Version 2.0  |  Last updated: March 2026

Section  |  Content
I. Identity of the Controller  |  Company information and contact details.
II. Scope of Application  |  Platforms and countries where this notice applies.
III. Personal Data Processed  |  Categories of data we collect and why.
IV. Purposes and Legal Basis  |  How we use your data and the legal grounds for doing so.
V. Retention Periods  |  How long we retain your data.
VI. Transfer to Third Parties  |  With whom we share your data and for what purpose.
VII. Your Rights  |  Your rights under Mexico, EU, California and Canadian law.
VIII. Cookies  |  Types of cookies and how to manage them.
IX. Security Measures  |  How we protect your information.
X. Photography at Events  |  Use of images taken at brand events.
XI. International Transfers  |  How we protect your data when sending it abroad.
XII. Amendments  |  How we notify you of changes to this notice.
XIII. Contact and Supervisory Authorities  |  Where to file complaints and contact information.

I  —  Identity and Address of the Controller

Krono-Zam S. de R.L. de C.V. (hereinafter, "Tres Piedras"), with registered address at Paseo de los Cedros 22-E, Colonia La Floresta, Zamora, Michoacán, C.P. 59616, Mexico, and Federal Taxpayer Registration KRO191002UD2, is the controller responsible for the processing and protection of your personal data.

For any questions regarding the processing of your data, you may contact us through the following channels:

II  —  Scope of Application and Markets

This notice applies to all individuals who interact with the website https://trespiedras.mx, as well as with any other digital platform operated by Tres Piedras, including Amazon and other sales platforms.

Tres Piedras conducts commercial operations in Mexico, the United States, Canada and Spain. Depending on your country of residence, additional rights and protections may apply, as described in Section VII of this document.

III  —  Personal Data Processed

Identification and contact data

Full name, delivery address, phone number, email address.

Tax data

RFC (Mexican tax ID), tax address, tax regime and business name, collected only when the user requests the issuance of a tax receipt.

Payment and transactional data

Credit or debit card information, payment platform account data, purchase history. Tres Piedras does not directly store banking card data; processing is carried out entirely through the certified platforms listed in Section VI.

Browsing and device data

IP address, browser type, operating system, cookie identifiers, pages visited within the site, session duration and approximate geolocation information.

Communication data

Messages sent through the contact form, WhatsApp or email.

Tres Piedras does not process special categories of personal data (health data, racial or ethnic origin, religious beliefs, biometric data or sexual orientation) and does not aim to collect data from individuals under 18 years of age. If you are a minor, we ask that you do not provide your personal data without the consent of your parents or legal guardians. If we detect data from minors provided without authorization, we will delete it immediately.

IV  —  Purposes of Processing and Legal Basis

A. Primary Purposes

These are necessary to formalize and execute the commercial relationship. The legal basis is the performance of a contract (for Mexico: LFPDPPP Art. 8; for users in Spain/EU: Art. 6.1.b GDPR; for Canada: PIPEDA Principle 4.3).

  1. Processing, confirming and managing orders and purchases.
  2. Shipping and delivering products to the indicated address.
  3. Processing payments and issuing tax receipts when applicable.
  4. Providing customer support, including follow-up on inquiries, complaints, exchanges, returns and warranty.
  5. Managing the creation and administration of user accounts.
  6. Complying with legal obligations and responding to requests from competent authorities. Additional legal basis: legal obligation (Art. 6.1.c GDPR for EU users).

B. Secondary Purposes

These are optional and do not affect the provision of service. The legal basis is user consent (for Mexico: LFPDPPP Art. 8; for Spain/EU: Art. 6.1.a GDPR).

  1. Sending marketing communications, promotions and news by email or other digital channels.
  2. Conducting statistical analyses and market research to improve products, services and user experience.
  3. Personalizing the browsing experience on the website.
  4. Retargeting and personalized advertising through digital platforms.

If you do not wish for your data to be used for these secondary purposes, you may indicate this at any time by sending an email to [email protected] or through the preference options available when creating your account. Your refusal will not affect the provision of contracted services in any way.

V  —  Data Retention Periods

Transaction and purchase data

Retained for a minimum of five years, in accordance with the tax obligations set out in Mexico's Federal Tax Code and equivalent provisions in destination countries.

User account data

While the account remains active. Upon requesting account cancellation, data is deleted within 30 business days, except for data that must be retained by legal obligation.

Browsing and cookie data

In accordance with the expiration periods defined in the Cookie Policy, which range from the active session to a maximum of 24 months for analytical cookies.

Customer support communications

Up to three years from the closure of the case, for quality purposes and resolution of potential claims.

Once these periods have elapsed, data is securely deleted or anonymized for statistical use.

VI  —  Transfer of Data to Third Parties

Your personal data is shared with the following recipients, solely for the purposes indicated:

Recipient  |  Purpose  |  Country
Stripe by Wava  |  Process and validate payments  |  Mexico / U.S.
Pago Nube (Tiendanube)  |  Process and validate payments  |  Argentina / Mexico
Mercado Pago  |  Process and validate payments  |  Argentina / Mexico
Shipping and logistics companies (Estafeta, FedEx, DHL and others)  |  Manage product delivery  |  Mexico / International
Tiendanube  |  Manage the e-commerce platform  |  Argentina / Mexico
Amazon  |  Manage marketplace sales  |  U.S.
Google (Analytics, Ads)  |  Traffic analysis and advertising  |  U.S.
Meta (Instagram, Facebook)  |  Advertising and brand communication  |  U.S.
Pinterest  |  Advertising and brand communication  |  U.S.
Authorized distributors and commercial partners  |  Coordinate specific orders  |  Mexico
Tax and regulatory authorities (SAT and equivalents)  |  Comply with legal obligations  |  Mexico / International

Tres Piedras does not sell personal data to third parties. The transfers listed above are necessary for the provision of service or are carried out based on legal obligations. For transfers involving the sending of data to countries with legislation different from Mexico's, Tres Piedras verifies that recipients have adequate data protection policies in place.

VII  —  Your Rights

A. ARCO Rights (applicable to all data subjects under Mexican law — LFPDPPP)

You have the right to:

  • Access: know what personal data we hold about you and how we process it.
  • Rectification: request the correction of inaccurate or incomplete data.
  • Cancellation: request the deletion of your data when it is no longer necessary for the purposes for which it was collected.
  • Opposition: object to the processing of your data for specific purposes.

To exercise any of these rights, send a request to [email protected] or contact us at +52 351 351 5831, including: full name, email address for receiving the response, official ID and description of the right you wish to exercise. We will respond within 20 business days of receiving your request, in accordance with the LFPDPPP.

B. Additional Rights for Users in Spain and the European Union (GDPR)

If you reside in Spain or another European Union country, you have the following additional rights:

  • Portability: receive your data in a structured, commonly used format to transfer it to another controller.
  • Restriction of processing: request that we suspend the processing of your data while a dispute regarding its accuracy or lawfulness is resolved.
  • Erasure ("right to be forgotten"): request the deletion of your data when it is no longer necessary, when you withdraw consent, or when processing is unlawful.
  • Withdrawal of consent: you may withdraw at any time the consent granted for secondary purposes, without affecting the lawfulness of prior processing.
  • Complaint to supervisory authority: you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, if you consider that the processing of your data does not comply with applicable regulations.

These rights can be exercised through [email protected]. We respond within a maximum of 30 calendar days, in accordance with Art. 12 of the GDPR.

C. Rights for Users in California, U.S. (CCPA/CPRA)

If you reside in California, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Know the categories of personal data collected and the purposes of its processing.
  • Request the deletion of your personal data.
  • Correct inaccurate personal data.
  • Opt out of the sale or sharing of your personal data. Tres Piedras does not sell or share users' personal data with third parties for commercial purposes.
  • Not be discriminated against for exercising your privacy rights.

To exercise these rights, contact us at [email protected]. We will respond within 45 calendar days of your request.

D. Rights for Users in Canada (PIPEDA / Quebec Law 25)

If you reside in Canada, the processing of your data is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level. If you reside in Quebec, Law 25 (An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information) also applies, fully in force since September 2023.

Your rights include:

  • Access your personal data and request corrections.
  • Withdraw your consent to the processing of data for secondary purposes.
  • Request the deletion of your data when it is no longer necessary.
  • Be notified in the event of a privacy incident that could cause you a real risk of harm, in accordance with Quebec Law 25.
  • File a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca, or with the Commission d'accès à l'information du Québec (CAI) if you reside in that province.

International transfers from Canada: your data is processed on servers located in Mexico, the United States and other countries. Before carrying out these transfers, Tres Piedras verifies that recipients apply comparable protection measures. You may request information about the applicable safeguards by writing to [email protected].

VIII  —  Cookies and Tracking Technologies

Strictly necessary cookies

Enable the basic functioning of the site (shopping cart, login). Consent is not required.

Analytical cookies

Collect aggregated information about browsing behavior to improve the site (Google Analytics). Consent is required.

Advertising and remarketing cookies

Allow personalized ads to be shown on third-party platforms (Meta, Pinterest, Google Ads). Consent is required.

When you visit the site for the first time, you will be presented with a cookie management panel where you can accept, reject or customize the use of each category. You can also modify your preferences at any time from the cookie settings link available in the site's footer.

You may also disable cookies through your browser settings, although this may affect the functioning of some sections of the site.

For users in Spain and the EU, the use of non-essential cookies is suspended until you provide explicit consent, in accordance with the GDPR and the ePrivacy Directive.

IX  —  Security Measures

Tres Piedras implements reasonable technical, administrative and physical measures to protect your personal data against unauthorized access, loss, alteration or disclosure, including:

  • Encryption of data in transit using SSL/TLS protocols.
  • Payment processing exclusively through platforms certified to the PCI-DSS standard.
  • Restricted access to personal data based on operational need.
  • Periodic security reviews of data storage systems.

In the event of a security incident that may pose a risk to your rights and freedoms, Tres Piedras will notify affected data subjects and, where applicable, competent supervisory authorities, within the timeframes established by the applicable legislation in each country.

X  —  Photography and Video Recordings at Events

If you attend exhibitions, fairs, pop-up events or any promotional event by Tres Piedras, photographs or video recordings of the event may be taken. These images may be used for dissemination and promotional purposes on social media, the website and communication materials. Your participation in such events implies consent to this processing, unless you expressly indicate otherwise.

XI  —  International Data Transfers

Some of our service providers and technology platforms have servers outside of Mexico, primarily in the United States. When your data is transferred internationally, Tres Piedras ensures that such transfers are carried out under mechanisms that guarantee an adequate level of protection, such as standard contractual clauses or data processing agreements, as applicable.

For users in Spain and the EU: transfers to countries outside the European Economic Area are carried out under the safeguards provided in Art. 46 of the GDPR (standard contractual clauses approved by the European Commission).

XII  —  Amendments to the Privacy Notice

This notice may be updated at any time to reflect changes in our practices, applicable legislation or the services we offer. When changes are significant, we will notify you through a visible notice on the website or, where possible, via email sent to registered users.

The version currently in effect is always the one published at https://trespiedras.mx/aviso-de-privacidad.

XIII  —  Contact and Supervisory Authorities

Tres Piedras — Krono-Zam S. de R.L. de C.V.

Supervisory authorities by country

  • Mexico: National Institute of Transparency, Access to Information and Personal Data Protection (INAI) — www.inai.org.mx
  • Spain / EU: Spanish Data Protection Agency (AEPD) — www.aepd.es
  • Canada: Office of the Privacy Commissioner of Canada — www.priv.gc.ca; Commission d'accès à l'information du Québec (CAI) — www.cai.gouv.qc.ca
  • U.S. (California): California Privacy Protection Agency (CPPA) — www.cppa.ca.gov

This privacy notice complies with the Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations, the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, and Quebec Law 25.

trespiedras.mx  |  [email protected]  |  +52 351 351 5831