Center for Stem Cells and Biotechnology – Regencord Laboratories

About us

This document sets out the Personal Data Processing Policy of the Center for Stem Cells and Biotechnology – Regencord Laboratories, a company based in Pereira, identified with NIT 900696340-0. We obtain, process, market, and store stem cells for therapeutic purposes and for scientific and technological research. Our headquarters are located at Calle 14 No. 23-41, Pereira, Risaralda. Phone: +57 310 411 6215. Website: www.regencord.com. Email: director@terapiacelular.com.co.

Regencord acts as both data controller and data processor, upholding the right to privacy, habeas data, and personal data protection as established by the Political Constitution of Colombia, Law 1581 of 2012, Decree 1377 of 2013, and other applicable regulations.

As part of its activities, Regencord has collected, stored, and used personal information for several years and intends to continue such processing. Therefore, this policy is adopted and made available to our internal and external audiences.

Regencord requires the free, prior, express, voluntary, and informed authorization of users, clients, and any individual to collect, store, use, process, compile, update, and manage their personal data (general, specific, and/or sensitive) included in our databases and electronic repositories. This information will be used exclusively for corporate functions as a manufacturer of pharmaceutical, medicinal chemical, and botanical products for therapeutic use, as well as for administrative, commercial, promotional, and contact purposes with data subjects.

This policy describes:

• Company identification.
• The purpose of data processing.
• Data subjects’ rights.
• The area responsible for handling inquiries and claims.
• Database retention period.

CHAPTER I – REGULATORY PROVISIONS

Article 15 of the Political Constitution of Colombia establishes that every person has the right to know, update, and rectify personal data held about them in databases or files of public or private entities. It also requires those who process personal data to respect constitutional rights and guarantees.

Over time, the Colombian regulatory framework has been consolidated through the following provisions:

• Law 1266 of 2008: right to financial habeas data.
• Law 1273 of 2009: criminalization of personal data violations.
• Statutory Law 1581 of 2012: minimum conditions for lawful data processing.
• Decree 1377 of 2013 and Decree 1074 of 2015: regulatory development.

CHAPTER II – PURPOSE AND SCOPE

This policy develops the constitutional right of habeas data and applies to all persons whose personal data have been collected, managed, or processed by the Center for Stem Cells and Biotechnology – Regencord Laboratories in the course of its business. This includes clients, users, patients, employees, suppliers, and any other natural or legal person.

Because Regencord provides services related to the collection, processing, application, and storage of stem cells for therapeutic and scientific purposes, as well as preventive medicine, it is committed to guaranteeing the confidentiality of collected data. The duty of confidentiality applies to all company personnel, especially with regard to health data, medical records, and any information classified as sensitive.

This policy also contemplates the processing of minors’ data and sensitive information, ensuring respect for data subjects’ rights pursuant to Law 23 of 1981, Resolution 1995 of 1999, and other applicable rules.

All third parties involved in the processing of personal data, including processors, must comply with this policy and legal provisions even after their relationship with the company ends.

This policy will be published on Regencord’s website and will be available to data subjects and authorized third parties with access to the databases.

CHAPTER III – DEFINITIONS

• Authorization: Prior, express, and informed consent from the data subject for personal data processing.
• Privacy notice: Written or verbal communication to the data subject describing the information processing policy.
• Database: Organized set of personal data.
• Personal data: Information associated with or linkable to an identified or identifiable natural person.
• Sensitive data: Information affecting the data subject’s privacy, such as racial origin, religious beliefs, health data, sexual life, etc.
• Processor: Person who processes data on behalf of the controller.
• Controller: Person who decides on the database and its processing.
• Processing: Any operation on personal data, such as collection, storage, use, circulation, or deletion.
• Transfer: Sending data to another country.
• Transmission: Communication of data within or outside Colombia for processing by a third party.
• Claim: Request by the data subject to correct, update, or delete data, or due to non-compliance.
• Inquiry: Request by the data subject to access their information.
• Data protection officer: Person designated to oversee compliance with this policy.

CHAPTER IV – PRINCIPLES GOVERNING PERSONAL DATA PROCESSING

The processing of personal data will be governed by the following principles:

• Lawfulness: Subject to the law.
• Purpose: Must pursue a legitimate purpose informed to the data subject.
• Freedom: Requires prior, express, and informed consent.
• Accuracy/Quality: Data must be truthful, complete, exact, up-to-date, and understandable.
• Restricted access and circulation: Data may only be processed by authorized persons.
• Security: Measures must be implemented to prevent alteration, loss, unauthorized access, or fraudulent use.
• Confidentiality: Everyone involved must guarantee secrecy of information, even after the relationship ends.
• Necessity and proportionality: Only strictly necessary data will be collected.
• Temporality: Data will be kept only as long as needed to fulfill their purpose.

CHAPTER V – PROCESSING

Regencord will request prior, express, and voluntary authorization to collect, store, use, delete, circulate, and share personal data—by physical or digital means—in accordance with this policy.

CHAPTER VI – CONTROLLER AND PROCESSOR

Centro de Células Madre y Biotecnología S.A.S.
NIT: 900696340-0
Address: Calle 14 No. 23-41, Barrio Álamos, Pereira – Risaralda, Colombia
Email: info@cemab.com.co
Phone: (606) 3210051

The Administrative Management area, together with Communications and IT, will be responsible for data processing. The processor will keep an updated report of the databases and will:

• Ensure the accuracy and security of data.
• Keep copies of authorizations.
• Allow access only to authorized persons.
• Handle inquiries and claims.
• Sign confidentiality agreements with anyone accessing the information.
• Report incidents or misuse of data.

CHAPTER VII – SENSITIVE DATA

Sensitive data are those that affect the privacy of the data subject or whose misuse may lead to discrimination. These include: racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social or human-rights organizations, health data, sexual life, and biometric data.

Processing of such data is prohibited, except when:

• The data subject has given explicit authorization.
• It is necessary to safeguard the vital interests of the data subject and they are physically or legally unable to consent.
• It is carried out within legitimate activities by foundations, NGOs, or non-profit associations.
• The processing concerns data necessary for the recognition, exercise, or defense of a right in judicial proceedings.
• It is required for reasons of public interest in accordance with the law.

CHAPTER VIII – RIGHTS OF DATA SUBJECTS

Data subjects have the following rights:

• To know, update, and rectify their data.
• To request proof of the authorization granted.
• To be informed of how their data have been used.
• To revoke authorization or request deletion when constitutional and legal principles are not respected.
• To access their processed personal data free of charge.

CHAPTER IX – DUTIES OF REGENCORD AS CONTROLLER

Regencord undertakes to:

• Guarantee the exercise of the data subject’s rights.
• Request and keep a copy of the authorization granted by the data subject.
• Inform the purpose of data processing.
• Store information under secure conditions.
• Update information in a timely manner.
• Rectify data when appropriate.
• Handle submitted inquiries and claims.
• Adopt security measures to prevent alteration, loss, consultation, use, or unauthorized access.

CHAPTER X – INQUIRIES AND CLAIMS

Data subjects may submit inquiries or claims related to their personal data by written communication to:

• Email: info@cemab.com.co
• Address: Calle 14 No. 23-41, Pereira – Risaralda

Inquiries will be answered within a maximum of 10 business days. In the case of claims, Regencord will respond within 15 business days from the day after receipt of a complete claim.

CHAPTER XI – DATABASE RETENTION

Personal data will be kept for as long as necessary to fulfill the purposes of processing, in accordance with applicable regulations. When those purposes have been fulfilled or the data subject revokes authorization, the data will be deleted or anonymized, unless there is a legal obligation to retain them.

CHAPTER XII – POLICY CHANGES

Regencord reserves the right to modify this policy at any time. Any changes will be communicated to data subjects through usual channels and will be available on the institutional website.

CHAPTER XIII – EFFECTIVE DATE

This policy takes effect as of January 1, 2024, and will remain in force while Regencord carries out personal data processing activities.

CHAPTER XIV – ACCEPTANCE OF THE POLICY

By providing their personal data to Regencord, the data subject declares that they have read, understood, and accepted this policy. Authorization may be granted in writing, verbally, or through unequivocal actions that reasonably indicate consent.

CHAPTER XV – SECURITY MEASURES

Regencord has adopted reasonable technical, human, and administrative measures to protect personal data and prevent alteration, loss, consultation, use, or unauthorized or fraudulent access. Access to data is restricted to authorized persons under confidentiality agreements.

CHAPTER XVI – HANDLING PETITIONS, INQUIRIES, AND CLAIMS

Regencord designates the Administrative Coordination as the area responsible for handling petitions, inquiries, and claims related to data-subject rights. The area can be contacted at:

• Email: info@cemab.com.co
• Address: Calle 14 No. 23-41, Pereira – Risaralda

CHAPTER XVII – PROCEDURE TO EXERCISE DATA-SUBJECT RIGHTS

To exercise the rights of access, update, rectification, and deletion, the data subject may submit an inquiry or claim through the channels defined in the previous chapter. The request must include:

• Name and identification of the data subject.
• Description of the facts giving rise to the claim.
• Notification address.
• Supporting documents.

If the claim is incomplete, the applicant will be asked to complete it within five (5) days. If two (2) months pass without a response, it will be understood that the claim has been withdrawn.

CHAPTER XVIII – INQUIRY PROCEDURES

Data subjects may consult their personal data in Regencord’s databases. The request will be handled within a maximum of 10 business days. If it cannot be addressed within that period, the applicant will be informed of the reasons for the delay and the response date, which may not exceed five additional business days.

CHAPTER XIX – CLAIMS PROCEDURE

When the data subject believes that information in a database should be corrected, updated, or deleted, or detects an alleged breach of the law, they may submit a claim to Regencord. It will be processed within 15 business days from the day after receipt of a complete claim.

CHAPTER XX – REVOCATION OF AUTHORIZATION AND/OR DATA DELETION

Data subjects may at any time request that Regencord delete their personal data or revoke the authorization granted for processing. This request may be denied if the data subject has a legal or contractual duty to remain in the database, or if deletion would hinder judicial or administrative actions.

CHAPTER XXI – INTERNATIONAL TRANSFER AND TRANSMISSION

When personal data are sent or transferred to another country, adequate protection will be ensured in accordance with international standards and Law 1581 of 2012. Regencord will enter into the necessary agreements to ensure compliance with this policy.

CHAPTER XXII – DURATION OF AUTHORIZATION

The data subject’s authorization for processing their personal data will remain valid while the relationship with Regencord persists and for the time necessary to fulfill the purposes of processing, unless otherwise required by law.

CHAPTER XXIII – MEDICAL RECORDS

Medical records are private, mandatory, and confidential documents that may only be accessed by third parties with the patient’s authorization or in cases provided by law. Regencord guarantees their preservation, integrity, and confidentiality.

CHAPTER XXIV – VIDEO SURVEILLANCE

Regencord informs that video-surveillance systems are used on its premises for security reasons. Collected images may be used as evidence in any type of proceeding before competent authorities.

CHAPTER XXV – CALL RECORDING

Telephone calls may be recorded for quality control, training, and security purposes. By contacting us, the data subject expressly authorizes such processing.

CHAPTER XXVI – USE OF COOKIES

Regencord uses cookies on its website to improve the user’s browsing experience. By navigating our site, you consent to the use of cookies. Users may configure their browsers to reject them.

CHAPTER XXVII – PHOTOGRAPHY & VIDEO

During events, campaigns, or activities, Regencord may take photographs or videos that include images of attendees. These images may be used in digital or print media for institutional, commercial, or promotional purposes.

CHAPTER XXVIII – EMPLOYEES, CONTRACTORS, AND SUPPLIERS

Regencord may collect and process personal data of its employees, contractors, and suppliers to comply with legal, contractual, and administrative obligations, including work references, evaluations, academic data, and family information.

CHAPTER XXIX – MINORS

The processing of minors’ personal data will always respect their fundamental rights and require authorization from their legal representative. Only necessary and pertinent data will be collected.

CHAPTER XXX – INTERNAL CONFIDENTIALITY POLICY

All employees, contractors, and third parties who access personal data must sign confidentiality agreements and strictly comply with this policy. Breaches may lead to disciplinary or contractual sanctions.

CHAPTER XXXI – ACCEPTANCE AND CHANGES TO THE POLICY

This policy may be modified at any time. Changes will be announced on Regencord’s website. By continuing to use our services, the data subject accepts the modifications made.