A. Identity and Domicile of the Data Controller.

Pursuant to the Federal Law on Protection of Personal Data Held by Individuals (hereinafter, the "LFPD"), and the remaining applicable provisions, Bello, Gallardo, Bonequi y García, S. C. (hereinafter, the "Data Comptroller"), with registered office for service of process in Agustín Manuel Chávez, número 1-001, Centro de Ciudad de Santa Fe, Zip Code: 01210, Mexico City, Mexico, hereby expressly informs you:

B. Personal Data Gathered and Submitted to Processing.

For the development of the purposes described in this Privacy Notice, we gather the following categories of personal data:

• Identification and contact data;
• Personal data;
• Social circumstances data;
• Commercial information data;
• Financial or insurance data;
• Transaction data; and
• Legal status data.

C. Sensitive personal data processing.

For the purposes pointed out in the section below, the Data Controller will not gather sensitive personal data.

D. Processing purposes.

a) Original and necessary purposes

• To facilitate the contracting of the services offered by the Data Controller.
• To manage, control, administrate, and update personal data related to the clients of the Data Controller: individuals and legal representatives or contacts appointed by legal entities.
• To manage, control, and administrate communications between the Data Controller and its clients.
• To invoice the services provided, as well as their judicial or extrajudicial collection.
• To make a historical record and statistics of clients.
• To register and amend the internal record of the status of the provided services.

b) Additional purposes

• To send informative communications related to the services provided by the Data Controller.

E. Personal data transfers.

Your personal data may be transferred to and processed by persons other than the Data Controller in the following cases:

• Controlling companies, subsidiaries, or affiliates of the Data Controller, or to a parent company; for centralized safeguarding of information, control of registrations and cancellations, changes related to their agreement, and the performance of statistical functions and historical record of customers.
• Governmental authorities, agencies, or entities in compliance with the obligations set forth in the applicable legislation and/or in compliance with requirements made by them.
• Collection companies for the recovery of unpaid credits and their judicial or extrajudicial collection.

F. Personal data transfers. Consent.

According to LFPD, Article 37, your consent is not required to carry out the transfers indicated in numbers 1 to 3 above. If necessary, we will ask for your consent in order to transfer your data to possible business partners.

In all the other cases, your personal data will not be transferred to third parties without your consent, except on the cases set forth in LFPD, Article 37 and it will be done complying with the conditions set forth in LFPD, Article 17.

G. ARCO rights exercise

In all legally proceeding cases, you may exercise your rights to Access, Rectify, Cancel, and Oppose (ARCO) through the procedures that we have implemented. The relevant request must fulfill all the requirements established in the current legislation, through a written notice addressed to our Personal Data Area, to the domicile indicated in this Notice, Item A. The request must contain and be accompanied by the following:

• Your name and domicile or another mean to inform you the response to your request;
• The documents proving your identity or, when applicable, the legal representation;
• The clear and precise description of the ARCO Rights that you want to exercise; and
• Any other element or document that facilitates the localization of the personal data.

The Data Controller will inform you of the decision taken within a maximum of 20 (twenty) business days from the date it receives the relevant request. If the request is applicable, it will be effective within fifteen business days from the date on which the Data Controller communicates the response. In case the information provided in your request is incorrect or insufficient, or the necessary documents to prove your identity or the corresponding legal representation are not attached, the Data Controller, within five business days following the receipt of your request, will require the amendment of the deficiencies in order to be able to process it. In these cases, you will have ten business days to respond to the request for amendment, counted from the day after you have received this request. The request will be deemed as not filed if you do not respond within that period. Alternatively, you may direct your request through our Personal Data Area to the email address datospersonales@bgbg.mx, in compliance with all the requirements previously numbered, established as Subject of the communication "ARCO Rights and/or consent withdrawal." The procedure terms will be the same as the ones mentioned in this section. The use of electronic means for the exercise of ARCO Rights authorizes the Data Controller to respond to the relevant request through the same means unless the owner clearly and expressly points out another means. You may obtain the requested information or personal data through uncertified copies, electronic documents in conventional formats (Word, PDF, etc.), or through any legitimate means guaranteeing and accrediting the effective exercise of the requested right. You will be responsible for keeping updated your personal data in possession of the Data Controller. Therefore, you guarantee and are responsible, in any case, for the truthfulness, accuracy, validity, and authenticity of the personal data provided and undertake to keep them duly updated, communicating any changes to the Data Controller.

H. Consent revocation.

You may revoke your consent to the processing of your personal data, without any retroactive effect, if such revocation does not imply the impossibility of complying with obligations arising from a legal relationship in force between you and the Data Controller.

The procedure for the revocation of consent will be the same as the procedure established in the section above for the exercise of ARCO rights, if applicable.

I. Limitations on the Use and Disclosure of your Personal Data

You may limit the use or disclosure of your personal data by addressing the relevant request to our Personal Data Area. The requirements for proving your identity, as well as the procedure for handling your request, will be the same requirements indicated in section "Exercise of ARCO rights".

The Data Controller has the means and procedures to ensure the inclusion of some of your data in its own exclusion lists when you expressly request their inclusion in them. The Data Controller will grant the relevant registration certificate to the registered owners.

J. Automatic Means for Collecting Personal Data

The Data Controller uses cookies to facilitate navigation on the website www.bgbg.mx. The electronic services provided by the Data Controller allow the collection, analysis, and conservation of technical information related to the habits of use of such services, through cookies that allow this information to be collected automatically at the very moment when the user makes use of our electronic services. In certain cases, the Data Controller links this information to specific users or personal accounts. The Data Controller is limited to generating and analyzing statistics that improve the services offered and, where appropriate, the design of new ones. For more detailed information about cookies, we recommend visiting www.allaboutcookies.org.

K. Amendments or Updates to this Comprehensive Privacy Notice

The Data Controller may modify, update, extend, or otherwise change the content and scope of this Privacy Notice at any time and at its complete discretion. In such cases, we will post those changes on the website www.bgbg.mx, Section "Privacy Notices." Changes to this Privacy Notice may also be communicated by email when such means had been established as a communication channel between you and the Data Controller during the term of the legal relationship.