Personal Data Processing Policy

C.I. CHOCO GOLD METALS S.A.S.

Version: 1.0

Effective date: April 16, 2026

Last update: April 16, 2026

1. Identification of the data controller

C.I. CHOCO GOLD METALS S.A.S. (hereinafter, the “Society” or the “Company”), a commercial company incorporated under the laws of the Republic of Colombia, identified with NIT 900245633-9, with its principal address in Bogotá, contact email for data protection legal@chocogoldmetals.com, phone +57 3118495464, is responsible for the processing of personal data collected in the course of its corporate, commercial, mining, logistics, contractual, administrative and compliance activities.

2. Applicable regulatory framework

This Policy is adopted in compliance with the provisions of Articles 15 and 20 of the Political Constitution of Colombia, Law 1581 of 2012, Decree 1074 of 2015 and the instructions given by the Superintendency of Industry and Commerce, regarding the protection of personal data.

3. Scope of application

This Policy applies to the processing of personal data carried out by the Company with respect to:

  • Shareholders and administrators.

  • Employees, former employees, apprentices, and candidates.

  • Suppliers and contractors.

  • Exploiters, marketers, operators, transporters and allies linked to the mining chain.

  • Current and potential clients, including institutional buyers, authorized intermediaries, banks, refineries, and trading counterparties.

  • Visitors to offices, facilities, digital channels, and websites.

  • Third parties whose data is processed within the framework of due diligence, compliance, traceability, security, logistics and foreign trade processes.

4. Definitions

For the purposes of this Policy, the following definitions, among others, will be taken into account:

  • Personal information: any information linked to or that can be associated with a specific or identifiable natural person.

  • Sensitive data: that which affects the privacy of the holder or whose misuse may generate discrimination.

  • Holder: natural person whose personal data is being processed.

  • Treatment: any operation on personal data, such as collection, storage, use, circulation, deletion, transmission or transfer.

  • Data controller: legal entity that decides on the database and/or the processing of the data.

  • Person in charge of treatment: who performs the treatment on behalf of the responsible party.

  • Authorization: prior, express and informed consent of the data subject.

5. Guiding principles

The Company will apply the principles of legality, purpose, freedom, truthfulness or quality, transparency, access and restricted circulation, security, confidentiality and demonstrated responsibility, in accordance with current regulations.

6. Personal data subject to processing

The Company may collect and process, as appropriate and in proportion to each purpose, the following categories of data:

  • Identification data: name, surname, type and number of document, nationality, signature.

  • Contact information: address, email, phone, city.

  • Work and academic information: resume, experience, references, certifications.

  • Financial, accounting and tax data: bank information, RUT, certifications, payment receipts.

  • Corporate and representation data: position, company, powers, certificates of existence and representation.

  • Compliance data: information required for SARLAFT/SAGRILAFT, restricted lists, PEP, beneficial owner, due diligence and counterparty knowledge.

  • Operational and logistical data: records of entry, transport, custody, traceability, documentary chain and validation of operations.

  • Images or video recordings collected through security and access control systems.

  • Sensitive data, only when strictly necessary and there is legal authorization or express permission.

7. Purposes of the processing

Personal data will be processed for one or more of the following legitimate purposes:

7.1 Corporate and administrative purposes

  • Manage contractual, commercial, labor and corporate relationships.

  • Manage files, records, databases, correspondence, and information systems.

  • Perform payments, invoicing, collections, reconciliations, and audits.

7.2 Commercial purposes

  • Handle contact requests, quotes, proposals and negotiations.

  • Manage sales, purchasing, supply, transport, export, delivery and after-sales processes.

  • Maintain communication with clients, potential clients, suppliers, and partners.

7.3 Compliance and due diligence purposes

  • Verify identity, legal capacity, representation, suitability and background of counterparties.

  • Comply with obligations related to the prevention of money laundering, terrorist financing, corruption, fraud, bribery, national and international restricted lists and other applicable compliance systems.

  • Validate mining, commercial, tax, customs, environmental and traceability documentation.

  • Support counterparty due diligence processes, enhanced due diligence, and internal or third-party audits.

7.4 Operational purposes in the mining and commercial chain

  • Manage processes associated with the origin, custody, transport, legality, traceability and marketing of minerals and metals.

  • Verify documentary support from exploiters, suppliers, operators and other actors in the chain.

  • Coordinate processes with logistics partners, security transport companies, refineries, banks, laboratories, authorities and customs agents, when applicable and within the corresponding legal framework. 

7.5 Security purposes

  • Control access to physical or digital facilities.

  • Protect people, assets, information, and operations.

  • Manage incidents, internal investigations, and security reports.

7.6 Employment purposes

  • Advance processes of selection, hiring, affiliations, payroll, welfare, SST, disciplinary control and retirement.

  • Verify references, degrees, experience, background and documentation of candidates and employees.

7.7 Legal purposes

  • Comply with legal, regulatory, contractual, judicial or administrative mandates.

  • Attend to requests from competent authorities.

  • Exercise the judicial or extrajudicial defense of the Company.

7.8 Informational and marketing purposes

  • Send corporate, legal, commercial or institutional information.

  • Send invitations to events, meetings, publications or business news, provided that authorization exists when required.

8. Processing of sensitive data

The Company will restrict the processing of sensitive data to the maximum extent possible. When such processing is necessary, it will be carried out in accordance with the law, informing the data subject that providing the data is optional and adopting enhanced security measures.

9. Processing of data of children and adolescents

The Company will not process personal data of children or adolescents, except in cases permitted by law and when such processing responds to the best interests of the child and ensures respect for their fundamental rights. 

10. Rights of the holders

Data subjects have the right to:

  • Know, update and correct their personal data.

  • Request proof of the authorization granted, except when it is not legally required.

  • Be informed about the use given to their personal data.

  • Submit inquiries and complaints.

  • Request the deletion of their data when appropriate.

  • Revoke the authorization when there is no legal or contractual duty that prevents the removal.

  • Access their personal data free of charge.

11. Authorization of the holder

The Company will request the prior, express, and informed consent of the data subject no later than at the time of collection, except in cases exempted by law. This consent may be obtained through physical, electronic, digital, telephone, or contractual means, or through unambiguous conduct that reasonably allows the conclusion that the data subject has given their consent.

12. Cases in which authorization is not required

The holder's authorization will not be necessary when it comes to:

  • Information required by a public or administrative entity in the exercise of its legal functions.

  • Data of a public nature.

  • Cases of medical or health emergencies.

  • Processing of information authorized by law for historical, statistical or scientific purposes.

  • Data related to the civil registration of people.

13. Transfer and transmission of personal data

The Company may transmit or transfer personal data to third parties located in Colombia or abroad, when necessary for the development of its activities and legitimate purposes, including technology providers, advisors, auditors, logistics operators, carriers, insurers, business partners, banks, refineries, authorities or processors, guaranteeing in all cases adequate levels of protection, confidentiality and security, in accordance with the law and through the applicable contractual instruments. 

14. Data processors

Third parties acting as data processors on behalf of the Company must comply with this Policy, applicable law and instructions given by the Company, adopting reasonable technical, human and administrative measures for the protection of personal data.

15. Security measures

The Company will adopt reasonable security measures to protect personal data against alteration, loss, unauthorized or fraudulent consultation, use or access, taking into account the nature of the data, the risks of the processing and the characteristics of the operation.

16. Information preservation

Personal data will be kept for the time necessary to fulfill the stated purposes, applicable legal or contractual obligations, statute of limitations and the Company's evidentiary, accounting, regulatory, labor, tax, compliance or legal defense needs.

17. Procedure for inquiries and complaints

17.1 Queries

The data subject or their successors may submit inquiries regarding personal information held in the Company's databases via email legal@chocogoldmetals.com or at the address AV 26 # 69-63 Of 302.

The inquiry will be addressed within a maximum of ten (10) business days counted from the date of receipt. If it is not possible to attend to it within that period, the reasons for the delay and the date on which it will be attended to will be informed, which may not exceed five (5) business days following the expiration of the first term.

17.2 Claims

The owner or their successors who consider that the information contained in a database should be corrected, updated, deleted, or who notice a presumed breach of the law, may file a claim by means of a written request to the email legal@chocogoldmetals.com

The claim must contain at least: identification of the holder, description of the facts, contact address and supporting documents if applicable.

If the claim is incomplete, the interested party will be required, within five (5) business days following its receipt, to rectify the faults. If two (2) months elapse after the request is made without the requested information being submitted, it will be understood that the claimant has withdrawn the claim.

Once the complete claim has been received, a note will be added to the database stating “Claim in process” and the reason for this, within a period of no more than two (2) business days. The maximum time allowed to process the claim will be fifteen (15) business days, renewable by eight (8) business days when there are reasons that justify it.

18. Area responsible for handling habeas data requests

The department responsible for handling inquiries, complaints, requests for updates, rectification, deletion or revocation will be [Data Protection Officer / Legal Department / General Secretariat / Compliance], via mail legal@chocogoldmetals.com

19. Collection channels

The Company may collect personal data through, among others, the following channels:

  • Website and contact forms.

  • Email, calls, messaging, and meetings.

  • Contracts, purchase orders, proposals and linking processes.

  • Physical or digital forms from suppliers, customers, employees, and candidates.

  • Access control and video surveillance systems.

  • Interactions at trade fairs, events, audits and commercial or operational visits.

20. Video surveillance and access control

When the Company uses video surveillance systems or access control mechanisms, the information collected will be used for the purposes of the security of people, property and facilities, access control and support of internal investigations or requirements of competent authority.

21. Policy modifications

The Company reserves the right to modify this Policy at any time. Any substantial modification will be communicated through reasonable physical or electronic means, including publication on the corporate website.

22. Validity

This Policy is effective from April 16, 2026. The databases containing personal information will be processed for the reasonable and necessary time for the fulfillment of the purposes stated herein and the applicable legal or contractual obligations.