Personal Data Protection Policy

1. Legal framework

This Policy is issued in compliance with Colombian Law 1581 of 2012 (General Regime for Personal Data Protection — Habeas Data), Decree 1377 of 2013 and related Colombian regulations. Its purpose is to inform the Data Subject how Serenity Spa & Estética collects, stores, uses, transfers and protects their personal information.

2. Data Controller

3. Personal data we collect

• Identification: full name, ID document number (when applicable), email, phone / WhatsApp.
• Contact: address in Bogotá (only if the customer provides it for in-home services).
• Transactional: purchase records, gift cards bought, payment methods used through authorized gateways (full card numbers are never stored).
• Health data relevant to the service: only information voluntarily provided to ensure safe treatment (allergies, pregnancy, contraindications).
• Browsing data: IP address, device type, usage behavior, collected via cookies and analytics tools.

4. Purposes of processing

1. To manage the purchase and delivery of digital gift cards, services and plans offered on the website.
2. To contact the Data Subject by email, WhatsApp or phone to confirm appointments and deliver purchase receipts.
3. Electronic invoicing and compliance with tax and accounting obligations.
4. Customer service, claims management and post-sale support.
5. To send commercial communications — only with the Data Subject's express consent.
6. To improve the website experience through anonymous analytics and heatmaps.
7. To comply with judicial or administrative authorities.

5. Rights of the Data Subject

Under article 8 of Law 1581 of 2012, the Data Subject has the right to:

• Know, update and rectify their personal data.
• Request proof of the authorization granted for processing.
• Be informed about how their data has been used.
• File complaints with the Superintendencia de Industria y Comercio (SIC) for breaches of the Law.
• Revoke authorization and/or request deletion when constitutional and legal rights are not respected.
• Access free of charge their personal data subject to processing.

6. How to exercise your rights

Send a request to [email protected] or via WhatsApp at +57 321 309 6389 including: full name, ID number, clear description of the query or claim, contact details for our reply, and supporting documents when applicable.

Response times (articles 14 and 15 of Law 1581 of 2012):

• Queries: up to 10 business days, extendable by 5 additional business days.
• Claims: up to 15 business days, extendable by 8 additional business days when complexity justifies it.

7. Data transfer to third parties

To deliver the service, your data may be shared exclusively with the following Processors under contracts that ensure compliance with Law 1581 of 2012:

• Payment gateways (e.g. Bold S.A.S.) to process electronic transactions.
• Transactional email providers (e.g. Resend, Brevo) to deliver the digital gift card and service communications.
• Hosting and technical service providers (e.g. Cloudflare).
• Analytics tools (Google Analytics 4, Microsoft Clarity) with pseudonymized data.
• Authorities when a legitimate judicial or administrative requirement exists.

Serenity Spa & Estética does NOT sell, rent or commercialize personal data to third parties for marketing purposes.

8. Cookies

The website uses first- and third-party cookies to improve navigation, analyze traffic and personalize content. The Data Subject can accept, customize or reject cookies via the banner shown on their first visit, or configure their browser to block them. Consent given through the banner is valid for twelve (12) months.

9. Security measures

We implement reasonable technical and administrative measures to protect your personal data against unauthorized access, alteration, loss or misuse, including TLS encryption, role-based access control, monitoring, regular backups and digital signatures in payment transactions.

10. Data retention

Personal data is retained for the time necessary to fulfill the purposes described and thereafter for applicable legal periods (tax and accounting obligations). After that period, data is securely deleted or anonymized.

11. Minors

Our services are aimed at people over 18 years of age. We do not knowingly collect data from minors. If a parent or legal guardian detects that a minor has submitted data without authorization, they may request its immediate deletion by contacting us.

12. Supervisory authority

The Data Subject whose rights have been infringed may file a claim with the Superintendencia de Industria y Comercio (SIC), Colombia's data protection authority, after exhausting the procedure with the Controller. More information: www.sic.gov.co.

13. Effective date and amendments

This Policy is effective from May 21, 2026. Any material amendment will be communicated through the website. Personal databases will remain valid for the duration of the commercial or legal relationship.