PRIVACY POLICY

The purpose of this Personal Data Privacy Policy (hereinafter referred to as “Privacy Policy”) is to inform you how AIST PERU S.A.C. (hereinafter referred to as “Maxim”, “we”, “us”, “our”), with RUC Nº 20606461730, with address at Office D, Avenida Luis Gonzales 291, District and Province of Chiclayo, Department of Lambayeque, Republic of Peru, collects, uses, processes and discloses the personal data compiled from its passengers, drivers, customers, delivery partners (collectively hereinafter referred to as “you”, “your” or “yours”) through the use of Maxim’s apps and websites, including all mobile applications and websites (taximaxim.com) operated by Maxim, products, features and other services globally.

We want you to know and always have control over your personal data. For this, we provide you this Privacy Policy, whereby you can consult in detail, but in an easy and transparent way, the characteristics of the use we make of your personal data for providing you our services and for other purposes.

You can access this Privacy Policy at any time, as it is available for you on Maxim’s website https://legal.taximaxim.com/ (hereinafter referred to as “Website”).

This Privacy Policy conforms to the current regulations of the Peruvian Law for Personal Data Protection (Law Nº 29733 and its Regulation, approved by the Supreme Decree Nº 003-2013-JUS). In this document we indicate the purposes of the processing of the personal data you provide us, who the data processors are, the storage period of the personal data in the databases, the security measures and the means to exercise your rights as a data subject. It should be noted that Maxim ensures the maximum reserve and protection of the personal data you provide.

We have drafted this Privacy Policy so that it does not contain very technical language, since the content of such documents is often difficult to understand. Of course, if you still have questions about any aspect of our Privacy Policy, do not hesitate to contact us.

1. Data Controller

Corporate name: AIST PERU S.A.C.;

TAX ID Nº: 20606461730;

Address: Office D, Avenida Luis Gonzales 291, District and Province of Chiclayo, Department of Lambayeque, Republic of Peru;

Database: Users;

Mail contact: [email protected].

2. Processing of Personal Data

Keep in mind that to fulfill the purposes listed in Section 3 of this Privacy Policy, we will use some of your personal data obtained in different ways and at different times. They are detailed below:

Passengers and customers identifying data: name, address, e-mail address, phone number, birth date, sex.

Drivers and delivery partners identifying data: name, birth date, driving license number, validity period of driving license, ID number or foreign ID number and its other relevant details, number and other relevant details of the license or any other official permit required for the provision of services, license plate number, year of manufacture of the vehicle, brand, model, color, seat capacity of the vehicle, presence or absence of A/C in the vehicle, external view and condition of the vehicle. You agree to provide Maxim with all relevant tax information for the purpose of issuing tax documents applicable in Peru, and you acknowledge that tax documents may include specific information about you, including your name or tax identification number (RUC) and your address. You also consent to Maxim independently collecting your tax data, including your tax number (RUC), through publicly available methods. These data and information are collected within the submission of the following documents: 1) ID or foreign ID; 2) driving license; 3) ownership certificate or another document stating the legal right of the driver or delivery partner to drive the vehicle; 4) photo; 5) photo of the vehicle; 6) certificate of no criminal, judicial and police records; 7) Mandatory Traffic Accident Insurance Policy (SOAT); and 8) license or any other official permit required for the provision of services.

Metadata: functional location, including IP address used to connect to the internet from a computer, information about the user’s account, browser type and version, time setting, plug-ins associated, operating system and platform, etc. Also, certain information about the users’ and visitors’ activity on the platform will be compiled. Additionally, information relative to your journeys/orders will be stored; the identification code we internally assign you; your browsing/navigation through the platform (date and time you access, you click, etc.); the hardware, software and browser you use; the type of payment method you use. The technical data from calls between the passengers/customers and drivers/delivery partners, as long as they are made by the platform. The messages between the passengers/customers and drivers/delivery partners, as long as they are made by the platform.

Data referred to the online complaints book: the virtual complaint book must contain at least the information consigned on the forms of the present regulation of the complaint books of the Protection and Defense of the Consumer Code, approved by the Supreme Decree N° 011-2011-PCM. In this sense, the following personal data will be processed: 1) name, address, ID or foreign ID number, phone number and e-mail of the complaining consumer; 2) name, address, phone number and e-mail of one of the parents or consumer representatives, in case of a minor; 3) detail of the complaint or claim; 4) identification of the product or service contracted; 5) claim or complaint date; and 6) ID or foreign ID copy.

We will process and review any other information that could be provided by you, whether requested by us or provided voluntarily by you. If it is found relevant and necessary for the purposes listed in Section 3 of this Privacy Policy, we will keep it, otherwise we will eliminate it.

3. Processing purposes and legal basis

The personal data indicated in Section 2 of this Privacy Policy will be used/processed for the following purposes:

1) To provide, personalize, maintain and improve our services. This includes using your personal data to: 1) provide you with services; 2) engage you to provide services; 3) create, administer and update your account; 4) verify your identity; 5) validate your ride and process payments; 6) offer, obtain, provide or facilitate insurance or financing solutions; 7) track the progress of your trip; 8) enable features that personalize your app, such as lists of your favorite places and previous destinations; 9) perform internal operations necessary to provide our services, including troubleshooting software bugs and operational problems, conducting data analysis, testing and research, monitoring and analyzing usage and activity trends; and 10) protect the security or integrity of the services and any facilities or equipment used to make the services available (Legal basis: to perform a contract to which the data subject is party (art. 14°, numeral 5 of the Personal Data Protection Law));

2) To ensure the safety and security of our services and its users. This includes: 1) screening drivers and delivery partners before enabling their use of our services; 2) verifying your identity when you log in to Maxim; 3) using device, location, profile, usage and other personal data to prevent, detect and combat fraud or unsafe activities; 4) sharing drivers and passengers’ location when the emergency button is activated; 5) monitoring compliance with our Work Rules, License Agreement, Policies and other policies and agreements; and 6) detecting, preventing and prosecuting crime (Legal basis: to perform a contract to which the data subject is party (art. 14°, numeral 5 of the Personal Data Protection Law));

3) To resolve customer support issues. For example, we may: 1) investigate and address concerns; 2) monitor and improve our customer support responses; 3) respond to questions, comments and feedback; and 4) inform you about steps taken to resolve customer support issues (Legal basis: to perform a contract to which the data subject is party (art. 14°, numeral 5 of the Personal Data Protection Law));

4) For testing, research, analysis and product development. This allows us to understand and analyze your needs and preferences, protect your personal data, improve and enhance the safety and security of our services, develop new features, products and services, and facilitate insurance and finance solutions (Legal basis: to perform a contract to which the data subject is party (art. 14°, numeral 5 of the Personal Data Protection Law));

5) To investigate and resolve claims or disputes, or as allowed or required by applicable law (Legal basis: legal obligation (art. 14.13 of the Personal Data Protection Law));

6) We may also use your personal data when we are required, advised, recommended, expected or requested to do so by our legal advisors or any local or foreign legal, regulatory, governmental or other authority. For example, we may use your personal data to: 1) comply with court orders or other legal, governmental or regulatory requirements; 2) enforce our Work Rules, License Agreement or other agreements; and 3) protect our rights or property in the event of a claim or dispute (Legal basis: legal Obligation (art. 14.13 of the Personal Data Protection Law));

7) We may also use your personal data in connection with mergers, acquisitions, joint ventures, sale of company assets, consolidation, restructuring, financing, business asset transactions, or acquisition of all or part of our business by another company (Legal basis: consent (art. 13° of the Personal Data Protection Law));

8) To market Maxim and its business partners’ products, services, events or promotions. For example, we may: 1) send you alerts, newsletters, updates, mailers, promotional materials, special privileges, festive greetings; and 2) notify, invite and manage your participation in our events or activities (Legal basis: consent (art. 13° of the Personal Data Protection Law));

9) We may communicate such marketing to you by post, telephone call, short messaging service, in-app engagement, online messaging service as well as push notification, by hand and by email. If you wish to unsubscribe to the processing of your personal data for marketing and promotions, you may click on the unsubscribe link in the relevant email or message. Alternatively, you may also update your preferences in our app settings (Legal basis: consent (art. 13° of the Personal Data Protection Law)).

The provision of your personal data to us is on a voluntary basis. However, if you do not provide your personal data or if insufficient personal data is supplied to us when requested, this may affect our ability to fulfill the purposes mentioned above and your ability to enjoy the full range of benefits provided by us under our services.

4. Storage period

The personal data that Maxim compiles are stored in the database called “Users”. The personal data will be stored for a maximum period of ten (10) years, counted from the date when you are no longer our user. This storage period is strictly related to the statutes of limitations existing in the regulation/legal system, since Maxim could be held to some type of responsibility resulting from the contractual relation or due to legal obligations to retain documents or information, as well as for historical, statistical or scientific reasons.

It should be noted that Maxim will carry out semi-annual reviews in order to comply with the proportionality and quality principles. In this sense, once the personal data are no longer relevant for the purposes for which they were compiled, they must be destroyed.

5. Security measures

We know the importance of protecting the personal data to which we have access, which is why we are always seeking to implement new technologies and processes to better protect your personal data. We use information security techniques generally accepted in the industry, such as firewalls, access control procedures and cryptographic mechanisms, with the aim of preventing unauthorized access to your personal data. Likewise, suppliers have been hired to apply relevant security measures in order to safeguard personal data. Our employees, suppliers and agents who have access to your personal information are bound by the duty of confidentiality and the obligations determined by the applicable regulations for personal data protection, which, if not complied with, may be subject to disciplinary measures, including dismissal and compensation, for unauthorized use or disclosure of your personal data. Our apps and websites may contain links to other websites. Maxim is not responsible for the content of the privacy policies or practices of other websites. When you access a link that redirects you to another website, you must accept and abide by the privacy policy of such website. We confirm that we have adopted appropriate security levels to safeguard the information, respecting the measures applicable to each category and type of treatment of the databases, following the provisions of the security directive of the National Authority for Personal Data Protection.

6. National/Domestic transfer. Disclosure of personal data

The personal data will be processed internally. Eventually, your personal data could be shared with third parties for certain purposes. These third parties include:

1. Other users of Maxim. For example, if you are a passenger, we may share your pick-up and drop-off locations with drivers. If you are a driver, we may share your personal data with your passenger, including your full name and photo, your vehicle mark, model, license plate number, location and average rating.

2. Third parties in connection with a ride. For example, we may share your location with third parties when a passenger activates the emergency button.

3. Subsidiaries and affiliates. We can share personal data with our subsidiaries, associated companies, jointly controlled entities and affiliates, precisely specified in Clause 7 of this Privacy Policy.

4. Our legal advisors and governmental authorities. We may share your personal data with our legal advisors, law enforcement officials, government authorities and other relevant third parties.

In all possible cases, Maxim undertakes to enter into a confidentiality and personal data protection agreement in accordance with the provisions of current legislation.

7. International Transfer

Personal data will be stored on the servers of (and hereby you give your prior, informed, explicit, unambiguous and unconditional consent for this international transfer in accordance with art. 15°, numeral 7 of the Personal Data Protection Law):

Corporate name: HTMC LTD;

Address: Office 302B, Center Point, 4 Nicolaou Nikolaide Avenue, 8010 Paphos, Republic of Cyprus;

Tax ID Nº: 10366633S;

Type of company: Technology;

Purpose: So that the related companies can analyze the services carried out with the aim of improving services.

8. Minors’ and third parties’ personal data

In the event that any personal data of a minor (i.e. individuals under the age of 18) is disclosed to us, you hereby signify your consent to the processing of the minor’s personal data as a parent or legal guardian of the minor (or your agreement to procure the necessary consent from the minor’s parent or legal guardian) and accept and agree to be bound by this Privacy Policy and take responsibility for his or her actions. In the event that you are a minor and intend to provide your personal data to us, you hereby confirm and acknowledge that you have obtained your parent or legal guardian’s agreement to be bound by this Privacy Policy. In case of legal requirement restricting us from communication and/or interaction with individuals under the age of 18, and if we detect that you are under the age of 18, we reserve the right to block and/or delete your personal account and/or profile. In some situations, you may provide personal data of other individuals (such as your spouse, family members or friends) to us. For example, you may add them as your emergency contact. If you provide us with their personal data, you represent and warrant that you have obtained their consent for their personal data to be processed as set out in this Privacy Policy.

9. Privacy Policy modifications

Our services and the applicable regulations may change, so we reserve the right to update or modify this Privacy Policy and personal data protection at any time. For this, we will take care of communicating any variation and require your consent regarding the new version of this Privacy Policy and personal data protection in case any of the ways of processing you authorized by accepting this Policy vary. Nevertheless, we recommend that you review this Privacy Policy periodically, and especially before providing additional personal information. This Privacy Policy was updated on the date indicated at the end of this document.

10. Exercise of rights

The personal data protection right allows people to control their personal information. To that end, the regulations provide rights that allow people to require that their personal data are processed properly. These rights are called “ARCO”:

1. Access: everyone has the right to obtain information about themselves that is processed in public or private databases, the way in which their data was compiled, the reasons/purposes that motivated its compilation and at whose request the data was compiled, as well as the transfers made or planned to be made of them.

2. Rectification (update, include): it is the data subject's right to modify data that are partially or totally inaccurate, incomplete, erroneous or false.

3. Erasure (cancellation): the data subject may request the erasure or cancellation of its personal data from a database when they are no longer necessary or relevant for the purpose for which they have been compiled; the period established for its processing has expired; the consent for the processing has been revoked and in other cases they are not being processed in accordance with the law and regulations.

4. Opposition (restriction): every person has the possibility of opposing, for a legitimate and well-founded reason, referring to a specific personal situation, to appear in a database or to the processing of their personal data, whenever the law does not provide otherwise.

You may address a request to exercise rights to the following email address: [email protected] following special guidelines (application attention procedure for the exercise of ARCO rights) and using the ARCO rights request form attached to this Privacy Policy.

In order to exercise the aforementioned rights, you must present at the previously specified address, the respective request in the terms established by the Personal Data Protection Law (including: data subject name and address or other means to receive a response; documents that prove your identity or legal representation; clear and precise description of the data regarding which you seek to exercise your rights and other elements or documents that facilitate its location). If you consider that you have not been attended in the exercise of your rights, you can file a claim to the National Authority for Personal Data Protection, by contacting the Reception Desk of the Ministry of Justice and Human Rights: Calle Scipion Llona 350, Miraflores, Lima, Peru.