U.S. Supplemental Privacy Notice

Merck has collected and/or disclosed for our business purposes the following categories of personal information during the preceding 12 months:

• Identifiers, such as your name, alias, contact information including postal address, Internet Protocol (IP) address, online identifiers, and other unique similar identifiers.
• Financial information, such as bank account number, credit card number, debit card number, or any other financial information that does not allow or withdrawal of funds.
• Commercial information, such as products purchased or purchasing or consuming histories.
• Medical and health information, where that information is processed outside the scope of the Health Insurance Portability and Accountability Act and human subject research frameworks.
• Internet and other electronic network activity information, such as browsing history, site visits, search history, and your interactions with our websites, advertisements, and other online resources.
• Geolocation data, such as device location that is more granular than a city or town.
• Audio, electronic, and visual information, such as call recordings and video testimonials.
• Professional or employment-related information, such as work history and prior employer.
• Education information, such as medical specialty and expertise.
• Inferences we derive from the information that we collect as set forth in this policy to create a profile about you reflecting preferences, characteristics, and other traits.
• Sensitive personal information, such as physical and mental health information, race, ethnicity, social security number, government identification, financial account information, and precise geolocation data.
• Other information that you provide as may be disclosed to you at the time of such collection, such as in our GIPP.

Merck does not knowingly collect personal information from children under 13 years of age without obtaining verifiable parental consent prior to collection.

Merck may collect personal information from the following categories of sources:

• Directly from you when you share it with us, from your interactions with our products and services;
• Through our websites and mobile apps. With your permission, we and our business partners may collect your personal information over time and across different internet websites or online services when you use any internet website or online service of a regulated entity;
• From third parties, including collaboration and other business partners; and
• From social media platforms (for more information, please see our Privacy Notice of Social Media Monitoring).

Merck may share personal information, including sensitive personal information:

• With service providers to assist us in providing the services;
• With advertising networks and data analytics providers for the purposes of cross-contextual advertising;
• With affiliates within our family of companies for everyday business purposes described in this Notice;
• With other companies we collaborate with solely for activities related to products and services jointly offered or developed by us and that company;
• To other entities, including actual or prospective purchasers, if we decide to reorganize or divest part or all of the business through sale, merger or acquisition;
• As legally required in relevant legal proceedings and otherwise to the extent required or authorized by applicable law; and
• Otherwise with your consent.

Merck may collect, process, and disclose personal information, including sensitive personal information, for the following business purposes:

• Operating, administering, managing, and maintaining our business;
• Performing the services or providing the goods reasonably expected by an average consumer who requests those goods or services;
• Developing, improving, repairing, and maintaining our products and services;
• Patient assistance, prescription discount and reimbursement support programs;
• Communicating with you, including communicating information about diseases, products and services through our web sites, via e-mail, direct mail and other channels;
• Personalizing, advertising, and marketing our products and services;
• Inferring characteristics about a consumer, such as when you choose to answer a survey so we can send you information and products about which you may be interested;
• Performing identity verification;
• Adverse experience and product complaint reporting;
• Auditing our programs and resources for compliance and security purposes;
• Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information;
• Resisting malicious, deceptive, fraudulent, or illegal actions directed at us and prosecuting those responsible for those actions;
• Verifying or maintaining the quality or safety of a product, program, service, treatment, or device that is owned, manufactured, manufactured for, or controlled by us;
• Analyzing improving, evaluating, developing, upgrading, or enhancing the products, programs, services, treatments and devices, including those that are owned, manufactured by, manufactured for, or controlled by us;
• Protecting our and others’ rights, including by monitoring, protecting, enforcing, and defending our legal rights, and monitoring, protecting against, enforcing, and defending against violations of our Terms of Use, policies and procedures, fraud, and other behavior that is illegal or harmful;
• As required or authorized by laws applicable to our business globally; and
• De-identifying your personal data to use or disclose it for the above purposes and other purposes permitted under applicable law.

Merck does not sell personal information to third parties for money or other valuable consideration.

Merck also does not knowingly sell or process for targeted advertising personal information of consumers under 18 years of age. In general, our websites and online resources are not directed at children and most of the online services that we offer are designed for individuals who are 18 years of age or older. From time to time, some of our web sites and other online resources may provide optional features for children. When we do offer those features, we will take appropriate steps to ensure that verifiable parental consent is obtained prior to any collection, use or disclosure of personal information from children in accordance with applicable law.

Retention of personal information: We generally retain personal information for as long as reasonably needed for the specific business purpose or purposes for which it was collected and the duration of your use of our web sites, apps and other relevant online tools. In some cases, we may be required to retain information for a longer period of time based on laws or regulations that apply to our business, such as applicable rules on statute of limitations or for other necessary business purposes. Where possible, we aim to anonymize, de-identify, or remove unnecessary identifiers from records that we may need to keep for periods beyond the original retention period.

Your Choices and Rights

You may be entitled to certain data subject rights pursuant to applicable U.S. law. These rights include:

• Right to know, confirm, access, and/or obtain a copy of the personal information we hold about you. You may have the right to request to know certain information, such as the specific pieces and categories of personal information that we have collected about you, the categories of sources for that information, the business or commercial purposes for collecting the information, and the categories of third parties with which the information has been shared. You also may have the right to request a copy of the personal information that is collected, including, in some cases, in a portable and readily usable format that allows you to transmit the data to a third party.
• Right to delete the personal information we hold about you.
• Right to correct inaccurate personal information we hold about you.
• Right to opt out of sharing your personal information with third parties for targeted advertising. We may share your information, including Internet and other electronic network activity information, with third parties for the purposes of cross-contextual behavioral advertising and targeted advertising. Cross-contextual behavioral advertising and targeting advertising refers to displaying an advertisement on a website you visit, selected based on your activities across multiple websites and applications. You may have the right to opt out of Merck’s use of your personal information for the purpose of cross-contextual behavioral advertising and targeted advertising. You may exercise this right here by selecting “Do not share my data” as the request type and providing the other requested information.
• Right to opt out of processing/limit use and disclosure of your sensitive personal information. We may collect and use sensitive personal information about you. You may exercise the right to opt out of this processing in certain limited scenarios by selecting “Limit use of my sensitive data” as the request type and providing the other requested information here.
• Right to withdraw your consent to our collection and use of your personal information, where we rely on your consent for the relevant processing of your personal information.
• Right to appeal a decision by Merck not to comply with your exercise of these rights. You may have the right to appeal, which you can exercise via our online portal by selecting “Other” as the request type, providing the other required personal information, and specifying that you want to appeal a decision in the “Additional information”.

We do not process your personal information for the purposes of profiling in furtherance of decisions that produce legal or significant effects.

You, a legal representative, or another legally authorized agent, can exercise available rights here by selecting the right you would like to exercise and providing the requested information, which will be used to verify your identity and to match the personal data we have about you. For more information on your data subject rights, you can contact Merck via email at merck_privacy_office@merck.com or at Merck Privacy Office, UG4B-24, 351 N. Sumneytown Pike, North Wales, PA 19454.

If you choose to exercise any of these rights, we will not discriminate against you.

Once we receive your request, we may request additional information from you to verify your identity and confirm that the request is valid. If you are seeking to use an agent to exercise your rights, that authorized agent should exercise your rights in the same manner you would under this Notice. Merck may request evidence that you have provided such agent with power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf.

Opt-Out Preference Signals (Do Not Track and Global Privacy Controls)

Some internet browsers have incorporated “Do Not Track (DNT)” features or the Global Privacy Control (“GPC”) universal opt-out signal. These features, when turned on, send a signal or preference to the web sites you visit indicating that you do not wish to be tracked or do not want your information shared for targeted advertising purposes. These features apply only to a single browser or device. For example, if you have a laptop and a mobile device and use multiple internet browsers, you need to turn these features on from all of the internet browsers and devices you use, separately.

Merck recognizes DNT features and is monitoring new technologies that will help provide consumers enhanced privacy controls. Merck is also currently incorporating GPC into our websites. In addition to these features, Merck provides a variety of opt-out mechanisms available to consumers in our cookie panel. Using the cookie banner settings will ensure that your preferences are appropriately reflected.

Loyalty or Discount Programs

We may offer certain loyalty or discount programs that involves the collection and sharing of personal information, such as your name and email, which Merck may use to provide the relevant loyalty and/or discount programs. Based on our reasonable and good faith estimate, personal data collected through such programs do not have monetary value. You may withdraw from such programs at any time and may do so by completing an online form or calling us at 1-855-344-4971 (toll free in the US). If you make a data subjects rights to delete your personal data, then you may not be able to continue your participation in such programs.

Questions?

Questions about this Notice or Merck’s privacy practices can be submitted via email at merck_privacy_office@merck.com or by contacting Merck at: Merck Privacy Office, UG4B-24, 351 N. Sumneytown Pike, North Wales, PA 19454.

We may update this Notice periodically in response to changing laws, regulations, and industry practices. We reserve the right to modify, add or remove portions of this Notice at our discretion. If we decide to change this Notice, we will post the updated version on www.msdprivacy.com. If the changes are material, we will contact you directly where we have your contact information and appropriate under applicable law, and we will post the changes prior to the effective date of the change.

Last Updated: June 7, 2024

Calendar Year 2023 Metrics (including Sure Petcare and Harpoon Therapeutics, Inc.)

Requests to Know:
Number received: 19
Number complied with in whole or in part: 9
Number denied: 10

Requests to Delete:
Number received: 168
Number complied with in whole or in part: 161
Number denied: 7

Requests to Opt-Out:
Number received: 0
Number complied with in whole or in part: n/a
Number denied: n/a

Requests to Correct:
Number received: 23
Number complied with in whole or in part: 20
Number denied: 3

Requests to Limit:
Number received: 58
Number complied with in whole or in part: 52
Number denied: 6

The median number of days within which we substantively responded to Requests to Know, Requests to Delete, and Requests to Correct: 31.5 days

The median number of days within which we substantively responded to Requests to Opt-Out and Requests to Limit: 7.2 days

Calendar Year 2022 Metrics (including Imago BioSciences, Inc.)

Requests to Know:
Number received: 19
Number complied with in whole or in part: 19
Number denied: 0

Requests to Delete:
Number received: 31
Number complied with in whole or in part: 31
Number denied: 0

Requests to Opt-Out:
Number received: 73
Number complied with in whole or in part: 73
Number denied: 0

The median number of days within which we substantively responded to Requests to Know, Requests to Delete, and Requests to Opt-out: 6.9 days