Personal Data Processing Policy

Cierre S.A.S., a commercial company incorporated under the laws of the Republic of Colombia, headquartered in Jamundi, is the data controller for personal data collected through the Cierre mobile application and the website cierre.com.co.

Data protection contact: Legal representative: Christopher Worrell Email: dpo@cierre.com.co Website: cierre.com.co

This policy is governed by the Political Constitution of Colombia (Article 15), Statutory Law 1581 of 2012, Regulatory Decree 1377 of 2013 (compiled in Decree 1074 of 2015), and other regulations that supplement or amend them.

Personal data: Any information linked or that may be associated with an identified or identifiable natural person.

Processing: Any operation on personal data, such as collection, storage, use, circulation, or deletion.

Data subject: The natural person whose personal data is subject to processing.

Data controller: Natural or legal person who decides on the processing of personal data.

Data processor: Natural or legal person who processes personal data on behalf of the controller.

Authorization: Prior, express, and informed consent of the data subject for personal data processing.

Database: Organized set of personal data that is subject to processing.

We collect the following types of personal data:

Registration data: Name, email address, phone number, and business name provided when creating an account.

Service usage data: Payment receipt images captured by the user, data extracted via OCR (amount, date, reference, sender, bank, destination account), and organized payment history.

Device data: Device type, operating system, app version, and anonymous identifiers for service improvement.

Billing data: Managed directly by Apple App Store or Google Play Store. Cierre does not store credit card data or user financial information.

Personal data is processed for the following purposes:

- Providing the service of capturing, OCR reading, verifying, and organizing payment receipts. - Enabling team management with roles (owner, manager, employee) and multiple stores. - Generating daily summaries, statistics, and payment data exports. - Performing automatic bank reconciliation when the user uploads bank statements. - Detecting duplicate receipts and alerting about inconsistencies. - Sending service-related communications (updates, security alerts). - Improving OCR accuracy and user experience through anonymized data.

In accordance with Law 1581 of 2012, as a data subject you have the right to:

- Know, update, and rectify your personal data. - Request proof of the authorization granted for processing. - Be informed about the use given to your personal data. - File complaints with the Superintendence of Industry and Commerce (SIC) for violations of the law. - Revoke the authorization and/or request deletion of your data when constitutional and legal principles, rights, and guarantees are not respected. - Access your personal data that has been subject to processing, free of charge.

To exercise any of the rights mentioned, you may:

- Send an email to dpo@cierre.com.co with the subject "Personal data rights". - Delete your data directly from the app settings.

Cierre will respond to requests within the following legal timeframes: - Inquiries: 10 business days from receipt (extendable by 5 additional business days). - Claims: 15 business days from receipt (extendable by 8 additional business days).

Cierre does not sell, rent, or share personal data with third parties for commercial purposes.

We may transmit data to cloud infrastructure providers (data processors) solely for service delivery, under contracts that guarantee the same level of protection required by Colombian law.

In case of international data transfer, we will verify that the receiving country has adequate levels of data protection as established by the SIC.

We implement technical and organizational measures to protect personal data against unauthorized access, loss, or alteration:

- Data encryption in transit (TLS/HTTPS) and at rest. - Encrypted storage on the user's device. - Role-based access control within the application. - Continuous infrastructure monitoring. - Periodic encrypted backups.

In compliance with Article 25 of Law 1581 of 2012, Cierre S.A.S. will register its databases with the National Database Registry (RNBD) administered by the Superintendence of Industry and Commerce.

This policy is effective as of February 18, 2026.

Cierre reserves the right to modify this policy at any time. Changes will be communicated through the application and/or website. Continued use of the service after publication of changes constitutes acceptance of the updated policy.