Privacy Policy

Corporate Policy

Policy Title: Global Privacy Policy

Effective Date: September 23, 2016

Revised: November 3, 2025

Author: Aileen R. Schwartz, Senior Vice President, General Counsel Americas and Chief Privacy Officer

Approver: Elise Greenspan, Chief Legal Officer and Chief Compliance Officer

1.0 PURPOSE

Hill International, Inc. and its operating divisions, subsidiaries, affiliates and branches (collectively, “Hill,” the “Company,” “we,” “us” or “our”) are sensitive to privacy issues, and it is important to us to protect the Personal Data of our Clients, Suppliers, and potential, current and former Employees (“you” or “your”). Accordingly, Hill provides this privacy and information practices policy to inform you about our data handling practices and how you can exercise the privacy rights you may have (“Privacy Policy”).

1.1 SCOPE

This Privacy Policy applies to the Personal Data of our Clients, Suppliers, and potential, current and former Employees that are Processed by Hill in the course of our internal business operations. All individuals whose responsibilities include the Processing of Personal Data on behalf of Hill are expected to protect Personal Data by adherence to this Privacy Policy. This Privacy Policy is intended to address Hill’s data protection obligations globally, including those in North America, Europe, APAC, and other jurisdictions but may be supplemented by additional privacy policies and notices to address or provide additional details regarding local jurisdictions or contexts and through other legally valid methods, including international data transfer agreements.

This Privacy Policy applies to all current Hill operating divisions, subsidiaries, affiliates and branches and any that Hill may subsequently form.

2.0 TRANSPARENCY/NOTICE-WHAT PERSONAL DATA WE COLLECT AND HOW WE USE IT

The categories of Personal Data we may collect (directly from you or from Third Party sources) and our privacy practices depend on the nature of the relationship you have with Hill and the requirements of applicable law. We endeavor to collect only relevant information for lawful purposes of Processing. When we collect Personal Data from you, it may be (i) to fulfill a contract, such as employment contracts; (ii) to fulfill compliance obligations; (iii) to protect your or another individual’s vital interests; (iv) to perform a task in the public interest; or (v) for purposes of our or a Third Party’s legitimate interests, or other legal bases as permitted by law.

Below are some of the ways we collect information and how we use it.

Please refer to the Hill Web Privacy Statement for information on how we collect and use information associated with our public-facing Hill corporate websites and notices made available on those platforms.

2.1 Clients

Hill collects Personal Data regarding its current, prospective and former clients, customers, visitors and guests (collectively “Clients”). Client Personal Data we collect includes information relating to the sale or support of Hill’s program management, project management, construction management, project management oversight, construction claims, dispute resolution, advisory, facilities management, and other consulting services, including title, name, address, phone number, email address, government identification (such as driver’s license, passport or national identity numbers), and financial information related to payments for services or goods. Additionally, where permitted, we may collect location information regarding our Clients’ workers, including through GPS tracking technology on Company-owned vehicles, tools or other devices.

We acquire, hold, use and Process Personal Data about Clients for a variety of business purposes including to:

Applications, services, and systems, and, in Hill’s discretion, changes to any Hill policy;

improve Hill Applications and systems; develop new products, processes, and services;

undertake internal research for technological development and demonstration;

2.2 Suppliers

Hill collects Personal Data regarding its current, prospective, and former suppliers, distributors, subcontractors and strategic partners (collectively “Suppliers”). Supplier information we collect relates to the management of Suppliers and the receipt of their products and services. It may include title, name, address, phone number, email address, government identification (such as driver’s license, passport or national identity numbers), and financial information related to payment for goods and services.

We acquire, hold, use and Process Personal Data about Suppliers for a variety of business purposes including to:


develop new products, processes, and services; process applications and transactions; and

for purposes disclosed at the time Suppliers provide Personal Data or otherwise with consent.

2.3 Human Resources (“HR”) Data

Hill collects Personal Data from current, prospective, and former Employees, their contact information in case of a medical emergency, and beneficiaries under any insurance policy (“HR Data”). HR Data we collect may include title, name, address, phone number, email address, date of birth, passport number, driver’s license number, Social Security number, financial information related to credit checks, bank details for payroll, information that may be recorded on a CV or application form, or in Hill’s applicant tracking system, contact information of Third Parties in case of an emergency, and beneficiaries under any insurance policy. We may also collect Sensitive Personal Information such as details of health and disability, including mental health, medical leave, and parental leave, as well as information relating to trade union membership.

We acquire, hold, use and Process HR-related Personal Data for a variety of business purposes including:

shareholder management; restructuring and relocation; emergency contacts and services;

Biometric information collection. While Hill does not generally collect biometric information, we may collect limited biometric information, including potentially Employee fingerprints and facial recognition data, if required by certain Clients to access their job sites. Hill may also require some Employees to provide this information in high-security situations. In these situations, additional data collection and processing information will be provided, consent will be sought consistent with any applicable laws, and biometric information will only be accessible to Hill IT staff, service administrators, and to applicable Clients as required.

2.4 Information from Third Party Sources

Hill may collect information about Clients and Suppliers from Third Party sources, including email, phone numbers and/or other contact or business information to supplement its existing information. This supplemental information allows Hill to verify information that the Client or Supplier has provided to Hill and to enhance our ability to provide information about our business, products and services. Hill’s agreements with these Third Party sources typically limit how the Company may use this supplemental information.

2.5 Direct Mail, Email and Outbound Telemarketing

Clients and Suppliers who provide us with Personal Data, or whose Personal Data we obtain from Third Parties, may receive periodic emails, mailings or phone calls from us with information on our products and services or upcoming special offers/events we believe may be of interest, in accordance with applicable law. We offer our Clients and Suppliers the option to object at any time by opting out of any such direct marketing communications at no cost to the individual Client or Supplier.

2.6 Research/Survey Solicitations

From time to time, Hill may perform research (online and offline) via surveys. We may engage Third Party service providers to conduct such surveys on our behalf. All survey responses are voluntary, and the information collected will be used for research and reporting purposes to help us to better serve Clients and Suppliers by learning more about their needs and the quality of the products and services we provide. The survey responses may be utilized to determine the effectiveness of our Applications, various types of communications, advertising campaigns and/or promotional activities. If a Client or Supplier participates in a survey, the information given will be used along with that of other study participants. We may share de-identified individual and aggregate data for research and analysis purposes.

2.7 Mobile Computing

Hill may provide websites and online resources necessary to the execution of Employee or Contractor duties that are specifically designed to be compatible with and used on mobile computing devices. Mobile versions of Hill’s Applications may require that users log in with an account. In such cases, information about use of each mobile version of the website may be associated with user accounts. In addition, Hill may enable individuals to download an application, widget or other tool that can be used on mobile or other computing devices. Some of these tools may store information on mobile or other devices like a device identifier, IP address, user settings, location information, mobile carrier, and the operating system of your device. These tools may transmit Personal Data to Hill to enable Data Subjects to access user accounts and to enable Hill to track use of these tools. Some of these tools may enable users to e-mail reports and other information from the tool. Hill may use Personal Data or non-identifiable information transmitted to the Company to enhance these tools, to develop new tools, for quality improvement and as otherwise described in this Privacy Policy or in other notices Hill provides.

3.0 CHOICE/MODALITIES TO OPT OUT (RIGHT TO OBJECT TO PROCESSING)

You have the right to object to and opt out of certain uses and disclosures of your Personal Data, as set out in this Privacy Policy.

3.1 General

Where you have consented to Hill’s Processing of your Personal Data, you may withdraw that consent at any time. Additionally, before we use Personal Data for any new purpose not consistent with the uses described in this Privacy Policy, we will provide information regarding the new purpose and give you the opportunity to opt out.

Prior to disclosing Sensitive Data to a Third Party or Processing Sensitive Data for a purpose other than its original purpose or the purpose authorized subsequently by the Data Subject, Hill will endeavor to obtain each Data Subject’s explicit consent (opt-in) where required by law. Where consent of the Data Subject for the Processing of Personal Data is otherwise required by law or contract, Hill will comply with the law or contract.

3.2 Human Resource Data

With regard to Personal Data that Hill receives in connection with the employment relationship, Hill will use such Personal Data only for employment-related purposes (e.g., tax, payroll, benefits), as more fully described in Section 2.3 above. If Hill intends to use this Personal Data for any other purpose, Hill will provide the Data Subject with an opportunity to opt-out of such uses (e.g., charity, health club membership). Employees in certain jurisdictions, such as California, the European Union, and India, may have statutory Personal Data rights to: be informed about data use, collection and processing; access, rectify, erase, restrict or object to certain processing; data portability; and automated decision-making. Hill may retain Personal Data that is necessary for the performance of the employment and for internal purposes we describe to you. For questions about these rights and if you require assistance in exercising these rights contact Hill’s Chief Privacy Officer/Grievance Officer at privacyofficer@hillintl.com.

3.3 Automated Decision Making and Profiling

Hill does not currently engage in automated decision making (ADM) (i.e., makes a decision solely based on the automated processing of your Personal Data, for example using software, artificial intelligence or other rating or scoring algorithms) or profiling (i.e. using ADM to evaluate, analyze, or predict aspects about a person such as work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements). To the extent Hill engages in ADM or profiling, if and as applicable, and to the extent required by applicable law, we will obtain consent and honor your right to not be subject to decision making which is solely based on automated processing and profiling when that decision results in legal effects or otherwise significantly affects you.

4.0 ONWARD TRANSFER

The categories of third parties with whom we share your information, and the purposes for this sharing, are described below. Hill does not sell or otherwise disclose Personal Data about you, except as described in this Privacy Policy, Hill’s Web Privacy Notice or as you explicitly consent.

4.1 Third Parties That May Receive Personal Data

To other Clients and Suppliers. As part of our Services, we may share Personal Data with other Clients and Suppliers in order to create and track project proposals and job status.

Service Providers. We may share your Personal Data with our third-party service providers who use that information to assist us in providing you with a product or service. Service providers may include for example, applicant recruitment firms; evaluation and management services; payroll, insurance and other Employee-related benefits; security; travel services; cellular service; facilities management; IT; hosting; payment processing; customer service and related services.

Hill requires its service providers to agree in writing to maintain the confidentiality and security of Personal Data and to Process Personal Data only for the purposes authorized by and pursuant to Hill’s instructions.

Business Partners. We may share your Personal Data with business partners with whom we jointly offer products or services.

Disclosure to Affiliated Companies. We may share your Personal Data with our operating divisions, subsidiaries, affiliates, and branches to share knowledge of our users in different markets and otherwise run our business.

Disclosures to Protect Ourselves or Others. We may disclose information about you: (i) if we are required to do so by law, court order, subpoena or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation; (iv) to enforce Hill policies or contracts; (v) to collect amounts owed to Hill; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) in the good faith belief that disclosure is otherwise necessary or advisable. In addition, from time to time, server logs may be reviewed for security purposes - e.g., to detect unauthorized activity on the Applications. In such cases, server log data containing IP addresses may be shared with law enforcement bodies in order that they may identify users in connection with their investigation of the unauthorized activities.

Disclosure in the Event of Merger, Sale, or Other Asset Transfers. We reserve the right to disclose or transfer any information we have about you in the event of a proposed or actual purchase, any reorganization, sale, lease, merger, joint venture, assignment, amalgamation or any other type of acquisition, disposal or financing of all or any portion of our business or of any of the business assets or shares (including in connection with any bankruptcy or similar proceeding). Should such an event occur, Hill will disclose your Personal Data in accordance with applicable law and notify you of this change as required by law and/or contract.

4.2 International Data Transfers

You agree that all Personal Data sent or collected by Hill may be transferred, Processed, and stored anywhere in the world, including but not limited to, in the United States, on the cloud, our servers, the servers of our affiliates or the servers of our service providers. When providing Personal Data to Hill, you acknowledge that your Personal Data may be Processed in jurisdictions which may have privacy protections less stringent than those afforded by your jurisdiction.

5.0 YOUR RIGHTS

In accordance with applicable law, you may have the right to exercise any of the rights listed below; to do so, contact us as set forth in Section 8 below. We will process such requests in accordance with applicable laws and will not discriminate against you or an authorized agent acting on your behalf for seeking to exercise any of these rights.

Hill makes good faith efforts to honor Data Subjects’ requests to exercise their privacy rights. However, there may be circumstances in which Hill is prevented or otherwise unable to fulfill such a request. If Hill determines that access should or may legally be restricted, we will timely provide you with legally required information.

6.0 RETENTION

Hill retains the Personal Data we receive as described in this Privacy Policy based on the following criteria. We will retain Personal Data for as long as you use our Applications or as necessary to fulfill the purpose(s) for which it was collected, provide our products and services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, or based upon such other criteria, including, but not limited to, the sensitivity and volume of such data, required to comply with contracts, Hill policies and applicable laws and legal requirements.

7.0 SECURITY

The security of all Personal Data provided to Hill is important to us, and Hill takes reasonable steps designed to protect your Personal Data, including against unauthorized or unlawful Processing and against accidental loss, destruction or damage, endeavoring to use appropriate technical or organizational measures. Unfortunately, no data transmission over the Internet or storage of information can be guaranteed to be 100% secure. As a result, while Hill strives to protect your Personal Data, we cannot ensure or warrant the security of any information you transmit to Hill, and you do so at your own risk. If we learn of a security system’s breach, we will notify you as required under applicable law.

8.0 REDRESS / COMPLIANCE AND ACCOUNTABILITY

If after reviewing this Privacy Policy, you would like to contact us about our privacy practices or exercise any of your data subject rights, please send a written request to:

Hill International, Inc.

Attn: Chief Privacy Officer/Grievance Officer

One Commerce Square

2005 Market Street, 17th Floor

Philadelphia, PA 19103

1-833-235-4057

privacyofficer@hillintl.com

Hill will address your concerns and attempt to resolve any privacy issues in a timely manner, as required under applicable law.

9.0 OTHER RIGHTS AND IMPORTANT INFORMATION

9.1 Changes to the Privacy Policy

Hill may update this Privacy Policy from time to time as it deems necessary in its sole discretion. If there are any material changes to this Privacy Policy, Hill will notify you as required by applicable law. Hill encourages you to review this Privacy Policy periodically to be informed regarding how Hill is using and protecting your Personal Data and to be aware of any policy changes. Your continued relationship with Hill after the posting or notice of any amended Privacy Policy shall constitute your agreement to be bound by any such changes. Any changes to this Privacy Policy take effect immediately after being posted or as otherwise provided by Hill.

9.2 Compliance

Hill has implemented this Privacy Policy and put in place mechanisms to verify ongoing compliance with this Privacy Policy. Any individual who violates this Privacy Policy will be subject to disciplinary procedures.

10.0 DEFINITIONS

“Agent” means any Third Party that processes Personal Data pursuant to the instructions of, and solely for, Hill or to which Hill discloses Personal Data for use on its behalf.

“Applications” or “Hill Applications” means any of Hill’s current or future brand websites, any mobile applications we may create, and other public-facing or internal-use web-based or digital properties.

“Data Subject” is an identified or identifiable natural person.

“Employee” refers to any current, temporary, permanent, prospective or former Employee, director, contractor, consultant, worker or retiree of Hill or its subsidiaries worldwide.

“Personal Data” is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject including without limitation any information that qualifies as “personal information”, or other similar terms as defined under applicable law and includes Sensitive Data (each, as defined below); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Sensitive Personal Information” is a subset of Personal Data, which due to its nature has been classified by law or by policy as deserving additional privacy and security protections. Sensitive Personal Information includes (a) all government-issued identification numbers (including US Social Security numbers, Canadian Social Insurance numbers, driver’s license numbers and passport numbers); (b) individual financial account numbers (bank account numbers, credit card numbers, and other information if that information would permit access to a Data Subject’s financial account); (c) Data Subject employment, financial, credit, genetic, biometric or medical/health information; (d) Personal Data obtained from a US individual reporting agency and subject to the Fair Credit Reporting Act; (e) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record of EU Data Subjects; or (f) account passwords or other information that falls within the definition of “special categories of data,” “sensitive data” or “nonpublic personal information” under applicable data protection laws or personal information as defined in applicable data breach notification laws.

“Third Party” or “Third Parties” is/are any natural or legal person(s), public authority, agency or body other than a Data Subject (including Hill’s Clients, Suppliers and Employees), Hill or Hill’s Agents.

11.0 SUPPLEMENTAL NOTICE FOR CHINA RESIDENTS

This Supplemental Notice for China only applies to our processing of Personal Data of our Clients, Suppliers, and potential, current and former Employees that is subject to the applicable data protection laws of China, including the Personal Information Protection Law (“PIPL”).

Your Privacy Rights. In addition to the applicable rights listed above in Section 5, you have the following additional data subject rights: the right to request an explanation on how your Personal Data is handled, the right to file a lawsuit, and the right to allow your next of kin to exercise any of your rights unless other arrangements have been made before your death. For purposes of the PIPL, the Hill Chief Privacy Officer/Grievance Officer is your data handler, and data subject requests may be directed to the contact information provided in Section 8 above.

International Transfers. When transferring Personal Data which originates in China internationally, we will comply with the applicable requirements governing the transfer and processing of such data. Providing Hill information for employment or otherwise during the Services or through the website constitutes your consent for our international transfer of your data.

List of Entrusted Persons. If permitted under applicable law, Data Subjects may request a copy of our service providers (entrusted persons).

12.0 SUPERSEDED DOCUMENTS

Document Number & Revision | Title
DMWEST #6675537 v2 (August 2015) | Hill International Inc., Safe Harbor Privacy Policy
(May 2017) | Hill International, Inc., Privacy Shield Policy

13.0 CHANGE LOG

Document all modifications to this Policy by date (oldest to the most recent), and include when Policy was initially released and expired.

Date | Rev | Change Made | Reason | Name
September 23, 2016 | A | New Policy | EU-U.S. Privacy Shield | Aileen R. Schwartz
April 12, 2017 | B | Revised Policy | Swiss-U.S. Privacy Shield | Aileen R. Schwartz
May 8, 2017 | C | Revised Policy | Information Regarding Children Updated Legal Entities | Aileen R. Schwartz
May 26, 2017 | D | Revised Policy | Information Regarding Applicant Tracking Updated | Aileen R. Schwartz
March 1, 2018 | E | Revised Policy | Information Regarding Automated Profiling Updated | Aileen R. Schwartz
September 24, 2018 | F | Revised Policy | Updated address Business Units, Legal Entities, Mobile Applications and Analytics | Aileen R. Schwartz
July 22, 2025 | G | Revised Policy | Extracted elements for inclusion in separate Web Privacy Policy. | Aileen R. Schwartz
May 2, 2019 | F | Revised Policy | Updated to address Title Changes, Legal Entities, Analytics and New Privacy Requirements | Aileen R. Schwartz
September 21, 2020 | G | Revised Policy | Updated to address New CCPA and Other Privacy Requirements | Aileen R. Schwartz
August 10, 2021 | H | Revised Policy | Removed Privacy Shield and updated list of affiliates, and added reference to India | Aileen R. Schwartz
August 9, 2022 | I | Revised Policy | Updated New CPRA, PIPL, and other Privacy Requirements | Aileen R. Schwartz
April 28, 2023 | J | Revised Policy | Updated to address Final CCPA/CPRA Regulations | Aileen R. Schwartz
November 3, 2025 | K | Revised Policy | Policy scope revised and reorganized | Aileen R. Schwartz