top of page

Privacy Policy


The Hypermobility Syndromes Association (HMSA) is committed to protecting the privacy and personal information of those that visit our websites, use our services, complete our surveys, fundraise for us, purchase from our shop, work or volunteer for us or otherwise interact with us. This privacy notice details your personal data and privacy rights and how the law protects you.

If you choose to provide us with personally identifiable information (any information by which you can be identified) or health status, you can be assured that it will only be used to support your contact/relationship with the HMSA.

This privacy policy was last updated on the 16 October 2021.

If you have any queries related to this policy please contact us a info@hypermobility.orgor you can call our helpline on +44 (0)33 3011 6388 or write to us at our registered address HMSA, 49 Greek Street, Soho, London W1D 4EG.

What personal data we might collectuse and store about you?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). The type of data we collect, use, store or transfer will be dependent on your connection to the HMSA (whether you are an employee, volunteer, service user, member, professional advisor, contractor etc.).

The different kinds of personal data about you, we may collect or process are grouped together as follows: 

  • Identity Data includes first name, last name, title, date of birth, gender, national insurance number, photos or video imagery, passport information, CV information 

  • Contact Data includes, billing address, delivery address, email address, telephone numbers and website URL next of kin/emergency contact information. 

  • Financial Data includes bank account, payment card details and payroll/wage data and tax information 

  • Transaction Data includes details about payments from you and other details of donations or fundraising you have provided to us. 

  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. 

  • Profile Data includes your interests, preferences, feedback and survey responses. 

  • Usage Data includes information about how you use our services and deal with us and your opinion of these services. 


We may also collect, store or use the following “special category” of more sensitive personal information: 

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.  

  • Information about your health, including any medical condition, health and sickness records.  

  • Information about criminal convictions and offences  

We may collect special category data about your health with respect to hypermobility syndromes, comorbidities or disabilities when organising conferences or other events, to ensure any special requirements are met.  We may also collect special category data about your health with respect to hypermobility syndromes and associated comorbidities when conducting surveys.  We collect this data from you with your explicit consent and process it on the basis of us having a legitimate business interest to process the data to run such events properly; and on the basis that the surveys are necessary for reasons of public interest in the area of public health.  This type of special category data is never disclosed or transferred to any other third parties without your explicit consent, and where possible it is deleted or anonymised as soon as possible. 

How do we collect your personal data?  

We collect your personal data by a variety of means either directly from you, via our website or social media platforms, surveys/forms, via post/phone/email or when you make donations, subscribe to our publications, provide feedback or via use of our services. At recruitment stage we collect data either directly from you, or via an employment agency (including online recruiters), or a background check provider. We may also collect data via automated technologies and interactions when you interact on our website (we may collect data about your equipment/browsers, browsing actions and patterns). We collect this personal data by using cookies, and other similar technologies.  


We may collect additional information from third parties including social media providers such as Facebook who are based outside the EU former employers and credit reference agencies or from public places such as Companies house and information that has been published in articles/ newspapers. 

How will we use your personal data?  

For the most part we will use your personal data for one of the following lawful bases:  

  1. a) Where we need to perform the contract, we have entered with you.  

  1. b) Where we need to comply with a legal obligation.  

c) Where it is necessary for our legitimate interests, or those of a third party, and your interests and fundamental rights do not override those interests.  


There are other rare occasions where we may use your personal data, which are:  

a) Where we need to protect your interests, or someone else’s interests.  

b) Where it is needed in the public interest, or for official purposes.  

How we store your personal data 

  • We take appropriate measures to ensure that your personal data is kept secure, including preventing it from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal data to those who have a legitimate business need to view it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality. 

  • We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. 

  • Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through any online means. 

When we might use your personal data?  

  • Process data relating to your employment or volunteering with the HMSA such as your name, address, phone number, next of kin, national insurance number, tax information, bank account details, date of birth, passport information and any criminal record information.  The source of the service data is you, any recruitment websites/consultants used as well as employer references and criminal check agencies/services. The legal basis for this processing is consent, contract, legal obligation and legitimate interest.  

  • Process usage data relating to your use of our website, social media pages and services. The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is our analytics tracking system. This usage data may be processed for the purposes of analysing the use of the website and services. The legal basis for this processing is our legitimate interests, namely monitoring and improving our website and services. 

  • Our helpline team collective sensitive personal data about you when you speak, email or send instant messages. The HMSA will only share this data in exceptional circumstances, where legally required, such as where another person is at risk, or someone reports self-harm or a serious intention of harming themselves or someone else; 

  • Keep a record of our relationship with you. Process your account data such as your name and email address. The source of the account data is you. The account data may be processed for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.  

  • We may process your information included in your personal member profile on our website or social media pages. The profile data may include your name, address, telephone number, email address, profile pictures, gender, date of birth, social media ids, membership status, and your relationship to hypermobility syndromes. The profile data may be processed for the purposes of enabling and monitoring your use of our website and services. The legal basis for this processing is consent. 

  • Process your personal data that are provided in the course of the use of our services. The service data may include your name, address, telephone number, email address, and other information sent to us for example as part of an enquiry to our helpline. The source of the service data is you. The service data may be processed for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you. The legal basis for this processing is consent. 

  • Process information related to transactions, including administering your membership, donation or support your fundraising including processing gift aid and purchases of goods or services. This transaction data may include your contact details, your card details and the transaction details. The transaction data may be processed for the purpose of supplying the purchased goods and services and keeping proper records of those transactions. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely our interest in the proper administration of our website and business. 

  • Sharing your story or other information we use in publication or promotion of our work with your permission unless it is anonymised. Some people choose to tell us about their experiences related to hypermobility diagnosis or care, to help further our work.  This may include them sharing sensitive information related to their health and family life.  We may also monitor the types of people who are involved to ensure that the views we hear are representative of the community.  This data may be processed for the purposes of enabling such publication and administering our website and services. The legal basis for this processing is consent. 

  • Enquiry information which may be processed for the purposes of offering, marketing and selling relevant products and/or services to you. The legal basis for this processing is consent. 

  • We may process information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters. The legal basis for this processing is consent. 

  • We may process information contained in or relating to any communication that you send to us. The correspondence data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms. The correspondence data may be processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is our legitimate interests, namely the proper administration of our website and business and communications with users. 

  • With your consent we may contact you to let you know about the progress we are making and to ask for donations or your views. We do not sell or share personal details to third parties for the purposes of marketing but if we run an event in partnership with another named organisation your details may need to be shared. We will be very clear what will happen to your data when you register; 

  • We may process any of your personal data identified in the other provisions of this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others. 

  • Understand how we can improve our services and information; 

  • Analyse and understand the issues affecting people in the hypermobile community; 

  • In addition to the specific purposes for which we may process your personal data set out here, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. 

Providing your personal data to others (third-parties) 

We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes 

We will share limited donor personal data (profile and/or service) to the relevant fundraiser where donations are made, insofar as reasonably necessary to inform them that an associated donation has been made. 

We may disclose name and contact details to our suppliers or subcontractors insofar as reasonably necessary for organising or attending events. 

Financial transactions relating to our website and services are handled by our payment services providers, Stripe, GoCardless, and PayPal. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You can find information about the payment services providers' privacy policies and practices at the following URLS: 


The following third-party service providers process personal information about our employees/volunteers for the following purposes: 

  • Monetaire-& QuickBooks - payroll and pensions 

  • Bank Accounts and QuickBooks – bank account details to pay wages/expenses 

  • HMRC – tax  

  • Smart Pensions – pension provider 


Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behaviour of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us. In the case of this activity the following will apply: 

  1. Your data will be made available to our website provider  

  2. The data that may be available to them include any of the data we collect as described in this policy. 

  3. Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA. 

  4. They will store your data for a maximum of 7 years. 

  5. This processing does not affect your rights as detailed in this privacy policy. 


Our websites may include links to third-party websites, plug-ins and applications such as payment gateways. Our surveys may be conducted via 3rd party organisations such as Survey Monkey. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit. 

Third party websites 

Our website includes hyperlinks to, and details of, third party websites. This privacy policy only governs our websites and we are not responsible for the privacy policies that govern third party websites even where we have provided links to them.  If you use any link on our website, we recommend you read the privacy policy of that website before sharing any personal or financial data.  

We operate a number of social media pages (including Facebook, Twitter, You Tube, LinkedIn and Instagram).  Although this policy covers how we will use any data collected from those pages it does not cover how the providers of social media websites will use your information.  Please ensure you read the privacy policy of the social media website before sharing data and make use of the privacy settings and reporting mechanisms to control how your data is used. 

In addition to the specific disclosures of personal data set out in this section, we may also disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

Where we store your data and international transfers of your personal data 

We predominantly process and store personal data in the UK; we also process and store personal data in countries within the European Economic Area (“EEA”) which have the same data protection laws as the United Kingdom. 

Some of our suppliers run their operations outside the United Kingdom, including within the European Economic Area (EEA). This includes countries which do not have the same data protection laws as in the UK. In these circumstances, we will make sure they provide an adequate level of protection in accordance with UK data protection law, and confirm that appropriate safeguards are in place. We provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA). 

You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others. 

Retaining and deleting personal data 

This section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data. 

Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. 

By law we, and our payment gateway are legally obligated to retain essential information about your donation or payment (including Contact, Identity, Financial and Transaction Data) for seven years for tax purposes.  We do not retain payment card details. 

Notwithstanding the other provisions of this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. 

In some circumstances we may anonymise your personal data and special category data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you. 

In some circumstances you can ask us to delete your data: see Request erasure below for further information. 


We may update this policy from time to time by publishing a new version on our website. 

You should check this page occasionally to ensure you are happy with any changes to this policy. 

We may notify you of changes to this policy by email. 

Your rights 

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.  Provision of such information will be subject to the supply of appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address). 

We may withhold personal information that you request to the extent permitted by law. 

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. 

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. 

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. 

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. 

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. 

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. 

If you wish to exercise any of the rights set out above, please contact us. 

You have a right to ask for a copy of the information we hold about you, although we may charge £10 to cover the costs involved.  If there are any discrepancies in the information we provide, please let us know and we will correct them.  

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

Personal data of children 

Our website and services are targeted at persons over the age of 13. 

If we have reason to believe that we hold personal data of a person under that age in our databases, we will delete that personal data, unless it is information that is necessary to fulfil our contractual obligations regarding membership. 

About cookies 

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. 

Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. 

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies. 

We use cookies for the following purposes: 

  1. Necessary cookies: Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.  

  2. Statistic cookies: Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously. 

  3. Marketing cookies: Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers. 


Cookies used by our service providers 

Our service providers use cookies, and those cookies may be stored on your computer when you visit our website. 

We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. This data may be stored outside the EU, under a EU-US Privacy Shield agreement. The information gathered relating to our website is used to create reports about the use of our website. Google's privacy policy is available at:[ The relevant cookies are: [_ga, _gid, _gat, __utma, __utmt, __utmb, __utmc, __utmz and __utmv. 

Managing cookies 

Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. The "Help" menu in the toolbar of most web browsers will tell you how to change your browser's cookie settings, including how to have the browser notify you when you receive a new cookie, and how to disable cookies altogether. You can obtain up-to-date information about blocking and deleting cookies via these links: 

(a) (Chrome); 

(b) (Firefox); 

(c) (Opera); 

(d) (Internet Explorer); 

(e) (Safari); and 

(f) (Edge). 

Blocking all cookies will have a negative impact upon the usability of many websites. 

If you block cookies, you will not be able to use all the features on our website. 

To find out more about UK law on cookies and other aspects of online privacy, visit the website of the UK Information Commissioner’s Office. 

Our details 

This website is owned and operated by The Hypermobility Syndromes Association. 

We are a registered charity in England and Wales under registration number 1186735 and our registered office is at 49 Greek Street, Soho, London, W1D 4EG 

You can contact our Data Protection Officer: 

  1. by post, using the postal address given above; 

  2. by telephone, via our Helpline +44 (0)33 3011 6388 or 

  3. by email,


If you have a complaint about us, or the treatment of your data, please contact us directly so we can resolve using the contact methods outlined above. But if you are unhappy with our resolution you can contact the Charity Commission or the Information Commissioner’s Office (ICO).  

  • The Charity Commission is the independent watchdog for charities.  You can make a complaint about a charity on their website at

  • The Information Commissioner’s Office (ICO) is the is the independent regulatory office in charge of upholding information rights in the interest of the public. You can find details of how to make the complaint on their website at 

If you've got a complaint about our fundraising activities you can also complain to the Fundraising Regulator.  To find out how to go about making a complaint, go to the Fundraising Regulator website at 

bottom of page