Privacy and personal data protection policy

Version: 2.0 (LATAM Regional Compliance & Global Standard)
Last Updated: [12/11/2025]

I. DATA CONTROLLER, SCOPE, AND APPLICABLE REGULATORY FRAMEWORK

Diversidad Financiera Consultores (hereinafter, the “Company”, the “Controller”, or “we”) respects your privacy and is committed to protecting your personal data. This Policy describes how we collect, use, and protect your information in the context of our Investment, Assignment of Litigious Rights, and Intangible Assets activities, as well as the use of our website.

Commitment to Regional Compliance (LATAM): We operate under the principle of Proactive and Demonstrated Accountability, ensuring compliance not only with international standards (GDPR) but also with the specific data protection regulations in force in the jurisdictions where we operate or where our clients reside, expressly including:

  • Brazil: Lei Geral de Proteção de Dados (LGPD – Law No. 13.709).
  • Ecuador: Organic Law on Personal Data Protection (LOPDP).
  • Colombia: Statutory Law 1581 of 2012 and Decree 1377.
  • Mexico: Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP).
  • Chile: Law No. 19.628 on the Protection of Private Life (and its amendments).
  • Peru: Law No. 29733 on Personal Data Protection.
  • Argentina: Law No. 25.326 on Personal Data Protection.

In the event of a conflict between regulations, we will apply the standard that grants the highest protection to the data subject (Pro-Homine Principle).

II. KEY DEFINITIONS

To ensure clarity and legal certainty throughout the region, we adopt the following definitions:

  1. Personal Data: Any information linked or that can be associated with one or several determined or determinable (identifiable) natural persons.
  2. Data Subject (or Interested Party): The natural person whose personal data is the subject of processing.
  3. Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, erasure, transmission, or transfer.
  4. Data Controller: The natural or legal person (in this case, Diversidad Financiera Consultores) who decides on the purpose (“what for”) and the processing (“how”) of the data.
  5. Data Processor (Operator): The natural or legal person who performs the processing of personal data on behalf of and upon instruction from the Controller (e.g., cloud providers, external auditors).
  6. Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse may generate discrimination (e.g., racial origin, political opinions, biometric data, health data).
  7. Transfer: The communication of personal data where the sender and the receiver are independent Controllers, located within or outside the country (e.g., assigning a portfolio to another fund).
  8. Transmission: The communication of data between a Controller and a Processor (e.g., sending data to our IT provider for hosting), within or outside the country.
  9. Consent: The free, specific, informed, and unequivocal manifestation of will, through which the Data Subject accepts the processing of their data.
  10. Anonymization: The process by which personal data ceases to be identifiable irreversibly, ceasing to be subject to data protection regulations.

III. DATA WE COLLECT AND ITS CATEGORIZATION

“Personal Data” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store, and transfer different types of personal data about you, which we have grouped as follows:

  1. Identity Data: Includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, and gender.
  2. Contact Data: Includes billing address, email address, and telephone numbers.
  3. Financial Data: Includes bank account details and payment card details (strictly necessary for transactions or disbursements).
  4. Technical Data (Digital Fingerprint): Includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  5. Profile Data: Includes your interests, preferences, feedback, and survey responses.
  6. Usage Data: Includes information about how you use our website, products, and services.
  7. Marketing and Communications Data: Includes your preferences in receiving marketing from us and our third parties and your communication preferences.

Aggregated Data: We also collect, use, and share Aggregated Data, such as statistical or demographic data, for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not reveal your identity. If we combine Aggregated Data with your personal data so that it can identify you, we treat the combined data as personal data.

EXCLUSION OF SENSITIVE AND CRIMINAL DATA: We do not collect Special Categories of Personal Data (Sensitive Data). This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data. Nor do we collect any information about criminal convictions and offenses in the ordinary course of web browsing. (Note: In contractual Due Diligence processes, the review of compliance/AML lists will be carried out strictly under legal mandate).

Consequence of failure to provide data: Where we need to collect personal data by law or under the terms of a contract, and you fail to provide that data, we may not be able to fulfil the contract or service requested (e.g., an investment). In this case, we will notify you.

IV. LAWFUL BASES AND PURPOSES

We will only process your data when the law allows us to. The main lawful bases are:

  1. Performance of a Contract: Necessary to manage your investment, evaluate the assignment of rights, or formalize our business relationship.
  2. Legal Obligation (Compliance): Processing necessary to comply with Anti-Money Laundering (AML/CFT) laws, reporting to Financial Intelligence Units (FIU/UAFE), and tax regulations.
  3. Legitimate Interest: To administer our business, prevent fraud, ensure network security, and improve our services, always balancing this so that your fundamental rights do not override these interests.
  4. Consent: Explicitly required before sending you third-party direct marketing communications. You have the right to withdraw your consent at any time.

V. DATA RETENTION

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.

VI. INTERNATIONAL TRANSFERS

Your data may be transferred to third countries. We guarantee that such transfers comply with lawfulness requirements:

  • Transfer to countries with an Adequate Level of Protection.
  • Use of Appropriate Safeguards (such as Standard Contractual Clauses or binding contracts) that ensure a standard of protection equal to or higher than the local one.

VII. RIGHTS OF THE DATA SUBJECT

As a data subject, you possess non-waivable rights:

  • Access: Request a copy of your data.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure (Deletion): Request the deletion of data when it is no longer necessary.
  • Opposition (Object): Object to processing based on legitimate interest or marketing.
  • Portability: Receive your data in a structured and readable format.
  • Suspension/Limitation: Request the temporary suspension of processing.

To exercise these rights, contact our privacy team. You will not have to pay a fee to access your personal data; however, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

VIII. COOKIES AND THIRD PARTIES

Our website may include links to third-party websites. We do not control these sites and are not responsible for their privacy statements. You can configure your browser to refuse all or some cookies. For more information, please consult our Cookie Policy.

IX. SECURITY AND RISK MANAGEMENT

The Company adopts a robust and layered Information Security approach:

  1. Technical and Organizational Measures: We have implemented appropriate security controls (encryption, firewalls, logical access controls) to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered, or disclosed.
  2. Restricted Access (Need-to-Know): We limit access to your personal data to those employees, agents, contractors, and other third parties who have a strict business need to know. They will only process your data on our instructions and are subject to a duty of confidentiality.
  3. Breach Management: We have procedures to deal with any suspected personal data breach. We will notify you and any applicable regulator of a breach where we are legally required to do so, within the established timeframes (generally 72 hours or according to local regulation).
  4. Impact Assessment: We conduct prior risk analyses to ensure that our tools and providers comply with the security standards required by regional regulations.

X. VALIDITY, CHANGES, AND UPDATES

10.1. Continuous Update: We keep our privacy policy under regular review. This version replaces all previous ones and is applicable as of the date indicated in the header.

10.2. Duty to Notify: It is important that the personal data we hold about you is accurate and current. Please keep us informed if your data changes. Any substantial change to this Policy (e.g., new purposes of use or changes in international transfers) will be notified via:

  • Email to the registered address (for active clients).
  • Prominent notice on our website (banner or pop-up) upon re-entry.

10.3. Acceptance: Continued use of our services or website following the publication of changes will constitute your acknowledgment and acceptance of the updated terms, to the extent permitted by applicable law.

XI. CONTACT

For any questions, exercise of rights, or complaints regarding this policy, please contact our Data Privacy Manager:

  • Email: info@diversidadfinanciera.com
  • Right to Complain: You have the right to make a complaint to the competent data protection authority in your country of residence, although we would appreciate the chance to deal with your concerns before you approach them.
Menu

EN

© 2026 DFC SRL - Company registration no. 3102953695 | Registered Address: Distrito San Rafael, Guachipelín, Diagonal a Distrito Cuatro, CC Plaza Mundo, Piso 2, Oficina 14, San José - Escazú, Costa Rica.

Close