Privacy Statement

PUY Group SAS is a B2B automated financial reconciliation platform built on blockchain and smart contracts, designed for pension funds, fiduciaries, corporate banking, and stock brokers in Colombia and Latin America.

We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Statement describes PUY Group SAS's policies and practices regarding its collection and use of your personal data, and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Statement as we undertake new personal data practices or adopt new privacy policies.

PUY Group SAS is a fully remote company with operations in Colombia. PUY has designated its CEO as the data protection contact for you to reach if you have any questions or concerns about PUY's personal data policies or practices. If you would like to exercise your privacy rights, please direct your query to PUY's data protection contact.

PUY Group SAS collects personal information about its website visitors and customers. With a few exceptions, this information is generally limited to:

• Name
• Job title
• Employer name
• Work address
• Work email
• Work phone number

We use this information to provide prospects and customers with PUY's financial reconciliation services.

We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of our services.

From time to time, PUY receives personal information about individuals from third parties. Typically, information collected from third parties will include further details on your employer or industry. We may also collect your personal data from a third party website (e.g. LinkedIn).

As is true of most other websites, PUY's website (puygroup.com) collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of PUY's website, including a history of the pages you view.

We use this information to help us design our site to better suit our users' needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.

PUY has a legitimate interest in understanding how members, customers and potential customers use its website. This assists PUY with providing more relevant products and services, with communicating value to our customers, and with providing appropriate staffing to meet customer needs.

PUY's website uses cookies and similar tracking technologies to improve your browsing experience, analyze site traffic, and personalize content. Cookies are small text files stored on your device when you visit our site.

We use the following types of cookies:

• Essential cookies: Necessary for the basic functioning of the website and platform.
• Analytical cookies: Help us understand how visitors interact with our site, allowing us to improve our offering.
• Preference cookies: Allow the website to remember information that changes the way the site behaves or looks, such as your preferred language.

You can control and/or delete cookies as you wish. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.

For more information about our use of cookies, contact us at soporte@puygroup.com.

PUY collects data in the context of providing its financial reconciliation services to enterprise clients. Data processed in the service context includes financial transaction data, account information, and portfolio position data provided by clients for reconciliation purposes.

All data processed through PUY's services is subject to the terms of the data processing agreement signed with each client. PUY acts as a data processor on behalf of its enterprise clients for service data, and as a data controller for platform user account data.

Service data is processed exclusively for the purpose of providing, maintaining, and improving PUY's reconciliation services, and is not used for any other purpose without the explicit consent of the client.

The personal information PUY collects from you is stored in one or more databases hosted by third parties located in the United States. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval.

Our third-party sub-processors include:

• Amazon Web Services (AWS) — Cloud infrastructure, storage, and compute services
• MongoDB Atlas — Managed database service
• GitHub — Version control and CI/CD
• Microsoft 365 / Entra — Corporate productivity and identity

We do not otherwise reveal your personal data to non-PUY persons or businesses for their independent use unless: (1) you request or authorize it; (2) it is required to comply with the law; (3) the information is provided to our agents, vendors or service providers who perform functions on our behalf; (4) to address emergencies; or (5) to address disputes or claims.

We may gather aggregated data about our services and website visitors and disclose the results of such aggregated (but not personally identifiable) information to our partners, service providers, and/or other third parties for marketing or promotional purposes.

PUY Group SAS is headquartered in Colombia and operates as a fully remote company. Information we collect about you may be processed in the United States, where our cloud infrastructure providers (primarily AWS) are located. By using PUY's services, you acknowledge that your personal information may be processed in the United States.

The United States has not sought nor received a finding of "adequacy" from the European Union under Article 45 of the GDPR. Pursuant to Article 46 of the GDPR, PUY is providing for appropriate safeguards by entering binding, standard data protection clauses, enforceable by data subjects in the EEA and the UK.

PUY also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate. Since it was founded, PUY has received zero government requests for information.

For more information, please contact us at soporte@puygroup.com.

The European Union's General Data Protection Regulation (GDPR), Colombia's Law 1581 of 2012 (Personal Data Protection Law), and other countries' privacy laws provide certain rights for data subjects. Data Subject rights under GDPR include the following:

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure (right to be forgotten)
• Right to restrict processing
• Right of data portability
• Right to object
• Rights related to automated decision making including profiling

This Privacy Statement is intended to provide you with information about what personal data PUY collects about you and how it is used.

If you wish to confirm that PUY is processing your personal data, or to have access to the personal data PUY may have about you, please contact us. You have a right to correct (rectify) the record of your personal data maintained by PUY if it is inaccurate. You may request that PUY erase that data or cease processing it, subject to certain exceptions.

Reasonable access to your personal data will be provided at no cost. To exercise any of these rights, contact us at soporte@puygroup.com.

PUY implements appropriate technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. Our security measures include:

• Data encryption at rest (AES-256) and in transit (TLS 1.3)
• Mandatory two-factor authentication (2FA) for all platform users
• Role-based access controls with the principle of least privilege
• Continuous infrastructure monitoring via AWS GuardDuty and Vanta
• Immutable blockchain-based audit trail for all platform actions
• Periodic access reviews and security audits

PUY is pursuing SOC 2 Type II certification via Vanta, demonstrating our commitment to the highest standards of information security.

While no security system is completely infallible, PUY takes all reasonable precautions to protect your data.

Your personal data is stored by PUY on its servers, and on the servers of the cloud-based database management services PUY engages, located in the United States (AWS us-east-1).

PUY retains service data for the duration of the customer's business relationship with PUY and for a period of time thereafter, to analyze the data for PUY's own operations, and for historical and archiving purposes associated with PUY's services.

PUY retains prospect data until such time as it no longer has business value and is purged from PUY systems. All personal data that PUY controls may be deleted upon verified request from Data Subjects or their authorized agents.

For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at soporte@puygroup.com.

PUY Group SAS is a platform designed exclusively for business use (B2B). We do not knowingly attempt to solicit or receive information from children. If you believe we have collected personal information from a minor, please contact us immediately at soporte@puygroup.com so that we can take appropriate action.

If you have questions, concerns, complaints, or would like to exercise your privacy rights, please contact us through any of the following:

We are committed to responding to all privacy requests within 30 business days of receipt. If you are not satisfied with our response, you may escalate your complaint to Colombia's Superintendencia de Industria y Comercio (SIC) or, if you are located in the European Union, to your country's data protection authority.