Integrated Management System (IMS)
Privacy Policy
Domain: ims.bigoilco.com
This policy explains how Big Oil Co. (the "Company", "we", "us") collects, uses, discloses, and safeguards information in the IMS—our internal software used for operations, billing, and related business processes. IMS is for authorized users only (employees, contractors, and approved vendors/partners). It is not intended for the general public or consumers.
Effective Date: · Version: 1.0
1. Scope & Audience
This policy applies to information processed in IMS by or on behalf of Big Oil Co. It covers authorized users such as employees, contractors, temporary workers, and approved vendors/partners with access to IMS. IMS may integrate with other internal systems (e.g., HR, finance, procurement, field operations). In the event of conflict, your employment/contractor agreement and applicable Company policies (e.g., Information Security Policy, Acceptable Use Policy) control.
2. Data We Collect
- Identity & Profile: name, employee/contractor/vendor ID, role, department, manager, profile photo (if provided).
- Contact Details: work email, phone, business address; limited personal contact details where required for payroll, benefits, or emergency purposes as permitted by policy and law.
- Authentication & Access: usernames, SSO identifiers, roles/permissions, MFA metadata, session tokens, password hashes (if applicable), and audit trails of sign-ins and access events.
- Operational Records: work orders, job tickets, production and field operations data, scheduling data, time entries, location tied to job sites (where operationally necessary), asset IDs, maintenance logs, and incident reports.
- Billing & Financial: invoices, purchase orders, vendor records, payment status, amounts, currencies, tax identifiers, and remittance details (for vendors and partners).
- Content & Files: attachments, forms, notes, comments, and communications sent through IMS (e.g., support or operations messaging).
- Device & Usage: IP address, approximate location from IP, device identifiers, browser/user-agent, pages and features used, clickstream, error/diagnostic logs, performance metrics, and cookie/SDK events necessary for security and reliability.
- Integrations: data synchronized from other systems (HRIS, finance/ERP, inventory, identity provider, ticketing, etc.).
Sensitive information (e.g., health data) is not intentionally collected by IMS unless required for a specific operational purpose and authorized by policy and law.
3. Sources of Data
- You (data you enter in IMS or provide to HR/IT/Finance).
- Your manager, team, and authorized Company departments.
- Automated collection via IMS (application logs, security systems, monitoring, cookies/SDKs).
- Integrated systems (identity provider, HRIS, ERP, procurement, operations tooling).
- Vendors and partners who interact with IMS for work-related purposes.
4. How We Use Data
- Provide, operate, and maintain IMS and related services.
- Support operations, scheduling, asset management, procurement, and field activities.
- Process billing, invoicing, payments, and financial reconciliation.
- Enforce access controls, authenticate users, and ensure system integrity.
- Monitor performance, debug issues, and improve reliability and usability.
- Comply with legal/regulatory obligations (e.g., tax, audit, safety, recordkeeping).
- Protect the Company, its personnel, and its assets (fraud prevention, incident response, security monitoring).
- Train personnel and develop new features consistent with this policy and applicable law.
5. Legal Bases
Where required by applicable law, our processing may rely on:
- Contractual necessity (to perform employment or contractor agreements and operate IMS).
- Legitimate interests (to secure systems, manage operations, and improve services), balanced against user interests/rights.
- Legal obligations (e.g., recordkeeping, safety, tax, audit, and compliance).
- Consent where required (we will request it and allow withdrawal where feasible).
7. Retention
We retain information only as long as necessary for the purposes above and to meet legal, tax, audit, and safety requirements. When no longer needed, data is securely deleted or de-identified. Illustrative targets (adjust to your schedule):
| Category | Typical Retention | Notes |
|---|---|---|
| Authentication & Audit Logs | 12–24 months | Longer if required for security investigations. |
| Operational Records | 7 years | Business & regulatory recordkeeping. |
| Billing & Financial | 7 years | Tax/audit requirements. |
| Support Tickets & Attachments | 2–4 years | Aligned to operational needs. |
8. Security
- Encryption in transit and at rest for applicable data stores.
- SSO with MFA for privileged roles; least-privilege access control and periodic access reviews.
- Network segmentation, secrets management, and hardened configurations.
- Secure SDLC: code review, dependency scanning, and vulnerability management.
- Monitoring, alerting, logging, and incident response procedures.
- Employee training and confidentiality obligations.
9. International Transfers
IMS may be hosted or supported in locations outside your province/state or country. Where required, we implement appropriate safeguards (e.g., Standard Contractual Clauses, data processing agreements) and limit access to authorized personnel.
10. Your Choices & Rights
Subject to applicable law and Company policy, you may have rights to access, correct, or delete certain information, or to object/restrict certain processing. Some requests may be limited where processing is required by law or necessary for business operations. To exercise rights, contact the Office at hr@bigoilco.com.
11. Automated Decision‑Making
IMS does not perform automated decision-making that produces legal or similarly significant effects without human review. Where automation is used (e.g., routing, prioritization), it supports, and does not replace, human decision-makers.
12. Children's Data
IMS is a workplace tool and is not intended for children. No one under the age of 16 should access IMS.
13. Changes to this Policy
We may update this policy from time to time. Material changes will be communicated through appropriate internal channels (e.g., IMS banner, email, or policy portal). The "Effective Date" above reflects the latest version.
14. Contact Us
Questions or requests? Contact the Office at hr@bigoilco.com. You may also contact your HR representative or the Information Security team at dev@bigoilco.com.