Global Privacy and Data Sovereignty Policy

Document Reference: GG-PDP-2025-V3

Effective Date: May 23, 2025

1. PURPOSE AND INSTITUTIONAL COMMITMENT

Gneffin Group, along with its global subsidiaries, affiliates, and international operational nodes (collectively, "Gneffin," "we," "us," or "our"), operates under strict compliance frameworks to safeguard the integrity, confidentiality, and sovereignty of all corporate, transactional, and technical data entrusted to us.

This Global Privacy and Data Sovereignty Policy (the "Policy") establishes an absolute legal and technical standard for how Gneffin collects, processes, encrypts, and retains proprietary enterprise information. By engaging our technology-enabled professional consulting services, accessing our infrastructure, or requesting a Strategic Tariff Audit, you (the "Client" or "User") explicitly acknowledge and agree to the protocols detailed herein.

2. RIGOROUS DATA TAXONOMY AND SCOPE

Unlike consumer-facing platforms, Gneffin processes highly sensitive industrial and financial datasets. We classify collected data into three distinct tiers, each subjected to rigorous security isolation:

2.1. Tier 1: Proprietary Engineering & Technical Data

This encompasses all data required for neural HTS (Harmonized Tariff Schedule) classification alignment, including but not limited to:

  • Computer-Aided Design (CAD) files, technical blueprints, and engineering schematics.
  • Bills of Materials (BOM), chemical composition matrices, CAS numbers, and material safety data sheets (MSDS).
  • Product functionality descriptions, frequency modulations, and proprietary component descriptions.

2.2. Tier 2: Commercial & Transactional Financial Data

This encompasses documents required for structural tariff arbitrage and retroactive duty drawback analysis, including but not limited to:

  • Commercial invoices, packing lists, ocean bills of lading, and air waybills.
  • Historical customs entry summaries (e.g., CBP Form 7501), liquidations, and prior administrative rulings.
  • Freight spend logs, valuation declarations, and international corporate structure mapping.

2.3. Tier 3: Corporate & Professional Identity Data

This includes institutional contact parameters, authorized personnel credentials, corporate tax identification numbers, and digital interaction logs across our secure communication channels.

3. LEGAL BASIS FOR PROCESSING AND PROPRIETARY AI BOUNDARIES

Gneffin processes Tier 1, Tier 2, and Tier 3 data strictly under the legal constructs of Contractual Necessity and Legitimate Business Interest.

3.1. Sealed Neural Training Protocol

Gneffin utilizes proprietary, internally hosted artificial intelligence models to execute tariff optimization. Client data is ingested into logically isolated, single-tenant environments.

3.2. Absolute Non-Aggregation Warranty

Gneffin strictly guarantees that proprietary Client data (such as proprietary component designs or BOMs) will NEVER be aggregated into public large language models (LLMs), external neural networks, or shared cross-client databases. Your corporate competitive advantages and trade secrets remain structurally protected and exclusive to your organization.

4. DATA SECURITY ARCHITECTURE AND DEFENSE-IN-DEPTH

Gneffin implements an enterprise-grade security infrastructure aligned with SOC 2 Type II and ISO/IEC 27001 standards:

  • Cryptographic Standards: All data is encrypted with AES-256 at rest and with enforced TLS 1.3 in transit.
  • Logical Siloing: We enforce cryptographic multi-tenancy. No data from one Client can physically or logically interface with the analytical pipeline of another Client.
  • Administrative Access Control: Access to raw Client documentation is strictly limited via the Principle of Least Privilege (PoLP). Only designated Strategic Architects with validated security clearances are granted temporary, audited access to perform verification.

5. INTERNATIONAL TRANSFERS AND CROSS-BORDER DATA SOVEREIGNTY

Gneffin operates a global trade intelligence network with primary corporate nodes and operational data infrastructures spanning Hong Kong, the United Kingdom, and Shenzhen.

  • Compliance with Global Frameworks: We ensure cross-border data transfers comply with the EU/UK General Data Protection Regulation (GDPR), the Hong Kong Personal Data (Privacy) Ordinance (PDPO), and the China Personal Information Protection Law (PIPL) where applicable.
  • Standard Contractual Clauses (SCCs): For European and British enterprises, Gneffin structurally integrates Standard Contractual Clauses into service frameworks to guarantee identical data sovereignty protections outside the EEA.

6. MANDATORY GOVERNMENT AND REGULATORY DISCLOSURE PROTOCOLS

Gneffin will not disclose Client data to any third-party marketing entities, logistics competitors, or public repositories. Disclosure to government entities (such as U.S. Customs and Border Protection, His Majesty's Revenue and Customs, or equivalent regulatory bodies) will ONLY occur under the following conditions:

  • Upon direct, written authorization and legal instruction from the Client.
  • When compelled by a legally binding, non-appealable subpoena, court order, or statutory warrant issued by a court of competent jurisdiction. In such events, Gneffin will notify the Client immediately, unless legally prohibited, to allow the Client to seek protective orders.

7. RETENTION, SANITIZATION, AND CERTIFICATE OF DESTRUCTION

Gneffin retains data only for the duration required to execute the requested optimization strategy or to fulfill statutory audit trail obligations. Upon completion of service or formal contract termination, the Client may issue a written request for data sanitization. Gneffin will permanently purge all Tier 1 and Tier 2 data from its active storage arrays within thirty (30) business days and, upon request, issue a formal Certificate of Data Destruction.

8. CONTACT AND DATA PROTECTION OFFICER (DPO)

For all corporate legal counsel inquiries, data sovereignty audits, or encryption protocol verifications, please contact our global compliance desk at: dpo@gneffin.com