Oak Valley Community Bank
Eastern Sierra Community Bank

California Consumer Privacy Act Notice for Employees, Contractors, Directors and Shareholders

Under the California Consumer Privacy Act (CCPA), "Personal Information" is information that identifies, relates to, or could reasonably be linked directly or indirectly with a particular California resident and includes certain categories of Personal Information discussed below that constitute "Sensitive Personal Information." This "Notice" constitutes our notice at collection and our privacy policy pursuant to the CCPA with respect to California employees, contractors, directors and shareholders.

Collection, Use, and Disclosure of Personal Information

In the past 12 months, we have collected and disclosed for our business purposes each of the following categories of Personal Information relating to California residents covered by this Notice:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers;
  • Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
  • Characteristics of protected classifications under California or federal law, such as sex and marital status;
  • Commercial information, such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric information, such as fingerprints and voiceprints;
  • Internet or other electronic network activity information, such as browsing history, search history, and information regarding California Employees' and Contractors' interaction with an internet website application, or advertisement;
  • Geolocation data, such as device location and Internet Protocol (IP) location;
  • Audio, electronic, visual, thermal, or similar information such as call and video recordings;
  • Professional or employment-related information, such as work history and prior employer, and compensation information, including salary and bonus information and other equity-based award information;
  • Education information directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution;
  • Inferences drawn from any of the Personal Information listed above to create a profile about a California employee, contractor, director or shareholder reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; and
  • The following categories of Sensitive Personal Information:
    • Personal Information that reveals:
      • Social security, driver's license, state identification card, or passport number;
      • Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
      • Precise geolocation;
      • Racial or ethnic origin, religious or philosophical beliefs, or union membership;
      • The contents of mail, email, and text messages unless the business is the intended recipient of the communication;
      • Genetic data;
    • The processing of biometric information for the purpose of uniquely identifying a California employee, contractor, director or shareholder;
    • Personal information collected and analyzed concerning one’s health; and
    • Personal information collected concerning sex life or sexual orientation.

In addition to collecting Personal Information ourselves, we coordinate with third parties to collect Personal Information on our behalf. These third parties are engaged in one or more of the business practices described below:

  • Delivering advertising and marketing including on non-affiliated persons' or entities' sites and mobile apps;
  • Facilitating events and event management including virtual and/or in-person events (e.g., hotels, restaurants, virtual platforms, audio/visual capabilities, food/beverage, transportation services, etc.); or
  • Referral sources, whether for purposes of identifying candidates for employment, identifying new client opportunities, or recommending vendors or contractors.

The categories of sources from which we collected Personal Information are:

  • Directly from a California employee, contractor, director, shareholder, or the individual's representatives;
  • Service Providers, Consumer Data Resellers, Credit Reporting Agencies and other similar persons or entities;
  • Public Record Sources (Federal, State or Local Government Sources);
  • Job applications submitted to us; and
  • Website, Mobile App Activity, Social Media, or other Internet sources.

With respect to each category of Personal Information that we disclosed for a business purpose in the past 12 months, the categories of persons or entities to whom we disclosed that Personal Information are:

  • Service Providers and Contractors who provide services such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure, customer service, email delivery, auditing, marketing, marketing research activities, credit financing, event management, employment background checks, and real estate management;
  • Other Service Providers and Contractors who provide services such as payment, banking and communication infrastructure, storage, legal expertise, tax expertise, real estate expertise, appraisal expertise, notaries and auditors;
  • Other Service Providers and Contractors who enable capability to conduct transactions online and via mobile devices;
  • Other persons or entities to whom we transfer personal information as an asset that is part of a merger, acquisition or other transaction in which such other person or entity assumes control of all or part of the business;
  • Government Agencies as required by laws and regulations; and
  • Other persons or entities with which you may use us or direct us to intentionally interact or to which you may use us or direct us to intentionally disclose your personal information.

Refer to Appendix A for specific examples of the Personal Information about employees, contractors, directors and/or shareholders.

We collect, use and disclose for our business purposes Personal Information, including Sensitive Personal Information, relating to California residents to operate, manage, and maintain our business, to provide human resource services, and to accomplish our business or commercial purposes, including the following:

  • Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying California employee, contractor, director and shareholder information, processing payments, providing human resource services, providing financing, providing advertising or marketing services (except for cross-context behavioral advertising, a type of targeted advertising), providing analytic services, facilitating event management and execution, managing our real estate portfolio, or providing similar services;
  • Helping to ensure security and integrity to the extent the use of Personal Information is reasonably necessary and proportionate for these purposes;
  • Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a current interaction with us, where the information is not disclosed to a third party and is not used to build a profile or otherwise alter the experience outside the current interaction with us;
  • Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;
  • Undertaking activities to verify or maintain the quality or safety of a service controlled by us, and to improve, upgrade, or enhance that service;
  • Debugging to identify and repair errors that impair existing intended functionality;
  • Undertaking internal research for technological development and demonstration; and
  • Complying with laws and regulations and to comply with other legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes or opinions).

How Long We Retain Personal Information

The length of time that we intend to retain each category of Personal Information will depend on a number of criteria, including (i) the length of time we are required to retain Personal Information in order to comply with applicable legal and regulatory requirements, (ii) the length of time we may need to retain Personal Information in order to accomplish the business or commercial purpose(s) for which such Personal Information is collected, used or disclosed (as indicated in this Notice), and (iii) whether you choose to exercise your right, subject to certain exceptions, to request deletion of your Personal Information.

Sale or Sharing of Personal Information

In the 12 months preceding the date of this Notice, we have not "sold" Personal Information or Sensitive Personal Information subject to the CCPA nor have we "sold" or "shared" Personal Information or Sensitive Personal Information of minors under the age of 16. For purposes of this Notice:

  • "sold" means the disclosure of Personal Information or Sensitive Personal Information to a third party for monetary or other valuable consideration; and
  • "shared" means the disclosure of Personal Information or Sensitive Personal Information to a third party for cross-context behavioral advertising.

How We Use Sensitive Personal Information

We only use or disclose Sensitive Personal Information for the following purposes consistent with CCPA Regulations:

  • To perform the human resource services reasonably expected by an average employee, contractor, director or shareholder who requests those services. For example, a California employee's, contractor's, director's or shareholder's precise geolocation may be used by a mobile application that provides directions on how to get to a specific location.
  • To detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information, provided that the use of the personal information is reasonably necessary and proportionate for this purpose. For example, we may disclose log-in information to a data security company that we have hired to investigate and remediate a data breach that involved that employee's, contractor's, director's, or shareholder's account.
  • To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of personal information is reasonably necessary and proportionate for this purpose. For example, we may use information about ethnicity and/or the contents of email and text messages to investigate claims of racial discrimination or hate speech.
  • To ensure the physical safety of natural persons, provided that the use of personal information is reasonably necessary and proportionate for this purpose. For example, we may disclose geolocation information to law enforcement to investigate an alleged kidnapping.
  • For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of current interaction with us.
  • To perform services, such as providing human resource services, maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
  • To verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.

Rights under the CCPA

If you are a California resident covered by the CCPA, you have the right to:

  1. Receive this Notice at or before the point of collection of your Personal Information;
  2. Request we disclose to you free of charge the following information covering the 12 months preceding your request:
    1. the categories of Personal Information about you that we collected;
    2. the categories of sources from which the Personal Information was collected;
    3. the purpose for collecting Personal Information about you;
    4. the categories of third parties to whom we disclosed Personal Information about you and the categories of Personal Information that were disclosed (if applicable) and the purpose for disclosing the Personal Information about you; and
    5. the specific pieces of Personal Information we collected about you;
  3. Request we correct inaccurate Personal Information that we maintain about you;
  4. Request we delete Personal Information we collected from you, unless the CCPA recognizes an exception; and
  5. Be free from unlawful discrimination for exercising your rights under the CCPA.

Please see the section below entitled, "How to Exercise Your Rights," for instructions explaining how you can exercise these rights described above.

We will acknowledge receipt of your request and advise you how long we expect it will take to respond if we are able to verify your identity. Requests for specific pieces of Personal Information will require additional information to verify your identity.

For individuals submitting a request on behalf of another person, we may require proof of authorization and verification of identity directly from the person for whom the request is made.

For a company or organization submitting a request on behalf of another person, we may require proof of authorization from the individual such as a power of attorney and verification of identity directly from the person for whom the request is made.

In some instances, we may not be able to honor your request. For example, we will not honor your request if we cannot verify your identity or if we cannot verify that you have the authority to make a request on behalf of another individual. Additionally, we will not honor your request where an exception applies, such as where the disclosure of Personal Information would adversely affect the rights and freedoms of another California resident or where the Personal Information that we maintain about you is not subject to the CCPA's access or deletion rights.

We will advise you in our response if we are not able to honor your request. We will not provide Social Security numbers, driver's license numbers or government issued identification numbers, financial account numbers, unique biometric data, health care or medical identification numbers, account passwords or security questions and answers, or any specific pieces of information if the disclosure presents the possibility of unauthorized access that could result in identity theft or fraud or unreasonable risk to data or systems and network security.

We will work to process all verified requests within 45 days pursuant to the CCPA. If we need an extension for up to an additional 45 days to process your request, we will provide you with an explanation for the delay.

How to Exercise Your Rights

If you are a California resident, you may submit a request by:

Questions or Concerns

You may contact us with questions or concerns about this Notice and our practices by:

  1. Writing us at:

    Oak Valley Community Bank
    Attn: Human Resources
    125 N Third Avenue
    Oakdale, CA 95361

  2. Contacting us at https://www.ovcb.com/contact-hr

Changes to This California Consumer Privacy Act Notice

We may change or update this Notice from time to time. When we do, we will post the revised Notice on this page with a new "Last Updated" date.

Appendix A

Examples of the Personal Information about Employees, Contractors, Directors and/or Shareholders.

The categories of data that may be collected for each purpose of use are summarized below.

The Categories of Personal Information We May Collect, Use, Transfer and Disclose, unless restricted by applicable law:

  • Recruitment/Applicant information: Pre-employment references; employment history; language(s) spoken; previous compensation; I-9 documentation; voice and video recording.
  • Employment and Job Information: Job title and/or position and description of responsibilities/duties; job family; location; band/seniority; Employee Identifiers; department; line and sub-line of business; local Company entity name; cost center information; employment dates; supervisor/manager/team lead name and contact information; work contact information; termination details.
  • Personal Demographic Information: Date and place of birth; Dependent date of birth; Nationality; gender; name (including birth surname and any other former names); Dependent full name; family/marital status; copies of birth certificate; date of death; details of military service.
  • Visa/ Citizenship Details: Work eligibility status; entitlement to residency; citizenship; passport details; visa details; National ID.
  • Contact Details: Address, telephone, email and emergency contact details.
  • Payroll: Social Security number or other tax identifier number; bank account details; tax and social security contributions; payroll payments and deductions and other financial information; attendance data; shift and overtime data; governmental forms e.g., IRS W2.
  • Employee Administration: Reference letters; query management records; Flexible Working Requests; Employee Engagement Survey, personal preferences for events (e.g., dietary requirements), volunteering details, voice and video recording.
  • Expense Management Information: Travel related personal preferences, passport information.
  • Life Events Additional Documentation: Medical/diagnosis documentation; personal circumstances; Return to Work Release Documentation; Death Certificate and Death Benefit documentation including beneficiary personal contact information and details; restraining orders, family custody legal/ orders; criminal records; military orders and documentation; personal insurance documentation e.g., house fire/hurricane damage report
  • Contractor Administration: Reference letters, query management records; working arrangement requests; voice recording; video recording.
  • Global Mobility: Business travel information (including business visa details and travel logs and itineraries).
  • Absence Data: Absence details e.g., sickness, holiday and maternity leaves.
  • Attendance Data: Working Time Directive Details.
  • Physical Security and Life Safety Data: Swipe card entry data; security cameras; photograph (Security ID Card); Accident and Incident Reporting; Biometrics (e.g., fingerprints and iris scans); data required for purposes related to Health and Safety in the workplace.
  • Compensation: Compensation information (including base salary, market rates, incentive payment(s), stock options information and allowances).
  • Pension: Information related to retirement planning.
  • Contractor, Director, or Shareholder benefits.
  • Employee Benefits Including Retirement: Benefits including family and or other dependent data and retirement information.
  • Education and Training: Academic Record, Professional Qualifications and Memberships; professional training; Company internal training; voice and video recording.
  • Regulatory Data (where applicable): Licenses and certifications; financial regulatory registration; voice recording.
  • Succession Planning Details: Reporting structure; talent management and succession planning data (including mobility preferences, date assigned to a talent pool, talent pool name and description, areas of expertise, general management experience, leadership behavior, strengths and development needs).
  • Performance / Development Plans / Reviews: Performance related information (including assessments and ratings (results rating, behavior rating, potential rating), performance goals description, key competencies description).
  • Employee Relations Case / Compliance / Legal Management: Areas for development, coaching notes, feedback from others, self-assessment description, manager review description, performance expectations, measurement criteria, action dates, manager progress notes; career development information; employment disciplinary record, activities and investigations; information pertaining to any grievances raised, termination reason.
  • Technical information: Username and passwords, voice data, IP address, domain, browser type, operating system, self-service password management, click-stream data and system logs; and electronic and non-electronic content and documents created or produced by you using Company systems or in the performance of your role with the Company.
  • Securities and Stock Trading: Details of outside business activities and directorship(s) (where relevant for employment-related purposes); securities and stock trading activity/experience (where relevant for employment-related purposes); spouse, partner and child brokerage account details.
  • Sensitive Personal Information: Information regarding physical and/or mental health (if required to make reasonable adjustments or engage in communications related to the disability accommodations process), race and/or ethnic origin, criminal history or unlawful behavior for recruitment and pre-employment screening purposes and for assessment of registration and licensing requirements, biometric data, such as fingerprints and iris scans, for the purposes of electronic identification, authentication and corporate security; eye color, hair color, height, weight (to facilitate fingerprint background screening process); information relevant to a security threat, to protect against deceptive, fraudulent or illegal activity, or other incident investigation.
  • Diversity and Inclusion Data (e.g., veteran status, race, ethnicity, age, disability status, sexual orientation, gender, gender identity, and gender expression).
  • Signatures, including digital images and physical copies.
  • Virtual or In Person Events Data: Information needed for participation in virtual or in-person events: speaker biographies, travel details, spouse/partner name, name and age of child/children collected through parents or guardians attending events, dietary requirements of individuals attending an event, Special Assistance needs of individuals attending an event.

The Purposes for Which We May Collect, Use, Transfer And Disclose Personal Information:

  • Administering and managing the Employee employment relationship, general administration and budgeting; marketing company products; expense management; preparation, management, and use of internal communication, business telephone/e-mail directory.
  • Recruiting activities, talent management and succession planning.
  • Authentication/identification of Employees, including voice authentication (e.g., for help desk security).
  • Human resources information systems ("HRIS") and application support and development.
  • Information technology and information security support (including firewall monitoring, anti-spam and virus protection, and other monitoring, for example in accordance with the Company's Information Security Monitoring Notices).
  • To assist with Information Technology operational support (including system maintenance and bug fixes).
  • Management of internal business operations (including monitoring compliance with Company policies and procedures, for example in accordance with the Company's Information Technology Acceptable Use Agreement).
  • Complying with applicable government reporting and other local and foreign law requirements (including the requirements of the US Sarbanes-Oxley Act or other applicable internal control regulations and in such areas as immigration, tax or statutory financial regulation) and other legal obligations.
  • Payroll and compensation management, administration and processing (including compensation metrics and decisions, bonus calculations and stock plan administration).
  • Complying with local or foreign state and/or country specific tax and immigration laws and regulations and payroll reporting, not limited to but including business travel.
  • Benefits and insurance administration and management (including information regarding various benefit programs available to Employees, decisions regarding eligibility for staff loans).
  • Fostering career planning and growth.
  • Training, advice and counselling purposes.
  • Employee performance and productivity reviews/assessments and general performance management.
  • Defending, preparing for, participating in and responding to potential legal claims, investigations and regulatory inquiries (all as permitted by applicable law).
  • Disciplinary actions/investigations (as permitted by applicable law).
  • Client and customer service and marketing activities (including but not limited to inclusion in internal and external internet and intranet sites, marketing materials, event management materials, deal documents, pitch books and as required to provide services and products to our clients).
  • Managing relationships with clients and other third parties (including licensing and registration bodies, legal counsel, stock exchanges, or business counterparties).
  • Post-employment purposes (for example, providing employment references, assessing rehire eligibility, and any of the purposes listed in this notice that may be applicable during the post-employment period).
  • To promote the safe and healthy working conditions of company facilities.
  • Diversity and Inclusion Data is used on an aggregated basis for reporting and promotions. Diversity and Inclusion Data excluding disability status is used on a personally identifiable basis, for talent management, succession planning, and training and conference opportunities.
  • Conducting background screening including verifying criminal history, employment, education, credit and litigation history, bankruptcy, directorships, sanctions, politically exposed persons, financial, regulatory and media checks.
  • Physical identity for access management.
  • Incident management (including threat investigations, medical emergencies, and crisis reporting).
  • Corporate Alumni program for previous employee engagement.
  • Virtual or In Person Events (including information needed for participation in virtual or in person events). This may include information on your spouse or children where appropriate. In the context of virtual or in person events, Personal Information or other information may be collected when an individual visits us online to register for an event, attends an event, asks for event information, downloads content, or shares an interest to attend an event through our client relationship partner.
  • Administering volunteer and giving programs.

The Categories of Unaffiliated Third Parties With Whom We May Share Personal Information

  • Professional Advisors: Accountants, auditors, lawyers, insurers, bankers, tax advisors and other outside professional advisors.
  • Service Providers: Companies that provide products and services to the Company, such as payroll, partner banks, benefits and retirement service providers, life event assistance services, human resources services, recruitment and training providers; performance management, training, expense management, relocation services, IT systems suppliers and support, reception and security, catering and logistics services providers, translation services, third parties assisting with event organizing and marketing activities, medical or health practitioners, trade bodies and associations, background screening providers and other service providers.
  • Public and Governmental Authorities: Entities that regulate or have jurisdiction over the Company in which the Company operates, such as regulatory authorities, law enforcement, public bodies, licensing and registration bodies, judicial bodies and third parties appointed by such authorities.
  • Parties Related to a Corporate Transaction: A third party in connection with any proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of the Company's business, assets, or stock (including in connection with any bankruptcy or similar proceedings), e.g., stock exchanges and business counterparties.
  • Current or prospective clients e.g., pitchbooks.
  • Event Vendors: Event vendors, organizers, speakers, volunteers, contractors, and sponsors to facilitate events.

Last updated: July 1, 2023.