POLICIES AND PROCEDURES FOR THE PROCESSING
AND PROTECTION OF PERSONAL DATA
AGRÍCOLA HIMALAYA S.A.
NIT 890.326.050-8
INTRODUCTION
AGRÍCOLA HIMALAYA S.A., identified with NIT 890.326.050-8, committed to the values of respect, adherence to legality, privacy, confidentiality, availability, integrity, and the proper handling of information—and especially with the conviction to guarantee fundamental rights—hereby establishes this document to comply with Law 1266 of 2008 and Law 1581 of 2012, regulated by Decree 1377 of 2013, its regulatory decrees, and any norms that replace, subrogate, and/or complement them. This includes the necessity of adopting a Policy and Procedures Manual that guarantees compliance with said laws, addressing inquiries and claims from the Data Subject.
In literals d) and e) of Article 3 of Law 1581 of 2012, reference is made to the Data Processor and the Data Controller. AGRÍCOLA HIMALAYA S.A. fulfills both roles simultaneously across many of the databases managed, assuming responsibility for all personal data information and committing to safeguard it as established by law.
Current technologies must allow companies to efficiently manage, exploit, and store personal information used to fulfill corporate and business objectives solely for the purposes for which it is linked. For this reason, AGRÍCOLA HIMALAYA S.A.—dedicated to improving the quality of life of residents and protecting the environment in its areas of influence—may perform the following activities:
The cultivation, manufacture, processing, sale, and distribution (national and international) of bulk or packaged tea, essential oils, extracts, aromatic and/or medicinal herbs, and their import and export.
The production and commercialization of all types of food products or agricultural derivatives, and the administration and exploitation of real estate and its agricultural and agroecological utilization.
Agricultural, livestock, and poultry exploitation.
In furtherance of its corporate purpose, the Company may:
a. Establish appropriate warehouses for its operations.
b. Give and receive money in loans, with or without real or personal guarantees.
c. Provide movable or immovable property as a guarantee for its obligations (mortgage, pledge, or antichresis).
d. Accept or fulfill mandates for lawful matters (general, special, judicial, or extrajudicial).
e. Receive assets for administration.
f. Draw, accept, negotiate, and provide guarantees for all types of negotiable instruments, civil or commercial documents.
g. Hold commercial representations.
h. Generally, carry out any act or contract related to the aforementioned corporate purpose.
This manual complies with the provisions established in the law regarding HABEAS DATA and PERSONAL DATA. The fundamental right to HABEAS DATA must guarantee citizens the power of decision and control over the information, use, and destination of their personal data.
The object of this Manual is to establish the internal policies set in compliance with Law 1581 of 2012 and related regulations. AGRÍCOLA HIMALAYA S.A. is headquartered in the municipality of Yumbo – Colombia at Calle 15 Nro. 25 A– 583 Parcelación CIC-1; Email: info@agricolahimalaya.com or cumplimiento@agricolahimalaya.com; Phone: 3188020759 / 3188273902; Website: [www.agricolahimalaya.com](https://www.agricolahimalaya.com).
I. PURPOSE
Through this policy, AGRÍCOLA HIMALAYA S.A. formalizes the processing of personal data applicable to activities with customers, users, members, suppliers, service providers, employees, distributors, and, in general, any natural person who is a Data Subject registered in our databases, specifically for:
Complying with obligations contracted by virtue of contracts and commercial relationships.
Providing information about our products and services.
Conducting commercial, social, and informative events or promotions.
Carrying out campaigns, studies, or contests for marketing and advertising purposes.
Loyalty programs and updating data of stakeholders.
Informing about changes in products, prices, or services.
Sending portfolio account statements.
Evaluating the quality of products/services via satisfaction surveys.
Collection activities, payments, verifications, and enabling payment methods.
Biometrics: Taking fingerprints or using other authorized biometric mechanisms to validate identity.
Video Surveillance: Collecting, storing, and viewing images and videos to guarantee the safety of people, property, and facilities.
Data Transfer: Delivering data to national or international entities (public or private) that are parent companies, subsidiaries, or affiliates, or for outsourcing processes (archiving, collection, software development, market research, risk analysis, etc.).
For Employees and Providers, data will be used for selection processes, labor relationship execution, skill enhancement (training), and welfare/benefit programs.
II. DEFINITIONS
Authorization: Prior, express, and informed consent of the Data Subject to carry out the processing of personal data.
Privacy Notice: Verbal or written communication informing the Data Subject about the existence of the information processing policies.
Database: Organized set of personal data subject to processing.
Personal Data: Any information linked or associated with one or several determined or determinable natural persons.
Public Data: Data related to civil status, profession, or quality as a merchant/public servant; data that by nature is not subject to protection.
Sensitive Data: Data that affects the privacy of the Subject or whose improper use could generate discrimination (racial origin, political orientation, religious convictions, health, sexual life, and biometric data).
Data Controller: Natural or legal person who decides on the database and/or the processing of data.
Data Processor: Natural or legal person who performs the processing of data on behalf of the Controller.
Processing: Any operation on personal data such as collection, storage, use, circulation, or deletion.
III. RIGHTS OF CHILDREN AND ADOLESCENTS
In all processing, respect for the prevailing rights of children and adolescents will be ensured. The processing of their personal data is prohibited, except for data of a public nature. It is the task of the State and educational entities to provide information and train legal representatives on the risks of improper processing.
IV. SENSITIVE DATA
Processing of sensitive data is prohibited except when:
The Subject has given explicit authorization.
It is necessary to safeguard the vital interest of the Subject (if incapacitated).
It is carried out by non-profit organizations (NGOs, foundations) for members.
It is necessary for the defense of a right in a judicial process.
Images/videos are strictly necessary for security.
Special Authorization: The Subject is not obliged to authorize the processing of sensitive data. No activity may be conditioned on the Subject providing sensitive personal data.
V. PRINCIPLES
AGRÍCOLA HIMALAYA S.A. will act according to these principles:
Legality: Subject to Law.
Purpose: Legitimate and informed purpose.
Freedom: Only with prior, express, and informed consent.
Truth/Quality: Information must be truthful, complete, and updated.
Transparency: Guaranteeing the Subject’s right to obtain information about their data.
Restricted Access/Circulation: Data will not be available on the internet or mass media unless public or technically controlled.
Security: Technical, human, and administrative measures to avoid loss or unauthorized access.
Confidentiality: Professional secrecy even after the relationship ends.
VI. DATA SUBJECT
Data Subjects include members, suppliers, employees, providers, customers, and users. For minors, legal representatives have the authority to authorize processing.
VII. AUTHORIZATION
Authorization must be prior, informed, and express, obtained through any written, physical, or electronic medium that can be consulted subsequently.
VIII. RIGHTS OF THE SUBJECT
The Data Subject has the right to:
Know, update, and rectify their data.
Request proof of the authorization granted.
Be informed about the use of their data.
File complaints before the competent authority (Superintendencia de Industria y Comercio).
Revoke authorization and/or request deletion when legal principles are not respected.
Access their data free of charge.
IX. DUTIES OF THE SUBJECT
The Subject must keep their information updated and guarantee its truthfulness. The Company is not responsible for inaccuracies in the information provided by the Subject.
X. DATA PROTECTION OFFICER (DPO) AND ADMINISTRATION
The Administration Area is in charge of processing personal data on behalf of AGRÍCOLA HIMALAYA S.A. The Data Protection Officer (DPO) will:
Advise on compliance.
Promote a culture of data protection.
Manage the National Registry of Databases (RNBD).
Address inquiries and claims.
XI. SECURITY MEASURES
AGRÍCOLA HIMALAYA S.A. utilizes technical, human, and administrative measures (backup copies, centralized systems, access control) to protect data. It also has an “Information Security Policy Manual.”
XII. PROCEDURES FOR QUERIES AND CLAIMS
Queries (Consultas)
Queries will be addressed within a maximum term of ten (10) business days from receipt. If an extension is needed, it will be for a maximum of five (5) business days, with prior notice to the Subject.
Claims (Reclamos)
If data needs correction, updating, or deletion:
A request must be sent to the Administration area with the Subject’s ID and description of facts.
The maximum term to address the claim is fifteen (15) business days.
If information is missing, the Subject will be required to supplement it within five (5) business days. After two (2) months of no response, it will be understood as withdrawn.
Request for Deletion
The Subject may request deletion if data is not being treated legally, is no longer necessary for the purpose, or the legal period has expired. Note: Deletion may be denied if there is a legal or contractual duty to remain in the database.
XIII. APPLICABLE LEGISLATION
Political Constitution of Colombia (Arts. 15 and 20).
Law 1266 of 2008 (Financial Habeas Data).
Law 1581 of 2012 (General Data Protection).
Decree 1377 of 2013.
Judgment C-748 of 2011.
XIV. EFFECTIVE DATE AND CHANGES
This policy became effective on November 1, 2016, and will remain valid as long as AGRÍCOLA HIMALAYA S.A. carries out its corporate purpose. The Company reserves the right to modify this policy unilaterally at any time.
Version | Date | Responsible (Name/position) | Description of change |
01 | 01/11/2016 | | Initial document |
02 | 24/04/2026 | Angela Diaz – Personal Data Protection Officer | Update |

