Eli Lilly Privacy Statement
- Sources of Personal Data
- Types of Personal Data We Collect
- How We Use Personal Data
- How We Disclose Personal Data
- Cookies
- Your Choices
- Data Security and Data Retention
- Children’s Privacy
- External Links
- Contact Information
- Supplemental U.S. State Privacy Disclosures
- Data Privacy Framework
Eli Lilly and Company, together with its subsidiaries and affiliates (collectively, “Lilly,” “Company,” “us,” “we,” or “our”) is committed to protecting the privacy of Personal Data (i.e., information reasonably related to a specific individual). This Privacy Statement describes how we process Personal Data collected through our websites, social media accounts, and mobile applications that link to the Privacy Statement, and other online interactions and communications such as email (collectively, our “Digital Properties”); in-person events; and other online and offline interactions.
Scope: This Privacy Statement applies to information we collect about individual consumers, such as general website visitors (“Individuals”) as well as information we collect about the personnel of our business partners, including vendors, healthcare professionals and business customers, in business-to-business interactions.
However, this Privacy Statement does not apply to:
- Information about our current/former employees, applicants, and other individuals who interact with us for employment-related purposes.
- Personal Data collected as part of a clinical trial or other biomedical research study subject to the Common Rule (45 C.F.R. 46).
Whenever you interact with us on behalf of another individual or entity, such as if you refer a friend to us or report an adverse event related to an individual, we recommend that you obtain their consent (or have the legal authority without consent) to share their Personal Data with us.
Changes: We may update this Privacy Statement from time to time. Any updated Privacy Statement will be effective when posted. Please check this Privacy Statement periodically for updates. If required by law, we will obtain your consent or contact you directly if there are material changes to this Privacy Statement.
1. Sources of Personal Data
We collect Personal Data about you from the following sources:
- Directly from you. We may collect Personal Data you provide to us directly, such as when you contact us through our Digital Properties, interact with us in person, fill out our surveys, register for an event, sign up for offers or newsletters, communicate with us, or sign up for an account or other services.
- Data collected automatically and through Cookies. We may automatically collect information or inferences about you, such as through cookies, pixels, tags, scripts, and other tracking technologies (collectively, “Cookies”), when you interact with our Digital Properties. This may include information about how you use and interact with our Digital Properties, information about your device, and internet usage information.
- From third parties. We may collect Personal Data from third parties, such as customers, other consumers, service providers, our affiliated companies and subsidiaries, business partners, investors and shareholders, healthcare professionals, patients and clinical trial participants, clinical investigators and staff conducting clinical trials, government officials, adverse event reporters and subjects, data brokers, social media companies or other parties who interact with us.
- From publicly available sources. We may collect Personal Data about you from publicly available sources, such as public profiles, social media, and websites.
We may combine information that we receive from the various sources described in this Privacy Statement, including third party sources, and use or disclose the combined information for the purposes identified below.
2. Types of Personal Data We Collect
Depending on your interactions with us, we may collect the following types of Personal Data about you:
- Identifiers, such as your name, alias, email address, physical address, telephone number, business contact information, social media username, unique personal identifier, and device identifiers (e.g., cookie IDs and IP address).
- Records about you, such as signatures; financial information (e.g., payment card number or account information); physical characteristics or a description of you; the content, timing and method of communications you have with us, such as online chats, calls, and emails; and information you share with or upload to our Digital Properties, such as reviews and comments.
- Demographic information, such as age (including birthdates), marital status, gender, and information about your lifestyle and social circumstances.
- Commercial information, such as information related to your transactions; products or services purchased, obtained, or considered (including survey responses providing your opinion about our products and services); or other purchasing or consuming histories or tendencies.
- Internet or other electronic network activity information, such as your browsing history, search history, preference information (including marketing and purchasing preferences), account settings (including any default preferences), and other information regarding your interactions with and use of the Digital Properties (including inferences about your health derived from the activities, usage information, and location information that we collect). For more information about Cookies, please see Section 5 (Cookies).
- Non-precise geolocation data, such as your location as derived from your IP address.
- Audio, electronic, visual, or other sensory information, such as photographs and audio/video recordings.
- Professional or employment-related information, such as job title; organization; professional licenses, professional memberships, credentials, or affiliations; and other professional information.
- Education information.
- Inferences drawn from any of the information we collect about your preferences or behavior, including to assess the level of interest in our products and services based on frequency of visits and contact and determine your preferred frequency for receiving offers.
- Sensitive Personal Information, including the following:
  - Social Security number, driver’s license number, tax ID number, visa number, or passport number.
  - Precise geolocation.
  - Racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership.
  - Information about your health (such as medical condition(s), diagnoses, or information that could result in an inferred health status).
  - Information concerning your sex life or sexual orientation.
3. How We Use Personal Data
We may use Personal Data for the following purposes:
- To provide you or your company products and services, such as making our Digital Properties and other products and services available to you, including through the use of our AI tools; registering, verifying, and maintaining your account with us; providing and delivering you the goods and services you request; providing customer service; processing or fulfilling orders and transactions (including processing payments); verifying customer information and eligibility for certain programs or benefits; communicating with you (including soliciting feedback or responding to requests, complaints, and inquiries); hosting events and informational webinars; and providing similar services or otherwise facilitating your relationship with us.
- To support public health and public interest initiatives.
- For our internal business purposes, such as day-to-day operation of our business; maintaining internal business records, such as accounting, document management and similar activities; enforcing our policies and rules; training; management reporting; auditing; and IT security and administration.
- For our internal research and product improvement purposes, such as verifying or maintaining the quality or safety of our products or services; improving our products or services, including AI, machine learning, and similar tools; designing new products and services; evaluating the effectiveness of our advertising or marketing efforts; and debugging and repairing errors with our systems, networks, and equipment.
- For legal, safety or security reasons, such as complying with legal, reporting, and similar requirements; investigating and responding to claims against us, our personnel, and our customers; for the establishment, exercise or defense of legal claims; protecting our, your, our customers’, and other third parties’ safety, property or rights; detecting, preventing, and responding to security incidents and health and safety issues (including managing spread of communicable diseases); and protecting against malicious, deceptive, fraudulent, or illegal activity.
- In connection with a corporate transaction, such as if we acquire assets of another business, or sell or transfer all or a portion of our business or assets including through a sale in connection with bankruptcy and other forms of corporate change.
- For marketing and targeted advertising, such as marketing our products or services or those of our affiliates, business partners, or other third parties. For example, we may use Personal Data we collect to personalize advertising to you (including by developing product, brand, or services audiences and identifying you across devices/sites); to analyze interactions with us or our Digital Properties; or to send you newsletters, surveys, questionnaires, promotions, or information about events or webinars. We may use AI to improve the quality, speed, and value of our marketing analysis.
We may use anonymized or de-identified information for any purpose permitted by law.
4. How We Disclose Personal Data
We may disclose Personal Data to third parties, including the categories of recipients described below:
- Affiliates and subsidiaries, including parent entities, corporate affiliates, subsidiaries, business units, and other companies that share common ownership.
- Service providers that work on our behalf to provide the products and services you request or support our relationship with you, such as IT providers, internet service providers, data and web hosting providers, software service providers, operating systems and platforms, customer service vendors, email marketing providers, payment processing companies, data analytics providers, and companies that provide business support services, financial administration, or event organization.
- Healthcare providers and pharmacies, at your direction.
- Professional consultants, such as accountants, lawyers, consultants, financial advisors, and audit firms.
- Vendors necessary to complete transactions you request, such as shipping companies and logistics providers.
- Law enforcement, government agencies, and other recipients for legal, security, or safety purposes, such as when we share information to comply with law or legal requirements, to enforce or apply our Terms of Use and other agreements or policies, and to protect our, our customers’, or third parties’ safety, property, or rights.
- Other entities in connection with a corporate transaction, such as if we acquire assets of another entity, or sell or transfer all or a portion of our business or assets including through a sale in connection with bankruptcy and other forms of corporate change.
- Business partners that may use Personal Data for their own purposes, such as:
  - Advertisers, ad platforms and networks, and social media platforms;
  - Data brokers;
  - Third parties whose Cookies we use as described in Section 5 (Cookies), including data analytics providers.
Where required by law, we will obtain your consent prior to disclosing your Personal Data to our business partners. Where recipients use your Personal Data for their own purposes independently from us, we are not responsible for their privacy practices or personal data processing policies. You should consult the privacy notices of those third-party services for details on their practices.
- The public, such as when you have an opportunity to make comments regarding us or our products that we may share with the public, including comments on our blog and social media posts. Any Personal Data in comments, reviews, or other content that you share in public areas of our Digital Properties may be read, collected, or used by other users or the public.
- Entities to which you have consented to the disclosure.
6. Your Choices
You may opt out of marketing communications by contacting us using the information in Section 9 (Contact Information) below or taking one of the following steps. You can unsubscribe from our email marketing via the link in the email. You may opt out of text messages by responding as instructed in the text message.
As described in Section 10 (Supplemental U.S. State Privacy Disclosures) below, residents of certain states may be able to disable Cookies that constitute a “sale,” “sharing,” or “targeted advertising,” as those terms are defined under applicable laws.
In addition, some of the third parties we work with participate with the Digital Advertising Alliance (“DAA”) and Network Advertising Initiative (“NAI”). The DAA and NAI provide mechanisms for you to opt out of interest-based advertising performed by participating members at http://www.aboutads.info/choices/ and https://optout.networkadvertising.org/.
You can also refuse or delete Cookies using your browser settings. If you refuse or delete Cookies, some of our Digital Properties’ functionality may be impaired. Please refer to your browser’s Help instructions to learn more about how to manage Cookies. If you change computers, devices, or browsers; use multiple computers, devices, or browsers; or delete your Cookies, you may need to repeat this process for each computer, device, or browser.
Some browsers have incorporated Do Not Track (“DNT”) preferences. At this time, we do not honor Do Not Track signals.
7. Data Security and Data Retention
Although we maintain reasonable security safeguards, no security measures or communications over the Internet can be 100% secure, and we cannot guarantee the security of your information.
Compliance with data privacy and data security regulations is important to Lilly. Our Global Privacy Office and Legal Department have established policies, standards, and procedures to ensure that we adhere to the laws of the jurisdictions where we operate. With respect to the Department of Justice’s Data Security Program, 28 C.F.R., Part 202 (the “Rule”), Lilly acknowledges that it is a “U.S. person” as defined in 28 C.F.R. § 202.256 and is, therefore, required to comply with the Rule in handling any “bulk U.S. sensitive personal data” and “government-related data” under its control. As the Rule requires, we have developed a robust data compliance program, which will be certified annually by our Chief Privacy Officer.
Your Personal Data will be retained as long as necessary to fulfill the purposes we have outlined above unless we are required to do otherwise by applicable law. For example, we will retain your Personal Data for as long as you have an active account with us and as necessary to comply with our tax, accounting, and recordkeeping obligations, to provide you with the Services you have requested, as well as an additional period of time as necessary to protect, defend, or establish our rights, defend against potential claims, and comply with our legal obligations. We may also retain your Personal Data to maintain our business relationship with you; improve our business over time; or otherwise in accordance with our internal retention procedures. Once you have terminated your relationship with us, we may retain your Personal Data in our systems and records in order to ensure adequate fulfillment of surviving provisions in terminated contracts or for other legitimate business purposes.
8. Children’s Privacy
Our Digital Properties are intended for individuals 18 years of age and older. The Digital Properties are not directed at, marketed to, nor intended for, children under 18 years of age. As a general rule, we do not knowingly collect any information, including Personal Data, from children under 18 years of age unless a parent or guardian provides consent. If you believe that we have inadvertently collected Personal Data from a child under the age of 18, please contact us at the address in Section 9 (Contact Information) below, and we will take prompt steps to delete the information.
9. External Links
Our Digital Properties may contain links to external sites or other online services that we do not control, including those embedded in third party advertisements or sponsor information. We are not responsible for the privacy practices or data collection policies of such third-party services. You should consult the privacy notices of those third-party services for details on their practices.
10. Contact Information
If you have questions regarding this Privacy Statement, please contact us at:
Eli Lilly and Company
1-800-Lilly-Rx (1-800-545-5979)
LillyDPO@lilly.com
If you wish to raise a complaint about how we have handled your Personal Data, you can contact the Global Privacy Office and Data Protection Officer at LillyDPO@lilly.com, who will investigate the matter.
If you are not satisfied with our response or believe we are not processing your Personal Data in accordance with the law, you can register a complaint with a relevant regulatory authority (e.g., your state’s Attorney General).
11. Supplemental U.S. State Privacy Disclosures
A. Data Subject Rights
Depending on our relationship with you and in which state you reside within the United States (such as California, Colorado, Nevada, Oregon, or Delaware), you may have certain rights regarding Personal Data that you can exercise by calling us at 1-800-Lilly-Rx (1-800-545-5979), or by emailing us at datarights@lilly.com:
- Right to Know. You may have the right to request information about the categories of Personal Data we have collected about you, the categories of sources from which we collected the Personal Data, the purposes for collecting, selling, or sharing the Personal Data, and to whom we have disclosed your Personal Data and why. You may also request the specific pieces of Personal Data we have collected about you. Residents of certain states such as Oregon and Minnesota may also request a specific list of third parties to whom we disclose your Personal Data.
- Right to Delete. You may have the right to request that we delete Personal Data that we have collected about you.
- Right to Correct. You may have the right to request that we correct inaccurate Personal Data that we maintain about you.
- Right to Opt Out of Profiling. You may have the right to opt out of certain automated processing activities that are used to evaluate characteristics about you. Residents of certain states such as Minnesota may also request to review the Personal Data used in profiling, question the result of the profiling, and request additional information on how the profiling was conducted.
- Right to Limit Use and Disclosure of Sensitive Personal Information. You may have the right to limit the use and disclosure of Sensitive Personal Information.
- Right to Opt Out of Sale, Sharing, and Targeted Advertising. You may have the right to opt out of selling, sharing, and targeted advertising (as such terms are defined under applicable laws). We do not knowingly sell data about minors under 18. You can exercise the Right to Opt Out of Sale, Sharing, and Targeted Advertising by accessing the Cookie Settings link in the footer of Lilly websites and turning the “Advertising and Marketing” toggle to the “off” position and emailing us at datarights@lilly.com.
NOTICE: We may sell your Sensitive Personal Information.
To the extent required by law, we will honor opt-out preference signals sent in a format commonly used and recognized by businesses, such as an HTTP header field or JavaScript object. We will process opt-out preference signals at the browser level.
We will not discriminate against you for exercising your privacy rights.
Verification: To process rights requests, we may need to obtain information to locate you in our records or verify your identity depending on the nature of the request.
- For Requests to Opt-Out of Sale, Sharing, and Targeted Advertising and Requests to Limit Use and Disclosure of Sensitive Personal Information: We may collect your name and email to locate you in our records.
- For Requests to Know, Delete, and Correct: We collect information necessary to locate you in our records and verify your identity and that you are a resident of a state that provides for these rights, which may include name, mailing address, email address, phone number, and relationship to Lilly.
Authorized Agents: Authorized agents may exercise rights on your behalf by submitting a request via datarights@lilly.com.
- If you designate an authorized agent to submit a Request to Know, Delete, or Correct, we may seek additional information from the authorized agent or reach out to you directly to verify your identity or to confirm that you provided the authorized agent permission to submit the request.
- If you designate an authorized agent to submit a Request to Opt Out of Sale, Sharing, and Targeted Advertising or Request to Limit Use and Disclosure of Sensitive Personal Information, we may seek additional information directly from the authorized agent to process the request.
Appeal: If we deny your rights request, you may have the right to appeal. To submit an appeal, contact us at 1-800-Lilly-Rx (1-800-545-5979) or LillyDPO@lilly.com. We will inform you of our response.
B. Additional Data Processing Disclosures
In addition to the disclosures above, this section provides supplemental information about how we process Personal Data.
Disclosure of Personal Data
Below please find a chart detailing the categories of Personal Data we collected and with whom it was sold, shared, or disclosed for a business purpose in the past 12 months.
Categories of Personal Data We Collect | Categories of Third Parties With Whom We Disclose Personal Data for a Business Purpose | Categories of Third Parties to Whom Personal Data is Sold or Shared for Targeted Advertising |
---|---|---|
Identifiers (Section 2.A) | | |
Records about you (Section 2.B) | | |
Demographic information (Section 2.C) | | |
Commercial information (Section 2.D) | | |
Internet or other electronic network activity information (Section 2.F) | | |
Non-precise geolocation data (Section 2.G) | | |
Audio, electronic, visual, or other sensory information (Section 2.H) | | |
Professional or employment-related information (Section 2.I) | | |
Education information (Section 2.J) | | |
Inferences (Section 2.K) | | |
Sensitive personal information (Section 2.L) | | |
Use and Disclosure of Sensitive Personal Information. We may use and disclose sensitive personal information, including inferences about your health, for the purposes described in Section 3 (How We Use Personal Data) above.
California Shine the Light: California’s “Shine the Light” law (Civil Code Section § 1798.83) permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please call 1-800-Lilly-Rx (1-800-545-5979) or email us at datarights@lilly.com.
12. Data Privacy Framework
Eli Lilly and Company complies with the EU-U.S. Data Privacy Framework (“DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, as set forth by the U.S. Department of Commerce for transfers of personal data from the EEA, UK and Switzerland, respectively. Our Data Privacy Framework Statement can be found at https://www.lillyhub.com/legal/lilly/dpf.html.
LAST UPDATED June 24, 2025