Your privacy is important to us. This Privacy Statement will let you know what personal information Eli Lilly and Company and its wholly owned subsidiaries ("Lilly" or "we") and/or entities or persons that work on behalf of, or in partnership with, Lilly but are not Lilly employees ("Third Parties"), may process (e.g., collect, record, organize, structure, store, adapt or alter, retrieve, consult, use, disclose by transmission, disseminate or otherwise make available, align or combine, restrict, erase, or destroy), how we protect it, and your rights and choices with respect to your personal information. This Privacy Statement applies to all Lilly operations as well as websites, mobile applications and digital services ("websites") that link to or post it. It is incorporated into and made a part of our Terms of Use for this website, which include provisions that limit Lilly’s liability.

PI We Collect and How We Use It

We may collect the following personal information ("PI") necessary for our business purposes:

• Basic Personal Details
  • e.g., name; alias; date of birth; gender; family member names; family, lifestyle & social circumstances; image/photograph/video; marital status; physical characteristics/descriptions; signature; voice/audio
• Behavioral Information
  • e.g., behavior; computer ergonomics; inferences reflecting preferences
• Biometric Identifiers
• Commercial Information
  • e.g., purchasing/consuming history or tendencies
• Criminal/Conviction Records
• Education & Skills
  • e.g., academic transcripts; Curriculum Vitae (CVs); educational background; languages; qualifications/certifications; training records/test scores
• Employment Details
  • e.g., benefits/entitlements data; bullying/harassment details; business unit/division; contract type; corporate credit card number; disciplinary action; end date & reason for termination; exit interview & comments; grievances & complaints; hours of work; job application details; job title/role; line/reporting manager; office location; path/level; pay history; performance appraisal; personnel number; previous work history; record of absence/time tracking/annual leave; salary/wage; salary/wage expectation; start date; succession planning/talent potential; workers compensation claims
• Financial Information
  • e.g., investment account number; mortgage/loan account number; personal bank account information; personal credit card number
• Government Identifiers
  • e.g., driving license number; national identity card details; passport number; tax ID number; Social Security number; visa number
• Health Information, and any other data that could easily result in an inferred health status
• Location Data
  • e.g., GPS position; geotracking; precise geolocation
• Online/Electronic Resources Activity
  • e.g., account name, account age/number/password; browsing time; cookie information; email read receipts; website history
• Personal Contact Information
  • e.g., online identifiers (e.g., personal IP [Internet Protocol] address), email address, postal address, telephone number, unique personal identifier. This may also include information for your emergency contact(s).
• Professional Details
  • e.g., payment information; professional license number/status; professional memberships; reference/background checks
• Professional Contact Information
  • e.g., online identifiers (e.g., personal IP [Internet Protocol] address, email address, postal address, telephone number
• Protected Characteristics
  • e.g., nationality/citizenship; privately held political/philosophical/religious beliefs and opinions; racial or ethnic origin; sex life information; sexual orientation; trade union membership
• Social Media Information
  • e.g., social media account/contact/history
• Transactional Data
  • e.g., clinical trial participation; interactions with Lilly for products and services; speaking engagements; structured call notes; interactions with Lilly systems; audit logs; meeting minutes
• Travel & Expense Details
  • e.g., expense details; travel booking details; travel history

Some of this PI may be considered sensitive under applicable laws, such as information about your health or medical diagnosis and demographic information collected in some circumstances, such as race, ethnic origin, and sexual orientation. We may process your sensitive PI with your consent, or as otherwise permitted by law.

In the ordinary course of business, Lilly sometimes collects Social Security numbers to fulfill legal or regulatory obligations or for other administrative purposes. We respect the confidentiality of Social Security numbers and we avoid the unnecessary collection of them, limit access to them, and disclose them only (i) according to Lilly's internal global privacy policy and procedures, (ii) with those third parties who are legally or contractually obligated to protect them, and (iii) as required or permitted by law.

We may de-identify certain of the information described above. To the extent we maintain and use-de-identified information in its de-identified form, and do not re-identify such information except as permitted by law, this de-identified information is not PI and is not subject to this Privacy Statement.

We collect PI from a number of sources, including:

• Adverse event reporters and subjects;
• Business partners;
• Clinical/medical investigators and staff conducting clinical/medical research;
• Consumers;
• Customers;
• Directly from you;
• Employees, former employees, potential employees, and their family members;
• Government officials;
• Healthcare professionals;
• Investors and shareholders;
• Lilly systems and devices;
• Patients and clinical/medical trial participants;
• Publicly available sources; and
• Vendors, suppliers, contractors, and associations.

Lilly and/or third parties, may process PI for the following purposes:

• Activities for public health and interest;
• Activities as an employer to support and fulfill our obligations to our employees;
• Business and market research;
• Contracting and business planning activities;
• Communicating information about our products and services;
• Compliance with legal or regulatory obligations (e.g., adverse event and product complaint reporting, exercising or defending legal claims, financial disclosure reporting, maintaining patient registries);
• Data analytics;
• Engaging scientific experts and leaders;
• Event management;
• Finance or tax activities;
• Marketing and sales of our products;
• Merger and acquisition due diligence
• Patient testimonials (for sales and marketing, advertising, training and education, public relations, and research)
• Product improvement and development;
• Product orders or requests for samples;
• Providing patient assistance;
• Registration for services;
• Responding to requests for information;
• Statistical analytics;
• Study recruitment and management, including monitoring of study activities;
• Validating your ability to access/use certain product, services, and information; and
• Administration of other legal and business processes that are in Lilly's legitimate interest, inclusive of company record retention, safeguarding our physical and electronic workplace, maintaining our systems and records (e.g., testing, validation, fixing software errors), and website management.

Lilly may share your PI in compliance with applicable law with:

• Business partners;
• Government officials (e.g., law enforcement authorities, the courts, regulatory authorities);
• Health care professionals;
• Lilly employees and affiliates; and
• Vendors, suppliers and contractors.

Where permitted by law, Lilly may also enhance or merge information, including PI, with information obtained from third parties for the same purposes shared above. PI may also be used for profiling for the same purposes shared above. You may object to profiling via automated-decision making by contacting us using the information in the "How to Contact Us" section below.

You may choose not to share your PI, withdraw your consent to the processing of your PI, or restrict the processing of your PI, but we may not be able to provide you with certain information, products or services.

Cookies and Other Tracking Technologies

When you use our websites, we and our third party partners, including analytics and advertising partners, use cookies and other tracking technologies to collect information from your browser or device. These may include:

Web beacons: A web beacon (also known as an "action tag" or "clear GIF technology") is a tiny graphic on a web page or in an email message designed to track pages viewed or messages opened, and allows the collection of web log information. Web log information is gathered by the computer that hosts our website (called a "web server") when you visit one of our websites. We may use web beacons to help determine which email messages sent by us were opened and whether a message was acted upon. Web beacons also help Lilly analyze the effectiveness of websites by measuring the number of visitors to a site or how many visitors clicked on key elements of a site.

Cookies: A cookie is a small data file that a website can place on your computer's hard drive where your internet browser files are kept. A cookie saves you the trouble of reentering certain information in some registration areas because cookies can be used to enable a site to "remember" information a visitor has previously inputted. A cookie also helps deliver content and features likely to be of interest to you, based on your previous activities on our site, and to track how sections of the website are used. For example, cookies may be used to remarket employment opportunities to you in the United States. With most internet browsers or other software, you can change your browser settings to erase cookies from your computer hard drive, block all cookies or receive a warning before a cookie is stored. Please check your browser instructions to learn more about these functions. If you reject cookies, functionality of the site may be limited, and you may not be able to take advantage of many of the site's features.

Third-Party and Digital Advertising: We may partner with third-party advertising networks to manage our advertising on other sites. Our ad partners may place cookies and web beacons and similar digital markers on your browser when you visit our websites to collect information about your activities over time on this and third-party websites, apps, and other online services, to provide you targeted advertising based upon your interests. We may also share PI about you with third parties in order to have those third parties, on our behalf, directly serve advertising to you on their websites.

Social Media Plug-ins: Our websites may use social media plug-ins to enable you to share information with others easily. When you visit our websites, the operator of the social media plug-in that is on our website can place a cookie on your computer that lets that operator recognize individuals on their website who have previously visited our sites. Social media plug-ins may allow social media websites to receive directly identifiable information about you that shows you have visited our website. The social media plug-in may collect this information for visitors, whether or not they specifically interact with the plug-in on our website. Social media plug-ins also allow the social media website to share information about your activities on our website with other users of their social media website. Lilly does not control any of the content from social media plug-ins. For more information about social plug-ins from social media websites, you should refer to those sites' privacy and data-sharing statements.

You have certain choices available to you to help manage the use of cookies and other technologies:

• When you visit our websites, we may provide you a choice about whether to "agree" or "disagree" to the use of cookies and other technologies to personalize content and ads on our websites. You should feel free to select "disagree" to limit the circumstances in which personal information collected through tracking technologies on the website may be used for targeted advertising.
• Provided to you by third parties:
  • Google Analytics offers an opt-out provision for website visitors who do not want their data to be used by Google Analytics. You can receive more information about this option here.
  • There also are choices provided by the Network Advertising Initiative and the Digital Advertising Alliance. Ads displayed to you using targeted advertising technologies will usually have an AdChoices logo in the corner, which you can also click on to begin the industry opt-out process. Additionally, if you receive ads on a social media site, you can check that site's privacy statement and terms of use to determine how to stop seeing such ads. The European Interactive Digital Advertising Alliance keeps a website where people can opt out of receiving interest-based advertising from some or all of the network advertising companies participating in the program. You can find information about the EDAA here.
  • Do Not Track: There are different ways you can prevent tracking of your online activity. One of them is setting a preference in your browser that alerts websites you visit that you do not want them to collect certain information about you. This is referred to as a Do Not Track ("DNT") signal. Please note that currently our websites and web-based resources do not respond to these signals from web browsers. At this time, there is no universally accepted standard for what a company should do when a DNT signal is detected.

Children's Information

This website is not intended for or designed for individuals under the age of 18. We do not knowingly collect PI from any person under the age of 18 unless a parent or guardian provides consent.

Reasons We Share PI

We may share your PI recipients listed above for purposes consistent with those identified in this notice. These Third Parties have agreed to protect the information and to process it as directed by us (if acting on our behalf) or as required by law.

We may also be required to disclose your information in response to lawful requests by public authorities, including to comply with national security or law enforcement requests.

We may also provide your PI to a Third Party in connection with the merger, sale, assignment, or other transfer of the business to which the information relates, in which case PI may be shared with, sold, transferred, rented, licensed or otherwise in connection with the contemplated transaction to the Third Party. We will require any such Third Party to agree to treat PI in accordance with this notice.

Where We Transfer and Work With PI

This website is owned and operated by Lilly in the United States. Your PI may be transferred and processed by and between Eli Lilly and Company, its affiliates and wholly-owned subsidiaries, and Third Parties worldwide. When transferring PI across country borders, Lilly utilizes appropriate transfer mechanisms as applicable (which may include consent, Standard Contractual Clauses, existing adequacy decisions, intra-corporate data transfer agreements, etc.). To obtain additional information regarding the mechanism for transfers that Lilly has in place for cross-border transfers of PI, please contact us at privacy@lilly.com.

Data Privacy Framework

Lilly, including Lilly USA, LLC, Loxo Oncology at Lilly, and Avid Radiopharmaceuticals, Inc. ("Lilly U.S."), participates in and has certified to the EU-U.S. Data Privacy Framework (including UK Extension) and Swiss-U.S. Data Privacy Framework (collectively the "DPF"). Lilly U.S. is committed to processing the PI we receive in the United States (US) from the European Union (EU), the United Kingdom (UK), Gibraltar and Switzerland in accordance with the DPF Principles , including supplemental Principles and Annex I of the Principles (collectively the "Principles").

If you have been directed to this Privacy Statement from a source other than Lilly.com, and there is a conflict between the terms in this Privacy Statement and the Principles, the Principles shall govern.

As explained in the "Reasons We Share PI" section above, PI may be shared as appropriate with third parties that process information on behalf of, or with, Lilly U.S. Under certain circumstances, Lilly U.S. may remain liable for the acts of certain third parties if those third parties process PI originating from the EU, the UK, Gibraltar and/or Switzerland that Lilly discloses to them in a manner that is inconsistent with the Principles.

If you have any inquiries or complaints about our handling of your PI under the DPF, please contact us using the information in the "How to Contact Us" section below.

If you still have a specific privacy concern that has not been resolved after attempting to address your privacy question or concern with Lilly U.S. directly, you can contact our U.S.-based third party dispute resolution provider, the International Centre for Dispute Resolution, the international division of the American Arbitration Association (ICDR-AAA). You may submit your dispute to the ICDR-AAA for resolution free of charge by contacting them here or by emailing casefiling@adr.org.

If your concern is not resolved after following the recourse mechanisms described above, you may also have the option to select binding arbitration for the resolution of your complaint with respect to PI originating in the EU, the UK, Gibraltar or Switzerland. For more information on binding arbitration, please visit the U.S. Department of Commerce's website on submitting complaints located here.

Lilly U.S. is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission for purposes of enforcing compliance with the DPF. Lilly U.S. also commits to cooperate with EU Data Protection Authorities , the UK Information Commissioner's Office and the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by such authorities with regard to human resources data transferred from the EU, the UK, Gibraltar and Switzerland in the context of the employment relationship. For more information about the DPF or to view Lilly U.S.'s certification on the DPF List, please visit the U.S. Department of Commerce’s Data Privacy Framework website located here.

How Long We Keep PI

PI will be saved for a period of time needed to fulfill legitimate and lawful business purposes in accordance with our record retention policies and applicable laws and regulations.

How We Secure PI

We provide reasonable physical, electronic, and procedural safeguards to protect PI we process and maintain. We limit access to PI to authorized employees and third parties who need access to perform the business activities in this notice. Although we strive to protect the PI we process and maintain, no security system can prevent all potential security breaches.

Your Rights and Choices

Upon verification of your identity, and as applicable by law, you have the right to request:

• information from us on how your PI is being used and with whom it is being shared;
• to see and receive a copy of the PI that we have about you;
• that we correct, restrict the processing of, and/or erase/delete your PI; and
• to have your information transmitted to another entity or person in a machine-readable format, in limited circumstances.

You also have the right to unsubscribe/opt out from communications or profiling for marketing, including direct marketing and object to profiling via automated decision-making.

Information about our process to verify your identity can be found here

There may be exceptions that apply to your request. To exercise your rights, you or your authorized representative may submit a request to datarights@lilly.com or 1-800-Lilly-Rx (1-800-545-5979). Instructions on appointing an authorized representative to submit U.S. requests for personal information on your behalf can be found here.

You may be entitled, in accordance with applicable law, to appeal a refusal to take action on your request. To do so, please contact us by using one of the methods listed in the "How to Contact Us" section below. You will not be discriminated against for exercising any of your rights.

California Privacy Disclosures

California residents who have an established business relationship with Lilly may have the right to request information regarding Lilly's disclosure of certain PI to third parties for their direct marketing purposes. To make a request for such information, you may contact us using the information in the "How to Contact Us" section below.

California law entitles California residents to certain rights with regard to their PI. Those rights have been incorporated into this Privacy Statement under "Your Rights and Choices" section above.

Sale and Sharing of Personal Information

Lilly does not sell PI about California consumers that are protected under the California Consumer Privacy Act ("CCPA") or California Privacy Rights Act ("CPRA") to third parties or share such PI with third parties for targeted or cross-context behavioral advertising, as those terms are defined by applicable law. When Lilly permits third parties to collect PI through our websites or discloses PI to third parties, Lilly is doing so pursuant to various exceptions to the opt-out rights provided for under California law. For example, Lilly permits third parties acting on its behalf to process PI for the business purposes described in this Privacy Statement, including advertising and marketing services (excluding cross-context behavioral advertising). In addition, Lilly may permit third-party advertising solutions to process PI when you direct us to do so by agreeing to the use of such technologies to personalize Lilly's content and ads. Consistent with the above, Lilly does not sell or share for cross-context behavioral advertising PI relating to consumers who it knows are under 16 years of age.

Sensitive Personal Information

Lilly does not use or disclose your sensitive PI except for limited purposes that are authorized by law. For example, Lilly may collect information about your health or medical diagnosis to provide you specific functionality or products or services that you have requested. California law does not afford you rights to limit the use or disclosure of sensitive PI for these purposes, although we may nonetheless ask for your consent or provide you choices about how we use this information depending on the relevant context.

How to Contact Us

If you have questions about this Privacy Statement, you may contact us at:

Eli Lilly and Company
1-800-Lilly-Rx (1-800-545-5979)
privacy@lilly.com

How to Submit a Complaint

If you wish to raise a complaint on how we have handled your PI, you can contact the Global Privacy Office and Data Protection Officer at privacy@lilly.com, who will investigate the matter.

If you are not satisfied with our response or believe we are not processing your PI in accordance with the law, you can register a complaint with a relevant regulatory authority (e.g., a Data Protection Authority or Attorney General).

Links to Third-Party Websites

As a convenience to our visitors, this website may contain links to other sites owned and operated by Third Parties that may offer useful information. The policies and procedures we describe here do not apply to those sites. We are not responsible for the collection or use of PI at any third-party sites. Therefore, we disclaim any liability for any Third Party's use of PI obtained through using the third-party website. We suggest contacting those sites directly for information on their privacy, security, data collection and distribution policies. Other company and product names are trademarks of their respective owners.

Changes to Our Privacy Practices

We may update this Privacy Statement from time to time. When we do update it, for your convenience, we will make the updated statement available on this page. We will always handle your PI in accordance with the Privacy Statement in effect at the time it was collected unless we provide you with the new notice and/or obtain your consent, as appropriate.