Effective Date: January 1, 2023

This Privacy Policy talks about how CVS Pharmacy, Inc. and its subsidiaries and affiliates which provide services in person at our stores or through CVS.com® ("CVS," "we" or "us") may collect information about you, including through your interactions with us:

• In our stores

• On our websites

• On our mobile applications

We refer to these collectively as the "Commercial Services" and our websites and mobile applications as the “Online Services.”

If you are a California consumer, for more information about your privacy rights, please see the section of this Privacy Policy called “Your California privacy rights.”

If you are a Virginia resident, for more information about your privacy rights, please see the section of this Privacy Policy called “Your Virginia privacy rights.”

As you likely know, CVS Health® offers many healthcare services in addition to the Commercial Services, such as pharmacy, medical, and health plan services. If you are looking for information about how CVS Health collects and uses information for any healthcare services other than the Commercial Services, you should review the privacy policy provided for those services. To make it easier for you to find, here are some other CVS Health privacy policies:

• To the extent that patient information is provided to obtain pharmacy or medical services, that information is governed by the CVS Pharmacy Notice of Privacy Practices, CVS Healthcare Practices® Notice of Privacy Practices, or the MinuteClinic® Notice of Privacy Practices and not this Privacy Policy.

• To the extent that information is provided to obtain services from Aetna®, that information is governed by Aetna’s privacy policies, available in Aetna’s Privacy Center.

• To the extent that information is provided to obtain services from CVS Caremark®, that information is governed by the CVS Caremark Privacy Policy.

If you have any questions or concerns about this Privacy Policy, how we collect and use your personal information, or questions about which policy applies to information you have provided, please do not hesitate to Contact Us, or call us toll-free at 1-888-607-4287.

We may change this Privacy Policy. The "Effective Date” at the top of this page shows when it was last revised. Any changes take effect when we post the revised Privacy Policy on the Commercial Services.

Our Online Services are designed for a general audience and are not directed to persons under the age of 16. We do not knowingly collect personal information online from any person we know to be under the age of 16.

We designed our Online Services for users from the United States and we control and operate the Online Services from the United States.

We want you to know how we collect and use your personal information. Some examples of the personal information we may collect about you include:

• Contact information including your name, mailing address, email address, and telephone number

• Your password, if you create an account

• Demographic information such as your age and date of birth, sex and/or gender

• Language preferences

• Enrollment in programs such as e-receipt or ExtraCare®, your use of coupons or other offers

• Transaction information such as purchase history, returns, or exchanges

• Use of certain store services such as if you arrange to pick up your retail order outside a CVS store, or have your order delivered to your home

• Your interactions with our websites or mobile sites, mobile apps, Wi-Fi and other online services, such as how you use our Online Services including search terms, pages you visit on CVS.com and our mobile applications

• Information about the apps, browsers and devices you use to access our Online Services including your computer’s IP address and/or mobile device information (e.g., device model, operating system version, unique device identifiers, mobile network information)

• Views and interactions with emails, communications, content and ads

• Payment card information

• Driver’s license number or other government issued identification information

• Geolocation information and in-store location

• Inferences about you, such as household income level and marital status

• Your social media account information if you share it with us

• Images you provide to us (e.g., when you upload photos) or that are viewed or recorded on an in-store security camera

• Health information you provide us based on your participation with certain programs

• Biometric information which may include voice recognition or records of calls to or from our customer service centers

• Professional or employment-related information, such as whether you are a CVS Health colleague

• Other information you provide to us

We may also combine information that does not personally identify you with personal information. If we do, we will treat the combined information as personal information for as long as it stays combined. Please note that personal information collected as described in this Privacy Policy may be used and disclosed in a de-identified format. Personal information is no longer within the scope of this Privacy Policy once it has been de-identified. Unless you take some action you take to re-identify your de-identified information, we will not attempt to re-identify this information so that it may be associated with you.

We collect the personal information described above from the following sources.

• Directly from you. We collect personal information directly from you when you interact with us through our Commercial Services and automatically when you visit our websites and mobile applications.

• From subsidiaries and affiliates. We collect personal information from our subsidiaries and affiliates you interact with as permitted by applicable law.

• Publicly available information and other sources. We may collect information about you from both publicly available and other third-party sources to enhance and improve the accuracy of our information about you. We may combine the information we collect from you through the Commercial Services with information we get from and about you from other online and offline sources. We may use the combined information in accordance with this Privacy Policy.

We use your personal information to provide you with the Commercial Services and products you purchase from us as well as to provide customer service to you. Additionally, we may use the personal information we collect about you for the purposes listed below.

• To communicate with you. We use your personal information to respond to your requests and otherwise communicate with you about your orders or accounts. For instance, we may use your personal information to fulfill your order, contact you with information about your order, send you email alerts, send you newsletters, and to provide you with related customer service. We may use your personal information to send marketing communications and administrative information. This may include push notifications in our mobile applications.

• To manage orders and subscriptions. We use personal information to manage orders, billing, and improve reorder experiences. We also use personal information to manage subscription services.

• To enhance your experience. We may use your personal information to personalize your experience shopping and interacting with us. We may present products and offers tailored to your interests. We may also use personal information to offer other products and services that may interest you including those that we recommend from third parties through the CVS media company, CMX.

• For our internal business purposes. We may use your personal information for our internal business purposes, such as training, data analysis, audits, fraud monitoring and prevention. We may also use it for developing our Commercial Services and new product and services, to assess the effectiveness of our campaigns, and to operate and expand our business activities.

• To administer our customer loyalty program. As further described below in Section 12, we use personal information to administer our loyalty and membership programs, including CVS ExtraCare and CarePass.

• Business transfers. To consider and implement mergers, acquisitions, reorganizations, and other business transactions, and where necessary to the administration of our general business, accounting, recordkeeping, and legal functions.

• To protect our legal rights and preventing misuse. To protect the Commercial Services and our business operations; to prevent and detect fraud, unauthorized activities and access, and other misuse; where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our terms and conditions or this Privacy Policy.

• Other permissible uses. We also may use personal information in other ways, for which we provide specific notice at the time of collection.

We may disclose personal information with the following parties:

• Vendors. We may disclose Personal Information we collect to our service providers or agents who perform functions on our behalf. These may include, for example, IT service providers, help desk, payment processors, analytics providers, consultants, auditors, and legal counsel.

• Subsidiaries and affiliates. We may disclose personal information we collect to our subsidiaries or affiliates.

• Third-party ad networks and providers. We may disclose personal information to third-party ad network providers, sponsors and/or traffic measurement services. These third parties may use cookies, JavaScript, web beacons (including clear GIFs), and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content to you. These third-party cookies and other technologies are governed by each third party's specific privacy policy, not this one.

• Our marketplace retailers. We will sometimes enable other businesses to make their products available on our Online Services, such as through CVS.com. When you purchase these products or services, we disclose personal information related to your purchase of their products.

• Government or public authorities. We may disclose personal information to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or governmental request, (b) to enforce our agreements, policies, and terms of service, (c) to protect the security or integrity of our Commercial Services, (d) to protect the property, rights, and safety of CVS, our users, or the public from harm or illegal activities, (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person, or (f) to investigate and defend ourselves against any third-party claims or allegations.

We may disclose personal information for the following purposes:

• To provide information to our service providers and contractors. We may disclose personal information to our service providers. They provide services such as website hosting, data analysis, payment processing, order fulfillment, information technology and infrastructure, customer service, email delivery, auditing and other services.

• In connection with a sale or transfer of business assets. We may disclose or transfer your personal information to other parties if some or all of our business, assets or stock are sold, transferred or used as security. This includes in connection with any bankruptcy or similar proceeding.

• To respond to law enforcement officials or enforce our rights. We may disclose your personal information if required to do so by law enforcement officials or other government authorities. We disclose personal information in matters involving claims of personal or public safety, or in litigation. This may include disclosure of your personal information to allow us to pursue remedies or to limit the damages we may sustain. We may also use or disclose your information to enforce our terms and conditions, to protect our operations or those of any of our affiliates, to prevent misuse of our Commercial Services, or to protect our rights, privacy, safety or property and/or that of our affiliates, you or others.

• To maintain and enhance the safety and security of our Commercial Services. We may disclose personal information to detect, prevent and address issues involving our Commercial Services, including security breaches.

The Services may contain links to, or make available, third-party websites, services, features or other resources not run by us or on our behalf (the “Third-Party Services.”) We make these Third-Party Services available as a convenience to you and are not affiliated with, endorsing or sponsoring the Third-Party Services.

Any information you give to such third parties is not subject to the terms of this Privacy Policy. We are not responsible for the privacy or security of the information you give to Third-Party Services or how they handle your information. We also are not responsible for the information collection, use, sharing or security practices of Third-Party Services. You should review the privacy policy of any Third-Party Service to whom you give information in connection with the Commercial Services.

Our Online Services include certain social media features such as our Facebook and Twitter accounts or widgets on our Online Services. If you engage with the Commercial Services using a social media platform your friends and connections and others who use our Commercial Services may also see it, as might your social media account provider. The social media provider’s privacy policy governs the use of the information you share on or through the social media platform.

We use reasonable physical, technical and administrative safeguards. Please be aware that despite our efforts, no data security measures can guarantee security. You should take steps to ensure your personal information is protected like using passwords that would be difficult to guess, not using the same password for multiple accounts and periodically changing your password.

What are cookies? Cookies are small computer files we transfer to your computer’s hard drive. These are usually small text files. They help us personalize content for you on our pages and provide programs like e-coupons. You can set your browser to accept or reject cookies. Instructions for resetting the browser are in the Help section of most browsers.

How we use cookies. Like many other websites and online services, we collect traffic and usage patterns. We use cookies, Web server logs and similar technologies to do this.

We use this information for various purposes:

• To ensure that the Online Services function properly

• To help with navigation (or how you find your way around the site)

• To personalize your experience

• To understand use of the Online Services

• To diagnose problems

• To measure the success of our marketing campaigns and targeted ads

• To otherwise administer the Online Services

We also use cookies to collect and receive certain information about a website user, such as the type of web browser used, Internet service provider (“ISP”), referring/exit pages, operating system, date/time stamp, clickstream data, device platform, device version, and/or other device characteristics including your choice of settings such as Wi-Fi, Bluetooth, and Global Positioning System ("GPS"), CPU ID and type, build, model, manufacturer, operating system version, screen size, screen resolution, mobile network status, device locale, and carrier ID. We review our web server logs and our customers’ use of our site. This helps us to gather statistics on how many people are using our site and why.

Internet providers assign your device an IP address number. We may identify and log your IP address automatically in our Web server log files when you use our Online Services. We may also collect the time of your visit and the pages you look at. We use IP addresses to do things like gauge usage levels of the Online Services, help find server problems, and administer the Commercial Services.

Our Online Services use tracking technologies to collect and record your activities and movements across our websites throughout your browsing session, including page hits, mouse movements, scrolling, typing, out-of-the-box errors and events, and API calls (“Session Data”). We use this information to (1) remember your information so you do not have to re-enter it, (2) track and understand how you use and interact with the Online Services, (3) perform analytics, (4) tailor the Online Services around your preferences; (5) measure the usability of the Online Services and the effectiveness of our communications; and (6) improve our products, services, and your experience. Such tracking may also include recorded sessions, which we may play back for these purposes. We may share Session Data with our vendors (which may change over time) for these purposes.

Like many companies, CVS participates in interest-based advertising. We may use or partner with third-party companies, including social media and third-party advertising companies tailored to your individual interests based on how you browse and shop online. Doing so helps us to measure services and display targeted ads when you access and use the Online Services.

These are ads about goods and services we feel may interest you based on your access to and your use of our Commercial Services and other online services. To do so, these companies may place or recognize a unique cookie on your browser. These third parties may also use pixel tags, web beacons and other storage technologies to collect or receive information about your online activities over time and across our website and elsewhere on the Internet.

We may also use analytics providers that use cookies, pixel tags, web beacons and other similar technologies. They may collect or receive data about your use of our Commercial Services and other websites or online services. These analytics services (like Adobe Analytics or Google Analytics) provide services that analyze information regarding visits to our Online Services.

To learn more about Adobe Analytics privacy practices, click https://www.adobe.com/privacy.html.

To learn more about how Google uses your data from our sites and how you can control the information collected by Google, click https://policies.google.com/technologies/partner-sites.

At any time, you may opt out of the collection and use of information for ad targeting. For more information, and to exercise your right to opt out, you may use various consumer choice tools created under self-regulation programs. For instance:

• NetworkAdvertising.org/managing/opt_out.asp

• AboutAds.info/

• Digitaladvertisingalliance.org

Even if you opt out of receiving targeted ads, you may still see or get other types of online ads.

Lastly, you may manage cookies in your web browser. You can set your browser to accept or reject cookies, which you can learn more about in the Help section of most browsers.

Do-Not-Track. Our websites are not designed to respond to “do-not-track” signals received from browsers.

You can take yourself off our email list for promotional offers at any time. Just update your Email Communications preference in your Account Profile. Start in the My Account section or follow the instructions in the email. If you opt out of getting promotional emails from us, we may still send you important administrative messages. You cannot opt out of these messages.

You may stop push notices through your mobile device settings. You may be able to allow or deny us to collect your device’s location by using the settings on your mobile device, and/or to avoid the collection of location by beacons by disabling Bluetooth on your mobile device. If you deny such collection, we and our service providers may not be able to offer you certain personalized services and content.

You can stop all further collection of information by a CVS mobile app. All you need to do is uninstall it.

If you uninstall the mobile app from your device, the CVS unique identifier associated with your install and/or device may continue to be stored. If you re-install the app on the same device, we might be able to link this identifier to your past activities.

If you are a minor, you may remove or request removal of any content or information you post on our site. To request removal of content or information you have posted to our site, please Contact Us. Removal or requests for removal of content or information that has been posted to our website does not ensure complete or comprehensive removal.

If you have any questions or concerns about the way we collect and use your information, Contact Us. Or call us toll-free at 1-888-607-4287.

If you have any other questions about the content of this Privacy Policy contact the CVS Health Privacy Office at the address below.

CVS Pharmacy

Attn: Privacy Office

1 CVS Drive

Woonsocket, R.I. 02895

Last Updated: January 1, 2023

This section supplements the CVS Pharmacy Privacy Policy and applies solely to California residents about whom we have collected personal information from any source, including through the use of our website(s), mobile applications or other online services, by buying our products or services, or by communicating with us electronically, in paper correspondence, or in person (collectively, "you"). Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the “CCPA”), California residents have the right to receive certain disclosures regarding our information practices related to “personal information,” as defined under the CCPA.

This section does not apply to CVS personnel or job applicants. The terms used in this section have the same meaning given to them in the CCPA.

We may collect (and may have collected during the 12-month period prior to the effective date of this section) the following categories of personal information (as enumerated in the CCPA) about you. For more information about the personal information we collect, please see Section 2 above.

• Identifiers, which may include your name, mailing address, email address, telephone number, and government-issued ID numbers.

• Commercial information, which may include purchase history, returns, exchanges, and enrollment in programs (e.g., ExtraCare).

• Biometric information, which may include voice recognition information, facial scans, and/or other similar biometric identifiers.

• Information relating to Internet activity or other electronic network activity, which may include your interactions with our websites or mobile sites, mobile apps, Wi-Fi, emails, communications, content and ads.

• Geolocation data, which may include Global Positioning System ("GPS") data or in-store location.

• Audio, electronic or visual information, which may include images you provide to us (e.g., when you upload photos) or that are viewed or recorded on an in-store security camera.

• Professional or employment-related information, such as whether you are a CVS Health colleague

• Inferences about you, such as household income level and marital status.

• Information not listed above and related to characteristics protected under California or federal law, which may include demographic information such as your age or date of birth, gender and/or sex, language preferences.

• Other personal information not listed above and described in California Civil Code § 1798.80(e), which may include payment card information and other financial or health information and other information you provide to us.

We may also collect (and may have collected during the 12-month period prior to the effective date of this section) the following categories of sensitive personal information about you:

• Government identification, such as government issued identification.

• Account log-in information, which may include your account username and password, if you make an account with us.

• Precise geolocation data, if you choose to share with us, to identify the Commercial Services nearest or most applicable to you.

• Information concerning your health, if you choose to share with us, which may include your interactions with our Pharmacy or information made available via connected health devices (e.g., smart watches, health apps).

• Information concerning your sex life, such as your purchases of sexual health products using the Commercial Services.

We retain personal information only as long as necessary and in alignment with our data retention schedules. Information may be retained to comply with applicable law, adhere to contractual requirements, in anticipation of litigation or a legal matter, or as otherwise necessary and proportionate to provide you with a product or service.

We may use (and may have used during the 12-month period prior to the effective date of this section) your personal information for the purposes described above in Section 4 of our Privacy Policy and for the following business and commercial purposes specified in the CCPA:

• Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytics services, or providing similar services

• Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance

• Short-term, transient use, including, but not limited to, the contextual customization of ads shown as part of the same interaction

• Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity

• Debugging to identify and repair errors that impair existing intended functionality

• Undertaking internal research for technological development and demonstration

• Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us

We may collect (and during the 12-month period prior to the effective date of this section, may have collected) personal information about you from these sources:

• Directly from you or your device, including via purchasing goods and services in our stores, your use of our websites and mobile applications, and your communications with us, including by telephone, text message, postal mail, social media, forums, message boards, chatbots, or other means

• Our subsidiaries and affiliates

• Our service providers, including but not limited to, marketing/customer relationship management providers, technology/website hosting providers, analytics providers, and systems administrators/security and fraud investigations providers

• Advertising networks and social media networks

• Government entities, regulators and law enforcement

• Third parties, including companies that collect and sell publicly available information, or business partners that collect information and provide it to us according to their privacy policies and terms of service

We do not sell your personal information to third parties in exchange for monetary consideration.

As with other companies that conduct digital marketing, we do share a limited set of personal information identified in the table above with certain third parties (such as online advertising services and social media networks). We may allow these third parties to collect your personal information, such as online activity, via automated technologies (such as cookies and pixels) on our websites and mobile applications in exchange for non-monetary consideration. We and these third parties may gather this data when you visit or use our websites, mobile applications and other web-based services. We may make this personal information, including inference information, available to third parties for online advertising purposes (e.g., to tailor digital ads about our products and services) and to provide third-party social network features and functionality on our website and mobile applications. We may also share this personal information to enhance our ability to communicate with you and provide you with promotional information. To the extent these activities are considered “sharing” or a “sale” under the CCPA's broad definitions of those terms, you have the right to opt out of this disclosure of your information. You can read more about opting out in Section G, below.

We do not knowingly sell the personal information of minors under 16 years of age.

If you are a California resident and we collect, use, or disclose personal information subject to CCPA, you may have the following rights under the CCPA with respect to your personal information.

• Right to know/access. : With respect to the personal information we have collected about you in the prior 12 months, you have the right to request from us (up to twice per year and subject to certain exemptions): (i) categories of personal information about you we have collected; (ii) the sources from which we have collected that personal information; (iii) our business or commercial purposes for collecting, selling, or disclosing that personal information; (iv) the categories of third parties to whom we have disclosed that personal information; and (v) a copy of the specific pieces of your personal information we have collected.

• Right to delete. Subject to certain conditions and exceptions, you may have the right to ask us to delete certain personal information we have collected from you.

• Right to correction. You may have the right to ask us to correct inaccuracies in the personal information we have collected.

• Right to opt out of sale/sharing. You have the right to opt out of the sale of your personal information by us. You will find our Notice of Right to Opt-Out here.

• Right to non-discrimination. We will not discriminate against you if you exercise any of these privacy rights.

If you are a California consumer and wish to exercise these rights, you can reach us in one of the ways shown below.

Right to Know / Delete / Correct:

• ExtraCare account only interactive webform; or

• CVS.com account password-protected web portal (includes ExtraCare, if linked): Sign in here

• 1-800-SHOP-CVS (1-800-746-7287)

See Section J for instructions on how to opt-out of sale or sharing.

You may also give someone else permission to exercise these rights for you. To submit a request as an authorized agent on behalf of a consumer, write us at [email protected] or call us at 1-800-SHOP-CVS (1-800-746-7287). We will need proof showing you have asked someone else to make a request on your behalf, which may include a Power of Attorney form or other signed document. If we have information on your minor child, you may exercise these rights for them.

Before we fulfill a request, we must verify your identity and ability to exercise these rights. There are also some exclusions and exceptions that may apply. So that we can verify your identity, if you have a CVS.com account, you will need to first sign into your account. If you do not have a CVS.com account, you will be asked to give us certain personal information via webform or on the phone, as described above. If you do not have a CVS.com account and request access to, correction or deletion of your personal information, we may require you to provide any of the following information: ExtraCare number, full legal name, email address, and/or phone number. In addition, if you do not have a CVS.com account and you ask us to provide you with specific pieces of personal information, we may require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.

To learn more about this Privacy Policy, or if you have any questions or concerns, Contact Us.

As further described below, we may offer you special pricing or service differences in exchange for your enrollment in our ExtraCare programs, such as CVS Pharmacy & Health Rewards Program and CarePass®, which may be considered “financial incentive” programs under the CCPA.

We offer ExtraBucks and other exclusive incentives, including special pricing on certain products and brands, for individuals who are ExtraCare members. To offer these discounts to our ExtraCare members, we collect the following categories of personal information:

• Identifiers. We collect identifiers such as your contact information.

• Commercial information. We collect information such as your purchasing history.

• Information concerning your health. We collect information such as your searches and purchases of healthcare products (e.g., diabetic supplies, pain relievers).

We may receive funding from manufacturers to offer special pricing on their products or to cover the administrative costs of sending marketing communications (e.g., direct mail, email messages) to ExtraCare members. These funding sources and amounts depend on our ability to communicate with a certain number or population of customers who are ExtraCare members. To offer these special prices, we may collect the following categories of personal information:

• Identifiers. We collect identifiers such as your contact information.

• Commercial information. We collect information such as your purchasing history.

• Inferences. We collect information such as household income and marital status.

• Information relating to Internet activity or other electronic network activity. We collect information such as your interactions with our websites or mobile sites, mobile apps, Wi-Fi, emails, communications, content and ads.

Participants in our Pharmacy & Health Rewards Program may receive additional ExtraBucks and participant-only incentives. The PHR Program rewards customers for completing certain health and pharmacy-related activities, such as filling a prescription or receiving an immunization. As part of this program, we may collect the following personal information:

• Identifiers. We collect identifiers such as your contact information.

• Information concerning your health. We collect information such as your interactions with our Pharmacy.

If you join our CarePass membership, we may offer additional ExtraBucks and members-only incentives by tracking additional data elements. As a CarePass member, you may have the opportunity to join a third-party partners’ program at a discount. If you choose to join a third-party partners’ program through your CarePass membership, you may receive additional ExtraBucks and members-only incentives in exchange for access and use of your information you provide to our partners as part of these third-party partners’ programs. As part of the CarePass program, including any third-party partners’ programs you link to your CarePass membership, we may collect the following personal information:

• Identifiers. We collect identifiers such as your contact information.

• Commercial information. We collect information such as your purchasing history.

• Information concerning your health. We may collect information such as your activity or weight made available via connected health devices (e.g., smart watches, health apps) that you link to your CarePass membership.

For more information about the CarePass Program, please see the full Terms and Conditions available here.

For participants in the aforementioned financial incentive programs, the value of the personal information you provide is reasonably related to the value of the financial incentives provided to you. The value of personal information will vary slightly for each member depending on several factors, including but not limited to your interactions and purchases with CVS, the administrative and technical expenses associated with maintaining the ExtraCare program (e.g., IT infrastructure, customer service, marketing strategy & planning), and the extent to which you take advantage of the program’s offerings and discounts (e.g., 2% ExtraBucks rewards for purchases).

To opt-in to these financial incentives, you must enroll in ExtraCare by visiting our website here.

You have the right to withdraw from the ExtraCare program at any time. To withdraw from the program, you must submit a request to delete your personal information from ExtraCare, as set forth in Section G above.

California residents have the right to opt out of sales and sharing of personal information. If you wish to opt out of our sharing of the limited data that is gathered when you visit our websites and other web-based services for purposes of targeted digital advertising as described in Section E, above, you may do so in one of the ways described below.

• Fill out this interactive webform

• Call us at 1-800-SHOP-CVS (1-800-746-7287)

The effectiveness of your opt-out request may be limited by our ability to associate the cookies and/or pixels that we may collect with your identity, browser, device and/or browsing session. As a result, your opt-out request will be more effective for future visits if you:

• Use the same device that was used to exercise the opt-out request

• Have not cleared cookies from your web browser

• Are not using a private mode in your web browser

• Provide the same personal information that you provided previously

We encourage you to re-submit opt-out requests from any other devices that you may be using to visit our websites, mobile applications and other web-based services. If you sign up and log in to your CVS.com account, we will be able to associate you more easily with your visits to our websites, mobile applications and other web-based services. This will also allow us to apply a more persistent opt-out request across devices, browsers and browsing sessions, subject to the above limitations.

You also have the right to opt-out of “sales” and “sharing” of your personal information, including through the use of an opt-out preference signal. If our website detects that your browser is transmitting an opt-out preference signal, such as the “global privacy control”—or GPC— signal, we will opt that browser out of cookies on our website that result in a “sale” or “sharing” of your personal information. Please note, if you come to our website from a different device or a different browser on the same device, you will need to opt out, or use an opt-out preference signal, for that browser and/or device as well.

To learn more about the consumer requests that CVS has processed in the past calendar year, click here.

If you are our customer and a California resident, you may ask us to provide you with (1) a list of certain categories of personal information we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year and (2) the identity of those third parties. To do so, write to us at [email protected].

Under the Virginia Consumer Data Protection Act (“VCDPA”), Virginia residents have the right to receive certain disclosures regarding a business’ processing of “personal data,” as defined under the VCDPA, as well as certain rights with respect to our processing of such personal data. To the extent you are a resident of Virginia and we collect, use or disclose personal data subject to the VCDPA, the following applies. For more information about the personal data we collect, use and disclose, please see Sections 2-4 above.

If you are a Virginia resident, you have the following rights under the VCDPA with respect to your personal data.

• Right to access. You have the right to confirm whether or not we are processing your personal data and to access such personal data.

• Right of portability. You may have the right to obtain a copy of the personal data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your personal data to another controller or business where the processing is carried out by automated means.

• Right to delete. You have the right to ask us to delete certain personal data we have collected about you.

• Right to correction. You have the right to ask us to correct inaccuracies in the personal data we have collected.

• Right to opt out of sale. Under the VCDPA, a “sale” includes disclosing or making available personal data to a third party in exchange for money. We do not “sell” personal data as defined by VCDPA.

• Right to opt out of targeted advertising. You have the right to opt out of targeted advertising based on your personal data. To opt out of targeted marketing, please see our Notice of Right to Opt-Out here. VCDPA provides the right to opt out of the processing of personal data for decisions that produce legal or similarly significant effects concerning you. We do not process personal data for such profiling.

If you are a Virginia resident and wish to exercise these rights, you can reach us in one of the ways shown below.

Right to Know / Delete / Correct:

• ExtraCare account only interactive webform; or

• CVS.com account password-protected web portal (includes ExtraCare, if linked): Sign in here

• 1-800-SHOP-CVS (1-800-746-7287)

See Section D for instructions on how to opt-out of targeted advertising.

If we refused to fulfill your request to exercise your privacy rights in Section A, you may appeal this decision by contacting us at [email protected]. We will respond to your request within 60 days of receipt of your appeal with an explanation about our decision to fulfill or refuse your request.

You may contact the Virginia Attorney General to file a complaint related to the denial of your request by contacting [email protected].

If you wish to opt out of processing of personal data that is gathered when you visit our websites and other web-based services for purposes of targeted digital advertising, you may do so in one of the ways described below.

• Fill out this interactive webform

• Call us at 1-800-SHOP-CVS (1-800-746-7287)

The effectiveness of your opt-out request may be limited by our ability to associate the cookies and/or pixels that we may collect with your identity, browser, device and/or browsing session. As a result, your opt-out request will be more effective for future visits if you:

• Use the same device that was used to exercise the opt-out request

• Have not cleared cookies from your web browser

• Are not using a private mode in your web browser

• Provide the same personal information that you provided previously

We encourage you to re-submit opt-out requests from any other devices that you may be using to visit our websites, mobile applications and other web-based services. If you sign up and log in to your CVS.com account, we will be able to associate you more easily with your visits to our websites, mobile applications and other web-based services. This will also allow us to apply a more persistent opt-out request across devices, browsers and browsing sessions, subject to the above limitations.