DELLA TERRA APPAREL SAS, hereinafter DELLA TERRA, in order to ensure the proper processing and protection of personal data, or of any information residing in its databases, and in compliance with article 15 of the Political Constitution, Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other regulations that modify, add to or develop it, has developed and adopted this personal data processing policy, hereinafter the "Policy". This Policy shall be binding on Spataro, in its capacity as Controller of personal data, as well as on all allied companies, subsidiaries or those that are part of the business group, and all employees, contractors or third parties acting on behalf of Spataro.

Company name: DELLA TERRA APPAREL SAS

NIT. 901889361

Address: Calle 24 # 3 - 46, Cali

Cali Phone: 4893049

Email address: hello@dellaterra.co

In accordance with current regulations, the following definitions will be applicable to the Policy, as well as to any other policy that forms part of the current regulatory framework regarding the protection and processing of personal data.

Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data;

Database: Organized set of personal data subject to processing;

Personal data: Any information linked to or capable of being associated with one or more specific or identifiable natural persons; Data Controller:

Natural or legal person, public or private, which alone or in association with others, processes personal data on behalf of the Data Controller;

Data Controller: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of data;

Owner: Natural person whose personal data are subject to processing;

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

In accordance with current legislation, the principles that must be applied for the processing of personal data and, therefore, that govern this Policy, are the following:

Principle of legality in data processing: The processing referred to in this law is a regulated activity that must be subject to the provisions established therein and in the other provisions that develop it;

Principle of purpose : The treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Owner;

Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate waiving consent;

Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable and understandable. The processing of partial, incomplete, fractional or misleading data is prohibited;

Transparency Principle: In the Processing, the right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her;

Principle of restricted access and circulation: Processing is subject to the limits arising from the nature of the personal data, the provisions of this law and the Constitution. In this regard, Processing may only be carried out by persons authorized by the Data Subject and/or by persons provided for in this law; personal data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or authorized third parties in accordance with this law;

Security principle: The information subject to processing by the Data Processor or Data Controller referred to in this law must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

Confidentiality principle: All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after ending their relationship with any of the tasks included in the processing, and may only provide or communicate personal data when this corresponds to the development of the activities authorized in this law and under the terms thereof.

The processing of personal data carried out by DELLA TERRA will have the following purposes.

• Comply with obligations contracted with clients, suppliers, allies, users, distributors, contractors and other personnel related to Spataro.
• Carry out marketing, promotion or advertising activities of its own or of third parties, directly by Spataro or by third parties, through any means, on any product or service offered by Spataro or any of its allies, subsidiaries, brands and others.
• Manage procedures (requests, appointments and/or complaints) and conduct surveys on satisfaction, consumer habits, current trends, preferences, purchasing interests, purchasing methods and others related to compliance with Spataro's corporate purpose.
• Carry out sales, billing, collection management, debt collection, fraud prevention and/or any other activity related to current and future products and services, ensuring compliance with contractual obligations and the corporate purpose.
• Provide relevant information that may be required by the sales force and/or distribution network, or any third party with whom Spataro has a contractual relationship.
• Maintain efficient communication with customers, related to the offer of products, promotions, billing and/or services, or any activity carried out by Spataro in the exercise of its corporate purpose.
• Transfer and/or transmit the personal data of the holders within and/or outside the country to third parties, as a result of a contractual relationship, law or legal link that so requires, for the provision of services or by virtue of or compliance with commercial agreements, alliances or contractual relationships.
• Take the necessary measures to prevent and control fraud in any form.
• Carry out the procedures and/or activities necessary to comply with the obligations inherent to the services provided by Spataro.

Holders of personal data will have the following rights:

• To know, update and rectify your personal data in front of DELLA TERRA or the Data Controllers. This right may be exercised, among others, in front of partial, inaccurate, incomplete, fragmented data, which lead to error, or those whose Processing is expressly prohibited or has not been authorized;
• Request proof of the authorization granted to DELLA TERRA, except when expressly excepted as a requirement for Treatment;
• Be informed by DELLA TERRA or by the Data Controller, upon request, about the use that has been made of your personal data;
• Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add to or complement it;
• Revoke authorization and/or request deletion of data when processing does not comply with constitutional and legal principles, rights and guarantees;
• Free access to your personal data that has been subject to processing.

DELLA TERRA, as the party responsible for the processing of personal data, must comply with the duties dictated by law, such as:

a) Guarantee the holder, at all times, the full and effective exercise of the right to habeas data;

b) Request and retain, under the conditions established in this law, a copy of the respective authorization granted by the Owner;

c) Duly inform the Owner of the purpose of the collection and the rights granted to him by virtue of the authorization granted;

d) Maintain the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access;

e) Ensure that the information provided to the Data Controller is true, complete, accurate, up-to-date, verifiable and understandable;

f) Update the information, promptly communicating to the Data Controller any new developments regarding the data previously provided and adopting any other measures necessary to ensure that the information provided to you remains up to date;

g) Rectify the information when it is incorrect and communicate the relevant information to the person in charge of the treatment;

h) Provide the Data Controller, as the case may be, only with the data whose processing has been previously authorized in accordance with the provisions of this law;

i) Require the Data Controller to respect at all times the security and privacy conditions of the Owner's information;

j) Process queries and complaints made under the terms indicated in this law;

k) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, to address queries and complaints; in addition to other obligations set forth in current legislation on the matter.

At the latest at the time of collecting your data, DELLA TERRA must adopt procedures to request the prior, express and informed consent of the data subject for the processing of said data and inform him/her of the personal data that will be collected, as well as the purposes of the processing for which consent is obtained. The collection of data will be limited to those that are relevant and appropriate to the purpose for which they are collected and must be obtained by any means that can be subject to subsequent consultation and verification by the data subject.

The data subject shall be deemed to have given Spataro his/her authorization to process his/her personal data when this is stated: a) in writing; b) verbally; or c) through unequivocal conduct that reasonably allows us to conclude that he/she has given Spataro the respective authorization. In no case shall silence be deemed to be unequivocal conduct.

The authorization of the owner will not be necessary in the case of:

i) information required by a public or administrative entity in the exercise of its legal functions or by court order;

ii) public data;

iii) cases of medical or health emergencies;

iv) processing of information authorized by law for historical, statistical or scientific purposes; and

v) data related to the Civil Registry of Persons.

The owner of the personal data may request Spataro at any time to delete his/her personal data and/or revoke the authorization granted for the processing of the same, by submitting a claim as established in Law 1581 of 2012. However, the request for deletion of information and/or revocation of the authorization will not proceed if the owner of the personal data has a legal or contractual obligation under which it must remain in Spataro's database.

Likewise, the holder may submit queries and/or claims, the procedures and deadlines for which will be those established in Law 1581 of 2012.

The ways to exercise the rights of the holders are the following: Contact information: Calle 24 # 3-46, Cali Valle del Cauca. Tel: (2) 4893049, website: spataro.com.co, email: spataro@spataro.com.co The Spataro customer service area is responsible for receiving requests, queries and complaints from the Holder of Personal Data related to their rights to know, update, rectify and delete Personal Data and revoke the Authorization. Likewise, the Customer Service area will guarantee the timely and adequate response issued by each of the Spataro areas to the requests, queries and complaints of the Data Holders.

The owner of the information expressly authorizes that all his/her information may be transferred and/or transmitted abroad, in compliance with current regulations, in the development of DELLA TERRA's international relations when necessary. Spataro will take all necessary measures so that third parties who know the information of the owners, subject to the obligation to maintain confidentiality, know and observe this Policy, with the understanding that the personal information they receive may only be used for matters directly related to the relationship they have with DELLA TERRA and to achieve the purposes of said relationship, while it is in force.

DELLA TERRA may also exchange personal information with government or other public authorities (including, but not limited to, judicial or administrative authorities, tax authorities and criminal, civil, administrative, disciplinary and fiscal investigation bodies), and with third parties involved in civil legal proceedings and their accountants, auditors, lawyers and other advisors and representatives, because it is necessary or appropriate:

a) Comply with applicable laws, including laws other than those of your country of residence;

b) Comply with legal processes;

c) Respond to requests from public and government authorities, and respond to requests from public and government authorities other than those of your country of residence;

d) To enforce our terms and conditions;

e) To protect our operations;

a) To protect our rights, privacy, safety or property, yours or those of third parties; and

b) Obtain applicable compensation or limit the damages that may affect us.

This personal data processing policy is valid from November 1, 2020 until it is expressly revoked or modified.