Personal data protection and processing policy

1. Institutional Presentation and Policy Objective

1.1 Legal Nature and Educational Principles 

Genuine School is an educational institution operated by Genuine Lab Inc., identified under EIN 30-1284629, with headquarters in the United States and international operations. The institution serves students between the ages of 7 and 18 across Elementary, Middle, and High School levels through a digital academic model focused on entrepreneurship, innovation, and technology. This model is designed to be global, secure, and respectful of the rights of minors and their families. 

As an institution committed to holistic education, pedagogical innovation, and the ethical use of technology, we recognize that the protection of personal data is a fundamental component of our relationship with students, families, staff, suppliers, and other stakeholders. 

1.2 Commitment to Personal Data Protection 

Genuine School declares its institutional commitment to respecting, protecting, and appropriately managing the personal data of all individuals involved in its educational activities. This commitment is reflected in the implementation of appropriate technical, organizational, and legal measures to ensure compliance with the principles of lawfulness, transparency, security, confidentiality, data minimization, and accountability in the processing of personal data. 

1.3 General Objective of this Policy 

The objective of this policy is to establish the guidelines, principles, obligations, and rights that govern the processing of personal data at Genuine School, in accordance with applicable national and international data protection laws, including the General Data Protection Regulation (GDPR – European Union), Law 1581 of 2012 (Colombia), the Brazilian Data Protection Law (LGPD – Brazil), the Children’s Online Privacy Protection Act (COPPA – United States), and the Family Educational Rights and Privacy Act (FERPA – United States), as well as recognized international best practices in the education sector. 

1.4 Material, Personal, and Territorial Scope 

This policy applies to: 

  • All personal data collected, stored, processed, transmitted, transferred, used, or deleted in connection with Genuine School’s academic, administrative, contractual, or promotional activities; 
  • All data subjects, including students, parents or legal guardians, teachers, administrative staff, contractors, suppliers, candidates, and external users who interact with the institution; 
  • All processing activities carried out through platforms, tools, or technology providers engaged by the institution (such as Microsoft, Amazon, BUK, or Meta), regardless of their geographic location; 
  • In general, all personal data processing activities conducted within the context of Genuine School’s educational operations, regardless of the country from which the service is accessed or received. 

2. Applicable Regulatory Framework 

2.1 International and National Standards of Reference 

Genuine School, although legally domiciled in the United States, has adopted the European General Data Protection Regulation (GDPR – EU Regulation 2016/679) as the primary and guiding framework for its personal data protection system, due to its strong protective approach, extraterritorial applicability, and alignment with international standards on fundamental rights. 

Additionally, this policy incorporates the following regulations, which apply depending on the type of data subject, their country of residence, or the specific nature of the processing: 

  • Children’s Online Privacy Protection Act – COPPA (USA): Regulates the processing of personal data of children under 13 years of age, particularly when using digital platforms hosted or processed on US servers. 
  • Family Educational Rights and Privacy Act – FERPA (USA): Applies to educational records and the access rights of students or their legal representatives when linked to educational services hosted or contracted from the United States. 
  • Law 1581 of 2012 and Decree 1377 of 2013 (Colombia): Applies when processing the data of Colombian citizens, engaging in local contractual operations, or ensuring compliance with national regulations. 
  • Brazilian Data Protection Law – LGPD (Brazil, Law 13.709/2018): Applies to processing involving data subjects in Brazil or to operations carried out within the country. 

Legal Precedence and Regulatory Alignment 

For interpretation and operational purposes, the GDPR (EU Regulation 2016/679) is regarded as the primary regulation, while other applicable laws are considered complementary. These will be applied in situations where: 

  • A jurisdiction imposes stricter or more detailed requirements; 
  • The data subject is domiciled in a specific country; or 
  • The nature of the data or the technological platform necessitates their application. 

2.2 Guiding Principles of Processing 

Genuine School shall ensure that all personal data processing activities comply with the following principles: 

  • Lawfulness, fairness, and transparency 
  • Purpose limitation 
  • Data minimization 
  • Accuracy and updating 
  • Storage limitation 
  • Integrity and confidentiality 
  • Accountability 

These principles, as set out in Article 5 of the General Data Protection Regulation (GDPR) and reflected in other applicable data protection laws, form the legal and ethical foundation for all personal data processing activities carried out by the institution. 

Definitions
For the purposes of this policy, and in accordance with Article 4 of the General Data Protection
Regulation (GDPR – EU Regulation 2016/679), Law 1581 of 2012 (Colombia, Article 3), the Brazilian
Data Protection Law (LGPD – Law 13.709/2018, Article 5), and other applicable regulations, the
following definitions apply:

  • Personal Data: Any information that allows the direct or indirect identification of a natural
    person. Examples include names, identification documents, IP addresses, email addresses,
    images, identifiers used in educational platforms, and voice recordings, among others. (Art. 4(1)
    GDPR / Art. 3(c) Law 1581 / Art. 5(I) LGPD)
  • Sensitive Personal Data: Personal data revealing racial or ethnic origin, health data, sexual
    orientation, religious or philosophical beliefs, biometric data, political opinions, or other
    information that may affect the data subject’s privacy or lead to discrimination if misused. (Art.
    9 GDPR / Art. 3(d) Law 1581 / Art. 5(II) and (XI) LGPD).
  • Personal Data of a Minor: Personal data relating to a child or adolescent. Enhanced protection
    measures apply to individuals under 18 years of age, and particularly to those under 13 in online
    environments, in accordance with GDPR Article 8, COPPA (Sections 1302 and 1303), FERPA
    (Section 1232g), and Article 7 of Law 1581.
  • Data Subject: The natural person to whom the personal data relates. In the case of minors,
    rights shall be exercised by their parents or legal guardians. (Art. 4(1) GDPR / Art. 3(e) Law 1581
    / Art. 5(V) LGPD).
  • Data Controller: The legal entity (in this case, Genuine Lab Inc.) that determines the purposes
    and means of personal data processing. (Art. 4(7) GDPR / Art. 3(f) Law 1581 / Art. 5(VI) LGPD)
  • Data Processor: A natural or legal person that processes personal data on behalf of the data
    controller. Examples: contracted platforms, technology providers, and service operators. (Art.
    4(8) GDPR / Art. 3(g) Law 1581 / Art. 5(VII) LGPD)
  • Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s
    wishes by which they signify agreement to the processing of their personal data. In the case of
    minors, consent shall be provided by their legal representative and must be verifiable. (Art.
    4(11) and 7 GDPR / Art. 7 Law 1581 / Art. 5(XII) and Art. 8 LGPD / COPPA Sec. 1303)
  • Data Processing: Any operation or set of operations performed on personal data, such as
    collection, storage, use, transmission, or erasure, among others. (Art. 4(2) GDPR / Art. 3(g) Law
    1581 / Art. 5(X) LGPD).
  • Personal Data Breach: A breach of security leading to the destruction, loss, alteration,
    unauthorized disclosure of, or access to personal data. (Art. 4(12), 33 and 34 GDPR / Art. 48
    LGPD).

Data Controllers and Institutional Governance 

Genuine School has established a clear and proactive governance structure to ensure the protection of personal data, integrating defined roles, responsibilities, and oversight mechanisms in accordance with the principle of accountability and proactive responsibility set out in the General Data Protection Regulation (GDPR – Articles 5(2) and 24). 

2.3 Data Controller 

The responsibility for the processing of personal data collected in the context of Genuine School’s academic, administrative, or contractual activities lies with: 

Genuine Lab Inc.  

Registered address: United States 

Legal representative: Marcello Friedemann  

In accordance with Article 4(7) of the GDPR, Genuine Lab Inc. acts as the data controller, determining the purposes and means of personal data processing, and assumes the responsibility to ensure lawfulness, security, transparency, and respect for the rights of data subjects. 

2.4 Data Protection Officer (DPO) 

Genuine School has formally appointed a Data Protection Officer (DPO) in accordance with Article 37 of the GDPR, who shall be responsible for: 

  • Overseeing the implementation of this policy and ensuring compliance with applicable data protection laws. 
  • Managing inquiries, complaints, and requests submitted by data subjects or their legal representatives. 
  • Acting as the primary point of contact with national and international supervisory authorities. 
  • Supporting the execution of Data Protection Impact Assessments (DPIAs) and conducting internal audits or reviews related to personal data processing. 

Appointed DPO: 

Name: Natalia Arce Archbold 

ID: 53.123.390 

Email: legal@genuinelab.us 

2.5 Information Security Committee 

Genuine School has established an Information Security Committee responsible for: 

  • Evaluating and responding to information security incidents. 
  • Coordinating institutional reviews and continuous improvement actions. 
  • Validating preventive strategies and approving impact assessments, when applicable. 

This committee is composed of representatives from the academic, technological, administrative, and data protection areas. 

2.6 Processors and Authorized Third Parties 

Any platform, provider, or strategic partner that processes personal data on behalf of Genuine School shall: 

  • Be formally bound by confidentiality and security agreements or clauses. 
  • Comply with applicable data protection requirements in the relevant jurisdiction. 
  • Cooperate with the institution in the event of incidents or audits. 

2.7 Review, Update, and Version Control 

This policy will be reviewed regularly, at least once a year, and also whenever any of the following situations arise: 

  • Changes in applicable regulations related to personal data protection, information security, or privacy. 
  • Implementation, modification, or adoption of new technologies, platforms, providers, or processing activities that affect the scope of this policy. 
  • Occurrence of information security incidents, personal data breaches, or other relevant events requiring review. 
  • Findings, observations, or recommendations resulting from internal or external audits or regulatory reviews. 

All revisions and updates to this policy shall be coordinated by the Data Protection Officer (DPO), in conjunction with the Information Security Committee, ensuring alignment with the Information Security Management System (ISMS), applicable regulations, and the principles of continuous improvement. 

Each update shall be properly documented through a version control table to ensure the traceability, integrity, and validity of the document, including at least the following information: 

| Version | Effective Date | Responsible Party | Changes Made |
| --- | --- | --- | --- |
| V2.0 | April 10, 2026 | Natalia Arce Archbold | Adjustment and alignment of the policy with the European General Data Protection Regulation (GDPR) |

Categories of Data Processed 

2.8 By Data Subject Type 

Genuine School collects, stores, and processes personal data from various groups of data subjects, including individuals currently affiliated with the institution and those involved in preliminary processes (such as admission, selection, or initial contact). These categories include: 

  • Students and Prospective Students: Minors between 7 and 18 years of age who are enrolled or in the admissions process, as well as adult students enrolled at Genuine. Academic, family, health, platform usage, institutional participation, and holistic development data are processed. 
  • Parents, Guardians, or Legal Representatives (including prospective): Individuals with legal responsibility or guardianship of current or prospective students. Identifying data, contact details, electronic signatures, parental relationship information, residential address, and verifiable consent records are processed. 
  • Employees, Teachers, Administrative Staff, and Contractors: Individuals contractually engaged with the institution, including temporary teachers, evaluators, and operational personnel. Contractual, performance, compliance, and well-being data are processed. 
  • Suppliers, Strategic Partners, and External Stakeholders: Natural or legal persons providing services to the institution, including technology providers, legal advisors, and wellness service providers. Contractual, regulatory compliance, and contact data are collected. 
  • Candidates in Selection Processes (teachers, administrative staff, interns): Applicants for institutional positions, whose data is processed during stages such as pre-selection, assessments, interviews, medical evaluations, or background checks. 
  • Website Visitors, Users of Forms, Virtual Events, or Campaigns: Individuals who interact with Genuine School through digital channels, including websites, academic fairs, contact forms, social media, surveys, or promotional campaigns. Browsing data, identification data, location data, submitted form data, and educational preferences are processed. 

Additionally, Genuine School may receive personal data from prospective students and their families through strategic partners, educational advisors, or partner institutions, which shall ensure that prior, informed, and verifiable consent has been obtained from the data subjects for the transfer of such information. 

2.9 By Type of Data Collected 

In accordance with Articles 4.1 and 9 of the GDPR, Article 3 of Law 1581, the LGPD (Articles 5, II and XIII), and the functional analysis carried out in the ISMS, the types of data processed by Genuine School include, among others, the following: 

| Data Type | Examples |
| --- | --- |
| Identifying Data | Name, surname, ID number, date of birth, email address, phone number |
| Academic Data | Academic records, grades, curricula, submissions, and feedback, among others |
| Technological / Digital Traceability Data | IP addresses, login records, platform interactions, and MAC addresses |
| Communication Data | Chats, institutional emails, internal LMS messages |
| Family Data | Relationship details, names, and contact information of guardians |
| Images and Voice Data | Photographs, recordings, participation in classes or virtual events |
| Commercial and Educational Guidance Data | Records generated from admissions and guidance interactions, including internal notes, expressions of interest, educational expectations, or financial information voluntarily shared by families during the admission process. |
| Employment and Contractual Data | CVs, contracts, evaluations, performance reviews |
| Health and Well-being Data | Medical certificates, special needs, and institutional follow-ups |
| Sensitive Data | Religion, sexual orientation, medical condition, biometric data, background checks |
| Data of minors (specially protected) | Identifying, academic, family, medical, behavioral data, platform traceability, institutional participation, and other data relating to individuals under 18 years of age. This data shall be processed with enhanced security measures, verifiable consent where required, and in accordance with applicable child protection regulations and international standards. |

2.10 By Sensitivity Level (Institutional ISMS Classification) 

In accordance with Annex 1 – Functional Sensitivity Levels, and based on the principle of data minimization (Art. 5.1.c GDPR), Genuine School internally classifies the personal data it processes into three levels of sensitivity: 

| Classification Levels | Brief description |
| --- | --- |
| Level 1 – Public | Institutional information that has been legitimately disclosed in a controlled manner and whose access does not pose significant risks to confidentiality, privacy, or overall information security. This classification does not apply to personal data of minors, unless explicit, informed, and verifiable consent has been obtained from the data subject or their legal representative. It also does not apply to standard personal data of adults without proper consent, nor to internal institutional information, which may only be disclosed with prior express written authorization from Genuine School. |
| Level 2 – Confidential | Includes standard personal data of adults, as well as Genuine School’s internal or strategic documents that do not contain sensitive data or information related to minors. The unauthorized disclosure, access, or use of this information could negatively impact operations, regulatory compliance, or the institution’s reputation. |
| Level 3 – Restricted | Includes personal data of minors, sensitive personal data of adults, and any information of a criminal, judicial, or highly sensitive institutional nature. Unauthorized access, disclosure, or misuse of this information may result in serious legal, reputational, operational, and ethical consequences for both the individuals involved and for Genuine School. |

This classification guides the technical and organizational measures implemented to protect personal data, in accordance with the principles of proportionality and risk-based approach. 

Purposes of Processing 

2.11 Academic, Administrative, Contractual, Technological, and Promotional Purposes 

Genuine School collects and processes personal data solely for legitimate, explicit, and specific purposes, in accordance with the principles of purpose limitation and data minimization established in Article 5(1)(b) and (c) of the General Data Protection Regulation (GDPR), as well as Article 4 of Law 1581 of 2012 (Colombia). 

The main institutional purposes are: 

A. Academic and Training Purposes 

a. To manage the admission, validation, and enrollment process for national and international students, from the receipt of applications and verification of requirements to the formalization of enrollment and course allocation. 

b. To manage academic progress, including attendance, assessments, leveling courses, and performance reports, ensuring continuous monitoring of learning outcomes. 

c. To design and adapt pedagogical strategies based on the needs, abilities, and individual context of each student, applying principles of personalized learning and differentiated support. 

d. To record and document student well-being processes, academic guidance, and psychosocial support, in support of holistic student development. 

e. To issue, validate, and safeguard certificates, transcripts, and academic qualifications, ensuring their authenticity and traceability. 

f. To enable access, navigation, and activity tracking within digital learning platforms (LMS), in order to measure interaction, progress, and use of educational resources. 

Within the scope of its educational mission and in accordance with the principle of the best interests of the child, Genuine School processes personal data to carry out its academic and support functions, in accordance with Article 6(1)(e) of the General Data Protection Regulation (GDPR), Law 1581 of 2012 (Colombia), the LGPD (Brazil), and the applicable educational principles in each jurisdiction. 

B. Administrative and Legal Purposes 

g. To manage contractual relationships with teachers, suppliers, collaborators, and third parties, from the initiation of the relationship through its termination. 

h. To carry out recruitment and engagement processes, whether employment-based or service-based, including verification of judicial, disciplinary, academic, and employment background, as well as the performance of occupational medical examinations where required by law. 

i. To comply with legal and regulatory obligations arising from educational, labor, tax, fiscal, or data protection regulations in each jurisdiction where Genuine School operates or uses technological platforms. 

j. To maintain the traceability of internal operations and decision-making processes as part of institutional control and accountability. 

k. To respond to formal requests from judicial, administrative, or supervisory authorities, providing information as legally required, subject to prior verification of their validity. 

C. Technological, Security, and Risk Management Purposes 

l. To control and log access to platforms, systems, facilities, and digital resources in order to prevent intrusions and unauthorized access. 

m. To implement monitoring and detection mechanisms for cybersecurity incidents, perform regular backups of critical information, and apply personal data breach response procedures. 

n. To develop and implement physical and occupational security measures, including access control to facilities, evacuation procedures, health protocols, and occupational risk prevention. 

o. To analyze usage, performance, and availability metrics of institutional platforms, with the aim of optimizing the quality of educational services and technological infrastructure. 

D. Purposes Related to the Exercise of Data Subject Rights 

p. To receive, manage, and respond to requests, complaints, claims, suggestions, and inquiries submitted by data subjects or their representatives. 

q. To process requests related to the exercise of data subject rights, including access, rectification, erasure, objection, and data portability, ensuring responses within the timeframes and conditions established by applicable regulations. 

E. Archiving, Retention, and Statistical Purposes 

r. To retain personal data and documents for the periods required by applicable laws, contractual obligations, or internal policies, in order to comply with academic, administrative, tax, labor, or legal requirements. 

s. To maintain historical, statistical, or educational research records, applying anonymization or pseudonymization techniques where appropriate to protect the identity of data subjects. 

F. Staff Training and Development Purposes 

t. To manage training, professional development, and continuing education programs for faculty, administrative staff, and contractors. 

u. To evaluate staff performance, competencies, and results to ensure academic quality and continuous improvement in institutional processes. 

G. Quality Control and Audit Purposes 

v. To conduct internal and external audits in academic, administrative, and technological areas in order to verify compliance with regulatory, contractual, and quality standards. 

w. To administer surveys, interviews, and other feedback mechanisms to assess the satisfaction of students, families, staff, and other stakeholders. 

H. Promotional and Communication Purposes 

x. To contact and follow up with prospective students and families interested in the educational program, providing information about programs, activities, and requirements. 

y. To design and implement informational campaigns, surveys, virtual fairs, events, and publications for institutional, educational, or outreach purposes. 

z. To use images, testimonials, and other content for pedagogical, institutional, or promotional purposes, subject to the prior free, informed, and explicit consent of the data subjects or their legal representatives. 

I. Purposes Related to the Use of Image, Voice, and Intellectual Works 

aa. To capture, record, reproduce, edit, and disseminate images, voice recordings, audiovisual materials, and intellectual works in which students, staff, or authorized third parties participate, for educational, institutional, promotional, or commercial purposes. 

bb. To publish such materials on social media, websites, print or digital media, third-party platforms, academic events, and institutional activities, in accordance with the scope and limitations defined in the corresponding authorizations. 

cc. To manage the assignment or licensing of economic and related rights, whether on a paid or unpaid basis, as established in contracts or authorizations, in compliance with applicable intellectual property and image rights laws. 

2.12 Correspondence Between Collected Data and Authorized Purposes 

Genuine School shall ensure that only personal data that is adequate, relevant, and limited to what is necessary in relation to the specified purposes is collected, in accordance with the principle of data minimization set out in Article 5(1)(c) of the General Data Protection Regulation (GDPR). 

Any further or additional processing of personal data shall require the prior, informed, and verifiable consent of the data subject or their legal representative. 

2.13 Reuse, Limitation, and Compatibility of Purposes 

Personal data shall not be processed for purposes other than those originally specified, except when: 

  • The further processing is compatible with the original purpose, in accordance with Article 6(4) of the General Data Protection Regulation; 
  • There is a legal obligation requiring such processing; or 
  • New, informed, and verifiable consent has been obtained. 

Legal Basis for Processing 

Genuine School shall ensure that all personal data processing is based on a valid, documented, and verifiable legal basis, in accordance with Article 6 of the General Data Protection Regulation (GDPR – European Union), Article 5 of Law 1581 of 2012 (Colombia), Article 7 of the General Data Protection Law (LGPD – Brazil), and other applicable regulations, including COPPA and FERPA (United States). 

2.14 Informed, Freely Given, and Verifiable Consent 

Genuine School shall obtain consent in a freely given, specific, informed, and demonstrable manner, in accordance with Article 6(1)(a) of the GDPR, Article 7 of Law 1581, and Article 8 of the GDPR in the case of minors. 

In cases where processing is not based on a legal or contractual obligation, Genuine School shall obtain prior consent from the data subject or their legal representative. This consent shall be obtained through structured institutional forms that include authorization clauses and verification mechanisms. 

When processing the personal data of minors, consent shall be obtained from parents or legal guardians, and its validity shall be supported by traceability controls, electronic records, and institutional documentation. 

Consent may be withdrawn at any time by the data subject or their representative, without affecting the lawfulness of processing based on consent prior to its withdrawal (Article 7(3) GDPR). 

In the case of special categories of personal data (such as health data, biometric data, or religious beliefs), the conditions set out in Article 9(2) of the GDPR, Article 11 of the LGPD, and Article 6 of Law 1581 shall also apply. 

This consent applies to the processing activities described, including in particular: 

  • Participation in admission forms, contact forms, or voluntary surveys. 
  • Use of images, audio, recordings, or testimonials for institutional or promotional purposes. 
  • Registration for events, campaigns, clubs, or extracurricular activities. 

2.15 Contract Performance and Pre-Contractual Measures 

Genuine School shall process personal data when necessary for the conclusion, performance, or management of contracts with students, legal representatives, staff, or suppliers, in accordance with Article 6(1)(b) of the GDPR and Article 5 of Law 1581. 

This includes, for the declared processing activities and among other purposes, the following: 

  • Formalization of enrollment and academic validation processes. 
  • Fulfillment of contractual obligations with teachers, contractors, and suppliers. 
  • Management of platforms, content, and digital resources associated with the contracted educational services. 
  • Processing of pre-contractual requests (such as admissions, quotations, or inquiries). 
  • Management of billing, collections, payments, and financial reconciliation arising from contractual relationships. 

2.16 Compliance with a Legal Obligation 

Genuine School shall process personal data when required to comply with applicable legal obligations, in accordance with Article 6(1)(c) of the GDPR and relevant national regulations (including Law 1581 of Colombia). 

Some processing activities supported by this legal basis include: 

  • Reporting to educational, tax, or administrative authorities. 
  • Identity verification for legal or certification purposes. 
  • Maintenance of academic records as required by applicable regulations. 
  • Responding to formal requests from administrative or judicial authorities. 
  • Compliance with international agreements in the countries where the institution operates, particularly those related to academic recognition, accreditation, or educational cooperation. 

2.17 Protection of Vital Interests 

When strictly necessary to protect the vital interests of a student, staff member, or other individual, Genuine School shall process the relevant personal data without prior consent, in accordance with Article 6(1)(d) of the GDPR. 

This criterion may be applied, for example, in cases of medical emergencies, mental health alerts, or psychosocial risks identified by the institutional well-being team. It may also apply to the protection of digital or physical security in situations involving serious threats, such as cyberbullying, threats of violence, or critical incidents that may compromise the physical, emotional, or digital integrity of members of the community. 

2.18 Performance of a Task in the Public Interest 

As an educational institution established in accordance with applicable laws and guided by the best interests of the child, Genuine School may process personal data for the performance of its mission, in accordance with Article 6(1)(e) of the GDPR and applicable educational principles in each jurisdiction. 

This includes: 

  • Monitoring of professional development; 
  • Administration of assessments; 
  • Provision of educational support and well-being measures; 
  • Participation in standardized assessments and official examinations required by competent educational authorities. 

2.19 Legitimate Interests of the Data Controller 

Genuine School may process personal data on the basis of its legitimate interests, in accordance with Article 6(1)(f) of the GDPR and Article 10 of the LGPD, provided that: 

  • The fundamental rights of the data subject are not overridden; 
  • The purpose is specific and proportionate; and 
  • A balancing assessment demonstrates that such interests are not overridden by the interests or rights of the data subjects. 

This legal basis applies, for example, to: 

  • Activities aimed at improving the educational process; 
  • Internal quality assessments; 
  • Fraud prevention; 
  • Institutional performance analysis; 
  • Protection of institutional assets and the exercise or defense of legal claims in administrative, judicial, or arbitration proceedings, when necessary. 

In the case of personal data relating to minors, legitimate interest shall only be relied upon where a prior Privacy Impact Assessment (PIA) has been conducted, and appropriate mitigation measures have been implemented. 

3. Children’s Consent and Enhanced Protection for Minors 

The provisions of this section shall apply to all processing of personal data relating to minors carried out by Genuine School, regardless of the legal basis relied upon, and shall constitute enhanced protection measures complementing the general data protection policy. 

3.1 Principle of Priority Protection of the Child 

Genuine School recognizes that personal data relating to minors requires enhanced protection, in accordance with the principle of the best interests of the child, as recognized by the United Nations Convention on the Rights of the Child, applicable international treaties, Article 8 of the General Data Protection Regulation (GDPR), the Children’s Online Privacy Protection Act (COPPA – United States), Article 7 of Law 1581 of 2012 (Colombia), and Article 14 of the General Data Protection Law (LGPD – Brazil). 

As an educational institution serving students between the ages of 7 and 18, Genuine shall implement specific technical, legal, and organizational measures to ensure that the processing of children’s personal data is: 

  • Lawful; 
  • Proportionate; 
  • Limited to educational purposes; and 
  • Supported by verifiable parental consent. 

These measures shall include restricted access controls, ongoing staff training in child protection, and periodic reviews of processing activities involving minors’ data. 

3.2 Verifiable Consent Granted by the Legal Representative 

For any processing not based on a legal or contractual obligation, Genuine School shall require that consent be provided by the parent or legal representative of the minor, and that such consent be verifiable and auditable at the institutional level, ensuring its traceability, integrity, and authenticity. 

Prior to submitting a consent request through a certified electronic signature platform, the institution shall verify the identity and role of the signatory through: 

  • Previously validated registration in the student’s record, including full name, identification number and type, relationship to the minor, and contact details (email and phone number) previously confirmed against an official document; 
  • Confirmation of a secure communication channel for the transmission of consent, using only previously validated email addresses and/or phone numbers; 
  • Documentation retained in the student record for identity verification purposes, including digital copies of identification documents and proof of relationship. 

The platform used to obtain, validate, and record parental consent shall: 

  • Incorporate specific and tailored authorization clauses for each purpose; 
  • Enable verification of the signatory’s identity through secure authentication mechanisms; 
  • Record essential metadata, including date and time of signature, IP address, document hash, and a unique verification code; 
  • Generate a digital certificate of completion supporting the validity of the authorization in administrative and judicial contexts. 

Technological Adaptability Clause: Genuine School may implement, replace, or enhance the tools and mechanisms used to obtain and verify consent, provided that such tools comply with the requirements of authenticity, integrity, traceability, and legal validity established under applicable legislation and this policy. 

Right of Withdrawal: The legal representative may withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal, by submitting a written request to legal@genuinelab.us. Genuine School shall process such withdrawal within a maximum period of five (5) business days and shall retain documentary evidence of compliance. 

When the minor reaches the legal age to provide valid consent under the applicable jurisdiction and demonstrates sufficient capacity to understand the scope of the processing, the institution shall request direct confirmation or renewal of consent from the data subject. 

3.3 Enhanced Requirements for Processing Minors’ Data 

Genuine School shall adopt the following specific measures when processing involves personal data relating to individuals under the age of 18: 

  • Data Minimization: Only personal data that is strictly necessary for the fulfillment of the educational or institutional purpose shall be collected. 
  • Prior Impact Assessment: For processing activities that present a high risk (such as psychological assessments, experimental technologies, or personalized monitoring), a Data Protection Impact Assessment (DPIA) shall be conducted. 
  • Separate and Granular Consent: Optional purposes (such as the use of images or participation in events) shall be clearly distinguished from general consent and shall require separate and explicit acceptance. 
  • Processors with Enhanced Guarantees: Only technology platforms that provide equivalent safeguards for children’s data protection under the GDPR or COPPA shall be authorized, requiring the execution of data protection agreements or addenda (Data Processing Agreements – DPAs) containing specific clauses applicable to minors. 
  • Right of Withdrawal: Legal representatives may withdraw their consent at any time, without retroactive effect, by contacting legal@genuinelab.us. 
  • Consents granted shall be periodically reviewed to ensure their continued validity and alignment with the purposes for which the data is processed. 

3.4 Recording of Evidence and Institutional Traceability 

All consents granted for the processing of minors’ personal data shall be recorded within the institution’s document management systems and/or Learning Management System (LMS) environments, with the following information retained: 

  • Date of issuance; 
  • Method used (form, email, contract); 
  • Identity of the legal representative; 
  • Authorized purpose; 
  • Digital fingerprint (hash) of the signed document as an integrity measure. 

In the event of withdrawal, the consent shall be retained as historical evidence, marked as “revoked” and including the date of termination, in accordance with the principle of accountability (Article 5(2) GDPR). 

4. Rights of Data Subjects and Their Exercise 

4.1 Comprehensive Recognition of Rights 

Genuine School recognizes the following fundamental rights regarding the personal data of all data subjects, including students, parents or legal guardians, staff, candidates, and third parties, in accordance with: 

  • Articles 15 to 22 of the General Data Protection Regulation (GDPR – EU); 
  • Article 8 of Law 1581 of 2012 (Colombia); 
  • Articles 17 to 20 of the Brazilian Data Protection Law (LGPD – Brazil); 
  • Section 1303 of COPPA and Section 1232g of FERPA (United States). 

4.2 Guaranteed Rights 

| Right | Content | Legal Basis |
|---|---|---|
| Right of Access | To obtain confirmation as to whether personal data is being processed and to access such data, including information on purposes, recipients, and retention criteria, free of charge. | Art. 15 GDPR / Art. 18(I) LGPD / Art. 8 Law 1581 |
| Right to Rectification | To request the correction or updating of inaccurate, incomplete, or outdated personal data. | Art. 16 GDPR / Art. 18(III) LGPD / Art. 8 Law 1581 |
| Right to Erasure | To request the deletion of personal data, in whole or in part, where it is no longer necessary or where consent has been withdrawn. | Art. 17 GDPR / Art. 18(IV) LGPD / Art. 8 Law 1581 |
| Right to Object | To object to the processing of personal data on legitimate grounds, particularly in cases involving marketing, automated decision-making, or profiling. | Art. 21 GDPR / Art. 18 §2 and Art. 20 LGPD |
| Right to Data Portability | To receive personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. | Art. 20 GDPR / Art. 18(V) LGPD |
| Right to Restriction of Processing | To request the restriction of processing while the accuracy, lawfulness, or necessity of the data is being verified. | Art. 18 GDPR |
| Right to Withdraw Consent | To withdraw consent at any time, without affecting the lawfulness of prior processing. | Art. 7.3 GDPR / Art. 18(IX) LGPD / Art. 8 Law 1581 |
| Right to Lodge a Complaint | To lodge a complaint with the competent supervisory authority in case of alleged violations of data protection rights. | Art. 77 GDPR / SIC (Colombia) / ANPD (Brazil) |

4.3 Procedure for Exercising Your Rights 

Data subjects, or their legal representatives in the case of minors or persons lacking legal capacity, may exercise their rights of access, rectification, erasure, objection, data portability, restriction of processing, withdrawal of consent, and any other rights recognized by law, at any time through the following official channels: 

  • Institutional email dedicated exclusively to data protection: legal@genuinelab.us 
  • Signed written requests, submitted electronically with a copy of the data subject’s or legal representative’s identity document, sent to the indicated institutional channel. 
  • Institutional web forms (when available), allowing the attachment of supporting documentation necessary to verify identity and substantiate the right being exercised. 

All requests must include the data subject’s full identification, a clear and precise description of the right they wish to exercise, and the relevant supporting information or documents. Genuine School may request additional information if necessary to verify the requester’s identity. 

The maximum response time will comply with the deadlines established in Section 9.4, “Response Times and Conditions.” 

4.4 Response Times and Conditions 

Genuine School commits to: 

  • Respond within a maximum of 30 calendar days, in accordance with Article 12.3 of the GDPR. 
  • For requests originating in Colombia, respond within 15 business days, as per Decree 1377 of 2013. 
  • Notify the applicant within 5 business days if the request is incomplete or requires correction. 

All requests are processed free of charge, except when physical or certified copies are requested, in which case a reasonable reproduction fee will apply. 

5. International Data Transfers and Transmissions 

5.1 Institutional Context 

Genuine School operates as an educational institution with an international presence and relies on a technological ecosystem that includes multiple platforms and service providers located outside the data subjects’ country of origin, particularly in the United States. 

Consequently, some personal data processing involves international transmission or transfer under conditions that ensure an adequate level of protection, in strict compliance with applicable regulations and the principles of lawfulness, proportionality, and accountability. 

5.2 Applicable Definitions 

  • International data transfer: the transfer of personal data to another country to be processed by a different data controller (GDPR Art. 44). 
  • International transmission: the transfer of personal data to a data processor acting on behalf of the controller but located outside the country (Law 1581 of 2012). 

5.3 Rules Applied by Genuine School 

Genuine School ensures that all international data transfers and transmissions: 

  • Are carried out only when necessary, proportionate, and compatible with the purposes previously authorized by the data subject. 
  • Are formalized through data transfer agreements or Standard Contractual Clauses (SCCs) that guarantee a level of protection equivalent to that required by: 
      • Article 46.2 of the GDPR (Standard Contractual Clauses of the European Commission); 
      • Article 33 of Law 1581 of Colombia; 
      • Articles 33–36 of the LGPD (Brazil). 
  • Are restricted to countries or providers that have adequacy decisions, certifications, or equivalent contractual guarantees, such as those adopted by the European Commission. 
  • For transfers to the United States, Genuine School ensures that providers are: 
      • Subject to applicable sector-specific legislation, such as FERPA (Family Educational Rights and Privacy Act) in education and COPPA (Children’s Online Privacy Protection Act) for the protection of minors. 
      • Covered by Standard Contractual Clauses or international certification mechanisms, including the EU-US Data Privacy Framework adopted by the European Commission in July 2023. 

5.4 Platforms Used and Destination Countries 

Currently, Genuine School uses the following services or platforms that may involve international data processing: 

 

| Platform | Provider | Server Location | Purpose of Processing |
|---|---|---|---|
| Microsoft 365 / Teams | Microsoft Corp. | United States and other countries, according to the region assigned by Microsoft and its Data Processing Agreements | LMS, email, storage |
| Amazon Web Services (AWS) | Amazon Web Services, Inc. | United States and other regions, depending on the contracted architecture | Technological infrastructure, application hosting, backup, and operational continuity |
| META (Facebook, Instagram) | Meta Platforms Inc. | United States and other countries, according to Meta Platforms Inc.’s global policies | Institutional campaigns |
| Proprietary LMS platforms | Technology providers contracted by Genuine School | United States or other jurisdictions, depending on the provider | Academic management, educational tracking, and learning administration |
| Buk | Buk SpA | United States and Chile (depending on services) | Human Talent Management |
| HubSpot | HubSpot, Inc. | United States | CRM, marketing, admissions, and communications |
| Google Analytics | Google | United States and other countries | Web traffic analysis, usage metrics, and visitor behavior |
| Treble | | United States | Admissions process management (enrollment), application forms, and applicant tracking |

5.5 Protection Measures Implemented 

To guarantee the security and legality of these international transfers and transmissions, Genuine School shall: 

  • Require the signing of Data Processing Agreements (DPAs) with each provider, incorporating confidentiality clauses and compliance with applicable international regulations. 
  • Implement appropriate technical and organizational measures, such as data encryption in transit and at rest, multi-factor authentication, segregation of environments, and role-based access control. 
  • Conduct periodic audits and verifications to ensure compliance with best practices, international security standards, and contractual requirements by international data processors and controllers. 
  • Maintain an up-to-date record of all international transfers and transmissions carried out, including the legal basis supporting them, the destination country, the provider, the purpose, and the protection safeguards implemented. 

6. Information Security and Confidentiality 

Genuine School recognizes that information security is essential for the effective protection of personal data and the respect of the fundamental rights of data subjects. Therefore, Genuine School has adopted an Information Security Management System (ISMS) aligned with the international standard ISO/IEC 27001, integrating technical, organizational, personnel, and contractual measures to ensure regulatory compliance and risk mitigation. 

6.1 Applicable Security Principles 

All personal data processing activities at Genuine School shall be subject to the following operational security principles: 

  • Confidentiality: Data shall be accessible only to duly authorized personnel, according to roles, profiles, and privileges defined in the institutional access control model. 
  • Integrity: The accuracy, completeness, and consistency of data shall be preserved throughout its lifecycle, preventing unauthorized alterations. 
  • Availability: Data shall be available to authorized users when required. 
  • Traceability: All actions involving personal data shall be recorded with the date, user, access type, and justification. 
  • Minimizing Exposure: Unnecessary data processing shall be avoided, limiting internal and external circulation. 
  • Risk-Adapted Security: Technical and organizational measures shall be tailored to the sensitivity and criticality of the data processed.

6.2 Data Classification and Control Levels 

In addition to the institutional classification by sensitivity levels established in section 5.3 and Appendix 1, Genuine School shall treat this classification as a binding operational criterion for the application of specific safeguards. 

Specifically: 

  • The ISMS manuals and procedures shall detail the technical, organizational, physical, and contractual controls applicable to each level, with increasing stringency from the Public level to the Restricted level. 
  • Access management shall be assigned according to the classification level and the user’s role, preventing unnecessary or unauthorized access. 
  • The circulation, storage, and transmission of information shall be carried out under protection mechanisms consistent with its classification, including encryption, multi-factor authentication, and environment segmentation where appropriate. 
  • Traceability and audit mechanisms shall be implemented to record and monitor any access, modification, or transmission of classified data. 
  • The measures shall be reviewed and updated periodically, taking into account technological changes, regulatory updates, and the results of institutional risk assessments. 

In this way, data classification shall function as an active management tool that guides and conditions decisions related to the security and confidentiality of information at Genuine School. 

7. Security Breaches and Incident Notification 

Genuine School recognizes that security incidents affecting the confidentiality, integrity, or availability of personal data can have significant impacts on the rights of data subjects. Therefore, Genuine School has adopted an institutional Incident Management and Breach Notification Policy, aligned with international regulations and the principle of accountability. 

7.1 What is considered a security breach? 

A personal data security breach shall include any incident that accidentally or unlawfully results in: 

  • Unauthorized access to personal data; 
  • Loss, destruction, alteration, or unauthorized disclosure of data; 
  • Unplanned disruption of legitimate access to protected data. 

7.2 Institutional Response Measures 

Upon any indication or confirmation of a security breach, Genuine School shall activate its ISMS Incident Management Protocol, which includes: 

  • Immediate identification and containment of the incident. 
  • Assessment of the scope, type of data compromised, and potential victims. 
  • Complete documentation of the event, including date, origin, cause, and technical evidence. 
  • Immediate internal notification to the Safety Committee and the DPO. 
  • Implementation of corrective and preventive measures to mitigate the damage and prevent recurrence. 

7.3 Notification to Authorities and Data Subjects  

In accordance with Article 33 of the General Data Protection Regulation (GDPR), Genuine School shall: 

  • Notify the competent supervisory authority (SIC, ANPD, EU Supervisors, etc.) within 72 hours of becoming aware of the incident if there is a risk to the rights of data subjects. 

The notification shall include: 

  • Nature of the incident and type of data compromised; 
  • Estimated number of data subjects affected; 
  • Potential consequences of the incident; 
  • Measures taken to mitigate the effects. 

If the incident represents a high risk to the rights of data subjects, Genuine School shall ensure direct, clear, and timely communication to those affected, in accordance with Article 34 of the GDPR, through a traceable institutional channel. 

7.4 Incident Log and Traceability 

All incidents shall be recorded in the Internal Security Incident Log, which shall include: 

  • Date and time of discovery; 
  • Detection channel; 
  • Data compromised; 
  • Impact assessment; 
  • Measures taken; 
  • Assigned responsible party. 

This log shall be maintained in accordance with the institutional Document Retention Policy and shall be monitored by the Data Protection Officer (DPO) and the Information Security Committee. 

8. Privacy Impact Assessments (PIAs) 

Genuine School recognizes that certain processing of personal data, by its nature, scope, context, or purposes, may generate high risks to the rights and freedoms of data subjects, particularly when involving minors, emerging technologies (e.g., AI), and sensitive data. Therefore, as a preventive and compliance measure, Genuine School shall implement Privacy Impact Assessments (DPIAs) in accordance with Articles 35 and 36 of the General Data Protection Regulation (GDPR) and the international standard ISO/IEC 29134. 

9. Cross-references to Specific Modules and Notices 

In accordance with the principle of differentiated transparency and the institutional obligation to provide clear, specific, and accessible information to each group of data subjects, Genuine School shall maintain a series of supplementary documents (privacy notices) tailored to the different profiles interacting with the institution. 

These modules shall detail, in accessible language and with a contextualized approach, the most relevant aspects of personal data processing, taking into account the data subject’s role, the specific purposes of processing, the applicable rights, and the mechanisms available for exercising those rights. 

The following documents form an integral part of this policy and shall be available for consultation through the institution’s official channels: 

| Module | Target Audience | Main Content | Version / Link |
|---|---|---|---|
| Privacy Notice for Students and Legal Representatives | Students under 18 and their legal representatives | Types of data collected, parental consent, retention periods, and specific rights | Appendix 1 or Privacy Notice for Students and Parents/Guardians |
| Privacy Notice for Contractors, Staff, Teachers, and Suppliers | Companies, contractors, or partners that process data on behalf of the organization or as part of a business relationship. | Contact information, contractual obligations, confidentiality, and international transfers | Appendix 2 |
| Privacy Notice for Candidates | Individuals in the selection process (faculty, staff, interns) | Resumes, references, tests, interviews, retention, disposal | Appendix 3 or Privacy Notice for Candidates |
| Notice for Website Visitors | All visitors to the website | Contact information, technical support | Appendix 4 or Privacy Notice for Website Visitors |

 

Note: Each module shall be reviewed and updated as frequently as this general policy and shall explicitly state the date of its last modification and its connection to the Data Protection Officer (DPO) as the institutional point of contact.