Personal Data Processing Policy

1. Data Controller Identification

Full legal name

Efrain Camilo Hernandez Arias

Colombian national ID (Cédula de ciudadanía)

1.110.561.913

Trade name

VantLabs — "Purposeful software for Latin America"

Data subject contact channel (PQRSD)

legal@vantlabs.io

Physical address for notifications

Available upon request at legal@vantlabs.io

2. Processing Principles

The processing of personal data is governed by the principles set out in Article 4 of Law 1581 of 2012: legality, purpose limitation, freedom, accuracy, transparency, restricted access and circulation, security, and confidentiality. No personal data will be collected, used, or transferred without a legal basis or without the prior, express, and informed consent of the data subject.

3. Data Collected and Processing Purposes

The contact form on vantlabs.io collects: full name, email address, subject, and message content. Processing of this data has three purposes: (i) to handle inquiries, comments, or requests submitted through the contact form; (ii) to send replies and commercial communications when expressly requested by the data subject; (iii) to perform aggregated and non-identifiable site usage analysis when analytics tools are enabled, subject to prior specific consent from the data subject. Data is not used for individual profiling, automated advertising, or AI model training.

4. Data Subject Consent

Voluntarily completing the contact form constitutes the data subject's prior, express, and informed consent to the processing of their personal data for the purposes described in section 3. This consent may be revoked at any time by written request to legal@vantlabs.io, without retroactive effect.

5. Data Subject Rights

Pursuant to Article 8 of Law 1581 of 2012, data subjects have the following rights:

• To know, update, and correct their personal data.
• To request proof of the consent granted to the Data Controller.
• To be informed, upon request, of the use that has been made of their personal data.
• To file complaints with the Superintendencia de Industria y Comercio (SIC) for violations of Law 1581 of 2012.
• To revoke consent and/or request deletion of data when constitutional and legal principles, rights, and guarantees are not respected.
• To access their personal data that has been processed, free of charge.

The right to data portability is not recognised, as it is not provided for under Law 1581 of 2012.

6. Channel and Procedure for Exercising Rights (PQRSD)

Data subjects may exercise their rights by sending a written request to legal@vantlabs.io including: (i) full name and ID number, (ii) a clear description of the request, and (iii) contact details for the response. Requests will be addressed within ten (10) business days, extendable by five (5) additional business days when it is impossible to attend to the query within the initial term, pursuant to Article 14 of Decree 1377 of 2013. If the request is incomplete, the applicant will be notified within five (5) days of receipt to complete it.

7. International Data Transfers

The operation of this website involves service providers with servers located in the United States: Vercel Inc. (hosting infrastructure) and Resend Inc. (email delivery). The United States is not included in the SIC's list of countries with an adequate level of data protection. Therefore, transfers of data to these providers are conditional on the data subject's express consent, obtained through voluntary completion of the contact form. These providers act as data processors and are subject to their own privacy policies and applicable security frameworks.

8. Data Retention

Personal data collected through the contact form will be retained for two (2) years from the date of the last interaction with the data subject. Upon expiry of this period, data will be deleted or anonymised, unless a longer legal retention obligation applies or the data subject has previously requested deletion.

9. Security Measures

Reasonable technical and organisational measures are implemented to protect personal data against unauthorised access, loss, alteration, or disclosure, in accordance with the security principle of Article 4 of Law 1581 of 2012.

10. Supervisory Authority

The Colombian authority responsible for overseeing compliance with personal data protection legislation is the Superintendencia de Industria y Comercio (SIC), headquartered in Bogotá D.C., Republic of Colombia. Data subjects may file complaints with the SIC after exhausting the internal procedure with the Data Controller.

11. Effective Date and Updates

This Policy takes effect on 9 April 2026 (version 1.0) and remains in force until replaced by an updated version. Any material changes will be communicated to data subjects whose data is being processed, by publication through this same channel.