Personal Data Processing Policies

PRAGMA S.A., a Colombian commercial corporation identified with Tax ID (NIT) No. 811,004,057-1 (hereinafter, “Pragma” or the “Company”), acting as the Data Controller, hereby sets forth this Personal Data Processing Policy (the “Policy”), the purpose of which
is to establish the guidelines necessary to ensure the protection of individuals’ right to privacy through the lawful processing and safeguarding of personal data contained in the Company’s databases, in accordance with applicable law.

This Policy shall apply, unless expressly stated otherwise and to the extent permitted by applicable regulations, to PRAGMA S.A., as well as to its parent companies, subsidiaries, branches, and any entities over which it exercises control (collectively, the “Affiliates”).
This Policy applies to personal data contained in databases under the responsibility of Pragma and its Affiliates (hereinafter, the “Data Controller”), which may be subject to access or processing by the Company, its personnel, or authorized third parties.

By accepting or consenting to this Policy, you represent and warrant that you are the lawful data subject or that you have obtained the necessary authorizations or legal authority to  provide such data, and that you have full legal capacity under applicable law. By doing so, you acknowledge and agree to the terms and conditions set forth herein.

DEFINITIONS

Affiliate: Any entity that maintains a control relationship with PRAGMA S.A., or that carries out joint, complementary, or related activities with PRAGMA S.A. under alliances, contracts, or business collaboration schemes, where personal data processing is required for authorized purposes and in compliance with applicable regulations.

The extension of this Policy to Affiliates shall only apply where such entities expressly adopt data protection standards consistent with this Policy, without prejudice to their independent obligations under the laws of their respective jurisdictions.

Each Affiliate shall remain independently responsible for complying with applicable data protection laws and obligations toward data subjects.

Authorization: Prior, express, and informed consent granted by the Data Subject for the processing of personal data.

Database: An organized set of personal data subject to processing.

Personal Data: Any information relating to or capable of being associated with an identified or identifiable natural person.

Sensitive Personal Data: Personal data that affects the privacy of the Data Subject or whose misuse may result in discrimination, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data,
sex life, or biometric data.

Data Processor: A natural or legal person, public or private, who processes personal data on behalf of the Data Controller.

Data Controller: A natural or legal person, public or private, who determines the purposes and means of the processing of personal data.

Data Subject: A natural person whose personal data is processed.

Data Transfer: The transmission of personal data by the Data Controller and/or Data Processor located in Colombia to another Data Controller located inside or outside the country.

Data Transmission: The communication of personal data within or outside Colombia for processing by a Data Processor on behalf of the Data Controller.

Processing: Any operation performed on personal data, including collection, storage, use,
disclosure, transfer, or deletion.

I. IDENTIFICATION OF THE DATA CONTROLLER

II. DATA PROCESSING PRINCIPLES

All personal data processing carried out by the Company and its Affiliates shall be governed by applicable Colombian data protection laws and, where relevant, internationally recognized data protection principles, including but not limited to legality, purpose limitation, consent, data accuracy, transparency, restricted access, security, and confidentiality.

III. PURPOSES AND SCOPE OF DATA PROCESSING

Personal data may be collected and processed for purposes including, but not limited to:

• Fulfillment of the Company’s corporate purpose.
• Compliance with legal and regulatory obligations.
• Commercial management, customer relations, analytics, and business development.
• Credit, financial, and risk assessments.
• Marketing, communications, and promotional activities, where authorized.
• Employment, labor, and social security obligations.
• Security, fraud prevention, anti-money laundering, and compliance activities.
• Transfers or disclosures to Affiliates, service providers, or third parties, where legally permitted and contractually safeguarded.

Authorization shall not be required where processing is permitted by law, including public data, medical emergencies, or legal mandates.

VI. DATA CONTROLLER AND DATA PROCESSOR

Acceptance of this Policy authorizes the Company to transfer or transmit personal data to Affiliates, service providers, or third parties, domestically or internationally, subject to contractual safeguards and applicable law.

VII. PROCEDURES FOR QUERIES AND CLAIMS

Requests may be submitted to info@pragma.com.co and will be addressed within legally established timeframes.

VIII. INFORMATION SECURITY MEASURES

The Company implements reasonable administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, loss, misuse, or disclosure, consistent with applicable legal requirements and industry standards.

IX. APPLICABLE LAW

This Policy is primarily governed by Colombian data protection laws, including Law 1581 of 2012, as amended. Where applicable, the Company seeks to align with internationally recognized frameworks, including the GDPR and the California Consumer Privacy Act
(CCPA), to the extent legally required.

X. EFFECTIVE DATE

This Policy is effective as of January 1, 2026.

 

Marcos Vélez Botero
Chief Vision Officer