Privacy Policy

IAMRARE PROGRAM POWERED BY NORD®

I. Introduction

This Privacy Policy (the “Policy”) describes the type of information that the National Organization for Rare Disorders, the controller (the “Company”) gathers from users (“Users” or “you”) of the IAMRARE platform and other platforms owned and/or operated by the Company where this Policy is posted (the “Platform”) and how the Company uses that information. The Policy governs the Platform specifically and where another privacy policy is posted to govern other services or websites offered by the Company, the respective privacy policy shall govern.

II. What Information Does the Company Collect?

The Company occasionally collects Personal Information from Users. “Personal Information” means information that can be used to identify an individual, such as name, postal address, email address, telephone number, user account, health conditions or diagnosis, health treatment data, health observational data, any communications that you choose to have with the Company, or any other information the Company collects that is defined as Personal Information under an applicable law.

The Company also collects information that is about you but individually does not identify you, such as the frequency of User visits to the Platform and demographic and geographic data.

You have choices about the information we collect. When you are asked to provide Personal Information, you may decline. However, if you choose not to provide information that is necessary, you may not be able to use some of our features on the Platform.

Information We Collect

The Company collects information in the following ways:

Information Users Provide Directly

The Company collects information directly provided by Users as part of using various aspects of the Platform. These instances include:

Information Provided Directly

The Platform is intended to collect patient-reported health data, both when a User begins to use the Platform and also over time. Patient-reported health data is collected to accelerate research and ultimately find treatments and cures for rare disorders. Patients’ submission, use, and sharing of information (including Personal Information), along with a patient’s rights related to their data, are governed by a separate, detailed informed consent document (the “Consent”). In the event of any conflict between the Consent and this Policy as to patient Personal Information, the Consent controls.

For other Users, the Platform will collect information necessary to verify the User’s identity and permission to utilize the Platform, including contact information such as name, email address, IP address, username, and password. The Company also collects information you provide by filling in forms on the Platform, including information provided at the times of creating an account, registering on our Platform, and publicly posting on the Platform.

Information Related to Contact Inquiries

If you make an inquiry through the “Contact Us” feature of the Platform, we collect your first and last name, email address, and information provided directly in the body of your inquiry.

Cookies

The Platform utilizes various small files stored on your computer or device – called “cookies” – that perform functions in delivering the Platform. Cookies can track how and when you use the Platform. Upon first visiting the Platform, the Platform requests a User’s permission to utilize cookies. Please be aware that some or all aspects of the Platform may not function properly if a User does not consent to the use of cookies.

The Platform utilizes strictly necessary cookies that are essential to platform functions and relate to the following: user authorization, an anti-forgery mechanism for data entry forms, tracking the instance of the Platform to which the User is connected, and analytics functions for the Platform.

To help facilitate the delivery of relevant content, Google Analytics may be used. Google Analytics uses cookies to report on user interactions. We use the data collected for optimizing marketing, refining advertising, and/or programming strategies, and generally improving user experience. For more information about Google Analytics and how it collects and processes data, please visit: and instructions on opting out of Google Analytics using a specific plug-in are available at the following link: . Note that this opt-out is specific to Google activities. Specifically, the Platform utilizes five cookies: one related to User authorization, one used as an anti-forgery mechanism for data entry forms, one used to track the instance of the Platform to which the User is connected, and two related to analytics functions for the Platform.

Traffic Data

The Platform automatically collects some basic technical information about Users. We use software to keep track of traffic to the Platform and acquire such information as the location from which the traffic originates and which particular pages on the Platform are being viewed and for how long.

Device Identifiers

The Platform may access, collect, monitor, store on your device, and/or remotely store one or more device identifiers, which are small data files that uniquely identify your device.

Metadata

Metadata is technical information associated with Personal Information, such as how or when Personal Information was collected.

III. Use of Information

The Company may collaborate with the Sponsor of the Registry (Study(s)) that you are participating in to conduct IRB-approved research using your Personal Information. Additionally, they may need to access Personal Information to operate and improve the Platform and its other related products, to deliver the Platform, and to improve the Platform. These uses may include making the Platform easier to use by eliminating the need for you to enter the same information repeatedly; performing research and analysis aimed at improving the Platform; establishing registries for rare disorders; conducting observational natural history studies; changing the stigma around rare disorders; automatically updating the Platform; diagnosing or fixing problems with the Platform; and potentially displaying content and advertising customized to your interests and preferences.

The Company also uses information from Users to communicate with Users. The Company may send certain mandatory service communications, such as welcome letters, information on technical service issues, and security announcements.

The Company will use personal information when it has a lawful basis to do so, as follows:

At your direction and with your consent.

To fulfill contracts we might have with you.

For other legitimate business purposes.

To comply with a legal obligation.

The Company does not use Users’ Personal Information for building User profiles for commercial purposes not related to the provision of the Platform. The Company may use Anonymous Info (as defined below) as described in this Policy.

IV. Sharing of Information

The Company will not share your Personal Information except as provided for by this Policy. The Company may share information as provided by this Policy.

A. Patient Advocacy Groups and Research Organizations Researchers

Specific rare disease registries are sponsored by disease-specific patient advocacy groups, and data collected in a registry is – consistent with permission obtained from patients – retained in order to facilitate future research. For a patient, information sharing activities related to research are governed by the study’s Consent. As mentioned earlier, in the event of any conflict between this Policy and the Consent, the Consent controls.

B. Affiliates

The Company may share Personal Information collected by the Platform with businesses that are legally part of the same group as the Company, or that become part of that group (“Affiliates”).

C. Third Party Service Providers

The Company may occasionally hire service providers to provide limited services on its behalf, such as providing customer support, hosting websites, processing transactions, or performing statistical analysis of its services. Those companies will be permitted to obtain only the Personal Information they need to deliver the service. They will be required to maintain the confidentiality of the information and will be prohibited from using it for any other purpose.

D. Disclosures Pursuant to Law

The Company may disclose your Personal Information or any information submitted via the Platform if the Company has a good faith belief that disclosure of such information is helpful or reasonably necessary to: (i) comply with any applicable law, regulation, legal process or governmental request; (ii) enforce any applicable terms of service, including investigations of potential violations thereof; (iii) detect, prevent, or otherwise address fraud or security issues; or (iv) protect against harm to the rights, property or safety of the Company, our Users, yourself or the public. The Company may be required to disclose your Personal Information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

E. Anonymous Information

The Company may use Anonymous Information (as defined below) or disclose it to third party service providers, to provide and improve the Platform. The Company may also disclose Anonymous Information to third parties for a fee. “Anonymous Information” means information which does not enable identification of an individual User, such as aggregated information about use of the Platform. The details, if relevant, will be outlined in your informed consent.

V. Retention

It is the Company’s policy to retain Personal Information regarding Users only for the time period necessary to deliver services requested by the User or to complete transactions initiated by the User unless a longer retention period is required or permitted by law.

VI. Your Choices Regarding Personal Information

Depending on your residence, the rights available to you may differ in some respects. We will respond to any rights request in accordance with local legal regulations. If you wish to make a request regarding any of the below rights, please contact us through the methods provided at the end of the Policy.

Right of access
You may have the right to get confirmation about whether or not your Personal Information is being processed. If so, you have the right to access the Personal Information and other information, such as the purposes, the categories of Personal Information, the recipients (or categories of recipients) to whom the Personal Information have been or will be disclosed – such as our list of service providers who may receive your Personal Information, for particular recipients in third countries or international organizations, where possible, the predicted period that the Personal Information will be stored, or, if not possible, the criteria used to determine that period, your rights, etc.

Where feasible and permitted by law, we will provide a copy of the Personal Information we are processing. For any further copies, we may charge a reasonable fee based on administrative costs. If you make the request by electronic means, and unless otherwise requested, the information shall be provided in electronic form.

Right to rectification

You may have the right to rectify or complete your Personal Information if inaccurate or incomplete.

Right to erasure (‘right to be forgotten’)
You may have the right to the erasure of your Personal Information in certain circumstances. For examples, see below:

Your Personal Information is no longer necessary for the purposes for which it was processed

You withdraw your consent on which the processing is based and make an explicit request for data deletion, and we have no other legal ground for the processing

You object to the processing and there are no overriding legitimate grounds for the processing

Your Personal Information has been unlawfully processed

Your Personal Information has to be erased for compliance with a legal obligation to which we are subject

This right shall not apply to the extent that processing is necessary for the below purposes.

For exercising the right of freedom of expression and information

For compliance with a legal obligation which requires processing by a law to which we are subject

For the performance of a task carried out in the public interest

For the establishment, exercise or defense of our legal claims

Right to restriction of processing
You may have the right to restrict the processing for the below reasons:

You contest the accuracy of your Personal Information, for a period enabling us to verify the accuracy of the Personal Information

The processing is unlawful and you oppose the erasure of the Personal Information and request the restriction of their use

We no longer need the Personal Information for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims

You exercised your right to object to processing pending the verification whether our legitimate grounds override yours

Right to data portability
You may have the right to receive the Personal Information that you have given us, in a structured, commonly used and machine-readable format. You have the right to send that Personal Information to another controller, if the processing is based on consent pursuant or on a contract and is carried out by automated means.

Right to object
You may have the right to object, on grounds relating to your particular situation, to processing of your Personal Information which is based on our legitimate purposes. We will stop processing the Personal Information unless we have compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. If Personal Information is processed for direct marketing purposes, including profiling, you may object at any time.

Automated individual decision-making, including profiling
You may have the right not to be subject to a decision based solely on automated processing, including profiling, except under certain exceptions under local law.

Right to withdraw consent
Where the processing of Personal Information is based on your consent, you may have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.

Right to anonymity
You may also have a right to request anonymity. This means that your Personal Information would not be collected or processed. If you choose to exercise this right, we may not be able to provide you with your requested goods or services.

Right to lodge a complaint with a supervisory authority
We are committed to working with you in the event that you have a complaint or concern about privacy. If you need help lodging a complaint, you can contact us through the contact methods provided at the end of the Privacy Policy. Users who reside in the European Union, Switzerland, and the United Kingdom have the right to lodge a complaint with a national Data Protection Authority. Each European Union member nation has established its own Data Protection Authority; you can find out about the Data Protection Authority in your country here:

VII. Other Information

A. Business Transitions

In the event of a direct or indirect reorganization process including, but not limited to, mergers, acquisitions, divestitures, bankruptcies, and sales of all or a part of the Company’s assets, the Company reserves the right to transfer or assign Personal Information in connection therewith. If transferred in such a case, the purchaser will abide by the terms and conditions of this Policy.

B. Security, Confidentiality and Integrity of Personal Information

The security of your Personal Information is important to us. The Company follows generally accepted industry standards, including the use of appropriate administrative, physical and technical safeguards, to protect Personal Information. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while the Company strives to use commercially reasonable means to protect Personal Information, the Company cannot guarantee its absolute security or confidentiality. Consequently, we cannot ensure or warrant the security of any information you transmit to us and you understand that any information that you transfer to us is done at your own risk. If we learn of a security systems breach we may attempt to notify you electronically so that you can take appropriate protective steps. By using the Platform or providing Personal Information to us, you agree that we can communicate with you electronically regarding security, privacy and administrative issues relating to your use of the Platform. We may post a notice via our Platform if a security breach occurs. We may also send an email to you at the email address you have provided to us in these circumstances. Depending on where you live, you may have a legal right to receive notice of a security breach in writing.

Please be aware that certain Personal Information and other information provided by you in connection with your use of the Platform may be stored on your device (even if that information is not collected by the Company). You are solely responsible for maintaining the security of your device from unauthorized access.

C. International Users

We may limit the Platform’s availability, in whole or in part, to any person, geographic area or jurisdiction we choose, at any time and in our sole discretion.

If you are visiting the Platform from a location outside of the United States or Canada, your connection may be through and to servers located in the United States or Canada. This means that, if you choose to use the Platform and/or to communicate with us through the Platform, information about you – including Personal Information – will be transmitted to the United States or Canada. You acknowledge you understand that by providing your Personal Information to the Company, your Personal Information (i) will be used for the uses identified above in accordance with this Policy, and (ii) may be transferred to the United States or Canada as indicated above, in accordance with applicable law. For example, where Personal Information is transferred from the European Economic Area to areas which have not been determined to have an adequate level of protection, we take measures designed to transfer the information in accordance with lawful requirements, such as standard contractual clauses.

D. Other Websites

The Company may include links on the Platform to other websites. Other websites are not governed by this Policy. Additionally, the Company is not responsible for the practices employed by websites linked to/from the Platform nor the information contained therein. Often links to other websites are provided solely as a way for the User to obtain information that may be useful to them. To better protect your privacy, the Company recommends that you review the privacy policy of any third party website you visit.

E. Children’s Privacy

The Platform is neither directed to nor structured to attract Users who are not legal adults. If you are under legal age, you are not permitted to use the Platform. The Company does not knowingly collect Personal Information from Users who are under legal age. The Company may collect Personal Information about Users who are under legal age if entered by a parent or legal guardian of legal age or by the individual under legal age with their parent or legal guardian’s awareness and permission. If you are a parent with concerns about children’s privacy issues in conjunction with the use of the Platform, please contact the Company at [email protected].

F. Do Not Track

Pursuant to the California Online Privacy Protection Act, the Company discloses how it responds to “Do Not Track” signals; and whether third parties collect Personal Information about Users when they use the Platform.

The Company honors “Do Not Track” signals and does not track, use cookies, or use advertising when a “do not track” mechanism is in place. Note that the Platform will not function properly if the use of cookies is disabled.

The Company does not authorize the collection of Personal Information from our Users for third party use through advertising technologies.

G. Public Posting Areas-Forums, Podcasts, and Other Public Posting Areas

Please note that any information you include in a message you post to any public posting area is available to anyone with internet access. If you don’t want people to know your e-mail address, for example, don’t include it in any message you post publicly. PLEASE BE EXTREMELY CAREFUL WHEN DISCLOSING ANY INFORMATION IN PUBLIC POSTING AREAS. WE ARE NOT RESPONSIBLE FOR THE USE BY OTHERS OF THE INFORMATION THAT YOU DISCLOSE IN PUBLIC POSTING AREAS.

H. Consent and Modification

By using the Platform, you consent to the terms of the Policy and to our processing of Personal Information in the manner and for the purposes set forth in the Policy. If you do not agree with the Policy, please do not use the Platform.

The Company reserves the right, at its sole discretion, to change the Policy at any time, which change will be effective 10 days following posting of the revision to the Policy on the Platform. Your continued use of the Platform 10 days following such posting means you accept those changes.

If the Company makes any change in how we use your Personal Information, the Company will notify you by revising the “Effective Date” at the bottom of this Policy. If we make material changes to our Policy, we will notify you by using the contact information you have on file with us, such as e-mail (at the e-mail address specified in your account), or by means of a notice on the Platform prior to the change becoming effective.

I. Contact Information

If you have questions about this Policy, please contact [email protected].

J. Effective Date

The effective date of this Policy is February 8, 2024.