BACK

Privacy Policies of Use of the Alfred Platform — Peru

EFFECTIVE DATE:
November 17, 2025
last updated:
November 17, 2025

1. Introduction and Scope

This Privacy Policy governs how Alfred Pay Labs, LLC, a Delaware limited liability company, and its affiliates and its applicable local subsidiaries (collectively, “Alfred,” “we,” or “our”), collect, use, process, store, share, and protect personal information when you use our digital platform, including our website located at alfredpay.io, mobile applications, and related services (collectively, the “Services”).

Alfred Pay Labs, LLC, or the local entity where applicable, serves as the data controller for personal information collected through our Services. For users in Colombia, Argentina, Peru, the Dominican Republic, and Mexico, the specific data controller entity is the Alfred subsidiary you contracted with, as registered with the local supervisory authority.  This Policy describes our privacy practices and explains your rights regarding your personal information.  By using our Services, you acknowledge that you have read and understood this Policy and consent to the collection, use, and disclosure of your personal information as described herein.

This Policy applies to all users of our Services, including those located in Latin America (LATAM), where we operate through local partners or entities in Colombia, Argentina, Peru, the Dominican Republic, Mexico, and other jurisdictions. It has been designed to comply with applicable privacy and data protection laws in those countries, including but not limited to:

  • Ley 1581 de 2012 (Colombia)
  • Ley de Protección de Datos Personales N.º 25.326 (Argentina)
  • Ley N.º 29733 (Peru)
  • Ley 172-13 sobre Protección de Datos Personales (Dominican Republic)
  • Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Mexico)

Alfred Pay Labs, LLC, or the local entity where applicable, serves as the data controller for personal information collected through our Services. This Policy describes our privacy practices in clear, understandable language and explains your rights regarding your personal information. By using our Services, you acknowledge that you have read and understood this Policy and consent to the collection, use, and disclosure of your personal information as described herein.

2. Information We Collect

We collect personal information through multiple channels to provide, maintain, and improve our Services while ensuring compliance with applicable legal and regulatory requirements. The information we collect falls into three: primary categories:

Information You Provide Directly: When you register for an account, use our Services, or communicate with us, you may provide various types of personal information. This includes your full legal name, email address, phone number, postal address, date of birth, and government-issued identification numbers required for identity verification and compliance with anti-money laundering regulations. We also collect financial information such as bank account details, payment card information, transaction history, and financial statements necessary to provide our financial services. Additionally, we collect verification documents including government-issued identification cards, and other documentation required for identity verification and regulatory compliance purposes.  Sensitive Personal Data. We do not collect sensitive personal data (datos sensibles) such as biometric data, health information, racial or ethnic origin, political opinions, religious beliefs, philosophical convictions, union membership, genetic data, or data concerning sexual orientation unless you explicitly provide such information with your prior express written consent, which we will request separately when required. If our Services evolve to require collection of sensitive data, we will update this Policy and obtain your explicit consent before processing such information.

Information Collected Automatically: Our systems automatically collect certain information when you access and use our Services. This includes technical information such as your IP address, device identifiers, browser type and version, operating system, screen resolution, and device settings. We also collect usage information including pages visited, features used, time spent on our Services, click patterns, navigation paths, and interaction data. Location information is collected based on your IP address and, with your permission, precise location data from your device. We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your browsing behavior and preferences.

Information from Third-Party Sources: We obtain information from various third-party sources to verify your identity, prevent fraud, and comply with legal requirements. This includes information from identity verification services, credit reporting agencies, fraud prevention providers, and financial data aggregators. We may also collect information from public records, government databases, business partners, affiliates, and referral sources. All third-party information is obtained in accordance with applicable privacy laws and the terms of service of the providing parties.  If you believe that information obtained from third-party sources is inaccurate, incomplete, or outdated, you have the right to request correction or supplementation of such information by contacting us at  compliance@alfredpay.io. We will investigate your request within fifteen (15) business days and update our records accordingly, or provide an explanation if we determine the information to be accurate. You may also request information about the sources from which we obtained your personal data.

3. How We Use Your Information

We process your personal information for various purposes based on different legal grounds, ensuring that our processing activities are lawful, fair, and transparent. Our primary purposes for processing include service provision, legal compliance, business operations, and consent-based activities.

Service Provision and Contract Performance: We use your personal information to create and manage your account, authenticate your identity, process transactions, and provide the services you have requested. This includes facilitating payments and financial transactions, providing customer support, responding to your inquiries, and maintaining the security and integrity of our platform. We also use your information to personalize your experience, recommend relevant services, and communicate with you about your account and transactions.

Legal Compliance and Regulatory Requirements: We process your personal information to comply with various legal and regulatory obligations, including anti-money laundering and know-your-customer requirements, tax reporting obligations, and regulatory reporting requirements. We maintain records as required by financial regulations, report suspicious activities to appropriate authorities, respond to legal process and government requests, and cooperate with law enforcement investigations when legally required.

Legitimate Business Interests: We use your information to improve and develop our Services, conduct data analytics and research, detect and prevent fraud and security threats, and protect our rights and property. We also use your information for marketing purposes, business relationship management, risk assessment, and operational efficiency improvements. These activities are conducted in accordance with applicable privacy laws and balanced against your privacy rights and interests.

Consent-Based Processing: Where required by law or where we have obtained your explicit consent, we may use your personal information for additional purposes such as sending promotional communications, using precise location data for enhanced services, and processing sensitive personal information. You have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Automated Decision-Making and Profiling. We use automated systems and algorithms to analyze your personal information for purposes including fraud detection, risk assessment, credit decisioning, transaction monitoring, identity verification, and service personalization. These automated processes may produce decisions that significantly affect you, including decisions regarding your eligibility for financial services, transaction approval or rejection, account limitations, or pricing. The logic involved includes machine learning models, rule-based systems, and statistical analysis of transaction patterns and user behavior. You have the right to request human review of any automated decision that produces legal effects or similarly significant consequences concerning you. To request such review or obtain additional information about the automated processing logic, please contact us at  compliance@alfredpay.io. In Argentina, you have the specific right under Article 13 of Ley 25.326 not to be subject to decisions based solely on automated processing of your personal data that produce legal effects or significantly affect you.

4. Information Sharing and Disclosure

We may share your personal information with third parties in specific circumstances and under appropriate safeguards to protect your privacy and ensure compliance with applicable laws. Our sharing practices are designed to be transparent, limited to necessary purposes, and subject to appropriate contractual protections.

Service Providers and Business Partners: We share personal information with carefully selected third-party service providers who perform services on our behalf, including payment processors, identity verification services, cloud storage providers, customer support platforms, marketing service providers, and technology vendors. These providers are contractually obligated to protect your information, use it only for specified purposes, and maintain appropriate security measures. We also share information with financial institutions, payment networks, and other business partners necessary to provide our Services, subject to appropriate data protection agreements and regulatory requirements.  To the fullest extent permitted by law, Alfred is not liable for the unauthorized acts or omissions of third-party service providers regarding the security or processing of your personal information, provided that Alfred has implemented appropriate contractual safeguards, conducted reasonable due diligence in selecting such providers, and maintains ongoing oversight of their compliance. We require service providers to notify us immediately of any data breaches or security incidents and reserve the right to audit their compliance with data protection obligations. In the event of a third-party breach, we will take appropriate action as described in Section 13 (Data Breach Notification).

Legal Requirements and Regulatory Compliance: We disclose personal information when required by law, regulation, legal process, or government request. This includes disclosures to law enforcement agencies, regulatory authorities, tax authorities, and courts in response to subpoenas, court orders, or other legal demands. We may also disclose information to comply with anti-money laundering regulations, sanctions requirements, and other financial compliance obligations.

Business Transfers and Corporate Transactions: In connection with any merger, acquisition, reorganization, sale of assets, or other corporate transaction, your personal information may be transferred to the acquiring entity or successor organization. We will provide notice of such transfers and ensure that appropriate privacy protections are maintained during and after any such transaction.

Protection of Rights and Safety: We may disclose personal information when we believe it is necessary to protect our rights, property, or safety, or that of our users or the public. This includes disclosures in connection with fraud prevention, security investigations, enforcement of our terms of service, and protection against legal liability.

All data transfers—especially cross-border—are subject to applicable legal safeguards.

5. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes outlined in this Policy, comply with applicable legal and regulatory obligations in the jurisdictions where we operate (including AML, tax, and financial laws), resolve disputes, and enforce our agreements. Our retention practices are guided by the nature of the data, the legal basis for its processing, and any applicable requirements under local data protection frameworks.

Account and Identity Information: We retain account information, identity documents, and related personal data for the duration of your relationship with Alfred, and for up to seven (7) years following account closure. This retention is required to comply with anti-money laundering regulations and other financial and supervisory obligations in jurisdictions such as Mexico (CNBV), Colombia (UIAF), and Argentina (UIF).

Transaction and Financial Records: Transaction records, payment information, and financial data are retained for seven years after the transaction date or account closure, whichever is later, as required by financial regulations and tax laws. This includes transaction histories, payment card information, bank account details, and related financial documentation.

Communications and Support Records: Customer service communications, support tickets, and related correspondence are typically retained for three years after the last interaction to provide ongoing support and resolve any disputes that may arise. Marketing communications and preferences are retained until you unsubscribe or object to processing.

Technical and Usage Data: Technical logs, usage analytics, and similar data are typically retained for two to three years unless longer retention is required for security, fraud prevention, or legal purposes. We regularly review our retention practices and securely delete or anonymize information when it is no longer necessary or legally required.

6. Your Rights and Choices

Depending on your jurisdiction and applicable privacy laws, you may have various rights regarding your personal information. These rights may include the ability to request access to the data we hold about you, to request that inaccurate or incomplete information be corrected, and, in some cases, to request that we delete your personal information altogether. You may also have the right to restrict how we use your data, to object to certain types of processing (including direct marketing), and to request a copy of your data in a structured, machine-readable format that you can transfer to another service provider. Where our processing of your personal information is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. To exercise any of these rights, please contact us at  compliance@alfredpay.io or submit a written request to our physical address listed in Section 12. We will respond to your request as required by applicable law. We may require you to verify your identity by providing government-issued identification or answering security questions before processing your request to prevent unauthorized disclosure or modification of your personal information. We do not charge fees for rights requests unless they are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request, and we will inform you of the basis for any such decision. If we deny your request in whole or in part, we will provide a written explanation of the reasons for denial, and you may appeal the decision by contacting our Data Protection Officer at compliance@alfredpay.io or by lodging a complaint with the relevant supervisory authority as listed in Section 12.

Access and Data Portability Rights: You have the right to request access to the personal information we hold about you and to receive a copy of this information in a structured, commonly used, and machine-readable format. This includes the right to obtain information about the purposes of processing, categories of personal data, recipients of the data, and retention periods.

Correction and Update Rights: You may request correction of inaccurate or incomplete personal information and ask us to update your records with current information. We will make reasonable efforts to verify the accuracy of any corrections and update our records accordingly.

Deletion and Erasure Rights: You may request deletion of your personal information in certain circumstances, such as when the information is no longer necessary for the purposes for which it was collected or when you withdraw consent for consent-based processing. However, we may retain certain information as required by law or for legitimate business purposes such as fraud prevention and regulatory compliance.

Restriction and Objection Rights: You may request restriction of processing in certain circumstances, such as when you contest the accuracy of the information or object to processing based on legitimate interests. You also have the right to object to processing for direct marketing purposes at any time.

Consent Withdrawal: Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent may affect our ability to provide certain services or features.

Non-Discrimination: You will not face discriminatory treatment for exercising your privacy rights, including denial of services, different pricing, or reduced service quality. However, some features or services may not be available if you choose to limit our processing of your personal information.

7. Security Measures

We apply robust technical, organizational, and physical safeguards to ensure the protection of your personal information against unauthorized access, loss, misuse, alteration, or destruction. These measures are regularly reviewed to ensure alignment with evolving threats and compliance with LATAM cybersecurity and financial regulations.

Technical Safeguards: We employ industry-standard encryption technologies to protect data both in transit and at rest, including end-to-end encryption for sensitive communications and advanced encryption standards for data storage. Our systems utilize multi-factor authentication, secure access controls, and regular security assessments including penetration testing and vulnerability management. We maintain secure network architectures with intrusion detection systems, firewalls, and continuous monitoring to identify and respond to potential security threats.  

Administrative Safeguards: Our employees receive regular training on privacy and security best practices, and access to personal information is limited to those with a legitimate business need to know. We conduct background checks for personnel with access to sensitive data and maintain incident response procedures to address potential security breaches promptly and effectively. Our privacy and security policies are regularly reviewed and updated to reflect current best practices and regulatory requirements.

Physical Safeguards: We utilize secure data centers with restricted access controls, environmental monitoring, and redundant systems to protect against physical threats and ensure business continuity. Physical media containing personal information is securely stored and disposed of in accordance with industry standards, and visitor access to facilities is controlled and logged.

In all countries where we operate, we commit to applying data protection by design and by default, and to aligning with local standards such as Colombia’s Decree 1377, Mexico’s LFPDPPP, and applicable security mandates from central banks or financial regulators.  For information about our data breach notification procedures, including timelines and your rights in the event of a security incident, please see Section 13 (Data Breach Notification) below.

8. International Transfers

We may transfer your personal information to countries outside your country of residence, including the United States, for processing and storage. When we transfer personal information from the European Economic Area to countries that have not received an adequacy decision from the European Commission, we implement appropriate safeguards to ensure adequate protection of your personal data.

Transfer Safeguards: We utilize Standard Contractual Clauses approved by the European Commission, Binding Corporate Rules for intra-group transfers, and other approved transfer mechanisms to ensure that your personal information receives adequate protection regardless of where it is processed. We also rely on adequacy decisions for transfers to countries that have been deemed to provide adequate protection for personal data.

Cross-Border Processing: Our global operations may require the transfer of personal information across international borders for legitimate business purposes such as customer support, technical operations, and regulatory compliance. All international transfers are conducted in accordance with applicable data protection laws and subject to appropriate contractual protections.

9. Cookie Policy

9. Children’s Privacy

Our Services are not intended for individuals under the age of eighteen, and we do not knowingly collect personal information from children under eighteen years of age. If we become aware that we have collected personal information from a child under eighteen, we will take immediate steps to delete such information from our systems and terminate any associated accounts.

Age Verification: We implement age verification procedures during account registration to prevent minors from accessing our Services. If you believe that we have collected information from a child under eighteen, please contact us immediately at  compliance@alfredpay.io so that we can take appropriate action to remove such information and prevent future collection.

Parental Rights: Parents or legal guardians who believe that their child has provided personal information to us may contact us to request access to, correction of, or deletion of such information. We will verify the identity of the requesting party before taking any action regarding a child’s personal information.

10. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors that may affect how we collect, use, or protect your personal information. We are committed to providing you with notice of material changes and ensuring that you have the opportunity to review and understand any updates to our privacy practices.

Notification of Changes: We will notify you of material changes to this Policy by posting the updated Policy on our website with a new effective date, sending email notifications to registered users, providing in-app notifications for mobile users, and using other appropriate communication methods. For significant changes that may affect your rights or how we process your personal information, we may seek your renewed consent where required by applicable law.

Continued Use: Your continued use of our Services after the effective date of any changes to this Policy constitutes your acceptance of the updated Policy. If you do not agree with any changes, you should discontinue use of our Services and may request deletion of your personal information subject to applicable legal and regulatory retention requirements.

11. Contact Information

For privacy-related questions, concerns, requests, or complaints, please contact us using the information provided below. We are committed to addressing your privacy concerns promptly and effectively, and we will respond to your inquiries within the timeframes required by applicable law.

Primary Contact Information: You may contact our privacy team for matters specifically related to data protection compliance and your privacy rights at  compliance@alfredpay.io.

12. Data Breach Notification

We are committed to protecting the security and confidentiality of your personal information. In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will notify affected individuals and relevant regulatory authorities in accordance with the applicable legal requirements in each jurisdiction where we operate. This section describes our breach notification procedures, timelines, and your rights in the event of a security incident.

12.1 What Constitutes a Data Breach. For purposes of this Policy, a “data breach” means any confirmed security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal information transmitted, stored, or otherwise processed by Alfred or our service providers. This includes but is not limited to: unauthorized access to our systems or databases; ransomware or malware attacks that compromise personal information; accidental disclosure to unauthorized third parties; loss or theft of devices or physical records containing personal information; and any other incident that creates a risk of harm to your privacy, financial security, or other fundamental rights.

12.2 Notification Timelines. We will notify affected individuals and regulatory authorities within the following timeframes from when we become aware of the data breach:

Colombia: Within fifteen (15) business days of confirming the breach, we will notify the Superintendencia de Industria y Comercio (SIC) and affected individuals, as required by Ley 1581 de 2012 and Decree 1377 of 2013.

Argentina: Immediately upon detection of the breach, we will notify the Agencia de Acceso a la Información Pública (AAIP) and affected individuals, consistent with the obligations under Ley 25.326 and applicable regulatory guidance.

Peru: Within five (5) business days of confirming the breach, we will notify the Autoridad Nacional de Protección de Datos Personales and affected individuals, as required under Ley N.º 29733 and its implementing regulations.

Dominican Republic: Within forty-eight (48) to seventy-two (72) hours of discovering the breach, we will notify the Departamento de Protección de Datos Personales and affected individuals, as mandated by Article 26 of Ley 172-13.

Mexico: Without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, we will notify the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) and affected individuals, consistent with LFPDPPP requirements and INAI guidelines.

United States and Other Jurisdictions: We will comply with applicable breach notification laws in any other jurisdictions where we operate or where affected individuals reside.

12.3 Who Will Be Notified. Depending on the nature and severity of the breach, we will notify:

Affected Individuals: All individuals whose personal information was or may have been compromised in the breach will receive direct notification via email to the address on file, and where email is unavailable or notification by email is not reasonably possible, via postal mail, SMS, telephone, or prominent notice on our website or mobile application.

Regulatory Authorities: We will notify the relevant data protection authority in each jurisdiction where affected individuals reside or where we are required to report, including the supervisory authorities listed in Section 13.2 above.

Financial Institutions and Payment Networks: Where the breach involves payment card information, bank account details, or other financial data, we will notify affected financial institutions and payment card networks as required by payment card industry (PCI DSS) standards and applicable banking regulations.

Law Enforcement: Where the breach involves suspected criminal activity, we will cooperate with and notify appropriate law enforcement agencies.

Third-Party Service Providers: We will notify any service providers, business partners, or vendors whose systems or data may have been affected by the breach.

12.4 Content of Breach Notifications. Notifications to affected individuals will include the following information, to the extent known at the time of notification:

(a) Description of the Breach: A clear description of what happened, including the date or estimated date of the breach and the date the breach was discovered;

(b) Categories of Personal Information: The types and categories of personal information that were or may have been compromised (e.g., names, identification numbers, financial account information, transaction history);

(c) Number of Individuals Affected: The approximate number of individuals affected or potentially affected by the breach;

(d) Potential Consequences: A description of the likely consequences and potential risks to affected individuals, including risks of identity theft, financial fraud, unauthorized account access, or other harm;

(e) Measures Taken: The measures we have taken or will take to mitigate the harm caused by the breach, including steps to secure our systems, investigate the incident, and prevent future breaches;

(f) Recommended Actions: Specific recommendations for affected individuals to protect themselves, which may include changing passwords, monitoring account statements and credit reports, enabling multi-factor authentication, placing fraud alerts, or other protective measures;

(g) Contact Information: Contact information for our Data Protection Officer or designated representative where individuals can obtain additional information, ask questions, or report concerns about the breach; and

(h) Right to Lodge Complaints: Information about your right to lodge a complaint with the relevant supervisory authority in your jurisdiction, including contact information for such authorities as listed in Section 12 of this Policy.

Notifications to regulatory authorities will include the information specified above plus any additional information required by the applicable authority’s breach notification procedures and guidelines.

12.5 Breach Investigation and Documentation. Upon discovering a potential data breach, we will immediately initiate an investigation to determine the scope, cause, and impact of the incident. Our investigation procedures include:

Incident Response Team: Activation of our designated incident response team, which includes information security, legal, compliance, and relevant business unit personnel;

Containment Measures: Immediate implementation of measures to contain the breach, prevent further unauthorized access, and secure affected systems and data;

Forensic Analysis: Engagement of internal or external cybersecurity experts to conduct forensic analysis and determine the root cause, entry point, and extent of the breach;

Impact Assessment: Assessment of the number and categories of individuals affected, the types of personal information compromised, and the potential risks and consequences to affected individuals;

Documentation: Comprehensive documentation of the breach, including timelines, affected systems and data, individuals and authorities notified, remediation measures implemented, and lessons learned; and

Record Retention: Maintenance of breach documentation for a minimum of seven (7) years or as required by applicable regulatory authorities, to demonstrate compliance with notification obligations and support regulatory audits or investigations.

We maintain an Incident Response Plan that is regularly tested and updated to ensure effective and timely response to data security incidents.

12.6 Post-Breach Remediation and Prevention. Following a data breach, we will take comprehensive measures to remediate the incident, mitigate harm to affected individuals, and prevent future breaches, including:

  • Immediate remediation of security vulnerabilities or weaknesses that contributed to the breach, including patching software, updating security configurations, and strengthening access controls;
  • Implementation of additional technical and organizational security measures based on lessons learned from the breach, which may include enhanced encryption, improved monitoring and detection systems, additional employee training, or changes to data handling procedures;
  • Provision of support services to affected individuals, which may include identity theft protection services, credit monitoring, fraud resolution assistance, or reimbursement for certain costs incurred as a direct result of the breach, as determined on a case-by-case basis and in accordance with applicable law;
  • Full cooperation with regulatory authorities in their investigation of the breach, including providing requested documentation, submitting to audits or inspections, and implementing any corrective measures required by regulators;
  • Where the breach resulted from a third-party service provider’s failure to maintain adequate security, we will take appropriate action, which may include contract termination, requiring remediation, or pursuing indemnification for losses; and
  • Review and update of our privacy and security policies, procedures, and practices to address any gaps or weaknesses identified during the breach investigation.

12.7 Delay or Limitation of Notification. In limited circumstances, we may delay or limit breach notification as follows:

  • If a law enforcement agency determines that notification would impede a criminal investigation or jeopardize national security, we may delay notification to affected individuals for the period requested by the agency, provided that such delay is permitted by applicable law. We will notify affected individuals as soon as the law enforcement agency confirms that notification will no longer impede the investigation.
  • If immediate notification would create additional risk to the security of our systems or data (for example, by alerting an ongoing attacker to our detection of the breach), we may briefly delay notification until containment measures are in place, but in no case longer than permitted by applicable law.
  • If a regulatory authority provides specific instructions regarding the timing, method, or content of breach notifications, we will comply with such instructions.

Any delay in notification will be documented with clear justification and will be reported to regulatory authorities as required by law. We will not delay notification beyond the timeframes required by applicable law without express authorization from the relevant regulatory authority or law enforcement agency.

12.8 No Waiver of Rights. Nothing in this Data Breach Notification section limits or waives your rights under applicable data protection laws, consumer protection laws, or other legal frameworks in your jurisdiction. You retain all rights to seek legal remedies, file complaints with regulatory authorities, or pursue other actions available to you under applicable law in the event of a data breach. Our compliance with breach notification obligations does not constitute an admission of liability or fault and does not limit our ability to assert applicable defenses in any legal proceeding.

13. Supervisory Authority Registration and Compliance

Alfred Pay Labs, LLC and its local entities maintain registrations with the relevant data protection supervisory authorities in each jurisdiction where required by law:

Colombia: We are registered with the Superintendencia de Industria y Comercio (SIC) as a data controller (responsable del tratamiento) and comply with registration renewal and reporting obligations under Ley 1581 de 2012.

Argentina: We are registered in the National Registry of Databases (Registro Nacional de Bases de Datos) maintained by the Agencia de Acceso a la Información Pública (AAIP) in accordance with Article 21 of Ley 25.326.

Mexico: We comply with reporting and registration obligations with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) as required under the LFPDPPP and maintain updated privacy notices.

Peru: We comply with registration requirements with the Autoridad Nacional de Protección de Datos Personales as required under Ley N.º 29733 for databases containing personal information.

Dominican Republic: We maintain compliance with registration and reporting requirements under Ley 172-13 with the Departamento de Protección de Datos Personales.

We submit periodic reports and updates to these authorities as required and cooperate fully with regulatory audits, investigations, and enforcement proceedings. You may verify our registration status by contacting the relevant supervisory authority in your jurisdiction.

14. Data Protection Impact Assessments

For processing activities that present high risks to your rights and freedoms, particularly those involving new technologies, large-scale processing, automated decision-making, or sensitive personal data, we conduct Data Protection Impact Assessments (DPIAs) to identify and mitigate privacy risks. Our DPIA process includes:

(a) Systematic description of the proposed processing operations and their purposes;

(b) Assessment of the necessity and proportionality of the processing in relation to the stated purposes; (c) Evaluation of the risks to your rights and freedoms, including risks of unauthorized access, identity theft, discrimination, or other harm; (d) Identification of measures to address and mitigate identified risks, including technical and organizational safeguards; and (e) Where required by law, consultation with the relevant supervisory authority before commencing high-risk processing activities.

We maintain documentation of DPIAs and review them periodically or when there are significant changes to processing operations. DPIA documentation is available to regulatory authorities upon request.

Effective Date: November 17, 2025 (o cuando esté previsto su lanzamiento)