These Data Protection and Privacy Policies constitute a contract between Users (detailed definition in the AL2 Terms of Use (https://www.al2.com.ar/terminos-y-condiciones.html) and the company FERSI S.A. (Hereinafter “AL2”), CUIT 30-68246273-2, with address at Av. Eduardo Madero 942, 7th Floor, C.A.B.A. and govern the access, visit, use and any interaction that is generated through the website www.al2.com.ar (hereinafter, the "WEBSITE") and/or the MOBILE APPLICATION provided by AL2. Users who wish to contact AL2 in order to make inquiries and requests for information may do so by sending an email to Soporteal2@al2.com.ar. AL2 will respond to the query or request within a period of 72 business hours.

The protection of the privacy of clients, officials, employees, suppliers and third parties is important for all the actions of FERSI S.A., as well as the security of the information related to them.

All information received by AL2. of its clients, officials, employees, suppliers and third parties will be duly protected, in such a way that it cannot be communicated, modified or disclosed publicly, except under the conditions and in the cases that the current legislation establishes or authorizes and consequently, it will use all technical means and takes all the necessary legal safeguards to ensure the protection of personal data and their privacy.

AL2 will act in good faith at all times, based on principles of trust, transparency and security, in accordance with current legislation.

The relationships of AL2. with its clients, officials, employees, suppliers and third parties will be developed in an environment of cordiality, balance and harmony in compliance with the spirit of this Policy.

AL2 will guarantee the confidentiality of the data provided by its clients, officials, employees, suppliers and third parties at all times, as established by current legislation.

For the interpretation of the terms that will be used in the Policy as well as in the regulations, it will be understood, according to Art. 2 of Law 25.326:

• Personal data: Information of any kind referring to determined or determinable natural persons or persons of ideal existence.
• Sensitive data: Personal data that reveals racial and ethnic origin, political opinions, religious, philosophical or moral convictions, union membership and information regarding health or sexual life.
• File, registry, base or database: Indistinctly, they designate the organized set of personal data that is subject to treatment or processing, electronic or not, whatever the modality of its formation, storage, organization or access.
• Data processing: Systematic operations and procedures, electronic or not, that allow the collection, conservation, arrangement, storage, modification, relationship, evaluation, blocking, destruction, and in general the processing of personal data, as well as its transfer to third parties. through communications, consultations, interconnections or transfers.
• Responsible for file, registry, database or data bank: Physical person or person of ideal existence, public or private, who is the owner of a file, registry or database.
• Computerized data: Personal data submitted to electronic or automated treatment or processing.
• Owner of the data: Any natural person or person of ideal existence with legal adress or delegations or branches in the country, whose data is subject to the treatment referred to in the Law N° 25.326.
• Data user: Any person, public or private, who performs data processing at their discretion, either in their own files, records or data banks or through a connection with them.
• Data dissociation: Any processing of personal data in such a way that the information obtained cannot be associated with a determined or determinable person.
• Registration of data for advertising purposes: In the case of collection of addresses, distribution of documents, advertising or direct sales and other similar activities, through which data are processed that are suitable to establish specific profiles for promotional, commercial or advertising purposes ; or allow consumption habits to be established, and provided that they are documents accessible to the public or have been provided by the owners themselves or obtained with their consent.

AL2 collects personal information in order to provide the services detailed in its Terms of Use (https://www.al2.com.ar/terminos-y-condiciones.html).

In this sense, AL2 will collect - on the website https://prod.al2.com.ar -, the following personal data provided directly by the User:

• Image of the National Identity Document (from which AL2 extracts Names, Surnames, ID Number and Address).
• Contact Information (such as Telephone Number, Email address, Address).
• Bank account data and payment information.
• Biometric data for Identity validation purposes (for which the use of the "Photographic Camera" and "Fingerprint" of the User's devices will be required).
• Contact List through which the User makes use of services provided by AL2, such as sending money between accounts.

Also, AL2 will automatically collect:

• IP address used by the User when Using the services provided by AL2
• Transactional Information and movements within AL2 (Purchases, Payments, Transfers, Fiscal Data, Bank Accounts, Bank Keys / Uniform Virtual "CBU / CVU", Messages sent to AL2).

The personal data collected by AL2> will be used for the purpose of:

• Identification, registration, identity validation of users as well as updating and correction of the information provided by the user.
• Provide support and solutions to the user.
• Offer and manage products and services in accordance with its corporate purpose.
• Provide products, services and benefits.
• Respond to comments, complaints and suggestions from users.
• Facilitate the use of the services provided by AL2 and contracted by the user.

In the case of people of ideal existence, the personal data of the attorney will be collected (in the same way as for a natural person), statute, power of attorney, Assembly minutes, condition before the treasury and financial situation. In compliance with the provisions of arts. 2 and 7 of Law 25.326, AL2 will not request information that is incompatible with the purpose of its activities, or that directly or indirectly reveals sensitive data, such as data that reveals racial and ethnic origin, political opinions, religious, philosophical or moral convictions, union affiliation, information regarding health or sexual life, except for those data that are strictly necessary. AL2 will use the information of its clients, officials, employees, suppliers and third parties for the purposes of: scientific, statistical use, to respond to your requests and/or claims, to include you as a supplier and/or client, to improve our service and the content of our Website and/or mobile application, to provide you with useful information, news and updates on products and services and obtain your opinion about our services. AL2 will use your personal data in compliance with the obligations imposed by the Personal Data Protection Law 25.326 and its regulations, respecting the rights granted by law. AL2 may hire third parties to carry out certain tasks such as support and management of minor functionalities of the application in which end user data is not altered or displayed. Said third parties will only have access to the Information necessary to fulfill their tasks and functions, and may not use it for other purposes. In the event that it is verified that the personal data collected is not useful or that the purpose for which it was collected was fulfilled, it must be destroyed in accordance with the Secure Information Elimination Procedure.

In compliance with Art. 10 of Law 25.326, AL2 will not sell, rent or share the personal information of clients, officials, employees, suppliers and third parties except in the ways established in this policy.

AL2 may hire third parties to carry out certain tasks such as UX/UI design, administrative/accounting back office. Said third parties will only have access to the Information necessary to fulfill their tasks and functions, and may not use it for other purposes.

The personal data collected by AL2 may be transferred to another continuing entity in the event of a sale, merger, division, or other legal figure that implies a corporate transaction.

AL2 will do everything in its power to protect the privacy of the information. But eventually, it may happen that by virtue of court orders or legal regulations, could be forced to reveal information to the authorities or third parties.

AL2 may collect and process information about your visits to the Website/application, such as the pages you visit and the searches you perform. This information is used to improve the content of the Website/application and to obtain and compile statistics on how individuals use the Website/application for internal and marketing purposes and to offer services to you. For these purposes, "cookies" may be installed, which are a small data set, which are sent to your browser and stored on your computer's hard drive. These "cookies" do not harm your computer and the USER may program your browser to notify you when you receive a "cookie", so that you can decide, in each case, whether to accept it or not.

According to art. 25 of Law 25.326 and Decree 1558/2001 in case of processing of personal data on behalf of third parties, AL2 will sign a contract with said third parties in relation to the treatment which establishes that said third party may not apply or use it for a purpose other than that which appears in the service contract, or assign them to other people. In said contract, it must be provided that once the contractual provision has been fulfilled, the personal data processed must be destroyed, unless there is an express authorization when the possibility of subsequent orders is presumed, in which case it may be stored with due security conditions for a period of up to two years. These contracts must contain security levels provided for in Law 25.326 and complementary regulations. Likewise, such contracts must provide, in particular: (i) that the person in charge of the treatment only acts following the instructions of the responsible of the treatment; (ii) that the obligations of article 9 of Law No. 25.326 are also incumbent on the person in charge of the treatment.

The “AGENCIA DE ACCESO A LA INFORMACIÓN PÚBLICA”, in its capacity as Control Body of Law No. 25.326, has the power to deal with complaints and claims filed by those who are affected in their rights due to non-compliance with current regulations on protection of personal data.

Right to Information: Any person may request the control entity regarding the existence of personal databases, purposes and managers. The information must be clear, comprehensive and complete.

Right of Access: The owner may access and modify their profile data directly from the application. As for the rest of the data that Fersi S.A. collects, to exercise their right of access, the user must send an email to soporteal2@al2.com.ar with the subject "DERECHO DE ACCESO" from the email that was initially registered, and determining the means by which they wish to be such access is provided (it is suggested to do so via email). We inform you that in order to provide an answer, the user must comply with the identity accreditation process that FERSI S.A. will indicate for said purposes.

Right of Rectification, Update or Deletion of data: When any data collected by FERSI S.A. is erroneous or out of date, the owner may update it either through their user profile or by sending an email to soporteal2@al2.com.ar with the subject "DERECHO DE RECTIFICACION" and specifying in the body of the mail the data that must be rectified. We inform you that in order to proceed with the rectification of the data, the user must comply with the identity accreditation process that FERSI S.A. will indicate for such purposes.

Last modification 26/04/2023

---

FERSI SA, understanding the importance of adequate information management, has committed to the implementation of an information security management system seeking to establish a framework of trust in the exercise of its duties with the State and citizens, all framed in strict compliance with the laws and in accordance with the mission and vision of the entity.

For FERSI SA, the protection of information seeks to reduce the impact generated on its assets, due to the risks identified systematically in order to maintain a level of exposure that allows us to respond for its integrity, confidentiality and availability, according to with the needs of the different interest groups identified

In accordance with the foregoing, this policy applies to the Entity in its officials, employees, third parties, suppliers and users, taking into account that the principles on which the development of actions or decision-making around the ISMS is based will be determined by the following premises:

• Minimize risk in the most important functions of the entity.
• Comply with the principles of information security.
• Comply with the principles of the administrative function.
• Maintain the trust of your customers, partners and employees.
• Support technological innovation.
• Protect technological assets.
• Establish policies, procedures and instructions on information security.
• Strengthen the culture of information security in the officials, employees, third parties, suppliers and clients of FERSI S.A.
• Guarantee business continuity in the event of incidents.
• FERSI S.A. has decided to define, implement, operate and continuously improve an Information Security Management System, supported by clear guidelines aligned to business needs and regulatory requirements.

The security principles that support the ISMS are established below

From FERSI S.A.:

FERSI S.A. will protect your information from threats originated by his empleyees.

FERSI S.A. It will protect processing facilities and the technological infrastructure that supports your critical processes.

FERSI S.A. will control the operation of your business processes, guaranteeing the security of technological resources and data networks.

FERSI S.A. will implement access control to information, systems and network resources.

FERSI S.A. It will ensure that security is an integral part of the life cycle of information systems.

FERSI S.A. through adequate management of security events and weaknesses associated with information systems, it will guarantee an effective improvement of its security model.

FERSI S.A. will guarantee compliance with legal, regulatory and contractual obligations.

The compliance of the Information Security and Privacy policy will bring with it the legal consequences that apply to the Entity's regulations, including what is established in the regulations that are the responsibility of the national and territorial Government regarding Information Security and Privacy refers.

Last modification 26/04/2023