Privacy Notice - Co-Pay Self Service
Effective Date: September 14, 2018

At McKesson Specialty Health ("McKesson" or "we"), we value the trust that pharmacies and patients place in us to appropriately use and protect personal information. This Privacy Notice informs visitors and regular users of McKesson's Co-Pay Self Service portal ("portal") about the purposes for which McKesson may collect, use and share personal information and how it is protected. We want you to be clear how we're using personal information and the ways in which we protect this information. By using this portal, you accept the privacy practices presented in this Privacy Notice. We encourage you to read this Privacy Notice in full to understand our privacy practices before using this portal or submitting any personal information.

Scope
This Privacy Notice applies only to the Co-Pay Self Service portal. McKesson affiliates and subsidiaries may have separate websites and services through other web, mobile, cloud or SaaS platforms which are not subject to this Privacy Notice. Additionally, McKesson business partners, ad networks and other third parties may have their own websites and services with separate privacy practices. We encourage you to read the privacy notices of all websites and services you visit to understand their privacy practices and your options.

Personal Information We Collect
When you use this portal, we may collect personal information about you. Personal information is any information accessed, collected, or used by McKesson that identifies an individual, or can reasonably be used to identify an individual, whether directly or indirectly. The personal information we may collect includes, but is not limited to:

• Unique identifiers and user behavioral information collected passively, such as your IP address, location, browser type, operating system and clickstream activity

If you use the portal as a patient, we also collect your:

• Name
• Personal characteristics, such as date of birth and gender
• Contact information, such as mailing address, phone number and email address
• Health-related information, such as prescription number, prescription invoice, co-pay card number and claims information

If you use the portal as a pharmacist, we also collect your:

• NPI number
• NCPDP number
• Patients' health-related information, such as co-pay card number and prescription number

Tracking Technologies We Use
We use various technologies to collect personal information about of this portal. These technologies include the following:

• Web server logs
  • As is true of most websites, we gather certain information automatically and store it in log files. This information may include IP addresses, browser type, internet service provider, referring/exit pages, operating system, date/time stamp and/or clickstream data.
• Cookies
  • We may utilize cookies. Cookies uniquely identify your device or user account associated with this portal. You can control the use of cookies by adjusting your browser preferences at any time. If you reject cookies, you may still use this portal, but your ability to use some features or areas of the portal may be limited.
• HTML5
  • We also local storage such as HTML5 to collect and store content information and preferences. Third parties who we partner with to provide certain features on this portal use local storage such as HTML5 to collect and store information. Various browsers may offer their own management tools for removing HTML5 local storage.
• Other Tracking Technologies
  • We may also use technologies such as scripts and tags.

These technologies are used to gather demographic information and to perform data analysis and audits. We may receive reports based on the use of these technologies from companies such as Google Analytics on an individual as well as aggregated basis. To learn more about Google's privacy practices, click here. If you want to opt-out of your data being used by Google Analytics, click here.

How We Respond to "Do Not Track" Signals
Some web browsers have a "Do Not Track" feature. This feature allows you to tell websites you visit that you do not want to have your online activity tracked over time and across websites. These features are not yet uniform across browsers and not broadly supported. This portal is not currently set up to respond to those signals.

How We Use the Personal Information Collected
We may use the personal information we collect for purposes such as:

• Customer and troubleshooting support
• Reporting or data analytics services
• Payment processing services

How We Share Personal Information Collected
McKesson does not sell personal information about you to third parties.
McKesson may also need to share information with companies, organizations or individuals outside of McKesson if we have a good faith belief that access, use, preservation, or disclosure of that information is reasonably necessary to:

• Meet applicable laws, regulations, legal processes or enforceable governmental requests
• Enforce applicable Terms of Service, including investigation of potential violations
• Detect, prevent, or otherwise address fraud, security or technical issues
• Protect against harm to the rights, property or safety of our users, McKesson, or the public as required or permitted by law
• Engage in a merger, acquisition, reorganization, or sale of all or a portion of McKesson assets.

Choice
Where appropriate or legally required, we will describe how your information that we collect through this portal will be used and will provide choices about whether to allow us to engage in that use. To exercise your choice, you may request to access, correct, update or delete information about you by contacting Privacy@McKesson.com.

Retention
We will retain your personal information for as long as your account is active, as reasonably useful for commercial purposes, or as necessary to comply with our legal obligations, resolve disputes and enforce our agreements.

Health Insurance Portability and Accountability Act ("HIPAA")
As a key provider of services and technology to the healthcare industry, McKesson has implemented programs to address the privacy and security requirements of HIPAA.

Children's Privacy
This portal is not intended for any user under the age of 13, and we do not knowingly collect personal information from children under the age of 13. We request that children under the age of 13 not submit any personal information through this portal.

How We Protect Your Information
McKesson has established appropriate physical, electronic and administrative safeguards to protect the information we collect from or about our users. We restrict access to personal information to McKesson employees, contractors and agents who need to know that information to process it for us, and who are subject to confidentiality obligations.

Any sensitive personal information (e.g., Protected Health Information) will be transmitted in an encrypted form using SSL encryption. Notwithstanding our security safeguards, it is impossible to guarantee 100% security in all circumstances. If you have any questions about security or have reason to believe that your interaction with us is no longer secure (for example, you feel that the security of any account you might have with us has been compromised), you must immediately notify us of the problem by contacting McKesson at Privacy@McKesson.com.

Changes to this Privacy Notice
We may periodically update this Privacy Notice to describe new features, products or services we offer and how it may affect our use of personal information about you and your controls. Since we may change this Privacy Notice, we recommend that you check the current version available from time to time. If we make changes to this notice, we will update the "Effective Date" at the beginning of this notice.

Contact Information
If you have questions or concerns about this Privacy Notice, our information handling practices, or any other aspect of privacy and security of your personal information, please contact us at: Privacy@McKesson.com.

You may also write to us at: