COOKIE USAGE POLICIES

In accordance with the legislation on the protection of personal data, Law 1581 of 2012 and Decree 1377 of 2013, and other regulations that modify, add to, or replace them, we inform you that LICOR INDEPENDIENTE SAS , on its website www.veinte.co, may use both its own and third-party cookies for various purposes. Therefore, below we present the COOKIE POLICY adopted by LICOR INDEPENDIENTE SAS , which contains the necessary information that all website users should know about the use of cookies by LICOR INDEPENDIENTE SAS or the third parties it contracts. LICOR INDEPENDIENTE SAS may modify this document at any time to keep it current and up-to-date. Therefore, we recommend that users check the date of preparation or update, which is indicated at the end of this document.

If you have any questions or concerns about the use of cookies or any of the points detailed in this Policy, please write to the following email address: licorindependiente@gmail.com or through our website www.veinte.co

Definition and types of cookies.

A cookie is a small piece of data that is downloaded to a user's computer, smartphone, or tablet when they access certain websites. Cookies store and retrieve information about the user's browsing activity. Through cookies, websites remember information about users' visits, allowing for a better and more secure browsing experience. Cookies are associated with both anonymous users—those who visit websites without identifying themselves or registering—and registered users.

On the other hand, cookies are not viruses or any other type of malicious program that can harm users' devices. Cookies cannot delete or read information from users' computers or devices.

Cookies are automatically created or updated on the user's computer or device when they access the LICOR INDEPENDIENTE SAS website . This allows LICOR INDEPENDIENTE SAS, or third parties it contracts, to track the user's cookies and, therefore, the information these cookies contain or obtain from the user. It is important to clarify that cookies are only read by the website that created them.

LICOR INDEPENDIENTE SAS may share information obtained through cookies with external parties or third parties (partners, clients, suppliers, or companies affiliated with LICOR INDEPENDIENTE SAS ) in order to improve user services. Likewise, the information received through cookies will be used by LICOR INDEPENDIENTE SAS and the aforementioned national or international third parties for the purposes described in this document and any subsequent updates.

There are different types of cookies, which can be classified according to who created them, how long they last, and finally, what their purpose is.

• Creation - First-party or third-party cookies: cookies are managed from the terminal or domain of the same publisher, while they are third-party cookies when they are not sent by the publisher itself, but by another entity.

• Time - Session Cookies: The data collected will only be stored while the user is browsing the website.

• Time - Persistent Cookies: the data continues to be stored on the terminal and can be accessed for a certain period of time.

• Purpose - Technical cookies: technical cookies are those that allow control of traffic and data communication;

• Purpose - Personalization cookies: those that allow users to access according to some of their own characteristics that are collected (browser, language, etc.), such as personalizing the search engine's home page.

• Purpose - Analytics Cookies: These collect data on user behavior and allow for the creation of a user profile. This enables the analysis and detection of browsing habits and the improvement of the website, blog, or e-commerce platform to better meet users' browsing needs. Finally,

• Purpose - Advertising Cookies: Advertising cookies collect data about the management of advertising spaces. This type of cookie allows, for example, showing users advertising banners that may be of interest to them.

PERSONAL DATA PROCESSING POLICY

1. APPLICATION

2. DEFINITIONS

3. CONTROLLER OF PERSONAL DATA

4. PURPOSES

5. PRINCIPLES OF THE PERSONAL DATA PROCESSING POLICY

6. EXCEPTIONS

7. TAXPAYERS

8. PROHIBITION ON PROVIDING SENSITIVE DATA

9. ACCESS TO INFORMATION

10. DELETION OF PERSONAL DATA

11. INQUIRIES AND COMPLAINTS

12. SECURITY AND PROTECTION OF COLLECTED INFORMATION

13. MODIFICATIONS

14. POLICY VALIDITY

The Personal Data Processing Policy of LICOR INDEPENDIENTE SAS complies with Article 15 of the Political Constitution of Colombia, Law 1581 of 2012, its decrees, resolutions, and circulars, as well as the provisions of Law 1273 of 2009, and the constitutional principles, rights, and guarantees regarding data protection (habeas data). This policy aims to protect the processing of personal data entrusted to us and voluntarily provided by our partners, employees, contractors, clients, and suppliers. We understand that the personal data we manage does not belong to us and that we have the responsibility to ensure the confidentiality, integrity, and availability of this information.

Veinte Ron Independiente manages this store and website, including the data, content, features, tools, products, and services to provide you, the customer, with a curated shopping experience (the “Services”). Veinte Ron Independiente uses Shopify technology to enable us to provide the Services. This Privacy Policy describes how we collect, use, and disclose your personal information when you visit, use, or make a purchase or other transaction through the Services or when you communicate with us through any other means. In the event of a conflict between our Terms of Service and this Privacy Policy, this Privacy Policy will prevail with respect to the collection, processing, and disclosure of your personal information.

Please read this Privacy Policy carefully. By using and accessing any of the Services, you acknowledge that you have read this Privacy Policy and understand how your personal information is collected, used, and disclosed, in accordance with this Privacy Policy.

1. APPLICATION

This policy will apply to all personal data recorded in databases that are processed by the controller, and in general to the protection of personal information obtained within the normal course of the company's operations.

2. DEFINITIONS

For the purpose of understanding the processing of personal data, we present the following definitions, which are tempered in article 3 of Law 1581 of 2012 and in article 3 of Decree 1377 of 2013.

A. Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.

B. Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation or deletion.

C. Authorization: Prior, express and informed consent of the Holder to carry out the Processing of Personal Data.

D. Data Subject: Natural person whose personal data is subject to Processing.

E. Data Controller: Natural or legal person, public or private, who alone or jointly with others, decides on the database and/or the processing of the data.

F. Processor: Natural or legal person, public or private, who, alone or in association with others, carries out the processing of personal data on behalf of the Data Controller.

G. Database: An organized set of Personal Data that is subject to Processing.

H. Partner: A natural person who has a partnership relationship with the Company. I. Employee: A natural person who works for the Company, bound by an employment contract in exchange for compensation called a salary.

J. Contractor: Natural and/or legal person who provides professional services under a professional services contract.

K. Client: Natural person who uses the services of the Company by virtue of the current commercial relationship.

L. Supplier: Natural and/or legal person who supplies goods and/or services to the Company by reason of the existing commercial relationship; the signing of a contract is not essential.

M. Former Employee and Former Contractor: Natural and/or legal person who provided services to the Company through an employment and/or service provision contract whose contractual relationship ended for any of the reasons established in the employment and/or service provision contract.

3. CONTROLLER OF PERSONAL DATA

The Data Controller for personal data is LICOR INDEPENDIENTE SAS, a company duly registered with the Medellín Chamber of Commerce for Antioquia, with NIT 901060305-6, whose main address is the city of Medellín and email address licorindependiente@gmail.com. Personal data will have the following purposes, according to the databases that are processed by the Data Controller, and according to each character.

In compliance with the provisions of Law 1581 of 2012, its regulatory decrees and other regulations that complement, modify or repeal it; LICOR INDEPENDIENTE SAS has adopted the following communication channels to address the requests of the Holders of personal data:

▪ Company name: LICOR INDEPENDIENTE SAS

▪ Email: licorindependiente@gmail.com

▪ Telephone: (057) 322 228 1752

▪ Website: www.veinte.co

LICOR INDEPENDIENTE SAS is responsible for addressing requests, complaints, claims and inquiries made by data subjects regarding information related to the personal data protection law, which will be received through the channels mentioned above.

Among the functions of LICOR INDEPENDIENTE for the protection of Personal Data are the following, without being an exhaustive list of its functions, which may increase in favor of the protection of the rights of the data subjects.

Please note that no security measure is perfect or foolproof, and we cannot guarantee "absolute security." Furthermore, any information you send us may not be protected during transmission. We recommend that you do not use unsecured channels to send us sensitive or confidential information.

The length of time we retain your personal information depends on several factors, including the need to maintain your account, provide you with the Services, comply with legal obligations, resolve disputes, or enforce other applicable contracts and policies.

THIRD-PARTY WEBSITES AND LINKS.

The Services may include links to websites or other online platforms operated by third parties. If you access links that lead to sites not affiliated with or controlled by us, we recommend that you review their privacy and security policies and other terms and conditions. We do not guarantee or assume responsibility for the privacy or security of such sites, including the accuracy, completeness, or reliability of the information they contain. Information you provide in public or semi-public spaces—including information you share on third-party social media platforms—may also be visible to other users of the Services and to users of those third-party platforms, without any limitations on its use by us or third parties. The inclusion of such links does not, in itself, imply any endorsement of the content of those platforms or their owners or operators, unless expressly stated within the Services themselves.

RELATIONSHIP WITH SHOPIFY.

The Services are hosted on Shopify, which collects and processes personal information about your access to and use of the Services in order to provide and improve the Services for you. To provide and improve the Services, information you submit to the Services will be transmitted to and shared with Shopify and third parties who may be located in countries other than your own. Additionally, to help protect, develop, and improve our business, we use certain advanced Shopify features that incorporate data and information obtained from your interactions with our store, other entrepreneurs, and the Shopify platform itself. To provide these advanced features, Shopify may use personal information collected about your interactions with our store, other entrepreneurs, and the Shopify platform itself. In these circumstances, Shopify is responsible for the processing of your personal information, including responding to your requests to exercise your rights regarding the use of such information for these purposes. For more information about how Shopify uses your personal information and the rights you may have, please refer to the Shopify Privacy Policy. Shopify Consumer Privacy Policy . Depending on where you live, you may be able to exercise certain rights regarding your personal information here. Link to Shopify's privacy portal .

4. PURPOSES

1. To receive requests from personal data owners, process and respond to those that are based on the law or on these policies, such as:

▪ Requests for updating and accessing personal data

▪ Requests for deletion of personal data when the data subject freely requests deletion or when the data subject presents a copy of the decision of the Superintendency of Industry and Commerce in accordance with the provisions of the law

▪ Requests for information about the use given to your personal data

2. To respond to data subjects regarding requests that are not admissible in accordance with the law.

3. To serve as a link with the regulatory institution in charge of inspection, surveillance and control in matters of personal data protection, in this case the Superintendency of Industry and Commerce.

4. Conduct periodic assessments regarding compliance with personal data protection, confidentiality and information security policies.

5. Comply with the legal obligations dictated in the regulations on the processing of personal data, especially those enshrined in Law 1581 of 2016 and its regulatory decrees.

6. To guide company staff in the handling of personal information.

7. Control and verify access to personal data within the company.

8. Principles of the Personal Data Processing Policy: The processing of personal data will be subject to the following principles:

Personal data will have the following purposes, according to the databases that are processed by the Controller, and according to each character as follows:

• Partners: Administrative, economic, payment, tax and accounting management.

• Employees: Comply with the obligations inherent to the employment relationship, payroll management, legal and conventional benefits, performance and quality evaluations, tax, economic and accounting management, temporary work management, social benefits, prevention of occupational risks and safety at work, selection and promotion of personnel, and any other derived from the Law or the employment relationship.

• Contractors: Comply with the obligations inherent to the service provision relationship, fee management, legal and conventional benefits, performance and quality evaluations, fiscal, economic and accounting management, temporary work management, social benefits, prevention of occupational risks and safety at work, selection and promotion of personnel, and any other derived from the Law or the contractual relationship.

• Clients: Administrative management, collections and payments, invoicing, economic, accounting, and tax management, history of commercial relationships, advertising by ourselves or by third parties, marketing and sales prospecting, customer management, and any other derived from the Law or the contractual relationship.

• Suppliers: Administrative, tax, collections and payments, financial and accounting management, history of commercial relationships, supplier management, and any other activity derived from the Law or the contractual relationship. Data may eventually be shared with third parties and authorities exercising Inspection, Control and Oversight functions, and may also be used to send commercial, legal, and general interest information, among others.

WITH SHOPIFY

In certain circumstances, we may disclose your personal information to third parties for legitimate reasons, in accordance with this Privacy Policy. Such circumstances may include:

• With Shopify, suppliers, and other third parties who provide services on our behalf (for example, IT management, payment processing, data analysis, customer support, cloud storage, order management, and shipping).

• We use your information with business and marketing partners to provide marketing services and show you advertising. For example, we use Shopify to support personalized advertising through third-party services, based on your online activity with different merchants and websites. Our business and marketing partners will use your information in accordance with their own privacy policies. Depending on where you live, you may have the right to tell us not to share information about you for personalized advertising and marketing purposes based on your online activity with different businesses and websites.

• When you instruct us, request it, or otherwise consent to the disclosure of certain information to third parties, for example, to send you products or through the use of social media widgets or login integrations.

• With our affiliates or, in general, within our business group.

• In connection with a business transaction, such as a merger or insolvency proceeding, to comply with applicable legal obligations (including responding to subpoenas, search warrants, or other similar requests), to enforce the Terms of Service or applicable policies, and to protect or defend the Services, our rights, and the rights of our users or others.

5. PRINCIPLES OF THE PERSONAL DATA PROCESSING POLICY

Legality, purpose, freedom, truthfulness, transparency, restricted access and circulation, security, confidentiality, which are fully defined in Article 4 of Law 1581 of 2012.

Depending on where you live, you may have some or all of the rights listed below regarding your personal information. However, these rights are not absolute, may apply only in certain circumstances, and in some cases, we may refuse your request where permitted by law.

1. Right of access. You may have the right to request access to the personal information we hold about you.

2. Right to erasure. You may have the right to request that we erase the personal information we hold about you.

3. Right to rectification. You may have the right to request that we correct any inaccurate personal information we hold about you.

4. Right to data portability. You may have the right to receive a copy of the personal information we hold about you and request that we transfer it to a third party, under certain circumstances and with certain exceptions.

5. Communication preferences management. We may send you promotional emails, and you can opt out of receiving them at any time using the unsubscribe option in our emails. If you opt out, we may still send you non-promotional emails, such as those related to your account or orders you have placed.

You can exercise any of these rights at the locations indicated in the Services or by contacting us using the contact details provided below. For more information about how Shopify uses your personal information and the rights you may have—including those related to data processed by Shopify—please visit https://privacy.shopify.com/en.

We do not discriminate against you for exercising any of these rights. We may need to verify your identity before we can process your requests, as permitted or required by applicable law. In accordance with applicable law, you may appoint an authorized representative to submit requests on your behalf to exercise your rights. Before accepting a request submitted by a representative, we will require the representative to provide proof that you have authorized them to act on your behalf, and we may need you to verify your identity directly with us. We will respond to your request within a reasonable time, as provided by applicable law.

6. EXCEPTIONS

The personal data protection regime will not apply in the following cases:

1. Databases or files maintained in an exclusively personal or domestic setting.

2. Databases and files whose purpose is national security and defense, as well as the prevention, detection, monitoring and control of money laundering and the financing of terrorism.

3. Databases that have as their purpose and contain intelligence and counterintelligence information.

4. Databases and archives of journalistic information and other editorial content.

5. Databases and files regulated by Law 1266 of 2008.

6. Databases and files regulated by Law 79 of 1993.

7. TAXPAYERS

This policy applies to our partners, employees, former employees, contractors, former contractors, clients, suppliers, and all other individuals and/or legal entities with whom the Company has or has had any contractual relationship. The Company will assume, in good faith, that any data for which any data subject is responsible due to contractual relationships has been collected and processed in accordance with Law 1581 of 2012 and its implementing regulations.

8. PROHIBITION ON PROVIDING SENSITIVE DATA

The data subject is not obligated to provide sensitive personal data, such as information revealing racial, ethnic, or political origin, religious beliefs, trade union membership, membership in social or human rights organizations, or political parties, as well as information relating to fundamental rights to health, privacy, and freedom. If the Company deems it necessary to collect data considered "sensitive," the data subject's authorization will be required.

9. ACCESS TO INFORMATION

The owner of the personal data will have the right to request free access to the personal data held by us, as well as to know, update and rectify personal data when it is partial, inaccurate, incomplete, fragmented or misleading, as well as to request the deletion of personal data that is prohibited by law or that has not been authorized.

We may collect personal information from the following sources:

• Directly from you, including when you create an account, visit or use the Services, communicate with us, or provide us with your personal information by any other means.

• Automatically through the Services, including information from your device when you use our products or services or visit our websites, as well as through the use of cookies and similar technologies;

• From our service providers, including when we engage them to enable certain technology or when they collect or process your personal information on our behalf;

• From our partners or other third parties.

PERSONAL INFORMATION WE COLLECT OR PROCESS.

When we use the term "personal information," we mean any data that identifies you or can reasonably be linked to you or another person. Personal information does not include data collected anonymously or data that has been de-identified so that you cannot be identified or reasonably linked to you. We may collect or process the following categories of personal information—including inferences drawn from such information—depending on how you interact with the Services, where you live, and what is permitted or required by applicable law:

• Contact details including your name, address, billing address, shipping address, phone number, and email address.

• Financial information including credit card numbers, debit card numbers and financial accounts, payment card information, financial account details, transaction details, payment method, payment confirmation and other payment-related information.

• Account information including your username, password, security questions, preferences, and settings.

• Transaction information, including items you view, add to your cart, save to your wish list, purchase, return, exchange, or cancel, as well as your previous transactions.

• Communications with us, including information you provide to us in your communications with us, for example, when submitting a complaint to customer service.

• Device information including information about your device, browser or network connection, your IP address and other unique identifiers.

• Information about usage, including information relating to your interaction with the Services, such as how and when you use or browse them.

HOW WE USE YOUR PERSONAL INFORMATION.

Depending on how you interact with us or which Services you use, we may use your personal information for the following purposes:

• Providing, personalizing, and improving the Services. We use your personal information to provide you with the Services, which includes fulfilling our contract with you, processing your payments, managing your orders, remembering your preferences and items that interest you, sending you account-related notifications, processing purchases, returns, exchanges, or other transactions, creating, maintaining, and managing your account, arranging shipping, facilitating returns and exchanges, allowing you to post reviews, and offering you a personalized shopping experience, such as recommending products related to your purchases. This may include using your personal information to personalize and improve the Services.

• Marketing and advertising. We use your personal information for marketing and promotional purposes, such as sending you commercial, advertising, and promotional communications via email, text message, or postal mail, as well as showing you online advertisements about products or services on the Services themselves or on other websites, including based on items you have previously purchased, added to your cart, or other activities performed on the Services.

• Security and fraud prevention. We use your personal information to authenticate your account, provide a secure shopping and payment experience, detect, investigate, or take action against potential fraudulent, illegal, dangerous, or malicious activity, protect public safety, and ensure the security of our services. If you choose to use the Services and register an account, you are responsible for maintaining the confidentiality of your login credentials. We strongly recommend that you do not share your username, password, or other information with anyone.

• Communications with you. We use your personal information to provide you with customer support, respond to your requests, provide you with services efficiently, and maintain our business relationship with you.

• Legal reasons. We use your personal information to comply with applicable law or respond to valid legal processes, including requests from law enforcement agencies or government authorities, as well as to investigate or participate in civil discovery, potential or actual litigation, or other contentious legal proceedings, and to enforce or investigate possible violations of our terms or policies.

10. Deletion of Personal Data: The data subject may request the deletion of their data when:

1. They are not necessary for the purpose for which they were collected.

2. When they are not being used in accordance with current regulations, as well as in violation of constitutional rights and guarantees.

3. Expiration of the indicated deadline for the purposes for which they were collected.

11. INQUIRIES AND COMPLAINTS

Inquiries and complaints from the data subject must comply with the provisions of Articles 14 and 15 of Law 1581 of 2012, its regulatory decree 1377 of 2013 and other regulations that modify or add to it, which must be directed in writing to the following communication channels for the attention of the requests of the Data Subjects:

▪ Email: licorindependiente@gmail.com

▪ Website: www.veinte.co

PROCEDURE.

• Name and surname of the Holder.

Photocopy of the Citizenship Card of the Holder and, where applicable, of the person who represents him, as well as the document accrediting such representation.

• Description of the request.

• Address for notifications, date and signature of the applicant. The rights of children or adolescents will be exercised by the persons who are authorized to represent them.

Responses to inquiries and complaints will be made within 10 and 15 business days from the date of receipt respectively.

12. SECURITY AND PROTECTION OF COLLECTED INFORMATION

The information collected will be processed maintaining the best security and technological protection practices in order to prevent unauthorized or illegal access, or accidental loss or damage to the information. The corresponding electronic and procedural safeguards are maintained in relation to the collection, storage, use and disclosure of the information, and in accordance with the security measures defined in the Company's Information and Information Technology Security Policy.

13. MODIFICATIONS

The Company may at any time make modifications to this policy, which will be published on the Company's website, or in the medium that the Company determines.

In any case, the company undertakes to notify the liable parties of any change to the address registered for such purposes.

14. POLICY VALIDITY

This policy is effective from the date of its publication. Matters not addressed in this policy will be governed by Law 1581 of 2012 and its implementing regulations. We may update this Privacy Policy from time to time, including to reflect changes in our practices or for operational, legal, or regulatory reasons. We will post the updated version of this Privacy Policy on this website, update the "Last Updated" date, and notify you of changes as required by applicable law.

Signed in the city of Medellín, Antioquia, on the 9th day of September of the year 2025

FELIPE ISAZA VASQUEZ

Legal representative

Independent Liquor SAS

NIT: 901060305-6