CCPA Privacy Policy and Notice

Effective Date: January 12, 2024

This Privacy Policy for California Residents supplements the information contained in Shionogi's General Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California ("consumers" or "you"). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA), and any terms defined in the CCPA and CPRA have the same meaning when used in this Policy.

Information We Collect

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device ("personal information"). Personal information does not include:

Publicly available information from government records.
Deidentified or aggregated consumer information.
Information excluded from the CCPA's scope, like:
- health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or other qualifying research data;
- personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.

In particular, we collected the following categories of personal information from consumers within the last twelve (12) months:

Category	Examples	Collected
A. Identifiers.	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.	YES
B.	Personal information categories listed in the California Customer Records statute. A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.	YES
C. Protected classification characteristics under California or federal law.	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).	YES
D. Commercial information.	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	NO
E. Biometric information.	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	NO
F. Internet or other similar network activity.	Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.	YES
G. Geolocation data.	Physical location or movements.	NO
H. Sensory data.	Audio, electronic, visual, thermal, olfactory, or similar information.	NO
I. Professional or employment-related information.	Current or past job history or performance evaluations.	YES
J. Non-public education information (per the Family Educational Rights and Privacy Act).	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	YES
K. Inferences drawn from other personal information.	Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	NO

We obtain the categories of personal information listed above from the following categories of sources:

Directly from you. For example, from forms you complete or products and services you purchase.
Indirectly from you. For example, from observing your actions on our Website.
Data Brokers. For example, we may receive information from data brokers, which helps us understand trends in healthcare and assists in our research and development activities.
Vendors. For example, we may acquire information from our vendor partners involved in managing and conducting clinical trials or other outsourced research and development services.
Health Care Professionals. For example, we may receive information from physicians or other healthcare providers involved in your care or the conduct of our clinical trials.

Retention of Personal

We will keep the personal information we collect only for as long as necessary to carry out the purposes for which it was collected or as required under applicable law. We dispose of the information we collect in accordance with our retention policies and procedures.

Use of Personal Information

We may use or share the personal information we collect for one or more of the following purposes:

To fulfill or meet the reason for which you provided the information.
To provide, support, personalize, and develop our Website and its services: For instance, we may use your browsing history to enhance and personalize your user experience.
To Provide Access to and Support for Our Portal and Platform: We collect names and email addresses to facilitate access to our portal and scientific platform.
To process transactions, manage clinical trial compensation, and prevent transactional fraud: We use personal information to ensure accurate and safe transactions.
To provide support and to respond to inquiries: This includes to respond to requests for medical information and to appropriately report adverse events or complaints.
To personalize your Website experience and to deliver content and research updates relevant to your interests: For example, if you have shown interest in a specific type of clinical trial, we might provide you with related updates.
To providing advertising or marketing services, including targeted advertising.
To help maintain the safety, security, and integrity of our Website, research data, databases, and other technology assets, and business: We may use your information to enhance our security measures and prevent any fraudulent activities.
For testing, research, analysis, and product development: We use collected information to facilitate our drug research and development, improve our services, and develop new treatment approaches.
For compliance investigations: We may use your personal information to investigate and address compliance-related concerns or issues to ensure adherence to regulatory standards, our internal policies, and ethical guidelines.
For regulatory reporting purposes: We gather certain personal information to meet our obligations under the Physician Payments Sunshine Act, a regulation requiring reporting of certain transactions between pharmaceutical companies and healthcare providers.
To facilitate marketing communications: We may use your information to send you marketing materials and updates about our products, services, and research developments.
For our speaker bureau programs: For instance, if you are a speaker or participant, we might use your personal details to coordinate the program, manage schedules, and communicate updates.
For hospital credentialing: We may use your information during the credentialing process if you are a healthcare professional associated with a hospital or a similar institution.
For evaluating health care professional credentials: We may use your personal information to assess your qualifications as a healthcare professional in order to assign Fair Market Value rates for engagements.
To verify employment eligibility and conduct background checks: We use personal information to confirm eligibility for employment in compliance with applicable laws and regulations, and to conduct pre-employment background checks.
To create employee records: We often require certain personal identifiers to create comprehensive employee records to be used our internal management and operational processes.
To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations: We may disclose your personal information when legally obligated.
As described to you when collecting your personal information or as otherwise set forth in the CCPA.
To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our consumers is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Use of Sensitive Personal Information

While we collect sensitive personal information, we do not use or disclose such information for purposes other than:

To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
To detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information, provided that the use of your personal information is reasonably necessary and proportionate for this purpose.
To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of your personal information is reasonably necessary and proportionate for this purpose.
To ensure the physical safety of natural persons, provided that the use of your personal information is reasonably necessary and proportionate for this purpose.
For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer's current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction with us.
To perform services on our behalf, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf.
To verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for us, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for us, or controlled by us.

Disclosing Personal Information

We may disclose your personal information to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract.

In the preceding twelve (12) months, we may have disclosed personal information for a business purpose to the categories of third parties indicated in the chart below.

Personal Information Category	Disclosed to the Following Categories of Third-Party Recipients
A. Identifiers.	Advertising networks Data Analytics Providers Business partners, including employee benefits providers; printing and distributing marketing vendors, speaker bureau programs, hospital credentialing services, and outside legal counsel under attorney-client privilege Government agencies, such as the U.S. Department of Health and Human Services and the U.S. Department of Homeland Security (through the E-Verify system), and the U.S. Equal Employment Opportunity Commission (through their EEO-1 reporting system)
B. Personal information categories listed in the California Customer Records statute.	Advertising networks Data Analytics Providers Business partners, including employee benefits providers; printing and distributing marketing vendors, speaker bureau programs, hospital credentialing services, and outside legal counsel under attorney-client privilege Government agencies, such as the U.S. Department of Health and Human Services and the U.S. Department of Homeland Security (through the E-Verify system), and the U.S. Equal Employment Opportunity Commission (through their EEO-1 reporting system)
C. Protected classification characteristics under California or federal law.	Government agencies, such as the U.S. Equal Employment Opportunity Commission (through their EEO-1 reporting system)
F. Internet or other similar network activity.	Advertising networks Data Analytics Providers
I. Professional or employment-related information.	Data Analytics Providers
L. Sensitive Personal Information	Government agencies, such as the U.S. Department of Homeland Security (through the E-Verify system)

The CCPA defines “share” as sharing, renting, releasing, disclosing, disseminating, making available, transferring a consumer's personal information to a third party for cross-context behavioral advertising. In the preceding twelve (12) months, we have shared personal information for a business purpose to categories of third parties as follows:

Personal Information Category	Shared With the Following Categories of Third-Party Recipients
A. Identifiers	Advertising networks Data Analytics Providers Editorial and Publishing Outlets
B. Personal information categories listed in the California Customer Records statute.	Advertising networks Data Analytics Providers
F. Internet or other similar network activity.	Advertising networks Data Analytics Providers

Personal Information Category

Shared With the Following Categories of Third-Party Recipients

A. Identifiers

Advertising networks

Data Analytics Providers

Editorial and Publishing Outlets

B. Personal information categories listed in the California Customer Records statute.

Advertising networks

Data Analytics Providers

F. Internet or other similar network activity.

Advertising networks

Data Analytics Providers

We do not knowingly share the personal information of consumers under 16 years of age.

The CCPA defines “sell” as selling, renting, releasing, disclosing, disseminating, making available, transferring a consumer's personal information by the business to a third party for monetary or other valuable consideration.

We do not sell personal information for money; however, the California Attorney General has taken a broad definition of what constitutes a "sale" under the CCPA, which may include disclosing personal information to third parties for personalized advertising. In the preceding twelve (12) months, we have disclosed personal information to the following categories of third parties for personalized advertising:

Personal Information Category	Provided to the Following Categories of Third-Party Recipients
A. Identifiers	Marketing Agencies Editorial and Publishing Outlets

Personal Information Category

Provided to the Following Categories of Third-Party Recipients

A. Identifiers

Marketing Agencies

Editorial and Publishing Outlets

You may opt-out of the sharing of personal information for the purposes of cross-context behavioral advertising. (see Exercising Your Right to Opt-Out of Sharing and Selling of Personal Information)

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Right to Know and Data Portability

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months (the "right to know"). Once we receive your request and confirm your identity (see Exercising Your Right to Opt-Out of ), we will disclose to you:

The categories of personal information we collected about you.
The categories of sources for the personal information we collected about you.
Our business or commercial purpose for collecting or selling that personal information.
The categories of third parties with whom we share that personal information.
If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
- sales, identifying the personal information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
The specific pieces of personal information we collected about you (also called a data portability request).

Right to Delete

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the "right to delete"). Once we receive your request and confirm your identity (see Exercising Your Rights to Know or Delete), we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Debug products to identify and repair errors that impair existing intended functionality.
Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.

Exercising Your Rights to Know or Delete

To exercise your rights to know or delete described above, please submit a request by either:

Calling us at 1-800-792-8117
Emailing us at data.privacy@shionogi.com.

Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information. To designate an authorized agent, you may email us at data.privacy@shionogi.com.

You may only submit a request to know twice within a 12-month period. Your request to know or delete must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative;
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

You do not need to create an account with us to submit a request to know or delete. However, we do consider requests made through a password protected account sufficiently verified when the request relates to personal information associated with that specific account.

We will only use personal information provided in the request to verify the requestor's identity or authority to make it.

Response Timing and Format

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please email as data.privacy@shionogi.com.

We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

You have the right to opt-out of the selling or the sharing of your personal information for cross-context behavioral advertising. You can request that we stop selling or sharing your personal information by emailing as at data.privacy@shionogi.com or calling us at 1-800-792-8117.

With respect to sharing, we will also honor certain technologies broadcasting an Opt-Out Preference Signal such as the Global Privacy Control (“GPC”). This occurs on the browsers and/or browser extensions that support such a signal. This request will be linked to your browser identifier only and will not tie to your individual identity. We will process your opt-out preference using the GPC in a frictionless manner. This means that (1) we will not charge a fee or require any additional consideration if you use an opt-out signal, (2) your experience with our services will not change after processing of the opt-out signal, and (3) no additional notifications, pop-ups, text, or graphics will appear in response to the opt-out signal.

Some browsers include a "Do Not Track" (DNT) setting that can send a signal to the websites you visit indicating you do not wish to be tracked. Unlike the GPC described above, there is not a generally accepted understanding of how to interpret DNT signals. As such, we do not respond to browser DNT signals. Instead, you can email us or use the GPC as described above.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

Deny you services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Changes to Our Privacy Policy

We reserve the right to amend this privacy policy at our discretion and at any time. When we make changes to this privacy policy, we will post the updated notice on the Website and update the notice's effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this notice, the ways in which we collect and use your information described here, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Phone: 1-800-792-8117

Email: data.privacy@shionogi.com