VINDAM S.A.S., a commercial company legally constituted and registered with the Cali Chamber of Commerce, under the laws of the Republic of Colombia, identified with NIT 901998930-6, located at Avenida 3ra C norte #42-73, Cali - Valle del Cauca, hereinafter referred to in this document as THE COMPANY, with email ceo.vindam@gmail.com, pursuant to the provisions of current regulations regarding personal data protection, namely Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, and even the new regulatory compendium of Decree 1074 of May 26, 2015, allows itself to bring to the knowledge of the public interest, its clients, employees, allies, collaborators, and suppliers its INFORMATION AND PERSONAL DATA TREATMENT POLICY (PTIDP). With this document, the objective is to inform the holders of their personal data, state entities, private entities, and interested third parties, of the treatment that THE COMPANY will give to these when they are in its possession. Likewise, the processes for access to information, claims, requests, complaints, or claims regarding the handling of such information in light of the Constitution, the Law, and Jurisprudence. I. APPLICABLE REGULATORY FRAMEWORK The legal framework of this PTIDP of THE COMPANY is established primarily in the Political Constitution of Colombia, in its articles 15 and 20, which determine the right to information, liberties, and guarantees of all citizens regarding their personal data. Secondly, the provisions of Statutory Law 1581 of 2012, through which general provisions for the protection of information and personal data are dictated. Thirdly, the regulatory provisions established by the National Government in Decrees 1377 of 2013, Decree 886 of 2014, and even the new Decree 1074 of May 26, 2015; As well as in the Decrees that subsequently became Laws following the framework of the Pandemic generated by COVID-19 such as Law 2213 of 2022. II. OBJECT This PTIDP complies with articles 17 and 18 of Law 1581 of 2012, as well as what is determined by articles 2.2.2.25.3.1, 2.2.2.25.3.2, and 2.2.2.25.3.3 of Decree 1074 of 2015. In this sense, the object of this document or the regulations stipulated here is to establish the parameters for the handling of personal data by VINDAM S.A.S. and that, in turn, all holders, State entities, private companies, or interested third parties have full knowledge of the treatment and, in the case of holders or authorities, the purposes given to their data once obtained by any of our dependencies. III. DEFINITIONS AND CONCEPTS • Authorization: Prior, express, and informed consent supplied by the holder of the information and personal data, which may be granted to THE COMPANY so that it can develop the purposes established in its PTIDP. • Database: The organized set of personal data that will be subject to treatment by THE COMPANY, taking into account what is established in the PTIDP. • Sensitive data: Sensitive data must be understood as established in Article 5 of Law 1581 of 2012, that is, those data that affect the privacy of the holders or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual and reproductive life, and biometric data. • Personal data: Understood as any information linked or that can be associated with one or several specific or determinable natural persons. • Public data: Understood as public data that which is not consecrated by the constitution or the law as semi-private, private, or sensitive. That is, among others, those relating to the civil status of persons, their profession, trade, and their quality as a merchant or public servant are considered public data. In general, any data that can be obtained without any reservation. Public data may be contained, among others, in public records, public documents, gazettes, and official bulletins, as well as in duly executed judicial sentences that are not subject to reservation by express legal provision. • Responsible for the treatment: Must be understood as any natural or legal person, public or private, who by itself or in association with others, decides on the databases and/or the treatment of personal data. Taking into account this PTIDP, the responsible for the treatment is THE COMPANY, by itself. • Person in charge of the treatment: Will be understood as any natural or legal person, public or private, who by itself or in association with others, carries out the treatment of personal data on behalf of the responsible for the treatment. In this case and in accordance with this Information and Personal Data Treatment Policy, the person in charge is THE COMPANY by itself; or third parties it delegates for these purposes. • Holder: Understood as any natural or legal person whose personal data is subject to treatment in the databases handled and administered by THE COMPANY. • Treatment: Must be understood as any operation or set of operations on personal data such as collection, storage, use, circulation, or deletion developed by THE COMPANY always in light of this PTIDP. • Transfer: Understood as the transfer of data between the responsible and/or person in charge of the treatment of personal data, located in Colombia, with a recipient outside the country who in turn will act through their respective responsible or person in charge. • Transmission: Understood as a modality of treatment of information and personal data that implies the communication of the same, internally within THE COMPANY or with external third parties, within or outside the territory of the Republic of Colombia, when its purpose is the realization of treatment activities by the person in charge who will receive them; However, all transmission must be done with the authorization of the responsible party. • Privacy notice: Understood as the verbal or written communication generated by the responsible for the treatment, directed to the holder of the information and personal data, through which they are informed about the existence of the PTIDP of THE COMPANY that will be applicable to them, the way to access them, and the purposes of the treatment intended to be given to their personal data and information by THE COMPANY. GUIDING PRINCIPLES OF THE PTIDP OF VINDAM S.A.S. • Principle of legality: The treatment referred to in Law 1581 of 2012 is a regulated activity that must be subject to what is established therein, Decree 1074 of 2016, Law 2213 of 2022, and other norms that develop, modify, or add to them. • Principle of purpose: The treatment must obey one or several legitimate purposes according to the Constitution and the Law, which must be informed to the holder. • Principle of freedom: The treatment can only be exercised with the prior, express, and informed consent of the holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent. • Principle of Truthfulness or Quality: The information subject to treatment must be truthful, complete, exact, updated, verifiable, and understandable. The treatment of partial, incomplete, fractioned, or misleading data is prohibited. • Principle of transparency: In the treatment, the right of the holder to obtain from our company, at any time and without restrictions, information about the existence of data concerning them must be guaranteed. • Principle of Access and Restricted Circulation: The treatment is subject to the limits derived from the nature of the personal data, the provisions of the Law, and the Constitution. In this sense, the treatment may only be done by persons authorized by the holder and/or by the persons provided for in the Law. Personal data, except public information, may not be available on the Internet or other means of mass disclosure or communication, unless access is technically controllable to provide restricted knowledge only to the holders or authorized third parties in accordance with the law. • Principle of security: The information subject to treatment by THE COMPANY must be handled with the technical, human, and administrative measures necessary to provide security to the records, preventing their adulteration, loss, consultation, use, or unauthorized or fraudulent access. • Principle of Confidentiality: All persons involved in the treatment of personal data that do not have the nature of public are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks that comprise the treatment, being able only to supply or communicate personal data when this corresponds to the development of the activities authorized in the Law and in the terms thereof. IV. SCOPE OF APPLICATION. The PTIDP will be applicable to the treatment that all officials, collaborators, workers, allies, and shareholders of THE COMPANY must give to the information and personal data administered by it. However, branches, subsidiaries, and third parties, to which by virtue of the purposes of the databases, have access to them, must also proceed in accordance with what is established by the parameters of this PTIDP and in what is not provided therein to what is established in the Political Constitution of Colombia, Laws, and Jurisprudence. All the foregoing without prejudice to the legal and regulatory precepts that regulate these procedures generally in Colombia. V. PURPOSE OF THE TREATMENT OF INFORMATION AND PERSONAL DATA Through this PTIDP that regulates the treatment that will be given to personal data and information by the company, it is guaranteed that the information and personal data collected and administered by VINDAM S.A.S will be solely and exclusively for the development of activities directly linked to the corporate purpose of THE COMPANY. Specifically the following purposes: • Accounting, fiscal, and administrative management - Management of collections and payments; • Accounting, fiscal, and administrative management - Billing management; • Marketing; • Commercial distribution activities related to the purchase and sale of its services; • Advertising and commercial prospecting - Own advertising; • Advertising and commercial prospecting - Market segmentation; • Advertising and commercial prospecting - Decision support systems; • Data migrations and management thereof, without access to them; VI. RIGHTS OF THE HOLDERS OF THE PTIDP. In accordance with Article 8 of Statutory Law 1581 of 2012, which establishes the rights of data holders, THE COMPANY guarantees through this PTIDP, the exercise of the following rights of holders among others: • Request proof of the authorization granted to THE COMPANY in its capacity as responsible and in charge of the treatment, except when expressly excepted as a requirement for treatment, in accordance with the provisions of Article 10 of Law 1581 of 2012. • Be informed by THE COMPANY, in its capacity as responsible and in charge of the treatment, upon request, regarding the use that has been given to their personal data. • File complaints with the Superintendence of Industry and Commerce for violations of the provisions of the PTIDP, Law 1581 of 2012, and other norms that modify, add, or complement it once the requirement of procedibility established in this PTIDP has been exhausted. • Revoke the authorization and/or request the deletion of the personal data when in the treatment of those that THE COMPANY does not respect constitutional and legal principles, rights, and guarantees. In any case, said revocation and/or deletion will proceed only when the Superintendence of Industry and Commerce has determined that, in the development of treatment activities, the company has incurred in conduct contrary to Law 1581 of 2012 and the National Constitution of the Republic of Colombia. VII. THE EXERCISE OF THE RIGHTS OF THE HOLDERS OF THIS POLICY. Taking into account what is established in article 2.2.2.25.4.1 of the Single Regulatory Decree 1074 of 2015, the rights of the holders of personal data and information may be exercised by the people mentioned below: • By the respective holder, who must prove their identity sufficiently by the different means made available by the responsible party. • By their successors, who must prove such quality. • By the representative and/or attorney of the holder, prior accreditation of the representation or power of attorney. • By stipulation in favor of another or for another. • Given the case where the holder of the information is a minor, their rights may be exercised only by the persons who, in accordance with the law, are empowered to represent them. VIII. AUTHORIZATION BY THE HOLDERS OF INFORMATION AND PERSONAL DATA THE COMPANY allows itself to accredit that any activity of collection, conservation, use, handling, updating, correction, deletion and in general, any activity through which it is intended to obtain and/or treat personal data and information owned by third parties, must be carried out through prior, express, and free authorization from their respective holders. With the granting of authorization by the holder for the collection and treatment of information and personal data, it will be understood that they have read this PTIDP or failing that, they were previously informed through the privacy notice that it is published in the access links and on the website of THE COMPANY and that it can be consulted at any time and by any person without any type of restriction. Likewise, through the authorization for the conservation, administration, collection, and treatment of information and personal data, the holder declares that such data and information are truthful, complete, exact, updated, verifiable, understandable, and correspond to the current reality for the moment they are supplied. THE COMPANY will have available to all holders of information and personal data subject to treatment, the document through which they granted the respective authorization, with the sole purpose that they can access it upon request for the purpose of proving the means and the date on which it was granted. The authorization granted by the information holder may be in writing, whether in a physical, digital document, or on magnetic media, as well as in audio files, online data storage technological platforms, or in any other suitable and apt means to prove the existence of the holder's consent and authorization for the treatment of their personal data. Law 1581 of 2012 in Article 10 establishes that the authorization of the holder will not be necessary when it comes to: 1. Information required by a public or administrative entity in the exercise of its legal functions or by court order. 2. Data of a public nature or domain. 3. Cases of medical or sanitary urgency. 4. Information treatment authorized by law for historical, statistical, or scientific purposes. 5. Data related to the civil registration of persons. In light of what is established in articles 8 and 9 of Law 1581 of 2012, the holders of information or personal data may at any time request the deletion of their data and/or revoke the authorization granted to THE COMPANY for its treatment. In accordance with article 2.2.2.25.2.8 of the Single Regulatory Decree 1074 of 2015, the request for deletion of information and the revocation of authorization will not proceed when the holder thereof has a legal or contractual duty to remain in the database. Once the request is filed through the channels established in this PTIDP and THE COMPANY has not made any response or failing that has not deleted the data of the claimant holder, they will be fully entitled to go to the Superintendence of Industry and Commerce so that said entity, using its sanctioning and jurisdictional powers (article 22 law 1581 of 2012), orders THE COMPANY the deletion and/or revocation of the authorization deprecated by the holder. By virtue of what is regulated in the first paragraph of article 6 of Law 1581 of 2012, the treatment of sensitive personal data is prohibited as a general rule. However, in accordance with literal d) of the mentioned provision, the treatment of said data is allowed when it occurs by virtue of the purposes they have, that is, when these are directly linked to a specific objective they are permitted, in this case, it is the recognition, exercise, or defense of a right in a judicial process. In this sense, taking into account that within the corporate purpose of THE COMPANY is the provision of services or advice, the treatment of sensitive data is allowed, since data relating to health, sexual orientation, may be used for the exercise of rights and the protection of fundamental freedoms and prerogatives established in the political constitution. In light of what is established in article 2.2.2.25.2.3 of the Single Regulatory Decree 1074 of 2015, THE COMPANY will request express and written authorization from the holder of the sensitive data to consent to its treatment, prior verifiable communication of the following determinations: 1. That they are not obliged to authorize the treatment of sensitive data as long as it is not their will. 2. That responding to any question or questioning that THE COMPANY makes in relation to their sensitive personal data is optional. 3. Which of their sensitive data will be subject to treatment by THE COMPANY and for what purpose. 4. That all information regarding sensitive data provided to collaborators and dependents will be covered by the commercial professional secrecy that THE COMPANY must keep in the terms of law, and that appropriate and suitable measures will be used for its protection. THE COMPANY'S PTIDP recognizes that data pertaining to minors, as established in Article 7 of 1581 of 2012 regarding children and adolescents, are highly sensitive and their treatment is prohibited. However, in those cases where they are of public knowledge, their treatment is legally permitted, or when required to guarantee their fundamental rights. In this sense, THE COMPANY guarantees that it will refrain from treating private and semi-private data in which the holder is a minor, without it being absolutely necessary. Now, for said treatment, the authorization of the minor's representative will be required in the terms established by law and this PTIDP. THE COMPANY, through this PTIDP and by virtue of Law 1581 of 2012, guarantees that the information contained in its database will be used correctly, for lawful purposes and keeping the habeas data right protected by the Political Constitution harmless. The treatment of the personal data described above by the company will be circumscribed solely to the activities of collection, storage, and use of said information with the purposes established above. THE COMPANY guarantees all holders of information and personal data that it will not be used for purposes other than those respectively authorized by their holders in the authorization documents, that it will not be marketed to third parties under any figure, nationally or internationally, without prior express authorization by the holders. However, it is pertinent to highlight that without prejudice to the holder of the data manifesting their intention to revoke the authorization given to THE COMPANY for the conservation of their data, by virtue of a legal or contractual obligation, the data must be preserved, said revocation will not have the pertinent effects. IX. SECURITY, CUSTODY, CARE, AND SAFEGUARD POLICY OF PERSONAL DATA. The security, custody, care, and safeguard policy of personal data at VINDAM S.A.S aims primarily to guarantee the comprehensive protection of the personal information of its clients and employees. This is achieved through the implementation of rigorous security measures, both technological and organizational. To guarantee the security and confidentiality of the information, VINDAM S.A.S. supports its technological infrastructure on services from globally recognized providers for their high security standards: 1. **Security in hosting and data transmission**: Our services are hosted on secure infrastructures (Hostinger), and all communications and information transfers are made using the secure protocol **HTTPS (SSL/TLS)**. This ensures that data travels encrypted between the user and our servers, protecting them from unauthorized interception. 2. **Database Security (Supabase / PostgreSQL)**: For the storage of personal data, we use **Supabase**, a platform built on PostgreSQL, one of the most robust and secure databases in the world. We implement: * **Encryption at rest**: Stored data is encrypted, guaranteeing that, even in the unlikely event of physical access to disks, the information remains unreadable without the corresponding keys. * **Access Control (Row Level Security)**: We use Row Level Security (RLS) policies to ensure that each user can only access the information corresponding to them, preventing unauthorized cross-access. * **Secure Authentication**: Access to database administration is restricted and protected by robust authentication mechanisms. 3. **Vulnerability Management and Updates**: THE COMPANY keeps its systems and libraries updated to mitigate known vulnerabilities. We perform periodic security reviews in accordance with best web development practices. All these technical measures are complemented by internal administrative policies that restrict access to personal data solely to authorized personnel who require it for the fulfillment of their duties, who are obliged to maintain strict confidentiality. X. DEPARTMENT RESPONSIBLE FOR INQUIRIES, PETITIONS, COMPLAINTS, AND CLAIMS OF HOLDERS THE COMPANY has designated the Administrative Area to attend immediately and adequately to the petitions, complaints, claims, and requests raised by holders to it. For this purpose, Telephone (+57) 3147896054 was enabled; or email ceo.vindam@gmail.com, where general information will be provided to personal data holders or their representatives and they can update, correct, rectify, and request any novelty regarding information and personal data, including revoking the authorization granted for treatment. The physical address was also enabled, filing your request in person at the address Avenida 3ra C norte #42-73, Cali - Valle del Cauca. In the terms of article 13 of Law 1581 of 2012, information and personal data may be Supplied, upon written request for the purpose, to the following persons: 1. To the respective holders, their successors, or their legal representatives. 2. To public or administrative entities in the exercise of their functions. 3. To third parties who have been expressly authorized by the data holder or who by express legal provision are empowered to request the information. XI. PROCESS TO RESOLVE PETITIONS, COMPLAINTS, AND CLAIMS Giving scope to what is established in Law 1581 of 2012, in its Article 14 and what is established in the previous section of this PTIDP, THE COMPANY will have a maximum term of TEN (10) business days counted from the day following its filing, to answer each and every one of the inquiries that have been filed by the holders or their successors through any of the means established in the previous section and of which there is proof. These inquiries must be about or directed to consult or know the personal information that is subject to treatment by THE COMPANY. Given the case that it is not possible to attend the inquiry within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which their inquiry will be attended, a term that may not exceed five (5) business days following the expiration of the first term. Secondly, in compliance with the provisions of Article 15 of Law 1581 of 2012, THE COMPANY allows itself to communicate to all interested parties and holders of data treated by it, that regarding requests not related to an inquiry of the information subject to treatment or that enshrine a claim regarding correction, updating, or deletion, or when they notice the alleged breach of any of the duties of this PTIDP or Law 1581 of 2012, the term to respond will be fifteen (15) business days, counted from the day following its filing. All claims must be formulated in writing to the email ceo.vindam@gmail.com. A) EMAIL FOR PERSONAL DATA PROTECTION Complying with what is established by Law 1581 of 2012, Law 2213 of 2022, and its regulatory decrees, THE COMPANY has made available to all interested parties the email ceo.vindam@gmail.com for all inquiries, petitions, complaints, or claims derived from the treatment given to information and personal data. B) PROCEDIBILITY REQUIREMENT In accordance with what is established in Article 16 of Law 1581 of 2012, its regulatory decrees and what is established in this PTIDP, holders are warned that the inquiry or claim before THE COMPANY constitutes a requirement of procedibility to file a complaint before the Superintendence of Industry and Commerce. XII. VALIDITY OF THIS POLICY. This PTIDP governs from October fifteen (15) of the year two thousand and twenty-five (2025) and indefinitely, that is, its content obliges THE COMPANY, its workers, collaborators, external advisors, shareholders, and any external or internal third party that has a relationship with the treatment of information and personal data. To provide publicity to this PTIDP, it will be published through a hyperlink, being available immediately and sustained during its validity, on the official website of THE COMPANY: https://vindam.com/. THE COMPANY reserves the right to make modifications, adjustments, and/or updates to the content of its PTIDP in any of its sections.

What are cookies? Cookies are files that can be downloaded to your computer through web pages. They are tools that play an essential role for the provision of numerous information society services. Among others, they allow a web page to store and retrieve information about the browsing habits of a user or their equipment and, depending on the information obtained, they can be used to recognize the user and improve the service offered. Types of cookies Depending on who is the entity that manages the domain from where the cookies are sent and processes the data obtained, two types can be distinguished: Own cookies: those that are sent to the user's terminal equipment from a computer or domain managed by the editor itself and from which the service requested by the user is provided. Third-party cookies: those that are sent to the user's terminal equipment from a computer or domain that is not managed by the editor, but by another entity that processes the data obtained through the cookies. In the event that cookies are installed from a computer or domain managed by the editor itself but the information collected through them is managed by a third party, they cannot be considered as own cookies. There is also a second classification according to the period of time they remain stored in the client's browser, which may be: Session cookies: designed to collect and store data while the user accesses a web page. They are usually used to store information that is only interested in keeping for the provision of the service requested by the user on a single occasion (e.g. a list of products purchased). Persistent cookies: the data remains stored in the terminal and can be accessed and processed during a period defined by the person responsible for the cookie, and which can range from a few minutes to several years. Finally, there is another classification with five types of cookies according to the purpose for which the data obtained is processed: Technical cookies: those that allow the user to navigate through a web page, platform or application and the use of the different options or services that exist in it, such as, for example, controlling traffic and data communication, identifying the session, accessing parts of restricted access, remembering the elements that make up an order, carrying out the purchase process of an order, making the application for registration or participation in an event, using security elements during navigation, storing content for the dissemination of videos or sound or sharing content through social networks and integrated chat. Personalization cookies: allow the user to access the service with some predefined general characteristics based on a series of criteria in the user's terminal such as the language, the type of browser through which the service is accessed, the regional configuration from where the service is accessed, etc. Analysis cookies: allow the person responsible for them to monitor and analyze the behavior of the users of the websites to which they are linked. The information collected through this type of cookies is used in the measurement of the activity of the websites, application or platform and for the elaboration of navigation profiles of the users of said sites, applications and platforms, in order to introduce improvements based on the analysis of the usage data made by the users of the service. Vindam.com uses **Google Analytics** for these purposes. External social network cookies and Chat: they are used so that visitors can interact with the content of different social platforms (Facebook, YouTube, Twitter, LinkedIn, etc.) and allow the operation of the integrated chat service. The conditions of use of these cookies and the information collected is regulated by the privacy policy of the corresponding social platform or service provider. Deactivation and elimination of cookies You have the option to allow, block or delete the cookies installed on your computer by configuring the browser options installed on your computer. By disabling cookies, some of the available services may no longer be operational. The way to disable cookies is different for each browser, but it can usually be done from the Tools or Options menu. You can also consult the browser's Help menu where you can find instructions. The user may at any time choose which cookies they want to work on this website. You can allow, block or delete the cookies installed on your computer by configuring the browser options installed on your computer: Microsoft Internet Explorer or Microsoft Edge: http://windows.microsoft.com/es-es/windows-vista/Block-or-allow-cookies Mozilla Firefox: http://support.mozilla.org/es/kb/impedir-que-los-sitios-web-guarden-sus-preferencia Chrome: https://support.google.com/accounts/answer/61416?hl=es Safari: http://safari.helpmax.net/es/privacidad-y-seguridad/como-gestionar-las-cookies/ Opera: http://help.opera.com/Linux/10.60/es-ES/cookies.html In addition, you can also manage the cookie store in your browser through tools such as the following: Ghostery: www.ghostery.com/ Your online choices: www.youronlinechoices.com/es/ Cookies used on vindam.com Below are the cookies that are being used on this portal as well as their typology and function: Acceptance of the Cookies Policy Vindam.com assumes that you accept the use of cookies. However, it displays information about its Cookies Policy at the bottom or top of any page of the portal with each login in order for you to be aware. Given this information, it is possible to carry out the following actions: Accept cookies. This notice will not be displayed again when accessing any page of the portal during this session. Close. The notice is hidden on this page. Modify your configuration. You can obtain more information about what cookies are, know the Cookies Policy of Vindam.com and modify your browser settings.

MANUAL OF POLICIES AND PROCEDURES FOR THE PROTECTION AND PROCESSING OF PERSONAL DATA AND ATTENTION TO REQUESTS, INQUIRIES, AND CLAIMS (HABEAS DATA MANUAL) VINDAM S.A.S., a commercial company legally constituted and registered with the Cali Chamber of Commerce, under the laws of the Republic of Colombia, identified with NIT 901998930-6, located at Avenida 3ra C norte #42-73, Cali - Valle del Cauca, hereinafter referred to as "THE CONTROLLER", issues this Manual in compliance with Law 1581 of 2012 and Single Regulatory Decree 1074 of 2015, regarding the personal data protection regime, with the purpose of guaranteeing that the processing of personal data is carried out in strict compliance with applicable regulations, safeguarding the rights of consumers, users, and other natural persons whose data is subject to processing, collectively referred to as "HOLDERS" and indistinctly as "THE HOLDER". I. PURPOSE AND CONTACT This Manual aims to establish the internal policies and procedures for the protection and processing of personal data by VINDAM S.A.S., as well as the mechanisms for attending petitions, inquiries, complaints, and claims (PQR) from Holders, pursuant to the provisions of Statutory Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, Decree 1074 of 2015, and Law 2213 of 2022. Any petition, inquiry, complaint, or claim may be sent to the email: juridicavindam@gmail.com Controller identification: - Company name: VINDAM S.A.S. - Tax ID (NIT): 901998930-6 - Address: Avenida 3ra C norte #42-73, Cali - Valle del Cauca, Colombia - PQR email: juridicavindam@gmail.com - Website: https://vindam.com/ II. AGE OF MAJORITY No collection or processing of personal data of children or adolescents will be carried out, as the website, its content, and the services offered by VINDAM S.A.S. are exclusively directed at adults. Any suspicion that a Holder is a minor will result in the denial of service, blocking of the email, and immediate deletion of other personal data (real or not) that the Holder has supplied. III. TYPES OF DATA COLLECTED For registration on the website, requesting information, acquiring services, or product demonstrations by VINDAM S.A.S., Holders are required to provide the following personal data: 1) First and last names. 2) Email address. 3) Company or organization name. 4) Telephone country code and phone number. 5) Job function or title. 6) Country of residence. 7) Free-text messages (specific inquiries or requests). IV. PROCESSING AND PURPOSES The processing of Holders' personal data includes collection, storage, administration, use, and deletion in the manner permitted by Law and in accordance with the following purposes: 1. Verify that Holders are adults, including possible comparisons of information with public databases. 2. Maintain communication with Holders regarding products and services offered by VINDAM S.A.S. 3. Manage and execute product demonstrations, including activation of artificial intelligence chatbots and callbots. 4. Initiate and conduct automated telephone calls through artificial intelligence agents as part of the callbot service offered by VINDAM S.A.S. 5. Offer and promote, by any means, products and services of THE CONTROLLER, or third parties having a legal link with THE CONTROLLER, including conversational automation solutions powered by artificial intelligence. 6. Maintain information on requests, petitions, complaints, and claims presented by Holders regarding activities developed by THE CONTROLLER. 7. Perform statistical, demographic, and market analysis to improve the products and services offered. 8. Comply with contractual obligations agreed with the Holders. 9. Accounting, fiscal, and administrative management, including billing, collections, and payments. 10. Comply with legal, judicial, or administrative requirements. THE CONTROLLER has the obligation to maintain the confidentiality of personal data subject to processing and may only disclose them by express request of surveillance and control entities and authorities having the legal power to request it, and will allow at all times and free of charge to know, update, and correct the personal information of the Holder in accordance with Article 8 of Law 1581 of 2012. In development of the principle of purpose, the collection of personal data is limited to those personal data that are pertinent and adequate to fulfill the purposes expressed in this Manual. Except in cases expressly provided by Law, personal data may not be collected without authorization from the Holder. V. PRINCIPLES FOR PERSONAL DATA PROCESSING In the development, interpretation, and application of this Manual, the following principles will be applied harmoniously and integrally: 1. Principle of legality in data processing: The processing referred to in this Manual is a regulated activity that must be subject to what is established in the Law and other provisions developing it. 2. Principle of purpose: Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Holder. 3. Principle of freedom: Processing can only be exercised with the prior, express, and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate relieving consent. 4. Principle of truthfulness or quality: Information subject to processing must be true, complete, exact, updated, verifiable, and understandable. Processing of partial, incomplete, fractioned, or misleading data is prohibited. 5. Principle of transparency: Processing must guarantee the right of the Holder to obtain from THE CONTROLLER, at any time and without restrictions, information about the existence of data concerning them. 6. Principle of restricted access and circulation: Processing is subject to limits derived from the nature of personal data, provisions of the Law, and the Constitution. In this sense, processing may only be done by persons authorized by the Holder and/or by persons provided for in the Law. Personal data, except public information, may not be available on the Internet or other means of mass disclosure or communication, unless access is technically controllable to provide restricted knowledge only to Holders or third parties authorized according to Law. 7. Principle of security: Information subject to processing by THE CONTROLLER must be handled with technical, human, and administrative measures necessary to grant security to records avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access. 8. Principle of confidentiality: All persons intervening in the processing of personal data that do not have the nature of public are obliged to guarantee the reservation of information, even after their relationship with any of the tasks comprising the processing has ended, being able only to supply or communicate personal data when this corresponds to the development of activities authorized in the Law. VI. PROCESSING OF SENSITIVE DATA In accordance with Article 5 of Law 1581 of 2012, sensitive data are those that affect the privacy of the Holder or whose improper use can generate discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations, or that promote interests of any political party or guarantee rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data. VINDAM S.A.S. does not collect or process sensitive data through its website or its registration and service request forms. VII. RIGHTS OF HOLDERS Holders of personal data or their successors have the following rights: 1. Receive information about: (i) the processing to which their personal data will be subjected and its purpose, (ii) the optional character of answers to questions regarding sensitive data, (iii) the rights assisting them as a Holder, and (iv) the identification, physical or electronic address, and telephone of THE CONTROLLER. 2. Obtain from THE CONTROLLER, at any time and without restrictions, information about the existence of data concerning them. 3. Be informed by THE CONTROLLER, upon request, regarding the use given to their personal data. 4. Request proof of authorization granted to THE CONTROLLER except when expressly excepted as a requirement for processing, in accordance with Article 10 of Law 1581 of 2012. 5. That their personal data not be disclosed without prior authorization, except legal or judicial mandate relieving such consent. 6. Receive free of charge all information contained in the individual record or linked to the identification of the Holder, when the Holder or their successors so request through channels arranged for this purpose by THE CONTROLLER. 7. Access their personal data and exercise their rights over them through mechanisms arranged for this purpose by THE CONTROLLER. 8. Consult their personal data free of charge: (i) at least once every calendar month, and (ii) every time there are substantial modifications to information processing policies; all through mechanisms arranged for this purpose by THE CONTROLLER. 9. Receive a response to all inquiries made about their personal data within legal terms and in any case, in a term not exceeding fifteen (15) business days, in terms provided in Article 14 of Law 1581 of 2012. 10. Receive a response to all claims made about their personal data within legal terms and in any case, in a term not exceeding twenty-three (23) business days, in terms provided in Article 15 of Law 1581 of 2012. 11. Request update and/or rectification of their personal data to THE CONTROLLER. 12. Revoke authorization and/or request deletion of their personal data, through PQR procedures arranged for this purpose by THE CONTROLLER. The Holder may not revoke authorization and/or request deletion of their personal data when they have a legal or contractual duty to remain in the database. 13. Be informed about any substantial change, referring to the identification of THE CONTROLLER or the purpose of processing, in the content of processing policies, before or at the latest at the moment of implementing new policies. 14. File complaints with competent authorities for infringements of the Law. VIII. PROCEDURE FOR EXERCISE OF RIGHTS BY HOLDERS Holders of personal data must direct their requests or claims to the email: juridicavindam@gmail.com 1. Procedure for inquiries: THE CONTROLLER must address inquiries within a term of ten (10) business days counted from the date the request is received. When it is not possible to comply with this time, the interested party must be informed expressing the reasons for delay and the date their request or inquiry will be addressed, in a term not exceeding five (5) business days following the expiration of the first term. 2. Procedure in case of claims: The Holder or successor considering that information contained in a database should be corrected, updated, or deleted, or when noticing alleged non-compliance with any duties contained in the Law or this Manual, may file a claim to THE CONTROLLER, which will be processed under the following rules: 3. The claim must be formulated with the identification of the Holder, description of facts giving rise to the claim, address, and accompanying documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) days following receipt thereof to remedy faults. After two (2) months from the date of request, without the applicant presenting required information, it will be understood that the claim has been abandoned. 4. Once the complete claim is received, a legend saying "claim in process" and the reason thereof will be included in the database, in a term not exceeding two (2) business days. Said legend must be maintained until the claim is decided. 5. The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of reasons for delay and date their claim will be addressed, which in no case may exceed eight (8) business days following expiration of the first term. 6. Procedure for revocation of authorization and/or request for data deletion: Holders may at any time request THE CONTROLLER to delete their personal data and/or revoke authorization granted for processing thereof, by filing a claim, according to Article 15 of Law 1581 of 2012, Article 2.2.2.25.2.6 of Decree 1074 of 2015, and the procedure indicated in this Manual. If the respective legal term expires and THE CONTROLLER has not eliminated personal data, the Holder will have the right to request the Superintendency of Industry and Commerce to order revocation of authorization and/or deletion of personal data. However, according to Articles 2.2.2.25.2.6 and 2.2.2.25.2.8 of Decree 1074 of 2015, the request for deletion of information and revocation of authorization will not proceed when the Holder has a legal or contractual duty to remain in the database. IX. TEMPORAL LIMITATIONS TO PERSONAL DATA PROCESSING THE CONTROLLER may only collect, store, use, or circulate personal data for a reasonable and necessary time, according to purposes justifying processing, attending to applicable provisions and administrative, accounting, fiscal, legal, and historical aspects of information. Once the purpose(s) of processing is fulfilled, THE CONTROLLER will proceed to delete personal data in their possession. However, personal data must be kept when required for compliance with a legal or contractual obligation. X. VALIDITY The validity period of the database will be indefinite. This Manual enters into force from February 20, 2026. VINDAM S.A.S. reserves the right to make modifications, adjustments, and/or updates to the content of this Manual in any of its sections, which will be communicated to the Holders through the means arranged for such purpose.

Consumer Protection Authority In compliance with the provisions of Law 1480 of 2011 (Consumer Statute), users are informed that, if they consider their rights as consumers violated, they may file a complaint or claim with the competent authority in the Republic of Colombia. Superintendency of Industry and Commerce (SIC) Official website: https://www.sic.gov.co National consumer hotline: 01 8000 910165 The foregoing is understood without prejudice to previously exhausting the service channels arranged by this website, through the email juridicavindam@gmail.com