PERSONAL DATA PROTECTION POLICY — NEION APP S.A.S.

Applies to databases and files containing personal information of suppliers, clients, employees, or any other person whose data are processed by NEION APP S.A.S.

For this policy: • Authorization: Prior, express, informed consent of the data subject to process their personal data. • Database: An organized set of personal data processed under the Law. • Files: Sets of documents kept by the company containing regulated personal information. • Personal data: Information linked or associable to one or more identified or identifiable natural persons. • Sensitive data: Data affecting privacy or whose misuse may cause discrimination (e.g. racial or ethnic origin, political views, religious or philosophical beliefs, union membership, human rights, health, sex life, biometric data). • Processor: Natural or legal person that processes data on behalf of the controller. • Controller: Natural or legal person that decides on the database and processing. • Third party: Any natural or legal person other than those belonging to NEION APP S.A.S. • Data subject: Natural person whose personal data are processed. • Transfer: When the controller and/or processor in Colombia sends data to another controller, inside or outside the country. • Transmission: Communication of data inside or outside Colombia for processing by a processor on behalf of the controller. • Processing: Any operation on personal data such as collection, storage, use, disclosure, or deletion.

Processing follows the principles of lawfulness, purpose, freedom (prior, express, informed consent unless legally exempt), accuracy, transparency, restricted access and circulation, security, and confidentiality, in line with the Constitution and Law 1581 of 2012.

Personal data, except public information, shall not be available on the internet or mass media unless access is technically controllable for restricted access by data subjects or authorized third parties as provided by law.

Data subjects may, among others: • Access, update, and rectify their data before the controller or processor. • Request evidence of authorization granted, unless exempt by law. • Be informed, upon request, of the use made of their data. • File complaints with the Superintendence of Industry and Commerce. • Revoke authorization and/or request deletion when principles and rights are not respected, as determined by the authority. • Access their processed data free of charge.

Articles 15 and 20 of the Colombian Constitution recognize privacy, good name, and the right to know, update, and rectify information held in databases, as well as freedom of information.

Law 1581 of 2012 develops habeas data and related guarantees. Decree 1377 of 2013 regulates aspects of the law; Decree 1074 of 2015 (commerce sector) sets duties for websites regarding integrity of information and recording data as received from users.

7.1 NEION APP S.A.S., NIT 901.640.283-1, is responsible for processing personal data in its databases and files under Law 1581 of 2012, Decree 1377 of 2013, Decree 1074 of 2015, and related rules.

7.1.2 For requests or claims: email Info@neion.co and phone 301 479 0586 (Customer service).

7.1.3 Personnel who process personal databases must comply with this policy and internal procedures.

7.1.4 The company shall register applicable databases in the National Database Registry (RNBD).

Compliance: The company meets legal requirements for data protection.

Purpose: The specific purpose of processing is communicated and aligns with the corporate purpose.

Authorization: Processing is based on prior, express, informed consent obtained by verifiable means. Authorization is not required when information is required by a public or judicial entity, is public, there is medical or health emergency, processing is authorized for historical, statistical, or scientific purposes, or data relate to civil registry.

Accuracy: Information provided by the data subject must be truthful, complete, accurate, verifiable, and up to date.

Access and circulation: Only with the data subject’s authorization or legal grounds; mass-media disclosure only with controls consistent with internal policies.

Security: Technical, human, and administrative measures to prevent tampering, loss, unauthorized or fraudulent access or consultation.

Confidentiality: Information remains confidential even after processing activities end.

Sensitive data: Only with explicit authorization; vital interest of an incapacitated data subject (with legal representatives); judicial rights; historical, statistical, or scientific purposes with identity suppression where applicable.

8.1 Authorizations: Written authorization is requested from natural-person suppliers, clients, workers, and contractors where applicable.

8.2 Queries: Via Info@neion.co. Response within fifteen (15) business days; if delayed, reasons and a new date within five (5) additional business days (Law 1755 of 2015).

8.3 Claims: Same channel. Must include identification, facts, address, and attachments if any. Incomplete claims may be completed within five (5) days. Response within fifteen (15) business days or justified extension. Claims are registered in the RNBD when required.

8.4 Transfer and transmission: To the data subject or representatives; public entities under law or court order; authorized third parties. Operational third parties only with the data subject’s authorization; they become processors and must comply with law and contracts.

8.5 International transfers: When the destination country provides adequate protection per SIC standards and express authorization applies, or for public health, banking/securities transfers, international treaties, contract performance, or legal public-interest or judicial requirements.

This policy is published at https://neion.co/

Effective March 16, 2023, until replaced or substantially amended.