Legal Policy

Associate and Contractor Biometric Identity Verification Policy and Written Consent

This Policy applies to Associates/Contractors in the following divisions:

• ☑ UNFI
• ☑ Retail
• ☑ UNFI Canada

Purpose

UNFI, including its present or future affiliates (the “Company”) has instituted this Associate and Contractor Biometric Identity Verification Policy (the “Policy”) to define the policy and procedures for its collection, storage, retention, disclosure, use, protection, and destruction of the data provided by certain individuals employed or engaged by UNFI (“Associates/Contractors”) for the purposes of identity verification when using UNFI systems and devices.

Biometric Data is provided by certain Associates/Contractors in connection with the Company’s user identity verification. It is the Company’s policy to ensure that Associate/Contractor Biometric Data is used and handled in accordance with its relevant policies and Biometric Laws, as defined below.

Scope

This Policy applies to all Associates/Contractors using identity verification technology. For additional information on the Company’s collection and use of Biometric Data, please review the UNFI Associate and Contractor Comprehensive Biometric Policy, which is located on myunfi.com in my policies.

Biometric Data Defined

“Biometric Data” means any biological characteristics of a person, or information based upon such a characteristic, including characteristics such as those defined as “Biometric Identifiers” and “Biometric Information” under Biometric Laws.

“Biometric Identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, or any additional characteristics defined as such under Biometric Laws.

“Biometric Information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual, or any additional characteristic or measurement defined as such under Biometric Laws.

“Biometric Laws” means the Illinois Biometric Privacy Act, 740 ILCS 14/1, et seq., the Texas Biometric Privacy Act, Tex. Bus. & Com. 503.001, et seq., the Washington Biometric Identifiers Act, RCW 19.375.020, et seq., and any other applicable international, federal, state, or local law or regulation governing the collection, possession, or use of biometric data, biometric information, or biometric identifiers.

Purpose for Collection: Identity Verification

The Company has instituted certain procedures pursuant to which it collects, stores, uses, retains, and transmits Biometric Data of Associates/Contractors and job applicants solely for identity verification and background check purposes. As part of the application process and ongoing employment, the Company uses identity verification processes through a third-party vendor to assist with account verification and retrieval.

Biometric Data is collected from an Associate/Contractor or job applicant for purposes of verification, in connection with creation and maintenance of application or employment accounts to promote the security of Company systems and promote safety within the Company. The Company’s vendors and their third-party subcontractors can only access such data pursuant to the Company’s instructions and authorization.

Written Consent

The Company requires Associates/Contractors, as a condition of initial or continued employment and/or engagement, to sign a written consent authorizing the Company, its third-party vendors, and their subcontractors to collect, capture, use, store, obtain, possess, disclose or re-disclose Biometric Data for activities such as described in this Policy, and for equipment servicing, database maintenance, software repair, data restoration or to maintain backup copies necessary for related activities, even if such activities never occur. The written consent is located at the end of this Policy.

Use, Disclosure, Protection, Storage, and Destruction of Biometric Data

Associate/Contractor Biometric Data collected in connection with UNFI’s identity verification platform will only be used for the purposes and related activities set forth in this Policy. The Company will not sell, lease, trade, or otherwise profit from an Associate’s/Contractor’s Biometric Data.

The Company will not disclose, re-disclose, provide access to or otherwise disseminate any Biometric Data outside of the terms of the Policy, unless:

1. The Associate/Contractor or their legally authorized representative provides consent to such disclosure;
2. The disclosed data completes a financial transaction requested or authorized by the Associate/Contractor or their legally authorized representative;
3. The disclosure is required by state or federal law or municipal ordinance; or
4. The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Company vendors and subcontractors have contractually represented that they do not sell, lease, trade or profit from such data, and that they use reasonable standards of care within their industries for any storage, transmittal or protection from disclosure of any such data.

Retention Schedule and Guidelines for Permanently Destroying Biometric Data

The Company shall retain Associate/Contractor Biometric Data only until, and shall request that its vendors and their subcontractors destroy such data, when the first of the following occurs:

1. The initial purpose for collecting or obtaining such Biometric Data has been satisfied, such as the termination of the Associate’s employment or the Contractor’s engagement with the Company, or the Associate/Contractor moves to a role within the Company for which the Biometric Data is not used; or
2. Within 3 years of the Associate’s/Contractor’s last interaction with the Company.

If legal obligations require the Company to retain Biometric Data for longer than the above, the Company will destroy such data not later than the first anniversary of the date the data is no longer required to be maintained by law.

Data Storage

The Company shall use a reasonable standard of care to store, transmit, and protect from disclosure any paper or electronic Biometric Data collected. Such storage, transmission, and protection from disclosure shall be performed in a manner that is the same as or more protective than the manner in which the Company stores, transmits, and protects from disclosure other confidential and sensitive information, including personally identifiable information.

Policy Questions

If you have any questions regarding this Policy or if you have questions that are not addressed in this Policy, please contact Human Resources.

Effective Date: April 29, 2026

WRITTEN CONSENT

As an Associate/Contractor of UNFI (“the Company”), I agree to the following collection, as may be applicable given my role and duties:

• Facial recognition software used by service providers for the purposes of identity verification and account security.

By clicking “Accept” I acknowledge that these devices collect data that may be considered Biometric Data under some laws. I also acknowledge and understand that Biometric Data is used by the Company for security, fraud detection, and safety.

I understand that my Biometric Data will be retained for as long as necessary to satisfy the purposes described above, in accordance with the Policy.

I have reviewed a copy of the UNFI Associate and Contractor Comprehensive Biometric Policy, which is located on myunfi.com in my policies, and I understand that my Biometric Data will be used, retained, protected, and destroyed in accordance with that Policy.

As a condition of my employment, I voluntarily consent to the collection, capture, storage, access to, use, possession, obtaining of, and/or disclosure or re-disclosure of my Biometric Data by the Company, its vendors, and any of their subcontractors in accordance with the UNFI Associate and Contractor Comprehensive Biometric Policy.