Privacy Notice

March 31, 2026

Privacy notice of Faro Innovación y Estrategia SAS (FaroNova) issued in compliance with Law 1581 of 2012 and Regulatory Decree 1377 of 2013.

1. Data Controller

This Privacy Notice constitutes FaroNova's Information Processing Policy pursuant to Decree 1074 of 2015.

• Legal name: Faro Innovación y Estrategia SAS

• Trade name: FaroNova

• Tax ID (NIT): Pending formal incorporation (*).

• Domicile: Bogotá D.C., Colombia

• Website: faronova.co

• Privacy email: privacidad@faronova.co

• Contact email: contacto@faronova.co

• WhatsApp: +57 317 378 4220

• Area responsible for data processing: General Management.

(*) Faro Innovación y Estrategia SAS is currently undergoing formal incorporation before the Bogotá Chamber of Commerce. The Tax ID (NIT) will be incorporated into this document once the process is completed. Upon formal incorporation, the company will evaluate the obligation to register before the National Database Registry (RNBD) of the Superintendence of Industry and Commerce in accordance with the criteria established by said entity.

2. Legal Framework

This Privacy Notice is issued in compliance with:

• Political Constitution of Colombia, Article 15 — Right to privacy, good name, and habeas data.

• Statutory Law 1581 of 2012 — General Personal Data Protection Regime.

• Law 1266 of 2008 — General provisions on habeas data and management of information in personal databases, particularly financial, credit, commercial, and services data.

• Decree 1377 of 2013 — Regulatory Decree of Law 1581 of 2012.

• Decree 1074 of 2015 — Single Regulatory Decree for the Commerce, Industry, and Tourism Sector (Title 26, Chapter 25).

• Other concordant regulations in force in the Republic of Colombia.

The processing of personal data by FaroNova serves a legitimate purpose in accordance with the Constitution and the law, pursuant to the principle of purpose established in Article 4, paragraph b) of Law 1581 of 2012.

3. Personal Data We Collect

FaroNova collects and processes the following categories of personal data. Pursuant to Article 3 of Law 1581 of 2012, personal data may be public, semi-private, private, or sensitive.

3.1. Registration and Account Data (semi-private data)

Purpose: Create and manage the User's account, provide contracted Services, and offer technical support.

• Full name.

• Corporate email address.

• Organization name.

• Position or role within the organization.

• Password (stored in encrypted form via AWS Cognito).

3.2. Authentication Data (private data)

Purpose: Authenticate the User, manage access control, and ensure account security.

• Session tokens (managed by AWS Cognito).

• Login information (date, time, IP address).

• Role and permissions within the platform.

Note on processing roles:

FaroNova acts as data controller with respect to registration, authentication, billing, support, contact, and website browsing data. With respect to personal data contained in files, queries, projects, or documents uploaded by corporate clients for their own use, the client acts as data controller and FaroNova acts as data processor, acting solely under the client's instructions and for the provision of the Service.

3.3. Data Generated by Service Usage

• Conversations with the Conversational Assistant: queries submitted to the Conversational Assistant are processed in real time by Amazon Bedrock and deleted immediately after generating the response (Zero Data Retention policy). FaroNova does not store, access, or review the content of these conversations in the ordinary course of service provision.

• Uploaded files: documents uploaded by the User to the platform are stored encrypted with AES-256 on Amazon S3 (server-side encryption, AWS-managed keys). Only the User, through their authenticated account, can access their content. FaroNova does not access the content of these files in the ordinary course of service provision.

3.4. Billing Data (semi-private data — subject to Law 1266 of 2008)

Purpose: Issue invoices and comply with Colombian tax obligations.

• Billing information (legal name, tax ID or identity document, fiscal address).

• Invoice history.

Billing is managed through electronic invoicing in accordance with Colombian regulations. FaroNova does not store or process credit card, debit card, or any other electronic payment instrument data in its systems. Should FaroNova implement an electronic payment system in the future, payment data will be processed by a PCI-DSS certified payment service provider, and this Notice will be updated in accordance with the modification procedure established in section 13.

This data is retained in accordance with Colombian tax obligations (minimum 5 years, Art. 632 of the Tax Statute) and is processed pursuant to Law 1266 of 2008 where applicable.

3.5. Usage Data (irreversibly pseudonymized data)

Purpose: Improve the Services through statistical analysis.

FaroNova collects statistics on Service usage. Before storage, user identifiers are irreversibly pseudonymized using a one-way cryptographic hash function (SHA-256 with fixed salt), making it impossible to recover the User's identity. These statistics may include usage frequency, most consulted modules, general query volume, navigation patterns, and session times.

Administrative reports aggregate statistics at the company level, not at the individual user level. Analytics data is retained for a maximum of ninety (90) days and is automatically deleted upon expiration. When a User's account is deleted, all associated analytics records are irreversibly purged.

3.6. Communication Data (semi-private data)

Purpose: Address support requests, manage feedback, and process rights exercise requests.

• Emails exchanged with the support team.

• Feedback provided about the Services. When submitting feedback through the platform, the message content and the User's email address may be shared with FaroNova's internal team via email notifications, in order to manage and follow up on the feedback received.

• Rights exercise requests.

3.7. Sensitive Data

FaroNova does not request, collect, or require sensitive data pursuant to Article 5 of Law 1581 of 2012 (data related to health, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical convictions, union membership or social organization participation, biometric data, or genetic data) for the provision of its Services.

The User must refrain from including their own or third-party sensitive data in their queries, files, or projects. If they do so, the User shall be solely responsible for the processing of such data and must have the express authorization of the data subject pursuant to Article 6 of Law 1581 of 2012.

4. Purposes of Processing

4.1. Necessary Purposes (contract execution)

• Create and manage the User's account.

• Provide the contracted Services (FaroMonitor, FaroPlanning).

• Authenticate the User and manage access control.

• Process payments and issue corresponding invoices.

• Provide technical support and customer service.

4.2. Legitimate Purposes (service improvement)

• Improve the Services through analysis of aggregated and anonymized usage statistics.

• Ensure the security and integrity of the platform.

• Detect and prevent fraudulent or unauthorized activities.

4.3. Informational Purposes (with consent)

• Send communications about updates, new features, and service security alerts.

• Send commercial information about other FaroNova products or services.

The User may revoke consent for informational purposes at any time, without affecting the provision of the Services.

5. Legal Basis for Processing

FaroNova will process personal data with the prior, express, and informed authorization of the data subject, pursuant to Article 9 of Law 1581 of 2012.

Authorization for the processing of personal data will be requested through a prior, express, and informed mechanism, separate from the mere acceptance of the Terms and Conditions. FaroNova will retain proof of authorization when such proof is required.

The requested authorization will expressly and unequivocally include:

• Authorization for the processing of personal data in accordance with the purposes described in this Notice (required to use the Services).

• Authorization for analytics cookies and anonymized usage statistics (optional, via separate opt-in during registration and modifiable at any time from Settings > Data Rights).

• Authorization to receive commercial and informational communications (optional, via separate opt-in during registration and revocable at any time).

• Express authorization for the international transmission of personal data to the United States of America, where the servers of FaroNova's infrastructure providers are located (Amazon Web Services, Google LLC, and Functional Software, Inc.), pursuant to Article 26 of Law 1581 of 2012, paragraph a) (express and unequivocal authorization of the data subject for the transfer).

Mandatory categories (personal data processing, international transmission) may be presented in a single grouped authorization mechanism, provided it explicitly references the legal documents detailing each purpose and scope. Optional categories (analytics, commercial communications) will always be presented via individual and separate opt-in.

The data subject may deny or revoke this authorization at any time. If the data subject does not authorize the international transmission of data, FaroNova will be unable to provide the Services, as they depend on infrastructure located outside Colombia.

In the following cases, FaroNova may process data without the data subject's authorization, pursuant to Article 10 of Law 1581 of 2012:

• Information required by a public or administrative entity in the exercise of its legal functions.

• Data of a public nature.

• Cases of medical or health emergency.

• Processing authorized by law for historical, statistical, or scientific purposes.

• Data related to the Civil Registry of Persons.

6. Cookies and Tracking Technologies

6.1. Website (faronova.co)

• _ga (Google Analytics 4) — Analytics — Distinguish unique users — Duration: 2 years.

• _gid (Google Analytics 4) — Analytics — Distinguish unique users — Duration: 24 hours.

• _ga_* (Google Analytics 4) — Analytics — Maintain session state — Duration: 2 years.

• Sentry — Performance — Error monitoring — Duration: session.

6.2. FaroMonitor (monitor.faronova.co)

• Session cookies (AWS Cognito) — Essential — User authentication.

• Proprietary analytics system — Analytics (optional and can be deactivated) — Page views and anonymized navigation patterns. Does not use third-party cookies.

6.3. FaroPlanning

• Session cookies (AWS Cognito) — Essential — User authentication.

• Proprietary analytics system — Analytics (with consent).

• Consent banner — Essential — Cookie preference management.

6.4. How to Manage Cookies

• Browser settings: most browsers allow blocking or deleting cookies from their privacy settings.

• Consent banner: on FaroMonitor and FaroPlanning, the User can manage their preferences directly.

• Settings panel: on FaroMonitor, the User can modify their cookie preferences at any time from Settings > Data Rights.

• Google Analytics opt-out: the User can install the Google Analytics opt-out browser add-on.

Disabling essential cookies may affect the functioning of the Services. Disabling analytics cookies does not affect the functioning of the Services and takes effect immediately.

7. International Data Transfers

Personal data collected by FaroNova is stored and processed on servers located in the United States of America (region us-east-1, Virginia), operated by Amazon Web Services, Inc.

Pursuant to Decree 1074 of 2015, FaroNova distinguishes between international transmission (sending data to a data processor) and international transfer (sending data to another data controller). Data flows to FaroNova's infrastructure providers constitute international transmissions, for which FaroNova has executed the corresponding contracts pursuant to Article 2.2.2.25.5.2 of Decree 1074 of 2015.

Transmission and transfer details:

• Amazon Web Services (AWS) — United States (us-east-1, Virginia) — International transmission (processor). Cloud infrastructure, storage, authentication (Cognito). AES-256 server-side encryption, AWS-managed keys. AWS holds SOC 2, ISO 27001, ISO 27018 certifications.

• Amazon Bedrock (Anthropic Claude) — United States — International transmission (processor). Processing of AI features in FaroMonitor and FaroPlanning. Zero Data Retention: User data is processed and deleted immediately. Not stored. Not used to train AI models.

• Anthropic (direct API) — United States — International transmission (processor). (1) Processing of AI features in FaroMonitor and FaroPlanning. Zero Data Retention: queries and responses are processed and deleted immediately. Not used to train AI models. (2) AI enrichment of public legal documents (official regulation from government sources) in FaroMonitor. Does not involve client data.

• Sentry (Functional Software, Inc.) — United States — International transmission (processor). Technical error monitoring on the faronova.co website. Data collected is technical in nature and does not include personally identifiable information.

• Google LLC — United States — International transmission (processor). (1) Google Analytics on the faronova.co website (anonymized browsing data). (2) Google Vertex AI for illustrative image generation in FaroPlanning (descriptive scenario prompts, no personally identifiable data). Google operates under enterprise terms prohibiting the use of customer data for AI model training.

International data transmissions are conducted under Article 26, paragraph a) of Law 1581 of 2012 (express and unequivocal authorization of the data subject) and pursuant to the transmission contracts executed with each processor under Article 2.2.2.25.5.2 of Decree 1074 of 2015. FaroNova discloses that the United States of America is not included in the list of countries with an adequate level of data protection issued by the Superintendence of Industry and Commerce, which is why the transmission is based on the express authorization of the data subject.

8. Data Processors

• Amazon Web Services, Inc. — Cloud infrastructure, storage, authentication, artificial intelligence — Data processed: account data, encrypted files, AI queries (no retention).

• Google LLC — Web analytics and AI image generation — Data processed: (1) anonymized browsing data on faronova.co (Google Analytics); (2) descriptive scenario planning prompts for illustrative image generation in FaroPlanning (Google Vertex AI). No personally identifiable User data is transmitted in image generation requests.

• Functional Software, Inc. (Sentry) — Technical error monitoring — Data processed: technical performance and error data (faronova.co website only). Does not include personally identifiable information.

FaroNova has entered into data processing agreements with each processor, requiring compliance with security standards equivalent to or higher than those established in Law 1581 of 2012.

Operational service providers: Additionally, FaroNova may use operational service providers (such as text extraction services, web access infrastructure, or content optimization services) that process exclusively public information or operational Service data, without access to Users' personal data. These providers are not considered Data Processors under Article 25 of Decree 1074 of 2015, as they do not process personal data. FaroNova periodically evaluates that such providers maintain adequate security practices.

9. Data Retention

• Conversations with the Conversational Assistant — Zero (0). Zero Data Retention. Deleted immediately after processing.

• Files uploaded by the User — As long as the User maintains them on the platform. The User may delete them at any time.

• Account data (name, email, organization) — While the account is active and during the post-termination export period established in the preceding item.

• Billing data — According to Colombian tax obligations (minimum 5 years pursuant to Art. 632 of the Tax Statute).

• Pseudonymized usage statistics — While the User maintains an active account with active analytics consent. Stored identifiers are irreversible hashes that do not allow User identification. Each Service may apply shorter automatic cleanup cycles (for example, deletion of individual events after 30 days and aggregated data after 90 days). All analytics data is deleted upon revocation of analytics consent or deletion of the User's account.

• Incomplete onboarding records — Records of users who did not complete the registration process (either because only the authentication account exists without a profile, or because the profile exists but onboarding was not completed) are retained for a maximum of sixty (60) days from account creation date, or thirty (30) days from last detected activity, whichever comes first. After that period, the profile, associated analytics data, and authentication account are deleted. This information is operational and administrative in nature, does not constitute analytics, and is not included in statistical reports.

• Post-termination data — Unless the applicable commercial agreement provides for a different period, data and files will remain available for export for thirty (30) calendar days following termination. After that period, permanently deleted from all systems, including analytics records, sessions, chat usage, and authentication account associated with the User. The exceptions are: (a) a minimal legal audit record that does not contain User content, email, or personally identifiable information, retained solely for legal compliance with a defined expiration period; and (b) encrypted backups of the authentication infrastructure, retained for a limited period in accordance with disaster recovery practices and automatically deleted upon expiration of their retention cycle.

10. Data Subject Rights

Pursuant to Article 8 of Law 1581 of 2012, the data subject has the following rights:

• Know, update, and rectify their personal data before FaroNova in its capacity as data controller.

• Request proof of the authorization granted to FaroNova for the processing of their data.

• Be informed by FaroNova, upon request, regarding the use given to their personal data.

• File complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012.

• Revoke the authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees.

• Access their personal data that has been subject to processing, free of charge. This right may be exercised at least once per calendar month at no cost.

Additionally, as a contractual benefit, FaroNova offers:

• Portability: Request the delivery of data in a structured, commonly used, and machine-readable format.

The rights provided in this section may be exercised by the data subject, their heirs, their representative, and/or their duly accredited attorney-in-fact, or by stipulation in favor of another.

10.1. Procedure to Exercise Rights

The data subject must send their request to privacidad@faronova.co indicating: full name and identity document, description of the right to be exercised, contact information for response, and supporting documents (if applicable). Alternatively, the rights request form available on the Platform may be used. If the claim is incomplete, FaroNova will require the data subject to remedy the deficiency within five (5) business days following receipt of the claim. If two (2) months elapse from the date of the requirement without the data subject providing the requested information, it shall be understood that the claim has been withdrawn. If FaroNova is not competent to resolve the claim, it will refer it to the appropriate party within two (2) business days.

10.2. Response Times

• Inquiries (Art. 14, Law 1581 of 2012): FaroNova will respond within ten (10) business days following the date of receipt of the request. When it is not possible to address the inquiry within that period, the data subject will be informed of the reasons for the delay and the date it will be addressed, which may not exceed five (5) business days following expiration of the first period.

• Claims (Art. 15, Law 1581 of 2012): FaroNova will respond within fifteen (15) business days following the date of receipt of the complete claim. When it is not possible to address the claim within that period, the data subject will be informed of the reasons for the delay and the date it will be addressed, which may not exceed eight (8) business days following expiration of the first period.

10.3. Complaint to the Authority

If the data subject is not satisfied with FaroNova's response, they may file a complaint with the Superintendence of Industry and Commerce (SIC), the authority responsible for overseeing compliance with personal data protection regulations in Colombia.

• Website: www.sic.gov.co

• National toll-free line: 018000-910165

11. Information Security

FaroNova implements technical, administrative, and human measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. For detailed information, please consult FaroNova's Data Security Guide.

Key measures include:

• AES-256 encryption for stored files (server-side, AWS-managed keys).

• Encryption in transit (TLS/HTTPS) for all communications.

• Zero Data Retention for conversations with the Conversational Assistant (Amazon Bedrock).

• Secure authentication via AWS Cognito.

• AWS certified infrastructure: FaroNova operates on Amazon Web Services, which holds SOC 2, ISO 27001, and ISO 27018 certifications. These certifications correspond to AWS; FaroNova does not hold them independently.

12. Data of Minors

FaroNova's Services are directed exclusively at adults (18 years of age or older) and business organizations. FaroNova does not intentionally collect personal data from minors.

FaroNova reserves the right to verify the User's age and request supporting documentation at any time. If FaroNova becomes aware that it has collected data from a minor, it will proceed to delete it immediately and deactivate the corresponding account.

13. Modifications to the Privacy Notice

FaroNova reserves the right to modify this Privacy Notice at any time. Modifications will be communicated to the data subject through:

• Publication of the updated version on faronova.co with the last updated date visible.

• Email notification to the address registered in their account.

• Notification on the Platform.

Substantial changes to the identity of the data controller or to the purposes of processing will be communicated before implementation. When the change affects the purpose or scope of the previously granted authorization, FaroNova will request a new authorization from the data subject before implementing the change.

Continued use of the Services after notification of changes that do not affect the purpose or scope of the authorization constitutes acceptance of the modifications.

14. Effective Date

This Privacy Notice takes effect from the date of its publication and will remain in force as long as FaroNova processes personal data in accordance with the purposes described herein.

15. Contact

For any inquiry, request, or claim related to the processing of personal data:

• Privacy email: privacidad@faronova.co

• General email: contacto@faronova.co

• WhatsApp: +57 317 378 4220

• Address: Bogotá D.C., Colombia