CONTENT

How do we protect your Personal Data and Privacy?

What regulations do we have to comply with in the processing of your personal data?

To be clear when reading our Policy!

Who are our data subjects?

What principles do we guarantee in the processing of your personal data?

What Information Do We Collect From You?

What do we use the information we collect for?

How may we process your personal information?

Why do we share information with third parties?

What are our obligations to you when dealing with your personal information?

How do we obtain your authorization/consent for the processing of your personal information?

What are your rights?

How can you exercise your rights?

Where can you exercise your rights?

What is the area responsible for processing your requests for inquiries or complaints?

Can we change this Policy?

How long are the Databases and this Policy valid?

Who is responsible for your personal information?

How do we protect your Personal Data and Privacy?

Your privacy is important to Sanmor tech S.A.S. (hereinafter "Soulbit" or "the Company"), and therefore, Soulbit recognizes the importance of the security, privacy and confidentiality of the personal data of its employees, potential customers, customers, suppliers and in general of all its agents of interest with respect to whom it processes personal information; therefore, in compliance with constitutional and legal mandates, we make available to you the following Personal Data Protection Policy (hereinafter the "Policy"), applicable to all those activities that involve the processing of personal information by Soulbit as the data controller and any of its processors. This Policy supersedes all prior agreements, whether oral or written, between You and Soulbit regarding the collection, use, storage, circulation, disclosure and deletion of Your personal data, and the same, may be modified by Soulbit at any time, informing such modifications to the owners of the information, through the channels that the Company provides for such purpose,  as provided for by local regulations.

What regulations do we have to comply with in the processing of your personal data?

This Policy was developed in compliance with Law 1581 of 2012 - Personal Data Protection Law (hereinafter "LPDP"), Decree 1074 of 2015, and the other provisions that add, modify, regulate, expand, complement or delete them. Our Policy is intended to ensure the constitutional right of all individuals to know, update, and rectify information that has been collected about them in databases or files that Soulbit has collected. For the purposes of this Policy, Soulbit will be responsible for personal information.

To be clear when reading our Policy!

Below, we point out key concepts to understand and take into account while reading Our Policy:

a) Authorization: Prior, express and informed consent of the owner of the personal data to carry out the processing of personal data. Consent may be granted in writing, orally or through unequivocal conduct by the Owner that allows concluding that the authorization was granted.

b) Privacy Notice: It is the verbal or written communication whose purpose is to inform the Data Owner about the existence of a personal data processing policy, which will be applicable in the process of processing their information.

c) Database: It is the organized set of personal data that will be subject to Processing by Soulbit. Databases are considered information assets that contain information organized on magnetic or physical media of potential customers, customers, suppliers and employees, among others.

d) Personal Data: Any information linked to or that can be associated with one or more specific or determinable natural persons. Personal data is classified as:

Public Data: It is the data that is not private or sensitive. The following are considered public data, among others: name, identity document, marital status of people, gender, among others.

Semi-private data: Semi-private data is data that is not intimate, reserved, or public in nature and whose knowledge or disclosure may be of interest not only to its owner, but also to a certain sector or group of people or society in general, such as financial and credit data from commercial activity or services.

Sensitive Data: It is the data that affects the privacy of the owner or whose improper use may generate discrimination, such as that which reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data related to health.  sex life and biometric information, among others, the capture of still or moving images, fingerprints, photographs, iris, voice, facial or palm recognition, among others. The personal data of minors is considered sensitive data, regardless of the type of data. The processing of this type of data is prohibited, except in the following cases:

○ Explicit authorization from the Owner.

○ Safeguarding the vital interest of the holder.

○ Legitimate activities by Foundations, Non-Governmental Organizations (NGOs), associations or non-profit organizations.

○ Recognition, exercise or defense of a right in a judicial process.

○ Historical, statistical or scientific purpose (in which case, the data must be anonymized).

e) Data Processor: Natural or legal person, public or private, who by itself or in association with others, processes personal data on behalf of the Data Controller.

f) Data Controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the Processing of the data.

g) Information Repository: Organized set of data in physical or magnetic media, in which there may or may not be personal information of holders, which are not subject to reporting to the Control Entities.

h) Data Owner: Natural person whose personal data are subject to processing.

i) Transfer: The transfer of data takes place when the Controller and/or Processor of personal data sends the information or personal data to a recipient, who in turn is the Controller and is located inside or outside the country from which it was sent.

j) Transmission: Processing of personal data that involves the communication of the same within or outside the country, when its purpose is to carry out a processing of the Processor on behalf of the Controller.

k) Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

Who are our data subjects?

In the development of our corporate purpose and the different support activities for the fulfillment of it, we may process the personal data of various data subjects, such as:

Potential customers.

Clients.

Potential suppliers.

Suppliers.

Aspiring employees.

Employees.

Petitioners and/or Claimants.

What principles do we guarantee in the processing of your personal data?

Soulbit develops the Processing of Personal Data respecting the general and special rules on the matter, and applying the following principles in a harmonious and comprehensive manner:

a) Principle of legality: The provisions of Law 1581 of 2012, Law 1266 of 2008 and other provisions that add, modify, regulate, expand, complement or delete them will be applicable to the processing of the information contained in the Databases kept by Soulbit.

b) Principle of purpose: The processing of the information contained in the Databases kept by Soulbit, obeys a legitimate purpose in accordance with the Constitution, the Law and the purposes previously informed to the owner.

c) Principle of freedom: The processing of the information contained in the Databases kept by Soulbit may only be exercised when there is the free, prior, express and informed consent of the owner.

d) Principle of truthfulness or quality: The information subject to the Processing by Soulbit will be truthful, complete, accurate, updated, verifiable and understandable. Partial, incomplete, fragmented or misleading data will not be subject to Processing.

e) Principle of transparency: Soulbit guarantees the right you have to obtain at any time and without restrictions, information about the existence of data concerning you.

f) Principle of restricted access and circulation: The Processing of private information can only be consulted and accessed by you and/or by the persons you authorize, or the persons who have standing in accordance with the law. The activities of collection, processing and disclosure of personal information are subject to specific limits determined by the purpose of the database, by the authorization of the owner and by the principle of purpose.

g) Security principle: The information subject to Processing by Soulbit, referred to in Law 1581 of 2012, will be handled with the technical, human and administrative measures that are necessary to provide security to the records, preventing their adulteration, loss, consultation, use or unauthorized or fraudulent access.

h) Principle of confidentiality: All persons involved in the Processing of Personal Data that are not public in nature shall be obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks included in the Processing.

i) Principle of Temporality: The period of conservation of Personal Data will be that necessary to achieve the purpose for which it has been collected and/or while the owner has pending obligations, or for the additional time required by special or general regulations.

What Information Do We Collect From You?

Information You Provide to Us

When You purchase any Soulbit product; you sign up for an event, training, promotion, or contest with Soulbit; he aspires to a job at Soulbit; you work or have worked at Soulbit; you are a family member of a former Soulbit employee or employees; are a supplier or potential supplier or use any service or product, or have otherwise provided us with your personal information, and while you are our customer, you agree that we may collect certain Personal Information from and about you, such as:

Personally identifiable information, such as your full name, identification document, identification number, date of birth, as well as any other acceptable document, or means by which we can verify your identity;

Your financial information such as income, assets, equity, liabilities and credit history, tax return, etc.;

Information about your transactions, the origin of the resources available to Soulbit and the purposes for which you will use the funds;

Information we may require to provide you with a product;

Information related to your identity and digital reputation available in the digital environment, including instant messaging services in any digital format, social networks content, mobile and wearable devices and, in general, information related to your interaction on websites, applications, content and other products and services of third parties.

Biometric information for identity verification or when required by law.

For legal entities such as companies, partnerships, corporations, partnerships, trusts, estates, consortiums, temporary unions, collaborative partnerships, or investment clubs, You agree that we may collect the aforementioned information for each authorized person, including, without limitation: legal representatives, partners, associates, members, administrators, and executors, as applicable.

Information Provided by Third Parties

To the extent permitted by Law, Soulbit may also obtain Personal Information about You and add it to the Personal Information You provide to Us, whether from affiliated entities, business partners, and other independent third-party sources. Please note that all information we collect about you will be treated in accordance with the provisions of this Policy.

Information our systems collect.

When you apply for, sign up for, use a service, participate in any contest, survey, or event through Soulbit's technology platforms, we may collect information about your computer or device, operating system, internet connection, phone account, settings, IP address and device location data, browser information and transaction data, as well as Personal Information as described above. We may collect, use, disclose, and retain this information for the purposes described below, as well as to determine what settings are appropriate for your computer system, to provide or enhance digital functionality, and for security, internal analysis, and reporting purposes. You may withdraw consent to the collection, use, and disclosure of this information. However, in some cases such revocation may affect your use of the Soulbit platforms, the request or use of a service and/or your communication with us.

We or our service providers may also use various web 123 tools including Cookies, Web Beacons and Tagging on our websites and advertisements, for the purpose of evaluating and improving our websites and other electronic offerings, tailoring our services, improving your experience with us and communicating with you about products and services that may be of interest to you.

What do we use the information we collect for?

Marketing Activities

We may analyze and use your information to better understand the use of our products and to identify other products or services of Soulbit or third parties, which may be of interest to you, and we may share your information within Soulbit for these purposes.

We may also use and share your Personal Information within Soulbit so that we and our business partners can contact you directly to inform you about products, services, offers, promotions, events, market marketing and research and other valuable information from Soulbit and/or third parties, through mail, telephone, email and/or Internet Content Publishing Services and Tools.  among others. We will not share your Personal Information with third parties outside of Soulbit for marketing purposes without your express consent. If you have a product with Soulbit, you agree that we may use, disclose and collect information about you from public entities such as the National Registry of Civil Status, information operators, control entities (when applicable), to offer you services, deepen the relationship and/or study and respond to requests for services, techniques and/or security that you request at any time. We may continue to use and disclose your Personal Information even after the termination of the relationship arising from the provision of the product and/or service.

You may revoke your consent to the use and disclosure of your Personal Information for the marketing purposes listed above at any time.

1 Cookies are specific types of information that a website transmits to the user's computer hard drive, for the purpose of record keeping. Cookies can be used to facilitate the use of a website, by saving passwords and preferences, while the user is browsing the Internet. In general, it uses various types of cookies to: i) The correct functioning of the website; ii) To properly offer Soulbit's products and services; iii) Eventually, to see the browsing behavior of visitors on the website, as well as to record the content they see and those that are of interest to them. This helps us to improve the service we offer, as this way we can ensure that our users find the information they are looking for.

2 They are images inserted into an Internet page or email, which can be used to monitor the behavior of a visitor, such as storing information about the user's IP address, duration of interaction time on said page and the type of browser used, among others.

3 It is a custom code on a website that provides the ability to monitor user activity on the website. This software can be used to capture user activity for analysis in order to understand and improve the user experience and provide further security controls.

Management of everything related to the business relationship

Subject to applicable legal requirements, by establishing a business relationship with Soulbit, You expressly authorize that we may use, disclose, collect, verify, share and exchange information about You with third parties, for the development of all matters related to the business relationship.

You agree that while you are linked to Soulbit in a business or commercial relationship, we will be entitled to collect, use and disclose your Personal Information. As well as to use said information and transmit or transfer it to any third party or organization for the purposes indicated below:

Verify your identity;

Validate your Information;

Compliance with regulatory reports to local, national and/or international Regulators or Entities.

Configure, manage and offer products that meet your needs, through messages (SMS and MSM) to your mobile phone and/or through email, postal mail, landline or cell phone, social networks, instant messaging applications or any other means of contact of the owner, attend to any request, complaint or claim or demand.

Associate, link, complete, consult, link, bind, use, relate, gather, gather information related to your identity and digital reputation available in the digital environment, including instant messaging services and applications in any digital format, social networks of content, mobile and wearable devices and in general, information related to your interaction on websites, applications and content.

Deepen and continue the business relationship by offering you our products.

Comply with legal and regulatory requirements that apply to us.

Respond to a legally valid court order, demand, or petition, whether local or foreign, or to comply with instructions issued by a competent domestic or foreign authority.

Manage and assess risks.

Investigate and adjudicate claims or complaints.

To prevent or detect fraud or criminal activity or to manage and resolve any actual or potential loss in connection with crime or fraud.

Report, communicate or allow access to the information provided by you or that which is available about you to:

○ To legitimately constituted credit, financial, commercial or service risk centres, or to other financial institutions, in accordance with the applicable regulations.

○ To third parties who, as national or foreign suppliers, in the country or abroad, of technological, logistical, collection, accounting, tax, security or general support services, may have access to the information provided by you.

○ To the public authorities that in the exercise of their competence and with legal authorization request it, or before which it is appropriate to file a complaint, demand, call for arbitration, complaint or claim.

○ To any other natural or legal person whom You expressly authorize.

You will have the duty to inform of any necessary modification, change or update of your personal data and will be responsible for the consequences of not having timely and fully warned Soulbit about any of these.

Access, consult, compare, monitor, update and evaluate all the information about you that is stored in the databases of any judicial or security records center, of a state or private, national or foreign nature, or any commercial or service database.

Monitoring

Soulbit is entitled to monitor its product(s) in order to comply with local and international legal and regulatory obligations, for which we will employ, for example, monitoring systems in order to prevent or detect fraud or crimes such as money laundering or financing of terrorist activities. We may also share your Personal Information within Soulbit, parent company, affiliates, strategic allies, and subsidiaries, for the aforementioned purposes and other activities of its product(s), including: investigating unusual or suspicious activity and, if necessary, reporting such activity to the appropriate entities. We may also monitor, record and retain telephone calls or any other electronic communication with you, in order to keep an accurate record of the information you provide, to ensure that your instructions are properly followed with adequate levels of service, to resolve complaints, claims and disputes, and for training purposes. Records of electronic calls and communications are protected under this Policy and will be destroyed in accordance with retention periods established by applicable regulations, as well as internal processes. You also agree that the original documents or copies supplied by you that are in our possession on a permanent basis (in any form, including microfilming, photocopying, CD-ROM or images) or any recording of a communication entered into with you, including verbal communications, may be used in the parameters established in the regulations in force as evidence in any judicial or administrative process.

Employee Selection and Hiring

By starting a selection process or by being hired by Soulbit, you consent to us processing your personal information for the following purposes:

Manage and operate, directly or through third parties, the personnel selection and recruitment processes, including the evaluation and qualification of participants and the verification of information, if applicable.

Develop the activities of human resources management within the Company, such as payroll, affiliation to entities in charge of the provision of health and pension services, welfare and occupational health activities, among others.

Register the employee in the Company's computer systems, so that the accounting, administrative and financial activities of the contractual relationship can be carried out.

Make the necessary payments derived from the execution of the employment contract and/or its termination, and the other social benefits that may be due in accordance with the applicable law.

Contract labor benefits with third parties, such as life insurance, medical expenses, among others, if applicable.

Notify authorized contacts in case of emergencies during working hours or during the development of the same.

Coordinate professional development, employee training programs and access to computer resources for this purpose.

Plan business activities that may require information about employees' minor children.

Make use of the information provided to carry out forensic analysis and investigations directly or with the assistance of third parties, whether of a private nature or by court order in order to protect and safeguard the assets of the employee or Soulbit.

Processing of Personal Data of Children and Adolescents

Soulbit will only process personal data relating to children and adolescents, provided that this processing responds to and respects their best interests and ensures respect for their fundamental rights. Once the above requirements have been met, Soulbit will obtain the authorization of the legal representative of the child or adolescent, after the minor has exercised his or her right to be heard, an opinion that will be assessed taking into account maturity, autonomy and capacity to understand the matter.

Supplier and contractor management

Soulbit may process the personal information owned by its suppliers and/or contractors, for which it may:

Carry out due diligence processes and exercise the right to know the supplier sufficiently, including review of the judicial past and consultation at any time with risk centers, or any other authorized entity or information center.

Assess the present or future risk of the contractual relationship, as well as administer, manage and monitor it.

Comply with operational, legal, or security parameters that may be reasonably applicable, such as registration in vendor systems, updates, and evaluation visits.

Comply with the requirements made by the authorities, when necessary to safeguard the public interest, the procurement or administration of justice.

Use, share or transfer Personal Data to its parent company, its affiliates or subsidiaries, as well as to its business partners or third parties both inside and outside the country, national or foreign, public or private, in order to carry out the aforementioned activities.

Register contractors and suppliers in the Company's systems and process their payments.

Formalize the contractual, conventional or legal relationship for the purpose of managing the administrative, accounting, financial, operational and logistical aspects associated with the fulfillment of the contractual object.

Carry out the verification of commercial and reputational background and possible relationship risks, associated with money laundering and terrorist financing.

Evaluate the performance and results of the supplier or contractor in order to strengthen the procurement and purchasing processes.

How may we process your personal information?

 Personal Information may be shared with:

i. Soulbit affiliates, partners and/or business collaborators.

ii. Soulbit's service providers, including providers of technology, networking, data transmission, identification of persons, identity validation, and other providers that are necessary for Soulbit to properly provide all of its Services through the Platform, may act as processors. 

iii. National, departmental or municipal public and regulatory authorities and bodies. 

iv. Marketing service providers of Soulbit and/or its affiliates for the analysis of the User's activities and the optimization of advertising campaigns of Soulbit, its affiliates or the Service Providers, in which case the information processed may be: IP address; MAC addresses; Device IDs and Advertising IDs; HTTP header that includes the processor SDK version, country, language, device configuration, operating system version, as well as the application version; the User's Device and web activity information; and applications and tokens.

v. User experience (UX) service providers of Soulbit and/or its Affiliates for User experience analysis to improve the Platform, in which case the information processed may be: screens visited, interaction patterns (such as screen actions, gestures: taps, scrolls) and device details (type, version, model, operating system).

vi. Service providers of digital asset sending and receiving networks of Soulbit and/or its Affiliates, such as Stilllman Digital, including end users of such providers, to enable the service of sending and receiving digital assets through such networks, in which case the information processed may be: User's name and User's address on such network. You agree that other users of such network may access your username and address on that network.

You may at any time revoke your consent to the transmission of your Personal Information to third parties by contacting us personally or by email at the addresses specified at the bottom of this Policy. The revocation, depending on its scope, may result in us no longer being able to continue providing the Service.

Any of the entities indicated in the previous sections may be located outside Colombia, including in countries or international or supranational organizations that, according to the applicable legislation in force, do not provide adequate levels of protection of personal data, such as, among others, Brazil or the United States. Consequently, by accepting this Policy, the User grants their express consent that their Total Information, including their Personal Information, may be transferred internationally by Soulbit, including to countries or international or supranational organizations that do not provide adequate levels of protection of personal data, in accordance with the applicable legislation in force.

In accordance with the aforementioned purposes, Soulbit and/or the third parties hired to develop internal processes required for its operation, may carry out the following operations and/or activities:

Know, store and process all the information provided by you in one or more databases, in the format deemed most convenient.

Know, store, record, process and monitor all information provided by you verbally or in writing through any channel established by the Company, which may be used, including as evidence in any complaint, claim, conciliation or demand.

Order, catalog, classify, divide, or separate the information provided by you.

Verify, corroborate, check, validate, monitor, investigate, or compare the information provided by you with any information in your legitimate possession, including information known to our parent, affiliates, or subsidiaries thereof.

Analyze, process, evaluate, process or compare the information provided by you or collected by Soulbit through interaction on digital platforms related to the Company. The same authorisations that you granted will apply to the data resulting from analysis, processing, evaluation, processing and comparison.

Your Personal Information may be collected, used, disclosed and stored, transferred and transmitted to jurisdictions outside the national territory. Our parent, subsidiaries and subsidiaries, and our partners and suppliers may be located in different jurisdictions. Your Personal Information may be transferred or transmitted for any of the purposes described above with our suppliers, allies, within Soulbit, including our parent, its subsidiaries, subordinates, and joint ventures operating within or outside the national territory. In addition, your Personal Information may be accessible to competent authorities in accordance with local laws and regulations.

Who do we share data with and transfer it internationally?

Country to which the data will be transmitted: Argentina. In accordance with Chapter 3, paragraph 3.2 of Title V of the Single Circular of the Superintendence of Industry and Commerce, countries that have been declared with the appropriate level of protection by the European Commission are authorized in Colombia as a country with an adequate level of protection. In this regard, Argentina is authorized by European Commission Decision 2003/490/EC of June 30, 2003.

Purpose: The International Transmission of Personal Data that may take place on the occasion of this relationship with the User, is generated between Sanmor tech SAS. in the capacity of "Controller" and Soulbit or its affiliates in the capacity of "Processor", in which the Processor will execute its tasks contracted by the Controller. By means of this Agreement, the Parties agree to the International Transfer of Personal Data in favor of Soulbit or its affiliates, which occurs in accordance with the instructions of the Responsible Party and in compliance with the purposes indicated by the same as the Responsible Party for the "Processing of Personal Data" of the Responsible Party.

Purpose: The personal data processed by the Controller will be subject to Processing by the Processor solely and exclusively in compliance with the Instructions of the Controller. The personal data of the Controller will then be used, by the Processor, only for the development of the following activities and purposes on behalf of the Controller: 

Comply with administrative, operational, commercial and marketing promotion procedures by the Processor regarding the personal data of the Responsible Party in matters related to the service of Sanmor tech S.A.S. 

For any other purpose related to the commercial and business relationship between the Controller and the Processor. 

To process the personal data required for the operation of the services or products of Sanmor tech S.A.S. 

The Responsible Party will carry out the Processing of Personal Data safeguarding the security of the databases and will maintain confidentiality with respect to the Processing of Personal Data. 

Under the scope of the above purposes, the Processor is authorized to proceed with the Processing of the Personal Data of the Controller for as long as necessary. In no case will the International Transmission of Personal Data include the transfer of property rights derived from the existence of the Personal Data of the Data Controller.

4. Obligations of the Responsible Party: The Responsible Party declares and undertakes to: 

Provide instructions for the Processing of the Personal Data of the Responsible Party, under the International Transmission of Personal Data, and declare that they correspond to and are in accordance with the purposes that have been authorized by the owner of the personal data. 

In the event that prior Authorization is required for this International Transmission, the Controller declares that he/she has sufficient capacity to dispose of and decide on the Personal Data of the Responsible Party and that he/she has obtained the corresponding authorization from the owner, or his/her legal representative, and has kept a copy of the same through means that allow subsequent consultation.

The Processing of Personal Data of the Responsible Party under the figure of International Transmission of Personal Data by the Processor, has the purpose of fulfilling the purpose of this Agreement.

It will guarantee the Owners, through the mechanisms provided by law for this purpose, the exercise of the rights that correspond to them as Owners of Personal Data.

Comply with and comply in their entirety with the respective obligations according to the aforementioned role of Responsible in accordance with Law 1581. 

5. Obligations of the Processor: The Processor declares and undertakes to: 

To process, on behalf of the Responsible Party, the Personal Data of the Data Controllers in its capacity as Processor in accordance with this Agreement and in accordance with the principles that protect them, in accordance with the Instructions of the Responsible Party for this purpose. The Processor declares to know and abide by the content of the Information Processing Policy and/or Privacy Policy developed by the Responsible Party.

Safeguard the security of the Personal Data of Controllers and/or databases that contain them and that may be subject to International Transmission in accordance with Colombian Law.

Maintain absolute confidentiality with respect to the Processing of the Controller's Personal Data, including extending the duty of confidentiality to employees or other personnel who may be related to the Controller's Personal Data Processing through the signing of a confidentiality agreement. Processor personnel are required to conduct themselves in a manner consistent with the confidentiality guidelines imposed in this Agreement relating to confidentiality.

Provide training to its personnel related to security measures, being its personnel obliged to obtain certifications according to their role in terms of the administration and Processing of Personal Data. The Processor's personnel will only proceed with the Processing of Personal Data, insofar as it is necessary for compliance with the Controller's Instructions, and with sufficient authorization according to their position.

It will comply with the obligations of the Controller in accordance with the established Information Processing Policy.

It will support the Responsible Party in terms of allowing the exercise of the rights of the Controllers by proceeding with the delivery to the Responsible Party of any request, query, request, claim, among others, through which the Owner of Personal Data, contained in the Personal Data of the Responsible Party, intends the access, deletion, disclosure, correction or blocking of Personal Data that are subject to Processing in view of the execution of this Agreement. The Processor shall only be directly liable when required to do so by the law applicable to its own management.

Proceed to update and rectify the Personal Data of the Responsible Party, provided that the Responsible Party gives express and specific instructions for that purpose.

To send to the Data Controller all information on security incidents or breaches of security codes that determine the existence of risks in the management of the Data Subjects' information and, in particular, all the information that the Data Controller requires to inform the data protection authority and/or the Data Subjects about such breaches or security incidents.

To allow audits to be carried out on its services directly by the Data Controller or through third parties designated by the latter.

Why do we share information with third parties?

Not all products or services linked to your relationship with Soulbit are provided directly by The Company. We may use third-party service providers or partners (including the parent, its subsidiaries, and subordinates) to process or handle Personal Information on your behalf and provide support with various services, so you acknowledge and consent that we may share your Personal Information with such providers and/or partners for the purposes described above. When Personal Information is provided to our vendors and/or partners, Soulbit requires that such third parties protect Personal Information in a manner that is consistent with Soulbit's Privacy Program and Data Protection Policy, and that the information be used only for previously identified purposes.

Thus, Soulbit may request from third parties pertinent information that allows it to verify adequate compliance with the provisions contained in this Policy, as well as in the rules that regulate the matter. The Company reserves the right to carry out supervision on an occasional or periodic basis in relation to compliance with the legal and contractual requirements associated with the protection of personal data by suppliers or allied third parties, for which it may request support or evidence of compliance, and apply the measures it deems reasonable for its verification. In the event that a third party with a contractual or contractual relationship in force fails to comply with this Policy, it will lead to the preparation of a compliance plan by both parties in order to comply with the parameters required by law.

What are our obligations to you when dealing with your personal information?

Soulbit, as the Data Controller of your personal information, undertakes to you:

(a) To guarantee, at all times, the full and effective exercise of the right of habeas data;

b) Request and keep evidence of the respective authorization granted by You;

(c) To duly inform them of the purpose of the collection and the rights to which they are entitled by virtue of the authorization granted;

d) To keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;

e) To ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable;

f) To update the information, communicating in a timely manner to the Data Processor, all the news regarding the data previously provided to it and to adopt the other necessary measures so that the information provided to it is kept up to date;

g) Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor;

h) To provide the Data Processor, as the case may be, only data whose Processing is previously authorized;

i) Require the Data Processor at all times to respect the security and privacy conditions of their personal information;

(j) To process queries and complaints made;

k) Inform the Data Processor when certain information is under discussion by him/her, once the complaint has been filed and the respective procedure has not been completed;

l) Inform you, when you request it, about the use given to your data;

m) Inform the data protection authority when there are violations of security codes and there are risks in the administration of their information;

n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

How do we obtain your authorization/consent for the processing of your personal information?

Prior to the start of the processing of your Personal Information, Soulbit asks you for authorization for the processing of your personal data. In turn, this authorization is collected in a prior, express and informed manner. The foregoing except for the cases defined in Article 10 of Law 1581 of 2012. Authorization may be granted by you through the following means:

In written form.

Orally.

By means of unequivocal conduct that allows it to be reasonably concluded that the authorization was granted.

Safeguarding Personal Information

The information we collect is used strictly for the purposes of executing and developing all activities derived from our corporate purpose. Our employees' access to your information is restricted and limited only to those who have authorization and training in the proper handling of Personal Information. We have adopted and implemented physical, electronic, procedural, and security practices to ensure that your Personal Information is kept confidential and secure as required by law and our internal procedures and practices.

Safeguarding Personal Information

You agree that we may maintain and use Personal Information about You in our records for the purposes described in this Policy, even if you cease to be a customer, subject to applicable regulations.

Accuracy of Personal Information

For as long as you have a contractual relationship with Soulbit, you must at all times provide and keep up to date all Personal Information, and you must notify us as soon as changes are made to it so that we can update your records.

What are your rights?

In compliance with constitutional and legal provisions, Soulbit, as the controller of your Personal Information, must guarantee you the exercise of the following rights:

a) Know, update and rectify your personal data.

b) Request proof of the authorization granted to Soulbit, except when expressly excepted, as a requirement for the Processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.

c) To be informed by Soulbit, upon request, regarding the Treatment it gives to their personal data.

d) To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and the other regulations that modify, add or complement it.

e) Revoke the Authorisation and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or suppression will proceed when the Superintendence of Industry and Commerce has determined that in the Treatment we have engaged in conduct contrary to the law and the Constitution.

Important: Under no circumstances may you revoke your consent and request the deletion of your personal data, when there is a legal or contractual duty that imposes on you the obligation to remain in our databases.

How can you exercise your rights?

Procedures for Accessing, Viewing, Rectifying, and Updating Your Personal Information

You have the right to access your personal data and the details of the processing of such Personal Information, as well as to rectify and update them if they are inaccurate, or to request their deletion when you consider that they are excessive or unnecessary for the purposes for which they were obtained, or to object to the Processing of them for specific purposes.

Consultations

Authorization for the processing of your Personal Information in the different scenarios described in this Policy will be obtained by Soulbit through requests made available to you in each of the channels or information capture points associated with our activities. Through the Consultations procedure, you may:

a) Request access to your Personal Information.

b) Request proof or proof of the authorization granted by you to Soulbit for the processing of your personal information.

c) Consult the use of your personal information

Inquiries must be submitted through the channels provided and following the procedure described below:

1. At any time and free of charge, you may make inquiries regarding the personal data that is processed by Soulbit. In all cases, the identity and the authority to make the consultation must be accredited.

2. The query will be answered within a maximum term of ten (10) business days from the receipt of the same. When it is not possible to respond to the query within said term, the interested party will be informed of the reasons, indicating the new date on which their query will be resolved, which will not exceed five (5) business days following the expiration of the first term.

Claims

You may request the correction and updating of personal information, the deletion of the data and the partial or total revocation of the authorization given to Soulbit, through the presentation of a claim that will follow the following procedure:

1. At any time and free of charge, you may make claims regarding the personal data that is processed by Soulbit. In all cases, the identity and the authority to make the claim must be accredited.

2. The claim shall be dealt with within a maximum period of fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

The minimum requirements established in this Policy are those stipulated in Law 1755 of 2015, regulations that regulate the Right to Petition in our country. According to the above, your request must be addressed to Soulbit and have at least the following items:

a) Contain the identification of the Owner (name and identification document).

b) Contain the description of the facts giving rise to the query or complaint.

c) The object of the petition.

d) Specify the Owner's notification address, whether physical or electronic (e-mail).

e) Attach the documents that you want to enforce (especially for claims).

Prerequisite for filing complaints with the Superintendence of Industry and Commerce

In the event that you wish to file a complaint with the Superintendence of Industry and Commerce regarding personal data, remember that you must have previously exhausted the consultation or claim process before Soulbit, in accordance with the aforementioned indications, warning our total willingness to address your concerns.

Where can you exercise your rights?

You may exercise your rights and submit Inquiries and/or Complaints, through:

a) Internet: www.soulbit.io, through the "Help Center"; as well as the chat or widget of the same website.

b) E-mail contact@soulbit.io

It is advised that the terms for the response to your Inquiries and/or Claims, will begin to count from the time Soulbit has effective knowledge of your request, through the channels established above.

What is the area responsible for processing your requests for inquiries or complaints?

Soulbit, through its Customer Experience Area, will attend to all requests, queries and claims from the owners of the information so that they can exercise their rights to know, update, rectify and delete the data and revoke the authorization related to the protection of personal data.

Can we change this Policy?

You acknowledge and agree that we may modify, change, or replace this Policy at any time, to take into consideration changes in laws and regulations, or other situation that may arise.

In accordance with current regulations, we will notify you of any modifications or material changes made to this Policy, by the means that Soulbit has for this purpose.

How long are the Databases and this Policy valid?

Validity of the Databases: The Personal Data will remain in our Databases for the term required by law for the conservation of documents and information and for the time that is necessary for the development of the aforementioned activities and as long as the Owner does not revoke the authorization, as long as such revocation is appropriate.

Validity of the policy: From the time of its availability and publication.

Who is responsible for your personal information?

Information from the information controller

Sanmor tech S.A.S., with principal address at Calle 93B No. 13-30 in the city of Bogotá D.C., website: www.soulbit.io, and e-mail: contact@soulbit.com.