1. About This Privacy Notice

Anfora International S. de R.L. de C.V. ("Anfora", "we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Notice (the "Notice") explains how we collect, use, disclose, transfer and otherwise process personal data in connection with our website at www.anfora.com (the "Website") and related interactions with you.

This Notice is the integral privacy notice (Aviso de Privacidad Integral) required under the Mexican Federal Law on Protection of Personal Data Held by Private Parties of 2025 ("LFPDPPP"). A short-form simplified privacy notice (Aviso de Privacidad Simplificado) is provided at each point of collection on the Website (for example, contact and registration forms and the cookie banner) and links back to this Notice. 

This Notice does not apply to:

• Anfora employees (see the Employee Privacy Notice).
• Job applicants and members of our talent network (see the Applicant Privacy Notice).
• Any third-party website or service we link to.

2. Who We Are; Contact

The data controller is Anfora International, with registered office at Camino a Pozos Téllez km 1.5, Mineral de la Reforma, Hidalgo, 42186, México. References to "Affiliates" mean entities that, directly or indirectly, control, are controlled by, or are under common control with Anfora International.

Privacy contact:

• Email: info@anfora.com (subject lines as set out in Section 8)
• Postal mail: address above, marked "Attn: Privacy / ARCO"
• Web form: the "Contact" form on www.anfora.com

You may submit privacy inquiries in Spanish or English.

3. Scope and Governing Law

Anfora is established in Mexico, and this Notice is governed primarily by the LFPDPPP. To the extent it applies to our processing, we also comply with U.S. state privacy laws — including the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CPRA"), and analogous laws in other U.S. states (collectively, "U.S. State Privacy Laws"). California-specific disclosures appear in Section 16; additional U.S. state rights are summarized in Section 17.

For convenience, we extend the core CPRA-equivalent rights to all U.S. residents who interact with the Website, regardless of their state of residence. This is an operational policy choice and is not a representation that the laws of every state are identical.

To the fullest extent permitted by applicable law, this Notice (and any dispute relating to it) is governed by the laws of Mexico, and you agree to submit to the competent courts located in Mexico, without prejudice to any mandatory rights or jurisdictional rules of your place of residence that cannot be waived.

4. Acceptance and Consent

Use of our Website indicates acceptance of this Notice. For activities that require your consent under applicable law — such as marketing communications, the placement of non-essential cookies, and the processing of sensitive personal data (in the limited circumstances we ever do so) — we obtain your affirmative, informed consent through specific mechanisms (e.g., the cookie banner, opt-in checkboxes on forms). Acceptance of this Notice alone is not taken as consent for those activities.

Under the LFPDPPP we may rely on express written, express, or tacit consent depending on the category of data and processing activity, and on legal bases that do not require consent (e.g., contractual necessity, legal obligation, intra-group transfers under common policies). Where we rely on consent, you may withdraw it at any time as described in Section 8, without affecting the lawfulness of processing prior to withdrawal.

5. Personal Data We Collect; Purposes; Lawful Basis

We collect the following categories of personal data through the Website and related interactions. Because we operate in a business-to-business (B2B) context, much of this data relates to individuals in their professional capacity (employees of customers, prospects, suppliers and partners).

Important note on B2B and the LFPDPPP. Under the 2025 LFPDPPP, "personal data" may extend to information identifying legal entities and to identifiable natural persons acting in a business capacity. We treat business contact data of individuals (name, business email, role, employer) as personal data subject to this Notice.

Sensitive personal data: We do not intend to collect or process sensitive personal data through the Website. If, in limited circumstances, we ever need to process sensitive personal data, we will do so only with your express written consent (where required) and with appropriate safeguards.

6. How We Use Personal Data

In addition to the purposes set out in the table above, we may use your personal data:

1. To deliver and administer the products, services and information you request;
2. To maintain internal records and data quality;
3. To analyze Website usage and visitor numbers, and to improve and personalize the Website;
4. To manage promotions, services (including events and webinar registrations) and offers you sign up for;
5. To send you, where permitted, marketing communications about our products, services and events;
6. To comply with applicable laws and respond to lawful requests from public authorities, in Mexico and abroad;
7. To enforce our terms of use and protect our rights, property and operations and those of our Affiliates and others; and
8. To prevent, detect and respond to security incidents, fraud and other unlawful activity.
9. No automated decision-making. We do not use the personal data you provide through the Website to make decisions about you that produce legal effects or similarly significant effects without human involvement.

7. Disclosures to Third Parties

We disclose categories of personal data to the following categories of recipients for business purposes:

We may also disclose personal data:

• To our Affiliates for the purposes described in this Notice;
• To public authorities to comply with applicable law, legal process or lawful requests;
• In connection with corporate transactions (such as a merger, acquisition, reorganization or sale of assets); and
• To enforce our terms and protect our rights, safety and property and those of our Affiliates and others.

Service providers and processors are bound by written agreements requiring them to process personal data only on our instructions and to implement appropriate security measures.

No sale of personal information. Anfora does not sell personal information for monetary consideration in any U.S. state.

"Sharing" for cross-context behavioral advertising under the CPRA. To the extent we use advertising and analytics technologies (such as Google Analytics, LinkedIn Insight Tag, Meta Pixel or similar) that involve disclosing personal information for cross-context behavioral advertising, those disclosures may constitute "sharing" under the CPRA. You can opt out as described in Section 16.

8. Your Rights

8.1 LFPDPPP — ARCO Rights

If you are a data subject under Mexican law, you have the following rights, exercisable directly with us:

• Access — confirm whether we process your personal data and obtain access and information about the conditions of processing.
• Rectification — request correction of inaccurate, incomplete or outdated personal data.
• Cancellation — request deletion when data is no longer needed for the purposes for which it was collected, subject to legal exceptions; under Mexican law this may include a prior blocking period.
• Opposition — object to processing for specific purposes (for example, certain marketing activities), where permitted by law.

You also have the right to:

• Revoke consent where processing is based on consent, without affecting the lawfulness of processing prior to revocation;
• Limit the use or disclosure of your personal data (for example, to opt out of marketing).

8.2 How to submit a request

Email info@anfora.com (or use the Website "Contact" form) with the subject line "Personal Data Rights / ARCO" and include:

1. Your full name and contact details;
2. The right(s) you wish to exercise and a clear description of your request;
3. The personal data concerned (where applicable);
4. Proof of identity (and, where applicable, written authority of any representative);
5. For rectification, documentation supporting the requested change.

8.3 Response times (LFPDPPP baseline)

For ARCO requests, we will inform you of our determination within 20 business days of receipt of a complete request (extendable once where permitted, with notice to you). If granted, we will give effect to your right within 15 business days of that determination (also extendable where permitted). These periods may be adjusted as the implementing regulations of the 2025 LFPDPPP are finalized; we will apply the timelines required by law in force at the time of your request.

The exercise of these rights is generally free of charge; we may charge reasonable costs of reproduction, copies or shipping where permitted by law.

8.4 Updating your details

It is your responsibility to keep your contact details up to date. To update them, email info@anfora.com with subject "Update Personal Data / Customer Profile".

8.5 Marketing opt-out

To opt out of marketing communications, click "unsubscribe" in any marketing email or email info@anfora.com with subject "Unsubscribe from Marketing Communications".

For U.S. state-specific rights — including the right to opt out of "sharing" for cross-context behavioral advertising — see Sections 16 and 17.

9. International Data Transfers

We may transfer personal data to:

• Our Affiliates for the purposes described in this Notice; and
• Service providers and processors (including in the United States and other jurisdictions) that help us operate the Website and provide our products and services.

Where the LFPDPPP applies, transfers are made in accordance with Articles 36 and 37 of the LFPDPPP, including, as applicable: (i) with your consent (when required); (ii) under the legal exceptions that permit transfer without consent (such as transfers within the same corporate group operating under common internal policies, transfers necessary to maintain or fulfill a legal relationship with you, or transfers required by law); and (iii) by ensuring that the recipient assumes the same data-protection obligations that apply to us.

We implement appropriate technical, contractual and organizational safeguards (including data-processing or transfer agreements) so that the recipient affords personal data a level of protection consistent with the LFPDPPP. The categories of recipients and purposes of transfer are described in this Notice and, where required, in the simplified notice provided at the point of collection. For further information about transfers, contact us at info@anfora.com.

10. Cookies and Similar Technologies

We use cookies and similar technologies (pixels, tags, local storage) on the Website. Cookies are small files placed on your device that allow us to recognize you and your preferences and to operate, secure, and improve the Website.

10.1 Categories we use

• Strictly necessary cookies — required to operate the Website (e.g., session, security, load balancing). These cannot be turned off in our systems.
• Functional cookies — remember your preferences (e.g., language, region) and personalize your experience.
• Analytics cookies — measure how visitors interact with the Website so we can understand and improve it (e.g., Google Analytics or similar).
• Advertising / cross-context behavioral advertising cookies — used by us or third-party partners (e.g., LinkedIn Insight Tag, Google Ads, Meta Pixel) to deliver and measure ads on third-party sites and to retarget Website visitors. Disclosures via these cookies may constitute "sharing" under the CPRA.

A complete list of cookies we use, the third parties involved, their purposes and retention is provided in our cookie banner / preference center on the Website.

10.2 Your choices

• Cookie banner / preference center. Where required by law, we obtain your prior consent for non-essential cookies through the banner displayed on your first visit. You can change your preferences at any time via the "Cookie Preferences" link in the Website footer.
• Browser controls. You can control cookies through your browser settings; blocking strictly necessary cookies may impair Website functionality.
• Global Privacy Control (GPC). We recognize the GPC browser signal as a valid request to opt out of "sharing" for cross-context behavioral advertising for California (and other U.S.) residents.

11. Marketing

Where required by applicable law, we obtain your prior consent before:

• Sending you marketing communications about Anfora;
• Providing your personal data to our Affiliates for their marketing purposes; and
• Providing your personal data to third-party partners for joint marketing.

We may use your personal data for our own marketing purposes — including notifying you of new products, services, offers and events by mail, email, telephone, text message and other means — only as permitted by law and your consent (where required). Existing-customer communications about similar products and services may rely on legitimate interest where the law permits, with an opt-out in every message. To opt out, follow the instructions in Section 8.5. You may withdraw consent at any time without affecting the lawfulness of prior processing.

12. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Notice, including to satisfy any legal, accounting, regulatory or reporting requirements. Indicative retention periods:

• Customer and supplier relationship data — duration of the relationship plus the period required by Mexican commercial and tax law (typically up to 10 years for accounting records).
• Prospect and inquiry data — up to 48 months from the last meaningful interaction, unless converted into a customer relationship.
• Marketing data — until you withdraw consent or opt out, and in any event up to five years from your last interaction with us.
• Website analytics — typically up to 26 months (or as configured in our analytics provider).
• Records required by law — for the period required by the applicable obligation.
• Records related to disputes or legal claims — for the duration of the dispute and the applicable limitation period.

After the applicable retention period, we delete or anonymize personal data. Under Mexican law, personal data may be blocked for a period prior to deletion.

13. Security and Confidentiality

We have implemented appropriate physical, technical and administrative measures to protect personal data against unauthorized access, disclosure, alteration or destruction. No security measure is perfect, however, and we cannot guarantee absolute security.

We cannot guarantee the confidentiality of non-confidential information you voluntarily submit through the Website (for example, feedback, questions, comments or ideas via the "Contact" feature). We may use and disclose such non-confidential information as appropriate, in compliance with applicable law.

14. Children

The Website is not directed to children. Anfora does not knowingly collect personal data:

• From persons under 18 years of age (our general policy); or
• From children under 13 years of age within the meaning of the U.S. Children's Online Privacy Protection Act ("COPPA").

If you are a parent or legal guardian and believe a person under 18 has provided us with personal data, please contact us at info@anfora.com and we will take appropriate steps to delete it.

15. Links to Other Sites; Social Media

The Website may contain links to other websites. We are not responsible for the privacy practices of those sites; please review their privacy notices.

The Website may also use plug-ins or link to social media platforms, including Facebook, Instagram, LinkedIn, X (formerly Twitter) and YouTube. Their privacy policies are available at:

• Facebook: https://www.facebook.com/privacy/policy
• Instagram: https://help.instagram.com/519522125107875
• LinkedIn: https://www.linkedin.com/legal/privacy-policy
• X: https://twitter.com/en/privacy
• YouTube: https://policies.google.com/privacy

To the extent we operate fan or company pages on Facebook, Instagram or LinkedIn, we may act as a joint controller with the platform for personal data collected through those pages. Information about these joint-controller arrangements is available at:

• Facebook (and Instagram, where applicable): https://www.facebook.com/legal/controller_addendum
• LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum

16. California Privacy Rights (CPRA)

This section applies to California residents, including individuals interacting with us in a business-to-business context (the prior CCPA B2B exemption expired on January 1, 2023).

A. Notice at Collection

The categories of personal information we collect, the purposes of collection, the categories of sources, and the categories of recipients are set out in Sections 5 and 7 above. Retention is described in Section 12.

B. No Sale; Right to Opt Out of "Sharing"

We do not sell personal information for monetary consideration. To the extent we engage in "sharing" for cross-context behavioral advertising (see Section 7), you can opt out by:

• Clicking "Do Not Sell or Share My Personal Information" in the Website footer;
• Adjusting your preferences in our Cookie Preference Center; and/or
• Sending the Global Privacy Control (GPC) signal from your browser, which we recognize as a valid opt-out request.

C. Sensitive Personal Information

We do not use or disclose sensitive personal information for purposes that, under California law, would trigger the right to limit its use. Accordingly, we do not currently provide a "Limit the Use of My Sensitive Personal Information" link. If our practices change, we will provide that mechanism.

D. Your CPRA Rights

You have the right to:

• Know / Access the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes, and the categories of recipients;
• Correct inaccurate personal information;
• Delete personal information we collected from you, subject to exceptions (such as completing a transaction, complying with legal obligations, security and fraud prevention, internal uses reasonably aligned with your expectations, and exercising legal rights);
• Opt out of "sale" or "sharing" of personal information;
• Limit the use of sensitive personal information (where applicable);
• Non-discrimination for exercising your rights — we will not deny goods or services, charge different prices, or provide a different level of quality because you exercised a right.

E. How to Exercise Your Rights

• Email: info@anfora.com (subject line: "California Privacy Rights")
• Postal mail: Anfora International, Camino a Pozos Téllez km 1.5, Mineral de la Reforma, Hidalgo, 42186, México (Attn: Privacy)

We will acknowledge your request within 10 business days and will respond substantively within 45 calendar days, extendable by another 45 days where permitted (we will notify you of any extension).

F. Verification

To process access, correction, deletion and limit requests, we will ask for sufficient information to verify your identity and match it to information we hold about you. If we cannot verify your identity to the required degree of certainty, we will explain the basis of any denial.

G. Authorized Agents

You may designate an authorized agent to submit requests on your behalf. The agent must be a natural person or a business entity registered with the California Secretary of State (as applicable). We require:

• Written, signed permission from you authorizing the agent;
• Verification of your identity directly with us (or written confirmation from you that you authorized the agent); and
• Verification of the agent's identity.

These verification requirements do not apply where the agent acts under the valid power of attorney; we will process such requests in accordance with California law on powers of attorney.

H. California "Shine the Light"

California Civil Code § 1798.83 ("Shine the Light") permits California residents that have an established business relationship with us to request, free of charge once per calendar year, information about certain categories of personal information disclosed to third parties for those parties' direct-marketing purposes during the preceding calendar year. To make a request, contact us using the details in Section 16.E.

17. Other U.S. State Privacy Rights

In addition to California, residents of other U.S. states with comprehensive privacy laws (including, as of 2026, Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota and Rhode Island) may have rights including: access, correction, deletion, data portability, opt-out of targeted advertising, opt-out of "sale," opt-out of profiling that produces significant effects, and the right to appeal a denial of a request. As an operational matter, we extend the rights described in Section 16.D to all U.S. residents, regardless of whether their state has enacted a comprehensive privacy law. To exercise a right, follow the procedure in Section 16.E.

If we deny your request, you may appeal by replying to our denial; we will respond to your appeal within 45 days (extendable as permitted). If your appeal is denied, you may contact your state attorney general.

18. Supervisory Authority and Complaints

If you believe we have not handled your personal data or your rights request properly, you may file a complaint with the competent authority.

In Mexico, the competent authority for personal data held by private parties under the LFPDPPP is the Secretaría Anticorrupción y Buen Gobierno (operating, in part, through Transparencia para el Pueblo), which assumed the data-protection functions previously carried out by the INAI (dissolved in 2025). 

We strongly encourage you to contact us first per Email at info@anfora.com so that we can try to resolve the matter directly.

19. Updates to This Notice

We may update this Notice by posting a new version on the Website. If we make material changes that significantly affect how we use your personal data, we will take reasonable steps to bring those changes to your attention (for example, by notice on the Website or by email). We recommend reviewing this Notice periodically.

The "Last updated" date at the top of this Notice indicates the latest revision.

20. Contact

For any question about this Notice or our processing of personal data:

• Email: info@anfora.com
• Snail mail: 

Anfora International S. de R.L. de C.V. Camino a Pozos Téllez km 1.5, Mineral de la Reforma, Hidalgo, CP. 42186, México