2. DEFINITIONS:

     2.3        Sensitive Data: Data associated with the Owner’s privacy or whose inappropriate use may cause discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, organizations social rights, or promote the interests of any political party as well as data related to health, sexual life and biometric data, among others, the capture of a fixed image or in movement, fingerprints, photographs, iris, voice recognition, facial or palm, etc. 

     2.4        Public Data: Data that is not semi-private, private or sensitive, that can be treated by any person, without the need for authorization. Among others, the information contained in the civil registry of persons (for example, if one is single or married, male or female) and those contained in public documents (e.g, contained in Public Deeds), are public. public registers (e.g the record of disciplinary records of the Attorney General’s Office), in official gazettes and bulletins and in enforceable judicial sentences that are not subject to reservation.

     2.5        Data Processing: Any operation on personal data, such as collection, storage, use, circulation or deletion.

     2.6        Controller of data processor: Physical or legal person, public or private, that by itself or in association with others, decides on the database and / or the treatment of the data.

     2.7        Processor: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of Controller. 

     2.8        Authorization: Prior, express and informed consent of the Information Owner for the Processing of personal data. The consent may be granted in writing, orally or through unequivocal conduct of the Owner that allows concluding that the authorization was granted. 

     2.9        Privacy Notice: Verbal or written communication to inform the owner of the data about the existence of a manual of treatment policies that will be applicable to the processing of information. 

     2.10      Transfer: Sending data, inside or outside the national territory, whose sender and recipient is a Controller. 

     2.11      Transmission: Data Communication, inside or outside the Colombian territory, whose sender is Controller and its receiver is the Processor. 

     2.12      Data Protection Officer: Responsible for monitoring, controlling and promoting the application of the Personal Data Protection Policy within the Company.

3. PURPOSE OF COLLECTING PERSONAL DATA

        3.1 GENERAL PURPOSE

We collect information from our interactions with you, other customers and other parties to help us provide an enhanced shopping experience.

We seek to provide products, services, and valuable offers to you and your family through the information gathered.

We secure your information to maintain the confidentiality and integrity of your data.

We offer you choices about the way your personal information is collected and used.

If you have any questions or comments about any content please contact us.

As described in this Privacy Policy, we use the personal information for the purposes mentioned above internally within the Payless ShoeSource family of companies and in certain cases we allow access in a noncommercial way to certain third parties who provide services on our behalf.  

These companies include our processor of credit and debit card transactions, our shipper for delivery of orders, our website partner, and our web hosting service providers.

Our primary purpose for collecting personal information is for us to provide you with a secure, efficient and beneficial shopping experience.

We may use your personal information for orders to:

1. process and fulfill an order
2. notify you of order status
3. verify information about you and your order

We may contact you if we have questions regarding your order or purchase through email, phone or postal mail.

Additionally, we may use your personal information for marketing purposes to:

1.   improve services and content
2. customize advertising
3. inform you about future: 
1. promotional offers
2. special sales
3. new products
4. special program offers
5. service updates
6. communicate preferences you have indicated
7. any other purpose disclosed at the point of collection or in this Privacy Policy

These communications may be sent via email, postal mail, text message, or through a mobile application dependent upon your preferences. You always have the choice to opt-out of receiving these marketing communications and in response we may send a final confirming communication.

We may use your information to provide services and customer support that you may request, as well as to correct problems, resolve disputes and collect fees.

We may also use the information we collect as necessary to comply with legal requirements, to enforce the site Terms & Conditions, to prevent fraud, to co-operate with law enforcement and regulatory authorities and to stop other prohibited, illegal or harmful activities.

3.2 Promotional Participation

We may use your personal information to contact you if you participate in a sweepstakes, contest or promotion. This includes promotions on-line, over the phone, through a mobile application or at one of our stores. Contact may occur via email, postal mail, telephone, text message, or through a mobile application regarding our products, services, contests and promotions. You may choose at any time not to receive these marketing communications, but please note that  upon opting out we may send a final confirming communication or we may still need to contact you on a limited basis, however - for example, to notify winners and to fulfill promotional obligations.

4. PERSONAL DATA WE COLLECT FROM YOU

   4.1 GENERALITIES

When you register for one of our programs in one of our stores, online or through our mobile application, or when you purchase products from us online, we collect information such as:

1. your name
2. email
3. birth month and day
4. postal address
5. phone number
6. billing and credit card information
7. product preferences

You may also provide personal information when/if you post reviews, send us feedback or provide other user generated content at our site. We may from time to time use your postings or reviews to be placed on other areas of our site.

You may choose not to provide certain information, but choosing to do so may prevent you from being able to take advantage of many of Payless' programs. We currently do not sell, divulge, publish or rent your name or personal information for use by any outside companies or third parties and would request your consent before doing so in the future.

4.2 APPLYING FOR A JOB

If you apply to work with us, we will use the information you supply to process your application and to gather recruitment statistics. Payless may transfer your information outside of your home country and to other companies during the application process. Your personal information will be maintained in accordance with our records retention guidelines. If you have any questions please contact Customer Service by phone (+ 57 310 476 1511) or email servicioalclientecolombia@payless.com

4.3 HOW WE COLLECT ADDITIONAL INFORMATION

We may collect additional information about you from our joint marketing partners or from unrelated third parties. We may collect demographic & behavioral information, and we may use mailing lists from third parties. We may also maintain a record of your product interests and the purchases you make in-store, online or through our mobile application.

4.4 DATA WE COLLECT THROUGH TECHNOLOGY

    4.4.1 ONLINE THROUGH YOUR WEB BROWSER

We use computer "cookies" (which are text files placed on your computer) to make your shopping experience more efficient, convenient and personalized. By using the site you consent to our use of cookies.

Whenever you browse our site, we automatically receive and record information such as:

• your IP address
• browser type
• domain name
• specific web pages you click

This data may also be used in our business communications, but we do not identify individuals in these communications. Cookies should not contain personal data other than your IP address and is not required for you to browse our site. Cookies allow you to take full advantage of some of our site's features, and we recommend that you leave them turned on. To learn more about cookies and how to use them, visit the Help portion of your internet browser.

        4.4.2   GOOGLE ANALYTICS

We use Google Analytics, a web analytics service provided by Google, Inc. ("Google") to collect certain information relating to your use of the site and our services. Google Analytics uses "cookies" to analyze how users use the site. The information generated by the cookie about your use of our site (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the site, compiling reports on site activity for site operators and providing other services relating to site activity and internet usage.

Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this site.

By using this site, you consent to the processing of data about you by Google in the manner and for the purposes set out above. For more information regarding Google Analytics please visit Google's website, and pages that describe Google Analytics, such as www.google.com/analytics/learn/privacy.html.

        4.4.3   In-Store Cameras

We use in-store cameras and video recorders for security and operational purposes.

        4.4.4   Geo-Location Data

We may capture and record certain information regarding your location and use (also known as "Geo-Location" or "Location-Data") through your store purchase and online or mobile site interactions. This allows us provide you with the services or functionality offered by our programs.

We may link your Geo-Location to other information that you provide to us or that may be accessed in connection with your use of our programs or sites. Our ability to offer certain functionality through our online or mobile application is based on your use and acceptance of this Privacy Policy, which may include associated information to third-parties. Please reference our Terms and Conditions for more information on the use of our specific programs.

         4.4.5   Advertising & Do Not Track Mechanisms

We may use how you browse and shop in order to show you advertisements that are more relevant to your interests. We may use cookies and other information to provide relevant interest-based advertising to you. Interest-based ads are ads presented to you based on your browsing behavior in order to provide you with ads more tailored to your interests. These interest-based ads may be presented to you while you are browsing our site or third-party websites not owned by us.

What is "Do Not Track"? Do Not Track (DNT) is a privacy preference that users can set in their web browsers. DNT is a simple way for users to inform websites that they do not want certain information to be collected.

When you turn on DNT in your browser, we no longer have visibility to the websites you visit after you have left the Payless website. We still know the website you were visiting immediately before you came to Paylesscolombia.co and we will continue to track the parts of our site which you visit, including information about your checkout. However, when you turn on DNT in your browser, we stop collecting information about your recent visits to websites that have integrated our buttons or widgets. We stop collecting the unique browser cookie that links your browser to visits to these websites for tailoring suggestions or ads.

          4.4.6   Data Collection by Third Parties

We may also use third party companies to place advertising on other websites that are not owned by Payless. These advertising companies collect information about your visits to our site or interaction with our email through the use of tracking tools such as tags, pixel tracking and cookies, and your online activity at other sites.

These tools allow them to use information about your visits to help us serve you better. We also use web beacons to review how visitors navigate our site or interact with our email advertising. If you would like more information about this practice, and your choices and they relate to this practice, please contact Customer Service by phone (+ 57 310 476 1511) or email servicioalclientecolombia@payless.com

5. GENERAL GUARANTEE PRINCIPLE

PAYLESS guarantees the protection of rights such as Habeas Data, privacy, privacy, good name, honor and personal image, for this purpose, all actions will be governed by the principles of good faith, legality, self-determination computing, freedom and transparency. Anyone who, in the exercise of their activity, provides any type of information or personal data to the Company in its capacity as manager or controller, may exercise their rights as owner of the information to know, update and rectify it in accordance with the procedures established in the Applicable law and this policy. PAYLESS recognizes that its legitimate right to the processing of the personal data of the owners of information must be exercised within the specific framework of the legality and the consent of the owner, striving always to preserve the balance between the rights and duties of owner, controllers and the processors.

  5.1 SPECIFIC PRINCIPLES.

1.  Principle of legality: In the use, capture, collection and processing of personal data, will be applied to the current and applicable provisions governing the processing of personal data and other related fundamental rights. 
2. Principle of freedom: The use, capture, collection and processing of personal data can only be carried out with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal, statutory, or judicial mandate that relieves consent. 
3. Principle of purpose: The use, capture, collection and processing of personal data to which it has access and are collected and collected in the development of the activities of the Company, will be subordinated and serve a legitimate purpose, which should be informed to the respective owner of the personal data. 
4. Principle of truth or quality: The information subject to use, capture, collection and processing of personal data must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited. 
5.  Principle of transparency: In the use, capture, collection and processing of personal data must guarantee the right of the Owner to obtain from the Company, at any time and without restrictions, information about the existence of any type of information or personal data that is of interest or ownership. 
6. Principle of access and restricted circulation: Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, unless the access is technically controllable to provide restricted knowledge only to the Owners or authorized third parties. For these purposes the obligation of the Company, will be medium. 
7. Principle of security: The personal data and information used, captured, collected and subject to treatment in the development of PAYLESS activities, will be subject to protection insofar as the technical resources and minimum standards allow it, to through the adoption of technological protection measures, protocols, and all kinds of administrative measures that are necessary to grant security to the physical and electronic registries and repositories, avoiding their adulteration, modification, loss, consultation, and in general against any use or unauthorized access. 
8. Principle of confidentiality: Each and every person who manages, updates or has access to information of a personal nature, undertakes to keep in a strictly confidential manner and not disclose to third parties, personal, commercial information, accounting, technical, or any other type provided in the execution and exercise of their functions. This duty is extended to all those third allies, collaborators or related parties that are related through any conventional or contractual relation with the Company. 

6. DATABASE RESPONSABILITY

 Payless ShoeSource PSS De Colombia S.A.S. is the company responsible for the processing of personal data, however it does not commercialize, sell, exchange, or transfer such data to third parties for profit.  Payless does not divulge or distribute the personal data with the purpose of commercializing the data or profit.

Consequently, the Database, under  the applicable Colombian laws and regulations is considered an internal base, since the data is only shared with companies of the same economic group.

Payless adopts appropriate technical, human and administrative measures necessary to provide security for the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. The staff that performs the processing of the personal data will execute the established protocols in order to protect the security of the information.

If you need to contact us, please contact Customer Service by phone (+ 57 310 476 1511) or email: servicioalclientecolombia@payless.com

   6.1 Who We Share Your Data With

      6.1.1 Payless Family and Affiliates

We share information within Payless ShoeSource PSS De Colombia S.A.S. and across the Payless ShoeSource family of companies, and we may use servers and resources of other members of the group to process your data. Our main servers are in Topeka, Kansas, USA and it is likely that your data will be held on servers there and at other Payless locations around the world, although from time to time we may hold customer data on third-party hosted servers under a services contract. By using and accessing our site, residents and citizens of countries and jurisdictions outside of the United States agree and consent to the transfer to and processing of personal information on servers located in the United States, and that the protection of such information may be different than required under the laws of your residence or location.

      6.1.2 Mergers & Acquisitions

If we sell or buy any business (in whole or in part), we may disclose your personal data to the buyers of the business and their advisors. If Payless or some of its assets are acquired by a third party, the data held will be one of the transferred assets which will become subject to the privacy policies of the acquiring party. Similarly, your personal information may be passed on to a successor in interest in the event of a reorganization, reconstruction, liquidation, bankruptcy or administration. It may be that any buyer or successor buys all or only part of our business. It may also be the case that they are not in the same line of business as Payless.

      6.1.3 Third Parties

We may combine your information with information we collect from other companies (such as demographic or behavioral data) to improve and personalize our services to you. We may also use third-party companies to assist in collection and analysis of data.

We may share your information with other companies that perform services specifically for Payless. For example, we may retain an outside company to create and distribute a direct mail or email offering. They may sometimes have access to information collected by us, including your personal data, in the course of providing products or services to us. In those situations, the outside company is performing work for Payless, and we take appropriate steps so that your personal information is used only to provide the services requested by us.

We may also disclose that personal information to third-parties to whom you explicitly ask us to send your information.

   6.2 Legal Requirements & Compliance

We reserve the right to release account and other personal information about you when we believe release is appropriate to comply with the law, in response to legal process and law enforcement requests, to enforce or apply our Terms and Conditions and other agreements, or to protect our rights, property, safety or other interests and those of our parent company, affiliates and shareholders, or others. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction.

7. RIGHTS OF THE OWNERS OF THE DATA

The owners of the personal data, have the following rights:

• Request to know, update and rectify the personal data to the Controller
• Request proof of the authorization granted.
• Be informed, virtual request, regarding the use that is given to personal data.
• Submit to the Superintendency of Industry and Commerce (SIC) complaints for infractions of the provisions on personal data regulations.
• Request the deletion of personal data.
• Revoke the approval by submitting a request for recovery. This does not apply when the Owner has a legal or contractual duty to remain in the database.
• Request the Superintendence of Industry and Commerce (SIC) to order the revocation of the authorization and / or the deletion of the data.
• Consult your personal data free of charge, at least once each calendar month and whenever there are substantial modifications of the information processing policies.

7.1 RIGHTS OF CHILDREN, GIRLS AND ADOLESCENTS.

The personal information of children and adolescents has special protection by PAYLESS. This information may be processed in the development of social activities, internal or external communication strategies, as well as the execution of programs or campaigns associated with the management of traditional or digital media seeking the promotion, development or sustainability of the main purpose of the Company.

The processing of this special type of data will require the development and disclosure by the Company of the specific terms and conditions of the respective activity, defining, among others, the requirements, conditions and restrictions for the processing of information of children and adolescents, taking into consideration at all times the best interests and respect for the prevailing rights of minors. In the absence of specific terms and conditions for the development of a specific program or activity that involves the processing of special data of minors, the provisions of this policy and the relevant special rules shall apply.

Whenever it is necessary to process the personal data of children and adolescents, the opinion of the minor will be taken into account according to the reasonable determination of their level of maturity and understanding of the specific case, which is presumed with the authorization conferred by the legal representative of the minor.

8. PAYLESS DUTIES

PAYLESS, when acting as Controller for the processing of personal data, will comply with the following duties:

1. Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data.
2. Request and keep, copy of the respective authorization granted by the owner.
3. Properly inform the Owner about the purpose of the collection and the rights that assist him by virtue of the authorization conferred.
4. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
5. Ensure that the information provided to the processor of processing is true, complete, accurate, updated, verifiable and understandable.
6. Update the information, communicating in a timely manner to the data processor, all the news regarding the data previously provided and adopt the other necessary measures so that the information provided to it is kept up-to-date.
7. Rectify the information when it is incorrect and communicate the pertinent information to the person in charge of the treatment.
8. Only provide the Processor with the information whose processing is previously authorized.
9. To demand from processor, respect for the security and privacy conditions of the Owner’s information
10. Process the queries and claims made.
11. Inform the processor when certain information is under discussion by the Owner, once the claim has been filed and the respective procedure has not been completed.
12. Inform the Owner’s request about the use given to their data.
13. Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the Owner.

8. OWNERS AUTHORIZATION

The collection, storage, use, circulation or deletion of personal data during the development of the activities described in this policy requires the free, prior, express and informed consent of the owner of the personal data.

The authorization for the processing of the personal information required in the different scenarios described in this policy, must be obtained through the requests and privacy notices made available to the owner in each of the means or points of capture of physical, verbal or digital information associated with the operation of the Company, which have been arranged through forms, notices or statements that inform the owner about the capture and subsequent processing of their personal data, their purposes, rights, means for the exercise of their rights and If appropriate, the way to access this policy.

The authorization of the Owner for will be conferred expressly under the different modalities established in the law according to the nature of the means of capture of information, such as written, verbal or through unequivocal actions or behavior of the Owner.

Authorization to process the data collected in the development of the activities described in this policy will depend on the nature of the means for information collection point. The means of proof to accredit the effective authorization for the process data will depend on the type of mechanism used to obtain the authorization, an example being the subscribed format, the registration of acceptance or entry to the website, the recording of the conversation among others. In the acceptance events by means of unequivocal behaviors, the integrated set of the following elements will be taken as sufficient proof of acceptance by the owner:

1. The authorization request model made available to the Owner at the moment of capturing his data.
2. The express indication in the authorization request form, of the unequivocal conduct of the owner that constitutes authorization to process data.
3. Evidence of the conduct of the unequivocal conduct on the part of the owner, being feasible to accredit the information provided by the owner or other type of evidence of express acceptance according to the nature of the mean.