Data Privacy Policy

The protection of personal data is of vital importance to GRUPO TRANSOCEANICA. Our processes, processing activities, and services are designed to ensure data protection and information security as part of our institutional objectives. For this reason, through this Policy, we inform our employees, candidates, suppliers, customers, visitors, and other data subjects, in a clear and transparent manner, about the processing of their personal data.

1.- What is the purpose of our Privacy Policy?

The main purpose of our Privacy Policy is to comply with the duty to inform and to strengthen the level of trust between the companies that make up GRUPO TRANSOCEANICA, as Data Controllers, and the data subjects. We provide information on how GRUPO TRANSOCEANICA processes your personal data in the activities it carries out for the performance of its operations. We also inform you about your rights and the mechanisms available to exercise them.

This Policy shall apply to all databases containing personal data of employees, candidates, customers, suppliers, visitors, and data subjects in general, which are processed by GRUPO TRANSOCEANICA. The activities carried out by the companies, as Data Controllers, comply with the principles and rights set forth in the Organic Law on Personal Data Protection (LOPDP), its General Regulations (RGLOPDP), and the resolutions issued by the Superintendence of Personal Data Protection (SPDP).

This Privacy Policy is supplemented by the other notices related to the protection of personal data that the Data Controllers issue or may issue. This Privacy Policy is available on the company’s website: https://www.transoceanica.com.ec

2.- Who is responsible for the processing of personal data?

Each of the companies that make up GRUPO TRANSOCEANICA is responsible for the processing of personal data, as applicable to the activities they carry out. The corporate names of the Data Controllers are:

  1. TRANSOCEANICA CIA. LTDA., identified with Taxpayer Identification Number (Registro Único de Contribuyentes) No. 0990082820001, with email address pdp@transoceanica.com.ec, and principal domicile at Edificio SUDAMERICA, 7th floor, Malecón 1401 and Illingworth Street, in the canton of Guayaquil, province of Guayas, Ecuador.
  2. TRANSOCEANICA LOGISTICS TCLOG S.A., identified with Taxpayer Identification Number (Registro Único de Contribuyentes) No. 0990137331001, with email address pdp@transoceanica.com.ec, and principal domicile at Edificio SUDAMERICA, 7th floor, Malecón 1401 and Illingworth Street, in the canton of Guayaquil, province of Guayas, Ecuador.
  3. TRANSPOINT S.A., identified with Taxpayer Identification Number (Registro Único de Contribuyentes) No. 0991074147001, with email address pdp@transoceanica.com.ec, and principal domicile at Edificio SUDAMERICA, 7th floor, Malecón 1401 and Illingworth Street, in the canton of Guayaquil, province of Guayas, Ecuador.
  4. TRANSOCEANICA AGENCIA ADUANERA TRANSADUANEC S.A.S., identified with Taxpayer Identification Number (Registro Único de Contribuyentes) No. 0993387382001, with email address pdp@transoceanica.com.ec, and principal domicile at Edificio SUDAMERICA, 7th floor, Malecón 1401 and Illingworth Street, in the canton of Guayaquil, province of Guayas, Ecuador.

For the purposes of this Policy, you may contact the companies of GRUPO TRANSOCEANICA by email at pdp@transoceanica.com.ec and by telephone at 043810110.

3.- What categories of personal data do we process?

Depending on the data subject and the processing activities we carry out, the categories of data may include the following:

  1. Identification data: Such as first name, surname, national ID number, email address, country and city of residence, address, telephone number, username, mobile phone number, driver’s license, vehicle license plate, image, and signature.
  2. Personal characteristics data: Such as date of birth, nationality, place of birth, age, marital status, and sex.

  3. Data related to family dependents: Such as name, national ID number, and date of birth of children and spouse, and the spouse’s workplace or occupation.

  4. Profile and aptitude data: Such as community activities, hobbies, and administrative, cognitive, behavioral, commercial, emotional, and relational competencies.
  5. Academic and professional data: Such as level of education, academic degrees, courses, specialization, LinkedIn profile, curriculum vitae, work experience, languages, places of study, personal or professional references, certifications, affiliations, licenses, registration, or permits necessary for the performance of the activity or provision of the service.
  6. Employment data: Such as position, date of hiring, compensation, deductions, employment history, employment benefits, bank accounts, previous workplaces, and employment references.
  7. Health data: Such as blood type, occupational and pre-occupational medical examinations, illnesses, injuries, occupational disease, workplace accidents, and data related to the disability status of the individual and their relatives.
  8. Sensitive data: Such as fingerprint biometric data and the biometric template derived from facial recognition.
  9. Location data: Such as GPS location or trip identifier.
  10. Commercial and economic activity data: Such as the service offered, the economic activity carried out, and public office status, when applicable.
  11. Financial and/or credit data: Such as information contained in bank certificates or the consultation of credit information in legally authorized records or bureaus.
  12. Judicial or administrative data provided by the data subject and/or obtained from publicly accessible sources: Such as judicial records, criminal records, and administrative violations.

4.- For what purposes and on what legal basis do we process personal data?

The personal data processing activities we carry out are focused on protecting the rights of data subjects and on the principle of proportionality. This means that, in each case, we process data that is adequate, relevant, and limited to the fulfillment of the explicit purposes that motivated its collection, in order to enable the performance of the employment, commercial, contractual, or other relationship.

Depending on the data subject, we use their personal data for the following activities and according to the following legal bases set forth in the Organic Law on Personal Data Protection:

a) Based on compliance with legal obligations:

  1. For compliance with legal obligations and the exercise of specific rights corresponding to the companies that make up GRUPO TRANSOCEANICA, including the provisions established in regulations related to: prevention of money laundering, terrorist financing, and other crimes (UAFE); personal data protection; tax and fiscal management (SRI); customs and commercial matters (SENAE); labor and social security matters (IESS, Ministry of Labor); and other sector-specific regulations applicable to the line of business, including audit processes and reporting to supervisory authorities.
  2. For accounting and tax management, for the purpose of generating and processing invoices and/or tax documents required by law, filing tax returns, maintaining the business’s accounting entries and records, and carrying out payroll payment management for employees in relation to their compensation and other social benefits.

b) Based on the implementation of pre-contractual measures and the fulfillment of contractual obligations:

  1. For logistics management, which includes the identification, access control, and authorization of authorized persons at terminals, ports, airports, ships, and vessels; as well as the coordination of cargo loading, unloading, storage, dispatch, and transportation operations for goods and containers.
  2. To manage the relationship with suppliers and drivers, for the purpose of maintaining an information record, including data verification, supplier evaluation and qualification, driver management and control, monitoring the location and traceability of cargo during active trips through geolocation systems, approval and execution of payments, response to requests, and delivery of communications.
  3. For personnel recruitment management, for the purpose of carrying out the recruitment process for potential candidates for available positions, including profile evaluation, verification of employment history, psychometric and knowledge testing, validation of references, and subsequent hiring of employees.
  4. For the management of human resources records and activities, for the purpose of maintaining a record of the companies’ employees and administering activities and information related to their duties and employment relationship, such as: identification, duties, compliance with obligations, authorizations with third parties and execution of activities on behalf of the employer, notices of entry and exit before the IESS, employment settlements, promotions, transfers, occupational examinations, medical reviews, performance evaluations, workplace climate, continuing education and training processes, assignment and review of work tools according to the position, management of employment benefits, among others.
  5. For communications management, for the purpose of contacting the employee, customer, or supplier and sending communications and notices for the performance of the legal relationship, risk prevention processes, and other activities inherent to the line of business.
  6. For shift assignment management, for the purpose of serving customers through the different platforms of the group companies.
  7. For commercial and sales management, for the purpose of processing information for the performance of operations or development of the services contracted by the customer, including the verification of the customer’s information and that of their collaborators and/or recipients; as well as the commencement of the commercial relationship and compliance with legal, tax, and customs requirements. This management includes handling requests, support, collection management, and contact regarding incidents.
  8. For the management of activities related to the purchase and sale of airline tickets, including ticket reservations and tourism packages.

c) Based on free, unequivocal, and informed consent:

  1. For the review of credit information, including the assessment of the commercial and risk profile, in order to verify compliance with obligations, indebtedness level, and to manage credit lines, inquiries, and verification of credit profile information in duly authorized Credit Data Records and/or Credit Bureaus, always observing the security measures, principles, and limitations applicable to such purpose.
  2. For hiring analysis management, for the purpose of reviewing and evaluating the information provided by the candidate in selection processes according to the company’s requirements, including pre-occupational examinations, background checks, and subsequent storage of information for possible future hiring processes. These processing activities shall be carried out in accordance with the internal procedures and protocols established by GRUPO TRANSOCEANICA.
  3. For the processing of employees’ biometric data, exclusively under the following modalities and purposes: (i) fingerprint for monitoring and recording attendance during the workday; and (ii) facial recognition for access control to the group’s facilities and physical areas. Under no circumstances is the original biometric image stored; only the derived mathematical template is retained. Each modality requires independent explicit consent. For this processing, Grupo Transoceánica has carried out a proportionality test and a Data Protection Impact Assessment (DPIA), in accordance with the pronouncements of the Superintendence of Personal Data Protection, and implements appropriate technical, legal, and organizational measures to ensure the confidentiality, integrity, availability, and resilience of personal data, limiting access solely to authorized personnel.
  4. For the communication of the personal data of its employees to allied companies providing private insurance, prepaid health services, hospital health centers, and supermarket chains, solely for the formalization, administration, and management of private medical insurance, comprehensive prepaid health care services, and the benefits and discounts granted by Grupo Transoceánica as part of its employment benefits. For these purposes, the recipient companies of the information shall process the personal data as independent Data Controllers, in accordance with the Organic Law on Personal Data Protection and its General Regulations.
  5. For the management of corporate and/or commercial publications in which the image of employees or customers is included, directly or indirectly, for the purpose of disseminating, disclosing, or publishing them through GRUPO TRANSOCEANICA’s official channels, corporate social media accounts, or other communication media.

d) Based on our legitimate interest:

  1. For the management of access control and authorization to the facilities of the companies that make up GRUPO TRANSOCEANICA, for the purpose of preserving the security of the establishment, movable property, and infrastructure through formal physical access control for any type of visitor or person entering the premises, always observing the security measures, principles, and limitations applicable to such purpose.
  2. For facility security management, for the purpose of safeguarding the safety of people, facilities, and assets of the companies of GRUPO TRANSOCEANICA, which involves the use of video surveillance tools. At the entrance to our facilities, the existence of video surveillance cameras is disclosed through visible informational signs. The cameras record images only at points where this is justified to ensure the security of property and persons, without video surveillance of spaces that affect the privacy of data subjects.
  3. For the prevention, detection, and reporting of fraud, money laundering, terrorist financing, and related crimes, within the framework of the due diligence and regulatory compliance obligations applicable to Grupo Transoceánica.
  4. For internal communication and coordination among the legal entities that make up GRUPO TRANSOCEANICA, to the extent necessary and proportionate for the shared storage and management of information systems and logistics or administrative operations.
  5. To maintain the security of information and communication technology networks and systems within the companies that make up Grupo Transoceánica.

e) Processing of personal data contained in publicly accessible databases, in order to verify public information of data subjects for the execution and formalization of the legal relationship, provided that such information is relevant and proportionate to the purpose of the processing, which may include judicial records, criminal records, administrative violations, among others.

5.- How do we obtain personal data?

GRUPO TRANSOCEANICA collects your personal data through the following sources:

  1. Data provided directly by the data subject at the beginning and during the performance of the employment, contractual, or commercial relationship; as well as through consent forms, contracts, purchase orders, shipments, transport waybills, customs documents, First Time Forms, among others. If the data subject does not provide the requested data or provides erroneous or inaccurate data, the companies of GRUPO TRANSOCEANICA will not be able to fulfill the purposes established for the processing.
  2. Data provided upon entering the facilities, as well as data provided during security, access control, and video surveillance processes.
  3. Data collected from publicly accessible sources, authorized Credit Bureaus, records of competent public entities, and other sources permitted by law.
  4. Data provided by the Evaluar platform for the processing of candidate information within the framework of selection processes.
  5. Data generated in the context of the employment relationship or the provision of services, such as attendance records, performance evaluations, geolocation data during active transportation trips, records from corporate information systems, among others.

6.- To whom do we disclose or transfer personal data?

For the execution of the processing activities described and for compliance with legal and contractual obligations, GRUPO TRANSOCEANICA may disclose and/or transfer your personal data to the following persons or entities:

  1. Public sector entities and institutions in accordance with their legitimate powers, such as the Internal Revenue Service (SRI), the Ecuadorian Social Security Institute (IESS), the Ministry of Labor, the Financial and Economic Analysis Unit (UAFE), the Superintendence of Banks, the Superintendence of Companies, the National Customs Service of Ecuador (SENAE), the Superintendence of Personal Data Protection (SPDP), judicial and administrative authorities, among others.
  2. External auditors in compliance with contractual and legal obligations applicable to the group companies.
  3. Allied companies providing private insurance, prepaid health services, hospital health centers, and supermarket chains, only in cases requested and authorized by the data subject for the formalization, administration, and management of private medical insurance, comprehensive prepaid health care services, and the benefits and additional discounts offered to the employees of the companies that make up Grupo Transoceánica as part of corporate wellbeing. The complete list of recipients is available to any data subject upon request, without prejudice to the information previously and directly provided to them.
  4. Access to personal data is granted, to the extent necessary for the processing, to service providers and data processors that assist in the management and fulfillment of the activities of the group companies, such as: technical support providers, technology infrastructure providers (Azure, Amazon Web Services), cybersecurity and data center providers; continuous improvement, procurement, development, and risk providers; physical security providers; occupational physicians; consultants and other professional service providers acting on behalf of Grupo Transoceánica, under express instructions and contractual obligations of confidentiality and security.
  5. Entities or customers before whom it is necessary to identify employees for the administration and/or execution of contractual relationships, evidencing the relationship with the company, for logistics, delivery, courier, and other activities inherent to the line of business.
  6. The other companies that make up GRUPO TRANSOCEANICA, to the extent necessary and proportionate for the shared storage and management of information systems and logistics or administrative operations.

The processing of personal data is generally carried out within Ecuador. However, GRUPO TRANSOCEANICA may carry out international transfers of data to recipients located outside the country. In such cases, international transfers shall be carried out in accordance with the mechanisms and safeguards established in Articles 54 to 60 of the Organic Law on Personal Data Protection, its General Regulations, and the complementary rules issued by the Superintendence of Personal Data Protection, in particular Resolution No. SPDP-SPD-2026-0004-R on National and International Transfers of Personal Data.

7.- How long do we retain personal data?

Personal data shall be stored solely and exclusively for the time necessary to fulfill the processing purposes, in accordance with the legal periods established in the applicable regulations, and for no longer than the time necessary for the limitation period of legal actions. After this period, the data shall be deleted, blocked, or anonymized in accordance with the mechanisms, tools, and strategies implemented by GRUPO TRANSOCEANICA and as provided under the regulations in force.

The specific retention periods are as follows:

  1. In the case of personal data processing carried out on the basis of the contractual relationship between the parties, such data shall be retained for as long as the legal relationship remains in force and, once it has ended, for up to a maximum period of ten (10) years, in consideration of the legal limitation periods applicable to the obligations arising from such relationship.
  2. The retention period for personal data of job candidates for future selection processes shall be a maximum of one (2) year from the completion of the process.
  3. In cases of processing involving video surveillance, the data shall be retained for a maximum period of ninety (90) days.
  4. The WORKER’s biometric data shall be retained for as long as the employment relationship remains in force and the consent remains valid. Once the employment relationship has ended or consent has been revoked, the EMPLOYER shall proceed with the secure deletion of biometric data within a period of 3 days. The attendance marking history linked to the fingerprint system shall be retained, once the employment relationship has ended, for a maximum period of 10 years aligned with the legal limitation periods, counted from the date of termination. Once this period has elapsed, these records shall be deleted, blocked, or anonymized in accordance with the applicable regulations.
  5. In those cases where it is necessary to retain information for a period longer than the one provided herein, for purposes of evidence, backup, or compliance with legal or regulatory obligations, the personal data shall be duly blocked or encrypted, and its processing shall be strictly limited to those purposes.

All of the foregoing is without prejudice to the possibility that information may be retained for a longer period in those cases where this is necessary for purposes of evidence, backup, compliance with legal or regulatory obligations, or by order of a competent authority. In such cases, the information shall remain duly blocked and may only be accessed and processed for the fulfillment of such obligations or pursuant to the corresponding order of the competent authority.

8.-  What happens when incorrect or inaccurate data is provided to us?

Data subjects must provide GRUPO TRANSOCEANICA with truthful, updated, and accurate information for the proper processing and execution of the employment, commercial, and/or contractual relationship. Data subjects have the right to a quality service; for this purpose, we need you to entrust us with your information, because if you refuse to provide it or provide it erroneously or inaccurately, we will not be able to carry out the activities mentioned in this Policy or provide our services with the highest quality standard that characterizes us. The data subject has the obligation to promptly notify GRUPO TRANSOCEANICA of any modification or update to their personal data.

9.-  What security measures are applied?

GRUPO TRANSOCEANICA adopts the technical, organizational, and legal security measures necessary for the protection of the information of the personal data subject, in order to prevent its alteration, loss, processing, and/or unauthorized access, taking into consideration the nature of the information and the risks to which it is exposed according to its processing activities. These measures include:

  1. Logical access control based on roles and the principle of least privilege, with multi-factor authentication (MFA) in critical systems and management of individual credentials.
  2. Infrastructure hosted in secure environments: servers and applications distributed across Microsoft Azure, Amazon Web Services (AWS), and external data centers, with contracts that include periodic backups, a disaster recovery plan (DRP) and business continuity plan (BCP), continuous availability monitoring, and certified physical and logical protection.
  3. Isolation of critical systems from the administrative network; continuous updating of operating systems and software to avoid the use of end-of-service versions.
  4. Intrusion detection and prevention system (IDS/IPS) and updated EDR antivirus and anti-malware software on all devices.
  5. Policies for the use of physical media: removable storage devices (USB drives, external drives) subject to restricted use and mandatory encryption; high-risk USB and Bluetooth ports disabled by default.
  6. Confidentiality agreements signed by all personnel who access personal data, with an obligation that remains in effect after the employment or contractual relationship has ended.
  7. Periodic staff training on data protection and information security.

GRUPO TRANSOCEANICA has carried out the necessary actions to ensure compliance with data protection regulations, guaranteeing at all times the confidentiality, integrity, availability, and resilience of the personal data and systems of the companies. However, given the vulnerabilities to which digital environments may be exposed, we cannot guarantee the absolute security of data in the event of attacks or breaches by third parties.

10.- What are your rights and how may you exercise them?

According to the circumstances applicable in each case and the legislation in force regarding personal data protection, you have the following rights:

  1. Right of Access: You will be provided with further details on the use we make of your data, the categories processed, the purposes, the recipients, the retention period, among other aspects related to the processing of your personal data.
  2. Right to rectification and updating: Any data that has been modified or changed may be updated, and any inaccuracy in the personal data we process shall be rectified, in accordance with the guidelines of the LOPDP.
  3. Right to erasure: Any personal data for which we no longer have a legal basis or legitimate interest for processing shall be deleted.
  4. Withdrawal or revocation of consent: When the processing is based on consent, you may withdraw your consent so that such specific processing is discontinued, without affecting the lawfulness of the processing carried out prior to its withdrawal.
  5. Right to Object: The data subject may object to or refuse the processing of data when:
    1. The fundamental rights and freedoms of third parties are not affected, the law allows it, and the information is not public information, of public interest, or subject to processing ordered by law.
    2. The processing of personal data is intended for direct marketing; the data subject shall have the right to object at any time to the processing of personal data concerning them, including profiling; in which case, the personal data shall no longer be processed for such purposes.
    3. Consent is not required for the processing as a result of the existence of a legitimate interest, and the objection is justified by a specific personal situation of the data subject, provided that the law does not provide otherwise.
  6. Right to Restriction: You may request the restriction of the processing of your data in the following situations:
    1. When the data subject disputes the accuracy of the personal data, while the Data Controller verifies its accuracy.
    2. The processing is unlawful and the data subject objects to the deletion of the personal data and instead requests the restriction of its use.
    3. The Controller no longer needs the personal data for the purposes of the processing, but the data subject needs it for the formulation, exercise, or defense of claims.
    4. When the data subject has objected to the processing pursuant to the provisions of the LOPDP, while it is verified whether the legitimate grounds of the Controller prevail over those of the data subject.
  7. Right to Portability: The portability of your data in a compatible, updated, structured, commonly used, interoperable, and machine-readable format, preserving its characteristics; or the transmission of such data to other controllers in accordance with the guidelines of the LOPDP, where technically possible.
  8. Right not to be subject to fully or partially automated decisions, including profiling, that produce legal effects concerning them or that infringe their fundamental rights and freedoms.
  9. All other rights contemplated in the LOPDP and its General Regulations.

The companies of GRUPO TRANSOCEANICA shall verify the legitimacy of the request and, if the information requires clarification or expansion, may require the data subject, only once and within a period of five (5) days from receipt of the request, to clarify or complete it. The summoned data subject shall have a period of ten (10) days, counted from the day following the date on which they were notified, to clarify or complete the request.

If the data subject clarifies or completes the request within the granted period, the Controller shall duly address it. Requests regarding the right of access, rectification and updating, erasure, and objection shall be answered within a period of fifteen (15) days. Any request concerning the exercise of other rights that do not have a specific response period under the LOPDP shall be addressed within a period of ten (10) days counted from the day following receipt of the request and/or the clarification submitted, as applicable, pursuant to Article 62 of the LOPDP.

If the summoned data subject does not clarify or complete their request within the period of ten (10) days counted from the day following the date on which they were notified, the request shall be filed, and the data subject shall be notified accordingly.

To exercise these rights, the data subject may submit a written request to the address indicated in Section 2 of this Policy, according to each Data Controller. In addition, GRUPO TRANSOCEANICA makes the following email address available: pdp@transoceanica.com.ec. The data subject must submit the written request including, at a minimum, the following information:

  1. The name and email address of the Data Subject or any other means to receive the response and notifications.
  2. A document evidencing the identity of the applicant.
  3. A clear and precise description of the personal data with respect to which the Data Subject seeks to exercise any of the rights, and the specific request.

Without prejudice to the foregoing, the companies of GRUPO TRANSOCEANICA may deny the submitted request with due justification. In addition, GRUPO TRANSOCEANICA may retain certain information of the Data Subject requesting suppression or erasure, so that it may serve as evidence in the event of a possible claim against any of the group companies. The duration of such retention shall be for the time necessary according to the limitation periods applicable to the obligations, in order to defend against any eventual claim that the Data Subject may initiate.

If the erasure of personal data is appropriate but cannot be carried out due to technical limitations, such data shall be anonymized so that it cannot be used to identify or make the Data Subject identifiable.

If you are not satisfied with the use made of your personal information or with the response received when exercising your rights, you have the right to file a complaint with the Personal Data Protection Authority (Superintendence of Personal Data Protection — SPDP), through the channels made available by that institution for such purpose.

11.- Amendments to the Personal Data Protection Policies

GRUPO TRANSOCEANICA expressly reserves the right to amend, update, or supplement these Personal Data Protection Policies at any time, when necessary to adapt them to regulatory changes, new processing activities, or improvements in privacy practices. Any amendment, update, or expansion made to the Policies shall be communicated through GRUPO TRANSOCEANICA’s official channels, directing data subjects to review the amendments to this document.

12.- Applicable law and dispute resolution

The terms of this Policy are governed by and interpreted in accordance with the laws in force in the Republic of Ecuador, including the Organic Law on Personal Data Protection, its General Regulations, and the resolutions issued by the Superintendence of Personal Data Protection, and shall be subject to the competence and jurisdiction of the Judges of the city of Guayaquil and of Ecuador’s Personal Data Protection Authority, as applicable.