1. OBJECTIVE AND SCOPE OF APPLICATION OF THE PERSONAL DATA PROCESSING POLICY

COMPLIANCE SOLUTIONS S.A.S. (hereinafter “COMPLIANCE SOLUTIONS” or the “Company”), in order to strictly comply with current regulations on the protection of Personal Data, in accordance with the provisions of Law 1581 of 2012, Decree 1377 of 2013, and other provisions that amend, add to, or supplement them, hereby presents its Personal Data Processing Policy (Privacy Policy) (hereinafter the “Policy”), which establishes general provisions for the protection of information related to, or that may be associated with, one or more identified or identifiable natural persons (“Personal Data”), by virtue of the prior authorization granted by the Data Subjects.

This Policy shall apply to all Data Subjects who have a relationship with COMPLIANCE SOLUTIONS and/or whose Personal Data has been collected and processed in any manner as a result of, or in connection with, a relationship established with COMPLIANCE SOLUTIONS, whether such Processing is carried out by COMPLIANCE SOLUTIONS or by third parties acting on its behalf.

This Policy shall apply to all Processing carried out in the territory of the Republic of Colombia by COMPLIANCE SOLUTIONS and, as applicable, by those third parties with whom agreements are entered into for the performance of all or part of any activity related to the Processing of Personal Data.

In this Personal Data Processing Policy (Privacy Policy), COMPLIANCE SOLUTIONS details the general corporate guidelines taken into account in order to protect Data Subjects’ Personal Data, the purposes of Processing, the rights of Data Subjects, the area responsible for handling complaints and claims, and the procedures to be followed to access, update, rectify, and delete the information.

COMPLIANCE SOLUTIONS, in compliance with the constitutional right to Habeas Data set forth in Article 15 of the Colombian Constitution, only collects and processes Personal Data when it has been previously authorized by the Data Subject, implementing clear measures regarding the confidentiality and privacy of Personal Data. In cases where Authorization is not required for the Processing of Personal Data, the Company shall also implement the necessary measures to process the information in accordance with current provisions.

2. DEFINITIONS

The expressions used in capital letters in this Policy shall have the meaning given herein, or the meaning established by applicable Law or case law, as amended from time to time. Any discrepancy between the terms defined herein and those established in the Law shall be resolved in favor of the definitions provided by Law:

1. 1. 1. 1. Authorization: The prior, express, and informed consent of the Data Subject for the Processing of their Personal Data.
         2. Personal Data: Any information linked or that may be associated with one or more identified or identifiable natural persons.
         3. Sensitive Data: Personal Data that affects the Data Subject’s privacy or whose misuse may lead to discrimination, such as data revealing union membership, racial or ethnic origin, political orientation, religious, moral, or philosophical beliefs, membership in unions, social organizations, human rights organizations, or entities promoting political party interests or guaranteeing the rights of opposition political parties, as well as data relating to health, sex life, and biometric data.
         4. Processor: A natural or legal person, public or private, who, alone or in association with others, processes Personal Data on behalf of the Controller.
         5. Personal Data Processing Policy (Privacy Policy): Refers to this document.
         6. Controller: The natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the Processing of Personal Data. In this case, it refers to COMPLIANCE SOLUTIONS.
         7. National Database Registry: The public directory of databases subject to Processing, managed by the Superintendence of Industry and Commerce of Colombia.
         8. Data Subject: A natural person whose Personal Data is subject to Processing.
         9. Transfer: The transfer of Personal Data occurs when the Controller and/or Processor of Personal Data located in Colombia sends the Personal Data to a recipient, who in turn acts as Controller, located within or outside the country.
         10. Transmission: Processing  that involves communication of Personal Data to a third party, within or outside the territory of the Republic of Colombia, when such communication is intended to allow the Processor to process the data on behalf of and under the responsibility of the Controller, in order to fulfill the Controller’s purposes.
         11. Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation, or deletion, as well as their Transfer and/or Transmission to third parties through communications, queries, interconnections, assignments, or data messages.

3. PRINCIPLES

COMPLIANCE SOLUTIONS, in the course of its business activities, shall collect, use, store, transmit, transfer, and in general, Process Data Subjects’ Personal Data in accordance with the purposes established in this Policy. In all Processing of Personal Data carried out by COMPLIANCE SOLUTIONS, the Controllers, Processors, and/or third parties to whom Personal Data is transferred shall comply with the principles and rules established in the Law and in this Policy, in order to guarantee Data Subjects’ right to Habeas Data and comply with the legal obligations and COMPLIANCE SOLUTIONS’ internal guidelines. These principles are:

1. 1. 1. 1. Principle of Legality in Processing Personal Data: The Processing of Personal Data is a regulated activity that must comply with the provisions of Law 1581 of 2012, Decree 1377 of 2013, and other applicable regulations.
         2. Principle of Purpose: Processing must serve a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
         3. Principle of Freedom: Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior authorization, unless there is a legal or judicial mandate that exempts such consent.
         4. Principle of Truthfulness or Quality: The information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The Processing of partial, incomplete, fragmented, or misleading data is prohibited.
         5. Principle of Transparency: Processing must guarantee the Data Subject’s right to obtain from the Controller or Processor, at any time and without restrictions, information about the existence of data concerning them.
         6. Principle of Restricted Access and Circulation: Processing is subject to the limits derived from the nature of Personal Data. In this regard, Processing may only be carried out by those authorized by the Data Subject and/or by those provided for in Law 1581 of 2012.
         7. Principle of Security: Information subject to Processing by the Controller or Processor must be managed with the technical, human, and administrative measures necessary to ensure security of the records, preventing their alteration, loss, consultation, unauthorized or fraudulent use, or access.
         8. Principle of Confidentiality: All persons involved in the Processing of Personal Data that is not public in nature, must guarantee the confidentiality of the information, even after their relationship with any of the activities involving Processing has ended, and may only supply or disclose Personal Data when such disclosure corresponds to the development of activities authorized by Law 1581 of 2012 and under its terms.

4. INFORMATION AND MECHANISMS PROVIDED BY COMPLIANCE SOLUTIONS AS THE CONTROLLER OF PERSONAL DATA PROCESSING

• Company name: COMPLIANCE SOLUTIONS S.A.S.
• Tax ID (NIT): 901.623.271-1
• Domicile: Bogotá D.C.
• Address: Calle 86 # 8-05. Apt. 901.
• Telephone (WhatsApp): (+57) 318 7346184
• Email: maria@e-thepi.com
• Website: www.e-thepi.com

5. AUTHORIZATION, PROCESSING, AND STORAGE OF PERSONAL DATA

At the time of collection of Personal Data, prior authorization shall be requested from the Data Subjects, informing them of the specific purposes of the Processing for which such consent is obtained, except in such cases where any of the exceptions contained in Article 10 of Law 1581 of 2012 applies.

COMPLIANCE SOLUTIONS shall carry out the Processing of Personal Data voluntarily provided by the Data Subject. In general, COMPLIANCE SOLUTIONS shall collect, store, use, circulate, transmit, and transfer the Personal Data it processes. This information may only be used by COMPLIANCE SOLUTIONS, its employees, consultants, advisors, Processors, and expressly authorized business and strategic partners who require access to such information. In any case, COMPLIANCE SOLUTIONS shall provide the Data Subject, upon request, with complete information about the persons authorized and/or the third parties who carry out the Processing of their Personal Data.

COMPLIANCE SOLUTIONS may request Sensitive Data from the Data Subjects at any time, when such information is relevant for the development of its corporate purpose, informing the Data Subject, at the time of collection, that the data requested is of such nature, and specifying which type of Sensitive Data is to be collected. COMPLIANCE SOLUTIONS may process sensitive data if (i) the Data Subject gives explicit and voluntary consent for specified purposes; (ii) Processing is necessary to comply with legal obligations; (iii) Processing is necessary to protect the vital interests of the Data Subject or another natural person; (iv) Processing refers to Personal Data made public by the Data Subject; (v) Processing is necessary for the formulation, exercise, or defense of claims or when judges or courts act in the exercise of their judicial function; (vi) Processing is necessary for reasons of essential public interest; or (vii) Processing is mandatory by Law.

COMPLIANCE SOLUTIONS shall strictly observe the legal limitations on the Processing of Sensitive Data and Sensitive Data shall be processed with the greatest possible diligence and with the highest security standards. Limited access to Sensitive Data shall be a guiding principle to safeguard its privacy and, therefore, only authorized personnel shall have access to such information.

The authorization of Data Subjects for the Processing of their Personal Data may be expressed in: (i) writing, (ii) orally, or (iii) through unequivocal conduct that reasonably allows the conclusion that authorization was granted.

COMPLIANCE SOLUTIONS shall keep proof of such authorizations properly, respecting the principles of confidentiality and privacy of information.

6. PURPOSES OF THE PROCESSING OF PERSONAL DATA

The Personal Data collected by COMPLIANCE SOLUTIONS is included in one or more Databases, accessible to authorized personnel of COMPLIANCE SOLUTIONS in the exercise of their duties, noting that under no circumstances is Processing of the information authorized for purposes other than those described herein, and which are communicated to the Data Subject no later than at the time of collection.

1. 1. 1. 1. Legal, regulatory, and compliance purposes: Includes the activities necessary to comply with legal, contractual, and regulatory obligations, respond to requests from authorities, and apply measures for the prevention of fraud, money laundering, terrorist financing, and other legal risks.
         2. Internal operational and administrative purposes: Covers the actions required for service delivery, internal administration, information validation, and the management of suppliers and contractors, as well as other activities inherent to the organization’s operational functioning.
         3. Commercial, marketing, and relationship‑management purposes: Corresponds to activities related to service promotion, the sending of commercial information, market research, and the management of relationships with clients, partners, and affiliated entities.
         4. Statistical, analytical, and continuous‑improvement purposes: Includes the use of data for statistical analysis, performance measurement, system security, usage analytics, and the optimization of platforms, processes, and services.
         5. Purposes associated with digital training platforms (LMS): Includes the activities necessary to manage and operate online training platforms, such as—but not limited to—user account management, registration and tracking of academic progress, provision of technical support, personalization of the user experience, and the implementation of digital security measures that ensure the integrity and availability of the information processed in such environments.

The information provided by the Data Subject shall only be used for the purposes set forth herein. Once the need for Processing of the Personal Data ceases, such data shall be deleted from COMPLIANCE SOLUTIONS’ databases.

If COMPLIANCE SOLUTIONS requests sensitive data, it is noted that providing this information shall not be mandatory under any circumstances, and in the event of non-authorization by the Data Subject, no retaliation shall be taken.

7. TRANSMISSION OF PERSONAL DATA BY CORPORATE CLIENTS

Legal entities that contract the services of COMPLIANCE SOLUTIONS and require the use of digital platforms designed to manage, automate, and optimize online training processes may provide COMPLIANCE SOLUTIONS with the Personal Data of their employees, contractors, or collaborators, strictly for the purpose of enabling access to, use of, and operation of such platforms, in accordance with the purposes previously disclosed in this Policy.

COMPLIANCE SOLUTIONS states and guarantees that it uses a digital platform owned by the company, over which it acts as Data Controller, and which has appropriate technical, human, and organizational measures to protect Personal Data in accordance with this Policy and applicable regulations.

When receiving Personal Data from employees, contractors, or collaborators of corporate clients, COMPLIANCE SOLUTIONS will act as Data Processor and undertakes to:

1. 1. 1. 1. Process the Personal Data solely for the purposes described herein.
         2. Not use the Personal Data for its own purposes or for purposes other than those authorized.
         3. Implement appropriate security measures.
         4. Ensure the confidentiality of the information.
         5. Delete the email addresses and other Personal Data provided by the client within six (6) months following the termination of the service, unless there is a legal obligation to retain such data.

Corporate clients guarantee that they have the prior, express, and informed authorization of the Data Subjects to provide their Personal Data to COMPLIANCE SOLUTIONS and that such transmission is carried out in accordance with the applicable personal data protection regulations.

8. INFORMATION SECURITY

COMPLIANCE SOLUTIONS implements reasonable technical, human, and organizational measures to protect Personal Data against loss, unauthorized access, misuse, alteration, or destruction. These measures include access controls, encryption, incident management, internal audits, and business continuity protocols.

9. DATA PROCESSORS

When COMPLIANCE SOLUTIONS engages Data Processors to carry out Processing activities, they must comply with the obligations established in this Policy and in Law 1581 of 2012, ensuring adequate levels of security and confidentiality.

10. INTERNATIONAL TRANSFERS 

Any international Transfer of Personal Data will be carried out only to countries that provide adequate levels of protection or when there is the Data Subject’s express authorization or a legal basis permitting such transfer.

11. RIGHTS OF THE PERSONAL DATA SUBJECT

In accordance with Article 8 of Law 1581 of 2012, the Data Subject shall have the following rights:

1. 1. 1. 1. To know, update, and rectify their Personal Data before the Controllers or Processors. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fragmented data, data that may induce error, or data whose Processing is expressly prohibited or has not been authorized.
         2. To request proof of the authorization granted to the Controller, except where expressly exempted as a requirement for Processing, pursuant to Article 10 of Law 1581 of 2012.
         3. To be informed by the Controller or Processor, upon request, of the use given to their Personal Data.
         4. To file complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other rules that amend, add to, or supplement it.
         5. To revoke authorization and/or request deletion of the data, provided there is no legal or contractual obligation requiring the Data Subject to remain in the database.
         6. To access their Personal Data free of charge that has been subject to Processing, at least once per calendar month, and whenever substantial modifications to the Processing policies occur.

12. DUTIES OF THE CONTROLLER OF PERSONAL DATA PROCESSING

When COMPLIANCE SOLUTIONS acts as Controller, it shall have the following obligations and/or commitments:

1. 1. 1. 1. Obtain prior authorization when required by applicable regulation.
         2. Classify the requested data.
         3. File and manage the authorization granted by the Data Subject.
         4. Comply with the principles set out in this Policy.
         5. Address queries, complaints, or claims filed by the Data Subject.
         6. Secure the data provided through information security procedures. 

13. PROCEDURES TO BE FOLLOWED BY THE DATA SUBJECT TO EXERCISE THEIR RIGHTS OVER PERSONAL DATA

Data Subjects may exercise the aforementioned rights by submitting an electronic request via email to datos@e-thepi.com

13.1 Procedure to make inquiries (request proof of authorization, know which data has been collected, and know how such data has been processed)

The Data Subject of Personal Data, their successors, representatives, and/or attorneys-in-fact may make inquiries regarding the Personal Data held in the COMPLIANCE SOLUTIONS Databases, in accordance with the following rules:

1. 1. 1. 1. The request shall be reviewed to verify the identity of the Data Subject. If the request is made by a person other than the Data Subject and it is not proven that they are acting on their behalf in accordance with current laws, the request shall be rejected.
         2. All inquiries shall be answered within a maximum of ten (10) business days from the date of receipt. When it is not possible to respond within that period, the interested party shall be informed of the reasons for the delay and the date on which the inquiry will be answered, which shall not exceed five (5) business days after the initial deadline.

13.2 Procedure for filing claims for updating, correction, deletion, or revocation of authorization

The Data Subject or their successors, who consider that the information contained in the COMPLIANCE SOLUTIONS Databases should be corrected, updated, or deleted, or when they observe the alleged non-compliance with any of the duties, may file a claim in accordance with the following rules:

1. 1. 1. 1. The request shall be reviewed to verify the identity of the Data Subject. If the request is made by a person other than the Data Subject and it is not proven that they are acting on their behalf in accordance with current laws, the request shall be rejected.
         2. The claim must contain the following information: (i) Identification of the Data Subject; (ii) Contact details (physical and/or electronic address and telephone numbers); (iii) Documents proving the identity of the Data Subject, or representation; (iv) Clear and precise description of the Personal Data in respect of which the Data Subject seeks to exercise any rights; (v) Description of the facts giving rise to the claim; (vi) Supporting documents; and (vii) Signature and identification number.
         3. If the claim is incomplete, COMPLIANCE SOLUTIONS shall require the interested party to correct the deficiencies within five (5) days following receipt of the claim. If two (2) months pass from the date of the request without the applicant providing the required information, it shall be understood that the claim has been withdrawn.
         4. If the area receiving the claim is not competent to resolve it, it shall transfer the claim to the appropriate area within a maximum of two (2) business days and inform the interested party.
         5. Once the complete claim is received, a note stating “claim in process” and the reason for it shall be included in the database within a maximum of two (2) business days. This note shall be maintained until the claim is resolved.
         6. The maximum period to address the claim shall be fifteen (15) business days from the day following receipt. When it is not possible to respond within that period, the interested party shall be informed of the reasons for the delay and the date on which the claim will be resolved, which shall not exceed eight (8) business days after the initial deadline.

14. COOKIES

A cookie refers to a file that is sent with the purpose of requesting permission to be stored on your computer. Once you accept, the file is created, and the cookie is then used to gather information regarding web traffic, facilitating future visits to a recurring website. Another function of cookies is that they allow websites to recognize individual users and thereby provide a better and more personalized service.

The COMPLIANCE SOLUTIONS website uses cookies to identify the pages visited and their frequency. This information is used solely for statistical analysis and is then permanently deleted.

You can delete cookies at any time from your computer. However, cookies help provide better service to websites; they do not give access to your computer or personal information unless you provide it directly.

You may accept or decline the use of cookies; however, most browsers automatically accept cookies to improve web service. You can also change your computer’s settings to decline cookies. If you choose to decline, some of our services may not be available.

15. VALIDITY OF THE POLICY

This version of the Policy is effective as of 04/01/2026.

The Personal Data included in Databases subject to Processing shall remain and be processed based on the temporality criterion for the contractual term of the product or service, during the period in which the purpose for which it was collected subsists, plus the term established by law.

This Policy may be amended by COMPLIANCE SOLUTIONS when required without prior notice, provided such amendments are not substantial. Only modifications regarding the purposes of Processing and the Controller’s data, or any other substantial modification, shall be previously communicated to the Data Subjects.

16. VERSION CONTROL

• Effective date of version 1: 06/23/2023
• Effective date of version 2: 04/01/2026