Personal Data Protection Policy

THE FIRM undertakes to safeguard the privacy of clients and users (hereinafter referred to as the user(s)) who visit its websites or applications (hereinafter referred to as the Digital Channels).

This Personal Data Protection Policy (hereinafter referred to as the Personal Data Protection Policy) establishes the practices for the collection and transmission of personal data on the Digital Channels, with the purpose of informing you of the ways in which the websites and applications collect personal data, the use given to such information, and the ways in which we will share any personal data you choose to provide to THE FIRM.

If you are already a client of THE FIRM, it is possible that, when personal information is collected from the user, you may receive additional notices explaining certain uses related to your personal information, together with the option to accept or reject such uses.

The Digital Channels may contain links to third-party websites. If you access a third-party website through one of these links, please note that such sites have their own Personal Data Protection Policies; therefore, THE FIRM assumes no responsibility for them or for the processing of personal data carried out on such third-party websites. Please review the corresponding policies before submitting personal information to such third-party websites.

This Personal Data Protection Policy aims to explain privacy practices and addresses the following aspects:

• What personal data about you we may collect
• Uses of personal data
• Transmission, storage, and security of personal data
• Internet security
• Transfer of personal data outside Ecuador
• Storage limits
• Your rights and how to contact us
• Marketing
• Data updating
• Data subject rights
• Cookie policy
• Changes to the Personal Data Protection Policy or the Cookie Policy

What personal data about you may we collect?

We will collect and process all or some of the following personal data about you:

• Information provided by the user.
• The personal data provided by the user include the data entered in the contact forms of the websites and applications, such as identification and contact details.
• Survey information. We may ask you to complete surveys that we use for research purposes. In such cases, the information provided in the completed survey will be collected.
• Use of websites and media. When a user visits the websites, details and information about such visits are collected through cookies and other tracking technologies. This information includes your
• IP address and domain name, browser version and operating system, traffic and location data, web logs, resources accessed, and other communication data.
• Data provided by other sources. We may collect your personal data from public sources and third parties.

Uses of personal data

This section sets out the purposes for which the user’s personal data are collected through the Digital Channels and, in accordance with the obligations imposed by Ecuadorian legislation, identifies the legal grounds that support the processing of the information.

These legal grounds are set out in the Organic Law on Personal Data Protection, which allows THE FIRM to process personal data only in accordance with the specific legal bases established in the law.

Please note that, in addition to the disclosures identified below, personal information may be disclosed for the purposes explained in this document to suppliers, contractors, agents, and advisors (whether legal, financial, commercial, or otherwise) of THE FIRM who act on our behalf.

For effective communication and to conduct business. To conduct business, including responding toinquiries, contacting the user, formalizing and legalizing processes before various public entities, and fulfilling the obligations assumed in agreements between THE FIRM and the user.

Legal basis for use: To perform contractual obligations and provide our services, we rely on compliance with contractual obligations, compliance with legal obligations, and our legitimate interest.

To provide marketing materials. To show you news and offers when you have agreed to receive them. Your personal information may also be used to offer you THE FIRM’s products and services and those of its selected business partners by regular mail, email, SMS, and telephone. In the cases provided by law, your consent will be requested at the time your data are collected in order to carry out any of these marketing actions. You have the option to unsubscribe or opt out of receiving further marketing-related communications, either in person at any branch nationwide or by submitting a request through the official email addresses available on our official website.

Legal basis for use: To keep you informed about news related to our products and services, we rely on your consent and our legitimate interest.

For research and development purposes. To analyze personal data in order to better understand your service and marketing requirements and those of other clients, as well as to better understand our business and develop higher-quality products and services.

Legal basis for use: To improve our services, we rely on our legitimate interest.

To monitor certain activities. To monitor inquiries and transactions, ensure service quality and compliance with regulatory procedures, and combat fraud.

Legal basis for use: To ensure the quality and legality of our services, processing is based on compliance with legal obligations, compliance with judicial orders, and our legitimate interest.

To inform you of changes. To notify you of changes made to our products and services.

Legal basis for use: To inform you of changes to our services, we rely on our legitimate interest.

To ensure that the content of the Digital Channels remains relevant. To ensure that the content of the

Digital Channels is presented in the most effective manner for the user and their devices, including the transmission of data to business partners, distributors, or service providers.

Legal basis for use: To display the content and services available on the Digital Channels, we rely on our legitimate interest as the legal basis.

To reorganize or modify the business. In the event that THE FIRM: (i) is subject to negotiations for the sale of the business or part thereof to a third party; (ii) is sold to a third party; or (iii) carries out a reorganization, we may need to transfer all or part of the user’s personal data to the relevant third party (or its advisors) as part of due diligence procedures related to analyzing any proposed sale or reorganization. We may also need to transfer the user’s personal data to such reorganized entity or third party after the sale or reorganization so that they may use them for the same purposes set out in this policy.

Legal basis for use: To modify our business, we rely on our legitimate interest. In relation to legal or regulatory obligations. The user’s personal data may be processed to comply with certain regulatory requirements or in communications with regulators, including the disclosure of personal information to third parties, judicial services, regulators, or law enforcement agencies in connection with requests, proceedings, or investigations carried out by such entities anywhere in the world or where they are required to carry out such actions. To the extent permitted, such requests will be directed to you or you will be informed before a response is provided, unless doing so would interfere with the prevention or detection of unlawful activity.

Legal basis for use: To cooperate with law enforcement agencies and regulatory authorities, we process personal data based on compliance with legal obligations, compliance with judicial orders, and our legitimate interest.

Transmission, storage, and security of personal data Internet security. The security of any transmission over the Internet or through the Digital Channels against intruders cannot be guaranteed. However, commercially reasonable physical, electronic, and procedural measures are employed, as well as legal and organizational mechanisms, to protect user information in accordance with the requirements established in data protection legislation.

All personal data you provide to us are stored on our secure servers or those of our data access providers.

Access to and use of such information are subject to THE FIRM’s security policies and standards. Where we have given you (or you have chosen) a password that enables you to access certain parts of our Digita Channels, you are responsible for keeping that password confidential and for complying with any other security procedures we notify to you. Please do not share your password with anyone.

Transfer of personal data outside Ecuador

It is possible that staff or providers may access, transfer, or store the user’s personal data in locations outside the country in which the user is located, whose data protection laws may be less restrictive than those of your country. In all circumstances, personal data will be protected in accordance with this Personal Data Protection Policy.

In all cases, legal grounds justifying the data transfer will be established, such as standard contractual clauses or other legal bases as permitted by applicable legal requirements.

Storage limits

Our personal data retention periods are based on business needs and legal requirements. We retain personal data for as long as necessary for the processing purposes for which the data were collected, as well as for any other permitted related purpose. For example, we may retain certain transaction details and correspondence until the limitation period for claims arising from the transaction has expired or to comply with legal requirements related to the retention of such data. When personal data are no longer necessary, we will cease processing them in accordance with the Law.

Your rights and how to contact us

Contact If you have any questions related to this policy, please contact us through the following channels (hereinafter referred to as the established Contact Channels):

• In person at our offices located nationwide.
• By sending an email to our official accounts available on our official website.
• Through our official website.

Marketing

In order to tailor online marketing on our websites to your needs or interests, we use automated decision- making technologies that track personal data such as browsing history on our websites, links you click in our emails, or mobile applications you use.

The user has the right to request that THE FIRM not process their personal information for marketing and commercial purposes. To exercise your right to opt out of such processing, you may check the boxes designated for this purpose on the forms used to collect personal data or contact us directly through the established Contact Channels.

Data updating

The user states that all data provided by them are true and accurate and undertakes to keep them updated.

For these purposes, the user is responsible for the accuracy of the data communicated and will keep them duly updated so that they reflect their actual situation. The user will be responsible for any false, excessive, or inaccurate information provided.

Data subject rights

If you have any questions regarding the use of personal data, please first contact us through the established Contact Channels.

In exercise of the rights recognized by the Organic Law on Personal Data Protection, you have the right to request:

• That we provide more details about the use we make of your data.
• That we provide you with a copy of the personal data you have provided to us.
• That we update and rectify any inaccuracies in the personal data we hold (see Section 5.3).
• That we delete any personal data for which we no longer have a legal basis to use.
• Where processing is based on consent, to withdraw your consent so that we cease carrying out that specific processing (see Section 5.1 on marketing).
• To object to any processing based on legitimate interest, unless our reasons for carrying out such
• processing outweigh any harm to your data protection rights.
• To suspend the processing of your data while a complaint is being handled.
• The portability of your data in a compatible, updated, structured, common, interoperable, and machine-readable format, preserving its characteristics; or to transmit them to other controllers; and
• Not to be subject to decisions based solely or partially on automated processing, including profiling, that produce legal effects concerning you or that adversely affect your fundamental rights and freedoms.

The exercise of these rights is subject to certain exceptions to safeguard the public interest (e.g., preventing or detecting unlawful acts) and THE FIRM’s interests (e.g., maintaining legal privileges). If you exercise any of these rights, the legitimacy of the request will be verified, and you will receive a response within up to fifteen (15) days.

If you are not satisfied with the use made of your personal information or with the response received when exercising your rights, you have the right to lodge a complaint with the Personal Data Protection Authority through the channels it enables for this purpose.

Privacy Policy / November 2025

ANNEX

DEFINITIONS

Consent: When you have expressed your will for us to use your data (you will have been presented with a consent form related to such use and may withdraw your consent by contacting us in accordance with the “Contact with the LOPDP” form shown below).

Performance of contractual obligations: When your data are necessary to enter into or perform underlying contractual obligations with you.

Compliance with legal obligations: When we need to use your data to comply with our legal obligations.

Legitimate interest: When we have a legitimate interest in processing your personal data to achieve a lawful purpose for our organization and when our reasons for processing your personal data outweigh any harm to your data protection rights.