GLOBAL PRIVACY AND PERSONAL DATA PROCESSING POLICY

THE FELLOWSHIP ACADEMY

Last updated: March 10, 2026

Effective as of: Date of registration or access to the Platform.

PRIVACY NOTICE: Your privacy and the security of your data are fundamental priorities for The Fellowship Academy. This document describes in full and transparent terms how we collect, use, store, share and protect your personal information when you interact with our technology ecosystem.

1. INTRODUCTION, ROLE OF CORPORATE ENTITIES AND LAWFUL BASES FOR PROCESSING

1.1. Scope, Nature of the Document and Consent:

This Global Privacy and Personal Data Processing Policy (the "Policy") is an integral legal instrument of our General Terms and Conditions of Service. It governs the collection, storage, use, transfer and deletion of personal information of every user ("Specialist" or "User") who accesses the Platform. By checking the consent box ("clickwrap"), registering an Account, undergoing the Medical KYC process or using the Platform, you give your express, unequivocal, free, prior and informed consent for the processing of your Personal and Sensitive Data in strict accordance with this document. If you do not agree with this Policy in full, you must immediately cease all use of the Platform.

1.2. Identification of Roles, Corporate Separation and Data Processing Agreements (DPA):

To ensure compliance with applicable data protection regimes in multiple jurisdictions, including the EU GDPR, the California CPRA/CCPA, and Colombia's Statutory Law 1581 of 2012 and its regulations, the Parties acknowledge the following allocation of responsibilities:

Data Controller: Fellowship Academy S.A.S., a company incorporated in Colombia. It is the entity that exclusively determines the purposes, means and scope of processing of Personal Data, manages financial collection and handles legal requests and exercise of data subject rights (ARCO/GDPR rights).

Data Processor / Subprocessor: The Fellowship Group Corp., a corporation incorporated in Delaware, U.S. It acts as technology infrastructure provider and software licensor, storing and processing information in encrypted databases under the Controller's strict documented instructions.

Intra-Group DPA: The User acknowledges that the relationship between Controller and Processor is formally governed by a Data Processing Agreement (DPA) incorporating the European Commission's Standard Contractual Clauses (SCCs), ensuring an adequate level of protection for cross-border transfer of data from Colombia to the United States.

1.3. Lawful Bases for Processing:

The Fellowship Academy categorically rejects arbitrary processing. All personal data processing is carried out under one or more of the following lawful bases:

1. Performance of a Contract: Processing is strictly necessary for Account creation, VOD streaming service provision, payment processing and performance of the Terms and Conditions.

2. Legal and Regulatory Compliance: Processing, retention and auditing of medical credentials (KYC) and financial data is required for AML/CFT laws, corporate tax billing regulations and response to subpoenas or binding requests from judicial and health authorities.

3. Legitimate Interest and Consent: For GDPR users we process telemetry, IP and activity data for security (DDoS prevention) and fraud investigation under Legitimate Interest. For users in Colombia (Law 1581 of 2012), all personal data processing, including telemetry and security metadata, is based strictly on Express, Prior and Informed Consent given by accepting this Policy.

4. Express and Specific Consent: Required for special categories of data and direct marketing communications.

1.4. Absolute Restriction for Minors (COPPA / GDPR Art. 8):

The Platform is designed exclusively for adult professionals and university students. We do not knowingly collect or process personal data of individuals under eighteen (18). If the Operator discovers that it has collected information from a minor without verifiable parental consent, that information will be purged and permanently deleted from our databases in accordance with the U.S. COPPA and similar laws.

2. CATEGORIES OF DATA COLLECTED, MINIMIZATION AND CREDENTIAL REVIEW (KYC MEDICAL)

To ensure the integrity and security of our closed elite medical ecosystem ("Walled Garden"), the Operator collects only the information strictly necessary, adequate and relevant for the purposes described in this Agreement. Data collected falls into the following formal categories:

2.1. Identity, Verification and Medical Profiling Data (KYC Medical):

Due to the critical, academic and restricted nature of the Platform, collection of this information is an indispensable legal and contractual requirement ("suspensive condition") for opening and maintaining an Account.

Basic Biographical Data (PII): Full legal name, institutional or personal email, mobile number for MFA, and jurisdiction of residence or professional practice.

Sensitive Data and Professional Credentials: Under GDPR Art. 9 and Colombia Law 1581 Art. 5 we collect government ID (passport, national ID), medical degrees, specialty certificates, proof of active enrollment (students), medical licenses and professional registration numbers. Providing Sensitive Data is voluntary; refusal will prevent verification and access to the Platform.

Ephemeral Biometric Data (Liveness Checks): As a critical fraud and identity spoofing mitigation and AML compliance measure, the User expressly authorizes our authorized verification subprocessor NOVACODIFY S.A.S. (and its technology providers) to collect and process temporary facial mappings or liveness checks. The Fellowship Group Corp. and the Operator do not extract, process or store raw biometric data on their own servers. Such data is processed in encrypted, temporary and ephemeral form by NOVACODIFY solely for validation against the official document, after which the biometric vector is destroyed.

2.2. Financial, Transactional Data and PCI-DSS Vault:

For subscription contract performance we process information related to purchase history, subscription tier and billing status.

Technological Isolation and Tokenization: The Operator's and IP Owner's servers are technically and logically segregated from raw financial data processing. We do not collect, process or store full card numbers (PAN) or security codes (CVV). All transactions are processed, encrypted and tokenized by third-party payment gateways audited under PCI-DSS Level 1, or through Apple App Store / Google Play Billing. The Operator retains only billing tokens, the last four (4) digits of the card and expiry date for support, fraud prevention and accounting reconciliation.

2.3. Technical Data, Telemetry and Usage Patterns (Automated Collection):

When you interact with the Platform, our architecture and that of our enterprise-grade cloud providers (for ultra-low-latency hosting and streaming) automatically collect technical metadata essential for service provision, network optimization and cybersecurity:

Network and Device Identifiers: IP addresses (for copyright geo-fencing and attack mitigation), User-Agent, device UUIDs, browser type, OS and network metrics.

Audit and Interaction Logs: VOD viewing history, live stream connection timestamps, latency reports, GUI interactions and automated application crash reports.

2.4. User-Generated Content (UGC) and Absolute Restriction on Patient Data (PHI):

We collect text, graphic or audiovisual content you voluntarily publish in discussion forums, live chats or Q&A panels.

Exclusion of HIPAA Business Associate Relationship: The Fellowship Academy operates solely as a peer medical education platform. You acknowledge that The Fellowship Academy is NOT a Covered Entity or Business Associate under U.S. HIPAA or analogous health laws. There is no BAA between the Parties.

User Prohibition and Regulatory Risk: It is strictly prohibited to upload, transmit or request Protected Health Information (PHI) or identifiable patient data. Any clinical case discussed for academic purposes must comply with the Safe Harbor de-identification standard (18 direct identifiers removed). Any PHI leakage will be treated as a material breach and purged immediately; the offending User assumes 100% civil, criminal and administrative liability.

3. PURPOSES OF PROCESSING, USE OF INFORMATION AND AUTHORIZED SUBPROCESSOR MATRIX

3.1. Purpose Limitation Principle:

The Operator and IP Owner strictly adhere to purpose limitation. Personal and Sensitive Data collected will not be processed, sold, rented or commercialized in a manner incompatible with the original purposes. Your information is used exclusively, legitimately and proportionally for: Provision and performance of the service (Account creation, SSO/MFA, live streaming and VOD); Credential auditing (closed ecosystem); Transaction processing (billing, auto-renewal, tax receipts, refunds where applicable); Cybersecurity and business continuity (network monitoring, DDoS mitigation, fraud prevention, DRM enforcement); Continuous improvement and telemetry (traffic patterns, crash analytics, codec optimization); Legal and service communications (Terms updates, security alerts, payment receipts—these cannot be opted out due to their contractual nature).

3.2. Technology Subprocessor Matrix and Data Transfer (Authorized Third Parties):

To ensure technical viability, global scalability and security, the Operator relies on mission-critical technology subprocessors. By accepting this Policy you give express, prior and informed authorization for your information to be shared with the following categories, strictly on a need-to-know basis:

1. Cloud Hosting: Backend, databases and VOD library are hosted on AWS (or analogous enterprise providers). Data is encrypted in transit and at rest; no logical access to plaintext personal data.

2. Ultra-Low-Latency Streaming: Real-time video and Interactive Areas (chats) are supported by Agora Inc. Network telemetry and live interactions are processed by Agora solely for signal routing and QoS, in compliance with international privacy standards.

3. Identity and Medical Verification (KYC/AML): Document OCR, liveness checks and medical license validation are delegated to NOVACODIFY S.A.S. and its subcontractors under strict confidentiality; biometric and documentary data are processed ephemerally solely to issue a Pass/Fail verdict to the Operator.

4. Payment Gateways: Transactions are processed by PCI-DSS Level 1 certified entities (e.g. Stripe) and Apple/Google app store ecosystems.

3.3. Data Processing Agreements (DPAs) and Third-Party Restrictions:

The Fellowship Academy does not sell or monetize User personal data. Sharing with subprocessors listed in Section 3.2 does not constitute a Sale or Sharing under California CPRA or analogous laws. All subprocessors are bound by rigorous DPAs that expressly prohibit retention, use or disclosure of User Personal Data for their own marketing, cross-profiling or training their own AI models; they are limited to the Operator's documented instructions.

3.4. Mandatory Disclosure, Legal Requirements and Corporate Succession:

We reserve the right to disclose your personal information, including identity and activity records, to unaffiliated third parties (e.g. government authorities, medical boards, law enforcement) when the Operator determines in good faith and after rigorous legal analysis that disclosure is necessary to: (1) Comply with a subpoena, court order, warrant or binding legal requirement; (2) Investigate or act on suspected fraud, AML, patient privacy violations (PHI leakage) or serious IP infringement; (3) Protect the rights, property or physical and cybersecurity of The Fellowship Academy, its employees, presenting physicians or the public.

Change of Corporate Control (M&A): In the event of a merger, acquisition, restructuring, bankruptcy or sale of all or substantially all assets of The Fellowship Group Corp. or Fellowship Academy S.A.S., User Personal Data will constitute one of the business assets transferred to the successor or acquirer, subject to continuity of the protection obligations in this Policy.

4. CROSS-BORDER DATA TRANSFERS, SERVER LOCATION AND INTERNATIONAL SAFEGUARDS

4.1. Global Architecture and Express Transfer Consent:

The Fellowship Academy operates on a global cloud computing infrastructure designed for service resilience and ultra-low-latency transmission. The User acknowledges and accepts that their Personal Data, Sensitive Data (KYC Medical) and usage metadata will be transferred, transmitted, hosted and processed outside their country, state or province of residence.

By creating an Account and using the Platform, the User expressly, freely and irrevocably authorizes Fellowship Academy S.A.S. (Colombia) to export and transfer their data to The Fellowship Group Corp. (Delaware, U.S.) and to data centers operated by our authorized subprocessors located in the United States or other international jurisdictions.

4.2. Data Residency and Legislative Asymmetry:

The primary storage ecosystem and Master Databases of the Platform are physically located on secure servers within the United States.

The User is fully aware that privacy, data protection and government access laws in the U.S. (or other destination jurisdictions) may differ substantially and offer a different standard of protection than their jurisdiction of origin (including EU or Colombian regulations).

Notwithstanding this asymmetry, the Operator and IP Owner contractually guarantee that processing of transferred data will remain subject to the strict requirements and security measures in this Privacy Policy regardless of geographic location.

4.3. Legal Mechanisms and Safeguards for Transfer (Regulatory Approval):

To ensure lawful cross-border data flows and comply with Colombia Law 1581 Art. 26, GDPR Chapter V (Europe) and analogous regulations, The Fellowship Academy bases international transfers on: (1) Intra-Group DPAs between the commercial entity (Colombia) and the technology parent (Delaware) with strict confidentiality and exclusive processing; (2) Standard Contractual Clauses (SCCs) approved by the European Commission in DPAs with subprocessors where required; (3) Contractual necessity and consent—transfer is strictly necessary for performance of the service contract and you have given affirmative consent.

4.4. Supplementary Security Measures Post-Transfer:

In strict compliance with international cybersecurity standards (and in light of rulings such as Schrems II in the EU), all cross-border data flows are protected by Supplementary Security Measures, including military-grade encryption and strong cryptography for data in transit (TLS 1.3 or higher) and data at rest (AES-256). These technical measures are designed to prevent unauthorized interception by third parties or foreign government agencies during international transit.

5. DATA SUBJECT RIGHTS (ARCO / GDPR), PROCEDURES AND STRICT RETENTION POLICY

5.1. Consolidated Privacy Rights (ARCO, GDPR and CPRA):

In strict compliance with Colombia Law 1581 of 2012, the GDPR (Europe) and the CPRA (California), the Operator guarantees Users the free exercise of the following rights:

Access and Portability: Confirm whether we process your data, obtain a copy and, where technically feasible, request transmission to another controller in a structured, machine-readable format.

Rectification: Request correction of inaccurate, incomplete or outdated data (changes to medical credentials require re-validation via NOVACODIFY).

Opposition and Restriction: Object to processing for specific purposes or request temporary restriction while a legal challenge is resolved.

Erasure (Right to be Forgotten): Request deletion of your personal data from our active systems, subject to the critical exceptions and retention mandates in Section 5.3.

5.2. Request Procedure and Identity Authentication:

To exercise any of the above rights, the User (or a duly accredited legal representative) must send a formal written request to the Operator's Privacy and Compliance Officer at privacy@thefellowshipacademy.com.

Identity Verification: To prevent social engineering and identity impersonation, the Operator reserves the right to require reasonable additional information to verify the requester's identity before processing.

Response Times (SLAs): We will acknowledge and respond in accordance with mandatory deadlines in your jurisdiction. For Users in Colombia: (i) Access/information requests within ten (10) business days; (ii) Erasure or rectification requests within fifteen (15) business days (extendable once as permitted by law). For GDPR users, maximum thirty (30) calendar days for any request.

5.3. Exceptions to the Right of Erasure and Mandatory Retention (Data Retention Carve-outs):

The User expressly acknowledges that the Right of Erasure is not absolute. The Operator and IP Owner will retain, preserve and block access to certain categories of data even after an erasure request or Account termination, based on Compelling Legitimate Grounds and mandatory legal retention:

1. Tax, Accounting and Transactional Retention (10 Years): Billing history, subscription receipts, payment tokens and transaction identifiers retained for no less than ten (10) fiscal years under international tax and corporate regulations.

2. AML Compliance Retention (5 Years): Identity verification records (KYC Medical via NOVACODIFY) and Account-opening metadata retained for at least five (5) years for financial and health authority audit requirements.

3. Blacklisting and Fraud Prevention (Indefinite): If the User's Account was suspended or terminated for violating the Zero Tolerance Policy, IP piracy or PHI leakage, the Operator will indefinitely retain a cryptographic hash of email, ID document and IP (blacklisting) as a vital legitimate interest to prevent the offender from evading the sanction by creating a new Account.

4. Litigation and Limitation Periods: We will retain information reasonably necessary to exercise, defend or establish legal claims until applicable civil, criminal or administrative limitation periods have expired.

5.4. Data Blocking:

Once the legal retention periods in Section 5.3 have ended, or when a valid erasure request is granted, your personal data will be cryptographically destroyed or subjected to an irreversible mathematical anonymization process. Data retained by legal obligation will be logically "blocked"—accessible only to the Compliance Officer and solely to respond to competent authority requests.

6. INFORMATION SECURITY, DATA BREACH PROTOCOL AND RISK ALLOCATION

6.1. Technical and Organizational Security Measures (Industry Standard):

The Fellowship Academy recognizes the sensitivity of medical and financial profiling data. The Operator and IP Owner implement, maintain and continuously update an information security program based on enterprise-grade technical, administrative and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, accidental loss or unlawful destruction.

Cryptographic Encryption: All data transmission between your device and our cloud infrastructure is protected by strong encryption (TLS 1.3 or higher). Data at rest on our subprocessors' servers is encrypted under AES-256.

Logical Access Control: Internal access to your personal data is restricted under Least Privilege and Need-to-Know; employees, contractors and compliance officers must use MFA and sign rigorous NDAs.

6.2. No Absolute Security Warranty and Assumption of Risk:

Despite robust security protocols and ongoing audits, the nature of the internet and cyber threats (including zero-day exploits, ransomware and APT) prevents a guarantee of infallible security. CONSEQUENTLY, THE USER EXPRESSLY ACKNOWLEDGES THAT NO DATA TRANSMISSION OR CLOUD STORAGE SYSTEM IS 100% SECURE. ANY TRANSMISSION OF PERSONAL DATA OR MEDICAL DOCUMENTATION VIA THE PLATFORM IS AT YOUR OWN AND EXCLUSIVE RISK. To the maximum extent permitted by law, The Fellowship Group Corp. and Fellowship Academy S.A.S. disclaim all liability for breaches, interception or data theft resulting from cyber force majeure, malicious third-party attacks or vulnerabilities in our subprocessors' infrastructure.

6.3. Incident Response and Breach Notification:

In the unlikely event of a confirmed security incident compromising the confidentiality, integrity or availability of your unencrypted Personal Data (Data Breach), the Operator will activate its Incident Response Plan: (1) Notify competent supervisory authorities within the strict timeframes required by applicable law; (2) If the breach poses a high and imminent risk to your rights and freedoms (including identity theft or financial fraud), the Operator will notify you by email "without undue delay" as required by law, including the nature of the breach, data compromised, mitigation measures and recommendations to protect your identity.

6.4. Exclusive User Responsibility (End-User Security Compromise):

The Operator shall not be liable under any circumstances for unauthorized access to your Account or data leakage resulting from User negligence, including but not limited to: (i) use of weak, recycled or compromised passwords; (ii) falling victim to social engineering, phishing or spear-phishing; (iii) sharing access credentials with colleagues, residents or third parties; or (iv) accessing the Platform from insecure public Wi-Fi or malware- or keylogger-infected devices. Any activity from the User's account after compromise of their own credentials shall be legally attributable to the User.

6.5. Modifications to the Privacy Policy:

We reserve the right to modify this Privacy Policy at any time to reflect changes in our data practices, new legal requirements or integration of new subprocessors. Any material change will be notified in advance by prominent notice on the Platform or by email. Continued use of the Platform after such modifications take effect will constitute your acknowledgment and tacit acceptance of the updated Policy.