Biometric Information Policy

ADDENDUM TO EMPLOYEE HANDBOOK

GFF, Inc. (the “Company”) Company has instituted the following Biometric Information Privacy Policy.

Biometric Data Defined

As used in this Addendum, “biometric data” and “biometric identifier” can include, but is not limited to photographs (only if used for facial recognition purposes),a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. However, the Company currently limits its use of biometric data to a scan of hand. Biometric identifiers do not include writing samples, written signatures, photographs (if not used for facial recognition purposes), human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers. Time and attendance data or information obtained by the timekeeping devices, the Company, or its Vendors (as defined below) shall not be considered to be biometric identifiers or biometric information.

Purpose for Collection of Biometric Data

Company and its hand scan, timekeeping and/or cloud storage vendors (“Vendors”) collect and store scans of hand geometry for purposes of the Company’s timekeeping system.

Disclosure and Authorization

To the extent that the Company and/or its Vendors collect, capture, otherwise obtain, store, and retain biometric data relating to an employee, the Company must first:

a. Inform the employee in writing that the Company and its Vendors are collecting, capturing, otherwise obtaining, storing, retaining, and using the employee’s biometric data, and that the Company is providing such biometric data to Vendors.

b. Inform the employee in writing of the specific purpose and length of time for which the employee’s biometric data is being collected, stored, and used; and

c. Receive a written release signed by the employee (or his or her legally authorized representative) authorizing the Company and its Vendors to collect, store, retain and use the employee’s biometric data for the specific purposes disclosed by the Company.

The Company and its Vendors will not sell, lease, trade, or otherwise profit from employees’ biometric data; provided, however, the Company’s Vendors may be paid for products or services used by the Company that utilizes such biometric data and may pay its employees as reflected in the time and attendance records from the timekeeping system.

Disclosure

The Company will not disclose or disseminate any biometric data to anyone other than its Vendors providing products and services using biometric data without/unless:

a. First obtaining written employee consent to such disclosure or dissemination.

b. The disclosed data completes a financial transaction requested or authorized by the employee.

c. Disclosure is required by state or federal law or municipal ordinance; or

d. Disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Retention Schedule

The Company shall retain each employee’s biometric data in the employee’s personnel records for four (4) years from the date of the employee’s separation from the Company. Thereafter, the Company shall safely and confidentially dispose of the employee’s biometric data.

Data Storage

The Company shall use a reasonable standard of care as used in the industry to store, transmit and protect from disclosure any biometric data collected. Such storage, transmission, and protection from disclosure shall also be performed in a manner that is the same as or more protective than the manner in which Company stores, transmits and protects from disclosure other confidential and sensitive information.

Consent

The Company requests that each employee consent to the collection, use and retention of the biometric data as described herein and requests that each employee sign a consent and acknowledgment form for these purposes. However, in the event that any employee fails to sign such a consent or acknowledgment form, employee’s signature on the handbook acknowledgement constitutes consent to this biometric data policy.