Personal Data Processing Policy

Through this policy, APPING S.A.S, in compliance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013, aims to make effective the constitutional guarantee of protection to personal and family privacy of all citizens, establishing instruments and controls to provide appropriate treatment to the information it manages.

APPING S.A.S, as the responsible party for Personal Data Processing for the proper development of its commercial activities, as well as for strengthening its relationships with third parties, collects, stores, uses, circulates, and deletes Personal Data corresponding to natural or legal persons with whom it has or has had relationships, such as (without limitation): workers, suppliers, shareholders, consumers, clients, distributors, creditors, and debtors.

Likewise, we wish to inform the general guidelines that will be applied to all databases and/or files containing personal data used for the proper development of commercial activities.

Personal data are subject to processing by APPING S.A.S for the following purposes:

• Commercial, advertising, or promotional information about services, events and/or promotions of commercial or non-commercial nature, in order to promote, invite, direct, execute, inform, and generally carry out campaigns, promotions, or contests of a commercial or advertising nature.
• To be part of the maintenance and modernization process of our services.
• For determining pending obligations, consulting financial information and credit history, and reporting to risk bureaus for information on unfulfilled obligations, regarding its debtors.
• For handling judicial or administrative requests and complying with judicial or legal mandates.
• To eventually contact, via email or any other means, natural or legal persons with whom it has or has had a relationship.

• 1
  To know the personal data about which APPING S.A.S is carrying out processing. Similarly, the data subject can request at any time that their data be updated or rectified, for example, if they find that their data are partial, inaccurate, incomplete, fragmented, misleading, or those whose processing is expressly prohibited or not authorized.
• 2
  To be informed by APPING S.A.S, upon request, about the use it has made of their Personal Data.
• 3
  To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of the Personal Data Protection Law.
• 4
  To request APPING S.A.S to delete their Personal Data and/or revoke the authorization granted for their Processing, by filing a claim, in accordance with the procedures established in section 7 of this policy. However, the request for deletion of information and revocation of authorization will not proceed when the data subject has a legal or contractual duty to remain in the Database and/or Files, nor while the relationship between the DATA SUBJECT and APPING S.A.S remains in force, under which their Data were collected.
• 5
  To access free of charge their Personal Data that have been subject to processing.

The ADMINISTRATIVE Department of APPING S.A.S is responsible for the development, implementation, training, and compliance of this policy. For this purpose, all employees who process Personal Data in the different areas of APPING S.A.S are required to report these Databases to this Department and immediately forward to it all requests, complaints, or claims received from Personal Data Subjects.

The ADMINISTRATIVE Department will be responsible for handling requests, inquiries, complaints, and claims before which the data subject may exercise their rights to know, update, rectify, and delete the data and revoke the authorization.

Prior, express, and informed authorization will be requested from the data subjects whose personal data require processing. This consent may be given through different mechanisms such as:

• In writing, for example: By completing the Data Protection notice.
• Orally, for example: In a telephone conversation or video conference.
• Through any means that can be consulted and verified.

Once their Personal Data have been provided voluntarily and freely, they are stored in the relevant databases according to their classification. The databases are behind a firewall for greater security. Only authorized personnel who have signed information confidentiality agreements can access them, and therefore the personal data of our clients and/or users.

To make requests, inquiries, or claims in order to exercise the rights to know, update, rectify, delete data, or revoke the granted authorization, the data subject may use any of the following communication channels:

Requests and inquiries will be handled within a maximum term of fifteen (15) business days counted from the date of receipt. When it is not possible to handle the request or inquiry within that term, the interested party will be informed, expressing the reasons for the delay and indicating the date when their request or inquiry will be handled, which in no case may exceed five (5) business days following the expiration of the first term.

This Personal Data Processing Policy was last updated on January 13, 2026. With the purpose of always improving regulatory compliance and protecting personal data, it is clarified that this Policy may have updates. Therefore, it is recommended that data subjects visit it periodically to be aware of changes.