State Supplemental Privacy Notice

This Supplemental Website Privacy Notice ("Supplemental Notice") applies only to information collected about California, Colorado, Virginia, Utah, and Connecticut consumers. It provides information required under the California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (collectively, the "CPRA"), the Colorado Privacy Act of 2021 (the "CPA"), the Virginia Consumer Data Protection Act of 2021 (the "VCDPA"), the Utah Consumer Privacy Act of 2022 (the "UCPA"), and the Connecticut Data Privacy Act of 2022 ("CDPA").

This Supplemental Notice describes Sumitomo Pharma's ("we," "us," "our") practices regarding the collection, use, and disclosure of Personal Information and provides instructions for submitting data subject requests.

A. Definitions

• "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information includes "personal data" as that term is defined in the CPRA, CPA, VCDPA, UCPA, and CDPA. Personal Information also includes "Sensitive Personal Information," as defined below, except where otherwise noted.
• "Sensitive Personal Information" means Personal Information that reveals a consumer's social security, driver's license, state identification card, or passport number; account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious beliefs, or union membership; contents of email or text messages; and genetic data. Sensitive Personal Information also includes processing of biometric information for the purpose of uniquely identifying a consumer and Personal Information collected and analyzed concerning a consumer's health, sex life, or sexual orientation. Sensitive Personal Information also includes "sensitive data" as that term is defined in the CPRA, CPA, VCDPA, UCPA, and CDPA.
• "Third Party" has the meanings afforded to it in the CPRA, CPA, VCDPA, UCPA, and CDPA.
• "Vendor" means a service provider, contractor, or processor as those terms are defined in the CPRA, CPA, VCDPA, UCPA, and CDPA.

B. Collection & Processing of Personal Information

We, and our Vendors, collect the following categories of Personal Information about consumers. We also have collected and processed the following categories of Personal Information about consumers in the preceding 12 months:

• (1) Identifiers, such as name, alias, online identifiers, account name, physical characteristics or description;
• (2) Contact and financial information, including phone number, address, email address, financial information, medical information, health insurance information;
• (3) Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, and marital status;
• (4) Commercial information, such as transaction information and purchase history;
• (5) Biometric information;
• (6) Internet or other electronic network activity information, such as browsing history and interactions with our websites or advertisements;
• (7) Geolocation data, such as device location;
• (8) Audio, electronic, visual and similar information, such as call and video recordings;
• (9) Professional or employment-related information, such as work history and prior employer;
• (10) Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual's preferences and characteristics;
• (11) Written signatures; and
• (12) Sensitive personal information, including:
  • a. Personal Information that reveals:
    • i. Social security, driver's license, state identification card, or passport number;
    • ii. Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account;
    • iii. Precise geolocation;
    • iv. Racial or ethnic origin, religious or philosophical beliefs, or union membership;
    • v. Contents of a consumer's email and text messages, unless the business is the intended recipient thereof; or
    • vi. Genetic data.
  • b. Biometric data processed for the purpose of uniquely identifying a consumer;
  • c. Personal Information collected and analyzed concerning a consumer's health; and
  • d. Personal Information collected and analyzed concerning a consumer's sex life or sexual orientation.

Retention of Personal Information. We retain each of the categories of Personal Information listed in Section B for the period reasonably necessary to provide goods and services to you and for the period reasonably necessary to support our business operational purposes listed in Section E of this Supplemental Notice.

C. Categories of Personal Information We Disclose to Vendors & Third Parties

In the past twelve months, we have disclosed the following categories of Personal Information to Vendors and Third Parties for a business purpose:

• (1) Identifiers, such as name, alias, online identifiers, account name, physical characteristics or description;
• (2) Contact and financial information, including phone number, address, email address, financial information, medical information, health insurance information;
• (3) Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, and marital status;
• (4) Commercial information, such as transaction information and purchase history;
• (5) Biometric information;
• (6) Internet or other electronic network activity information, such as browsing history and interactions with our websites or advertisements;
• (7) Geolocation data, such as device location;
• (8) Audio, electronic, visual and similar information, such as call and video recordings;
• (9) Professional or employment-related information, such as work history and prior employer;
• (10) Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual's preferences and characteristics;
• (11) Written signatures; and
• (12) Sensitive personal information, including:
  • a. Personal Information that reveals:
    • i. Social security, driver's license, state identification card, or passport number;
    • ii. Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account;
    • iii. Precise geolocation;
    • iv. Racial or ethnic origin, religious or philosophical beliefs, or union membership;
    • v. Contents of a consumer's email and text messages, unless the business is the intended recipient thereof; or
    • vi. Genetic data.
  • b. Biometric data processed for the purpose of uniquely identifying a consumer;
  • c. Personal Information collected and analyzed concerning a consumer's health; and
  • d. Personal Information collected and analyzed concerning a consumer's sex life or sexual orientation.

Disclosure for California Consumers: We will not sell or share any of the categories of Personal Information we collect about you, and we have not sold or shared Personal Information about California consumers in the past twelve months. Relatedly, we do not have actual knowledge that we sell or share Personal Information of California consumers under 16 years of age. For purposes of the CPRA, a "sale" is the disclosure of Personal Information to a Third Party for monetary or other valuable consideration, and a "share" is the disclosure of Personal Information to a Third Party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

Disclosure for Colorado, Virginia, Utah, and Connecticut Consumers: We do not sell Personal Information to Third Parties, as the term "sell" is defined in the CPA, VCDPA, UCPA, and CDPA. However, we do process Personal Information for purposes of targeted advertising. To opt out of the processing of your Personal Information for purposes of targeted advertising, you may click on the cookie icon in the footer of the website and update your privacy preferences to opt-out of this processing.

D. Sources from Which We Collect Personal Information

We collect Personal Information directly from California, Colorado, Virginia, Utah, and Connecticut consumers, as well as from our affiliates, business partners, joint marketing partners, public databases, providers of demographic data, publications, professional organizations, social media platforms, and Vendors and Third Parties when they share the information with us.

E. Purposes for Processing & Disclosing Personal Information

We, and our Vendors, collect and process the Personal Information (excluding Sensitive Personal Information) described in this Supplemental Notice to:

• Operate, manage, and maintain our business;
• Provide, develop, improve, repair, and maintain our products and services;
• Hire and manage our employees, as well as for related employment purposes;
• Personalize, advertise, and market our products and services;
• Conduct research, analytics, and data analysis;
• Maintaining our facilities and infrastructure;
• Undertake quality and safety assurance measures;
• Conduct risk and security controls and monitoring;
• Detect and prevent fraud;
• Perform identity verification;
• Perform accounting, audit, and other internal functions, such as internal investigations;
• Comply with law, legal process, and internal policies;
• Maintain records;
• Exercise and defend legal claims; and
• Otherwise accomplish our business purposes and objectives.

We, and our Vendors, collect and process the Sensitive Personal Information described in this Supplemental Notice only for the below purposes that are authorized by the CPRA and its implementing regulations:

• Performing the services or providing the goods reasonably expected by an average consumer who requests those goods or services;
• Ensuring security and integrity to the extent the use of the consumer's Personal Information is reasonably necessary and proportionate for these purposes;
• Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information;
• Resisting malicious, deceptive, fraudulent, or illegal actions directed at the business and prosecuting those responsible for those actions;
• Ensuring the physical safety of natural persons;
• Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer's current interaction with us; provided that we will not disclose the consumer's Personal Information to a Third Party and or build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business;
• Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf;
• Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured by, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us; and
• Collecting or processing Sensitive Personal Information where such collection or processing is not for the purpose of inferring characteristics about a consumer.

F. Categories of Entities to Whom We Disclose Personal Information

• Affiliates & Vendors. We may disclose your Personal Information to our affiliates and Vendors for the purposes described in Section E of this Supplemental Notice. Our Vendors provide us with services for our websites, as well as other products and services, such as web hosting, data analysis, payment processing, order fulfillment, customer service, infrastructure provision, technology services, email delivery services, credit card processing, legal services, and other similar services. We grant our Vendors access to Personal Information only to the extent needed for them to perform their functions, and require them to protect the confidentiality and security of such information.
• Third Parties. For each category of Personal Information identified in Section C, we disclose such Personal Information to the following categories of Third Parties:
  • At Your Direction. We may disclose your Personal Information to any Third Party with your consent or at your direction.
  • Business Transfers or Assignments. We may disclose your Personal Information to other entities as reasonably necessary to facilitate a merger, sale, joint venture or collaboration, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
  • Legal and Regulatory. We may disclose your Personal Information to government authorities, including regulatory agencies and courts, as reasonably necessary for our business operational purposes, to assert and defend legal claims, and otherwise as permitted or required by law.

G. Data Subject Rights

• Exercising Data Subject Rights. California, Colorado, Virginia, Utah, and Connecticut consumers have certain rights with respect to the collection and use of their Personal Information. Those rights vary by state. As required by the CPRA, we provide detailed information below regarding the data subject rights available to California consumers. Colorado, Virginia, Utah, and Connecticut consumers have similar rights and can find more detail by referencing the CPA, VCDPA, UCPA, or CDPA, as applicable.
  • You may exercise the data subject rights applicable to you under the CPRA, CPA, VCDPA, UCPA, or CDPA by clicking here.
• Verification of Data Subject Requests. We may ask you to provide information that will enable us to verify your identity in order to comply with your data subject request. In particular, when a California consumer authorizes an agent to make a request on their behalf, we may require the agent to provide proof of signed permission from the consumer to submit the request, or we may require the consumer to verify their own identity to us or confirm with us that they provided the agent with permission to submit the request. In some instances, we may decline to honor your request if an exception applies under applicable law. We will respond to your request consistent with applicable law.
• Non-Discrimination. We will not discriminate against you for exercising your data subject rights. For example, we will not deny goods or services to you, or charge you different prices or rates, or provide a different level of quality for products or services as a result of you exercising your data subject rights.
  Appeals To appeal a decision on a data subject request that you have submitted using our website privacy portal, you may reply directly to the decision and appeal by replying to the email notification. We will respond to your appeal in accordance with applicable law.
  Data Subject Rights Disclosure for California Consumers: California consumers have the following rights regarding our collection and use of their Personal Information, subject to certain exceptions.
  • Right to Receive Information on Privacy Practices: You have the right to receive the following information at or before the point of collection:
    • The categories of Personal Information to be collected;
    • The purposes for which the categories of Personal Information are collected or used;
    • Whether or not that Personal Information is sold or shared;
    • If the business collects Sensitive Personal Information, the categories of Sensitive Personal Information to be collected, the purposes for which it is collected or used, and whether that information is sold or shared; and
    • The length of time the business intends to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.
    We have provided such information in this Supplemental Notice, and you may request further information about our privacy practices by contacting us as at the contact information provided above.
  • Right to Deletion: You may request that we delete any Personal Information about you we that we collected from you.
  • Right to Correction: You may request that we correct any inaccurate Personal Information we maintain about you.
  • Right to Know: You may request that we provide you with the following information about how we have handled your Personal Information:
    • The categories of Personal Information we collected about you;
    • The categories of sources from which we collected such Personal Information;
    • The business or commercial purpose for collecting, selling, or sharing Personal Information about you;
    • The categories of Personal Information about you that we shared or disclosed and the categories of Third Parties with whom we shared or disclosed such Personal Information; and
    • The specific pieces of Personal Information we have collected about you.
  • Right to Receive Information About Onward Disclosures: You may request that we disclose to you:
    • The categories of Personal Information that we have collected about you;
    • The categories of Personal Information that we have sold or shared about you and the categories of Third Parties to whom the Personal Information was sold or shared; and
    • The categories of Personal Information we have disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.
  • Right to Non-Discrimination: You have the right not to be discriminated against for exercising your data subject rights. We will not discriminate against you for exercising your data subject rights.
• Opt-Out Preference Signals. We do not sell or share Personal Information, or use or disclose Sensitive Personal Information for purposes other than those authorized by the CPRA and its implementing regulations, as listed in Section E. Accordingly, we do not process opt-out preference signals. If we process opt-out preference signals in the future, we will update this policy to provide details about how we do so.

H. Other Disclosures

• California Residents Under Age 18. If you are a resident of California under the age of 18 and a registered user of our website, you may ask us to remove content or data that you have posted to the website by clicking here. Please note that your request does not ensure complete or comprehensive removal of the content or data, as, for example, some of your content or data may have been reposted by another user.
• Disclosure About Direct Marketing for California Residents. California Civil Code § 1798.83 permits California residents to annually request certain information regarding our disclosure of Personal Information to other entities for their direct marketing purposes in the preceding calendar year. We do not distribute your Personal Information to other entities for their own direct marketing purposes.
• Financial Incentives for California Consumers. We do not provide financial incentives to California consumers who allow us to collect, retain, sell, or share their Personal Information. We will describe such programs to you if and when we offer them to you.
• Changes to our Supplemental Notice. We reserve the right to amend this Supplemental Notice at our discretion and at any time. When we make material changes to this Supplemental Notice, we will notify you by posting an updated Supplemental Notice on our website and listing the effective date of such updates.

(Updated and Effective: January 1, 2023)