MERIDIAN GAMING COLOMBIA S.A.S. (hereinafter MERIDIAN), in compliance with Law 1581 of 2012, Regulatory Decree 1377 of 2013, and any other regulations that may supplement, amend or supersede these, in furtherance of its commitment to protect the personal data of its past, present, and future users, suppliers and workers, as well as of any individual from whom MERIDIAN obtains or processes personal information, has adopted this Personal Data Protection and Processing Policy (hereinafter, the "Policy"), the main purpose of which is to ensure compliance with the constitutional right of all persons to know, update, and rectify any information that has been collected about them by MERIDIAN in databases or files, or through its web platform or mobile application. The rules of this Policy apply to the processing of all personal information that MERIDIAN collects, stores, processes, uses or deletes.

It is likewise intended to make the Owners of the Personal Data aware of their rights and of the necessary channels for them to exercise such rights, among them: the rights to access, rectify, update, cancel and oppose the personal information that is processed by MERIDIAN, through queries or complaints, using the channels provided for such purpose in this Policy.

For the purposes of application of the Policy and in accordance with the provisions of the personal data protection regulations in Colombia, the following shall be understood:

Authorization: prior, express and informed consent of the Data Subject for the processing of personal data.

Privacy Notice: oral or written communication generated by the Data Controller, addressed to the Data Subject, for the processing of their Personal Data, by which they are informed about the existence of this Policy, the means to access it and the purposes of the processing that is to be given to such Personal Data.

Database: organized set of personal data that is to be processed. In this definition, the Database will be that stored in cloud computing services contracted by MERIDIAN, as well as that stored in MERIDIAN's servers, under strict information security rules and in compliance with the applicable regulations.

Service Channels: are the following means provided by MERIDIAN to receive inquiries, requests or claims regarding the Processing of Personal Data by MERIDIAN:

Via e-mail: protecciondatos@mozzartbet.com.co

Personal data: any information related to or which can be associated to one or several determined or determinable individuals.

Private data: is data which, due to its private or confidential nature, is relevant only to the data subject.

Public data: is data classified as such according to the legal mandates or the Political Constitution and that which is not semi-private, private or sensitive. Data relating to the marital status of individuals, their profession or occupation, their status as merchant or public servant and data that can be obtained without reservations are examples of public data. By its nature, public data may be contained in public records, public documents, official gazettes and journals, etc.

Sensitive data: is understood to be that which affects the privacy of the data subjects or that whose improper use may cause their discrimination, such as data that reveals the racial or ethnic origin, political beliefs, religious or philosophical convictions, membership in unions, social or human rights organizations, or organizations that promote the interests of any political party or ensure the rights and guarantees of opposition political parties, as well as data related to health, sex life, and biometric data.

Data Processor: individual or legal entity, public or private, which by itself or in association with others, carries out the processing of personal data for account of the Data Controller.

Data Controller: individual or legal entity, public or private, which by itself or in association with others, decides on the Database(s) and/or the Processing of data.

Technology Platforms: are the technological developments owned by MERIDIAN or its parent company, through which MERIDIAN offers its online betting services, under the applicable regulations of the Republic of Colombia. The Technology Platforms owned by MERIDIAN are: i) the mobile application "Mozzartbet", available for download in the Colombian territory through Android and Apple Store; and ii) the web platform https://mozzartbet.com.co/en#/betting

Data Subject: individual whose personal data are subject to processing. In the context of this Policy, the data subjects may be: i) MERIDIAN employees, ii) MERIDIAN contractors who are individuals, iii) users of the technology platforms developed by MERIDIAN and iv) all persons not related to MERIDIAN whose Personal Data are Processed.

Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation, update or deletion thereof.

Transfer: data transfer takes place when the Data Controller and/or Data Processor, located in Colombia, sends the information or the personal data to a receiver, who is in turn a Data Controller and is located within or outside the country.

Transmission: processing of personal data which involves their communication within or outside the territory of the Republic of Colombia when its purpose is the processing by the Data Processor for account of the Data Controller.

As established under Title II of Statutory Law 1581 of 2012, the protection of Personal Data shall be governed by the harmonious and integral application of the following principles:

Principle of legality in the processing of personal data: MERIDIAN shall at all times process Personal Data in accordance with the provisions established by law.

Principle of purpose: Personal Data shall be processed only for the purposes for which they have been previously authorized by their Data Subject.

Principle of freedom: the Processing of Personal Data by MERIDIAN may only be carried out with the prior, express and informed consent of the Data Subject.

Principle of veracity: the information subject to Processing must be true, complete, accurate, current, verifiable and comprehensible by the Data Subject.

Principle of transparency: Data Subjects may always request MERIDIAN to provide information about their Personal Data that is being processed.

Principle of security: MERIDIAN has the strictest levels of information security, and has implemented the necessary technical and administrative measures to provide security for Personal Data, with a technical, administrative and legal team that prevents the adulteration, loss, consultation, unauthorized or fraudulent use or access of this data.

Principle of confidentiality: MERIDIAN requires all natural and/or legal persons involved in the Processing of Personal Data to guarantee the confidentiality of the information, even after the end of their relationship.

Principle of restricted circulation and access: MERIDIAN restricts access to the Databases only to people who know and understand the data protection culture, have been authorized, have signed a confidentiality agreement and require this information to fulfill the purposes for which the Processing is carried out.

Privacy commitment: From its senior management to all associates in the organization, MERIDIAN is committed to the confidentiality and privacy of the personal information that is stored in its Databases, which have the highest security standards, with access restrictions established for each case and not available to the public at any time. It thus guarantees its Data Subjects the protection of their information under strict security conditions that prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access, as well as internal policies and practices that contribute to a safe environment for the information.

MERIDIAN has manuals and protocols for handling and protection of the information in each of the Databases under its control and management, which are made available to the personnel in charge, so that the person handling the information is aware of the security standards under which the Processing must be done.

Likewise, MERIDIAN requires its employees, its parent company, its contractors and all users of its technological platforms to comply with this Policy and with the applicable regulations, in order to guarantee to individuals that their Personal Data will be protected at all times and used only for the purposes authorized by them.

Collection of Personal Data: Personal Data is collected by MERIDIAN through any of the following means:

- Through delivery of their Personal Data by MERIDIAN users, via the mobile application "Mozzart Bet", property of Mozzart, so that they can access the betting services offered by MERIDIAN.

- By creating a user and password on the betting web platform owned by Mozzart, which is accessed through: https://mozzartbet.com.co/en#/betting

- Through the exchange of emails.

- Through candidate resumes.

- In the course of job interviews.

- Through the remittance of information by headhunters companies to which the Data Subjects have provided the data.

- Through affiliation forms to the EPS, ARL and other entities of the General Social Security System.

- Through an employment or service contract.

- Through events carried out by MOZZART

- Through Transmission or Transfer by MOZZART's strategic allies.

- Through the use of entry lists of people to MOZZART's facilities.

- By sending or receiving service offers.

- By sending or receiving service portfolios.

- Through meetings or telephone communications.

Start and end of information processing: MERIDIAN guarantees that it only processes the personal information of those persons who have previously and expressly authorized the Data Controller to carry out such Processing. MERIDIAN and/or the Data Controller shall keep a true copy of the authorization so that, if and when appropriate, the Data Subject may request its revocation and the immediate deletion of the information.

Without prejudice to the application of this Policy to any Personal Data stored in MERIDIAN Databases, MERIDIAN will not be obliged to request the authorization of the Data Subject in the following cases:

i) for information required by a public or administrative authority in the performance of its statutory tasks or pursuant to a court order;

ii) in the case of data of a public nature;

iii) in cases of medical or health emergency;

iv) where the processing is authorized by law for historical, statistical or scientific purposes;

v) in the case of data relating to the civil status of individuals.

Purpose of the processing: the purpose of the Processing of Personal Data by MERIDIAN is:

i) to carry out MERIDIAN's corporate purpose;

ii) to fulfill the existing contractual relationship with its users, suppliers, workers and candidates;

iii) so that users of MERIDIAN's Technology Platforms can receive MERIDIAN's services and promotions;

iv) to create and access accounts that allow MERIDIAN users to access MERIDIAN services, through its Technology Platforms;

v) to inform about new products marketed and/or services provided by MERIDIAN;

vi) to evaluate the quality of service, carry out satisfaction campaigns and monitor its products and/or service provision;

vii) to carry out statistical studies;

viii) to send communications by physical or electronic mail, mobile devices, or through any other analog and/or digital means of communication;

ix) to maintain an efficient communication of information that is useful in MERIDIAN's contractual links;

x) to conduct the selection, evaluation, and job placement process;

xi) to comply with the obligations to MERIDIAN workers in relation to the payment of salaries, fringe benefits and others established in the employment contract;

xii) to carry out verification in credit bureaus; xiii) to support internal or external audit processes;

xiii) to assess the quality of services provided by workers; xiv) to carry out internal studies on workers' habits for corporate well-being programs;

xiv) to carry out internal studies on workers' habits for corporate well-being programs;

xv) to carry out accounting processes;

xvi) for emergency contact;

xvii) to keep backup information of employees and/or pensioners (active and inactive);

xviii) to provide, share, send or deliver personal data to MERIDIAN's subsidiaries, affiliates or subordinate companies, located in Colombia or any other country, in the event that these companies require the information for the purposes indicated herein;

xix) to comply with MERIDIAN's obligations before government entities such as DIAN, Coljuegos, and others; and

xx) to transfer or transmit Personal Data domestically or internationally to providers with which MERIDIAN carries out cloud computing activities in furtherance of its corporate purpose.

For better control and security of the Data Subject, MERIDIAN agrees to inform, in the request for authorization for Processing of the information, the specific purpose for which the personal data is collected, stored or used, which will depend on your status as employee, customer, user or supplier of MERIDIAN.

Access to information: In furtherance of the mentioned purposes and/or those that are expressly indicated in the request for authorization for the Processing, the information stored in MERIDIAN's Databases may be accessed by authorization through passwords by workers of MERIDIAN or its parent company that are directly related to the mentioned purpose.

MERIDIAN does not share, sell or hand over Personal Data stored in its Databases to third parties not related to MERIDIAN. However, and when the purpose requires it, personal information may be lawfully transmitted or transferred to MERIDIAN's parent company, business partners or service providers, to fulfill specific contractual or commercial objectives. In these cases, MERIDIAN guarantees compliance with the rules related to Data Transfer and/or Transmission, especially with respect to the countries to which such operations are carried out for the storage of Personal Data, ensuring that they have adequate levels of data protection and are endorsed by the competent authorities.

In any of these events, MERIDIAN undertakes to take all pertinent measures so that the Processing of Personal Data by its commercial partners or service providers is carried out in strict compliance with our Policy.

Processing of information in each case: The specific terms and conditions of the Processing of Personal Data contained in MERIDIAN's Databases are documented in each of the contracts signed with the data subjects, suppliers, and/or users, and in those cases where it is not required, in the request for authorization for processing of the information. These terms and conditions include a general description of how MERIDIAN may use and disclose each Data Subject's information. Therefore, when a provider, user or worker signs the corresponding contract or accepts the privacy notice, it is understood that they are giving their prior, express and informed consent for MERIDIAN to process their information, as in the case of requests for authorization to process the information.

Information update request: In compliance with the principles that govern the Processing of Personal Data, MERIDIAN undertakes to make its best efforts to ensure that the information contained in its Databases is accurate, complete and current. To this end, MERIDIAN may request its users, suppliers and workers to update their personal information on a permanent basis.

The Data Subjects of the Personal Data that are in MERIDIAN's Databases shall have the following rights:

a) To know, update and rectify their Personal Data.

b) To request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the Processing.

c) To be informed by MERIDIAN, upon request, about the use of their personal data.

d) To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that amend, add to or supplement it.

e) To revoke the authorization and/or request the suppression of their data when the Processing does not observe the constitutional and legal principles, rights and guarantees

f) To access, free of charge, their personal data that has been processed.

Consent and authorization by the Data Subject is a constitutional and legal requirement that must be fulfilled by the Personal Data Controller. The authorization must meet the following requirements:

Prior: Authorization must be given before commencing the Processing.

Express: Authorization must be given unequivocally, clearly and specifically.

Informed: The Data Subject must clearly understand what his/her personal data will be processed for and the effects that may derive from their processing.

In order to comply with the foregoing premises, MERIDIAN has established the following modalities to obtain the authorization, which will be applied depending on the relationship between the Data Subject and MERIDIAN:

a) By filling out and signing the physical form

b) By authorizing, when entering any of the Platforms owned by MERIDIAN (website, mobile application), the notice of privacy that must be read and accepted in order to access them.

Notwithstanding the above, in those cases where MERIDIAN is not the Personal Data Controller, within the framework of a commercial relationship, it will be the obligation of the Personal Data Controller to obtain the authorization of the Data Subject, in compliance with this Policy and the applicable regulations, also having to inform the Data Subject in such authorization that:

(i) MERIDIAN will store his/her Personal Data in the cloud computing services contracted by it within or outside the country, and

(ii) in the events where Sensitive Data are processed, inform which Sensitive Data will be processed and that he/she not obliged to give his/her consent.

In furtherance of the constitutional guarantee regarding rights of access, update, rectification and suppression of Personal Data by Data Subjects, their assignees, legal representatives and/or attorneys-in-fact, MERIDIAN has service channels for Data Subjects.

All communications, queries, complaints and/or claims must be addressed to the Personal Data Protection Officer via e-mail at the following e-mailaddress: protecciondatos@mozzartbet.com.co

MERIDIAN may only deliver information contained in its Databases to:

a) The Data Subjects, their assignees or their legal representatives;

b) Public or administrative entities in the performance of their legal duties or by court order;

c) Third parties authorized by the data subject or by law.

MERIDIAN reserves the right to request additional documentation in order to verify the capacity of the person requesting the information.

Requests, queries or claims may be submitted through a document with the characteristics described in each case, and sent through any of the Service Channels indicated below.

- Queries

Regarding the right to submit requests for information and/or queries, MERIDIAN shall answer these within a maximum of ten (10) working days from the day following the date of receipt of the request or query in compliance with this procedure.

When it is not possible to reply to the request within this term, the interested party will be informed accordingly, indicating the reasons for the delay and indicating the date when it will be attended to, which may in no case exceed five (5) working days from the expiration of the first term. The query document must contain the following:

a) Name and identification number of the Data Subject.

b) Copy of the Data Subject's identity card.

c) Full description of the query.

d) Address and contact details of the consulting party.

In case the successor of a Data Subject files the query, he/she must attach the following:

a) Name and identification number of the Data Subject.

b) Copy of the successor’s identity document.

c) Copy of the death certificate of the Data subject

d) Document certifying the capacity in which the successor is acting.

e) Copy of the data subject's identity document.

f) Full description of the query.

g) Address and contact details of the consulting party.

In the case of the legal representative and/or attorney-in-fact of a Data subject, he/she must present:

a) Name and identification number of the Data Subject.

b) Copy of the identity document of the legal representative of the Data Subject.

c) Document evidencing the capacity in which he/she acts (power-of-attorney, certificate of existence and legal representation issued by the respective Chamber of Commerce).

d) Copy of the data subject's identity document.

e) If the principal is a minor, the representative or guardian must present the minor’s identity card and/or birth certificate and the document evidencing his/her capacity.

f) Full description of the query.

g) Address and contact details of the consulting party.

Complaints and/or claims

When the Data Subject deems that his/her information should be corrected, updated or suppressed or when he/she is aware of an alleged breach of any of his/her rights, the maximum term for MERIDIAN to address the complaint or claim will be fifteen (15) working days from the day following the date of receipt of the document. When it is not possible to respond to the claim within said term, the interested party shall be informed accordingly, stating the reasons for the delay and indicating the date when the claim will be answered, which may not exceed, in any event, eight (8) working days following the expiration of the first term. If the claim is incomplete, the interested party will be requested, within five (5) days of receipt of the complaint and/or claim, to correct the deficiencies. If two (2) months after the date of the request the petitioner has not submitted the required information, it shall be understood that he/she has abandoned it.

The complaint or grievance document must contain:

a) Name and identification number of the Data Subject.

b) Copy of the data subject's identity card

In case a Data Subject's successor files the complaint and/or claim, he/she must attach:

a) Name and identification number of the Data Subject.

b) Copy of the Data Subject's identity card

c) Copy of the identity document of the successor.

d) Copy of the death certificate of the Data Subject.

e) Full description of the query.

f) Address and contact details of the consulting party.

g) Document certifying the capacity in which he/she acts.

In the case of a legal representative and/or attorney-in-fact:

a) Name and identification number of the Data Subject.

b) Copy of the Data Subject's identity document.

c) Copy of the identity document of the legal representative

d) Document evidencing the capacity in which he/she acts (power of attorney, certification).

e) If the principal is a minor, the representative or guardian must present the identity card and/or birth certificate of the minor and the document that proves his/her capacity.

f) Description of the facts giving rise to the claim and/or complaint.

g) Purpose being sought.

h) Address and contact details of the claimant.

Any person will be entirely free not to authorize MERIDIAN to Process their Personal Data. Without prejudice to the foregoing, in the event that former, current or future suppliers, users or workers do not authorize or revoke their authorization for the processing of their Data, MERIDIAN may refrain from initiating a contractual relationship or from continuing to provide benefits to this person.

In this regard, MERIDIAN shall not be liable for pre-contractual or contractual breach, or for the assignment of particular benefits to which third parties with whom MERIDIAN constantly communicates may have access, as a consequence of the non-authorization or revocation of authorization for the Processing of Personal Data.

MERIDIAN understands that the Processing of Personal Data of children or adolescents is prohibited, except for data of a public nature. Therefore, it is our policy not to collect data from individuals under 18 years of age, except when their representative authorizes the Processing, in which case MERIDIAN will take into account:

a) Respect for the best interests of children and adolescents.

b) Respect for their fundamental rights.

c) The child's opinion will be taken into consideration when he/she has the proper capacity and autonomy to understand the issue.

In any case, it will be the responsibility of the legal representatives of children and adolescents to grant authorization to proceed with the Processing of the Personal Data of minors. If the representative does not give his or her authorization, the data will not be processed and no relationship will be established between MERIDIAN and the minor.

The Data Subject understands and accepts that, due to MERIDIAN's corporate purpose, it needs to process Sensitive Data, and MERIDIAN commits to do so only when strictly necessary, in which case it will take into account:

a) The need to inform the Data Subject that since it is sensitive information, he/she is not obliged to authorize its processing.

b) The need to inform the data subject explicitly and in advance, in addition to the general requirements of authorization for the collection of any type of Personal Data, that the data to be processed is sensitive and the purpose of the processing.

c) Increase security measures for Sensitive Data, through restrictions, encryption and other measures available to MERIDIAN to provide greater security to this data.

In the event that MERIDIAN needs to collect and process Sensitive Data, it will not carry out any processing without the prior, informed and express authorization of the Data Subject, except in cases where the granting of such authorization is not required by law and one of the following exceptions is present:

a) When the Processing is necessary to safeguard the Data Subject's vital interest and he/she is physically or legally incapacitated.

b) When the Processing is carried out in the course of lawful activities and with due guarantees by a foundation, NGO, association or any other non-profit organization whose purpose is political, philosophical, religious or trade unionrelated, provided that such activities relate exclusively to their members or persons who have regular contact on account of their purpose, in which case the data may not be supplied to third parties without the authorization of the Data Subject.

c) When the Processing refers to data that are necessary for the recognition, exercise or defense of a right in legal proceedings.

d) When the Processing has a historical, statistical or scientific purpose. In this case, measures leading to the suppression of the Data subject's identity must be adopted.

e) When the Processing is carried out in compliance with a public or administrative order in the exercise of its legal functions or by court order.

MERIDIAN keeps a record of information related to workers, suppliers or users during and after the termination of the contractual relationship. These records may include personal data, which, after the contractual termination, will be kept for a reasonable period of time until the information contained therein is no longer required in order to comply with legal, administrative, audit or regulatory requirements.

MERIDIAN may share the Personal Data information with any third parties that may be necessary for the performance of its activities and corporate purpose, always protecting the rights and information of the Data Subject.

The Transmission or Transfer of Personal Data that takes place shall observe the rules provided for such purpose by the applicable regulations and the supervisory authority, especially the following:

- In the case of domestic transmissions or transfers of personal data, MERIDIAN will ensure compliance with the requirements of the data protection legislation in force and the protection measures taken by the Data Processor or the new person in charge, as the case may be.

- In the case of an international transfer, it must make sure that the recipient country of the Personal Data will provide adequate levels of protection, in the manner established by the competent authority in Colombia, so that it may issue the declaration of conformity referred to in the first paragraph of Article 26 of Law 1581 of 2012 and in Circular 05 of 2017 issued by the Superintendence of Industry and Commerce.

When the recipient country does not meet appropriate data protection standards, the Transmission or Transfer will be prohibited unless one of the following legal exceptions is present:

a) If the Data Subject has given express and unequivocal authorization for the Transfer or Transmission of Data.

b) Exchange of data of a medical nature, when required by the treatment of the Data Subject for health and public hygiene reasons.

c) Bank or stock exchange transfers, in accordance with the applicable legislation.

d) Transfers agreed under the framework of international treaties to which Colombia is party, based on the principle of reciprocity.

e) Transfers required for the performance of an agreement between the Data Subject and the Data Controller, or for the performance of precontractual measures, provided authorization has been obtained from the Data Subject.

MERIDIAN states that any substantial change in this Policy will be promptly communicated through its website https://mozzartbet.com.co/en#/betting and we therefore suggest that it be frequently consulted.

This Policy shall be in effect as of September 19, 2019, for an indefinite term.