Privacy Notice

Information you give us, or we collect about you.

We may obtain some or all the following information when you contact us via our Sites or email, telephone, or otherwise through your interaction with us or use of our Sites:

• Name;
• Company affiliation;
• Email address;
• Telephone number;
• Fax number;
• Physical address;
• Whether you are (or are not) a healthcare professional and what your specialty is;
• Your photograph, social media handle or digital or electronic signature;
• Information that you choose to share with us on social media or other public forums, including our social media sites (e.g., Cushing’s Connection on Facebook or our page on LinkedIn);
• Publicly available information (such as comments describing support for and experience with Corcept products);
• Health and medical information (such as information you provide about a suspected or actual diagnosis, or information about a diagnosis received by a person you know), if support services are requested from our Patient Advocate Support program;
• Information contained in a medical information request submitted by you;
• Other information that may be required for you to use the Sites; and
• Information from third-parties such as industry and patient groups and associations.

Job applicants. Additionally, if you apply for a job via our Corcept.com Site, you may also provide us with the following information:

• Your current city and state of residency;
• Your referral source;
• Information regarding your prior employment;
• Your contact information;
• Your education;
• Your gender; and
• Your ethnicity.

This includes information provided in resumes, emails, and cover letters we receive electronically or are uploaded directly to the Site by you.

Technical Usage Information. When you visit the Sites, we collect the information sent to us by your computer, mobile phone, or other access device. This information includes:

• Your IP address;
• Device information including, but not limited to, identifier, name, and type of operating system;
• Internet service provider and mobile network information;
• Date and time of your visit;
• Time spent on our site;
• Standard web information, such as your browser type and the pages you access on our Sites; and
• Websites visited just before and just after our Sites (including any third-party websites that link to our Sites, if you followed a link to or from our Sites).

In order to be responsive to you and to maintain our relationship, as a matter of our legitimate interests, we may use your information to:

• Communicate with you;
• Identify our users;
• Administer and provide services for you;
• Optimize or improve the content, services, and features of the Sites;
• Enforce our Sites’ terms and conditions;
• If you have opted into marketing, communicate with you about products, services, promotions, events and other news and information we think will be of interest to you;
• Create anonymized and aggregated data sets that may be used for a variety of functions, including research, internal analysis, analytics, and other functions;
• Process your application for employment;
• Comply with any legal obligations or respond to legal proceedings; or
• Detect, investigate, and prevent activities that may violate our policies or be illegal.

In addition, we will use some or all the information described in this notice to comply with any applicable legal obligations.

To the extent you are located in the European Economic Area (EEA) / UK, where you have provided health information (see section “Special Categories of Data” below) or ethnicity information as described above, we will use this information for the above purposes on the basis of your explicit consent, which we will ask you to provide before providing any health or ethnicity information to us.

Technical Usage Information: we use technical usage information about you to:

• Personalize our Sites to ensure content from the Sites is presented in the most effective manner for you and your device;
• Monitor and analyze trends, usage activity in connection with our Sites and services to improve the Sites;
• Administer the Sites and for internal operations, to conduct troubleshooting, data analysis, testing, research, statistical and survey analysis;
• Keep the Sites safe and secure; and
• Measure and understand the effectiveness of the content we serve to you and others.

Special Categories of Data: for residents of the EEA / UK, with your consent, we will use your health-related information (i.e., special categories of personal data under the GDPR and UK GDPR) described in this Privacy Notice to:

• Register you for optional support via our Korlym Patient Advocate Support program on the Korlym.com Site;
• Register you to receive opt-in updates relating to hypercortisolism and other information on any of the Sites; or
• Respond to your submitted medical information requests or social media comments via any of the Sites.

Some internet browsers include the ability to transmit “Do Not Track” signals. Currently, our Sites do not respond to global privacy controls, including “Do Not Track” signals.

To the extent you are located in the EEA / UK, please note that the information that we collect from you may be stored/processed in the US. We will take all steps reasonably necessary to ensure that your personal information is treated securely and in accordance with this notice. We may share your information with the following categories of recipients:

• Corporate Affiliates, for a variety of purposes, including business, operational, and marketing purposes;
• Cloud storage providers, to store the personal information you provide and for disaster recovery services, as well as for the performance of any contract we enter with you;
• IT Service providers, which provide us with SaaS services we use to store our customer relationship management, emails and Site information;
• Advertisers and advertising networks, which, provided you have consented, require the data to select and serve relevant advertisements to you and others; and
• Background reference agencies, which, provided you have consented, collect your information for the purpose of performing background checks, as part of our hiring process.

To the extent you are located in the EEA / UK, and your personal information is transferred to the above recipients in the US or to any other country not deemed to provide an adequate level of protection by the European Commission or UK government, such information will be transferred pursuant to the European Commission’s model contracts for the transfer of personal information to third-countries (i.e., the standard contractual clauses). Please contact us at corcept.dpo@mydata-trust.info if you wish to examine the data transfer safeguards entered by us.

We will share your information with law enforcement agencies, public authorities or other organizations if legally required to do so, or if we have a good faith belief that such use is reasonably necessary to:

• Comply with a legal obligation, process or request;
• Enforce our terms and conditions for using our Sites and other agreements, including investigation of any potential violation thereof;
• Detect, prevent or otherwise address security, fraud or technical issues; or
• Protect the rights, property or safety of us, our users, a third-party or the public as required or permitted by law (exchange information, with other companies and organizations for the purposes of fraud protection and credit risk reduction).

We will also disclose your information to third-parties:

• If we sell any business or assets that requires the transfer of your information; or
• If we, or substantially all our assets, are acquired by a third-party, in which case information held by us about our users will be one of the transferred assets.

In the event any of the above situations apply, the buyer of our business or assets will be subject to the terms and conditions of this notice.

We may also provide third-parties with statistical information about our users (but those third-parties will not be able to identify any individual user from that information).

We will retain your information as follows:

• information provided by you in connection with a request for communication using one of the Sites will be kept for as long as necessary to fulfil your request, unless you unsubscribe from communication; and
• job applicant information for approximately 4 years for unsuccessful candidates, and for successful candidates, the duration of employment and approximately 4 years thereafter. For unsuccessful applicants from France, we will keep your information for six months.
• Effective January 1, 2022, California employers must preserve employee records for four years from a non-hire application and four years from an employee’s termination date.

We will also retain and use your information in identifiable form to the extent necessary to comply with our legal obligations, resolve disputes and enforce our terms and conditions, other applicable terms of service, and our policies. Following this period, we will store your information in an aggregated and anonymised format; we may use this information indefinitely without further notice to you.

All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third-parties.

We collect and use your personal information in compliance with applicable privacy and data protection regulations, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”)), the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, “ePrivacy”), The California Consumer Privacy Act (“CCPA”), The Californian Online Privacy Protection Act (“COPPA”) and any applicable law.

The California Consumer Privacy Act (“CCPA”) regulates how businesses handle “personal information” (as such term is defined in the CCPA) of California residents and gives California residents certain rights with respect to their personal information. If you are a resident of California, we are required to inform you of how we use and disclose your personal information and certain rights you may have under the CCPA.

In the chart below, we have described the categories of personal information that we have collected and shared over the past twelve (12) months, the purposes for such collection and the types of entities with whom we have shared such information.

Certain features of the Sites permit you to initiate interactions between the Site and third-party services or platforms, such as social networks (“Social Features”). Social Features include features that allow you to click and access Corcept’s pages on certain third-party platforms, such as Facebook and Twitter, and from there to “like” or “share” our content on those platforms. Use of Social Features may entail a third-party’s collection and/or use of your data. If you use Social Features or similar third-party services, information you post or otherwise make accessible may be publicly displayed by the third-party service you are using. Both Corcept and the third-party may have access to information about you and your use of both the Site and the third-party service. See below for more information on third-party websites and links.

Our Site may contain links to other online platforms operated by third-parties. We do not control such other online platforms and are not responsible for their content, their privacy policies, or their use of your information. Information you provide on public or semi-public venues, including information you share on third-party social networking platforms (such as Facebook or Twitter) may also be viewable by other users of the Site and/or users of those third-party online platforms without limitation as to its use by us or by a third-party. Our inclusion of such links does not, by itself, imply any endorsement of the content on such platforms or of their owners or operators except as disclosed on the Site. We expressly disclaim any and all liability for the actions of third-parties, including but without limitation to actions relating to the use and/or disclosure of personal information by third-parties. Any information submitted by you directly to these third-parties is subject to that third-party’s privacy policy.

Unfortunately, the transmission of information via the internet or email is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted through the Sites or over email; any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organizational measures to safeguard your personal information against loss, theft and unauthorized use, access or modification.

In certain circumstances you have rights in relation to the personal information we hold about you. We set out below an outline of those rights and how to exercise those rights. Please note that we will require you to verify your identify before responding to any requests to exercise your rights. Please note that for each of the rights below we may have valid legal reasons to refuse your request. In such instances, we will let you know if that is the case.

NOTE: Where you have provided your consent to us processing your personal information, you can withdraw your consent at any time by contacting us through the methods set forth below (see “Exercising Your Rights”).

If you are an EU or UK resident and/or accessing the Sites in the EEA / UK, you have the following rights:

• Access: You have the right to know whether we process personal information about you, and if we do, to access certain data we hold about you and certain information about how we use it and who we share it with.
• Correction: You have the right to require us to correct any personal information held about you that is inaccurate and have incomplete data completed.
• Erasure: You may request that we erase the personal information we hold about you in the following circumstances:

• where you believe it is no longer necessary for us to hold the personal information,
• where we are processing it on the basis of your consent (see section “Special Categories of Data” above) and you wish to withdraw your consent,
• where we are processing your data on the basis of our legitimate interest and you object to such processing,
• where you no longer wish us to use your data to send you marketing, or
• where you believe we are unlawfully processing your data.

Please provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for erasure.

• Objection: You have the right to object to our processing of data about you and we will consider your request. Please provide us with detail as to your reasoning so that we can assesses whether there is a compelling overriding interest in us continuing to process such data or we need to process it in relation to legal claims.
• If you are a US resident, you have the following rights, subject to certain exceptions:
• Right to Know. You have the right to request that we disclose to you the personal information that we maintain about you, which we will provide to you upon receipt of a verifiable request. You may also request certain information regarding our disclosure of personal information to third-parties for direct marketing purposes in accordance with Cal. Civil Code § 1798.83.
• Right to Delete. You may have the right, under certain circumstances, to request that we delete the personal information we have collected from you.
• Right to Non-discrimination. You have the right to be free from discrimination related to your exercise of any of your privacy rights listed above. We will not discriminate against you for exercising any such privacy rights.

Exercising Your Rights

• Only you, or someone that you authorize to act on your behalf, may make a request related to your personal information. An authorized agent may make a request on your behalf by providing written permission signed by you.
• We will need to confirm your identity or the identity of your authorized agent, before processing your request by asking you to log into your existing account (if you are a registered user) or by asking you for additional information, such as a government issued ID, to confirm your identity against information we have already collected.
• Please note that, unless you are an EU or UK resident and/or accessing the Sites in the European Economic Area / UK, you may only make a request for access twice within a 12-month period.

If you have any questions or comments about this Privacy Notice, the ways in which Corcept collects and uses your information described above, your choices and rights regarding such use, or wish to exercise your rights under applicable laws, please do not hesitate to contact us as follows:

• By submitting a Data Privacy Request Intake Form using the following link: Submit Data Privacy Request
• If you are in the USA, by sending an email with your request to dataprotectionofficer@corcept.com or by calling us and leaving a voice message at 1-855-212-CORT (1-855-212-2678)
• If you are in the EEA/UK area, by sending an email to corcept.dpo@mydata-trust.info

Please note that we will endeavour to process your request as soon as possible. This is without prejudice to your right to lodge a complaint with the data protection supervisory authority in the UK or the EEA country in which you live or work where you think we have infringed data protection laws.

We do not knowingly collect or solicit personal information from anyone under the age of 18. If we learn that we have collected personal information from a child under age 18, we will delete that information. If you believe that we might have any such information from or about a child under 18, please contact us at dataprotectionofficer@corcept.com.

Any changes we will make to this Notice in the future will be posted on this page. Please check back frequently to see any updates or changes to this Notice.

COOKIES AND OTHER TRACKING TECHNOLOGIES

We and certain third-parties, use cookies and other technologies (“Tracking Technologies”) to collect personal data and to store information or gain access to information stored on your device, when you use our Sites. This notice tells you more about Tracking Technologies and how we use them in our Sites. When you enter our Sites, you can accept our cookies, or you can manage your cookie preferences through your browser settings. In some cases, when you disable certain cookies, some functions of the Sites may not work.

WHAT ARE TRACKING TECHNOLOGIES?

Tracking Technologies can remain on your device for different periods of time. Some Tracking Technologies exist only while your browser is open. These are deleted automatically once you close your browser. Other Tracking Technologies are “permanent”, meaning that they survive after your browser is closed. They can be used to recognise your device when you open your browser and browse the internet again.

• Cookies. Cookies are small text files, stored on your browser, that uniquely identify your browser or device. Cookies improve your user experience, for example, by enabling our Sites to recognise you when you re-visit, remember your preferences, and provide you with the ability to use customised features. Cookies are also used to make websites work in an efficient way and to ensure adverts you see online are relevant to you and your interests. You can find more information about cookies at www.allaboutcookies.org.
• Pixels. Pixels are small portions of code that we use as part of our Sites. We use pixels to learn whether you have clicked on certain web content. This helps us measure and improve our services and personalize your experience.
• Web beacons. Web beacons are invisible picture files that we use as part of our Sites. We use web beacons to see how you interact with our Sites and to understand how often you view certain content so that we can make our Sites more efficient and easier to use. Our Sites may also carry web beacons placed by third-party advertisers.
• Mobile device IDs. Mobile device IDs are a unique identifier which can be used to identify a mobile device. We use these to run analytics and ensure our Sites are useful to you. Our advertising partners use these to show you ads that are useful to you and also to make sure they don’t show the same ad to you twice.
• Local storage. We also use local storage to store data on your device such as the last time you visited a webpage, to remember which items you put in our shopping cart or to welcome you to our site.
• HTML5 local storage. We occasionally store information locally on your device using HTML5. This allows information to be stored in your browser after the browser has been closed and reopened. We only use HTML5 to store non-sensitive information, such as the previous page you viewed, the name of the current page you are viewing, and some of your preferences. We do use HTML5 local storage to collect personal data from you. You can choose whether the data in HTML5 local storage should be kept beyond your current browser session or deleted. Depending on your browser, you can remove local storage, including HTML5, when clearing your cache and cookies.

HOW DO WE USE TRACKING TECHNOLOGIES?

We use first-party and third-party Tracking Technologies. First-party Tracking Technologies are set directly by us whereas third-party Tracking Technologies are set by a third-party (such as analytics providers, our advertisers and business partners).

We use Tracking Technologies that perform the following functions:

• Essential Tracking Technologies, which are essential to the functioning of our Sites, to provide a service requested by you or to comply with the law (e.g. the security requirements of data protection law). We do not need to obtain your consent in order to use these Tracking Technologies and these Tracking Technologies cannot be turned off as we cannot provide the Sites without them.
• Functionality Tracking Technologies, which allow us to remember choices you make and provide enhanced and personalised features e.g. to show you when you are logged in.
• Performance Tracking Technologies, which enable us to collect information about your online activity (e.g. the duration of your use of the Sites), including behavioural data and content engagement. They allow us to provide you with a better user experience and to maintain, operate and continually improve the Sites.
• Social Media Tracking Technologies, our Sites include social media features, such as Facebook “Like” or “Share” buttons. These features are hosted by a third-party and enable us or the social network to obtain information about how you interact with our Sites or the social network. In addition, where we have a presence on social media platforms, those platforms will set Tracking Technologies on your device when you visit our pages on their platforms so that we can obtain statistical information about how you interact with our social media presence. The cookies notice of the social media platform should explain how you can manage the Tracking Technologies that they set, or you may also be able to manage these Tracking Technologies through using your browser settings.