Personal data protection

Personal Data Treatment Policy

Last updated: January 1, 2018

Data Controller Information

Calle 71Q sur No. 27-60, Barrio Puertas del Paraíso, Bogotá, Colombia

esperanza.duque@cigarra.org

+57 321 246 5421

1. Applicable Legal Framework

This policy is based on the following regulations:
• Colombian Constitution (Art. 15 — Right to privacy and habeas data)
• Law 1266 of 2008 — Financial habeas data
• Decision C-748 of 2011 — Constitutional review
• Law 1581 of 2012 — General personal data protection regime
• Decree 1377 of 2013 — Partial regulation of Law 1581
• Decree 886 of 2014 — National Database Registry
• Decree 1074 of 2015 — Single Regulatory Decree for the Commerce Sector

2. Guiding Principles

The Cigarra Foundation applies the following principles in the processing of personal data:
• Legality: Processing activities are subject to the provisions of the law.
• Purpose: Processing serves legitimate purposes previously communicated to the data subject.
• Freedom: Requires prior, express, and informed consent from the data subject. Obtaining data without authorization is prohibited, except for legal exceptions.
• Truthfulness: Information must be truthful, complete, accurate, up-to-date, verifiable, and understandable.
• Transparency: The data subject is guaranteed access to information concerning them, without restrictions.
• Restricted access: Only authorized persons may access personal data. Personal information will not be published on the internet without adequate technical controls.
• Security: Technical, human, and administrative measures are implemented to protect data against alteration, loss, consultation, unauthorized use, or access.
• Confidentiality: All persons involved in data processing are required to maintain confidentiality, even after the end of their employment or contractual relationship.

3. Data Processed and Purposes

The Foundation manages identification, contact, personal, academic, and health data. Processing of sensitive data includes medical information for emergencies and psychological counseling, as well as biometric data (measurements, photographs, videos, recordings). Authorization for sensitive data processing is optional.

Main purposes of data processing:
• Providing early childhood care services
• Offering after-school programs for children ages 5 to 18
• Recreation services for senior citizens
• Educational management during enrollment at the foundation
• Recreational, sports, cultural, and educational activities
• Content generation and communications materials
• Complementary services (nutrition, psychology, physical activity)
• Transfer to oversight entities (Mayor's Office, Hospital Vista Hermosa, ICBF, district secretariats)
• Evaluation and implementation of health programs
• Ongoing communication with families regarding holistic development
• Compliance with legal information retention requirements
• Evaluation of financial suitability of suppliers
• Operational monitoring and physical security
• Service quality evaluation
• Statistical and historical processes
• Fundraising campaigns

4. Rights of Data Subjects

Personal data subjects have the right to:
a) Know, update, rectify, or delete their personal data held by the Cigarra Foundation, including partial, inaccurate, incomplete data, or data subject to improper processing.
b) Request proof of the authorization granted for data processing.
c) Be informed about the use given to their personal data.
d) File complaints with the Superintendence of Industry and Commerce for violations of Law 1581 of 2012, after first filing an internal claim with the Foundation.
e) Revoke authorization when processing violates constitutional or legal principles.
f) Access personal data at no cost through the channels provided by the Foundation.

5. Obligations of the Cigarra Foundation

As data controller, the Foundation must:
• Guarantee the effective exercise of the habeas data right
• Request and maintain a copy of the authorization granted by the data subject
• Inform the data subject about the purposes of processing and their rights
• Maintain information under adequate security conditions to prevent alteration, loss, consultation, unauthorized use, or access
• Provide truthful and complete information to data processors
• Update information promptly
• Rectify incorrect data
• Provide only data whose processing has been authorized
• Respect confidentiality and require it from processors
• Promptly handle inquiries and claims
• Inform processors about pending claims
• Report security breaches to the competent authority
• Comply with instructions from the Superintendence of Industry and Commerce

6. Authorization from Data Subjects

Prior and informed authorization from the data subject is required, obtained through any verifiable means or technological mechanism that allows unequivocal expression of consent.

Authorization is not required when:
• A public entity requires it in the exercise of legal functions or by court order
• The data is public in nature
• There is a medical or health emergency
• Processing is authorized by law for historical, statistical, or scientific purposes
• The data pertains to Civil Registry records

For sensitive data, it will be clearly indicated which data is sensitive, its purpose, and that there is no obligation to authorize its processing.

7. Privacy Notice

When this policy cannot be delivered directly to the data subject, the Foundation will inform the data subject, through a privacy notice, of the policy's existence and how to access it, before and in any case no later than the time personal data is collected. The complete policy is published at www.cigarra.org.

8. Legitimation for Exercising Rights

The following may exercise the rights provided in this policy:
• The data subject, upon verification of their identity
• Successors in case of death or incapacity of the data subject
• The duly accredited representative or attorney of the data subject
• By stipulation or mandate in favor of another
• For minors, their parents or legal representatives

9. Person Responsible for Inquiries and Claims

The Data Protection Officer (Foundation Administrator) is responsible for handling inquiries and claims, defining and implementing actions in accordance with current regulations. Contact: esperanza.duque@cigarra.org

10. Inquiry Procedure

Inquiries will be addressed within a maximum period of ten (10) business days from the date of receipt. When it is not possible to address the inquiry within said period, the interested party will be informed of the reasons for the delay and the date on which it will be addressed, which in no case may exceed five (5) business days following the expiration of the initial period.

11. Claims Procedure

Claims for correction, updating, deletion of data, or for alleged failure to comply with legal duties will follow this procedure:

1. The data subject must file a request identifying the description of facts, their address, and the documents they wish to submit. If the request is incomplete, the interested party will be required to complete it within five (5) days. If two (2) months pass from the completion request without the interested party providing the required information, it will be understood that they have withdrawn the claim.
2. Upon receipt of the complete claim, the legend "claim in process" and the reason for it will be included in the database, within a maximum of two (2) business days. This legend will be maintained until the claim is resolved.
3. The maximum period for resolving the claim is fifteen (15) business days from the day following receipt of the complete claim. If it is not possible to address it within said period, the interested party will be informed of the reasons for the delay and the new resolution date, which in no case may exceed eight (8) business days following the expiration of the initial period.

12. Modification and Update

The Cigarra Foundation reserves the right to modify this policy at any time. Any substantial changes will be promptly communicated to data subjects through the usual contact channels or through the institutional website.

13. Database Retention and Validity

Personal data will be retained in accordance with the principles of necessity, reasonableness, expiration, and temporality:
• Minor beneficiaries: During the term of the relationship and compliance with legal or contractual obligations.
• Former beneficiaries: Up to ten (10) years maximum after the end of the relationship.
• Employees and suppliers: During the term of the contractual relationship and in accordance with applicable legal periods.
• Program or employment candidates: One (1) year after the end of the process.

Authorization remains in effect as long as the obligations that motivated it subsist. Once legal terms are fulfilled and the relationships that gave rise to processing are extinguished, data will be deleted.

This policy is effective as of January 1, 2018.
