Privacy Notice Mexico

In compliance with the duty to safeguard information and personal data, and based on the provisions of articles 3, section I, 8, 12, 15, 16, and other related articles of the Federal Law on Protection of Personal Data Held by Private Parties, PROMEQUALIA S.A. DE C.V., trading under the name Prometeo, provides this Privacy Notice.

1.1 What does this Privacy Notice regulate?

This Privacy Notice (the “Notice”) reflects our commitment to protecting the privacy of individuals regarding their personal data. This Notice applies to individuals who visit our website, register to request information, or request a business contact or demonstration of our products. It also applies to individuals using our Services (as defined below) by accessing PrometeoApi.

1.2 What is the purpose?

To provide the necessary information to ensure the protection of personal data. We explain which data we collect, for what purposes, and the resources available to you.

Regarding our Services, we clarify that it is not possible to provide the Service without access to certain personal data, as detailed below.

PROMEQUALIA S.A. DE C.V., trading under the name "Prometeo," located at Av. Insurgentes Sur 1605, 15th Floor, Module IV, San José Insurgentes, Benito Juárez, Mexico City, is responsible for processing the personal data of website visitors and Clients (as defined below).

Purpose:

• To manage the web browsing experience.
• To handle any type of request, suggestion, or inquiry about our services made by interested parties.
• Commercial communications: Processing your data to inform you about activities, articles of interest, and general information about our services via email.
• To fulfill the Service you have contracted (if you are a "Client").
• To process your payment request (if you are an “End User”).

Transparency:

In certain cases, Prometeo, acting as a data controller in the context of the account pre-validation service, processes certain personal data of individuals (such as bank account holders) through its APIs. In compliance with applicable data protection laws, we aim to ensure transparency by clearly communicating:

• Our identity and contact details,
• The categories of personal data processed,
• The purposes and legal basis for the processing,
• The recipients of the data and any potential transfers,
• The rights available to data subjects.

When it is not possible to provide this information directly, it is made publicly available through this Privacy Policy.

For more information on how personal data is handled as part of our services, please refer to the applicable Data Processing Agreement (DPA).

Prometeo may collect personal data in the following cases:

(a) When browsing the website;

(b) When contracting and/or using the Services;

(c) When receiving personal data from other legitimate sources, pursue applicable regulations.

If you are browsing our website:

We request and may collect personal information about visitors when they submit forms from our website, such as their name, address, phone number, email, and related information such as their company name, website, and position. The following web forms are available on the page:

https://dashboard.prometeoapi.com/register-account/

https://share.hsforms.com/1vfZ4ObpXTcCsDXZ22yK4ug1upu8

https://prometeoapi.com/bancos

https://prometeoapi.com/creditos-prestamos

https://prometeoapi.com/ecommerce

https://prometeoapi.com/pasarela-de-pago

https://prometeoapi.com/borderless-banking

https://prometeoapi.com/validacion-cuenta-bancaria

Prometeo may use cookies and other information collection technologies for various purposes. These technologies can collect personal information, details about the devices and networks used to access our website, and other related information about your interactions with our website.

You can configure your browser to notify you when cookies are received or to prevent their installation. If you log in from another browser, you will need to repeat the steps, as you’ll be prompted with our cookie notice again.

If you use our Services:

When contracting and/or using our Services, we may collect the following data:

• Individuals: Full name, type and number of ID (e.g., TIN or another, depending on the country of issuance), and email.
• Entities: Corporate name, address, type, and tax identification number, representative’s details, and email.

Specifically, for certain Services (Account-to-Account Payments/Treasury Management), with your authorization, we may also collect:

• From the Client: Bank account number, account holder's name, and credential data (for certain Services requiring bank access).
• From the End User: Bank account number and credential data (for certain Services requiring bank access).*

(*) This access data enables Prometeo to provide the Service you are requesting.

6.1 How long will your data be kept?

Data will be retained for as long as necessary to fulfill the purpose of processing, according to the aforementioned purposes, or if legal obligations exist that dictate its retention. Once storage is no longer necessary, data will be deleted with appropriate security measures to ensure its anonymization or destruction.

6.2 Who do we share your personal data with?

Your personal data will not be shared with third parties unless it is necessary for the development and execution of the purposes of processing, in the following cases:

• With our service providers related to communications, with whom the CONTROLLER has signed confidentiality agreements as required by current privacy regulations.
• With Prometeo Group entities (affiliates, subsidiaries, and the Holding company) for the management and administration of the commercial agreement.
• With auditors, only to fulfill Prometeo's legal and regulatory obligations.
• With judicial or administrative authorities upon written request.

7.1 What are your rights?

Known as “ARCO” rights: Access, Rectification, Cancellation, and Opposition.

You have the right to:

• Access your personal data in our possession.
• Rectify incorrect or outdated data.
• Request the deletion of data when you consider it unnecessary for the stated purposes.
• Object to the use of your data for specific purposes.

7.2 How can you exercise them?

You can send a written request to the following email: datospersonales@prometeoapi.com, detailing:

• Your name or corporate name, depending on whether you are an individual or an entity.
• Type and number of identification (scan is required).
• Email address.

Alternatively, you can do so at the following address: Av. Insurgentes Sur 1605, 15th Floor, Module IV, San José Insurgentes, Benito Juárez, Mexico City. Responses will be sent to the email provided by the requester within 20 business days.

7.3 Options to limit the use or disclosure of personal data:

If you wish to revoke the consent granted for the processing of your personal data or limit its disclosure, you can submit your request via the following email: datospersonales@prometeoapi.com.
Responses will be sent within 20 business days to the email address provided by the requester.

Visitors, End Users, and Clients, by checking the appropriate boxes and entering data in the fields marked with an asterisk (*) on contact forms or download forms, expressly and freely accept that their data is necessary for the service request. Providing data in the remaining fields is voluntary. Visitors, End Users, and Clients guarantee that the personal data provided to the CONTROLLER is truthful and are responsible for informing any changes.

The CONTROLLER informs that all data requested through the website is necessary for optimal service provision. If all data is not provided, the information and services may not fully meet your needs.

Following current personal data protection regulations, the CONTROLLER complies with all legal and regulatory provisions, specifically those described in article 10 of Law 18.331, ensuring that data is processed lawfully, fairly, and transparently concerning the data subject, and is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

The CONTROLLER guarantees that appropriate technical and organizational policies have been implemented to ensure the security measures required by law, aiming to protect USERS' rights and liberties, and has communicated adequate information to enable them to exercise their rights.

For more information on privacy guarantees, you can contact the CONTROLLER at datospersonales@prometeoapi.com.

Under the Federal Law on Protection of Personal Data Held by Private Parties and its regulations, we inform you that your personal data may be transferred and processed outside of Mexico by third parties, such as affiliates, subsidiaries, technology service providers, or business partners, to fulfill the purposes described in this Privacy Notice.

Transfers will only be made to countries with equivalent or superior personal data protection levels as established by Mexican legislation or to countries with adequate mechanisms to guarantee data protection.

If it is necessary to transfer your personal data to a country that does not meet these conditions, we will request your express prior consent unless the transfer is required to fulfill a legal or contractual obligation.

By accepting this Privacy Notice, you expressly consent to the transfer of your personal data under the terms and conditions set out in this document, including international transfers, provided the necessary security measures are in place to protect your data. If you do not express opposition to such transfers, we will assume that consent has been granted.

Prometeo may modify this Notice at its sole discretion. If modified, the new version will be published on the Website. Your continued use of our Services and/or browsing of the Website after such changes will constitute an acceptance of the new terms.

IMPORTANT: If you do not agree with this Notice, you must stop using our services and/or accessing the Website.