Identification of the person responsible for the Treatment

Responsible: TMSOFT S.A.S.
NIT: 900.293.377-2
Primary address: Bogotá D.C., Colombia
Contact email for personal information: [email protected]

Attention channels:
Contact form at nebula123.com |
Telephone: +57 333 600 3000 |
Email: [email protected]

This Policy applies to the nebula123.com website, its subdomains and associated digital services (the "Platforms"). Nebula is a service provided by TMSOFT S.A.S.
This Privacy and Personal Data Processing Policy is incorporated by reference into Nebula's Terms and Conditions and is an integral part of the contract entered into with our Clients.

Scope and legal basis

This Policy applies to the processing of personal data collected by Nebula through the site nebula123.com, its applications, API and service channels.
When we act as processors on behalf of our Clients, the processing is governed by the instructions of the Client and the DPA.

Double role in treatment:
TMSOFT S.A.S. acts as Controller with respect to the personal data collected through nebula123.com and its subdomains for the management of the site, response to queries and commercial relationship.

When we provide messaging services, phone calls, email, WhatsApp Business or other Nebula functionalities on behalf of our Clients, we process personal data as Processor.
In this scenario, the Client is the Controller of the treatment and we follow their lawful and documented instructions, in accordance with this Policy and the Terms and Conditions.

As Processor, we limit the processing to the assigned purposes; we apply appropriate security measures; we may bind Subprocessors under equivalent obligations; we carry out the transmissions and, when applicable, international transfers necessary to provide the service; and, upon termination of the relationship, we will proceed to return or delete the data processed on behalf of the Client, keeping only the minimum information required for evidentiary, audit and legal compliance purposes.

Acceptance of Terms

3.1 Contractual consent

Use of the Nebula platform ("nebula123.com", "we" or the "Platform") constitutes full acceptance of these T&C and the Privacy Policy.
Acceptance is deemed to have been made when the user/client (the "Client")
(i) select the acceptance boxes when registering,
(ii) continue to use the service, or
(iii) integrates our APIs.### 3.2 Incorporation by reference The Privacy Policy published on our website is part of this contract with the same scope and binding force as these T&C.
Any reference to the "Agreement" includes, in addition to these T&Cs, the Privacy Policy and the Data Processing Commission Annex (DPA) when applicable.

3.3 Order of priority in matters of personal data

In case of conflict between these T&C and the Privacy Policy exclusively in aspects of personal data processing, the Privacy Policy will prevail.
If there is DPA/Commission Annex signed with the Client, the DPA will prevail over the Privacy Policy and the T&C regarding the treatment.

3.4 Disclosure and access

The Client declares to have read and understood the Privacy Policy available on our website and undertakes to communicate it to its end users when appropriate.

Key definitions

  • Personal data: Any information linked or that can be associated with one or more specific or determinable natural persons.
  • Sensitive data: Information that affects privacy or whose improper use can lead to discrimination (e.g., health, sexual orientation, biometric data).
  • Holder: Natural person to whom the data refers.
  • Processing: Any operation on personal data (collection, storage, use, circulation or deletion).
  • Responsible/Processor: Who decides on the database and who carries out the processing on behalf of the person responsible, respectively.

Principles for Treatment

We process data in accordance with the principles of legality, purpose, freedom, veracity, transparency, restricted access and circulation, security and confidentiality.
The legal bases include:
(i) consent;
(ii) contractual necessity;
(iii) compliance with legal obligations; and
(iv) legitimate interest when appropriate and compatible with the rights of the owner.

Data we collect

Depending on your relationship with nebula123.com, we may deal with:

  • Identification and contact: name, type and number of document, email, telephone, address.
  • Transactional and service data: request content, usage history, preferences, support tickets.
  • Navigation data: IP addresses, device identifiers, pages visited, cookies and similar technologies.
  • Billing and payments: data necessary to process collections through third parties, payment gateways. (We do not store complete card data).
  • Customer service: recordings or logs of interactions when applicable.
  • Suppliers and allies: data on representatives and contacts.

We do not request sensitive data or data from minors in general.We may process, among others, identification and contact data; Platform usage data; transactional data; and technical metadata.

Purposes:
(i) provision, maintenance and improvement of the service;
(ii) transactional support and communications;
(iii) billing and collection;
(iv) security, fraud prevention and incidents;
(v) analytics and product development;
(vi) commercial communications (with valid legal basis and opt-out mechanisms);
(vii) compliance with legal and regulatory obligations.

Purposes of Treatment

  1. Service provision: create and manage accounts, provide Platform functionalities, respond to requests and complaints.
  2. Support and improvement: incident diagnosis, usage analytics, performance and security testing.
  3. Commercial and contractual relationship: order management, billing, collections, payments and compliance with legal obligations.
  4. Communications: sending service notifications. Commercial or advertising shipments will be made only with your authorization (opt out available).
  5. Fraud prevention and security: authentication, monitoring, risk management and regulatory compliance.
  6. Improved experience and personalization: remember preferences and relevant content through cookies and similar technologies, when you authorize it.
  7. Supplier management: selection, evaluation and administration of contracts and payments.
  8. Compliance with authority mandates: attention to judicial or administrative requirements.

Authorization of the Owner

We request prior, express and informed authorization by verifiable means (e.g., checkboxes, web forms, contractual clauses, time-stamped electronic media) and retain proof of authorization.
Authorization is not required in the cases provided for by law (public data, medical/health emergency, authority requirements, historical/statistical/scientific purposes), respecting the applicable principles.

Rights of the Holders

Holders can:

  • Know, update and rectify your data.
  • Be informed about the use.
  • Submit queries and complaints.
  • Revoke the authorization and/or request deletion when appropriate.
  • Access your data for free at least once a month and every time there are substantial changes.

Consultation and complaint procedures

  • Queries: will be responded to within ten (10) business days, extendable for an additional five (5) days.
  • Claims: will be resolved within fifteen (15) business days, extendable for eight (8) additional days when necessary.

Channel: contact form indicated on the site.
All requests must include identification of the owner or his representative, description of the facts and supporting documents.

Processors, subprocessors and international transfersWe may share data with Processors and Subprocessors who act on our instructions and under equivalent confidentiality and security agreements.

Where there is international transfer, we will apply appropriate safeguards (e.g. contractual clauses, binding corporate rules or other permitted mechanisms).
We will maintain a master list of subprocessors available and will notify relevant changes with reasonable advance notice.

Cookies and similar technologies

We use cookies and similar technologies to operate the Platform, understand its usage and, where applicable, serve advertising.
We will display a banner with options "Accept all / Reject non-essential / Configure" and a preference center to manage consent by category.
Consult the Cookie Policy for details about third parties, purposes and validity.

Information security and incidents

We implement reasonable technical, organizational and administrative measures to protect data against unauthorized access, use or disclosure, loss, alteration or destruction.
We perform continuous testing and improvements proportional to the risk and nature of the data.

Incident management and notification to authority

In the event of a security incident that compromises personal data:

  • We will activate our response plan.
  • We will record and document the event.
  • We will notify the Superintendency of Industry and Commerce (SIC) and, when required, the Owners, within fifteen (15) business days following the detection of the incident.

The notification will include the nature of the incident, compromised data, actions taken and recommendations.

Data retention and deletion

We keep the data for the time necessary to fulfill informed purposes, contractual, accounting, tax and legal obligations, or as long as there is a relationship with the Owner.
When they are not necessary and there is no legal duty to preserve them, we will proceed to delete them or securely anonymize them.

Changes to this Policy

We may update this Policy to reflect changes in regulations or our processes.
We will publish the current version on nebula123.com with the last updated date and, when changes are material, we will inform you through registered channels.

Data on boys, girls and adolescents

Nebula does not direct its services to minors.
We do not knowingly collect data from children or adolescents.

Acceptance

By using our Platforms, registering or providing us with data by any means, you declare that you have read and accepted this Policy and the corresponding privacy notice.

Privacy Notice (summary)The person responsible TMSOFT S.A.S. (NIT 900.293.377-2) will process your data to provide and improve the services of nebula123.com, manage the commercial relationship and comply with legal obligations.

You have the right to know, update, rectify and delete your data, and to revoke the authorization.
To exercise them, contact us. For more information, see the full Policy.

Last updated: October 6, 2025
Version: 2.0