Privacy Policy and Personal Data Processing

1. Data Controller

The controller of your personal data is AMAZON CARBON S.A.S., a legally incorporated company in Colombia, domiciled at DG 4-1 | 20-14, Restrepo, Meta, Colombia. Contact email: info@amazoncarbon.com. Phone: +57 301 329 3330. Data Protection Officer (DPO): Jonathan Núñez Guevara — dpo@amazoncarbon.com.

2. Personal Data We Collect

Depending on the channel of interaction, we may process the following categories of data:

• Identification data: full name, document number, email address, phone, organization or company.
• Digital authentication data: blockchain wallet address, Privy session identifier, device data.
• Transaction data: amount, date, on-chain transaction hash, asset acquired (carbon credits, services, bio-products).
• Navigation data: IP address, browser type, pages visited, session time (via essential session technologies).
• Approximate geolocation data: country and city, inferred from IP address for regulatory compliance.

3. Blockchain Data and Immutability

Transactions made on our platform are recorded on public blockchain networks (Base, Avalanche). Due to the technological nature of the blockchain, this information is immutable and permanent. Transaction hashes and wallet addresses are public data on the chain. Amazon Carbon S.A.S. does not control and cannot delete records already confirmed on the blockchain, which limits the right to erasure with respect to those specific data points.

4. Purposes of Processing

Your data is processed for the following purposes:

• Managing your registration and authentication on the platform.
• Processing and recording transactions for the purchase of climate assets and bio-commerce products.
• Responding to institutional and technical inquiries.
• Complying with legal and regulatory obligations (UIAF, SIC, environmental regulation).
• Sending transactional communications and project updates (with prior consent).
• Internal statistical analysis for service improvement (using anonymized or pseudonymized data).

5. Legal Basis for Processing

We process your data under the following legal bases: (a) Explicit consent given at platform registration; (b) Execution of the purchase agreement for climate assets; (c) Compliance with legal obligations before Colombian and international authorities; (d) Legitimate interest in fraud prevention and operational security.

6. International Data Transfers

Your data may be processed by technology providers located outside Colombia: Supabase Inc. (USA, database storage); Vercel Inc. (USA, hosting infrastructure); Privy Technologies Inc. (USA, authentication and wallet management). All these providers have adequate security certifications and standard contractual clauses for international data transfers.

7. Data Retention Period

Data is retained for as long as necessary to fulfill the stated purposes and no less than: (a) 5 years for financial transaction records (UIAF Colombia requirement); (b) The duration of the contractual relationship + 3 additional years for account data; (c) Indefinitely on the public blockchain for confirmed transaction hashes.

8. Your Rights (ARCO + GDPR)

Under Colombian law (Law 1581/2012) and GDPR (if applicable based on your EU residence), you have the right to: Access your personal data; Rectify inaccurate data; Erase data (subject to blockchain limitations); Object to processing; Data portability; Restriction of processing; Withdraw consent at any time. To exercise these rights, write to: dpo@amazoncarbon.com. We will respond within a maximum of 15 business days.

9. Cookies and Tracking Technologies

Our site uses essential local storage technologies for authentication (Privy), language preferences, and user sessions. We do not use third-party advertising tracking cookies. You can manage your local storage preferences through your browser settings.

10. Minors

The Amazon Carbon S.A.S. platform is exclusively aimed at individuals over 18 years of age with legal capacity to enter into contracts. We do not intentionally collect data from minors. If we detect data belonging to a minor, we will delete it immediately.

11. Data Security

We implement appropriate technical and organizational measures to protect your data: TLS/SSL encryption in transit; encryption at rest in Supabase; role-based access control (RBAC); multi-factor authentication for administrative access; periodic security audits.

12. Changes to this Policy

We may update this policy periodically. Changes will be notified via an on-platform notice or email with at least 15 days' notice. Continued use of the platform after notification implies acceptance of the changes.