Run: California CPRA Employee Privacy Notice

This Employee Privacy Notice explains how the Company collects, uses, discloses, retains, and protects personal information relating to California employees, applicants, contractors, temporary workers, and other covered personnel. It is intended to provide notice of our data practices under the California Privacy Rights Act (CPRA), Cal. Civ. Code § 1798.100 et seq., and related California privacy requirements. This notice also supports employment-related compliance obligations, including lawful recordkeeping, equal employment opportunity administration, wage-and-hour administration, and workplace safety and security.

This notice applies to personal information collected in connection with recruitment, hiring, onboarding, employment, benefits administration, payroll, performance management, workplace safety, access control, investigations, and offboarding. California employees: where a California-specific rule applies, that rule controls for California-covered data practices. If another policy conflicts with this notice, the more protective rule or the legally required rule will apply. This notice does not create a contract of employment and does not limit the Company's right to update its data practices as permitted by law.

**Personal information** means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular employee or applicant. **Sensitive personal information** includes data elements protected under CPRA, such as government identifiers, account log-in credentials, precise geolocation, racial or ethnic origin, union membership, health information, and similar categories where applicable. **Business purpose** means a use of personal information permitted by law for legitimate operational, legal, security, or employment administration needs. **Policy holder** means the Company department or designated owner responsible for maintaining this notice and coordinating privacy requests. **Interactive process** means the good-faith, individualized process used to evaluate a request for reasonable accommodation under the ADA and applicable state law.

The Company collects and uses employee personal information only for legitimate business, legal, and employment-related purposes, and limits access to personnel with a need to know. We will not sell employee personal information. We do not share employee personal information for cross-context behavioral advertising unless expressly disclosed and permitted by law. We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. We will not discriminate or retaliate against an employee for exercising privacy rights permitted by law.

Depending on the role and relationship with the Company, we may collect the following categories of personal information: 1. Identifiers and contact information, such as name, address, phone number, email address, emergency contact information, employee ID, and government-issued identifiers where required. 2. Employment and professional information, such as job title, department, work location, manager, work history, education, certifications, references, and performance records. 3. Payroll, compensation, and benefits information, such as pay rate, time records, tax forms, direct deposit details, benefits elections, and leave records. 4. Protected class and accommodation-related information, where voluntarily provided or lawfully collected for EEO, ADA, FMLA, workers' compensation, or similar purposes. 5. Technology and access information, such as device identifiers, system logs, badge access records, network activity, and security monitoring data. 6. Health, safety, and incident information, such as injury reports, workplace incident records, drug testing results where permitted, and occupational health information. 7. Other information provided by the employee, applicant, or a third party in the course of employment or recruitment. We collect only the information reasonably necessary and proportionate to the disclosed purpose, unless a broader collection is required or permitted by law.

We may use personal information for the following business and employment purposes: - Recruiting, evaluating, and onboarding applicants - Administering payroll, taxes, benefits, and reimbursements - Managing attendance, scheduling, leave, and timekeeping - Evaluating performance, training, discipline, and promotion decisions - Supporting workplace safety, security, investigations, and incident response - Providing reasonable accommodation and leave administration through the interactive process - Meeting legal, regulatory, audit, and recordkeeping obligations - Protecting Company systems, property, confidential information, and personnel - Maintaining business continuity, analytics, and internal reporting - Responding to employee requests, complaints, disputes, or legal claims We use personal information in a manner consistent with the purpose for which it was collected, unless otherwise permitted by law.

We may disclose personal information to: - Internal personnel with a legitimate need to know, such as HR, payroll, legal, IT, security, finance, and management - Service providers and contractors that perform services on our behalf, subject to contractual confidentiality and security obligations - Benefit plan administrators, insurers, retirement plan providers, and leave administrators - Government agencies, courts, auditors, or other third parties when required by law or to protect legal rights - Successors or acquirers in connection with a merger, acquisition, restructuring, or asset transfer, subject to applicable legal requirements California employees: where required, we limit disclosures to the categories and purposes described in this notice and do not disclose personal information beyond what is reasonably necessary for the stated purpose. We do not permit service providers to use employee personal information for their own unrelated purposes.

We retain employee personal information for as long as reasonably necessary to fulfill the purposes described in this notice, including employment administration, legal compliance, dispute resolution, audit, and recordkeeping obligations. Retention periods may vary by record type, such as payroll records, tax records, benefits records, performance records, leave records, safety records, and investigation files. Where a specific legal retention period applies, we follow that requirement. When records are no longer needed, we dispose of them using methods designed to prevent unauthorized access or reconstruction. The policy holder is responsible for maintaining the retention schedule and coordinating legal holds when litigation, audits, or investigations are pending.

We use reasonable administrative, technical, and physical safeguards to protect employee personal information, which may include access controls, role-based permissions, encryption, logging, secure storage, vendor due diligence, and incident response procedures. Employees with access to personal information must use it only for authorized business purposes and must promptly report suspected unauthorized access, disclosure, or misuse to HR, IT, or the Compliance Officer. No security program can guarantee absolute protection, but we are committed to maintaining safeguards appropriate to the sensitivity of the information and the risk involved.

Where applicable under CPRA and other law, employees may request to know, access, correct, or delete certain personal information, and may request information about our collection, use, and disclosure practices. Requests will be reviewed and handled in accordance with applicable law, including identity verification, response timelines, and any lawful exceptions. Some information may be exempt from deletion or access rights, including information needed for payroll, tax, legal compliance, security, or other permitted employment purposes. Employees may submit requests through the designated privacy contact listed in this notice. We will not discriminate or retaliate against an employee for making a good-faith privacy request.

**Policy holder:** maintains this notice, coordinates updates, and oversees privacy requests. **HR:** collects and uses employee data only for approved employment purposes, supports the interactive process, and coordinates retention of personnel records. **Payroll/Finance:** maintains compensation, tax, and reimbursement records in accordance with legal requirements. **IT/Security:** protects systems and access controls, monitors for unauthorized activity, and supports incident response. **Managers:** limit access to employee information to a legitimate need-to-know basis and escalate privacy concerns promptly. **Employees:** provide accurate information when required, protect confidential data, and report suspected privacy incidents.

Failure to follow this notice, related privacy procedures, or applicable confidentiality requirements may result in access restrictions, documented warning, retraining, disciplinary action up to and including termination, and/or legal action where appropriate. Nothing in this notice limits rights protected by the National Labor Relations Act (NLRA), including protected concerted activity, or interferes with rights under the FLSA, FMLA, ADA, EEOC-enforced laws, or other applicable employment laws. California employees: privacy rights will be administered in a manner consistent with the CPRA and any applicable California employment privacy requirements.

This notice will be reviewed at least annually and updated when our data practices, legal obligations, vendors, retention periods, or security controls change. Material changes may be communicated through updated postings, employee communications, or acknowledgement requests as appropriate. The most current version controls.