Data we collect and how we use it

Updated September 2023

Information we collect online

1. Information you may provide to us online
When you visit our websites or contact us through a method provided on our websites, you may provide us with personal information, including (i) identifiers such as your name, postal address, email address or phone number, or (ii) other information you voluntarily provide to us, for example, when you complete the “Contact Us” form. Certain information we collect may constitute Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as name, address, telephone number, education, employment, employment history, or characteristics of protected classifications such as race or ethnicity data. We collect education, employment, and race and ethnicity information when you apply for a position through our Careers page and voluntarily provide such information.

We use this information to respond to emails and other inquiries, to help improve our websites and our services, to send updates or notices about Exelixis or our websites that we think may be of interest to you, and, in the case of education, employment and race and ethnicity information and other information submitted as part of an employment application, to process your application for employment and for equal employment purposes. We may also combine the personal information you provide with other generally or publicly available information to help us identify visitors’ preferences or interests, to improve our websites and our services or to process employment applications.

We will process information you voluntarily provide in free text forms such as our “Contact Us” feature. Although we do not solicit information concerning your health, we cannot prevent you from providing such information. If submitted, we use any such voluntary information to respond to you, including to answer your inquiries or as otherwise consistent with this Statement.

Additionally, we may also obtain certain information described in the “Information We Collect Offline” section below through our websites if you voluntarily submit it to us online, such as by sending it through our “Contact Us” form.

2. Information we may collect automatically online
When you visit our websites, we may automatically collect certain information that includes: (i) identifiers, including Internet Protocol (“IP”) addresses and other unique identifiers used online; and (ii) internet or other electronic network activity, including operating system, device details, usage details such as the date and times a website is accessed, referring URL, webpages viewed, and links clicked. We may also approximate your geographic region and Internet Service Provider based on your IP address. Certain internet or other network activity may constitute personal information if it is reasonably capable of being associated with you. This information may be collected by us or on our behalf through our service providers or other third parties using a number of technologies, including cookies, web beacons, and other tracking technologies, which are described further below.

We use this information for purposes including improving our website and services, such as by diagnosing problems with our servers, reporting aggregated information, determining the fastest route for your computer to use in connecting to our websites, tailoring website functionality for certain geographies, and otherwise administering and improving the websites. We may also use this information to better understand our audience and personalize our website, services, or advertisements.

Information we collect offline or by email

In addition to our collection of personal information online, we also collect personal information offline or by email in various circumstances, as described below. As discussed below, this information is typically collected during our provision of services to you and our business partners.

3. Information we may collect when you contact us by email, phone, fax, mail or in person
We may obtain certain information either directly from you or from your healthcare provider (“Provider”) by email, phone, fax, mail, or in person. We use such information to provide you and our business partners with our products and services, to answer medical inquiries, administer our medical information activities, manage and plan our business operations, and improve our services.

The information we collect by phone, fax, mail, or in person may include: (i) identifiers, such as your name, postal address, email address and phone number; (ii) medical information, including prescription number, dosage, and health conditions or diagnoses; and (iii) other information you may voluntarily provide to us.

4. Information we collect from Providers
We collect information relating to individual Providers that we receive during the course of our business operations, such as through administering our medical information activities. This information may include identifiers, such as name, postal address, email address, phone number, and occupational details, including NPI physician ID number or similar identifiers, as well as other information Providers voluntarily provide to us. We use such information to answer medical inquiries, manage and plan our business operations, and improve our services.

5. De-identified information we collect from third parties
We obtain de-identified information relating to healthcare and prescription drug transactions from third parties, such as our service providers, specialty pharmacies, and healthcare data providers. This information may include: (i) medical information, including medical condition, treatment history, and prescription information such as dosage; (ii) health insurance-related information; and (iii) demographic information, including income level, year of birth, gender, postal code, and state of residence. In some cases, we may direct specialty pharmacies, hubs and other third parties to share identifiable personal information with our service providers through legally compliant means such as pursuant to a business associate agreement where required. Such information may include identifiers, health information, and Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). Our service providers may then de-identify such information to provide services to us, as described below.

We use this information to forecast market demands, analyze market trends, understand product usage and other patterns for marketing purposes, track prescription drug distribution, improve the services we offer, and manage and plan our business operations. However, when available to Exelixis, this information is provided to us in a form that is not reasonably capable of being associated with, or reasonably linked to, a particular individual, and we do not attempt to identify any individuals using this information. We contractually obligate any service provider to de-identify personal information on our behalf and to maintain processes to ensure such information is not re-identified.

6. Information we collect when you visit our facilities
We may collect certain information from you if you visit our facilities, such as our offices. You generally provide this information when you first arrive at our facilities, which includes identifiers such as your name and email address. In light of the COVID-19 pandemic, we may request health information, such as your vaccination status, or conduct medical screening prior to your admittance to our facilities in order to protect the health and welfare of our employees, contractors and others. Additionally, we use security cameras in our facilities and may collect visual information (namely, your image) and biometric information such as facial geometry if your image is captured by one of our security cameras. We use this information to protect the security and safety of our staff and visitors, and to maintain the security and confidentiality of our facilities, systems, and other information.

7. Information we collect through adverse event and safety reporting
We are required by law to collect certain adverse event and safety information regarding our products and services. Where such information concerns individuals, such as patients or clinical subjects, we require such information to be de-identified; however, in certain limited circumstances, a Provider or other third parties may inadvertently provide us with identifiable personal information. If received, such personal information may include identifiers, such as your name, postal address, email address, phone number, insurance or other patient ID number and date of birth, and medical information, such as diagnosis and health status, therapy and treatment history, and prescription information such as dosage. We have adopted procedures to protect such personal information and taken steps to limit access only to those who require such access to accomplish our legitimate business purposes described below or to otherwise comply with local, state, or federal law, regulations or other requirements. We use this data to comply with legal requirements and to improve and monitor the safety of our products, drug candidates, and services.

Sensitive personal information

Certain information we collect may be considered Sensitive Personal Information under applicable privacy laws including the California Consumer Privacy Act of 2018, codified at Title 1.81.5 of Part 4 of Division 3 of the California Civil Code, as amended by the California Privacy Rights Act of 2020 effective January 1, 2023. The Sensitive Information Exelixis collects (or instructs its service providers to collect on its behalf) includes:

  • Information concerning a person’s health
  • Race and ethnicity information, for equal employment purposes

Exelixis does not use Sensitive Personal Information to infer characteristics about data subjects; however, we may, in some circumstances, instruct our service providers to de-identify personal information, including Sensitive Personal Information, that may then be used for purposes such as analyzing trends and building profiles.

Business or commercial purposes

We collect and process personal information for the purposes described in the sections above, to comply with applicable laws, to communicate with you, and for our other legitimate business interests. These additional purposes include:

  • to respond to inquiries from you or to otherwise perform services or to engage with your requests;
  • to send you notices or updates we think may be of interest to you;
  • to operate, maintain and improve our services, including our websites, such as diagnosing and debugging issues, or auditing site visits and conducting analytics;
  • to understand how our services and websites are used in order to customize our services and activities;
  • for marketing and advertising;
  • to fulfill other legitimate business interests, including to meet our contractual obligations and support our internal business operations;
  • to process job applications submitted through our online Careers page;
  • to detect security risks, protect against malicious or illegal activity, and to investigate and pursue those responsible for such activity; and
  • to comply with law or regulatory obligations or in response to law enforcement requests.
