CIGTECH S.A.S., identified with NIT.901. .157.947-2, in accordance with the provisions contained in Law 1581 of 2012 and Decree 1377 of 2013, legal entity considered responsible and/or in charge of the processing of personal data, adopts this privacy and personal data protection policy, regarding its collection, storage and administration received from customers, suppliers, contractors, independent advisors, consultants, collaborators and in general from any natural person who is the owner of the personal data subject to processing (hereinafter "Data Subject" or "Data Subjects").

CIGTECH S.A.S. respects the privacy of each of the data of the Data Controllers, and in general, of any natural person who is the owner of personal data provided or provides their information.

In this sense, CIGTECH S.A.S., receives the information and stores it in a safe and appropriate manner. However, the Holders may check the accuracy of this information and take steps to update it and/or request its deletion. The information is collected, processed and used in accordance with the legal regulations in force.

Thus, CIGTECH S.A.S. collects and stores the personal information related to the Data Controllers for consultation, processing and use purposes, only and exclusively if the Data Controllers voluntarily decide to provide the information and give their authorization in this regard. All information voluntarily provided by the Holders is part of a "database" which is governed by Law 1581 of 2012 and Decree 1377 of 2013 and other regulations that modify, add or complement them.

The data is collected for the development and execution of the corporate purpose and the ordinary course of business of the company and compliance with legal provisions, contractual or business commitments.

Before storing or handling personal data, CIGTECH S.A.S. complies with the following requirements:

a) The Data Subject must give his explicit authorization to such processing, except in cases where by law the granting of such authorization is not required.

b) In the event that the data subject is physically or legally incapacitated, the legal representatives must give their authorization.

c) State to the owner the reason for which the data will be used and delimit the limits of such treatment.

The databases will be valid for a period equal to the period in which the purpose or purposes of the processing are maintained in each database, or the period of validity indicated by a legal or contractual cause or specific activity.

RIGHTS OF OWNERS

a) To know, update and rectify their personal data with respect to the data controllers or data processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or those whose processing is expressly prohibited or has not been authorized under the terms of Law 1581 of 2012 (or in its absence with the rules that regulate, add, implement, supplement, modify, delete or repeal).

b) Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the Processing, in accordance with the provisions of Article 10 of Law 1581 of 2012 (or in the absence thereof with the rules that regulate, add, implement, supplement, amend, delete or repeal it) or when the continuity of treatment has been presented in accordance with Article 10 paragraph 4 of Decree 1377 of 2013.

c) Be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been made of their personal data.

d) File before the Colombian Personal Data Protection Authority complaints for violations of the provisions of Law 1581 of 2012 (or in its absence with the rules that regulate, add, implement, supplement, amend, delete or repeal it).

e) To revoke the authorization and/or request the deletion of the data when the Processing does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion will proceed when the Colombian Personal Data Protection Authority has determined that in the Processing the data controller or Data Processor has incurred in conduct contrary to Law 1581 of 2012 (or in its absence with the rules that regulate, add, execute, complement, modify, suppress or repeal it) and/or the Constitution. The request for deletion of the information and the revocation of the authorization shall not proceed when the Data Subject has a legal or contractual duty to remain in the database or the data controller has a legal or contractual duty to continue with the processing.

f) Access free of charge to their personal data that have been subject to processing. The holder may consult his personal data free of charge: (i) at least once every calendar month, and (ii) whenever there are substantial modifications to the guidelines for the processing of information that motivate him to make new consultations.

The above are the PRIVACY POLICY AND PERSONAL DATA PROTECTION POLICY OF CIGTECH S.A.S. Date of publication January 31, 2020.