This English version is provided for informational purposes only. The legally binding version is the Spanish text governed by Colombian law. In case of conflict, the Spanish version prevails.
PERSONAL DATA PROCESSING POLICY
SOCIEDAD TECNOLÓGICA DE COLOMBIA S.A.S.
Tax ID (NIT): 902.064.873-1
Domicile: Medellín, Colombia
Address: WeWork Vía Primavera, Carrera 43A No. 1-50, El Poblado, Medellín, Antioquia
Data protection email: dok.lat.sas@gmail.com
Effective date: May 11, 2026
Version: 1.0
1. DATA CONTROLLER
1.1. SOCIEDAD TECNOLÓGICA DE COLOMBIA S.A.S., a commercial company organized under the laws of the Republic of Colombia, identified with NIT 902.064.873-1, with principal domicile in the city of Medellín, Colombia (hereinafter, "Dok" or "the Controller"), in compliance with Statutory Law 1581 of 2012, Regulatory Decree 1074 of 2015 and other applicable provisions, presents this Personal Data Processing Policy.
1.2. This Policy aims to inform Data Subjects about the purposes, rights, procedures to exercise such rights, and security measures adopted by Dok to protect their personal information.
1.3. Dok operates a technology productivity platform that assists healthcare professionals with clinical documentation through artificial intelligence tools. Dok acts as Controller with respect to its users' personal data, and as Processor with respect to patient data entered by healthcare professionals using the platform.
2. DEFINITIONS
For purposes of this Policy, the definitions established in article 3 of Law 1581 of 2012 and article 2.2.2.25.1.3 of Decree 1074 of 2015 apply, in particular:
- a) Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data.
- b) Personal Data: Any information linked to, or that may be associated with, one or several determined or determinable natural persons.
- c) Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse may generate discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union or social organization membership, as well as data related to health, sexual life and biometric data.
- d) Processor: Natural or legal person, public or private, that by itself or in association with others, performs the Processing of personal data on behalf of the Controller.
- e) Controller: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Processing of the data.
- f) Data Subject: Natural person whose personal data is subject to Processing.
- g) Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
- h) Transfer: Data transfer occurs when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is Controller of the Processing and is located inside or outside the country.
- i) Transmission: Processing of personal data that involves its communication inside or outside the territory of the Republic of Colombia when its purpose is the performance of Processing by the Processor on behalf of the Controller.
3. GUIDING PRINCIPLES
The Processing of personal data by Dok shall be governed by the following principles, in accordance with article 4 of Law 1581 of 2012:
- a) Legality: The Processing of personal data shall be carried out in accordance with current and applicable provisions.
- b) Purpose: The Processing shall obey a legitimate purpose under the Constitution and the law, of which the Data Subject shall be informed.
- c) Freedom: Processing may only be exercised with the prior, express and informed consent of the Data Subject.
- d) Truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable.
- e) Transparency: Processing shall guarantee the right of the Data Subject to obtain from the Controller or Processor, at any time and without restrictions, information about the existence of data concerning them.
- f) Restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data. Personal data, except public information, may not be available on the Internet or other means of mass dissemination, unless access is technically controllable.
- g) Security: Information subject to Processing must be handled with the technical, human and administrative measures necessary to provide security to records, preventing their alteration, loss, consultation, unauthorized or fraudulent use or access.
- h) Confidentiality: All persons involved in the Processing of personal data are obligated to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in Processing.
4. PERSONAL DATA PROCESSED
Dok collects and processes the following categories of personal data:
4.1. User identification and contact data:
- Full name
- Email address
- Authentication and access credentials
- IP address, browser type, operating system and navigation data
- Platform preferences and configuration
4.2. Sensitive health data (processed on behalf of the User):
In accordance with article 5 of Law 1581 of 2012, the following data constitutes sensitive data and is subject to reinforced protection:
- Content of clinical notes and medical documentation (free text)
- Medical diagnostic codes (ICD-10)
- Voice recordings of medical consultations
- Clinical audio transcriptions
- Patient clinical context, including age, sex, reason for consultation and relevant medical history
- History of interactions with the artificial intelligence assistant
Dok processes this data exclusively on behalf of and under the instructions of the healthcare professional who enters it into the platform, in its capacity as Processor pursuant to article 18 of Law 1581 of 2012.
Active data minimization. Dok applies data minimization at two layers:
- Schema layer: Dok does not provide structured fields to store direct patient identifiers such as full name, identification document number, date of birth, address, phone or email.
- AI assistant layer: the agent is instructed to assign the patient a non-identifying alias and to strip the patient's name from the clinical summary even when the User provides it.
Notwithstanding the foregoing, voice recordings, audio transcriptions and free-text clinical notes may contain identifiers spoken or written by the User. The User is responsible for applying the minimization principle when determining which information to include for the clinical purpose.
4.3. Service usage and quality data:
- Platform interaction events (product analytics)
- Technical error and performance logs
- Artificial intelligence usage traces, without identifiable clinical content
5. AUTHORIZATION AND APPLICABLE REGIME
This section distinguishes two regimes applicable depending on the type of data processed by Dok.
5.1. User's personal data (Dok as Controller).
By accepting this Privacy Policy, the User, in their capacity as Data Subject, AUTHORIZES Dok, in a prior, express and informed manner, to Process their personal data described in sections 4.1 and 4.3, in the terms of article 9 of Law 1581 of 2012.
The User acknowledges that the data described in sections 4.1 and 4.3 do not constitute sensitive data under article 5 of Law 1581 of 2012. The User may revoke their authorization at any time by sending a written request to dok.lat.sas@gmail.com. Revocation will result in cancellation of the account and deletion of the User's personal data pursuant to section 12, without prejudice to applicable legal retention obligations and to the User's obligations as Controller of their patients' data.
5.2. Patients' sensitive health data (Dok as Processor).
The sensitive health data described in section 4.2 corresponds to the User's patients. This data is not contributed by the User as Data Subject nor authorized by the User under article 6 of Law 1581 of 2012. Its Processing is governed by the processing assignment contract contained in section 5 of the Terms and Conditions, in which the User acts as Controller and Dok as Processor.
The authorization from the patient Data Subject for the Processing of their sensitive data, including the use of artificial intelligence tools in their care and clinical documentation, must be obtained by the User in accordance with section 4.1.b of the Terms and Conditions and Law 23 of 1981 on medical ethics. Dok does not collect direct authorization from the patient.
The patient Data Subject may exercise before Dok the rights set forth in section 8 of this Policy by request directed to dok.lat.sas@gmail.com, without prejudice to the rights they may exercise directly before the User as Controller.
6. AUTHORIZATION FOR INTERNATIONAL DATA TRANSFER AND TRANSMISSION
By accepting this Privacy Policy, the User, as Data Subject of their own personal data, AUTHORIZES the transfer and transmission of such data to Dok's Sub-processors located outside the Republic of Colombia, in the terms of article 26 of Law 1581 of 2012. Regarding patients' sensitive health data, international transfer and transmission is carried out under the processing assignment described in section 5.2, with the User obtaining the patient Data Subject's authorization in accordance with section 4.1.b of the Terms and Conditions.
6.1. To provide the Service, personal data is processed by Sub-processors located outside Colombia, performing the following functions:
| Function | Destination country |
|---|---|
| Artificial intelligence processing | United States of America |
| Audio transcription | United States of America |
| Data storage and management | United States of America |
| Authentication and identity management | United States of America |
| File storage | United States of America |
6.2. Dok requires its Sub-processors to comply with security, confidentiality and data protection measures equivalent to those established under Colombian law. Dok evaluates the security and privacy practices of its Sub-processors before entrusting them with the processing of personal data.
6.3. Dok will inform the Data Subject of any substantial change in the list of providers or destination countries with no less than fifteen (15) calendar days' notice.
6.4. The detailed list of providers and sub-processors is available upon request to dok.lat.sas@gmail.com.
6.5. International data transfers and transmissions are carried out based on: (a) the express authorization of the Data Subject granted by accepting this Policy; (b) verification that providers comply with adequate security and confidentiality measures for the protection of personal data; and (c) the necessity of the transfer for the execution of the Service contract, in accordance with paragraph d) of article 26 of Law 1581 of 2012.
7. PROCESSING PURPOSES
7.1. Primary purposes (necessary for the provision of the Service):
- a) Authentication, registration and management of the User's account.
- b) Assisted generation of clinical documentation through artificial intelligence models, including production of clinical note suggestions and drafts and diagnostic coding suggestions (ICD-10).
- c) Transcription of voice recordings of medical consultations.
- d) Storage, organization and consultation of the User's clinical notes.
- e) Contextualized clinical assistance through an artificial intelligence agent.
- f) Compliance with legal and regulatory obligations applicable to the Controller.
- g) Attention to queries, requests, complaints and claims of the Data Subject.
7.2. Secondary purposes (Service improvement):
- a) Product usage analysis for improvement of features and user experience.
- b) Monitoring of errors, technical performance and Service availability.
- c) Tracking of artificial intelligence processing costs.
- d) Informational and service communications to the User.
7.3. Expressly excluded purposes:
Dok will NOT use the Data Subject's personal data or sensitive health data in identifiable form for:
- a) Training, fine-tuning or improvement of own or third-party artificial intelligence models.
- b) Commercialization, sale or assignment to third parties for marketing, advertising or commercial profiling purposes.
- c) Creation of credit risk, insurability or similar profiles.
7.4. Dok may use data that is aggregated, anonymized and irreversibly de-linked from any natural person for statistical analysis and Service improvement, in accordance with current regulations on personal data protection. This data does not allow, directly or indirectly, the identification of the Data Subject.
8. DATA SUBJECT RIGHTS
8.1. In accordance with articles 8 and 15 of Law 1581 of 2012, the Data Subject has the right to:
- a) Know, update and rectify their personal data before the Controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or data whose Processing is expressly prohibited or has not been authorized.
- b) Request proof of authorization granted to the Controller, except when expressly exempted as a requirement for Processing under article 10 of Law 1581 of 2012.
- c) Be informed by the Controller, upon request, regarding the use given to their personal data.
- d) File before the Superintendency of Industry and Commerce complaints for violations of Law 1581 of 2012 and other amending or supplementary regulations, once the consultation or claim procedure before the Controller has been exhausted.
- e) Revoke authorization and/or request deletion of personal data when constitutional and legal principles, rights and guarantees are not respected in Processing.
- f) Access, free of charge, their personal data subject to Processing.
- g) Object to the Processing of their personal data for secondary purposes.
9. PROCEDURE FOR EXERCISING RIGHTS
9.1. The Data Subject or their representative may exercise their rights by sending a written request to the channels enabled by Dok:
- Email: dok.lat.sas@gmail.com
- Physical address: WeWork Vía Primavera, Carrera 43A No. 1-50, El Poblado, Medellín, Colombia
9.2. The request must contain at least: (a) name and identification of the Data Subject; (b) description of the facts giving rise to the request; (c) notification address; and (d) documents proving identity or representation, as applicable.
9.3. Consultations: In accordance with article 14 of Law 1581 of 2012, they will be addressed within a maximum term of ten (10) business days from the date of receipt. When it is not possible to address the consultation within such term, the interested party will be informed of the reasons for the delay and the date on which it will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.
9.4. Claims: In accordance with article 15 of Law 1581 of 2012, they will be addressed within a maximum term of fifteen (15) business days from the day following receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date on which it will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
10. DUTIES OF DOK AS CONTROLLER
In compliance with article 17 of Law 1581 of 2012, Dok commits to:
- a) Guarantee the Data Subject, at all times, the full and effective exercise of the habeas data right.
- b) Preserve the information under the security conditions necessary to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access.
- c) Timely carry out the update, rectification or deletion of data under the terms of the law.
- d) Process consultations and claims under the terms set forth in this Policy.
- e) Inform the Processor when certain information is in dispute by the Data Subject.
- f) Inform the Superintendency of Industry and Commerce when there are violations of security codes and there are risks in the administration of information of Data Subjects.
11. SECURITY MEASURES
11.1. In accordance with the security principle established in article 4, paragraph g) of Law 1581 of 2012 and the guidelines of External Circular 002 of 2015 of the Superintendency of Industry and Commerce, Dok implements the following technical, human and administrative measures:
Technical measures:
- Encryption of data in transit via TLS/HTTPS protocol in all communications.
- Encryption of data at rest in databases and file storage systems.
- Access control based on multi-factor authentication.
- Logical isolation of data by User at all storage layers.
- Time-limited URLs with expiration for access to audio files.
- Continuous monitoring of errors, threats and security events.
Administrative measures:
- Audit log of access, creation, modification and deletion of clinical data.
- Confidentiality agreements with all personnel having access to personal data.
- Periodic review of security and access controls.
- Documented incident response procedure.
12. PROCESSING TERM AND DATA DELETION
12.1. Personal data will be processed during the term of the contractual relationship between the User and Dok, and for the additional period necessary to comply with legal, contractual, accounting or tax obligations.
12.2. The User may request the deletion of their personal data at any time by sending a request to dok.lat.sas@gmail.com. Dok will proceed with the deletion within a maximum term of fifteen (15) business days, unless a legal or contractual duty prevents deletion.
12.3. After termination of the contractual relationship, the User will have a period of thirty (30) calendar days to export their data. After such period, Dok will proceed with the secure and irreversible deletion of the User's data.
13. MODIFICATIONS TO THIS POLICY
13.1. Dok reserves the right to modify this Policy at any time. Any substantial modification — understood as one that affects the identification of the Controller, the purposes of Processing, or the rights of Data Subjects — will be communicated to the User via email and/or notice on the platform with no less than fifteen (15) calendar days' notice prior to its entry into force.
13.2. In accordance with article 2.2.2.25.3.2 of Decree 1074 of 2015, if modifications imply substantial changes in the purposes of Processing, Dok will obtain a new authorization from the Data Subject before implementing such changes.
14. APPLICABLE LAW
This Policy is governed by the Political Constitution of Colombia, Statutory Law 1581 of 2012, Regulatory Decree 1074 of 2015 (Chapter 25), Decree 1377 of 2013, External Circular 002 of 2015 of the Superintendency of Industry and Commerce, and other amending or supplementary regulations.
15. TERM
This Personal Data Processing Policy enters into force as of May 11, 2026 and will remain in force as long as SOCIEDAD TECNOLÓGICA DE COLOMBIA S.A.S. carries out its corporate purpose and the Processing purposes described herein subsist.