Identification of the Data Controller

Responsible: TMSOFT S.A.S.

NIT: 900.293.377-2

Main address: Bogotá D.C., Colombia

Contact email for personal data: [email protected]
Service channels:

Contact form on nebula123.com |

Phone: +57 333 600 3000 |

Email: [email protected]

This Policy applies to the nebula123.com website, its subdomains, and associated digital services (the "Platforms"). Nebula is a service provided by TMSOFT S.A.S.

The present Privacy and Personal Data Processing Policy is incorporated by reference into the Nebula Terms and Conditions and forms an integral part of the contract concluded with our Clients.

Scope and legal basis

This Policy applies to the processing of personal data collected by Nebula through the nebula123.com site, its applications, API, and service channels. When we act as processors on behalf of our Clients, the processing is governed by the Client's instructions and the DPA.

Dual role in processing: TMSOFT S.A.S. acts as Controller regarding the personal data collected through nebula123.com and its subdomains for site management, handling inquiries, and commercial relationships.

When we provide messaging services, phone calls, email, WhatsApp Business, or other Nebula functionalities on behalf of our Clients, we process personal data as a Processor. In this scenario, the Client is the Controller, and we follow their lawful and documented instructions, in accordance with this Policy and the Terms and Conditions. As a Processor, we limit processing to the entrusted purposes; apply appropriate security measures; may link Sub-processors under equivalent obligations; carry out necessary transmissions and, where applicable, international transfers to provide the service; and, upon termination of the relationship, we will proceed to return or delete the data processed on behalf of the Client, retaining only the minimum information required for evidentiary, audit, and legal compliance purposes.

Contractual incorporation and prevalence in personal data matters

This Policy is an integral part of the Nebula Terms and Conditions of Use and the contracts, service orders, commercial proposals, annexes, or agreements entered into with Clients, where applicable.

In case of contradiction between this Policy and the Terms and Conditions exclusively in matters related to the processing of personal data, this Policy shall prevail. If there is a Data Processing Agreement or DPA signed with the Client, said document shall prevail over this Policy and the Terms and Conditions regarding the processing of personal data carried out on behalf of the Client.

Key definitions

  • Personal data: Any information linked or that can be associated with one or more specific or determinable natural persons.

  • Sensitive data: Information that affects privacy or whose improper use may generate discrimination (e.g., health, sexual orientation, biometric data).

  • Data Subject: Natural person to whom the data refers.

  • Processing: Any operation on personal data (collection, storage, use, circulation, or deletion).

  • Data Controller: natural or legal person, public or private, who by itself or in association with others decides on the database and/or the Processing of personal data.

  • Data Processor: natural or legal person, public or private, who performs the Processing of personal data on behalf of the Data Controller.

Principles for Processing

We process data in accordance with the principles of legality, purpose, freedom, veracity, transparency, access and restricted circulation, security, and confidentiality. Legal bases include: (a) consent; (b) contractual necessity; (c) compliance with legal obligations; and (d) legitimate interest when appropriate and compatible with the subject's rights.

Data we collect

Depending on your relationship with nebula123.com, we may process:

  • Identification and contact: name, type and number of document, email, phone, address.

  • Transactional and service data: request content, usage history, preferences, support tickets.

  • Navigation data: IP addresses, device identifiers, pages visited, cookies, and similar technologies.

  • Billing and payments: data necessary to process payments through third parties, payment gateways. (we do not store full card data).

  • Customer service: recordings or logs of interactions when applicable.

  • Suppliers and allies: data of representatives and contacts.

We do not generally request sensitive data or data from minors.

We may process, among others, identification and contact data; Platform usage data; transactional data; and technical metadata. Purposes: (a) provision, maintenance, and improvement of the service; (b) support and transactional communications; (c) billing and collection; (d) security, fraud prevention, and incidents; (e) analytics and product development; (f) commercial communications when a valid legal basis and opt-out mechanisms exist; and (g) compliance with legal and regulatory obligations.

National Registry of Databases

When TMSOFT S.A.S. is legally obliged, it will register and keep up to date the information of its personal databases before the National Registry of Databases ---RNBD--- administered by the Superintendency of Industry and Commerce, in accordance with applicable regulations and instructions issued by said authority.

This obligation will apply regarding the databases for which TMSOFT S.A.S. acts as Data Controller. When TMSOFT S.A.S. acts as Data Processor on behalf of its Clients, it will be the Client's responsibility to comply with the obligations of the Controller, including those related to the RNBD when applicable.

Purposes of Processing

We process your data to:

  1. Service provision: create and manage accounts, provide Platform functionalities, handle requests and complaints.

  2. Support and improvement: incident diagnosis, usage analytics, performance and security tests.

  3. Artificial Intelligence functionalities: When the Client activates artificial intelligence functionalities within Nebula, the data and content processed (including audios, texts, and metadata) may be used for processing, transcription, translation, summary, sentiment analysis, or response generation, as well as for the continuous improvement and training of the specific models assigned to the Client, always under strict security and confidentiality conditions.

  4. Commercial and contractual relationship: order management, billing, collection, payments, and compliance with legal obligations.

  5. Communications: sending service notifications. Commercial or advertising mailings will be made only with your authorization (opt-out available).

  6. Fraud prevention and security: authentication, monitoring, risk management, and regulatory compliance.

  7. Experience improvement and personalization: remembering preferences and relevant content through cookies and similar technologies, when you authorize it.

  8. Supplier management: selection, evaluation, and administration of contracts and payments.

  9. Compliance with authority mandates: handling judicial or administrative requirements.

Data Subject Rights

Data subjects can:

  • Know, update, and rectify their data.
  • Be informed about the use.
  • Submit inquiries and complaints.
  • Revoke authorization and/or request deletion when appropriate.
  • Access their data for free at least once a month and whenever there are substantial changes.

Inquiry and complaint procedures

  • Inquiries: will be responded to within ten (10) business days, extendable for an additional five (5) days.
  • Complaints: will be resolved within fifteen (15) business days, extendable for eight (8) additional days when necessary.

Channel: contact form indicated on the site. All requests must include the identification of the subject or their representative, a description of the facts, and supporting documents.

Processors, sub-processors, and international transfers

We may share data with Processors and Sub-processors who act under our instructions and under equivalent confidentiality and security agreements. Where international transfer exists, we will apply appropriate safeguards (e.g., contractual clauses, binding corporate rules, or other permitted mechanisms). We will maintain a master list of sub-processors available and notify relevant changes with reasonable notice.

Cookies and similar technologies

We use cookies and similar technologies to operate the Platform, understand its use, and, where applicable, serve advertising. We will display a banner with options "Accept all / Reject non-essential / Configure" and a preference center to manage consent by category. Consult the Cookie Policy for details on third parties, purposes, and validity.

Information security and incidents

We implement reasonable technical, organizational, and administrative measures to protect data against unauthorized access, use or disclosure, loss, alteration, or destruction. We perform continuous testing and improvements proportional to the risk and nature of the data.

Incident management and notification to authority

In case of a security incident that compromises personal data:

  • We will activate our response plan.
  • We will record and document the event.
  • We will notify the Superintendency of Industry and Commerce (SIC) and, when required, the Data Subjects, within fifteen (15) business days following the detection of the incident.

The notification will include the nature of the incident, compromised data, actions taken, and recommendations.

Data retention and deletion

We keep data for the time necessary to fulfill informed purposes, contractual, accounting, tax, and legal obligations, or as long as a relationship with the Subject exists. When they are not necessary and there is no legal duty to preserve them, we will proceed to delete or securely anonymize them.

Changes to this Policy

We may update this Policy to reflect changes in regulations or our processes. We will publish the current version on nebula123.com with the last updated date and, when changes are material, we will inform you through registered channels.

Data of children and adolescents

Nebula does not direct its services to minors. We do not knowingly collect data from children or adolescents.

Acceptance

By using our Platforms, registering, or providing us with data by any means, you declare that you have read and accepted this Policy and the corresponding privacy notice.

Privacy Notice (summary)

The responsible TMSOFT S.A.S. (NIT 900.293.377-2) will process your data to provide and improve the services of nebula123.com, manage the commercial relationship, and comply with legal obligations. You have the right to know, update, rectify, and delete your data, and to revoke authorization. To exercise them, contact us. For more information, see the full Policy.

Last updated: May 15, 2026 Version: 2.0