INFORMATION AND PERSONAL DATA PROCESSING POLICY
GENERAL INFORMATION
ASSISTCARGO SAS, recognizing the constitutional right to protection of personal data—i.e., every person’s right to know, update, rectify and/or cancel the information and personal data that has been collected about them and/or is processed in public or private databases and data compilations—established in Article 15 of the 1991 Political Constitution of Colombia and developed through Law 1581 of 2012 (“Statutory Law on Personal Data”), which sets forth the General Provisions for Personal Data Protection, and aware of the responsibility it has regarding the processing of personal data of data subjects, in order to guarantee the aforementioned constitutional right applicable to any personal data collected according to the purposes provided by law, the respective authorizations, and within the ordinary course of the Company’s business, issues this PERSONAL DATA PROCESSING POLICY, which is mandatory for all natural or legal persons who process personal data recorded in our databases, so that such data is processed in accordance with the current national personal data protection regime in the Republic of Colombia, under these guidelines.
ASSISTCARGO SAS hereby informs all interested parties and persons with whom it may have any relationship that the personal data obtained through any of its business lines, commercial establishments, service channels, or information collection channels will be processed in accordance with the principles and duties established by Law 1581 of 2012 and other regulations governing this matter. For all relevant purposes, ASSISTCARGO SAS is domiciled at Calle 60ª Sur # 68-08 Torre 2- 1806, Bogotá D.C., and may be contacted at: habeasdata@assistcargo.com
PURPOSE
This data processing and protection policy aims to provide the necessary and complete information to establish guidelines that guarantee the protection of personal data processed in connection with commercial, business, labor, and in general any relationship that involves the collection of data by the Company, in order to comply with the law; and to define procedures for responding to data subjects’ rights, as well as the criteria for collection, storage, use, circulation and deletion of personal data by the Company in the development of its corporate purpose.
Therefore, it establishes proper handling to protect the confidentiality, privacy and intimacy of personal data, setting criteria for collection, storage, use, circulation and deletion, ensuring information secrecy and the security of the processing that will be given to personal data of clients, contractors, suppliers and other persons who provide information to the company, in compliance with the principles, rights, freedoms and guarantees established by law.
SCOPE OF APPLICATION AND ADDRESSEES
The Company will comply with everything related to privacy and personal data processing established by Law 1581 of 2012 and its regulatory Decree 1377 of 2013 and any amendments thereto, as well as Article 269 of Law 1273 of 2009; and, in general, all regulations related to habeas data.
This policy applies to all personal data recorded in databases that are processed by the data controller, and in general to the protection of personal information obtained within the mission-driven and regular activities of the Company.
REACH
- To provide an expedited and lawful response to the different requests and claims made by Data Subjects, as well as their heirs or any other person duly authorized.
- To comply with current regulations on Personal Data Protection and any requirements derived from the accountability principle.
- To provide proper protection to the interests and needs of data subjects whose personal information is processed by the Company.
DEFINITIONS
For purposes of understanding personal data processing, the following definitions apply, aligned with Article 3 of Law 1581 of 2012 and Article 3 of Decree 1377 of 2013.
- Personal data: Any information linked to or that may be associated with one or more identified or identifiable natural persons.
- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
- Authorization: Prior, express and informed consent by the Data Subject to carry out the Processing of Personal Data.
- Data Subject: The natural person whose personal data is subject to Processing.
- Data Controller: A natural or legal person, public or private, who alone or jointly with others decides on the database and/or the processing of data.
- Data Processor: A natural or legal person, public or private, who alone or jointly with others processes personal data on behalf of the Data Controller.
- Database: An organized set of personal data that is subject to Processing.
- Co-owner: A natural or legal person with an ownership relationship with private property and common areas that make up the co-ownership.
- Employee: A natural person who works for the Company under an employment contract in exchange for salary.
- Contractor: A natural and/or legal person providing professional services under a professional services agreement.
- Customer: A natural person who uses the Company’s services under an existing commercial relationship.
- Supplier: A natural and/or legal person who supplies goods and/or services to the Company due to an existing commercial relationship (a contract is not necessarily required).
- Former employee and former contractor: A natural and/or legal person who previously provided services to the Company under an employment and/or services agreement whose relationship ended for any of the causes established therein.
- Prospective customer: A consumer or company with an interest in purchasing a product or service.
- Candidate: A natural person interested in participating in recruitment processes to join the Company.
- Company: Assistcargo SAS
PRINCIPLES
In the development, interpretation and application of the law and regulations, the following principles shall apply in a harmonious and comprehensive manner:
- Lawfulness: Processing is regulated and must comply with applicable laws and regulations.
- Purpose limitation: Processing must have a legitimate purpose consistent with the Constitution and the law and must be informed to the Data Subject.
- Freedom: Processing may only be carried out with the Data Subject’s prior, express and informed consent, unless a legal or judicial mandate provides otherwise.
- Accuracy/Quality: Data must be truthful, complete, accurate, updated, verifiable and understandable. Partial, incomplete, fragmented or misleading data must not be processed.
- Transparency: The Data Subject has the right to obtain information about the existence of data concerning them at any time and without restrictions.
- Restricted access and circulation: Processing must respect constitutional and legal limits; only authorized persons may process data.
- Security: Technical, human and administrative measures must be used to prevent alteration, loss, consultation, use or unauthorized/fraudulent access.
- Confidentiality: All persons involved in processing non-public data must ensure confidentiality even after their relationship ends.
- Retention limitation (temporality): Data must be retained only for the time reasonably necessary to fulfill the purposes and any legal/contractual obligations; afterward, it must be deleted.
- Necessity: Only strictly necessary data for the pursued purposes should be processed.
SPECIAL CATEGORIES OF DATA
SENSITIVE DATA
Sensitive data is understood as data affecting the Data Subject’s intimacy or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, membership in social or human rights organizations, or data related to health, sexual life, and biometric data.
Sensitive data processing is prohibited, except when:
- The Data Subject has given explicit authorization, unless authorization is not required by law.
- Processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally unable to give consent (in such case, legal representatives must authorize).
- Processing relates to data necessary for the recognition, exercise or defense of a right in judicial proceedings.
- Processing has a historical, statistical or scientific purpose (in which case measures must be adopted to remove Data Subjects’ identity).
PROCESSING AND PURPOSES
Personal data will be processed for the following purposes, depending on the databases processed by the controller and the applicable category:
- Partners/Shareholders: Administrative, economic, payment, tax and accounting management.
- Employees: Compliance with labor obligations; payroll; legal and conventional benefits; performance and quality evaluations; tax, economic and accounting management; occupational risk prevention and workplace safety; recruitment and promotion; and any other purpose derived from law or the employment relationship.
- Contractors: Compliance with service agreement obligations; fees management; evaluations; tax/economic/accounting management; occupational risk prevention and workplace safety; selection and promotion; and any other purpose derived from law or the contractual relationship.
- Customers: Administrative management; collections and payments; invoicing; economic, accounting and tax management; commercial relationship history; own or third-party advertising; marketing; commercial prospecting; customer management; and any other purpose derived from law or the contractual relationship.
- Suppliers: Administrative management; tax; collections and payments; economic and accounting management; commercial relationship history; supplier management; and any other purpose derived from law or the contractual relationship.
- Prospects: Advertising and commercial prospecting; offering products and services; marketing; opinion surveys; prospect profiling analysis.
- Candidates: Recruitment and selection management; psychometric tests; security analysis and home visits.
Data may eventually be shared with third parties and authorities that exercise inspection, control and oversight functions; it may also be used to send commercial, legal or general interest information, among others.
Collected information will not be used at any time for activities or purposes different from the Company’s lines of business.
Personal data will be kept only for the duration of the contractual, commercial and/or labor relationship, or for the time required by Colombian law or considering the relevance of the purposes for which it was collected. In all cases, the Company must ensure confidentiality even after the relationship ends.
TRANSFER AND TRANSMISSION OF PERSONAL DATA
The Company may transfer and transmit personal data to third parties with which it has operational relationships that provide services necessary for its operation, or as required by law. In such cases, the necessary measures will be adopted so that persons with access to personal data comply with this Policy, personal data protection principles, and legal obligations.
If the Company transmits data to one or more processors located within or outside Colombia, it will establish contractual clauses or execute a personal data transmission agreement stating:
- The scope of processing,
- The activities the processor will perform on behalf of the controller,
- The processor’s obligations towards the Data Subject and the controller.
Through such agreement, the processor commits to apply the controller’s information processing policy and to process data according to the purposes authorized by the Data Subjects and applicable laws.
In addition to applicable legal obligations, the processor must:
- Process personal data on behalf of the controller according to applicable principles.
- Safeguard the security of databases containing personal data.
- Maintain confidentiality regarding the processing of personal data.
RIGHTS AND LAWFULNESS CONDITIONS
DATA SUBJECT RIGHTS
In processing personal data, the Company will respect Data Subjects’ rights at all times, including:
- To know, update and rectify data before the Company and/or processors.
- To request proof of the authorization granted, except where the law provides an exception.
- To be informed, upon request, about the use given to the data.
- To revoke authorization and/or request deletion when legal and constitutional principles are not respected; deletion/revocation applies when the competent authority determines unlawful conduct, and provided there is no legal/contractual obligation to retain the data.
- To access, free of charge, the personal data that has been processed.
PROVISION OF INFORMATION
Information requested by Data Subjects will be provided mainly by electronic means, or otherwise if requested. Information will be delivered without technical barriers; it will be easy to read and access and will match the information contained in the database.
DUTY TO INFORM THE DATA SUBJECT
At the time of requesting authorization, the Company must clearly inform:
- The processing and its purpose.
- The optional nature of answering questions regarding sensitive data.
- The Data Subject’s rights.
- The controller’s identification, physical/electronic address and telephone.
The Company must keep proof of compliance and provide a copy to the Data Subject upon request.
DUTIES OF CONTROLLERS AND PROCESSORS
DUTIES OF THE DATA CONTROLLER
The Company, as controller, must (among others):
- Guarantee the full and effective exercise of habeas data rights.
- Request and keep a copy of the authorization granted by the Data Subject.
- Inform the Data Subject about collection purposes and their rights.
- Keep data with appropriate security conditions to prevent tampering, loss or unauthorized access.
- Ensure data provided to processors is accurate, complete, updated and understandable.
- Update/rectify data and communicate changes to the processor.
- Provide processors only data that has been previously authorized for processing.
- Require processors to respect security and privacy conditions at all times.
- Process queries and claims within legal timeframes.
- Adopt procedures to ensure compliance, especially for handling queries and claims.
- Inform the processor when a Data Subject’s claim is under dispute and pending resolution.
- Inform the Data Subject, upon request, about the use of their data.
- Report to the data protection authority when security violations occur and risks exist.
DUTIES OF THE DATA PROCESSOR
Processors (and the Company when acting as a processor) must (among others):
- Guarantee the full and effective exercise of habeas data rights.
- Keep data under appropriate security conditions.
- Update, rectify or delete data in a timely manner.
- Update data reported by controllers within five (5) business days of receipt.
- Process Data Subject queries and claims according to this policy.
- Refrain from circulating information under dispute by the Data Subject.
- Allow access only to persons who may access it.
- Verify the controller has authorization to process the Data Subject’s personal data.
GENERAL ACTIONS FOR PERSONAL DATA PROTECTION
Below are the general guidelines applied by the Company to comply with obligations under personal data protection principles. These guidelines complement existing general policies/procedures (e.g., information and data management policies and procedures) and do not replace them.
INFORMATION PROCESSING
All members of the Company, in performing their duties, will assume responsibilities and obligations for the proper handling of personal information, from collection and storage to use, circulation and final disposal.
USE OF INFORMATION
Personal information contained in databases must be used according to the purposes described in the “Processing and Purposes” section. If a department identifies new uses, it must inform Human Resources (or the department that manages such information), which will evaluate and, if applicable, manage its inclusion in this policy.
If a department different from the one that collected the data initially needs to use it, it may do so only if it is a foreseeable use within the services offered and for a purpose contemplated in this policy.
Departments must ensure that document recycling practices do not disclose confidential information or personal data. Resumes, academic degrees/certificates, medical exam results, or any document that identifies a person must not be recycled.
If a processor provided data for a specific purpose, the receiving department must not use it for a different purpose; once finished, it must delete the dataset to avoid outdated information or conflicts with pending Data Subject claims.
Staff must not make decisions with significant impact or legal implications exclusively based on system outputs; they must validate information through other instruments or directly with the Data Subject when necessary.
Only authorized employees/contractors may enter, modify or cancel data in protected databases/documents. Access permissions are granted by the Human Resources area according to predefined profiles.
Any different use must be previously consulted with each area leader.
INFORMATION STORAGE
Digital and physical information is stored in environments with appropriate controls for data protection, including physical and IT security controls, technological controls, and environmental controls in restricted areas, in own facilities and/or third-party data/document centers.
DESTRUCTION
Destruction of physical and electronic media is performed through mechanisms that do not allow reconstruction, only when it does not contravene legal requirements, always keeping traceability. This includes information held by third parties and in own facilities.
INCIDENT MANAGEMENT PROCEDURE INVOLVING PERSONAL DATA
An incident is any anomaly that affects or may affect the security of databases or information therein. If an incident is known, the user must report it to Human Resources, which will adopt appropriate measures.
The responsible area will inform the Company’s management within 15 days from the time it becomes aware. Incidents may affect digital or physical databases and trigger:
- Incident notification: If an incident may affect personal data, it must be reported to Human Resources, which will report to management.
- Incident handling: Everyone must promptly report suspicious events, weaknesses or policy violations affecting confidentiality, integrity and availability of assets and personal information.
- Identification: Suspicious or abnormal events must be evaluated to determine whether they are incidents and be reported appropriately.
- Reporting: Incidents must be reported as soon as possible through internal channels. If sensitive/confidential information is lost or disclosed, HR must be notified immediately. Loss or damage of devices containing personal data must be reported. Unless required by a competent authority, no employee should disclose information about affected systems. Legal counsel should intervene for authority requests.
- Containment, investigation and diagnosis: HR must ensure investigation and documentation, with management support.
- Resolution: Involved areas must prevent recurrence by correcting vulnerabilities.
- Closure and follow-up: Management, HR and relevant areas will review and document remediation actions. HR will prepare an annual incident analysis to support awareness campaigns.
TRAINING OF EMPLOYEES AND CONTRACTORS
The Company will develop annual training and awareness programs on personal data protection and information security. It will communicate these policies and train partners, suppliers and contractors at least annually, keeping evidence of attendance and knowledge. New partners/contractors must receive training upon onboarding. Human Resources will define training and evaluation plans based on regulatory changes.
EXCEPTIONS
The personal data protection regime does not apply in the following cases:
- Databases or files maintained exclusively in a personal or household context.
- Databases/files intended for national security and defense, and for AML/CFT prevention, detection, monitoring and control.
- Databases intended for and containing intelligence and counterintelligence information.
- Databases/files of journalistic information and other editorial content.
- Databases/files regulated by Law 1266 of 2008.
- Databases/files regulated by Law 79 of 1993.
QUERIES AND COMPLAINTS
Data subject queries and complaints must follow Articles 14 and 15 of Law 1581 of 2012, Decree 1377 of 2013, and any amendments, and must be submitted in writing to:
Calle 60ª Sur # 68-08 Torre 2- 1806, Bogotá D.C. · Phone (+57) 315 3815665 · Email: habeasdata@assistcargo.com
Indicating:
- Full name of the Data Subject.
- Copy of the Data Subject’s ID and, if applicable, the representative’s ID and proof of representation.
- Description of the request.
- Address for notifications, date and signature/company of the applicant.
Children and adolescents’ rights will be exercised by those legally authorized to represent them.
Responses will be provided within 10 and 15 business days from receipt for queries and complaints, respectively.
PUBLICATION AND AMENDMENTS
The Company will publish and keep this policy available for consultation and may amend it at any time; amendments will be published on the Company website (https://www.assistcargo.com/) or through the means it determines.
If changes affect processing purposes, the Company will request a new authorization from the Data Subject through broadly disseminated mechanisms (national/local newspapers, magazines, websites, posters, etc.).
If within thirty (30) business days from implementation of such notice mechanisms the Data Subject does not contact the controller/processor to request deletion under this policy, the Company may continue processing the data for the stated purposes.
POLICY EFFECTIVE DATE
This policy becomes effective as of its publication on https://www.assistcargo.com/
This Policy has been effective since February 1, 2026.
___________________________
MARTÍN ADRIAN QUINTEIRO
Legal Representative
ASSISTCARGO SAS
Tax ID (NIT): 901.188.010-1