PRIVACY NOTICE

This document constitutes the Privacy Notice for the purposes of the provisions of the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) and the provisions emanating from or related to it. This Privacy Notice applies to personal information collected from Clients, Suppliers, and any natural or legal person who provides this information to CORAL SERVICIOS DE ALIMENTACIÓN DE MÉXICO S.A. DE C.V., hereinafter referred to as the "Data Controller"; this Privacy Notice is subject to the following terms and conditions:

1. DEFINITION OF TERMS: For the purposes of this Notice and in accordance with the Federal Law on Protection of Personal Data Held by Private Parties, the following shall be understood as:

Privacy Notice: A physical or electronic document generated by the Data Controller and made available to the Data Subject prior to the processing of their personal data.

Personal Data: Any information concerning an identified or identifiable natural or legal person.

Sensitive Personal Data: Those personal data that affect the most intimate sphere of the Data Subject, or whose improper use may give rise to discrimination or entail a serious risk for them.

ARCO Rights:Refers to the rights of Access, Rectification, Cancellation, and Opposition (Acceso, Rectificación, Cancelación y Oposición) that, in accordance with the Law, each Data Subject has in relation to the Personal Data collected:

Right of Access: The right to know the Personal Data held by the Data Controller, as well as to whom it has been shared and for what purpose.

Right to Rectification: The right to have Personal Data rectified when it is inaccurate or incomplete.

Right of Cancellation: The right to request at any time that Personal Data be deleted, which will occur after the blocking period.

Blocking:Involves the identification and preservation of Personal Data once the purpose for which it was collected is fulfilled, to determine possible responsibilities until the legal or contractual statute of limitations expires.

Right of Opposition: The right to request, for legitimate reasons, that the Data Controller stop processing Personal Data.

Data Controller (Responsable): The natural or legal person who decides on the processing of Personal Data; in this case, CORAL SERVICIOS DE ALIMENTACIÓN DE MÉXICO S.A. DE C.V.

Data Processor (Encargado): The natural or legal person who, alone or together with others, processes Personal Data on behalf of the Data Controller.

Data Subject (Titular): The natural person who owns the Personal Data or is authorized to provide a third party's data.

2. CONSENT OF THE DATA SUBJECT: In accordance with Article 17 of the Law, the Data Subject declares that:

(i) This Privacy Notice has been made known by the Data Controller.

(ii) To have read, understood, and agreed to the terms set forth in this Privacy Notice, thereby granting consent to the processing of your Personal Data for purposes of the Federal Law on the Protection of Personal Data Held by Private Parties and other applicable legislation. In the event that the Personal Data collected includes sensitive or financial Personal Data, by signing the corresponding agreement, whether in printed form or through electronic means and their respective processes for obtaining consent—such as, but not limited to, the provision of Personal Data through dialog boxes, or the viewing and navigation of terms and conditions on screen—such actions shall constitute the express consent of the data subject in accordance with the second paragraph of Article 8 of the Federal Law on the Protection of Personal Data Held by Private Parties and other applicable legislation, and,

(iii) They grant consent for CORAL SERVICIOS DE ALIMENTACIÓN DE MÉXICO S.A. DE C.V.., or its Data Processors, to carry out transfers of Personal Data to national or foreign third parties, with the understanding that the processing that such third parties give to your Personal Data must adhere to the provisions set forth in this Privacy Notice.

In the event that the Data Subject does not object to the terms of this Privacy Notice within the following 48 hours after it has been made available, its content shall be deemed agreed to and consented to, in accordance with the third paragraph of Article 8 of the Federal Law on the Protection of Personal Data Held by Private Parties. The Data Subject’s consent may be revoked at any time without retroactive effects, in accordance with the terms and procedures established below in this Privacy Notice.

Notwithstanding any provision of this Privacy Notice, the Data Subject acknowledges that their consent shall not be required for the processing of Personal Data by the Data Controller or by third parties in any of the cases set forth in Article 10 of the Federal Law on the Protection of Personal Data Held by Private Parties.

3. PURPOSE OF THE PRIVACY NOTICE; PURPOSE OF PERSONAL DATA: This Privacy Notice aims to establish the terms and conditions under which CORAL SERVICIOS DE ALIMENTACIÓN DE MÉXICO S.A. DE C.V.(or the Data Processor it designates): (i) will receive and protect the Personal Data of the Data Subject in order to safeguard their privacy and their right to informational self-determination, in compliance with the provisions of the Federal Law on the Protection of Personal Data Held by Private Parties; (ii) will use the Personal Data of the Data Subject; and (iii) will, where applicable, transfer Personal Data to third parties.

The Data Controller will collect and process the Data Subject’s Personal Data, that is, information that can reasonably identify them, through the receipt of documents, whether in printed and/or digital format. The following are examples, by way of illustration and not limitation, of information that the Data Controller may collect: first and last name; date of birth; age; marital status; nationality; address, whether personal, work, or tax-related; email address, personal or work; telephone number, personal or work; mobile phone number; credit card, debit card, or bank account numbers; Federal Taxpayer Registry (RFC) number; Unique Population Registry Code (CURP); Mexican Social Security Institute affiliation number; as well as other information of a similar nature. The collection of Personal Data may be carried out when provided directly by the Data Subject, through visits to the administrative offices or branches of the Data Controller, visits to the Data Controller’s points of sale, when communicating by telephone with the Data Controller or its Data Processors (including customer service), or through the use of email and/or the use of its websites, through the voluntary submission of information via dialog boxes enabled on the sites, or through the use of automatic data capture tools. Such tools allow the collection of information sent by your browser to such websites, such as the type of browser you use, the user language, access times, and the IP address of websites used to access the sites of the Data Controller or Data Processors. Among the documentation that may be collected by CORAL SERVICIOS DE ALIMENTACIÓN DE MÉXICO S.A. DE C.V.for the verification of the identity of the Data Subject are: voter identification card; in the case of foreigners, immigration form (FM2 or FM-3); military service card; RFC registration certificate; CURP certificate; proof of address such as water bill, property tax bill, or electricity bill; and a special credit report issued by a Credit Information Company. For job applicants or employees, a birth certificate; proof of studies; statement from the Retirement Fund Administrator (Afore); tax withholding form; medical examinations; as well as psychometric and socio-economic studies conducted by CORAL SERVICIOS DE ALIMENTACIÓN DE MÉXICO S.A. DE C.V. may also be requested. Personal Data of relatives, dependents, or beneficiaries may also be requested, such as full name, date of birth, address, and telephone number, along with supporting documentation such as birth and/or marriage certificates.

The Data Controller may also collect Personal Data from publicly accessible sources and other sources available in the market to which the Data Subject may have given consent to share their personal information or that have provided anonymous demographic information associated with a specific geographic area.

The Data Subject’s Personal Data are collected and processed by the Data Controller or its Data Processors in order to allow the Data Subject to carry out the following activities with the Data Controller:

1. Receive the provision of the service contracted between the parties.
2. Collect information from the Data Controller’s employees to comply with reporting obligations before authorities requiring access to such information for the continuation of the contractual relationship between the parties.
3. Request quotations;
4. Contact the Customer Service Department;
5. Submit comments or suggestions regarding products and services;
6. Process payments; and
7. Any other activity analogous to those described above.

Likewise, the Data Controller, directly or through its Data Processors, may use your Personal Data for the following purposes:

1. To send the Data Subject publications, notices, and to comply with requirements from authorities by legal mandate, whether through telephone, physical, electronic, or in-person means;
2. To manage service quality processes, complaints, and customer service.

4. DATA TRANSFER. Once the terms set forth in this Privacy Notice have been read, understood, and agreed upon, the Data Subject expresses their consent for the Data Controller or any Data Processor to transfer Personal Data to national or foreign third parties, with the understanding that the processing of such data by said third parties must comply with this Privacy Notice.

For the purposes established in this Section 4, but subject to the last paragraph thereof, the Data Controller informs the Data Subject that, in order to provide products, services, and solutions to its clients, consumers, employees, suppliers, and other users, the Data Controller and/or its Data Processors have entered into or will enter into various commercial agreements with providers of products and services, so that they may supply, among other services: email; database administration and management; automated processing of Personal Data and storage; call center customer service; authentication and validation of email addresses; telemarketing; credit card terminals; electronic invoicing; marketing; payroll administration and social security benefits; recruitment services; audit services; and other analogous services. The authorization granted by the Data Subject pursuant to this Section 4 empowers the Data Controller and/or its Data Processors to transmit the Data Subject’s Personal Data to such providers, with the understanding that such providers are obligated, by virtue of the corresponding contract, to maintain the confidentiality of the Personal Data provided and to comply with this Privacy Notice. The Data Controller and/or its Data Processors may transfer the Personal Data collected from the Data Subject to any other company within the same corporate group to which the Data Controller belongs, operating under the same processes and internal policies, whether located domestically or abroad, for processing with the same purposes described in this Privacy Notice. Personal Data may also be transferred to other third parties that support the Data Controller in fulfilling contracts or legal relationships with the Data Subject.

Your personal information may be transferred, stored, and processed in a country other than where it was provided. If this occurs, we transfer the information in accordance with applicable data protection laws. We take measures to protect personal information regardless of the country where it is stored or to which it is transferred. We have appropriate procedures and controls in place to ensure such protection.

We reserve the right to transfer your Personal Data in the event of a sale or transfer of all or part of our business or assets. In the event of such a sale or transfer, we will use reasonable efforts to require the new owner to use the Personal Data in accordance with this Privacy Notice. If you do not wish your Personal Data to be processed following such transfer, you must contact the new owner.

Notwithstanding the provisions of this Section 4 or elsewhere in this Privacy Notice, the Data Subject acknowledges and agrees that the Data Controller does not require authorization or confirmation from the Data Subject to carry out national or international transfers of Personal Data in the cases provided for in Article 37 of the Federal Law on the Protection of Personal Data Held by Private Parties or in any other exception provided by such law or other applicable legislation.

5. SAFEGUARDING AND SECURITY OF PERSONAL DATA. The Data Controller and/or its Data Processors will retain the Data Subject’s Personal Data for as long as necessary to process requests for information, products, and/or services, as well as to maintain accounting, financial, and audit records in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties and applicable commercial, tax, and administrative legislation. Personal Data collected will be protected by appropriate administrative, technical, and physical security measures against damage, loss, alteration, destruction, or unauthorized use, access, or processing, in accordance with applicable law. However, CORAL SERVICIOS DE ALIMENTACIÓN DE MÉXICO S.A. DE C.V. does not guarantee that unauthorized third parties may not gain access to physical or logical systems or to electronic documents and files stored therein. CORAL SERVICIOS DE ALIMENTACIÓN DE MÉXICO S.A. DE C.V.it shall not be liable for any damages arising from such unauthorized access.

6. PERSONAL DATA DEPARTMENT. If you have questions, comments, or require additional information regarding this Privacy Notice, please contact:

Email address: [email protected]

For purposes of Article 16, Section I of the Federal Law on the Protection of Personal Data Held by Private Parties, the Data Controller’s address is as set forth in this Section 6.

Address: Camino a los Potreros 8740, Partido Senecú, Ciudad Juárez, Chihuahua.

7. PROCEDURE TO EXERCISE ARCO RIGHTS. To exercise ARCO Rights, the Data Subject or their representative must submit a request including:

i) Name of the Data Subject and address or other means to communicate the response;

ii) Documents proving your identity, whether they be notarial instruments proving the legal capacity in which the Data Subject or their processors are represented, as well as (a simple copy in printed or electronic format of your voter ID card, passport, or FM-2 or FM-3) or, where applicable, the legal representation of the Data Subject (a simple copy in printed or electronic format of a simple power of attorney with the handwritten signature of the Data Subject, the agent, and their corresponding official identifications –(voter ID card, passport, FM-2 or FM-3);

iii) A clear and precise description of the Personal Data regarding which you seek to exercise any of the ARCO Rights, and

iv) Any other element or document that facilitates the location of the Data Subject's Personal Data.

In the case of requests for the rectification of Personal Data, the respective Data Subject must also indicate the modifications to be made and provide the documentation that supports their request.

For the receipt, registration, and processing of requests to exercise your right of access, rectification, cancellation, and opposition to your Personal Data, as well as to limit the use or disclosure of your data, and the other rights provided for in the Federal Law on the Protection of Personal Data Held by Private Parties, please contact:

Email address: ________________________________

The Controller or its Processors shall respond to the respective Data Subject within a maximum period of twenty business days, counted from the date the request for access, rectification, cancellation, or opposition was received, regarding the determination adopted, so that, if applicable, it becomes effective within fifteen days following the date on which the response is communicated to the Data Subject. In the case of requests for access to Personal Data, the Controller or its Processors shall proceed with its delivery upon prior verification of the identity of the requester or their legal representative, as appropriate. The aforementioned periods may be extended only in terms of the Federal Law on the Protection of Personal Data Held by Private Parties.

The delivery of Personal Data shall be free of charge; you will only be responsible for covering justified shipping costs or the cost of reproduction in copies or other formats. In the event that the Data Subject repeats their request within a period of less than twelve months, they must cover the corresponding costs equivalent to 1.5 days of the Minimum Wage in force in the Federal District in terms of the Federal Law on the Protection of Personal Data Held by Private Parties, unless there are substantial modifications to the Privacy Notice that motivate new inquiries.

For the purposes of requests for the cancellation of Personal Data, in addition to the provisions of this Privacy Notice, the provisions of Article 26 of the Federal Law on the Protection of Personal Data Held by Private Parties shall apply, including the specified cases of exception for the cancellation of Personal Data.

The submission of a request for opposition to the use of Personal Data by the Data Subject shall grant the Controller the power to oppose the use of the Personal Data that you, as the Data Subject, have delivered to the opposing party.

8. CHANGES TO THE PRIVACY NOTICE. CORAL SERVICIOS DE ALIMENTACIÓN DE MÉXICO S.A. DE C.V.reserves the right to periodically update this Notice to reflect changes in our information practices. The Controller shall understand that, unless expressed otherwise, it means the Data Subject has read, understood, and agreed to the stated terms, which constitutes their consent to the changes established in said updates regarding the processing of their Personal Data for the purposes of the Federal Law on the Protection of Personal Data Held by Private Parties and other applicable legislation.

CORAL SERVICIOS DE ALIMENTACIÓN DE MÉXICO S.A. DE C.V.