PERSONAL DATA PROCESSING POLICY

First version 001-2025
Date: June 3, 2025

1. Purpose

In compliance with current regulations on the protection of Personal Data—namely Law 1581 of 2012, Regulatory Decree 1377 of 2013, and any amendments or supplementary provisions—KADREE TECH S.A.S. presents its Personal Data Processing Policy (hereinafter, the “Policy”). This Policy sets out general rules for safeguarding information related to, or that can be associated with, one or more identified or identifiable natural persons (the “Personal Data”), based on the prior authorization granted by the Data Subjects.

This Policy applies to all Data Subjects who have a relationship with KADREE TECH S.A.S. and/or whose Personal Data have been collected and processed in any way as a result of a relationship established with the Company—whether such processing is carried out by KADREE TECH S.A.S. or by third parties on its behalf.

This Policy covers all processing carried out within the territory of the Republic of Colombia by KADREE TECH S.A.S. and, where applicable, by any third parties with whom it contracts for any activities related to the Processing of Personal Data.

Within this Policy, KADREE TECH S.A.S. details its corporate guidelines for protecting Data Subjects’ Personal Data, the purposes of such processing, the rights of Data Subjects, the department responsible for handling complaints and claims, and the procedures to access, update, rectify, or delete Personal Data.

In keeping with the constitutional right of habeas data enshrined in Article 15 of the Political Constitution, KADREE TECH S.A.S. only collects and processes Personal Data with the prior, explicit, and informed authorisation of the Data Subject, implementing clear measures to ensure confidentiality and privacy. In cases where authorization is not required, the Company will nonetheless take all necessary measures to process information in accordance with applicable law.

2. Scope

This Policy applies to all Personal Data—for clients, suppliers, and employees—collected and/or incorporated into KADREE TECH S.A.S.’s databases. These parties are responsible for ensuring full compliance with this Policy.

KADREE TECH S.A.S. will take all measures within its reach to fully protect and process the Personal Data for which it is responsible, safeguarding individuals’ rights to privacy, intimacy, good name, and the rights to access, update, and rectify their data as held in the Company’s databases. Thus, this Policy applies both to Personal Data currently processed and to any that may be processed in the future.

3. Definitions

• AUTHORIZATION: Prior, express, and informed consent given by any person (the Data Subject) allowing the Data Controller to process their Personal Data.
• PRIVACY NOTICE: A physical, electronic, or other format document issued by KADREE TECH S.A.S. informing the Data Subject of the processing of their Personal Data, the applicable policies, and their rights.
• DATABASE: An organized set of Personal Data subject to processing (including both physical files and electronic records).
• PERSONAL DATA: Any information linked to or that can be associated with one or more identified or identifiable natural persons.
• PUBLIC DATA: Data that is neither semi-private, private, nor sensitive, such as marital status, occupation, or status as a public official.
• SEMI-PRIVATE DATA: Data that is not of an intimate, reserved, or public nature but whose knowledge or disclosure may interest a sector of people, e.g., financial or credit data.
• PRIVATE DATA: Data of an intimate or reserved nature, relevant only to the Data Subject and obtained exclusively with their authorization.
• SENSITIVE DATA: Data affecting the intimacy of the Data Subject or whose misuse may lead to discrimination, such as racial or ethnic origin, political orientation, religious or philosophical convictions, union membership, health information, sexual life, or bio-metric data.
• PROCESSOR (IN CHARGE): A natural or legal person, public or private, who processes Personal Data on behalf of the Data Controller.
• DATA CONTROLLER (RESPONSIBLE): A natural or legal person, public or private, who decides on the contents and use of the database and/or Data Processing.
• DATA SUBJECT (TITULAR): The natural person whose Personal Data is subject to Processing.
• TRANSFER: The transmission of Personal Data to a recipient who is also a Data Controller under Law 1581 of 2012.
• PROCESSING (TREATMENT): Any operation or set of operations on Personal Data carried out by KADREE TECH S.A.S.

4. Availability of the Policy

This Policy is available to Data Subjects through KADREE TECH S.A.S.’s disclosure channels. The Company, identified by NIT 900699822-2, is located at Calle 93B # 13-91, Office 600, Bogota; phone +57 300 8013539; email info@kadreetech.com; website: https://kadreetech.com.

5. Data Controller and Processor

KADREE TECH S.A.S. acts as Data Controller for Personal Data it collects directly from clients and as Processor under agreements with third parties to share data for commercial service offerings, always with prior express authorization and within the Company’s corporate purpose.

6. Data Subject Rights

Under Article 8 of Law 1581 of 2012, Data Subjects have the right to:

1. Access, update, and rectify their Personal Data held by KADREE TECH S.A.S. as Data Controller.
2. Request proof of the authorization granted to KADREE TECH S.A.S.
3. Be informed, upon request, of the uses made of their Personal Data.
4. Lodge complaints with the Superintendence of Industry and Commerce after exhausting the internal query or claim process.
5. Revoke authorization and/or request data deletion if principles, rights, or guarantees are violated.
6. Access their Personal Data free of charge.

7. Revocation of Authorization

Data Subjects may revoke authorization or request deletion of their Personal Data at any time, provided no legal or contractual obligation prevents it. Requests may be made by the same means used to grant authorization: info@kadreetech.com.

8. Obligations of KADREE TECH S.A.S.

As Data Controller (Art. 17, Law 1581/2012)

• Ensure the full exercise of habeas data rights.
• Keep copies of all authorizations.
• Inform Data Subjects of processing purposes and rights.
• Maintain security conditions preventing unauthorized access or alteration.
• Guarantee accuracy, completeness, and currency of data.
• Update or rectify data and notify Processors promptly.
• Process queries and claims per legal timelines.
• Adopt internal policies and procedures manual.
• Notify Processors of disputed data.
• Inform authorities of security breaches.
• Comply with Superintendence orders.

As Data Processor (Art. 18, Law 1581/2012)

• Ensure habeas data rights.
• Maintain data security.
• Update, rectify, or delete data promptly, within five (5) business days of receipt.
• Handle queries and claims per law.
• Maintain internal procedures manual.
• Mark records “claim in process” or “information under judicial dispute” as required.
• Abstain from circulating disputed data.
• Notify authorities of security breaches.
• Comply with Superintendence orders.

9. Guarantee and Authorization of Processing

KADREE TECH S.A.S. will process Personal Data (collection, storage, use, circulation, deletion) in accordance with constitutional and legal principles. It acts as Controller for staff, affiliates, clients, job candidates, and visitors, informing each group of processing methods and purposes via appropriate mechanisms. Records or technical means will evidence when and how authorizations were obtained. Data Subjects will have direct access to their information through suitable channels.

10. Purposes of Data Processing

Visitors, Clients, and Suppliers

• Send information on services, programs, and training.
• Inform about promotional campaigns.
• Conduct market research on trends and habits.
• Evaluate service quality and satisfaction.
• Promote, market, or advertise directly or via affiliates and third-party partners.
• Announce loyalty programs.
• Transfer data to affiliates and partners nationally or internationally.
• Any activity aligned with corporate purpose for marketing and advertising.

These activities may be carried out via physical or electronic means (e.g., text messages, other technologies). Acceptance of this Policy constitutes authorization for partial or full processing, including transfer abroad, for purposes such as product execution, accounting, payment processing, fraud detection, anti-money laundering, and other lawful activities.

Employees

• Recruitment, payroll, benefits, records, and termination processes.
• Human resources: payroll management, registrations, affiliations, notifications, and payments.
• Wellness and occupational risk prevention activities.
• Performance evaluations, induction, and training seminars.
• Time and access control (including biometric).
• Historical records for former employees.
• Security: video recordings in facilities (retained up to one year).
• Employees authorize processing of data provided during employment and thereafter if legally or contractually required.

11. Data Updating

KADREE TECH S.A.S. will continuously update its databases in accordance with Law 1581 of 2012.

12. Processing of Children’s and Adolescents’ Data

When processing minors’ data, the Company will respect their rights and comply with Law 1581 of 2012. Any questions about minors’ data are optional and require consent from a legal representative. Transfers of minors’ data occur only with parental authorization.

13. Right of Access

Under Article 14 of Law 1581 of 2012, Data Subjects may access their Personal Data in any database. KADREE TECH S.A.S. guarantees this right, responding within ten (10) business days of request via the contact methods and web portal https://kadreetech.com.

14. Data Transfers to Third Parties

KADREE TECH S.A.S. may transfer Personal Data, partially or wholly, to national or international third parties within its corporate purpose, always with prior authorization and legal safeguards, via formal agreements.

15. Complaints

At any time and free of charge, Data Subjects or their duly accredited representatives may request correction, updating, deletion of Personal Data, or revocation of authorization, in accordance with Law 1581 of 2012. Requests may be made by the Data Subject, their heirs (with identity proof), or legal representative. Secure mechanisms will ensure full exercise of rights under principles of confidentiality, integrity, and availability.

16. Guarantees of the Right of Access

KADREE TECH S.A.S. guarantees Data Subjects free, detailed access to their Personal Data through appropriate means.

17. Policy Validity

This Policy is effective as of its publication date and supersedes any conflicting institutional provisions. Matters not covered herein will be governed by the General Regime on Personal Data Protection in Colombia.