PERSONAL DATA PROTECTION POLICY
SADORNOEL CIA. LTDA.

The Company SADORNOEL CIA. LTDA., with RUC 1792461561001, located at Avenida Interoceánica s/n and Siena, in the city of Quito, hereinafter referred to as “SEGUNDO MUELLE” and/or “Controller,” whose main activity is the sale and table and home service of prepared meals, issues this Personal Data Protection Policy.

The processing of personal data will be carried out through any personal or automated operation, always respecting the guarantees to specific information on any decision adopted; likewise, no decision will be based solely on automated evaluations.

This Personal Data Protection Policy is published on the website www.segundomuelle.com.

i) DEFINITIONS:
For the purposes of executing this Personal Data Protection Policy and in accordance with legal regulations, the following definitions shall apply:

1. Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of personal data.
2. Privacy Notice: Physical, electronic, or any other format document generated by the Controller that is made available to the Data Subject for the processing of their personal data. The Privacy Notice informs the Data Subject about the existence of the information processing policies that will be applicable to them, the way to access them, and the purpose of the intended personal data processing.
3. Database: Organized set of personal data that is subject to Processing.
4. Personal Data: Any information linked to or that can be associated with one or more determined or determinable natural persons.
5. Processor: Natural or legal person, public or private, who, alone or in association with others, performs the Processing of personal data on behalf of the Data Controller.
6. Data Controller: SADORNOEL CIA. LTDA. “SEGUNDO MUELLE”
7. Data Subject: Natural person whose personal data is subject to Processing.
8. Processing: Any operation of collection, compilation, obtaining, recording, organization, structuring, conservation, custody, preparation, adaptation, modification, elimination, indexing, extraction, consultation, use, possession, distribution, communication; or, any other form of access enablement, comparison, interconnection, limitation, suppression, destruction, and, in general, any use of personal data within the context of the purpose.

ii) PURPOSES FOR WHICH PERSONAL DATA IS COLLECTED:
The purposes of personal data processing carried out by SADORNOEL include:

• Employees:
  1. Employee information will be used and kept for administrative processes of recruitment and/or selection and/or labor linkage, payroll management, promotion and communication of additional employee benefits, induction and training, and labor performance evaluation. Sensitive employee information will be processed in accordance with the Law, seeking the dissociation of sensitive information.
• Customers:
  1. Provision of restaurant service, such as those related to the consumption of drinks and meals.
  2. Scheduling reservations.
  3. Dissemination of advertising material related to the services provided by the restaurant.
  4. Carrying out satisfaction surveys and evaluation of the services provided by SADORNOEL. The objective is to collect feedback and opinions from Data Subjects to identify areas for improvement, implement changes in the service offering, or in the quality of the services offered.
  5. Payment and invoicing management: Personal data will be used to manage the invoicing and collection of the services provided.
• Suppliers:
  1. Supplier Information: Information for supplier qualification. - The information collected from suppliers will be used for pre-selection management, reference verification, selection and qualification as suppliers, monitoring of service provision, and delivery of the contracted service.
  2. Contracting products and services: managing the contracting of products and services, as well as subsequent data that may arise from the relationship with SADORNOEL.

iii) PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
The processing of personal data at SADORNOEL will be governed by the following principles:

1. Legality (Juridicidad). - Data must be processed in compliance with and adherence to the Constitution, the LOPDP, its Regulation, and other applicable regulations.
2. Loyalty (Lealtad). - The processing of personal data must be loyal, meaning Data Subjects must be clear regarding the processing of their data.
3. Transparency (Transparencia). - The processing of personal data must be transparent, so all information and communication must be easily accessible and understandable.
4. Purpose (Finalidad). - The purposes of the processing must be explicit, legitimate, and communicated to the Data Subject.
5. Relevance and Minimization (Pertinencia y minimización). - Only personal data that is necessary and directly related to the purpose to be fulfilled must be collected.
6. Proportionality of Processing (Proporcionalidad del tratamiento). - The processing must be adequate, necessary, timely, relevant, and not excessive in relation to the purposes.
7. Confidentiality (Confidencialidad). - Personal data information must be protected with due secrecy and discretion.
8. Quality and Accuracy (Calidad y exactitud). - Processed personal data must be exact, precise, complete, verifiable, and clear.
9. Retention (Conservación). - Personal data will not be kept for a time longer than necessary to fulfill its processing purpose and in accordance with the times established in this policy.
10. Security (Seguridad). - Adequate and necessary security measures will be implemented, understood as those accepted by the state of the art, whether they are organizational, legal, administrative, technical, physical, or of any other nature, to protect personal data against any risk, threat, or vulnerability, taking into account the nature of the personal data, the scope, and the context.
11. Proactive and Demonstrated Responsibility (Responsabilidad proactiva y demostrada). - The Data Controller must have implemented personal data protection mechanisms, in accordance with the Law, as well as other measures deemed necessary according to the purposes, nature of the personal data, and risk.
12. Application Favorable to the Data Subject (Aplicación favorable al Titular). - In case of doubt regarding the application of the Law, the rule will be interpreted in the sense most favorable to the personal data subject.
13. Independence of Control (Independencia de Control). - The Personal Data Protection Authority will exercise independent, impartial, and autonomous control.

iv) RIGHTS OF PERSONAL DATA SUBJECTS
We inform personal data subjects about their right to request the revocation of authorization for the processing of personal data in the cases contemplated in data protection regulations; as well as the rights of access, information, elimination, rectification, update, opposition, and portability of personal data.

1. Access: Request information about the personal data we have stored.
2. Rectification: Correct or update your personal data in case it is inaccurate or incomplete.
3. Erasure (Supresión): Request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected.
4. Objection (Oposición): Object to the processing of your personal data in certain circumstances.
5. Restriction of Processing (Limitación del tratamiento): Request the restriction of the processing of your personal data in cases determined by Law.
6. Portability: Receive your personal data in a structured, commonly used, and readable format, and transmit it to another data controller when technically possible.
7. Revocation of Consent (Revocación del consentimiento): Withdraw your consent at any time, without affecting the lawfulness of the processing based on consent prior to its withdrawal.
8. File a Complaint (Presentar una reclamación): File a complaint with the competent data protection authority in Ecuador.

To exercise their rights, the interested party or personal data subject may fill out the application at the following link: bit.ly/4feOWJp, attaching the documents that prove their identity to the email protecciondatosquito@segundomuelle.com.

v) REQUEST FOR AUTHORIZATION FROM THE PERSONAL DATA SUBJECT
Prior to and/or at the time of collecting personal data, SADORNOEL will request the data subject's authorization to carry out its collection and processing, indicating the purpose for which the data is requested, using automated or written technical means for these purposes, which allow retaining proof of the authorization. Said authorization will be requested for the time that is reasonable and necessary to satisfy the needs that gave rise to the data request and, in any case, in compliance with the legal provisions governing the matter.

Once the purpose or purposes of the processing have been fulfilled, the personal data will be deleted. However, personal data must be retained when required for the fulfillment of a legal or contractual obligation.

vi) INFORMATION SECURITY
SADORNO EL will implement all adequate and necessary security measures, understood as those accepted by the state of the art, whether they are organizational, legal, administrative, technical, physical, or of any other nature, to protect personal data against any risk, threat, or vulnerability, taking into account the nature of the personal data, the scope, and the context.

In the event of violations of confidentiality, integrity, or availability of data, SADORNO EL will safeguard the rights and freedoms of the concerned persons and will notify the Ecuadorian data authority in accordance with the provisions of article 43 of the LOPDP.

vii) MODIFICATIONS TO THE POLICY
This personal data protection policy will be reviewed annually by default, and any modifications made will be published on this same SADORNOEL website: www.segundomuelle.com.