Controller: PICK S.A.S., NIT 902051012-9, domiciled in Bogotá D.C., Colombia.

Address: Calle 97A # 7A-24, Bogotá D.C. Phone: 311 331 5304.

Official privacy channel for Habeas Data, inquiries, complaints, deletion, and consent revocation: pickglobalcontact@gmail.com.

The policy applies to users, prospects, support requesters, sponsors, contractors, partners, and other data subjects whose data Pick processes.

Identification and contact data: name, email, city, and phone number if shared through support or a commercial relationship.

Account and authentication data: email, Cognito-managed password, confirmation status, IP address, user-agent, and safety events.

Profile and product data: cities, interests, bio, photo, LinkedIn/Instagram links, matches, match codes, generated introductions, and WhatsApp clicks.

Support, reports, and feedback: requests, abuse reports, context submitted by the data subject, and response traceability.

Commercial, contractual, sponsor, contractor, billing, and compliance data when there is a relationship with Pick.

Pick does not request sensitive data in free-form fields. If a data subject voluntarily shares it, Pick handles it with minimization, security, and deletion when no longer needed.

Create and administer accounts; verify adulthood; prevent fraud, abuse, and impersonation.

Complete profiles, suggest matches, generate AI-assisted introductions, and enable WhatsApp communications when the user opens the link.

Handle safety, moderation, reports, blocks, support, feedback, inquiries, complaints, and Habeas Data requests.

Measure product activation and quality with data needed to operate the service; optional measurement or marketing only with separate, revocable authorization.

Comply with legal, contractual, accounting, tax, evidentiary, and dispute-resolution obligations.

Primary bases: prior, express, and informed authorization; performance of the agreement or pre-contractual steps; legal compliance; and exercise or defense of rights when applicable.

AWS (Cognito, API Gateway, Lambda, S3/CloudFront) for authentication, execution, safety, and media.

MongoDB Atlas for operational storage; AWS Bedrock for generated introductions using minimal context data.

WhatsApp receives the text and metadata when the user opens the deep link to continue outside Pick.

Measurement tools such as Meta Pixel only load if the data subject authorizes optional measurement.

Sponsors receive aggregate metrics or information needed for sponsored mechanics; Pick does not share individualized contact data without explicit authorization.

Data may be stored or processed outside Colombia using reasonable contractual, technical, and organizational safeguards.

Access, update, correct, and delete personal data.

Request proof of authorization, be informed about how data is used, submit inquiries and complaints, and revoke authorization when applicable.

Escalate to the Colombian Superintendence of Industry and Commerce when appropriate, especially if the data subject disagrees with Pick's response.

Send the request to pickglobalcontact@gmail.com with full name, identity document type and number, email or response channel, clear description, and supporting evidence if applicable.

Inquiries: response within 10 business days from receipt. If an extension is needed, Pick will explain the reason and new response date, not exceeding 5 additional business days.

Complaints, corrections, deletion, or revocation: response within 15 business days. If an extension is needed, Pick will explain the reason and new response date, not exceeding 8 additional business days.

For deletion, Pick verifies identity, locates the data, assesses legal or contractual retention duties, and deletes, anonymizes, or blocks what applies.

Each request must leave an internal trail of receipt, classification, responsible owner, response date, result, and support sent to the data subject.

Account and profile data are retained while the user relationship exists and for the time needed for legal, contractual, or evidentiary obligations.

Operational logs, reports, clicks, and safety events are retained for up to 12 months unless a legal, evidentiary, or safety reason requires longer retention.

Backups may be retained for up to 90 days. When backups are restored, applicable deletion rules will be re-applied.

Pick applies reasonable security controls, restricted access, encryption in transit, and operational traceability. Incidents will be documented and reported when legally required.

This policy is effective as of 2026-05-07 and remains in force while PICK S.A.S. processes personal data or until replaced by a new version.