I. Purpose

Hana Group is committed to safeguarding personal information in its possession and ensuring its confidentiality. The company collects only the personal information required to operate its business, administer employment, and comply with government reporting and disclosure requirements.

II. Scope

This policy applies to all employees, temporary workers, job applicants, and any individual whose personal information is collected or maintained by Hana Group. It covers all forms of information, including electronic records, paper files, verbal communications, and data transmitted through approved third-party systems.

For purposes of this policy, personal information includes any data that identifies or relates to an identifiable individual. For purposes of confidentiality obligations under this policy, “personal information” means information that directly identifies an individual and is not generally shared in the ordinary course of business, such as Social Security numbers, home addresses, medical records, and financial information. Routine business information such as job titles, work locations, and business contact information is not subject to confidentiality restrictions.

III. Policy

Collection and Use of Personal Information

Hana Group collects only the personal information necessary to operate the business, administer employment, comply with legal requirements, and maintain workplace safety. Personal information collected by the company includes, but is not limited to, names, addresses, telephone numbers, e-mail addresses, emergency contact information, equal employment opportunity (EEO) demographic data, medical information, social security numbers, date of birth, employment eligibility data, benefits plan enrollment information, which may include dependent personal information, school/college or certification credentials, and information exchanged through approved HR and communication platforms, including text-based communications.

Personal information is used solely for legitimate business purposes such as payroll, benefits administration, compliance reporting, recruiting, onboarding, performance

management, and workplace safety. Personal information will be handled in accordance with applicable federal, state, and local privacy and employment laws.

Medical information, including disability-related documentation and genetic information, is maintained in separate, confidential files with access limited to those with a legitimate need to know (e.g., HR personnel administering accommodations, safety personnel in emergencies). Genetic information will not be used in making employment decisions.

Employees are responsible for ensuring that their personal information on file is accurate and up to date.

Confidentiality and Access Controls

Personal information is treated as confidential and is accessible only to individuals who need it to perform their job duties or meet legal or regulatory requirements. Hard-copy records are kept in locked, secure locations with access limited to authorized personnel. Electronic records are protected through company security systems, authentication controls, and data-protection protocols, with access restricted to those with a legitimate business need. Sensitive information, such as medical files and I-9 documentation, is stored separately from general personnel records.

Information such as organizational charts, job titles, internal directories, and facility details is considered proprietary and may be shared internally as needed for business operations.

Certain business information, including organizational charts, job titles, directories, and employment milestones, is not subject to confidentiality restrictions applicable to personal information and may be shared internally for legitimate business purposes.

Authorized Data and Communication Systems

Hana Group uses approved third-party systems to support business operations, including communication, payroll, scheduling, recruiting, benefits, and other workforce functions. These platforms may involve text messaging, mobile notifications, document exchange, and application tracking, and may collect or transmit personal information as part of their services.

Authorized vendors are expected to adhere to industry-standard privacy and security practices. This includes limiting data collection to legitimate business purposes, protecting information through administrative, technical, and physical safeguards, complying with applicable privacy laws, restricting access to authorized personnel, retaining information only as necessary, and ensuring secure transmission, storage, and disposal of data. These practices align with widely accepted principles such as transparency, data minimization, lawful processing, and secure handling of personal information.

Some platforms may allow employees or candidates to send or receive text or mobile communications. Message content may be stored, logged, and accessed by authorized HR or management personnel, and any personal information shared through these communications is protected under this policy. Users may opt out of text messaging where legally required. These communications are intended solely for legitimate business purposes such as recruiting, onboarding, scheduling, and employment-related updates, and vendors may retain message logs as part of their service delivery and compliance obligations.

Communications sent through company-approved systems—including text messages, mobile app messages, and internal messaging tools—may be monitored or reviewed for business, compliance, or security purposes, consistent with applicable law.

Hana Group monitors electronic communications on company systems. By using company systems, employees acknowledge and consent to such monitoring. This notice is provided pursuant to applicable state law.

Employee Privacy in the Workplace

Hana Group respects individual privacy while maintaining a safe, secure, and productive work environment. Employees may be required to cooperate with investigations related to safety, security, or policy compliance, which may include searches of personal belongings, work areas, company-issued equipment, or vehicles (where permitted by law), as well as review of electronic communications. Failure to cooperate or providing false information may result in disciplinary action, up to and including termination.

Social Security numbers are classified as highly confidential and are collected, used, and disclosed only for legitimate business or legal purposes such as tax reporting, new-hire reporting, benefits enrollment, or background checks. Records containing SSNs are stored securely with restricted access, and unauthorized use or disclosure is strictly prohibited and may result in disciplinary action, including termination.

Employees must promptly report any suspected breach of confidentiality or unauthorized disclosure of personal information to Human Resources. HR will investigate and take corrective action as appropriate. Disclosures such as sharing partial birth dates for recognition, providing contact information for scheduling, sharing employee identifiers for payroll or budgeting, or distributing service anniversary information are not considered breaches.

Personal information is retained only as long as necessary for business, legal, or regulatory purposes and is securely destroyed when no longer needed through shredding, secure deletion, or approved vendor disposal methods.

Nothing in this policy is intended to restrict employees’ rights under the National Labor Relations Act to discuss wages, hours, or other terms and conditions of employment, or to engage in other protected concerted activity.

Policy Violations

Unauthorized access, use, or disclosure of personal information may result in disciplinary action, up to and including termination, and may also result in legal consequences.