US-DOCS\87812022.8

Last Revised: August 23, 2017

This privacy policy (the “Privacy Policy”) describes the information RxMx, Inc. and its affiliates (“RxMx,” “we” or

“us”) may collect, use and disclose that information, and how you can get access to this information, to better

serve visitors and users in connection with our Services. The term “Services” includes the website

www.lemtradalabwatch.com and its related sub-domains and subsites (collectively, the “Website”), our related

mobile device application (the “App”), and any other related content, software, applications, widgets, materials

and/or services made available by RxMx, including our Website and App portals (each, a “Portal”). For purposes of

this Privacy Policy, the term “you” refers to you, as a user of the Services.

Please review the following carefully so that you understand our privacy practices. When you use the Services, you

understand that RxMx may collect, use and disclose information about you in various ways subject to the terms of

the Privacy Policy. By using the Services, you are indicating your agreement with these Privacy Policy Terms. If you

have questions about this Privacy Policy, please contact us at the contact information listed in Section IX below or

labwatchinfo@rxmxusa.com.

I. Eligibility Requirements

The Services are only intended for use by (i) healthcare professionals in the United States who have obtained a

Lemtrada® REMS ID from the Lash Group, Inc. (“LASH”), or otherwise, as part of the One to One patient assistance

program (“One to One”) (collectively, the “Prescribers”), (ii) those users that the Prescriber designates as his or her

delegate for purposes of performing the Prescriber’s responsibilities in connection with the Services (each, a

“Delegate”) and (iii) nurses or other healthcare administrators to whom the Prescriber has granted access to the

Prescriber’s patients’ information as supporting staff (“Nurses” and “Administrators” and collectively with

Prescribers and Delegates referred to herein as “Users”). Any other person is not allowed to register with or use

the Services. Please refer to our Terms of Service at

www.lemtradalabwatch.com/csp/rxmx/TermsofService/TermsofService.pdf for additional information about user

eligibility.

RxMx does not knowingly collect or solicit Personal Information (as listed in Section II below) from anyone under

the age of 18 or knowingly allow such persons to register on the Services. In the event that we learn that we have

collected Personal Information from a child under age 18, we will delete that information. If you believe that we

might have any such information from or about a child under 18, please contact us.

II. Information We Collect

When you register to use the Services, you will populate a user profile. This profile includes certain personally

identifiable information you actively enter onto our online forms during registration or while using the Services

( “Personal Information”) and you may at other times also provide us with additional Personal Information.

In addition, we also collect other information from you and from Lash and One to One, some of which may be

Personal Information relating to you and/or to the patients to whom you provide healthcare, as described more

fully below.

If you choose to provide us with Personal Information, you consent to the transfer and storage of that information

US-DOCS\87812022.8

on our servers in the United States.

A. Information We Collect from Third Party Data Providers

The following patient data and laboratory result reports are provided by laboratories and patient care support

programs (including, for example, Quest Diagnostics®, LabCorp®, LASH and One to One) (the “Third Party Data

Providers”) with the patient’s prior written consent, which consent may be obtained, for example, via such

patient’s enrollment in the One to One Support Services program:

 Patient REMS ID

 Patient Name

 Patient Date of Birth

 Patient Gender

 Patient Status with LASH/One to One (including the reason for inactivity, if applicable)

 Patient Telephone Number

 Patient Email Address

 Patient Address and Zip Code

 Patient Treatment Details

 Patient Laboratory Result Reports

 Treating Provider Name

 Treating Provider REMS ID

 Treating Provider Email Address

B. Information We Collect from Users

As a User, you may edit the information we maintain on a patient who is under your care, including the patient’s

telephone number, email address and preference for pathology laboratory, and you may select to indicate the

patient as “Confidential” at any time. If you are a Prescriber, we may also collect the following information from

you and the members of your medical practice who may assist you in using the Services):

 REMS ID

 NPI

 Name

 Email

 Password

 Telephone Number

 Practice Details (including Name, Address and Zip Code, Telephone Number, and Preferred Pathology

Laboratory of the Practice for each practice, along with selection of a primary practice)

 Names, Emails and Telephone Numbers of Delegates and Nurses/Administrators

 Customization of Out-of-Office Dates and Descriptions

 Customization Preferences for Communications (including time and frequency of communications)

In addition, we may collect information regarding the User’s use of the Services, including, but not limited to, a

Prescriber’s adherence to patient monitoring and acknowledgement of alerts.

C. Cookies

To help us serve your needs better, we use "cookies" to store and sometimes track user non-Personal Information,

such as your IP address and click tracking. A cookie is a small amount of data that is sent to your browser from a

web server and stored on your computer's hard drive. A website can use cookies to recognize repeat users or track

web usage behavior. Cookies work by assigning a number to the user that has no meaning outside of the assigning

website. Users of the Services should be aware that non-Personal Information and data may be automatically

US-DOCS\87812022.8

collected by virtue of the standard operation of RxMx’s computer servers or through the use of cookies. If you do

not want information to be collected through the use of cookies, your browser allows you to deny or accept the

use of cookies. There may, however, be some features of the Services which require the use of cookies in order to

customize the delivery of information to you.

Users should be aware that RxMx cannot control the use of cookies (or the resulting information) by third parties.

The use of third party cookies is not covered by our Privacy Policy. We do not have access or control over these

cookies.

RxMx does not track users across third party websites, and therefore does not use or respond to "do not track"

signals in your web browser.

We may use “clear GIFs” (aka “web beacons” or “pixel tags”) or similar technologies, on our Services or in our

communications with you, to enable us to know whether you have visited a part of our Services or received a

message from us. A clear GIF is typically a one-pixel, transparent image (although it can be a visible image as well),

located on a website or in an email or other type of message, which is retrieved from a remote website on the

Internet enabling the verification of an individual’s viewing or receipt of a website or message.

We may also use services hosted by third parties, such as Google Analytics, a web analytics service provided by

Google, Inc. (“Google”), to assist in providing the Services. Google Analytics uses cookies to help us analyze how

users use the Services. The information generated by the cookie about your use of the website (including your IP

address) will be transmitted to, and stored by, Google on their servers. Google will use this information for the

purpose of evaluating your use of the Services, compiling reports on website activity for us and providing other

services relating to website activity and Internet usage. Google may also transfer this information to third parties

where required to do so by law, or where such third parties process the information on Google’s behalf. Google

will not associate your IP address with any other data held by Google. You may refuse the use of cookies by

selecting the appropriate settings on your browser, however please note that if you do this you may not be able to

use the full functionality of the Services. By using these Services, you consent to the processing of data about you

by Google in the manner and for the purposes set out above.

III. How We Use Your Information

A. To Provide the Services

We use the information that we collect from you to provide you with the Services, support and enhance your use

of the Services, to monitor which features of the Services are used most and to allow us to determine which

features we need to focus on improving. The information regarding Prescribers (and their respective Delegates,

Nurses and Administrators) is used to create the accounts for Prescribers, Delegates, Nurses and Administrators

that can be accessed through the Services.

We may use your contact information to send you SMS messaging, email and other types of notifications regarding

a patient’s laboratory result report or other related alerts, or other information about which you have requested

notifications. You may opt-out of these communications (except for email alerts) if you do not wish to receive

them. Email alerts are an important part of the Services; if you do not wish to receive email alerts, then you should

terminate your use of the Services. You may customize the times and frequency for which you receive

communications through our Alert Setting Tab on the HCP PROFILE page. If you are a Prescriber or Delegate, we

may use your contact information and that of your Delegate or Prescriber (as applicable) to call you if you have

failed to acknowledge the automated alerts sent via email and SMS/App (unless you have otherwise opted out).

We will contact you using the contact information (including email address, telephone number, and customized

preferences regarding timing and frequency of communications) that we have in our system. You may modify your

contact details and preferences at any time through the Portal. We may also contact LASH or One to One at any

time regarding your information or the information of any patient to obtain any missing or additional information

needed to provide the Services. While RxMx makes reasonable efforts to obtain such current, accurate information

US-DOCS\87812022.8

on users and patients, RxMx provides no representations or warranties regarding, and is not responsible for, the

accuracy of any such information.

We use non-Personal Information collected from users of the Services and/or from Third Party Data Providers in

the aggregate, so that we can improve the Services and for business and administrative purposes.

B. Patient Information, Including Laboratory Result Reports

Patient information, including laboratory result reports, uploaded to or submitted through the Services is used for:

(i) the creation of alerts (based on identification of the Identified Risks (as defined in the Terms of Service)(

www.lemtradalabwatch.com/csp/rxmx/TermsofService/TermsofService.pdf); (ii) the identification of the patient’s

last infusion date (which determines the length of time needed for monitoring); (iii) viewing by all Users associated

with such patient; and (iv) alert notification and acknowledgement by the Prescriber or his or her Delegate

associated with such patient.

C. Diagnose Website Problems

RxMx uses your Internet Protocol (IP) address to help diagnose problems with our computer server, and to

administer the Website. Your IP address is also used to gather broad demographic data. It is not stored or linked to

your personal profile information, such as name or contact information.

D. Service-related Announcements

We will use your contact information to send you service-related announcements when it is necessary to do so.

For instance, if our service is temporarily suspended for maintenance, we might send you an email.

Generally, you may not opt-out of these communications, which are not promotional in nature. By using the

Services, you agree to receive these communications.

E. Customer Service

We will also use your contact information to communicate with you in response to your inquiries, to provide the

Services you request, and to manage your account. We will communicate with you by your email address or

telephone number initially provided to us by LASH or One to One and confirmed by you, in accordance with your

wishes, and as further modified by you on the Portal (if applicable). By providing a telephone number, you consent

to us contacting you at that number for the purposes outlined in this Privacy Policy. You may revoke your consent

to be contacted at any time by making the change on our user information page or by emailing us at

labwatchinfo@rxmxusa.com. We will respond to your request within 30 days.

IV. Our Disclosure of Your Information

We provide access to the Personal Information that we collect only to Prescribers, Delegates, Nurses and

Administrators who have specific needs to access such information in order to provide the Services. We do not

share any information with external entities other than as provided below, and we do not share Personal

Information with third parties for them to use for their own marketing purposes.

A. Aggregated Data

RxMx may share aggregated usage and log data collected from users of the Services and/or Third Party Data

Providers with third parties for industry analysis and demographic profiling, but such aggregated data will not

include any Personal Information.

B. Third Party Service Providers

US-DOCS\87812022.8

We may provide third-party companies and individuals with access to your information to the extent that it is

needed by them to facilitate our Services, to provide the Services on our behalf, provide customer support,

perform Services-related services (e.g., without limitation, maintenance services, database management, web

analytics and improvement of the Services’ features) or to assist us in analyzing how our Services are used. These

third parties have access to your Personal Information only to perform these tasks on our behalf, and we will

contractually require them to protect and safeguard your Personal Information to at least the same extent that we

do.

C. Law Enforcement

RxMx cooperates with government and law enforcement officials, agencies and private parties to facilitate

enforcement and compliance with the law. We will disclose information about you to government or law

enforcement officials, agencies or private parties to the extent that we, in our sole discretion, believe such

disclosure is necessary or appropriate to respond to claims and legal processes (including but not limited to

subpoenas), to protect the property and rights of RxMx or a third party, to protect the safety of the public or any

person, or to prevent or stop activity we may consider to be, or to pose a risk of being, an illegal, unethical or

legally actionable activity.

D. Business Transfers

In the event that all or a substantial portion of the assets, business or stock of RxMx are acquired by, merged with

or transferred to another party, or in the event that RxMx goes out of business or enters bankruptcy, your Personal

Information may be one of the assets that is transferred to or acquired by the third party. You acknowledge that

such transfers may occur, and that any acquirer of RxMx or its assets may continue to use your Personal

Information as set forth in this Privacy Policy. If any acquirer of RxMx or its assets will use your Personal

Information contrary to this Privacy Policy, you will receive prior notice.

V. Accessing and Updating Your Personal Information and Preferences

If (i) your Personal Information changes, (ii) you no longer desire our Services, (iii) you wish to update your

preferences to receive SMS messaging or other communications from us, or (iv) you are a Delegate who no longer

desires to be a Delegate, you may correct, delete inaccuracies, or amend your Personal Information and

preferences by making the change on our user information page or by emailing us at labwatchinfo@rxmxusa.com.

We will respond to your access request within 30 days. If you are a Prescriber who would like to revoke access to

the Services by a Delegate or a Nurse or Administrator, you may make this change directly through the Portal.

VI. Security

We use standard, industry-wide, commercially reasonable security practices such as 256-bit encryption, firewalls

and TSL (Transport Layer Security). However, as effective as encryption technology is, no security system is

impenetrable. We cannot guarantee the security of our database, nor can we guarantee that information you

supply won't be intercepted while being transmitted to us over the Internet, and any information you transmit to

RxMx you do at your own risk. We recommend that you use unique numbers, letters and special characters in your

password and not disclose your password for these Services to anyone. If you do share your password or Personal

Information with others, you are responsible for all actions taken in the name of your account. If your password

has been compromised for any reason, you should immediately notify RxMx at labwatchinfo@rxmxusa.com and

change your password.

VII. Individual California Residents

California Civil Code Section § 1798.83 permits users of our Services that are California residents to request certain

information regarding our disclosure of Personal Information to third parties, if any, for their direct marketing

purposes (which RxMx does not currently engage in) or choose to opt out of such disclosure. To make such a

US-DOCS\87812022.8

request, you may contact us by email at labwatchinfo@rxmxusa.com.

VIII. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes to our information practices. If we make any material

changes we will notify you by email (sent to the email address specified in your account) or by means of a notice

on the Website and the App prior to the change becoming effective. We encourage you to periodically review this

the latest information on our privacy practices.

IX. Contact Us

If you have questions or concerns regarding this Privacy Policy, you should contact us at

labwatchinfo@rxmxusa.com or at the following address:

RxMx, Inc.

Attention: Privacy Officer

1271 Avenue of the Americas, Suite #4300

New York, NY 10020

Please see full Prescribing Information, including Boxed WARNING, for Important Safety Information about

Lemtrada (alemtuzumab) 12mg IV

Job number: SAUS.MS.17.06.3822a