1. INTRODUCTION AND COMMITMENT

Productora GA RD SRL, a company registered under Dominican Republic law with tax identification number RNC (Registro Nacional del Contribuyente): 1-31-3253-1, and its affiliates (“GARD,” “we,” “us,” “our”) are committed to protecting the privacy and personal data of all individuals who interact with our website, applications, and services (collectively, the “Services”).

This Privacy Policy explains how we collect, process, use, share, protect, and retain personal data in accordance with the Dominican Republic’s Personal Data Protection Law (Law No. 172-13 as amended, the “Dominican Data Protection Law”), the European Union’s General Data Protection Regulation (GDPR) where applicable, and other relevant international data protection standards.

By using our Services, you acknowledge that you have read and understood this Privacy Policy and consent to our collection and processing of your personal data as described herein. If you do not agree with our practices, please do not use our Services.

2. DATA CONTROLLER AND CONTACT INFORMATION

2.1 Data Controller

Productora GA RD SRL is the data controller responsible for the collection and processing of your personal data. We determine the purposes and means of processing.

Registered Address:
Calle Restauración 249, Santo Domingo, Distrito Nacional 10212, Dominican Republic.

Tax Identification Number RNC (Registro Nacional del Contribuyente): 1-31-3253-1.

Website: https://grupogard.com

2.2 Data Protection Officer (DPO) / Privacy Contact

For all privacy-related inquiries, requests, and data subject rights, please contact:

Privacy Contact:

• Email: [email protected]
• Telephone: +1 (829) 273-0683.
• Mailing Address:
  Calle Restauración 249, Santo Domingo, Distrito Nacional 10212, Dominican Republic.

Response Time: We will respond to all privacy inquiries and data subject requests within ten (10) business days, and no later than thirty (30) days as required by Dominican Data Protection Law.

3. PERSONAL DATA WE COLLECT

3.1 Categories of Personal Data

We collect the following categories of personal data, depending on how you interact with our Services:

3.2 Special Categories of Data

We do not intentionally collect sensitive personal data including health information, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning sex life or sexual orientation, unless:

• You explicitly provide such information for a specific, lawful purpose;
• You provide explicit written consent;
• Processing is necessary for employment purposes (with proper safeguards); or
• You have made such data manifestly public.

If you inadvertently provide such data, we will delete it unless there is a specific legal basis to retain it.

3.3 Data Collected from Children

Our Services are not directed to children under the age of 16 years old. We do not knowingly collect personal data from children under 16 without verifiable parental consent.

If you are between 16 and 18 years of age, we require your parent or legal guardian’s consent to process your personal data. If we discover we have collected data from a child under 16 without parental consent, we will delete it immediately.

If a parent or guardian believes we have collected data from their child, please contact us immediately at [email protected].

4. LEGAL BASIS FOR PROCESSING

Under Dominican Data Protection Law, we only process personal data when we have a lawful basis to do so. The following are our legal bases:

4.1 Consent

• Purpose: Marketing communications, optional surveys, non-essential cookies, recruitment outreach beyond initial interest.
• Application: You have provided explicit, informed consent, which you may withdraw at any time.
• Withdrawal: Contact us at [email protected]

4.2 Contractual Necessity

• Purpose: Fulfilling requests for information, processing registrations, delivering Services, processing transactions, managing event participation.
• Application: Processing is necessary to perform a contract to which you are a party or to take steps at your request prior to entering into a contract.

4.3 Legal Obligation

• Purpose: Compliance with applicable laws, regulations, court orders, government requests.
• Application: Processing is required by Dominican law, international law, or other applicable jurisdiction.

4.4 Legitimate Interests

• Purpose: Improving our Services, analyzing user behavior, detecting fraud, maintaining security, recruitment for similar positions, aggregated analytics.
• Application: Our interests are balanced against your privacy rights; we have conducted impact assessments and implement safeguards.
• Your Right: You have the right to object to processing on this basis (see Section 10).

4.5 Vital Interests

• Purpose: Protecting health, safety, or life in emergency circumstances.
• Application: Processing is necessary to protect vital interests of you or another person.

5. HOW WE USE YOUR PERSONAL DATA

5.1 Primary Uses

We process your personal data for the following purposes:

5.2 Recruitment-Specific Processing

If you apply for a position at GARD:

• Your personal data will be processed to evaluate your application.
• With your explicit consent, we will retain your information for future relevant opportunities.
• We will request your consent annually to continue holding your information in our recruitment file.
• You may withdraw consent at any time.
• If not retained in the recruitment file, your data will be deleted within 6 months of the recruitment process ending.

5.3 Automated Decision-Making and Profiling

We do not currently use automated decision-making or profiling to make decisions that significantly affect you (such as hiring decisions). If this changes, we will update this policy and provide separate notice and safeguards.

6. COOKIES, TRACKING TECHNOLOGIES, AND IP ADDRESSES

6.1 Cookie Policy

Our Services use cookies and similar tracking technologies. We categorize them as follows:

6.2 Explicit Consent for Non-Essential Cookies

We do not use non-essential tracking cookies without your explicit prior consent. When you first visit our site, you will be presented with a cookie banner that allows you to:

• Accept All: Accept all cookies including marketing and analytics.
• Reject All: Reject all non-essential cookies.
• Manage Preferences: Choose which cookie types to accept.
• Cookie Settings: Access a detailed cookie management page at any time.

You may withdraw your cookie consent at any time by accessing our cookie settings or contacting us at [email protected]. Withdrawal does not affect the lawfulness of processing before withdrawal.

6.3 IP Addresses

We automatically log your IP address (the location of your computer on the Internet) to:

• Diagnose technical problems with our servers.
• Administer and maintain the site’s security.
• Track traffic patterns and analyze site usage.
• Detect and prevent fraud.

Legal Basis: Legitimate interests (site security and functionality)
Retention: Technical logs retained for 30 days; aggregated data retained for analytical purposes.

6.4 Third-Party Cookies

Our site may include content from third-party providers (e.g., embedded videos, widgets). These third parties may set their own cookies. We are not responsible for their cookie practices. We recommend reviewing their privacy policies.

Third parties that may set cookies on our site:

• Google Analytics (analytics).
• LinkedIn platform.
• WhatsApp, Facebook and Instagram (Meta) platforms.

7. SHARING YOUR PERSONAL DATA

7.1 General Principle

GARD will not share your personal data with third parties without a lawful basis and, where required, your consent. We take commercially reasonable steps to prevent unauthorized disclosure.

7.2 Categories of Recipients

A. GARD Affiliates

Your personal data may be shared with GARD affiliates and subsidiaries for the purposes described in this policy. All affiliates are bound by similar data protection obligations.

• The Solomon Brokerage Firm (Estonia).
• Latin American Center for Digital Transformation – CLTD (Mexico, Estonia, Dominican Republic, El Salvador).
• G3SIS Water Division (Latin America).
• COOPRESOL (Dominican Republic).

B. Authorized Service Providers (Data Processors)

We share personal data with third-party service providers who process data on our behalf under written Data Processing Agreements (“DPAs”). These include:

Your Right: You may request a list of specific service providers and their data protection certifications by contacting [email protected].

C. Legal Requirements and Government Authorities

We may disclose your personal data without your consent when:

1. Required by Law: We are compelled by a court order, subpoena, legal process, government investigation, or regulatory authority.
2. Public Interest: Disclosure is necessary to prevent, investigate, or prosecute fraud, security breaches, or other illegal activity.
3. Protection of Rights: Disclosure is necessary to protect our rights, privacy, safety, or property, or those of our users or the public.

Notification: Except where prohibited by law, we will notify you of such disclosures if legally permitted to do so.

D. Intellectual Property Rights Protection

We may disclose contact information in response to written inquiries from legitimate intellectual property rights holders regarding allegations of infringement arising from content you have posted or submitted to our Services.

E. Business Transfers (Merger, Acquisition, Restructuring)

If GARD merges with, is acquired by, or sells substantially all of its assets or a majority of its equity to a third party:

• Transfer Notice: We will notify you of such transfer via email or prominent notice on our site.
• New Privacy Policy: The acquiring entity may operate under a different privacy policy.
• Your Choice: You will have the opportunity to withdraw consent or object before data is transferred.
• Successor Obligations: Any acquiring entity will be required to honor the commitments made in this policy.

8. INTERNATIONAL DATA TRANSFERS

8.1 Transfer Mechanisms

Personal data collected in the Dominican Republic may be transferred to and processed in other countries where GARD or its service providers operate, including:

• Estonia: Head office of The Solomon Brokerage Firm and CLTD operations.
• China: Headquarters of strategic partners PowerChina, LONGi, and CNTY for utility-scale project coordination.
• United States: Processing of technical and analytical data via Google services.

• Mechanism: Standard Contractual Clauses (SCCs) and Data Processing Agreements.
• Safeguards: Technical encryption (SSL/TLS), password-protected access controls, and regular security audits.

For transfers outside the Dominican Republic:

8.2 Your Rights Regarding Transfers

• You may request information about transfer mechanisms by contacting [email protected]
• You may object to transfers to certain countries.
• For transfers to countries without adequate data protection, we implement contractual safeguards.

8.3 No Unilateral Transfer

GARD will not transfer your personal data to countries with inadequate data protection standards without appropriate legal mechanisms in place.

9. DATA RETENTION AND DELETION

9.1 Retention Schedule

We retain personal data only as long as necessary for the purposes described in this policy. The following schedule applies:

9.2 Right to Erasure (Right to Be Forgotten)

You have the right to request erasure of your personal data in the following circumstances:

• The data is no longer necessary for the original purpose.
• You withdraw consent and there is no other legal basis.
• You object to processing on the basis of legitimate interests.
• The data was unlawfully processed.
• Erasure is required by law.

Exceptions: We may retain data if:

• Retention is required by applicable law.
• Data is necessary for legal claims or defense.
• Data relates to ongoing recruitment or employment.
• Data is necessary for security, fraud prevention, or public interest.

How to Request: Contact [email protected] with “Right to Erasure Request” in the subject line. Provide sufficient detail to identify your data. We will respond within 10 business days.

Partial Erasure: If erasure is not possible due to legal obligations, we will block access to the data instead.

9.3 Anonymization and Aggregation

Data that has been anonymized or aggregated in a way that you are no longer identifiable may be retained and used indefinitely without your further consent, as it is no longer personal data under Dominican Data Protection Law.

10. YOUR PRIVACY RIGHTS AND HOW TO EXERCISE THEM

Under the Dominican Personal Data Protection Law and applicable international standards, you have the following rights:

10.1 Right to Information (Already Provided)

You have the right to know that your personal data is being collected and processed. This Privacy Policy fulfills this obligation.

10.2 Right of Access

You have the right to obtain confirmation of whether we hold your personal data and to receive a copy of it.

How to Request:

• Email: [email protected].
• Include: “Right of Access Request” in subject line, sufficient identifying information.
• Response Time: 10 business days (no later than 30 days under Dominican law).
• Format: We will provide data in a clear, intelligible format.
• Cost: Free of charge (unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee).

What You Will Receive:

• Copy of your personal data we hold.
• Purpose of processing.
• Categories of recipients.
• Retention period.
• Your rights.

10.3 Right to Rectification (Correction)

You have the right to correct inaccurate or incomplete personal data.

How to Request:

• Email: [email protected] with “Right to Rectification Request” in subject line.
• Specify which data is inaccurate and provide correct information.
• Response Time: 10 business days.
• Notification: We will notify third-party recipients of the correction where feasible.

Online Self-Service: You may also correct certain data directly in your account profile (if applicable).

10.4 Right to Erasure (Right to Be Forgotten)

As detailed in Section 9.2, you have the right to request deletion of your personal data in certain circumstances.

10.5 Right to Restrict Processing

You have the right to request that we limit the processing of your personal data (e.g., restrict marketing communications while keeping data in systems for legal compliance).

How to Request:

• Email: [email protected] with “Right to Restrict Processing” in subject line.
• Specify which processing activities you wish to restrict.
• Response Time: 10 business days.

Effect: Restricted data will not be processed except as necessary for storage and legal compliance, until you request removal of the restriction.

10.6 Right to Object

You have the right to object to processing of your personal data on the basis of legitimate interests.

How to Request:

• Email: [email protected] with “Right to Object” in subject line.
• Specify which processing activity you object to
• Provide your grounds for objection.
• Response Time: 10 business days.

Marketing Communications: For email or other marketing, you may object by clicking the “unsubscribe” link in the communication or contacting us.

Effect: Upon receiving a valid objection, we will cease the processing activity unless we demonstrate compelling legitimate grounds that override your interests.

10.7 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller (if technically feasible).

How to Request:

• Email: [email protected] with “Right to Data Portability Request” in subject line.
• Response Time: 10 business days.
• Format: We will provide data in CSV, JSON, or other standard format (as available).

Limitations: This right does not apply to data that cannot be technically separated or that is aggregated with others’ data.

10.8 Right to Withdraw Consent

If we process your data based on your consent, you have the right to withdraw that consent at any time, without penalty.

How to Withdraw:

• Email: [email protected] with “Consent Withdrawal Request”.
• Specify which consent(s) you are withdrawing.
• Withdrawal is effective immediately for future processing.
• Past processing based on the original consent remains lawful.

Examples:

• Unsubscribe from marketing emails.
• Withdraw consent for non-essential cookies.
• Withdraw consent for recruitment file retention.

10.9 Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you (such as automatic hiring decisions).

Currently, GARD does not use fully automated decision-making for significant decisions. If this changes, we will update this policy and provide appropriate notice and safeguards, including the right to human review.

10.10 Right to Lodge a Complaint

In accordance with Law No. 172-13 on the Protection of Personal Data, the Dominican Republic does not currently have a centralized, independent data protection supervisory authority. Users are advised that the primary body responsible for protecting fundamental rights, including the right to personal data protection, is the Ombudsman (Defensor del Pueblo).

Dominican Authority:
Defensor del Pueblo de la República Dominicana (Ombudsman of the Dominican Republic).

Address: Av. Tiradentes esquina Av. 27 de Febrero, Plaza Merengue, Santo Domingo de Guzmán, Distrito Nacional, República Dominicana
Website:  https://www.defensordelpueblo.gob.do
Email:  [email protected]
Telephone: +1 (809) 381-4777

Other Authorities:

• If you are in the EU, you may also complain to your national data protection authority.
• If you are in other jurisdictions with data protection authorities, you may lodge complaints with them.

11. DATA SECURITY AND PROTECTION

11.1 Security Measures

GARD implements comprehensive technical and organizational security measures to protect your personal data from loss, misuse, alteration, unauthorized access, and destruction. These include:

Technical Measures:

• Encryption: Data in transit is encrypted using SSL/TLS protocols (HTTPS).
• Data at Rest: Sensitive personal data is encrypted at rest using industry-standard encryption.
• Access Controls: Only authorized personnel with a need-to-know have access to personal data.
• Multi-Factor Authentication: Administrative access requires multi-factor authentication.
• Regular Security Testing: We conduct penetration testing, vulnerability assessments, and security audits.
• Intrusion Detection: Automated monitoring systems detect suspicious activity.

Organizational Measures:

• Data Protection Training: All personnel handling personal data receive data protection training.
• Confidentiality Agreements: All employees and contractors sign confidentiality agreements.
• Access Logs: We maintain logs of who accessed personal data and when.
• Incident Response Plan: We have documented procedures for responding to security breaches.
• Third-Party Security: Service providers are required to maintain comparable security standards (verified through contracts and audits).

11.2 Limitations on Security Guarantees

Despite these precautions, no system is completely secure. GARD cannot guarantee that unauthorized persons will not obtain access to your personal data. Transmission over the Internet is not completely secure. You use our Services at your own risk. We are not responsible for circumvention of security measures.

11.3 Password and Account Security

You are responsible for:

• Maintaining the confidentiality of your password and access credentials.
• Notifying us immediately of any unauthorized use of your account.
• Logging out of your account when finished, especially on shared computers.

We recommend using a strong, unique password and not sharing your credentials.

12. DATA BREACH NOTIFICATION

12.1 Notification Procedures

In the event of a personal data breach (unauthorized access, loss, alteration, or destruction of data), GARD will:

1. Assess Risk: Determine whether the breach poses a risk to your rights and freedoms.
2. Internal Notification: Notify affected individuals without undue delay (typically within 3 business days).
3. Government Notification: Notify the Dominican data protection authority if required by law.
4. Content of Notice: The breach notification will include:
   
   • Description of the breach.
   • Likely consequences for affected individuals.
   • Measures taken or proposed to address the breach and mitigate harm.
   • Contact information for further details
   • Recommendations for protecting yourself.

12.2 Notification Methods

Breach notifications will be sent via:

• Email to your last known email address.
• Registered mail to your postal address (if email is unavailable).
• Prominent notice on our website.

12.3 Exceptions to Notification

We may not notify you if:

• The breach involves encrypted or anonymized data that cannot be decrypted or de-anonymized.
• We have implemented appropriate technical measures that render data unreadable.
• Risk assessment shows the breach poses no risk to your rights and freedoms.

13. THIRD-PARTY LINKS AND EXTERNAL SERVICES

13.1 Third-Party Websites

Our Services may contain links to third-party websites, applications, and services. GARD is not responsible for the privacy practices, security measures, or content of third-party sites.

When you click a link to a third-party site:

• You are leaving GARD’s Services.
• The third party’s privacy policy applies, not ours.
• Any data you provide to the third party is governed by their policies.
• We recommend reviewing their privacy policies before providing data.

13.2 Embedded Content and Framing

Some content on our Services may be supplied by third parties (e.g., embedded videos, widgets, framed content).

We do not control:

• Information collection practices of third-party content providers.
• How third parties use data they collect.
• The accuracy or legality of third-party content.

Contact Third Parties Directly: For privacy inquiries about third-party content, contact the third-party provider directly.

13.3 Social Media Integration

If we offer social media integration (e.g., login with Facebook/Google, share buttons), third-party platforms may collect data about your use of our Services. We are not responsible for their practices. Review their privacy policies directly.

14. MARKETING COMMUNICATIONS AND PREFERENCES

14.1 Email Marketing

We may send you marketing communications (promotional offers, newsletters, service updates) based on your consent. You will never receive marketing emails from us without your explicit opt-in consent.

14.2 Opting In to Marketing

How to Subscribe:

• During registration, opt-in to specific email lists or marketing categories
• Request to be added by emailing [email protected] with “Subscribe to Marketing” in the subject line.

What You Will Receive:

• Promotional emails about products, services, or events.
• Newsletters with industry updates and insights.
• Invitations to webinars, events, or surveys.
• Product announcements and special offers.

14.3 Managing Your Preferences

You have complete control over which marketing communications you receive.

How to Manage Preferences:

1. Unsubscribe Link: Every marketing email includes an “unsubscribe” link at the bottom. Click it to opt out.
2. Preference Center: Access your preference center at https://grupogard.com/cookies to select which types of communications you want.
3. Email Us: Contact [email protected] with “Update Marketing Preferences” in subject line, specifying which communications you want or don’t want.
4. Opt Out Completely: Request complete removal from all marketing lists.

Response Time: We will process preference changes within 5 to 10 business days (though removal from ongoing campaigns may take up to 5 business days).

14.4 Transactional Communications

Even if you opt out of marketing, we will still send you transactional communications, such as:

• Account confirmation and password resets.
• Order confirmations and shipping updates.
• Service announcements and security alerts.
• Responses to your inquiries.

These are not marketing; they are necessary to maintain your account and our relationship.

15. CONTACT US AND EXERCISE YOUR RIGHTS

15.1 Primary Contact Method

For all privacy-related inquiries, requests, and to exercise your rights, please contact:

Email: [email protected]
Telephone: +1 (829) 273-0683
Mailing Address:
Productora GA RD SRL
Calle Restauración 249, Santo Domingo, Dominican Republic.

15.2 Types of Requests We Accept

• Privacy Inquiries: Questions about this policy or our data practices.
• Right of Access: Request copies of your personal data.
• Rectification: Correct inaccurate data.
• Erasure: Request deletion of your data.
• Restrict Processing: Limit how we use your data.
• Data Portability: Receive your data in portable format.
• Objections: Object to processing on legitimate interest basis.
• Consent Withdrawal: Withdraw consent for marketing, cookies, etc.
• Complaint: Report a concern or violation.

15.3 Request Procedures

To submit a request:

1. Email: Send a request to [email protected] with:
   
   • “[Type of Request]” in the subject line (e.g., “Right of Access Request”).
   • Your full name
   • Email address and/or telephone number.
   • Sufficient detail to identify your data (account number, dates, etc.).
   • Specific request and supporting explanation.
   • Your signature (digital signature acceptable).
2. Mailing Address: Send a written request to the mailing address above with the same information.
3. In Person: Visit our offices during business hours to submit a request in person.

15.4 Verification

To protect your privacy, we may request additional information to verify your identity before processing your request. This may include:

• Government-issued ID.
• Confirmation of personal details.
• Proof of residence.

15.5 Response Time and Fees

15.6 Denial of Requests

If we deny a request, we will explain:

• Reasons for denial.
• Your right to lodge a complaint with the data protection authority.
• Information about the appeal process (if any).

16. CHILDREN’S PRIVACY

16.1 Age Restrictions

Our Services are not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13 without verifiable parental consent.

16.2 Parental Consent for Ages 13-18

For individuals between 13 and 18 years of age, we require verifiable consent from a parent or legal guardian before processing personal data.

Process for Obtaining Parental Consent:

• We will request email from the parent/guardian.
• Parent/guardian will receive a verification email with consent details.
• Parent/guardian must confirm consent before the child’s account is activated.
• Parents/guardians may withdraw consent at any time.

16.3 Data Involving Minors

Personal data involving minors will be:

• Processed with greater care and security.
• Not sold or disclosed to third parties for marketing.
• Used only for the stated purposes.
• Deleted upon request from the parent/guardian.

16.4 Parental Rights

A parent or legal guardian of a minor may:

• Request access to the minor’s personal data.
• Correct inaccurate information.
• Request deletion.
• Withdraw consent.
• Opt the minor out of all non-essential processing.

Contact: Email [email protected] with “Parental Request” in the subject line, including proof of guardianship and the minor’s name.

16.5 Discovery of Unauthorized Child Data

If we discover we are processing personal data from a child under 13 without proper parental consent, we will:

• Delete the data immediately.
• Notify the parent/guardian if we can identify them.
• Not use the data for any purpose.

17. SPECIAL PROVISIONS FOR DIFFERENT JURISDICTIONS

17.1 Dominican Republic

This Privacy Policy is primarily designed to comply with the Dominican Personal Data Protection Law (Law No. 172-13). Residents of the Dominican Republic have all rights outlined in this policy and Section 10.

17.2 European Union (GDPR)

If you are an EU resident, your personal data is processed in accordance with the GDPR. You have additional rights and protections, including:

• Right to lodge a complaint with your national data protection authority.
• All rights listed in Section 10 apply with full GDPR protections.
• We will not transfer your data outside the EEA without appropriate safeguards.

17.3 Other Jurisdictions

For residents of other countries with data protection laws (e.g., California’s CCPA, Canada’s PIPEDA, Brazil’s LGPD):

• Your local data protection laws apply in addition to this policy.
• You have rights under your local laws in addition to those described here.
• For jurisdiction-specific rights and requests, contact [email protected].

18. AUTOMATED DECISION-MAKING AND PROFILING

18.1 Current Practices

GARD does not currently use fully automated decision-making or profiling to make decisions that significantly affect you, such as:

• Automatic job hiring or rejection.
• Automatic loan/credit decisions.
• Automatic benefit determinations.
• Other decisions with significant legal or practical effect.

18.2 Future Use

If GARD introduces automated decision-making in the future, we will:

• Update this policy with clear disclosure.
• Provide you with advance notice.
• Explain the logic, significance, and consequences of the automation.
• Offer you the right to human review and decision-making.
• Allow you to contest automated decisions.
• Implement safeguards to prevent discrimination.

18.3 Right to Object

If we do use automated decision-making, you have the right to:

• Request explanation of the automated decision.
• Obtain human review by GARD personnel.
• Provide input or challenge the decision.
•  

19. DATA PROTECTION IMPACT ASSESSMENTS

19.1 Commitment to Impact Assessments

GARD conducts Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including:

• Large-scale collection of personal data.
• Processing of sensitive data.
• Automated decision-making or profiling.
• New technologies or processing methods.
• Processing that may restrict individuals’ rights or freedoms.

19.2 Your Right to Know

You may request information about whether a DPIA has been conducted for processing that affects you. Contact [email protected] with “DPIA Inquiry” in the subject line.

19.3 Documentation

GARD maintains documentation of:

• Processing activities and purposes.
• Data flows and recipients.
• Security measures and safeguards.
• Risk assessments and mitigation strategies.
• Lawful basis for each processing activity.

This documentation is available upon request by data protection authorities.

20. COOKIES AND PREFERENCE MANAGEMENT

20.1 Detailed Cookie Information

Essential Cookies (No Consent Required):

• Session cookies that maintain your login.
• Security cookies that detect suspicious activity.
• Preference cookies that remember your language and settings.
• Load-balancing cookies that optimize site performance.

Analytics Cookies (Consent Required):

• Google Analytics: Measures site traffic, user behavior, conversion rates.
• Facebook Pixel, Google Ads, and LinkedIn Insight Tag: These tools are used to track user interactions and engagement with advertisements to measure marketing effectiveness and deliver targeted content.
• Duration: Up to 2 years
• Data: Pages visited, time on page, geographic location, device type, browser

Marketing Cookies (Consent Required):

• Retargeting pixels: Show you relevant ads after you leave our site.
• Facebook Pixel, Google Ads, etc.: Track conversions and user journeys.
• Duration: Up to 2 years
• Data: Products viewed, pages visited, time on site.

20.2 Managing Your Cookie Preferences

At Any Time, You Can:

1. Visit our Cookie Preferences page at https://grupogard.com/cookies.
2. Click “Manage Cookies” in the footer of our website.
3. Email [email protected] with “Cookie Preferences Change” in subject line.
4. Adjust settings in your browser to reject cookies (note: this may limit site functionality).

Browser-Level Controls:

• Chrome: Settings > Privacy and Security > Cookies and other site data.
• Firefox: Preferences > Privacy & Security > Cookies and Site Data.
• Safari: Preferences > Privacy > Cookies and website data.
• Edge: Settings > Privacy > Cookies and other site data.

20.3 Do Not Track Signals

Some browsers allow you to send a “Do Not Track” signal. GARD honors Do Not Track signals by disabling non-essential tracking cookies if you have Do Not Track enabled in your browser.

21. LEGITIMATE INTERESTS ASSESSMENT

21.1 Processing Based on Legitimate Interests

Where we process personal data based on legitimate interests (as stated in Section 4.4), we have balanced our interests against your privacy rights and conducted impact assessments.

21.2 Our Legitimate Interests Include:

21.3 Balancing Test

For each legitimate interest, we have assessed:

• Necessity: Is processing necessary to achieve the interest?
• Proportionality: Is the processing proportional to the interest?
• Your Expectations: Would you reasonably expect this processing?
• Your Interests: Do your privacy interests override our interests?
• Safeguards: What safeguards protect your rights?

You may request documentation of this balancing test by contacting [email protected].

22. POLICY UPDATES AND AMENDMENTS

22.1 Right to Update This Policy

GARD reserves the right to modify this Privacy Policy at any time to reflect:

• Changes in our data practices.
• Changes in applicable law.
• Improvements to our privacy protections.
• Feedback from users and regulators.

22.2 Notification of Changes

We will notify you of material changes by:

1. Email Notification: Sending an email to your registered email address (at least 30 days before changes take effect).
2. Website Notice: Displaying a prominent notice on our website homepage.
3. In-Service Notice: Displaying a notice when you log into your account.
4. Effective Date: Stating the new effective date clearly.

What Constitutes “Material Change”:

• Changes to the types of data we collect.
• Changes to how we use your data.
• Changes to recipients of your data.
• Reduction in your privacy rights.
• Changes to contact information or complaint procedures.

Minor Changes (clarifications, corrections, non-substantive updates) may be made without 30-day notice.

22.3 Your Consent to Changes

By continuing to use our Services after we notify you of material changes, you consent to the updated policy. If you do not agree with changes, you have the right to:

• Withdraw consent.
• Request deletion of your data (subject to legal retention obligations).
• Stop using our Services.
• Object to specific processing activities.

22.4 Version History

23. ACCOUNTABILITY AND GOVERNANCE

23.1 Data Protection Compliance Program

GARD has implemented a comprehensive data protection compliance program including:

Governance:

• Data Protection Officer oversight (if required).
• Privacy committee reviewing policies and practices.
• Regular compliance audits and assessments.
• Incident response and breach notification procedures.

Training & Awareness:

• Annual data protection training for all personnel.
• Role-specific training for those handling personal data.
• Awareness campaigns about privacy best practices.

Documentation:

• Records of all processing activities.
• Data Processing Agreements with service providers.
• Policies and procedures for data handling.
• Incident logs and corrective action records.

23.2 Regulatory Cooperation

GARD cooperates fully with:

• Dominican data protection authority (Defensor del Pueblo de la República Dominicana (Ombudsman of the Dominican Republic)).
• Other regulatory and law enforcement authorities.
• Data subjects in exercising their rights.

23.3 Breach Management

GARD maintains:

• Incident Response Team: Trained personnel to respond to breaches.
• Documentation: Records of all incidents and responses.
• Notification Procedures: Protocols for timely notification to affected individuals and authorities.
• Remediation: Steps taken to prevent recurrence.

24. THIRD-PARTY DATA PROCESSORS AND CONTROLLERS

24.1 Data Processor Relationships

When GARD engages service providers to process personal data on our behalf, we ensure:

Contractual Requirements:

• Written Data Processing Agreement (DPA) with each processor.
• Clear description of processing scope, purposes, and duration.
• Explicit authorization limits (processors cannot use data for their own purposes).
• Confidentiality obligations.
• Security standards matching GARD’s commitments.
• Sub-processor notification and approval procedures.
• Audit and inspection rights.
• Data subject rights assistance (processors must help you exercise your rights).
• Deletion or return of data upon termination.

24.2 Joint Controllers

In some cases, GARD may be a joint controller with another entity (both entities determine purposes and means of processing). In such cases:

• A Joint Controller Agreement will be in place.
• You will be notified of joint control.
• Contact information for both controllers will be provided.
• Each controller is responsible for complying with your rights requests.

24.3 Sub-Processors

Some of our processors may engage their own sub-processors. You have the right to:

• Know who sub-processors are.
• Object to engagement of new sub-processors.
• Request a list of current sub-processors.

How to Request: Contact [email protected] with “Sub-Processor Inquiry” in subject line.

25. COMPLAINT AND DISPUTE RESOLUTION

25.1 Internal Complaint Process

If you have a privacy concern or believe your rights have been violated:

Step 1: Contact Us

• Email: [email protected] with “Privacy Complaint” in subject line.
• Include: Your name, description of the issue, what you’re requesting as resolution, and any supporting documentation.
• Timeline: You will receive acknowledgment within 5 business days.

Step 2: Investigation

• GARD will investigate your complaint thoroughly.
• You may be contacted for additional information.
• Investigation will be completed within 30 days (may be extended for complex issues).

Step 3: Response

• We will provide a written response explaining:
  
  • Our findings.
  • Whether we found a violation.
  • Corrective actions taken or proposed.
  • Your right to escalate to the data protection authority.

Step 4: Appeal

• If you’re unsatisfied with our response, you may request escalation to our Data Protection Officer or management.
• Additional review will be conducted within 15 business days.

25.2 Regulatory Complaint Process

Escalation to National Authorities:

• General Personal Data: Complaints regarding general data processing violations should be directed to the Defensor del Pueblo.
• Financial & Credit Data: Complaints specifically regarding credit bureau (SIC) data or financial sector infringements should be directed to the Superintendencia de Bancos de la República Dominicana via their ProUsuario platform.

Dominican Authority:
Defensor del Pueblo de la República Dominicana (Ombudsman of the Dominican Republic).

Address: Av. Tiradentes esquina Av. 27 de Febrero, Plaza Merengue, Santo Domingo de Guzmán, Distrito Nacional, República Dominicana
Website:  https://www.defensordelpueblo.gob.do
Email:  [email protected]
Telephone: +1 (809) 381-4777

Other Authorities:

• EU Residents: Your national data protection authority (find it at edpb.eu).
• Canadian Residents: Office of the Privacy Commissioner of Canada (priv.gc.ca).
• Other Jurisdictions: Your country’s data protection or privacy commissioner.

25.3 Dispute Resolution

• Mediation: Conducted in Santo Domingo, Dominican Republic, through neutral mediators such as those appointed by the Dominican Chamber of Commerce.
• Arbitration: Binding arbitration administered by the American Chamber of Commerce of the Dominican Republic (AMCHAM), the International Chamber of Commerce (ICC), or under UNCITRAL Rules.

25.4 No Retaliation

GARD will not retaliate or discriminate against you for:

• Exercising your privacy rights.
• Lodging a complaint with a regulatory authority.
• Objecting to processing.
• Withdrawing consent.

26. CONTACT INFORMATION FOR REGULATORY AUTHORITIES

26.1 Dominican Republic

In accordance with Law No. 172-13 on the Protection of Personal Data, the Dominican Republic does not currently have a centralized, independent data protection supervisory authority. Users are advised that the primary body responsible for protecting fundamental rights, including the right to personal data protection, is the Ombudsman (Defensor del Pueblo).

Dominican Authority:
Defensor del Pueblo de la República Dominicana (Ombudsman of the Dominican Republic).

Address: Av. Tiradentes esquina Av. 27 de Febrero, Plaza Merengue, Santo Domingo de Guzmán, Distrito Nacional, República Dominicana
Website:  https://www.defensordelpueblo.gob.do
Email:  [email protected]
Telephone: +1 (809) 381-4777

Complaint Process:

• Complaints may be filed in writing or electronically.
• Provide your name, contact information, description of violation, and supporting evidence.
• Authority will investigate and provide written response within specified timeframe.

26.2 Other Regulatory Bodies

If you are subject to multiple jurisdictions, data protection authorities include:

27. DEFINITIONS

For clarity, the following terms have these meanings in this Privacy Policy:

28. MISCELLANEOUS PROVISIONS

28.1 Entire Agreement

This Privacy Policy, together with our Terms of Service and other posted policies, constitutes the entire agreement between you and GARD regarding the processing of your personal data. This policy supersedes all prior privacy statements or policies.

28.2 Severability

If any provision of this Privacy Policy is found to be invalid or unenforceable under applicable law, that provision will be severed and the remainder of the policy will continue in full force and effect.

28.3 Governing Law

This Privacy Policy is governed by the laws of the Dominican Republic, without regard to conflicts of law principles. However, to the extent you are subject to GDPR or other jurisdiction-specific data protection laws, those laws will apply to the extent they conflict with Dominican law.

28.4 Jurisdiction and Venue

For disputes arising under this Privacy Policy:

• Jurisdiction: Courts of the Dominican Republic.
• Venue: Santo Domingo, Distrito Nacional.
• Exception: You retain the right to lodge complaints with data protection authorities in any jurisdiction where you have rights under local law.

28.5 No Waiver

GARD’s failure to enforce any provision of this Privacy Policy does not constitute a waiver of that provision or any other provision.

28.6 Interpretation

• Headings are for convenience only and do not affect interpretation.
• Use of “including” means “including without limitation”.
• “Or” is not exclusive
• Singular and plural forms are interchangeable.

28.7 Language

In accordance with Section 13.4.4 of our Terms & Conditions, please be advised that while this policy is provided in English for your convenience, any formal legal proceedings or regulatory filings within the Dominican Republic will be conducted in Spanish.

29. ACKNOWLEDGMENT AND CONSENT

29.1 Your Acknowledgment

By using GARD’s Services, you acknowledge that you have:

• Read this entire Privacy Policy.
• Understood how we collect, process, and protect your personal data.
• Understood your rights and how to exercise them.
• Agreed to the collection and processing of your personal data as described herein.
• Consented to the storage of your information in our systems.

29.2 Withdrawal of Consent

You may withdraw this consent at any time by:

• Contacting us at [email protected] with “Consent Withdrawal” in the subject line.
• Specifying which processing activities you withdraw consent from.
• Requesting deletion of your data (subject to legal retention obligations).

Withdrawal does not affect the lawfulness of processing before withdrawal.

29.3 No Obligation to Provide Data

You are not obligated to provide personal data to GARD. However:

• Certain data may be necessary to use our Services.
• If required data is not provided, we may be unable to fulfill your requests or provide services.
• Optional data will be clearly marked as such.

30. FINAL PROVISIONS

30.1 Contact Us for Any Questions

If you have any questions, comments, or concerns about this Privacy Policy or our privacy practices, please contact us:

Email: [email protected]
Telephone: +1 (829) 273-0683
Mailing Address:
Productora GA RD SRL
Calle Restauración 249, Santo Domingo, Dominican Republic.
Website: https://grupogard.com

We welcome your feedback and are committed to addressing your concerns promptly.

30.2 Effective Date and Updates

Effective Date: January 1, 2018. (This policy replaces all prior privacy policies)

Last Updated: April 10, 2026

Next Review Date: January 1, 2027. (We review this policy annually.