We Collect Personal Information directly from HCPs, as well as from joint marketing partners; public databases; providers of demographic data; publications; professional organizations; educational institutions; social media platforms; and Service Providers and Third Parties when they disclose information to us.

We, and our Service Providers, Collect, process, and disclose the HCP Personal Information (excluding Sensitive Personal Information) described in this Notice to:

• Administer Novo Nordisk websites;
• Contact HCPs and provide them with information, opportunities, updates, or special offers from Novo Nordisk and its business partners;
• Contract with HCPs;
• Identify and recruit subject matter experts, spokespersons, and other professionals;
• Evaluate eligibility for Novo Nordisk programs and services;
• Manage attendance at events and activities we host or sponsor;
• Manage access to and protect our facilities and physical locations;
• Meet legal requirements and ensure compliance with Novo Nordisk policies and procedures;
• Monitor and improve Novo Nordisk’s websites, products, and services, including monitoring the safety and efficacy of our products;
• Plan and manage business activities, including management of HCP relationships and Novo Nordisk personnel that interact with HCPs;
• Prepare for and conduct research related to medical conditions, treatments, and therapies;
• Prevent fraud or physical harm;
• Provide HCPs with products or services that they request from us;
• Respond to requests from HCPs;
• Support, Collect, and monitor publications, presentations, posters, and other media about Novo Nordisk, its products, and associated research; and
• With the HCP’s permission, include information about the HCP in marketing materials or at events, and prepare, evaluate, and distribute or conduct those materials or events.

We, and our Service Providers, Collect, Process, and disclose the Sensitive Personal Information described in this Notice only for the below purposes that are authorized by the CCPA and its implementing regulations:

• Performing the services or providing the goods reasonably expected by an average consumer who requests those goods or services;
• Ensuring security and integrity to the extent the use of the consumer's Personal Information is reasonably necessary and proportionate for these purposes;
• Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information;
• Resisting malicious, deceptive, fraudulent, or illegal actions directed at the business and prosecuting those responsible for those actions;
• Ensuring the physical safety of natural persons;
• Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer's current interaction with us; provided that we will not disclose the consumer's Personal Information to a Third Party and or build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business;
• Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf; and
• Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured by, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us; and
• Collecting or processing Sensitive Personal Information where such collection or processing is not for the purpose of inferring characteristics about a consumer.

Affiliates & Service Providers. For each category of HCP Personal Information listed in Section D, we disclose such information to our affiliates and Service Providers for the purposes described in this Notice (see "Purposes for Processing Personal Information,” above). Our Service Providers provide us with services for our websites, as well as other products and services, such as web hosting, data analysis, payment processing, order fulfillment, customer service, infrastructure provision, technology services, email delivery services, credit card processing, legal services, and other similar services. We grant our Service Providers access to Personal Information only to the extent needed for them to perform their functions, and we require them to protect the confidentiality and security of such information.

Third Parties. For each category of HCP Personal Information listed in Section D, we disclose such Personal Information, and have disclosed such Personal Information in the past twelve months, to the following categories of Third Parties:

• At Your Direction. We may disclose your Personal Information to any Third Party with your consent or at your direction. In the case of marketing materials or events in or at which you have consented to appear, this includes disclosure of your Personal Information to the general public.
• Marketing Vendors. We may disclose your Personal Information to Third Parties to provide marketing services in order to serve HCPs with online advertising that is more relevant to them based on their network activity data, IP addresses, other online identifiers, and similar information and inferences derived therefrom.
• Business Transfers or Assignments. We may disclose your Personal Information to other entities as reasonably necessary to facilitate a merger, sale, joint venture or collaboration, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
• Legal and Regulatory. We may disclose your Personal Information to government authorities, including regulatory agencies and courts, as reasonably necessary for our business operational purposes, to assert and defend legal claims, and otherwise as permitted or required by law.

Exercising Data Subject Rights. You may exercise your data subject rights by contacting our Privacy Office at NNIPrivacy@novonordisk.com, by calling (888) 870-3901, or by clicking here. You may also authorize an agent to make data subject requests on your behalf via the above methods. When you submit a data subject request, please indicate the type of request you are making, so that we may properly process and respond to your request in accordance with applicable law.

Verification of Data Subject Requests. We value the security and confidentiality of your Personal Information. Depending on the type of data subject request you submit, we may ask you to provide information that will enable us to verify your identity before complying with the request. We verify requests carefully and in accordance with applicable law. In particular, if you authorize an agent to make a request on your behalf, we may require the agent to provide proof of signed permission from you to submit the request, or we may require you to verify your own identity to us or confirm with us that you provided the agent with permission to submit the request. In some instances, we may decline to honor your request if an exception applies under applicable law. We will respond to your request consistent with applicable law.

Non-Discrimination. We will not discriminate against you for exercising your data subject rights. For example, we will not deny goods or services to you, or charge you different prices or rates, or provide a different level of quality for products or services as a result of you exercising your data subject rights.

As an HCP, you have the following rights under the CCPA with respect to your Personal Information, subject to certain exceptions:

Right to Receive Information on Privacy Practices: You have the right to receive the following information at or before the point of Collection:

• The categories of Personal Information to be Collected;
• The purposes for which the categories of Personal Information are Collected or used;
• Whether or not that Personal Information is sold or shared;
• If the business Collects Sensitive Personal Information, the categories of Sensitive Personal Information to be Collected, the purposes for which it is Collected or used, and whether that information is sold or shared; and
• The length of time the business intends to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.

We have provided such information in this Notice, and you may request further information about our privacy practices by contacting us as at the contact information provided above.

Right to Deletion: You may request that we delete any Personal Information about you we that we Collected from you.

Right to Edit: You may request that we edit any inaccurate Personal Information we maintain about you.

Right to Know: You may request that we provide you with the following information about how we have handled your Personal Information:

• The categories of Personal Information we Collected about you;
• The categories of sources from which we Collected such Personal Information;
• The business or commercial purpose for Collecting, selling, or sharing Personal Information about you;
• The categories of Third Parties with whom we shared or disclosed such Personal Information; and
• The specific pieces of Personal Information we have Collected about you.

Right to Receive Information About Onward Disclosures: You may request that we disclose to you:

• The categories of Personal Information that we have Collected about you;
• The categories of Personal Information that we have sold or shared about you and the categories of Third Parties to whom the Personal Information was sold or shared; and
• The categories of Personal Information we have disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

Right to Non-Discrimination: You have the right not to be discriminated against for exercising your data subject rights. We will not discriminate against you for exercising your data subject rights.

Right to Opt-Out of the Sale and Sharing of Personal Information.  You have the right, at any time, to direct us not to sell or share your Personal Information. To exercise this right, please click on the “Do Not Sell or Share My Personal Information” button in this policy or on any Novo Nordisk webpage where the button is present. Novo Nordisk does not have actual knowledge that it sells or shares the Personal Information of minors under 16 years of age without affirmative authorization.

Opt-Out Preference Signals. We recognize opt-opt preference signals that we are required to recognize for compliance with applicable law. We treat such opt-out preference signals as a valid request to opt-out of sale and sharing for the browser or device through which the signal is sent and any consumer profile we have associated with that browser or device, including pseudonymous profiles. If we know the identity of the consumer from the opt-out preference signal, we will also treat such opt-out preference signal as a valid request to opt out of sale and sharing for the consumer. California HCPs may use opt-out preference signals by downloading or otherwise activating them for use on supported browsers and setting them to send opt-out preference signals to websites they visit.

California Residents Under Age 18. If you are a resident of California under the age of 18 and a registered user of our website, you may ask us to remove content or data that you have posted to the website by writing to NNIPrivacy@novonordisk.com. Please note that your request does not ensure complete or comprehensive removal of the content or data, as, for example, some of your content or data may have been reposted by another user.

Disclosure About Direct Marketing for California Residents. California Civil Code § 1798.83 permits California residents to annually request certain information regarding our disclosure of Personal Information to other entities for their direct marketing purposes in the preceding calendar year. To make such a request, please send an email to NNIPrivacy@novonordisk.com with the subject “Shine the Light Request.”

Financial Incentives for California HCPs. Under California law, we do not provide financial incentives to California HCPs who allow us to Collect, retain, sell, or share their Personal Information. We will describe such programs to you if and when we offer them to you.

Changes to this Notice. We reserve the right to amend this Notice at our discretion and at any time. When we make material changes to this Notice, we will notify you by posting an updated Notice on our website and listing the effective date of such updates.

Call (888) 870-3901 or email us at NNIPrivacy@novonordisk.com to contact us with questions regarding this Notice. If you are unable to review or access this Notice due to a disability, you may contact us to request access to this Notice in an alternative format.