Colombia Privacy Notice – English

Supplemental Information For Colombia

If you are located in Colombia or your personal data is processed in Colombia, this section applies in addition to our general Privacy Notice. We process personal data in accordance with Law 1581 of 2012, Decree 1377 of 2013, and other applicable regulations issued by the Superintendence of Industry and Commerce.

1. Data Controller Identification
For purposes of Colombian data protection law, the Data Controller responsible for your personal data is:

U.S. CARIS MPI, Inc., d/b/a Caris Life Sciences
750 W John Carpenter Fwy, Suite 800, Irving, TX
privacy@carisls.com

If applicable, we may also designate a local or regional representative in Colombia to facilitate the exercise of your rights.

2. Legal Basis for Processing
Under Colombian law, the processing of personal data is generally subject to the prior, express and informed authorization of the data subject. Processing without authorization is only permitted in specific cases established by law, such as public information, legal requirements expressly provided by statute, or emergencies involving health or safety, according to Article 10 of Law 1581 of 2012.

For sensitive personal data, including health, genetic, biometric, or clinical information, processing is generally prohibited unless:

  • You have provided explicit authorization, or
  • A legal exception applies under Colombian law

3. Sensitive Data Notice
We may process sensitive personal data, including:

  • Health and medical records
  • Genetic data
  • Pathology and diagnostic results
  • Biological samples and molecular data
  • Treatment history and clinical outcomes

In accordance with Colombian law, you are not obligated to provide sensitive personal data. Refusal to provide such data will not result in any adverse consequences, except where such data is strictly necessary to provide the requested services.

Where required, we will obtain separate, explicit authorization for the processing of sensitive data, and we will apply enhanced security and confidentiality measures.

4. Purpose of Processing
We process personal data for the following purposes:

  • Medical and diagnostic testing services
  • Development and delivery of oncology and precision medicine insights
  • Laboratory processing and clinical interpretation
  • Scientific, clinical, and epidemiological research (where authorized)
  • Quality assurance and service improvement
  • Regulatory compliance and audit requirements
  • Contractual and billing management

Personal data will not be processed for purposes incompatible with those disclosed at the time of collection unless separately authorized.

With regard to your sensitive personal data, it will only be processed to provide you with health-related services, as required on a case-by-case basis.

5. Rights of Data Subjects
Under Colombian law, you have the following rights:

  • To access your personal data that has been subject to processing
  • To know, update, and rectify partial, inaccurate, incomplete, fragmented data, data that may lead to error, or data whose processing has not been authorized or is expressly prohibited
  • To request proof of your authorization granted to us
  • To be informed, upon request, about the use of your data
  • To revoke your authorization, where legally applicable
  • To request deletion of your data when appropriate
  • To file complaints with the Superintendence of Industry and Commerce

Requests may be submitted at any time through our designated privacy contact channels. The Privacy Team, acting as the Data Protection Officer, may be contacted through this email: privacy@carisls.com

6. Procedure to exercise your rights
If you submit a request to exercise any of your rights, it will be processed under the following procedures, as applicable:

6.1 Requests:

If you want to access your personal data for which Caris acts as a Data Controller, you must send a request through the channels provided in our general Privacy Notice.

We will respond to your request within a maximum term of ten (10) business days counted from the date of its receipt. If it is not possible to address your request within this time frame, we will inform you of such circumstance, stating the reasons for the delay and indicating the new date on which we will respond. This new date, in any case, may not exceed five (5) additional business days following the expiration of the initial term.

6.2 Claims:
If you consider that your personal data should be corrected, updated or deleted, or you want to exercise any of your remaining privacy rights, you must send your claim through the channels provided in our general Privacy Notice. Your claim must contain, at least, the following information:

  • Proof of your identity.
  • A description of the facts giving rise to your claim.
  • The address at which you would like to receive the response.
  • Any supporting documentation.

If your claim is incomplete, we will let you know within five (5) days following its receipt. You will then have two (2) months to provide the required information. If you do not provide it within this term, we will consider your claim as withdrawn.

Once we receive your claim, including all the required information, we will include a note in the database stating “complaint in process”, including a short summary of the reason, within the following two (2) days. We will respond to your claim within fifteen (15) business days counted from the day following the date of its receipt. If it is not possible to address your claim within this time frame, we will inform you of such circumstance, stating the reasons for the delay and indicating the new date on which we will respond. This new date, in any case, may not exceed eight (8) additional business days following the expiration of the initial term.

7. International Data Transfers
Your personal data may be transferred to or processed in countries outside Colombia. Such transfers will only occur when:

  • The recipient country provides adequate levels of data protection, as determined by the Superintendence of Industry and Commerce, unless you have provided your prior, express and informed consent for your personal data to be transferred to this jurisdiction.
  • You have provided prior, express authorization, or
  • A legal exception applies.

8. Data Security Measures
We implement technical, administrative, and organizational safeguards designed to protect personal data against:

  • Unauthorized access
  • Loss or alteration
  • Improper use or disclosure
  • Destruction or accidental damage

Access to personal data is restricted to authorized personnel and service providers bound by confidentiality obligations.

Security measures are implemented considering the sensitivity of the personal data processed and the risks associated with its processing, in accordance with the principle of restricted access and security under Colombian law.

9. Data Retention
Personal data will be retained only for as long as necessary to:

  • Fulfill the purposes for which it was collected
  • Comply with legal, regulatory, or contractual obligations
  • Support medical, diagnostic, or scientific validity requirements

After expiration of retention periods, data will be securely deleted or anonymized where appropriate.

10. Complaints and Supervisory Authority
If you believe your rights under Colombian law have been violated, you may file a complaint with:

Superintendence of Industry and Commerce (SIC)
Calle 24 No. 7 – 43, Bogotá D.C., Colombia

You may also contact us directly to resolve concerns before escalating to the SIC, according to the procedure included in Section 6.

11. Updates to This Colombia Notice
We may update this Colombia-specific disclosure periodically to reflect changes in law, regulatory guidance, or our processing activities.
