Last updated: October 2, 2025 | Version 1.0

Privacy Policy

At Kabal Capital, Kabal Trade Finance, and Kabal Bridge SA de CV (hereinafter "Kabal", "we", "our"), we are committed to protecting the privacy and security of the personal data of our clients, users, and website visitors. This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use our financial services and website.

1. INTRODUCTION

At Kabal Capital, Kabal Trade Finance, and Kabal Bridge SA de CV (hereinafter "Kabal", "we", "our"), we are committed to protecting the privacy and security of the personal data of our clients, users, and website visitors (hereinafter "You", "the User", "the Data Subject"). This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use our financial services and website. PRIVACY COMMITMENT: Kabal complies with applicable data protection laws in Honduras and El Salvador. Kabal Bridge SA de CV operates under Digital Asset Service Provider License No. PSAD-0056 issued by the National Digital Assets Commission (CNAD) of El Salvador. We implement appropriate technical, organizational, and administrative measures to protect your personal data.

2. DATA PROCESSING CONTROLLERS

🇭🇳 Kabal Capital (Honduras) Address: San Pedro Sula, Cortés, Honduras Email: [email protected] Phone: +1 (786) 450-3799 Scope: Flex, Grow, and Cash (Factoring) products 🇵🇦 Kabal Trade Finance (Panama) Incorporation: Panama (international operations) Email: [email protected] Scope: Trade Finance products exclusively outside Panama Note: Operates under data protection regulations of countries where operations are executed 🇸🇻 Kabal Bridge SA de CV (El Salvador) Address: San Salvador, El Salvador Email: [email protected] Scope: Digital asset services and loans Digital Assets License: No. PSAD-0056 issued by CNAD Previous name: Crossbridge Technologies El Salvador, S.A. de C.V. Regulation: Digital Asset Service Provider under CNAD supervision

3. INFORMATION WE COLLECT

3.1 Personal Identification Data: • Full name • Identity number (ID, passport, tax ID) • Date of birth • Nationality • Gender • Marital status • Photograph (for identity verification) • Digital and handwritten signature 3.2 Contact Data: • Physical address (residential and commercial) • Email address • Phone numbers (mobile and landline) • Professional social networks 3.3 Business Information: • Legal company name • Tax ID or business registration number • Articles of incorporation • Shareholder structure • Legal representatives • Economic sector and commercial activity • Business age • Number of employees 3.4 Financial Information: • Financial statements (balance sheet, income statement) • Tax returns • Bank accounts (numbers, types, institutions) • Credit history • Monthly income and expenses • Assets and liabilities • Banking and commercial references • Information about guarantees and collateral 3.5 Transactional Data: • Loan and payment history • Requested and approved amounts • Applied interest rates • Due dates and payments • Account status • Payment behavior 3.6 International Trade Information (Trade Finance): • Bills of Lading • Commercial invoices • Packing lists • Certificates of origin • Insurance policies • Customs documents • Information about international suppliers and customers 3.7 Technical and Navigation Data: • IP address • Browser type and version • Operating system • Pages visited and time spent • Cookies and similar technologies • Geolocation (with your consent) • Device used (mobile, tablet, computer) 3.8 Biometric Data: • Facial recognition (for identity verification) • Fingerprint (if implemented in the future) SPECIAL CONSENT: Biometric data is sensitive and requires your explicit consent. We only collect it for identity verification and fraud prevention. 3.9 Specific Data for Digital Assets (Kabal Bridge): For digital asset services under License PSAD-0056: • Digital wallet addresses • Blockchain transaction history • Source of funds in crypto assets • Information about digital asset holdings • Transaction data with cryptocurrencies (USDC and other authorized) • Information about digital asset exchange operations • Custody and safeguarding records of digital assets • Buy/sell orders for digital assets made on behalf of third parties • Specific risk analysis for digital assets • Information about platforms and wallets where digital assets are placed

4. HOW WE COLLECT YOUR INFORMATION

4.1 Directly from You: • Online application forms • Documents you provide physically or digitally • Phone, email, or chat communications • Visits to our offices • Mobile application (if applicable) 4.2 Automatic Sources: • Cookies and tracking technologies on our website • Server records and access logs • Online behavior analysis 4.3 Third-Party Sources: • Authorized credit bureaus • Financial institutions (for account verification) • Public records (business, judicial) • Commercial and personal references • Identity verification providers (KYC/AML) • Professional social networks (LinkedIn, with your consent)

5. PURPOSES OF DATA PROCESSING

5.1 Primary Purposes (Essential): We use your personal data to: • Credit assessment: Analyze your payment capacity and credit risk • Application processing: Process your loan or financing application • Identity verification: Confirm your identity and prevent fraud (KYC) • Money laundering prevention: Comply with AML/CFT regulations • Contract formalization: Prepare and execute loan contracts • Fund disbursement: Transfer approved money to your account • Payment management: Process your installments and manage your account • Collection: Manage overdue payments when necessary • Customer service: Respond to inquiries and provide support • Regulatory compliance: Comply with legal obligations and reports to authorities 5.2 Secondary Purposes (Optional): With your additional consent, we may use your data for: • Marketing: Send you personalized offers for financial products • Market research: Analyze trends and improve our services • Data analysis: Develop scoring models and AI algorithms • Commercial communications: Inform you about new products • Satisfaction surveys: Evaluate your experience with our services YOUR RIGHT TO OPT OUT: You can reject secondary purposes without affecting your access to our financial services.

6. LEGAL BASIS FOR PROCESSING

We process your personal data under the following legal bases: 6.1 Contract Performance: Processing your data is necessary to execute the loan contract we enter into with you. 6.2 Legal Obligation: We must process certain data to comply with: • Anti-money laundering laws (AML) • Know Your Customer regulations (KYC) • Tax authority reports • Judicial authority requirements • Compliance with License PSAD-0056 and CNAD supervision 6.3 Legitimate Interest: We process data to protect our legitimate interests: • Fraud prevention • Risk management • Improvement of our systems' security • Legal defense in case of litigation 6.4 Consent: For secondary purposes (marketing, non-mandatory analysis), we request your explicit consent, which you can revoke at any time.

7. SHARING INFORMATION WITH THIRD PARTIES

7.1 When We Share Your Data: Service Providers: • Payment processors: To process transactions • Verification services: For KYC/AML (e.g., Jumio, Chainalysis) • Cloud services: For secure data storage • Analytics platforms: For business intelligence • Communication services: Email, SMS, WhatsApp Financial Institutions: • Banks for transfers and account verification • Credit bureaus for inquiry and history reporting • Insurance companies (for products with included insurance) Authorities and Regulatory Entities: • Tax authorities • Financial Intelligence Units (AML/CFT) • Judicial authorities (with court order) • Financial regulators • National Digital Assets Commission (CNAD) - El Salvador • Ministry of Finance of El Salvador Other Kabal Group Entities: • Between Kabal Capital (Honduras), Kabal Trade Finance (Panama), and Kabal Bridge (El Salvador) for integrated management Portfolio Assignment: • Investors or institutions that purchase our loan portfolio • Collection companies in case of default 7.2 Protection in Sharing: All third parties are contractually obligated to: • Maintain information confidentiality • Use data only for authorized purposes • Implement adequate security measures • Not transfer data to others without authorization

8. INTERNATIONAL DATA TRANSFERS

Since Kabal operates in multiple countries (Honduras, Panama, El Salvador), your data may be transferred between these jurisdictions for: • Centralized credit analysis processing • Unified risk management • Regional technical support and customer service • Cloud server storage Note on Kabal Trade Finance (Panama): As this entity operates exclusively outside Panama, its clients' data is processed and stored in countries where Trade Finance operations are executed. TRANSFER PROTECTION: We implement appropriate measures through: • Data transfer agreements with protection clauses • Compliance with international standards (ISO 27001) • Encryption in transit and at rest

9. INFORMATION SECURITY

9.1 Technical Measures: • Encryption: TLS/SSL for data in transit, AES-256 for data at rest • Firewalls: Advanced perimeter protection systems • Multi-factor authentication: For access to critical systems • 24/7 monitoring: Real-time intrusion and threat detection • Data backup: Daily backups with redundant storage • Data segregation: Logical separation between different types of information 9.2 Organizational Measures: • Documented information security policies • Continuous staff training on data protection • Role-based and need-to-know access controls • Confidentiality agreements with employees and suppliers • Periodic security audits • Security incident response plan 9.3 Certifications and Standards: • ISO 27001 compliance (information security management) • Annual penetration testing by independent third parties • Quarterly vulnerability assessments

10. DATA RETENTION

10.1 Retention Periods: Identification data: 5 years after account closure (AML legal obligation) Financial information: 7 years from last transaction (Tax regulation) Loan contracts: 10 years after completion (Legal prescription) Payment history: 7 years from last payment (Credit reporting) Communications (emails, chats): 3 years (Service evidence) Marketing data: Until consent revocation Site access logs: 12 months (IT security) 10.2 Secure Deletion: At the end of the retention period, we delete your data through: • Permanent deletion from databases • Physical destruction of documents • Overwriting of storage media • Third-party deletion certification

11. YOUR RIGHTS AS A DATA SUBJECT

You have the following rights regarding your personal data: 11.1 Right of Access: You can request a copy of all personal data we have about you. 11.2 Right of Rectification: You can request correction of inaccurate or incomplete data. We will respond within 15 business days. 11.3 Right of Cancellation/Deletion: You can request deletion of your data when it is no longer necessary. LIMITATIONS: We cannot delete data that: • Is necessary to comply with legal obligations • Is related to current or recent contracts • Is necessary for legal defense • Must be retained for periods established by law 11.4 Right of Opposition: You can object to us processing your data for direct marketing, profiling, or purposes based on our legitimate interest. 11.5 Right to Portability: You can request that we provide your data in structured format (CSV or JSON). 11.6 Right to Revoke Consent: For secondary purposes, you can revoke your consent at any time. 11.7 Right Not to Be Subject to Automated Decisions: Although we use AI for initial credit scoring, you have the right to request human intervention. 11.8 How to Exercise Your Rights: Email: [email protected] Web form: Available in our contact section Postal mail: San Pedro Sula, Honduras In person: Visiting our offices Response time: 15 business days (may be extended to 30 days in complex cases) Free: The first exercise of rights is free

12. COOKIES AND TRACKING TECHNOLOGIES

12.1 What Are Cookies: Cookies are small text files that are stored on your device when you visit our website. 12.2 Types of Cookies We Use: Strictly Necessary Cookies (do not require consent): • User session • Security (CSRF tokens) • Language preferences Performance Cookies: • Google Analytics • Heat maps • Page load metrics Functionality Cookies: • Display preferences • Saved form data Marketing Cookies: • Facebook Pixel • Google Ads • Retargeting 12.3 Cookie Management: You can control cookies through: • Cookie banner when visiting our site • Browser settings • Opt-out tools for third-party cookies NOTE: Blocking strictly necessary cookies may affect site functionality.

13. MINORS

Our services are exclusively directed to persons over 18 years of age (or the legal age in your jurisdiction to contract loans). We do not intentionally collect data from minors. If we discover that we have collected data from a minor without appropriate parental consent, we will delete that information immediately.

14. CHANGES TO THIS POLICY

We may update this Privacy Policy periodically to reflect changes in our practices or legislation. When we make significant changes: • We will post the new policy on our website • We will update the "last updated" date • We will notify you by email if the changes are material • We will request your consent again if legally necessary We recommend reviewing this policy periodically to stay informed.

15. SECURITY BREACHES

15.1 Incident Notification: In the unlikely event of a security breach affecting your personal data, we commit to: • Notify you within 72 hours of learning of the incident • Describe the nature of the breach • Explain possible consequences • Detail measures taken to mitigate damage • Provide recommendations on how to protect yourself • Notify data protection authorities when legally required

16. COMPLAINTS AND CLAIMS

16.1 Internal Process: If you have a complaint about how we handle your data: 1. Contact our Data Protection Officer: [email protected] 2. Provide specific details of your concern 3. You will receive confirmation of receipt within 3 business days 4. We will investigate and respond within 15 business days 16.2 Supervisory Authorities: If you are not satisfied with our response, you can file a complaint with: Honduras: National Commissioner for Human Rights (CONADEH) El Salvador - Data Protection: Institute for Access to Public Information (IAIP) El Salvador - Digital Assets: National Digital Assets Commission (CNAD) For specific complaints related to digital asset services under License PSAD-0056 Colonia Escalón, between 91 Avenida Norte and 9ª Calle Poniente, #4647, San Salvador Centro, El Salvador Email: [email protected] Website: https://cnad.gob.sv/ Kabal Trade Finance Operations: Data protection authority of the country where the operation was executed

17. CONTACT

Data Protection Officer Email: [email protected] Phone: +1 (786) 450-3799 Address: San Pedro Sula, Cortés, Honduras Hours: Monday to Friday, 8:00 AM - 5:00 PM FINAL STATEMENT: By using our services, you acknowledge that you have read and understood this Privacy Policy and agree to the processing of your personal data as described. If you have questions or disagree with any aspect, please contact us before using our services.