LUMIA Clinic

Privacy Policy

How we protect and manage your personal data

1. GENERAL INFORMATION

LUMIA ODONTOLOGÍA S.A.S., in pursuit of its corporate purpose of providing general and specialized dentistry services, will be responsible for data processing as well as the collection and storage of data related to patients, suppliers, employees, and any natural person who provides their personal data to the company. This policy is governed by the provisions of Law 1581 of 2012 and its regulatory decrees.

2. LEGAL FRAMEWORK AND APPLICABLE JURISPRUDENCE

The processing of personal data in Colombia is regulated by Law 1581 of 2012, which establishes general provisions for the protection of personal data. This law is complemented by:

  • Colombian Constitution (Articles 15 and 20)
  • Law 1581 of 2012 and Decree 1377 of 2013
  • Decree 1074 of 2015
  • Resolution 839 of 2017 from Ministry of Health
  • Law 2015 of 2020 and Resolution 1888 of 2025
  • Judicial rulings and precedents from Constitutional Court

7.8. IDENTIFICATION OF THE DATA CONTROLLER

Company: LUMIA ODONTOLOGÍA S.A.S.

Tax ID: 901.823.286-1

Address: Calle 33B #20-03 Local 9909, Manizales, Caldas, Colombia

Phones: 606 8902828 / 3164052829

Email: lumiaodontologia@gmail.com / lumiagestion01@gmail.com

Website: www.lumiaodontologia.com

3. PRINCIPLES

The principles established below constitute the essential foundations for the protection of personal data, and any regulated activity must comply with them and the other provisions that develop them.

  1. Principle of legality: The processing of personal data is a regulated activity that must comply with the provisions of this law and other provisions that develop it.
  2. Principle of purpose: The processing of personal data collected by LUMIA ODONTOLOGÍA S.A.S. must serve a legitimate purpose of which the data subject must be informed.
  3. Principle of freedom: Processing can only be carried out with the prior, express, and informed consent of the data subject, except where a legal or judicial mandate dispenses with consent.
  4. Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable. Processing of partial, incomplete, fragmented, or misleading data is prohibited.
  5. Principle of transparency: The processing must guarantee the data subject's right to obtain information from LUMIA ODONTOLOGÍA at any time and without restrictions about the existence of data concerning them.
  6. Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of personal data, the provisions of this law, and the Constitution. In this sense, processing can only be done by persons authorized by the data subject and/or by the provisions of the law.
  7. Principle of security: The information subject to processing by LUMIA ODONTOLOGÍA S.A.S. must be protected through the use of technical, human, and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access.
  8. Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks that comprise the processing has ended.

4. DEFINITIONS

Authorization:
Prior, express, and informed consent of the data subject to carry out the processing of personal data.
Privacy Notice:
Physical or electronic document, or document in any other format, generated by the data controller that is made available to the data subject for the processing of their personal data.
Database:
Organized set of personal data that is subject to processing.
Personal Data:
Any information linked to or that may be associated with one or more determined or determinable natural persons.
Sensitive Data:
Data that affects the privacy of the data subject or whose improper use may generate discrimination.
Data Controller:
Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the processing of the data.
Data Processor:
Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the data controller.
Data Subject:
Natural person whose personal data is subject to processing.
Processing:
Any systematic operation and procedure, automated or not, that allows the collection, storage, use, circulation, or deletion of personal data.
Transfer:
Data processing that involves the communication of personal data inside or outside the territory of the Republic of Colombia when it has as its purpose the performance of a processing by the processor on behalf of the controller.
Transmission:
Processing of personal data that involves the communication of such data inside or outside the territory of the Republic of Colombia when the purpose is for the processor to perform the processing on behalf of the controller.

5. AUTHORIZATION

The collection, storage, use, circulation, and deletion of personal data requires the free, prior, express, and informed consent of the data subjects, which must be obtained through any means that may be subject to subsequent consultation.

Authorization is a declaration that informs the data subject of:

  • The purpose for which the data will be collected and used.
  • The optional nature of the response to the questions asked.
  • The rights that assist them as data subjects and the procedure to exercise them.
  • The identification, physical or electronic address, and telephone number of the data controller.
  • The general treatment to which the data will be subjected and the purpose of the processing.

5.1. Forms of Authorization

Authorization can be granted through different means, including:

  • Physical or electronic documents
  • Data messages or email
  • Any digital format that allows guaranteeing subsequent consultation
  • Unambiguous conduct of the data subject

5.2. Proof of Authorization

LUMIA ODONTOLOGÍA S.A.S. must keep proof of the authorization granted by the data subjects, which may be contained in physical or electronic documents.

5.3. Cases Where Authorization Is Not Required

Authorization is not required in the following cases:

  • Information required by a public or administrative entity in exercise of its legal functions or by court order.
  • Data of a public nature.
  • Cases of medical or health emergency.
  • Processing of data authorized by law for historical, statistical, or scientific purposes.
  • Data related to the Civil Registry of Persons.

The above is in accordance with the provisions of Article 10 of Law 1581 of 2012.

6. PRIVACY NOTICE

The privacy notice is a physical or electronic document, or a document in any other format, generated by the data controller that is made available to the data subject for the processing of their personal data. In any case, the privacy notice must be made available to the data subject and must contain at least the following information:

  • The identity, address, and contact details of the data controller.
  • The type of processing to which the data will be subjected.
  • The general purposes of the processing.
  • The rights that assist the data subject and the procedure to exercise them.
  • The date from which the privacy notice becomes effective.

10. PURPOSES OF PERSONAL DATA PROCESSING

LUMIA ODONTOLOGÍA S.A.S. collects, stores, uses, circulates, deletes, and processes personal data for the following purposes:

  1. Analysis of the treated population and delivery of RIPS to control agencies (Ministry of Health and Social Protection, Superintendency of Health, EPS, ARL, and other entities that require it by legal mandate); research and epidemiological studies.
  2. Carry out the updating, scheduling, and confirmation of agendas and appointments.
  3. Sending information to the subscriber about promotions, events, and oral health advertising campaigns, changes, or news, and treatment and/or product offers.
  4. Evaluation of the quality of treatments and services provided.
  5. Virtual monitoring of the evolution of dental treatments.
  6. Comply with the legal and/or contractual obligations of LUMIA ODONTOLOGÍA S.A.S.
  7. Carry out commercial due diligence and commercial communication and marketing activities.
  8. Comply with commercial and labor obligations derived from the relationship with suppliers, employees, and contractors.
  9. Carry out depersonalized statistical analysis for internal purposes and business intelligence.
  10. Security and fraud prevention purposes, as well as compliance with legal obligations related to fraud prevention.

Regarding data considered as Sensitive, in accordance with the provisions of Law 1581 of 2012, LUMIA ODONTOLOGÍA S.A.S. will process them only when there is explicit authorization from the data subject, except in cases where the law provides otherwise.

7. RIGHTS AND DUTIES

7.1. Rights of Data Subjects

Data subjects have the following rights:

  • Know, update, and rectify their personal data before LUMIA ODONTOLOGÍA S.A.S., as the data controller or processor. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized.
  • Request proof of the authorization granted to the data controller, except when expressly excepted as a requirement for processing, in accordance with the provisions of Article 10 of the aforementioned law.
  • Be informed by the data controller or processor, upon request, regarding the use that has been made of their personal data.
  • File complaints before the Superintendency of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add to, or complement it.
  • Revoke the authorization and/or request the deletion of the data when the processing does not respect the principles, rights, and constitutional and legal guarantees. Revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that the data controller or processor has engaged in conduct contrary to this law and the Constitution.
  • Access, free of charge, their personal data that has been subject to processing.

In the processing of personal data, the rights of minors will be protected in any case, in accordance with the provisions of Article 7 of Law 1581 of 2012.

7.2. Duties of Data Subjects

Data subjects have the following duties:

  • Provide truthful, complete, and accurate information.
  • Update their personal data when necessary.
  • Report changes in their personal data.

7.3. Duties of Data Controllers

Data controllers have the following duties:

  • Guarantee the data subject's exercise of their rights.
  • Keep the information under the necessary security conditions.
  • Update the information when necessary.
  • Rectify the information when it is incorrect.
  • Provide the data subject with proof of authorization.
  • Inform the data subject about the purpose of the collection.
  • Inform the data subject about the processing of their data.

7.4. Duties of Data Processors

Data processors have the following duties:

  • Guarantee the data subject's exercise of their rights.
  • Keep the information under the necessary security conditions.
  • Update the information when necessary.
  • Rectify the information when it is incorrect.
  • Provide the data subject with proof of authorization.
  • Inform the data subject about the purpose of the collection.
  • Inform the data subject about the processing of their data.

7.5. Processing of Minors' Data

The processing of personal data of minors requires authorization from the legal representative and assessment of the minor's opinion according to their maturity and capacity for understanding.

7.6. Health Data and Clinical Records

Clinical records will be kept for a minimum period of 15 years counted from the date of the last care, in accordance with Resolution 839 of 2017 from the Ministry of Health. Health-related data are considered sensitive data and require express authorization from the data subject.

8. PROCEDURE FOR QUERIES AND REQUESTS BY DATA SUBJECTS

Every data subject has the right to make queries and requests to LUMIA ODONTOLOGÍA S.A.S. regarding their personal data. The procedures for exercising these rights are as follows:

8.1. Queries

Data subjects may consult their personal data at any time. The query will be answered within a maximum of 10 business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed of the reasons for the delay and the date on which their query will be attended to, which in no case may exceed 5 business days following the expiration of the first term.

8.2. Claims

Data subjects may request the correction, update, or deletion of their personal data, or revoke the authorization granted. The claim will be answered within a maximum of 15 business days from the date of receipt. When it is not possible to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended to, which in no case may exceed 8 business days following the expiration of the first term.

8.3. Contact Channels

  • WhatsApp: 3164052829
  • Email: lumiaodontologia@gmail.com / lumiagestion01@gmail.com
  • Web form: www.lumiaodontologia.com/privacidad

9. PROCESSING THROUGH DIGITAL CHANNELS (WEBSITE, APPS, AND WHATSAPP)

9.1. Website and Applications

For data processing through the website and applications, LUMIA ODONTOLOGÍA S.A.S. implements digital privacy notices, cookie management policies, and technical mechanisms for exercising rights.

9.2. WhatsApp Business

For data processing through WhatsApp Business, LUMIA ODONTOLOGÍA S.A.S. implements privacy notices, data protection measures, and procedures for exercising rights through this channel.

12. LEGAL FRAMEWORK AND SCOPE OF APPLICATION

The provisions of Articles 15 and 20 of the Colombian Constitution and of Law 1581 of 2012 and its regulatory decrees apply.

11. INFORMATION SECURITY

11.1. Security Measures

LUMIA ODONTOLOGÍA S.A.S. will adopt the technical, human, and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access.

11.2. Implementation of Security Measures

The security measures will be implemented taking into account the nature of the personal data, the risks to which they are exposed, and the technical and economic possibilities of implementation.

UPDATE ADDENDUM — PERSONAL DATA PROCESSING POLICY (Version 2.0)

Effective date: September 24, 2025

This addendum updates the Personal Data Processing Policy of LUMIA ODONTOLOGÍA S.A.S., incorporating the latest regulatory changes and best practices in data protection.

13. FINAL PROVISIONS

The Habeas Data area is responsible for complying with the provisions of this policy and ensuring the protection of personal data in all company processes.

CONTACT INFORMATION

LUMIA ODONTOLOGÍA S.A.S.

Tax ID: 901.823.286-1

Address: Calle 33B #20-03 Local 9909, Manizales, Caldas, Colombia

Phones: 606 8902828 / 3164052829

Email: lumiaodontologia@gmail.com / lumiagestion01@gmail.com

Website: www.lumiaodontologia.com

Attention Form: www.lumiaodontologia.com/privacidad