PRIVACY POLICY

Effective Date: October 31, 2019

This Privacy Policy describes the practices of ProCare Pharmacy, L.L.C. d/b/a Apothecary By Design, a CVS Health company (“CVS,” “we” or “us”) in connection with information collected through abdrx.com and other websites and mobile applications operated by us and from which you are accessing this Privacy Policy (the “Services”). By using the Services, you agree to the terms of this Privacy Policy. If you have any questions or concerns about this Privacy Policy, or about the way your information is collected and used, please call us toll-free at 1-800-237-2767. This Privacy Policy does not govern any other website, app or online service operated by CVS or any of its affiliates.

To the extent that information collected through the Services is patient information provided to obtain pharmacy services, this information is governed by the Apothecary By Design Notice of Privacy Practices and not this Privacy Policy. If you have questions about which policy applies to information you have provided, please do not hesitate to contact us, or call us toll-free at 1-800-237-2767.

We may change this Privacy Policy. The “Effective Date” legend at the top of this page indicates when this Privacy Policy was last revised. Any changes will become effective when we post the revised Privacy Policy on the Services. Your use of the Services following these changes means that you accept the revised Privacy Policy.

Who May Use the Services

The Services are not directed to minors. We do not knowingly collect personal information online from minors and instruct minors not to send us any information to or through the Services.

The Services are designed for users from, and are controlled and operated by us from, the United States. By using the Services, you consent to the transfer of your information to the United States, which may have different data protection rules than those of your country.

The Personal Information We Collect

We want you to understand how personal information you provide to us is collected and used. We collect and store your personal information when you provide it to us or to our service providers, such as in the following situations:

Transactions: We or our service providers collect personal information from you when you enter
into a transaction with us, such as when you refill a prescription or have your prescription order
delivered to your home.

Registration: We collect your personal information when you register on the Services.

Payment (Billing) Information: For all orders, we may ask for credit card, bank account, or other
information necessary to process a payment from you. For your prescription orders, we may collect
your prescription insurance information. We may also ask for your shipping or delivery information.

Storage: If you choose to create an online account, we will store payment, billing (including
prescription insurance) and shipping information as a convenience to you for future purchases, and
we will store information about your orders for order tracking and status retrieval purposes.

Contact Information: CVS collects personal information from users of the Services who are
interested in receiving information about our products or services, such as e-mail alerts, newsletters,
and other notifications.

Surveys: From time to time, CVS requests information from users via surveys on the Services.
Participation in these surveys is voluntary, and the information collected is used in accordance with
this Privacy Policy.

If you submit any personal information relating to other people in connection with the Services, you
represent that you have the authority to do so and to permit us to use the information in accordance
with this Privacy Policy.

We may combine the information collected from you through the Services with information we
receive from and about you from other online and offline sources, such as in our stores, and use the
combined information in accordance with this Privacy Policy. Our goal is to offer you content,
advertisements, products, and services that are most likely to appeal to you.

Use and Disclosure of Personal Information

We use your personal information to respond to your requests, such as to fulfill your order, contact
you with information about your order or prescriptions, send you email and app alerts, send you
newsletters, and to provide you with related customer service. We may also use your information to
send marketing communications and administrative information to you, including through the use of
push notifications in our apps.

We may use and disclose your personal information to provide and coordinate the treatment and
services you receive.

We may disclose your personal information to other third parties, such as pharmacies, doctors,
hospitals, and other health care providers to assist them in providing care to you or for your care
coordination. In some instances, uses and disclosures of your personal information for these
purposes may be made through a Health Information Exchange or similar shared medical record or
system.

We may use personal information to personalize your experience on the Services, including by
presenting products and offers tailored to you, and for our business purposes, such as data analysis,
audits, fraud monitoring and prevention, developing our Services and new products and services,
determining the effectiveness of our promotional campaigns, and operating and expanding our
business activities.

In the event that CVS or some or all of our business, assets or stock are sold or transferred
(including in connection with any bankruptcy or similar proceedings) or used as security, or to the
extent we engage in business negotiations with third parties, personal information may be
transferred to or shared with third parties as part of any such transaction or negotiation.

To the extent permitted by applicable law, we may provide personal information to our affiliated
businesses or to our business partners, who may use it to send you marketing and other
communications.

We may disclose personal information to our service providers, who provide services such as
website hosting, data analysis, payment processing, order fulfilment, information technology and
related infrastructure provision, customer service, email delivery, auditing, and other services.

If you add a payment card to a mobile application operated by us, we will share information you
provide about your card with our service providers and/or your card issuer to facilitate providing the
Services to you.

If we are requested by law enforcement officials or judicial authorities to provide personal
information, we may do so. In matters involving claims of personal or public safety or in litigation
where the information is pertinent (including to allow us to pursue available remedies or limit the
damages that we may sustain), we may use or disclose personal information, including without court
process. We may also use or disclose personal information to enforce our terms and conditions, to
protect our operations or those of any of our affiliates, or to protect our rights, privacy, safety or
property and/or that of our affiliates, you, or others.

We may use and disclose personal information to investigate security breaches or otherwise
cooperate with authorities pursuant to a legal matter.

We may use and disclose information that does not personally identify you (including the information
described under “Cookies and Other Technologies,” below) for any purpose, except to the extent
limited by applicable law. If we are required to treat such information as personal information under
applicable law, then we may use it for all the purposes for which we use and disclose personal
information.

We may combine information that does not personally identify you with personal information. If we
do, we will treat the combined information as personal information as long as it is combined.

Social Media

We may use and disclose your personal information to facilitate social media sharing functionality
that you initiate. If you choose to connect your social media account (e.g., Facebook, Twitter,
Pinterest) with your Services account or otherwise engage in social sharing on the Services, your
personal information may be shared with your friends, contacts or others associated with your social
media account, with other Services users, and with your social media account provider. By
connecting your Services account and your social media account or contacting us via social media,
you authorize us to share information with your social media account provider, and you understand
that the use of the information we share will be governed by the social media site’s privacy policy.

For example, if you utilize a social media feature such as the Facebook “Like” button, Google Plus,
Pinterest or a Twitter widget, these features may collect information about your IP address and
which page you’re visiting on our site, and they may set a cookie or employ other tracking
technologies. Social media features and widgets are either hosted by a third party or hosted directly
on our site. Your interactions with those features are governed by the privacy policies of the
companies that provide them.

We may display targeted ads to you through social media platforms. These ads are sent to groups of
people who share traits, such as where they live or have expressed an interest in shopping for
cosmetics on our mobile site. We do not share any of your personally identifiable information,
including your shopping history or health information, with social media platforms. See the policies of
each social media platform for additional information about these types of ads, including how to
manage your display settings for these ads.

Links

The Services may contain links to, or otherwise make available, third-party websites, services, or
other resources not operated by us or on our behalf (“Third Party Services”). These links are
provided as a convenience only and do not constitute an affiliation with, endorsement or sponsorship
of the Third Party Services. We recommend that you review the privacy policy of any third party to
whom you provide personal information online.

In addition, we are not responsible for the information collection, use, disclosure, or security policies
and practices of other organizations, such as Apple, Google, Microsoft, RIM, or any other app
developer, app provider, operating system provider, wireless service provider, or device
manufacturer.

Security

We seek to use reasonable physical, technical, and administrative safeguards to protect personal
information within our organization. Unfortunately, no data transmission or storage system can be
guaranteed to be 100% secure. If you have reason to believe that your interaction with us is not
secure, please immediately contact us in accordance with the “Contact Information” section below.

You are responsible for maintaining the confidentiality of your Services access information and
password and for restricting access to your device, and you agree to accept responsibility for all
activities that occur under your password.

Cookies and Other Technologies

Like many other websites and online services, we collect information about Services traffic and
usage patterns through the use of cookies, Web server logs, and other, similar technologies. We use
this information for various purposes, such as to ensure that the Services function properly, to
facilitate navigation, to personalize your experience, to understand use of the Services, to diagnose
problems, to measure the success of our marketing campaigns, and to otherwise administer the
Services.

Cookies are small text files we transfer to your computer or other device. These small files help us to
personalize content on our pages and provide programs like e-coupons. Your browser software can
be set to reject or accept cookies. Instructions for resetting the browser are available in the Help
section of most browsers.

Our use of cookies also allows us to collect and retain certain information about a website user, such
as the type of Web browser used by our customer. Reviewing our Web server logs and our
customers’ use of our site helps us to, among other purposes, statistically monitor how many people
are using our site and for what purpose.

Your IP address is a number that is automatically assigned to the computer that you are using by
your Internet Service Provider. An IP address may be identified and logged automatically in our
server log files whenever a user accesses the Services, along with the time of the visit and the
page(s) that were visited. Collecting IP addresses is standard practice and is done automatically by
many websites, applications and other services. We use IP addresses for purposes such as
calculating usage levels of the Services, helping diagnose server problems, and administering the
Services.

We may use Adobe Flash Local Stored Objects (“LSOs”) and other technologies to, among other
things, collect and store information about your use of the Services. If you do not want Flash LSOs
stored on your computer, you can adjust the settings of your Flash player to block Flash LSO
storage using the tools contained in the Website Storage Settings Panel. You can also control Flash
LSOs by going to the Global Storage Settings Panel and following the instructions (which may
include instructions that explain, for example, how to delete existing Flash LSOs (referred to
“information” on the Macromedia site), how to prevent Flash LSOs from being placed on your
computer without your being asked, and (for Flash Player 8 and later) how to block Flash LSOs that
are not being delivered by the operator of the page you are on at the time). Please note that setting
the Flash Player to restrict or limit acceptance of Flash LSOs may reduce or impede the functionality
of some Flash applications.

Tracking/Third-Party Advertisers

We may use third-party advertising companies to display advertisements regarding goods and
services that may be of interest to you when you access and use the Services, based on information
relating to your access to and use of the Services and other online services. To do so, these
companies may place or recognize a unique cookie on your browser (including through the use of
pixel tags). If you would like more information about this practice and to learn about your choices in
connection with it, please
visit https://www.networkadvertising.org/managing/opt_out.asp and https://www.aboutads.info/.

We do not respond to browser do-not-track signals.

We may use analytics providers that use cookies, pixel tags and other, similar technologies to collect
information about your use of the Services and your use of other websites or online services.

Physical Location

We and our service providers may collect the physical location of your device by, for example, using
satellite, cell phone tower, WiFi signals, beacons, Bluetooth, and near field communication protocols,
when you are in or near a CVS store. We may use your device’s physical location to provide you
with personalized location-based services and content, including for marketing purposes. We may
also use such information to understand traffic patterns in, near, and across our store locations. We
may share aggregated statistics derived from the location and other information we collect with
advertisers and other third parties. You may be permitted to allow or deny such collection of your
device’s location, such as through the settings on your mobile device and/or, to avoid the collection
of location by beacons, by disabling Bluetooth. If you choose to deny such collection, we and our
service providers may not be able to provide you with certain personalized services and content.

Fraudulent Sites, Spam & Phishing

Please be aware that there may be fraudulent websites that illegally use CVS logos, and other
aspects of the CVS brand. CVS is in no way associated with any fraudulent websites. These sites
may circulate their presence on the internet via spam email, or through fraudulent phishing practices.

These sites have not been authorized by CVS to use our name and we work aggressively to identify
their source and have them shut down. If you are in receipt of this type of spam email, to help protect
your privacy you should avoid replying to it or forwarding it to other people.

In addition to our official websites, CVS works with a number of third parties that host websites and
micro-sites that provide information and services to our customers. If you are concerned that a
website or an email may be fraudulent, please contact us by phone at 1-800-237-2767 with your
concerns.

Your Choices and Access

You can take yourself off our email list, by contacting CVS Specialty toll-free at 1-800-237-2767. You
may stop the receipt of push notifications through your mobile device settings.

You can request the removal or modification of the personal information you have provided to us by
contacting CVS Specialty toll-free at 1-800-237-2767. For your protection, we may only implement
requests with respect to the personal information associated with the particular email address that
you use to send us your request, and we may need to verify your identity and obtain information on
the context in which you provided your personal information before implementing your request. We
will try to accommodate your request as soon as reasonably practicable.

Please note that we may need to retain certain information for recordkeeping purposes and/or to
complete any transactions that you began prior to requesting such change or deletion. There may
also be residual information that will remain within our databases and other records, which will not
be removed.

Your California Privacy Rights

If you are our customer and a California resident, you may request that we provide you with certain
information about the entities with which we have shared our customers’ personal information for
direct marketing purposes during the preceding calendar year. To do so, please write to us
at privacy.officer@cvshealth.com.

Your Responsibility

By establishing an abdrx.com account, you agree that it is your responsibility to:
 Authorize, monitor, and control access to and use of your abdrx.com account, User ID and
password.
 Promptly inform us of any need to deactivate a password or an account by calling Customer
Care at 1-800-237-2767.

Contact Information

If you have any questions or concerns about this statement, or about the way your information is
collected and used, please call us toll-free at 1-800-237-2767.

If you have any questions about the content of this Privacy Policy, please contact the CVS Health
Corporation Privacy Office at the following address:

CVS Health Corporation
One CVS Drive
Woonsocket, RI 02895
(866) 443-0933

Date. This Notice is effective as of October 31, 2019.