GDPR Compliance

Introduction

Chevron Energy is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR). This document explains how we collect, use, and protect your personal information in compliance with GDPR requirements.

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data:

1. Right to Information

You have the right to be informed about the collection and use of your personal data. We provide clear and transparent information about our data processing activities.

2. Right of Access

You have the right to request access to your personal data and receive a copy of the personal data we hold about you.

3. Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

4. Right to Erasure ("Right to be Forgotten")

Under certain circumstances, you have the right to request that we delete your personal data.

5. Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances.

6. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

7. Right to Object

You have the right to object to the processing of your personal data in certain circumstances, including processing for direct marketing purposes.

8. Rights Related to Automated Decision Making

You have the right not to be subject to automated decision-making, including profiling, which produces legal effects or significantly affects you.

Personal Data We Collect

We collect and process the following categories of personal data:

Account Information

• Name and contact details (email, phone, address)
• Account credentials and authentication data
• Profile information and preferences

Financial Information

• Payment card details and billing information
• Transaction history and trading activity
• Investment preferences and risk profile

Technical Information

• IP address and device information
• Browser type and usage patterns
• Cookies and similar tracking technologies

Verification Data

• Identity verification documents
• Know Your Customer (KYC) information
• Anti-money laundering (AML) compliance data

Legal Basis for Processing

We process your personal data based on the following legal grounds:

Contractual Necessity

Processing necessary for the performance of our contract with you or to take steps prior to entering into a contract.

Legitimate Interests

Processing necessary for our legitimate business interests, such as fraud prevention, security, and improving our services.

Legal Compliance

Processing necessary to comply with legal obligations, including regulatory requirements for financial services.

Consent

Processing based on your explicit consent, which you can withdraw at any time.

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

• Account Data: Retained while your account is active and for 7 years after closure for regulatory compliance
• Transaction Records: Retained for 10 years as required by financial regulations
• Marketing Data: Retained until you opt out or withdraw consent
• Technical Data: Typically retained for 2 years for security and improvement purposes

International Data Transfers

When we transfer your personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions recognizing equivalent protection levels
• Binding Corporate Rules (BCRs) where applicable
• Your explicit consent for specific transfers

Data Security

We implement appropriate technical and organizational measures to protect your personal data:

Technical Safeguards

• End-to-end encryption for data transmission and storage
• Multi-factor authentication and access controls
• Regular security assessments and penetration testing
• Automated threat detection and response systems

Organizational Measures

• Employee training on data protection and privacy
• Data processing agreements with third-party providers
• Privacy impact assessments for high-risk processing
• Incident response procedures for data breaches

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us using the following methods:

Response Timeline

We will respond to your requests within one month of receipt. In complex cases, we may extend this period by two months and will inform you of any delay.

Verification Process

To protect your privacy, we may need to verify your identity before processing your request. We will only use the information provided for verification purposes.

Filing Complaints

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with:

• Our Data Protection Officer at dpo@chevronenergy.org
• Your local supervisory authority
• The Information Commissioner's Office (ICO) in the UK
• Your national data protection authority in the EU

Updates to This Policy

We may update this GDPR compliance information from time to time to reflect changes in our data processing practices or legal requirements. We will notify you of any material changes through:

• Email notifications to your registered address
• Prominent notices on our website
• In-app notifications when you log in

Last Updated: October 19, 2025