National Organization for Rare Disorders, Inc. (NORD®) 

IAMRARE® Registry Platform Privacy Policy

I. Introduction

This Privacy Policy (the “Policy”) describes the type of information that the National Organization for Rare Disorders (the “Company”) gathers from users (“Users” or “you”) of the IAMRARE Registry Platform (the “Platform”) and how the Company uses that information. The Policy governs the Platform specifically and is separate from any privacy policy that may govern other services or websites offered by the Company.

II. What Information Does the Company Collect?

The Company occasionally collects Personal Information from Users. “Personal Information” means information that can be used to identify an individual.

The Company collects information in the following ways:

The Company collects information directly provided by Users as part of using various aspects of the Platform. These instances include:

Information Provided Directly

The Platform is intended to collect patient-reported health data, both when a User begins to use the Platform and also over time. For patients, submission, use, and sharing of information (including Personal Information), along with a patient’s rights related to their data, are governed by a separate, detailed informed consent document (the “Consent”). In the event of any conflict between the Consent and this Policy as to patient Personal Information, the Consent controls.

For other Users, the Platform will collect information necessary to verify the User’s identity and permission to utilize the Platform, including contact information such as name and email address.

Information Related to Contact Inquiries

If you make an inquiry through the “Contact Us” feature of the Platform, we collect your first and last name, email address, and information provided directly in the body of your inquiry.

The Platform utilizes various small files stored on your computer or device – called “cookies” – that perform functions in delivering the Platform. In specific, the Platform utilizes five cookies: one related to user authorization, one used as an anti-forgery mechanism for data entry forms, one used to track the instance of the Platform to which the User is connected, and two related to analytics functions for the Platform. Upon first visiting the Platform, the Platform requests a User’s permission to utilize cookies. Please be aware that some or all aspects of the Platform may not function properly if a User does not consent to the use of cookies.

The Platform automatically collects some basic technical information about Users. We use software to keep track of traffic to the Platform and acquire such information as the location from which the traffic originates and which particular pages on the Platform are being viewed and for how long.

The Platform may access, collect, monitor, store on your device, and/or remotely store one or more device identifiers, which are small data files which uniquely identify it.

Metadata is technical information associated with Personal Information, such as how or when Personal Information was collected.

III. Use of Information

The Company may use information from Users to operate and improve the Platform and its other products, and to deliver the Platform. These uses may include making the Platform easier to use by eliminating the need for you to enter the same information repeatedly; performing research and analysis aimed at improving the Platform; automatically updating the Platform; diagnosing or fixing problems with the Platform; and displaying content and advertising customized to your interests and preferences.

The Company also uses information from Users to communicate with Users. The Company may send certain mandatory service communications, such as welcome letters, information on technical service issues, and security announcements.

The Company does not use Users’ personal information for building user profiles for commercial purposes not related to the provision of the Platform. The Company may use Anonymous Info (as defined below) as described in this Policy.

IV. Sharing of Information

The Company will not share your Personal Information except as provided for by this Policy. The Company will not sell Personal Information. The Company may share other information as provided by this Policy.

Specific rare disease registries are sponsored by disease-specific patient advocacy organizations, and data collected in a registry is – consistent with permission obtained from patients – retained in order to facilitate future research. For a patient, information sharing activities related to research are governed by the Consent. In the event of any conflict between this Policy and the Consent, the Consent controls. 

The Company may share information collected by the Platform with businesses that are legally part of the same group as the Company, or that become part of that group (“Affiliates”). 

The Company may occasionally hire service providers to provide limited services on its behalf, such as providing customer support, hosting websites, processing transactions, or performing statistical analysis of its services. Those companies will be permitted to obtain only the Personal Information they need to deliver the service. They will be required to maintain the confidentiality of the information and will be prohibited from using it for any other purpose. 

The Company may disclose your Personal Information or any information submitted via the Platform if the Company has a good faith belief that disclosure of such information is helpful or reasonably necessary to: (i) comply with any applicable law, regulation, legal process or governmental request; (ii) enforce any applicable terms of service, including investigations of potential violations thereof; (iii) detect, prevent, or otherwise address fraud or security issues; or (iv) protect against harm to the rights, property or safety of the Company, our Users, yourself or the public. The Company may be required to disclose Personal Information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. 

The Company may use Anonymous Information (as defined below) or disclose it to third party service providers, to provide and improve the Platform. The Company may also disclose Anonymous Information to third parties for a fee. "Anonymous Information" means information which does not enable identification of an individual User, such as aggregated information about use of the Platform.

V. Retention

It is the Company’s policy to retain Personal Information regarding Users for the time period necessary to deliver services requested by the User or to complete transactions initiated by the User.

VI. Your Choices Regarding Personal Information

You have the choice to request information about the collection, use, and disclosure of Personal Information (a “Request to Know”) and to request the deletion of personal information that pertains to you (a “Request to Delete”). The Company does not discriminate against users upon the basis of submitting either type of Request. As noted in the “Sharing of Information” section, above, the Company does not sell Personal Information, and so state laws regarding the right to “opt out” of such sales are not directly applicable to Company.

Users may submit two types of Requests to Know: (1) A request for the specific items of Personal Information that has been collected about you in the past twelve months; or (2) a request for the categories of Personal Information that have been collected, used, and disclosed about you in the past twelve months.

When you submit a Request to Know, you may be asked to provide certain items of information in order to verify your identity, such as your name, email address, and phone number. If you submit a Request to Know for the specific items of information that have been collected about you, you may also be required to submit a signed declaration under the penalty of perjury stating that you are the consumer whose Personal Information is the subject of the Request to Know.

If your identity can be verified, the response to your Request to Know will involve either: (a) providing the requested information; or (b) explaining why the requested information is not required to be provided. If your identity cannot be verified, the response will indicate that your identity cannot be verified. Receipt of your Request to Know will be confirmed within 10 days and you will receive a response to a Request to Know within 45 days. If a response requires additional time, you will be notified of the basis for the delay and the response period may be extended up to an additional 45 days.

If provided, information will be provided free of charge and in a readily useable portable format. Personal Information will not be provided to you more than twice in a 12-month period. If a Request to Know or series of Requests to Know are manifestly unfounded or excessive, a reasonable fee may be charged, or the request may be refused.

Users may submit a Request to Delete by emailing the Study Sponsor. When you submit a Request to Delete, you may be asked to provide certain items of information in order to verify your identity, such as your name, email address, and phone number. If your identity can be verified, the response to your request will involve (a) deleting your Personal Information and, if applicable, directing Service Providers to delete your Personal Information; or (b) explaining why deleting your Personal Information is not required. Personal Information may be deleted by de-identifying, aggregating, or completely erasing the Personal Information, and the manner of deletion will be specified.

If a Request to Delete or series of Requests to Delete are manifestly unfounded or excessive, you may be charged a reasonable fee for processing the Request(s) to Delete, or the Request(s) to Delete may be refused. Receipt of your Request to Delete will be confirmed within 10 days and you will receive a response to your Request to Delete within 45 days. If a response requires additional time, you will be notified of the basis for the delay and the response period may be extended up to an additional 45 days.

Please note, however, that certain information may be exempt from Requests to Delete, for example if the information is needed to comply with legal obligations or to establish, exercise, or defend legal claims.

Users who reside in the European Union, Switzerland, and the United Kingdom have the right to lodge a complaint with a national Data Protection Authority. Each European Union member nation has established its own Data Protection Authority; you can find out about the Data Protection Authority in your country here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

VII. Other Information

If the Company is acquired by or merged with a third-party entity, or if it is subject to a bankruptcy or any comparable event, the Company reserves the right to transfer or assign Personal Information in connection therewith.

The security of your Personal Information is important to us. The Company follows generally accepted industry standards, including the use of appropriate administrative, physical and technical safeguards, to protect Personal Information. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while the Company strives to use commercially reasonable means to protect Personal Information, the Company cannot guarantee its absolute security or confidentiality.

Please be aware that certain Personal Information and other information provided by you in connection with your use of the Platform may be stored on your device (even if that information is not collected by the Company). You are solely responsible for maintaining the security of your device from unauthorized access.

The Company and its servers are located in the United States and are subject to applicable local, state, and federal laws. Users who choose to access the Platform do so on their own initiative and at their own risk, and are responsible for complying with all applicable laws, rules and regulations. Users who choose to access the Platform consent to the use and disclosure of information in accordance with this Policy and subject to such laws. We may limit the Platform’s availability, in whole or in part, to any person, geographic area or jurisdiction we choose, at any time and in our sole discretion. We do not represent or warrant that the Platform, or any part thereof, is appropriate or available for use in any other jurisdiction. 

As to residents of the EU, this means that, if you choose to use the Platform and/or to communicate with us through the Platform, information about you – including Personal Information – will be transmitted outside of the EU to the United States. The European Commission has the authority, pursuant to Article 45 of the GDPR, to determine that the laws of states outside of the EU provide residents of the EU with an adequate level of data protection similar to that of the GDPR. Please note that, to date, the European Commission has not determined that the federal and state laws of the United States provide EU residents with an adequate level of data protection.

The Company may include links on the Platform to other websites. Other websites are not governed by this Policy.

The Platform is neither directed to nor structured to attract Users who are not legal adults. If you are under legal age, you are not permitted to use the Platform. The Company does not knowingly collect Personal Information from users who are under legal age. The Company may collect Personal Information about users who are under legal age if entered by a parent or legal guardian of legal age. If you are a parent with concerns about children’s privacy issues in conjunction with the use of the Platform, please contact the Company at privacy@rarediseases.org.

Pursuant to the California Online Privacy Protection Act, the Company discloses to disclose how it responds to "Do Not Track Signals"; and whether third parties collect personally identifiable information about users when they use online services. 

The Company honors "do not track" signals and does not track, use cookies, or use advertising when a “do not track” mechanism is in place. Note that the Platform will not function properly if the use of cookies is disabled. 

The Company does not authorize the collection of personally identifiable information from our users for third party use through advertising technologies.

By using the Platform, you consent to the terms of the Policy and to our processing of Personal Information in the manner and for the purposes set forth in the Policy. If you do not agree with the Policy, please do not use the Platform. 

The Company reserves the right, at its sole discretion, to change the Policy at any time, which change will be effective 10 days following posting of the revision to the Policy on the Platform. Your continued use of the Platform 10 days following such posting means you accept those changes. 

If the Company makes any change in how we use your Personal Information, the Company will notify you by email (at the e-mail address specified in your account), or by means of a notice on the Platform prior to the change becoming effective.

If you have questions about this Policy, please contact privacy@rarediseases.org.

The effective date of this Policy is August 21, 2020.