TITLE I. PRESENTATION.

ARTICLE 1. PARCHITA PACIFLORA SAS, identified with NIT 900.245.841, with main address at Calle 9 C Sur No. 50 FF-71, Medellín, Antioquia, recognizes the importance of the security, privacy and confidentiality of the personal data of its clients, users, collaborators, suppliers, shareholders, allies and in general of all its interest groups regarding which it processes personal information, and therefore, in compliance with the constitutional and legal provisions, it has adopted this POLICY FOR THE PROCESSING OF PERSONAL DATA.

TITLE II. REGULATIONS AND CONTEXT.

ARTICLE 2. Listed below are the main regulations in force in Colombia regarding the protection of personal data, with whose compliance PARCHITA PACIFLORA SAS is fully committed and which have been taken into account for the purposes of developing this Policy and the comprehensive personal data management system of PARCHITA PACIFLORA SAS.

• Article 15 of the Political Constitution of Colombia.
• Statutory Law 1266 of 2008.
• Law 1273 of 2009.
• Statutory Law 1581 of 2012.
• Decree 1377 of 2013.
• Decree 886 of 2014.
• Decree 1074 of 2015.
• Title V of the Single Circular of the Superintendency of Industry and Commerce.

ARTICLE 3. CONTEXT. PARCHITA PACIFLORA SAS, as the responsible party for its actions and guided by its corporate values, has created this Personal Data Processing Policy, in accordance with the provisions adopted by Law 1266 of 2008 and Law 1581 of 2012, as well as their regulatory decrees.

In this regard, Law 1266 of 2008 established a special regime for the protection of personal data related to the processing of financial, credit, commercial, service, and third-country data. Law 1581 of 2012, for its part, established the general regime for the Protection of Personal Data in Colombia, developing the constitutional principles under which every person has the right to know, update, and rectify personal information held in databases or files (manual or automated), and to receive truthful and verifiable information.

TITLE III. SCOPE AND RECIPIENTS.

ARTICLE 4. SCOPE: PARCHITA PACIFLORA SAS, as the data controller, has defined policies, processes and procedures that ensure the security and quality of the processing of information, in compliance with Article 15 of the Colombian Political Constitution and, in particular, with current regulations regarding the protection of personal data, and in particular with the provisions of Law 1581 of 2012, Decree 1377 of 2013 and any other provisions that modify, add to or complement it.

This Policy describes the guidelines that will be followed to protect the personal data of information holders and to properly process them.

The processing carried out by PARCHITA PACIFLORA SAS will always be based on the authorization granted by the owner and will take into account the expressly informed purposes.

Likewise, PARCHITA PACIFLORA SAS in the development of its activity and management, and in order to provide business collaboration between the companies of the group, during the execution of its activities may carry out the processing of personal data jointly with the entities that belong or may belong to PARCHITA PACIFLORA SAS, or to whoever represents its rights or holds in the future the status of creditor, assignee, or any status vis-à-vis the owners of the information.

It will be understood that PARCHITA PACIFLORA SAS and the entities that belong or may become part of the Group in accordance with the law, its subsidiaries and/or affiliates, or the entities in which they, directly or indirectly, have shareholdings or are associated, domiciled in Colombia and/or abroad, are part of.

ARTICLE 5. RECIPIENTS: This policy is addressed to our clients, users, collaborators, suppliers, allies and, in general, our interest groups about whom PARCHITA PACIFLORA SAS processes personal information.

TITLE IV. PRINCIPLES.

ARTICLE 6. PARCHITA PACIFLORA SAS undertakes to process the personal data of information holders in accordance with the following principles:

• Principle of legality in data processing: PARCHITA PACIFLORA SAS is aware that the processing referred to in Law 1581 of 2012 is a regulated activity, which must be subject to the provisions of the Law and other provisions that develop it.
• Purpose principle: PARCHITA PACIFLORA SAS will process the data for a legitimate purpose, in accordance with the Constitution and the law, which will be communicated to the owner.
• Principle of freedom: PARCHITA PACIFLORA SAS will process data only with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial order.
• Principle of truthfulness or quality: the information processed must be truthful, complete, up-to-date, verifiable, and understandable. PARCHITA PACIFLORA SAS prohibits the processing of fragmented or misleading data.
• Transparency Principle: PARCHITA PACIFLORA SAS is aware that data subjects have the right to obtain information about the existence of data concerning them at any time and without restrictions.
• Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, in accordance with the provisions of Law 1581 of 2012 and the Constitution. In this regard, processing may only be carried out by persons authorized by the data subject and/or by the persons provided for by law. With the exception of public information, PARCHITA PACIFLORA SAS will not make personal data available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the data subjects or authorized third parties in accordance with Law 1581 of 2012.
• Security Principle: PARCHITA PACIFLORA SAS will handle the information subject to processing as referred to in Law 1581 of 2012 with the technical, human and administrative measures necessary to ensure the security of the records, preventing their adulteration, loss, consultation, use or unauthorized or fraudulent access.
• Confidentiality principle: All persons involved in the processing of personal data that are not public are required to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended. They may only provide or communicate personal data when this corresponds to the development of the activities authorized by Law 1581 of 2012 and under the terms thereof.

TITLE V. AUTHORIZATIONS.

ARTICLE 7. PARCHITA PACIFLORA SAS will request authorization so that the data subject grants prior, express, and informed consent to the processing of their personal data.

Authorization may also be obtained through unequivocal conduct by the data subject, which reasonably allows us to conclude that they have given their consent for the processing of their information. Such conduct must clearly demonstrate their willingness to authorize the processing.

The data subject's consent may be obtained by any means that can be subsequently consulted, such as written, verbal, virtual communication, or through unequivocal conduct.

By virtue of its nature and corporate purpose, PARCHITA PACIFLORA SAS receives, collects, records, preserves, stores, modifies, reports, consults, delivers, transmits, transfers, shares and deletes personal information, for which it obtains the prior authorization of the owner.

The authorization granted to PARCHITA PACIFLORA SAS by the data subjects allows, among other things, the following purposes: to offer and provide information on products and services, as well as to consult, report, and update your data to information and risk managers; to update current contractual relationships; and to fulfill agreed obligations.

PARCHITA PACIFLORA SAS will appropriately retain proof of such authorizations, ensuring and respecting the principles of privacy and confidentiality of the information.

Likewise, at PARCHITA PACIFLORA SAS, when dealing with information related to the following types of data, the following special considerations will be taken into account:

1. Sensitive data.

For the processing of sensitive data, PARCHITA PACIFLORA SAS will inform the data subject of the following:

• For the processing of this type of information, the owner is not required to give his or her authorization or consent.
• You will be explicitly informed in advance what type of sensitive data will be requested.
• The processing and purpose for which sensitive data will be used will be communicated.
• Authorization for sensitive data will be prior, express and clear.

1. Data on children and adolescents.

PARCHITA PACIFLORA SAS will ensure that the processing of this type of data is carried out in accordance with the rights of children and adolescents. In this regard, their special nature will be protected and their fundamental rights will be respected, in accordance with the provisions of Articles 5, 6, and 7 of Law 1581 of 2012, and Articles 6 and 12 of Decree 1377 of 2013, and any other regulations that modify or supplement them.

In order to comply with the above, PARCHITA PACIFLORA SAS will act in accordance with the following:

• Authorization from the child or adolescent's legal representative will be requested prior to exercising the minor's right to be heard. This opinion will be assessed taking into account the child's maturity, autonomy, and ability to understand the matter, in order to process their personal data.
• The optional nature of answering questions about the data of children or adolescents will be reported.
• You will be explicitly informed in advance which data are being processed and the purpose thereof.

PARCHITA PACIFLORA SAS informs all its stakeholders that, in accordance with article 10 of Law 1581 of 2012, the authorization of the owner will not be necessary when it comes to: (1) information required by a public or administrative entity in the exercise of its legal functions or by court order, (2) data of a public nature, (3) cases of medical or health emergencies, (4) processing of information authorized by law for historical, statistical or scientific purposes, and (5) data related to the Civil Registry of Persons.

TITLE VI. PURPOSES OF CUSTOMERS, SUPPLIERS, APPLICANTS, SHAREHOLDERS, AND ACCESS TO FACILITIES.

ARTICLE 8. PURPOSE. The following are the main purposes for which PARCHITA PACIFLORA SAS processes personal information:

ARTICLE 9. PURPOSE OF CLIENTS AND/OR USERS:

• Understand your financial, commercial, and credit behavior and compliance with your legal obligations.
• Carry out all necessary steps to confirm and update customer information.
• Validate and verify customer identity for the purpose of offering and managing products and services, as well as sharing information with various market players.
• Establish a contractual relationship, as well as maintain and terminate a contractual relationship.
• Offer and provide products or services through any medium or channel according to the customer profile and technological advances.
• Receive information from PARCHITA PACIFLORA SAS regarding current and future commercial campaigns, promotions of our own and third-party products and services, and other communications necessary to keep the customer informed and connected via: phone calls, text messages, email, Facebook, Twitter, Instagram, or any social media integration or instant messaging, among others; receive messages related to debt collection and recovery management, either directly or through a third party contracted for this purpose.
• Provide and administer financial services appropriately, including debt collection.
• Provide commercial, legal, product, safety, service, or any other type of information.
• Knowing the customer's location and contact information for security notifications and offering benefits and commercial offers.
• Conduct commercial, statistical, risk, market, interbank, and financial analysis and research, including contacting the client for these purposes.
• Know the status of the operations (active, passive or of any nature) or those that the client may enter into in the future with PARCHITA PACIFLORA SAS
• Prevent money laundering and terrorist financing, as well as detect fraud, corruption, and other illegal activities.
• Perform, validate, authorize, or verify transactions, including, when required, the consultation and reproduction of sensitive data such as fingerprints, images, or voice, among others.
• Conduct satisfaction surveys regarding the services provided by PARCHITA PACIFLORA SAS
• Consult fines and penalties with the various administrative and judicial authorities or public databases responsible for managing data of this nature.

ARTICLE 10. PURPOSE OF SUPPLIERS AND PARTNERS:

• Carry out the process of linking the supplier or partner with the Organization, generating the development of internal procedures, which include relationship, accounting, financial, commercial, logistical, among others.
• Manage and verify business and reputational backgrounds, as well as the risks of money laundering and terrorist financing, as well as detect and/or prevent fraud, corruption, and other illegal activities.
• Manage and strengthen contractual relationships with suppliers or partners, allowing for greater control over the obligations assumed by both parties.
• Review and evaluate the results of the supplier or ally, in order to strengthen the contracting processes within PARCHITA PACIFLORA AS

ARTICLE 11. PURPOSE OF APPLICANTS AND COLLABORATORS:

The information that PARCHITA PACIFLORA SAS collects from applicants or candidates for positions within the organization is processed for the purpose of conducting the entrance assessment and the candidate engagement process.

The processing of our employees' personal information is intended to manage existing employment relationships with them, as well as to carry out the various activities established by the organization.

In the case of former employees, PARCHITA PACIFLORA SAS will store, even after the employment contract has ended, the information necessary to comply with the obligations that may arise from the employment relationship that existed in accordance with Colombian legislation, as well as provide employment certifications that are requested by the former employee or by third parties with whom it carries out a selection process.

ARTICLE 12. PURPOSE OF THE SHAREHOLDERS:

The information and personal data of shareholders, including personal and contact information, as well as information and documentation provided through virtual channels, telephone channels, email, and information updates, will be collected, consulted, updated, modified, and processed directly by PARCHITA PACIFLORA SAS and/or by third parties designated by it, for the following purposes:

• Comply with the obligations and rights derived from their status as Issuer and Depositor respectively.
• Carry out comprehensive management activities for the shareholders' registry.
• Provide information related to procedures, complaints, and shareholder requests.
• Provide access to information to judicial or administrative authorities that request such data in the exercise of their functions.
• Manage the risk of money laundering, terrorist financing, and corruption.
• The fulfillment of the necessary activities and purposes of the issuer-shareholder relationship.

ARTICLE 13. ACCESS TO BUILDINGS, SURVEILLANCE AND SECURITY OF FACILITIES:

Have information on each of the employees of PARCHITA PACIFLORA SAS and on visitors who enter the company's facilities.

Control and identify access to the company.

Maintain security and access control to company facilities.

PARCHITA PACIFLORA SAS informs all owners that the data collected directly upon entering the facilities, provided in documents by security personnel, and the data obtained from video recordings made inside or outside the facilities of PARCHITA PACIFLORA SAS, are used for the purposes of security of people, property and facilities.

Personal data will be subject to processing for the duration of the contractual term in which the data subject holds the product, service, contract, or relationship, plus the term established by law.

TITLE VII. RIGHTS AND DUTIES.

ARTICLE 14. RIGHTS OF THE HOLDER: The holders of the information processed by PARCHITA PACIFLORA SAS may:

Know, update, rectify, delete, or revoke your personal data and be informed of the processing of your personal data by PARCHITA PACIFLORA SAS.

Request the portability of your personal data when appropriate.

Submit requests and complaints related to current regulations on Personal Data Protection.

Request revocation of authorization and/or deletion of personal data if it is determined that PARCHITA PACIFLORA SAS is engaging in conduct contrary to current regulations. The request for deletion or revocation will not be admissible when the data subjects have a legal or contractual obligation to remain in the PARCHITA PACIFLORA SAS database.

Pursuant to Article 20 of Decree 1377 of 2013, the following persons may exercise the aforementioned rights:

• By the owner, who must sufficiently prove his identity by the various means made available to him by the responsible party.
• By their successors in title, who must prove such status.
• By the representative and/or attorney of the owner, upon prior accreditation of the representation or power of attorney.
• By stipulation in favor of another or for another.
• The rights of children and adolescents shall be exercised by those empowered to represent them.

ARTICLE 15. DUTIES OF PARCHITA PACIFLORA SAS:

PARCHITA PACIFLORA SAS, as the party responsible for the personal data stored in its databases, undertakes to:

• Guarantee the holder the full and effective exercise of his or her rights.
• Request and keep a copy of the authorization granted by the owner or proof thereof.
• Inform the data subject about the purposes of the collection, the uses of their personal data, and their rights based on the authorization granted.
• Keep information secure to prevent tampering, loss, unauthorized access, use, or consultation.
• Ensure that the information provided to third parties or data processors is truthful, complete, accurate, up-to-date, verifiable, and understandable.
• Update any information held by any third party or third party with regard to any new developments related to the data provided and take the necessary measures to ensure the information is up-to-date.
• Correct information when you become aware that it is incorrect.
• Ensure that third parties and/or those responsible for processing personal information for which PARCHITA PACIFLORA SAS is responsible have effective measures and policies to guarantee the proper handling of said information. Likewise, they will be required to commit to complying with and applying the provisions of this Personal Data Processing Policy and other guidelines established by PARCHITA PACIFLORA SAS or certify that their internal policies include at least the provisions set forth herein. If certification is not possible, PARCHITA PACIFLORA SAS must corroborate that the internal policies of third parties and/or those responsible include security and/or privacy criteria equivalent to or superior to those set forth herein. In this regard, third parties and/or those responsible must adopt security and privacy measures and conditions for the personal data shared with them, at least at the same level of protection adopted by PARCHITA PACIFLORA SAS.
• Process inquiries and complaints submitted in accordance with this Policy and the law.
• Inform the data protection authority when security breaches occur and risks exist in the management of data subjects' information.

TITLE VIII. PROCEDURE FOR CONSULTATIONS, COMPLAINTS AND CLAIMS.

ARTICLE 16. PROCEDURE. Data subjects may use the following procedures when they need to make a query, complaint, or claim.

ARTICLE 17. CONSULTATIONS. Data subjects, their successors in title, or any other person who may have a legitimate interest may request information about the data subject's personal data stored in any PARCHITA PACIFLORA SAS database.

In accordance with the above, PARCHITA PACIFLORA SAS will guarantee the right of consultation, providing the holder with personal information.

Queries regarding access to information, proof of authorization granted by the owner, uses and purposes of personal information, or any other query related to the personal information provided by the owner, must be submitted through the channels enabled by PARCHITA PACIFLORA SAS.

The query will be answered within a maximum period of ten (10) business days from the date of receipt.

When it is not possible to respond to the query within the established term, the interested party will be informed, indicating the reasons for the delay and the date on which the query will be responded to, which will not exceed five (5) business days following the expiration of the first term, in accordance with the provisions of article 14 of Law 1581 of 2012.

ARTICLE 18. CLAIMS, CORRECTION, UPDATE AND DELETION:

Owners, their successors in title, or any other person with a legitimate interest who considers that the information contained in any of PARCHITA PACIFLORA SAS's databases should be corrected, updated, or deleted, or who perceive a possible breach of the obligations established in Law 1581 of 2012 and its regulatory decrees, may file a claim in accordance with the requirements of Article 15 of the same law.

Requirements for filing a claim:

• Identification of the owner or the person filing the claim, stating their name and identification number.
• Describe the reason for the claim clearly and expressly, stating the facts that gave rise to it, and presenting the documents you intend to assert.
• Prove the legitimate interest of the person filing the claim and attach, if necessary, the corresponding supporting documents.
• Indicate the telephone number, physical address, or email address to which notification should be sent and the response to the request should be sent.

In any case, if the claim is incomplete, the interested party will be required within five (5) days of receipt to correct the deficiencies. If two (2) months have passed since the date of the request and the applicant has not submitted the required information, PARCHITA PACIFLORA SAS will understand that the claim has been withdrawn.

When PARCHITA PACIFLORA SAS is not the competent entity to resolve the claim presented, it will be forwarded to the corresponding party within a maximum period of two (2) business days, and the interested party will be informed of this situation.

If the claim is received in full, a message stating "claim in process" and the reason for the complaint will be added to the database within a period of no more than two (2) business days. This message will remain in effect until the claim is resolved.

However, the maximum term for addressing the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address it within this term, the interested party will be informed of the reasons for the delay and the date on which their claim will be resolved, which in no case may exceed eight (8) business days following the expiration of the first term.

Owners, their successors in title, or any other person with a legitimate interest may file a complaint with the SIC, but only after they have exhausted the consultation or claim process with PARCHITA PACIFLORA SAS, as the responsible party and/or any person in charge, in accordance with the provisions of Article 16 of Law 1581 of 2012.

ARTICLE 19. DELETION OF INFORMATION AND REVOCATION OF AUTHORIZATION:

PARCHITA PACIFLORA SAS has adopted an internal process for cases in which requests for deletion of information and/or revocation of authorization are submitted.

1. The process includes the analysis of the submitted application and the following events may arise from it:
2. The information must be deleted.
3. The revocation of the authorization is appropriate.
4. The deletion of the information is not appropriate, since the owner has a legal or contractual obligation to remain in the database managed by PARCHITA PACIFLORA SAS.
5. Revocation of the authorization is not applicable, since the owner has a legal or contractual obligation that requires PARCHITA PACIFLORA SAS to process his or her personal information.

In the last two cases (numbers 3 and 4), the information will remain in the databases and in any case, this information may be given restrictive treatment.

ARTICLE 20. CHANNELS FOR HANDLING INQUIRIES, COMPLAINTS AND CLAIMS:

PARCHITA PACIFLORA SAS has enabled the following channels for personal data holders to exercise their rights to know, update, rectify and/or delete their personal information.

Physical: Data subjects may visit PARCHITA PACIFLORA SAS facilities and submit their request within the terms established by law.

Email: Data subjects may file a complaint regarding the handling of their personal data by emailing info@parchita.com.co

Suggestions, compliments, or requests for information can also be made through these means.

However, although the main communication channels regarding personal data protection have been defined, it is important to note that PARCHITA PACIFLORA SAS has a telephone line available to address any concerns and assist with your needs in accordance with the terms and conditions of use, access requirements, and type of request.

ARTICLE 21. PARCHITA PACIFLORA SAS, as the party responsible for the personal information stored in its databases and in the development of the purposes described in this document, may eventually carry out national or international transfers or transmissions of data.

PARCHITA PACIFLORA SAS is committed to verifying the level of protection and security standards of the country receiving the personal information, making the declaration of compliance (when applicable) and signing a transfer contract or other legal instrument that guarantees the protection of the personal data subject to transfer.

By virtue of this exchange relationship, PARCHITA PACIFLORA SAS has adopted various guidelines for the relationship with third parties, in order to protect the information subject to this activity.

In order to protect the information, PARCHITA PACIFLORA SAS will verify whether the Superintendency of Industry and Commerce has included the respective country in the list of countries that offer an adequate level of data protection or will review the regulations in force in the country receiving the information, as well as, in both cases, the policies and procedures of the person in charge or responsible (as applicable), to determine if the ideal conditions are in place to guarantee adequate levels of security for the information being transmitted or transferred.

ARTICLE 22. RELATIONSHIP WITH THIRD PARTIES OR MANAGERS:

In implementing this Policy and the internal provisions for the proper handling of personal data, PARCHITA PACIFLORA SAS will ensure that third parties with which it engages or with which it establishes commercial, labor, or alliance relationships adapt their conduct to the personal data protection regime in Colombia.

In light of the foregoing, PARCHITA PACIFLORA SAS, without prejudice to all documentation, forms and means provided for requesting authorization for processing, privacy notices, records and contractual and/or legal coverage, may request suitable and relevant information from third parties and/or those in charge to verify and observe compliance with the provisions contained in this policy and in the personal data protection regime in Colombia.

In this regard, PARCHITA PACIFLORA SAS may request third parties and/or processors to demonstrate, before, during, or after the relationship between them, compliance with the requirements of the personal data protection regime. A review and monitoring of compliance with legal and/or contractual requirements may be requested, occasionally or periodically, through evidence or supporting documentation of the actions taken, visits to the third party's facilities, among other activities that may be coordinated to validate compliance.

PARCHITA PACIFLORA SAS will ensure that procedures are in place so that once the legal or contractual relationship with the third party and/or person in charge of the personal information has ended, it is collected, deleted, destroyed, or any other activity that PARCHITA PACIFLORA SAS considers pertinent is carried out to adequately process the information that has been shared with said third party and/or person in charge.

TITLE X. VALIDITY.

This Personal Data Processing Policy takes effect from the date of its approval.

For the record, it is signed in the city of Medellín, on the 6th day of March, 2024.