical, human, and administrative measures necessary to ensure the security of personal data, to prevent unauthorized access, and to guarantee their confidentiality and integrity.
Only authorized personnel shall have access to personal data, and they are obligated to maintain strict confidentiality, even after the termination of their relationship with the Foundation.

XIV. Validity of Databases and Retention of Information

The Foundation will retain personal data for the duration necessary to fulfill the purposes for which they were collected, or as required by applicable laws and regulations.
Once the purpose of processing has been achieved, and unless otherwise required by law, data will be deleted from the databases using secure procedures that prevent recovery.

XV. Validity and Publication of the Policy

This Privacy and Data Processing Policy shall come into force on the date of its publication and shall remain in effect for an indefinite period, as long as the Foundation continues to process personal data.
Any modification to this policy will be communicated through the Foundation’s official channels, including its website and email notifications to registered data subjects.