1. Identification of the Data Controller
- Company name: NEXERA TECHNOLOGIES S.A.S
- Tax ID (NIT): 902.025.881-2
- Address: Calle 134ª No. 19-34, Bogotá D.C., Colombia
- Contact email: [email protected]
- Website: www.vitalgo.co
2. Scope and Purpose
The main purpose of this policy is to establish the guidelines under which NEXERA TECHNOLOGIES S.A.S., through the technological platform called "VitalGo" (hereinafter "Vitalgo", the "Company" or the "Controller"), processes personal data collected through its digital platform www.vitalgo.co, in compliance with Law 1581 of 2012, Decree 1377 of 2013 and other concordant regulations, guaranteeing the fundamental right of Habeas Data of all natural persons (hereinafter, the "Data Subjects") whose personal data is processed by the Company. The aim is to guarantee the rights of personal data subjects, especially in the context of technological services applied to the health sector.
This Policy applies to all databases, both physical and digital, that contain personal data and that are subject to Processing by the Company, either as Controller or as Data Processor.
PARAGRAPH. Applicable Legislation and Extraterritorial Application: Notwithstanding that the processing of personal data under this Policy is governed primarily by Law 1581 of 2012 and Decree 1377 of 2013 of the Republic of Colombia, Vitalgo acknowledges that the applicable regulations may vary depending on the extraterritorial application of data protection laws of those countries where Data Subjects have their domicile or residence outside Colombian territory. Consequently, it shall be understood that, as a general rule, Colombian law applies, unless there is a mandatory rule of law in another jurisdiction that must be complied with by legal obligation or by virtue of the cross-border nature of the service provided by the Company.
3. Definitions
For the purposes of this Policy, the following legal definitions are adopted and included:
- Authorization: Prior, express and informed consent of the data subject to carry out the processing of their personal data.
- Database: Organized set of personal data that is subject to Processing.
- Personal Data: Any information linked to or that can be associated with an identified or identifiable natural person.
- Public Data: Data that is not semi-private, private or sensitive. Public data includes, among others, data related to the marital status of persons, their profession or trade, and their status as a merchant or public servant.
- Sensitive Data: Information that affects the privacy of the data subject or whose improper use may lead to discrimination, such as health data, biometric data, sexual orientation, religion, among others.
- Data Processor: Natural or legal person who processes personal data on behalf of the controller.
- Data Controller: Natural or legal person who decides on the database and/or the processing of data. In this case, NEXERA TECHNOLOGIES S.A.S.
- Accountability: Principle by which the Controller must be able to demonstrate, at the request of the authority, that it has implemented appropriate and effective measures to comply with the law.
- Data Subject: Natural person whose personal data is subject to processing.
- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
- Transfer: Sending of personal data to a recipient who, in turn, is a Data Controller and is located within or outside the country.
- Transmission: Communication of personal data within or outside Colombia, between the controller and the data processor.
4. Guiding Principles for Personal Data Processing
VITALGO guarantees that the processing of personal data will be carried out in accordance with the following principles, in line with Article 4 of Law 1581 of 2012:
- Legality: Processing shall be subject to the provisions of the law.
- Purpose: Processing shall serve a legitimate purpose, which shall be specifically informed to the Data Subject.
- Freedom: Processing may only be exercised with the prior, express and informed consent of the data subject.
- Truthfulness or Quality: Information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. Processing of partial data or data that may lead to error is prohibited.
- Transparency: The data subject has the right to obtain information about their data at any time.
- Restricted Access and Circulation: Processing shall be subject to the limits of the nature of the data and the law. Data shall not be available through mass media.
- Security: Technical, human and administrative measures necessary to provide security to records must be adopted, preventing their alteration, loss, consultation, use or unauthorized access.
- Confidentiality: Persons involved in processing are obligated to guarantee the confidentiality of information.
- Accountability: VITALGO will implement useful and timely measures to comply with the law and will be able to demonstrate such compliance to the competent authority.
5. Processing of Sensitive Data and Minors
Vitalgo processes sensitive data and data of minors under strict security conditions and reinforced consent. This includes, but is not limited to:
Detailed Clinical Information
- Medical History: Includes past and current diagnoses, laboratory and imaging test results.
- Diseases and Health Conditions: Record of chronic, acute diseases and any other relevant condition.
- Allergies: Precise identification of allergies to medications, foods and other environmental agents.
- Medications: Current and past prescriptions, dosage, frequency and duration of treatment.
- Medical and Surgical Procedures: Documentation of interventions performed or planned.
- Mental Health Data: Relevant information about the user's psychological and psychiatric state, if applicable to the service.
Biometric Data Processing
Vitalgo may collect and process biometric data, specifically facial scanning of the Data Subject, for the exclusive purpose of validating their identity and ensuring that access to clinical information is performed by the legitimate holder or authorized personnel. As this is sensitive data, the Data Subject is informed of the following:
- Granting authorization for biometric data processing is optional (voluntary).
- However, refusal to provide this data or revocation of the authorization may prevent the use of certain advanced security functionalities or identity validation necessary for platform access.
- Vitalgo will implement encryption and technical security measures to ensure that biometric information is not used for purposes other than system authentication and security.
Processing of Minors' Information
Mandatory Reinforced Consent: Processing of minors' data is carried out solely and exclusively with prior, express and informed authorization from their legal representatives (parents or guardians).
When processing involves personal data of minors, Vitalgo acts with special diligence to verify that authorization is granted by their legal representative. To this end, we apply the following protocols:
- We request documentation proving kinship or legal representation (such as the adult's ID and the minor's birth certificate). In cases where representation does not fall to parents, corresponding legal support will be required (custody ruling or special power of attorney). If Vitalgo deems an additional document necessary to validate kinship with the minor, it will be requested.
- Registration of a minor on our platforms requires a sworn statement from the adult, who certifies having legal authority to act on behalf of the minor. Vitalgo reserves the right to validate information consistency and reject registration if documentation is insufficient or untruthful.
- We clearly inform about the purpose of processing, security measures and channels to exercise rights. We also respect the principle of progressive autonomy, encouraging the minor to be heard and understand the process according to their age and maturity.
- We maintain a secure record of all authorizations to guarantee traceability and compliance with the Best Interest of the Minor.
Assessment of Minor's Opinion: The minor's legal representative must inform the minor about the purpose of processing and collect their opinion, taking into account the maturity, autonomy and capacity of the child or adolescent to understand the matter. Vitalgo will presume that the legal representative has complied with this duty when accepting terms and conditions on behalf of the minor.
Principle of Best Interest of the Minor: All information is processed under the principle of guaranteeing the best interest of the minor, ensuring maximum confidentiality and limiting access only to medical and technical personnel strictly necessary for service provision.
Security and Confidentiality Measures
- All sensitive data is stored and transmitted using end-to-end encryption techniques, complying with health industry security standards.
- Access to this information is restricted through strict access controls, defined roles and permissions.
- Periodic security audits are performed to ensure ongoing compliance with data protection policies.
6. Purposes of Processing
The Company collects personal data through channels such as its website, social networks, events, contracts, selection processes and cookies. Purposes will be specific to each type of Data Subject:
For Users and Clients of the Vitalgo Platform
Vitalgo acts as Data Controller and will use personal data for the following purposes:
- Allow controlled and immediate access to user's personal clinical information in medical emergency situations through QR code scanning.
- Send real-time notifications to the user so they can authorize or reject access to their medical information.
- Train and optimize Artificial Intelligence algorithms for orientative medical triage, without binding diagnostic effects.
- Conduct demographic, statistical and public health studies based on anonymized data.
- Manage registration, authentication and account administration within the platform.
- Send commercial, promotional and/or informational communications related to products and services offered by Vitalgo, only with prior and express authorization from the data subject (opt-out mechanism available).
- Perform identity validation of the Data Subject through facial and/or documentary biometric tools, for the exclusive purpose of preventing identity fraud, ensuring that access to medical records is made only by the Data Subject or authorized professionals, and strengthening platform security protocols.
For Healthcare Professionals
Vitalgo will process personal data of professionals who register or use the platform to:
- Verify identity and validity of professional registration through integration with the National Unique Registry of Healthcare Human Resources (RETHUS).
- Manage credentials for controlled access to users' clinical information.
- Generate technical records (logs) of each consultation, including location, date, device and identity, to guarantee patient safety and comply with custody duty for ten (10) years.
- Record that access to data is performed under professional autonomy, the professional being solely responsible for diagnosis or treatment derived from the consultation.
As Data Processor (Institutional Client Supplier Data)
Vitalgo may act as Data Processor, in which case it will limit itself to processing personal data according to documented instructions from the Controller (institutional client), in accordance with the processing contract and applicable legislation. Purposes include:
- Facilitate interoperability of clinical data and controlled access to medical information by medical personnel authorized by the Controller.
- Guarantee traceability and access security through technological tools provided by Vitalgo.
- Process data in the cloud according to high standards of security, encryption and audit.
In these cases, Vitalgo does not make decisions about the use or content of data, nor about the legal basis for processing, and commits to comply exclusively with the instructions of the Data Controller, under the terms established in the respective contract.
For Employees and Job Candidates
Vitalgo will process personal data of current and former employees and candidates to:
- Evaluate resumes and work and academic backgrounds.
- Conduct interviews, psychometric tests and other selection processes.
- Formalize employment contracts and manage the employment relationship (payroll, social security, affiliations, etc.).
- Comply with legal obligations in labor, social security and tax matters.
- Provide extra-legal benefits, if applicable.
- Execute disciplinary or administrative processes, when applicable.
- Manage employment records.
For Suppliers and Contractors (Vitalgo's Own)
Vitalgo will process personal data of suppliers and contractors to:
- Verify legal, disciplinary, contractual and financial backgrounds.
- Manage contracting, evaluation and monitoring processes of the supplier or contractor.
- Comply with contractual, tax, accounting and commercial obligations.
- Make payments, issue certifications and reports required by public or private entities.
- Establish effective communication channels within the contractual relationship.
For Website Visitors and Social Media Contacts
Vitalgo may collect and process personal data from visitors to its website and social networks to:
- Respond to requests or inquiries made through contact forms, chat or messaging.
- Manage digital marketing campaigns, with the possibility of exercising the right to object at any time.
- Perform analysis on website traffic through cookies, in accordance with the Cookie Policy.
- Record access logs, geolocation, device and entry date for security reasons.
7. International Transfer and Transmission of Data
International Data Transmission
The Company may use cloud service providers (IaaS/PaaS) such as Amazon Web Services (AWS), Google Cloud and/or Azure for information storage and processing. This constitutes International Data Transmission, as these providers act as Data Processors. These operations are formalized through Data Transmission Contracts (Data Processing Agreements - DPA), where Processors are required to comply with the security and confidentiality standards of Colombian Law.
International Data Transfer
The Company's platform allows the Data Subject to authorize access to their medical information by healthcare professionals located abroad through QR code scanning. This action constitutes an international data transfer that is permitted under the exceptions of Article 26 of Law 1581 of 2012, specifically based on:
- Data Subject Authorization: Access only occurs when the Data Subject has granted prior, express and unequivocal consent, which is managed through real-time notification and authorization that the system requests from the user at the time of scanning.
- Medical data exchange: The transfer is necessary for health and public hygiene reasons, as its purpose is to facilitate medical treatment of the Data Subject in professional care or emergency scenarios.
Vitalgo implements access records (logs) of location, date and device to audit these transfers and clarifies that the receiving professional is solely responsible for the medical act and independent treatment of the information provided.
8. Data Subject Rights
In accordance with Article 8 of Law 1581 of 2012, Data Subjects have the following rights:
- Know, update and rectify their personal data.
- Request proof of authorization granted.
- Be informed about the use given to their data.
- File complaints with the Superintendency of Industry and Commerce (SIC) for violations of the law.
- Revoke authorization and/or request data deletion when principles and legal rights are not respected.
- Access their personal data that has been subject to Processing free of charge.
9. Service Channels and Procedures
Data subjects may exercise their rights by request to the email: [email protected]
Procedure for exercising rights
For inquiries or complaints related to personal data processing, the data subject must send an email to [email protected] including:
- Full name of the data subject.
- Identification number.
- Clear description of the right to be exercised (inquiry, rectification, deletion, revocation, etc.).
- Electronic or physical address to receive the response.
- Documents proving identity or legal representation, if applicable.
Response times
Inquiries, Right of access, use: Will be addressed within a maximum term of ten (10) business days from the date of receipt. If it cannot be addressed within said term, the interested party will be informed, stating the reasons and indicating the date it will be addressed, which shall not exceed five (5) business days following the expiration of the first term.
Claims, Rectification, update, deletion, revocation, non-compliance: Will be addressed within a maximum term of fifteen (15) business days from the day following the date of receipt. If it cannot be addressed within said term, the interested party will be informed of the reasons for the delay and the date their claim will be addressed, which may not exceed eight (8) business days following the expiration of the first term.
Vitalgo, in compliance with the Accountability principle, has a Data Protection Officer. This role has the function of coordinating the implementation of technical and administrative security measures, supervising the processing of sensitive data and minors' data, and acting as liaison for the exercise of Data Subjects' rights. The Data Protection Officer will be responsible for managing user requests and ensuring internal compliance with this policy. For any communication related to personal data protection, they may be contacted at: [email protected]
10. Policy Validity
This Policy is effective from its publication date.
Information collected will be stored and processed for the time necessary to fulfill the described purposes and legal obligations. In compliance with commercial and tax regulations on the preservation of accounting documents and transaction records, personal data will be kept for a period of ten (10) years from the end of the contractual relationship or the last transaction, after which secure deletion will proceed.
Any substantial modification to this Policy will be communicated in a timely manner to Data Subjects through usual communication channels or by publication on the www.vitalgo.co website.
11. Liability Clause and Global Scope
Vitalgo acts exclusively as a provider of technological solutions and infrastructure facilitator so that Personal Data Subjects can centralize, manage and share their health information under their own control and traceability. Given Vitalgo's nature as a technological intermediary, the framework of operational independence and delimitation of responsibilities is governed by the following conditions:
- Access to information by healthcare professionals —whose identity is validated through the National Unique Registry of Healthcare Human Resources (RETHUS)— is carried out under the principle of professional autonomy and independence. Vitalgo does not interfere, supervise or have control over clinical judgment, diagnosis or treatment. Consequently, any decision or action derived from access to data constitutes an independent Medical Act, the responsibility for which falls exclusively on the treating professional.
- It is expressly stated that Vitalgo does not act as Data Processor on behalf of healthcare professionals or healthcare institutions. There is no subordination or mandate relationship for information processing on behalf of the professional; Vitalgo is a personal management platform at the service of the Data Subject, who is the only one authorized to grant access to their information through the system's real-time validation and notification mechanisms.
- For non-medical third parties (family members, caregivers or insurers), access is strictly conditioned on prior and express approval from the Data Subject. This sovereign control of data guarantees that responsibility for who views the information and for what purpose remains with the Data Subject.
- In case of access from abroad, these are considered international transfers authorized by the Data Subject through express and real-time consent. Vitalgo guarantees complete traceability of the event (geolocation, identity and timing), but is not responsible for subsequent use the recipient makes of said information outside national territory.
Vitalgo will retain access records as proof of traceability and legal compliance, but clarifies that professionals and authorized third parties act autonomously. Their access to the platform does not imply representation, agency or employment relationship with Vitalgo, and they are solely responsible for the ethical and legal use of the information consulted.
Applicable legal framework
- Law 1581 of 2012 - Personal data protection
- Decree 1377 of 2013 - Regulatory decree of Law 1581
- Law 527 of 1999 - Electronic commerce and data messages