Integral Privacy Notice

Identity and contact details of the Data Controller

In compliance with the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) of the United Mexican States, the General Data Protection Regulation of the European Union (GDPR), the Brazilian General Data Protection Law (LGPD), and the other legal frameworks applicable depending on the data subject's jurisdiction, ALOPROT S.A. de C.V. makes available this Integral Privacy Notice as a legally binding document.

For the purposes of the GDPR and the UK GDPR, the Data Controller acts as Data Controller. For the purposes of the LGPD, it acts as Controlador. For the purposes of the Canadian PIPEDA, it acts as Organization. For the purposes of the California CCPA/CPRA, it acts as Business. The Data Controller does not act as a mere Data Processor with respect to data collected directly through its website.

Personal data subject to processing

The Data Controller collects only personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, in accordance with the data minimization principle recognized under the GDPR, the LGPD and their equivalents in each jurisdiction.

A. Data provided directly by the data subject

Identification and contact data

• Full name
• Landline, mobile or instant-messaging phone number
• Email address

Agricultural and geographic profile data

• State or province and municipality of residence or productive activity
• Agricultural region or production zone
• Main crops and area in production, expressed in hectares
• Type of production system: conventional, certified organic, or in transition
• Information on current agronomic practices, when voluntarily provided by the data subject

Business data, when the data subject acts on behalf of a legal entity

• Company's corporate name
• Tax registration number: RFC (Mexico), NIT (Colombia), CNPJ (Brazil), CUIT (Argentina), RUT (Chile) or equivalent in each jurisdiction
• Name of the legal representative or technical contact designated by the company

B. Data automatically collected through tracking technologies

• IP address of the device used to access the Site
• Unique device identifiers
• Web browser type, version, and device operating system
• Pages visited within the Site, session duration, and entry/exit pages
• Source of the visit: organic search, referral link, paid advertising campaign, or direct access
• Interactions with Site content: clicks on elements, vertical scrolling, and downloads of materials
• Data derived from cookies and equivalent tracking technologies, as described in Section VII
• Approximate geolocation derived from IP address analysis

C. Sensitive data

The Data Controller does not request or collect personal data of a sensitive nature —understood under each applicable law as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, genetic data, biometric data used for unique identification, health-related data, sexual orientation or sex life, or criminal convictions or administrative offenses— through the website. In the exceptional event that a data subject voluntarily provides such data in a free-text field, it will be understood that express consent is granted for its processing limited to the specific purpose of that inquiry, and such data will be deleted once the inquiry has been resolved.

D. Data of minors

The website is not directed at persons under eighteen (18) years of age. The Data Controller does not knowingly collect personal data from minors. In jurisdictions where the digital age of consent differs —thirteen (13) years under COPPA in the United States; sixteen (16) years by default under the GDPR, unless a national provision states otherwise— the most protective standard will apply in all cases. If the Data Controller becomes aware that a minor has provided data without the authorization of the holder of parental authority or guardianship, it will proceed to delete such data immediately, without the need for a prior request.

Purposes of processing and legal basis

All processing of personal data carried out by the Data Controller is based on a valid legal basis under the law applicable in each jurisdiction.

A. Primary purposes

These are the purposes necessary to handle the data subject's request and to fulfill the pre-contractual or contractual relationship established. The data subject cannot object to these purposes without this preventing the provision of the requested service.

Legal basis: performance of pre-contractual or contractual measures requested by the data subject; compliance with a legal obligation imposed on the Data Controller.

• Responding to requests for technical information about the Data Controller's products
• Preparing and sending the data subject personalized agronomic application protocols based on the crop, region, and stated production conditions
• Coordinating and managing technical field visits and agronomic follow-up after the first application
• Sending downloadable technical materials requested by the data subject: technical data sheets, safety data sheets, and crop-specific application guides
• Processing quotes, orders, and distribution agreements when requested by the data subject
• Complying with the Data Controller's legal obligations before the competent authorities in each jurisdiction: tax, health, agri-food, and labor authorities

B. Secondary purposes

These are purposes that are not necessary to handle the data subject's main request. They require the data subject's express consent. The data subject may decline these purposes without this affecting the provision of the requested service.

Legal basis: the data subject's express consent, freely given, specific, informed, and unambiguous.

• Sending periodic communications about technical news, agronomic alerts, and product updates
• Conducting market studies and statistical analysis of the productive profile of the user base
• Research and development of new products
• Carrying out direct marketing actions, advertising retargeting campaigns, and content personalization
• Preparing success stories or testimonials for use in the Data Controller's communication materials, subject to the data subject's prior, express, and individualized authorization

If the data subject does not wish their data to be processed for secondary purposes, they may indicate this in the following ways: (a) by not checking the corresponding consent box on the contact form; (b) by sending a request to contacto@nutrisurco.com with the subject line "Opt-out of secondary purposes"; (c) at any later time, using the same mechanism. Declining these purposes will under no circumstances condition access to the technical advisory service.

C. Purposes based on the Data Controller's legitimate interest

Legal basis: legitimate interest of the Data Controller, following a prior balancing test confirming that such interest does not override the data subject's fundamental rights and freedoms (GDPR art. 6.1.f and equivalents in each jurisdiction).

• Website security: detection and prevention of fraud, cyberattacks, and unauthorized access
• Improvement of the user experience through anonymized analysis of browsing behavior
• Defense of the Data Controller's legitimate rights and interests in judicial, arbitral, or administrative proceedings

D. Retention periods

Personal data will not be retained for a period longer than necessary to fulfill the purpose justifying its processing:

• Contact data for technical advisory purposes: for as long as the active business relationship lasts, plus an additional period of five (5) years from the last interaction, for warranty and liability purposes
• Browsing data and analytics cookies: a maximum period of thirteen (13) months from collection, in line with the standard set by the French CNIL and the British ICO
• Consent records: five (5) years from the date consent was obtained, as evidence of compliance with the transparency obligation
• Data subject to legal retention obligations: the period applicable in each jurisdiction; in Mexico, a minimum of five (5) years under NOM-151-SCFI-2016 and ten (10) years for tax obligations
• Data whose consent has been withdrawn: deletion within thirty (30) calendar days following receipt of the request, unless a legal provision requires its retention

Personal data transfers

A. Domestic transfers

The Data Controller may disclose personal data to the following recipients within Mexican territory, without requiring the data subject's consent under Article 37 of the LFPDPPP:

• Mexican government authorities: SADER, SENASICA, SAT, IMSS, INFONAVIT, PROFECO, and other competent authorities, when required by legal provision or an authority's ruling
• Technical distributors authorized by the Data Controller, exclusively for the purpose of providing field technical advisory services within the business relationship established with the data subject
• Service providers acting as Data Processors under written contract imposing obligations equivalent to those of the Data Controller: CRM platforms, web hosting services, transactional email systems, and web analytics tools

B. International transfers

The Data Controller may transfer personal data to service providers located in other countries for operational purposes. The safeguards applied to each cross-border data flow are as follows:

Transfers between Mexico and the European Union

Mexico holds an adequacy decision issued by the European Commission. Transfers in both directions are covered by this recognition without the need for additional safeguards.

Transfers to providers in the United States

These are carried out through Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914 and, where the provider has adhered to it, through the EU-US Data Privacy Framework. Providers receiving data from California residents act as Service Providers under the CCPA/CPRA, with a contractual prohibition on selling or using the data for their own purposes.

Transfers to providers in Canada

Canada holds an adequacy decision from the European Commission. Transfers are carried out under contracts incorporating PIPEDA principles. For recipients in Quebec, the requirements of Law 25 are additionally incorporated.

Transfers within Latin America

These are carried out through contracts incorporating safeguards equivalent to those required by the national legislation of each country involved, with reference to the Data Protection Standards of the Latin American Data Protection Network (RIPD, 2017).

Transfers to the United Kingdom and Switzerland

The United Kingdom holds a post-Brexit adequacy decision from the European Commission. Transfers are additionally supported through the International Data Transfer Agreement (IDTA) issued by the ICO when the recipient operates from a third country without adequacy status. Switzerland holds mutual adequacy recognition with the European Union.

C. Prohibition on the sale of data

The Data Controller expressly declares that it does not sell, assign, lease, or trade personal data of its data subjects to third parties for its own or third parties' profit. This declaration applies in all jurisdictions covered by this Notice and is of particular relevance for compliance with the California CCPA/CPRA, the Brazilian LGPD, and the European GDPR.

Data subjects' rights and the procedure for exercising them

A. Catalog of recognized rights

The data subject is recognized as having the rights listed below. The effective availability of each right in a particular jurisdiction will depend on the law applicable in the data subject's country of residence; nevertheless, the Data Controller recognizes and applies the broadest catalog as a general standard.

Right of Access

The data subject has the right to obtain confirmation as to whether or not the Data Controller is processing personal data concerning them and, if so, to access such data and the following information: purposes of processing, categories of data processed, recipients to whom the data has been or will be disclosed, the envisaged retention period, the existence of automated decisions and the logic applied, and the rights recognized to the data subject.

Right of Rectification

The data subject has the right to obtain, without undue delay, the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed.

Right of Cancellation or Erasure

The data subject has the right to request the erasure of their personal data when: it is no longer necessary for the purposes for which it was collected; the data subject withdraws the consent on which the processing is based; the data subject objects to the processing; the data has been processed unlawfully; or it must be erased to comply with a legal obligation. This right is not absolute and may be limited by legal retention obligations.

Right to Object

The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on the Data Controller's legitimate interest, including profiling. The data subject has the right to object at any time to the processing of their data for direct marketing purposes, without the need for any justification.

Right to Restriction of Processing

The data subject has the right to obtain restriction of the processing of their data when: they contest the accuracy of the data; the processing is unlawful and the data subject opposes its erasure; the Data Controller no longer needs the data but the data subject requires it for the exercise or defense of legal claims; or the data subject has objected to the processing while it is verified whether the Data Controller's legitimate grounds override those of the data subject.

Right to Data Portability

The data subject has the right to receive the personal data they have provided to the Data Controller, in a structured, commonly used, machine-readable format, and to transmit it to another data controller without hindrance from the Data Controller, when the processing is based on consent or a contract and is carried out by automated means. This right is expressly recognized under the GDPR, the LGPD, the CCPA/CPRA, and the Ecuadorian LOPDP, among other laws.

Right not to be subject to solely automated decisions

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning the data subject or significantly affects them in a similar way. The Data Controller does not currently make decisions of this nature regarding data subjects whose data is collected through the website.

Right to Withdraw Consent

The data subject may withdraw, at any time, consent previously given for the processing of their personal data, without affecting the lawfulness of processing carried out prior to such withdrawal.

Additional rights under the CCPA/CPRA (California, U.S. residents)

• Right to know what personal data is collected, for what purpose, and to whom it is sold or disclosed
• Right to delete personal data, subject to the exceptions established by law
• Right to correct inaccurate personal data
• Right to opt out of the sale and sharing of data for cross-context behavioral advertising. The "Do Not Sell or Share My Personal Information" link is permanently available in the Site's footer
• Right to limit the use of sensitive personal information
• Right not to be discriminated against for exercising any of the foregoing rights

B. Procedure for exercising rights

To exercise any of the foregoing rights, the data subject must submit a written request to contacto@nutrisurco.com, indicating in the subject line: "Exercise of Rights — [Country of residence]".

The request must contain, at minimum:

• Full name of the data subject and, where applicable, of the authorized representative or assignee
• Email address registered on the Site or used in the original request
• Clear and precise description of the data with respect to which the right is to be exercised
• Description of the right to be exercised and the reasons motivating it, in cases where the applicable law requires this
• Copy of a current official identification document proving the identity of the data subject or, where applicable, of the representative and of the power of attorney or authorization granting them standing
• Any additional documentation that facilitates locating the data subject to the request

The Data Controller will acknowledge receipt of the request within the period established by the law of the data subject's jurisdiction and will inform the data subject of the decision taken within the maximum legal period applicable, in accordance with the response-time table below.

C. Response times by jurisdiction

D. Supervisory authorities before which a complaint may be filed

• Mexico: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) — www.inai.org.mx
• European Union: the supervisory authority of the data subject's member state — directory: www.edpb.europa.eu
• Germany: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) — www.bfdi.bund.de
• United Kingdom: Information Commissioner's Office (ICO) — www.ico.org.uk
• Switzerland: Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB) — www.edoeb.admin.ch
• Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — www.gov.br/anpd
• Colombia: Superintendencia de Industria y Comercio (SIC) — www.sic.gov.co
• Argentina: Agencia de Acceso a la Información Pública (AAIP) — www.argentina.gob.ar/aaip
• Chile: Consejo para la Transparencia (CPLT) — www.cplt.cl
• Peru: Autoridad Nacional de Protección de Datos Personales — www.gob.pe/anpd
• Ecuador: Superintendencia de Protección de Datos Personales
• Uruguay: Unidad Reguladora y de Control de Datos Personales (URCDP) — www.datospersonales.gub.uy
• Panama: Autoridad Nacional de Transparencia y Acceso a la Información (ANTAI)
• Costa Rica: Agencia de Protección de Datos de los Habitantes (PRODHAB)
• Canada: Office of the Privacy Commissioner of Canada (OPC) — www.priv.gc.ca
• Canada, Quebec: Commission d'accès à l'information (CAI) — www.cai.gouv.qc.ca
• United States: California Privacy Protection Agency (CPPA) — www.cppa.ca.gov — and equivalent state authorities

Security measures

The Data Controller has implemented technical, administrative, and physical security measures designed to protect personal data against loss, misuse, unauthorized access, disclosure, alteration, or destruction, in accordance with the requirements of each applicable law.

A. Technical measures

• Encryption in transit of all communications using the TLS 1.3 protocol
• Encryption at rest of databases containing personal data using the AES-256 algorithm
• Role-based access control (RBAC) with multi-factor authentication (MFA) for all personnel with access to personal data
• Intrusion detection systems and continuous access monitoring
• Periodic vulnerability assessments and penetration testing performed by independent third parties on an annual basis
• Encrypted backups with automatic integrity verification

B. Administrative and organizational measures

• Internal personal data protection policy subject to mandatory annual review
• Confidentiality and data protection contractual clauses in agreements signed with employees and with all providers acting as Data Processors
• Privacy and cybersecurity training and awareness program for all personnel
• Designation of a Privacy Point of Contact with functions equivalent to those of a Data Protection Officer (DPO) under the GDPR
• Maintenance of an updated Record of Processing Activities (ROPA) available for inspection by supervisory authorities
• Performance of Data Protection Impact Assessments (DPIA) for any new processing activity that could pose a high risk to the rights and freedoms of data subjects

C. Security breach notification

In the event of a personal data security breach, the Data Controller will act according to the following protocol:

• Notification to the competent supervisory authority in the affected data subject's jurisdiction within seventy-two (72) hours of becoming aware of the breach, in accordance with Art. 33 of the GDPR and its equivalents in each law
• Direct notification to affected data subjects without undue delay, when the breach is likely to result in a high risk to their rights and freedoms, describing the nature of the breach, the Data Controller's contact details, foreseeable consequences, and measures taken or proposed
• Documented record of every security breach in the Data Controller's internal incident log, regardless of severity, as evidence of compliance

Cookies and tracking technologies

The website uses cookies and similar tracking technologies. Their nature, purpose, and how the data subject can manage their preferences are described below.

Classification of cookies used

Consent management and retention period

On first access to the Site, the data subject is presented with a consent management panel that allows them to accept, reject, or granularly customize cookie categories. The data subject's decision is recorded with a timestamp as evidence of the consent given or denied. The data subject may change their preferences at any time from the cookie management panel accessible in the footer. Session cookies are deleted when the browser is closed. Persistent cookies have a maximum lifespan of thirteen (13) months.

The Site recognizes and respects Do Not Track (DNT) and Global Privacy Control (GPC) signals from the data subject's browser. When an active GPC signal is detected, all non-essential cookies are automatically disabled.

Jurisdiction-specific provisions

The provisions contained in this section supplement the general framework of this Notice and apply specifically to data subjects residing in each jurisdiction indicated. They do not, under any circumstances, reduce the rights recognized in the preceding sections.

Amendments to the Privacy Notice

The Data Controller reserves the right to amend this Privacy Notice at any time to adapt it to legislative, judicial, regulatory, technological, or business changes. Amendments that substantially affect data subjects' rights will be communicated through a prominent notice on the website www.nutrisurco.com at least thirty (30) calendar days before they take effect. Minor amendments will be communicated at least five (5) business days in advance.

Continued use of the website www.nutrisurco.com after the effective date of an amendment constitutes acceptance of the new version of the Notice. If the data subject does not agree with the amendment, they must refrain from using the Site and, where applicable, request the deletion of their data in accordance with the procedure set out in Section V.

Previous versions of the Notice will be archived and may be consulted upon request sent to contacto@nutrisurco.com.

Acceptance and term

Access to and use of the website www.nutrisurco.com implies that the data subject has read, understood, and fully accepted this Privacy Notice. A data subject who does not accept the conditions set out herein must refrain from providing their personal data and from using the Site's services.

This Privacy Notice takes effect on July 1, 2025 and remains in force indefinitely until repealed or replaced by a subsequent version published in accordance with the procedure described in Section IX.

This Privacy Notice, in its complete and full version, is permanently available at: www.nutrisurco.com/docs/en/privacy/privacy-notice.html.