About this policy
By providing us with your data, you warrant to us that you are over 13 years of age.
If you have any questions about this policy, please contact us using the details in the ‘Contact us, section below.
The National Axial Spondyloarthritis Society (NASS) is the only UK registered charity dedicated to axial spondyloarthritis (axial SpA ) including ankylosing spondylitis (AS).
NASS provide support, advice and information to people with AS. We are committed to keeping people as informed as possible about AS. We believe that people who understand their AS and how it should be managed will have the best possible outcome.
The National Axial Spondyloarthritis Society is the data controller and we are responsible for your personal data (referred to as “we”, “us” or “our” in this privacy notice).
Full name of legal entity: The National Axial Spondyloarthritis Society (NASS)
Email address: firstname.lastname@example.org
Postal address: Ground Floor, Unit 6, Cambridge Court, 210 Shepherds Bush Road, London, W6 7NJ
Telephone number: 0208 741 1515
At NASS your privacy and preferences matter. We promise:
- To respect your personal details and to keep them safe and secure;
- Never to sell or exchange your information with another organisation for their own use;
- To respond promptly to any request you make to change your details, or for us to stop using your information;
- To be clear when we collect your details and not to do anything you wouldn’t reasonably expect.
By allowing us to use personal data to better understand our customers and supporters, you are helping us to make better decisions, improve our services for people with AS, fundraise more efficiently and, ultimately, achieve our goals of reaching, supporting and improving the lives of people affected by AS.
It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us at email@example.com
How we collect your personal data
When you give it to us DIRECTLY
You may give us your details when you sign up for one of our events, receive support from our Helpline or another service, volunteer with us, become a member or join one of our Branches, enter our raffle or lottery, order an information booklet, tell us your story, make a donation, purchase our products or communicate with us. Sometimes your information is collected by an organisation working for us (e.g. a professional fundraising agency), but we are responsible for your data at all times.
We will collect and process all the information that you give us, as well as responses given to you by our staff. This may include sensitive personal data where you volunteer this information.
We may also collect and retain your information if you send feedback about our services or make a complaint
When you give it to us INDIRECTLY
When you give permission to OTHER ORGANISATIONS to share your details
The information we get from other organisations may depend on your privacy settings or the responses you give, so you should regularly check them. This information comes from the following sources:
- Third party organisations: You may have provided permission for a company or other organisation to share your data with third parties, including charities. This could be when you buy a product or service, register for an online competition or sign up with a comparison site. We may receive data from third parties such as analytics providers such as Google based outside the EU, advertising networks such as Facebook based outside the EU, search information providers such as Google based outside the EU, providers of technical, payment and delivery services, such as data brokers or aggregators.
- Social Media: Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp, LinkedIn, Instagram or Twitter, you might give us permission to access information from those accounts or services.
- Information available publicly: We may obtain and store information about you that is available publicly from third party sources such as from Companies House and information that has been published in articles/ newspapers.
When we collect it as you use our WEBSITES OR APPS
What data do we collect about you, for what purpose and on what grounds do we process it
Categories of personal data about you that we may process
Personal data means any information capable of identifying an individual. It does not include anonymised data.
- Communication Data that includes any communication that you send to us whether that be through the contact form on our website, through email, text, social media messaging, social media posting or any other communication that you send us. We process this data for the purposes of communicating with you, for record keeping and for the establishment, pursuance or defense of legal claims. Our lawful ground for this processing is our legitimate interests which in this case are to reply to communications sent to us, to keep records and to establish, pursue or defend legal claims.
- Customer Data that includes data relating to any donations/ purchases of goods/ membership such as your name, title, billing address, delivery address email address, phone number, contact details, purchase details and your card details. We process this data to supply the goods and/or services you have purchased and donations you have made and to keep records of such transactions. Our lawful ground for this processing is legitimate interest, the performance of a contract between you and us and/or taking steps at your request to enter into such a contract.
- User Data that includes data about how you use our website and any online services together with any data that you post for publication on our website or through other online services. We process this data to operate our website and ensure relevant content is provided to you, to ensure the security of our website, to maintain back- ups of our website and/or databases and to enable publication and administration of our website, other online services and business. Our lawful ground for this processing is our legitimate interests which in this case are to enable us to properly administer our website and our business.
- Technical Data that includes data about your use of our website and online services such as your IP address, your login data, details about your browser, length of visit to pages on our website, page views and navigation paths, details about the number of times you use our website, time zone settings and other technology on the devices you use to access our website. The source of this data is from our analytics tracking system. We process this data to analyse your use of our website and other online services, to administer and protect our business and website, to deliver relevant website content and advertisements to you and to understand the effectiveness of our advertising. Our lawful ground for this processing is our legitimate interests which in this case are to enable us to properly administer our website and our business and to grow our business and to decide our marketing strategy.
- Marketing Data that includes data about your preferences in receiving marketing from us and our third parties and your communication preferences. We process this data to enable you to partake in our promotions such as competitions, prize draws and free give-aways, to deliver relevant website content and advertisements to you and measure or understand the effectiveness of this advertising. Our lawful ground for this processing is consent or our legitimate interests which in this case are to study how customers use our products/services, to develop them, to grow our business and to decide our marketing strategy.
- Sensitive Data. Certain types of personal information are in a special category under data protection laws, as they are considered to be more sensitive. Examples of this type of sensitive data would be information about health, race, religious beliefs, political views, trade union membership, sex life or sexuality or genetic/biometric information.
We only collect this type of information about our supporters to the extent that there is a clear reason for us to do so, for example asking for health information if you are taking part in a sporting event, or where we ask for information for the purpose of providing appropriate facilities or support.We process this information under Article 9 condition (c) of the GDPR, “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”
We will also collect this type of information if you make it public or volunteer it to us – for instance if you tell us you have AS when fundraising for us and want to share your story or you call our Helpline for advice or ask us to help you with your benefits application.
Wherever it is practical for us to do so, we will make why we are collecting this type of information clear and what it will be used for. We process this information under Article 9 condition (a) of the GDPR, “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.
We may use Customer Data, User Data, Technical Data and Marketing Data to deliver relevant website content and advertisements to you (including Facebook adverts or other display advertisements) and to measure or understand the effectiveness of the advertising we serve you. Our lawful ground for this processing is legitimate interests which is to grow our organisation. We may also use such data to send other marketing communications to you. Our lawful ground for this processing is either consent or legitimate interests (namely to grow our organisation).
The type and quantity of information we collect and how we use
It depends on who you are and why you are providing it.
If you support us, for example if you make a donation, become a Member, volunteer, register to fundraise, sign up for an event, lobby or campaign for us or buy something from us, we will usually collect:
- Your name;
- Your contact details;
- Your date of birth;
- Your bank or credit card details.
Where it is appropriate we may also ask for:
- Information about your experiences of living with AS (if relevant). We will never make this question mandatory, and only want to know the answer if you are comfortable telling us;
- Information relating to your health (for example if you are taking part in a high-risk event);
- Why you have decided to support us. We will never make this question mandatory, and only want to know the answer if you are comfortable telling us.
We will mainly use your data to:
- Support you if you are affected by AS. See below for information about our helpline. Other programmes include local branch sessions and other activities aimed at supporting people with AS
- Provide you with the products or information you asked for;
- Administer your donation or support your fundraising and participation in our activities, including processing gift aid;
- Process your Membership send you your welcome pack, AS Magazine and remind you about the renewal
- Keep a record of your relationship with us;
- Work with third parties to send you relevant marketing materials based on your preferences and our analysis of your interests, which includes building profiles of our supporters (see sections on Direct marketing and building profiles, below);
- To share your story with fellow supporters, with your consent (see section on sharing your story, below);
- Ensure we know how you prefer to be contacted;
- Understand how we can improve our services, products or information. We may combine information you provide to us with information available from external sources;
- Manage feedback we receive from you.
We will not:
- Contact you with or about information you have not requested;
- Sell your data to another organisation.
If you seek information from us in a professional capacity (for example if you are a healthcare professional, an employee of a company that supports us or a Trustee in a registered Trust) or join one of our professional networks, we may treat your details slightly differently from other customers and supporters.
As well as your contact details and any financial information we require to process transactions, we will also store details about your role and who you work for. We may also ask for information about your professional experiences linked to AS. Our lawful ground for this processing is consent or our legitimate interests which in this case are to:
- Manage participation in our professional networks;
- Provide you with the information, services or products you asked for;
- Administer your organisation’s donation or support fundraising and participation in our activities;
- Keep a record of your organisation’s relationship with us and your role in this.
- Send you relevant marketing materials (see section on Direct Marketing, below);
- Understand how we can improve our services, products or information;
- Manage feedback we receive from you.
Public figures and AS Champions
We may obtain and store details about people who publicly express support or interest in AS-related issues. We will also store details of public figures, such as MPs, who express an interest in our work and the reason for this interest.
We will use this information to contact people in order to better raise awareness of AS and our work, and to seek changes to public or other policies when we have a legitimate interest.
We will maintain detailed employee records to manage current staff and to make payments to current and past employees.
We may store their personal details alongside any other information provided by people who express an interest in working for us, whether via a formal application or expressed informally.
Researchers and suppliers
We will store contact details and financial details of researchers and suppliers in order to manage and process grants, contracts and payments.
We will retain a directory of researchers and suppliers in order to issue future offers.
We will use information we collect about your internet browsing to identify your approximate location, to block disruptive or unauthorised use, to record or limit traffic, and to improve our site to ensure that content is presented in the most effective manner for you and for your computer.
If you enter your details onto one of our online forms, and you don’t ‘send’ or ‘submit’ the form, we may contact you to see if we can help with any problems you may be experiencing with the form on our websites.
We may also use your personal information to comply with legal requirements to detect and reduce fraud, money-laundering and credit risk.
Where you request, we will maintain a record for the purpose of suppressing future communications with you or to stop other data processing.
We use profiling and screening techniques to ensure communications are relevant and timely, and to provide an improved experience for our supporters. Profiling also allows us to target our resources effectively, which donors consistently tell us is a key priority for them. Our lawful ground for this processing is our legitimate interest. We do this because it allows us to understand the background of the people who support us and helps us to make appropriate requests to supporters who may be able and willing to give more than they already do. Importantly, it enables us to raise more funds, sooner, and more cost-effectively, than we otherwise would.
When building a profile, we may analyse geographic, demographic and other information relating to you to better understand your interests and preferences in order to contact you with the most relevant communications. In doing this, we may use additional information from third party sources when it is available. Such information is compiled using publicly available data about you, for example addresses, listed Directorships or typical earnings in a given area. We rely on legitimate interests for this processing.
We only want to contact supporters who want to hear from us in the ways that they want to hear from us. Our forms have clear marketing preference questions and we include information on how to opt out when we send you marketing.
If you have given us your consent to contact you by email, telephone and text message, we may contact you for marketing purposes by using that channel. If you subscribe to our regular emails or online magazine, you also allow us to email you other marketing and advertising materials. We may also contact you by email or telephone or text message for service delivery purposes (e.g. where you place an order on our site or where you donate to us).
If you have provided us with your postal address then we may rely on our legitimate interests to send you direct mail for fundraising, campaigning or research unless you have told us that you would prefer not to hear from us in this way.
We may contact professionals directly, without opt-in consent. However, we will always offer an opportunity to refuse marketing materials from us.
With your consent, we will contact you to let you know about the progress we are making and to ask for donations or other support. Occasionally, we may include information from partner organisations or organisations who support us in these communications. We make it easy for you to tell us how you want us to communicate, in a way that suits you.
If you don’t want to hear from us, that’s fine. Just let us know when you provide your details, click the “unsubscribe” link in any email we send or contact firstname.lastname@example.org 02087411515. We will retain your details on a suppression list to help ensure that we do not continue to contact you in future unless we receive a direct request otherwise.
We do not sell or share personal details to third parties for the purposes of marketing. But, if we run an event in partnership with another named organisation your details may need to be shared. We will be very clear what will happen to your data when you register.
Sharing your story
Some people choose to tell us about their experiences with AS to help further our work by publicising the impact that AS can have. This may include them sharing sensitive information related to their health and family life in addition to their biographical and contact information.
We use some of the information provided, including gender or ethnicity of people have experience with, to publicise our services, raise the profile of AS in the media, fundraise, or recruit volunteers and campaigners.
If we have the explicit and informed consent of the individuals, or their parent or guardian if they are under 18, this information may be made public by us at events, in materials promoting our campaigning and fundraising work, or in documents such as our annual report.
We run services to provide support to individuals affected by arthritis, and collect personal data in order to provide those services, this includes our Helplines, online forum, information provision, local support sessions, and other activities aimed at helping people affected by AS. Our lawful ground for this processing is consent or our legitimate interest.
The NASS Helpline may collect sensitive personal data about your health when you speak, email or send an instant message to them. We will use this information to answer your questions and give guidance and support. We will also use it for training, quality monitoring or evaluating the services we provide. Your data is kept for a maximum of 6 months which allows us to monitor and evaluate the service.
The Online Members Forum asks you to provide your email address when you register and may contact you about administrative issues and changes to the forum. With your consent, we may also use your email address to send you information about our work (see Direct Marketing, below). Posts to the forum are anonymous but are likely to contain sensitive information. We advise users to be careful not to post information which would allow them to be identified. To make the Online Community and our information as helpful as possible, we will sometimes use what’s written to promote what we do to other people. We’ll always do this anonymously, removing any names or identifiable details from what we use unless we gain your express permission (See also Sharing Your Story, above).
How we keep your data safe and who has access
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. For example, our online forms are always encrypted, and our network is protected and routinely monitored.
If you use a debit or credit card to donate to us or buy something online or over the phone, we will ensure that this is done securely in line with the PCI DSS standards by us or our contracted suppliers. All credit and debit card details are securely destroyed once the payment or donation has been processed.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors.
We use external companies to collect or process personal data on our behalf. We do comprehensive checks on these companies before we work with them and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they have collected or have access to. Please see the section ‘Disclosures of your personal data’
We will only share your details in exceptional circumstances if we are under a duty to disclose your personal information in order to comply with any legal obligation (for example to government bodies and law enforcement agencies), where we have good reason to believe that a person’s vital interests are at stake (for example where a child reports abuse, or someone reports serious self-harm or a serious intention of harming someone else) or in order to enforce or apply our rights (including in relation to our websites or other applicable terms and conditions), or to protect NASS.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we must keep basic information about our members, donors and customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.
In some circumstances you can ask us to delete your data: see below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Where your information is no longer required, we will ensure that it is disposed of in a secure manner. For example, if you send us information in paper format, we may scan this and securely destroy the paper copy.
Disclosures of your personal data
We may have to share your personal data with the parties set out below for the purposes set out above:
- Service providers who provide IT and system administration services.
- Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances.
- Mailing houses and distribution of our magazine provider
We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.
We do not transfer your personal data outside the European Economic Area (EEA).
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data.
- Object to processing of your personal data.
- Request restriction of processing your personal data.
- Request transfer of your personal data.
- Right to withdraw consent.
You can see more about these rights at:
If you wish to exercise any of the rights set out above, please email us at email@example.com
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If there are any legitimate and factual discrepancies in the information we provide, please let us know and we will correct them.
If you are not happy about how data is processed, and wish to make a complaint, then please contact Justyna Potiopa (firstname.lastname@example.org 02087411515). If you are unhappy with how a complaint is handled, then you should contact the Information Commissioner’s Office (ICO). You may contact the ICO without first making a complaint to us. You can find more information about the ICO and your rights on their website.
You might find links to third party websites on our website. These websites should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.
Two types of cookies are used on this website:
- Session Cookies. These are temporary cookies, which only exist until you close the browser you are using to access the website.
- Persistent Cookies. These are cookies which remain in your cookie file after you have visited our website. These cookies help us identify you when you return to our site.
None of the cookies used on our websites collect personally identifiable information about you.
- Maintaining user preferences. If our website has a link to allow you to view the site with a larger font size or without images for improved accessibility, then a cookie will be set to allow that preference to remain between page visits and on your future return to the website.
- To allow certain functions and to help you navigate the website efficiently.
- Session management.
Cookies set by third party sites
The content of this website is updated regularly, and we may embed content from websites such as:
When you visit a page with content embedded from any of these services you may be presented with cookies from these websites. This website, the website owners and the website and software developers do not control the dissemination of these cookies. You should check the relevant third party website for more information about these.
Changes to this policy