Data Processing

Privacy Policy, Personal Data Processing, and Regulatory Compliance

W PAYMENTS TECHNOLOGY ECOSYSTEM

1. REGULATORY FRAMEWORK AND PROCESSING STATEMENT

To ensure the highest international standards for information protection and in observance of the constitutional mandates in force in the jurisdiction of material operation, specifically Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013 of the Republic of Colombia, this Comprehensive Policy governs the processing of information within the B2B infrastructure ecosystem operated under the WPAYMENTS brand.

It is imperative to establish that W PAYMENTS provides, exclusively, a software license for the orchestration, visibility, and routing of data instructions. The operating entity does not collect, receive, or directly hold trust funds or financial assets. Accordingly, the processing of information responds to an unavoidable mandate of regulatory compliance, technological traceability, and the security of the underlying payment networks.

2. CORPORATE DEFINITIONS

For the proper and complete interpretation of this document, the following structural definitions are established:

  • B2B Client: A natural person or legal entity that subscribes to the services of the W PAYMENTS Platform to orchestrate and manage its own payment and settlement instructions.

  • End User: A natural person who interacts with the Platform interfaces for the purpose of initiating or receiving a transaction linked to a B2B Client.

  • Third-Party Partners: Regulated financial institutions, clearing networks, acquirers, and liquidity providers that execute the actual settlement and the cross-border movement of funds.

  • Sensitive Data: Information that affects the privacy of the data subject, including, in a strict sense, the biometric elements required for non-face-to-face identity verification.

3. THE DOCTRINE OF DIVIDED ROLES AND RESPONSIBILITIES

Given the technical complexity of the orchestration ecosystem, the operating entity limits its legal responsibility across two autonomous spheres:

The Platform acts as the Data Controller solely and exclusively with respect to the corporate, financial, and legal-representation data of its B2B Clients, determining the purposes and technical means for its management.

By contrast, with respect to the personal data, payment instruments, and transaction records of End Users, W PAYMENTS acts strictly as a Data Processor. The technological infrastructure serves as a routing conduit to Third-Party Partners, while the B2B Client bears the non-negotiable legal obligation to act as the Controller and obtain the corresponding prior consents.

4. CATEGORIES OF DATA COLLECTED

In the ordinary course of its technology operations, the Platform collects the following categories of information:

  • Corporate and Risk Information: Constitutive documents, government IDs, information about beneficial owners, liveness checks using biometrics, and formal statements of source of funds.

  • Transactional and Telematic Information: Transaction volumes, cryptographic identifiers, network addresses, geolocation metadata, and technical fingerprints of the devices used to access the system.

5. EXHAUSTIVE AND NON-NEGOTIABLE PURPOSES OF PROCESSING

The processing of information managed through the Platform will be subject to technical and compliance purposes, described below:

  • Comprehensive Financial Compliance: Carry out the customer due diligence protocols required by Third-Party Partners to mitigate identity theft, verify that no restricted international lists are involved, and route the necessary validations for anti-money laundering and counter-terrorism financing prevention.

  • Technology Operations: Configure, encrypt, and channel payment instructions from their origin in the interface to the destination financial institutions.

  • Administrative Purposes: Settle technology licensing fees, issue the corresponding invoices, and manage critical system notifications.

6. INTERNATIONAL DATA TRANSMISSION AND TRANSFER

The W PAYMENTS architecture as a global orchestrator makes it technically unfeasible to operate on a data network restricted by territory. In light of the above, by accepting this Policy, the operating entity is expressly, irrevocably, and permanently authorized to transmit and transfer databases across borders to credit institutions in foreign jurisdictions, as well as to cloud infrastructure providers and fraud intelligence platforms, which need to process such data to materialize and secure the transaction lifecycle.

7. PROCESSING OF SENSITIVE DATA AS AN OPERATIONAL IMPERATIVE

The capture and validation of sensitive data, specifically facial biometrics, complies with an unavoidable standard imposed by destination financial networks and international due diligence regulations. While providing this information is legally optional for the data subject, the system architecture does not allow transactions to be processed without meeting these security parameters. Therefore, refusing to provide the required biometric data will technically disable access to the Platform and orchestration services.

8. B2B CLIENT INDEMNITY OBLIGATIONS

The B2B Client declares under oath that it has the legal, express, and demonstrable authorizations of its respective End Users to integrate their data into the W PAYMENTS infrastructure. The B2B Client assumes the unconditional obligation to defend and hold harmless the operating entity from any fine, complaint, or administrative sanction arising from its negligence in obtaining, safeguarding, or managing such authorizations.

9. RIGHTS OF DATA SUBJECTS

In strict accordance with the regulations protecting the right to Habeas Data, the data subject has the right to know, update, and correct their personal data. Likewise, they have the right to request proof of the authorization granted, be informed about the circulation of their data, and request the revocation or deletion of the information, subject to the technical and regulatory limitations described in this Policy.

10. REGULATORY RETENTION AND EXCEPTION TO DELETION

The guarantee of the right to delete personal information will be formally denied when the continued presence of the data subject in the databases responds to a current legal or contractual duty, such as ongoing commercial disputes or fraud investigations. Additionally, transactional and identity metadata will be retained under logical lock for a non-negotiable period of five to ten years, for the sole purpose of complying with financial crime prevention laws and being available exclusively for judicial requests or formal audits by Third-Party Partners.

11. COMPREHENSIVE PROCEDURE FOR INQUIRIES AND CLAIMS

Any request related to the management of personal data must be submitted in writing to the compliance officer. Information inquiries will be answered within a maximum period of ten business days. Formal claims for the correction or deletion of data, duly supported, will be resolved within fifteen business days. In cases where the operating entity acts solely as Data Processor, the claims received will be immediately transferred to the corresponding B2B Client, who will assume the legal obligation to issue a substantive response.

12. CORPORATE IDENTIFICATION AND APPLICABLE JURISDICTION

For all technical, operational, and legal purposes arising from the management of the technology infrastructure, ownership of the software and the legal responsibility of the W PAYMENTS ecosystem rest exclusively with TWC INTERNATIONAL LLC, a limited liability company duly organized and existing under the laws of the State of Wyoming, United States of America. Without prejudice to the voluntary adoption of the highest local standards for the protection of user information in Colombia, the corporate parent and the implementation of this instrument are governed by the regulations of its jurisdiction of incorporation.

  • Official Notification Channel: legal@twcinternational.llc

13. TERM AND DOCUMENT UPDATES

This instrument takes effect as of the date of its publication on the Platform’s official channels. The archive of corporate and transactional data will remain in force for the duration of the commercial relationship and will extend for the periods established for regulatory retention. The operating entity reserves the unilateral right to modify this policy structure, issuing the respective notices through the user interfaces.


