California Consumer Privacy Act Notice for Employees, Contractors, Directors and Shareholders

Under the California Consumer Privacy Act (CCPA), "Personal Information" is information that identifies, relates to, or could reasonably be linked directly or indirectly with a particular California resident and includes certain categories of Personal Information discussed below that constitute "Sensitive Personal Information." This "Notice" constitutes our notice at collection and our privacy policy pursuant to the CCPA with respect to California employees, contractors, directors and shareholders.

In the past 12 months, we have collected and disclosed for our business purposes each of the following categories of Personal Information relating to California residents covered by this Notice:

• Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

• Any information that identifies, relates to, describes, or is capable of being associated with a particular individual, including name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, financial information, medical information, or health insurance information.

• Characteristics of protected classifications under California or federal law, such as sex and marital status.

• Commercial information, such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

• Biometric information, such as fingerprints and voiceprints.

• Internet or other electronic network activity information, such as browsing history, search history, and information regarding California employees' and contractors' interaction with an internet website, application, or advertisement.

• Geolocation data, such as device location and Internet Protocol (IP) location.

• Audio, electronic, visual, thermal, or similar information such as call and video recordings.

• Professional or employment-related information, such as work history, prior employer, and compensation information including salary, bonus information, and equity-based award information.

• Education information directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution.

• Inferences drawn from any of the Personal Information listed above to create a profile about a California employee, contractor, director, or shareholder reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

• The following categories of Sensitive Personal Information:

• Personal Information that reveals:
  • Social security, driver's license, state identification card, or passport number.
  • Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
  • Precise geolocation.
  • Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.
  • The contents of mail, email, and text messages unless the business is the intended recipient of the communication.
  • Genetic data.

• The processing of biometric information for the purpose of uniquely identifying a California employee, contractor, director, or shareholder.

• Personal information collected concerning one's health including personal information related to reproductive health services.

• Personal information collected concerning sex life or sexual orientation.

In addition to collecting Personal Information ourselves, we additionally coordinate with third parties to collect Personal Information on our behalf. These third parties are engaged in one or more of the following business practices:

• Delivering advertising and marketing, including on non-affiliated persons' or entities' sites and mobile apps.
• Facilitating events and event management including virtual and/or in-person events (hotels, restaurants, virtual platforms, audio/visual services, food/beverage, transportation).
• Referral sources used for identifying candidates for employment, identifying new client opportunities, or recommending vendors or contractors.

The categories of sources from which we collected Personal Information are:

• Directly from a California employee, contractor, director, shareholder, or their representatives.
• Service providers, consumer data resellers, credit reporting agencies, and similar entities.
• Public record sources (federal, state, or local government).
• Job applications submitted to us.
• Website, mobile app activity, social media, or other internet sources.

With respect to each category of Personal Information disclosed in the past 12 months, the categories of persons or entities to whom we disclosed that information are:

• Service providers and contractors who provide services such as website hosting, data analysis, payment processing, order fulfillment, IT services, customer service, email delivery, auditing, marketing, marketing research, credit financing, event management, employment background checks, and real estate management.
• Other service providers and contractors who provide payment, banking and communication infrastructure, storage, legal expertise, tax expertise, real estate expertise, appraisal expertise, notaries, and auditors.
• Service providers and contractors who enable online and mobile transactions.
• Other persons or entities to whom we transfer Personal Information as part of a merger, acquisition, or similar business transaction.
• Government agencies as required by law.
• Other persons or entities with which you may direct us to intentionally interact or disclose your personal information.

Refer to Appendix A for specific examples of Personal Information about employees, contractors, directors, and/or shareholders.

We collect, use, and disclose Personal Information, including Sensitive Personal Information, for business or commercial purposes, including:

• Performing services including maintaining or servicing accounts, providing customer service, processing transactions, verifying employee, contractor, director, and shareholder information, processing payments, providing HR services, financing, advertising or marketing services (excluding cross-context behavioral advertising), analytic services, facilitating event management and execution, and managing our real estate portfolio.
• Ensuring security and integrity where reasonably necessary and proportionate.
• Short-term, transient use, including non-personalized advertising shown during a current interaction.
• Auditing related to ad impressions and compliance.
• Verifying or maintaining the quality or safety of a service or device, or improving or enhancing it.
• Debugging to identify and repair errors.
• Internal research for technological development.
• Complying with laws, regulations, legal processes, and law enforcement requests.

The length of time that we intend to retain each category of Personal Information will depend on a number of criteria, including (i) the length of time we are required to retain Personal Information in order to comply with applicable legal and regulatory requirements, (ii) the length of time we may need to retain Personal Information in order to accomplish the business or commercial purpose(s) for which such Personal Information is collected, used or disclosed (as indicated in this Notice), and (iii) whether you choose to exercise your right, subject to certain exceptions, to request deletion of your Personal Information.

In the 12 months preceding this Notice, we have not "sold" Personal Information or Sensitive Personal Information subject to the CCPA nor have we "sold" or "shared" Personal Information or Sensitive Personal Information of minors under 16. For purposes of this Notice:

• "sold" means disclosure of Personal Information or Sensitive Personal Information to a third party for monetary or other valuable consideration.
• "shared" means disclosure of Personal Information or Sensitive Personal Information to a third party for cross-context behavioral advertising.

We only use or disclose Sensitive Personal Information only for purposes allowed under CCPA Regulations:

• To perform the human resource services reasonably expected by an average employee, contractor, director or shareholder who requests those services. For example, a California employees’, contractors’, directors’ or shareholders’ precise geolocation may be used by a mobile application that provides directions on how to get to a specific location.
• To detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information, provided that the use of the personal information is reasonably necessary and proportionate for this purpose. For example, we may disclose log-in information to a data security company that it has hired to investigate and remediate a data breach that involved that employee's, contractor's, director’s, or shareholder’s account.
• To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of personal information is reasonably necessary and proportionate for this purpose. For example, we may use information about ethnicity and/or the contents of email and text messages to investigate claims of racial discrimination or hate speech.
• To ensure the physical safety of natural persons, provided that the use of personal information is reasonably necessary and proportionate for this purpose. For example, we may disclose geolocation information to law enforcement to investigate an alleged kidnapping.
• For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of current interaction with us.
• To perform services, such as providing human resource services, maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
• To verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.

• To perform the human resource services reasonably expected by an average employee, contractor, director or shareholder who requests those services. For example, a California employees’, contractors’, directors’ or shareholders’ precise geolocation may be used by a mobile application that provides directions on how to get to a specific location.
• To detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information, provided that the use of the personal information is reasonably necessary and proportionate for this purpose. For example, we may disclose log-in information to a data security company that it has hired to investigate and remediate a data breach that involved that employee's, contractor's, director’s, or shareholder’s account.
• To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of personal information is reasonably necessary and proportionate for this purpose. For example, we may use information about ethnicity and/or the contents of email and text messages to investigate claims of racial discrimination or hate speech.
• To ensure the physical safety of natural persons, provided that the use of personal information is reasonably necessary and proportionate for this purpose. For example, we may disclose geolocation information to law enforcement to investigate an alleged kidnapping.
• For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of current interaction with us.
• To perform services, such as providing human resource services, maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
• To verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.

If you are a California resident covered by the CCPA, you have the right to:

1. Receive this Notice at or before the point of collection of your Personal Information;
2. Request we disclose to you free of charge the following information covering the 12 months preceding your request:
   1. the categories of Personal Information about you that we collected;
   2. the categories of sources from which the Personal Information was collected;
   3. the purpose for collecting Personal Information about you;
   4. the categories of third parties to whom we disclosed Personal Information about you and the categories of Personal Information that were disclosed (if applicable) and the purpose for disclosing the Personal Information about you; and
   5. the specific pieces of Personal Information we collected about you;
3. Request we correct inaccurate Personal Information that we maintain about you;
4. Request we delete Personal Information we collected from you, unless the CCPA recognizes an exception; and
5. Be free from unlawful discrimination for exercising your rights under the CCPA.

Please see the section below entitled, "How to Exercise Your Rights," for instructions explaining how you can exercise these rights described above.

We will acknowledge receipt of your request and advise you how long we expect it will take to respond if we are able to verify your identity. Requests for specific pieces of Personal Information will require additional information to verify your identity.

For individuals submitting a request on behalf of another person, we may require proof of authorization and verification of identity directly from the person for whom the request is made.

For a company or organization submitting a request on behalf of another person, we may require proof of authorization from the individual such as a power of attorney and verification of identity directly from the person for whom the request is made.

In some instances, we may not be able to honor your request. For example, we will not honor your request if we cannot verify your identity or if we cannot verify that you have the authority to make a request on behalf of another individual. Additionally, we will not honor your request where an exception applies, such as where the disclosure of Personal Information would adversely affect the rights and freedoms of another California resident or where the Personal Information that we maintain about you is not subject to the CCPA's access or deletion rights.

We will advise you in our response if we are not able to honor your request. We will not provide Social Security numbers, driver's license numbers or government issued identification numbers, financial account numbers, unique biometric data, health care or medical identification numbers, account passwords or security questions and answers, or any specific pieces of information if the disclosure presents the possibility of unauthorized access that could result in identity theft or fraud or unreasonable risk to data or systems and network security.

We will work to process all verified requests within 45 days pursuant to the CCPA. If we need an extension for up to an additional 45 days to process your request, we will provide you with an explanation for the delay.

If you are a California resident, you may submit a request by:

• Completing an online request at CCPA Request Form – https://www.ovcb.com/ccpa-request

• Calling us at 1-866-844-7500

You may contact us with questions or concerns about this Notice and our practices by:

1. Writing us at:

   Oak Valley Community Bank
   Attn: Human Resources
   125 N Third Avenue
   Oakdale, CA 95361

2. Contact us at https://www.ovcb.com/contact-hr

We may change or update this Notice from time to time. When we do, we will post the revised Notice on this page with a new "Last Updated" date.

Examples of the Personal Information about Employees, Contractors, Directors and/or Shareholders.

Below are the categories of data that may be collected for each purpose of use, summarized below.

The Categories of Personal Information We May Collect, Use, Transfer and Disclose, unless restricted by applicable law:

• Recruitment/Applicant information: Pre-employment references; employment history; language(s) spoken; previous compensation; 1-9 documentation; voice and video recording.
• Employment and Job Information: Job title and/or position and description of responsibilities/duties; job family; location; band/seniority; Employee Identifiers; department; line and sub-line of business; local Company entity name; cost center information; employment dates; supervisor/manager/team lead name and contact information; work contact information; termination details.
• Personal Demographic Information: Date and place of birth; Dependent date of birth; Nationality; gender; name (including birth surname and any other former names); Dependent full name; family/marital status; copies of birth certificate; date of death; details of military service.
• Visa/ Citizenship Details: Work eligibility status; entitlement to residency; citizenship; passport details; visa details; National ID.
• Contact Details: Address, telephone, email and emergency contact details.
• Payroll: Social Security number or other tax identifier number; bank account details; tax and social security contributions; payroll payments and deductions and other financial information; attendance data; shift and overtime data; governmental forms e.g., IRS W2
• Employee Administration: Reference letters; query management records; Flexible Working Requests; Employee Engagement Survey, personal preferences for events (e.g., dietary requirements), volunteering details, voice and video recording.
• Expense Management Information: Travel related personal preferences, passport information
• Life Events Additional Documentation: Medical/diagnosis documentation; personal circumstances; Return to Work Release Documentation; Death Certificate and Death Benefit documentation including beneficiary personal contact information and details; restraining orders, family custody legal/ orders; criminal records; military orders and documentation; personal insurance documentation e.g., house fire/hurricane damage report
• Contractor Administration: Reference letters, query management records; working arrangement requests; voice recording; video recording.
• Global Mobility; Business travel information (including business visa details and travel logs and itineraries).
• Absence Data: Absence details e.g., sickness, holiday and maternity leaves.
• Attendance Data: Working Time Directive Details.
• Physical Security and Life Safety Data: Swipe card entry data; security cameras; photograph (Security ID Card); Accident and Incident Reporting; Biometrics (e.g., fingerprints and iris scans); data required for purposes related to Health and Safety in the workplace.
• Compensation: Compensation information (including base salary, market rates, incentive payment(s), stock options information and allowances).
• Pension: Information related to retirement planning.
• Contractor, Director, or Shareholder benefits.
• Employee Benefits Including Retirement: Benefits including family and or other dependent data and retirement information.
• Education and Training: Academic Record, Professional Qualifications and Memberships; professional training; Company internal training; voice and video recording.
• Regulatory Data (where applicable): Licenses and certifications; financial regulatory registration; voice recording.
• Succession Planning Details: Reporting structure; talent management and succession planning data (including mobility preferences, date assigned to a talent pool, talent pool name and description, areas of expertise, general management experience, leadership behavior, strengths and development needs).
• Performance / Development Plans / Reviews: Performance related information (including assessments and ratings (results rating, behavior rating, potential rating), performance goals description, key competencies description).
• Employee Relations Case / Compliance / Legal Management: Areas for development, coaching notes, feedback from others, self-assessment description, manager review description, performance expectations, measurement criteria, action dates, manager progress notes; career development information; employment disciplinary record, activities and investigations; information pertaining to any grievances raised, termination reason.
• Technical information: Including username and passwords, voice data, IP address, domain, browser type, operating system, self-service password management, click-stream data and system logs) and electronic and non-electronic content and documents created or produced by you using Company systems or in the performance of your role with the Company.
• Securities and Stock Trading: Details of outside business activities and directorship(s) (where relevant for employment-related purposes); securities and stock trading activity/experience (where relevant for employment- related purposes); spouse, partner and child brokerage account details.
• Sensitive Personal Information: Information regarding physical and/or mental health (if required to make reasonable adjustments or engage in communications related to the disability accommodations process), race and/or ethnic origin, criminal history or unlawful behavior for recruitment and pre-employment screening purposes and for assessment of registration and licensing requirements, biometric data, such as fingerprints and iris scans, for the purposes of electronic identification, authentication and corporate security; eye color, hair color, height, weight (to facilitate fingerprint background screening process); information relevant to a security threat, to protect against deceptive, fraudulent or illegal activity, or other incident investigation.
• Diversity and Inclusion Data (e.g., veteran status, race, ethnicity, age, disability status, sexual orientation, gender, gender identity, and gender expression).
• Signatures, including digital images and physical copies.
• Virtual or In Person Events Data: Information needed for participation in virtual or in-person events: speaker biographies, travel details, spouse/partner name, name and age of child/children collected through parents or guardians attending events, dietary requirements of individuals attending an event, Special Assistance needs of individuals attending an event.

The Purposes for Which We May Collect, Use, Transfer And Disclose Personal Information:

• Administering and managing the Employee employment relationship, general administration and budgeting; marketing company products; expense management; preparation, management, and use of interna communication, business telephone/e-mail directory.
• Recruiting activities, talent management and succession planning.
• Authentication/identification of Employees, including voice authentication (e.g., for help desk security).
• Human resources information systems ("HRIS") and application support and development.
• Information technology and information security support (including firewall monitoring, anti-spam and virus protection, and other monitoring, for example in accordance with the Company's Information Security Monitoring Notices).
• To assist with Information Technology operational support (including system maintenance and bug fixes).
• Management of internal business operations (including monitoring compliance with Company policies and procedures, for example in accordance with the Company's Information Technology Acceptable Use Agreement.
• Complying with applicable government reporting and other local and foreign law requirements (including the requirements of the US Sarbanes-Oxley Act or other applicable internal control regulations and in such areas as immigration, tax or statutory financial regulation) and other legal obligations.
• Payroll and compensation management, administration and processing (including compensation metrics and decisions, bonus calculations and stock plan administration).
• Complying with local or foreign state and/or country specific tax and immigration laws and regulations and payroll reporting, not limited to but including business travel.
• Benefits and insurance administration and management (including information regarding various benefit programs available to Employees' decisions regarding eligibility for staff loans).
• Fostering career planning and growth.
• Training, advice and counselling purposes.
• Employee performance and productivity reviews/assessments and general performance management.
• Defending, preparing for, participating in and responding to potential legal claims, investigations and regulatory inquiries (all as permitted by applicable law).
• Disciplinary actions/investigations (as permitted by applicable law).
• Client and customer service and marketing activities (including but not limited to inclusion in internal and external internet and intranet sites, marketing materials, event management materials, deal documents, pitch books and as required to provide services and products to our clients).
• Managing relationships with clients and other third parties (including licensing and registration bodies, legal counsel, stock exchanges, or business counterparties).
• Post-employment purposes (for example, providing employment references, assessing rehire eligibility, and any of the purposes listed in this notice that may be applicable during the post-employment period).
• To assist with Information Technology operational support (including system maintenance and bug fixes).
• To promote the safe and healthy working conditions of company facilities.
• Diversity and Inclusion Data is used on an aggregated basis for reporting and promotions. Diversity and Inclusion Data excluding disability status is used on a personally identifiable basis, for talent management, succession planning, and training and conference opportunities.
• Conducting background screening including verifying criminal history, employment, education, credit and litigation history, bankruptcy, directorships, sanctions, politically exposed persons, financial, regulatory and media checks
• Physical identity for access management.
• Incident management (including threat investigations, medical emergencies, and crisis reporting).
• Corporate Alumni program for previous employee engagement.
• Virtual or In Person Events (including information needed for participation in virtual or in person events. This may include information on your spouse or children where appropriate. In the context of virtual or in person events, Personal Information or other information may be collected when an individual visits us online to register for an event, attends an event, asks for event information, downloads content, or shares an interest to attend an event through our client relationship partner.
• Administering volunteer and giving programs.

The Categories of Unaffiliated Third Parties With Whom We May Share Personal Information

• Professional Advisors: Accountants, auditors, lawyers, insurers, bankers, tax advisors and other outside professional advisors.
• Service Providers: Companies that provide products and services to the Company, such as payroll, partner banks, benefits and retirement service providers, life event assistance services, human resources services, recruitment and training providers; performance management, training, expense management, relocation services, IT systems suppliers and support, reception and security, catering and logistics services providers, translation services, third parties assisting with event organizing and marketing activities, medical or health practitioners, trade bodies and associations, background screening providers and other service providers.
• Public and Governmental Authorities: Entities that regulate or have jurisdiction over the Company in which the Company operates, such as regulatory authorities, law enforcement, public bodies, licensing and registration bodies, judicial bodies and third parties appointed by such authorities.
• Parties Related to a Corporate Transaction: A third party in connection with any proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of the Company's business, assets, or stock (including in connection with any bankruptcy or similar proceedings), e.g., stock exchanges and business counterparties.
• Current or prospective clients e.g., pitchbooks.
• Event Vendors: Event vendors, organizers, speakers, volunteers, contractors, and sponsors to facilitate events.

Last updated: November 1, 2025.