PERSONAL DATA PROTECTION POLICY

HIGH TECH SOFTWARE S.A.S.

‍

Last Updated: [January, 2026]

‍

1. INTRODUCTION
   In compliance with Law 1581 of 2012, which regulates the protection of personal data in Colombia, HIGH TECH SOFTWARE S.A.S. (hereinafter “HIGH TECH”, “BLEND” or “NUVU”) informs its clients, suppliers, employees, and the general public of its personal data processing policy, with the purpose of ensuring transparent, lawful, and secure handling of personal information under its responsibility.
   ‍
2. PURPOSE
   The purpose of this Personal Data Processing Policy is to establish the general guidelines for the collection, storage, use, deletion, and protection of personal data recorded in any database owned by HIGH TECH SOFTWARE S.A.S., in the course of its activities, whether acting as Data Controller or Data Processor.
   
   Additionally, this document seeks to establish a clear regulatory and operational framework to protect and guarantee the fundamental rights of data subjects with respect to personal data and sensitive data, through the adoption of effective practices, controls, and procedures that prevent, mitigate, and contain the inherent risks associated with the handling, processing, storage, transfer, and deletion of personal information.
   
   Likewise, it aims to ensure the integrity, confidentiality, availability, and lawfulness of data processing within the organization, in compliance with Law 1581 of 2012, Decree 1377 of 2013, and other applicable regulations, thereby strengthening the trust of clients, employees, and involved third parties.
   
   Statutory Law 1581 of 2012, as the main regulatory framework for personal data protection, establishes the minimum conditions that must be observed to ensure proper processing of personal data by Data Controllers, including the requirement to create and make available a policy, which is fulfilled through this document.
   
   BLEND, in its capacity as Data Controller of personal information, is committed to complying with the applicable regulations and, consequently, will promote respect for the principles and rules on personal data protection directly and through its employees, contractors, and data processors.
   ‍
3. SCOPE
   This policy applies to all employees, contractors, suppliers, clients, and any natural or legal person who has access to, manages, or handles personal data under the responsibility of HIGH-TECH SOFTWARE S.A.S., regardless of the medium or format in which such data is stored (physical or digital). It covers all processes related to the collection, storage, use, transfer, deletion, and any other activity related to the processing of personal data within the organization.
   ‍
4. IDENTIFICATION OF THE DATA CONTROLLER
   HIGH TECH SOFTWARE S.A.S. – NUVU / BLEND
   Tax ID (NIT): 900718336-7
   Telephone: 1703250
   Email: [email protected]
   ‍
5. LEGAL FRAMEWORK
   This personal data policy is governed by the provisions of Article 15 of the Political Constitution of Colombia, Law 1581 of 2012, Decree 1377 of 2013, Compilatory and Regulatory Decree 1074 of 2015, and other complementary regulations in force regarding personal data protection.
   ‍
6. DEFINITIONS
   For the purposes of this policy, the following terms shall have the meanings assigned by law:
   ‍
   
   • National Personal Data Protection Authority: The Superintendence of Industry and Commerce – Office for Personal Data Protection.
   • Authorization: Prior, express, and informed consent of the Data Subject to carry out the processing of personal data.
   • Database: An organized set of personal data subject to processing.
   • Personal Data: Any information linked or that may be associated with one or more identified or identifiable natural persons.
   • Habeas Data: The right of every person to know, update, and rectify information collected about them in public or private databases.
   • Data Processor: A natural or legal person, public or private, who processes personal data on behalf of the Data Controller.
   • Data Controller: A natural or legal person, public or private, who decides on the database and/or the processing of data.
   • Data Subject: The natural person whose personal data is subject to processing.
   • Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
   • Transfer: Occurs when the Data Controller and/or Processor located in Colombia sends personal data to a recipient who is also a Data Controller, located inside or outside the country.
   • Transmission: Processing of personal data involving the communication thereof inside or outside Colombia for processing by a Data Processor on behalf of the Data Controller.
   • Privacy Notice: A document made available to the Data Subject to inform them about the processing of their personal data.
   • Sensitive Data: Data that affects the privacy of the Data Subject or whose improper use may lead to discrimination, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, or biometric data.
     ‍
7. PRINCIPLES
   HIGH TECH SOFTWARE S.A.S shall always carry out the processing of personal data applying the principles set forth in Article 4 of Statutory Law 1581 of 2012. These principles are:
   ‍
   
   • Principle of Legality in Data Processing: HIGH TECH SOFTWARE S.A.S understands that the processing of personal data is a regulated activity that must comply with the provisions of this policy, the Political Constitution, the law, and judicial decisions issued by the Colombian State.
   • Principle of Purpose: The processing carried out by HIGH TECH SOFTWARE S.A.S shall pursue a legitimate purpose in accordance with the Political Constitution and the law, and the data subject shall always be informed of such purposes.
   • Principle of Freedom: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that waives consent.
   • Principle of Veracity or Quality: The information processed by HIGH TECH SOFTWARE S.A.S must be truthful, complete, accurate, updated, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
   • Principle of Transparency: The processing carried out by HIGH TECH SOFTWARE S.A.S shall always guarantee the right of the data subject to obtain information regarding the existence of data concerning them at any time and without restrictions.
   • Principle of Restricted Access and Circulation: The processing carried out by HIGH TECH SOFTWARE S.A.S is subject to the limits arising from the nature of personal data, legal provisions, and the Political Constitution. Therefore, it shall only be carried out by persons authorized by the data subject and/or by those provided for by law. Personal data, except for public information, may not be available on the internet or other mass communication or dissemination media unless access is technically controllable to provide restricted knowledge only to data subjects or authorized third parties in accordance with Law 1581 of 2012.
   • Principle of Security: Processing shall be conducted using the technical, human, and administrative measures necessary to provide security to the records and prevent their alteration, loss, consultation, unauthorized use, or fraudulent access.
   • Principle of Confidentiality: All persons involved in the processing of personal data carried out by HIGH TECH SOFTWARE S.A.S are required to guarantee the confidentiality of the information, even after the contractual relationship has ended. HIGH TECH SOFTWARE S.A.S collaborators are only authorized to supply or communicate personal data when such disclosure is required for the development of legally authorized activities and under the same legal terms. Only public information is exempt from this duty of confidentiality.
   • Principle of Ease of Access: HIGH TECH SOFTWARE S.A.S shall facilitate the exercise of the right of access to information, excluding requirements or conditions that may hinder or prevent data subjects from accessing it.
     
     
8. PROCESSING AND PURPOSES
   HIGH TECH SOFTWARE S.A.S shall use personal data from employees, clients, suppliers, and third parties in general for the following purposes:
   
   
   1. To develop the contractual relationship established with the data subject, either directly or on behalf of the Controller of the Processing.
   2. To evaluate candidates for potential hiring as employees of HIGH TECH, either directly or on behalf of the Controller.
   3. To register in internal databases and platforms the information required to carry out user onboarding or complete forms necessary to access the services offered.
   4. To carry out advertising on its own behalf or on behalf of third parties within the business model of HIGH-TECH SOFTWARE S.A.S.
   5. To ensure the safety and physical integrity of persons, assets, and facilities of HIGH-TECH SOFTWARE S.A.S.
   6. To process salary, fee, or compensation payments to workers, suppliers, contractors, or strategic partners through banking institutions.
   7. To report and pay social security contributions.
   8. To generate certifications required by data subjects.
   9. To consolidate records and respond to petitions, complaints, and claims from data subjects.
   10. To learn about and monitor the financial suitability and commercial behavior of suppliers, clients, and contractors.
   11. For the execution of service contracts involving the processing of personal information.
   12. To comply with constitutional, legal, contractual, and regulatory obligations established in Colombian law.
   13. To create employee benefit policies that support mutual professional, personal, and social development.
   14. Any other purpose related to the processing of information that enables the performance of HIGH-TECH SOFTWARE S.A.S functions, and that in all cases shall be consistent with and respectful of applicable legislation.
       ‍
9. TYPES OF PERSONAL DATA COLLECTED
   HIGH TECH SOFTWARE S.A.S collects and processes different types of personal data depending on the nature of the relationship with the data subject, including:
   
   
   • Identification data: Full name, identification number, address, telephone number, email, among others.
   • Employment data: Information related to employment, job position, employment history, references, disciplinary and academic background.
   • Financial data: Banking information, credit history, and data for payments or compensation.
   • Sensitive data: When strictly necessary and with express authorization, information related to health, physical or mental condition, sexual orientation, ethnic origin, religious or political beliefs.
   • Contact and communication data: Addresses, telephone numbers, and digital means for effective communication.
   • Biometric data: For ensuring security and access control to facilities, in accordance with applicable rules.
   • Navigation and technological data: When digital platforms are used, information may be collected regarding navigation behavior to improve service and user experience.
     ‍
10. RIGHTS OF DATA SUBJECTS
    Data subjects shall enjoy the following rights, as well as any others granted by law:
    ‍
    
    1. To know, update, and rectify their personal data before the Controller or Processors. This right may be exercised, among others, regarding partial, inaccurate, incomplete, fragmented, or misleading data, or data whose processing is prohibited or unauthorized.
    2. To request proof of authorization granted to the Controller, except where authorization is not required.
    3. To be informed, upon request, about the use made of their personal data by the Controller or Processor.
    4. To request deletion or suppression of their data when they believe that constitutional or legal principles, rights, or guarantees have not been complied with.
    5. To revoke authorization and/or request deletion when processing does not respect constitutional and legal principles, rights, and guarantees. Revocation or deletion shall proceed when the Superintendence of Industry and Commerce determines that the Controller or Processor has engaged in conduct contrary to the law or Constitution.
    6. To access, free of charge, the personal data processed.
    7. To file complaints before the Superintendence of Industry and Commerce for violations of applicable data protection rules.
       ‍
11. AUTHORIZATION
    For HIGH TECH SOFTWARE S.A.S. to carry out the processing of personal data, it is necessary to have the prior, express, and informed consent of the data subject. The authorization shall be requested in clear and accessible terms, specifying the purpose of the processing and the identity of the Controller.
    
    The data subject shall have the right to know at any time the scope of the authorization granted and may revoke it at any time, provided that no legal obligations prevent such revocation.
    
    Without prejudice to the exceptions established in Statutory Law 1581 of 2012, as a general rule for the processing of personal data, HIGH TECH SOFTWARE S.A.S shall collect the prior and informed authorization of the data subject, which may be obtained by any means that can later be subject to consultation.
    
    The authorization of the data subject shall not be necessary when:
    ‍
    
    1. 1. The information is required by a public or administrative entity in the exercise of its legal functions or by judicial order.
    2. 2. The data are public in nature.
    3. 3. There are cases of medical or health urgency.
    4. 4. The processing is authorized by law for historical, statistical, or scientific purposes.
       
       
    5. To collect the authorization for the processing of personal data, HIGH TECH shall implement physical, electronic, or any other methods allowing later consultation or obtaining proof of the authorization granted by the data subject, whether in written or verbal form, or through unequivocal conduct by the data subject that reasonably allows concluding that authorization was granted.
       ‍
12. PROCESSING OF SENSITIVE DATA
    HIGH TECH SOFTWARE S.A.S shall only process sensitive data in the following cases:
    ‍
    
    1. The data subject has granted explicit authorization for such processing, except in cases where authorization is not required by law.
    2. The processing is necessary to safeguard the vital interest of the data subject and the data subject is physically or legally incapacitated. In such cases, legal representatives must grant authorization.
    3. The processing is carried out in the course of legitimate activities and with due safeguards by a foundation, NGO, association, or any nonprofit organization with political, philosophical, religious, or union-related purposes, provided that the data refer exclusively to their members or persons with regular contact for such purposes. In these cases, the data may not be disclosed to third parties without the authorization of the data subject.
    4. The processing concerns data necessary for the recognition, exercise, or defense of a right in a judicial proceeding.
    5. The processing is necessary to guarantee the safety of persons, assets, and facilities through mechanisms such as video surveillance and biometric access control.
    6. The processing has historical, statistical, or scientific purposes. In such cases, measures shall be adopted to suppress the identification of data subjects.
       ‍
13. VIDEO SURVEILLANCE AND BIOMETRIC DATA
    HIGH TECH SOFTWARE S.A.S facilities are equipped with video surveillance systems using security cameras to ensure the protection of persons, information, and assets. Therefore, all individuals entering the facilities, including clients, suppliers, employees, contractors, and visitors, may be recorded for security and control purposes.
    
    Additionally, for employees and contractors with recurring access to the facilities, an access control system based on facial recognition is implemented. The use of this system entails the collection and processing of biometric data, specifically facial images, which shall be used exclusively for access control and security purposes, within the purposes described herein and in accordance with Law 1581 of 2012 and its regulatory provisions.
    
    By entering or regularly accessing the facilities, data subjects accept and consent to the processing of such information for identification and access control purposes. HIGH TECH guarantees that the data obtained through video surveillance and facial recognition systems shall be processed under strict security and confidentiality standards and exclusively for the purposes authorized under applicable data protection legislation.
    ‍
14. DUTIES OF THE DATA CONTROLLER
    As Controller of personal data processing, HIGH TECH SOFTWARE S.A.S shall comply with the following duties:
    ‍
    
    1. Guarantee the data subject, at all times, the full and effective exercise of the right of habeas data.
    2. Request and retain, under the conditions set forth by law, a copy of the authorization granted by the data subject.
    3. Properly inform the data subject about the purpose of the collection and the rights granted under the authorization.
    4. Store information with necessary security measures to prevent alteration, loss, consultation, unauthorized use, or fraudulent access.
    5. Ensure that information provided to the Processor is truthful, complete, accurate, updated, verifiable, and understandable.
    6. Update the information, notifying the Processor in a timely manner of all developments regarding data previously provided, and take necessary steps to ensure that the information remains current.
    7. Rectify information when incorrect and communicate such correction to the Processor.
    8. Provide the Processor, as applicable, only with data whose processing is authorized under the applicable law.
    9. Require the Processor to always respect the security and privacy conditions of the data subject’s information.
    10. Adopt an internal manual of policies and procedures to ensure proper compliance with the law, particularly for handling consultations and claims.
    11. Inform the Processor when certain information is under dispute by the data subject, once a claim has been submitted and until the process is completed.
    12. Inform the data subject, upon request, of the use made of their data.
    13. Notify the data protection authority of security breaches and risks in the administration of personal data.
    14. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
        ‍
15. PROCEDURE FOR HANDLING CONSULTATIONS, CLAIMS, AND REQUESTS, AND MECHANISMS TO EXERCISE DATA SUBJECT RIGHTS
    The data subject, their successors, representative and/or attorney, or anyone designated through stipulation in favor of another, may exercise their rights by contacting us through written communication addressed to the area responsible for personal data protection. Communication may be sent to the following e‑mail address: [email protected]
    ‍
16. CONSULTATIONS
    Personal information of the data subject stored in HIGH TECH’s databases may be consulted. HIGH TECH shall provide all information contained in the individual record or information linked to the identification of the requesting party.
    
    Consultations shall be addressed within a maximum term of ten (10) business days from the date of receipt.
    
    If it is not possible to address the consultation within this term, the requester shall be informed of the reason for the delay and the new response date, which may not exceed five (5) business days following the expiration of the initial term.
    ‍
17. CLAIMS
    When the data subject believes that information contained in a HIGH TECH SOFTWARE S.A.S database should be corrected, updated, or deleted, or identifies alleged non‑compliance with data protection obligations, they may file a claim, which will be processed under the following rules:
    
    The claim shall be submitted through written communication addressed to HIGH TECH SOFTWARE S.A.S, including the identification of the data subject, a description of the facts giving rise to the claim, an address, and supporting documents.
    
    If the claim is incomplete, the requester shall be notified within five (5) business days following receipt to correct the deficiencies. If two (2) months pass from the date of the request without the requester supplying the missing information, the claim shall be deemed withdrawn.
    
    If HIGH TECH receives a claim for which it is not competent, it shall transfer it to the appropriate party within two (2) business days and inform the data subject.
    
    Upon receiving a complete claim, HIGH TECH shall record the legend “claim in process” in the corresponding database, along with the reason for the claim, within a maximum of two (2) business days. This note shall remain until the claim is resolved. The maximum term for resolving the claim shall be fifteen (15) business days from the day following its receipt. If it is not possible to respond within that term, HIGH TECH shall inform the data subject of the reason for the delay and indicate the response date, which shall not exceed eight (8) additional business days.
    ‍
18. TRANSFER AND TRANSMISSION OF PERSONAL DATA
    To provide its services, HIGH TECH SOFTWARE S.A.S may transfer and transmit personal data of its users to third parties, for which prior and express authorization from users shall be obtained to allow processing, transfer, and/or transmission of their personal data. Thus, databases may be provided to third parties with the express authorization of the data subject in accordance with applicable regulations.
    
    When HIGH TECH sends or transfers data to another country, authorization from the data subject shall be required unless otherwise provided by law. Before transferring data internationally, the responsible parties must verify that prior, express, and unequivocal authorization exists.
    
    Transfers may occur only if the receiving country offers an adequate level of data protection complying with standards established by the Superintendence of Industry and Commerce, which may never be lower than those required by law. Transfers shall be made solely to third parties with whom HIGH TECH has contractual, commercial, and/or legal relationships.
    ‍
19. AMENDMENTS
    HIGH TECH SOFTWARE S.A.S reserves the right to modify the Personal Data Processing and Protection Policy at any time. However, any modification shall be communicated in a timely manner to data subjects through usual communication channels at least ten (10) business days prior to its entry into force. If a data subject disagrees with the new General or Specific Policy and has valid reasons constituting just cause to revoke authorization, they may request the deletion of their information through the channels indicated in this policy.
    
    However, data subjects may not request deletion of their data when HIGH TECH has a legal or contractual duty to process such data.
    ‍
20. EFFECTIVE DATE
    This Personal Data Processing Policy of HIGH TECH SOFTWARE S.A.S has been in force since July 14, 2025.
    
    HIGH TECH shall retain personal data as long as necessary or relevant for the purpose for which they were collected, or for the duration of tasks assigned by the Controller, in accordance with rules on document retention and contractual terms established with the Controller.
    
    Likewise, the information contained in HIGH TECH’s databases shall remain valid for the period required for its processing, according to the purposes of the processing, without prejudice to the data subject’s right to request deletion.
    ‍
21. CONTACT CHANNELS
    To exercise rights related to personal data, and for consultations, claims, or requests, data subjects may contact the following channels:
    ‍
    
    • Email: [email protected]
    • Physical address: Carrera 7 # 7121 Torre A Piso 12 – Bogotá D.C.

The organization is committed to responding to all requests promptly, within the terms established by applicable law.