ASHLEY PERSONAL DATA PROCESSING POLICY

Data controller: CLOVER4 SAS , with Tax Identification Number (NIT) No. 901.513.909-1, with registered address at Avenida Carrera 19 #109 -41 in Bogotá, Colombia (hereinafter (“ ASHLEY and/or the company ”), will act as controller for the collection, storage, use, processing, updating, circulation, deletion, transfer, transmission and, in general, any operation or set of operations in and on your staff data.

This ASHLEY Privacy and Personal Data Processing Policy (hereinafter the " Policy ") establishes the terms and conditions under which ASHLEY will carry out the processing to which the personal data provided through physical stores, the ASHLEY website, micro sites related to it, mobile versions, social networks and/or any other mechanism or channel enabled by ASHLEY for the collection of personal data will be subjected.

Before purchasing any product and/or service offered by ASHLEY, you must carefully read this Policy so that you are aware of your rights, ASHLEY's duties, the channels available for exercising your rights, the procedures established for inquiries and complaints, the purposes for which your personal data was collected, and other relevant information regarding current regulations regarding personal data.

By accepting this Personal Data Processing Policy, the data subject is informed and gives his or her free, informed, specific, and unequivocal consent for the processing of the personal data he or she provides by ASHLEY, as well as any data derived from his or her browsing and any other data he or she may provide in the future.

1. Regulatory framework applicable to the processing The legal and constitutional framework (hereinafter the " Regulatory Framework ") under which the Policy is governed is the following:

• Political Constitution of Colombia.
• Law 1266 of 2008.
• Law 1581 of 2012.
• Decree 1377 of 2013, incorporated into Single Decree 1074 of 2015.
• Other regulations that are incorporated into the legal system and are applicable.

2. Definitions and Principles: The concepts presented below are derived from current regulations. Should these definitions be modified, supplemented, and/or replaced, their meaning shall be that indicated in the current legal provisions:

• Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.
• Database: Organized set of personal data that is the object of processing.
• Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.
• Processing: Any operation or set of operations on personal data or personal databases, such as collection, storage, use, circulation or deletion of data.
• Owner: Natural person whose personal data is subject to processing.
• Data Controller: A natural or legal person, public or private, who, either alone or in association with others, decides on the database and/or the processing of data.
• Data Processor: The natural or legal person, public or private, who, by himself or in association with others, carries out the processing of personal data on behalf of the Data Controller.
• Personal Data Protection Area: Responsible within the company, responsible for monitoring, controlling, and promoting the application of the Personal Data Processing Policy.

The processing of information collected by ASHLEY will be governed by the following principles:

• Principle of Legality : In the Processing of Personal Data, the Regulatory Framework that governs the Processing of these will be applied.
• Principle of Freedom : The processing of personal data will only be carried out with the prior, express and informed consent of the owner.
• Principle of Purpose : The processing of personal data will serve a legitimate purpose, which will be communicated to the respective owner.
• Principle of Truthfulness or Quality : The Protected Information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. ASHLEY shall not be liable to the Data Subject when partial, incomplete, fragmented, or misleading data is processed.
• Transparency Principle : The right of the owner to obtain information about his or her data at any time and without restrictions must be guaranteed.
• Principle of Restricted Access and Circulation : Processing may only be carried out by persons authorized by the Data Controller or by the persons provided for by law.
• Security Principle : Personal Data under the Policy subject to Processing by ASHLEY will be protected to the extent that technical resources and minimum standards allow, through the adoption of the necessary technical, human and administrative measures to provide security to electronic records, preventing their adulteration, modification, loss, consultation, and in general against any unauthorized or fraudulent use or access.
• Confidentiality Principle : Personal data that is not public in nature is confidential and may only be provided in accordance with the law. Any person involved in the processing of information must guarantee its confidentiality.
• Principle of Temporality : The storage and processing of personal data will be limited to what is essentially necessary to fulfill the previously specified purposes of the business relationship, as well as the fulfillment of the purposes authorized by the Owner.

3. Scope of the Policy: This Policy will have the same scope of application as established in the Regulatory Framework. Consequently, it will apply to all operations carried out by ASHLEY in Colombia, safeguarding any use or processing of Protected Information by affiliated companies, in compliance with legal requirements.

4. Personal data and consent for its processing: ASHLEY obtains personal data from the Data Subjects through its physical stores, the Website, social networks or through other channels.

The Data Subject expressly consents to the processing (collection, storage, use, circulation, deletion) of Protected Information by accepting the authorization requested through documents, on the website, or through other means of obtaining personal data.

The Personal Data that will be processed are: identification data, contact information, location and geolocation information, browsing data, data classified as sensitive (for example: health-related data, fingerprints, photos, video recordings, among other biometric data), financial information, assets, socioeconomic data, employment and academic information, preferences, tastes and consumer behavior, data inferred or not from information observed or provided directly by the Data Subject or by third parties, and demographic and transactional information. Personal Data will be collected through the various channels provided by ASHLEY.

If ASHLEY requests sensitive personal data such as racial or ethnic origin, political orientation, religion, biometric data, etc., the Data Subject's response will be optional.

ASHLEY only collects and receives personal information voluntarily provided by Data Subjects through the channels provided for this purpose and only from individuals of legal age.

ASHLEY does not process data of minors, but if processing of this type of data is required, ASHLEY will protect this type of data with special care and will comply with the provisions of Articles 6 and 12 of Decree 1377 of 2013 and Article 5 of Law 1581 of 2012.

If the Data Subject provides third-party data, they declare that they have their consent and undertake to provide them with the information contained in the Policy, exempting ASHLEY from any liability in this regard. However, ASHLEY may conduct periodic checks to verify this fact, adopting the appropriate due diligence measures in accordance with data protection regulations.

5. Purposes of Processing: The personal data provided to ASHLEY by the Data Subjects will be collected, stored, used, analyzed, circulated, updated, reported and generally processed for the following purposes:

As the data controller of the data collected, ASHLEY has several databases, with respect to which it declares that they will be processed for one or more of the following purposes:

Administrative, Accounting and Legal Management:

• Carry out the corresponding invoicing and perform all tax, accounting, fiscal, and legal procedures and obligations.
• Administration and formalization of commercial agreements and contracts with suppliers of goods and service providers.
• Administration of Contracts with Third Parties
• Carry out the relevant procedures for the development of the pre-contractual, contractual and post-contractual stages and with respect to any underlying negotiations, as well as comply with Colombian or foreign law and the orders of judicial or administrative authorities.
• Verify the identity of the data subject, conduct security studies, and/or implement security protocols to prevent and mitigate the risk of fraud, money laundering, and/or terrorist financing.
• Conduct analysis of Website usage and verify the Owner's preferences and behaviors in order to improve communication with the Website Owners. Manage and respond to inquiries, requests, petitions, incidents, complaints, and claims.
• As a tool for the collection process.
• As support for external and internal audits.
• For the information to be transferred and/or transmitted to parent companies, subsidiaries or subordinates of ASHLEY or to third parties with which ASHLEY has alliances or contractual links for any of the purposes provided herein, who may be located outside the national territory.
• For the advancement of any procedure before a public authority or a private person or entity, in respect of which the information is relevant
• Guarantee the holder, at all times, the full and effective exercise of the right to habeas data, the rights included in Law 1581 of 2012, and all applicable regulations on the matter.
• To know, store, and process all information provided by personal data subjects in one or more databases, in the format deemed most convenient and secure.
• Conduct data update campaigns for the purposes outlined in this Policy.
• If the nature of the activities requires it, report to the Information Centers on the fulfillment or non-fulfillment of obligations that you have acquired with ASHLEY.
• Manage customer and supplier relationships to facilitate internal accounting, administrative, and financial processes.

6. Commercial management: the personal information of potential clients, customers, suppliers and contractors may be processed in accordance with the following purposes:

• To seek, establish, maintain and execute a contractual or commercial relationship, regardless of its nature.
• Develop commercial and marketing activities, such as consumer analysis; profiling; brand traceability; sending news, advertising, promotions, offers, and benefits; customer loyalty programs; marketing research; and generating campaigns and events.
• Send commercial communications to the Owner regarding benefits, advertising, promotions, offers, news, discounts, customer loyalty programs, market research, campaign and event generation, by electronic and conventional means, and in general regarding the offering of products and services from ASHLEY, (i) from companies with which ASHLEY collaborates, and; (ii) Companies linked to ASHLEY.
• Notify you of purchases, orders, shipments, news, or events related to the products or services you purchase or contract.
• Conducting quality and satisfaction surveys to understand Owners' opinions on ASHLEY's products and services.
• Manage, process, send, and follow up on quotes and purchases made.
• Contact the Owner to complete your purchase if you have saved products in your shopping cart without completing the process.

7. Human Resources and SG-SST: Purposes of processing within selection and/or hiring processes.

• Comply with the purposes of the Company's selection and/or hiring process, evaluate your suitability and/or eventual hiring
• Verify and confirm the veracity of the information included in the resume and any other documents or information provided to the Company.
• Conduct security reviews of the candidate, which includes reviewing or obtaining criminal records, conducting home visits, and consulting data in information centers, among other things.
• Be part of the applicant database for future hiring.
• Sending communications regarding selection processes similar to those in which the owner has participated.
• Comply with the Company's hiring policies.
• Conduct background checks in accordance with binding compliance programs, such as crime prevention, ethics, and antitrust.
• Request supporting documents for your resume, medical examinations, psychological tests, and any other necessary information.
• Manage the Companies' human resources in accordance with applicable legal and contractual terms.
• Comply with the legal obligations of companies in their capacity as employers, including, among others, payroll management, social benefits, comprehensive social security system, occupational risk prevention, etc.
• Control and monitoring of active and inactive personnel for statistical purposes.
• Manage the Occupational Health and Safety Management System (OHSMS) in order to mitigate risks, as well as the adequate attention to incidents or events in the development of different work activities.
• Manage employee training and development programs.
• Promote the development of wellness activities, action plans, staffing, and comprehensive employee development in their work environment.
• Use personal information and images generated within the framework of the Companies' activities, processes, and events to share them internally and externally through digital channels, social media, WhatsApp, YouTube, or any other communication medium; as well as the creation and distribution of physical, digital, or audiovisual advertising materials.
• Carry out physical and digital security risk management activities for the employing company through video surveillance and biometric registration devices.
• Conduct due diligence and disciplinary investigation procedures related to legal or reputational risk management, such as fraud, potential criminal offenses, antitrust violations, information leaks, or any other risk defined by the company.
• Register, process, and store the information provided in complaints and/or inquiries filed with the company.

7. D) Technology and security:

• Promote controls over the company's IT and technology systems to manage passwords, users, IT licenses, and technology support.
• Ensure the security of the personal and financial information of suppliers and collaborators, while also ensuring that we have comprehensive and sufficient information to provide them with the best service.
• Video surveillance. ASHLEY may use video surveillance installed in various internal and external locations of its commercial establishments, facilities, or offices. Therefore, it informs the general public of the existence of these mechanisms and will also publicize them in a visible location. The information collected through these mechanisms is used for security purposes, to improve services, and enhance visitor experience. It is also used as evidence in any type of proceeding before any authority or organization.

ASHLEY will process your Personal Data for as long as necessary to fulfill the aforementioned purposes, and/or as long as necessary to comply with legal or contractual obligations.

All Personal Data collected by ASHLEY will be processed exclusively for the purpose and end for which it was provided.

Personal Data may be processed through physical, automated, or digital means, depending on the type and method of information collection.

ASHLEY may subcontract certain functions to third parties. When the processing of personal information is subcontracted to third parties or personal information is provided to third-party service providers, ASHLEY informs such third parties of the need to protect such personal information with appropriate security measures, prohibits them from using the information for their own purposes, and requests that they not disclose the personal information to others.

8. Transmission and Transfer of Personal Data: ASHLEY may transmit or transfer personal data to its parent company, affiliates, subsidiaries, branches, affiliated companies, or third parties located within or outside the territory of the Republic of Colombia. This transfer of personal data must be carried out in strict compliance with the provisions of this Data Processing Policy, the implemented security standards, and ensuring compliance with the applicable principles established in this Policy.

By accepting this Policy, the Data Subject acknowledges that, in the event of a sale, merger, consolidation, change of corporate control, substantial transfer of assets, reorganization, or liquidation of ASHLEY, ASHLEY may transfer, dispose of, or assign the Personal Data to one or more relevant parties, including affiliated companies.

9. Rights and obligations of the data subjects: The Data Subjects, either themselves or through a third party legitimately authorized for this purpose, may exercise the following rights with respect to the Personal Data that is subject to Processing:

• To know, update, and rectify your Personal Data. This right may be exercised, among others, in the case of data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or unauthorized.
• Request proof of the authorization granted to the data controller unless such authorization is not required by law.
• To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been given to your Personal Data.
• Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of the Regulatory Framework, after consulting or submitting a request to the Data Controller.
• Partially or fully revoke the authorization and/or request the deletion of personal data, except when it must remain in the database of the Data Controller or Data Processor due to legal or contractual obligations.
• Access your Personal Data that has been processed free of charge.
• Know the Personal Data Processing Policy and any substantial changes that may occur.
• Please refrain from answering questions about sensitive data. Answers regarding sensitive data or data about children and adolescents are optional.
• Others granted by current legal regulations.

10. Duties of the Controller: ASHLEY is obliged to:

• Guarantee the Holder the full and effective exercise of his or her rights at all times.
• Request and keep a copy of the respective authorization granted by the Owner.
• Inform the Data Subject, in a clear and sufficient manner, about the purpose of the collection and the rights to which they are entitled as Data Subject.
• Keep information under the necessary security conditions in order to guarantee its duty of confidentiality at all times.
• Correct information where appropriate.
• Request express authorization from the Data Subject to confirm and rectify the personal information provided by contacting public entities, specialized companies, or credit bureaus, their contacts, or their employer, as well as their personal, banking, or work references, among others.
• Provide the Controller, as the case may be, only with data whose processing has been previously authorized in accordance with the provisions of this law.
• Demand that the Manager respect the security and privacy conditions of the Owner's information at all times.
• Process inquiries and complaints submitted in accordance with the terms established in the regulations in force on the matter.
• Ensure the principles of legality, freedom, purpose, truthfulness or quality, transparency, restricted access and circulation, security, confidentiality, and temporality of information in the terms established in the Policy.

11. Handling inquiries, requests, and complaints: ASHLEY has established a department responsible for handling and resolving inquiries, requests, and complaints from personal data owners or those authorized to do so. For this purpose, the following channels are designated for handling inquiries, requests, and complaints:

Email: Privacy@ashleycolombia.com

Address: Carrera 19 Avenue #109 – 41 Bogotá DC, Colombia

In the claim or inquiry, the owner must provide their full name and identification. In the case of a third party, they must demonstrate that they are the person authorized to file the claim or inquiry. They must also include an accurate and complete description of the facts giving rise to the specific claim, request, or inquiry; a physical or email address for the purpose of sending the response and providing timely information on the status of the process; and, in the case of claims, any documents or evidence they consider relevant or wish to present.

ASHLEY will address and respond to claims or requests from Data Subjects within the timeframes and terms established for this purpose by the Regulatory Framework.

The Holder, without prejudice to the foregoing, and in the event that his or her request or claim has not been addressed by ASHLEY, may in any case subsequently appeal to the Superintendency of Industry and Commerce in a second instance.

Procedure for Submitting Queries, Petitions, and Complaints: ASHLEY will have the following procedures for addressing questions, complaints, queries, claims, and suggestions submitted by Information Holders:

Queries and Requests: The owner of the information, his/her successors in title or any other person with a legitimate interest, will make queries through written communication or by email, in which:

• Determine your identity, including your name and ID number.
• The reason for the must consultation be clearly and expressly specified.
• The legitimate interest with which the person is acting must be proven, always attaching the appropriate supporting documents.
• Please indicate the physical or electronic correspondence address to which the response to the request can be sent.

In accordance with article fourteen (14) of Law 1581 of 2012, it is established that: "The query will be attended to within a maximum period of ten (10) business days counted from the date of receipt thereof. When it is not possible to attend to it within said period, the interested party will be informed, stating the reasons for the delay and indicating the date on which his/her query will be resolved, which in no case may exceed five (5) business days following the expiration of the first term."

Claims: The owner, his successors in title or any other person with a legitimate interest who considers that the information contained in a database should be subject to correction, updating, deletion, or revocation of the authorization granted for the treatment, or when they notice the alleged non-compliance with any of the duties contained in Law 1581 of 2012, May, by physical or electronic means, present a timely claim to the responsible area. In accordance with article fifteen (15) of Law 1581 of 2012, said claim will be admissible once compliance with the requirements presented below is verified:

The claim must:

i) include the identity of the complainant, stating their name and identification number;

ii) clearly and expressly specify the reason for the inquiry;

iii) prove the legitimate interest of the complainant, always attaching the appropriate supporting documents; and

iv) indicate the physical or electronic correspondence address to which the response to the request should be sent. If the claim is found to be incomplete, "the interested party will be required within five (5) days of receipt to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that they have withdrawn the claim."

In the event that ASHLEY is not competent to resolve the claim, she will forward it to the appropriate person within a maximum period of two (2) business days and inform the interested party of the situation.

The maximum period for addressing the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address it within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be resolved, which in no case may exceed eight (8) business days following the expiration of the first term.

ASHLEY may deny access to Personal Data or the right to rectify, cancel, or oppose the processing of such data when: (i) the applicant is not the Data Subject or the legal representative is not duly accredited to do so; (ii) the applicant's Personal Data cannot be found in its Database; (iii) the rights of a third party are violated; (iv) there is a legal impediment or, where applicable, a resolution from a competent authority restricting access or preventing rectification, cancellation, or opposition to the processing of such data; (v) the rectification, cancellation, or opposition has already been made; and (vi) the Data Subject has a legal or contractual obligation with ASHLEY to remain in its Information Systems.

10. Personal Data Security Measures: ASHLEY has implemented the necessary and sufficient measures to ensure that this Policy is respected at all times, establishing the administrative, technical, and physical security measures that facilitate the protection of your Personal Data, as well as prevent any damage, loss, alteration, destruction, or unauthorized use thereof.

11. Validity and modifications: The Personal Data provided will be kept as long as its deletion is not requested by the interested party (unless requested and there is a legal obligation to retain it). ASHLEY's databases will have an indefinite period of validity since the treatment of the same will be necessary while the legal entity and the development of its corporate purpose subsists, in any case this term will not be less than (50) years. This version of this policy governs from the date of its publication, which completely replaces any previous data processing provision or policy, and will be valid indefinitely and for as long as ASHLEY carries out the activities described therein and they correspond to the processing purposes that inspired this policy.

12. Applicable Law and Jurisdiction: This document shall be governed by and constructed in accordance with the laws of the Republic of Colombia. Any dispute arising from this document shall be submitted to the competent courts in accordance with Colombian law, and both Ashley and the Owner expressly waive any other jurisdiction that may apply to them based on their current or future domicile.