This section supplements the information contained in the rest of our Privacy Statement and applies to all Consumers residing in the state of California according to “The California Consumer Privacy Act of 2018” (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time (“CCPA”) and is effective upon the date that the CCPA enters into operation. Consumers are referred to below as “you”, “your”, “yours”, and, for such Consumers, these provisions supersede any other possibly divergent or conflicting provisions contained in the Privacy Statement. This part of the Privacy Statement uses the terms “Consumer”, “Personal Information”, “Sale” and “Business Purpose” as they are defined in the CCPA. All other capitalized terms in this section of the Privacy Statement are intended to have the same meaning as in the CCPA.

Children’s Privacy

The CCPA regulates the online collection of Personal Information from children under the age of 16. Our Services are not directed to or used by children, and we do not knowingly collect Personal Information from children under the age of 16.

Collection of Personal Information

Category of Personal Information Collected	Collect	Disclose	Sell	Categories of Sources of Collection	Categories of Third Parties With Whom Personal Information is Shared
A. Identifiers such as a real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address and account name.	Yes	Yes	Yes	Directly from you Indirectly from you by observing your actions on our Website or from your Devices. Directly or indirectly from others publicly available websites with permissible terms and conditions, customers, and business partners. Public records from government entities.	Internet service providers. Data analytics providers. Operating systems and platforms. Customers. Affiliates. Vendors and service providers. Third parties integrated into our services. Third parties as required by law and similar disclosures. Third parties in connection with a merger, sale, or asset transfer. Other third parties for whom we have obtained your permission to disclose your Personal Information. Not shared with: Advertising networks. Government entities. Social networks. Consumer data resellers.
B. Personal Information as defined in the California customer records law, Section 1798.80(e), such as name, contact information, education, employment, employment history and financial information.	Yes	Yes	Yes	Directly from you Directly or indirectly from other publicly available websites with permissible terms and conditions, customers, and business partners. Public records from government entities.	Internet service providers. Data analytics providers. Operating systems and platforms. Customers. Affiliates. Vendors and service providers. Third parties integrated into our services. Third parties as required by law and similar disclosures. Third parties in connection with a merger, sale, or asset transfer. Other third parties for whom we have obtained your permission to disclose your Personal Information. Not shared with: Advertising networks. Government entities. Social networks. Consumer data resellers.
C. Characteristics of Protected Classifications under California or Federal Law.	No	No	No	N/A	N/A
D. Commercial information, such as transaction information, purchase history, financial details and payment information.	No	No	No	N/A	N/A
E. Biometric Information, such as fingerprints and voiceprints.	No	No	No	N/A	N/A
F. Internet or other electronic network activity information, such as browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems and advertisements.	Yes	Yes	No	Directly from you when you create an account with us. Indirectly from you by observing your actions on our Website or from your Devices. Public records from government entities.	Internet service providers. Data analytics providers. Operating systems and platforms. Customers. Affiliates. Vendors and service providers. Third parties integrated into our services. Third parties as required by law and similar disclosures. Third parties in connection with a merger, sale, or asset transfer. Other third parties for whom we have obtained your permission to disclose your Personal Information. Not shared with: Advertising networks. Government entities. Social networks. Consumer data resellers.
G. Geolocation Data, such as Precise physical location.	No	No	No	N/A	N/A
H. Audio, electronic, visual and similar information, such as images and audio, video or call recordings created in connection with your practice.	Yes, only for Veeva Link	Yes, only for Veeva Link	Yes, only for Veeva Link	Directly from you. Directly or indirectly from other publicly available websites with permissible terms and conditions, customers, and business partners. Public records from government entities.	Internet service providers. Data analytics providers. Operating systems and platforms. Customers. Affiliates. Vendors and service providers. Third parties integrated into our services. Third parties as required by law and similar disclosures. Third parties in connection with a merger, sale, or asset transfer. Other third parties for whom we have obtained your permission to disclose your Personal Information. Not shared with: Advertising networks. Government entities. Social networks. Consumer data resellers.
I. Professional or employment-related information, such as job title as well as work history and experience in connection with your practice.	Yes	Yes	Yes	Directly from you when you create an account with us. Directly or indirectly from other publicly available websites with permissible terms and conditions, customers, and business partners. Public records from government entities.	Internet service providers. Data analytics providers. Operating systems and platforms. Customers. Affiliates. Vendors and service providers. Third parties integrated into our services. Third parties as required by law and similar disclosures. Third parties in connection with a merger, sale, or asset transfer. Other third parties for whom we have obtained your permission to disclose your Personal Information. Not shared with: Advertising networks. Government entities. Social networks. Consumer data resellers.
J. Non-Public Education information subject to the federal Family Educational Rights and Privacy Act, (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part 99) such as student records.	No	No	No	N/A	N/A
K. Inferences drawn from any of the Personal information Collected to create a profile or summary about, for example, an individual’s preferences and characteristics.	No	No	No	N/A	N/A

As of the effective date, our Disclosures for a Business Purpose include:

1. Auditing related to a current interaction with the Consumer and concurrent transactions, including, but not limited to auditing compliance with this specification and other standards;
2. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
3. Debugging to identify and repair errors that impair existing intended functionality;
4. Performing services on behalf of Veeva or a Customer, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying Consumer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of Veeva or a Customer;
5. Undertaking internal research for technological development and demonstration;
6. Undertaking activities to improve, upgrade, enhance, verify or maintain the quality of Veeva’s Services;
7. Disclosure to a Third Party, that is bound not to further disclose such information and is prohibited from Selling such information;
8. Consumer Identity Verification Information or Authorized Agent designation and identity verification; and
9. Compliance with law.

Verifiable Consumer Requests

You can make requests related to your rights under the CCPA by using the links or telephone number at the end of this Privacy Statement.

If you are a Consumer, you have the right to request that we disclose to you (i) the categories of Personal Information we Collected about you and the Categories of Sources from which we Collected such information; (ii) the specific pieces of Personal Information we Collected about you; (iii) the Business or Commercial Purpose for Collecting Personal Information about you; and (iv) the categories of Personal Information about you that we shared or Disclosed and the Categories of Third Parties with whom we shared or to whom we Disclosed such information in the preceding 12 months. You also have the right to request that we delete Personal Information we Collected from you subject to certain exceptions explained below.

You also have the right to not be discriminated against in pricing and services because you exercise any of your rights under the CCPA. Veeva does not offer Financial Incentives or Price or Service Differences to Consumers in exchange for the retention or Sale of a Consumer’s Personal Information.

You may only make a Verifiable Consumer Request for access or data portability twice within a 12-month period. The Verifiable Consumer Request must:

• Provide sufficient information that allows us to reasonably Verify you are the Consumer about whom we Collected personal information or an Authorized Agent (i.e., a person registered with the California Secretary of State that you authorize to act on your behalf). You may be required to submit proof of your identity. Only you or your Authorized Agent may make a Verifiable Consumer Request regarding your Personal Information.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We will confirm receipt of your Verifiable Consumer Request promptly and aim to respond to your request within 45 days of its receipt. Should we need more time, we will explain to you the reasons why and how much more time we need to complete the request. Please note that we may need to take up to 90 days to fulfill your request.

We will not charge a fee to process or respond to your Verifiable Consumer Request unless we reasonably determine it is excessive, repetitive, or manifestly unfounded. As such, if we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

We will respond to your request consistent with the CCPA requirements, which do not apply to certain information excluded from the scope of the CCPA, such as publicly available information from government records; De-identified information, Aggregated Consumer Information, and information excluded from the CCPA’s scope, including health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data.

We will review the information related to your Verifiable Consumer Request that you provide and may request additional information from you to help ensure we are interacting with the correct individual. If you have an online account with us, you may be required to log-in to your account for identity verification. If you do not have an account with us, other information to Verify your identity may be required by law before we may take action upon such a request. This other information may vary depending on the nature of your request and/or the nature of the information about which your request relates. We may also be required by law to obtain a signed declaration under penalty of perjury from you. If we suspect fraudulent or malicious activity, we will delay taking action on your request until we can appropriately Verify your identity and the request as authentic. 

By law, we are not required to Collect Personal Information that we otherwise would not Collect in the ordinary course of our business, retain Personal Information for longer than we would otherwise retain such information in the ordinary course of our business, or reidentify or otherwise link information that is not maintained in a manner that would be considered Personal Information. If we have not requested specific information from you to Verify your request, please do not send such information.

We generally will aim to avoid requesting additional information from you for the purposes of verification. However, if we cannot reasonably Verify your identity or more information is needed for security or fraud-prevention purposes, we may consider any of the following factors, alone or in combination, in requesting additional information:

• The type, sensitivity, and value of the Personal Information Collected and maintained about the Consumer, as applicable law requires a more stringent verification process for sensitive or valuable Personal Information;
• The risk of harm to the Consumer posed by any unauthorized access or deletion;
• The likelihood that fraudulent or malicious actors would seek the Personal Information;
• Whether the Personal Information to be provided by the Consumer to Verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated;
• The manner in which we interact with you as the Consumer;
• Available technology for verification; and
• Other factors that may be reasonable in the circumstances, are consistent with industry practice, are recommended by California government officials, or which may be required by law or regulation following the effective date of this Privacy Statement.

If your request is regarding household information, the same verification steps above are required before we can provide you with aggregate household information. For us to process a request for access to or deletion of specific pieces of information regarding your household, all members of the household must make the request, and we must be able to Verify each household member.

In some cases, we may not have sufficient information about you or your household to be able to Verify your identity or sufficiently differentiate you from another consumer or household to the degree of certainty required by law, in which case, we will not be able to act upon your request. In such cases, it may be unlikely that we would be able to identify you or your household in the future without Collecting significantly more information or seeking to reidentify De-identified information. At this time, we do not intend to take such steps in response to a request made pursuant to this Privacy Statement and applicable law does not require that we do so. If, in the future, we determine a reasonable method to identify you or your household absent such steps, we will provide an update to you through this Privacy Statement and in response to any such request at that time.

Information that you submit for the purpose of allowing us to Verify your identity in furtherance of an individual Consumer-related or household-related request pursuant to California law will only be used by us, and our Service Providers if any, for that purpose and no other. Except where we are required by law to maintain such information for record-keeping purposes, we will take steps to delete any new Personal Information Collected for the purpose of verification as soon as practical after processing your request.

Please also be aware that making any such request does not ensure complete or comprehensive removal or deletion of Personal Information or content you may have posted. When we receive a deletion request, it may be necessary for us to flag certain Personal Information and suppress any future processing or sharing of that information in order to ensure proper fulfillment and implementation of the deletion request on an ongoing basis. In addition, there may be circumstances in which the law does not require or allow us to fulfill your request, including, for example, where retaining the information is necessary for us or our service providers to:

1. Complete the transaction for which we Collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
3. Debug products to identify and repair errors that impair existing intended functionality.
4. Exercise free speech, ensure the right of another Consumer to exercise their free speech rights, or exercise another right provided for by law.
5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
7. Enable solely internal uses that are reasonably aligned with any Consumer expectations based on your relationship with us.
8. Comply with a legal obligation.
9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

To exercise your rights:

• If you are a scientific expert whose Personal Information is included within Veeva Link, click here.
• If you are a healthcare professional whose Personal Information is included within Veeva OpenData, click here.
• If you are a healthcare professional whose Personal Information is included within Veeva Compass Patient, click here.
• If you are a healthcare professional whose Personal Information is included within Veeva Compass Prescriber, click here.
• If you are an EU resident, you may exercise your data subject rights under Articles 15 to 22 of the GDPR by contacting privacy@veeva.com
• If you are a consumer whose Personal Information is included within Veeva Crossix Products, click here
• For all other privacy requests, click here.
• You may also contact us toll-free at 1(800) 971-3716.

Please note that we cannot accept or process requests through any other means (such as via fax or social media).

For questions regarding this Privacy Statement, please contact ccpa@veeva.com.