Terms and Conditions PAYCOP INTERNATIONAL S.A.

1. 1. INTRODUCTION

   In strict compliance with current Personal Data Protection regulations, in accordance with Law 1581 of 2012, Decree 1377 of 2013, Law 1266 of 2008, and other related or complementary regulations, PAYCOP INTERNATIONAL S.A. (hereinafter PAYCOP) presents its “Personal Data Processing Policy” to safeguard the personal information provided by the Data Subjects. The following applies to the website and its derived uses.

2. 2. DEFINITIONS

   1. a. DATA SUBJECT:

      A natural or legal person whose data is subject to processing.

   2. b. DATA PROCESSOR:

      A natural or legal person, public or private, that processes personal data on behalf of the Controller.

   3. c. DATA CONTROLLER:

      A natural or legal person, public or private, who makes decisions regarding the processing of personal data, either individually or in association with others.

   4. d. AUTHORIZATION:

      The prior, express, and informed consent of the Data Subject to carry out the processing of personal data.

   5. e. PROCESSING:

      Refers to the data lifecycle, from its collection to its deletion.

   6. f. TRANSFER:

      Occurs when the Controller and/or Processor of personal data located in Colombia sends the information or personal data to another Controller, either within or outside the country.

   7. g. TRANSMISSION:

      The processing of personal data that involves communication of such data within or outside the territory of the Republic of Colombia when the purpose is to perform processing by the Processor on behalf of the Controller.

3. 3. DATA CONTROLLER:

   The parties responsible for data processing are PAYCOP, which provides the following information:

   PAYCOP INTERNATIONAL S.A.

   Identification number: NIT. 901.900.843 - 2

   Domicile: Bogotá, Colombia.

   Address: Cra.12 #93-31.

   Email: linea.etica@paycop.co - contacto@paycop.co

   It should be noted that the controllers may transmit and transfer information in accordance with the purposes outlined in this document.

4. 4. DATA PROCESSING:

   1. a. Regarding the main sources of data collection:

      1. Through agreements or commitments entered into with PAYCOP.
      2. Through the exchange of emails.
      3. Through the forms submitted to PAYCOP.
      4. Through meetings or phone communications.
      5. Through access to PAYCOP’s websites or applications.
      6. Through data transmission or transfer.
      7. Through conversations carried out by electronic means.
      8. Through physical forms.
      9. Through requests to perform transfers.

   2. b. Regarding use:

      It will be carried out according to the stated purposes.

   3. c. Regarding storage:

      Both internal and cloud servers will be used. For these purposes, the information will be protected by access credentials with restricted knowledge within the company.

   4. d. Regarding deletion or removal:

      It will occur whenever the Data Subject requests it or when the purpose has been fulfilled. However, deletion may not occur if there is a legal requirement to retain the data.

   5. e. Transfer and transmission:

      Transfer and transmission will be carried out to fulfill the stated purposes. It should be noted that the information of shopkeepers and drivers may be shared with third parties offering alternative financing services and/or improved product and benefit offerings.

5. 5. RIGHTS AND DUTIES OF THE DATA SUBJECT:

   According to Article 8 of Law 1581 of 2012, the Data Subject has the right to:

   1. "a) Know, update, and rectify their personal data before the Controllers or Processors. This right may be exercised, among others, regarding partial, inaccurate, incomplete, fragmented data, or data that induces error, or whose processing is expressly prohibited or unauthorized;"

   2. b) Request proof of the authorization granted to the Controller, except when expressly exempted as a requirement for processing, in accordance with Article 10 of this law;

   3. c) Be informed by the Controller or Processor, upon request, about how their personal data has been used;

   4. d) Submit complaints to the Superintendence of Industry and Commerce for violations of this law and any other related regulations;

   5. e) Revoke authorization and/or request the deletion of data when the processing does not comply with constitutional and legal principles, rights, and guarantees. Revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce determines that the Controller or Processor has engaged in conduct contrary to this law and the Constitution;

   6. f) Freely access their personal data that has been processed.

   The Data Subject has the duty to:

   1. Submit a written request to PAYCOP to be informed about the use of their Personal Data, if they wish to know this information.
   2. Provide accurate, up-to-date, and truthful information at all times.

6. 6. PURPOSES OF PERSONAL DATA PROCESSING

   The purposes of data processing by PAYCOP are as follows:

   1. a. Personal Data Management:
      1. Organize, catalog, classify, divide, or separate and store personal data within PAYCOP’s systems and files.
   2. b. Commercial Relationship:
      1. Maintain, develop, and manage the commercial relationship between the Data Subject and PAYCOP.
      2. Generate loyalty strategies with the Data Subject.
      3. Establish commercial partnerships with third parties.
      4. Develop the corresponding project.
      5. Maintain contact with Data Subjects for future events or projects that may arise. This implies that the Controllers may retain information even after the PAYCOP service is no longer in use for purposes such as invitations, statistical analysis, product offerings, and similar uses.
   3. c. Internal Operations:
      1. Carry out processes for operational development and systems management.
      2. Promote partnerships with third parties focused on alternative finance.
   4. d. Service Personalization:
      1. Provide services and products tailored to specific needs.
      2. Send information about updates, news, newsletters, and advertisements.
   5. e. Service Analysis and Improvement:
      1. Maintain a historical record of information for interest and needs analysis.
      2. Develop marketing strategies based on user behavior.
      3. Promote partnerships with allies that offer alternative financial services.
      4. Conduct commercial prospecting and market segmentation.
   6. f. User Management:
      1. Conduct satisfaction surveys and offer services.
      2. Manage requests, complaints, and claims, and direct them to the responsible areas.
   7. g. Legal Compliance and Reporting:
      1. Submit reports to supervisory and control authorities.
      2. Fulfill administrative, commercial, and advertising uses according to client agreements.
      3. Manage accounting, economic, fiscal, and administrative matters.
      4. Access credit bureaus to verify clients’ financial status.
      5. Preserve information in accordance with legal provisions.
   8. h. Data Transfer and Transmission:
      1. Transfer personal data to company suppliers and strategic partners.
      2. Send information to Data Processors.
      3. Report to credit bureaus in case of financial default.

7. 7. DATA TO BE PROCESSED:

   The information that PAYCOP intends to process includes:

   1. First and last name.
   2. Nationality.
   3. Mobile phone number.
   4. Email address.
   5. Company of employment.
   6. Position or job title.
   7. Work address.
   8. Corporate email address.
   9. Corporate phone number.
   10. Identification data.
   11. Contact information.
   12. Employment data.
   13. Advertising ID.
   14. National ID (DNI).
   15. IMEI.
   16. BSSID.

8. 8. ACCESS CHANNELS AND MECHANISMS PROVIDED BY PAYCOP:

   PAYCOP will provide the following channels for Data Subjects to exercise their rights: linea.etica@paycop.co and contacto@paycop.co

9. 9. LEGAL PROCEDURE FOR INQUIRIES, COMPLAINTS, AND CLAIMS:

   The procedure for Data Subjects to exercise their rights to access, update, rectify, and delete information, and to revoke authorization, consists of sending an email to linea.etica@paycop.co and contacto@paycop.co, in which the Data Subject identifies the specific right being requested. The response timelines that PAYCOP will follow are:

   1. a. Access 10 business days + 5 (for delays)
   2. b. Rectification 15 business days + 8 (for delays)
   3. c. Deletion 15 business days + 8 (for delays)
   4. d. Objection 15 business days + 8 (for delays)

   All timelines are counted from the date the request is received from the interested party.

   The request must include the following elements:

   1. a. The Data Subject’s full name.
   2. b. Type and number of identification.
   3. c. A detailed description of the facts motivating the request.
   4. d. The address or preferred notification method to receive any response.
   5. e. Any documents the Data Subject wishes to attach to the request.

   Please note that the area responsible for handling requests, inquiries, and claims—before which the Data Subject may exercise the rights to access, update, rectify, and delete data, and to revoke authorization—is the Legal Department.

10. 10. VALIDITY:

    This Personal Data Processing Policy is effective as of February 17, 2025, and will remain in force as long as the purposes of processing persist.

    PAYCOP may modify this data processing policy without prior notice and at any time. Therefore, the Data Subject should regularly review the website, as the updated document will always be available to them. If the Data Subject disagrees with any modifications, they must notify us at linea.etica@paycop.co and contacto@paycop.co.