PRIVACY PRIVACY POLICY PERSONAL DATA TD TOYSTORE

This Privacy Policy (the “Policy”) aims to establish and inform the treatment provided by AH MEDTECH S.A.S, a company domiciled in Bogotá, Colombia, identified with NIT 901.173.141 – 0 (“The Company”) to the personal data of those who have provided them as users of TD TOY STORE, as well as to disseminate and protect the rights of the owners of said personal data. This policy defines the minimum requirements to ensure an adequate level of protection within the Company for the collection, use, disclosure, transfer, storage, and other processes of personal data.

During the processing of personal data and sensitive personal data, the Company will comply with the guiding principles of data protection established in the applicable regulations, such as: (i) legality; (ii) purpose; (iii) freedom; (iv) truthfulness; (v) transparency; (vi) access and restricted circulation; (vii) security; and (viii) confidentiality.

Categories of Personal Data Subject to Processing

To fulfill the purposes of the processing indicated in this privacy notice, it is necessary to collect and process the following personal data:

• Identification data.
• Contact information.
• Data and information related to your interests and preferences regarding our products, services, courses, conferences, and promotions.
• Traffic and location data (IPs).
• Economic, financial, and banking data. The requested personal data is mandatory, so the refusal to provide them will imply the impossibility of providing the contracted services. The data marked with an asterisk (*) in the forms provided by AH MEDTECH S.A.S. through the Platform will be necessary to comply with the contractual or legal purpose. Therefore, if the user does not provide them, it will not be possible to register on the TD TOY STORE Platform. We and our external service providers collect and use information passively in a variety of ways, including: Through your browser: Certain information is collected by most browsers, such as your Media Access Control (MAC) address, computer type (Windows or Macintosh), screen resolution, operating system version, and internet browser type and version. We may collect similar information, such as your device type and identifier if you access the site through a mobile device. Use of cookies: Cookies are a compilation of information stored directly on the computer you use. Cookies allow us to collect information such as browser type, time spent on the site, pages visited, and language preferences. We and our service providers use the information for security purposes, to facilitate navigation, display information more effectively, and personalize your experience when using the Site. We also use cookies to recognize your computer or device, making it easier to use

the Site, such as remembering what is in your shopping cart. Additionally, we use cookies to obtain statistical information about Site usage to continuously improve its design and functionality, understand how people use it, and help us answer questions about it. Cookies even allow us to select which of our ads or offers are most likely to attract you and display them while you are on the Site. We may also use cookies in online advertising to track consumer responses to our ads.

You can refuse to accept these cookies by following your browser’s instructions; however, if you do not accept them, you may experience some inconvenience in using the site. You may also not receive advertising or other offers from us that are relevant to your interests and needs. For more information about cookies, visit www.allaboutcookies.org.

Use of pixel tags, visitor counters, transparent GIFs, or other similar technologies: These may be used in connection with some pages of the site and HTML-formatted email messages to, among other things, track user actions on the site and email recipients, measure the success of our marketing campaigns, and compile statistics about site usage and response rates.

Online behavioral advertising: The use of cookies, pixel tags, visitor counters, transparent GIFs, or similar technologies allows our external providers to deliver ads about our products and services when you visit the Site or other websites or web properties via the Internet. These providers may place pixel tags, visitor counters, transparent GIFs, or similar technologies on the Site and other websites or web properties and may also place or recognize third-party cookies when you visit the Site or other websites or web properties. They may use information about your visits to the Site and other websites or web properties to provide ads about goods and services that may be of interest to you.

IP Address: Your IP address is a number that your Internet Service Provider (ISP) automatically assigns to the computer you are using. An IP address is automatically identified and recorded in our server log files when a user visits the Site, along with the visit time and the page(s) visited. Collecting IP addresses is common practice on the Internet and is done automatically by many websites. We use IP addresses for purposes such as calculating Site usage levels, helping to diagnose server problems, and managing the Site.

Device Information: We may collect information about your mobile device, such as a unique device identifier.

For the processing of personal data, the Company will request prior, express, informed, and clear authorization from the data subject. The foregoing, except for cases where applicable regulations allow the processing of data without requiring authorization.

The processing of personal data will be carried out in accordance with the express consent authorized by the data subject and/or their representative, and only for the purposes provided therein.

Consent will not be necessary for the processing of personal data when:

• Information required by a public or administrative entity in the exercise of its legal functions or by court order.
• Data of public nature.
• Cases of medical or health emergencies.
• Information processing authorized by law for historical, statistical, or scientific purposes. Personal data will only be subject to processing for as long as it is reasonable and necessary, in accordance with the purposes that justified it, and in compliance with the applicable provisions in the relevant matter (e.g., administrative, accounting,

tax, legal, and historical aspects of the information). Once the purpose(s) of the processing has been fulfilled, and without prejudice to legal norms to the contrary, the Company must proceed with the deletion of the personal data in its possession, without prejudice to the possibility of retaining those that are required to comply with a legal or contractual obligation.

The processing of personal data will be carried out under high standards of security and confidentiality, using the data exclusively for the purpose described in the corresponding privacy notice, and complying with the requirements of the applicable regulations.

The Company will provide the technical, human, and administrative measures that are necessary to provide security to the records, avoiding their alteration, loss, consultation, unauthorized or fraudulent use, or access. The Company’s obligation and responsibility are limited to providing the appropriate means for this purpose. The Company does not guarantee the total security of your information nor is it responsible for any consequences arising from technical failures or unauthorized access by third parties to the database or file where the personal data subject to processing by the Company and its processors are stored. The Company will require third parties it contracts with or shares information with to adopt and comply with appropriate technical, human, and administrative measures for the protection of personal data concerning which such third parties act as processors.

TREATMENT AND PURPOSE

The Company, acting as the data controller, for the proper development of the activities contemplated in its corporate purpose, collects, stores, uses, circulates, deletes, processes, compiles, reproduces, exchanges, updates, arranges, communicates, and transmits, as the case may be, personal data of individuals with whom it has or has had a relationship.

Among the general purposes for which the Company processes this personal data are the following:

• Conduct activities inherent to the Company’s corporate purpose.
• Carry out commercial and marketing activities through the processing of personal data of clients and suppliers.
• Send important information about your relationship with the Company, as well as about the products, campaigns, events, websites, or digital initiatives of the Company, and any modifications to the terms, conditions, and policies of the Company.
• Monitor activities, manage actions, identify opportunities, assess service quality, for administrative, organizational, academic, scientific, research, reporting obligations established by law or Codes of Ethics.
• Comply with legal, judicial, and contractual obligations.
• For commercial purposes, such as data analysis, market research, audits, new product development, website improvement, improvement of Company’s products and services, identification of site usage trends, and determination of the effectiveness of our promotional campaigns.
• Respond to your inquiries and address your requests, as well as send you the requested documents or email alerts.
• Track and process reports of product quality complaints and adverse events.
• Share it with our external service providers who provide services such as website hosting and moderation, mobile application hosting, data analysis, payment processing, order fulfillment, infrastructure provision, IT services, customer service, email and direct mail delivery services, credit card processing, customer and supplier analysis, audit services, and other services, in order to enable them to provide services.
• Share it with a third party in the event of a reorganization, merger, sale, divestiture, joint venture, assignment, transfer, or other disposition of all or part of our business, assets, or shares (including acts related to any

bankruptcy or similar process), as well as due to any changes in the

corporate or administrative structure of the Company.

• Respond to requests from public and government authorities, including public and government authorities in your country of residence and abroad.
• Enforce our terms and conditions. RIGHTS OF DATA SUBJECTS Below are the rights that you, as the data subject of the personal data processed by the Company, are entitled to:

• Know, update, and rectify your personal data in relation to the Company. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, fragmented data, data that induces error, or those whose processing is expressly prohibited or has not been authorized.
• Request proof of the authorization granted to the Company for the processing of Personal Data.
• Be informed by the Company, upon request, regarding the use it has made of your personal data.
• Lodge complaints with the competent authority for violations of personal data protection.
• Revoke the authorization and/or request the deletion of the data, without prejudice to the foregoing, deletion or revocation shall not apply when the data subject has a legal or contractual duty to remain in the database or while the relationship between the data subject and the Company that led to the collection of the personal data is in effect.
• Access, free of charge, your personal data that have been subject to Processing. UPDATE, RECTIFY, AND DELETE INFORMATION AND REVOKE PROCESSING AUTHORIZATION The owner, successors, representatives, or authorized persons may consult, update, rectify, and/or delete their personal data processed by the Company, as well as revoke the processing authorization, at any time and at no cost. For these purposes, you must send a detailed communication of your request addressed to any of the following addresses: Email: johana@alfredohoyos.com In all communications sent to the Company, please include an email or physical address so that the company can respond to your request. Your request will be attended to within a maximum term of ten (10) business days counted from the date of receipt. If it is not possible to attend to the consultation or request within said term, you will be informed, stating the reasons for the delay and indicating the date on which your consultation or request will be attended to, which in no case may exceed five (5) business days following the expiration of the initial term. The Company may deny access to personal data, or the revocation of authorization, or the request for deletion of data in the following cases:

• When the requester is not the owner of the personal data, their successor (e.g. heirs, successor), or the legal representative is not duly accredited for it.
• When the requester is not a public or administrative entity exercising its legal functions, or there is no court order.
• When the Owner has a legal or contractual duty to remain in the database. •

For consultations with a frequency greater than one per calendar month, the Company may only charge the owner for the expenses of shipping, reproduction, and, if applicable, certification of documents. The reproduction costs may not exceed the costs of recovering the corresponding material.

PROCEDURE FOR HANDLING COMPLAINTS AND CLAIMS

If you believe that the information contained in a database should be corrected, updated, or deleted, or if you notice the alleged non-compliance with any of the duties contained in this data policy, you may submit a complaint to the Company at the email or address detailed below.

For these purposes, you must send a detailed communication in order to submit a complaint or claim:

• Identification.
• Description of the facts giving rise to the claim.
• An address for the Company to respond to your claim. • Attach any document(s) you wish to assert.

To the following email address: johana@alfredohoyos.com

Incomplete Claim: If the claim is incomplete, you will be requested, within five (5) business days following the receipt of the claim, to provide the missing information. Two (2) months after the date of the request, if the requester has not provided the required information, it will be understood that they have withdrawn the claim.

Complete Claim: Once the complete claim is received, a legend stating “claim in process” and the reason for it will be included in the database, within a period not exceeding two (2) business days. This legend must be maintained until the claim is decided.

The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of its receipt. If it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial term.

TRANSFER OF PERSONAL DATA

The Company may transmit your personal data to unrelated third parties that meet minimum data protection standards, when necessary to comply with contractual, legal obligations, or related to the business line associated with the information.

Likewise, considering that the Company’s domicile is located in Bogotá, Colombia, and in order to centralize information, your personal data will be transmitted and stored outside the country in which it is located. For this purpose, we take the appropriate legal and security precautions to safeguard the security and integrity of the transferred personal data.