Gaskill Oil Refinery LLC Personal Data Processing Policy

1. General Provisions

1.1. Gaskill Oil Refinery LLC Personal Data Processing Policy (hereinafter the Policy) has been developed in accordance with applicable United States federal and state laws, including the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and other relevant regulations governing data privacy and protection. It outlines the requirements for processing and safeguarding personal data.

1.2. The Policy reflects Gaskill Oil Refinery LLC’s commitment to protecting individual privacy rights and complies with international standards where applicable, including principles of data minimization, purpose limitation, and data security.

1.3. The purpose of this document is to inform the personal data owners and other persons engaged in personal data processing of Gaskill Oil Refinery LLC's adherence to the fundamental principles of legality, fairness, data minimization, and ensuring that the scope and purpose of processing are aligned with the declared objectives.

1.4. Protecting the rights and freedoms of individuals, including privacy, personal, and family secrets, is a priority for Gaskill Oil Refinery LLC.

1.5. This Policy covers all personal data processed by Gaskill Oil Refinery LLC and constitutes a public document.

2. Legal grounds for personal data processing

2.1. Personal data are processed by Gaskill Oil Refinery LLC based on the following legal grounds:

2.1.1. With the explicit consent of the data subject;

2.1.2. To fulfill contractual obligations or take pre-contractual actions at the request of the data subject;

2.1.3. To comply with applicable laws and regulations of the United States, including federal and state laws, executive orders, and relevant legal acts;

2.1.4. For legitimate interests pursued by the company, provided such interests are balanced against the rights of the data subjects;

2.1.5. To protect vital interests of the data subject or other persons in emergency situations.

3. Purposes and methods of personal data processing

3.1. Personal data are processed using both automated systems and manual methods, including information systems, in accordance with the purposes of processing.

3.2. When automated processing is used, data are transmitted via secure networks, including the company's internal network and the internet, in compliance with data security standards.

3.3. Personal data are processed for the following purposes:

3.3.1. Employee recruitment, employment management, training, and career development;

3.3.2. Providing social benefits and safety guarantees to employees and their family members;

3.3.3. Executing civil law and service contracts;

3.3.4. Complying with applicable US laws on corporate reporting and disclosure;

3.3.5. Ensuring compliance with antitrust and securities legislation;

3.3.6. Protecting the legal interests of the company and its affiliates in legal proceedings and disputes;

3.3.7. Submitting reports and notifications to government agencies such as the IRS, SEC, or other relevant authorities;

3.3.8. Data analysis, statistical reporting, and audits;

3.3.9. Managing access control and security of facilities and property;

3.3.10. Conducting internal inspections, audits, and compliance checks;

3.3.11. Organizing procurement and bidding procedures;

3.3.12. Preparing legal documents, powers of attorney, and other authorizations;

3.3.13. Managing communication and information systems;

3.3.14. Fulfilling other obligations under applicable laws and internal policies.

3.4. The processing of personal data is carried out in accordance with the principles of legality, fairness, transparency, and data minimization.

4. Processed personal data and data sources

4.1. Personal data are provided directly by the data subjects or their authorized representatives, or collected from publicly available sources, with the data subject’s consent where required.

4.2. Data may also be obtained from third parties, such as government agencies or business partners, with prior consent or legal authorization.

4.3. The processing of sensitive personal data (such as health information or biometric data) is prohibited unless explicitly authorized by law or with the explicit consent of the data subject.

4.4. Personal data are processed only for legitimate purposes and in accordance with applicable US laws.

4.5. Data sources include employee records, contractual documents, official registries, and publicly available information.

5. Personal data processing and storage period

5.1. Personal data are processed only during the period necessary to achieve processing purposes or as required by law.

5.2. Data are securely destroyed or anonymized after the expiration of the retention period or when processing objectives are achieved.

6. Rights of personal data owners

6.1. Data owners have the right to access, correct, delete, or restrict processing of their personal data in accordance with US laws such as the CCPA and other applicable legislation.

6.2. Data owners can withdraw consent at any time, where processing is based on consent, without affecting lawfulness.

6.3. Data owners may file complaints with relevant authorities, such as the Federal Trade Commission (FTC), regarding violations of their rights.

6.4. To exercise rights, data owners can contact the designated Data Protection Officer or use the contact details provided below.

7. Cross-border personal data transmission

7.1. Personal data may be transferred outside the United States only to countries with adequate data protection laws or with appropriate safeguards such as standard contractual clauses.

7.2. Cross-border transfers are conducted for legitimate purposes, including international cooperation, with prior notification to or consent of the data subject where required.

7.3. Data may be transferred to countries without adequate protections only with explicit consent or legal basis, such as necessity for contract execution or vital interests.

7.4. The list of countries includes, but is not limited to, Canada, European Union member states, Australia, and other countries recognized to ensure adequate data protection.

8. Third-party data processors

8.1. The company may engage third-party processors to handle personal data, provided they commit to confidentiality and data security obligations.

8.2. Responsible processing agreements specify scope, purposes, confidentiality, and security measures.

8.3. The company remains responsible for data processed by third parties on its behalf.

9. Data protection measures

9.1. Gaskill Oil Refinery LLC implements appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, destruction, or disclosure.

9.2. These measures include access controls, encryption, secure storage, staff training, and regular audits.

9.3. The company complies with applicable US data security standards and updates measures as necessary.

10. Responsibility and penalties

10.1. Employees involved in personal data processing are subject to disciplinary, civil, administrative, or criminal liability for violations of applicable laws and policies.

11. Contact information

11.1. Data Controller: Gaskill Oil Refinery LLC, 5469 Bancroft Ave, Apt 305, Oakland, CA 94601 United States

11.2. Contact Phone: +1 (737) 227-3445 Or +1 (559) 656-1213

11.5. Regulatory Authority: Federal Trade Commission (FTC) or other applicable US authorities.