In accordance with the Political Constitution of Colombia, Law 1581 of 2012, Regulatory Decree 1074 of 2015, and other complementary provisions, this Personal Data Processing Policy establishes how RICARDO ESCOBAR ARBELAEZ S.A.S. (hereinafter “INGELAM“), duly established in Colombia, identified with Tax ID (NIT) 900.640.435-0, with its address at Calle 65A No. 23B — 127 in the city of Manizales, Caldas, with email address servicioalcliente@ingelam.com.co and mobile phone number (+57) 3102665552, collects and processes the personal data of data subjects.

1. Scope

This Policy regulates all organizational processes of INGELAM that involve the processing of personal data. It generally informs all individuals who have provided, or may in the future provide, their personal data to the company about the Policy applicable to all databases and the personal data contained therein.

2. Legal Framework

This policy was developed considering the current legislation on Personal Data Protection, Statutory Law 1581 of October 17, 2012, Decree 1377 of 2013 “Which partially regulates Law 1581 of 2012” and Article 2.2.2.25.1.1, Section 1, Chapter 25 of Decree 1074 of 2015, as well as any law that complements, adds, and/or modifies it.

3. Definitions

For the purposes of this Policy, the terms set forth below shall have the following meanings:

• Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of personal data.

• Privacy Notice: Verbal or written communication generated by the company and addressed to the Data Subject, informing them about the existence of this Policy, how to access it, and the purposes of the Processing intended for the personal data. The privacy notice is used only if INGELAM is unable to make this Policy publicly available.

• Database: Organized set of personal data that is subject to Processing.

• Personal Data: Any information linked to or that can be associated with one or more determined or determinable natural persons.

• Public Personal Data: Data that is not semi-private, private, or sensitive, and which by its nature may be contained in public records, public documents, official gazettes, official bulletins, and/or duly executed judicial rulings that are not subject to reservation. Data relating to a person’s civil status, profession, trade, and/or status as a merchant or public servant are considered public data, among others.

• Private Personal Data: Data that, due to its intimate or reserved nature, is only relevant to the Data Subject.

• Semi-Private Personal Data: Data whose knowledge or disclosure may be of interest to the Data Subject and to a certain sector or group of people.

• Sensitive Personal Data: Data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as data that reveals racial or ethnic origin; political orientation; religious or philosophical convictions; membership in unions, social organizations, human rights organizations, or that promotes the interests of any political party or guarantees the rights and guarantees of opposition political parties; data related to health, sexual life; and biometric data.

• Data Processor: Natural or legal person, public or private, who, by themselves or in association with others, processes personal data on behalf of the Data Controller.

• Personal Data Protection Officer: Person within the organization responsible for the personal data protection function.

• Complaint: Request by the Data Subject or persons authorized by them or by law for the correction, updating, or deletion of information, revocation of authorization, or when they notice the alleged breach of any of the duties contained in the law.

• Inquiry: Request by the Data Subject or persons authorized by them or by law to consult the personal information of the Data Subject held in the Company’s database.

• Data Controller: Natural or legal person, public or private, who, by themselves or in association with others, decides on the database and/or the Processing of the data.

• Data Subject: Natural person whose personal data is subject to Processing.

• Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

• Transfer: Occurs when the Data Controller and/or Data Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is a Data Controller and is located inside or outside the country.

• Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when it is intended for Processing by the Processor on behalf of the Controller.

4. Principles

• Principle of Legality: Processing is a regulated activity that must adhere to the provisions of the law and other implementing regulations.

• Principle of Purpose: Processing must serve a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.

• Principle of Freedom: Processing can only be exercised with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves the consent requirement.

• Principle of Truthfulness or Quality: Information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The Processing of partial, incomplete, fragmented, or misleading data is prohibited.

• Principle of Transparency: The Processing must guarantee the right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning them, in accordance with the regulations governing this access.

• Principle of Restricted Access and Circulation: Processing is subject to the limits derived from the nature of the personal data, the law, and the Constitution. In this sense, Processing may only be carried out by persons authorized by the Data Subject and/or by persons authorized by law; Personal data, except for public information, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or authorized third parties.

• Principle of Security: Information subject to Processing by the Data Controller or Data Processor must be handled with the technical, human, and administrative measures necessary to provide security to the records, preventing their tampering, loss, consultation, unauthorized or fraudulent use or access.

• Principle of Confidentiality: All persons involved in the Processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks comprising the Processing has ended, and may only supply or communicate personal data when it corresponds to the development of authorized activities.

5. Processing and Purpose for which Personal Information is Collected

INGELAM will carry out activities such as the collection, storage, use, circulation, and deletion of personal data, with the main purpose of fulfilling its functions, always acting in accordance with the purposes provided for in the Law that regulates its operation, in this Policy, and in the prior, express, and informed authorizations granted by the Data Subjects.

Notwithstanding such authorizations, the Company is committed to fulfilling its obligations as Data Controller, adopting all necessary technical, organizational, and security measures to prevent the alteration, loss, processing, or unauthorized access to the data, in accordance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013.

In any case, at the time of collecting personal data, the Company will previously inform the Data Subject about the specific purposes of the Processing, through the corresponding authorization for the Processing of Personal Data. In this regard, it is clarified that such purposes will be framed within the following:

5.1. Purposes for the processing of personal data that apply to all stakeholder groups:

• • • Storage of information and/or Personal Data in physical files or servers owned by the company and/or third parties, located inside or outside the country, in countries considered safe by the Superintendency of Industry and Commerce or those that are not, provided that the Data Processors storing the information have confidentiality, privacy, and information protection and custody policies, and a Confidentiality and Personal Data Transmission Agreement is signed with them.

    • Transmit or transfer such data to commercial allies, clients, affiliates, and/or subsidiaries in Colombia and/or abroad.

    • Registration of document entry and exit.

    • Convening and execution of programs, meetings, trainings, and events, as well as preservation of documentary records thereof, such as attendance lists, photographs, voice recordings, and/or videos.

    • Consultation, verification, and analysis in restrictive and control lists, such as lists linked to SAGRILAFT, as well as in public or private databases related to judicial, criminal, disciplinary, tax records, and any other list containing information on crimes of corruption, money laundering, terrorist financing, or any illicit activity.

    • Inclusion in WhatsApp groups or chats.

    • Preparation and execution of surveys and interviews.

    • Sending communications related to the purposes contained in this Privacy Policy, the corporate purpose of the company, and/or its strategic allies, advertising, marketing, promotions, events, commercialization and promotion of products and/or services, contests, data update campaigns and information on changes in personal data processing, loyalty programs, raffles, games, and shows, content updates on the website, alliances, and benefits. The above will be carried out through the professional, business, and/or personal contact channels authorized by the Data Subjects; these include, but are not limited to, landline and/or mobile phone, physical and/or electronic mail, SMS and/or MMS text messages, social networks, electronic media, website, and/or any other means of communication.

    • Registration and control of access and entry to the Company’s facilities.

    • Support in internal and/or external audit processes, fiscal reviews, advisory services, consulting, and implementation of improvement plans.

    • Management of administrative procedures for planning, organization, direction, and operation.

    • Compliance with obligations derived from contracts entered into between the Data Controller and the Data Subjects, or with their contractors or employers.

    • Financial and administrative management, creation of third-party records and registration in the Data Controller’s databases.

    • Tax, economic, and accounting management.

    • Handling of PQR’s (Complaints, Claims, and Requests) submitted by Data Subjects or those who prove legitimacy to do so.

    • Management of collections and payments.

    • Creation and administration of usernames and passwords for accessing different applications, platforms, websites, email accounts, and/or technological and computing equipment of the Data Controller.

    • Custody and management of information and databases.

    • Recording of calls, meetings, or virtual or in-person events they attend.

    • Periodic updating of Data.

    • Judicial procedures, handling of requests from authorities, and compliance with legal obligations.

    • Processing of images through video surveillance systems for the purposes indicated in this policy.

    • Retention for statistical and historical purposes and/or to comply with legal obligations regarding the retention of information and documents.

5.2. Purposes for the processing of personal data of applicants, active and inactive employees, and their families:

• • • Administer and operate, directly or through third parties, personnel selection and hiring processes, including the evaluation and rating of participants, as well as the verification of work and personal references, and the conduct of security studies.

    • Development of the selection process through interviews and medical, psychotechnical, and competency tests as required.

    • Timekeeping control.

    • Hotel reservations, air or land tickets, delivery of gas and toll vouchers, per diems, and vehicle requests, among others, in case of relocation by direct and indirect employees.

    • Identification and monitoring of occupational health and safety risks, personnel hiring and termination, payroll, and promotions.

    • Implementation of health promotion and prevention programs and occupational risks.

    • Retention of resumes and results of selection processes for future personnel hiring processes and/or for compliance with current legal regulations.

    • Employment contracting, signing of contracts and agreements to modify employment and apprenticeship contracts.

    • Registration of information of direct and indirect employees, active and inactive, retirees, and their families, for the development of activities related to affiliation and payment of social security and parafiscal contributions, payroll, bonuses, vacations, recognition of pension rights, and settlements.

    • Making necessary payments derived from the execution of the employment contract and/or its termination, and other social benefits as per applicable law.

    • Issuance of certificates.

    • Compliance with current regulations on occupational health, safety, and environment, among others, collection and analysis of health information and socio-demographic profile of direct and indirect employees, active and inactive.

    • Activities related to organizational climate, culture, and well-being of direct and indirect employees and their families.

    • Management of permits, licenses, authorizations, sanctions, reprimands, warnings, defenses, and dismissals with or without just cause.

    • Training and education of direct and indirect personnel.

    • Competency and performance evaluations.

    • Salary deductions permitted by current regulations and practice, and registration of garnishments by request of the competent authority.

    • Delivery of work uniforms/equipment.

    • Consultation and evaluation of all information about the applicant for the position stored in legitimately constituted judicial or security background databases, of a state or private nature, national or foreign.

    • Transmission and/or transfer of data.

5.3. Purposes for the processing of personal data of website users, potential customers, and customers:

• • • Behavior analysis, market segmentation, and market intelligence.

    • Offering and quoting goods and/or services of the Data Controller and/or its strategic allies.

    • Subscription, modification, and execution of contracts.

    • Compliance with legal and contractual obligations.

    • Billing management and issuance of invoices, either electronically or physically.

    • Debt collection management under the guidelines of Law 2300 of 2023.

    • Customer loyalty, profile analysis, commercial prospecting.

    • Consult, verify, and report to legally constituted financial or risk information bureaus the credit, financial, commercial, and service behavior of the Data Subject, as well as the fulfillment of their contractual obligations, in order to assess credit risk, conduct credit studies, and advance collection or portfolio recovery processes.

    • Evaluation of the quality of goods and/or services provided by the Data Controller.

    • Custody and management of information and databases.

    • Registration and enrollment process for academic programs.

    • Enablement of payment methods, use of payment gateways, and other related matters.

    • Conduct studies on consumption habits, preferences, and purchase interest.

    • Establish fluid, current, and repeated communication regarding services, products, promotions, and everything related to the corporate purpose.

    • Carry out marketing, promotion, and/or advertising activities for ourselves or third parties repeatedly, as indicated by Law 2300 of 2023.

    • Inform about changes in products and services related to the ordinary course of the company’s business.

    • Monitor satisfaction.

    • Process complaints, petitions, claims, or recommendations.

    • Transmit or transfer data to parent companies, affiliated companies, commercial allies, clients, suppliers, affiliates, and/or subsidiaries located in Colombia and/or abroad.

5.4. Purposes for the processing of personal data of strategic allies, suppliers or contractors, and their collaborators:

• • • Invitations to quote.

    • Registration and management of the selection and evaluation process for Suppliers and Contractors.

    • Management of the purchase of goods and/or services.

    • Verification of legal, technical, and/or financial requirements.

    • Billing and payment management for goods and/or services.

    • Contact for the development of signed contracts or service and/or purchase orders issued, until their termination.

    • Verification of compliance with occupational health, safety, and environmental regulations.

    • Verification of compliance with the regulations governing Personal Data Protection.

    • Inventory control.

    • Issuance of commercial references.

    • Custody and management of information and databases.

    • Conducting training sessions.

    • Management of procedures (requests, complaints, claims).

    • Processing of information including name, logo, contact details, images, photographs, videos, and other associated elements, for publication through internal or external media, social networks, institutional website, advertising material, or any other dissemination channel used by the Company, in order to promote, communicate, or inform about alliances, activities, events, projects, or other topics of interest.

    • Transmission and/or transfer of personal data.

5.5. Purposes for the processing of personal data of shareholders:

• • • Sending information related to the company’s own activities.

    • Convening meetings.

    • Management of dividend and profit payments.

    • Modifications, additions, and general changes related to legal and shareholder aspects.

    • Notarial records.

    • Registration of shares and obligations.

    • Signing of minutes.

    • Comply with legal provisions regarding tax withholding, monitoring, and reporting of information to control entities.

    • Sending and inclusion in WhatsApp chats or groups or any instant messaging medium or application, for sending information and messages related to the corporate purpose of the Company, including, but not limited to, landline and/or mobile phone, physical and/or electronic mail, SMS and/or MMS text messages, social networks, electronic media, and/or any other means of communication.

    • Manage procedures (requests, complaints, claims).

5.6. Purposes for the processing of personal data captured by security and video surveillance:

• • • Guarantee the physical security of facilities, assets, and persons within the perimeter covered by video surveillance cameras.

    • Access control.

    • Corroborate the attendance and presence of the Data Subject within the facilities.

    • Monitor compliance with internal codes of conduct, safety, and occupational health.

    • Protect the Company’s assets against theft, damage, vandalism, or misuse.

    • Serve as evidence in disciplinary processes.

    • Support investigations by competent authorities in case of incidents, crimes, or emergencies.

    • Facilitate decision-making in cases of work accidents, medical emergencies, or evacuations.

    • Monitor critical operations or production zones in real time, as part of operational control.

    • Identify unauthorized persons within the facilities or detect entries during non-permitted hours.

    • Generate and preserve visual records as part of risk management controls.

    • Retain images as backup for legal, disciplinary, or contractual processes, within the time limits established by law and the internal retention periods.

Note. The personal images of individuals visiting our facilities will be recorded on our DVR for a period of [__ (__) days] and will then be automatically deleted.

6. Data Retention Period:

INGELAM processes and stores personal data in strict compliance with applicable legislation and according to the purposes for which such data has been collected. Consequently, data will be stored and retained only for the appropriate time strictly necessary to fulfill those purposes, unless: (i) a specific legal obligation requires its retention for a determined period; (ii) it is necessary to retain it for a longer period in order to exercise or defend rights in judicial or administrative proceedings, up to one (1) year after the corresponding judgment becomes final; or (iii) the right to deletion is exercised or authorization is revoked, within the limits established by law.

7. Rights of the Data Subject:

In accordance with Article 6 of Law 1266 of 2008 and Article 8 of Law 1581 of 2012, the rights that you have as a Data Subject in relation to your personal data are:

• To know, update, and rectify your personal data with the Data Controllers or Data Processors. This right can be exercised, among others, regarding partial, inaccurate, incomplete, fragmented, misleading data, or those whose Processing is expressly prohibited or has not been authorized.

• To request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for Processing, in accordance with the provisions of Article 10 of this law.

• To be informed by the Data Controller or the Data Processor, upon request, about the use given to your personal data.

• To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of this law and other norms that modify, add, or complement it.

• To revoke the authorization and/or request the deletion of the data when the Processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that the Controller or Processor has engaged in conduct contrary to this law and the Constitution.

• To access free of charge your personal data that has been subject to Processing.

• To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other norms that modify, add, or complement it.

Below, you can find the procedure through which the Company guarantees the exercise of the rights described above.

8. Procedure for Exercising Your Rights as a Data Subject:

Data Subjects may exercise the rights described in this section by submitting a request to any of the following service channels:

The procedure will be conducted according to the following provisions:

• Inquiries: The Data Subject, or an authorized person, may submit requests related to the right to consult the personal information held in the Company’s databases. The inquiry will be addressed within a maximum term of ten (10) business days, counted from the date of receipt of the request. When it is not possible to address the inquiry within this period, the interested party will be informed of the reasons for the delay, indicating the date on which a response will be provided, which may not exceed five (5) business days following the expiration of the first term.

• Complaints: A Data Subject who believes that the information contained in the Company’s databases should be corrected, updated, deleted, who requires revocation of the granted authorization, or who identifies an alleged breach of legal duties, may file a complaint. The complaint will be addressed within a maximum period of ten (10) business days counted from the date of receipt. If it is not possible to address the complaint within this term, the interested party will be informed of the reasons for the delay and will be indicated the date on which a response will be provided, which may not exceed eight (8) business days following the expiration of the first term.

Once the request is received, a legend stating “complaint in process” and the reason for it will be included in the database within a term not exceeding two (2) business days. This legend will be maintained until the complaint is decided.

Finally, it is clarified that the request for deletion of information and revocation of authorization will not proceed when the Data Subject has a legal or contractual duty to remain in the INGELAM database.

9. Duties of the Data Controller:

INGELAM, as Data Controller, has the following duties:

• Guarantee the Data Subject, at all times, the full and effective exercise of the Right of Habeas Data.

• Request and keep, by any means and under the conditions provided in Law 1581 of 2012, a copy of the respective authorization granted by the Data Subject.

• Properly inform the Data Subject about the purpose of the collection and the rights they have by virtue of the authorization granted.

• Keep the information under the necessary security conditions to prevent its tampering, loss, consultation, unauthorized or fraudulent use or access.

• Guarantee that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.

• Update the information, communicating in a timely manner to the Data Processor all updates regarding the data previously provided to them, and adopt other necessary measures so that the information provided to them remains updated.

• Rectify the information when it is incorrect and communicate the relevant details to the Data Processor.

• Supply the Data Processor, as the case may be, only with data whose Processing has been previously authorized in accordance with the provisions of Law 1581 of 2012.

• Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.

• Process inquiries and complaints made in the terms indicated in Law 1581 of 2012.

• Adopt an internal manual of policies and procedures to ensure adequate compliance with Law 1581 and especially for handling inquiries and complaints.

• Inform the Data Processor when certain information is under dispute by the Data Subject.

• Inform the Data Subject upon request about the use given to their data.

• Inform the data protection authority when there are breaches of security codes and risks in the administration of the Data Subjects’ information.

• Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

10. Authorization:

INGELAM will request prior, express, and informed authorization from the Data Subjects of the Personal Data it requires to Process. This expression of will by the Data Subject can be given through the following mechanisms:

• In writing, by completing a specific authorization form for the Processing of Personal Data.

• Orally, through a telephone conversation or video conference.

• Through unambiguous conduct that allows concluding that the Data Subject granted their authorization.

In no case shall the Data Subject’s silence be assimilated to unambiguous conduct.

11. Validity and Changes to the Policy:

This Policy will come into effect from its publication and may be modified at any time. Any substantial change will be duly communicated to the Data Subjects of the personal data, at the latest at the time the new version of the Policy is implemented, through the following table: