For the Processing of Personal Data, THE COMPANY will apply the following principles, which constitute the rules to follow in the collection, management, use, processing, storage, and sharing of personal data:

• Legality: The Processing of personal data will be carried out in accordance with applicable legal provisions (Statutory Law 1581 of 2012 and its regulatory decrees).
• Purpose: The Processing of personal data will be carried out in accordance with applicable legal provisions (Statutory Law 1581 of 2012 and its regulatory decrees).
• Freedom: The collection of Personal Data can only be carried out with the prior, express, and informed authorization of the Data Subject.
• Accuracy or Quality: Information subject to the Processing of Personal Data must be truthful, complete, accurate, updated, verifiable, and comprehensible.
• Transparency: The Processing of Personal Data guarantees the Data Subject's right to obtain information about the existence of data concerning them at any time and without restrictions.
• Restricted Access and Circulation: The Processing of personal data can only be carried out by persons authorized by the Data Subject and/or those provided for by law.
• Security: Personal Data subject to Processing will be managed with all necessary security measures to prevent its loss, alteration, consultation, unauthorized or fraudulent use or access.
• Confidentiality: All employees working at THE COMPANY are required to maintain confidentiality regarding the personal information they access during their work at THE COMPANY.

Natural persons whose Personal Data is processed by THE COMPANY have the following rights, which they can exercise at any time:

• To know the Personal Data that THE COMPANY is processing. Likewise, the Data Subject may request at any time that their data be updated or corrected, for example, if they find that their data is partial, inaccurate, incomplete, fragmented, misleading, or if the Processing is expressly prohibited or not authorized.
• To request proof of the authorization granted to THE COMPANY for the Processing of their Personal Data.
• To be informed by THE COMPANY, upon request, about the use that has been made of their Personal Data.
• To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of the Personal Data Protection Law.
• To request THE COMPANY to delete their Personal Data and/or revoke the authorization granted for its Processing by filing a claim in accordance with the procedures established in paragraph 13 of this Policy. However, the request to delete the information and revoke the authorization will not proceed when the Data Subject has a legal or contractual obligation to remain in the Database and/or Files, nor while the relationship between the Data Subject and THE COMPANY, under which the data was collected, remains in force.
• To access free of charge their Personal Data that has been processed.

The rights of Data Subjects may be exercised by the following persons:

• By the Data Subject;
• By their successors, who must prove such capacity.
• By the representative and/or attorney of the Data Subject, upon accreditation of representation or power of attorney;
• By stipulation in favor of another or for another.

THE COMPANY recognizes that Personal Data belongs to the individuals to whom it refers, and only they can decide about it. In this sense, THE COMPANY will use the collected Personal Data solely for the purposes for which it is duly authorized and always in compliance with the regulations in force on Personal Data Protection.

THE COMPANY will comply with the duties established for the Controllers of Processing, contained in Article 17 of Law 1581 of 2012 and other regulations that modify, replace, or complement it.

The Process and Continuous Improvement area is in charge of the development, implementation, training, and compliance with this Policy. For this purpose, all employees who process Personal Data in the different areas of THE COMPANY are required to report these Databases to the Process and Continuous Improvement area and immediately forward to it any requests, complaints, or claims they receive from Personal Data Holders.

The Process and Continuous Improvement area has also been designated by THE COMPANY as the responsible area for attending to requests, inquiries, complaints, and claims through which the Data Holder may exercise their rights to access, update, correct, and delete data and revoke authorization. This area can be contacted via email: [email protected]

THE COMPANY will request prior, express, and informed authorization from the Personal Data Holders whose data it intends to process.

This expression of will by the Holder may be provided through different mechanisms made available by THE COMPANY, such as:

• In writing, by filling out an authorization form for Personal Data Processing determined by THE COMPANY;
• Verbally, during a telephone or video conference conversation.
• Through unequivocal actions that allow the conclusion that authorization has been granted, by expressly accepting the Terms and Conditions of an activity where participants' authorization for the Processing of their Personal Data is required.
• IMPORTANT: Under no circumstances will THE COMPANY interpret the Holder's silence as an unequivocal action.

10.1. Processing of Sensitive Personal Data

The Processing of Sensitive Personal Data is prohibited by law unless prior, express, and informed authorization is obtained from the Data Subject, among other exceptions provided in Article 6 of Law 1581 of 2012. In this case, in addition to meeting the established requirements for authorization, THE COMPANY will inform the Data Subject:

• That they are not obligated to authorize the Processing of their Sensitive Data.
• Which data to be processed is sensitive and the purpose of the Processing.
• Additionally, THE COMPANY will process the collected sensitive data under security and confidentiality standards appropriate to its nature. To this end, THE COMPANY has implemented administrative, technical, and legal measures contained in its Policy and Procedures Manual, which is mandatory for its employees and, where applicable, its suppliers, affiliated companies, and business partners.

10.2. Processing of Personal Data of Children and Adolescents

According to Article 7 of Law 1581 of 2012 and Article 12 of Decree 1377 of 2013, THE COMPANY will only process data related to children and adolescents when such Processing complies with and respects the best interests of children and adolescents and ensures the respect of their fundamental rights.

Once the above requirements are met, THE COMPANY must obtain authorization from the legal representative of the child or adolescent, following the exercise of the minor's right to be heard, whose opinion will be considered based on their maturity, autonomy, and capacity to understand the matter.

Data Subjects whose Personal Data is processed by THE COMPANY have the right to access their Personal Data and details of its Processing, as well as to rectify or update it if it is inaccurate or request its deletion if they consider it excessive or unnecessary for the purposes for which it was collected. The mechanisms implemented to ensure the exercise of these rights through a request are:

• Request submitted via email: [email protected]
• Request submitted via phone: +57 602 489 8897
• Communication addressed to: ALLTIC S.A.S, domiciled at Carrera 65 A # 12 A – 10, Cali, Colombia

This channel can be used by Data Subjects or third parties authorized by law to act on their behalf to exercise the following rights:

11.1 Procedure for Submitting Requests and Inquiries

• The Data Subject may consult their personal data at any time. To do this, they may submit a request indicating the information they wish to access through any of the mechanisms mentioned above.
• The Data Subject or their successors must prove their identity, that of their representative, or their representation or stipulation in favor of another. If the request is submitted by a person other than the Data Subject and it is not proven that they act on behalf of the Data Subject, it will be considered not submitted.
• The request and/or inquiry must include at least the name and contact address of the Data Subject or any other means to receive the response, as well as a clear and precise description of the personal data the Data Subject wishes to consult or inquire about.
• If the request and/or inquiry is incomplete, THE COMPANY will request the missing information from the interested party within five (5) days of receiving the request. If the required information is not provided within two (2) months from the date of the request, the request will be considered abandoned.
• Requests and/or inquiries will be addressed by THE COMPANY within ten (10) business days from the date of receipt. If it is not possible to respond within this period, the applicant will be informed of the delay, the reasons for it, and the date on which the request or inquiry will be addressed, which in no case may exceed five (5) additional business days.

11.2 Procedure for Submitting Complaints and Claims

In accordance with Article 14 of Law 1581 of 2012, when the Data Subject or their successors consider that the information processed by THE COMPANY should be corrected, updated, or deleted, or when it should be revoked due to an alleged breach of any duties under the Law, they may submit a request to THE COMPANY, which will be processed under the following rules:

• The Data Subject or their successors must prove their identity, that of their representative, or their representation or stipulation in favor of another. If the request is submitted by a person other than the Data Subject and it is not proven that they act on behalf of the Data Subject, it will be considered not submitted.
• The request for correction, updating, deletion, or revocation must be submitted through the means enabled by THE COMPANY, as indicated in this document, and must include, at a minimum, the following information:

1. The name and address of the Data Subject or any other means to receive the response.
2. The documents proving the identity of the applicant and, where applicable, their representative with the respective authorization.
3. A clear and precise description of the personal data the Data Subject seeks to exercise any of their rights over and the specific request.

• If the request is incomplete, THE COMPANY will request the missing information within five (5) days of receipt. If the required information is not provided within two (2) months, the request will be considered abandoned.
• If the recipient of the request is not competent to resolve it, they will forward it to ALLTIC S.A.S's Legal Department within two (2) business days and inform the applicant of the situation.
• Once the request is received, a note stating 'claim in process' and the reason for it will be added to the Database within two (2) business days. This note will remain until the matter is resolved.
• The maximum term for resolving this request will be fifteen (15) business days from the day after its receipt. If it is not possible to resolve it within this term, the applicant will be informed of the delay, the reasons for it, and the date on which the claim will be resolved, which in no case may exceed eight (8) additional business days.

THE COMPANY may disclose Personal Data it processes to its affiliated companies worldwide for use and Processing in accordance with this Personal Data Protection Policy. Likewise, THE COMPANY may provide Personal Data to third parties not affiliated with THE COMPANY under the following circumstances:

• To contractors in the execution of contracts for the development of THE COMPANY's activities;
• By transfer of any business line to which the information relates.
• In any case, when THE COMPANY intends to send or transmit data to one or more Processors located inside or outside the Republic of Colombia, it will establish contractual clauses or enter into a data transmission agreement that, among other things, includes the following:
  1. The scope and purposes of the Processing.
  2. The activities the Processor will perform on behalf of THE COMPANY.
  3. The obligations the Processor must fulfill regarding the Data Subject and THE COMPANY.
  4. The obligation of the Processor to process the data according to the authorized purpose and comply with the principles established in Colombian law and this policy.
  5. The obligation of the Processor to adequately protect the personal data and databases and maintain confidentiality regarding the processing of the transmitted data.
  6. A description of the specific security measures to be adopted by both THE COMPANY and the Processor at the data destination.

• THE COMPANY will not request authorization when the international transfer of data is covered by any of the exceptions provided in the Law and its Regulatory Decrees.