Veeva Engage Privacy Statement
Last Updated: December 10, 2021
We, Veeva, provide this Veeva Engage Privacy Statement (“Privacy Statement”) to describe how we collect, use, disclose and otherwise process your
personal data when you use Veeva Engage (“Engage”), the
types of personal data that life sciences companies collect from
healthcare professionals when they use Engage, and the rights you may
have under privacy laws. We use the term “personal data” to mean
information about an identified or identifiable individual. If you are
located in the European Economic Area, United Kingdom or Switzerland
(collectively, the “EEA+”), “Veeva” refers to Veeva Systems Hungary Kft.,
Alkotás út 50.B. tower, 4th floor, H - 1123, Budapest, Hungary. If you
are located outside of the EEA+, “Veeva” refers to
Veeva Systems Inc., 4280 Hacienda Drive, Pleasanton, California, USA,
94588. For more information on country and region-specific privacy laws
that may apply to you, please refer to the Jurisdiction-Specific
Disclosures at the end of this Privacy Statement.
What personal data do we collect? Depending on how you
interact with Engage, we may collect the following types of personal
data about you, which we have grouped together as follows:
- Contact Data, which may include your first name, last name, title,
work email address, territory at the postal code or similar level and
the organization you represent. Contact Data also includes your work
phone number if you are a representative of a life sciences company,
and your specialty if you are a healthcare professional.
- Usage Data, which means information about how you use Engage,
including the features with which you interact, the preferences you
enter, the pages or other content you view, the searches you conduct,
the people you follow or connect to, any comments and other content
you post, the types of communications you have via Engage, the types
of services or transactions you request via Engage, and the dates and
times of your interactions and other activities on Engage.
- Communications Data, which includes the content of your communications
with other Engage users.
- Account Data, which includes your Contact Data, Usage Data,
Communications Data, your account identifier and account password, and
any other information you voluntarily upload to your Engage profile.
- Technical Data, which includes your IP address, web browser type,
operating system version, phone carrier, manufacturer, application
installation details of Engage, and device identifiers.
If you do not provide the data that we request from you, you may not be
able to use Engage.
What personal data do life sciences companies collect from healthcare
professionals?
- When a healthcare professional uses Engage’s messaging feature to
communicate with a life sciences company, the company collects their
Profile Data and Communications Data.
- When a healthcare professional views, clicks on, plays or otherwise
interacts with the content a life sciences company has posted to
Engage (e.g., videos, photos and articles), that life sciences company
collects information about what content the healthcare professional
interacted with, on what date, at what time, and for how long.
- When a healthcare professional interacts with any content on Engage or
uses any features of Engage, statistics and insights about that
healthcare professional’s interactions become available to life
sciences companies that use Veeva’s cloud software or Veeva’s database
of healthcare professional biographical and business information.
These statistics and insights do not identify what specific content
the healthcare professional interacted with but include usage patterns
(for instance, the times of day when the healthcare professional is
most active on Engage) and insights about the types of content with
which the healthcare professional actively interacts.
For more information on the data you automatically share with life
sciences companies when you use Engage,
see here. Life sciences
companies process the personal data they receive from healthcare
professionals in accordance with their respective privacy statements.
How do we collect personal data? We may collect
personal data about you from the following sources:
- From you, such as when you create an Engage account
or upload personal data to Engage. As you interact with Engage, we
will also automatically collect Usage Data and Technical Data by using
cookies, server logs and similar technologies.
- Publicly available sources, including national or
local registries of physicians, national or local medical
associations, the public websites and disclosures of hospitals,
medical offices and clinics, to verify that you are a healthcare
professional if you state you are one.
- Referrers, who refer you to us.
For what purposes do we use your personal data?
- To create and administer your profile on Engage as well as to provide,
maintain and operate Engage for your use.
- To improve and enhance Engage and other databases with biographic and
interest-based information on you that life sciences companies use to
engage with you efficiently.
- To personalize your experience on Engage, such as by providing
tailored content and recommendations to you.
- To communicate with you, provide you with updates and other
information relating to Engage, provide information that you request,
respond to comments and questions, and otherwise provide customer
support.
- To protect against fraudulent, illegal and harmful activities, and
respond to trust and safety issues that may arise.
- To exercise our legal rights and defend our legal interests, including
enforcing our Terms of Use or other legal rights.
- If we take steps to enter into a reorganization, restructuring,
merger, acquisition or transfer of assets (“Business Transfer”), we
may use your personal data to give effect to that Business Transfer in
accordance with applicable law.
- For other purposes in accordance with your prior informed consent.
To whom do we disclose personal data? We disclose your
personal data to others only as follows:
- Service Providers: We disclose your personal data to
our affiliated and unaffiliated service providers so that they may
provide IT and other services to us to help us fulfil the purposes
listed in this Privacy Statement. Our service providers are located
and process personal data in the following jurisdictions: the U.S.,
European Union and Japan.
- Government Agencies, Regulators and Professional Advisors:
Where permitted or required by applicable law, we may also transfer
your personal data to government agencies, regulators and external
professional advisors to comply with our legal obligations, or defend
and advance our legal interests.
- Organizations Involved in Business Transfers: In the
event of a Business Transfer, the acquiring or surviving entity may
receive your personal data.
Also, you automatically share interest and usage information with life
sciences companies when you use Engage,
see here.
How do we protect personal data? We take steps intended
to protect the personal data collected via Engage. We have contracted
with Amazon Web Services (AWS) to provide the infrastructure on which
Engage operates. AWS’ facilities are certified against established
standards such as SSAE 18 and/or ISO27001. The processing of data is
performed with a combination of a Veeva-maintained mobile application
and web front-end running on top of AWS. Personal data, Engage, and the
infrastructure it operates on are protected by a combination of security
controls provided by AWS and third-party Internet security software
providers, including AWS GuardDuty, AWS Shield, AWS CloudTrail, and
Check Point Dome9 (Cloud security policy
enforcement). We and our security service providers continuously monitor
our and their security safeguards.
How about the personal data of children and patients?
We do not knowingly collect, maintain, or use personal data from
individuals under 18 years of age, and no part of Engage is directed to
such individuals. You must not upload, transmit or otherwise provide
personal data about any patients or anyone else under your care to us or
through Engage.
What rights do you have? Under applicable laws, you may
have rights to access, update, rectify, port or erase certain personal
data that we have about you or restrict or object to certain activities
in which we engage with respect to your personal data. If you have such
rights and your request complies with the requirements under applicable
laws, please use the details in the “Contact Us” section below to
contact us and we will give effect to your rights as required by law. We
may request additional information from you to verify your identity and
complete your request.
Changes. We reserve the right to change this Privacy
Statement. If we make a material change to how we process personal data,
we will prominently post an updated Privacy Statement on Engage. Where
required to do so by law, we may seek your prior consent to any material
changes we make to this Privacy Statement. If you disagree with our
Privacy Statement changes, you must discontinue using Engage.
Contact Us. If you have any questions or concerns
regarding this Privacy Statement or would like to exercise your privacy
rights, you may contact us by emailing
privacy@veeva.com or writing to
us at Alkotás út 50.B. tower, 4th floor, H - 1123, Budapest, Hungary if
you are in the EEA+, or 4280 Hacienda Drive, Pleasanton, CA 94588 if you
are outside the EEA+.
Jurisdiction-Specific Disclosures. In these
Jurisdiction-Specific Disclosures, we provide additional (i) information
related to rights individuals may have under the privacy laws of certain
jurisdictions; and (ii) disclosures required by the privacy laws of
certain jurisdictions.
- California. You may view a copy of our California
Consumer Privacy Act Privacy Policy here:
https://www.veeva.com/privacy/ccpa/.
- EEA+. If you are located in the EEA, UK or
Switzerland and use Engage, the following statements apply to you.
References to the GDPR are references to the General Data Protection
Regulation as it applies in the country where you are located. If you
are located in Switzerland, the provisions of the Swiss Federal Data
Protection Act apply to you. References to the GDPR below shall be
interpreted analogously for the purposes of applying the Swiss Federal
Data Protection Act.
- Who is the data controller? Veeva Systems Hungary
Kft., Alkotás út 50.B. tower, 4th floor, H - 1123, Budapest,
Hungary. The identity and contact details of our UK GDPR
representative are as follows: Tünde Sátorová. You can contact our
data protection officer at
privacy@veeva.com.
- What are our legal bases for processing your personal
data?
- When we process your personal data to provide you with Engage
or other information or services that you request from us, we
do so as necessary to perform a contract with you or take
steps at your request prior to entering into a contract.
- When we process your personal data to achieve the other
purposes set forth in this Privacy Statement, we do so as
necessary to realize our or others’ legitimate interests,
including enabling and supporting information exchanges,
communications and research collaborations between physicians
and life science companies in the interest of improving
medicine and healthcare and to generate interest for Veeva's
applications, services and business, unless those interests
are overridden by your interests or fundamental rights and
freedoms.
- In addition, we may ask for your consent to process your personal
data for a particular purpose and, if you provide it, we process
your personal data in accordance with your consent. You can
withdraw your consent at any time, without needing to give a
reason and free of charge, by emailing us at
privacy@veeva.com. We will
give effect to your withdrawal as of the time we receive it. The
withdrawal of your consent does not affect the lawfulness of
processing based on consent before its withdrawal. We will always
inform you about the specific purpose(s) for which we ask for your
consent.
- For how long do we store personal data? We store
your personal data for as long as is needed to fulfil the purposes
outlined in this Privacy Statement. When we have no ongoing
legitimate need to process personal data, we will delete it. When
the contract between you and us is terminated, we will retain your
personal data relevant to the concerned contract for 5 years, in
accordance with the statutory limitation period under Section 6:22
(1) of Act V of 2013 on the Civil Code of Hungary, unless the
processing of the data is necessary relating to the initiation,
enforcement or defense of any legal claims or the applicable law
prescribes a longer retention period.
- In what circumstances do we transfer personal data outside of
the EEA+?
We disclose personal data to our service providers in the U.S. and
Japan. The European Commission has determined Japan to provide
adequate data protection measures. We take measures to verify that
recipients in the U.S. provide an adequate level of data
protection, including by entering into appropriate data transfer
agreements based on Standard Contractual Clauses approved by the
European Commission or UK Government, as applicable, and
performing data protection assessments of data transfer
arrangements as appropriate. Data transfer agreements are
accessible upon request by contacting us at the details shown
further above.
- What rights do you have under the GDPR? Please
find information about GDPR rights and how we respond to requests
to exercise them here:
https://www.veeva.com/privacy/ccpa/.