PRIVACY AND PERSONAL DATA PROTECTION POLICY – ILEANOVO (COLOMBIA, ECUADOR, AND PERU

ILEANOVO (hereinafter, “ILEANOVO”, “we” or “the Company”) protects the privacy and personal data of users, clients, and patients who interact with our main website and digital channels. This Policy is issued to cover ILEANOVO’s operation in Colombia, Ecuador, and Peru, and is interpreted and applied according to the current regulatory framework of each country, without prejudice to the internal security and confidentiality standards adopted by ILEANOVO.

1. SCOPE

This Personal Data Protection Policy shall apply to all Databases and/or Files containing Personal Data that are subject to Processing by ILEANOVO, including data collected through:

• ILEANOVO’s main website and country-specific sites.
• Contact and evaluation forms.
• WhatsApp, email, phone calls, and video conferences.
• Social media, advertising campaigns, and other digital channels.

2. IDENTIFICATION OF THE DATA CONTROLLER

2.1 Controller (Colombia)

• Corporate Name: CLINICA ESTETICA MAYEIA SAS
• Commercial Name: Ileanovo
• Website: https://ileanovo.com/en/colombia
• Contact Email: Ileanovomedellin@gmail.com
• Address: Mall Complex Los Balsos, Carrera 25 #12 Sur-59, Local 209, Medellín, Antioquia.
• Email: info@ileanovo.com

2.2 Controller (Ecuador)

• Corporate Name: ETHOSMAYEIA S.A.
• Commercial Name: Ileanovo
• Website: https://ileanovo.com/en/ecuador
• Contact Email: Ileanovoquito@gmail.com
• Address: Republic of Ecuador.

Ecuador: ETHOSMAYEIA S.A. (Commercial Name: Ileanovo) – Ecuador operation. (Emails and addresses by country may be published on local sites for ARCO rights attention and equivalents).

2.2 Controller (PERU)

• Corporate Name: MAYEIA SAC
• Commercial Name: Ileanovo
• Website: https://ileanovo.com/en/peru
• Contact Email: computador4lima@gmail.com
• Address: Mariscal la mar 550, office 201 Miraflores Lima Peru.
• Data Controller: Ileanovo Lima headquarters.

3. DEFINITIONS

• Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of Personal Data.
• Privacy Notice: Verbal or written communication generated by the controller, addressed to the data subject for the Processing of their Personal Data, informing them about the existence of these Policies, how to access them, and the purposes of the Processing.
• Database: Organized set of Personal Data that is the subject of Processing.
• Clients: Natural or legal person, public or private, with whom ILEANOVO has a commercial relationship.
• Personal Data: Any information linked or that may be associated with one or several determined or determinable natural persons (e.g., name, ID document, address, email, phone, health data, etc.).
• Sensitive Data: Information that affects the privacy of the Data Subject or whose misuse may generate discrimination, including, among others, data regarding health, sex life, biometrics, and image.
• Data Processor: Natural or legal person who performs the Processing on behalf of the Controller.
• Data Controller: Natural or legal person who decides on the Database and/or the Processing.
• Claim: Request from the Data Subject (or authorized persons) to correct, update, or delete data or revoke authorization in cases provided by law.
• Transfer: Sending data from a Controller/Processor in Colombia to a recipient Controller inside or outside the country.
• Transmission: Communication of data inside or outside Colombia so that a Processor may treat data on behalf of the Controller.
• Processing: Operation on Personal Data (collection, storage, use, circulation, or deletion).

4. APPLICABLE REGULATORY FRAMEWORK (BY COUNTRY)

4.1 Colombia

• Article 15 of the Political Constitution of Colombia.
• Law 1581 of 2012 and its regulatory decrees (includes Decree 1377 of 2013 and Decree 1074 of 2015).
• Law 1266 of 2008 (financial habeas data, when applicable).

4.2 Ecuador

• Organic Law on Personal Data Protection (LOPDP) and complementary regulations.

4.3 Peru

• Law No. 29733 – Personal Data Protection Law and its Regulation approved by Supreme Decree No. 003-2013-JUS.

5. PRINCIPLES APPLICABLE TO PROCESSING

ILEANOVO shall apply, as appropriate in each jurisdiction, the following principles:

• Legality / Lawfulness: Processing in accordance with the law.
• Purpose: Use for specific, explicit, and informed purposes.
• Freedom / Consent: Collection with prior, express, and informed authorization when applicable.
• Truthfulness / Quality: Truthful, complete, exact, and updated information.
• Transparency: The Data Subject’s right to obtain information about their data.
• Restricted access and circulation: Only authorized persons.
• Security: Measures to prevent loss, adulteration, consultation, or unauthorized access.
• Confidentiality: Duty of secrecy by personnel and authorized third parties.

6. PERSONAL DATA COLLECTED

ILEANOVO may collect, depending on user interaction:

• Identification: names, surnames, ID document (when applicable), age.
• Contact: phone, email, city/country, WhatsApp.
• Health data (sensitive): hair information, medical history, clinical photographs of the scalp, or other data provided for evaluation.
• Technical and navigation data: IP address, device, browser, cookies, and usage metrics.

7. PROCESSING AND PURPOSES

ILEANOVO, as the Data Controller, collects, stores, uses, circulates, and deletes personal data of persons with whom it has or has had a relationship (workers, shareholders, consumers, clients, suppliers, creditors, and debtors), to:

7.1 General purposes

• Allow participation in marketing and promotional activities.
• Evaluate service quality, market studies, internal statistical analysis.
• Control access to offices and security measures (including video surveillance where it exists).
• Respond to inquiries, petitions, complaints, and claims; and attend to requirements from authorities.
• Contact via email or any means for the described purposes.
• Transfer information to internal areas and related companies when necessary for operations (collections, treasury, accounting, among others).
• Comply with judicial or administrative requirements.
• Register data in commercial/operational systems and databases.
• Any other similar activity necessary for ILEANOVO’s corporate purpose.

7.2 Client and Consumer Data

• Fulfill obligations derived from the acquisition of products/services.
• Inform about changes in product/service conditions.
• Send offers and promotional information (with authorization when applicable).
• Strengthen relationships, order taking, and service evaluation.
• Determine pending obligations, consult financial information and credit history, and report to credit bureaus when legally appropriate.
• Promote and develop products/services.
• Train salespeople/agents.
• Allow contact by related companies with contracts and security guarantees.
• Control access and video-surveilled zones.
• Use of website services, content downloads, and forms.

7.3 Employee Data

• Selection and hiring, verification of references and security studies.
• HR Management: payroll, affiliation, welfare, occupational health, disciplinary authority.
• Payments, social benefits, and contract termination.
• Benefits with third parties (insurance, medical expenses, etc.).
• Notification to authorized contacts in emergencies.
• Support for access to computer resources.
• Planning of business activities.

7.4 Supplier Data

• Invitations to selection processes and events.
• Compliance evaluation.
• Registration in systems.
• Payment processing and balance verification.

8. AUTHORIZATION

ILEANOVO will request prior, express, and informed authorization from Data Subjects when required by applicable regulations. This authorization may be obtained, among others, by:

• Written: authorization forms.
• Oral: telephone conversation or video conference.
• Digital: checkbox marking/acceptance in forms.

9. SPECIAL PROVISIONS

9.1 Processing of sensitive data (health)

The Processing of sensitive data is prohibited except for legal exceptions. When applicable, ILEANOVO:

• Will inform that the Data Subject is not obliged to authorize the Processing of sensitive data.
• Will inform which data is sensitive and its purpose.
• Will adopt reinforced security and confidentiality standards.

9.2 Data of children and adolescents

ILEANOVO will only process data of minors when it responds to the best interest of the minor and the authorization of their legal representative is obtained, according to applicable regulations.

10. RIGHTS OF DATA SUBJECTS

Data Subjects may exercise, in accordance with applicable law, rights such as:

• Know, access, update, and rectify their data.
• Request proof of authorization (when applicable).
• Be informed of the use given to their data.
• Request deletion and/or revoke authorization when appropriate.
• Access freely their data (according to regulations).
• Oppose or limit processing (and, where applicable, portability and suspension).

11. RESPONSIBLE AREA

The Systems Area of ILEANOVO is in charge of the development, implementation, training, and observance of this Policy. Areas that process personal data must immediately transfer petitions, inquiries, complaints, and claims to said area.

12. PROCEDURE FOR PETITIONS, INQUIRIES, COMPLAINTS, AND CLAIMS

Attention Channel

📩 info@ileanovo.com

12.1 Petitions and inquiries

• Will be attended to within a maximum term of 10 business days from their receipt.
• If it is not possible to attend within that period, the reasons and a new date will be informed, which shall not exceed 5 business days.

12.2 Complaints and claims

• Will be attended to within a maximum term of 15 business days from the day following their receipt.
• If it is not possible to attend within that period, the reasons and a new date will be informed, which shall not exceed 8 business days.

(Terms may vary by country; when the data subject is from Ecuador or Peru, ILEANOVO will apply the deadlines and formalities required by the corresponding local norm.)

13. INFORMATION OBTAINED PASSIVELY (COOKIES)

ILEANOVO may collect passive information through cookies and similar technologies (IP, browser, operating system, access time, pages visited). The user can configure the use of cookies from their browser.

14. DATA SECURITY

ILEANOVO implements reasonable technical, human, and administrative measures to provide security to the records, avoiding adulteration, loss, consultation, use, or unauthorized or fraudulent access. Access is restricted to authorized personnel.

15. TRANSFER, TRANSMISSION, AND DISCLOSURE

ILEANOVO may share data with:

• Technological providers (hosting, CRM, communication platforms), under confidentiality agreements.
• Service providers acting as Processors.
• Administrative or judicial authorities when legally required.

When international transmission exists, ILEANOVO will adopt appropriate contractual clauses and security measures.

16. SUPERVISORY AUTHORITIES

• Colombia: Superintendence of Industry and Commerce (SIC), when applicable.
• Ecuador: Superintendence of Personal Data Protection.
• Peru: National Authority for Personal Data Protection – MINJUSDH.

17. VALIDITY AND AMENDMENTS

ILEANOVO may update this Policy at any time. Changes will be published on the website and will be effective from their publication.

18. AUTHORIZATION CLAUSE (MODEL FORMAT)

By accepting the conditions contained in this document, you expressly, freely, and voluntarily state that you authorize ILEANOVO to carry out the Processing of the personal data provided for the purposes described in this Policy, including informative communications and, where appropriate, promotional ones. Last updated: December 13, 2025