PRIVACY POLICY

INTERNATIONAL MEDICAL CONNECTIONS S.A.S. acting as Data Controller for the personal data collected from its stakeholder groups in the development of its corporate purpose, in order to ensure proper compliance with Law 1581 of 2012, Regulatory Decree 1377 of 2013 and/or the norms that modify, add, or complement them; through this document, adopts the policies for the protection of personal data (hereinafter the “Policy”) in order to inform the data subjects (hereinafter the “Data Subjects”) of their rights and the procedures to guarantee respect for them. It also aims to establish criteria for the collection, storage, use, circulation, and deletion of collected personal data.

To address queries, requests, or complaints related to personal data protection, the company provides the following channels:

To provide clarity to Data Subjects regarding the regulatory framework governing the processing of personal data,

the most relevant regulations on the subject are listed below:

Regarding the stipulations of Article 2 of Law 1581 of 2012, this Policy shall apply exclusively to the processing of personal data registered in the databases of the Data Controller or Data Processors. Therefore, and in accordance with the cited regulation, this Policy shall not apply in the following cases:

• To databases or files maintained in an exclusively personal or domestic context.
• To databases and files intended for national security and defense, as well as the prevention, detection, monitoring, and control of money laundering and terrorist financing.
• To databases whose purpose is and contain intelligence and counterintelligence information.
• To databases and files of journalistic information and other editorial content.
• To databases and files regulated by Law 1266 of 2008.
• To databases and files regulated by Law 79 of 1993.

This Policy applies to the Data Controller of the information, including, without limitation, data collected by physical means, through the website, software and/or applications developed and/or operated byINTERNATIONAL MEDICAL CONNECTIONS S.A.S.

The Data Controller may collect, use, process, consult, update, modify, delete, store, and share the personal data of Data Subjects according to their stakeholder group. Such processing will be carried out in accordance with applicable legal frameworks and may involve providers, contractors, or other persons with whom there is a permanent or occasional relationship. In any case, the use of the data will be limited to the purposes authorized by each Data Subject and defined in this Policy.

Sensitive data: Sensitive data are understood as those that affect the privacy of the data subject or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations, or that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

• The data subject has given explicit authorization for such processing, except in cases where granting such authorization is not required by law.
• The processing is necessary to safeguard the vital interest of the data subject and they are physically or legally incapacitated. In these events, legal representatives must grant their authorization.
• The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association, or any other non-profit organization, whose nature is political, philosophical, religious, or union-related, provided it refers exclusively to its members or persons who maintain regular contact due to their status. In these events, the data may not be provided to third parties without the authorization of the data subject.
• The processing refers to data necessary for the recognition, exercise, or defense of a right in a judicial process.
• The processing has a historical, statistical, or scientific nature. In this event, measures must be adopted to remove the identity of the data subjects.

Sensitive data collected will be processed for the purposes indicated in the authorizations requested from each Data Subject and/or for those related in Appendix No. 1 of this Policy.

In accordance with the provisions of Law 1581 of 2012, regulated by Regulatory Decree 1377 of 2013, the following terms are defined:

In development of Law 1581 of 2012, which regulates the protection of personal data, the following principles must be applied comprehensively:

• Principle of legality: Data Processing will be carried out in accordance with Law 1581 of 2012 and related regulations.
• Principle of purpose: Data will only be used for legitimate purposes informed to the Data Subject.
• Principle of freedom: Data will only be processed with prior, express, and informed consent of the Data Subject, except by legal or judicial mandate.
• Principle of truthfulness or quality: Information must be truthful, complete, accurate, up-to-date, and verifiable.
• Principle of transparency: The Data Subject may at any time know the existence and use of their data.
• Principle of restricted access and circulation: Data may only be processed by authorized persons and will not be freely available in public media.
• Principle of security: Technical, human, and administrative measures will be applied to protect data against unauthorized access or use.
• Principle of confidentiality: Non-public information will be kept confidential, even after the relationship ends, except by legal or contractual authorization.

Data Subjects whose personal data are processed by The Company may exercise the rights contemplated in Law 1581 of 2012, Regulatory Decree 1377 of 2013, and especially those listed below

• Know, update, and correct their data.
• Request proof of the authorization given.
• Know how their data are used.
• Revoke authorization and request data deletion.
• Access their data free of charge.
• File complaints with the SIC.
• Not answer questions about sensitive data or data of minors.

Data Subjects whose personal data are processed by The Company may exercise the rights contemplated in Law 1581 of 2012, Regulatory Decree 1377 of 2013, and especially those listed below

• Guarantee the right of hábeas data.
• Request and keep authorizations.
• Inform the purpose of data use.
• Protect information with security measures.
• Maintain truthful and updated information.
• Rectify incorrect data.
• Respond to queries and claims.
• Report security incidents to the SIC.

For the processing of personal data of stakeholder groups, the Data Controller will request prior and informed authorization from the Data Subject, which must be obtained by any means as long as it can be consulted later, including:

• Physical
• Digital
• Telephonic

• The use of data requires prior authorization (physical, digital, or telephonic).
• The data subject may revoke the authorization at any time, unless there is a legal or contractual obligation.
• Authorization is not required in cases of:
• • Court order
  • Public information
  • Medical emergencies
  • Statistical purposes

It is recorded that, in the event that INTERNATIONAL MEDICAL CONNECTIONS S.A.S. were to request sensitive information or information about children and adolescents, the response to this type of data is entirely optional. The above in accordance with Article 5 of Law 1581 of 2012. Personal data of children and adolescents collected will be processed in accordance with the stipulations of Decree 1377 of 2013.

The Data Controller's website does not use cookies or web bugs to collect personal data from the user, but their use is limited to facilitating the user's access to the website. The use of session cookies, not permanently stored on the user's device and that disappear when the browser is closed, is limited solely to collecting technical information to identify the session in order to facilitate secure and efficient access to the website and/or application. If you do not wish to allow the use of cookies, you may reject them or delete existing ones by configuring your browser and disabling the Java Script code of the browser in the security settings.

The Management will be the area in charge of receiving requests, complaints, or claims from Personal Data Subjects. This area will be responsible for carrying out the necessary internal handling to guarantee a clear, efficient, and timely response to the Data Subject.

Queries, requests, and claims must be submitted by the Personal Data Subject, successors, or representatives, through the aforementioned means and must include the identification of the Data Subject, successor, or representative, a description of the facts giving rise to the claim, supporting documents, and attach contact and/or notification details.

The Data Controller, in compliance with letter g) of Article 4 of Law 1581 of 2012, has implemented the necessary technical, human, and administrative measures to guarantee the security of the records, preventing their alteration, loss, consultation, unauthorized or fraudulent use or access.

On the other hand, through the signing of the corresponding transmission contracts, it requires the data processors with which it works or may work to implement the necessary security measures to guarantee the security and confidentiality of information in the processing of personal data.