PRIVACY NOTICE FOR THE WEBSITE

  1. Identity and Address of the Controller

[*] Avendra LLC (the "Controller") with address for notifications at 540 Gaither Road, Suite 200 Rockville, MD 20850 (the "Address").

  1. Legal Framework

The Controller informs you that personal data, sensitive personal data, financial or equity data, or other similar information (the "Personal Data") that you provide to us will be protected in accordance with the applicable law (the "Law").

  1. Objective

The purpose of this privacy notice (the “Privacy Notice”) is to define the scope and general conditions of the processing of Personal Data by the Controller and to inform its owners (the "Data Subjects"), so that they are able to make informed decisions about the use of such Personal Data, and to maintain control and disposal over them. Likewise, this Privacy Notice allows the Controller to transparently disclose such processing and thereby strengthen the level of trust of users of this website (the "Website").

  1. Personal Data Collected

The Personal Data that will be processed, according to their different categories, are as follows:

  1. General: All those that allow identifying the Data Subject, including, but not limited to, full name or company name, address, home phone, office phone, email address, occupation, and references.

  2. Habitual: Those browsing patterns on the Website that are used to analyze and, where applicable, offer new products and services.

In this regard, we inform you that Personal Data will be processed and safeguarded based on the principles established in the Law, including legality, quality, consent, information, purpose, loyalty, proportionality, and responsibility.

Sensitive Data:

The Data Subject is informed that the Controller does not collect sensitive Personal Data from Users. In the event that any such data is communicated to the Controller, it will proceed to its deletion.

  1. Purposes of Personal Data Processing

The Controller, through the Website, will process the Personal Data of users accessing the Website (the "Users") to learn about the various products and services offered by the Controller, for the purposes mentioned below.

  1. Purposes that give rise to and are necessary for the existence, maintenance, and fulfillment of the legal relationship, and will not require consent:

  2. Analyze browsing patterns and habits within the Website.

  3. Maintain necessary communication with the User to address their inquiries, provide details of products and/or services, and, if applicable, promote such products and/or services offered by the Controller to the public.

  4. Comply with applicable regulations.

  5. Purposes that do NOT give rise to and are NOT necessary for the use of the Website, and that will require consent:

  6. Conduct surveys, statistics, and reports.

  7. Notify and offer promotions, discounts, and advertising campaigns for products or services according to the Controller's commercial activities.

  8. Publications and communication through social networks and internal communications.

The Data Subject is informed that the mechanism implemented by the Controller for expressing refusal to the processing of their personal data according to the purposes included in section B) of this section involves sending a request titled "Refusal of Secondary Personal Data Processing." The Data Subject must address this request to the address or email address specified in the Exercise of ARCO Rights section of this Privacy Notice, observing the requirements stated in the first paragraph of that section. This request will take place within three (3) business days following its receipt.

  1. Transfer of Personal Data

We inform you that, in order to fulfill the purposes stated above, and without prejudice to the exceptions contained in the Law, it is necessary for your Personal Data to be transferred and processed by individuals other than those who are part of, its affiliates, and subsidiaries, which are listed below:

  1. Specialized companies in statistics by target population, age range, and/or country of residence.

  2. Judicial and/or administrative authorities to which the Controller is obligated by law, as well as for the administration of justice.

  3. Purposes Justifying Transfer of Personal Data

The purposes justifying the transfer of Personal Data of the Data Subjects are those outlined in paragraphs 1 and 3 of section A) and paragraphs 1, 2, and 3 of section B) of the Purposes section of this Privacy Notice.

  1. Measures for Safeguarding, Use, or Disclosure of Your Personal Data

In order to limit the use or disclosure of Personal Data, the Controller safeguards such Personal Data using suitable equipment.

Both for Personal Data stored electronically and in physical documents, the Controller employs the same security measures as those applied to its own information.

Additionally, the Controller enters into confidentiality agreements with all its personnel, stipulating that Personal Data accessed in the course of their duties is confidential information. Any unauthorized disclosure of such confidential information may result in liability for damages and penalties, including criminal, administrative, and/or labor sanctions.

Furthermore, the Controller has implemented internal policies and processes applicable to its personnel, ensuring that Personal Data is accessed by a minimal number of individuals. The use of reproduction means it is limited, and there is an obligation to block and, if necessary, destroy all copies or reproductions of documents containing Personal Data that are not strictly necessary for the proper performance of the Controller's personnel functions.

Finally, the Controller informs Data Subjects they can limit the use and disclosure of their Personal Data through a different tool than exercising their ARCO Rights or withdrawing consent, by registering in the applicable registry as provided by the Law.

  1. Exercise of ARCO Rights

In accordance with the Law, the Data Subject may exercise their rights of access, rectification, cancellation, or opposition ("ARCO Rights") with respect to the Personal Data concerning them held by the Controller. For this purpose, the Data Subject must submit a request to the Controller in writing addressed to the [Officer/Committee] attention [*], which must include and be accompanied by the following: (i) full name or company name of the Data Subject and address or other means to communicate the response to their request; (ii) copy of the Data Subject's identification document, as well as the original for verification or, if applicable, in the case of the Data Subject's representative, in addition to the above, documents proving the representative's identity, as well as the public instrument or power of attorney signed before two witnesses, stating the granted powers, or a declaration made in person by the Data Subject; (iii) clear and precise description of the Personal Data for which any of the ARCO Rights are to be exercised, and (iv) any other element or document that facilitates the location of the Personal Data. This request must be submitted at the Address or via email to the following email address: [*], provided that duly certified electronic instruments replacing the identification of the Data Subject or, if applicable, their representative, are submitted. The cost of the exercise of ARCO Rights will be determined by the applicable legislation of each country. The hours for processing the aforementioned requests are Monday to Friday from [*] a.m. to [*] p.m.

The Controller will inform the Data Subject of the decision taken regarding the ARCO Right requested within a maximum period of twenty (20) business days counted from the date the ARCO Right request was received, so that, if appropriate, it will be effective within fifteen (15) business days following the date the response is communicated. The deadline may be extended only once for each request, for an additional period of fifteen (15) business days, provided that the Controller justifies the extension to the Data Subject, which must be notified before the original deadline expires. For this purpose, the Controller will record the corresponding date of receipt in the acknowledgment of receipt delivered to the Data Subject.

The deadline mentioned in the previous paragraph will be interrupted if the Controller requires additional information from the Data Subject because the information originally provided is insufficient or incorrect to process the request, or if the indicated documents are not attached. For this purpose, the Controller may request the Data Subject, once and within five (5) business days following the receipt of the request, to provide the necessary elements or documents to process it. The Data Subject will have ten (10) business days to comply with the request, starting from the day following its receipt. If the Data Subject does not respond within this period, the corresponding request will be considered as not submitted. Conversely, if the Data Subject complies with the information request, the deadline for the Controller to respond to the request will start the day after the Data Subject has provided the additional information.

The responses that the Controller provides to Data Subjects who have exercised their ARCO Rights will be made through the same means used to submit the request, addressing only the Personal Data specifically indicated in the respective request and must be presented in a readable and understandable format.

When access to Personal Data is granted at a physical location designated by the Controller, the Controller will provide the Data Subject with a period of fifteen (15) business days to come and review them. If this period elapses without the Data Subject attending, a new request will be necessary.

When the Controller denies the exercise of any of the ARCO Rights, they must justify their response, informing the Data Subject of their right to initiate proceedings, if applicable, before the competent authority.

  1. Revocation of Consent

The consent granted by the Data Subject under this Privacy Notice may be revoked at any time, without retroactive effects being attributed to it. To revoke the consent, the Data Subject must follow the means and procedure set forth in the preceding section.

  1. Changes to the Privacy Notice for Websites

The Controller reserves the right to make modifications or updates to this Privacy Notice at any time due to legislative reforms, internal policies, or new requirements for the provision or offering of its services. These modifications will be available through the Website: [*] and will be effective from the moment they are published therein.

For more information, visit the website of the corresponding supervisory authority.

  1. Cookie Policy

Cookies are text files that are stored on the computing equipment or smart mobile devices (the "Devices") used by the User when using the electronic platforms of the Controller, as well as the Controller's website: [*] (together, the "Website"). Cookies help the Controller provide the User with a better experience when using the Website and allow for improving that experience. The Controller uses cookies to analyze information flow, personalize its services, content, and advertising, measure promotional effectiveness, and promote trust and security on the portal. They also remember User preferences and make available default settings of Website functions configured by the Controller and eventually adapt the most relevant tools for Users. In this regard, Personal Data of the User may be obtained through cookies.

Each User can accept or reject the use of cookies by configuring their computing equipment or Devices accordingly. However, it is important for Users to note that if they do not accept the use of cookies, some functions of the Website may not be fully available because some services or content are only available through the use of cookies. Users can disable the use of cookies by following the procedure indicated in the settings of the browser, computing equipment, and/or Devices used to browse the Website. For this purpose, Users can consult the following sites:

Firefox:

https://support.mozilla.org/es/kb/habilitar-y-deshabilitar-cookies-sitios-web-rastrear-preferencias

Microsoft Edge:

https://support.microsoft.com/es-es/windows/administrar-cookies-en-microsoft-edge-ver-permitir-bloquear-eliminar-y-usar-168dab11-0753-043d-7c16-ede5947fc64d

Google Chrome:

https://support.google.com/accounts/answer/61416?co=GENIE.Platform%3DDesktop&hl=es

Safari:

https://www.apple.com/legal/privacy/es/cookies/

Opera:

https://help.opera.com/en/latest/web-preferences/

  1. Special clauses for Mexico

A. Legal Framework

For the purposes of this Privacy Notice, and when the processing of personal data is carried out within the territory of the United Mexican States ("Mexico"), the Controller shall be subject to the provisions of the Federal Law on Protection of Personal Data Held by Private Parties (in this way, every time reference is made to the “Law” for the purposes of treatment in Mexico, the reference made to said ordinance must be understood), as well as the secondary regulations issued thereunder.

B. Measures for Safeguarding, Use, or Disclosure of Your Personal Data

The Controller informs Data Subjects that they may limit the use and disclosure of their Personal Data, using a tool other than exercising their ARCO Rights or revoking their consent, by registering with the Public Registry to Avoid Advertising (REPEP) applicable under the Federal Consumer Protection Law.

C. Exercise of ARCO Rights

The exercise of ARCO Rights is free of charge, with the Data Subject only covering shipping, reproduction (simple copy), and, if applicable, document certification costs. However, if the same Data Subject reiterates their request within a period of less than twelve (12) months, the costs will be equivalent to three (3) times the current Unit of Measure and Update (UMA), unless there are substantial changes to the Privacy Notice that warrant new inquiries.

D. Further information on the processing of Personal Data

For more information, visit the website of the Secretariat of Anti-Corruption and Good Government: https://www.gob.mx/buengobierno/documentos/proteccion-de-datos-personales-nuevo

Date of last update: August 14, 2025.