Some states have adopted data protection legislation that gives their residents certain rights with respect to Novo Nordisk’s collection, use, and disclosure of their Personal Information. This Supplemental Notice applies only to information collected about California, Colorado, Virginia, Utah, and Connecticut consumers. It provides information required under the California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (collectively, the “CPRA”), the Colorado Privacy Act of 2021 (the “CPA”), the Virginia Consumer Data Protection Act of 2021 (the “VCDPA”), the Utah Consumer Privacy Act of 2022 (the “UCPA”), and the Connecticut Data Privacy Act of 2022 (“CDPA”). We also provide a brief paragraph regarding information collected about Nevada consumers under the heading “Privacy Notice for Nevada Residents” at the end of this Supplemental Notice. The other portions of this Supplemental Notice do not apply to Nevada consumers.

All companies need to collect and share consumers’ Personal Information for everyday business purposes, marketing, and maintenance of the safety, security, and integrity of their websites and other assets, among other reasons. This Supplemental Notice describes Novo Nordisk’s (“we,” “us,” “our”) practices regarding the collection, use, and disclosure of Personal Information and provides instructions for submitting data subject requests. This Supplemental Notice is broader in scope than the Novo Nordisk Privacy Policy because it provides details about the Personal Information, we collect from you through both your online and offline interactions with Novo Nordisk’s products or services.

For more information about how we collect, use, and disclose information through our websites and online services, please review our Novo Nordisk Privacy Policy. Please also note that some portions of this Supplemental Notice apply only to consumers of particular states. In those instances, we have indicated that such language applies only to those consumers. Further, please note that this Supplemental Notice does not address our collection and processing of Personal Information from job applicants, employees, healthcare providers (HCPs), and other individuals with whom we interact in an employment-related or business-to-business context. California residents who fall into one of those categories may access our website privacy disclosures applicable to them by clicking here and selecting the notice that applies to them.

Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information includes “personal data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA. Personal Information also includes “Sensitive Personal Information,” as defined below, except where otherwise noted.

Sensitive Personal Information” means Personal Information that reveals a consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious beliefs, or union membership; contents of email or text messages; and genetic data. Sensitive Personal Information also includes processing of biometric information for the purpose of uniquely identifying a consumer and Personal Information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation. Sensitive Personal Information also includes “sensitive data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA.

Third Party” has the meanings afforded to it in the CPRA, CPA, VCDPA, UCPA, and CDPA.

Vendor” means a service provider, contractor, or processor as those terms are defined in the CPRA, CPA, VCDPA, UCPA, and CDPA.

To the extent other terms used in this Supplemental Notice are defined terms under the CPRA, CPA, VCDPA, UCPA, or CDPA they shall have the meanings afforded to them in those statutes, whether or not capitalized herein. As there are some variations between such definitions in each of the five statutes, the definitions applicable to you are those provided in the statute for the state in which you are a consumer. For example, if you are a Virginia consumer, terms used in this Supplemental Notice that are defined terms in the VCDPA shall have the meanings afforded to them in the VCDPA as this Supplemental Notice applies to you.

We, and our Vendors, collect the following categories of Personal Information about consumers. We also may have collected and processed the following categories of Personal Information about consumers in the preceding 12 months:

1.  Identifiers, such as name, alias, postal address, unique personal identifier, online identifier, internet protocol (IP) address, or other similar identifiers;

2.  Contact and financial information, including phone number, address, email address, bank account number, credit or debit card number, or other financial information, and health insurance information, including an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in the individual’s application and claims history;

3.  Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, marital status, and religion;

4.  Commercial information, such as including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

5.  Biometric information, including an individual’s physiological, biological, or behavioral characteristics (including DNA) to the extent it can be used to establish individual identity;

6.  Internet or other electronic network activity information, such as browsing history, search history, and information regarding an individual’s interaction with an internet website, application,  or advertisement;

7.  Geolocation data, such as device location;

8.  Audio, electronic, visual or similar information, such as call and video recordings or profile photograph;

9.  Professional or employment-related information, such as work history and prior employer;

10.  Education information, such as academic information and records;

11.  Inferences drawn from any of the information listed above to create a profile about an individual reflecting the individual’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. (e.g., predications about an individual’s preferences or tendencies);

12.  Individuals’ written signatures; and

13.  Sensitive personal information, including:

    a.  Personal Information that reveals:

         i.  Social security, driver’s license, state identification card, or passport number;

        ii.  Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account;

        iii.  Precise geolocation data;

        iv.  Racial or ethnic origin, religious or philosophical beliefs, or union membership;

        v.  Genetic data.

     b.  Biometric data processed for the purpose of uniquely identifying a consumer;

     c.  Personal Information collected and analyzed concerning a consumer’s health, including any information in possession of or derived from a healthcare provider, healthcare service plan, pharmaceutical company, or contractor regarding an individual’s medical history, mental or physical condition, or treatment

Retention of Personal Information. We retain each of the categories of Personal Information listed in Section C for the period reasonably necessary to provide goods and services to you and for the period reasonably necessary to support our business operational purposes listed in Section G.

We have disclosed the following categories of Personal Information to Vendors and Third Parties for a business purpose in the past twelve months:

1.  Identifiers, such a real name, alias, postal address, unique personal identifier, online identifier, internet protocol (IP) address, or other similar identifiers;

2.  Contact and financial information, including phone number, address, email address, medical information, bank account number, credit or debit card number, or other financial information, and health insurance information, including an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in the individual’s application and claims history;

3.  Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, marital status, and religion;

4.  Commercial information, such as including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;

5.  Biometric information, including an individual’s physiological, biological, or behavioral characteristics (including DNA) to the extent it can be used to establish individual identity;

6.  Internet or other electronic network activity information, such as browsing history, search history, and information regarding an individual’s interaction with an internet website, application, or advertisement;

7.  Geolocation data, such as device location;

8.  Audio, electronic, visual, thermal, olfactory, or similar information, such as a recording of a customer service call or profile photograph;

9.  Professional or employment-related information, such as work history and prior employer;

10.  Education information, such as academic information and records;

11.  Inferences drawn from any of the information listed above to create a profile about an individual reflecting the individual’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. (e.g., predications about an individual’s preferences or tendencies);

12.  Individuals’ written signatures; and

13.  Sensitive personal information, including:

    a.  Personal Information that reveals:

        i.  Social security, driver’s license, state identification card, or passport number;

        ii.  Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account;

        iii.  Precise geolocation data;

        iv.  Contents of a consumer’s email and text messages, unless the business is the intended recipient thereof; or

        v.  Genetic data.

    b.  Biometric data processed for the purpose of uniquely identifying a consumer;

Personal Information collected and analyzed concerning a consumer’s health, including any information in possession of or derived from a healthcare provider, healthcare service plan, pharmaceutical company, or contractor regarding an individual’s medical history, mental or physical condition, or treatment;

Sale, Sharing, and Processing of Personal Information for Targeted Advertising: We sell, share, and process Personal Information for purposes of targeted advertising, as the terms “sell,” “share,” “process,” and “targeted advertising” are defined in the CPRA, CPA, VCDPA, UCPA, and CDPA. Of the categories of Personal Information listed in Section C, we sell and share the below categories of Personal Information. Further, in the past twelve months, we have sold or shared the below categories of Personal Information. We may also process the below categories of Personal Information for purposes of targeted advertising.

For Patients & Caregivers: Deidentified patient information derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Confidentiality of Medical Information Act (CMIA), or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule. Such information was either deidentified pursuant to the HIPAA expert determination method, as described in 45 C.F.R. § 164.514(b)(1) or the HIPAA safe harbor method, as described in 45 C.F.R. § 164.514(b)(2). We sell and share these categories of Personal Information to:

  • Affiliates & Vendors. We may disclose your Personal Information to our affiliates and Vendors for the purposes described in this Supplemental Notice (see Purposes for Processing Personal Information listed in Section G). Our Vendors provide us with services for our websites, as well as other products and services, such as web hosting, data analysis, payment processing, order fulfillment, customer service, infrastructure provision, technology services, email delivery services, credit card processing, legal services, and other similar services. We grant our Vendors access to Personal Information only to the extent needed for them to perform their functions, and we require them to protect the confidentiality and security of such information.
  • Third Parties. For each category of Personal Information identified in Section D, we disclose such Personal Information, and have disclosed such Personal Information in the past twelve (12) months, to the following categories of Third Parties:
    • At Your Direction. We may disclose your Personal Information to any Third Party with your consent or at your direction. In the case of marketing materials or events in or at which you have consented to appear, this includes disclosure of your Personal Information to the general public.
    • Marketing Vendors. We may disclose your Personal Information to Third Parties to provide marketing services in order to serve consumers with online advertising that is more relevant to them based on their network activity data, IP addresses, other online identifiers, and similar information and inferences derived therefrom.
    • Healthcare & Insurance Providers. We may disclose your Personal Information to your healthcare provider, pharmacy, and health insurance provider or administrator.
    • Business Transfers or Assignments. We may disclose your Personal Information to other entities as reasonably necessary to facilitate a merger, sale, joint venture or collaboration, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
    • Legal and Regulatory. We may disclose your Personal Information to government authorities, including regulatory agencies and courts, as reasonably necessary for our business operational purposes, to assert and defend legal claims, and otherwise as permitted or required by law.

For Healthcare Providers: Inferences, network activity data, IP addresses, commercial information, and other online identifiers with marketing vendors to provide consumers with online advertising that is more relevant.

For Website Users, Grant Applicants and Recipients, and Others: Inferences, network activity data, IP addresses, other online identifiers, and associated information with marketing vendors to provide consumers with online advertising that is more relevant.

We sell and share Personal Information for the purposes listed in Section G. We do not sell or share, and have not sold or shared in the past twelve (12) months, categories of Personal Information that are not listed in this Section E.

We collect Personal Information about California, Colorado, Virginia, Utah, and Connecticut consumers from the below sources:

For Patients & Caregivers: We may collect Personal Information about patients and caregivers directly from patients and caregivers, as well as from healthcare providers, and health insurance providers. We may also collect Personal Information about patients and caregivers from publicly-available sources and from commercial sources, including third parties that aggregate and sell data.

For Healthcare Providers: We may collect Personal Information about healthcare providers from such healthcare providers or their patients. We may also collect Personal Information about patients and caregivers from publicly-available sources and from commercial sources, including third parties that aggregate and sell data.

For Website Users, Grant Applicants and Recipients, and Others: We may collect Personal Information directly from these consumers.

We, and our Vendors, collect and process the Personal Information (excluding Sensitive Personal Information) described in this Supplemental Notice to:

  • Administer Novo Nordisk websites;
  • Contact consumers and provide consumers with information, opportunities, updates, or special offers from Novo Nordisk and its business partners;
  • Contract with service providers;
  • Identify and recruit subject matter experts, spokespersons, and other professionals;
  • Evaluate eligibility for Novo Nordisk programs and services;
  • Manage attendance at events and activities we host or sponsor;
  • Manage access to and protect our facilities and physical locations;
  • Meet legal requirements and ensure compliance with Novo Nordisk policies and procedures;
  • Monitor and improve Novo Nordisk’s websites, products, and services, including monitoring the safety and efficacy of our products;
  • Plan and manage business activities, including management of consumer relationships and Novo Nordisk personnel that interact with consumers;
  • Prepare for and conduct research related to medical conditions, treatments, and therapies;
  • Prevent fraud or physical harm;
  • Provide consumers with products or services that a consumer or consumer’s healthcare provider requests from us;
  • Respond to requests from consumers;
  • Support, collect, and monitor publications, presentations, posters, and other media about Novo Nordisk, its products, and associated research; and
  • With the consumer’s permission, include information about the consumer in marketing materials or at events, and to prepare, evaluate, and distribute or conduct those materials or events.

We, and our Vendors, collect and process the Sensitive Personal Information described in this Supplemental Notice only for:

  • Performing the services or providing the goods reasonably expected by an average consumer who requests those goods or services;
  • Ensuring security and integrity to the extent the use of the consumer's Personal Information is reasonably necessary and proportionate for these purposes;
  • Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information;
  • Resisting malicious, deceptive, fraudulent, or illegal actions directed at the business and prosecuting those response for those actions.
  • Ensuring the physical safety of natural persons;
  • Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer's current interaction with us; provided that we will not disclose the consumer's Personal Information to a Third Party and or build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business;
  • Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf; and
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured by, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us; and
  • Collecting or processing Sensitive Personal Information where such collection or processing is not for the purpose of inferring characteristics about a consumer.

Affiliates & Vendors. We may disclose your Personal Information to our affiliates and Vendors for the purposes described in this Supplemental Notice (see “Purposes for Processing Personal Information,” above). Our Vendors provide us with services for our websites, as well as other products and services, such as web hosting, data analysis, payment processing, order fulfillment, customer service, infrastructure provision, technology services, email delivery services, credit card processing, legal services, and other similar services. We grant our Vendors access to Personal Information only to the extent needed for them to perform their functions, and we require them to protect the confidentiality and security of such information.

Third Parties. For each category of Personal Information identified in Section D, we disclose such Personal Information, and have disclosed such Personal Information in the past twelve (12) months, to the following categories of Third Parties:

  • At Your Direction. We may disclose your Personal Information to any Third Party with your consent or at your direction. In the case of marketing materials or events in or at which you have consented to appear, this includes disclosure of your Personal Information to the general public.
  • Marketing Vendors. We may disclose your Personal Information to Third Parties to provide marketing services in order to serve consumers with online advertising that is more relevant to them based on their network activity data, IP addresses, other online identifiers, and similar information and inferences derived therefrom.
  • Healthcare & Insurance Providers. We may disclose your Personal Information to your healthcare provider, pharmacy, and health insurance provider or administrator.
  • Business Transfers or Assignments. We may disclose your Personal Information to other entities as reasonably necessary to facilitate a merger, sale, joint venture or collaboration, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
  • Legal and Regulatory. We may disclose your Personal Information to government authorities, including regulatory agencies and courts, as reasonably necessary for our business operational purposes, to assert and defend legal claims, and otherwise as permitted or required by law.

Exercising Data Subject Rights. California, Colorado, Virginia, Utah, and Connecticut consumers have certain rights with respect to the collection and use of their Personal Information. Those rights vary by state. As required by the CPRA, we provide detailed information below regarding the data subject rights available to California consumers. Colorado, Virginia, Utah, and Connecticut consumers have similar rights and can find more detail by referencing the CPA, VCDPA, UCPA, or CDPA, as applicable.

You may exercise the data subject rights applicable to you under the CPRA, CPA, VCDPA, UCPA, or CDPA by contacting our Privacy Office at NNIPrivacy@novonordisk.com, by calling (888) 870-3901, or by clicking here. Consumers in some states may also authorize an agent to make data subject requests on their behalf. When you submit a data subject request, please indicate the type of request you are making, so that we may properly process and respond to your request in accordance with applicable law.

Verification of Data Subject Requests. We value the security and confidentiality of your Personal Information. Depending on the type of data subject request you submit, we may ask you to provide information that will enable us to verify your identity before complying with the request. We verify requests carefully and in accordance with applicable law. In particular, when a California consumer authorizes an agent to make a request on their behalf, we may require the agent to provide proof of signed permission from the consumer to submit the request, or we may require the consumer to verify their own identity to us or confirm with us that they provided the agent with permission to submit the request. In some instances, we may decline to honor your request if an exception applies under applicable law. We will respond to your request consistent with applicable law.

Non-Discrimination. We will not discriminate against you for exercising your data subject rights. For example, we will not deny goods or services to you, or charge you different prices or rates, or provide a different level of quality for products or services as a result of you exercising your data subject rights.

Appeals for Virginia, Colorado, & Connecticut Consumers. Virginia, Colorado, and Connecticut consumers have the right to appeal our decisions on their data subject requests. This section does not apply to California or Utah consumers. To appeal our decision on your data subject requests, you may contact our Privacy Office at NNIPrivacy@novonordisk.com or by calling (888) 870-3901. Please enclose a copy of or otherwise specifically reference our decision on your data subject request, so that we may adequately address your appeal. We will respond to your appeal in accordance with applicable law.

If you are a California resident, you have the following rights under the CCPA with respect to your Personal Information, subject to certain exceptions:

Right to Receive Information on Privacy Practices: You have the right to receive the following information at or before the point of collection:

  • The categories of Personal Information to be collected;
  • The purposes for which the categories of Personal Information are collected or used;
  • Whether or not that Personal Information is sold or shared;
  • If the business collects Sensitive Personal Information, the categories of Sensitive Personal Information to be collected, the purposes for which it is collected or used, and whether that information is sold or shared; and
  • The length of time the business intends to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.

We have provided such information in this Supplemental Notice, and you may request further information about our privacy practices by contacting us as at the contact information provided above.

Right to Deletion: You may request that we delete any Personal Information about you we that we collected from you.

Right to Edit: You may request that we edit any inaccurate Personal Information we maintain about you.

Right to Know: You may request that we provide you with the following information about how we have handled your Personal Information:

  • The categories of Personal Information we collected about you;
  • The categories of sources from which we collected such Personal Information;
  • The business or commercial purpose for collecting, selling, or sharing Personal Information about you;
  • The categories of Third Parties with whom we shared or disclosed such Personal Information; and
  • The specific pieces of Personal Information we have collected about you.

Right to Receive Information About Onward Disclosures: You may request that we disclose to you:

  • The categories of Personal Information that we have collected about you;
  • The categories of Personal Information that we have sold or shared about you and the categories of Third Parties to whom the Personal Information was sold or shared; and
  • The categories of Personal Information we have disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

Right to Non-Discrimination: You have the right not to be discriminated against for exercising your data subject rights. We will not discriminate against you for exercising your data subject rights.

Right to Opt-Out of the Sale and Sharing of Personal Information.  You have the right, at any time, to direct us not to sell or share your Personal Information. To exercise this right, please click on the “Do Not Sell or Share My Personal Information” button in this policy or on any Novo Nordisk webpage where the button is present. Novo Nordisk does not have actual knowledge that it sells or shares the Personal Information of minors under 16 years of age without affirmative authorization.

Opt-Out Preference Signals. We recognize opt-opt preference signals that we are required to recognize for compliance with applicable law. We treat such opt-out preference signals as a valid request to opt-out of sale and sharing for the browser or device through which the signal is sent and any consumer profile we have associated with that browser or device, including pseudonymous profiles. If we know the identity of the consumer from the opt-out preference signal, we will also treat such opt-out preference signal as a valid request to opt out of sale and sharing for the consumer. California consumers may use opt-out preference signals by downloading or otherwise activating them for use on supported browsers and setting them to send opt-out preference signals to websites they visit.

California Residents Under Age 18. If you are a resident of California under the age of 18 and a registered user of our website, you may ask us to remove content or data that you have posted to the website by writing to NNIPrivacy@novonordisk.com. Please note that your request does not ensure complete or comprehensive removal of the content or data, as, for example, some of your content or data may have been reposted by another user.

Disclosure About Direct Marketing for California Residents. California Civil Code § 1798.83 permits California residents to annually request certain information regarding our disclosure of Personal Information to other entities for their direct marketing purposes in the preceding calendar year. To make such a request, please send an email to NNIPrivacy@novonordisk.com with the subject “Shine the Light Request.”

Financial Incentives for California Consumers. Under California law, we do not provide financial incentives to California consumers who allow us to collect, retain, sell, or share their Personal Information. We will describe such programs to you if and when we offer them to you.

Privacy Notice for Nevada Residents. We sell Covered Information as defined under Nevada law, and we may disclose personal information as defined under Nevada law for commercial purposes. Under Nevada law, you have the right to direct us to not sell or license your personal information to third parties. To exercise this right, if applicable, you or your authorized representative may contact our Privacy Office at NNIPrivacy@novonordisk.com.

Changes to our Supplemental Notice. We reserve the right to amend this Supplemental Notice at our discretion and at any time. When we make material changes to this Supplemental Notice, we will notify you by posting an updated Supplemental Notice on our website and listing the effective date of such updates.

Call (888) 870-3901 or email us at NNIPrivacy@novonordisk.com to contact us with questions regarding this Notice. If you are unable to review or access this Notice due to a disability, you may contact us to request access to this Notice in an alternative format.