01. SCOPE AND APPLICATION
1.1. Comprehensive Coverage
This Privacy Policy (hereinafter, the "Policy") governs the processing of Personal Data collected through the official website of the HSO Consortium (hereinafter, "HSO Consorcio", "the Consortium", or "we"), accessible via the domain https://www.hsoconsortium.com (hereinafter, the "Website"). This Policy applies to all visitors, users, and any person interacting with our Website, without prejudice to specific provisions that may apply depending on the user's jurisdiction.
This Policy has been prepared in strict alignment with the Work Framework and Internal Regulations of the HSO Consortium (hereinafter, the "Internal Framework"), particularly regarding the principles of regulatory compliance, the OFAC sanctions architecture, and information protection within the framework of oil and gas operations in Venezuela.
1.2. Roles and Responsibilities
- Data Controller: HSO Co and HSO Petroleum Services, as the entity responsible for processing the Website, determines the purposes and means of processing Personal Data.
- Data Processor: Technology and infrastructure service providers that process data on behalf of HSO Consortium for the operation of the Website.
1.3. Applicable Regulatory Framework
This Policy is based on the following legal provisions:
In the United States:
- Privacy Act of 1974
- California Consumer Privacy Act (CCPA) and its amendments, applicable to California residents
- Children's Online Privacy Protection Act (COPPA)
- Consumer protection principles of the Federal Trade Commission (FTC), requiring clear notice and informed choice regarding the use of personal data
- Office of Foreign Assets Control (OFAC) Regulations, particularly General Licenses 46B, 48A, 49A and 50A, as well as Executive Order 14373, which establish restrictions applicable to the Consortium's operations in Venezuela
In Venezuela:
- Articles 28 and 60 of the Constitution of the Bolivarian Republic of Venezuela, guaranteeing the right to habeas data, privacy, and intimacy
- Infogobierno Law, establishing data protection principles in public and private registries
- Organic Law on Protection of Personal Data (LOPDP), enacted in 2021, regulating the collection, storage, and use of personal data in the public and private sectors
- Special Law against Computer Crimes, which typifies sanctions for unauthorized access to systems containing personal data
02. DEFINITIONS
2.1. Personal Data
Any information relating to an identified or identifiable natural person ("Data Subject"), including, but not limited to, name, email address, telephone number, IP address, unique identifiers, and any other data that may reasonably be linked to an individual.
2.2. Sensitive Personal Data
Data that reveals racial or ethnic origin, political opinions, religious or philosophical convictions, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person's sex life or sexual orientation.
2.3. Processing
Any operation or set of operations performed on Personal Data, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2.4. Habeas Data
Constitutional right recognized in Venezuela that allows any person to access information and data about them held in public or private registries, as well as to request rectification, updating, confidentiality, or erasure of data that illegitimately affects their rights.
03. CATEGORIES OF DATA COLLECTED
3.1. Identification Information
- Full name and alias
- Email address
- Telephone number
- Postal address
- Unique identifiers (user ID, account ID)
3.2. Professional Information
- Company name
- Job title or position
- Industry or sector
- Business contact information
3.3. Account Data (when registration applies)
- Login credentials
- Subscription or access level
- Account preferences
- Transaction history
3.4. Usage and Browsing Data
- IP addresses
- Browser type and version
- Operating system
- Referrer URLs
- Pages viewed and navigation patterns
- Access timestamps
3.5. Communication Data
- Inquiry and support request records
- Email correspondence
- Chat transcripts
- Call recordings (only with prior express consent)
04. SOURCES OF DATA
4.1. Directly from the User
- Contact and registration forms
- Information or proposal requests
- Newsletter or communication subscriptions
- Support communications
4.2. Automated Collection
- Cookies and similar tracking technologies
- Server logs
- Web analytics tools
- Performance and security monitoring systems
4.3. Third-Party Providers
- Hosting and cloud service providers
- Analytics and metrics services
- Customer Relationship Management (CRM) platforms
05. PURPOSES OF PROCESSING
5.1. Provision and Improvement of the Service
- Manage access and navigation of the Website
- Authenticate users and prevent unauthorized access
- Personalize the user experience based on preferences
- Improve the functionality, security, and performance of the Website
5.2. Regulatory Compliance and Risk Prevention
- Comply with the obligations set forth in the Internal Framework of the HSO Consortium, particularly regarding OFAC General Licenses
- Detect and prevent activities that may constitute violations of international sanctions or money laundering
- Monitor compliance with restrictions applicable to prohibited counterparties and jurisdictions (China, Russia, Iran, North Korea, Cuba), as provided in Chapter 2 of the Internal Framework
- Maintain audit records for regulatory and supervisory purposes
5.3. Commercial and Support Communications
- Respond to inquiries, information requests, or commercial proposals
- Send service updates, Policy changes, or legal notices
- Provide technical assistance and customer support
- Send marketing communications or newsletters, provided the user's prior consent has been obtained
5.4. Security and Fraud Prevention
- Implement technical and organizational security measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction
- Detect and respond to security incidents or suspicious activities
- Perform backups and disaster recovery procedures
5.5. Analytics and Development
- Analyze usage patterns and user behavior to optimize the Website
- Conduct market research and internal statistical studies
- Develop new features, functionalities, or services
06. LEGAL BASES FOR PROCESSING
6.1. Consent
Processing of Personal Data is based on the free, informed, specific, and unambiguous consent of the user, manifested through a statement or a clear affirmative action. In Venezuela, the principle of free will requires prior, free, informed, unequivocal, and revocable consent for the collection and use of personal data.
6.2. Performance of a Contract
Processing is necessary for the performance of a contract to which the user is a party, or for the implementation of pre-contractual measures taken at the user's request.
6.3. Compliance with a Legal Obligation
Processing is necessary to comply with a legal obligation applicable to HSO Consortium, including those derived from OFAC regulations and Venezuelan data protection and computer crime prevention laws.
6.4. Legitimate Interest
Processing is necessary for the legitimate interests pursued by HSO Consortium or by a third party, provided that such interests are not overridden by the interests or fundamental rights of the user. These legitimate interests include Website security, fraud prevention, and continuous improvement of our services.
07. DATA DISCLOSURE
7.1. Service Providers
We may share Personal Data with service providers that perform functions on our behalf, such as: cloud hosting and infrastructure service providers, web analytics and performance monitoring platforms, Customer Relationship Management (CRM) systems, technical support and customer service providers. These providers are contractually obligated to process Personal Data only for the specific purposes established by HSO Consorcio and to maintain adequate levels of security and confidentiality.
7.2. Legal and Regulatory Requirements
We will disclose Personal Data when required by law, regulation, or in response to: subpoenas or court orders, requests from law enforcement authorities, regulatory investigations, including those of OFAC, the U.S. Department of the Treasury, or the U.S. Department of State, protection of our legal rights or those of third parties.
7.3. Business Transfers
In the event of a merger, acquisition, sale of assets, or any other corporate transaction involving HSO Consortium, Personal Data may be transferred to the successor or acquiring entity, provided that such entity agrees to respect the terms of this Policy.
7.4. With User Consent
We may disclose Personal Data for any other purpose with the user's explicit consent.
7.5. Restriction on Disclosure to Sanctioned Countries
In strict compliance with the restrictions set forth in Chapter 2 of the Internal Framework and OFAC General Licenses 46B, 48A, and 49A, HSO Consortium will not transfer or disclose Personal Data to persons or entities located in, organized under the laws of, or connected with China, Russia, Iran, North Korea, or Cuba. Any access request from such jurisdictions will be automatically denied.
08. INTERNATIONAL DATA TRANSFERS
8.1. Transfer Mechanisms
HSO Consorcio operates in multiple jurisdictions, including the United States and Venezuela. International transfers of Personal Data will be carried out using appropriate safeguards, which may include: Standard Contractual Clauses (SCC) approved by the European Commission, adequacy decisions of the European Commission (where applicable), Binding Corporate Rules (BCRs), explicit user consent for the specific transfer.
8.2. Compliance with Venezuelan LOPDP
Within the framework of Venezuela's Organic Law on Protection of Personal Data (LOPDP), international transfers of personal data must be carried out in strict adherence to the constitutional principles of habeas data, privacy, and intimacy, as well as the guidelines issued by the Superintendence of Personal Data Protection through resolutions such as SPDP-SPD-2025-0024-R.
8.3. Supplementary Protection Measures
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Transfer impact assessments to determine risks
- Regular security audits of data recipients
- Data minimization: only strictly necessary information is transferred
09. DATA SECURITY
9.1. Technical Measures
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Access Controls: Multi-factor authentication and Role-Based Access Controls (RBAC)
- Monitoring: Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Perimeter Protection: Next-generation firewalls and network segmentation
- Backups: Regular backup and disaster recovery procedures
9.2. Organizational Measures
- Background checks for personnel with access to sensitive data
- Mandatory and periodic training in information security and data protection
- Access policies based on the "need-to-know" principle
- Incident response plan
- Regular security audits, both internal and external
9.3. Data Breach Notification
In the event of a data breach that may affect the rights and freedoms of data subjects, HSO Consortium will: notify affected data subjects within the timeframes established by applicable law, notify competent regulatory authorities when required, document the breach and the corrective measures implemented.
10. DATA RETENTION
10.1. Retention Periods
- Contact data and inquiries: 2 years from the last interaction
- Audit and compliance records: 5 years, in accordance with OFAC and other applicable regulatory requirements
- User account data: For the duration of the account plus an additional 3 years
- Marketing communications: Until the user withdraws consent
10.2. Criteria for Determining Retention Periods
Retention periods are determined considering: the purpose for which the data was collected, applicable legal and regulatory requirements, legitimate business and operational needs, the existence of pending disputes or litigation.
10.3. Secure Deletion
Once Personal Data is no longer necessary, it will be securely deleted using methods that prevent reconstruction or recovery (physical destruction of media, certified secure erasure, or irreversible anonymization).
11. DATA SUBJECT RIGHTS
11.1. In the United States
| Right | Description |
|---|---|
| Access | Request confirmation of whether we process their Personal Data and access to such data. |
| Rectification | Request correction of inaccurate or incomplete Personal Data. |
| Deletion | Request erasure of their Personal Data, subject to certain legal exceptions. |
| Portability | Receive their Personal Data in a structured, commonly used, machine-readable format. |
| Opt-out of sale | Opt out of the sale of their Personal Data to third parties (HSO Consorcio does not sell personal data). |
| Limitation on use of sensitive data | Limit the use or disclosure of Sensitive Personal Data. |
11.2. In Venezuela
- Right to Habeas Data (Article 28 of the CRBV): Right to access information and data about them held in public or private registries, and to request rectification, updating, confidentiality, or erasure of data that illegitimately affects their rights.
- Right to Privacy and Intimacy (Article 60 of the CRBV): Right to protection of private life, privacy, honor, reputation, and self-image.
- Right to Rectification and Erasure: Right to request correction or deletion of inaccurate, incomplete, or prohibited data.
- Right to Object: Right to object to the processing of personal data on founded and legitimate grounds.
11.3. Exercising Rights
To exercise any of the rights described above, users may contact us through: Email: legal@huronsmithoil.com, Web form: available on the Website in the "Privacy and Data Protection" section, Postal mail: Huron Smith Oil Co & HSO Petroleum Services, 204 Hays St, Batesville, Mississippi, 38606.
12. COOKIES AND TRACKING TECHNOLOGIES
| Cookie Type | Purpose | Legal Basis |
|---|---|---|
| Strictly Necessary | Enable browsing and use of basic Website functions. | Legitimate interest (no consent required). |
| Performance | Collect information on how users interact with the Website. | Consent. |
| Functional | Remember user preferences (language, region, display settings). | Consent. |
| Targeting/Advertising | Track online activity to display relevant ads. | Consent (HSO Consortium currently does not use this type of cookie). |
12.2. Cookie Management
Upon first accessing the Website, a cookie banner will be displayed allowing the user to: accept all cookies, reject all non-essential cookies, configure personalized preferences by category. Users may modify or withdraw their consent at any time through their browser settings or via the cookie preferences panel available on the Website.
13. COMPLIANCE WITH THE INTERNAL FRAMEWORK AND OFAC SANCTIONS
13.1. Alignment with the Consortium's Compliance Architecture
This Privacy Policy operates within the compliance architecture established in Chapter 2 of the Internal Framework, particularly: OFAC General License 49A: HSO Consortium does not collect, process, or disclose Personal Data in a manner that constitutes "material performance" of a contingent contract. Data processing is limited to preparatory activities and due diligence, fully authorized under GL 49A. Counterparty and Jurisdiction Restrictions: In compliance with GL 46B, 48A, and 49A, HSO Consortium will not transfer or permit access to Personal Data from or to persons or entities connected with China, Russia, Iran, North Korea, or Cuba.
13.2. Sanctions List Screening (SDN Screening)
As part of our security and compliance procedures, HSO Consortium performs periodic checks against the Specially Designated Nationals (SDN) list administered by OFAC. Any access or registration attempt from an IP address, domain, or jurisdiction identified on such lists will be automatically blocked and logged for audit purposes.
13.3. Regulatory Reports
If required, HSO Consortium will file mandatory reports with the U.S. Department of the Treasury, the Department of State, and the Department of Energy, as established in GL 48A and 50A, without compromising the confidentiality of users' Personal Data.
14. CONTACT INFORMATION
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your Personal Data, you may contact us through the following channels:
Email: legal@huronsmithoil.com
Postal Mail:
HSO Consortium Venezuela
Attn: Data Protection Office
Huron Smith Oil Co & HSO Petroleum Services, 204 Hays St, Batesville, Mississippi, 38606
Data Protection Officer (DPO): HSO Consortium has appointed a Data Protection Officer who oversees compliance with this Policy and applicable laws. The DPO may be contacted via the email address legal@huronsmithoil.com
15. UPDATES AND MODIFICATIONS
HSO Consortium reserves the right to update or modify this Privacy Policy at any time to reflect changes in our practices, applicable laws, or regulatory requirements.
- Notice of changes: Any material modification will be notified to users through a prominent notice on the Website, at least 30 days prior to its effective date, where possible.
- Effective date: The most current version of this Policy will always be available on the Website, with clear indication of the date of the last update.
- Continued acceptance: Continued use of the Website after any modification becomes effective shall constitute acceptance of such changes by the user.
Date of last update: April 13, 2026
16. ACCEPTANCE OF THE POLICY
By using the Website of the HSO Consortium, the user declares that they have read, understood, and accepted the terms of this Privacy Policy. If the user does not agree with any of the terms set forth herein, they must refrain from using the Website and from providing any Personal Data.
CONTROLLED DOCUMENT – This document forms an integral part of the Work Framework and Internal Regulations of the HSO Consortium. Any unauthorized modification, copying, or distribution is prohibited and will be sanctioned in accordance with the provisions of the Consortium Agreement and applicable laws.
HURON SMITH OIL CO and HSO PETROLEUM SERVICE