1. INTRODUCTION

This policy establishes the company guidelines for the responsible management, protection, and processing of personal data in compliance with applicable data protection regulations. The purpose is to guarantee the confidentiality, integrity, and availability of the information provided by clients, employees, and partners.

2. SCOPE

This policy applies to all internal processes, digital platforms, databases, websites, applications, and communication channels administered by the company in which personal data is collected or processed.

3. PRINCIPLES

Personal data is processed under the following principles: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.

4. DATA COLLECTION

Personal data will be collected only through authorized and secure mechanisms such as official websites, contact forms, contracts, commercial proposals, invoicing processes, and WhatsApp Business communications.

5. LEGAL BASIS

Data processing activities are performed based on explicit consent of the data subject, contractual necessity, compliance with legal obligations, or legitimate business interests.

6. RIGHTS OF DATA SUBJECTS

Data subjects have the right to access their personal data, request rectification, request erasure, restrict processing, object to processing, and data portability. Requests must be

addressed through official company communication channels and will be attended within reasonable timeframes.

7. SECURITY MEASURES

The company implements administrative and technical safeguards including restricted access permissions, secure authentication methods, encrypted backups, confidentiality agreements, secure payment gateways, and continuous monitoring of digital channels.

8. DATA RETENTION

Personal data will be stored only for the time necessary to fulfill the purposes for which it was collected, unless longer retention is required by law.

9. DATA TRANSFERS

International data transfers will be performed only with trusted providers that guarantee adequate protection standards.

10. BREACH MANAGEMENT

In case of a personal data breach, the company will identify the scope of the incident, contain the risk, notify affected parties if necessary, and apply corrective actions.

11. RESPONSIBILITIES

All employees and contractors must comply with this policy. Management is responsible for ensuring its correct application and periodic review.

12. POLICY REVIEW

This policy will be reviewed annually or whenever significant changes occur in data processing activities.

Effective date: 2025

QUITO, ECUADOR

IMPEX FLOWERS