Privacy notice

Sometimes we will ask for your consent directly, such as when we are processing a donation or when you sign up for a service or event. At other times your consent may be clear from the nature of your contact with us, for example if you email us with a question you are giving consent for us to reply. Where we process data without direct consent, for example where we have a legal obligation or a legitimate interest, we will respect your wishes where it is possible for us to do so.

We will be happy to answer any questions you have about how Versus Arthritis and its trading company store and use your personal information. Just get in touch by calling 0300 790 0400 or email us at supportercare@versusarthritis.org

We can also change your details or deal with requests for us to stop using data or sending marketing communications.

In this privacy notice, “we” means Versus Arthritis and Versus Arthritis Trading Limited (formally Arthritis Research UK Trading Limited). On 1 November 2017, Arthritis Research UK and Arthritis Care joined together to help more people with arthritis to live full and active lives, and Versus Arthritis was born on 19 September 2018. This means all data collected by or passed to Arthritis Research UK or Arthritis Care before and after these dates will be managed by Versus Arthritis as set out in this notice.

Versus Arthritis is a charity registered in England and Wales (number 207711) and in Scotland (SC041156), and a company incorporated in England and Wales (number 490500). Our registered address is Copeman House, St. Mary's Court, St Mary's Gate, Chesterfield, Derbyshire, S41 7TD.

Versus Arthritis Trading Limited is a company incorporated in England and Wales (number 891517). Its registered address is Copeman House, St. Mary's Court, St Mary's Gate, Chesterfield, Derbyshire, S41 7TD. It is a wholly owned subsidiary of Versus Arthritis, trading on behalf of Versus Arthritis, to raise funds for the charity’s work.

The Data Protection Officer for both Versus Arthritis and Versus Arthritis Trading is Chris Brown, Data Governance Manager. You can email with concerns about data protection at dpo@versusarthritis.org.

Changes to this privacy notice

We will regularly review this privacy notice. Any significant changes will be clearly described on our websites or we may contact you where we already hold your data and where the change affects you directly.

At Versus Arthritis we take your rights very seriously. You can ask us to delete copies of your personal data, stop particular activities, withdraw a consent you have given previously or challenge the results of any decisions or profiling. We will fulfil all requests, providing there are no legal and accounting requirements that stop us from doing so. If you are sure you don’t want to hear from us, either now or in the future, you can ask us to hold a record which will prevent us from contacting you. This may be more effective than completely removing your data. Please contact us at supportercare@versusarthritis.org or call 0300 790 0400 to discuss any concerns. Alternatively you can email our data protection officer at dpo@versusarthritis.org.

You have a right to ask for a copy of the information we hold about you. This can be provided in a machine-readable format for transfer elsewhere. To access your information, please send a description of the information you want to see and proof of your identity by post to Versus Arthritis, Copeman House, St Mary's Court, St Mary's Gate, Chesterfield, Derbyshire, S41 7TD. We cannot accept these requests by email as we want to guarantee that we only provide personal data to the right person.

If you discover that we are holding incorrect information about you, please let us know and we will correct this.

If you are not happy about how your data is managed, and wish to make a complaint, please contact us at supportercare@versusarthritis.org or call 0300 790 0400. If you are unhappy with how a complaint is handled, you are entitled to contact the Information Commissioner’s Office (ICO). You may also contact the ICO about a data protection issue without first making a complaint to us. You can find more information about the ICO and your rights on their website.

We use appropriate technical controls to protect your personal details. For example, our online forms are always encrypted and our network is protected and routinely monitored.

If you use a debit or credit card to make a donation or buy online or over the phone, we or our contracted suppliers will manage the transaction securely in line with the PCI DSS standards. All credit and debit card details are securely destroyed once the payment or donation has been processed.

Regular reviews ensure your personal information is only accessible by appropriately trained staff, volunteers and contractors.

We regularly perform administrative functions our systems and IT services and have a legitimate interest to do so. These include updating systems, moving data between systems, and data verification and management. We also run administrative data processing activities to ensure data is correct and accurate. We use specialist ICT service providers for this and some data may be stored in the cloud.

We sometimes use external companies to collect or process personal data on our behalf. We do comprehensive checks on these companies before we work with them and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they have collected or have access to.

Your personal information may be transferred to, and stored at, a destination outside the European Economic Area (EEA) and may be processed by staff operating outside the EEA who work for us or for our suppliers. We will ensure that your information is held in compliance with the European data protection regulations.

We will only share your details in exceptional circumstances. This could be if we are under a duty to disclose your personal information to comply with any legal obligation (for example to government bodies and law enforcement agencies), where we have good reason to believe that a person’s vital interests are at stake (for example where a child reports abuse or someone reports serious self-harm or intends to harm someone else) or to enforce or apply our rights or to protect the organisation.

We will only ever share your data in other circumstances if we have your informed consent.

We keep records for as long as legal requirements and tax and accounting rules demand. We retain contact details for both marketing and suppression purposes until a request is made to remove information. We may also keep internal records of any contact with you indefinitely. Where your information is no longer required, we will ensure it is disposed of in a secure manner.

Children's data

Any information collected from or about children will be managed in a way appropriate to the age of the child. This information is usually collected when children attend our events or fundraise for us, but it can also be sensitive personal data about children who are receiving support from our Young People and Families service.

Wherever possible and appropriate we will seek consent from a parent or guardian before collecting information about children and we will make sure advertising for events is age appropriate.

• When you give it to us DIRECTLY

You may give us your details when you fundraise for us or generously donate, receive support from our services including a helpline, volunteer with us, join one of our networks, enter our raffle or lottery, order an information booklet, tell us your story, make a donation, purchase our products or communicate with us. Sometimes your information is collected by an organisation working for us, for example a professional fundraising agency, but we take responsibility for your data at all times.

We will collect and process all the information you give us, as well as responses given to you by our staff or AVA, our arthritis virtual assistant.

We may also collect and retain your information if you send feedback about our services or make a complaint.

• When you use our websites

When you visit our websites, information about your visit is recorded and stored on your own computer, using cookies. Cookies are text files which identify your computer to our server. Cookies in themselves do not identify the individual user, just the computer used. You can find more information on how we use cookies below. Beyond this you will remain anonymous unless you log in.

When you log in and browse Versus Arthritis site, including our online shop, you will remain logged in for 20 minutes after you last access a page or until you log out. You can ask us to keep a record of your favourite content or for our online shop to keep information on recent transactions so we can deal with future queries.

• When you give it to us indirectly

Your information may be shared with us by independent event organisers, for example the London Marathon or fundraising sites like Just Giving or Virgin Money Giving. These independent third parties will only do so with your consent. Please check the privacy notice of these organisations when you provide your information to understand fully how they will process your data.

Your personal details may also be collected if they are included in other information that is sent to us. For example, if you are named as a third party in an email we receive or you are a co-beneficiary of a legacy request. In these cases, we will not add your details to our direct records but may keep copies of the information for up to 10 years. From time to time it may be necessary for us to apply to the probate registry to receive a copy of a supporter’s Will to evidence their generosity to our auditors and comply requirements placed upon us by the Charity Commission. To help preserve charitable resources, we may receive a copy Will, or share a copy Will with charitable co beneficiaries who have also been fondly remembered by the same supporter.

• When you give permission to other organisations to share your details

Information we get from other organisations may depend on your privacy settings or the responses you give, so please check them regularly. This information comes from the following sources:

Referral by a healthcare professional – many of our services for people with arthritis are accessed following a referral or recommendation by a healthcare professional. Consent to be referred will have been obtained by the healthcare professional. In these cases, your personal information will be used to identify suitable services, but your consent will be requested before enrolment.

Third party organisations – you may have provided permission for an organisation to share your data with third parties, including charities. For example, when you buy a product or service, register for an online competition or sign up with a comparison site.

• When you use social media

Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp, LinkedIn, Instagram or Twitter, you might give us permission to access information from those accounts or services, either directly or indirectly. Where you follow us via social media we will not automatically add you to our own records. However, if we receive a direct request from you (for example to make a donation, use one of our services or request a booklet) we will treat your details as having been received directly.

• Public information

We may also obtain and store information about you that is available publicly from third party sources, such as from Companies House or details published in the media.

If you support us, for example sign up to receive regular news and updates, make a donation, volunteer, register to fundraise, sign up for a workshop or an event, lobby or campaign for us or buy something from us, we keep a record of your support.

The law may require us to store information for up to seven years. Though we know some people will not want us to keep hold of their data indefinitely, keeping a record of past support does help us to maintain and build good relationships with people with an interest in our work.

If you choose to leave us a legacy in your Will we will keep a record of you and your pledge indefinitely. This will help us to manage your wishes when the time comes and ensure the process runs smoothly for your family.

Our standard data retention policy is to keep your personal information for 10 years, from your most recent active support. After this point we will normally remove any information that may identify you personally. However, if you ask us to hold your details to block marketing communications, either directly or via the Fundraising Preference Service, then we must keep a record indefinitely.

We apply a similar 10-year rule to personal data collected as part of our work. This may include information gathered through legitimate activities via contractors, suppliers or third parties.

If you do not want us to keep a record of your personal information, or want to discuss our data management, then please contact us at supportercare@versusarthritis.org or call 0300 790 0400.

Run our services

We run services to provide support to people living with arthritis and their families. We collect personal data to provide those services, which include our helpline, online community, information provision and local support sessions.

We will always obtain your consent before sharing information with your GP, orthopaedic surgeon, or other healthcare professional.

Helpline

Our helplines collect sensitive personal data about your health when you speak, email or send an instant message to them. We will use this information to answer your questions and give guidance and support. We will also use it for training, quality monitoring or evaluating the services we provide. Your data is kept for a maximum of six months.

Our virtual assistant

AVA, the arthritis virtual assistant is a chatbot, using a platform called Enterprise Bot Manager (EBM) to answer your questions.

EBM is owned and managed by Filament Consultancy Group. It’s hosted on the Versus Arthritis Microsoft Azure service. When you have a conversation with AVA , this conversation (data) is stored and processed in EBM. EBM connects to natural language understanding engines (Microsoft LUIS services and Azure Cognitive services), which allows the chatbots to ‘understand’ your questions in the words you use. It uses the information you share to answer your questions and to improve the answers it gives to others in the future.

Data stored in EBM is managed directly by Versus Arthritis and shared with Filament, Microsoft and Microsoft Azure under contract with appropriate data protection schedules. We share this data so that AVA can respond to questions in real time and so we can improve the chatbots. If needed, it also means we can service or fix any issues with them.

AVA doesn’t need your personal information and will only ask for your condition. Any data about health conditions is called special category data, and AVA asks for it so it can give you information that’s relevant to your condition. Without knowing about your condition, AVA can only provide very general information, and the conversation may not be as helpful.

AVA won’t treat your conversations as personal data, so you mustn’t give any information which may be used to identify you. Personal information includes your address, NHS number and bank details.

Any information you share with AVA, including any personal or sensitive information, will be transferred to and stored in EBM and any natural language understanding engines for up to 90 days. Versus Arthritis will keep your information for up to 24 months to help us to review the conversations and improve answers. The systems that we use to process and transfer data are tested regularly, so the risk of any security issues is low.

If you choose to arrange a call with our helpline through AVA, you’ll be asked for your name and phone number so our helpline can call you. You’ll be asked for your email address to confirm the time and date of the call. Your name, phone number and email address will be passed through Microsoft Bookings, which arranges timeslots, and held according to their data policies, which are compliant with data protection law. A secure link to your conversation will also be passed to the helpline to help them with your enquiry. This link will expire after 30 days.

You can read AVA privacy information in our terms and conditions.

Volunteer-delivered services

Versus Arthritis provides a range of services for people with arthritis and their families, many of which are run by volunteers, including:

• Joint Understanding Peer Support Pilot
• Living Well with Arthritis
• Young People and Families Service
• Staying Connected
• Working Well with Arthritis

When you agree to attend an event or workshop or sign up to take part in one of our services we take this as consent for us to manage and retain the personal information we need to deliver the service or event. For example, we might need to keep and use your personal data to:

• Keep you informed about the events or services you have signed up to and other similar events and services you might be interested in.
• Review and evaluate the service to make sure it is relevant and effective
• Share with our volunteers or with venues we use for our events to ensure everyone can access them and the event happens safely.
• Maintain waiting lists for over-subscribed services.

We may collect data from people throughout the time they are using our services to help us evaluate if the service is effective and meeting the needs of people with arthritis.

If you use our services, we may contact you for feedback, including asking you to take part in our annual survey. We also monitor our services to ensure they offer equal opportunities. We will always ask your consent to use special category data, for example information about your health, racial or ethnic origin, political opinions, Trade union membership, religious or philosophical beliefs, sex life or sexual orientation, genetic or biometric data.

If you give us consent, we may share data with an external evaluation company. We may also share information with co-funders of services where required.

Branches

If you join one of our branches we will keep a record of this. Branches keep their own records and if consent is given will keep members updated about local events and opportunities.

We may need to contact you by post, email, telephone or text message about a service you have signed up for or a donation or order you have made. We will never do so without good reason. We may also contact you occasionally with critical legal and technical information and updates to this privacy notice. Wherever possible, we will respect your preferences about how you want us to contact you.

We use specialist suppliers to process and manage communications.

Direct Marketing

We want to keep our supporters updated about what we are doing to improve the lives of people with arthritis and explain how you can help. However, we understand not everyone wants to receive these updates. We only send marketing materials to supporters who want to hear from us, in the ways they want to hear from us. Our forms have clear questions about preferences and all our messages include information on how to opt out.

We will never send a marketing email or text message or make a phone call without your direct consent. If you have given us your postal address, we may send you direct mail unless you have told us that you don’t want to hear from us in this way.

We may send you information about a range of topics including, but not limited to, the latest news about our services, the research we fund, events you can get involved in, joining one of our branches, volunteering, leaving a legacy, entering a raffle or making a donation and how you can campaign for us. We always try to make our messages relevant to you, by reviewing how you have supported us in the past.

If you don’t want to hear from us or only want to be kept informed about particular topics, that’s fine. Just let us know when you provide your details, click the 'unsubscribe' link in any email we send or contact us at supportercare@versusarthritis.org or call 0300 790 0400. If you opt out, we will keep your details on a suppression list to ensure we don’t contact you in future, unless you tell us otherwise.

We may contact professionals, for example people working in the healthcare industry, at corporate or business addresses directly by any channel, without opt-in consent. However, we will always offer an opportunity to opt out of receiving marketing materials.

If we already have your permission to contact you, you will need to ask us to stop sending information rather than simply deciding not to opt in when asked.

We will never sell or share your personal details to other organisations for their own use. But we may need to share data to use analytical tools and mailing services provided by suppliers.

Direct marketing is vital to spreading our message and is in our legitimate interest. For sending marketing by email, SMS and telephone we will obtain your consent first, unless we are clear we are contacting you only in a professional capacity. For postal marketing we may choose to obtain your consent in place of legitimate interest where we believe it to be fairer. We will also seek your consent before contacting you via social media. For service and technical communications, we rely on legitimate interest, but will aim to respect your preferences as to whether we contact you by email, phone or post.

You can opt out of all future marketing communications or data processing by making a direct request or registering your preferences through the Fundraising or the Telephone Preference Service. We will then keep your details on a suppression list to ensure we don’t contact you in future, unless you tell us otherwise.

Public figures and Arthritis Champions

We may collect and keep details about people who publicly express support for our work or an interest in arthritis-related issues. We will also store details of public figures, such as politicians, who are interested in our work.

We use this information to contact people to raise awareness of arthritis and our work, ask for involvement in our campaigns and seek changes to public policy.

Processing donations

When you make a donation or give us permission to claim gift aid, we must collect certain information about you to satisfy our legal obligations under audit and accounting rules.

If you use a debit or credit card to donate to us in person or over the phone, we will ensure this transaction is made securely in line with the PCI DSS standards by us or our contracted suppliers. All credit and debit card details are securely destroyed once the payment or donation has been processed.

Volunteering and participating in events

To meet required standards, we need to keep detailed records about people who volunteer for us or who participate in events. We ask for your consent during the sign-up process to help us to manage our relationship with you, for example supporting you with sponsorship or managing the process if you need to drop-out for any reason.

If we run an event in partnership with another organisation we may share your details with that organisation. This will be made clear when you register. You have the right to withdraw your consent for this if you no longer wish to volunteer or participate in the event.

Branches

If you join one of our branches we will keep a record of this. Branches keep their own records of both members and supporters and, if consent is given, will keep them updated about local events and opportunities. If you sign up for training, workshops or other events you give your consent for your data to be used during the administrative process.

Building profiles of supporters

We use categorisation, profiling and screening techniques to ensure our communications to supporters are tailored, relevant and timely. This approach allows us to target our resources effectively, something which we know is important to our donors. By understanding what engages our existing supporter base we can better target advertising to recruit new supporters.

We may group supporters into categories, to better understand and identify common features. Some categories may be chosen by the supporter, for example when you become a branch member you give consent for this information to be recorded. We may create other groups of supporters based on their history or the nature of the relationship they have with us.

When building a supporter profile, we may analyse geographic, demographic and other information relating to you to better understand your interests and preferences. This allows us to contact you with the most relevant communications. We may add information from third party sources or publicly-available data to your record, for example addresses, job titles, listed directorships or typical earnings in a given area. We may also pass your information to suppliers who perform profiling and analysis on our behalf.

We believe we have a legitimate interest to do this as building a detailed profile means we can improve the way we communicate with our supporters and will help us to raise more vital funds to help people with arthritis to live full and active lives. However, we know your privacy matters, so we only undertake profiling and screening where we are confident it would not cause you harm and we regularly review these activities to ensure we always follow best practice. To discuss our profiling and screening activity in more detail, or to ask to be exempt from these activities, please contact us at supportercare@versusarthritis.org or call 0300 790 0400.

When you share personal information about yourself, for example telling us that you have arthritis, you give us consent for profile-building.

Legacy administration

We receive copies of every Will in which we are left a gift. This often contains the personal data of other beneficiaries. We keep copies of the will in our files in accordance with our retention policy but will not use personal data beyond what is necessary to administer the legacy.

Use our website

We use information we collect about your internet browsing to identify your approximate location, to block disruptive or unauthorised use, to record or limit traffic and to improve our site to ensure content is accessible to you. If you enter your details onto an online form, but do not send or ‘submit the form, we may contact you to see if we can help with any problems you may be experiencing with the form.

We also use cookies, as set out in our cookies policy and use third party services to manage and administer our website functionality.

Online community

The Online Community on the Versus Arthritis website asks you to provide your email address when you register and may contact you about administrative issues and changes to the forum. With your consent, we may also use your email address to send you information about our work (see Direct Marketing). Posts to the forum use your chosen username which may let users stay anonymous, but posts often contain sensitive information. We advise users to be careful not to post information which would allow them to be identified. To make the Online Community and our information as helpful as possible, we sometimes use what's written to promote what we do to other people. We'll always do this anonymously, removing any names or identifiable details unless we gain your consent (see Sharing Your Story).

Online shop

When you order via our online shop we must collect certain information about you to process your order and to satisfy our legal obligations under audit and accounting rules.

If you use a debit or credit card the transaction will be processed securely in line with PCI DSS standards by us or our contracted suppliers. All credit and debit card details are securely destroyed once the payment or donation has been processed.

Share your story

Many people choose to tell us about their experiences with arthritis to help us to raise awareness of the impact of arthritis. This may include sharing sensitive information related to their health and family life, as well as biographical and contact information.

We use some of the information provided, including gender, ethnicity or the type of arthritis people have, to publicise our services, raise the profile of arthritis in the media, fundraise or recruit volunteers and campaigners.

If we have the explicit and informed consent of the individuals, or their parent or guardian if they are under 18, this information may be made public by us at events, in materials promoting our campaigning and fundraising work or in documents such as our annual report.

We will only use photographs with the consent of the person. We may use photographs to promote our services and activities or to encourage people to support us.

If you ask for information in your capacity as a healthcare professional or join one of our professional networks, we will mainly use your data to:

• manage participation in our professional networks
• provide you with the information, services or products you asked for
• administer your organisation’s donation or support fundraising and participation in our activities
• keep a record of your organisation’s relationship with us and your role in this
• send you relevant marketing materials (see Direct marketing)
• understand how we can improve our services, products or information
• manage your feedback.

As well as your contact details, we will also store details about your role and who you work for. We may also ask for information about your experiences linked to arthritis.

Where one of our service customers provides us with your details as their personal GP or other clinician we have a legitimate interest to store your name on their file and to contact you with their consent.

We store contact details and financial details of researchers and suppliers to manage and process grant applications, grants, contracts and payments. This includes details of staff and co-researchers/sponsors provided by Principal Investigators. Where partial information is provided we will complete the details using publicly-available information.

We keep a directory of researchers and suppliers so we can issue future offers. We may also contact people not in our directory where publicly-available information indicates a grant may be of interest. Grant processing and management in this way is a legitimate interest for Versus Arthritis.

If you join one of our networks, panels or committees for researchers and reviewers we will use your personal details for administration and to communicate with you.

If you ask for information in a professional capacity, for example as an employee of a company that supports us or supplies services or a Trustee in a registered Trust we will mainly use your data to:

• provide you with the information, services or products you asked for
• administer your organisation’s donation or support fundraising and participation in our activities
• keep a record of your organisation’s relationship with us and your role in this
• send you relevant marketing materials (see Direct marketing)
• understand how we can improve our services, products or information
• manage your feedback.

We store contact details and financial details of suppliers to manage and process contracts and payments. We retain a directory of suppliers that we may want to work with in the future.

As well as your contact details and any financial information we require to process transactions, we will also store details about your role and who you work for. We may also ask for information about your experiences linked to arthritis.

Applying to work for us

If you are employed by Versus Arthritis, we will process your data in accordance with your employment contract and to fulfil our legal obligations, records will be retained in accordance with legislation.

If you apply to work at Versus Arthritis, we will process your data for the purpose of the recruitment process and if unsuccessful in your application, we will hold your personal data for 12 months after the closing date to manage any queries or issues that may arise.

Should you wish to request that we do not retain your data, please contact dpo@versusarthritis.org

Providing services to us

We store contact details and financial details of suppliers to manage and process contracts and payments. We retain a directory of suppliers that we may want to work with in the future.

We also store named contacts at a particular supplier for management, audit and communication purposes.

Using social media is a great way for us to update you on our work, and let you know the difference your support is making.

If you use Facebook or Instagram and have opted in to receiving communications from us, we will use these platforms as part of our relationship with you. We will upload your contact details in encrypted format to enable these platforms to determine whether you are a registered account holder with them. Your data is not retained by the social media provider and is deleted if it does not match with an existing account. This allows us to show you communications which we think will be of interest to you.

We may also use your data to identify audiences with similar interests, behaviours and demographics to existing Versus Arthritis supporters. This will allow us to promote Versus Arthritis content to people who we think may be interested in finding out more about the work we do. We believe this is the most efficient way for us to reach more people, meaning we use our funds more effectively.

If you do not wish us to use your data in this way, you can either contact Versus Arthritis direct or you can do this via Facebook.