Personal Data Processing Policy

ZABIO S.A.S.

Version 2.1 – May 2026

1. Introduction

Thank you for using Zabio. This Personal Data Processing Policy (hereinafter, the "Policy") describes how Zabio S.A.S. collects, uses, stores, transmits, transfers, and generally processes the personal data of data subjects linked to the Zabio technology platform, as well as the guarantees and rights available to them.

This Policy is complemented by the Terms and Conditions of Use of the Zabio Platform, the applicable mandate agreements, the SAGRILAFT Manual, and other contractual and regulatory documents governing operations. We recommend that you read it carefully before using the Platform. By accepting the authorization for personal data processing, you acknowledge having read, understood, and accepted this Policy.

If at any time you disagree with the processing of your personal data as described herein, you may choose not to provide your authorization. However, this may result in the inability to access some or all of the Platform's services.

2. Purpose

The purpose of this Policy is to: (i) inform data subjects how Zabio S.A.S. processes their personal data; (ii) describe the purposes, principles, and applicable security measures; (iii) detail the rights available to data subjects and the procedures to exercise them; (iv) identify the third parties with whom Zabio shares information in the course of operations; and (v) ensure compliance with applicable Colombian regulations.

3. Identification of the Data Controller

Legal name: Zabio S.A.S.

Tax ID (NIT): 901.818.731-6.

Principal domicile: Carrera 15 # 95-35, Office 205, Bogota D.C., Colombia.

Official habeas data channel: info@zabio.com

Website: www.zabio.com

Responsible area: Requests related to personal data processing are handled by the Compliance area of Zabio S.A.S., through the channel indicated in section 25 of this Policy.

For the provision of certain services, Zabio S.A.S. may rely on related entities or partners that operate international infrastructure. In particular, bridging and blockchain analytics services may be channeled through SureFX LLC, a company incorporated in the State of Wyoming (U.S.A.), a related entity that acts exclusively as support infrastructure. Zabio S.A.S. maintains in all cases its capacity as Data Controller with respect to the personal data of data subjects linked to the Platform.

For purposes of personal data protection, SureFX LLC and other third parties involved in bridging, blockchain analytics, technology infrastructure, validation, monitoring, or transaction processing services may act, depending on the specific case, as Data Processors, sub-processors, or independent Data Controllers. When acting on behalf of Zabio S.A.S., they must process personal data exclusively in accordance with Zabio's documented instructions, under data transmission agreements or equivalent contractual instruments that include obligations of confidentiality, security, limited purpose, incident response, use restrictions, and return, deletion, or anonymization of information as applicable.

4. Scope of Application

This Policy applies to all data subjects whose personal data is processed by Zabio S.A.S. in connection with the Platform or its operations, including, among others: users and end users, prospects, operating partners, technology partners, suppliers, contractors, shareholders, employees, job candidates, beneficiaries, and visitors.

The Policy applies to all personal data processing carried out within the territory of the Republic of Colombia and, likewise, to cases in which the Controller or Processor is located outside Colombia but, due to international standards or current treaties, must comply with Colombian personal data protection legislation, particularly when the data subject is a resident of Colombia. When, due to the data subject's residence, the place of service provision, the location of an independent Processor or Controller, or the international nature of the operation, foreign data protection regulations apply, Zabio may supplement this Policy with privacy notices, jurisdictional annexes, or specific authorizations, without prejudice to the minimum rights recognized to the data subject under Colombian law when applicable.

5. Applicable Regulatory Framework

This Policy is governed by the following Colombian regulations, as well as by any regulations that may amend, supplement, or replace them:

  • Political Constitution of Colombia, articles 15 and 20.
  • Law 1266 of 2008 (management of financial, credit, commercial, and services information).
  • Law 1273 of 2009 (computer crimes).
  • Law 1581 of 2012 (general regime for personal data protection).
  • Decree 1074 of 2015, which compiles Decree 1377 of 2013 (implementing regulation of Law 1581).
  • Law 2157 of 2021 (Financial Habeas Data Act) and related regulations.
  • Circulars and resolutions issued by the Superintendence of Industry and Commerce (SIC).

Additionally, Zabio S.A.S. observes sector-specific regulatory frameworks applicable to operations with digital assets and the prevention of Money Laundering, Terrorism Financing, and Financing of the Proliferation of Weapons of Mass Destruction (ML/TF/FPWMD), as well as, when applicable, the Crypto-Asset Reporting Framework (CARF) adopted by the OECD to the extent that Colombian law incorporates it.

6. Definitions

For the purposes of this Policy, the following definitions are adopted, without prejudice to the definitions contained in the Terms and Conditions of Use of the Zabio Platform, which apply supplementarily:

Authorization: Prior, express, and informed consent of the data subject to carry out the Processing of their personal data.

Privacy Notice: Verbal or written communication generated by the Controller, directed to the data subject for the Processing of their personal data, through which the applicable policies are communicated.

Database: An organized set of personal data subject to Processing.

Personal Data: Any information linked to or that may be associated with one or more identified or identifiable natural persons.

Public Data: Data classified as such by law or the Constitution, as well as data that is not semi-private, private, or sensitive.

Semi-private Data: Data that is not intimate, reserved, or public in nature and whose knowledge or disclosure may be of interest to its owner and to a specific sector or group of persons.

Private Data: Data that, due to its intimate or reserved nature, is only relevant to its owner.

Sensitive Data: Data that affects the intimacy of the data subject or whose misuse may generate discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social or human rights organizations, health-related data, sexual life data, and biometric data.

Data Processor: A natural or legal person who, by itself or in association with others, processes personal data on behalf of the Controller.

Data Controller: A natural or legal person who decides on the Processing of personal data. For the purposes of this Policy, the Controller is Zabio S.A.S.

Data Subject: A natural person whose personal data is subject to Processing.

Transfer: The sending of personal data by the Controller to a recipient who is also a Controller, located within or outside the country.

Transmission: The communication of personal data by the Controller to a Processor, located within or outside the country, for processing on behalf of the Controller pursuant to a data transmission agreement.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, transmission, transfer, deletion, or any other form of use.

7. Principles

The Processing of personal data by Zabio is carried out in accordance with the following principles:

  • Legality: Processing is subject to the Constitution, Law 1581 of 2012, and other related regulations.
  • Purpose: Data is only processed for legitimate purposes, which are communicated to the data subject.
  • Freedom: Processing is only carried out with the prior, express, and informed consent of the data subject, except in cases exempted by law.
  • Truthfulness or quality: Information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable.
  • Transparency: The data subject is guaranteed the right to obtain information about data held about them.
  • Restricted access and circulation: Processing may only be carried out by authorized persons or by those with legal authority to do so.
  • Security: Reasonable technical, human, and administrative measures are adopted to protect data.
  • Confidentiality: Persons involved in Processing must guarantee the confidentiality of information, even after their relationship with Zabio has ended.

8. Categories of Personal Data Processed

Zabio may collect and process the following categories of personal data, depending on the type of data subject, access channel, product or service, and applicable legal requirements:

8.1. Identification Data

Full names; type and number of identity document; date and place of issuance; nationality; signature; photo.

8.2. Contact Data

Physical address; email; landline or mobile phone number; city and country of residence; postal code.

8.3. Sociodemographic Data

Date of birth; sex; gender; marital status; educational level; profession or occupation; classification in the System for Identification of Potential Beneficiaries of Social Programs (Sisben) when applicable.

Information associated with Sisben classification will be processed exclusively as a complementary variable for socioeconomic consistency, fraud prevention, risk analysis, quota allocation or restriction, transaction monitoring, and compliance with internal ML/TF/FPWMD policies. Zabio will not use this information to make discriminatory decisions or to automatically exclude data subjects based on their socioeconomic status, without prejudice to the application of enhanced controls when there is inconsistency between the declared profile, available supporting documents, and transactional behavior.

8.4. Financial, Tax, and Economic Data

Information on income, expenses, assets, liabilities, linked financial products; financial institution and account number; bank statements; tax returns; employment or income source certifications; tax residence; source of funds supporting information; tax information required by frameworks such as CARF; corporate structure, shareholders, and ultimate beneficial owners for corporate users.

8.5. Transactional and Operational Data

Wallet addresses; types of crypto-assets; number of units; rates and amounts; number of transactions; value in legal tender; counterparties; transaction channel; date and time; mandate acceptance; instructions given; logs.

8.6. Technical and Electronic Data

IP address; device identifiers; browser; operating system; approximate geolocation; cookies and tracking technologies; access and browsing records.

8.7. Biometric and Identity Validation Data

Identity document photograph; selfie; liveness proof video; facial features and biometric templates obtained for identity verification. These data qualify as Sensitive Data and receive the treatment provided for in section 9 of this Policy.

8.8. Compliance and Risk Prevention Data

Information obtained from Restrictive Lists (OFAC, UN, local PEP lists, Zabio's internal watchlist); validation results against public sources; information on criminal records or negative reports in credit bureaus when applicable; blockchain analytics results (wallet risk association, screening); information on unusual or suspicious transactions.

Consultation of records, public sources, financial, credit, commercial, or services information, or negative reports will only be carried out where the data subject's authorization or a legal authorization exists, and will be limited to information that is necessary, relevant, and proportional for the purposes of fraud prevention, identity validation, contractual compliance, risk management, ML/TF/FPWMD prevention, or compliance with authority requirements.

8.9. Commercial and Relationship Data

Information about interactions with Zabio (complaints, support, surveys); preferences; communications; consents granted; history of services provided.

9. Sensitive Data

Zabio only processes Sensitive Data when one of the following conditions is met: (i) the data subject has granted express, prior, informed, and specific authorization for such Processing, unless the law exempts such authorization; (ii) Processing is necessary to safeguard the vital interest of the data subject and they are physically or legally incapacitated; (iii) Processing is carried out in the course of legitimate activities with appropriate safeguards; (iv) Processing relates to data necessary for the recognition, exercise, or defense of a right in judicial proceedings; or (v) Processing has a historical, statistical, or scientific purpose, in which case anonymization measures are adopted.

In Zabio's operations, the main Sensitive Data processed is biometric data required for identity validation (selfie, liveness proof, facial templates). This data is only processed with the express and specific authorization of the data subject, granted at the time of onboarding, and is used exclusively for identification, authentication, fraud prevention, and compliance with legal and regulatory obligations.

Authorization for the Processing of Sensitive Data, including biometric data, must be requested in an express, prominent, and differentiated manner from other general authorizations, informing the data subject that they are not legally required to authorize such Processing. However, when such data is necessary to verify identity, prevent fraud, comply with legal obligations, execute high-risk operations, or protect the security of the Platform, the refusal to provide it may prevent onboarding, authentication, or execution of certain operations.

The data subject has the right not to answer questions concerning Sensitive Data. The refusal to provide biometric data may result in the inability to complete the onboarding process or to execute certain operations.

10. Data of Children and Adolescents

The Zabio Platform is directed exclusively to persons of legal age. Zabio does not intentionally onboard children or adolescents as users of the Platform nor allow them to execute operations with digital assets, stablecoins, or fiat resources, unless there is express legal authorization, valid authorization from their legal representatives, and verification that the Processing serves their best interests and respects their prevailing rights. If it is detected that a user is a minor, Zabio may reject, suspend, or terminate the relationship, in accordance with its internal compliance policies.

11. Dual Role as Data Controller and Data Processor

Depending on the flow and the applicable contractual relationship, Zabio S.A.S. may act as:

(a) Data Controller, when it collects data directly from the data subject in connection with their onboarding, execution of operations under direct mandate, or any direct interaction with the Platform; and

(b) Data Processor, when, under a successive mandate, it receives personal data from the Operating Partner (in its capacity as Legal Operator vis-à-vis the end user) to execute the backend operation under the latter's instructions, pursuant to the applicable mandate agreement. In such case, the Operating Partner retains its capacity as Data Controller vis-à-vis the end user, and Zabio acts on its behalf subject to the instructions given, the security measures, and other contractual terms.

The specific capacity assumed by Zabio in each flow shall be determined pursuant to the applicable mandate agreement, the Platform's Terms and Conditions, and other contractual documents.

In successive mandate schemes, although Zabio may act as Data Processor with respect to data received from the Operating Partner for the backend execution of the operation, it may act as an independent Controller with respect to Processing it must carry out for compliance with legal, regulatory, tax, fraud prevention, SAGRILAFT, CARF, authority response, evidence preservation, or defense of its rights obligations. In such cases, Zabio will process data in accordance with the purposes stated in this Policy and applicable regulations.

12. Purposes of Processing

Zabio processes the personal data of data subjects for the following purposes, depending on the type of data subject and the context of the relationship:

12.1. Purposes Common to All Data Subjects

  • Onboarding, identity validation, and authentication.
  • Compliance with legal, regulatory, and contractual obligations.
  • Prevention of Money Laundering, Terrorism Financing, and Financing of the Proliferation of Weapons of Mass Destruction (SAGRILAFT/ML/TF/FPWMD).
  • Validation against national and international Restrictive Lists (OFAC, UN, PEP, internal list).
  • Handling of PQR (petitions, complaints, and claims), claims, consultations, and requests.
  • Information security, and the prevention and detection of fraud, impersonation, or misuse.
  • Traceability and preservation of digital evidence.
  • Compliance with requirements from competent authorities.
  • National and international tax reporting, including, when applicable, CARF.

12.2. Purposes Regarding Users and Prospects

  • Execution of the mandate (direct or successive) and tokenization, detokenization, conversion, transfer, delivery, receipt, or settlement operations of digital assets, stablecoins, and fiat resources.
  • Allocation, adjustment, restriction, suspension, or withdrawal of the Authorized Monthly Quota (CMA).
  • Transaction monitoring, identification of unusual or suspicious transactions, and reporting to authorities when applicable.
  • Processing of charges, commissions, margins, and accounting reconciliation of operations.
  • Operational communications related to the account, operations, and services.
  • Sending commercial, promotional, advertising, or marketing communications for own or partner services, only when the data subject has granted specific authorization for this purpose and without the refusal to receive such communications affecting access to the Platform's operational services. The data subject may revoke this authorization or opt out of commercial communications at any time.
  • Experience improvement, usage analytics, new product development, and service personalization.
  • Determination of outstanding obligations and, when applicable, consultation and reporting to financial or credit information bureaus, pursuant to Law 1266 of 2008.

12.3. Purposes Regarding Partners, Suppliers, and Contractors

  • Due diligence prior to contractual engagement.
  • Entering into and execution of contracts, including invoicing, payments, and reconciliation.
  • Compliance with accounting, tax, and internal control obligations.

12.4. Purposes Regarding Employees, Candidates, and Beneficiaries

  • Selection, hiring, execution, and termination of employment or service provision relationships.
  • Payroll administration, social security, benefits, training, and welfare.
  • Compliance with labor and occupational health and safety obligations, and post-contractual preservation of records in accordance with applicable legal periods.

12.5. Purposes Regarding Visitors and Website Users

  • Operation, security, and improvement of the website and the Platform.
  • Statistical and usage analysis.
  • Handling of communications received through digital channels.

12.6. Profiling, Analytics, and Technology-Assisted Decisions

Zabio may use technological tools, business rules, risk models, transactional analytics, biometrics, list screening, blockchain analytics, and automated or semi-automated mechanisms to validate identity, prevent fraud, allocate or restrict quotas, detect unusual transactions, identify red flags, monitor the Platform, and manage ML/TF/FPWMD risks.

These tools do not necessarily replace human review when the decision may produce significant effects on onboarding, service continuity, blocking, rejection, or restriction of operations. The data subject may file inquiries or claims regarding such decisions through the habeas data and customer service channels.

13. Data Processors and Third Parties with Whom Data Is Shared

For the provision of services, Zabio may share personal data, by way of transmission or transfer as applicable, with the following categories of third parties:

(i) Operating Partners and Technology Partners involved in the onboarding, mandate, operation, collection, disbursement, validation, or user service flow;

(ii) identity verification, KYC/KYB, biometrics, liveness proof, authentication, OTP, and fraud prevention providers;

(iii) restrictive list, PEP, sanctions, records, reputational analytics, and public source screening providers;

(iv) blockchain analytics, wallet monitoring, crypto-asset traceability, and transactional risk assessment providers;

(v) technology infrastructure, cloud, hosting, cybersecurity, communications, support, storage, and data processing providers;

(vi) financial institutions, payment gateways, liquidity providers, custodians, exchanges, blockchain networks, bridging providers, and operational infrastructure entities, including SureFX LLC when involved in the operation;

(vii) legal, accounting, tax advisors, auditors, reviewers, and consultants subject to confidentiality duties;

(viii) administrative, judicial, tax, financial, supervisory authorities, judicial police, or financial intelligence units, when there is a legal obligation, valid requirement, or need for defense of rights.

When such third parties act as Processors, Zabio will enter into data transmission agreements or equivalent instruments. When they act as independent Controllers, they must process data in accordance with their own policies, applicable regulations, and authorized or legally permitted purposes.

14. International Data Transfer and Transmission

Due to the technological and international nature of the services, Zabio may transfer or transmit personal data to Processors or Controllers located outside Colombia. In such cases, Zabio guarantees, pursuant to article 26 of Law 1581 of 2012 and Decree 1074 of 2015, that one of the following conditions is met: (i) the recipient country provides adequate levels of data protection according to the standards set by the SIC; (ii) the express and unequivocal authorization of the data subject has been obtained; (iii) the transfer is necessary for the execution of a contract or for handling a request from the data subject; (iv) the transfer is necessary for compliance with legal or regulatory obligations; or (v) standard contractual clauses or equivalent instruments that guarantee data protection have been signed.

For transfers to countries that have not been declared to have adequate protection, Zabio enters into contractual instruments with third parties that ensure the protection of personal data (data processing agreements, standard contractual clauses, security annexes), as well as equivalent obligations regarding confidentiality, incident notification, limited purpose, and data subject rights.

In cases of international data transmission to Processors located outside Colombia, Zabio will ensure that a transmission contract or equivalent instrument exists that establishes, at a minimum, the scope of Processing, authorized activities, Processor obligations, security measures, confidentiality, sub-processing restrictions, data subject rights handling, incident notification, and rules for return, deletion, or anonymization of information.

When the operation involves international transfer to independent Controllers located in jurisdictions without adequate protection levels, Zabio will verify the existence of an enabling legal basis or will request the express and unequivocal authorization of the data subject, when required.

15. Processing in the Context of Blockchain and Digital Assets

Zabio's operations are executed on blockchain infrastructure, which imposes particular considerations regarding the Processing of personal data that the data subject acknowledges and accepts:

  • Immutability: Transactions recorded on public blockchains are, by their technical nature, immutable and cannot be deleted. Therefore, Zabio applies a principle of data minimization on-chain: only information strictly necessary for the technical execution of the operation is recorded on-chain (typically wallet addresses, amounts, hashes, and pseudonymized references).
  • Identifiable off-chain data: Identifiable personal data (identity, biometrics, contact, financial, documentary evidence) is stored in off-chain databases under security and restricted access controls, and is never published on-chain.
  • Pseudonymization: Wallet addresses are considered pseudonymized data; they can be linked to the data subject only through complementary information stored off-chain by Zabio or its compliance partners.
  • Automatic cross-border transfer: The replication of blockchain records in globally distributed nodes means that on-chain data (not identifiable on its own) circulates internationally. The data subject acknowledges and accepts this technical characteristic as a condition for using the Platform.
  • Technical limitations on the right to deletion: The exercise of the right to deletion over data contained on-chain has technical limitations inherent to the immutable nature of blockchain. Zabio guarantees effective deletion of identifiable data stored off-chain when appropriate, and implements delinking or anonymization mechanisms to mitigate reverse traceability of on-chain data.

Acceptance of these technical characteristics does not imply the data subject's waiver of their habeas data rights. When a right cannot be materially exercised over on-chain records due to technical immutability reasons, Zabio will adopt reasonable measures over off-chain information under its control, including updating, delinking, anonymization, access restriction, or deletion, as applicable and provided there is no legal or contractual duty of preservation.

16. Data Subject Rights

In accordance with article 8 of Law 1581 of 2012 and related regulations, the data subject has the following rights:

  • To know, update, and rectify their personal data before Zabio, in its capacity as Data Controller.
  • To request proof of the authorization granted to Zabio, except in cases where the law does not require it.
  • To be informed, upon request, about the use Zabio has given to their personal data.
  • To file complaints before the Superintendence of Industry and Commerce (SIC) for violations of data protection regulations.
  • To revoke the authorization and/or request deletion of data when the Processing does not comply with legal principles, rights, and guarantees, or when it is no longer necessary for the authorized purposes.
  • To access their personal data that has been subject to Processing free of charge, at least once per calendar month.
  • To object to Processing when it is not appropriate under the law or when the legal basis is consent and it has been revoked.
  • To request, when technically and legally feasible, the delivery of their personal data in a structured or interoperable format, in accordance with Zabio's technical capabilities, applicable legal restrictions, and without affecting third-party rights, trade secrets, Platform security, or preservation duties.

The data subject may exercise these rights directly or through their legal representative or agent. Data may only be delivered to those who prove they are the data subject or legitimate representative, as set forth in section 17.

17. Procedure for Exercising Rights

17.1. Channel

Requests for exercising rights may be submitted via email to info@zabio.com with the subject line "Personal data request," or through other channels that Zabio may enable.

17.2. Minimum Request Content

  • Identification of the data subject and, when applicable, of the legal representative or agent.
  • Clear and precise description of the facts giving rise to the request and the right to be exercised.
  • Physical or electronic address for notifications.
  • Supporting documents the applicant wishes to invoke.

17.3. Response Times

  • Inquiries: Will be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to answer the inquiry within that period, the data subject will be informed before expiration, stating the reasons for the delay and indicating the date on which the inquiry will be answered, which may not exceed an additional five (5) business days.
  • Claims: The maximum period for addressing claims shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within that period, the data subject will be informed of the reasons for the delay and the date on which the claim will be addressed, which may not exceed an additional eight (8) business days.
  • Incomplete requests: When the request does not contain the minimum required information, the applicant will be asked to remedy it within five (5) business days; after two (2) months without a response, the request will be deemed withdrawn.

To file a complaint before the Superintendence of Industry and Commerce for alleged violations of personal data protection regulations, the data subject must, when required by applicable regulations, have previously exhausted the inquiry or claim process before Zabio.

17.4. Applicant Authentication

To prevent impersonation, Zabio may request additional authentication mechanisms from the applicant (security questions, OTP, biometrics, or other suitable mechanisms) before processing the request.

18. Zabio's Duties

18.1. As Data Controller

  • Guarantee the data subject the full and effective exercise of their rights.
  • Request and preserve the authorization granted by the data subject.
  • Inform the data subject about the purpose of Processing and their applicable rights.
  • Preserve information under reasonable security measures that prevent alteration, loss, consultation, unauthorized or fraudulent use or access.
  • Ensure that information provided to the Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
  • Promptly update data when changes occur and communicate updates to the Processor.
  • Rectify data when necessary and communicate corrections to the Processor.
  • Provide the Processor only with data whose Processing has been previously authorized.
  • Require the Processor to respect the security and privacy conditions of the data subject's information.
  • Process inquiries and claims filed within the terms established by law.
  • Adopt an internal manual of policies and procedures to ensure proper compliance with the law.
  • Inform the Processor when certain information is being disputed by the data subject.
  • Notify the SIC when there are violations of security codes and risks in information management.
  • Comply with instructions issued by the SIC.

18.2. As Data Processor

  • Guarantee the data subject the full and effective exercise of their rights.
  • Preserve information under reasonable security measures.
  • Promptly update, rectify, or delete data as informed by the Controller.
  • Update information reported by Controllers within five (5) business days from receipt.
  • Process inquiries and claims.
  • Record in the database the legend "claim in process" when applicable.
  • Insert the legend "information under judicial dispute" when ordered by a competent authority.
  • Refrain from circulating information that is being disputed and whose blocking has been ordered.
  • Allow access to information only to authorized persons.
  • Inform the SIC about violations of security codes and risks in information management.
  • Comply with the Controller's and SIC's instructions.

19. Information Security and Incident Notification

Zabio adopts reasonable technical, human, and administrative measures to protect the confidentiality, integrity, and availability of personal data, including, among others: encryption in transit and at rest for sensitive data; profile-based access controls and multi-factor authentication; environment segregation; audit and log monitoring; backup and continuity policies; periodic staff training; confidentiality clauses with employees, contractors, and third parties.

In the event of detecting a security incident that compromises personal data, Zabio will conduct an immediate investigation, notify the Superintendence of Industry and Commerce within the legal timeframes, and, when applicable, inform affected data subjects with a description of the nature of the incident, the categories of data compromised, the measures adopted, and recommendations to mitigate potential consequences.

Zabio will maintain an internal security incident management procedure that includes identification, containment, impact analysis, documentation, remediation, reporting to authorities when appropriate, and communication to affected data subjects when the incident may pose a significant risk to their rights. The decision to notify data subjects will be made considering the nature of the incident, the categories of data involved, the likelihood of impact, and available mitigation measures.

20. Retention, Deletion, and Archival

Personal data will be retained for the time reasonably necessary to fulfill the authorized purposes and, in any case, for the applicable legal periods. In particular:

  • Transactional, compliance, KYC information, and documentary evidence will be retained for a minimum of ten (10) years from the end of the relationship with the data subject, in accordance with the SAGRILAFT Manual and applicable regulations.
  • Employee labor and post-contractual information will be retained for the periods required by labor and archival legislation.
  • Accounting and tax records will be retained for the periods required by tax and accounting regulations.
  • Marketing and commercial communications information will be retained while the data subject's authorization is maintained and, once revoked, for the periods necessary to demonstrate compliance.

After legal periods expire, data will be securely deleted or anonymized, unless additional retention is necessary to address ongoing investigations or claims.

Biometric data will be retained only for the time necessary for identity validation, authentication, fraud prevention, security, regulatory compliance, claims handling, or defense of rights purposes, and will be deleted, anonymized, or delinked when no longer necessary, unless there is a legal, contractual, or evidentiary duty of retention.

21. Cookies and Tracking Technologies

The Zabio Platform and website use cookies and similar technologies (pixel tags, device identifiers, analytics tools) to ensure service operation, improve user experience, collect metrics, and, when applicable, offer personalized content or advertising.

The details of cookies used, their purpose, duration, and mechanisms to manage or disable them are described in the Zabio Cookie Policy, available on the website. The user may configure their browser to block or delete cookies; however, this may affect the functioning of certain sections of the Platform.

Strictly necessary cookies for operation, security, authentication, and fraud prevention may be used as part of service provision. Non-essential analytics, personalization, or advertising cookies will be managed according to available configuration options and, when required by applicable regulations, based on the data subject's authorization.

22. Policy Modifications

Zabio may modify this Policy to keep it updated and aligned with regulatory, operational, technological, or business changes. Modifications will be communicated to data subjects through reasonable means, including publication of the current version on the website and, when appropriate, direct communications to data subjects.

When modifications substantially affect data subject rights or authorized purposes, a new authorization will be requested before applying Processing under the new conditions, unless the law exempts such requirement.

Processing carried out under previous versions will be governed by the provisions applicable at the time of Processing, without prejudice to data subject rights recognized by law.

23. Effectiveness

This Personal Data Processing Policy (Version 2.1) takes effect on the date of its publication on the Zabio website (May 2026) and will remain in effect until modified or replaced by a new version. Databases managed by Zabio will be maintained while Processing purposes and applicable legal periods persist.

24. Data Subject Authorization

By accepting this Policy and granting the corresponding authorization, the data subject authorizes Zabio S.A.S. to process their personal data in accordance with the stated purposes, the types of data described, and the processing channels provided for in this Policy. When Processing involves Sensitive Data, commercial communications, international transfers requiring express authorization, or purposes not necessary for service provision, Zabio will request authorization in an express, prominent, or separate manner, as appropriate. Authorization may be manifested by any suitable means (checkboxes, digital acceptance, OTP, biometrics, data messages, electronic signature, verbal acceptance supported by mandate certificates, or other mechanisms), which shall have full evidentiary validity.

The data subject's refusal to authorize non-necessary purposes, such as commercial or advertising communications, will not affect their access to the Platform's operational services. The refusal to authorize processing necessary to validate identity, prevent fraud, comply with legal obligations, execute operations, or manage risks may prevent onboarding or execution of certain operations.

Authorization may be revoked by the data subject at any time, unless there is a legal or contractual duty requiring the preservation or Processing of the data.

25. Contact Information

Controller: Zabio S.A.S., Tax ID (NIT) 901.818.731-6.

Domicile: Carrera 15 # 95-35, Office 205, Bogota D.C., Colombia.

Email: info@zabio.com

Website: www.zabio.com

Habeas data responsible area: Compliance Area of Zabio S.A.S.

The data subject may also file complaints before the Superintendence of Industry and Commerce (SIC), the entity responsible for overseeing compliance with personal data protection regulations in Colombia.
