Privacy Policy and Personal Data Processing

1. Introduction and purpose

FOUNDATION FOR INTEGRAL DEVELOPMENT IN GENDER AND FAMILY GENFAMI (hereinafter, “Genfami”, “us” or the “Controller”), identified with NIT 900291489-1, residing at 15th Street, #, 88-21, Suite 702, and email privacidad@ganfami.org, recognizes the importance of privacy and the protection of personal data of individuals who interact with its digital channels, social programs, and projects.

This Data Protection Policy (the “Policy”) governs the collection, storage, use, circulation, deletion, and other processing activities related to personal data obtained through the website https://genfami.org, its digital forms, messaging channels (including WhatsApp Business), associated social networks, and other Genfami contact points.

This Policy is issued in compliance with Law 1581 of 2012, Decree 1377 of 2013, Decree 1074 of 2015 (Chapter 25) of the Republic of Colombia and, where applicable, the General Data Protection Regulation (EU) 2016/679 (GDPR) for data subjects located in the European Economic Area.

2. Definitions

Headline Natural person whose personal data is processed.
Personal data: any information linked or that can be associated with an identified or identifiable natural person.
Sensitive data: those that affect the privacy of the data subject or whose misuse could lead to discrimination (health, sexual orientation, biometric data, political opinions, data concerning minors, vulnerable socioeconomic situations, among others).
Data controller: Genfami, who decides the purposes and means of processing.
Data controller Natural or legal person who processes data on behalf of the Controller (technology providers, hosting, messaging, analytics).
Authorization prior, express, and informed consent of the data subject for the processing of their personal data.
Privacy Notice: physical, electronic, or verbal communication generated by Genfami to inform the holder about the applicable processing policies.

3. Personal Data We Collect

Depending on the channel and purpose, Genfami may collect the following categories of data:

3.1 Identification and Contact Information

First name and last name.
Type and number of document (when indispensable).
Email, mobile phone number, city, country, and time zone.
Cargo, community organization, or role (when applicable).

3.2 Sociodemographic and Contextual Data

Age or age range, gender, preferred language.
Approximate geographic location (city/municipality) for focusing social programs.
Declared socioeconomic level, vulnerability status, and family environment conditions (when relevant to the program).
Family composition (when required by the program).

3.3 Sensitive Data

When Genfami programs require it (emotional support, mental health, early childhood, family well-being), we may collect sensitive data such as: self-reported emotional state, well-being indicators, declared health conditions, family situation (separation, grief, violence), among others. The processing of this data requires express, explicit, and informed authorization from the data subject and will be carried out with reinforced security measures.

3.4 Minor Data

When a program is directed at children or adolescents, data will be supplied and authorized exclusively by the parent or legal guardian of the minor. Genfami will always protect the best interests of the minor, in accordance with Article 7 of Law 1581 of 2012 and Article 12 of Decree 1377 of 2013.

3.5 Navigation and Technical Data

IP address (anonymized in analytics), browser type, operating system, device.
Pages visited, time spent browsing, traffic source (UTM).
Advertising identifiers (when applicable to Google Ads/Meta Ads).
Cookies and similar technologies (see Part II — Cookie Policy).

3.6 Messaging and Interaction Data

Content of messages exchanged via WhatsApp Business API and other conversational channels.
Conversation metadata: timestamp, read status, template used, referral path.
Labels and attributes assigned to the user in the management platform (Respond.io or other).

4. Purposes of the processing

Genfami processes personal data for the following purposes, subject to the data subject's authorization:

Manage the operation of Genfami's social programs, projects, and initiatives, including registration, support, monitoring, and impact indicators.
Communicate with the stakeholder to respond to requests, provide program information, and send content related to their participation.
Operate the website https://genfami.org and improve its functionality, security, and user experience.
Provide conversational support via WhatsApp Business API and associated digital channels, including automated flows with artificial intelligence support.
Activate clinical referral or specialized support protocols when the content of the conversation warrants it, in accordance with the Part IV Guidelines.
Send marketing communications, newsletters, and awareness campaigns, provided the data subject has expressly authorized this purpose (opt-in).
Measure the effectiveness of advertising campaigns on platforms like Google Ads and social media, as well as segment audiences for remarketing campaigns targeting adults.
Conduct statistical analyses, impact assessments, and reports for allies, donors, and cooperating entities, using aggregated or anonymized data.
Comply with legal, contractual, regulatory obligations, or requirements of competent authorities.
Attend to, process, and respond to inquiries, requests, complaints, claims, and the exercise of rights by data subjects.
Manage donations, volunteer work, and strategic partner relationships.
Empower the internal team and improve process quality, using anonymized examples.

5. Legal Basis for Processing

The processing of personal data by Genfami is primarily based on:

Prior, express, and informed consent from the title, obtained through the mechanisms described in Part III of this document.
Legitimate interest from Genfami as a social organization, since it pursues goals of collective well-being and the information is handled with measures that respect the fundamental rights of the data subject.
Compliance with legal obligations applicable to Genfami and the programs it runs.
Execution of an agreement a contractual relationship when there is a formal link with the holder.

6. Processing of sensitive data

Genfami does not condition the provision of its services on the supply of sensitive data, except when the nature of the program makes it indispensable. In all cases:

Express, explicit, and independent authorization will be requested for the processing of sensitive data.
The data subject may refuse to provide sensitive data without affecting their access to general information.
Enhanced technical, administrative, and human security measures will be applied (encryption in transit and at rest, access control, anonymization in analytics, specific team training).
Access will be restricted to strictly authorized personnel with signed confidentiality agreements.
When possible and proportionate, anonymized or pseudonymized data will be used.

7. Processing of Minors' Data

Genfami handles the personal data of children and adolescents in accordance with the principle of the best interests of the child. Consequently:

Authorization for treatment will be granted by the minor's father, mother, guardian, or legal representative.
Consent will be obtained through verifiable mechanisms (digital form with a specific checkbox + confirmation email or equivalent).
The minor's right to be heard will be respected and their opinion will be valued when they are mature enough.
Personalized marketing, advertising profiling, or remarketing will not be conducted using data from minors.
Information about minors will be kept only for the strictly necessary period for the purpose and will be subsequently deleted or anonymized.

8. Holder's Rights

Pursuant to Law 1581 of 2012, Decree 1377 of 2013, and, where applicable, the GDPR, the data subject has the following rights:

Access: to access the personal data stored in Genfami's databases.
Update and correction: request correction of partial, inaccurate, incomplete, or outdated information.
Deletion: request the deletion of data when it is deemed that the data is not being processed in accordance with legal principles and obligations, or when the purpose for which it was collected has been fulfilled.
Revocation of authorization: withdraw consent at any time, without retroactive effect.
Authorization test: request evidence of consent granted.
Usage information: to be informed about how your data has been used.
File a complaint present complaints to the Superintendence of Industry and Commerce (SIC) in Colombia, or the competent authority in your country of residence.
For EU/EEA headlines (GDPR): additionally, the right to data portability, to restrict processing, to object to processing based on legitimate interests, and not to be subject to automated decision-making with significant legal effects.

9. Procedure for Exercising Rights

The holder may exercise their rights by sending a request to the email address privacidad@ganfami.org indicating: (i) full name, (ii) type and number of document, (iii) clear description of the right being exercised, (iv) preferred contact channel for the response, and (v) when applicable, documentary support for the invoked right.

Response times:

Inquiries: up to ten (10) business days from receipt, extendable by five (5) additional days.
Claims: up to fifteen (15) business days from the day after receipt, extendable for an additional eight (8) days when justified.
For data subjects covered by GDPR: up to thirty (30) calendar days, extendable by two (2) additional months in complex cases.

Data Conservation

Personal data will be kept for the time necessary to fulfill the informed purpose, attend to legal obligations, and resolve any potential claims. Reference times:

Data category	Shelf life
General Contact (Web Form)	Up to 2 years from last contact.
Program beneficiaries	Program duration + 5 years (social reporting and traceability obligations).
Sensitive data (health, well-being)	Minimum necessary for the purpose; anonymization after case closure.
Minors' data	Only during the term of the program; deletion or anonymization upon termination.
WhatsApp conversations	12 months, except in cases of referral (where they are retained according to protocol).
Donors and allies	10 years (Colombian accounting and tax obligations).
Newsletter subscribers	Until the account holder unsubscribes + 6 months of backup.

11. Data Controllers and International Transfers

To operate its services, Genfami relies on technological providers who act as data processors under contracts that include data protection clauses. The main ones are:

Provider	Purpose	Country / Transfer Mechanism
Google LLC (Analytics, Ads)	Web analytics, advertising, and remarketing	USA — Google's Standard Contractual Clauses (SCCs) and Data Processing Terms
Meta Platforms Inc. (WhatsApp Business)	Conversational messaging and HSM templates	US / Ireland — WhatsApp Business Terms and Conditions
Respond.io	Multichannel conversational management platform	Hong Kong / Malaysia — Data Processing Agreement
Hosting provider	Website hosting	Hostinger — Lithuania
Transactional email provider	Email and Newsletter Sending	Google Workspace — United States

Some of these providers process data in countries that may not have the same level of protection as Colombia or the European Union. In those cases, Genfami requires contractual guarantees (Standard Contractual Clauses, Data Processing Addenda) and, where enforceable, transfer impact assessments.

12. Cookies, Google Analytics, and Google Ads

Genfami uses cookies and similar technologies to operate the website, measure its performance, and, with the owner's authorization, run advertising campaigns on platforms such as Google Ads and Meta Ads. The details, classification, and management mechanisms are described in Part II - Cookie Policy of this document.

Regarding Google Ads and Google Analytics, Genfami declares: (i) does not collect personally identifiable information through Google Ads tags without consent; (ii) does not use sensitive data (health, vulnerability, minors' data) for remarketing or ad targeting purposes; (iii) complies with Google's User Data Policy and Google's EU User Consent Policy; (iv) anonymizes IP addresses in Google Analytics when technically feasible.

13. Safety Measures

Genfami implements reasonable and proportionate technical, administrative, and human measures to the risk, aligned with good information security practices:

In-transit encryption (HTTPS/TLS) on all website forms and communications.
Role-based access control, multifactor authentication for personnel with database access.
Confidentiality agreements signed by staff and suppliers.
Internal Incident Management and Breach Notification Policy within Reasonable Timeframes (72 hours where GDPR applies).
Periodic training for the team on data protection and digital security.
Regular review and update of technology providers and their processing agreements.
When viable, anonymization or pseudonymization of sensitive data.

14. Policy Modifications

Genfami may update this Policy whenever it deems necessary to reflect regulatory, operational, or technological changes. Any modification will be published at https://genfami.org, and when changes are substantial or affect authorized purposes, new authorization will be requested from the data subject through appropriate channels.

15. Control and Contact Authorities

For inquiries, exercise of rights, or complaints related to the processing of personal data:

Data controller: FOUNDATION FOR INTEGRAL DEVELOPMENT IN GENDER AND FAMILY GENFAMI

Email privacidad@ganfami.org

Address: 15th Street, #, 88-21, Bogotá, Colombia.

Phone: +57 312 593 69 89

Supervisory Authority: Superintendence of Industry and Commerce (SIC) — Data Protection Delegation, Bogotá D.C., Colombia. www.sic.gov.co

16. Validity

This Policy is effective May 15, 2026, and supersedes any previous versions. Databases managed by Genfami are valid for the duration of the program or relationship with the data subject, without prejudice to the retention periods set out in section 10.

Cookie Policy

1. What are cookies?

Cookies are small text files that a website installs on a user's browser or device when they visit it. They allow the site to remember information about their browsing (preferences, session, language) and, in some cases, collect data for analytics or advertising. Together with similar technologies (pixels, tags, local storage), they form the technical basis for operating the website https://genfami.org and measuring its impact.

2. Types of cookies we use

Genfami classifies cookies according to their purpose and origin:

Category	Does it require consent?	Description
Strictly necessary (technical)	No	They enable the basic functioning of the site: session, security, load balancing, accessibility. The site cannot operate without them.
Preferences	Recommended	Remembers user preferences (language, region, font size) to improve the experience.
Analytics	Yes	They collect aggregate website usage information (pages viewed, time, traffic source). Includes Google Analytics (_ga, _gid, _gat).
Advertising / Marketing	Yes	They allow displaying relevant advertising and measuring conversions. Includes Google Ads (_gcl_au, _gac_*), remarketing, and, when applicable, Meta Pixel.
From third parties	Yes	Cookies managed by external providers (Google, Meta, embedded platforms like YouTube/Vimeo) are subject to their own policies.

3. Detailed cookie list

Cookie	Provider	Type	Duration	Purpose
_ga	Google	Analytics	2 years	Identify the user anonymously
_gid	Google	Analytics	24 hours	Distinguish users
_gat	Google	Analytics	1 minute	Limit the request rate
_gcl_au	Google Ads	Advertising	90 days	Conversion Attribution
IDE / NID	Google	Advertising	13–24 months	Remarketing and advertising personalization
cookie consent	GENFAMI	Technique	12 months	Check the user's consent preference

The above list is indicative and may be updated. It is recommended to review it periodically.

4. Legal basis for the use of cookies

Technical cookies: Genfami's legitimate interest in operating the site correctly.
Analytical, advertising, and third-party cookies: prior, express, and informed consent of the user, granted through the cookie banner.

5. Consent Banner

Manage consent

To offer the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent may adversely affect certain features and functions. [Accept] [Decline] [View preferences] [Privacy Policy].

How to manage cookies

The user can manage cookie usage in the following ways:

Through the consent banner when first entering the site.
Modifying your preferences at any time from the “Cookie Settings” link located in the footer.
From your browser's settings: Chrome, Firefox, Safari, Edge, and others allow you to block, delete, or limit the use of cookies.
For Google Analytics, install the opt-out add-on: https://tools.google.com/dlpage/gaoptout
For personalized Google advertising: https://adssettings.google.com
For Meta advertising: https://www.facebook.com/adpreferences

7. Consequences of rejection

Rejecting optional cookies does not prevent you from browsing the site, but it may affect the availability of some functionalities, the accurate measurement of program impact, and the ability to receive relevant advertising content.

8. Validity and Updates

This Cookie Policy is reviewed at least once a year or when new technologies are incorporated into the site. The last update is indicated in the footer of the document.

Guidelines for Using Information on WhatsApp and Associated Digital Channels

1. Purpose and Scope

This document establishes the operational, ethical, and compliance guidelines for the use of personal information in conversational and digital channels associated with Genfami projects. It applies to all staff, volunteers, allies, and suppliers who have access to or are involved in the operation of the following channels:

WhatsApp Business API (via Meta Cloud API or authorized BSP provider).
Conversational management platform Respond.io (or equivalent).
Social media messaging channels associated with programs (Instagram DM, Facebook Messenger, Telegram, among others).
AI-powered bots and conversational agents linked to projects.

2. Guiding Principles

Prior consent No proactive conversation is initiated without registered opt-in.
Minimization Only the strictly necessary information is requested for the purpose.
Explicit purpose: Every interaction has a stated purpose for the user.
Transparency The user knows they are speaking with Genfami and, when applicable, with an automated agent.
Confidentiality The information exchanged is treated as confidential and is shared only with authorized individuals.
Careful and no harm: In the presence of risk signals (emotional, physical, rights violations), Section 8 diversion protocols are activated.
No discrimination The use of AI and automation is audited to avoid biases.

3. Opt-in and opt-out

3.1 Valid Opt-in Mechanisms

Specific field in digital form (see Part III, Section 7).
Verbal or written confirmation recorded on the management platform when the user initiates contact.
Initial message sent by the user to Genfami's official WhatsApp number (when this is the first contact).
Explicit consent at an in-person event, workshop, or conference, recorded on a printed or digital form.

3.2 Opt-out Mechanisms

Keywords at any point in the conversation: LOW, STOP, CANCEL, EXIT.
Request to the privacy email.
Verbal request to a human agent on the team.

The opt-out must be processed within 24 hours of receipt, logging it into the platform with a timestamp and reason.

4. 24-Hour Service Window and Templates (HSM)

According to the WhatsApp Business policy:

Once the user sends a message, a 24-hour service window opens during which Genfami can freely respond with session messages.
Outside of that window, only pre-approved Meta templates (HSMs) can be sent, associated with categories like utility, marketing, or authentication.
Marketing templates require express opt-in and must comply with Meta's policies on frequency and content.
Genfami maintains an internal repository of approved templates with their category, language, purpose, and restrictions.

5. Types of Authorized Templates

Category	Examples of use	Requirements
Utility	Registration confirmation, session reminder, status update	Prior opt-in and direct linking with the stated purpose
Marketing	Campaign invitations, program news, educational content	Express opt-in marketing, reasonable frequency, visible opt-out option
Authentication	Verification codes (when applicable)	Strict use for authentication, not combined with other messages

6. Sensitive Data Handling in Channels

When a conversation involves sensitive data (emotional health, vulnerable family situations, data about minors), the following rules apply:

Sensitive data that is not strictly necessary for the purpose of the conversation is avoided.
The user is informed about the sensitive nature of the information and asked for explicit confirmation of their authorization.
Messages containing sensitive data are labeled as “restricted” on the platform and their visibility is limited to authorized personnel.
Sensitive data is not stored in unencrypted spreadsheets, personal emails, or unprotected devices.
It is preferable to work with anonymized summaries when it is necessary to report the case.

7. Clinical Referral or Specialized Support Protocol

Genfami does not provide emergency clinical care services. When a conversation reveals signs of severe emotional risk (suicidal ideation, self-harm, active violence, violation of a minor's rights), the following protocol is activated:

Detection: the agent or conversational flow identifies alert signals through keywords or by human operator assessment.
Pause and containment: an empathetic message is sent acknowledging the situation and communicating that a human team member will resume the conversation.
Derivation: The corresponding support line for the user's country and city is provided clearly and verifiably (in Colombia: 106 Bogotá, 123 national, EPS lines, and institutional services).
Record: the case is flagged as “high sensitivity referral” and is kept with restricted access to a single authorized team.
Follow-up: When relevant and authorized, follow-up is performed within the deadlines defined by the program, always respecting the user's decision.
Learning: Anonymously documented to feedback flow improvement and team training.

8. Anonymization and Reporting

For reports to allies, donors, funders, or Genfami publications:

Aggregate or anonymized data are used as a general rule.
Any testimonial or individual case requires express, separate, and revocable authorization from the holder or legal representative.
Direct identifiers (name, number, exact location) are removed or replaced with pseudonyms in reports.

9. Conversation Storage and Retention

Conversations are stored on the platform authorized by Genfami (Respond.io or other) with multi-factor authentication.
The default retention period is 12 months from the last message, except in cases of high sensitivity referrals.
After the retention period, conversations are deleted or anonymized for statistical purposes.
Data is not exported to personal spreadsheets or shared via unencrypted channels.

10. Data Processors and Responsibilities

The described channels involve the following Data Controllers, whose contracts must remain in force:

Meta Platforms Inc. (WhatsApp Business API).
Respond.io or another authorized conversational management platform.
BSP (Business Solution Provider) when applicable.
AI model providers, if used for conversation analysis or response generation.

Genfami annually documents and reviews the list of Processors, their Data Processing Agreements (DPAs), and their compliance level.

11. Team Roles and Responsibilities

Role	Responsibility
Project Leader	Oversee the general compliance with the guidelines, approve workflows and templates before their publication.
Privacy Officer	Resolve title inquiries, audit consent records, validate changes to forms.
Human conversational agent	Handles cases, identifies alert signals, activates referral protocols, registers labels.
Technical team / AI	Configure flows, monitor bot behavior, perform quality tests, and bias audits.
Allies and volunteers	Sign a confidentiality agreement before accessing any information, they receive mandatory training.

12. Incident and Breach Management

In the event of an incident affecting the confidentiality, integrity, or availability of data in the channels:

Immediate containment: isolate the source, suspend compromised access, preserve technical evidence.
Internal notification to the privacy officer and project lead within the first 12 hours.
Scope Assessment: Affected users, data types, risk.
Notification to the supervisory authority: SIC in Colombia when the incident warrants it, EU authority within no more than 72 hours when GDPR applies.
Communication to stakeholders when there is high risk, with a description of the incident and mitigation measures.
Post-Incident Report and Remediation Plan with Owners and Deadlines.

13. Mandatory Training

All individuals with access to the channels receive initial training on privacy, handling sensitive data, and referral protocols.
Annual refresh and at the start of each new campaign.
Signed record of attendance and approval of internal assessment.

14. Audit and Review

Quarterly internal audit of conversation samples (no identifiers) to review quality and compliance.
Annual review of technology suppliers, templates, workflows, and compliance metrics.
Update guidelines at least once a year or when a significant regulatory, operational, or technological change occurs.

Appendix C — Version Control

Version	Date	Changes
1.0	May 26, 2026	Initial version of the integrated legal package for Genfami.