INTRODUCTION

CARBON OFFSET PARTNERS SAS (commercially known as SUSTRIVE SAS) is a commercial company, identified with NIT 901.500.085-1 (hereinafter referred to as "SUSTRIVE"), domiciled in Bogotá, Cundinamarca, Colombia.

LEGAL FRAMEWORK

This Personal Data Protection Policy Manual is governed by the following legal provisions:   Article 15 of the Political Constitution of Colombia, Law 1266 of 2008, Law 1581 of 2012, Decree 1727 of 2009, Decree 2952 of 2010, Unified Decree 1074 of 2015, External Circular No. 02 of November 3, 2015, and any additional or modifying provisions.

GENERAL PRINCIPLES

The company guarantees to all data subjects the protection of rights such as habeas data, privacy, intimacy, good name, and image. Therefore, all actions will be governed by the principles of good faith, legality, information self-determination, freedom, and transparency.

Employees, contractors, suppliers, clients, and any third parties who provide any type of personal or sensitive information to SUSTRIVE S.A.S. will have the right to know, update, rectify, and delete their information at any time.

DEFINITIONS OF GENERAL PRINCIPLES

In accordance with the legal framework of this manual, SUSTRIVE S.A.S. provides the following definitions to data subjects and the general public:

A-. Authorization

Prior, express, and informed consent given by the data subject for the processing of their personal and/or sensitive data, according to the type of information being requested.

B-. Database

An organized set of personal data that is subject to processing.

C-. Personal Data

Any information linked to or that may be associated with one or more identifiable natural persons.

D-. Data Processing Manager

A natural or legal person, public or private, who processes personal data on behalf of the data controller.

E-. Data Controller

A natural or legal person, public or private, who independently or in association with others, determines the purposes and means of processing personal data.

F-. Data Subject

A natural person whose personal data is being processed.
For minors, special protection applies to safeguard their fundamental rights. However, SUSTRIVE S.A.S. does not typically collect data from minors, except in specific cases such as its "USERS" database.

G-. Data Processing

Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

DEFINITIONS OF SPECIFIC PRINCIPLES

In compliance with applicable regulations, SUSTRIVE S.A.S. ensures strict adherence to all data collection, management, processing, storage, and sharing principles for personal and/or sensitive data:

A-. Principle of Legality

The collection, use, storage, and processing of personal and/or sensitive data will be carried out in compliance with current and applicable legal provisions governing the processing of personal data and other related fundamental rights.

B-. Principle of Freedom

The collection, use, storage, and processing of personal and/or sensitive data can only be carried out with the prior, express, and informed consent of the Data Subject.

Personal data cannot be obtained or disclosed without prior authorization unless there is a legal, statutory, or judicial mandate that exempts the need for consent.

C-. Principle of Purpose

The collection and processing of personal data by SUSTRIVE S.A.S. will be conducted only for legitimate purposes, which will be communicated to the data subject.

D-. Principle of Truthfulness or Quality

The personal data subject to collection and processing must be accurate, complete, verifiable, updated, and comprehensible. Processing partial, incomplete, fragmented, or misleading data is prohibited.

E-. Principle of Transparency

In the collection, use, storage, and processing of personal data, the Data Subject's right to obtain, at any time and without restrictions, information regarding the existence of any type of personal data of their interest or ownership must be guaranteed.

F-. Principle of Restricted Access and Circulation

Personal data, except for public information, may not be made available on the Internet or other mass communication or dissemination media unless access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties.

G-. Principle of Security

Personal data and information used, collected, stored, and processed by SUSTRIVE S.A.S. will be subject to protection to the extent that technical resources and minimum standards allow, through the adoption of technological protection measures, protocols, and all kinds of administrative measures necessary to ensure the security of records and electronic repositories, preventing their alteration, modification, loss, consultation, and, in general, any unauthorized use or access.

SUSTRIVE S.A.S. commits to the data subjects that it will do everything in its power to uphold this principle at all times.

H-. Principle of Confidentiality

All individuals who manage, handle, update, or have access to any type of information contained in the SUSTRIVE S.A.S. databases commit to maintaining strict confidentiality and not disclosing it to third parties. This includes all personal, commercial, accounting, technical, or any other type of information provided in the execution and exercise of their functions. Personal data may only be shared or disclosed when required for the development of activities authorized by the applicable law and under its terms.

In this regard, SUSTRIVE S.A.S. states that it has signed a Confidentiality Agreement with every individual who has access to the company's databases.

SENSITIVE DATA

Sensitive data is understood as information that affects the privacy of the data subject or whose improper use may result in discrimination. This includes data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, social or human rights organizations, political party affiliation, or guarantees for opposition political parties. It also includes data related to health, sexual life, biometric data (such as fixed or moving images, fingerprints, photographs, iris scans, voice recognition, facial or palm recognition, etc.).

Processing of Sensitive Data:

The use and processing of sensitive data will be permitted only when:

A-. The Data Subject has given explicit authorization for such processing, except in cases where the law does not require such authorization.

In these events, the following procedure will apply:

SUSTRIVE S.A.S. will inform the Data Subjects: (i) that they are not required to authorize the processing of this type of data and (ii) which data are considered Sensitive and the purpose of their processing.

B-. The processing is necessary to safeguard the vital interest of the Data Subject and they are physically or legally incapacitated. In these cases, legal representatives must provide authorization.

C-. The processing is carried out in the course of legitimate activities with due guarantees by a foundation, NGO, association, or any other non-profit organization whose purpose is political, philosophical, religious, or union-related, provided that such data relate exclusively to its members or persons who have regular contact due to its purpose. In these cases, the data may not be provided to third parties without the Data Subject's authorization.

D-. The processing is necessary for the recognition, exercise, or defense of a right in a judicial process.

E-. The processing is intended for historical, statistical, or scientific purposes. In these cases, measures must be adopted to ensure the suppression of the Data Subjects' identities.

AUTHORIZATION

Without prejudice to the exceptions provided in the legal framework outlined in this Manual, the processing of data requires the prior, express, and informed authorization of the data subject. This authorization will be obtained through a form that the data subject will sign, acknowledging that their data will be subject to processing by SUSTRIVE S.A.S., and it will be available for future consultation and verification. This signature may be collected physically on a printed document, digitally on a computer, or through a form on a SUSTRIVE S.A.S. website using the digital tools made available by the company.

In addition to a signature, the authorization may also be documented through a physical or electronic document, a data message, the Internet, a website, or even verbally through a telephone conversation—as long as there is a record, log, or recording as proof. Any other format that allows for future consultation and verification will also be valid.

If SUSTRIVE S.A.S. requests personal data from data subjects through any of its websites, it will provide a prior option for them to accept or decline the authorization for processing their data. The full text of the authorization will be displayed before the user can accept or reject it.

If the data subject clicks "accept," SUSTRIVE S.A.S. will consider this as free and informed consent to all the terms mentioned.

In the case of personal data of minors, their legal representatives will be responsible for granting authorization, ensuring that the minor is given the opportunity to express their views before consent is provided.

PURPOSE OF DATA PROCESSING

The personal and/or sensitive data collected by SUSTRIVE S.A.S for the proper development of its corporate purpose have the following purposes:
Employees and/or Contractors:

A-. Comply with legal obligations to provide information to administrative entities, as well as to the competent authorities that require it.

B-. Share information with third parties that provide services to SUSTRIVE S.A.S. and that, for the fulfillment of their functions, must access the information, such as legal service providers, software service providers, travel and/or tourism agencies, tax auditors, among others. These third parties are required to maintain the confidentiality of the provided information.

C-. Carry out administrative tasks related to labor or contractual relationships; sending pay stubs, reports, and certifications.

D-. Make salary payments, social benefits, extralegal benefits, and other financial compensations related to the employment relationship.

E-. Conduct disciplinary processes, issue warnings, and manage termination of employment; send information about job opportunities.

F-. Process payments, contributions, and reports to social security entities, pension and severance funds, insurance companies, and family compensation funds.

G-. Conduct advertising and marketing campaigns to offer discounts or promotions on products or services, either owned by SUSTRIVE S.A.S or from third parties with whom SUSTRIVE S.A.S has agreements.

Suppliers:

A-. Conduct accounting, tax, and administrative management.

B-. Carry out administrative tasks related to the contractual, legal, or commercial relationship between SUSTRIVE S.A.S and the Data Subject.

C-. Comply with legal obligations to provide information to administrative entities, as well as to the competent authorities that require it.

D-. Share information with third parties that provide services to SUSTRIVE S.A.S and that, for the fulfillment of their functions, must access the information, such as courier service providers, software service providers, among others. These third parties are required to maintain the confidentiality of the provided information. This obligation will be regulated through a Confidentiality Agreement.

E-. Draft contracts, purchase orders, or service orders, process advance payments, invoices, and collection accounts.

F-. Conduct advertising and marketing campaigns to offer discounts or promotions on products or services, either owned by SUSTRIVE S.A.S or from third parties with whom SUSTRIVE S.A.S has agreements.

G-. Enter into commercial agreements, organize events, or conduct institutional programs.

Clients:

A-. Establish commercial and business relationships with data subjects.

B-. Deliver communications regarding the commercial relationships established with each of the data subjects.

C-. Provide information on general topics that may be of interest.

D-. Conduct and send advertising and marketing campaigns to offer discounts or promotions on products or services, either owned by SUSTRIVE S.A.S or from third parties with whom SUSTRIVE S.A.S has agreements.

E-. Maintain accurate and updated information on each of the data subjects.

F-. Comply with legal obligations.

G-. Offer products or services.

H-. Facilitate the offering, execution, and closing of business deals.

I-. Sell databases to potential third-party buyers.

J-. Conduct market research.

The information provided by the Data Subject to SUSTRIVE S.A.S by any means, whether in writing (physical or electronic), by telephone, or by mail (physical or electronic), will only be used for the purposes described herein. Once the need for the processing of personal data ceases, the data may be deleted from the SUSTRIVE S.A.S database or stored securely to be disclosed only when required by law.

It is important to note that the right to deletion is not absolute, and the responsible party may deny its exercise when:

A-. The data subject has a legal or contractual obligation that requires them to remain in the database.

B-. The deletion of data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.

C-. The data is necessary to protect the legally protected interests of the data subject, to perform an action in the public interest, or to fulfill a legally acquired obligation by the data subject.

RIGHTS OF DATA SUBJECTS

SUSTRIVE S.A.S informs all data subjects that, in accordance with legal provisions, they have the following rights:

A-. Request at any time that SUSTRIVE S.A.S rectify, modify, update, or delete their information.

B-. Request proof of authorization for data processing, except as provided by Law 1581 of 2012, Decree 1377 of 2013, and other regulations that amend or replace them.

C-. Be informed by SUSTRIVE S.A.S, upon request, about the use applied to their personal and/or sensitive data.

D-. Provided that legal requirements are met, file complaints with the Superintendence of Industry and Commerce for violations in accordance with the provisions of Law 1581 of 2012, Decree 1377 of 2013, and other regulations that amend, add, or complement them.

E-. Revoke authorization and/or request the deletion of data and its administration in cases of violation of constitutional and legal rights and guarantees.

F-. Access their personal and/or sensitive data disclosed to SUSTRIVE S.A.S free of charge.

G-. Except in expressly authorized cases, demand the confidentiality and reservation of the provided information.

PROCEDURES ESTABLISHED FOR DATA SUBJECTS TO EXERCISE THEIR RIGHTS

Procedure for Consulting, Updating, Rectifying, or Deleting Information:

At any time and free of charge, the data subject or their representative may request SUSTRIVE S.A.S’s General Manager—who was designated by the company’s governing bodies to oversee the rights of data subjects—to address queries and claims of any kind, such as the rectification, updating, or deletion of their personal data, subject to verification of their identity.

The rights of rectification, updating, or deletion may only be exercised by:

A-. The data subject or their successors, upon verification of their identity, either in person or through electronic means that allow identification.

B-. Their representative, upon verification of legal representation.

The request for rectification, updating, or deletion must be submitted in writing to the following email address: inquiry@sustrive.com

And must include the following information:
 

• The data subject’s name and address where they can receive a satisfactory response.
   

• A copy of documents verifying their identity or that of their representative.
   

• A clear and precise description of the personal data the data subject seeks to consult, rectify, update, or delete.
   

• If applicable, any additional elements or documents that SUSTRIVE S.A.S may request to correctly identify the personal data related to the request.

The person responsible for handling the data subject’s requests regarding the management and processing of their information will be in charge of responding to any type of request, ensuring compliance with the applicable legal framework, and adhering to the timeframes established by law.

Procedure to Revoke Authorization for Personal Data Processing

Data subjects may revoke their consent for the processing of their personal data at any time, provided that it is not prevented by a legal or contractual obligation. To do so, they must follow the same procedure outlined above and specify in their request that they wish to revoke the authorization for the processing of their personal data.

DEPARTMENT RESPONSIBLE FOR PERSONAL DATA PROCESSING

SUSTRIVE S.A.S has designated the Administration Department as responsible for the compliance of its Personal Data Protection System:

    Email: inquiry@sustrive.com

The person in charge of the administration department of SUSTRIVE S.A.S will be responsible for assisting the data subject and fulfilling the function of data protection. They will process requests from data subjects to exercise their rights of access, consultation, rectification, updating, deletion, and revocation, as provided by current data protection regulations.

The designated person at SUSTRIVE S.A.S will be available to assist data subjects with these processes at the specified email address: inquiry@sustrive.com

PROCEDURE FOR CONSULTING PERSONAL INFORMATION AT SUSTRIVE S.A.S

Queries will be addressed within a maximum period of ten (10) days from the date of receipt. If the query cannot be answered within this period, the data subject will be informed of the reasons for the delay, and in no case may the response exceed five (5) additional business days after the original deadline.

If the data subject considers that their information contained in a database should be corrected, updated, or deleted, or if they detect a possible failure to comply with legal obligations, they may submit a claim as follows:

The claim from the data subject must include the following:

A-. Identification, a description of the facts giving rise to the claim, and a notification address, all accompanied by supporting documents for the claim.

B-. If the claim is incomplete, SUSTRIVE S.A.S will request the interested party to correct the deficiencies within five (5) days following receipt of the claim. If the applicant does not provide the required information within two (2) months from the date of the request, it will be understood that they have withdrawn the claim.

C-. Once the claim is received, a note will be added to the database stating "claim in process" along with the reason for the claim, within a maximum of two (2) business days.

D-. The maximum period for resolving the claim will be fifteen (15) business days from the day after the request is received. If it is not possible to resolve the claim within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be resolved, which in no case may exceed eight (8) additional business days after the original deadline.

IMPORTANT: Data subjects or their successors may only file a complaint with the Superintendence of Industry and Commerce after submitting a query or claim to SUSTRIVE S.A.S and not receiving a satisfactory response.

OBLIGATIONS OF SUSTRIVE S.A.S REGARDING THE PROCESSING OF PERSONAL DATA

SUSTRIVE S.A.S will always keep in mind that personal and/or sensitive data belong to the individuals they refer to, and only they can decide how their data is used. In this regard, SUSTRIVE S.A.S will only use personal data for the purposes it is duly authorized for, while strictly complying with applicable data protection laws.

DUTIES OF SUSTRIVE S.A.S AS THE DATA CONTROLLER

When acting as the data controller, SUSTRIVE S.A.S will comply with the following duties:

A-. Ensure that the Data Subject can fully and effectively exercise the right to habeas data at all times.

B-. Request and retain a copy of the respective authorization granted by the Data Subject.

C-. Properly inform the Data Subject about the purpose of data collection and the rights they have under the granted authorization.

D-. Store the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.

E-. Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable, and comprehensible.

F-. Update the information, promptly communicating any changes regarding previously provided data to the data processor and adopting necessary measures to ensure that the supplied information remains up to date.

G-. Rectify information when it is incorrect and communicate the correction to the data processor.

H-. Provide the data processor, as applicable, only the data whose processing has been previously authorized.

I-. Require the data processor to always respect the security and privacy conditions of the Data Subject’s information.

J-. Process queries and claims submitted by Data Subjects.

K-. Inform the data processor when certain information is under dispute by the Data Subject after a claim has been filed and while the process remains unresolved.

L-. Provide the Data Subject, upon request, with information regarding the use of their data.

M-. Notify the data protection authority when security breaches occur and pose risks in the management of Data Subjects’ information.

INFORMATION SECURITY

In accordance with the security principle established in applicable regulations, SUSTRIVE S.A.S has adopted and will continue to implement technical, human, and administrative measures necessary to secure its databases and prevent their alteration, loss, consultation, use, or unauthorized or fraudulent access.

The Company is committed to adopting the best information security policies to always safeguard the rights of Data Subjects.

POLICY VALIDITY

This manual has been in effect since March 1, 2020, and supersedes any special regulations or manuals previously adopted by SUSTRIVE S.A.S.