National Organization for Rare Disorders Privacy Policy
Last Updated: September 30, 2025
Introduction
The National Organization for Rare Disorders (“NORD”), along with our affiliates and subsidiaries, is deeply committed to helping those who battle and care for rare disease feel seen, heard, supported, and connected. Central to that is protecting the privacy of those we serve.
This Privacy Policy (the “Policy”) describes what information NORD (“we,” “us,” or “our”) collects about you, as well as how we use and share personal data, including through our website at https://iamrare.org/ (both mobile and online versions), the IAMRARE platform, other websites and platforms owned and/or operated by NORD, and any other technologies and content NORD offers, including the IAMRARE App (collectively, the “Platform”). Throughout this Policy, we refer to those who interact with the Platform as “Users.”
This Policy does not apply to third-party websites, applications, products, services, or other properties, even if they may link to the Platform or the Platform links to them.
This Policy also does not apply to information that NORD collects from individuals in a business-to-business or employment context (including employees, contractors, and agents), or data that is already subject to certain federal and state regulations, such as “protected health information” that is subject to the Health Insurance Portability and Accountability Act (“HIPAA”). Although NORD is not a “covered entity” under HIPAA, in some cases we may be a “business associate” to covered entities, and as such we may have certain federal, state, and contractual restrictions on how it can use protected health information. With respect to any protected health information that we receive from covered entities, we will comply with our obligations under HIPAA as a business associate.
We may update this Policy from time to time. Any updated Policy will be effective when posted; please check our website periodically for updates.
If you have any questions or concerns after reading this Policy, please do not hesitate to contact us using the contact information at the end of this Policy.
Overview
Here are a few things we want you to know:
Definitions. So we are clear about the terms we are using, when we use the term “Personal Information” in this Policy, we mean information about you that personally identifies you, such as your contact information (e.g., name, address, email address, or telephone number, health conditions or diagnosis, health treatment data, health observational data, any communications that you choose to have with NORD, and any other nonpublic information that is associated with such information). And when we use the term “Cookies,” which is defined further below, we mean the small pieces of information that a website sends to your browser while you are viewing that website.
We collect only the Personal Information we need in order to provide you with, or allow you to access, the Platform. We do not collect more information than we need.
We do not use your Personal Information for purposes unrelated to the reasons for which it was collected or unrelated to your reasonable expectations. We know it is important to you that you be aware of all the reasons that your information is handled by NORD. Our stewardship of the information you entrust to us is of the utmost importance. We hold that stewardship of your Personal Information to the same standard we would expect for ourselves and our families.
We do our best to minimize the amount of data we store. We understand the importance of keeping to a minimum the personal and sensitive data that we may maintain.
We do not sell your Personal Information. We will not sell your identifiable Personal Information to third parties.
We offer you ways to control your Personal Information and express your preferences. We provide you with a variety of ways to exercise control over your Personal Information, including making certain data collection optional, providing you with direct control over updating and editing your User profile, and providing you with unsubscribe options.
What Personal Information Do We Collect?
Through the services we provide, including via the Platform, we may collect Personal Information from you in various ways, including at the time of registration. NORD also collects information that is about you but does not identify you, such as the frequency of User visits to the Platform and demographic and geographic data.
You have choices about the information we collect. When you are asked to provide Personal Information, you may decline. However, if you choose not to provide information that is necessary, you may not be able to use some of our features on the Platform.
We collect information in the following ways:
Information Users Provide Directly. We collect information Users directly provide us as part of registering for use of various aspects of the Platform. The Platform is intended to collect patient-reported health data, both when a User begins to use the Platform and also over time.
Patient-reported health data is collected to accelerate research and ultimately find treatments and cures to rare disorders. Patients’ submission, use, and sharing of information (including Personal Information), along with patient’s rights related to their data, are governed by a separate, detailed informed consent document (the “Consent”). In the event of any conflict between the Consent and this Policy as to patient Personal Information, the Consent controls.
For non-patient Users, the Platform will collect information necessary to verify the User’s identity and permission to utilize the Platform, including contact information such as name, email address, username, and password.
We also collect information you provide by filling in forms on the Platform, including information provided at the time you create an account, register on our Platform, and publicly post on the Platform.
Information Related to Contact Inquiries. If you make an inquiry through the “Contact Us” feature of the Platform, we collect your first and last name, email address, and information provided directly in the body of your inquiry.
Cookies and Site Analytics.
Cookies. We use cookies, web beacons, and similar tracking technologies (collectively, “Cookies”) on the Platform. Cookies are small amounts of data that are stored on your browser, device, or the page you are viewing. Some Cookies are deleted once you close your browser, while other Cookies are retained even after you close your browser so that you can be recognized when you return to the Platform. Cookies may be placed by us (first-party Cookies) or by third-party partners and service providers (third-party Cookies).
These technologies are useful because they help us and the Platform:
Remember your information so you will not have to re-enter it;
Personalize the Platform and the services we offer to your preferences;
Track and understand how you use and interact with the Platform;
Generally improve your user experience;
Manage and measure the usability of the Platform;
Understand the effectiveness of our communications; and
Improve our Platform.
We use the following types of Cookies on our Platform:
Strictly Necessary or Essential Cookies: these Cookies are required for the operation of the Platform and enable you to navigate around the Platform and use its features;
Analytical/Performance Cookies: these Cookies are useful to assess the performance of the Platform, including as part of our analytic practices or otherwise to improve the content, products, or services offered through the Platform;
Functional Cookies: these Cookies improve the functional performance of the Platform and make them easier for you to use. For example, these Cookies are used to remember the choices you’ve made, information you have previously entered on the Platform, and to personalize your experience when you use the Platform.
Your Choices Regarding Cookies
Depending on your jurisdictions of residence, you may be asked to consent to our use of certain cookies before they are placed on your browser. You can modify your browser settings to decline or accept certain Cookies. However, if you decline Cookies, including via the banner on the NORD website, some or all of the Platform’s features may not function as they should and may affect your use of and experience on the Platform.
Analytics Information
We may use Google Analytics or other service providers for analytics services. These analytics services may use Cookies to help us analyze how users use the Platform. Information generated by these services (e.g., your IP address and other usage information) may be transmitted to and stored by Google Analytics and other service providers on servers in the U.S. or elsewhere, and these service providers may use this information for purposes such as evaluating your use of our Site, compiling statistical reports on our Site’s activity, and providing other services relating to our Site activity and other Internet usage. You may exercise choices regarding the use of Cookies from Google Analytics by going to https://tools.google.com/dlpage/gaoptout or downloading the Google Analytics Opt-out Browser Add-on.
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. We are committed to providing you with meaningful choices about the information collected on the Platform for third-party purposes. We honor “Do Not Track” signals and do not track, use Cookies, or use advertising when a “do not track” mechanism is in place. However, as noted above, the Platform may not function properly if the use of cookies or certain tracking technologies is disabled. Please note that DNT is a different mechanism than the “global privacy control,” which signals that individuals want to exercise certain rights with respect to their data. We honor global privacy control signals as required by applicable law.
How Does NORD Use Personal Information?
We may use your Personal Information for the following purposes:
Collaboration with Sponsors. NORD collaborates with Sponsors of the Registry Study(s) (“Sponsors”) in which you are participating to conduct IRB-approved research using your Personal Information, in accordance with your informed Consent. The Sponsors have access to Personal Information you submit via the Platform, and they and we use your Personal Information to establish registries for rare disorders; conduct observational natural history studies; and reduce the stigma around rare disorders. In all cases, we and the Sponsors will comply with applicable state and federal laws that govern your Personal Information, including protected health information governed by HIPAA.
Service Delivery. We may use your Personal Information to operate and improve the Platform and its other related products, to deliver the Platform, and to improve the Platform. These uses include making the Platform easier to use; automatically updating the Platform; diagnosing or fixing problems with the Platform; and potentially displaying content and advertising customized to your interests and preferences.
Communication. We use your Personal Information to communicate with you. We may send certain mandatory service communications, such as welcome letters, information on technical service issues, and security or other administrative announcements. NORD may notify Users of updates, new clinical and research studies, and other valuable information about the Platform; if you would prefer not to receive such communications, you can edit profile settings. By registering for the Platform, Users consent to being contacted by the Company using the contact information we have on file, such as e-mail, or by means of a notice on the Platform.
As Permitted by Law. NORD will use Personal Information when it has a lawful basis to do so, such as:
At your direction and with your consent;
To fulfill contracts we might have with you;
For other legitimate business purposes, such as auditing our internal processes for compliance with legal and contractual requirements or our internal policies;
To enforce the Terms and Conditions that govern the Platform and/or
To comply with a legal obligation.
How We Will NOT Use Your Personal Information
NORD will not use or share your Personal Information except as provided for by this Policy.
We do not use Users’ Personal Information for building User profiles for commercial purposes not related to the provision of the Platform.
We will not sell your identifiable Personal Information to third parties.
We only collect and use the information we need in order to provide you with use of the Platform.
With Whom Does NORD Share Information?
We may share information as provided by this Policy and as described below.
Sponsors, Including Patient Advocacy Groups and Research Organizations. Specific rare disease registries are sponsored by disease-specific patient advocacy groups, and data collected in a registry is – consistent with permission obtained from patients – retained in order to facilitate future research. For a patient, information-sharing activities related to research are governed by the study’s Consent, as well as applicable federal and state privacy laws. As mentioned earlier, in the event of any conflict between this Policy and the Consent, the Consent controls.
Affiliates. We may share Personal Information collected by the Platform with businesses that are legally part of the same group as NORD, or that become part of that group (“Affiliates”).
Third-Party Service Providers. We may occasionally hire service providers to provide limited services on our behalf, such as providing customer support, hosting websites, processing transactions, or performing statistical analysis of our services. Those companies will be permitted by contract only to obtain the Personal Information they need to deliver the service. They will be contractually required to maintain the confidentiality of the information and will be prohibited from using it for any other purpose.
Disclosures Pursuant to Law. We may disclose your Personal Information or any information submitted via the Platform if we have a good faith belief that disclosure of such information is helpful or reasonably necessary to: (i) comply with any applicable law, regulation, legal process or governmental request; (ii) enforce any applicable terms of service, including investigations of potential violations thereof; (iii) detect, prevent, or otherwise address fraud or security issues; or (iv) protect against harm to the rights, property or safety of NORD, our Users, yourself, or the public. We may be required to disclose your Personal Information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
De-Identified Information. We may use anonymized, or de-identified information (as defined above) or disclose it to third-party service providers to provide and improve the Platform. We may also disclose anonymized information to third parties for a fee. The details, if relevant, will be outlined in your informed Consent.
For How Long is Personal Information Retained?
It is NORD’s policy to retain Personal Information regarding Users only for the time-period necessary to deliver services requested by the User or to complete transactions initiated by the User, unless a longer retention period is required or permitted by law.
Your Rights and Choices Regarding Personal Information
Depending on your residence, the rights available to you may differ in some respects. We will respond to any rights request in accordance with local legal requirements. If you wish to make a request regarding any of the below rights, please contact us at privacy@rarediseases.org.
Right of access. You may have the right to get confirmation about whether or not your Personal Information is being collected, or processed. If so, you have the right to access the Personal Information and other information, such as the purposes for which it is being used, the categories of Personal Information collected, the recipients (or categories of recipients) to whom the Personal Information has been or will be disclosed – such as our list of service providers who may receive your Personal Information, the predicted period that the Personal Information will be stored, or the criteria used to determine that period.
Where feasible and permitted by law, we will provide you with a copy of the Personal Information we are processing. For any additional copies, we may charge a reasonable fee based on administrative costs. If you make the request by electronic means, and unless otherwise requested, the information shall be provided in electronic form.
Right to rectification. You may have the right to rectify or complete your Personal Information if inaccurate or incomplete.
Right to erasure, or the right to be forgotten. You may have the right to the erasure of your Personal Information in certain circumstances. For example, when:
Your Personal Information is no longer necessary for the purposes for which it was processed;
You withdraw your consent on which the processing is based and make an explicit request for data deletion, and we have no other legal ground for the processing;
You object to the processing and there are no overriding legitimate grounds for the processing;
Your Personal Information has been unlawfully processed; or
Your Personal Information has to be erased for compliance with a legal obligation to which we are subject.
This right shall not apply to the extent that processing is necessary for the below purposes:
For exercising the right of freedom of expression and information;
For compliance with a legal obligation that requires processing by a law to which we are subject;
For the performance of a task carried out in the public interest; or
For the establishment, exercise, or defense of our legal claims.
Right to restriction of processing. You may have the right to restrict the processing of your Personal Information for the following reasons:
You contest the accuracy of your Personal Information, for a period enabling us to verify the accuracy of the Personal Information;
The processing is unlawful and you oppose the erasure of the Personal Information and request the restriction of its use;
We no longer need the Personal Information for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims; or
You exercised your right to object to processing pending the verification of whether our legitimate grounds override yours.
Right to data portability. You may have the right to receive the Personal Information that you have given us in a structured, commonly used, and machine-readable format. You have the right to send that Personal Information to another data controller, if the processing is based on consent pursuant to a contract and is carried out by automated means.
Right to object. You may have the right to object, on grounds relating to your particular situation, to processing of your Personal Information that is based on our legitimate purposes. We will stop processing the Personal Information unless we have compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
Automated individual decision-making, including profiling. You may have the right not to be subject to a decision based solely on automated processing, including profiling, except under certain exceptions under local law.
Right to withdraw consent. Where the processing of Personal Information is based on your consent, you may have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.
Right to anonymity. You may also have a right to request anonymity. This means that your Personal Information would not be collected or processed. If you choose to exercise this right, we may not be able to provide you with access to and use of the Platform.
Right to lodge a complaint with a supervisory authority. We are committed to working with you if you have a complaint or concern about privacy. If you need help lodging a complaint, you can contact us through the contact methods provided at the end of this Policy. Users who reside in the European Union, Switzerland, and the United Kingdom have the right to lodge a complaint with a national Data Protection Authority. You can find the contact details for all EEA supervisory authorities at https://edpb.europa.eu/about-edpb/board/members_en; for the UK at https://ico.org.uk/global/contact-us/; and in Switzerland at https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html.
Consumer Health Data.
For detailed information regarding the rights of certain states’ residents to Consumer Health Information, please see our Consumer Health Data Privacy Notice. This Policy incorporates the Consumer Health Data Privacy Notice by reference.
Security, Confidentiality and Integrity of Personal Information
The privacy and security of your Personal Information are important to us. NORD follows generally accepted industry standards, including the use of appropriate administrative, physical and technical safeguards, to protect Personal Information, in addition to complying with all applicable laws and regulations regarding data privacy and security.
However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while the Company strives to use commercially reasonable means to protect Personal Information, the Company cannot guarantee its absolute security or confidentiality. Consequently, we cannot ensure or warrant the security of any information you transmit to us, and you understand that any information that you transfer to us is done at your own risk.
If we learn of a security systems breach, we may attempt to notify you electronically so that you can take appropriate protective steps. By using the Platform or providing Personal Information to us, you agree that we can communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Platform. We may post a notice via our Platform if a security breach occurs. We may also send an email to you at the email address you have provided to us in these circumstances. Depending on where you live, you may have a legal right to receive notice of a security breach in writing.
Please be aware that certain Personal Information and other information provided by you in connection with your use of the Platform may be stored on the device via which you submitted it (even if that information is not collected by NORD). You are solely responsible for maintaining the security of your device and for preventing unauthorized access.
International Users
We may limit the Platform’s availability, in whole or in part, to any person, geographic area or jurisdiction we choose, at any time and in our sole discretion.
If you are visiting the Platform from a location outside of the United States or Canada, your connection may be through and to servers located in the United States or Canada. This means that, if you choose to use the Platform and/or to communicate with us through the Platform, information about you – including Personal Information – will be transmitted to the United States or Canada. You acknowledge you understand that by providing your Personal Information to the Company, your Personal Information (i) will be used for the uses identified above in accordance with this Policy, and (ii) may be transferred to the United States or Canada as indicated above, in accordance with applicable law.
For example, where Personal Information is transferred from the European Economic Area to areas that have not been determined to have an adequate level of protection, we take measures designed to transfer the information in accordance with lawful requirements, such as standard contractual clauses.
Other Websites
NORD may include links on the Platform to other websites. Other websites are not governed by this Policy. Additionally, NORD is not responsible for the practices employed by websites linked to/from the Platform, nor the information contained therein. Often links to other websites are provided solely as a way for the User to obtain information that may be useful to them. To better protect your privacy, the Company recommends that you review the privacy policy of any third-party website you visit.
Children’s Privacy
The Platform is neither directed to nor designed to attract Users who are not legal adults. If you are under legal age, you are not permitted to use the Platform. NORD does not knowingly collect Personal Information from Users who are under legal age. We may collect Personal Information about Users who are under legal age if entered by a parent or legal guardian or by the individual under legal age with their parent or legal guardian’s awareness and permission. If you are a parent with concerns about children’s privacy issues in conjunction with the use of the Platform, please contact us at privacy@rarediseases.org.
Public Posting Areas: Forums, Podcasts, and Other Public Posting Areas
Please note that any information you include in a message you post to any public area is available to anyone with internet access. If you don’t want people to know your e-mail address, for example, do not include it in any message you post publicly. PLEASE BE EXTREMELY CAREFUL WHEN DISCLOSING ANY INFORMATION IN PUBLIC POSTING AREAS. NORD IS NOT RESPONSIBLE FOR THE USE BY OTHERS OF THE INFORMATION THAT YOU DISCLOSE IN PUBLIC POSTING AREAS.
Consent and Modification
By using the Platform, you consent to the terms of the Policy and to our processing of Personal Information in the manner and for the purposes set forth in the Policy. If you do not agree with the Policy, please do not use the Platform.
NORD reserves the right, at its sole discretion, to change the Policy at any time, which change will be effective 10 days following posting of the revision to the Policy on the Platform. Your continued use of the Platform 10 days following such posting means you accept those changes.
If we make any change in how we use your Personal Information, the Company will notify you by revising the “Effective Date” at the top of this Policy. If we make material changes to our Policy, we will notify you by using the contact information we have on file, such as e-mail or by means of a notice on the Platform prior to the change becoming effective.
Business Transitions
In the event of a direct or indirect reorganization process including, but not limited to, mergers, acquisitions, divestitures, bankruptcies, and sales of all or a part of NORD’s assets, NORD reserves the right to transfer or assign Personal Information in connection therewith. If transferred in such a case, the purchaser will abide by the terms and conditions of this Policy.
Contact Information
Please contact privacy@rarediseases.org if you have any questions about this Policy, or if anything in here does not make sense or seem right to you. We are always open to feedback around our privacy policies and practices. Because email communications are not always secure, please do not include any sensitive information in your email to us.