Privacy notice of Serviap S.A. DE C.V.

COMPREHENSIVE PRIVACY NOTICE

This document constitutes the integral Privacy Notice of SERVIAP S.A. DE C.V. with address located at Sor Juana Inés De La Cruz No. 22, Piso 3, Oficina 320-B, Colonia Tlalnepantla Centro, Municipio Tlalnepantla de Baz, C.P. 54030, State of Mexico, who is responsible for the treatment of the personal data you provide us, which will be protected in accordance with the provisions of the Federal Law for the Protection of Personal Data in Possession of Individuals and the provisions that emanate from it or are related to it.

1.- DEFINITIONS For the purposes of this Notice and in accordance with the Federal Law for the Protection of Personal Data in Possession of Individuals, the following definitions shall apply:

A. Privacy Notice: Physical and/or electronic document generated by the responsible party that is made available to the holder, prior to the processing of his/her personal data.

B. Personal Data: Any information concerning an identified or identifiable natural person.

C. Controller: It is understood as the individual or legal entity that decides on the processing of the Personal Data of the Data Subject, in this case, SERVIAP.

D. Processor: Refers to the individual or legal entity that, independently or together with others, processes Personal Data on behalf of the Controller.

E. Data Subject: The natural person to whom the Personal Data belongs, or who is authorized to provide Personal Data of a third party in accordance with the applicable laws, who provides such Personal Data to the Controller.

F. Transfer: Any communication of data made to a person other than the Controller or the Processor.

G. Portal: The reference to a Portal in this document means the reference to https://serviapgroup.com/privacy-policy.

H. ARCO Rights: Rights of Access, Rectification, Cancellation and Opposition.

I. Tacit Consent: It shall be understood that the Data Subject has consented to the processing of the data, when the Privacy Notice has been made available to him/her and he/she does not express his/her opposition.

2. OWNER CONSENT

For the purposes of the provisions of Article 17 of the Federal Law for the Protection of Personal Data in Possession of Individuals, the Data Subject declares that: (i) the Controller has disclosed this Privacy Notice, (ii) has read, understood and accepted the terms set forth in this Privacy Notice; therefore, he/she grants his/her consent regarding the processing of his/her Personal Data for the purposes set forth in the Federal Law for the Protection of Personal Data in Possession of Individuals and other applicable legislation. In the event that the Personal Data collected includes sensitive or financial Personal Data, by signing the corresponding contract, either in printed format or through electronic means and its corresponding processes for the formation of consent, for example, but not limited to, the provision of Personal Data through dialogue windows, or the display and traversal of terms and conditions on screen, acts that constitute the express consent of the holder in terms of the second paragraph of article 8 of the Federal Law for the Protection of Personal Data in Possession of Individuals and other applicable legislation, and (iii) that it grants its consent for SERVIAP, or its agents to transfer Personal Data to national or foreign third parties, with the understanding that the treatment that these third parties give to its Personal Data must comply with the provisions of this Privacy Notice, and (iv) that it grants its consent to SERVIAP, or its agents, to transfer Personal Data to national or foreign third parties, with the understanding that the treatment that these third parties give to its Personal Data must comply with the provisions of this Privacy Notice.

In the event that the Data Subject does not object to the terms of this Privacy Notice within 48 hours after it is made available, its content shall be deemed to have been agreed and consented to, in terms of the third paragraph of Article 8 of the Federal Law for the Protection of Personal Data in Possession of Individuals. The consent of the Data Subject may be revoked at any time by the Data Subject, without retroactive effect, under the terms and in accordance with the procedures set forth below under this Privacy Notice.

However, in any provision of this Privacy Notice, the Data Subject acknowledges that his or her consent for the processing of Personal Data by the Controller or third parties shall not be required in any of the cases indicated in Article 10 of the Federal Law for the Protection of Data in Possession of Individuals.

ARCO Rights

You have the right to know what personal information we have about you, what it is used for and the conditions of the use we make of it (Access). Likewise, it is your right to request the correction of your personal information in case it is outdated, inaccurate or incomplete (Rectification); that we remove it from our records or databases when you consider that it is not being used in accordance with the principles, duties and obligations under the law (Cancellation); as well as oppose the use of your personal data for specific purposes (Opposition). These rights are known as ARCO rights.

3. PURPOSE OF THE PRIVACY NOTICE; INFORMATION COLLECTED; PURPOSE OF PERSONAL DATA

The purpose of this Privacy Notice is to establish the terms and conditions under which SERVIAP will receive and protect the Personal Data of the Data Subject, in order to safeguard his privacy and his right to informational self-determination, in compliance with the provisions of the Federal Law for the Protection of Personal Data in Possession of Individuals; will use the Personal Data of the Data Subject, and if applicable, transfers of Personal Data to third parties.

The Controller will collect and process the Personal Data of the Data Subject, that information that can reasonably identify him/her, through the receipt of documents, either in printed and/or digital format.

3.1. COLLECTED INFORMATION

The information that the Data Controller may collect will consist of, by way of example, but not limited to: first and last name; date of birth; age; marital status; nationality; domicile, whether private, work or fiscal; e-mail; personal or work address; telephone, home or work number; cell phone number; credit card, debit card or bank account number; Federal Taxpayers Registry Code (RFC); Unique Population Registry Code (CURP); affiliation number to the Mexican Social Security Institute, as well as others of a similar nature.

Personal Data Collection

The collection of Personal Data may be carried out when the Data Subject communicates by telephone with the Controller or with its Agents, or by direct delivery to the Controller, as well as through the use of emails and/or through the use of its websites and social networks, by voluntarily providing information through the dialogue windows enabled on the sites, or through the use of automatic data capture tools. These tools allow the collection of information that your browser sends to those websites, such as: the type of browser you use, the user’s language, access times, and the address of the websites you used to access the Responsible or Entrusted sites.

The Controller may also collect Personal Data from publicly available sources and other commercially available sources to which the Data Subject has consented to share his or her personal information.

3.2. PURPOSE OF PERSONAL DATA

The personal data of the holder are collected and processed by the responsible or its agents in order to allow the responsible to carry out the following activities and purposes:

• Provision of professional services related to our corporate purpose.
• Payroll administration.
• Management consulting in corporate areas.
• Personalized customer service related to the services described.
• Integration of customer and supplier files.
• Compliance with local and federal regulations.

In case the Holder does not want his/her personal data to be used for the purposes mentioned above, he/she should indicate it below:

• Reports on our activities or services and programs of our company. ()
• Reports on various topics of interest to our company. ()
• Contact you via email or phone to share news of interest about SERVIAP (articles, congresses, promotions, services, courses and events, etc.).

The refusal to use the Personal Data for the above purposes will not be a reason to deny the User the provision of the services and activities that he/she has contracted with SERVIAP.

SERVIAP may share your Personal Data with service providers for the administration and management of databases; automated processing of Personal Data and its storage; authentication and validation of e-mails; auditing services, and other services of a similar nature to those described. The use of the data shared will be subject to the provisions of this Privacy Notice.

Our legal basis for collecting and using your personal information will depend on the personal information in question and the specific context in which we collect it. In general, we collect and process your personal information on one or more of the following bases:

• Your consent. For example, situations where we have obtained your consent to process your personal information for certain activities (such as the use of cookies for online tracking and analysis). You are free to withdraw your consent at any time by contacting us at [email protected]. If you withdraw your consent, it will not affect the lawfulness of any processing based on your consent before you withdraw it.
• To fulfill a contractual obligation. At the time of collection, we will inform you whether the provision of your personal information is mandatory and of the possible consequences if you do not provide us with your information.
• To comply with Serviap’s legal obligations where laws or regulations require the processing of your personal information (e.g. health and safety, tax and anti-money laundering laws) or where we need your personal information to protect your vital interests or those of another person.
• Serviap’s legitimate interests, which include the provision of this website and/or the relevant Services, and/or the conduct of marketing activities, provided that our legitimate interests are not outweighed by any prejudice or harm to your rights and freedoms.

If you have any questions or need more information about the legal basis on which we collect your personal information, please contact us at [email protected].

4. USE OF COOKIES

The correct functioning of SERVIAP and its suppliers’ sites requires the enabling of “cookies” in your Internet browser. Cookies are small data files that are transferred from the website to your computer’s hard drive when you browse the site. Cookies can be either session or persistent. Session cookies do not remain on your computer after you close your browser, while persistent cookies remain on your computer until they are deleted or expire.

In most browsers, cookies are automatically accepted with default settings. You can adjust your browser preferences to accept or reject cookies. Disabling cookies may disable various functions of SERVIAP websites or cause them to display incorrectly. If you prefer to delete the cookie information sent by SERVIAP, you can delete the file(s) at the end of each browser session. You can consult relevant information on the sites of the main Internet browsers.

The website uses cookies and similar technologies, such as pixel tags and software development kits, to help personalize your online experience. For detailed information about cookies and the types of cookies we use, please read our cookie policy.

Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you.

Use of Web Beacons (also known as Internet tags, pixel tags and clear GIFs). SERVIAP may use Web beacons, alone or in combination with cookies, on its Web sites and in HTML emails, to collect information about the use of the Web sites and your interaction with the email. A Web beacon is an electronic image, called a single pixel (1×1) or GIF, that can recognize information processed on your computer, such as cookies, the time and date the site and its sections are displayed.

Links in SERVIAP e-mails. Emails that include links allow SERVIAP to know if you activated the link and visited the destination website, and this information may be included in your profile. The Personal Data that SERVIAP obtains from its commercial sources may be used together with the Personal Data it collects through its websites.

5. DATA TRANSFER

We inform you that your personal data is shared with persons, companies, organizations and authorities other than the responsible party, and for the purposes described below:

6. INTERNATIONAL TRANSFERS

Serviap may transfer your personal information to other companies within the Serviap group of companies and/or its business partners, if necessary for the purposes described in this Privacy Statement. This may involve transferring your personal information to countries outside your home country or region, including outside the European Economic Area or the United Kingdom if that is your region, which may have a different level of data protection than your home country. Such countries may include, but are not limited to, the United States and other countries in which Serviap or its subsidiaries, affiliates or business partners do business. In order to provide adequate protection for the transfer of your personal information, we have contractual arrangements such as Standard Contractual Clauses (as applicable) with our subsidiaries, affiliates and business partners regarding such transfers. We will take all reasonable technical and organizational measures to safeguard the personal information we transfer.

7. PROTECTION AND SECURITY OF PERSONAL DATA

The Responsible Party and/or its Agents shall keep the Personal Data of the Data Subject for the time necessary to process their requests for information about our services, as well as to keep accounting, financial and auditing records in accordance with the Federal Law for the Protection of Personal Data in Possession of Individuals and the commercial, fiscal and administrative legislation in force.

8. PROCEDURE FOR EXERCISING RIGHTS ARC

In order to exercise the ARCO Rights, the Data Subject or his/her representative must submit a written request for Access, Rectification, Cancellation or Opposition with the following information and documentation:

(a) Name of the Data Subject and address or other means to communicate the response to his/her request;

b) Documents proving his/her identity (simple printed or electronic copy of his/her voter’s credential, passport or temporary or permanent resident card) or, if applicable, the legal representation of the Data Subject (simple printed or electronic copy of the simple power of attorney with the handwritten signature of the Data Subject, the attorney-in-fact and their respective official identifications – (voter’s credential, passport, temporary or permanent resident card);

c) The clear and precise description of the Personal Data with respect to the specific search of the ARCO Rights; and

d) Any other element or document that facilitates the location of the Personal Data of the Data Subject.

In the case of requests for rectification of Personal Data, the respective Data Subject shall also indicate the modifications to be made and provide the documentation supporting his/her request.

For the reception, registration and attention of requests to exercise your right of access, rectification, cancellation and opposition to your Personal Data, as well as to limit the use or disclosure of your data and other rights provided for in the Federal Law for the Protection of Personal Data in Possession of Individuals, please contact:

E-mail: [email protected]

The Controller or its Agents shall respond to the respective Data Subject within a maximum term of twenty working days, counted from the date on which the request for access, rectification, cancellation or opposition was received, communicating the determination adopted, so that, if applicable, it becomes effective within fifteen days from the date on which the response is communicated to the Data Subject. In the case of requests for access to Personal Data, the Controller or its Agents shall proceed to deliver them upon proof of the identity of the applicant or his legal representative, as the case may be. The aforementioned deadlines may be extended only in terms of the Federal Law for the Protection of Personal Data in Possession of Individuals.

The delivery of Personal Data will be free of charge, and it will only correspond to cover the justified shipping costs or the cost of reproduction in copies or other formats.

For requests for cancellation of Personal Data, in addition to the provisions of this Privacy Notice, the provisions of Article 26 of the Federal Law for the Protection of Personal Data in Possession of Individuals shall apply, including the cases of exception to the cancellation of Personal Data indicated.

Under applicable law, you may have one or more of the following:

• right to know, access and request information about the personal information we hold about you, including details of how we use that information and with whom we share it;
• right to request a copy of the personal information we hold about you;
• right to amend, correct or rectify your personal information if any of the information held about you is incorrect or out of date;
• right to portability of your personal information;
• right to request deletion of your personal information;
• right to demand that we cease processing your personal information or restrict the processing of your personal information;
• right to withdraw your consent to the processing of your personal information, to the extent that our processing relies on your consent as the lawful basis for the processing; and/or
• right to provide us with instructions about the processing of your personal information in the event of your death.

9. CHANGES TO THE PRIVACY NOTICE

SERVIAP reserves the right to periodically update this Notice to reflect changes in our information practices. It is the responsibility of the Holder to periodically review the content of the Privacy Notice on the site https://serviapgroup.com/privacy-policy. The Responsible Party shall understand that if it does not express otherwise, it means that the Holder has read, understood and accepted the terms established, which constitutes its consent to the changes established in such updates regarding the treatment of its Personal Data for the purposes of the Federal Law for the Protection of Personal Data in Possession of Individuals and other applicable laws.

10. PROTECTING CHILDREN’S PRIVACY

Serviap does not knowingly collect or solicit Personal Information from anyone under the age of 16. Children under the age of 16 are not the target audience for our website. If you are under 16, please do not provide us with any Personal Information. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Policy by instructing their children never to provide Personal Information through our website.

11. ARTIFICIAL INTELLIGENCE (IA) SERVICE PROVIDERS (PROCESSORS)

Our Platform incorporates AI functionalities that can be powered by third parties, such as our, our AI-powered chatbot and our Customer-facing candidate analytics tool.

When Serviap integrates AI providers, we are committed to implementing strict privacy safeguards.

At a minimum we contractually guarantee that Personal Data is not available to the vendor’s other users and is not used to train the vendor’s AI models.

Currently, none of our AI-based functionalities include any automated decision-making without human intervention. In addition, the use of our AI functionalities is optional.

We identify which AI functionalities operate with Personal Data, ensuring that our practices remain transparent and compliant.