Your privacy is important to us. This Privacy Statement will let you know what personal information Eli Lilly and Company and its wholly owned subsidiaries ("Lilly" or "we") and/or entities or persons that work on behalf of, or in partnership with, Lilly but are not Lilly employees ("Third Parties"), may process (e.g., collect, record, organize, structure, store, adapt or alter, retrieve, consult, use, disclose by transmission, disseminate or otherwise make available, align or combine, restrict, erase, or destroy), how we protect it, and your rights and choices with respect to your personal information. This Privacy Statement applies to all Lilly operations as well as websites, mobile applications and digital services ("websites") that link to or post it. It is incorporated into and made a part of our Terms of Use for this website, which include provisions that limit Lilly’s liability.

If you are a resident of California: Please refer to the Additional Information for Residents of Certain Jurisdictions, California Notice at Collection and Privacy Rights section below, which includes additional information about the personal information that we may collect about you and your rights under California privacy laws.

PI We Collect and How We Use It

We may collect the following personal information ("PI") necessary for our business purposes:

• Basic Personal Details
  • e.g., name; alias; date of birth; gender; family member names; family, lifestyle & social circumstances; image/photograph/video; marital status; physical characteristics/descriptions; signature; voice/audio
• Behavioral Information
  • e.g., behavior; computer ergonomics; inferences reflecting preferences
• Biometric Identifiers
• Commercial Information
  • e.g., purchasing/consuming history or tendencies
• Criminal/Conviction Records
• Education & Skills
  • e.g., academic transcripts; Curriculum Vitae (CVs); educational background; languages; qualifications/certifications; training records/test scores
• Employment Details
  • e.g., benefits/entitlements data; bullying/harassment details; business unit/division; contract type; corporate credit card number; disciplinary action; end date & reason for termination; exit interview & comments; grievances & complaints; hours of work; job application details; job title/role; line/reporting manager; office location; path/level; pay history; performance appraisal; personnel number; previous work history; record of absence/time tracking/annual leave; salary/wage; salary/wage expectation; start date; succession planning/talent potential; workers compensation claims
• Financial Information
  • e.g., investment account number; mortgage/loan account number; personal bank account information; personal credit card number
• Government Identifiers
  • e.g., driving license number; national identity card details; passport number; tax ID number; Social Security number; visa number
• Health Information, and any other data that could easily result in an inferred health status
• Location Data
  • e.g., GPS position; geotracking; precise geolocation
• Online/Electronic Resources Activity
  • e.g., account name, account age/number/password; browsing time; cookie information; email read receipts; website history
• Personal Contact Information
  • e.g., online identifiers (e.g., personal IP [Internet Protocol] address), email address, postal address, telephone number, unique personal identifier. This may also include information for your emergency contact(s).
• Professional Details
  • e.g., payment information; professional license number/status; professional memberships; reference/background checks
• Professional Contact Information
  • e.g., online identifiers (e.g., personal IP [Internet Protocol] address, email address, postal address, telephone number
• Protected Characteristics
  • e.g., nationality/citizenship; privately held political/philosophical/religious beliefs and opinions; racial or ethnic origin; sex life information; sexual orientation; trade union membership
• Social Media Information
  • e.g., social media account/contact/history
• Transactional Data
  • e.g., clinical trial participation; interactions with Lilly for products and services; speaking engagements; structured call notes; interactions with Lilly systems; audit logs; meeting minutes
• Travel & Expense Details
  • e.g., expense details; travel booking details; travel history

Some of this PI may be considered sensitive under applicable laws, such as information about your health or medical diagnosis and demographic information collected in some circumstances, such as race, ethnic origin, and sexual orientation. We may process your sensitive PI with your consent, or as otherwise permitted by law.

In the ordinary course of business, Lilly sometimes collects Social Security numbers to fulfill legal or regulatory obligations or for other administrative purposes. We respect the confidentiality of Social Security numbers and we avoid the unnecessary collection of them, limit access to them, and disclose them only (i) according to Lilly's internal global privacy policy and procedures, (ii) with those third parties who are legally or contractually obligated to protect them, and (iii) as required or permitted by law.

We may de-identify certain of the information described above. To the extent we maintain and use de-identified information in its de-identified form, and do not re-identify such information except as permitted by law, this de-identified information is not PI and is not subject to this Privacy Statement.

We collect PI from a number of sources, including:

• Adverse event reporters and subjects;
• Business partners;
• Clinical/medical investigators and staff conducting clinical/medical research;
• Consumers;
• Customers;
• Directly from you;
• Employees, former employees, potential employees, and their family members;
• Government officials;
• Healthcare professionals;
• Investors and shareholders;
• Lilly systems and devices;
• Patients and clinical/medical trial participants;
• Publicly available sources; and
• Vendors, suppliers, contractors, and associations.

Lilly and/or third parties may process PI for the following purposes:

• Activities for public health and interest;
• Activities as an employer to support and fulfill our obligations to our employees;
• Business and market research;
• Contracting and business planning activities;
• Communicating information about our products and services;
• Compliance with legal or regulatory obligations (e.g., adverse event and product complaint reporting, exercising or defending legal claims, financial disclosure reporting, maintaining patient registries);
• Data analytics;
• Engaging scientific experts and leaders;
• Event management;
• Finance or tax activities;
• Marketing and sales of our products;
• Merger and acquisition due diligence
• Patient testimonials (for sales and marketing, advertising, training and education, public relations, and research)
• Product improvement and development;
• Product orders or requests for samples;
• Providing patient assistance;
• Registration for services;
• Responding to requests for information;
• Statistical analytics;
• Study recruitment and management, including monitoring of study activities;
• Validating your ability to access/use certain product, services, and information; and
• Administration of other legal and business processes that are in Lilly's legitimate interest, inclusive of company record retention, safeguarding our physical and electronic workplace, maintaining our systems and records (e.g., testing, validation, fixing software errors), and website management.

Lilly may share your PI in compliance with applicable law with:

• Business partners;
• Government officials (e.g., law enforcement authorities, the courts, regulatory authorities);
• Health care professionals;
• Lilly employees and affiliates; and
• Vendors, suppliers and contractors.

Where permitted by law, Lilly may also enhance or merge information, including PI, with information obtained from third parties for the same purposes shared above. PI may also be used for profiling for the same purposes shared above. You may object to profiling via automated-decision making by contacting us using the information in the "How to Contact Us" section below. In compliance with applicable law, Lilly may use Artificial Intelligence (AI) to assist in our processing of information for the purposes described above and may offer services through tools and platforms using AI.

You may choose not to share your PI, withdraw your consent to the processing of your PI, or restrict the processing of your PI, but we may not be able to provide you with certain information, products or services.

Cookies and Tracking

We and other third parties may use cookies, pixel tags, session replay technology, and other similar tracking technologies to automatically collect information about browsing activity, device type, and similar information within our websites. This information, which may be considered personal information in some jurisdictions, is used, for example, to analyze and understand how you access, use, and interact with our websites; to identify and resolve bugs and errors in our websites; to assess, secure, protect, optimize, and improve the performance of our websites; for marketing, advertising, measurement and analytics purposes; and to personalize content on our websites. We may also de-identify and/or aggregate such information to analyze trends, administer our websites, and gather broad demographic information for aggregate uses, and for any other lawful purposes.

Cookies. Cookies are alphanumeric identifiers used for tracking purposes. Some cookies allow us to make it easier for you to navigate our websites, while others are used to enable a faster log-in process, to support the security and performance of the websites, or to allow us to track activity and usage data within and across our websites.

Pixel Tags and Similar Technologies. Pixel tags (sometimes called web beacons or clear GIFs) are tiny graphics with a unique identifier, similar in function to cookies. We may use these tracking technologies to understand users’ activities, to help manage content and compile usage statistics, and in emails to let us know when they have been opened or forwarded so we can track response rates and gauge the effectiveness of our communications.

Data Analytics. We may collect and process data from server logs designed to capture your user events or specific conditions pertinent to the websites utilizing them. This aids Lilly in assessing the marketing key performance metrics of our websites, such as determining the individual visitors count or observing the frequency at which individual users interact with essential components of our website and helps us to understand your personal preferences to provide better services.

Third-Party Analytics and Tools. We may use third-party tools, such as Google Analytics, which are operated by third-party companies to evaluate usage and traffic on our websites. These third-party analytics companies use cookies, pixels, and other tracking technologies to collect usage data to provide us with reports and metrics that help us analyze, improve, and enhance performance and user experience. You can learn more about how Google uses your information at www.google.com/policies/privacy/partners/ (“How Google uses information from sites or apps that use our services”). You can also download the Google Analytics Opt-out Browser Add-on to prevent your information from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.

Cross-Device Tracking. We and Third Parties may use the information we collect about you within our websites, and on other third-party websites, to help us and these third parties identify other devices that you use (e.g., a mobile phone, tablet, other computer, etc.) to interact or engage with us or our websites.

Targeted Advertising. We work with third parties, such as ad networks, channel partners, mobile ad networks, analytics and measurement services, and others (“third-party ad companies”) to personalize content and display advertising within our Services, as well as to manage our advertising on third-party websites, mobile apps, and online services. We may share certain information with third-party ad companies, and we and third-party ad companies may use cookies, pixels tags, and other tools to collect usage and browsing information within our Services, as well as on third-party websites, apps, and services. This information may include IP address, location information, cookie and advertising IDs, and other identifiers, as well as browsing information.

Custom Lists and Matching. We may share or make available certain customer or user information with third parties so that we can better target ads and content to you across third-party websites, platforms, and services. In some cases, these third parties may help us to enhance our customer lists with additional demographic or other information, so we can better target our advertising and marketing campaigns. You can opt out of this type of targeted advertising (also called “sharing” under California law), by submitting an opt out request under either the Additional Information for Residents of Certain Jurisdictions, United States or the Additional Information for Residents of Certain Jurisdictions, California Notice at Collection and Privacy Rights sections of this Privacy Statement below.

You have certain choices available to you to help manage the use of cookies and other technologies:

• When you visit our websites, we may provide you a choice about whether to "agree" or "disagree" to the use of cookies and other technologies to personalize content and ads on our websites. You should feel free to select "disagree" to limit the circumstances in which personal information collected through tracking technologies on the website may be used for targeted advertising.
• Provided to you by third parties:
  • Google Analytics offers an opt-out provision for website visitors who do not want their data to be used by Google Analytics. You can receive more information about this option here.
  • There also are choices provided by the Network Advertising Initiative and the Digital Advertising Alliance. Ads displayed to you using targeted advertising technologies will usually have an AdChoices logo in the corner, which you can also click on to begin the industry opt-out process. Additionally, if you receive ads on a social media site, you can check that site's privacy statement and terms of use to determine how to stop seeing such ads. The European Interactive Digital Advertising Alliance keeps a website where people can opt out of receiving interest-based advertising from some or all of the network advertising companies participating in the program. You can find information about the EDAA here.
  • If a website is utilizing cookies that result in a “sale” or “sharing” of your personal information and we detect that your browser or device is transmitting an opt-out preference signal, such as the Global Privacy Control (GPC) signal, we will opt that browser or device out of cookies that result in a “sale” or “sharing” of your personal information. If you come to our websites from a different device or from a different browser on the same device, you will need to opt out, or use an opt-out preference signal, for that browser and/or device as well. More information about GPC is available here.

Children's Information

This website is not intended for or designed for individuals under the age of 18. We do not knowingly collect PI from any person under the age of 18 unless a parent or guardian provides consent.

Reasons We Share PI

We may share your PI recipients listed above for purposes consistent with those identified in this notice. These Third Parties have agreed to protect the information and to process it as directed by us (if acting on our behalf) or as required by law.

We may also be required to disclose your information in response to lawful requests by public authorities, including to comply with national security or law enforcement requests.

We may also provide your PI to a Third Party in connection with the merger, sale, assignment, or other transfer of the business to which the information relates, in which case PI may be shared with, sold, transferred, rented, licensed or otherwise in connection with the contemplated transaction to the Third Party. We will require any such Third Party to agree to treat PI in accordance with this notice.

Where We Transfer and Work With PI

This website is owned and operated by Lilly in the United States. Your PI may be transferred and processed by and between Eli Lilly and Company, its affiliates and wholly-owned subsidiaries, and Third Parties worldwide. When transferring PI across country borders, Lilly utilizes appropriate transfer mechanisms as applicable (which may include consent, Standard Contractual Clauses, existing adequacy decisions, intra-corporate data transfer agreements, etc.). To obtain additional information regarding the mechanism for transfers that Lilly has in place for cross-border transfers of PI, please contact us at privacy@lilly.com.

Data Privacy Framework

Lilly, including Lilly USA, LLC, Loxo Oncology at Lilly, and Avid Radiopharmaceuticals, Inc. ("Lilly U.S."), participates in and has certified to the EU-U.S. Data Privacy Framework (including UK Extension) and Swiss-U.S. Data Privacy Framework (collectively the "DPF"). Lilly U.S. is committed to processing the PI we receive in the United States (US) from the European Union (EU), the United Kingdom (UK), Gibraltar and Switzerland in accordance with the DPF Principles, including supplemental Principles and Annex I of the Principles (collectively the "Principles").

If you have been directed to this Privacy Statement from a source other than Lilly.com, and there is a conflict between the terms in this Privacy Statement and the Principles, the Principles shall govern.

As explained in the "Reasons We Share PI" section above, PI may be shared as appropriate with third parties that process information on behalf of, or with, Lilly U.S. Under certain circumstances, Lilly U.S. may remain liable for the acts of certain third parties if those third parties process PI originating from the EU, the UK, Gibraltar and/or Switzerland that Lilly discloses to them in a manner that is inconsistent with the Principles.

If you have any inquiries or complaints about our handling of your PI under the DPF, please contact us using the information in the "How to Contact Us" section below.

If you still have a specific privacy concern that has not been resolved after attempting to address your privacy question or concern with Lilly U.S. directly, you can contact our U.S.-based third-party dispute resolution provider, the International Centre for Dispute Resolution, the international division of the American Arbitration Association (ICDR-AAA). You may submit your dispute to the ICDR-AAA for resolution free of charge by contacting them here or by emailing casefiling@adr.org.

If your concern is not resolved after following the recourse mechanisms described above, you may also have the option to select binding arbitration for the resolution of your complaint with respect to PI originating in the EU, the UK, Gibraltar or Switzerland. For more information on binding arbitration, please visit the U.S. Department of Commerce's website on submitting complaints located here.

Lilly U.S. is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission for purposes of enforcing compliance with the DPF. Lilly U.S. also commits to cooperate with EU Data Protection Authorities, the UK Information Commissioner's Office and the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by such authorities with regard to human resources data transferred from the EU, the UK, Gibraltar and Switzerland in the context of the employment relationship. For more information about the DPF or to view Lilly U.S.'s certification on the DPF List, please visit the U.S. Department of Commerce’s Data Privacy Framework website located here.

How Long We Keep PI

PI will be saved for a period of time needed to fulfill legitimate and lawful business purposes in accordance with our record retention policies and applicable laws and regulations.

How We Secure PI

We provide reasonable physical, electronic, and procedural safeguards to protect PI we process and maintain. We limit access to PI to authorized employees and third parties who need access to perform the business activities in this notice. Although we strive to protect the PI we process and maintain, no security system can prevent all potential security breaches.

Your Rights and Choices

Upon verification of your identity, and as applicable by law, you have the right to request:

• information from us on how your PI is being used and with whom it is being shared;
• to see and receive a copy of the PI that we have about you;
• that we correct, restrict the processing of, and/or erase/delete your PI; and
• to have your information transmitted to another entity or person in a machine-readable format, in limited circumstances.

You also have the right to unsubscribe/opt out from communications or profiling for marketing, including direct marketing and object to profiling via automated decision-making.

Information about our process to verify your identity can be found here

There may be exceptions that apply to your request. To exercise your rights, you or your authorized representative may submit a request to datarights@lilly.com or 1-800-Lilly-Rx (1-800-545-5979). Instructions on appointing an authorized representative to submit U.S. requests for personal information on your behalf can be found here.

You may be entitled, in accordance with applicable law, to appeal a refusal to take action on your request. To do so, please contact us by using one of the methods listed in the "How to Contact Us" section below. You will not be discriminated against for exercising any of your rights.

How to Contact Us

If you have questions about this Privacy Statement, you may contact us at:

Eli Lilly and Company
1-800-Lilly-Rx (1-800-545-5979)
privacy@lilly.com

How to Submit a Complaint

If you wish to raise a complaint on how we have handled your PI, you can contact the Global Privacy Office and Data Protection Officer at privacy@lilly.com, who will investigate the matter.

If you are not satisfied with our response or believe we are not processing your PI in accordance with the law, you can register a complaint with a relevant regulatory authority (e.g., a Data Protection Authority or Attorney General).

Links to Third-Party Websites

As a convenience to our visitors, this website may contain links to other sites owned and operated by Third Parties that may offer useful information. The policies and procedures we describe here do not apply to those sites. We are not responsible for the collection or use of PI at any third-party sites. Therefore, we disclaim any liability for any Third Party's use of PI obtained through using the third-party website. We suggest contacting those sites directly for information on their privacy, security, data collection and distribution policies. Other company and product names are trademarks of their respective owners.

Changes to Our Privacy Practices

We may update this Privacy Statement from time to time. When we do update it, for your convenience, we will make the updated statement available on this page. We will always handle your PI in accordance with the Privacy Statement in effect at the time it was collected unless we provide you with the new notice and/or obtain your consent, as appropriate.

Additional Information for Residents of Certain Jurisdictions

Certain individuals may have additional rights under applicable privacy laws, as described in this section, subject to certain exceptions.

If you are a resident of California, please review your California Notice at Collection and Privacy Rights, below.

United States

Residents of certain U.S. states may have additional rights under applicable privacy laws, subject to certain limitations, which may include:

• Access. To confirm whether we are processing their personal information and to obtain a copy of their personal information in a portable and, to the extent technically feasible, readily usable format.
• Deletion. To delete their personal information provided to or obtained by us.
• Correction. To correct inaccuracies in their personal information.
• Opt Out. To opt out of certain types of processing, including:
  • to opt out of the “sale” of their personal information;
  • to opt out of targeted advertising by us; and
  • to opt out of any processing of personal information for purposes of making decisions that produce legal or similarly significant effects.

You may submit a request to exercise your privacy rights under U.S. state privacy laws through email at datarights@lilly.com or calling us at 1-800-Lilly-Rx (1-800-545-5979). To opt out of the use of your online browsing information for purposes of targeted advertising by us, you can adjust your cookies settings by clicking the “Cookie Settings” link in the footer of our homepage (www.lilly.com). See the Cookies and Tracking section above for more information.

We will respond to your request as required under applicable U.S. privacy law(s). When you submit a request to access, delete, or correct your information, we will take steps to verify your identity and your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information in order to verify your identity, or where necessary to process your request. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for the denial.

If we deny your request, you may appeal our decision in accordance with the instructions we provide in our response in accordance with applicable U.S. privacy laws.

To the extent permitted under applicable U.S. privacy laws, you may also designate someone as an authorized agent to submit requests and act on your behalf. More information about our verification process and authorized agents is available here.

Sales and Sharing of Personal Information.

NOTICE: We may sell your sensitive personal data. Certain state laws define “sale” as disclosing or making available personal information to a third party in exchange for monetary or other valuable consideration, and “sharing” includes disclosing or making available personal information to a third party for purposes of cross-contextual behavioral advertising. While we do not disclose personal information to third parties in exchange for monetary compensation, our use of third-party analytics and advertising cookies may be considered “selling” and “sharing” in certain jurisdictions. Based on these definitions, we may “sell” or “share” the following categories of personal information: identifiers; commercial information; location information; Internet and network activity information, and sensitive personal information (e.g., your Internet and network activity information when you visit some of our health-related pages on our Sites). We may disclose these categories to third-party advertising networks, analytics providers, and social networks for purposes of marketing and advertising and to improve and measure our ad campaigns. We may also share limited information, such as a unique personal identifier with data brokers for purposes of marketing and advertising and to improve and measure our ad campaigns. You may opt out of the sale of your personal information as further described above.

We do not sell or share personal information about individuals that we know are under age eighteen (18).

California Notice at Collection and Privacy Rights

This section of the Privacy Statement provides additional information for California residents and describes our information practices pursuant to applicable privacy laws, including the California Consumer Privacy Act and the regulations issued thereto, each as amended (the “CCPA”). To the extent you are a California resident, and we collect “personal information” subject to the CCPA, the following applies.

This section does not address or apply to our handling of personal information that is exempt under the CCPA, such as publicly available information or de-identified or aggregated information. Additionally, this Notice at Collection does not apply to personal information we collect, receive, or otherwise maintain about you that is primarily governed by certain federal laws.

Categories of Personal Information Collected and Disclosed. The table below identifies, generally, the categories of personal information we have collected about California residents, as well as the categories of third parties to whom we may disclose this personal information for a business or commercial purpose.

Categories of Personal Information	Third-Party Disclosures for Business or Commercial Purposes
Identifiers. Includes direct identifiers such as name, alias, email, phone number, address, unique personal identifier, online identifier, IP address, or other similar identifiers.	Advisors and agents Affiliates and subsidiaries Data analytics providers Advertising networks Social networks Internet service providers Operating systems and platforms Regulators, government entities, and law enforcement Healthcare providers and pharmacies (at your direction) Data brokers (limited data, such as a unique personal identifier) Others with your permission or as required by law
Customer Records. Includes your account and profile information and customer records that contain personal information, such as name, demographics and other characteristics or descriptions, contact information, and financial or payment information.	Advisors and agents Affiliates and subsidiaries Data analytics providers Advertising networks Social networks Regulators, government entities, and law enforcement Others with your permission or as required by law
Commercial Information. Includes records of Services purchased, obtained, or considered, or other purchasing or use histories or tendencies.	Advisors and agents Affiliates and subsidiaries Data analytics providers Advertising networks Social networks Regulators, government entities, and law enforcement Others with your permission or as required by law
Internet or Other Electronic Network Activity Information. Includes browsing history, clickstream data, search history, and information regarding interactions with our websites, advertisements, or emails, including other usage data related to your use of any of our Services or other similar online services.	Affiliates and subsidiaries Data analytics providers Advertising networks Social networks Data brokers Internet service providers Operating systems and platforms Regulators, government entities, and law enforcement Others with your permission or as required by law
Location Data. Such as general location information or geolocation data about a particular individual or device.	Affiliates and subsidiaries Data analytics providers Advertising networks Social networks Internet service providers Operating systems and platforms Regulators, government entities, and law enforcement Others with your permission or as required by law
Audio, Electronic, Visual, or Similar Information. Includes information collected via call recordings if you are interacting with us in a customer service capacity or if you call us on a recorded line, recorded meetings and webinars, videos, and photographs.	Advisors and agents Affiliates and subsidiaries Regulators, government entities, and law enforcement Others with your permission or as required by law
Inferences. Such as inferences drawn from any of the information described in this section about a consumer including inferences reflecting consumer preferences, characteristics, behaviors, attitudes, abilities, and aptitudes.	Affiliates and subsidiaries Regulators, government entities, and law enforcement Data analytics providers Others with your permission or as required by law
Protected Classifications. We may collect some information that is considered a protected classification under California or federal law, which may include your gender, age, date of birth, citizenship, marital status, disability status, gender identity or expression, and medical condition.	Healthcare providers and pharmacies (at your direction) Affiliates and subsidiaries Regulators, government entities, and law enforcement Others with your permission or as required by law
Sensitive Personal Information. In some circumstances, we may collect payment card information and related details, precise geolocation data, racial or ethnic origin, biometric information, and personal information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation. We may also collect your Social Security, driver’s license, or state identification card number.	Affiliates and subsidiaries Regulators, government entities, and law enforcement Healthcare providers and pharmacies (at your direction) Data analytics providers Advertising networks Data brokers (limited data, such as information related to your interactions with certain health related pages on our Site) Social networks Others with your permission or as required by law

Sources of Personal Information. We generally collect personal information from the following categories of sources: directly or indirectly from you; affiliates and subsidiaries; business partners; clinical/medical investigators and staff conducting clinical/medical research; vendors and service providers; customers; government officials; healthcare professionals; investors and shareholders; patients and clinical/medical trial participants; third-party websites; data brokers; public databases; social media platforms and websites; Internet service providers; operating systems and platforms; and marketing and data analytics providers.

Purposes of Collection, Use, and Disclosure. As further described in PI We Collect and How We Use It and Reasons We Share PI sections above, we may collect, use, disclose, and otherwise process the above-listed personal information for the following business or commercial purposes and as otherwise directed or consented to by you:

• Services and support;
• Validation;
• Analytics and improvement;
• Customization and personalization;
• Marketing and advertising;
• Loyalty/rewards programs;
• Planning and managing events;
• Research, studies, and surveys;
• Public health and interest;
• Security and protection of rights;
• Legal proceedings and obligations; and
• General business and operational support.

Retention. We retain the personal information that we collect only as reasonably necessary for the purposes described above or as otherwise disclosed to you at the time of collection. For example, we will retain your account information for as long as you have an active account with us and additional information as necessary to comply with our tax, accounting, and recordkeeping obligations, to provide you with the Services you have requested, as well as an additional period of time as necessary to protect, defend, or establish our rights, defend against potential claims, and comply with our legal obligations. In some cases, rather than delete your personal information, we may de-identify or aggregate it and use it in compliance with the CCPA.

Privacy Rights for California Residents. The CCPA provides California residents with specific rights regarding personal information. Subject to certain conditions and exceptions, California residents have the following rights with respect to their personal information:

• Right to Know. You have the right to request: (i) the categories of personal information we collected about you; (ii) the categories of sources from which the personal information is collected; (iii) our business or commercial purposes for collecting, selling, or sharing personal information; (iv) the categories of third parties to whom we have disclosed personal information; and (v) a copy of the specific pieces of personal information we have collected about you.
• Right to Delete. You have the right to request we delete personal information that we have collected from you.
• Right to Correct. You have the right to request that we correct inaccuracies in the personal information we maintain about you.
• Right to Opt-Out of Sales and Sharing. You have the right to opt-out of “sales” and “sharing” of your personal information, as those terms are defined under the CCPA.
• Right to Limit Use and Disclosure. You have the right to limit the use and disclosure of your sensitive personal information.
• Right to Non-Discrimination. You have the right not to be subjected to discriminatory treatment for exercising any of the rights described in this section.

Submitting CCPA Requests. California residents may exercise their CCPA privacy rights as set forth below:

• Rights to Know, Delete, Correct and Limit Use/Disclosure of Sensitive Personal Information. California residents may submit CCPA requests to access/know, delete, correct, and limit the use and disclosure of their sensitive personal information by emailing us at datarights@lilly.com or by calling 1-800-Lilly-Rx (1-800-545-5979).
  
  When you submit a request to know, delete, or correct your information, we will take steps to verify your identity and your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information in order to verify your identity, or where necessary to process your request. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for denial.
  
  You may also designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents will be required to provide proof of their authorization. Additionally, Eli Lilly requires you to confirm that you have provided the authorized agent permission to submit the request and you must provide the authorized agent with signed permission. “Signed” means that the written attestation, declaration, or permission has either been physically signed or provided electronically pursuant to the Uniform Electronic Transactions Act. Lilly may deny a request from an authorized agent who does not submit proof that he or she has been authorized to act on your behalf.
  
  
• Right to Opt Out of Sales and Sharing. To exercise your right to opt out of the “sale” or “sharing” of your online personal information, please email us at datarights@lilly.com. You may also click the “Cookie Settings” link in the footer of our homepage (www.lilly.com) and set the toggles to “off” in the banner. In addition, if we detect that your browser or device is transmitting an opt-out preference signal, such as the GPC signal, we will opt that browser or device out of cookies that result in a “sale” or “sharing” of your personal information. If you come to our Sites or use our Services from a different device or from a different browser on the same device, you will need to opt out, or use an opt-out preference signal, for that browser and/or device as well. More information about GPC is available here.
  
  To exercise your right to opt out of the “sale” or “sharing” of your offline Personal Information, please email us at datarights@lilly.com.
  
  We will apply your opt out based upon the personal information in our records that is linked or reasonably linkable to the information provided in your request.
  
  

California Shine the Light Rights. California’s “Shine the Light” law (Cal. Civ. Code § 1798.83) permits California residents who provide us certain personal information to request and obtain from us, free of charge, information about the personal information (if any) we have shared with third parties for their own direct marketing purposes. To make a California Shine the Light request, please call 1-800-Lilly-Rx (1-800-545-5979) or email us at privacy@lilly.com. Requests may be made once per year.