Política de Tratamiento de Datos Personales
Version 1.0 · Updated 26 de June de 2026
UXEM Entertainment Group S.A.S.
PERSONAL DATA PROCESSING POLICY
Habeas Data — Law 1581 of 2012 (Colombia)
Tax ID (NIT): 901811705-2
Medellín, Antioquia, Colombia
Version 1.0 | In effect as of April 9, 2026
1. IDENTIFICATION OF THE DATA CONTROLLER
The Data Controller responsible for the processing of personal data collected through the uxem.com.co platform is:
• Corporate name: UXEM Entertainment Group S.A.S.
• Tax ID (NIT): 901811705-2
• Registered office: Medellín, Antioquia, Republic of Colombia
• Email for personal data matters: legal@uxem.com.co
• Website: uxem.com.co
UXEM is in the process of registering with the National Database Registry (Registro Nacional de Bases de Datos, “RNBD”) administered by the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio, “SIC”), in compliance with Article 25 of Law 1581 of 2012 and Decree 886 of 2014.
2. LEGAL FRAMEWORK
This Policy is based on the following legal provisions in force in the Republic of Colombia:
• Article 15 of the Political Constitution of Colombia: Recognizes the right to personal and family privacy and the right to habeas data.
• Law 1581 of 2012: General provisions for the protection of personal data.
• Decree 1377 of 2013 (consolidated into Sole Regulatory Decree 1074 of 2015): Partially regulates Law 1581 of 2012, in particular matters relating to the data subject's authorization, processing policies, and international transfers.
• Decree 886 of 2014: Regulates the National Database Registry (RNBD) before the SIC.
• Circulars and guidelines of the Superintendence of Industry and Commerce (SIC): As the supervisory authority on personal data protection matters in Colombia.
3. DEFINITIONS
For the purposes of this Policy, the following terms shall be understood as follows:
• Personal data: Any information linked to, or that may be associated with, one or several identified or identifiable natural persons.
• Sensitive data: Data that affects the Data Subject's privacy or whose misuse may give rise to discrimination against the Data Subject. Sensitive data includes: racial or ethnic origin, political affiliation, religious or philosophical beliefs, membership in trade unions, health data, data concerning sex life, and biometric data (Article 5, Law 1581/2012).
• Data Subject: The natural person whose personal data is processed.
• Data Controller: The natural or legal person, public or private, that, alone or jointly with others, decides on the database and/or the processing of the data. For purposes of this Policy: UXEM Entertainment Group S.A.S.
• Data Processor: The natural or legal person, public or private, that, alone or jointly with others, processes personal data on behalf of the Data Controller (e.g., cloud service providers, payment gateways).
• Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
• Transfer: A processing activity that involves the communication of personal data by the Data Controller or Data Processor to a recipient that itself becomes a Data Controller and that is located within or outside the country.
• Transmission: Processing of personal data that involves communicating such data within or outside national territory when the purpose is for a Data Processor to carry out processing on behalf of the Data Controller.
• Authorization: The Data Subject's prior, express, and informed consent for the processing of personal data.
• Database: An organized set of personal data that is subject to processing.
4. DECLARATION REGARDING SENSITIVE DATA
UXEM expressly declares that it does NOT collect or process sensitive data within the meaning of Article 5 of Law 1581 of 2012.
UXEM does not request, store, or process information related to:
• Racial or ethnic origin.
• Political affiliation.
• Religious or philosophical beliefs.
• Membership in trade unions or social organizations.
• Health status data.
• Data concerning sex life or sexual orientation.
• Biometric data.
Clarification regarding financial and tax data: Banking data (account number, account holder name), tax data (NIT, RUT, Form W-8BEN or equivalents for international withholdings), and payment information collected by UXEM for royalty payment and invoicing purposes do NOT constitute sensitive data under Article 5 of Law 1581 of 2012. Such data is treated as ordinary personal data under the security measures described in Section 12 of this Policy.
5. PERSONAL DATA COLLECTED BY UXEM
5.1 Identification Data
• Full name or artist name.
• Identity document number (national ID card, passport, or equivalent document depending on country of residence).
• Email address.
• Phone or mobile number.
• Country and city of residence.
• Date of birth (for age verification purposes).
5.2 Financial and Tax Data
• Bank account number or digital wallet for royalty transfers.
• Name of the destination account holder.
• History of accrued royalties and payments made.
• Tax information: NIT, RUT (Colombia), Form W-8BEN or equivalents for international users, in compliance with tax obligations.
Subscription payment method data processed by the enabled payment gateway. Clarification: UXEM does not store full credit or debit card numbers; such processing is the exclusive responsibility of the contracted payment gateway (PayU, Stripe, or another gateway enabled on the platform).
5.3 Music Metadata
The following data is associated with the Data Subject but consists primarily of music-industry identifiers. It is collected to provide the distribution service:
• Titles of songs, albums, and EPs.
• Names of artists, songwriters, producers, and other artistic credits.
• ISRC (International Standard Recording Code), UPC (Universal Product Code), and ISWC (International Standard Musical Work Code) codes, whether assigned by UXEM or provided by the User.
• Musical genres, language, release date, and distribution territories.
• Audio files, song lyrics, and cover artwork uploaded by the User.
Note: Music metadata (ISRC, UPC, ISWC, titles, credits) is not personal data in the strict sense under Law 1581 of 2012, but because it is linked to the identity of the artist or label, UXEM applies to it the same protection and confidentiality measures described in this Policy.
5.4 Platform Usage Data
• IP address and approximate geolocation.
• Device type, operating system, and web browser.
• Pages and features visited within the platform.
• Session time and activity logs.
• Automatically generated technical diagnostic data.
6. PURPOSES OF PROCESSING
6.1 Primary Purposes — Legal Basis: Contractual Performance
Processing of data is necessary to provide the services contracted by the User:
• Creation, management, and administration of the User's account on the platform.
• Distribution of the User's musical content to the selected digital streaming and download platforms (DSPs).
• Assignment and registration of ISRC, UPC, and ISWC codes on behalf of the artist or label.
• Collection, settlement, and transfer of royalties generated on DSPs to the User.
• Billing for contracted subscription services.
• Provision of technical support and handling of User requests and claims.
• Management of disputes regarding ownership or content.
6.2 Secondary Purposes — Legal Basis: Specific Consent
Subject to the User's separate authorization:
• Sending commercial communications, newsletters, promotions, and UXEM news.
• Conducting satisfaction surveys and market research.
• Personalizing the User's experience within the platform and suggesting features.
• Preparing statistical audience reports and musical performance reports for the User.
6.3 Legal Compliance Purposes — Legal Basis: Legal Obligation
• Compliance with tax and accounting obligations before Colombian tax authorities and those of other countries, as applicable.
• Responding to requests, orders, or requirements from judicial, administrative, or oversight authorities.
• Prevention, detection, and investigation of fraud, unauthorized use of the platform, and other unlawful conduct.
7. LEGAL BASIS FOR PROCESSING
UXEM's processing of personal data is based on one of the following legal grounds:
• Informed consent (Art. 9, Law 1581/2012): For processing not essential to the performance of the contract, particularly commercial communications and personalization. Consent is obtained through explicit acceptance on the registration form (see Section 8).
• Contractual performance: For all processing necessary to provide the music distribution service requested by the User (account management, distribution, royalty payment, support).
• Legal obligation: For processing required by tax or accounting regulations, or upon the request of competent authorities.
• Legitimate interest: Exclusively for platform security, fraud prevention, and protection of the rights of UXEM and other Users, provided that the Data Subject's fundamental rights and freedoms do not prevail.
8. AUTHORIZATION OF THE DATA SUBJECT
8.1 Method of Collection
The Data Subject's authorization is obtained in a prior, express, and informed manner through a mandatory and independent checkbox located on the platform's registration form. Registration cannot be completed unless the User checks this box.
8.2 Exact Text of the Authorization Checkbox
I have read and accept the Personal Data Processing Policy of UXEM Entertainment Group S.A.S. (NIT 901811705-2) and I authorize the processing of my personal data for the primary purposes described in that Policy, in accordance with Law 1581 of 2012 and Decree 1377 of 2013. I understand that I may exercise my rights of Access, Rectification, Cancellation, Objection, Portability, and Revocation by writing to legal@uxem.com.co.
8.3 Authorization for Secondary Purposes
Commercial communications and other secondary purposes described in Section 6.2 require an additional, independent checkbox with the following suggested text:
I agree to receive commercial communications, news, and newsletters from UXEM. I may unsubscribe at any time by writing to legal@uxem.com.co.
8.4 Revocation of Authorization
The Data Subject may revoke their authorization at any time through a written request sent to legal@uxem.com.co. Revocation does not have retroactive effect and will not affect processing carried out under the previously granted authorization, nor processing necessary to comply with legal or contractual obligations in force.
9. RIGHTS OF THE DATA SUBJECT (ARCO+)
The Data Subject of personal data has the following rights, exercisable at any time:
9.1 Catalog of Rights
• Access: To know, free of charge, what personal data of theirs is being processed by UXEM, its origin, purpose, and uses.
• Rectification: To request the update or correction of personal data that is inaccurate, incomplete, or outdated.
• Cancellation / Deletion: To request the deletion of their personal data when: (i) it is no longer necessary for the purposes that justified its collection; (ii) authorization has been revoked and no legal basis exists to continue processing; or (iii) the processing violates Law 1581/2012 or other regulations. Deletion may be denied if there is a legal obligation to retain the data or if the data is necessary for the performance of an existing contract.
• Objection: To object to the processing of their data for specific purposes, particularly commercial communications and personalization.
• Portability: To request delivery of their data in a structured, commonly used format, to the extent technically feasible and permitted by Colombian regulations. UXEM is progressing in implementing this functionality in line with regulatory trends.
• Revocation of consent: To withdraw authorization granted for processing based on consent, without retroactive effect.
9.2 Procedure for Exercising Rights — Article 15, Law 1581/2012
Step 1 — Filing the request
The Data Subject, their successor, or legal representative must send an email to legal@uxem.com.co with the subject line: “PERSONAL DATA REQUEST - [type of request]”, indicating:
• Full name of the Data Subject.
• Identity document number.
• A clear and precise description of the request (inquiry, claim, or type of right to be exercised).
• Supporting documents, if applicable.
• Contact details of the requester.
Step 2 — Correction of an incomplete request
If the request is incomplete, UXEM will contact the Data Subject within five (5) business days of receipt to request the missing information. The Data Subject will have two (2) months to complete the request. If this period elapses without the required information being provided, the request will be deemed withdrawn.
Step 3 — “In process” notation
When a request involves rectification, updating, or deletion of data held in third-party (processor) databases, UXEM will include the notation “claim in process” in the record and will notify the corresponding Data Processor within two (2) business days following the filing of the request.
Step 4 — Response deadlines
• Inquiries: UXEM will respond within ten (10) business days following the filing date. When it is not possible to address the inquiry within that term, the Data Subject will be informed before the deadline, stating the reasons for the delay and the date on which the inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.
• Claims (rectification, deletion, objection): UXEM will respond within fifteen (15) business days following the filing date. If it is not possible to address the claim within that term, the Data Subject will be informed before the deadline, stating the reasons and the new response date, which may not exceed eight (8) business days following the expiration of the first term.
Appeal before the SIC
If the Data Subject believes that UXEM has violated their rights, they may file a complaint with the Superintendence of Industry and Commerce (SIC), once the claim procedure before UXEM has been exhausted:
• Website: www.sic.gov.co
• Citizen service line: 601 592 0400
10. TRANSFER AND TRANSMISSION OF DATA TO THIRD PARTIES
10.1 Recipients of Processing
UXEM may transfer or transmit personal data to the following third parties, under confidentiality and data processing agreements, and only to the extent necessary for each purpose:
a) Digital Streaming and Download Platforms (DSPs)
Recipients: Spotify AB (Sweden), Apple Inc. (USA), Amazon.com, Inc. (USA), Google LLC — YouTube Music (USA), Deezer S.A. (France), Tidal (USA), TikTok / ByteDance (China/Ireland), and other DSPs enabled on the platform.
Data transmitted: Music metadata, artist name, ISRC/UPC/ISWC codes, and other information necessary for publishing the content.
Legal basis: Contractual performance — necessary for the distribution service.
b) Payment Gateways
Recipients: PayU Colombia S.A.S., Stripe, Inc. (USA), or other enabled payment gateways.
Data transmitted: Identification and payment data necessary to process subscriptions and royalty transfers.
Legal basis: Contractual performance and legal obligation (billing).
c) Cloud Service Providers (Data Processors)
Recipients: Amazon Web Services (AWS), Google Cloud Platform (GCP), DigitalOcean, or other technology infrastructure providers.
Data transmitted: All data stored on the platform, in encrypted form.
Legal basis: Contractual performance — necessary for the technical operation of the platform.
d) Collective Management Organizations (CMOs)
Recipients: SAYCO (Colombia), ACINPRO (Colombia), ASCAP, BMI, SESAC (USA), PRS for Music (United Kingdom), and international equivalents.
Data transmitted: Artist identification data, music metadata, and information necessary for rights management.
Legal basis: Express consent of the User for intermediation before CMOs.
e) Judicial and Administrative Authorities
Recipients: Courts, tribunals, the Attorney General's Office (Fiscalía General de la Nación), DIAN, SIC, or other competent Colombian or foreign authorities.
Data transmitted: Whatever data is required by judicial, administrative, or legal order.
Legal basis: Legal obligation.
10.2 International Data Transfers
Since several of the aforementioned recipients are located outside Colombia, UXEM guarantees that international transfers of personal data are carried out by adopting the measures contemplated in Articles 26 and 27 of Law 1581 of 2012 and Decree 1377 of 2013, which include:
• Entering into contractual data transmission agreements that impose on the foreign Data Processor obligations equivalent to those provided for under Colombian law.
• Requiring that the recipient guarantee adequate levels of data protection.
• Verifying that the destination countries have legislation providing sufficient data protection guarantees.
For Data Subjects residing in the European Economic Area (EEA): To the extent the General Data Protection Regulation (GDPR) is mandatorily applicable, UXEM applies the safeguards provided for under that regulation (European Commission standard contractual clauses or other equivalent measures).
This reference applies solely when UXEM actively offers its services to residents of the European Economic Area. Otherwise, it is informational in nature.
11. PROCESSING OF DATA OF MINORS
The UXEM platform is not directed at persons under eighteen (18) years of age. Accordingly:
• The registration process requires the User to declare, by checking an express box, that they are over 18 years of age or have the authorization of their legal representative.
• This declaration constitutes a statement made under oath, and responsibility for its accuracy rests exclusively with the User.
If UXEM detects or receives notice that an underage User has registered without the proper authorization of their legal representative:
• The account will be immediately and preventively suspended.
• A verification process will be initiated and the legal representative's authorization will be requested.
• If such authorization is not provided within ten (10) business days, the account and all associated data will be permanently deleted.
• Content that was distributed during the period the account was active will be removed from DSPs within the technical timeframes permitted by each platform.
Legal representatives of minors who authorize use of the platform shall assume full responsibility for compliance with these terms and the obligations arising from the service.
12. SECURITY MEASURES
12.1 Technical Measures
• Encryption of data in transit using TLS/HTTPS protocols across all communications between the user and the platform.
• Encryption of data at rest in databases and cloud storage.
• Mandatory two-factor authentication (2FA) for UXEM internal personnel with access to systems containing personal data.
• Intrusion detection and prevention systems (IDS/IPS).
• Periodic backups stored in secure environments.
12.2 Organizational Measures
• Role-based access control (RBAC): only personnel with a justified operational need have access to personal data.
• Internal policies on password management, clean-desk practices, and device use.
• Confidentiality agreements signed by all personnel and collaborators with access to personal data.
• Periodic audits and reviews of information systems and access.
• Internal security incident management procedures.
12.3 Procedure for Security Breaches
In the event of a security incident affecting Data Subjects' personal data, UXEM will:
• Immediately activate its internal incident response protocol.
• Notify the Superintendence of Industry and Commerce (SIC) within fifteen (15) business days following detection of the incident, in accordance with Article 17(f) of Law 1581 of 2012 and SIC guidelines.
• Inform affected Data Subjects when the incident may pose a significant risk to their rights and freedoms, using clear language and indicating the measures adopted to mitigate the risk.
13. DATA RETENTION PERIOD
UXEM will retain personal data for the time strictly necessary to fulfill the purposes of processing and applicable legal obligations, in accordance with the following criteria:
• Account and service contract data: For the duration of the contractual relationship and for an additional period of five (5) years following its termination, to address potential civil or contractual liability claims.
• Financial and tax data: For the time required under Colombian tax and accounting regulations, currently a minimum of ten (10) years (Article 28, Commercial Code; Article 632, Tax Statute).
• Music metadata (ISRC, UPC, ISWC, credits): Indefinitely, given their nature as music-industry records with historical value and for purposes of identifying works and recordings.
• Technical logs and platform usage data: A maximum of twelve (12) months, unless retention is required by a competent authority or for the defense of ongoing claims.
• Data for commercial communications: Until the Data Subject revokes their consent for this specific purpose, regardless of the duration of the service contract.
14. COOKIES AND TRACKING TECHNOLOGIES
The uxem.com.co platform uses cookies and similar technologies (web beacons, tracking pixels, local storage) for the following purposes, classified by category:
• Strictly necessary cookies: Essential for the technical operation of the platform (session management, authentication, security, language preferences). They cannot be disabled without affecting the platform's operation. They do not require prior consent.
• Analytics cookies: Allow measurement of traffic, pages visited, and User behavior to improve the platform (e.g., Google Analytics). They require the User's consent.
• Preference cookies: Store the User's customized settings (e.g., visual theme, notifications). They require the User's consent.
• Marketing cookies: Used to personalize content and track advertising campaigns. They are activated only with the User's prior, express consent.
The User may manage or disable non-essential cookies through the cookie preferences panel available on the platform, or through their browser's privacy settings (Chrome, Firefox, Safari, Edge, or others). Disabling essential cookies may affect the availability or proper functioning of key platform features, including login and account management.
15. DATA SUBJECT CONTACT CHANNEL
To exercise ARCO+ rights, revoke authorizations, file complaints, or make any request related to the processing of their personal data, the Data Subject may contact UXEM through the following channel:
• Exclusive email: legal@uxem.com.co
• Standard subject line: “PERSONAL DATA REQUEST - [type of request]”
• Subject line examples: “PERSONAL DATA REQUEST - ACCESS” / “PERSONAL DATA REQUEST - DELETION” / “PERSONAL DATA REQUEST - OBJECTION TO COMMUNICATIONS”
• Service hours: Monday through Friday, 8:00 a.m. to 5:00 p.m., Colombia time (UTC-5). Excludes national holidays.
• Response time: Maximum of 15 business days for claims and 10 business days for inquiries, with the extensions established under Law 1581 of 2012 (see Section 9.2).
If the Data Subject believes that UXEM has violated their habeas data rights and has exhausted the claim procedure before UXEM without obtaining a satisfactory response, they may approach the Superintendence of Industry and Commerce (SIC) directly:
• Website: www.sic.gov.co
• Citizen service line: 601 592 0400
16. MODIFICATIONS TO THIS POLICY
UXEM reserves the right to update or modify this Policy at any time, to reflect regulatory, technological, operational, or business changes. Modifications will be communicated to the Data Subject at least fifteen (15) calendar days before their effective date, through:
• Email sent to the address registered on the User's account.
• A prominent notice on the uxem.com.co platform and/or upon login.
If the Data Subject does not agree with the modifications, they may request cancellation of their account before the effective date. Continued use of the platform after that date will constitute acceptance of the updated Policy.
17. EFFECTIVE DATE
This Personal Data Processing Policy takes effect on April 9, 2026, and will remain in force until modified or replaced by a subsequent version duly published at uxem.com.co/politica-de-datos.
UXEM Entertainment Group S.A.S.
NIT: 901811705-2 | Medellín, Antioquia, Colombia
legal@uxem.com.co | uxem.com.co/politica-de-datos
Version 1.0 | In effect as of April 9, 2026