Privacy NOTICE

july 2020

Identity and Address of the Responsible Organization:

YONDER MEDIA MOBILE MÉXICO, S. DE R.L. DE C.V. (hereinafter referred to as "YO" or the “Responsible Party”), with a legal address of Insurgentes Sur No. 1787, Piso 4.Col. Guadalupe Inn, CDMX México, to which any natural person can address complaints regarding the privacy and protection of the legitimate, controlled and informed treatment of personal data (the "Personal Data") of users (each a "User" or “Owner”) of the Website or the App, and in accordance with its privacy policy, with the provisions of the Federal Protection Law of Personal Data Held by Individuals (the “LFPDPPP” ) and with other applicable secondary regulations in force, as well as national and international standards regarding the protection of personal data, in order to guarantee privacy and right to informative self-determination and protection of Personal Data, which the Responsible Party may collect through the following means: (i) personally, when the Owner provides them physically at YO facilities (if and when possible), (ii) in a direct personal way, when the User enters them through the website www.yotelco.com (the "Website") or the Responsible Party's mobile application called “YO” (the “App” ), (iii) directly, when the Owner provides them via telephone, (iv) indirectly, when other companies transfer them to us, and (v) indirectly, when they are obtained through permitted public access sources by the LFPDPPP; makes available to the User this comprehensive privacy notice (the "Privacy Notice"), prior to obtaining any Personal Data, in strict adherence to the principles of information, legality, consent, quality, purpose, loyalty, proportionality and responsibility, as contemplated in the LFPDPPP.

Personal data that will be subjected to treatment:

Non-Sensitive Personal Data

ID: Name, surname, full address, date of birth, Federal Taxpayer Registry (“RFC”), Unique Population Registry Key (“CURP”), photograph or selfie and images.

Electronic and Computer: Fixed phone number, cell phone, device ID, GPS (Global Positioning System) location that allow YO to determine the exact position in real time and by radio base triangulation, email, call history, username and password.

Personal Financial Data

Financial: Bank card numbers, however, it is made known to the Owner that the Responsible Party does not intend to retain full bank card numbers as sensitive Personal Data.

Personal Data of Minors and Disabled: The Responsible Party will not carry out operations that involve the processing of Personal Data of minors or people who are in a state of incapacity. However, in the event that Personal Data from these types of persons is provided to the Responsible Party, it will be understood that they were provided by their father, mother or guardian.

Purposes of the processing of Personal Data

In order to provide you with the services offered by the Responsible Party through the App, the Responsible Party will use your Personal Data for the purposes indicated below:

Primary purposes. Those that are necessary for the existence and fulfillment of the legal obligation that the User establishes with the Responsible Party, in order to:

1. Verify and confirm the identity of the User.
2. Provide mobile phone service.
3. Increase, decrease, change and/or transfer services, equipment or plans.
4. Provide the tools, functions and controls available in the Responsible Party's mobile application, whether the User executes its order through the App.
5. Provide Customer Service through our authorized sales channels, including billing.
6. Comply with the obligations and exercise the rights derived from the legal relationship established between the Responsible Party and the User.
7. To verify the data of the card provided to make the payment of the requested services.
8. To adhere to the requirements of any competent authority.
9. Take steps to ensure that Personal Data is accurate, complete, pertinent, correct and at all times, as well as updated in compliance with the principle of quality established by the LFPDPPP

Secondary purposes. Those that are not necessary for the existence and fulfillment of the legal relationship that the User requests and formalizes with the Responsible Party, however, they are complementary and important, since they allow us to provide a better service, such as to:

1. Prepare profiles of clients and users of the services.
2. Send communications related to offers, promotional messages, communications for marketing, advertising and advertising purposes, and commercial prospecting on new or existing services.
3. Apply surveys, market studies, participate in events, contests, games and raffles, participate in social networks, chats and information that allows us to evaluate the quality of services.

With whom the Personal Data is shared

The User accepts and acknowledges that the Responsible Party, does not require your consent to make national or international transfers of Personal Data, in the following cases:

1. When the transfer is provided for in a Law or Treaty to which Mexico is a party.
2. When the transfer is made to controlling companies, subsidiaries or affiliates under the common control of the Responsible Party, or a parent company, or any company of the business group to which it belongs, and which operates under the same internal processes and policies.
3. When the transfer is necessary by virtue of a contract concluded in the interest of the User, by the Responsible Party and a third party.
4. When the transfer is necessary for the safeguarding of a public interest, or for the procurement or administration of justice.
5. When the transfer is necessary for the recognition, exercise or defense of a right in a judicial process.
6. When the transfer is necessary for the maintenance or fulfillment of the legal relationship derived from the services and products contracted with the Responsible Party.

Limitation on the use or disclosure of Personal Data

It is necessary to let the Owner know that to restrict, limit and control the processing of Personal Data, the Responsible Party has adopted administrative, physical and technical measures, in addition to having established internal privacy policies and programs to prevent disclosure of Personal Data and implemented various security controls. Personal Data will be processed on a strictly confidential basis, so the obtaining, transfer and exercise of the rights derived from them, is through the adequate, legitimate and lawful use, permanently safeguarding the principles of legality, consent, information, quality, purpose, loyalty, proportionality and responsibility.

Designated Person for Personal Data Issues

In the event that the Owner wants or needs to revoke his/her consent, as well as Access, Rectify, Cancel or Oppose the processing of the Personal Data he/she has provided to the Responsible Party, he/she must do so through the following contact designated by the Responsible Party for this:

Email: privacidad@yotelco.com.

Means to exercise ARCO rights

In the event that the Owner of any Personal Data needs to access, rectify, cancel or oppose the Personal Data that he/she has provided to the Responsible Party, the Owner may revoke the consent granted with the acceptance of this Notice by electronic means by using the following procedure to exercise your rights:

1. Send an e-mail to the designated address above, stating the following:

1.1. The full name of the Owner, address and email address to receive the response generated in connection with your request;
1.2. The reason for your request;
1.3. Arguments supporting your request or request;
1.4. Official document proving your identity and proving that you are who you claim to be; and
1.5. Clear and accurate description of the personal data for which any of the ARCO rights are sought, and any other element or document that facilitates the location of the Personal Data.
1.6. In the case of requests for rectification of personal data, the Owner shall indicate, in addition to the above, the modifications to be made and provide the documentation that supports his/her request.

2. The Responsible Party shall notify the Owner, within a maximum period of 20 (twenty) business days, from the date on which the request for access, rectification, cancellation or opposition was received, of the decision adopted, in order that, if appropriate, the same shall be effective within 15 (fifteen) business days following the date on which the reply is communicated. In the case of requests for access to Personal Data, the delivery will proceed with prior accreditation of the identity of the applicant or legal representative, as appropriate.

The Responsible Party may deny access to Personal Data or to make rectification, cancellation or grant opposition to treatment of the same, inthe following cases:

→ When the applicant is not the User or its legal representation is not duly accredited.
→ When Personal Data is not found in the Responsible Party's database.
→ When the rights of a third party are infringed.
→ When there is a legal impediment or the resolution of a competent authority that restricts access to Personal Data or does not allow the rectification, cancellation or opposition of the same.
→ When access, rectification, cancellation or opposition have been made.

The refusal referred to in the preceding paragraph may be partial, in which case the Responsible Party will carry out access, rectification, cancellation or opposition required by the User.

In the cases provided for above, the Person Responsible will duly inform the Owner or legal representative of the reason for the decision, within the time limits established for this purpose, by the same means in which the request was carried out or that indicated by the User. In case the User feels affected with the resolution issued by the Responsible Party, he/she has available the action to protect rights before the National Institute of Transparency, Access to Information and Protection of Personal Data (the "INAI").

Privacy Department

For any clarification, comment, complaint or disagreement regarding the privacy policy of the Responsible Party, you can send your request to the Privacy Department through email to privacidad@yotelco.com, who will respond to the request within a maximum period of 20 (twenty) business days.

In the event that the User is prevented from generating and sending the ARCO Rights Request, as well as manifesting the revocation of your consent in terms of the provisions of the Privacy Notice, due to technical failures of the DDP Website, you may send it to the Privacy Department, via email privacidad@yotelco.com, previous accreditation of the failure occurred, complying with the requirements and with the conditions considered by the LFPDPPP.

Cookies and Online Security Protocol

The Data Controller obtains information, through the Website, through the use of cookies, understanding that "Cookie" means the data file that is stored on the hard drive of the User's computer, when the latter has access to the Website. Such files may contain information such as the identification provided by the Owner, or information to track the preference pages of the same, to monitor their behavior as an internet user, provide them with a better service and user experience when browsing the Website. A Cookie cannot read the data or information on the User's hard drive or read the Cookies created by other sites or pages. In the event that the Owner wishes to reject cookies or selectively accept them, he/she can do so through the setting of preferences in the browser.

Remote electronic communication mechanisms that collect Personal Data automatically

Some parts of the Website may use Cookies and Web Beacons to simplify navigation. The Cookies are text files that are automatically downloaded and stored in the hard disk of the user's computer equipment when the user has access to the Website, which allow the Internet server to remember some information about this user, including their purchase preferences for viewing the pages on that server, name and password, and provide them with a better service and user experience when browsing the Website. A Cookie cannot read the data or information on the User's hard drive or read the Cookies created by other sites or pages. In the event that the Owner wishes to reject cookies or selectively accept them, he/she can do so through the setting of preferences in the browser. For their part, Web Beacons are images inserted into an Internet page or email, which can be used to monitor the behavior of a visitor, such as storing information on the user's IP address, duration of the interaction time on said page and the type of browser used, among others.

YO hereby informs you that it uses Cookies and Web Beacons to obtain personal information from you, such as the following: (i) The kind of browser and operating system you use; (ii) The Internet pages you visit before and after entering the Website; (iii) The links that follow and permanence on the Website; (iv) Your IP address; (v) Place from which you visit the Website and statistics of navigation. These Cookies and other technologies can be disabled. You can adjust your Cookie preferences by setting your preferences in your preferred browser.

In the case of the use of Cookies, the "help" button found in the toolbar of most browsers will tell you how to avoid accepting new Cookies, how to have the browser notify you when you receive a new cookie or how to disable all Cookies.

Conservation and Security of Personal Data

The Responsible Party and/or their managers, will keep Personal Data for as long as necessary to process the requests of products and/or services offered, comply with the legal relationship between the Owner and the Responsible Party, as well as to maintain the accounting, financial and audit records in terms of the LFPDPPP and the current commercial, fiscal and administrative legislation. The Personal Data processed by the Responsible Party and/or its managers will be protected by security measures, administrative, technical and physical measures against unauthorized damage, loss, alteration, destruction or use, access or treatment, in accordance with the provisions of the LFPDPPPP, the administrative regulation derived from it, banking legislation and secondary standards issued by the competent authorities.

INAI

In the event that the Owner considers that his/her right to protection of Personal Data has been damaged by the improper treatment of the Responsible Party, they may file a corresponding complaint or claim with the INAI, for which reason they may consult the website www.inai.org.mx for more information.

Disclaimer

The Website, as well as the DDP Website, may contain links, hyperlinks or hypertexts "links", banners, buttons and/or tools for Internet search that when used by the Users transport to other portals or internet sites that could be owned by third parties. Therefore, it does not control these sites and is not responsible for the privacy notices that they have, or where appropriate, the lack thereof; the Personal Data that the Users come to provide through said portals or Internet sites other than the Website, as well as with the DDP Website, they are your responsibility, so you must verify the privacy notice on each site you access. Some links, banners and/or buttons that request Personal Data within the Website are the responsibility of third parties outside the Responsible Party, who are sometimes service providers, so they are governed by their own terms and privacy policies. To learn more about this topic, we invite you to consult the terms and conditions section.

Modifications to this Privacy Notice

The Controller reserves the right to periodically update or modify the Privacy Notice in accordance with the changes in the information practices, in response to legislative developments, internal policies or new requirements for the provision of services. Said updates or modifications will be notified to the Owner through the Website, in the Privacy Notice section. The Responsible Party recommends and requires the Owner to consult the Privacy Notice, at least every six months, to be updated on the conditions and terms thereof.

Consent for the processing of Personal Data

The Owner declares that he/she has read, understood and accepted the terms set forth in the Privacy Notice, which constitutes the free, specific, unequivocal and informed consent, including with respect to the changes established in any updates made to it, with respect to the processing of Personal Data in compliance with the provisions of the LFPDPPP and the Guidelines.