PERSONAL DATA PROTECTION POLICY

SUMāTO Group SAS / SUMāTO Group LLC committed to the legal use, the treatment in accordance with the established purposes and the security and privacy of the information it collects, stores, uses, circulates or deletes, containing personal data and in compliance with the legal mandate, established in the Political Constitution of Colombia (arts. 15 and 20), Law 1581 of 2012 “whereby general provisions are issued for the protection of personal data” and Decree 1377 of 2013 “whereby Law 1581 of 2012 is partially regulated” and to the institutional commitment regarding the treatment of information, establishes general measures to ensure adequate levels of security and privacy for the protection of personal data, in order to avoid possible adulterations, losses, consultations, uses or unauthorized access, applicable to personal data recorded in any database managed by SMT and whose owner is a natural person.

DEFINITIONS Authorization: Prior, express and informed consent of the Data Subject, to carry out the processing of personal data. Privacy Notice: Verbal or written communication generated by the responsible party, addressed to the holder for the processing of his/her personal data, by which he/she is informed about the existence of the information processing policies that will be applicable to him/her, how to access them and the purposes of the processing intended to be given to the personal data.  Database: Organized set of personal data that is subject to processing. Personal data: Any information linked or that may be associated to one or several determined or determinable natural persons. Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, and their status as merchants or public servants. Due to their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality.  Semi-private data: Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as financial and credit data of commercial activity or services referred to in Title IV of Law 1266 of 2008. Sensitive data: Sensitive data is understood as that which affects the privacy of the holder or whose improper use may generate discrimination, such as that which reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.  Private data: Private data. It is the data that, due to its intimate or reserved nature, is only relevant to the owner. Data processor: Natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of the data controller. Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and the processing of the data. Data subject: Natural person whose personal data is the object of processing. Transfer: The transfer of data takes place when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.  Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose is the performance of a Processing by the Processor on behalf of the Controller.  Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression.

OBJECTIVE To establish the guidelines to obtain the authorization of the owners, to carry out the processing of personal data, the purposes of use, the rights of the owners, the channels of attention, as well as the internal procedures for the processing.

SCOPE This policy applies to all personal information registered in the databases of the SUMāTO Group SAS, which acts as the party responsible for the processing of personal data. All employees, contractors and third parties who have a relationship with SUMāTO Group SAS, who are responsible for the processing of personal data, are subject to this policy.