Privacy Policy - The Ehlers Danlos Society

Last Updated: April 04, 2024

The Ehlers-Danlos Society
Privacy Policy

Introduction

We are The Ehlers-Danlos Society (“Ehlers Danlos”, “us”, “we”, “our”, “The Society”). We are an international nonprofit organization, dedicated to patient support, scientific research, advocacy, and increasing awareness for the Ehlers–Danlos syndromes and hypermobility spectrum disorder. We are registered in England and Wales under registration number 10722868, and we have our registered office at Wayman House 141 Wickham Road, Shirley, Croydon, Surrey, England, CR0 8TE. We are registered with the UK supervisory authority, Information Commissioner’s Office (“ICO”) in relation to our processing of Personal Data under registration number ZB343307.

Unless we notify you otherwise, we are the controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.

We provide our support and services to individuals located in countries all over the world, and we are therefore committed to ensuring we meet our legal obligations when processing personal data under the data protection laws of these countries, which include but are not limited to:

the UK General Data Protection Regulation and the EU General Data Protection Regulation 2016/679 (together referred to herein as the “GDPR”);
the UK Data Protection Act 2018 (“DPA 2018”)
the California Consumer Privacy Act (“CCPA”);
the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”);
the Colorado Privacy Act (“CPA”);
the Connecticut Data Privacy Act (“CTDPA”);
the Utah Consumer Privacy Act (“UCPA”);
the Virginia Consumer Data Protection Act (“VCDPA”).

The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions, you can contact us using the information provided below under the ‘How to Contact Us’ section.

Who This Privacy Notice Applies To

This privacy notice applies to you if:

You visit our website;
You join our global registry and repository;
You register to participate in one of our research programmes;
You undergo assessment to determine suitability for future fund-raising opportunities;
You make a donation to The Ehlers-Danlos Society;
You engage in fundraising for The Ehlers-Danlos Society;
You become an advocate of The Ehlers-Danlos Society;

You sign up to receive newsletters and/or other communications from us.

What Is Personal Data

‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.

‘Special Category Personal Data’ is more sensitive Personal Data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.

How We Collect Your Information

We collect most of the Personal Data directly from you in person, by telephone, text or email and/or via our website.

However, where applicable, we may also collect your Personal Data from third parties such as:

others to whom you have provided consent;
publicly available sources such as social media and/or prospect research platforms.

Personal Data We Collect

The type of Personal Data we collect about you will depend on our relationship with you. For the type of Personal Data we collect, see the table below in the section entitled ‘Purposes and Lawful Basis’.

Purposes and Lawful Basis

We will only use your Personal Data when the law allows. Most commonly, we will use your Personal Data in the following circumstances:

Purpose of Processing	What information may we process	Lawful Basis
Process Donations	Your name (first & last name), address, email address, phone number, reason for giving	1. Performance of Contract 2. Legitimate Interest to use moneys received to support The Ehlers-Danlos Society’s strategic goals
Process Registrations for Research Groups/ Programmes	Your name (first & last name), email address	Performance of Contract
*Assessment/Screening for Future Donations/Fundraising Opportunities	Your name (first & last name), address, email address, phone number, wealth markers, philanthropic indicators	1. Consent 2. Performance of Contract
To send you newsletters and other promotional material	Your name (first & last name), email address	1. Performance of Contract 2. Consent
Event Registration	Your name (first & last name), address, email address, phone number	1. Performance of Contract 2. Consent
Virtual Support Group Registration	Your name (first & last name), email address	1. Performance of Contract 2. Consent
Helpline	Your name (first & last name), address, email address, phone number, special category data	1. Consent 2. Legitimate Interest to offer support to individuals that contact The Ehlers-Danlos Society via the helpline
Global Registry	Your name (first & last name), address, email address, phone number, special category data	1. Consent 2. Legitimate Interest to manage the registry database
Application Processing	Your name (first & last name), address, organisation (if applicable) email address, phone number	Legitimate Interest to process applications for various positions, coalitions, educational programs, grant funding
Healthcare Professionals Directory	Your name (first & last name), address, organisation (if applicable) email address, phone number	Legitimate Interest to manage the healthcare professionals’ directory
Prize Draws	Your name (first & last name), email address	Consent
Social Media	Your name (first & last name), email address, online identifiers	1. Consent 2. Legitimate Interest to promote The Ehlers-Danlos Society and it’s aims

* Where we use publicly available information to assess your inclination to provide financial support, and any areas of philanthropic interest, this research may include financial information (including assessment of income and whether particular donations or funding appeals may be of interest), philanthropy and other giving (including donations to other organisations), other support (for example, details of volunteering roles), career highlights and other life achievements, and information about areas of interest and extra-curricular activities.

Sharing Your Personal Data

We may also disclose your information to third parties in connection with other purposes set out in this policy. These third parties may include:

business partners, suppliers and sub-contractors who may process information on our behalf;
external researchers when explicit consent is given by the participant (regarding the Global Registry);
researchers, any joint funders of research, host institutions, and external members of our committee;
advertisers, social media platforms, and advertising networks;
analytics and search engine providers;
IT service providers.

Where we are under a legal or regulatory duty to do so, we may disclose your details to the police, regulatory bodies or legal advisors, and/or, where we consider necessary to protect the rights, property or safety of The Ehlers-Danlos Society, its personnel, users or others.

International Transfers

Your Personal Data may be processed outside of the EU or UK. This is because the organizations we use to provide our service to you may be based outside the EU or UK.

We have taken appropriate steps to ensure that the Personal Data processed outside the EU or UK has an essentially equivalent level of protection to that guaranteed in the EU or UK. We do this by ensuring that:

Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation);
We enter into an International Data Transfer Agreement (“IDTA”) with the receiving organization and adopt supplementary measures, where necessary. (A copy of the IDTA can be found here international-data-transfer-agreement.pdf (ico.org.uk)) or;
We enter into Standard Contractual Clauses (“SCCs”) with the receiving organizations and adopt supplementary measures, where necessary. (A copy of the SCCs can be found here Standard Contractual Clauses (SCCs)).

How Long We Keep Your Data

We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.

At the end of the retention period, your personal data will be securely deleted or anonymized, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.

We Respect Your Confidentiality

The Ehlers-Danlos Society requires that your personal information be held in strict confidence. We use your information only for its intended Society purposes. We do not sell or trade your information to other organizations or individuals.

We Protect Your Information

The Ehlers-Danlos Society takes every possible measure to ensure that your information is not compromised in any way. We implement appropriate technical and organizational measures to protect data that we process from unauthorized disclosure, use, alteration or destruction. Our privacy promise is in place in respect of our website only. Other online services will be serviced by their own privacy policies.

Some of the controls we have in place are:

We ensure active SSL certification on all of our websites (using https:// rather than http://);
We use technology controls for our information systems, such as firewalls, user verification, data encryption, and separation of roles, systems & data management;
We use password encryption and password management tools;
We enforce a “need to know” policy, for access to any data or systems.

In addition to the technical and organizational measures we have put in place, there are a number of simple things you can do to in order to further protect your personal information;

Never share a One Time Passcode (OTP).
Never enter your details after clicking on a link in an email or text message.
Always send confidential information by encrypted email where possible this reduces the risk of interception.
If you are logged into any online service do not leave your computer unattended.
Close your internet browser once you have logged off.
Never download software or let anyone log on to your computer or devices remotely, during or after a cold call.

Secure Online Services

You can easily identify secure websites by looking at the address in the top of your browser which will begin https:// rather than http://.

What Are Your Data Protection Rights?

The Ehlers-Danlos Society would like to make sure you are fully aware of your rights. We will always ensure, no matter where you are located in the world, that we adhere to and fully respect your data protection rights. If you wish to exercise your data protection rights, please email [email protected].

If you are located in the EU or UK, you have the following rights:

The right to access You have the right to request from The Ehlers-Danlos Society copies of your personal data and information about our processing of it.
The right to rectification You have the right to request that The Ehlers-Danlos Society correct any information you believe to be inaccurate. You also have the right to request The Society to complete information you believe is incomplete.
The right to withdraw You have the right to withdraw your consent at any time when The Ehlers-Danlos Society are relying on consent as the lawful basis for processing your personal data.
The right to erasure You have the right to request that The Ehlers-Danlos Society erase your personal data, under certain conditions. Some data that is being used under certain conditions may not be able to be deleted, such as research data, however in these instances we will ensure all data being used is de-identified and cannot be linked with you.
The right to restrict processing You have the right to request that The Ehlers-Danlos Society restrict the processing of your personal data, under certain conditions.
The right to object to processing You have the right to object to The Ehlers-Danlos Society processing of your personal data, under certain conditions. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material.
The right to data portability You have the right to request that The Ehlers-Danlos Society transfer the data that we have collected to another organization, or directly to you, under certain conditions. If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us.

We do not make significant decisions based solely on automated processing.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you wish to exercise your rights, please contact us at [email protected].

You can also lodge a complaint with your relevant data protection supervisory authority.

If you are located in the US, although The Ehlers-Danlos Society is not currently subject to any state privacy laws, we will always ensure that no matter where you are located, we adhere to and fully respect your data protection rights.

You can find the enacted US state privacy laws listed below:

California Consumer Privacy Act (as amended by the California Privacy Rights Act)
Colorado Privacy Act
The Connecticut Data Privacy Act
Utah Consumer Privacy Act
Virginia Consumer Data Protection Act

Privacy Policies of Other Websites

The Ehlers-Danlos Society website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy.

Children’s Privacy

The Ehlers-Danlos Society is committed to complying with the ICO’s Childrens Code (UK), the Children’s Online Privacy Protection Act (COPPA) and to protecting the online privacy of children under the age of 13. however we do not knowingly collect Personal Data of children without parental consent, unless permitted by law. If you are a child under the age of 13, you must have your parent’s permission to use our services. If you learn that a child has provided us with their Personal Data without parental consent, you may contact us, as described below, and if appropriate, we will securely and permanently delete it, in accordance with applicable law.

How to Contact Us and Our Data Protection Officer

If you have any questions about The Ehlers-Danlos Society Privacy Policy, the data we hold about you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

Email us at: [email protected]

Call us: +1 410-670-7577 or +44 (0) 203 887 6132.

Or write to us at: The Ehlers-Danlos Society Headquarters, 447 Broadway, 2^nd FL #670, New York, NY 10013, USA or The Ehlers-Danlos Society Europe Office, Office 7, 35-37 Ludgate Hill, London, EC4M 7JN, United Kingdom.

We have also appointed a Data protection Officer (“DPO”). Our DPO is Evalian Limited and can be contacted as follows:

Using the above Society email or postal addresses, please send you’re your communication clearly indicating ‘FAO the ‘Data Protection Officer’, your message will be passed directly to Evalian Limited for attention.

Our EU Representative

We are based outside the EU and under the EU GDPR, we are required to appoint an EU representative. The purpose of an EU representative is to make it easy for people in the EU to contact us should they wish to exercise their rights or make a complaint or enquiry in relation to how we are processing their Personal Data. It is also a contact point for the supervisory authorities located in the EU.

Our EU representative is DataRep who can be contacted as follows:

Sending an email to DataRep at [email protected] quoting ‘The Ehlers-Danlos Society’ in the subject line
Sending an online webform at datarep.com/data-request
Mailing your inquiry to DataRep at the most convenient of the addresses in the table below. Please note when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’ and not The Ehlers-Danlos Society or your inquiry may not reach its destination.

DataRep Postal Address List:

Country	Address
Austria	DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Belgium	DataRep, Place de L’Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium
Bulgaria	DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria
Croatia	DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
Cyprus	DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus
Czech Republic	DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic
Denmark	DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark
Estonia	DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia
Finland	DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland
France	DataRep, 72 rue de Lessard, Rouen, 76100, France
Germany	DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
Greece	DataRep, 24 Lagoumitzi str, Athens, 17671, Greece
Hungary	DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary
Iceland	DataRep, Kalkofnsvegur 2, 101 Reykjavík, Iceland
Ireland	DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Italy	DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy
Latvia	DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia
Liechtenstein	DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Lithuania	DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania
Luxembourg	DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg
Malta	DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta
Netherlands	DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands
Norway	DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway
Poland	DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
Portugal	DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal
Romania	DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania
Slovakia	DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia
Slovenia	DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia
Spain	DataRep, Calle de Manzanares 4, Madrid, 28005, Spain
Sweden	DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE – 211 46, Sweden

How To Complain

You have the right to lodge a complaint with the relevant supervisory authority if you are concerned about the way in which we are handling your Personal Data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at: Contact us | ICO, or by telephone on 0303 123 1113

For supervisory authorities in other countries within the EU see the link below:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

Policy Review and Amendments

We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify of the changes where required by applicable law to do so.

Last Modified: April 4, 2024

Cookie	Duration	Description
__stripe_mid	1 year	Stripe sets this cookie cookie to process payments.
__stripe_sid	30 minutes	Stripe sets this cookie cookie to process payments.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_113340939_1	1 minute	Set by Google to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
ahoy_visit	4 hours	This cookie is set by Powr for analytics measurement.
ahoy_visitor	2 years	This cookie is set by Powr for analytics measurement.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_network_for_good_drm_session	session	No description
_TS_	1 hour	No description
DEVICE_INFO	5 months 27 days	No description
m	2 years	No description available.
twp_session	1 hour	No description available.
whova_client_id	10 years	No description
wp_woocommerce_session_34b7f43f52f04b07c00e822d4e7f5de7	2 days	No description

The Ehlers-Danlos Society Privacy Policy