PRIVACY POLICY AND PERSONAL INFORMATION MANAGEMENT - GOWST

DATA CONTROLLER IDENTIFICATION

GOWST - Commercial Establishment
Address: Calle 13 Sur #2A-101, Colombia
Communications: legal@gowst.co
Classification: Personal information processing controller

STATEMENT OF PRINCIPLES

At Gowst we understand that digital privacy is not a luxury, but a fundamental right in the information age. Our mission is to return control of personal data to their true owners: our users.

As digital guardians, we implement enterprise-level security architectures and cutting-edge encryption protocols to create an ecosystem where privacy and functionality coexist harmoniously. We believe that protecting personal information should not compromise the digital experience, but enhance it.

This policy describes with absolute transparency how our digital vault collects, protects, processes and manages personal information, establishing a new standard in responsible management of sensitive data.

REGULATORY FOUNDATION

Our operation complies with and exceeds requirements established by:

Political Constitution of Colombia (Articles 15 and 20)
Statutory Law 1581 of 2012 (Personal Data Protection)
Decree 1377 of 2013 (Regulatory of Law 1581)
Law 2300 of 2023 (“Stop Bothering” - Digital Intimacy Protection)
SIC Resolutions on Artificial Intelligence and Data Security
Financial Superintendence Regulations (for payment operations)

NATURE OF OUR PLATFORM

WHAT IS GOWST VAULT?

Gowst operates as a personal data digital vault, a technological fortress designed to centralize, protect and control sensitive information of our users when they interact with the digital ecosystem.

FUNDAMENTAL VALUE PROPOSITION

Proactive Protection: Multi-layer encryption and advanced obfuscation of sensitive data
Granular Control: Precise management of what information is shared, with whom and when
Total Traceability: Complete record of the digital footprint of each shared data
Secure Simplification: Automation of form filling without compromising privacy

CATEGORIES OF INFORMATION COLLECTED

1. PRIMARY IDENTITY INFORMATION

Identification data: Full name, identity document, date of birth
Contact information: Physical and electronic addresses, telephone numbers
Access credentials: Authentication data and multi-factor verification
Complementary documentation: Profile photos, digital signatures

2. DEMOGRAPHIC AND CONTEXTUAL INFORMATION

Demographic data: Gender, age, marital status, occupation
Geographic information: City and country of residence, location preferences
Socioeconomic data: Educational level, work sector, consumption preferences
Family information: Family composition, dependents (when relevant)

3. TECHNICAL AND DIGITAL BEHAVIOR INFORMATION

Device data: Unique identifiers, technical specifications, operating system
Browsing information: Usage patterns, session time, functionalities used
Geolocation data: Approximate location (when authorized)
Configured preferences: Personalized categories, privacy levels, activated alerts

4. THIRD-PARTY AND PARTNER INFORMATION

Verification data: Validation information from authorized sources
Sharing records: History of data provided to third parties
Commercial partner information: Complementary data from integrated platforms
Interaction metadata: Usage and access records by authorized third parties

5. FINANCIAL AND TRANSACTIONAL INFORMATION

Billing data: Information for payment processing and subscriptions
Transaction history: Record of contracted services and payment status
Payment method information: Masked card data and payment methods
Tax data: Information required for tax compliance

COLLECTION METHODS

DIRECT COLLECTION

Main User Portal: Through our advanced registration system that implements multiple identity verification and granular privacy preference configuration, allowing users to establish from the beginning what information they want to share and under what conditions.

Configuration Interfaces: Through specialized panels where users can:

Securely upload and categorize personal information
Establish granular permissions by data type
Configure alerts and notifications for information use
Define access levels for different categories of third parties

COLLECTION THROUGH INTEGRATIONS

Authorized Third-party APIs: Secure connectivity with trusted platforms through OAuth protocols and encrypted API keys, ensuring that only information specifically authorized by the user is accessed.

Technology Partners: Information exchange under strict confidentiality agreements and data protection with service providers specialized in identity verification and information validation.

AUTOMATED COLLECTION

Intelligent Prefill Systems: Automated capture of usage patterns and filling preferences to optimize user experience while maintaining total control over what information is shared.

Traceability Monitoring: Automatic recording of all interactions where user data has been used, creating a complete history of the digital footprint of each piece of information.

PROCESSING PURPOSES

MAIN PROTECTION PURPOSES

A. DIGITAL VAULT SERVICES:

Secure and encrypted storage of sensitive personal information
Implementation of obfuscation protocols for identity protection
Management of granular access and permission control by data type
Creation of secure backups with end-to-end encryption

B. SECURE AUTOMATION:

Facilitation of automatic form filling on third-party sites
Optimization of registration and verification processes without compromising privacy
Intelligent synchronization of information between authorized platforms
Prevention of unnecessary exposure of sensitive data

C. CONTROL AND TRACEABILITY:

Generation of complete records of data use and sharing
Creation of real-time alerts about personal information access
Development of transparency dashboards for digital footprint visualization
Facilitation of personal privacy audits

EXPERIENCE AND FUNCTIONALITY PURPOSES

D. INTELLIGENT PERSONALIZATION:

Interface adaptation according to individual privacy preferences
Workflow optimization based on secure usage patterns
Development of recommendations on data protection best practices
Personalization of security levels according to user risk profile

E. DIGITAL ECOSYSTEM INTEGRATION:

Facilitation of secure connections with authorized third-party services
Enabling information exchanges under explicit consent
Development of interoperability standards that prioritize privacy
Creation of trust networks between users and service providers

RESPONSIBLE COMMERCIAL PURPOSES

F. ETHICAL MONETIZATION:

Revenue generation through premium advanced protection services
Facilitation of commercial connections under explicit user consent
Development of business models that reward privacy protection
Creation of data markets where the user maintains control and receives benefits

COMPLIANCE AND SECURITY PURPOSES

G. LEGAL AND REGULATORY OBLIGATIONS:

Compliance with data protection and privacy requirements
Collaboration with competent authorities when legally required
Implementation of anti-fraud measures and prevention of malicious use
Maintenance of records for audits and compliance reviews

LEGAL BASIS FOR PROCESSING

Processing is based on free, prior, express and informed consent of the data subject, implemented through:

Granular configuration: Specific permissions by data type and purpose
Dynamic consent: Possibility to modify permissions at any time
Total transparency: Clear information about each specific use of data
Third-party control: Individual authorization for each external access

BALANCED LEGITIMATE INTEREST

In specific cases, justified by:

Service security: Fraud prevention and platform protection
Protection improvement: Development of better security and privacy measures
Technical compliance: Basic operation of encryption and storage services

FULFILLMENT OF CONTRACTUAL OBLIGATIONS

For effective provision of services contracted by the user and compliance with applicable legal obligations.

DATA SUBJECT RIGHTS

ENHANCED FUNDAMENTAL RIGHTS

1. RIGHT TO TRANSPARENT ACCESS:

Complete visualization: Comprehensive dashboard of all stored data
Usage history: Detailed record of each access and sharing
Total traceability: Visual map of the digital footprint of each data
Export: Obtaining information in standard and interoperable formats

2. RIGHT TO INSTANT RECTIFICATION:

Real-time correction: Immediate modification of inaccurate information
Automatic update: Propagation of changes to authorized third parties
Cross-validation: Verification of consistency between sources
Modification history: Complete record of changes made

3. RIGHT TO GUARANTEED ERASURE:

Secure deletion: Irreversible cryptographic erasure of data
Deletion propagation: Notification to third parties for deletion
Compliance verification: Confirmation of effective deletion
Backup cleanup: Deletion in all backup copies

4. RIGHT TO ENHANCED PORTABILITY:

Standard format: Export in JSON, XML and other interoperable formats
Assisted migration: Tools to transfer data to other services
Compatibility: Formats that facilitate import into similar platforms
Guaranteed integrity: Completeness verification in transfers

5. RIGHT TO GRANULAR OPPOSITION:

Control by data type: Specific restriction by information categories
Limitation by third party: Selective blocking of access to specific partners
Temporary suspension: Processing pause without data deletion
Advanced configuration: Personalized rules for use and access

FACILITATED RIGHTS EXERCISE

Contact Channels:

Integrated system: Direct management from the user platform
Specialized email: legal@gowst.co for complex queries
Live chat: Immediate support for rights exercise
Direct telephone: Specialized line in data protection

Optimized Procedure:

Immediate request: Automatic processing for simple actions
Identity verification: Secure authentication protocols
Accelerated processing: Maximum 10 business days for complex cases
Documented confirmation: Complete evidence of actions performed

ADVANCED SECURITY MEASURES

MULTI-LAYER SECURITY ARCHITECTURE

Level 1 - End-to-End Encryption:

Advanced algorithms: Implementation of AES-256 and RSA-4096
Key management: Automatic rotation protocol for encryption keys
Encryption in transit: TLS 1.3 for all communications
Encryption at rest: Storage with field-level encryption

Level 2 - Advanced Access Control:

Multi-factor authentication: Verification through multiple channels
Advanced biometrics: Integration with biometric recognition systems
Session management: Granular control of access and session times
Real-time auditing: Continuous monitoring of access and activities

Level 3 - Infrastructure Protection:

Certified data centers: Facilities with SOC 2 and ISO 27001 certification
Geographic redundancy: Backups in multiple secure locations
24/7 monitoring: Continuous surveillance by cybersecurity specialized teams
Incident response: Automated detection and response protocols

DATA PROTECTION MEASURES

Obfuscation and Anonymization:

Advanced obfuscation techniques: Intelligent masking of sensitive data
Pseudonymization: Replacement of direct identifiers with secure tokens
Statistical aggregation: Processing of aggregated data without individual identification
Data minimization: Collection limited to strictly necessary information

Vulnerability Management:

Penetration testing: Regular security assessments by third parties
Code analysis: Continuous security review of source code
Proactive updates: Immediate application of security patches
Incident simulations: Regular emergency response exercises

AUTHORIZED THIRD PARTIES UNDER STRICT CONTROL

1. CERTIFIED TECHNOLOGY PARTNERS:

Infrastructure providers: Only those with equivalent security certifications
Verification services: Platforms specialized in identity validation
Payment processors: Only regulated and certified entities
Backup providers: Services with guaranteed end-to-end encryption

2. COMMERCIAL THIRD PARTIES UNDER CONSENT:

Integrated platforms: Only those specifically authorized by each user
Complementary services: Connections that improve experience without compromising privacy
Commercial partners: Exchanges that generate direct value for the user
Trust networks: Verified ecosystems of mutual data protection

3. AUTHORITIES AND LEGAL COMPLIANCE:

Judicial requirements: Only under specific and limited legal orders
Data protection authorities: Collaboration for compliance investigations
Regulatory entities: Information required by specific regulations
Security investigations: Cooperation in cases of fraud or illicit activities

MANDATORY SAFEGUARDS

Reinforced Protection Contracts:

Equivalent security clauses: Same protection standards
Purpose limitation: Exclusive use for specific authorized purposes
Re-sharing prohibition: Absolute restriction of transfer to fourth parties
Continuous auditing: Regular supervision of obligation compliance

User Control:

Granular authorization: Specific permission for each type of exchange
Immediate revocation: Ability to withdraw authorizations at any time
Real-time notification: Immediate alerts about any sharing
Third-party dashboard: Complete visualization of all authorized access

SECURE INTERNATIONAL TRANSFERS

INTERNATIONAL TRANSFER PROTOCOLS

When technologically necessary to transfer information outside Colombia:

Mandatory Prior Assessment:

Adequacy analysis: Verification of protection level in destination country
Risk assessment: Specific analysis of geopolitical and legal threats
Local alternatives: Prioritization of solutions within national territory
Specific authorization: Explicit user consent for each transfer

Additional Protection Measures:

Reinforced encryption: Additional protocols for data in international transit
Contractual clauses: Specific international protection agreements
Continuous supervision: Specialized monitoring of international transfers
Right of revocation: Possibility to withdraw data from international territories

RESPONSIBLE RETENTION AND DELETION

DEFINED CONSERVATION PERIODS

Active User Information:

During contractual relationship: While service is active
Grace period: 90 days after termination for reactivation
Security data: Access logs for 1 year for audits
Backup information: Automatic deletion according to defined policies

Compliance Records:

Consents: 5 years after revocation for legal evidence
Financial transactions: According to Financial Superintendence regulations
Access audits: 3 years for security investigations
Legal communications: According to applicable legal prescription periods

CERTIFIED DELETION

Secure Deletion Process:

Cryptographic erasure: Irreversible destruction of encryption keys
Physical deletion: Secure destruction of storage media
Multi-level verification: Deletion confirmation in all systems
Documented certification: Formal evidence of completed deletion

TRACKING TECHNOLOGIES AND PRIVACY

Essential Security Cookies:

Session authentication: Secure maintenance of user sessions
Privacy preferences: Reminder of protection settings
Fraud detection: Identification of anomalous access patterns
Basic functionality: Fundamental platform operation

Anonymized Usage Analytics:

Aggregated metrics: Statistics that do not allow individual identification
Security optimization: Identification of potential vulnerabilities
Experience improvement: Development of better privacy interfaces
Threat analysis: Detection of attack patterns or malicious access

ADVANCED PRIVACY MANAGEMENT

User Granular Control:

Configuration by category: Specific management of each type of tracking
Extreme privacy mode: Operation with minimum technical data
Tracking alerts: Notifications about any analysis activity
Privacy dashboard: Complete visualization of tracking activity

UPDATES AND CONTINUOUS EVOLUTION

COMMITMENT TO CONTINUOUS IMPROVEMENT

Privacy Development:

Proactive implementation: Adoption of new protection technologies
User consultation: Community participation in privacy decisions
Research and development: Continuous investment in better security practices
Regulatory adaptation: Immediate update before new regulatory frameworks

CHANGE COMMUNICATION

Transparent Notification:

Executive summary: Clear explanation of main changes
Impact analysis: Specific assessment on user privacy
Transition period: Sufficient time for adaptation and configuration
Feedback channel: Mechanism for user comments and suggestions

Communication Channels:

Platform notification: Prominent alerts within the system
Email: Direct communication to registered addresses
Transparency portal: Section dedicated to privacy updates
Explanation webinars: Live sessions to explain complex changes

SPECIALIZED CONTACT AND SUPPORT

DATA PROTECTION TEAM

Chief Privacy Officer:

Direct email: privacy@gowst.co
Specialized line: +57 (xxx) xxx-xxxx
Priority chat: Immediate access from platform
Extended hours: Monday to Saturday, 7:00 AM - 8:00 PM

Security Technical Support:

Technical email: security@gowst.co
Emergencies: 24/7 line for security incidents
Ticket portal: Specialized system for complex queries
Documentation: Complete knowledge base on privacy

SUPERVISORY AUTHORITIES

Superintendence of Industry and Commerce:

Web portal: www.sic.gov.co
National line: 01 8000 910165
Physical headquarters: Carrera 13 No. 27-00, Bogotá D.C.

Ombudsman’s Office:

Free line: 01 8000 914814
Portal: www.defensoria.gov.co

Last Update Date: 18/08/2025 Version: 2.0 - Digital Vault
GOWST - Commercial Establishment
”Protecting your digital identity, empowering your privacy”

Go back