Personal Data Protection Policy for Taurus Marketing BTL SpA

Introduction

Taurus Marketing BTL SpA («Taurus», «we», «us», or «the Company»), National Tax ID (RUT) No. 77.419.146-1, with its address at La Macarena 34, municipality of Las Condes, city of Santiago, Chile, is firmly committed to the protection and respect for the privacy of the personal data of all natural persons («Data Subjects» or «Users») who participate in the marketing activities we develop for our clients.

The purpose of this Personal Data Protection Policy («Policy») is to provide transparent information on how we collect, process, store, and protect personal data, in strict compliance with the Chilean regulatory framework, primarily Law No. 19.628 on the Protection of Private Life and its subsequent amendments.

This Policy establishes the principles and procedures that guarantee the integrity of the Company and the Users, and clearly defines our role as agents in the processing of data, which are for the exclusive use and ownership of our clients.

Applicable Legal Framework

This Policy is governed by the following Chilean regulations:

● Law No. 19.628 on the Protection of Private Life: Establishes the fundamental rules on the protection of personal data.

● Civil Code and Commercial Code: Regarding contractual obligations and responsibilities with our clients.

● Other sector-specific regulations that may be applicable to specific campaigns.

Key Definitions (According to Law No. 19.628)

● Personal Data: Information relating to any identified or identifiable natural person (Article 2, letter f).

● Sensitive Data: Personal data that refers to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, such as personal habits, racial origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health conditions, and sex life (Article 2, letter g).

● Data Subject: The natural person to whom the personal data refers.

● Data Controller (Responsable del Registro o Banco de Datos): The private or public natural or legal person responsible for decisions on the processing of personal data (Article 2, letter n). In the context of Taurus’s services, our clients are the «Data Controllers».

● Data Processing: Any operation or set of operations or technical procedures, whether automated or not, that allow for the collection, storage, recording, organization, elaboration, selection, extraction, comparison, interconnection1, dissociation, communication, assignment, transfer, transmission, or cancellation of personal data, or its use in any other form (Article 2, letter o).

● Data Processor (Mandatario para el Tratamiento de Datos): Taurus Marketing BTL SpA acts as an agent that processes personal data on behalf of and under the instruction of the «Data Controller» (the client), without having ownership or control over said data.

Fundamental Principles of Data Processing

Taurus adheres to the following guiding principles established in Law No. 19.628:

● Principle of Lawfulness: All processing of personal data must be carried out with the consent of the data subject, except for legal exceptions (Article 4).

● Principle of Purpose: Personal data must be used only for the purposes for which it was collected, which must be explicit and lawful (Article 9).

● Principle of Quality and Accuracy: Personal data must be accurate, up-to-date, and truthfully reflect the real situation of the data subject (Article 11).

● Principle of Security: The Data Controller (and by extension, Taurus as the processor) must handle the data with due diligence, being liable for damages (Article 11). Security measures must be implemented to prevent its alteration, loss, unauthorized processing, or access.

● Principle of Information and Transparency: The data subject has the right to be informed about the purpose of storing their data and its possible communication to the public (Article 12).

Our Role: Data Processors

It is essential to clarify that Taurus Marketing BTL SpA is not the owner nor the final controller of the databases that are generated. We act exclusively as processors (mandatarios) on behalf of our clients.

This implies that:

1. The Client is the Controller: Our client, for whom the campaign or activation is carried

out, is the «Data Controller» and is the one who defines the purpose and use of the information collected.

2. Exclusive and Restricted Use: Personal data obtained in a campaign is the exclusive property and for the exclusive use of the client for whom said campaign was conducted.

3. Prohibition of Internal Use and Transfer: Taurus Marketing BTL SpA is strictly prohibited from using this data for its own purposes, for other campaigns of other clients, or from assigning, selling, sharing, or communicating it to any third party other than the mandating client.

Collection and Processing of Personal Data

We collect personal data on behalf of our clients through lawful means and with the prior consent of the data subject. These means include, but are not limited to:

● Registration forms at events, contests, and promotions.

● Landing pages and campaign websites.

● Interactions on social media.

● Surveys and point-of-sale activations.

The processing of data will always be based on the explicit, informed, and unequivocal consent of the data subject, in accordance with Article 4 of Law No. 19.628. At the time of collection, the following will be clearly informed:

● The identity of the client (Data Controller) for whom the data is being collected.

● The specific purpose of the processing (e.g., to participate in a sweepstake, receive a newsletter, etc.).

● Whether the data will be communicated to third parties and for what purpose (if the client so defines).

● The existence of the database in which it will be stored.

● The mandatory or optional nature of the answers.

● How to exercise their rights of access, rectification, cancellation, and opposition.

We will not collect sensitive data unless authorized by law, with the express consent of the data subject, or if the data is necessary for the determination or granting of health benefits corresponding to its subjects.

Rights of Data Subjects (ARCO Rights)

In accordance with Article 12 of Law No. 19.628, every data subject has the following rights:

● Right of Access: To request and obtain information about their personal data held in the

database, its origin, recipient, the purpose of storage, and the identity of the persons or entities to which their data is regularly transmitted.

● Right of Rectification: To request the modification of their data if it is erroneous, inaccurate, misleading, or incomplete.

● Right of Cancellation or Erasure: To request the erasure or cancellation of their data when its storage lacks a legal basis, has expired, or when the data subject has revoked their consent.

● Right of Opposition: To object to the use of their personal data for advertising, market research, or opinion survey purposes.

Procedure for Exercising Rights:

The data subject must direct their request to the client (Data Controller) for whom the information was collected. The identity and contact information of the responsible client will be provided at the time of data collection.

Taurus Marketing BTL SpA, in its capacity as a processor, will provide all necessary assistance to its clients so they can provide a timely and effective response to the requests of data subjects, within the deadlines and forms established by law (generally, within two business days for cancellation or modification).

Security Measures

In compliance with Article 11 of Law No. 19.628, we have implemented technical and organizational security measures to protect personal data against destruction, alteration, loss, unauthorized access, or illicit processing. These measures include:

● Digital Security: Use of firewalls, data encryption, secure transmission protocols (HTTPS), and role-based access controls.

● Physical Security: Protection of facilities and servers where information is stored.

● Contractual Confidentiality: All our employees and subcontractors sign confidentiality agreements that prohibit them from disclosing or using data for unauthorized purposes.

● Incident Management Procedures: Protocols to detect and respond to potential security breaches.

Data Retention and Deletion

Personal data will be kept only for the time necessary to fulfill the purpose for which it was collected, as instructed by our client. Once the purpose is fulfilled, or at the end of our contractual relationship with the client, the personal data will be securely deleted from our systems, or it will be returned in its entirety to the client, ensuring that no copies remain in our possession.

Modifications to the Privacy Policy

Taurus reserves the right to modify this Policy to adapt it to legislative or jurisprudential changes or new industry practices. Any modification will be communicated in a timely manner through the channels we deem appropriate.

Contact

For any questions about this Policy or the role of Taurus Marketing BTL SpA in data processing, you can contact us at:

Taurus Marketing BTL SpA

Address: La Macarena 34, Las Condes, Santiago, Chile.

Email: contacto@taurusmkt.com

It is reiterated that for the exercise of ARCO rights, data subjects must directly contact the company or brand (our client) identified as the Data Controller during the corresponding marketing activity.